The RISKS Digest
Volume 28 Issue 52

Monday, 16th February 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



The End of Privacy, *Science*, 30 Jan 2015
Turning off encryption to improve interoperability
Jeremy Epstein
Can Open-Source Voting Tech Fix the U.S. Elections System?
Barry Gold
Require dash cams in aircraft, pointed inward
Dan Jacobson
Romanian diplomat fired after calling guests 'ghastly' and 'undesirable' in invitation email
hrgrapevine via Monty Solomon
A Crypto Trick That Makes Software Nearly Impossible to Reverse Engineer
Andy Greenberg
Legislators Want Computer Science to Count for Language Requirement
Dian Schaffhauser
AT&T charges $29 more for gigabit fiber that doesn't watch your Web browsing
Ars Technica
How One Stupid Tweet Blew Up Justine Sacco's Life
"Vint Cerf Warns of 'Digital Dark Age'"
Pallab Ghosh
Digital data storage may leave future in dark about us, warns Cerf
Lauren Weinstein
Security Gaps Found in 39,890 Online Databases Containing Customer Data
"OpenDNS sounds warning on the most sophisticated PayPal scam yet"
Brian Jackson
"DDoS malware for Linux systems comes with sophisticated custom-built rootkit"
Lucian Constantin
Google updates disclosure policy after Windows, OS X zero-day controversy
"Microsoft yanks KB 2920732 patch for killing PowerPoint 2013 on Windows RT"
Woody Leonhard
"Microsoft's SSL 3.0 Poodle-busting patch KB 3023607 breaks popular Cisco VPN client"
Woody Leonhard
"Visual Studio patch rollup KB 3001652 causes widespread freezing problems"
Woody Leonhard
"Dangerous IE vulnerability opens door to powerful phishing attacks"
Lucian Constantin
"Mozilla reveals Firefox add-on lockdown"
Gregg Keizer
Re: Internet providers lobby against backup power rules for phone lines
paul wallich
Re: Stop the Mass Hacks Attacks: Use Strong 2-Factor Authentication or Go to Jail!
Richard M Stein
Info on RISKS (comp.risks)

The End of Privacy, *Science*, 30 Jan 2015

"Peter G. Neumann" <>
Mon, 16 Feb 2015 11:09:35 PST
*Science* (the magazine published by the American Association for the
Advancement of Science, in contrast with lower-case *science* (the
discipline regarded as the state of knowing—knowledge as distinguished
from ignorance or misunderstanding) [although the AAAS magazine does a
remarkable job of blending the two together]) has just published a very
timely special issue on The End of Privacy.  This issue includes an
extraordinary compilation of articles:

* Big data and the Internet are empowering researchers and the public --
  but endangering privacy

* Unmasked
* When your voice betrays you
* Breach of trust
* Game of drones
* Risk of exposure
* Could your pacemaker be hackable?
* Hiding in plain sight
* Trust me, I'm a medical researcher
* Camouflaging searches in a sea of fake queries

* Control use of data to protect privacy (Susan Landau)
* What the right to be forgotten means for privacy in the digital age
  (A.L. Newman)

Privacy and human behaviour in the age of information (A. Acquisti et al.)

plus more items, and an encrypted URL that you might want to decode...

RISKS readers will find some extraordinarily well-researched background here.
Most if not all of it appears to be online.

Turning off encryption to improve interoperability

Jeremy Epstein <>
Fri, 13 Feb 2015 01:13:32 -0500
In a time when more and more traffic is encrypted to protect privacy and
security, the District of Columbia is turning *off* the encryption in the
radios used by emergency responders, due to interoperability problems.
Encryption had been turned on for emergency responders after the 2013 Navy
Yard rampage, when it's possible that the shooter was listening in to those
searching for him.

D.C. Mayor Muriel E. Bowser's administration announced Wednesday that the
District will abandon its new system of encrypting radio communications
among firefighters and paramedics.

The District's encryption came under intense scrutiny last month when Metro
officials said they found changes to firefighter radio settings related to
encryption following a widespread radio failure during Metro's fatal Jan.
12 smoke incident.

In that incident, D.C. firefighters could not communicate with supervisors
above ground when they learned that a train was trapped in a smoke-filled
tunnel south of the L'Enfant Plaza station with more than 200 passengers

D.C. firefighters and the city's homeland security agency have disputed
that encryption played any part in the radio failure. [...]

The District began work to encrypt its radio transmissions after the 2013
rampage at the Navy Yard. The shooting that left 12 dead prompted a
dangerous search by police as they hunted the gunman before fatally shooting
him. Although communication involving federal and local police agencies
could not be heard by outsiders, the fire department scanner—widely
available over the Internet—provided an account of some of the
behind-the-scenes activities. Firefighters were not in the building when the
manhunt was underway. [...]

Can Open-Source Voting Tech Fix the U.S. Elections System?

Barry Gold <>
Thu, 12 Feb 2015 17:53:35 -0800
PGN correctly identified a number of problems with the existing "twentieth
century" voting system.  Installing an electronic voting system that has
been vetted through open-source inspection won't fix those problems, but it
also won't make them worse.

But the problem with *any* computerized voting system is much bigger than
just the (application) code of the voting machines and tabulation system.  A
few other questions suggest themselves:

1. How do we know that the code running on the voting machines is the
code that we inspected?

  1a) Is there a bug (intentional?) in the compiler?
  1b) How do we make sure that the people in charge of deploying the voting
      machines installed the publicly-vetted software on them, rather than
      some other software that does what _they_ want?

2. What about the underlying OS?  Windows?  Would you trust Windows with
your vote?  Linux is open source, but still... how do you know that the
version on the machines is the version we vetted?

3. Same questions re the firmware installed by the machines'
manufacturer(s)?  Insert malware into the boot program and you can do
anything you want.

In general, are we going to go around and let random people inspect the
machine's RAM/Flash, OS, and installed code (IN BINARY) for malware and to
make sure that what we saw is really what we got?

There are only two ways to ensure(*) that the votes are counted correctly:

A. Use something physical—a piece of paper, a card, whatever—that the
voter can see go into a ballot box and the various parties with an interest
in the outcome can watch the ballot boxes be transferred to the counting
center.  Then occasionally and at random insert fake precincts into the
process, whose counts are known in advance, and make sure that they are
counted correctly(+).  Then subtract those known counts from the final

B. Issue a receipt of some sort to the voter, which he can check against the
final results to make sure his vote was counted.

I've seen proposals for a system like that, where a voter is given a
three-part ballot to mark; he deposits two parts and keeps one.  He can
later use the one he kept to verify his vote.  [That's from Ron Rivest.  PGN]

But any system that allows a voter to verify that his vote was counted
correctly can _also_ be used by somebody who wants to make sure the vote was
cast the way the voter was paid (or threatened) to vote.  If I'm going
around buying votes, I can have everybody bring me their part of the
three-part ballot and I can make sure they voted the way I wanted, before I
paid them.

Or if I'm planning to fire anybody who voted for a Democrat (or Republican,
or Peace and Freedom...), I can demand they bring their ballots for me to

As with many other human endeavors, there is *no* perfect system.  We either
take a chance on some votes being miscounted, or we allow for the
possibility of vote-buying/coercion.

(*) In so far as we can be sure of *anything* when the stakes are so high
and there are so many people with an interest in the outcome and no sense of
personal ethics.

(+) You have to make the fake precincts look similar to real ones, so that
the software won't be able to tell if it's counting a real one or a fake
one.  Also, you have to randomly generate the ballots from the fake
precincts every election, so that the software makers can't predict what the
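
A small working model of option (A), the synthetic-precinct audit, as an added example (not from this post or from any real election system): known-count precincts are mixed into the tabulator's input, their reported counts are compared with the known ones, and those counts are subtracted from the totals; a constructed biased tabulator shows the audit catching a systematic shift. Candidate names, precinct ids and ballot data are all constructed.

```python
"""Synthetic-precinct audit of a vote tabulator, modelling option (A) above.
Added illustration, not from the RISKS post; all precinct data is constructed."""
import random
from collections import Counter

CANDIDATES = ("Alpha", "Beta", "Gamma")   # constructed candidate names


def honest_tabulator(precincts):
    """Counts ballots exactly: one Counter per precinct id."""
    return {pid: Counter(ballots) for pid, ballots in precincts.items()}


def biased_tabulator(precincts):
    """Constructed defective tabulator: in every precinct it moves one vote
    from Alpha's strongest rival to Alpha (or simply inflates Alpha)."""
    result = {}
    for pid, ballots in precincts.items():
        counts = Counter(ballots)
        rivals = {c: n for c, n in counts.items() if c != "Alpha" and n > 0}
        if rivals:
            counts[max(rivals, key=rivals.get)] -= 1
        counts["Alpha"] += 1
        result[pid] = counts
    return result


def make_real_precincts(rng, count):
    """Constructed electorate: `count` precincts of 120..200 ballots each."""
    return {f"P{100 + i:03d}": rng.choices(CANDIDATES, weights=(5, 4, 1),
                                            k=rng.randint(120, 200))
            for i in range(count)}


def make_audit_precincts(rng, real, count):
    """Known-count precincts, sized like the real ones and re-randomised
    every election (footnote (+)), so the tabulator cannot single them out."""
    sizes = [len(b) for b in real.values()]
    audit = {}
    for i in range(count):
        weights = [0.5 + rng.random() for _ in CANDIDATES]
        audit[f"P{900 + i:03d}"] = rng.choices(CANDIDATES, weights=weights,
                                               k=rng.choice(sizes))
    return audit


def ballot_totals(precincts):
    """Ground truth for checking the net totals: counts straight from ballots."""
    return dict(Counter(b for ballots in precincts.values() for b in ballots))


def audited_election(real, audit, tabulator, rng):
    """Feed real and audit precincts to the tabulator in random order, check
    the audit precincts' reported counts against their known counts, then
    subtract them from the totals.  Returns (clean, discrepancies, totals)."""
    order = list(real) + list(audit)
    rng.shuffle(order)
    combined = {pid: real[pid] if pid in real else audit[pid] for pid in order}
    reported = tabulator(combined)
    expected = {pid: Counter(b) for pid, b in audit.items()}
    discrepancies = {pid: (dict(expected[pid]), dict(reported[pid]))
                     for pid in audit if reported[pid] != expected[pid]}
    totals = Counter()
    for pid, counts in reported.items():
        if pid not in audit:            # drop the known audit counts
            totals.update(counts)
    return not discrepancies, discrepancies, dict(totals)


def run_demo(seed=2015):
    """Audit an honest and a biased tabulator on the same constructed data."""
    rng = random.Random(seed)
    real = make_real_precincts(rng, 6)
    audit = make_audit_precincts(rng, real, 2)
    honest = audited_election(real, audit, honest_tabulator, rng)
    biased = audited_election(real, audit, biased_tabulator, rng)
    return honest, biased, ballot_totals(real)


if __name__ == "__main__":
    (ok_h, _, totals), (ok_b, diffs, _), _ = run_demo()
    print("honest tabulator passes audit:", ok_h, totals)
    print("biased tabulator passes audit:", ok_b)
    for pid, (exp, got) in diffs.items():
        print(f"  {pid}: expected {exp}, reported {got}")
```

The audit only sees a tabulator that mistreats the synthetic precincts the same way it mistreats real ones, which is exactly why footnote (+) insists they be indistinguishable.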

Require dash cams in aircraft, pointed inward

Dan Jacobson <>
Sat, 14 Feb 2015 01:08:12 +0800
You all must have seen the news "Dashcams capture dramatic footage of
Taiwanese plane crash".  Gee, one of those things pointed inward could
perhaps help answer which pilot pushed which button. Well why aren't cockpit
image recorders standard along with cockpit voice recorders yet?  Oh,

Why pilots dislike being on cockpit cam
Pilots Blast NTSB on Cockpit Video Cameras
Call cameras "fool's gold" of crash investigation

Investigating Airline Accidents: Cockpit Video is not the Answer

Romanian diplomat fired after calling guests 'ghastly' and 'undesirable' in invitation email

Monty Solomon <>
Thu, 12 Feb 2015 20:27:40 -0500

A Crypto Trick That Makes Software Nearly Impossible to Reverse Engineer (Andy Greenberg)

"ACM TechNews" <>
Fri, 13 Feb 2015 12:18:48 -0500 (EST)
Andy Greenberg, *WiReD* News, 11 Feb 2015

SyScan security researcher Jacob Torrey has developed Hardened Anti-Reverse
Engineering Systems (HARES), a scheme that encrypts software so it is only
decrypted by the computer's processor at the last possible moment before the
code is executed.  Torrey says the HARES scheme prevents reverse-engineering
tools from reading the decrypted code as it is being run.  "It protects
software algorithms from reverse engineering, and it prevents software from
being mined for vulnerabilities that can be turned into exploits," he says.
HARES uses a hardware trick called a Translation Lookaside Buffer (TLB)
Split, which segregates the portion of a computer's memory where a program
stores its data from the portion where it stores its own code's
instructions.  HARES keeps everything in that "instructions" portion of
memory encrypted so it can only be decrypted with a key that is stored in
the computer's processor.  "You can specifically say that encrypted memory
shall not be accessed from other regions that aren't encrypted," says Lab
Mouse Security researcher Don Andrew Bailey.  Many hackers use a
reverse-engineering technique called "fuzzing," which involves entering
random data into the program with the goal of causing it to crash, and then
analyzing the crashes to locate more serious exploitable vulnerabilities.
However, Torrey notes using that technique on a program encrypted with HARES
would render the crashes completely unexplainable.

Legislators Want Computer Science to Count for Language Requirement (Dian Schaffhauser)

"ACM TechNews" <>
Fri, 13 Feb 2015 12:18:48 -0500 (EST)
Dian Schaffhauser, *Campus Technology*, 9 Feb 2015

A bipartisan bill introduced by legislators in Washington State would count
two years of computer science toward the foreign language requirement for
purposes of admission into college in the state.  A similar effort in
Kentucky last year cleared the state's Senate and is now undergoing further
work before the House educational subcommittee.  Only 40 percent of high
schools count credits earned in a computer science class toward
requirements, while the rest treat such courses as electives, according to a
recent study by the Computer Science Teachers Association (CSTA).  In the
report, CSTA recommends counting computer science courses toward graduation
requirements.  The proposal to expand computer science education would help
prepare students for jobs in high tech, says Washington state legislator
Chris Reykdal, co-sponsor of the bill.  "It strikes me that we don't give
kids a meaningful shot in getting some computer science basics before they
go to university," he says.  Co-sponsor Chad Magendanz also is promoting a
bipartisan proposal to expand computer science education to ready students
for careers in high tech.  "If we give more children access to computer
science learning now, they'll have greater opportunities in the future," he

AT&T charges $29 more for gigabit fiber that doesn't watch your Web browsing

Lauren Weinstein <>
Mon, 16 Feb 2015 09:57:41 -0800
Ars via NNSquad

  "AT&T's gigabit fiber-to-the-home service has just arrived in Kansas City,
  and the price is the same as Google Fiber--if you let AT&T track your Web
  browsing history."

How One Stupid Tweet Blew Up Justine Sacco's Life

Monty Solomon <>
Sat, 14 Feb 2015 10:39:09 -0500

The unique 21st-century misery of the online shaming victim.

"Vint Cerf Warns of 'Digital Dark Age'" (Pallab Ghosh)

"ACM TechNews" <>
Fri, 13 Feb 2015 12:18:48 -0500 (EST)
BBC News (02/13/15) Pallab Ghosh via ACM TechNews, 13 Feb 2015

Former ACM president Vint Cerf, one of the pioneers of Internet technology
and now a vice president and Chief Internet Evangelist at Google, worries
about a forthcoming "digital Dark Age" in which the rapid pace of
technological advancement will leave behind mountains of data people will no
longer be able to access.  "Old formats of documents that we've created or
presentations may not be readable by the latest version of the software
because backwards compatibility is not always guaranteed," Cerf said at the
recent annual meeting of the American Association for the Advancement of
Science.  Cerf's proposed solution to the problem is taking an "X-ray
snapshot" of data, which includes not just the information but also
descriptions of the application, operating system, and hardware it runs on.
He says this digital snapshot would then be uploaded to the cloud where it
could, in theory, live on in perpetuity.  Cerf says ensuring such data could
be read by future generations will require a standardized description, which
he calls "digital vellum."  He notes such techniques already have been
demonstrated by Carnegie Mellon University's Mahadev Satyanarayanan.  Cerf
says the technique is "not without its rough edges, but the major concept
has been shown to work."

  [Matthew Kruk noted

Digital data storage may leave future in dark about us, warns Cerf

Lauren Weinstein <>
Fri, 13 Feb 2015 09:36:07 -0800
E&T via NNSquad

This is an area of continuing serious anxiety.  I touched on it in CACM
["Bit-Rot Roulette"].  Interestingly, some of the most forward-looking
work in this area is being done by AMPAS - The Academy of Motion
Picture Arts and Sciences (the Oscar folks), who are rightly very
concerned about preserving motion picture production and distribution
assets in a digital world.

Security Gaps Found in 39,890 Online Databases Containing Customer Data (SaarlandU)

"ACM TechNews" <>
Fri, 13 Feb 2015 12:18:48 -0500 (EST)
Saarland University, 10 Feb 2015

Researchers at Saarland University's Center for IT-Security, Privacy, and
Accountability (CISPA) have found that anyone can call up or modify several
million pieces of customer data online, including names, addresses, and
emails, because of a misconfigured open source database upon which millions
of online stores and platforms base their services.  Three CISPA students
were able to demonstrate this vulnerability for 40,000 online databases in
Germany and France.  If the operators stick to the defaults in the
installation process and do not consider important details, the data is
available online and completely unprotected, according to the CISPA
researchers.  The flaw currently affects 39,890 online databases.  "The
databases are accessible online without being protected by any defensive
mechanism," says Saarland professor Michael Backes.  "You even have the
permissions to update and change data.  Hence we assume that the databases
were not left open on purpose."  The researchers informed the database
vendors, as well as international computer emergency response teams.  "A
database unprotected like this is similar to a public library with a wide
open entrance door and without any librarian," Backes warns.  "Everybody can

"OpenDNS sounds warning on the most sophisticated PayPal scam yet" (Brian Jackson)

Gene Wirchenko <>
Fri, 13 Feb 2015 11:37:44 -0800
Brian Jackson, *IT Business*, 11 Feb 2015
OpenDNS Security Labs found an elaborate phishing campaign targeting
users of the popular online payments processor PayPal, involving
several fake websites set up with the intent to steal information.

"DDoS malware for Linux systems comes with sophisticated custom-built rootkit" (Lucian Constantin)

Gene Wirchenko <>
Fri, 13 Feb 2015 11:34:14 -0800
Lucian Constantin, InfoWorld, 6 Feb 2015
XOR.DDoS is distributed through SSH brute-force password guessing attacks

opening text:

A malware program designed for Linux systems, including embedded devices
with ARM architecture, uses a sophisticated kernel rootkit that's custom
built for each infection.
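
The vector named above, SSH password guessing, is visible in sshd's log. As an added example (not from the article), here is a small Python detector run over constructed log lines (the hostname and addresses are made up) that flags a source exceeding a failure threshold within a window and, more importantly, a login accepted from that source afterwards.

```python
"""Flag SSH password brute-forcing, and a login accepted after a burst, from
sshd log lines.  Added example, not from the article; the log is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sshd lines (documentation addresses, fake host "gw")
SAMPLE_LOG = """\
Feb 13 02:14:01 gw sshd[4021]: Failed password for root from 198.51.100.7 port 50122 ssh2
Feb 13 02:14:03 gw sshd[4022]: Failed password for root from 198.51.100.7 port 50123 ssh2
Feb 13 02:14:05 gw sshd[4023]: Failed password for invalid user admin from 198.51.100.7 port 50124 ssh2
Feb 13 02:14:07 gw sshd[4024]: Failed password for root from 198.51.100.7 port 50125 ssh2
Feb 13 02:14:09 gw sshd[4025]: Failed password for root from 198.51.100.7 port 50126 ssh2
Feb 13 02:14:11 gw sshd[4026]: Failed password for root from 198.51.100.7 port 50127 ssh2
Feb 13 02:14:13 gw sshd[4027]: Accepted password for root from 198.51.100.7 port 50128 ssh2
Feb 13 02:20:40 gw sshd[4100]: Failed password for alice from 203.0.113.9 port 41000 ssh2
Feb 13 02:21:02 gw sshd[4101]: Accepted publickey for alice from 203.0.113.9 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse(line, year=2015):
    """Return (timestamp, result, method, user, ip), or None for other lines.
    syslog lines carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]


def detect(lines, threshold=5, window_s=60):
    """Sliding-window detector.  Emits one 'bruteforce' alert per source once
    it reaches `threshold` failed password attempts within `window_s` seconds,
    and a 'success_after_bruteforce' alert if that source then logs in."""
    recent = defaultdict(deque)     # ip -> timestamps of failures in window
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, method, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # expire failures outside the window
        if result == "Failed" and method == "password":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(q), ts))
        elif result == "Accepted" and ip in flagged and q:
            # a flagged source got in while its burst is still in the window
            alerts.append(("success_after_bruteforce", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The second alert type is the one worth paging on: a burst alone is background noise on any Internet-facing host, while an accepted password right after it is the moment a rootkit of the kind described could be installed.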

Google updates disclosure policy after Windows, OS X zero-day controversy (Ars)

Lauren Weinstein <>
Fri, 13 Feb 2015 13:06:35 -0800
Ars via NNSquad

  "In a blog post today, the Google Security team announced changes to
  policies on full disclosure of bugs found by Project Zero, the security
  research team that uncovered zero-day vulnerabilities recently revealed in
  Microsoft's Windows 8.1 and Apple's OS X operating systems. Those
  disclosures, which were made 90 days after Google alerted Microsoft and
  Apple in accordance with Project Zero's strict release policy, stirred
  controversy because they had not yet been patched--and gave attackers time
  to leverage them before Microsoft and Apple distributed fixes."

An appropriate introduction of some flexibility in this regard. Good.

"Microsoft yanks KB 2920732 patch for killing PowerPoint 2013 on Windows RT" (Woody Leonhard)

Gene Wirchenko <>
Fri, 13 Feb 2015 11:44:20 -0800
  [Remember when URLs were fairly short?  This is actually a shortened
  version.  The one with the tracking code is about half again as long.]

Woody Leonhard, *InfoWorld*, 12 Feb 2015
If you were unlucky enough to install KB 2920732, there's no way to
uninstall it.

"Microsoft's SSL 3.0 Poodle-busting patch KB 3023607 breaks popular Cisco VPN client" (Woody Leonhard)

Gene Wirchenko <>
Fri, 13 Feb 2015 11:48:36 -0800
Woody Leonhard, InfoWorld, 13 Feb 2015
Cisco verifies that installing KB 3023607 may lead to 'Failed to
initialize connection subsystem' errors with AnyConnect VPN

"Visual Studio patch rollup KB 3001652 causes widespread freezing problems" (Woody Leonhard)

Gene Wirchenko <>
Fri, 13 Feb 2015 11:35:55 -0800
Woody Leonhard, InfoWorld, 10 Feb 2015
The Black Tuesday patches have been out for just a few hours, and
there are multiple reports about KB 3001652 freezing and/or failing
with error 0x80070659

"Dangerous IE vulnerability opens door to powerful phishing attacks" (Lucian Constantin)

Gene Wirchenko <>
Fri, 13 Feb 2015 11:33:08 -0800
Lucian Constantin, InfoWorld, 3 Feb 2015
The flaw can be used to steal authentication cookies and inject rogue
code into websites.

opening text:

An Internet Explorer vulnerability lets attackers bypass the Same-Origin
Policy, a fundamental browser security mechanism, to launch highly credible
phishing attacks or hijack users' accounts on any website.

"Mozilla reveals Firefox add-on lockdown" (Gregg Keizer)

Gene Wirchenko <>
Fri, 13 Feb 2015 11:46:31 -0800
  In the Can't Win for Losing Department:

Gregg Keizer, Computerworld, 12 Feb 2015
Mozilla has detailed plans to require Firefox add-ons to be digitally
signed, a move meant to bear down on rogue and malicious extensions

opening text:

Mozilla yesterday detailed plans to require Firefox add-ons to be digitally
signed, a move meant to bear down on rogue and malicious extensions, and one
that resembled Google's decision years ago to secure Chrome's add-on

Some Firefox users called out Mozilla for disregarding its own
long-and-often-expressed ethos of the need for an open Internet.

Re: Internet providers lobby against backup power rules for phone lines (Weinstein, RISKS-28.51)

paul wallich <>
Fri, 13 Feb 2015 09:16:49 -0500
> Depending on consumers to keep backup systems running is a recipe for
> utter disaster.

I agree, but there's a bit of a conundrum here. For people who are getting
Plain Internet Service, regulators have already pretty much put the cable
modem/router/access point/whatever on the customer side of the demarc (which
is why you can buy your own cable modem and avoid the outrageous rental
charge). When you add phone to the equation, suddenly that customer-side box
is also responsible for E911 and general disaster service, and you have the
problem Lauren points out. (This, by the way, is why I've thus far declined
my ISP's offer to "upgrade" my cable modem at my own risk and expense so as
to provide free wifi for their other customers. If something in the
configuration process were to take out my phone service, I would have no 911
capability until they got around to sending a tech and charging me to fix
whatever was wrong.)

With Title II regulation of Internet service in general, it may be possible
for the FCC to simply mandate that all boxes sold for home Internet or VOIP
use be equipped with appropriate power backup. But if that happens I expect
a huge outcry from the same folks who don't like wearing seatbelts or
motorcycle helmets.

This is what happens when you "upgrade" the leaf nodes of your national
telecom infrastructure to pure digital without thinking about the details.

Re: Stop the Mass Hacks Attacks: Use Strong 2-Factor Authentication or Go to Jail! (RISKS-28.51)

Richard M Stein <>
Sun, 15 Feb 2015 16:50:40 +0800
  [Very long item, but a fairly strong compilation of ideas.  PGN]

How to most effectively deter defect escape from a software ecosystem?

Criminal or civil penalization of system administrators and their

Why not penalize the stockholders for investing in a software factory run by
individuals unqualified to even run a pet shop? Why not penalize the
consumer for trusting their information with a brand that 'they should have
known better about'? What's a cure, partial or complete, for the justifiable
erosion of confidence in an Internet economy?

Stricter life cycle exit criteria enforcement? More rigorous testing?

Certified software engineering training, including software safety and
formal specification?

Conscientious management and leadership, schooled in ethics and
technologically prescient and informed about when to "go live" or not?

Why not require each factory to publicly disclose their defect discovery and
repair throughout the life cycle? This measure can be used by consumers for
comparative shopping, enumerating dependencies on open source, and reassure
about their processes leading to publication, a software factory "Consumer
Reports" guide?

What about passing a law that eliminates manufacturer indemnification from
the software use license? Civil or criminal legislation that deters
publication possibly infringes corporate free speech.

Organizational neglect for a rigorous editorial life cycle (from
requirements through release) is routinely experienced by all
consumers. When intellectual property, especially and particularly software,
is commonly treated like used tissue paper, a lowest common denominator
publication will readily materialize.  'Agile' has become a euphemized
excuse to accelerate release defect density injection and intensify
production escape potential.

Perhaps a law should be passed that assigns full and lifetime accountability
to individual software factory contributors for their escaped defects. To
ensure enforcement, penalize everyone in the organization, doubled per
management layer, for each breach of public confidence and trust erosion
arising from the escape.  This pyramidal penalization scheme would quickly
bankrupt the personnel of any for-profit software factory, exponentially
depleting fortunes.

A possible deterrent might be found in the IEEE Code of Ethics. It states,
in part, do no harm. The Code implies that product life cycle participants
doubting release fitness and readiness stand up to management "to avoid
injuring others, their property, reputation, or employment by false or
malicious action."  This means that factory participants object, gain
alignment to fix what's broken given prioritization and severity, and ensure
corrective closure. Or, if necessary, walk off the job rather than sustain
employment within an ethically compromised factory. A tough decision for
those who depend on it for their livelihood.

IEEE membership imbues ethical obligations, a professional duty to respect
the Code and conduct oneself accordingly. Those who elect to remain silent
in light of weak, dangerous, or ambivalent factory practices that compromise
ethics and render public outrage might be subject to e-profile shame, a
demerit counter notably absent from LinkedIn or Facebook e-profiles. A
herd-immunity to defect escape might evolve which vaccinates the Internet
more effectively than any monetary incentive or group-think pressure.

Alternatively, a collective professional action, a unionized protest and
work stoppage, might forestall promotion of ill-fitting and trust-eroding
publications into the Internet economy. Imagine if everyone who authors
software "dropped their pencils" for a day in protest, including financial
or medical institutions?

Would a world-wide "Occupy" movement for software safety, privacy and
security influence public awareness of our technological precipice? It may
induce management to account for and reinforce ethical software engineering
conduct. A certain temporary suppression of defect escape might materialize
on the day of protest.

Software engineering discipline is substantially weakened by individuals who
are ethically irresponsible towards their customers, products, and the
organization they associate with. This myopic ethical conduct compromises
civil society, weakens our engineering profession, and compounds Internet

Hardcore capitalists promote the idea that the marketplace should solely
decide winners and losers. Technology industrial governance dominated by
this mindset breeds to promulgate 'covert institutionalized violence.' This
practice disenfranchises more worthy social interests over a select few:
Specifically, corporate data breaches flourish while individual e-profiles
and identities are victimized with impunity. Where are the Darwin Awards for
these irresponsible organizations?

Consumer Internet experience is today analogous to that found in financial
markets where profit is privatized and risk is publicly shared. Our
e-profiles and identities are monetized and exploited for private
enrichment, but individuals bear the expense of indiscriminate theft, credit
repair, and violation of privacy.

The time has come to implement a "Technology Safety, Privacy and Trust
Erosion Day" to promote the interests of a citizen's right to privacy and
security, to commemorate e-profile and identity ownership preservation,
dignity, respect, and the right to be left alone.

Richard M. Stein <>
