The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 42

Friday 19 December 2014

Contents

Drone blimps over Washington DC
Marc Rotenberg
PGN
Interesting slip from *The NYTimes* on Sony and North Korea?
Sanger/Perlroth via Prashanth Mundkur
From thehill.com: FBI accuses North Korea of hack
Armando Stettner
ICANN e-mail accounts, zone database breached in spearphishing attack
Dan Goodin via Werner U
Ars Technica public stmt and reaction to hack on 14 Dec ...
Werner U
"Misfortune Cookie" CVE-2014-9222
Bob Gezelter
"12 million home and business routers vulnerable to critical hijacking hack"
Dan Goodin via Gene Wirchenko
German Researchers Discover a Flaw That Could Let Anyone Listen to Your Cell Calls
Craig Timberg
SS7 hackdoors allow ANYONE to listen to your calls
Henry Baker
"Microsoft vs. DoJ: The battle for privacy in the cloud"
Simon Phipps via Gene Wirchenko
LU Wei editorial in the *HuffPost*
Dave Farber
Public Reactions to Snowden
Bruce Schneier
FBI Agents Pose as Repairmen to Bypass Warrant Process
Bruce Schneier
After Silk Road takedowns, Dark Web drug sites still thriving
Cyrus Farivar via Dewayne Hendricks
Emergency? DNS TTL < 6 months?
Henry Baker
Re: SmartDriver: a 16-year-old can see the risks
Bob Frankston
Re: Lenovo recalls more than 500,000 power cords due to spark, burn risk
Morten Welinder
Re: "Your cell phone number: To give or not to give"
John Levine
David E. Ross
Kelly Bert Manning
Info on RISKS (comp.risks)

Drone blimps over Washington DC

Marc Rotenberg <alert@epic.org>
Fri, 19 Dec 2014 11:52:46 -0500
Excerpt from the EPIC Alert 21.24, 19 Dec 2014
Electronic Privacy Information Center (EPIC), Washington, DC
     http://www.epic.org/alert/epic_alert_21.24.html

On Friday, December 19, 2014, the U.S. Army will deploy drone surveillance
blimps just north of the nation's capital. The surveillance blimp system,
known as "JLENS," is comprised of two 250-foot blimps. As deployed in Iraq,
one blimp contains aerial and ground surveillance technology that covers a
340-mile range, while the other has targeting capability including HELLFIRE
missiles. The surveillance blimps fly as high as 10,000 feet and can remain
operational for up to 30 days straight.

The JLENS system is manufactured by defense contractor Raytheon.  Raytheon
has tested the JLENS system with the company's MTS-B Multi-Spectral
Targeting System. The MTS-B offers long-range video surveillance that allows
the real-time tracking of moving targets, including vehicles and persons, on
the ground.

Earlier in 2014, EPIC filed a Freedom of Information Act lawsuit to gain
more information about the JLENS system. EPIC asked the Army for technical
specifications as well as any policies limiting domestic surveillance.
EPIC's goal in the FOIA request and subsequent FOIA lawsuit is to determine
what surveillance data the Army plans to collect during the three-year JLENS
test, as well as how the Army plans to process, store, redact or delete
data.

Preliminary documents obtained by EPIC suggested that the blimps would be
equipped with video surveillance, though the Army since has claimed that
video surveillance will not be deployed. However, documents obtained by EPIC
in another FOIA case demonstrate that Customs and Border Protection is
operating surveillance blimps with video surveillance. Raytheon also has
demoed a video surveillance upgrade for the JLENS system.

EPIC has urged Congress to establish privacy safeguards for aerial
drones. EPIC also recommended requiring notice of all drone surveillance
policies through the Administrative Procedure Act.

The Freedom of Information Act lawsuit is EPIC v. Army, No. 14-776
(D.D.C. filed May 6, 2014).

Raytheon:  JLENS
    http://www.raytheon.com/capabilities/products/jlens/

EPIC:  FOIA Request to Dept. of Army re: JLENS (Nov. 1, 2013)
    http://epic.org/foia/army/FOIA-Request.pdf

EPIC:  Complaint v. Dept. of Army (May 6, 2014)
    http://epic.org/foia/army/Complaint.pdf

EPIC:  Testimony before Congress re: Drone Privacy (Jul. 12, 2012)
    http://www.epic.org/privacy/testimony/EPIC-Drone-Testimony-7-12.pdf

CBP:  Privacy Assessment on Aerial Surveillance (Aug. 29, 2014)
    http://epic.org/redirect/121914-cpb-aerial.html

EPIC:  EPIC v. Army – Surveillance Blimps
    https://epic.org/foia/army/

EPIC:  Spotlight on Surveillance - Eyes in the Sky (Oct. 2014)

https://epic.org/privacy/surveillance/spotlight/1014/drones.html#_ftn

EPIC: Unmanned Aerial Vehicles (UAVs) and Drones
    https://epic.org/privacy/drones/

Current and back issues are available at: http://www.epic.org/alert


Drone blimps over Washington DC

<"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 19 Dec 2014 10:26:54 PST
Perhaps someone has had second thoughts about having a remotely programmable
drone system capable of launching HELLFIRE missiles aimed at our own
buildings or even people in Washington DC, as a result of attackers who had
been able to subvert the presumably not-secure-enough computer systems and
networks?  However, if certain government folks tell us that it the system
is totally impervious to attack and adequately secure against subversion,
misuse, and denial of service attacks—*perhaps because it has been
designed and operated by experts*—RISKS readers will know better.  The
Manchurian blimp?


