The RISKS Digest
Volume 28 Issue 40

Friday, 5th December 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



These 31 Builders Made Mistakes That Will Leave You BAFFLED
Gabe Goldberg
NTSB report on Boeing 787
Jeremy Epstein
SmartDriver: a 16-year-old can see the risks
Richard A. O'Keefe
Hacked vs. Hackers: Game On
Nicole Perlroth
Hackers Pirate Sony Films and Leak Studio Salaries
Monty Solomon
Sony Pictures' computers are still locked as hackers demand equality
engadget via Dave Farber
It Gets Worse: Newest Sony Data Breach Exposes Thousands Of Passwords
Charlie Warzel via Monty Solomon
Argument preview: Social media as a crime scene
scotusblog via Monty Solomon
"Gangnam Style overflows INT_MAX, forces YouTube to go 64-bit"
Peter Bright
"How to crash the data center with one word"
Apple entering a `whack-a-mole' era of malware defense
ZDNet via Bob Frankston
"Fraudulent apps stalk Apple's App Store"
Simon Phipps via Gene Wirchenko
"BYOD Brings Corporate Contradictions"
Tom Kaneshige
New Snowden docs: GCHQ's ties to telco gave spies global surveillance reach
Sean Gallagher
NSA subverts GSM standards processes with vulnerabilities
Ryan Gallagher
'Regin' malware comes from western intelligence agency, say experts
Brian Randell
The triumph of hope—or hype?—over experience
Robert L Wears
The Trolls Among Us
Anne Applebaum
This Net was Made for You and Me ???
Julian Assange via Henry Baker
I thought fleeting messages were bad
Dan Jacobson
Re: Recent RISKS Problematic Posts
Martin Ward
Re: "Silicon Valley's combination of power and irresponsibility
Chris Drewe
Re: Uber's Underhanded App reporting data back w/o permission
George Sigut
Info on RISKS (comp.risks)

These 31 Builders Made Mistakes That Will Leave You BAFFLED

Gabe Goldberg <>
Sat, 29 Nov 2014 14:55:39 -0500
Technology must have been involved somehow... Here's what went wrong.

  [This item is decidedly *NOT* computer related, but I will bet some of
  these examples will appear in computer-related talks.  I'm reminded of the
  photo of the barrier in a road, with tracks of vehicles that went around
  it on the grass, which I must have seen in a dozen security talks by now.

NTSB report on Boeing 787

Jeremy Epstein <>
Tue, 2 Dec 2014 13:33:11 -0500
As one might expect, it wasn't a single problem, but a series of
interrelated problems.  It's a fairly simple matter to substitute "software"
for "battery", and see the state of security in the world today.

Flaws in manufacturing, insufficient testing and a poor understanding of an
innovative battery all contributed to the grounding of Boeing's 787 fleet
last year after a fire in a jet at Boston's airport and another incident in
Japan, according to a report released Monday by regulators.

The report, by the National Transportation Safety Board, assigned in the
starkest terms yet the blame for the 787's battery problems.

The safety board investigating the Boston episode suggested for the first
time that manufacturing flaws introduced defects that led a battery cell to
fail, though the board stopped short of drawing a firm conclusion. The
failure of that cell rippled to other cells, causing the battery to consume
itself in fire and smoke. [...]

The board found a wide range of failings among manufacturers and
regulators. The battery's maker, GS Yuasa of Japan, used manufacturing
methods that could introduce potential defects but whose inspection methods
failed to detect the problem, the board found. Boeing's engineers failed to
consider and test the worst-case assumptions linked to possible battery
failures, it said. And the Federal Aviation Administration failed to
recognize the potential hazard and did not require proper tests as part of
its certification process, the report said. [...]

SmartDriver: a 16-year-old can see the risks

"Richard A. O'Keefe" <>
Thu, 4 Dec 2014 18:54:25 +1300
I recently got e-mail from the Tower insurance company promoting
SmartDriver, produced by a US company called DriveFactor.

The web page is
with a FAQ at

This is an app for iOS and Android that purports to measure how safely you
are driving by using your device's sensors to record “acceleration,
braking, cornering, trip frequency and duration'' and your GPS location,
more. You can get a discount of up to 20% if you are safe enough.

In no particular order,
 - I am very pleased to have a phone that is too dumb to support malware.
   No discount for me!
 - Wait, I do have an iPad, and so does my wife.
   Sorry, it doesn't work on iPads.  No discount for me!
 - My wife *does* have a smart-phone.  It's a Windows phone.
   No discount for her!
 - The app will lack awareness of the context.  If a child or an animal
   runs across the road in front of me, and I brake hard enough to avoid
   a death, I will be penalised for unsafe driving, not rewarded.
   Similarly, a sharp turn to avoid an accident will count as unsafe,
   not safe.
   suggests that they can tell light traffic from rush hour, but the
   statement “the car experienced an additional 13.7 total g's of
   acceleration'' is a little confusing.
 - I wonder whether they compare your speed as reported by GPS with the
   speed limit for the relevant road, and just how accurate their maps are.
 - The app will lack awareness of the context.  We are often told these days
   that driving too slowly is dangerous, but the app won't know about rain,
   fog, or road works, and it doesn't appear to have any way you can
   tell it that you are towing something.
 -  Q. Can I get a copy of my data?
    A. We will provide access to your data that is readily available.
    Please note that we may ask you to pay a reasonable fee if your request
    is time consuming or costly.
   This is a non-answer.  A couple of Official Information Act requests
   have shown me that governments have a way of saying that information
   they *ought* to have had is not readily available, and I don't expect
   businesses to be any different.  And whose opinion of `a reasonable fee'
 -  Q. Can the police request the data in case of accidents or
    A. If TOWER is legally required to share information with authorities,
    we will abide by our obligations under the law.
   This is an even more flagrant non-answer.  If the data are held in the
   US and analysed by DriveFactor, they can presumably thumb their noses at
   NZ law.  *Tower* might well not hold anything but summaries.

Longer term, I'm concerned by several things.

 - First people paid their bills over the counter at the post office, then
   Internet banking became available, and now you are charged penalty
   payments if you pay over the counter in real money.  How long before your
   insurance company starts charging extra to people who don't use such an
   app? (With a safe driving discount of up to 20%, I think we can see that
   the penalty paid by a Windows Phone user could be substantial.)

 - How long before inability to produce your logs counts against you in
   court?  (If you don't want anyone monitoring your driving, you must know
   you are a bad driver, so the accident must have been your fault.)

 - There is a privacy act in New Zealand, but under the principle of the
   sovereignty of Parliament, it could be gone tomorrow if John Key's
   business friends saw an advantage in getting their hands on data like
   this.  Of course much of this information can be gleaned from mobile
   phones anyway if you can plant what you want in them, and NZ is part of
   Five Eyes. But I like to turn my phone off when driving, for safety,
   ironically enough.  DriveSmart offers a financial incentive to keep your
   phone on.

My younger daughter will turn 16 tomorrow and is interested in learning to
drive.  When I told her about DriveSmart, she was able to grasp these

Welcome to the self-surveillance society.

Hacked vs. Hackers: Game On (Nicole Perlroth)

Monty Solomon <>
Wed, 3 Dec 2014 21:10:22 -0500
Nicole Perlroth, *The New York Times*, 03 Dec 2014 and the blog:

There has been an awakening that online threats are real and growing worse,
and that the prevailing `patch and pray' approach to computer security will
not do.

  [Also noted by Matthew Kruk.  Those of you tired at rather pessimistic
  items in RISKS might also be interested in a companion article by Nicole
  Perlroth in the same issue of *The Times* and the same blog:

Hackers Pirate Sony Films and Leak Studio Salaries

Monty Solomon <>
Wed, 3 Dec 2014 20:20:04 -0500
The breach exposed two things the movie industry loathes—the piracy of
films, and details about executive compensation.  It sent a ripple of dread
across Hollywood.

Sony Pictures' computers are still locked as hackers demand equality

"David Farber via ip" <>
Wed, 26 Nov 2014 07:06:20 -0500

It Gets Worse: Newest Sony Data Breach Exposes Thousands Of Passwords

Monty Solomon <>
Thu, 4 Dec 2014 18:18:04 -0500

Argument preview: Social media as a crime scene

Monty Solomon <>
Mon, 1 Dec 2014 07:41:20 -0500
... In this case, a thirty-one-year-old man, Anthony Douglas Elonis, who
lives in the small Pennsylvania community of Lower Saucon Township, was
convicted for postings on Facebook four years ago that prosecutors treated
as actual threats of violence. The jury agreed, leading to a guilty verdict
and a forty-four-month prison sentence. His messaging came after his wife
had left him and he was fired from his job at an amusement park because of
one of his postings. ...

"Gangnam Style overflows INT_MAX, forces YouTube to go 64-bit" (Peter Bright)

Gene Wirchenko <>
Thu, 04 Dec 2014 09:33:49 -0800
Peter Bright, *Ars Technica*, 3 Dec 2014
Psy's hit song has been watched an awful lot of times.

Although it's no longer 2012, apparently people are still watching the
YouTube video for Korean pop star Psy's smash hit song Gangnam Style.

The irritatingly catchy tune has racked up so many views that Google has
been forced to upgrade YouTube's infrastructure to cope. When YouTube was
first developed, nobody ever imagined that a video would be watched more
than 2 billion times, so the view count was stored using a signed 32-bit
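
The wrap the article describes, as an added example (this is not YouTube's
code; the 1000-views-per-second rate used in the demo is an assumed figure):

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A view counter kept in a signed 32-bit integer, bumped the naive way.
 * `views + 1` when views == INT32_MAX is signed overflow, which is undefined
 * behaviour in C. To keep this demonstration itself well defined, the addition
 * is done in 64 bits and truncated; that reproduces the two's-complement wrap
 * (INT32_MAX + 1 becomes INT32_MIN) the naive code shows in practice on every
 * mainstream compiler. */
static int32_t naive_increment(int32_t views)
{
    int64_t wide = (int64_t)views + 1;
    return (int32_t)(uint32_t)wide;   /* truncate to 32 bits: wraps */
}

/* Overflow-checked increment: refuses to wrap and reports failure, leaving the
 * counter untouched, so the caller can alarm or widen the storage instead of
 * silently publishing a negative view count. The test is done BEFORE the
 * increment; a post-hoc "if (views < 0)" check after an overflowing ++ is
 * undefined and may be optimised away. */
static bool checked_increment(int32_t *views)
{
    if (*views == INT32_MAX)
        return false;
    ++*views;
    return true;
}

/* The remedy the article reports: store the counter in 64 bits. */
static int64_t wide_increment(int64_t views)
{
    return views + 1;   /* cannot wrap until INT64_MAX, see days_to_limit */
}

/* How many days a counter starting at zero lasts at `per_second` increments
 * before reaching `limit`. Lets you check a type choice against an expected
 * rate rather than against "nobody will ever watch it that often". */
static double days_to_limit(int64_t limit, double per_second)
{
    return (double)limit / per_second / 86400.0;
}

int main(void)
{
    int32_t views = INT32_MAX - 1;

    /* The last safe increment, then the wrap. */
    views = naive_increment(views);
    printf("naive: %" PRId32 "\n", views);           /* 2147483647 */
    views = naive_increment(views);
    printf("naive: %" PRId32 " (wrapped)\n", views); /* -2147483648 */

    /* The checked version refuses at the limit. */
    int32_t checked = INT32_MAX;
    printf("checked_increment at INT32_MAX: %s\n",
           checked_increment(&checked) ? "ok" : "refused");

    /* A 64-bit counter goes past 2^31 without trouble. */
    printf("wide: %" PRId64 "\n", wide_increment(INT32_MAX));

    /* Lifetime of each width at an assumed (made-up) 1000 views per second. */
    printf("int32 lasts %.1f days at 1000/s\n", days_to_limit(INT32_MAX, 1000.0));
    printf("int64 lasts %.0f years at 1000/s\n",
           days_to_limit(INT64_MAX, 1000.0) / 365.25);
    return 0;
}
```

Build with `cc -std=c99 -Wall overflow.c`. The point of days_to_limit is that
"more than 2 billion" is not a large number for a counter: at 1000 events a
second a signed 32-bit counter is exhausted in under 25 days, while a 64-bit
one at the same rate lasts hundreds of millions of years. The same arithmetic
applies to any monotonically increasing field (request IDs, byte counts,
sequence numbers) whose width was chosen by intuition rather than by rate.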

"How to crash the data center with one word"

Gene Wirchenko <>
Thu, 04 Dec 2014 10:06:46 -0800
`Anonymous', InfoWorld, 3 Dec 2014
A single word on a simple button does not mean what an admin thinks
it means during what should be a routine weekend job

Techies and users often accuse each other of speaking different languages,
but truth be told, we in IT don't always understand one another either. Take
the case of the tech team who decided a simple one-word sign in the data
center would mean the exact opposite of all expectations.

As I paused outside of the closed door, I stared at a big, red button
labeled "Open" right next to the entrance. I'd seen it before and assumed it
would open the door. Logically, I pushed the button.

Instantly, a dreaded silence descended—the sound of a data center that
has gone dead. The Open button must have shut off all power to the data
center! It certainly hadn't opened the door.

To this day I marvel at the lunacy of putting a big, red, completely
unprotected button next to a door, labeled as Open but in actuality meaning
"Open all power circuits in case of emergency only."

The label never changed, but our crew put a plastic box over it so you had
to flip open the box before you could push the button. Even with a small
staff, you can never assume that everyone knows what a sign like that
means. Clear communication is a necessity.

Apple entering a `whack-a-mole' era of malware defense (ZDNet)

"Bob Frankston" <>
5 Dec 2014 14:48:22 -0500

"Fraudulent apps stalk Apple's App Store" (Simon Phipps)

Gene Wirchenko <>
Thu, 04 Dec 2014 10:02:24 -0800
Simon Phipps, *InfoWorld*, 3 Dec 2014
Angry support queries fly, citing problems with mystery iOS apps --
that turn out to be scamware

selected text:

Many people think that the sort of scams Microsoft cleared out of its mobile
app store this year could never affect Apple. But how tight is Apple's
review process for the App Store? If you're competing with Apple, it seems
to be very tight, and the rules are constantly changing. But if you're a
scammer looking to make a fast buck, it appears that Apple process can be

That's three apps that logic demands should never have been allowed into the
App Store in the first place if anyone was paying the slightest attention to
their names and icons, including one with a dummy URL for support and
another hollow shell that cannot possibly have passed any meaningful
scrutiny by an app tester. Yet they are all in the supposedly sanitary
iTunes Store. I found several other apps (1, 2, 3) using the name
Quickoffice (although without Google's icon). How many more apps like this
are there in the App Store?

I contacted Apple for comment but received no reply at press time.

"BYOD Brings Corporate Contradictions" (Tom Kaneshige)

Gene Wirchenko <>
Tue, 02 Dec 2014 12:33:34 -0800
Tom Kaneshige, *CIO*, 1 Dec 2014
CIOs naturally want a BYOD policy in place to give them some level of
control, but the reality is that employees will do whatever they want
regardless of the policy.

New Snowden docs: GCHQ's ties to telco gave spies global surveillance reach (Sean Gallagher)

*Dewayne Hendricks* <>
Tuesday, November 25, 2014
Sean Gallagher, *Ars Technica*, 25 Nov 2014
Access through partners such as Cable & Wireless pulls in gigabits globally.

Documents reportedly from the Edward Snowden cache show that in 2009, GCHQ
(and by association, the NSA) had access to the traffic on 63 submarine
cable links around the globe. The cables listed handle the vast majority of
international Internet traffic as well as private network connections
between telecommunications providers and corporate data centers.

According to a report in the German newspaper Süddeutsche Zeitung, the
telecommunications company Cable & Wireless—now a subsidiary of Vodafone
-- actively shaped and provided the most data to GCHQ surveillance programs
and received millions of pounds in compensation.

The relationship was so extensive that a GCHQ employee was assigned to work
full-time at Cable & Wireless (referred to by the code-name Gerontic in NSA
documents) to manage cable-tap projects in February of 2009. By July of
2009, Cable & Wireless provided access to 29 out of the 63 cables on the
list, accounting for nearly 70 percent of the data capacity available to
surveillance programs.

A Vodafone spokesperson did not deny the details when questioned by
Süddeutsche Zeitung but said that any taps were performed legally under a

The cable access wasn't just used for surveillance—it was also used to
pipe back data pulled from other networks through Computer Network
Exploitation (CNE) operations to populate Incenser (a GCHQ special source
collection system) running in a data center at GCHQ's signals collection
center at Bude in Cornwall.

One of the networks that was targeted by a CNE hack and accessed over Cable
& Wireless capacity, according to an NSA slide, was the Fiber-Optic Link
Around the Globe (FLAG), a global network operated by the Indian
telecommunications company Reliance Communications' subsidiary, Global Cloud
Xchange. The FLAG network's connections span the globe, with
landing points in the US, Europe, North Africa, the Saudi Peninsula, India,
Malaysia, China, Taiwan, South Korea, and Japan. [...]

NSA subverts GSM standards processes with vulnerabilities (Ryan Gallagher)

Henry Baker <>
Thu, 04 Dec 2014 11:40:21 -0800
Ryan Gallagher, *First Look*, 04 Dec 2014
Operation Auroragold: How the NSA Hacks Cellphone Networks Worldwide
The NSA continues to introduce vulnerabilities into GSM systems worldwide.

In March 2011, two weeks before the Western intervention in Libya, a secret
message was delivered to the National Security Agency.  An intelligence unit
within the U.S. military's Africa Command needed help to hack into Libya's
cellphone networks and monitor text messages.

For the NSA, the task was easy. The agency had already obtained technical
information about the cellphone carriers' internal systems by spying on
documents sent among company employees, and these details would provide the
perfect blueprint to help the military break into the networks.

The NSA's assistance in the Libya operation, however, was not an isolated
case.  It was part of a much larger surveillance program—global in its
scope and ramifications—targeted not just at hostile countries.

According to documents contained in the archive of material provided to The
Intercept by whistleblower Edward Snowden, the NSA has spied on hundreds of
companies and organizations internationally, including in countries closely
allied to the United States, in an effort to find security weaknesses in
cellphone technology that it can exploit for surveillance.

The documents also reveal how the NSA plans to secretly introduce new flaws
into communication systems so that they can be tapped into—a
controversial tactic that security experts say could be exposing the general
population to criminal hackers.

Codenamed AURORAGOLD, the covert operation has monitored the content of
messages sent and received by more than 1,200 email accounts associated with
major cellphone network operators, intercepting confidential company
planning papers that help the NSA hack into phone networks.

  [Long item truncated for RISKS. PGN]

'Regin' malware comes from western intelligence agency, say experts

*Brian Randell* <>
Tuesday, November 25, 2014
The (UK) Guardian:

Usual suspects—Russia and China thought to be in the clear as attention
focuses on US, UK and Israeli agencies.  Symantec said the Regin malware was
likely developed by a nation-state.  But which one?

Regin is the latest malicious software to be uncovered by security
researchers, though its purpose is unknown, as are its operators. But
experts have told the Guardian it was likely spawned in the labs of a
western intelligence agency.

None of the targets of the Regin hackers reside on British soil, nor do any
live in the US. Most victims are based in Russia and Saudi Arabia—28% and
24% respectively.

Ireland had the third highest number of targets - 9% of overall detected
infections. The infection list doesn't include any Five Eyes countries
-- Australia, Canada, New Zealand, the UK and the US.

“We believe Regin is not coming from the usual suspects. We don't think
Regin was made by Russia or China,'' Mikko Hypponen, chief research officer
at F-Secure, told the Guardian. His company first spied Regin hiding on a
Windows server inside a customer's IT infrastructure in Northern Europe.

Only a handful of countries are thought capable of creating something as
complex as Regin. If China and Russia are ruled out, that would leave the
US, UK or Israel as the most likely candidates.  “There are no other
countries I can think of,'' said F-Secure researcher Sean Sullivan, when
*The Guardian* put this suggestion to him.

Full story at:

The triumph of hope—or hype?—over experience

"Robert L Wears, MD, MS, PhD" <>
Thu, 04 Dec 2014 07:18:41 -0500
Yet another techno-fantasy disaster—after 15 years, $16 billion CAD, a
province-wide EMR system is a disaster and should be thrown out and redone
from scratch.  The risks reported here were only (!) financial—no telling
what risks may have been borne by patients and workers from poorly designed,
dysfunctional systems.  But, the technocratic wish is so strong, hospitals
and governments are mindlessly rushing forward anyway.  *The Montreal

Robert L Wears, University of Florida,  1-904-244-4405 (ass't)
Imperial College London, +44 (0)791 015 2219

The Trolls Among Us (Anne Applebaum)

Monty Solomon <>
Sun, 30 Nov 2014 11:53:42 -0500
If you want to comment on this article, you shouldn't be allowed to be

Anne Applebaum, *Slate*, 28 Nov 2014

This Net was Made for You and Me ??? (Julian Assange)

Henry Baker <>
Thu, 04 Dec 2014 11:45:26 -0800
  [FYI—Perhaps not.  HB]

Who Should Own the Internet?  Julian Assange on Living in a Surveillance
Society, *The New York Times*, 4 Dec 2014

It is now a journalistic cliché to remark that George Orwell's *1984* was
`prophetic'.  The novel was so prophetic that its prophecies have become
modern-day prosaisms. Reading it now is a tedious experience.  Against the
omniscient marvels of today's surveillance state, Big Brother's fixtures --
the watchful televisions and hidden microphones—seem quaint, even

Everything about the world Orwell envisioned has become so obvious that one
keeps running up against the novel's narrative shortcomings.

I am more impressed with another of his oracles: the 1945 essay *You and the
Atomic Bomb*, in which Orwell more or less anticipates the geopolitical
shape of the world for the next half-century.  “Ages in which the dominant
weapon is expensive or difficult to make will tend to be ages of despotism,
whereas when the dominant weapon is cheap and simple, the common people have
a chance ... A complex weapon makes the strong stronger, while a simple
weapon—so long as there is no answer to it—gives claws to the weak.''

  [Long item truncated for RISKS.  PGN]

I thought fleeting messages were bad

Dan Jacobson <>
Sun, 30 Nov 2014 22:13:25 +0800
I thought fleeting messages were bad. You know, the kind that assume you are
still in front of your computer and your eyes also just happen to be glued
to that spot on the screen and then disappear in one second.

But now I read :

Sell, who "berated an FBI agent who asked her to install a backdoor into
Wickr," reportedly "prides herself on the fact that Wickr is designed by
professional cryptographers and that it knows absolutely nothing about its
users."  The firm "spent years designing the most fleeting message on the
market," stated Time Magazine, noting that messages are instantly "scrambled
by military-grade encryption technology"...

Re: Recent RISKS Problematic Posts

Martin Ward <>
Sat, 29 Nov 2014 11:33:58 +0000
 >> Subject: House Republicans just passed a bill forbidding
 >> scientists from advising the EPA on their own research

 > ... The government should seek and require peer review of funding done by
 > people that aren't funded to do that research by the government. ...

The purpose of tenure is to ensure that even though the scientist is funded
by the government, the government has no influence on the scientist's work,
and the scientist's work has no impact on their funding. This allows the
scientist to be unbiased, and therefore give unbiased advice to the
EPA. (This means that the vast majority of scientists should be given
tenure: which is unfortunately not the case).

On the other hand, a "think tank" of lobbyists funded by oil companies in
order to push their agenda *cannot* be independent: their jobs depend on
presenting a certain point of view.  When the politicians (who are also
funded by the same oil companies) pass a bill forbidding the scientists from
advising the EPA, while at the same time allowing the lobbyists to advise
the EPA, it is clear that there is a problem.

 >> Subject: The safest computers are iPhones and iPads (Galen Gruman)
 >> But rarely do you see smartphones and tablets in these reports. Why?
 >> Because they're more secure than computers and data centers.
 > Bingo - the jackpot in poor reasoning.

This one I agree with.  Why do thieves rob banks?  It's not because banks
are less secure than other places, but "because that's where the money is."

Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering

Re: "Silicon Valley's combination of power and irresponsibility

Chris Drewe <>
Sun, 30 Nov 2014 21:14:28 +0000
Recent RISKS have highlighted increasing tensions between Internet
businesses and governments.  For a British take, here are some excerpts
from an article in last week's *Telegraph* on the topic.

  The problem in this case, however, is not what Facebook shows us, but what
  we put up there ourselves. Playing host to all human life means,
  unfortunately, that you get exactly that—all human life, including the
  criminals, terrorists, racists and lunatics. ...  Facebook's argument has
  always been that it can't, and shouldn't, be held responsible for what its
  users post. And there's certainly something to that.  Keeping tabs on more
  than a billion people would be a huge technical challenge.  ...  Building
  a proper system of surveillance would require enormous resources, involve
  huge intrusion into our privacy, and throw up all manner of false
  positives.  In short, it is not just impractical, but probably impossible.

  But while this argument is valid, it is also enormously convenient. It
  allows the company to keep its customer services team—the number of
  people devoted to interacting with other human beings, with all the mess
  that involves—as small as possible, thereby raising profit margins and
  ensuring that most of its staff can get on with doing cool things with
  code. And it also allows it to wash its hands of the social consequences
  of the software it produces. ...  David Cameron is saying, in effect, that
  Facebook must use its enormous power wisely and responsibly—or the
  state will step in to ensure that it does. Facebook is saying that it is a
  tool of its users, not of governments. The old order is asserting itself
  against the new, and the new against the old. Even if an accommodation is
  eventually reached on this particular issue, it is a racing certainty that
  they will clash again.

IMHO I feel that this is a difference between European and American
cultures.  What seems to be wanted is for social networking sites to be
fully moderated and only accessible to vetted registered users, which would
probably virtually kill them, but European governments may well regard this
as an acceptable outcome.

[Chris also noted this article.  Included entire text removed for RISKS.  PGN]

Robert Colvile, *The Telegraph*, 27 Nov 2014
Why the [UK] Government has unfriended Facebook
The Lee Rigby case has brought the simmering tension between Silicon Valley
and the state out into the open.

Re: Uber's Underhanded App reporting data back w/o permission (Blain, RISKS-28.39)

GMS <>
Sat, 29 Nov 2014 08:25:24 -0500
... and when you read the blog followups, you will find a big
discussion of fact and conjecture, including the link
-- which dismantles the whole issue.

1247 Fort Miller Road, Fort Edward, NY 12828,   +1 518 695 4794
