The RISKS Digest
Volume 28 Issue 11

Wednesday, 30th July 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Harry R. Lewis, The Internet and Hieronymus Bosch
Right to be forgotten: Wikipedia chief enters Internet censorship row
Rowena Mason via Dewayne Hendricks
Comcast Used This 'Spooky' Propaganda to Kill Off a Local Internet Competitor
Vice via NNSquad
Software engineering and the lack thereof
Ken Shotting
Lawful Hacking: Using Existing Vulnerabilities for Wiretapping n the Internet
Henry Baker
Built for Speed: Designing Exascale Computers
Brian Hayes
"Another botched Microsoft patch: Office 365 ProPlus says 'Something went wrong' ''
Woody Leonhard via Gene Wirchenko
Spain's 'Google tax' could kill Facebook and Twitter
"Oracle's new database patch could cost you $23,000 per processor"
Serdar Yegulalp via Gene Wirchenko
Broadband bullies: Cable companies, lawmakers gang up on local providers
Caroline Craig via Gene Wirchenko
Thousands of sites compromised through WordPress plug-in vulnerability
Lucian Constantin via Gene Wirchenko
Re: Smart grid hack worries to raise insurance rates?
Geoffrey Keating
Steve Lamont
Geoffrey Keating
Re: Disk-sniffing dogs find thumb drives, DVDs?
John Rivard
Geoff Kuenning
Scott Miller
Info on RISKS (comp.risks)

Harry R. Lewis, The Internet and Hieronymus Bosch

"Peter G. Neumann" <>
Mon, 28 Jul 2014 14:00:22 PDT
Harry R. Lewis,
  The Internet and Hieronymus Bosch:
  Fear, Protection, and Liberty in Cyberspace,
pages 57--90 in The *Harvard Sampler: Liberal Education for the
Twenty-First Century*, edited by Jennifer M. Shephard, Stephen M. Kosslyn,
and Evelynn M. Hammonds, Harvard University Press, Cambridge Massachusetts,

This is a truly remarkable essay, and well worth reading—even if you
think you know all about the risks.  Harry's content comprehensively spans
many of those risks relating to the Internet that we have discussed here in
the past, and addresses some of the bigger-picture issues.  It is highly
relevant to all RISKS readers.  It is also easily readable by folks with
somewhat less technical expertise than our RISKS readers.  (Actually, the
entire book is itself full of thoughtfully provocative chapters.)

Harry has generously posted the page proofs of his chapter online (albeit
minus the Bosch artwork).  The text is linked as item #49 on this website page:
The middle panel from the Bosch triptych is at

Harry remarks in his end note to his book chapter:

  This chapter is based on the spring 2009 final lecture of Harry's
  Harvard course, “Quantitative Reasoning 48: Bits.''  His book with Hal
  Abelson and Ken Ledeen, Blown to Bits: Your Life, Liberty, and Happiness
  after the Digital Explosion (Addison-Wesley Professional, Reading, Mass.,
  2008), is based on the course material and can be downloaded at  It includes many of the particulars of
  the course not elaborated in this essay.

Right to be forgotten: Wikipedia chief enters Internet censorship row (Rowena Mason)

"Dewayne Hendricks" <>
Jul 28, 2014 1:41 PM
Rowena Mason, *The Guardian*, 25 Jul 2014 (via Dave Farber)
Jimmy Wales says Google should not be 'censoring history' after web search
company reveals it has approved half of requests

Internet search engines such as Google should not be left in charge of
"censoring history", the Wikipedia founder has said, after the US firm
revealed it had approved half of more than 90,000 "right to be forgotten"

Jimmy Wales said it was dangerous to have companies decide what should and
should not be allowed to appear on the Internet. His comments came after the
bosses of the leading search engines met the heads of European data
watchdogs on Thursday.

Google has been at the centre of a censorship row since the European courts
ruled that people should have the right to request that "irrelevant"
personal information about them is removed from search results.

