The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 07

Tuesday 15 July 2014


14,000 Draft Notices Sent To Pennsylvania Men Born In 1800s
Doug Hosking
Birth control of the future could be activated with wireless remote
Sarah Gray via Henry Baker
Crypto weakness in smart LED lightbulbs exposes Wi-Fi passwords
Dan Goodin
Private crypto key stashed in Cisco VoIP manager allows network hijacking
Dan Goodin via Monty Solomon
FCC's awful website crashes on last day for initial net neutrality comments
Jon Brodkin via Lauren Weinstein
Pew Research: Global Opinions of U.S. Surveillance
Richard Forno
GCHQ hacks online polls
Glenn Greenwald via Henry Baker
Report: Rare leaked NSA source code reveals Tor servers targeted
Cyrus Farivar via Monty Solomon
Should hospitals investigate their patients?
danny burstein
Designing water slides is not the same as designing roller coasters
Ben Rothke
"Female Cyber Sleuths Hack Into Silicon Valley's Boys Club"
Jordan Robertson
Site catalogues links being censored from Google by EU
Lauren Weinstein
The right to be forgotten will turn the Internet into a work of fiction
David Mitchell via Lauren Weinstein
WashPost: In NSA-intercepted data, those not targeted far outnumber the foreigners who are
Lauren Weinstein
Chinese Hackers Broke Into U.S. Personnel Networks, NYT Reports
AP via David Farber
Germany 'may revert to typewriters' to counter hi-tech espionage
Henry Baker
Re: Hong Kong electronic voting system ...
nick brown
Michael Bacon
Re: Unix "*" wildcards considered harmful
Dave Horsfall
Info on RISKS (comp.risks)

14,000 Draft Notices Sent To Pennsylvania Men Born In 1800s

"Doug Hosking" <>
Thu, 10 Jul 2014 18:49:18 -0700
... and you thought "Y2k-like" bugs were ancient history.

Birth control of the future could be activated with wireless remote (Sarah Gray)

Henry Baker <>
Mon, 07 Jul 2014 15:57:18 -0700
FYI—Q: If the NSA hacked this device & caused a woman to get pregnant,
would the NSA legally become the father of the child & be liable for child
support?  What if NSA-weakened encryption enabled someone else to hack the

Sarah Gray, *Salon*, 7 Jul 2014
The device, developed by MicroCHIP, can last up to 16 years

The company MicroCHIP, based in Massachusetts, is developing a rather
futuristic form of contraception: a microchip that lasts for 16 years and
can be easily turned off, no doctor's appointment necessary.

The concept was conceived two years ago when Bill Gates visited Robert
Langer's MIT lab. Gates, according to MIT Technology Review, mused over
whether it was possible to create a birth control that could easily be
turned on or off as desired. Langer thought a product he invented with
Michael Cima and John Santini in the 1990s might work, which was licensed to

The chip would be wireless, and could be controlled by the patient via
remote control. Doctors, too, could control dosage remotely. MIT Technology
Review explains the technology:

“The device measures 20 x 20 x 7 millimeters, and it is designed to be
implanted under the skin of the buttocks, upper arm, or abdomen. It
dispenses 30 micrograms a day of levonorgestrel, a hormone already used in
several kinds of contraceptives. Sixteen years' worth of the hormone fits in
tiny reservoirs on a microchip 1.5 centimeters wide inside the device.
MicroCHIP invented a hermetic titanium and platinum seal on the reservoirs
containing the levonorgestrel. Passing an electric current through the seal
from an internal battery melts it temporarily, allowing a small dose of the
hormone to diffuse out each day.''

Gates is no stranger to sexual health technology. In 2013, the Bill and
Melinda Gates Foundation challenged innovators to build a better condom --
one that would protect against unwanted pregnancy, sexually transmitted
infections and feel good—to entice more folks to use them.