Interesting slip from *The NYTimes* on Sony and North Korea?

Prashanth Mundkur <prashanth.mundkur@gmail.com>
Thu, 18 Dec 2014 21:08:10 -0800
David E. Sanger and Nicole Perlroth, New York Times, Dec. 17, 2014
http://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html

  It is not clear how the United States determined that Mr. Kim's government
  had played a central role in the Sony attacks.  North Korea's computer
  network has been notoriously difficult to infiltrate.  But the National
  Security Agency began a major effort four years ago to penetrate the
  country's computer operations, including its elite cyberteam, and to
  establish `implants' in the country's networks that, like a radar system,
  would monitor the development of malware transmitted from the country.

Rather amazing that *The NYTimes* is reporting clear as day that the NSA is
targeting an entire country's computer network.  For a change, something
that is almost surely *not* from a Snowden document?


From thehill.com: FBI accuses North Korea of hack

"Armando Stettner" <aps@stettner.com>
Dec 19, 2014 1:03 PM
  [From Dave Farber]

http://thehill.com/policy/cybersecurity/227689-fbi-official-blames-north-korea-for-sony-hack

The FBI officially blamed North Korea in the cyberattack that has
devastated Sony Pictures Entertainment, damaging the studio's reputation,
costing it millions of dollars and causing it to cancel the release of its
controversial comedy,  *The Interview*

The attack is unprecedented, the FBI said in a release.  “The destructive
nature of this attack, coupled with its coercive nature,sets it apart.''

The hack has been referred to as the first successful, large-scale
destructive cyberattack on a U.S. company (Sony Pictures Entertainment is an
American subsidy of a Japanese multinational conglomerate, Sony). The
hackers not only stole data, but permanently deleted files on Sony's
servers. They later threatened 9/11-style attacks on any theater that
screened *The Interview,* which depicts a fictional assassination of North
Korean leader Kim Jong-un.

The FBI confirmed rampant speculation that the attack's methods tied it
back to the reclusive East Asian regime.

“Technical analysis of the data deletion malware used in this attack
revealed links to other malware that the FBI knows North Korean actors
previously developed,'' the bureau said in a release.

“The FBI also observed significant overlap between the infrastructure used
in this attack and other malicious cyber activity the U.S. government has
previously linked directly to North Korea,'' it said.

Specifically, the FBI linked the tools used in the Sony hit to a round of
North Korean cyberattacks on South Korean bands and media companies in March
2013.

While the bureau stopped short of calling the action a terrorist attack or
act of war—as many lawmakers have over the past few days—it did have
strong words for Pyongyang.

FBI: “North Korea's actions were intended to inflict significant harm on a
U.S.  business and suppress the right of American citizens to express
themselves.  Such acts of intimidation fall outside the bounds of acceptable
state behavior.''


ICANN e-mail accounts, zone database breached in spearphishing attack (Dan Goodin)

Werner U <werneru@gmail.com>
Thu, 18 Dec 2014 20:59:22 +0100
Dan Goodin, Ars Technica, 17 Dec 2014
Password data, other personal information of account holders exposed.
<http://arstechnica.com/security/2014/12/icann-e-mail-accounts-zone-database-breached-in-spearphishing-attack/>

Unknown attackers used a spearphishing campaign to compromise sensitive
systems operated by the Internet Corporation for Assigned Names and Numbers
(ICANN), a coup that allowed them to take control of employee e-mail
accounts and access personal information of people doing business with the
group.

ICANN, which oversees the Internet's address system, said in a release
published Tuesday <https://www.icann.org/news/announcement-2-2014-12-16-en>
that the breach also gave attackers administrative access to all files
stored in its centralized zone data system <https://czds.icann.org/en>, as
well as the names, postal addresses, e-mail addresses, fax and phone
numbers, user names, and cryptographically hashed passwords of account
holders who used the system. Domain registries use the database to help
manage the current allocation of hundreds of new generic top level domains
(gTLDs) currently underway. Attackers also gained unauthorized access to
the content management systems of several ICANN blogs.

"We believe a 'spear phishing' attack was initiated in late November 2014,"
Tuesday's press release stated. "It involved email messages that were
crafted to appear to come from our own domain being sent to members of our
staff. The attack resulted in the compromise of the email credentials of
several ICANN staff members."