Since May, the firm has received 90,000 requests for links to be removed,
relating to more than 300,000 pages. More than half of these requests have
been approved, it told European data watchdogs.

The authorities have been concerned that the Google has been notifying the
owners of pages that are delisted, which led in one case to a person being
written about again by the Wall Street Journal.

Google initially made it known that a paedophile, politician and doctor were
among the initial removal requests, but has since acknowledged there are
some more compelling claims.

Wales's position was backed by Rohan Silva, a tech entrepreneur and former
adviser to David Cameron, who tweeted that it was "good to hear (Wales)
fighting the good fight against Internet censorship".

But the Labour MEP Claude Moraes accused Google of failing to implement the
EU ruling properly. He also said the firm was not mentioning the fact that
data supervisory authorities were the final arbiters in disputed cases and
it was not junior staff making decisions on such issues.

Christopher Graham, the UK information commissioner, said some of Google's
concerns were overblown. [...[

Comcast Used This 'Spooky' Propaganda to Kill Off a Local Internet Competitor

Lauren Weinstein <>
Mon, 28 Jul 2014 14:27:07 -0700
Vice via NNSquad

  In the months and weeks leading up to the vote, the two companies
  bombarded residents and city council members with disinformation,
  exaggerations, and outright lies to ensure the measure failed. It did,
  narrowly, twice: In April 2003 and November 2004. Before the ISPs'
  disinformation campaigns, support for the project was up over 72 percent.
  The series of two-sided postcards painted municipal broadband as a
  foolhardy endeavor unfit for adults, responsible people, and perhaps as
  not something a smart woman would do. Municipal fiber was a gamble, a
  high-wire act, a game, something as "SCARY" as a ghost. Why build a
  municipal fiber network, one asked, when "Internet service [is] already
  offered by two respectable private businesses?"  In the corner, in tiny
  print, each postcard said "paid for by SBC" or "paid for by Comcast."

Software engineering and the lack thereof

Ken Shotting <>
Fri, 25 Jul 2014 15:11:28 -0500 (CDT)
I managed to get my hands on some detailed reports from the local speed
camera systems. I thought I might find some issues but was amazed at the
level of programming incompetence on display. The reports have many times
where the system reports that more than 100% of the cars passing a camera
are speeding and, at totally different times, that more than 100% of those
speeding exceeded the speed limit by more than 12 MPH. The system attempts
to divide by zero getting printed results like 1,000,000, (it ends with a
comma). There are more problems; these are just among the most blatant. Not
surprisingly, the local council members see nothing amiss with such results
because, as we all know, camera systems are perfect!

I sent the data and my analysis to the Baltimore Sun—which, if no one
changes their mind, is planning a story.  Obviously, we expect the camera
vendor to claim that the errors in the reporting software are atypical; the
system never issues an erroneous ticket because much more care is taken with
important system processes.  Given SEI work and ISO 9000, I expected it
would be easy to find expect opinions on the validity of such a claim,
written at a level that would be appropriate for a newspaper audience, but
have not had much luck.  I was going to look around the SRI site, when it
occurred to me that writing you might result in acquiring multiple useful
bits of information with one e-mail.  Anyway, if you know of good sources for
the above information, I'd much appreciate pointers - the more the better.

  [Some readers of RISKS should be sympathetic, perhaps having been
  erroneously dinged by these automated camera systems.  Moreover, many of
  you are inured to the lack of good software engineering in operating
  systems, embedded systems, and applications such as infrastructure
  systems, computer-aided elections, and so on.  So it should come as no
  surprise that some of the camera-driven automatic ticket-writer systems
  are much less than perfect.  PGN]

Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet

Henry Baker <>
Sun, 27 Jul 2014 16:21:00 -0700
FYI—Steven Bellovin, Matt Blaze, Sandy Clark and Susan Landau have come
up with perhaps the worst idea ever suggested by bright computer scientists:
provide legal authorization for every law enforcement agency to conduct
black-hat operations on every American, and indeed, on every person on the

(11 pages)

(68 pages)

Of course, that isn't what the language of their papers actually says, but
that will be the result.  Every person on the planet will become a target in
the Internet "free fire" zone, with the hackers now having full access to
the power and privileges of a nation state.