The microchip device is still in the testing phase, and is not yet FDA
approved. CNET reports:

“So far, the chips have been tested in a human clinical trial, delivering
osteoporosis medication to post-menopausal women over a one-month period,
demonstrating that the technology works, producing no adverse immune
reaction, and demonstrating the durability of the chip. The device was
implanted using a local anesthetic, and the procedure took no more than 30

There are, of course, large kinks to work out before this could become a
viable contraceptive method (not including political battles over birth
control).  A commenter on MIT Technology Review worries about who could
potentially control such a device without the woman's consent. It is a
rather scary prospect.

The chips would need all sorts of encryption to protect data and keep the
device safe from hackers. As technology entwines itself more and more within
the fabric of our being—quite literally in this case—we must tread
carefully, especially in terms of health.

MIT Technology Review, CNET

Crypto weakness in smart LED lightbulbs exposes Wi-Fi passwords (Dan Goodin)

Monty Solomon <>
Tue, 8 Jul 2014 01:38:32 -0400
Dan Goodin, Ars Technica
More evidence the Internet of things treats security as an afterthought.

In the latest cautionary tale involving the so-called Internet of things,
white-hat hackers have devised an attack against network-connected
lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the
LED devices.

The attack works against LIFX smart lightbulbs, which can be turned on and
off and adjusted using iOS- and Android-based devices. Ars Senior Reviews
Editor Lee Hutchinson gave a good overview here of the Philips Hue lights,
which are programmable, controllable LED-powered bulbs that compete with
LIFX. The bulbs are part of a growing trend in which manufacturers add
computing and networking capabilities to appliances so people can manipulate
them remotely using smartphones, computers, and other network-connected
devices. A 2012 Kickstarter campaign raised more than $1.3 million for LIFX,
more than 13 times the original goal of $100,000. ...

Private crypto key stashed in Cisco VoIP manager allows network hijacking (Dan Goodin)

Monty Solomon <>
Tue, 8 Jul 2014 01:45:14 -0400
Update closes backdoor allowing unauthorized control of sensitive messaging

Dan Goodin, Ars Technica, 2 Jul 2014

Cisco Systems has released a security update that closes a backdoor allowing
attackers to control software that large organizations use to manage voice
over IP (VoIP) calls and messaging over their networks.

The default secure shell (SSH) key made it possible for hackers to gain
highly privileged administrative access to the Cisco Unified Communications
Domain Manager, the networking company warned in an advisory published
Wednesday. From there, intruders could execute arbitrary commands or gain
persistent access to the systems. The advisory didn't explicitly say that
attackers could monitor discussions or track the times that calls or
messages were made and who sent and received them, but it wouldn't be
surprising if those capabilities were also possible. In an e-mail, a Cisco
representative said these capabilities were not possible. In addition to
VoIP management, the Cisco Unified Communications Domain Manager also allows
users to manage Cisco Jabber, a cloud-based service for instant messaging,
voice and video communications, desktop sharing, and conferencing. ...

FCC's awful website crashes on last day for initial net neutrality comments (Jon Brodkin)

Lauren Weinstein <>
Tue, 15 Jul 2014 08:20:04 -0700
Jon Brodkin, Ars Technica via NNSquad, 15 Jul 2014

  "Today is the last day to file initial comments on the Federal
  Communications Commission's network neutrality proposal, and the FCC's
  ancient website is unable to handle the load.  This morning when trying to
  access the form to submit comments and the list of already submitted
  comments, I got an error message that said: "could not inspect JDBC
  autocommit mode." I also got this much longer and more entertaining error
  message: ..."

Pew Research: Global Opinions of U.S. Surveillance

Richard Forno <>
July 14, 2014 at 3:57:47 PM EDT
[Pew Research via Dave Farber]

The Pew Research Center's 2014 Global attitudes survey asked 48,643
respondents in 44 countries what they thought about the American government
monitoring communications, such as e-mails and phone calls, in the U.S. and
other countries. Specifically, global publics were asked whether the
U.S. government's alleged monitoring of communications from individuals
suspected of terrorist activities, American citizens, citizens of the survey
countries or the leaders of the survey countries is acceptable or

GCHQ hacks online polls (Glenn Greenwald)

Henry Baker <>
Tue, 15 Jul 2014 06:30:16 -0700
FYI—How thin is the line between "hacking online polls" and "hacking
online elections"?