Earlier this month, ICANN officials discovered the compromised credentials
were used to gain unauthorized access to the zone data system. Other
compromised systems included the ICANN GAC Wiki
<https://gacweb.icann.org/display/gacweb/Governmental+Advisory+Committee>,
where attackers were able to view a members-only index page and one
individual user's profile page; the ICANN Whois information portal
<http://whois.icann.org/>; and the ICANN blog <http://blog.icann.org/>.  The
most sensitive information exposed appears to be the personal information of
account holders of the centralized zone system. ICANN recommended holders
immediately change their accounts passwords...

As the group controlling the Internet's domain name system, ICANN is a
prime target for all kinds of attacks from hackers eager to obtain data
that can be used to breach other targets. Tuesday's advisory warning that
several employees were successfully breached should come as a wake up call
to similar groups and serve as a reminder of just how hard it is to prevent
social-engineering attacks.


Ars Technica public stmt and reaction to hack on 14 Dec ...

Werner U <werneru@gmail.com>
Thu, 18 Dec 2014 20:22:21 +0100
 Ars was briefly hacked yesterday; here's what we know
<http://arstechnica.com/staff/2014/12/ars-was-briefly-hacked-yesterday-heres-what-we-know/>
Readers, please change your passwords.
by Ars Staff - Dec 16, 2014 9:52 pm UTC
(If you have an account on Ars Technica, please change your password
today. See below for more details.)

At 20:00 CT on December 14, an Internet intruder gained access to one of the
Ars Web servers and spent the next hour attempting to get from the Web
server to a more central machine. At 20:52, the attempt was successful
thanks to information gleaned from a poorly located backup file. The next
day, at 14:13, the hacker returned to the central server and replaced the
main Ars webpage with a defacement page that streamed a song from the band
Dual Core. That song, "All the Things
<http://dualcoremusic.bandcamp.com/album/all-the-things>," features the
chorus:

Drink all the booze,
hack all the things!

The hacker didn't have long to drink all the booze and hack all the things,
fortunately; by 14:29, our technical team had removed the defaced page and
restored normal Ars operations. We spent the afternoon changing all internal
passwords and certificates and hardening server security even further.

Log files show the hacker's movements through our servers and suggest that
he or she had the opportunity to copy the user database. This database
contains no payment information on Ars subscribers, but it does contain user
e-mail addresses and passwords. Those passwords, however, are stored in
hashed form (using 2,048 iterations of the MD5 algorithm and salted with a
random series of characters). ...

  [NOTE the interesting discussion in the "PROMOTED COMMENTS" about MD5+salt
  encrypted passwords in the user database.]


"Misfortune Cookie" CVE-2014-9222

"Bob Gezelter" <gezelter@rlgsc.com>
Thu, 18 Dec 2014 10:46:24 -0700
Paraphrasing a blog entry on the vulnerability, "Misfortune Cookie" is
believed to afflict 12 million devices in 189 countries. The vulnerability
is a bug in the web server component RomPager from AllegroSoft, used by
many hardware vendors for embedded devices, including SOHO routers.
Reportedly, the weakness would allow an attacker to subvert the firewall,
exposing credentials and interior systems to attack.  A blog entry going
into more detail is at:
http://blog.norsecorp.com/2014/12/18/millions-at-risk-from-misfortune-cookie-soho-router-vulnerability/
Bob Gezelter, http://www.rlgsc.com


"12 million home and business routers vulnerable to critical hijacking hack"

Gene Wirchenko <genew@telus.net>
Fri, 19 Dec 2014 09:45:33 -0800
Dan Goodin - 18 Dec 2014
Bug exposes user data, as well as computers, Web cams, and other
connected devices.
http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vulnerable-to-critical-hijacking-hack/


German Researchers Discover a Flaw That Could Let Anyone Listen to Your Cell Calls (Craig Timberg)

"ACM TechNews" <technews@hq.acm.org>
Fri, 19 Dec 2014 11:45:34 -0500 (EST)
  [PGN-Excerpted from ACM TechNews, Friday, December 14, 2014]

(Craig Timberg, *The Washington Post*, 18 Dec 2014)

German researchers have discovered security flaws that could enable hackers,
spies, and criminals to listen to private phone calls and intercept text
messages.  This revelation is just the most recent indication of widespread
insecurity on the SS7 network.  The flaws are actually functions built into
SS7 for other purposes that hackers can repurpose for surveillance because
of the lax security on the network.  Although researchers did not find
evidence that their latest discoveries have been marketed to governments on
a widespread basis, vulnerabilities publicly reported by security
researchers often turn out to be tools long used by secretive intelligence
services, such as the U.S. National Security Agency or Britain's GCHQ, but
not revealed to the public.  The researchers found two distinct ways to
eavesdrop on calls using SS7 technology.  In the first, commands sent over
SS7 could be used to hijack a cellphone's forwarding function.  In the
second technique, hackers would use radio antennas to collect all the calls
and texts passing through the airwaves in an area.  The researchers also
discovered new ways to track the locations of cellphone users through SS7.
In addition, they found it was possible to use SS7 to learn the phone
numbers of people whose cellular signals are collected using surveillance
devices.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d259x2c39bx062021&