In addition to brushing aside the First, Third, Fourth and Fifth Amendments
to the Constitution, making the Internet into a free fire zone will reduce
it to a smoldering ruin, thereby rendering it unusable EXCEPT by criminals
and "law enforcement" professionals on phishing expeditions.

I'm sorry if the Internet is "going dark" for the FBI; for this you can
blame the overzealousness of their brethren at the NSA and the craven greed
of the advertising and social networking companies.  Virtually every
computer professional in the world not working at one of these agencies or
companies is now pledged to making the Internet "go dark" as soon and as
dark as possible—not for the benefit of criminals and terrorists, but for
the benefit of the 99% of us who are not involved in crime and terror.  Like
the people in crime-ridden neighborhoods who "take back their streets", we
computer scientists are "taking back our Internet".

We in the U.S. have just completed one of the largest case studies of what
happens when every individual in an industry has all of its e-mail and
financial records available to regulators.  The Securities and Exchange
Commission (SEC) already requires every person in the financial industry to
make every e-mail, cellphone text and financial record available to the SEC
in order to enforce insider trading and other financial rules.

The result: NADA!  NOTHING!  With thousands of bankers involved in fraud on
the U.S. taxpayer running into the trillions of dollars, _not one has been
prosecuted; not one has gone to jail_.  If this level of surveillance of the
financial community has produced zero convictions in the largest ripoff of
tax dollars in history, there is no reason to expect that any increased
level of surveillance of non-financial citizens will produce any better

If the Internet goes dark to the FBI and the NSA, so be it; the alternative
existential threat to freedom is far, far worse.

As Dietrich Bonhoeffer, German Lutheran theologian, famously noted:
“First they came for the Communists, but I was not a Communist so I did
not speak out.  Then they came for the Socialists and the Trade Unionists,
but I was neither, so I did not speak out.  Then they came for the Jews, but
I was not a Jew so I did not speak out.  And when they came for me, there
was no one left to speak out for me.”

The government wants to wiretap online communications — or in some cases
hack them

By Ellen Nakashima July 25 Follow @nakashimae

Law enforcement and intelligence agencies want to be able to wiretap social
media, instant message and chat services.  But building in ways to wiretap
these kinds of communication can lead to less secure systems, say technical
experts, including former National Security Agency officials.

Some security experts suggest hacking as an alternative, but other experts
-- including FBI officials—say that method poses serious risks.

Right now, only phone companies, broadband providers and some Internet phone
services are required by law to build in intercept capabilities, but the
government wants to extend that requirement to online communication

“From a purely technical perspective, when you add this sort of law
enforcement access feature to a system, you weaken it,'' said Steven
M. Bellovin, a computer science professor at Columbia University.  “First,
it creates an access point that previously didn't exist.  Second, you've
added complexity to the system ... and most security problems are due to
buggy code.''

In 1994, the government passed the Communications Assistance for Law
Enforcement Act, which mandated that phone companies make their systems

Richard `Dickie' George, a former NSA technical director until he retired in
September 2011, recalled how in the mid-1990s, “in the early days of
CALEA,'' the NSA tested several commercial phone systems with intercept
capabilities and “we found problems in every one.'' Making the systems
hack-proof, he said, “is really, really hard.''

He said, however, that over the years, “We've come a long way.''

Susan Landau, a faculty member in the Worcester Polytechnic Institute
Department of Social Science and Policy Studies in Massachusetts, said that
phone services are more complicated now—and so the switches are, too.
“It's highly doubtful the new switches are secure.''  The United States,
she said, “has a lot more to lose by building ways into communications
networks than it has to gain, because those ways last for a very long time,
and we enable others who couldn't afford to build [backdoors] in themselves
with ways to get into our communications systems.''