Glenn Greenwald, *The Guardian*, 14 Jul 2014
Hacking Online Polls and Other Ways British Spies Seek to Control the Internet

The secretive British spy agency GCHQ has developed covert tools to seed the
Internet with false information, including the ability to manipulate the
results of online polls, artificially inflate pageview counts on web sites,
`amplify' sanctioned messages on YouTube, and censor video content judged to
be `extremist'.  The capabilities, detailed in documents provided by NSA
whistleblower Edward Snowden, even include an old standby for pre-adolescent
prank callers everywhere: A way to connect two unsuspecting phone users
together in a call.

The tools were created by GCHQ's Joint Threat Research Intelligence Group
(JTRIG), and constitute some of the most startling methods of propaganda and
Internet deception contained within the Snowden archive.  Previously
disclosed documents have detailed JTRIG's use of “fake victim blog posts,''
“false flag operations,'' “honey traps'' and psychological manipulation to
target online activists, monitor visitors to WikiLeaks, and spy on YouTube
and Facebook users.

But as the U.K. Parliament today debates a fast-tracked bill to provide the
government with greater surveillance powers, one which Prime Minister David
Cameron has justified as an “emergency'' to “help keep us safe,'' a newly
released top-secret GCHQ document called “JTRIG Tools and Techniques''
provides a comprehensive, birds-eye view of just how underhanded and
invasive this unit's operations are.  The document—available in full here
-- is designed to notify other GCHQ units of JTRIG's “weaponised
capability'' when it comes to the dark Internet arts, and serves as a sort
of hacker's buffet for wreaking online havoc.

The “tools'' have been assigned boastful code names.  They include invasive
methods for online surveillance, as well as some of the very techniques that
the U.S. and U.K. have harshly prosecuted young online activists for
employing, including “distributed denial of service'' attacks and “call
bombing.'' But they also describe previously unknown tactics for
manipulating and distorting online political discourse and disseminating
state propaganda, as well as the apparent ability to actively monitor Skype
users in real-time—raising further questions about the extent of
Microsoft's cooperation with spy agencies or potential vulnerabilities in
its Skype's encryption.  Here's a list of how JTRIG describes its

 * “Change outcome of online polls'' (UNDERPASS)

 * “Mass delivery of e-mail messaging to support an Information
Operations campaign'' (BADGER) and “mass delivery of SMS messages to
support an Information Operations campaign'' (WARPARTH)      [WARPATH?  PGN]

 * “Disruption of video-based websites hosting extremist content
through concerted target discovery and content removal.'' (SILVERLORD)

 * “Active skype capability. Provision of real time call records
(SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also
contact lists.'' (MINIATURE HERO)

 * “Find private photographs of targets on Facebook'' (SPRING BISHOP)

 * “A tool that will permanently disable a target's account on their
computer'' (ANGRY PIRATE)

 * “Ability to artificially increase traffic to a website'' (GATEWAY)
and “ability to inflate page views on websites'' (SLIPSTREAM)

 * “Amplification of a given message, normally video, on popular
multimedia websites (Youtube)'' (GESTATOR)

 * “Targeted Denial Of Service against Web Servers'' (PREDATORS FACE)
and “Distributed denial of service using P2P. Built by ICTR, deployed by

 * “A suite of tools for monitoring target use of the UK auction site
eBay ('' (ELATE)

 * “Ability to spoof any e-mail address and send e-mail under that
identity'' (CHANGELING)

 * “For connecting two target phone together in a call'' (IMPERIAL

While some of the tactics are described as “in development,'' JTRIG touts
“most'' of them as “fully operational, tested and reliable.'' It adds:
“We only advertise tools here that are either ready to fire or very close
to being ready.''