SS7 hackdoors allow ANYONE to listen to your calls

Henry Baker <hbaker1@pipeline.com>
Thu, 18 Dec 2014 16:14:00 -0800
FYI—“When I really need a confidential conversation, I use a
fixed-line''—which shows how clueless this politician is (SS7 is used for
ALL phone calls, fixed-line OR wireless).

https://en.wikipedia.org/wiki/Signalling_System_No._7
http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/


"Microsoft vs. DoJ: The battle for privacy in the cloud" (Simon Phipps)

Gene Wirchenko <genew@telus.net>
Wed, 17 Dec 2014 10:58:40 -0800
Simon Phipps, InfoWorld, 17 Dec 2014
Is a U.S. warrant enough to force an American company to breach privacy laws
abroad? Microsoft with the support of friends and foes
alike, says no.
http://www.infoworld.com/article/2859897/internet-privacy/microsoft-vs-doj-the-battle-for-privacy-in-the-cloud.html

selected text:

To put it more succinctly, the position Microsoft and so many others are
opposing "argues that, unlike your letters in the mail, emails you store in
the cloud cease to belong exclusively to you. Instead, according to the
government, your emails become the business records of a cloud provider."

This is a fundamentally important case for cloud computing, so it's no
surprise to see OpenStack cornerstones HP and Rackspace standing
shoulder-to-shoulder with their competitor. It's also fundamentally
important to digital rights globally, which is why the EFF and the ACLU are
joined by Digital Rights Ireland and the U.K.'s Open Rights Group (of which
I am a director). Let's hope the Supreme Court can see past the technical
and business details to the real issue—the privacy of the citizens of
every country where America trades, as well as American citizens.


LU Wei editorial in the *HuffPost*

"Dave Farber via ip" <ip@listbox.com>
Wed, 17 Dec 2014 10:31:13 -0500
China's new cyber Czar, Minister LU Wei has a new editorial on the
HuffingtonPost of all places that emphasizes the need for "cyber
sovereignty" see below.

His remarks below are nearly identical to those he gave at the U.S.-China
Internet Industry Forum earlier this month in Washington D.C.
http://m.huffpost.com/us/entry/6324060


Public Reactions to Snowden

Bruce Schneier <schneier@schneier.com>
Tue, 16 Dec 2014 15:43:47 -0600
  https://www.schneier.com/blog/archives/2014/12/over_700_millio.html

There's a new international survey on Internet security and trust, of
"23,376 Internet users in 24 countries," including "Australia, Brazil,
Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India,
Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South
Africa, South Korea, Sweden, Tunisia, Turkey and the United States." Amongst
the findings, 60% of Internet users have heard of Edward Snowden, and 39% of
those "have taken steps to protect their online privacy and security as a
result of his revelations."

The press is mostly spinning this as evidence that Snowden has not had an
effect: "merely 39%," "only 39%," and so on. (Note that these articles are
completely misunderstanding the data. It's not 39% of people who are taking
steps to protect their privacy post-Snowden, it's 39% of the 60% of Internet
users—which is not everybody—who have heard of him. So it's much less
than 39%.)

Even so, I disagree with the "Edward Snowden Revelations Not Having Much
Impact on Internet Users" headline. He's having an enormous impact. I ran
the actual numbers country by country, combining data on Internet
penetration with data from this survey. Multiplying everything out, I
calculate that 706 million people have changed their behavior on the
Internet because of what the NSA and GCHQ are doing. (For example, 17% of
Indonesians use the Internet, 64% of them have heard of Snowden and 62% of
them have taken steps to protect their privacy, which equals 17 million
people out of its total 250-million population.)

Note that the countries in this survey cover only 4.7 billion out of a total
7 billion world population. Taking the conservative estimates that 20% of
the remaining population uses the Internet, 40% of them have heard of
Snowden, and 25% of those have done something about it, that's an additional
46 million people around the world.  [...]


FBI Agents Pose as Repairmen to Bypass Warrant Process

Bruce Schneier <schneier@schneier.com>
Mon, 15 Dec 2014 02:15:29 -0600
This is a creepy story. The FBI wanted access to a hotel guest's room
without a warrant. So agents broke his Internet connection, and then posed
as Internet technicians to gain access to his hotel room without a warrant.

> From the motion to suppress:

  The next time you call for assistance because the Internet service in your
  home is not working, the "technician" who comes to your door may actually
  be an undercover government agent.  He will have secretly disconnected the
  service, knowing that you will naturally call for help and—when he
  shows up at your door, impersonating a technician—let him in.  He will
  walk through each room of your house, claiming to diagnose the problem.
  Actually, he will be videotaping everything (and everyone) inside.  He
  will have no reason to suspect you have broken the law, much less probable
  cause to obtain a search warrant.  But that makes no difference, because
  by letting him in, you will have "consented" to an intrusive search of
  your home.