One alternative to wiretaps is to hack the target's phone or computer,
Bellovin and Landau said.  In so doing, the FBI would be exploiting software
flaws that already exist instead of creating new ones, Landau said.  And the
FBI would be getting communications before they are encrypted or after they
are decrypted, Bellovin said.

Landau: “They have to be very careful that they don't create a risk that
the exploit will proliferate elsewhere.  That's why we argue for increasing
the funding for research.''

Marcus Thomas, a former FBI official who ran the bureau's Operational
Technology Division, said hacking is “unreliable and dangerous because
hacks can propagate.''

Some tech-savvy privacy advocates say that the government sees the use of
malware as one among a number of options, along with weakening the security
of commercial software and forcing companies to allow the installation of
malware delivery devices on their networks.  “The government wants a
selection of tools, not just one,'' said American Civil Liberties Union
principal technologist Christopher Soghoian.

Forcing companies to put malware on a suspect's cellphone, say by using
security update features for mobile users, may lead “privacy aware''
consumers to turn off automatic security updates, Soghoian said.  “We
don't want to give consumers any reason to not update their software.'' n
He added that “by blessing the malware approach, Landau et al. ... are
giving DOJ political cover'' to use malware.

The FBI has in fact applied for search warrants to use the technique in
several recent criminal cases.

But FBI officials said in an interview that hacking is not commonly used on
the criminal side of the Justice Department.  "It is rare in law enforcement
investigations," said Amy S. Hess, executive assistant director of the
FBI's Science and Technology Branch.  She did not comment on how often it
might be used in intelligence investigations.

She said the capability is “very fragile.'' It changes, “minute by
minute, hour by hour, day to day, as to whether or not you're able to
stay up on that particular device just because of the changing nature of
technology.'' Moreover, she said, “a lot of bad guys trade off devices.
So how valuable will it be if you have to keep doing that type of procedure
over and over again?''

She noted it is also at “much higher risk'' of detection if it is
disclosed in a criminal case.

On Thursday, Scott Charney, Microsoft vice president of trustworthy
computing, said that the government has never asked the company to change
its code or alter its products to give it access to Skype, which is owned by
Microsoft.  “If they said ... put in a backdoor, we would fight it all
the way to the Supreme Court,'' he said during a panel session at the
Aspen Security Forum.  “If the government did that, and I really don't
think they would, it would be at the complete expense of American
competitiveness, because if we put in a backdoor for the U.S. government, we
couldn't sell anywhere in the world. Not even in America.''

Built for Speed: Designing Exascale Computers (Brian Hayes)

"ACM TechNews" <>
Fri, 25 Jul 2014 12:12:25 -0400 (EDT)
Brian Hayes, Topics, 22 Jul 2014, via ACM TechNews, 25 Jul 2014

Researchers at Harvard University's School of Engineering and Applied
Sciences (SEAS) are focused on developing the hardware and software for
exascale computers, while others are planning to apply exascale computing
resources to diverse scientific fields once they become available.  An
exascale computer would perform at least 1018 operations per second, and a
key challenge in realizing exascale systems is minimizing their electricity
consumption.  A SEAS research team investigating this issue found many
design parameters must be optimized simultaneously rather than individually,
while another researcher emphasizes improving the design of individual
transistors and the materials from which they are manufactured.  Exascale
systems likely will have to make do with less memory per processing core,
unless new memory devices can be created.  SEAS dean Cherry Murray expects
heterogeneous computer architectures to dominate scientific computing in the
coming years, using specialized subsystems optimized for different classes
of algorithms.  Also under consideration are systems specialized for one
specific operation.  Indeed, Institute for Applied Computational Science
director Hanspeter Pfister sees a basic rethink of programming models as
essential to an exascale transition.  "We're beyond the human capacity for
allocating and optimizing resources," he says.  Pfister suggests shifting
some concurrent computation onto hardware, while creating a new level of
abstraction to spare coders from micromanaging parallel processes.