And JTRIG urges its GCHQ colleagues to think big when it comes to Internet
deception: “Don't treat this like a catalogue.  If you don't see it
here, it doesn't mean we can't build it.''

The document appears in a massive Wikipedia-style archive used by GCHQ to
internally discuss its surveillance and online deception activities.  The
page indicates that it was last modified in July 2012, and had been accessed
almost 20,000 times.

GCHQ refused to provide any comment on the record beyond its standard
boilerplate, in which it claims that it acts “in accordance with a strict
legal and policy framework'' and is subject to “rigorous oversight.''  But
both claims are questionable.

British watchdog Privacy International has filed pending legal action
against GCHQ over the agency's use of malware to spy on Internet and mobile
phone users.  Several GCHQ memos published last fall by The Guardian
revealed that the agency was eager to keep its activities secret not to
protect national security, but because “our main concern is that references
to agency practices (ie, the scale of interception and deletion) could lead
to damaging public debate which might lead to legal challenges against the
current regime.'' And an EU parliamentary inquiry earlier this year
concluded that GCHQ activities were likely illegal.

As for oversight, serious questions have been raised about whether top
national security officials even know what GCHQ is doing.  Chris Huhne, a
former cabinet minister and member of the national security council until
2012, insisted that ministers were in “utter ignorance'' about even the
largest GCHQ spying program, known as Tempora—not to mention “their
extraordinary capability to hoover up and store personal e-mail, voice
contact, social networking activity and even Internet searches.'' In an
October Guardian op-ed, Huhne wrote that “when it comes to the secret world
of GCHQ and the [NSA], the depth of my `privileged information' has been
dwarfed by the information provided by Edward Snowden to The Guardian.''

Report: Rare leaked NSA source code reveals Tor servers targeted (Cyrus Farivar)

Monty Solomon <>
Tue, 8 Jul 2014 01:44:08 -0400
Cyrus Farivar, Ars Technica, 3 Jul 2014
NSA says it only gathers such data for "valid foreign intelligence purposes."

Two Germany-based Tor Directory Authority servers, among others, have been
specifically targeted by the National Security Agency's XKeyscore program,
according to a new report from German public broadcaster ARD. Tor is a
well-known open source project designed to keep users anonymous and
untraceable -- users' traffic is encrypted and bounced across various
computers worldwide to keep it hidden.

This marks the first time that actual source code from XKeyscore has been
published. ARD did not say how or where it obtained the code.  Unlike many
other NSA-related stories, the broadcaster did not specifically mention the
information being part of the trove leaked by whistleblower Edward
Snowden. ...

  [Mok-Kong Shen noted: Tor users identified by NSA (auf deutsch).  PGN]

Should hospitals investigate their patients?

danny burstein <>
Sun, 6 Jul 2014 12:59:26 -0400 (EDT)
Via the PRIVACY Forum <>

  Imagine getting a call from your doctor if you let your gym membership
  lapse, make a habit of buying candy bars at the checkout counter, or begin
  shopping at plus-size clothing stores. For patients of Carolinas
  HealthCare System, which operates the largest group of medical centers in
  North and South Carolina, such a day could be sooner than they
  think. Carolinas HealthCare, which runs more than 900 care centers,
  including hospitals, nursing homes, doctors' offices, and surgical
  centers, has begun plugging consumer data on 2 million people into
  algorithms designed to identify high-risk patients so that doctors can
  intervene before they get sick. The company purchases the data from
  brokers who cull public records, store loyalty program transactions, and
  credit card purchases.

Designing water slides is not the same as designing roller coasters

Ben Rothke <>
Mon, 7 Jul 2014 09:45:52 -0400
The Verrückt is to be the world's tallest and fastest water slide and was
to open on 23 May 2014.