Basically, the agents snooped around the hotel room, and gathered evidence
that they submitted to a magistrate to get a warrant. Of course, they never
told the judge that they had engineered the whole outage and planted the
fake technicians.

This feels like an important case to me. We constantly allow repair
technicians into our homes to fix this or that technological thingy. If we
can't be sure they are not government agents in disguise, then we've lost
quite a lot of our freedom and liberty.

  [PGN-Excerpted from CRYPTO-GRAM, 15 Dec 2014.
  Incidentally that issue of CRYPTO-GRAM also has items on Regin,
  the AURORA attack, and the Sony hack.]

INSERT

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer and
otherwise. You can subscribe, unsubscribe, or change your address on the Web
at <http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an
internationally renowned security technologist, called a "security guru" by
The Economist. He is the author of 12 books—including "Liars and
Outliers: Enabling the Trust Society Needs to Survive"—as well as
hundreds of articles, essays, and academic papers. His influential
newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by
over 250,000 people. He has testified before Congress, is a frequent guest
on television and radio, has served on several government committees, and is
regularly quoted in the press. Schneier is a fellow at the Berkman Center
for Internet and Society at Harvard Law School, a program fellow at the New
America Foundation's Open Technology Institute, a board member of the
Electronic Frontier Foundation, an Advisory Board Member of the Electronic
Privacy Information Center, and the Chief Technology Officer at Co3 Systems,
Inc.  See <http://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Co3 Systems, Inc.


After Silk Road takedowns, Dark Web drug sites still thriving

"Dewayne Hendricks" <dewayne@warpspeed.com>
Dec 19, 2014 12:59 PM
Evolution sells drugs, guns, and more—but no “services related to murder.''
Cyrus Farivar, Ars Technica, 19 Dec 2914
http://arstechnica.com/business/2014/12/after-two-silk-road-takedowns-dark-web-drug-sites-still-thriving/

Over a year after the shuttering of the original Silk Road website and over
a month after the seizure of Silk Road 2 and other similar sites, the
sketchiest of Dark Web sites still persist.

According to a new report published Thursday from the Digital Citizens
Alliance (DCA), an advocacy group, Evolution Marketplace has long passed
Silk Road “as the largest illegal black market for drugs before the
takedown.'' Others include Agora Marketplace, Nucleus Marketplace, and a
number of smaller ones.

As of this week, Evolution has over 26,000 listings for drugs, weapons,
pornography, and more.

“Evolution Marketplace is a much different animal than Silk Road,'' Dan
Palumbo, the group's research director, said in a statement.  “They sell
weapons, stolen credit cards, and more nefarious items that were forbidden
on both versions of Silk Road. Silk Road sold a lot of dangerous things, but
operators drew the line at their version of `victimless crimes', i.e.. no
child pornography, weapons, or identity theft. Now, four of the top five
DarkNet Marketplaces sell weapons while three of the top five sell stolen
financial data. This is a darker DarkNet. It speaks to the challenge facing
law enforcement as they knock one set of bad actors offline, another comes
along with bigger and bolder intentions."

We have standards, after all(!)

Like the previous incarnations of Silk Road, Evolution (or `Evo' as it's
known to its users) requires Tor to use and boasts a slew of questionable
goods, all available for sale in bitcoins. Evo itself takes in between 2.5
and 4 percent of all transactions.  Signing up for the site takes just a few
moments --no e-mail address or anything else is even required. Ars decided
to create an account and take a dive into Evolution. (Like our previous
account on Silk Road 2, this reporter has created an account on Evolution
under the username `cfarivar', but has zero intention to purchase or sell
any items.)

In a look on Thursday, Ars found nearly 15,000 drug-related listings, by far
the most popular on the site: cocaine, methamphetamine, marijuana, and other
controlled substances were listed. Amongst other popular categories of
digital goods were various hacking guides, pirated software, and even
malware. A fake Colorado driver's license sells for just 0.257 bitcoins
($80). [...]


Emergency? DNS TTL < 6 months? Plan now for a post-DNS world

Henry Baker <hbaker1@pipeline.com>
Thu, 18 Dec 2014 15:50:47 -0800
Given

a) the recent ICANN attack;
b) the recent Sony attack;
c) the results of the recent Congressional election;
d) the attack by ATT/Verizon/etc. on "net neutrality";
e) the ongoing attack by MPAA/et al on "piracy"; and
f) the ongoing embarrassment of the NSA/GCHQ by Snowden;

it now appears that the current DNS system may have less than 6 months to
live, as the new Congress is poised to give all of these folks exactly what
they've paid handsomely for through campaign contributions over the past
many years.

The technologists of the Internet should be coming up with backup plans (and
backup programming) for a post-DNS world; or at least a DNS world in which
"root" is controlled by NSA/GCHQ/ATT/Verizon/Hollywood.