  [Let's hope that at least some of the research pays attention to
  trustworthiness of some of the critical aspects of reliability, security,
  mathematical correctness, and so on.  Other than a few folks such as Les
  Lamport, very little effort has been devoted to such issues.  And I don't
  think I am EXAggerating.  PGN]

"Another botched Microsoft patch: Office 365 ProPlus says 'Something went wrong' '' (Woody Leonhard)

Gene Wirchenko <>
Mon, 28 Jul 2014 13:42:54 -0700
Woody Leonhard | InfoWorld, 28 Jul 2014
Microsoft took 12 days to fix a bug that locked out some Office 365
ProPlus customers after a silent patch automatically installed

Spain's 'Google tax' could kill Facebook and Twitter

Lauren Weinstein <>
Sun, 27 Jul 2014 11:29:13 -0700
Sharecast via NNSquad

  "Spanish Congress has passed a law, known as the "Google tax", that could
  result in the use of Facebook and Twitter being outlawed in the country.
  Specifically, Madrid passed a reform to the Spanish Intellectual Property
  Law (LPI) that grants the Spanish News Publishers Association (AEDE) the
  "inalienable right" to charge a fee for anyone that adds their content.
  Experts have begun to analyse the new regulation to see what effect it
  will have on social networks where users reproduce content with links to
  the original source."

 - - -

Spain certainly seems to be leading the way in the EU's thrust to try wreck
Internet free speech. It won't succeed, but there will be a lot of damage
along the way.

"Oracle's new database patch could cost you $23,000 per processor" (Serdar Yegulalp)

Gene Wirchenko <>
Mon, 28 Jul 2014 12:35:05 -0700
Serdar Yegulalp | InfoWorld, 25 Jul 2014
Latest patch set for Oracle's database automatically enables
in-memory processing—a feature for which Oracle charges extra.

selected text:

According to *The Register*, the latest patch set for Oracle Database 12
includes an upgrade to Oracle's loudly trumpeted in-memory database
technology, the company's implementation of a database-acceleration feature
now being put to use by Microsoft and many other competitors.

Oracle's in-memory processing isn't free, though. And enabling it will cost
you $23,000 per processor. What's more, according to analysis by EMC's Kevin
Closson, the in-memory features appear to be turned on by default by the

The upshot is that anyone who applies the latest patches and isn't
conscientious enough to determine whether they really need (or can afford)
the in-memory features could find themselves in the hole for at least five
figures next time a license audit comes up.

Broadband bullies: Cable companies, lawmakers gang up on local providers (Caroline Craig)

Gene Wirchenko <>
Fri, 25 Jul 2014 12:22:10 -0700
Caroline Craig | InfoWorld, 25 Jul 2014
House approves legislation prohibiting the FCC from aiding local
communities eager to set up high-speed broadband services

Thousands of sites compromised through WordPress plug-in vulnerability (Lucian Constantin)

Gene Wirchenko <>
Fri, 25 Jul 2014 12:06:48 -0700
Lucian Constantin, InfoWorld, 24 Jul 2014
Hackers are actively exploiting a vulnerability found recently in the
MailPoet Newsletters plug-in for WordPress

opening text:

A critical vulnerability found recently in a popular newsletter plug-in for
WordPress is actively being targeted by hackers and was used to compromise
an estimated 50,000 sites so far.

Re: Smart grid hack worries to raise insurance rates? (RISKS-28.10)

Geoffrey Keating <>
25 Jul 2014 12:04:40 -0700
> Apparently the insurance industry and the utility folks are beginning to
> look at the security issues around "smart grids", and realizing the
> risks.....

Reading the article, it seems more like the insurance industry is looking at
"smart grids" and detecting an opportunity!  The first sentence of one of
the linked Insurance Journal articles is "Energy companies have no insurance
against major cyber attacks, reinsurance broker Willis said".