In an interview, Schlitterbahn Waterparks & Resorts co-owner Jeff Henry said
that “Our correction coefficients were all off. Models didn't show air and
water friction. A lot of our math was based on roller coasters at first, and
that didn't translate to a water slide like this.''

"Female Cyber Sleuths Hack Into Silicon Valley's Boys Club" (Jordan Robertson)

"ACM TechNews" <>
Mon, 7 Jul 2014 12:14:37 -0400 (EDT)
Jordan Robertson, Bloomberg, 1 Jul 2014
[via ACM TechNews, Monday, July 7, 2014]

Women occupied just over 26 percent of computer and mathematical positions
in the U.S. last year, according to the U.S. Bureau of Labor Statistics.
However, one area of the tech world in which women are making great gains is
information security, where they outnumber men in certain positions, such as
analyst and adviser, according to the International Information Systems
Security Certification Consortium.  Women such as ThreatGrid threat manager
Tiffany Rad, for example, have found great success in information security,
assuming leadership positions in both industry and academia.  Women also are
seeking education in the field much more than they previously did.  Rad says
college classes she teaches on information security law that used to be
exclusively male are now almost evenly split between men and women.  The
success of women in information security also has come relatively quickly.
Jeff Moss, founder of the DefCon and Black Hat security conferences, says
although almost no women attended the conferences during the late '90s, now
there are "too many to mention."  Many attribute women's success in the
field to its meritocratic nature.  Heather Adkins, one of the founding
members of Google's security staff, says the field was mired in sexism when
she joined it in the late '90s, but it has markedly improved, although she
says bias still persists in some areas.

Site catalogues links being censored from Google by EU

Lauren Weinstein <>
Thu, 10 Jul 2014 21:59:48 -0700
(Hidden from Google via NNSquad):

  "The purpose of this site is to list all links which are being censored by
  search engines due to the recent ruling of "Right to be forgotten" in the
  EU. This list is a way of archiving the actions of censorship on the
  Internet. It is up to the reader to decide whether our liberties are being
  upheld or violated by the recent rulings by the EU."

 - - -

As inevitable as the sun rising in the east. And—fascinating—it not
only isn't a cloaked registration, but the registrant appears to be an
identifiable person with a notable presence on the Net (including on
GitHub). There is no escape from the Streisand Effect.

The right to be forgotten will turn the Internet into a work of fiction (David Mitchell)

Lauren Weinstein <>
Sun, 6 Jul 2014 12:05:16 -0700
David Mitchell, *The Guardian* via NNSquad

  "People's right to suppress unpleasant lies which are publicly told is
  being extended to unpleasant truths—until they die when it's suddenly
  open season on slander. The Internet will become constructed entirely of
  two different sorts of untruth: contemporaneous unalloyed praise and
  posthumous defamatory hearsay.

  No one has the right to be forgotten, any more than they have the right to
  be remembered. Our only right in this regard should be not to be lied
  about. And then maybe we can try to see the unflattering facts of other
  people's pasts in the light of our own imperfections. I wouldn't think
  less of someone because his house was repossessed 16 years ago. But I
  would if he turned out to be a liar."

WashPost: In NSA-intercepted data, those not targeted far outnumber the foreigners who are

Lauren Weinstein <>
Sat, 5 Jul 2014 20:29:43 -0700
*The Washington Post* via NNSquad 5 Jul 2014

  The surveillance files highlight a policy dilemma that has been aired only
  abstractly in public. There are discoveries of considerable intelligence
  value in the intercepted messages and collateral harm to privacy on a
  scale that the Obama administration has not been willing to address.
  Among the most valuable contents, which The Post will not describe in
  detail, to avoid interfering with ongoing operations, are fresh
  revelations about a secret overseas nuclear project, double-dealing by an
  ostensible ally, a military calamity that befell an unfriendly power, and
  the identities of aggressive intruders into U.S. computer networks
  ... Months of tracking communications across more than 50 alias accounts,
  the files show, led directly to the 2011 capture in Abbottabad of Muhammad
  Tahir Shahzad, a Pakistan-based bomb builder, and Umar Patek, a suspect in
  a 2002 terrorist bombing on the Indonesian island of Bali. At the request
  of CIA officials, The Post is withholding other examples that officials
  said would compromise ongoing operations.