It would be far more difficult for this unholy alliance to destroy IPv4 or
IPv6, because that would require replacing every router in the world.  But
DNS is definitely on the bubble.

Forget about "certificate pinning"; all of the browsers will now have to
support multiple DNS mechanisms for different countries and different
"protection" (rackets?) domains.

It may be timely to utilize Tor ubiquitously, if only just for DNS lookup.

https://s3.amazonaws.com/s3.documentcloud.org/documents/1382881/250250989-comms-act-and-dmca-safe-harbor.pdf

"At the same time, even this narrow limitation on ISPs' immunity could have
the salutary effect of requiring ISPs to respond to takedown notices by DNS
lookups of pirate sites through the ISPs' own DNS servers, which is not
currently a general practice."

https://www.techdirt.com/articles/20141217/17533629473/mpaas-secret-plan-to-reinterpret-dmca-into-vast-censorship-machine-that-breaks-core-workings-internet.shtml

The MPAA's Secret Plan To Reinterpret The DMCA Into A Vast Censorship
Machine That Breaks The Core Workings Of The Internet

from the how-very-nice-of-them dept

Yes, all the attention these days about the Sony hack is on the decision to
not release The Interview, but it still seems like the big story to come out
of the hack is the sneaky plans of the MPAA in its bizarre infatuation with
attacking the Internet. We've already covered the MPAA's questionably cozy
relationship with state Attorneys General (to the point of both funding an
investigation into Google and writing documents for those AGs to send in
their names), as well as the continued focus on site blocking, despite an
admission that the MPAA and the studios still don't have the slightest clue
about the technology implications of site blocking.

Last week, TorrentFreak noted the various options that were under discussion
by the MPAA for blocking sites, and now The Verge has published more
information, including the analysis by MPAA's favorite hatchetmen lawyers at
Jenner & Block about how site blocking might work in practice [pdf] by
breaking DNS.

For years, actual technology experts have explained why DNS blocking is a
really bad idea, but the MPAA just can't let it go apparently. It's just,
this time, it's looking for ways to do it by twisting existing laws, rather
than by getting a new SOPA-like law passed.

To understand the plan, you have to first understand the DMCA section 512,
which is known as the safe harbor section, but which includes a few
different sections, with different rules applying to different types of
services. 512(a) is about "transitory digital network communications" and
basically grants very broad liability protection for a network provider who
isn't storing anything—but just providing the network. There are good
reasons for this, obviously. Making a network provider liable for traffic
going over the network would be a disaster for the Internet on a variety of
levels.

The MPAA lawyers appear to recognize this (though they make some arguments
for getting around it, which we'll get to in a follow-up post), but they
argue that a specific narrow attack via DMCA might be used to force ISPs to
break the basic Internet by disabling entries in their own DNS
databases. The trick here is twisting a different part of the DMCA, 512(d),
which is for "information location tools." Normally, this is what's used
against search engines like Google or social media links like those found on
Twitter. But the MPAA argues that since ISPs offer DNS service, that DNS
service is also an "information location tool" and... ta da... that's how
the MPAA can break DNS. The MPAA admits that there's an easy workaround for
end-users—using third-party DNS providers like OpenDNS or Google's DNS
service—but many users won't do that. And the MPAA would likely go after
those guys as well.

At the same time, even this narrow limitation on ISPs disabling immunity
could have the salutary effect of requiring ISPs to respond to takedown
notices by disabling DNS lookups of pirate sites through the ISPs' own DNS
servers, which is not currently a general practice. Importantly, the
argument for such a requirement need not turn on the Communications Act, but
can instead be based on the DMCA itself, which expressly limits ISPs'
immunity to each `separate and distinct' function that ISPs provide. See 17
U.S.C.  512(n). A reasonable argument can be made that DNS functionality
is an *information location tool* as contemplated by DMCA Section 512(d)
and, therefore, that ISPs are required, as a condition of the safe harbor,
to cease connecting users to known infringing material through their own DNS
servers. Should this argument hold—and we believe that it has a
reasonable prospect of success—copyright owners could effectively require
ISPs to implement a modest (albeit easily circumvented) form of DNS-based
site blocking on the basis of only a takedown notice rather than litigation.

In short, since DMCA takedown notices apply to "information location tools,"
but not to "transitory network communications," the MPAA would like to argue
that just the DNS lookup functionality is an information location tool --
and can thus be censored with just a takedown notice. This is both really
slimy (though brilliant in its nefariousness) and insanely dangerous for the
Internet and free speech. We see so many bogus DMCA takedowns of basic
content today, and here the MPAA is looking to effectively, and sneakily
expand that to whole sites by misrepresenting the law (badly).

