The RISKS Digest
Volume 28 Issue 92

Wednesday, 26th August 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Air Traffic Ctlr directs pilot to.. nonexistent runway
danny burstein
FTC can sue for non-encryption?
Ars Technica via HB
Should Cops Be Allowed to Take Control of Self-Driving Cars?
Slate via LW
Car information security is a complete wreck
Cory Doctorow via HB
Your Car Network == CAN of Worms
Sean Gallagher via HB
Twitter's Right to Be Forgotten Move
Paul Alan Levy via Dave Farber
Political Tweets: Fuhgeddaboudem
Danziger Bridge prosecutors' misconduct, anonymous comments unmasked; convictions overturned
Henry Baker
Recursive UnJournalism; RTBF Story is Forgotten
Mike Masnick via HB
Virtualization doubles the cost of security breach
Maria Korolov
DEFCON23: Mass /Virtual/ Murder
Chris Rock via HB
ATT hotspots injecting ads by tampering with HTTP
Jonathan Mayer
Win10 stops piracy & privacy, so why should I care?
Henry Baker
Crypto is hard ...
Rogier Wolff
Re: Failing light rail safety system
David Alexander
Re: gmail policy on BCCs, related to Mass. pot dispensary
Steve Peterson
Re: Ad Blockers and the Nuisance at the Heart of the Modern Web
David Alexander
Re: ATM security risk: nonfinalization
Alister Wm Macintyre
Geoff Kuenning
Info on RISKS (comp.risks)

Air Traffic Ctlr directs pilot to.. nonexistent runway

danny burstein <>
Tue, 25 Aug 2015 07:42:12 -0400 (EDT)
Folk in the NYC area, especially commuters from Long Island, may remember a
plane that crash landed on Long Island Railroad tracks earlier this month.


[Private plane having engine trouble.. ATC giving him directions...]

The controller then provided information on "Bethpage strip" and informed
the pilot that the airport was closed; however, there was a runway there.

An examination of the area of the former Bethpage Airport revealed that
industrial buildings occupied the former runway surface area. The accident
site was located about 0.25 nm northwest of the former runway's approach
end.     ^^^^^^^

rest: 150816X95657&key=1

FTC can sue for non-encryption?

Henry Baker <>
Tue, 25 Aug 2015 09:21:22 -0700
FYI—I guess this means that encryption is now mandatory?

"Wyndham allowed its partner hotels to store credit card information in
plain text"

'The FTC argued that “taken together, [Wyndham] unreasonably and
unnecessarily exposed consumers' personal data to unauthorized access and

"the FTC has the ability to take action on behalf of consumers when
companies fail to take reasonable steps to secure sensitive consumer

FTC can sue companies with poor information security, appeals court says

Court says Wyndham hotels practices could be considered `unfair' and

Megan Geuss - Aug 24, 2015 9:47 pm UTC

On Monday, a federal appeals court ruled that the Federal Trade Commission
(FTC) has the power to take action (PDF) against companies that employ poor
IT security practices.  The ruling, from the United States Court of Appeals
for the Third Circuit, came as part of a lawsuit between the FTC and Wyndham
Worldwide Corporation, which manages a collection of hotels throughout the

In 2008 and 2009, Wyndham suffered three different breaches of its network,
ultimately losing payment card information for more than 619,000 customers
and causing $10.6 million in loss due to fraud.  The FTC sued Wyndham in
2012 for failing to protect its customers from hackers, and Wyndham
countered by saying that it was a victim of the hack itself and should not
be penalized by the FTC for the breach.

Should Cops Be Allowed to Take Control of Self-Driving Cars?

Lauren Weinstein <>
Wed, 26 Aug 2015 08:05:06 -0700

  What's less clear is where to draw the line. If a police officer can
  command a self-driving car to pull over for his own safety and that of
  others on the road, can he do the same if he suspects the passenger of a
  crime? And what if the passenger doesn't want the car to stop--can she
  override the command, or does the police officer have ultimate control?

I've been saying for ages that governments will demand access to sensor data
and the ability to control these vehicles, both individually and en masse.
They'll be able to effectively close down a city, lock your doors and drive
you direct to the police station, and more.  Don't believe it?  It's
inevitable if autonomous cars go mainstream.

Car information security is a complete wreck (Cory Doctorow)

Henry Baker <>
Mon, 24 Aug 2015 08:16:07 -0700
FYI—Obviously, the head-in-the-sand (or some other orifice) approach
isn't working...

"There is a sociopathic economic rationality to silencing researchers who
come forward with bugs."

"GM... says that your car is a copyrighted work and that researching its
bugs is a felony form of piracy."

"Volkswagen sued security researchers ... over disclosure of major bugs in
VW's keyless entry system."

Cory Doctorow, BoingBoing, 23 Aug 2015
Car information security is a complete wreck—here's why

Your Car Network == CAN of Worms (Sean Gallagher)

Henry Baker <>
Mon, 24 Aug 2015 09:03:06 -0700
FYI—It's time for Dan to host a "Top Geer" TV show...

Those '50's cars in Cuba are looking more attractive all the time!

"Not all of the vehicles that might be vulnerable ... can be patched easily."

"car companies have even sued researchers to shut them up"

"the network effect of a vulnerable remote connection to a vehicle increases
the odds that something can be hacked"

"start sending CAN bus signals to your engine controller and theoretically
make your engine explode"

"the [OBD II] port allows devices to jack directly into the CAN bus"

"CAN is a multi-master bus, and thus any device with a CAN transceiver is
able to send messages as well as receive"

"transmit access to the CAN bus is frequently sufficient to obtain arbitrary
control over all key vehicular systems (including throttle and brakes)"

"updates can't fix ... problems that may be in systems that can't be remote
updated, or updated at all."

"Automakers essentially hope that by deterring security researchers from
investigating their systems, they can keep potential vulnerabilities

Sean Gallagher, Ars Technica, 23 Aug 2015
Highway to hack: Why we're just at the beginning of the auto-hacking era

A slew of recently revealed exploits show gaps in carmakers' security fit
and finish.

Sean Gallagher's long, comprehensive article on the state of automotive
infosec is a must-read for people struggling to make sense of the summer's
season of showstopper exploits for car automation, culminating in a
share-price-shredding 1.4M unit recall from Chrysler, whose cars could be
steered and braked by attackers over the Internet.

All complex systems have bugs.  Even well-audited systems have bugs lurking
in them (cough openssl cough).  Mission-critical systems whose failings can
be weaponized by attackers to wreak incredible mischief are deeply, widely
studied, meaning that the bugs in the stuff you depend on are likely being
discovered by people who want to hurt you, right now, and turned into
weapons that can be used against you.  Yes, you, personally, Ms/Mr Nothing
To Hide, because you might be the target of opportunity that the attacker's
broad scan of IP addresses hit on first, and the software your attacker
wrote is interested in pwning everything, regardless of who owns it.

The only defense is to have those bugs discovered by people who want to help
you, and who then report them to manufacturers.  But manufacturers often
view bugs that aren't publicly understood as unimportant, because it costs
something to patch those bugs, and nothing to ignore them, even if those
bugs are exploited by bad guys, because the bad guys are going to do
everything they can to keep the exploit secret so they can milk it for as
long as possible, meaning that even if your car is crashed (or bank account
is drained) by someone exploiting a bug that the manufacturer has been
informed about, you may never know about it.  There is a sociopathic
economic rationality to silencing researchers who come forward with bugs.

In the computer world, the manufacturers have largely figured out that
threatening researchers just makes their claims more widely known (the big
exceptions are Oracle and Cisco, but everyone knows they're shitty companies
run by assholes).

The car industry is nearly entirely run by Oracle-grade assholes.  GM, for
example, says that your car is a copyrighted work and that researching its
bugs is a felony form of piracy.  Chrysler was repeatedly informed about its
showstopper, 1.4M-car-recalling bug, and did nothing about it until it was
front-page news.  Volkswagen sued security researchers and technical
organizations over disclosure of major bugs in VW's keyless entry system.
Ford claims that its cars are designed with security in mind, so we don't
have to worry our pretty little heads about them (because openssl was not
designed with security in mind?).

None of this stops bad guys from learning about the bugs in these systems --
it just stops you, the poor sucker behind the wheel, making payments on a
remote-controllable deathmobile, from learning about them.

Tesla, at least, has a bug-bounty program and a commitment to transparency.
But the bugs that researchers found are pretty heinous and difficult to
comprehensively mitigate.

Gallagher's article explains in eye-watering detail the dumb technological
decisions the car-makers made that got us into this mess, but more
importantly (and less prominently), the culture of the car-makers that has
allowed this situation to come to pass.  Even if the technological
boondoggles can be fixed, we're still in a lot of trouble unless we can sort
out their culture.  [...]

Twitter's Right to Be Forgotten Move (via Dave Farber)

Paul Alan Levy <>
August 24, 2015 at 2:43:56 PM EDT
Twitter's recent decision to cut off API access to a site that memorializes
tweets from politicians, and that refuses to bar access to such tweets after
a political figure decides to hide a given tweet, presents an unusual twist
on the right to be forgotten.  Twitter's position is apparently that it is
protecting its users' right to have their own inconvenient past statements

Paul Alan Levy, Public Citizen Litigation Group, 1600 20th Street, NW
Wash. D.C.  20009 (202) 588-7725

Political Tweets: Fuhgeddaboudem

Henry Baker <>
Mon, 24 Aug 2015 07:56:43 -0700
FYI—If you believe in representative democracy and the First Amendment,
the right for politicians' words to be forgotten is the ultimate poison

It remains to be seen why Twitter would shut down a service that preserves
politicians' embarrassing tweets, but if the reason was to ingratiate
Twitter with said politicians, then Twitter should lose all of its Fourth
Estate privileges.

It's time to incorporate tweets into a Bitcoin-style blockchain so that it
will be impossible to delete them.

 - - - -

Open State Foundation promotes digital transparency by unlocking open data
and stimulates the development of innovative and creative applications.

Danziger Bridge prosecutors' misconduct, anonymous comments unmasked; convictions overturned

Henry Baker <>
Tue, 25 Aug 2015 12:18:25 -0700
This case troubles me for many reasons.  The police officers were wrong.
The prosecutors were wrong.  Yet *no one* will remain in jail.

I'm sure that this case will be used as an excuse to eliminate anonymous
postings on the Internet, but this would be the equivalent to removing
everyone's right to drive due to the bad behavior of a few drivers.

Furthermore, the apparently voluminous nature of the anonymous postings from
prosecutors makes one wonder about the volume of leaks to reporters from
"knowledgeable sources"—i.e., prosecutors—in many/most other cases.
There seems to be a systematic perversion of the right to a fair trial by
unethical prosecutors.

From the Appeals Court ruling:

'That three supervisory-level prosecutors committed misconduct in connection
with the Danziger Bridge prosecution is beyond dispute.  Perricone's
comments spanned the entire prosecution and went directly to the guilt of
the defendants, the collective guilt of NOPD, and the relative competence
and integrity of defense counsel versus the USAO.  Dobinski's comments
stirred the pot by encouraging commenters who were plainly familiar with the
trial proceedings, one of whom was Perricone, to keep doing a `public
service' with their biased reports.  Mann's comments, posted during
post-trial sentencing proceedings, displayed partiality toward the
prosecution and denigrated the district court and defense counsel in another
Danziger Bridge case.'

'The government acknowledges significant, repeated misconduct by Perricone
and Jan Mann and, to a lesser extent, Dobinski.   [...]

Recursive UnJournalism; RTBF Story is Forgotten (Mike Masnick)

Henry Baker <>
Tue, 25 Aug 2015 12:43:09 -0700
FYI—"Should auld acquaintance be forgot, and never brought to mind?"

Remember the hacker's dictionary entry: "Recursion.  See recursion."  The
Right-To-Be-Forgotten (RTBF) is now being abused to take down stories about
RTBF itself.

Remember the old joke about how to stop a robot: yell "Control-C".  Well,
the new joke about RTBF is to yell "Control-Z" (undo on Windoze).

One of the comments on this TechDirt story: "Recursive Journalism: TechDirt
should prepare a recursive strategy for these cases.  Nest the prior story
inside a new one with an iterative counter.  Repeat until it's turtles all
the way down."

Google Disappears TechDirt Article About Right To Be Forgotten Due To Right To Be Forgotten Request

Mike Masnick, TechDirt, 25 Aug 2015

Well, well.  Just a few days ago, we wrote about the fact that Google was
being asked to "forget" articles about the right to be forgotten, under new
right to be forgotten requests... and suddenly we've been notified that a
Techdirt article about the right to be forgotten has been similarly stuffed
down the memory hole*.  The article in question, is our story from last fall
about *The NY Times* writing about the right to be forgotten requests that
resulted in *NY Times* articles disappearing from some searches.  The *NYT*
detailed what each story was about and it wasn't too difficult to figure out
who was likely trying to make sure the articles were no longer linked to
their names.

It would appear that one of those individuals similarly has sent in this
request—but that's completely bogus, as we'll explain in a moment.  First
up, the notice:

  Due to a request under data protection law in Europe, we are no longer
  able to show one or more pages from your site in our search results in
  response to some search queries for names or other personal identifiers.
  Only results on European versions of Google are affected. No action is
  required from you.  [...]  [Very long message truncated for RISKS. PGN]

Virtualization doubles the cost of security breach (Maria Korolov)

Gene Wirchenko <>
Tue, 25 Aug 2015 14:06:38 -0700
Maria Korolov, InfoWorld (CSO) 24 Aug 2015
When a security incident involves virtual machines, the recovery costs
double compared to that of a traditional environment.

DEFCON23: Mass /Virtual/ Murder

Henry Baker <>
Tue, 25 Aug 2015 18:58:37 -0700
  FYI—For example, using the hacked OPM database and the techniques in
  this DEFCON talk, one could (virtually) "kill" all 22 million people in
  the OPM database—or at any rate, get an official death certificate
  issued for each and every one of them.  The appropriate web sites even
  have an "upload bulk death registration" button for your convenience.

DEF CON 23 - Chris Rock - I Will Kill You, 14 Aug 2015

Have you ever wanted to kill someone?  Do you want to get rid of your
partner, your boss or your arch nemesis?  Perhaps you want to enjoy your
life insurance payout whilst you're still alive.  Do you have rich elderly
parents that just won't die quick enough?  Or do you want a `Do Over' new

Then, this presentation is for you! I'll provide you with the insight and
techniques on how to `kill' someone and obtain a real death certificate and
shutdown their lives.  It focuses on the lack of security controls that
allow any of us to virtually kill off anyone or any number of people.
Forget the Dexter way of killing someone, I'll show you how to avoid the
messy clean up and focusing in on the digital aspects.  You could be dead
right now and not even know it.  [...]

ATT hotspots injecting ads by tampering with HTTP (Jonathan Mayer)

Henry Baker <>
Tue, 25 Aug 2015 17:22:33 -0700
  FYI—Yet another reason to convert *everything* to HTTPS...

Jonathan Mayer (CS+Lawyer, Stanford), Web Policy, August 25, 2015

While traveling through Dulles Airport last week, I noticed an Internet
oddity.  The nearby AT&T hotspot was fairly fast—that was a pleasant

But the web had sprouted ads.  Lots of them, in places they didn't belong.

Win10 stops piracy & privacy, so why should I care?

Henry Baker <>
Mon, 24 Aug 2015 12:39:02 -0700
  FYI—"*misunderstanding* around Microsoft's Services Agreement" ??
  Perhaps Microsoft is *misunderestimating* the negative response to all of
  Win10's snooping.  HB   [Multiple sources follow, somewhat PGN-ed]

The ordinary man-in-the-street would consider Win10's banishment from pirate
sites to be a good thing, but the problem is that *any technology powerful
enough to stop piracy is also powerful enough to destroy free speech and

Microsoft Wants to Block Pirated Content?  Pirate Sites Ban Windows 10 Instead

iTS torrent tracker admins ban Windows 10 users, BB and FSC administrators
thinking of doing the same

The misunderstanding [?] around Microsoft's Services Agreement is starting
to trickle into the ordinary life of regular Internet users, with scared
torrent tracker admins banning or thinking of banning Windows 10 users from
their sites.

We aren't talking about The Pirate Bay, Kickass Torrents, RARBG, or
ExtraTorrent here, but the small scene trackers—which are so private that
it takes 30 minutes of googling just to find what the site acronym stands
for, what their URL is, and what the correct sign-up procedure is.

These trackers, along with the release scene, are where most pirated
materials first get posted and spread online, and where privacy, security,
and anonymity are very crucial factors, helping protect the identity of the
people spreading the pirated material online.

If you've been away from your computer this past week, you've probably
missed all the talk about Microsoft's new Windows 10 update procedures
which, coupled with the company's Services Agreement could allow it to block
pirated material and unauthorized hardware.

While the waters are still murky around this issue, with Microsoft staying
silent around the topic, and with not a single complaint from one Windows 10
user screaming that he had his downloaded torrents whipped from their hard
drive, some pirate tracker admins are already taking some steps to protect
themselves, just in case.

iTS admins block users with Windows 10 from their tracker

The first ones to hit the alarm button were the iTS admins, who have
started redirecting all Windows 10 users accessing their site to a YouTube
video called: Windows 10 is a Tool to Spy on Everything You Do.

Additionally, a statement was sent out to users from which you can also read

"Hey there shadows! Many of you might have heard or read about the terrible
privacy policy of windows 10 recently.  Unfortunately Microsoft decided to
revoke any kind of data protection and submit whatever they can gather to
not only themselves but also others.  One of those is one of the largest
anti-piracy company called MarkMonitor.

"Amongst other things windows 10 sends the contents of your local disks
directly to one of their servers.  Obviously this goes way too far and is a
serious threat to sites like ours which is why we had to take measures.
Since last Thursday Windows 10 is officially banned from iTS.  Members using
it get redirected to a video that eggsplains the dangers quite in detail
hoping to enlighten as many people as possible."

"Perhaps at some point special versions of Windows 10 will surface that
would successfully wipe all those outrageous privacy violations but until
then Windows 10 is not welcome here in the interest of this site and all iTS
members."  [...]

"As we all know, Microsoft recently released Windows 10.  You as a member
should know, that we as a site are thinking about banning the OS from FSC,"
said one of the FSC staff.

Likewise, in a message to their users, a BB admin said something similar,
"We have also found [Windows 10] will be gathering information on users' P2P
use to be shared with anti piracy group."

The anti-piracy group the pirate site admins are referring to is
MarkMonitor, a US company that specializes in online corporate identity
protection, one that is known to have worked with the MPAA in protecting its
copyrighted materials, but one that has also worked with Microsoft in the
past, to protect Windows users from online identity theft and scam

The reaction of everyone involved is very similar to the Y2K debacle, and
judging that Microsoft has worked with MarkMonitor in previous versions of
Windows should tell you that the pirate site admins are overreacting a bit.

We certainly don't believe Microsoft is going to commit reputational suicide
by messing with user files, be they pirated or not.  Let's not forget
Windows 10 is an operating system, not our parents, and there's always Linux
or Mac around the corner.

Crypto is hard ...

Rogier Wolff <>
Wed, 26 Aug 2015 10:41:16 +0200
In response to:
Re: Intel to customers: We listen to you... All The Time! (Maziuk)

Henry Baker pointed us towards:

which says:

> One such variant is 3DES, which will increase the effective key
> length to 112 bits or 168 bits, depending on how it's implemented.

strongly implying that the "work factor" explained a few lines up
would be 2^168 for the 168 bit key length.

Wouldn't it be nice to know something about cryptography before writing
about it? No matter how many keybits (112/168) you throw at 3-DES, I
understand that there is a "meet in the middle" attack that always restricts
the amount of work to break it to about 2^112.

So 3-DES with more than 112 key bits only serves to instill a false sense of
security to those who don't know the details.

Moore's law implies we can break 10 more bits every 2 decades. Want to keep
a secret for a century (or don't want to be forced to change your encryption
system (*)), you need a "margin" of at least 5*10 = 50 bits.  Assuming 60
bits is broken today in 2015, 3DES will expire in 2115, even if you use 168

(*) Of course the /system/ can be broken in that period. But if you design a
margin of say only 20 bits, you can be SURE that you have to change the
encryption scheme in a few decades.

+31-15-2600998
Delftechpark 26 2628 XH  Delft, The Netherlands. KVK: 27239233
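The meet-in-the-middle point made above, as an added example that is not part of the RISKS post: a constructed 16-bit toy block cipher stands in for DES so that double encryption (32 nominal key bits) is recovered in about 2*2^16 steps rather than 2^32, and two small helpers give the same bound for three layers (2^112 for 3DES) and the post's Moore's-law expiry arithmetic. The toy cipher, the sample keys and the 60-bits-in-2015 / 10-bits-per-two-decades constants are assumptions taken from or constructed for this example.

```python
"""Meet-in-the-middle against a toy double encryption (constructed example).

A 16-bit toy block cipher stands in for DES so the attack finishes in
seconds.  The lesson is the post's: two independent k-bit keys give 2k
nominal bits but only about 2^k work for an attacker who trades memory
for time, and the same split caps 3DES at 2^112 whatever the nominal size.
"""
import math

MASK = 0xFFFF                       # 16-bit blocks and keys
MULT = 0x9E37                       # odd, hence invertible modulo 2^16
MULT_INV = pow(MULT, -1, 1 << 16)   # needs Python 3.8+
ROUNDS = 4


def toy_encrypt(key: int, block: int) -> int:
    """Toy cipher: xor key, affine step, rotate; repeated ROUNDS times."""
    x = block & MASK
    for r in range(ROUNDS):
        x = (x ^ key) & MASK
        x = (x * MULT + r) & MASK
        x = ((x << 3) | (x >> 13)) & MASK
    return x


def toy_decrypt(key: int, block: int) -> int:
    """Exact inverse of toy_encrypt (undo rotate, affine step, xor)."""
    x = block & MASK
    for r in reversed(range(ROUNDS)):
        x = ((x >> 3) | (x << 13)) & MASK
        x = ((x - r) * MULT_INV) & MASK
        x = (x ^ key) & MASK
    return x


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """Two toy layers: 32 nominal key bits, the analogue of double DES."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Cost: 2^16 encryptions plus 2^16 decryptions and a 2^16-entry table,
    instead of the 2^32 trial double-encryptions of an exhaustive search.
    The first pair builds and probes the table; the remaining pairs weed
    out the roughly 2^16 false (k1, k2) candidates the first pair leaves.
    """
    p0, c0 = pairs[0]
    table = {}                       # middle value -> keys k1 producing it
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    for k2 in range(1 << 16):        # meet each backward value in the table
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2
    return None


def mitm_work_bits(layers: int, key_bits: int) -> int:
    """log2 of meet-in-the-middle time against `layers` independent
    encryptions under key_bits-bit keys: enumerate ceil(layers/2) keys on
    one side, match the rest from the other.  3DES: ceil(3/2)*56 = 112."""
    return math.ceil(layers / 2) * key_bits


def year_effective_bits_reached(effective_bits, bits_today=60,
                                base_year=2015, bits_per_decade=5.0):
    """Year at which the post's rate (10 bits per two decades, 60 bits
    feasible in 2015; both assumptions from the post) reaches the bound."""
    return base_year + (effective_bits - bits_today) / bits_per_decade * 10


if __name__ == "__main__":
    k1, k2 = 0xBEEF, 0x1234          # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x0001, 0x4242, 0x7777)]
    print("recovered keys:", meet_in_the_middle(pairs))
    print("3DES meet-in-the-middle work: 2^%d" % mitm_work_bits(3, 56))
    print("112-bit bound reached around:", year_effective_bits_reached(112))
```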

Re: Failing light rail safety system (Muller)

David Alexander <>
Sat, 22 Aug 2015 17:41:25 +0000 (UTC)
I noted Geoff Kuenning's post about low level hardware controllers to prevent
an 'all green' event on traffic lights with a failsafe mode.

In a previous job we did some vulnerability research in a lab on a system
made by a European manufacturer that controlled traffic lights. By using
ladder logic analysis we worked out which memory locations to alter in order
to set all the lights to green or red. It worked. Either they don't have
that kind of fail-safe controller or we defeated even that.

regards David

Re: gmail policy on BCCs, related to Mass. pot dispensary

Steve Peterson <>
Fri, 21 Aug 2015 17:24:49 -0500
About a year ago I switched to a paid outgoing SMTP service (US$45/year)
with better spam prevention logic.  Worth every cent.

Re: Ad Blockers and the Nuisance at the Heart of the Modern Web

David Alexander <>
Sat, 22 Aug 2015 17:49:20 +0000 (UTC)
In the post by Monty Solomon on the developments by PageFair, they seem to
have forgotten the basics of human nature. I have been using AdBlock and
Ghostery for years and love the freedom they give me from intrusive adverts
that annoy me and from <expletive deleted> that I don't want cluttering up
my web pages and trying to track my activity. I appreciate that some North
American readers may find the concept of privacy a bit 'quaint' but in
Europe we guard it as closely and value it as fiercely as many Americans do
the right to bear arms.

If PageFair think that I am going to be receptive to advertising that finds
a way round the blocking features I use then they have another think
coming. I am going to be actively hostile towards the companies supplying
the technology and those using it to advertise. They run the risk of alienating
their potential customers and losing market share, not gaining it.

If I have to choose between receiving adverts and there being a lot less web
content available, I'll take less web content every time.

Re: ATM security risk: nonfinalization

Alister Wm Macintyre (Wow) <>
Sun, 23 Aug 2015 11:22:48 -0500
  [Jeremy Epstein said,
    My bank's ATMs have this same "feature", but clicking "yes" just avoids
    reswiping the card.  You still have to re-enter the PIN.]

I have used the YES to do more transactions, without having to do the PIN#
again.  It has been a while since I last tried that, maybe they changed it

  [John Levine said,
    My bank does that, but demands that I re-enter my PIN if I pick YES for
    another transaction.  Perhaps they're not quite as dumb as they seem.]

I have occasionally used the YES NO screen at the end of one of my
transactions, to do another one.  I did not have to enter my PIN # for the
later transaction.

Usually the customer in front of me is in another personal auto. The last
time, it was a vehicle of a major company.  If that was not his personal
account, there might be a lot in there.  My bank limits what can be
withdrawn via ATM in a day, to a few hundred $, or at least they used to.

Re: ATM security risk: nonfinalization (McIntyre)

Geoff Kuenning <>
Sat, 22 Aug 2015 06:27:16 -0700
So: hang back and use binoculars.  Pull on a ski mask and walk or drive up
(having covered the license plate).  Grab money.

That sounds pretty foolproof to me.  However, you'd better do it soon
because customers will start catching on.

(And my own (big) banks have had the multi-transaction capability for
decades.  So I'd have to suspect the RISK is small since there are
relatively few latecomers to the technology.)

    Geoff Kuenning