Executive summary: Complicated.  LW

Chinese Hackers Broke Into U.S. Personnel Networks, NYT Reports

"David Farber via ip" <>
Thu, 10 Jul 2014 08:32:51 -0400

WASHINGTON (AP) -- Chinese hackers broke into the computer networks of the
U.S. Office of Personnel Management earlier this year with the intention of
accessing the files of tens of thousands of federal employees who had
applied for top-secret security clearances, according to The New York Times.

Senior U.S. officials say the hackers gained access to some of the agency's
databases in March before the threat was detected and blocked, the Times
reported in an article posted on its website Wednesday night. How far the
hackers penetrated the agency's systems was not yet clear, the newspaper

Accusations of hacking by China and counterclaims of such activity by the
U.S. government have strained U.S.-Chinese relations. Chinese hacking has
been a major theme of U.S.-China discussions this week in Beijing, though
both sides have publicly steered clear of the controversy.

In May, the Justice Department filed a 31-count indictment against five
Chinese military officials operating under hacker aliases and accused them
of penetrating computer networks of a half-dozen steel companies and makers
of solar and nuclear technology to gain a competitive advantage. The Chinese
government denied the allegations and suspended a working group on cyber
rules that was to be part of the annual "Strategic and Economic Dialogue"
this week.

The Office of Personnel Management houses personal information for all
federal employees. Those applying for security clearances would be expected
to provide such information as foreign contacts, previous jobs, past drug
use and other personal details, the newspaper reported.

The Times quoted an unidentified senior U.S. official as saying that the
attack had been traced to China but that it wasn't clear whether the hackers
were part of the government. A Homeland Security Department official
confirmed to the Times that an attack occurred but said no loss of
personally identifiable information had been identified.

The Office of Personnel Management oversees a system by which federal
employees applying for security clearances enter financial data and other
personal information, the Times said, and those who maintain such clearances
are required to update their information through that system. Agencies and
contractors use the information to investigate employees.

The attack in March was not announced even though the Obama administration
has urged U.S. companies to share information about breaches in security
with the government and with consumers, the newspaper reported.

"The administration has never advocated that all intrusions be made public,"
Caitlin Hayden, a spokeswoman for the Obama administration, said in a
statement to the Times. "We have advocated that businesses that have
suffered an intrusion notify customers if the intruder had access to
consumers' personal information. We have also advocated that companies and
agencies voluntarily share information about intrusions."

Hayden said the administration had no reason to believe that personally
identifiable information for employees had been compromised.

Germany 'may revert to typewriters' to counter hi-tech espionage

Henry Baker <>
Tue, 15 Jul 2014 06:14:40 -0700
FYI—They now have to also worry about the xerox machines...

Germany 'may revert to typewriters' to counter hi-tech espionage

Politicians claim communications technology is mistrusted in wake of US
spying allegations and NSA surveillance revelations

Philip Oltermann in Berlin, Tuesday 15 July 2014 10.51 BST

German politicians are considering a return to using manual typewriters for
sensitive documents in the wake of the US surveillance scandal.

The head of the Bundestag's parliamentary inquiry into NSA activity in
Germany said in an interview with the Morgenmagazin TV programme that he and
his colleagues were seriously thinking of ditching e-mail completely.

Asked "Are you considering typewriters" by the interviewer on Monday night,
the Christian Democrat politician Patrick Sensburg said: "As a matter of
fact, we have—and not electronic models either".  "Really?", the
surprised interviewer checked. "Yes, no joke", Sensburg responded.

During the continuing row over alleged US spying operations in Germany,
there had been speculation that the CIA may have actively targeted the
Bundestag's NSA inquiry committee.