Re: Smart grid hack worries to raise insurance rates? (RISKS-28.10)

Steve Lamont
Fri, 25 Jul 2014 13:09:53 -0700

I hope that readers of this item took the time to go read the original
posting (link above), since there the comments take the writer, Mr Berst,
severely to task for conflating cyber attacks with some plain old corruption
by insiders and colluding meter manufacturers.

It's always a good idea to read to the bottom.

Re: Smart grid hack worries to raise insurance rates? (RISKS-28.10)

Geoffrey Keating <>
25 Jul 2014 12:04:40 -0700
> Apparently the insurance industry and the utility folks are beginning to
> look at the security issues around "smart grids", and realizing the
> risks.....

Reading the article, it seems more like the insurance industry is looking at
"smart grids" and detecting an opportunity!  The first sentence of one of
the linked Insurance Journal articles is "Energy companies have no insurance
against major cyber attacks, reinsurance broker Willis said."

Re: Disk-sniffing dogs find thumb drives, DVDs? (RISKS-28.10)

John Rivard <>
Fri, 25 Jul 2014 14:47:33 -0400
Dog's sense of smell is said to be somewhere between 10,000 and 100,000
times better than humans. So yes, they can probably distinguish different
types of electronic devices by smell.

But I'm fairly certain that pirated bits don't smell any different than
regular bits.

John C. Rivard, User Experience 248-971-0JCR Voice/SMS text (248-971-0527)

Re: Disk-sniffing dogs find thumb drives, DVDs? (Miller, RISKS-28.10)

Geoff Kuenning <>
Sun, 27 Jul 2014 22:39:33 -0700
I don't see a legal problem here.  Search warrants typically specify
particular items being sought.  For example, a warrant might state that it
is looking for "documents or electronic devices containing evidence of
violations of securities law."  [Disclaimer: I made that up; I don't think
I've read an actual warrant in my life.]

The dog's job is to locate USB drives and other electronics such as hard
drives.  The warrant will have been written to cover whatever storage medium
the cops think are likely, and they'll have the right to seize whatever they
find.  Their problem is finding the stuff, since the guilty party [assuming
guilt for the sake of argument] may have hidden it.  Once the dog locates
the USB drive, it's up to the police to decide whether to seize it.  This is
no different from finding it in a desk drawer.  The dog's job isn't to
decide what's contraband, it's to help the police locate it efficiently.

Geoff Kuenning

Re: Disk-sniffing dogs find thumb drives, DVDs? (Kuenning, RISKS-28.11)

"Scott Miller" <>
Mon, 28 Jul 2014 08:45:02 -0400
Geoff: I'm no lawyer, either, nor do I play one. I do try to grasp some
basic legal principles in hope of better navigating the minefield created by
the ever expanding State. My understanding is that a 4A compliant warrant is
required to be relatively specific in terms of the evidence sought per a
specific crime or crimes. The point is to prevent evidentiary "fishing
expeditions". To me, grabbing all electronic storage devices in a home or
office indiscriminately in search of content that is evidence of a
particular crime is analogous to hauling off every file cabinet and piece of
paper in that same setting would have been in 1981. (I know that was done in
investigations like Enron, but in that example, there was a strong
probability that all such documents were within the scope of examining
financial dealings for criminal behavior). I think that meets the plain
language definition of "unreasonable". To narrow my statement, if police
seize an excessive breadth of electronic storage devices under a search
warrant for child pornography and find evidence of same, I expect that
evidence and subsequent conviction would hold up in court (all else
equal). However, if that same search yielded evidence of, say, wire fraud,
and a charge was levied and a conviction obtained on that basis, I would
expect that evidence (and possibly the conviction) to be thrown out on
appeal. I remain skeptical that a dog can by smell discriminate at all
narrowly between differing types of microelectronics.

Please report problems with the web pages to the maintainer