The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 26

Thursday 11 September 2014

Contents

Nancy Pelosi urges FCC to reclassify broadband as a utility
Verge
"Microsoft patch KB 2918614 triggers 'key not valid for use,' more errors"
Woody Leonhard via Gene Wirchenko
Apple - Update to Celebrity Photo Investigation
Monty Solomon
Apple Announces Apple Pay
Monty Solomon
iPod classic is dead, and the 30-pin connector along with it
Casey Johnston via Monty Solomon
Re: Apple Says It Will Add New iCloud Security Measures After Celebrity Hack
Kurt Seifried
Amazon's Fire Phone falls to 99 cents on a two-year contract
Ron Amadeo via Monty Solomon
Feds say NSA "bogeyman" did not find Silk Road's servers
David Kravets via Monty Solomon
"Tech industry groups ask U.S. Senate to 'swiftly pass' NSA curbs"
John Ribeiro via Gene Wirchenko
5 million leaked gmail usernames and passwords
Daily Dot via Chris Beck
"Comcast's open Wi-Fi hotspots inject ads into your browser"
Ian Paul via Gene Wirchenko
"Salesforce.com warns customers of malware attack"
Lucian Constantin via Gene Wirchenko
AT&T/Verizon say 10Mbps is too fast for "broadband," 4Mbps is enough
Jon Brodkin via Monty Solomon
Penalty for driving while texting in Long Island -- a disabled cell phone
David Kravets via Monty Solomon
NOBUS BOGUS: "Do You Feel Lucky, Punk?"
Henry Baker
The Case for Resign Switches for Politicians
Henry Baker
"Predictive" Technology Used to ID Troubled Cops
Henry Baker
Re: GM to Introduce Hands-Free Driving in Cadillac Model
Gabe Goldberg
Re: This chart shows the world's Internet usage shifting to smartphones
Rodney Van Meter
Info on RISKS (comp.risks)

Nancy Pelosi urges FCC to reclassify broadband as a utility

Lauren Weinstein <lauren@vortex.com>
Mon, 8 Sep 2014 16:21:13 -0700
Verge via NNSquad
http://www.theverge.com/2014/9/8/6123801/pelosi-urges-title-ii-classification-of-broadband

  A good number of politicians have recently made statements in favor of net
  neutrality, but House Minority Leader Nancy Pelosi is going further than
  most of them today and asking that the Federal Communications Commission
  reclassify broadband as a utility using Title II of the Communications Act
  -- exactly what net neutrality advocates have been pushing for. In a
  letter to FCC chair Tom Wheeler, Pelosi writes that Title II is "an
  appropriate tool to refine modern rules," and that it can do so without
  the FCC overburdening broadband providers.


"Microsoft patch KB 2918614 triggers 'key not valid for use,' more errors" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Mon, 08 Sep 2014 16:04:46 -0700
Woody Leonhard | InfoWorld, 08 Sep 2014
August's Windows Installer Service patch causes wide range of
inscrutable problems on Windows 7 and Windows 8 machines
http://www.infoworld.com/t/microsoft-windows/microsoft-patch-kb-2918614-triggers-key-not-valid-use-more-errors-249973


Apple - Update to Celebrity Photo Investigation

Monty Solomon <monty@roscom.com>
Mon, 8 Sep 2014 23:39:55 -0400
Apple Media Advisory
Update to Celebrity Photo Investigation
http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html

We wanted to provide an update to our investigation into the theft of photos
of certain celebrities. When we learned of the theft, we were outraged and
immediately mobilized Apple's engineers to discover the source. Our
customers' privacy and security are of utmost importance to us. After more
than 40 hours of investigation, we have discovered that certain celebrity
accounts were compromised by a very targeted attack on user names, passwords
and security questions, a practice that has become all too common on the
Internet. None of the cases we have investigated has resulted from any
breach in any of Apple's systems including iCloud or Find my iPhone. We are
continuing to work with law enforcement to help identify the criminals
involved.

To protect against this type of attack, we advise all users to always use a
strong password and enable two-step verification. Both of these are
addressed on our website at http://support.apple.com/kb/ht4232 .


Apple Announces Apple Pay

Monty Solomon <monty@roscom.com>
Tue, 9 Sep 2014 22:30:34 -0400
Transforming Mobile Payments with an Easy, Secure & Private Way to Pay

CUPERTINO, California--September 9, 2014--Apple today announced Apple Pay, a
new category of service that will transform mobile payments with an easy,
secure and private way to pay. Apple Pay works with iPhone 6 and iPhone 6
Plus through a groundbreaking NFC antenna design, a dedicated chip called
the Secure Element, and the security and convenience of Touch ID. Apple Pay
is easy to set up, so hundreds of millions of users can simply add their
credit or debit card on file from their iTunes Store account. Apple Pay will
also work with the newly announced Apple Watch, extending Apple Pay to over
200 million owners of iPhone 5, iPhone 5c and iPhone 5s worldwide.

Apple Pay supports credit and debit cards from the three major payment
networks, American Express, MasterCard and Visa, issued by the most popular
banks including Bank of America, Capital One Bank, Chase, Citi and Wells
Fargo, representing 83 percent of credit card purchase volume in the US.* In
addition to the 258 Apple retail stores in the US, some of the nation's
leading retailers that will support Apple Pay include Bloomingdale's, Disney
Store and Walt Disney World Resort, Duane Reade, Macy's, McDonald's,
Sephora, Staples, Subway, Walgreens and Whole Foods Market. Apple Watch will
also work at the over 220,000 merchant locations across the US that have
contactless payment enabled. Apple Pay is also able to make purchases
through apps in the App Store. ...

http://www.apple.com/pr/library/2014/09/09Apple-Announces-Apple-Pay.html

  [Given the troubles around the world with online payments, this might be
  an invitation to disaster.  PGN]


iPod classic is dead, and the 30-pin connector along with it (Casey Johnston)

Monty Solomon <monty@roscom.com>
Tue, 9 Sep 2014 22:41:21 -0400
Casey Johnston, Ars Technica, 9 Sep 2014,
This marks a complete transition to Lightning connectors, in just two years.

When apple.com returned after the event announcing Apple's new iPhone 6, 6
Plus, and Apple Watch, one of its longest-standing members was gone: the
iPod classic. Along with it goes the 30-pin dock connector, marking a
complete transition to the Lightning connector for Apple's entire mobile
device fleet in exactly two years. ...

http://arstechnica.com/gadgets/2014/09/ipod-classic-is-dead-and-the-30-pin-connector-along-with-it/


Re: Apple Says It Will Add New iCloud Security Measures After Celebrity Hack (Chen, RISKS-28.25)

Kurt Seifried <kurt@seifried.org>
Tue, 9 Sep 2014 15:54:23 -0600
I'm glad they're not actually fixing the root problems like strengthening
authentication or making brute force attacks harder, now as long as nobody
goes on vacation or doesn't check email for a few days we'll all be safe!

BTW if someone is attacking my iCloud account what exactly can I do about
it? Randomly change my password and hope for the best? Is there any way to
contact Apple? Nope!


Amazon's Fire Phone falls to 99 cents on a two-year contract (Ron Amadeo)

Monty Solomon <monty@roscom.com>
Tue, 9 Sep 2014 22:56:15 -0400
After reports of it struggling in the market, the device gets a $200 price cut.
Ron Amadeo, Ars Technica, 8 Sep 2014
http://arstechnica.com/gadgets/2014/09/amazons-fire-phone-falls-to-99-cents-on-a-two-year-contract/


Feds say NSA "bogeyman" did not find Silk Road's servers (David Kravets)

Monty Solomon <monty@roscom.com>
Tue, 9 Sep 2014 00:52:56 -0400
David Kravets, *Ars Technica*, 6 Sep 2014
FBI says it found main server via a "misconfiguration" of the login interface.

The FBI easily found the main server of the now-defunct Silk Road online
drug-selling site, and didn't need the National Security Agency's help,
federal prosecutors said in a Friday court filing.

The underground drug website, which was shuttered last year as part of a
federal raid, was only accessible through the anonymizing tool Tor. The
government alleges that Ross Ulbricht, as Dread Pirate Roberts, "reaped
commissions worth tens of millions of dollars" through his role as the
site's leader. Trial is set for later this year.

The authorities said Friday that the FBI figured out the server's IP address
through a misconfiguration in the site's login window. They said that a US
warrant wasn't required to search the Icelandic server because "warrants are
not required for searches by foreign authorities of property overseas."  ...

http://arstechnica.com/tech-policy/2014/09/feds-say-nsa-bogeyman-did-not-find-silk-roads-servers/
http://cdn.arstechnica.net/wp-content/uploads/2014/09/silkroaddoc.pdf


"Tech industry groups ask U.S. Senate to 'swiftly pass' NSA curbs" (John Ribeiro)

Gene Wirchenko <genew@telus.net>
Tue, 09 Sep 2014 13:52:20 -0700
John Ribeiro, Infoworld, 09 Sep 2014
A coalition of tech industry groups writes a letter to Senate leaders
saying an erosion of trust is affecting their business abroad
http://www.infoworld.com/t/federal-regulations/tech-industry-groups-ask-us-senate-swiftly-pass-nsa-curbs-250096


5 million leaked gmail usernames and passwords (Daily Dot)

*Chris Beck* <cbeck@pacanukeha.net>
Wednesday, September 10, 2014
News surfaced yesterday in Russia about this leak (via Dave Farber)
Apparently you can check if you are on it at isleaked.com, but it's under a
lot of load and in Russian.  There is a text box and a button and you want
to see in the green box.
http://www.dailydot.com/crime/google-gmail-5-million-passwords-leaked/


"Comcast's open Wi-Fi hotspots inject ads into your browser" (Ian Paul)

Gene Wirchenko <genew@telus.net>
Tue, 09 Sep 2014 13:55:02 -0700
Ian Paul, PC World, InfoWorld, 09 Sep 2014
By injecting JavaScript ads into your browser, Comcast could be
creating unintended security vulnerabilities
http://www.infoworld.com/d/networking/comcasts-open-wi-fi-hotspots-inject-ads-your-browser-250141


"Salesforce.com warns customers of malware attack" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 09 Sep 2014 13:53:28 -0700
Lucian Constantin, InfoWorld, 09 Sep 2014
A new version of the Dyreza online banking Trojan is stealing
Salesforce.com log-in credentials
http://www.infoworld.com/d/security/salesforcecom-warns-customers-of-malware-attack-250140


AT&T/Verizon say 10Mbps is too fast for "broadband," 4Mbps is enough (Jon Brodkin)

Monty Solomon <monty@roscom.com>
Tue, 9 Sep 2014 00:45:03 -0400
Cable lobby also implores FCC not to change definition of broadband.
Jon Brodkin, *Ars Technica*, 8 Sep 2014

AT&T and Verizon have asked the Federal Communications Commission not to
change its definition of broadband from 4Mbps to 10Mbps, saying many
Internet users get by just fine at the lower speeds. ...

http://arstechnica.com/business/2014/09/att-and-verizon-say-10mbps-is-too-fast-for-broadband-4mbps-is-enough/


Penalty for driving while texting in Long Island -- a disabled cell phone (David Kravets)

Monty Solomon <monty@roscom.com>
Tue, 9 Sep 2014 22:39:50 -0400
David Kravets, Ars Technica, 9 Sep 2014
New York prosecutor says driving while texting is as dangerous as drunk
driving.

Motorists popped for texting-while-driving violations in Long Island could
be mandated to temporarily disable their mobile phones the next time they
take to the road.

That's according to Nassau County District Attorney Kathleen Rice, who says
she is moving to mandate that either hardware be installed or apps be
activated that disable the mobile phone while behind the wheel. The district
attorney likened the texter's punishment to drunk drivers who sometimes are
required to breathe into a device before turning on the ignition. ...

http://arstechnica.com/tech-policy/2014/09/penalty-for-driving-while-texting-in-long-island-a-disabled-cell-phone/


NOBUS BOGUS: "Do You Feel Lucky, Punk?"

Henry Baker <hbaker1@pipeline.com>
Mon, 08 Sep 2014 14:33:34 -0700
One major risk in the cyberwar arena is overplaying one's own hand.

Here's a little calculation that I did last week that I hope might sober
some people up a bit.

NOBUS BOGUS: "Do You Feel Lucky, Punk?"

Gen. Michael Hayden, former director of the NSA, has put forward the concept
of "NOBUS" ("Nobody But US").

According to *The Washington Post*:

"To a certain extent, this NOBUS idea reflects the weighing of the dual
defensive and offensive mission of the NSA. ...  But we're talking about the
same agency that reportedly has a 600-some elite offensive hacker squad,
Tailored Access Operations or TAO, working out of its headquarters.  And
NOBUS also raises a lot of questions about how the intelligence agency
determines if something is likely to be exploited by adversaries."

http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/

Hayden's NOBUS concept depends critically on the U.S. having an overwhelming
advantage in terms of *computer power* relative to its competitors --
particularly China.

Hayden: "If there's a vulnerability here that weakens encryption but you
still need four acres of Cray computers in the basement in order to work it
you kind of think 'NOBUS' and that's a vulnerability we are not ethically or
legally compelled to try to patch—it's one that ethically and legally we
could try to exploit in order to keep Americans safe from others."

China can obviously afford to build any computer it wants; it owns ~$1.3T of
US debt, and China already makes many of the components needed for such
computers.  So "four acres of Cray computers" isn't much of a show-stopper
for the Chinese.

http://www.treasury.gov/ticdata/Publish/mfh.txt

But based upon most reports of computer hacking I've read, the essential
element for hacking success isn't *computer* power, but *hacker* power;
i.e., human intelligence & hacking skill.  Yes, the NSA might well have
brute-forced a "collision attack" for STUXNET with four acres of Crays, but
such brute force attacks are rare simply because there are so many other --
& far cheaper—hacks readily available.

So, given the current level of IQ and STEM education in the U.S., "NOBUS"
might just be a hollow (and therefore very dangerous) conceit.

In order to gain some better insight, I've developed a simple model of
hacker skill analogous to *chess ratings*.  Of course, there are no studies
showing any correlation between chess ratings and hacker skills, nor even
studies showing that the probability distributions of chess skills and
hacker skills are similar.

https://en.wikipedia.org/wiki/Elo_rating_system

Nevertheless, I speculate that hacker skills are indeed distributed in a
manner similar to chess skills, and that hacker competitions might show
similar statistics to chess competitions.

Using these assumptions, I've done some calculations based on the
mathematics of chess ratings (developed by Zermelo, a half-century before
Elo).

http://www.glicko.net/research/preface-z28.pdf

If hacker skills were distributed *logistically* like chess ratings, then
one could calculate the probability of hacker A beating hacker B by looking
at the arithmetic *difference* of a chess-like hacker rating.

https://en.wikipedia.org/wiki/Logistic_distribution

Chess ratings seem to have a mean of perhaps 1130, and a standard deviation
of perhaps 315.  Since the probability of winning at chess is based only on
the rating *differences*, we don't care very much about the mean.

A chess rating deficit of 382 gives a 10% chance of winning.
A chess rating deficit of 798 gives a 1% chance of winning.
A chess rating deficit of 1200 gives a .1% chance of winning.

We can rescale a chess rating-like system to a distribution that looks a lot
more like an IQ distribution by setting the mean=100 and the 2.275% quantile
at 130; i.e., only 2.275% of the population has an IQ greater than 130.
(With this rescaling, the logistic distribution "s" parameter is about 8.0.)

Let's call this rating system "HQ", for "Hacker Quotient", and I will
presume that this HQ rating captures hacking skill levels.

An HQ deficit of 17.6 gives a 10% chance of winning.
An HQ deficit of 36.8 gives a 1% chance of winning.
An HQ deficit of 55.3 gives a .1% chance of winning.

China's population is ~1.355 billion, while the US population is ~318.679
million (Wikipedia).  If N=600 is the size of NSA's TAO group, then TAO
presumably represents the best 1.883x10^-4 % of the US population.  But
N=600 represents the best 4.428x10^-5 % of the Chinese population.  If the
tails of the distributions are thin, then the upper tail of a larger
population will have a larger mean than that of a smaller population.

If China's mean HQ is 100, and the US's mean HQ is 98 (following the IQ
difference between China and the US), the HQ deficit for the US TAO v. the
Chinese TAO is 13.58, hence the US's chance of winning a hacker war is only
15.5%.

If both the US and China's mean HQ is 100, the HQ deficit for the US TAO is
only 11.58, hence the US's chance of winning a hacker war is then 19%.

The core insight is that due to the 4.25x population advantage, the top N
(N=600) hackers in China are better than the top N hackers (i.e., NSA's TAO)
in the US.  If there is also a difference in the population mean HQ, then
this effect is additive to the deficit due to population size.

Since we are dealing with the sparse *tails* of these distributions, the
uncertainty of these calculations is very high.  Nevertheless, the overall
conclusion is similar: *population size matters* when looking at extreme
tails.

I should also point out that the US Internet infrastructure is far more
extensive than the Chinese infrastructure, so the US is a much juicier target
for any hacking.  The US would suffer substantially greater damage from any
maliciousness—particularly on a relative basis—and hence "people who
live in glass houses shouldn't throw stones".

I'm not so sure that the US wants to continue talking like Dirty Harry with
long odds such as these.

It would also behoove the US to *harden* all that glass—not just against
nation-states, but against *all* malicious actors.
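The arithmetic behind the post's HQ model, carried through in code.  This is an added example, not Henry Baker's own calculation or code; it takes the post's two stated assumptions (a Zermelo/Elo logistic win probability in the rating difference, and a logistic population distribution rescaled to mean 100 with the 2.275% quantile at 130) together with the post's population and TAO-size figures, and recomputes each number the post quotes.  The `population_share` function goes one step beyond the post: with equal population means the model collapses to a closed form, P(US wins) = N_us / (N_us + N_cn), independent of the scale `s` and of the group size `n`.

```python
"""Henry Baker's 'Hacker Quotient' model, recomputed (added example, not from the post)."""
import math

# --- parameters taken from the post ----------------------------------------
ELO_S = 400.0 / math.log(10.0)   # Elo logistic scale: ~173.7 rating points per e-fold of odds
HQ_MEAN = 100.0                  # the post rescales to an IQ-like mean of 100
HQ_130_QUANTILE = 0.97725        # post: only 2.275% of the population has HQ > 130
TAO_SIZE = 600                   # post's assumed size of NSA's TAO group
US_POP = 318.679e6               # post's population figures (Wikipedia, 2014)
CN_POP = 1.355e9


def win_probability(deficit: float, s: float) -> float:
    """Zermelo/Elo: chance that the side trailing by `deficit` rating points wins."""
    return 1.0 / (1.0 + math.exp(deficit / s))


def deficit_for(p_win: float, s: float) -> float:
    """Inverse of win_probability: the deficit that leaves the weaker side exactly p_win."""
    return s * math.log((1.0 - p_win) / p_win)


def hq_scale(mean: float = HQ_MEAN, x: float = 130.0,
             quantile: float = HQ_130_QUANTILE) -> float:
    """Logistic scale s such that F(x) = quantile, with F(x) = 1/(1+exp(-(x-mean)/s)).

    Comes out at ~7.98; the post rounds this to 8.0.
    """
    return (x - mean) / math.log(quantile / (1.0 - quantile))


def tail_mean(top_n: int, population: float, s: float, mean: float = HQ_MEAN) -> float:
    """Mean rating of the best `top_n` people out of `population`, logistic(mean, s).

    Exact conditional mean, not a tail approximation:
        E[X | X > t] = mean + s * (y + (1 + e^y) * ln(1 + e^-y)),  y = (t - mean)/s,
    where t is the (1 - top_n/population) quantile.
    """
    q = top_n / population                 # fraction of the population in the tail
    y = math.log((1.0 - q) / q)            # tail threshold in standard logistic units
    return mean + s * (y + (1.0 + math.exp(y)) * math.log1p(math.exp(-y)))


def tao_matchup(us_mean: float = HQ_MEAN, cn_mean: float = HQ_MEAN, n: int = TAO_SIZE,
                us_pop: float = US_POP, cn_pop: float = CN_POP):
    """(HQ deficit of the top-n US group vs the top-n Chinese group, US win probability)."""
    s = hq_scale()
    deficit = tail_mean(n, cn_pop, s, cn_mean) - tail_mean(n, us_pop, s, us_mean)
    return deficit, win_probability(deficit, s)


def population_share(us_pop: float = US_POP, cn_pop: float = CN_POP) -> float:
    """Closed form for equal means: the two tail means differ by s*ln(cn_pop/us_pop)
    up to O(n/population), so P(US wins) = us_pop/(us_pop + cn_pop), whatever s and n are."""
    return us_pop / (us_pop + cn_pop)


if __name__ == "__main__":
    s = hq_scale()
    for p in (0.10, 0.01, 0.001):
        print(f"{p:6.1%} win chance: chess deficit {deficit_for(p, ELO_S):7.1f}, "
              f"HQ deficit {deficit_for(p, s):5.1f}")
    for us_mean in (100.0, 98.0):
        d, w = tao_matchup(us_mean=us_mean)
        print(f"US mean HQ {us_mean:.0f}: deficit {d:5.2f}, US win chance {w:.1%}")
    print(f"population share closed form: {population_share():.1%}")
```

Running it reproduces the post's 382/798/1200 chess deficits, the 17.6/36.8/55.3 HQ deficits (within the post's rounding of s to 8.0), and the 11.58 and 13.58 deficits with their 19% and 15.5% win chances.  The closed form is the part worth noticing: under these assumptions a 2-point shift in population mean simply multiplies the odds by exp(-2/s), and the population-size effect is exactly the population ratio, so the 4.25x figure in the post is the whole story for the equal-means case.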


The Case for Resign Switches for Politicians (Re: Zittrain, R-28.25)

Henry Baker <hbaker1@pipeline.com>
Tue, 09 Sep 2014 13:12:43 -0700
FYI—I don't know about kill switches for weapons, but I think that quite
a number of us voters would like to see "automatic resign switches" for
politicians who violate their campaign promises.

I think that most of us would agree that lying and out-of-control
politicians have done far more damage than any number of captured weapons.
In particular, politicians are "captured" all the time by special interests.
Wouldn't it be nice for the voters to be able to (Eric) Cantorize a
politician who got too big for his/her britches?

This wouldn't require any Constitutional or legal changes, but merely a
computer-controlled lock box containing an irrevocable letter of
resignation, which would be automatically and immediately opened by an
online voting system after it tallied a simple majority "no confidence" vote
of the electorate of his/her district/state/country.

A politician could sign up for this service and tout it in his/her
advertising.  Otherwise, voters could safely assume that the politician was
merely "blowing smoke".

A more geeky solution could be developed using the Bitcoin blockchain &
scripting language.

http://www.nytimes.com/2014/09/09/us/politics/a-president-whose-assurances-have-come-back-to-haunt-him.html


"Predictive" Technology Used to ID Troubled Cops

Henry Baker <hbaker1@pipeline.com>
Wed, 10 Sep 2014 06:29:17 -0700
FYI—But these systems don't work.  But expect them to be used even more
after Ferguson, even though (particularly because??) they don't work.  These
expensive systems are complete scams, but govts buy them to cover their
asses (see, we've used "best practices").

Tami Abdollah, Technology Used to ID Troubled Cops, Sep 4 2014
http://www.officer.com/news/12001926/technology-used-to-id-troubled-cops

Police departments across the U.S. are using technology to try to identify
problem officers before their misbehavior harms innocent people, embarrasses
their employer, or invites a costly lawsuit—from citizens or the federal
government.

While such "early warning systems" are often treated as a cure-all, experts
say, little research exists on their effectiveness or -- more importantly --
if they're even being properly used.

Over the last decade, such systems have become the gold standard in
accountability policing with a computerized system used by at least 39
percent of law enforcement agencies, according to the most recent data from
the U.S. Bureau of Justice Statistics.

The issue of police-community relations was thrust into the spotlight after
an officer fatally shot Michael Brown in Missouri.  Since then, departments
have held public forums to build trust with residents.  Some are testing
cameras mounted to officers to monitor their interactions with the public.

Experts say the early warning system can be another powerful tool to help
officers do their jobs and improve relations, but it is only as good as the
people and departments using it.  "It's not a guarantee that you will catch
all of those officers that are struggling," said Jim Bueermann of the
nonprofit Police Foundation, which is dedicated to better policing.  "These
systems are designed to give you a forewarning of problems and then you have
to do something."

  [Long item truncated for RISKS.  PGN]


Re: GM to Introduce Hands-Free Driving in Cadillac Model (R-28.25)

Gabe Goldberg <gabe@gabegold.com>
Mon, 08 Sep 2014 15:01:06 -0400
But you're steering and thus presumably watching the road.

"Let the car do the work ... BUT remain alert"—currently people already
drift off, lose focus, get hypnotized, and text while supposedly still
driving. Increased automation (auto-mation?) and hands/foot-free driving
can't help but worsen attention paid to driving. Alert? Not likely.


Re: This chart shows the world's Internet usage shifting to smartphones

Rodney Van Meter <rdv@sfc.wide.ad.jp>
Thu, 11 Sep 2014 11:37:53 -0400
http://thenextweb.com/shareables/2014/08/19/watch-world-move-towards-smartphones-one-simple-chart/

I saw this plot when it first arrived on the web a few weeks ago (courtesy
of Dave Farber's IP, IIRC).

It takes only a minute or two to see that the animation is far more glitzy
than accurate.

For starters, it is clear that most of the national lines are extrapolated
from a very small number of data points.  Moreover, the few data points are
likely derived from surveys with very different methodologies; the
discrepancies are substantial.

A clear example is India, in the lower left.  It appears to be composed of
three data points:

  date      PC   mobile
  3/2011  36.9%  22.9%
  3/2013  10.6%  12.8%
  3/2014  11.3%  22.1%

These numbers are simply not plausible.  I have seen other Internet
penetration numbers for India recently, that placed it at around 17%
(independent of method).  My *guess* is that the 2011 numbers actually
represent growth rate, rather than %age of the population!

Practically every country in the data shows some anomalous behavior.
Indonesia shows an outright U-turn; Argentina and Thailand appear to suffer
substantial declines in the actual number of Internet users via any
platform, which seems unlikely.  Korea shows a sudden sharp drop in PC use,
over 10% in a year.  Japan has an odd kink in its line in 2012, declining
10% in six months but then recovering.

Bottom line, I think this is pretty hopeless.