"Unlike other inquiry committees, we are investigating an ongoing situation.
Intelligence activities are still going on, they are happening," said

Last year, the Russian government reportedly took similar measures in
response to proof of NSA spying, as revealed by whistleblower Edward

The federal guard service, a powerful body tasked with protecting Russia's
highest-ranking officials, put in an order for 20 Triumph Adler typewriters,
which create unique "handwriting" that allows its source to be traced.

According to German media, revelations about digital surveillance have
triggered a fundamental rethink about how the government conducts its
communications.  "Above all, people are trying to stay away from technology
whenever they can", wrote Die Welt.

"Those concerned talk less on the phone, prefer to meet in person.  More
coffees are being drunk and lunches eaten together. Even the walk in the
park is increasingly enjoying a revival".

Re: Hong Kong electronic voting system ... (RISKS-28.04)

Tue, 8 Jul 2014 00:32:28 +0200 (CEST)
Voting under duress?

Some years ago, I was invited --- as a "person who knows about computers"
--- to take part in a multinational commission (organised by legal/political
science people) that was looking at the possibilities for introducing
e-voting standards across Europe.

Most countries sent delegations with a moderately technical focus, but the
Swedes simply said, "We will not introduce any form of absentee voting ---
including postal voting --- until we have some way to know that the person
making the vote is alone in the room and cannot be subjected to any form of
duress". (To this day, postal voting is only accepted at Swedish elections
from people resident outside the country; I guess the pragmatic need to
accept _some_ kind of vote outweighs the "duress" issue in that case.)

PGN stated that Peterson is oversimplifying here. I'm not sure if that's
correct. If there is a single, easy to understand, non-technical flaw that
makes the technical discussion obsolete, it might be the best way to
dissuade lawmakers --- who tend to be easy to befuddle with gee-whiz claims
about technology --- from adopting e-voting technology.

Nick Brown, Strasbourg, France.  (Now retired from my previous job; hence
the change of address from

Re: Hong Kong electronic voting system ... (Kamens, RISKS-28.06)

Michael Bacon <>
Sun, 6 Jul 2014 20:23:49 +0100
> "For example, in many faux democracies, this takes the form of members of
the dominant party's goon squad visiting voters at home, one by one, ...

Forget your "faux democracies"; this type of behaviour is being investigated
by the Electoral Commission and the police in more than one UK local council
election, and has been suggested to have occurred in national General
Elections.  Particularly as the variant whereby individuals of the same
ethnicity as the voters - many of whom are not fluent in the English
language - collect their postal voting papers to complete them ... in the
spirit of being helpful, of course.

This notwithstanding, eVoting would deny us the amusement of pregnant and
hanging chads.

Re: Unix "*" wildcards considered harmful (Baker, Re: RISKS-28.06)

Dave Horsfall <>
Sun, 6 Jul 2014 11:22:57 +1000 (EST)
The original author got pilloried for this over on Full Disclosure, for
revealing a "bug" that's been known for around thirty years, and working
exactly as documented.  It's sad to see RISKS picking it up.

If a person chops a foot off by swinging an axe around, whose fault is it?
The axe's?  The manufacturer's (both of the axe and the tool-shed)?  Or,
heaven forbid, the user's fault?

We seem to have a culture of "It's not my fault!", and finding someone else
to blame does not bode well for the future.

Dave Horsfall, North Gosford NSW, Australia

Re: Unix "*" wildcards considered harmful (Horsfall, RISKS-28.07)

Peter G Neumann <>
Sun, 6 Jul 2014 4:45:33 PDT
Dave, This is an old topic in RISKS regarding disclosure of bugs.  Contrary
to your view, the attackers often find the vulnerabilities before the good
guys.  From a software engineering point of view, I frequently note that the
buffer overflow problem was recognized and avoided in Multics around 1965.
I expect your message will be followed by many others saying it's about time
THIS bug in a very commonly used piece of software was finally unveiled.
Maybe NOW it will be fixed pervasively!