DNS is not an "information location tool" in the sense of a search
engine. It's the core underpinning of how much of the Internet works. At no
point in the 16 years the DMCA has been around has anyone made an argument
that the DNS system was covered by the "information location tools"
definition. Because that's clearly not what it was written to cover. The
MPAA's lawyers (in this "confidential" memo) appear to recognize that this
argument doesn't fully make sense because of that, but they seem to think
it's worth a go:

To be sure, the argument is not guaranteed to succeed, as unlike a pointer
or hyperlink text, DNS provides a user's browser with specific information
(IP routing information) that the user has requested by other means
(alphanumeric Internet addresses), as opposed to providing the user with an
active interface allowing the user to request information online, as they
might from a clickable page of search results. But at least in the literal
sense, DNS appears to fit within the list of Section 512(d) functions and a
reasonable argument can be made that DNS is more like a directory than the
provision of routing and should be treated accordingly under the statute as
a Section 512(d) function rather than a Section 512(a) function.

Pushing this argument would raise many of the problems found with the
original DNS-breaking proposal in PIPA/SOPA. It would raise even more
serious questions about the First Amendment and prior restraint.
Effectively, it would be moving the definition of "information location
tool" down the stack, such that rather than requiring the removal of access
to the specific infringing content, it would require removal of access to an
entire site based on a single accusation of infringement. Someone uploaded
an infringing video to YouTube? Under this interpretation, the MPAA can
force Verizon to make YouTube disappear from the Internet for all users
relying on Verizon's DNS. The censorship implications are massive here,
especially with no court proceeding at all. This wouldn't require anything
in court—just a single takedown notice, of which copyright holders send
millions. Rather than sending all those notices to Google and getting them
delisted from search, copyright holders could turn the firehose towards
Verizon, AT&T and Comcast, and basically take down half the Internet on
their say so alone. Yes, sites could counternotice, but ISPs would have 10
business days in which they can keep sites off their DNS entirely.

The results would be insane.

And that doesn't even touch on the technical havoc this would wreak. As
we've noted earlier, the MPAA admits it's not clear on the technical
implications of this plan, but let's just point back to Paul Vixie's
discussion of how SOPA/PIPA would break the Internet by mucking with the
core DNS functionality, no matter how it was implemented.

What this goes back to is the core purpose of DNS, which is merely to
translate a URL into a numeric equivalent to connect. It's not an
information location tool for helping people "find" information—it's just
the basic plumbing of how the Internet works. It's how basically all pieces
of the Internet expect to work. If you put in a URL here, then DNS returns
the proper IP addresses to follow through there. Breaking that, effectively
fracturing the Internet, and creating a patchwork of different DNS systems
would create a huge list of problems not easily fixed.

And, yet, because the MPAA can't figure out how to adapt to the times, it
appears to be willing to give it a shot. Because, hey, it's better than
innovating.

250250989 Comms Act and DMCA Safe Harbor (PDF)
https://www.documentcloud.org/documents/1382881/250250989-comms-act-and-dmca-safe-harbor.pdf


Re: SmartDriver: a 16-year-old can see the risks (RISKS-28.40)

"Bob Frankston" <bob2-53@bob.ma>
17 Dec 2014 11:23:00 -0500
At the mercy of statistics ... again!

The larger point is that it is not about you—it is about you as a
statistic.  This relates challenge in explaining why racial discrimination
is a problem. You might be part of a group that is statistically more prone
to crime. Should that "fact" be used to penalize you? I put the word fact in
quotes because there are many measures that can be used and there is a
tendency to use correlations or statistics in the absence of understanding.
Should your arrest (but not conviction) record be used to judge you? After
all lots of arrests make you more likely to be a criminal ... or maybe just
look like someone who is the usual suspect.

As a society we need to have an understanding of the mindlessness of such a
dependence on numbers and the consequences as the assumptions become
increasingly remote from how the numbers are used.


Re: Lenovo recalls more than 500,000 power cords due to spark, burn risk (Paul via Wirchenko, RISKS-28.41)

Morten Welinder <mwelinder@gmail.com>
Thu, 18 Dec 2014 22:04:57 -0500
> We could laugh about this one—how could anyone get a power cord wrong?

By using modular design and forgetting Ohm's law.

If you design your power supply cable to be identical around the world
except for the wall plug—that's smart visual design, but poor engineering
design—then you end up with a US cable that needs to shed twice as much
heat as cables elsewhere.  110V versus 220V-ish gets you that.

I do note that Lenovo's recall was worldwide, though.  I wonder if they really
needed to.


Re: "Your cell phone number: To give or not to give" (RISKS-28.41)

"John Levine" <johnl@iecc.com>
17 Dec 2014 05:55:12 -0000
Dual SIM cellphones are pretty common, although for obvious reasons you're
never going to get one from a carrier.  (Try eBay.)  You could have one sim
with your regular month to month plan, and the other with a cheap prepaid
plan.

Google Voice numbers are free and can send and receive SMS messages.  I find
them a dandy way to make the two-factor crowd happy.


Re: "Your cell phone number: To give or not to give" (RISKS-28.41)

"David E. Ross" <david@rossde.com>
Wed, 17 Dec 2014 15:05:02 -0800
I, too, have encountered a few Web sites that request my cell phone number
when I login.  All but one of them gives me the option to indicate that I do
not have a cell phone.  I do not have one; but if I did, I would still
select that option.

The one exception is Yahoo, which requests my cell phone number at least
once a week.  I have exchanged E-mail with Yahoo support personnel, asking
how this could be stopped.  After several messages and replies, I learned
that Yahoo has no plans to end this annoying request.  My exchange of E-mail
messages can be seen abut 1/4 down the page at
<http://www.rossde.com/quips/index.html>.


Re: "Your cell phone number: To give or not to give" (RISKS-28.41)

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Thu, 18 Dec 2014 04:15:12 -0500 (EST)
In my case the question assumes a personal cell phone not in existence.

Having a cell phone is not mandatory, any more than having a land line phone
or a driver's license.

Never had a personal cell phone myself and don't plan to. Neither has my
wife or our youngest son. We live in a cell service reception and
transmission nearly dead area, among other reasons. I carry work cell phones
when I get paid to, and get paid for each incoming call, but at my home they
are no more useful than a pager. One employer even paid for a second home
phone modem / on call land line for more than a decade.

I am surprised that someone with an @telus.net email address would ask
this question, but Gene Wirchenko seemed to be quoting a USA article.
The USA is an international privacy backwater, compared to the Council
of Europe and Canada.

Most TELUS customers live in BC or Alberta, which have very similar PIPA
acts `Substantially Similar' to the National PIPEDA statute.  The Federal
PIPEDA Act applies to Federally Regulated Enterprises such as TELUS for
their operations within Canada. PIPEDA applies in Provinces that do not have
`Substantially Similar' Provincial Private Sector Privacy Statutes.
Inter-provincial commerce falls under PIPEDA.

Within Canada someone faced with a demand for excessive personal information
can simply point out that the demand is contrary to law and contact the
Relevant Privacy Commissioner if an enterprise or not for profit
organization persists with the demand.

www2.publicationsduquebec.gouv.qc.ca/dynamicSearch/telecharge.php?type=2&file=/P_39_1/P39_1_A.html

Section 9 of the Quebec privacy statue in effect since 1994 Jan 1 says: “No
person may refuse to respond to a request for goods or services or to a
request relating to employment by reason of the applicant's refusal to
disclose personal information except where
 (1) collection of that information is necessary for the conclusion or
     performance of a contract;
 (2) collection of that information is authorized by law; or
 (3) here are reasonable grounds to believe that the request is not lawful.
In case of doubt, personal information is deemed to be non-necessary.''

Trying to cobble together a contractual performance excuse such as texting
confirmations should at least get sharp questioning from Commissioners about
why Canada Post or email could not be used, and the number could only be
used for the purposes stated at the time it was collected from you. Function
Creep is not permitted without prior consent in Canada.

Customers can refuse to allow advertising to be folded in with monthly bank,
telephone or cable statements, and can prohibit marketing calls.  I got a
$100 credit the last time Shaw Cable ignored the Do Not Solicit flag on my
account in Shaw's Client database, but I had to complain to the Federal
Privacy Commissioner to get the attention of Shaw's Corporate Head of Legal
and collect my fee for the prohibited telemarketing calls and personalized
Canada Post mail. I followed the Robert Bulmash / Private Citizen
Inc. algorithm of serving Shaw with prior notice of my fee, in writing.

Shaw apologized, giving a variation on the "Rogue Marketer" story that Bell
Canada used when they got a $1.3 million fine from the CRTC.  You only get
one guess about who manages the Canadian Do No Call List for the CRTC.
Hiring someone else to make prohibited telemarketing calls does not buy you
a free pass in Canada.

www.crtc.gc.ca/eng/com100/2010/r101220.htm

There was discussion of having 2 line cell phones. Don't many cell phone
users have multiple phones with different numbers? There was a recent USA
Supreme Court case where Chief Justice John Roberts asked “what is your
authority'' in response to an appeal lawyer stating that carrying 2 or more
cell phones is not proof of criminality and is common. Sometimes folks in an
older generation just do not get it.

www.scientificamerican.com/article/how-many-cell-phones-does-it-take-to-arouse-a-supreme-court-justice-s-suspicion/
Isn't Call forwarding to a single cell phone another option?

Giving made up numbers, or a dial a prayer or similar, is a bad idea,
although some people would recognize a 555-0100 to 555-0199 phone number as
pure fiction for most area codes. Some times they just want something to
fill in the screen. I find that giving H0H 0H0 to sales clerks who ask for
my Postal Code speeds things up and makes my point without wasting their
time or mine. Most Canadians recognize that valid code, particularly around
XMAS.

An IT contractor who had a brief ~1990 tenure in the same office as me
objected to being placed in the Duty Analyst rotation. The first time
someone called the number he gave it turned out to be Dial a Prayer. That
did not work out well for him. Contractual Obligation not met.

Please report problems with the web pages to the maintainer

Top