The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 44

Tuesday 6 January 2015


Too many pilots can't handle an emergency
David Learmount via Chris Drewe
Brouhaha brewing over single-operator trains
Jay Ashworth
"Could e-voting be on its way in the UK?"
Andy Walker
Quick book recommendation
David Jefferson
How Laws Restricting Tech Actually Expose Us to Greater Harm
WiReD via Lauren Weinstein
Risks in Using Social Media to Spot Signs of Mental Distress
NYTimes via NNSquad
Indian government blocks dangerous websites like Github, Dailymotion, Pastebin
Vijay via Prashanth Mundkur
U.S. Social-Media Giants Are Resisting Russia Censors
WSJ via NNSquad
Low-risk 'worm' removed at hacked South Korea nuclear operator
Reuters via Richard I Cook
Iran expands 'smart' Internet censorship
Reuters via NNSquad
FBI Investigating Whether Companies Are Engaged in Revenge Hacking
Gabe Goldberg
Inadvertent Algorithmic Cruelty
Gabe Goldberg
Hackers claim they can copy fingerprints from photos
Bob Frankston
Toy Story and digital preservation
Mark Thorson
NSA has VPNs in Vulcan death grip--no, really, that's what they call it
Ars via Lauren Weinstein
Smart grid powers up privacy worries
David Perera via Henry Baker
Romanian version of EU cybersecurity directive allows warrantless access to data
Her Task Is to Wean the White House Off Floppy Disks
Julie Hirschfeld Davis quoting Megan J. Smith
Gogo issues fake HTTPS certificate to users visiting YouTube
I added grandma to a NSFW group
Dan Jacobson
Silicon Valley's Mirror Effect
Bob Frankston
The Biggest Security Threats We'll Face in 2015?
WiReD via Matthew Kruk
"Critical vulnerability in Git clients puts developers at risk"
Lucian Constantin via Gene Wirchenko
Norse Security IDs 6, Including Ex-Employee, As Sony Hack Perpetrators
slashdot via Lauren Weinstein
AP: Sony emails show a studio ripe for hacking
Lauren Weinstein
Sony's North Korea "comedy assassination" film available online
Lauren Weinstein
Re: ICANN e-mail accounts, zone database breached in spearphishing attack
John Levine
Re: dual-SIM cell phones
danny burstein
Re: Emergency? DNS TTL < 6 months?
Amos Shapir
Re: Lenovo recalls more than 500,000 power cords
Leonard Finegold
Chris Drewe
Info on RISKS (comp.risks)

Too many pilots can't handle an emergency (David Learmount)

Chris Drewe <>
Thu, 01 Jan 2015 18:41:45 +0000
David Learmount, *The Telegraph*, 31 Dec 2014

Opinion piece in today's newspaper (Dec 31st, 2014) about pilots'
overreliance on computers to fly aircraft may be of interest for RISKS.
This is in the context of the recent AirAsia flight QZ8501 loss, but it also
appears to figure in Air France flight 447 plunging into the Atlantic 5
years ago.  The article summarises an FAA study (published last year) called
'The Operational Use of Flight Path Management Systems', which says:

  The FAA working group established that today's pilots have a number of
  vulnerabilities. The prime one is that if the automatics fail, the pilots
  are no longer practised in managing without them. This leads pilots to
  lose confidence in their own traditional flying abilities, so when things
  go wrong they have a tendency to try to restore failed automatic systems
  when, in fact, they should be flying the aircraft to keep it safe.

Incidentally, I'm certainly no expert, but I'd always assumed that iced-up
pitot tubes (for air-speed indicators) were a pretty routine problem for

Brouhaha brewing over single-operator trains

Jay Ashworth <>
Mon, 22 Dec 2014 19:40:32 -0500 (EST)
I've been a regular reader of (and occasional contributor to) RISKS since
the early 80s.  In all that time, I'm not sure I have seen a proposal that
takes as insufficient a view of the real deployment arena as this one:

Even if we ignore for a moment the long-term proposal of people-free freight
trains, going from two people to one would seem to benefit exactly one group
of people: the railroads that have to pay the other half of their road

It's not exactly like a failure on a 5000-ton train pulled by a 400-ton
locomotive is small and has little effect on the Real World...

What does surprise me in this AP piece is that AAR appears in *favor*
of one-person crews.  I guess it represents the railroad owners, though.

Jay R. Ashworth, Ashworth & Associates, St Petersburg FL USA

  [By reverse induction, the railroad owners would undoubtedly love
  zero-person crews, where I presume Jay and many other RISKS readers would
  not.  PGN]

"Could e-voting be on its way in the UK?"

Andy Walker <>
Wed, 24 Dec 2014 21:33:05 +0000
A BBC Politics article at
asks the question in the Subject.  The Political and Constitutional Reform
Committee of MPs has recommended that the government should run online
voting pilots in the next parliament "with a view to all electors having the
choice of voting online at the 2020 general election".  According to the
article, a fellow campaigner is Lord Malloch Brown, a former minister who is
now chairing an e-voting technology company.  Unsurprisingly, Malloch Brown
claims that his company's machines "are much more secure than postal votes"
and are "very advanced, with high levels of encryption", and that "the
results can be registered and collated before hackers have time to break
into the systems".  Hmm.

At least some of the Committee seem to be clued up, but the fear has to be
that political issues will weigh more heavily than the security and other
problems that have so frequently surfaced in RISKS.

Andy Walker, Nottingham.

Quick book recommendation

David Jefferson <>
Wed, 24 Dec 2014 15:17:46 -0800
Here is a book I recommend to anyone interested in online voting: Kim
Zetter's Countdown to Zero Day: Stuxnet and the Launch of the World's First
Digital Weapon.

This book captures the zeitgeist of cyberattacks and cyberweapons better
than any other book I have come across.  It is technically accurate, but I
think extremely accessible to general audiences.  And it is a pretty
exciting and amazing story as well.  Although it does not even mention
Internet voting per se, you cannot read this book and fail to appreciate the
dangers that Internet voting would be vulnerable to.

Kim Zetter, of course, was an early journalist, and one of the best,
covering the voting wars a decade ago.

How Laws Restricting Tech Actually Expose Us to Greater Harm

Lauren Weinstein <>
Wed, 24 Dec 2014 20:25:42 -0800
Wired via NNSquad

  "And that's why the current regulatory paradigm for computers, inherited
  from the 16-year-old stupidity that is the Digital Millennium Copyright
  Act, needs to change. As things stand, the law requires that computing
  devices be designed to sometimes disobey their owners, so that their
  owners won't do something undesirable. To make this work, we also have to
  criminalize anything that might help owners change their computers to let
  the machines do that supposedly undesirable thing."

Risks in Using Social Media to Spot Signs of Mental Distress

Lauren Weinstein <>
Fri, 26 Dec 2014 20:52:52 -0800
*The New York Times* via NNSquad

  A week after the app was introduced on its website, more than 4,000 people
  had activated it, the Samaritans said, and those users were following
  nearly 1.9 million Twitter accounts, with no notification to those being
  monitored. But just about as quickly, the group faced an outcry from
  people who said the app, called Samaritans Radar, could identify and prey
  on the emotionally vulnerable—the very people the app was created to
  protect.  "A tool that 'lets you know when your friends need support' also
  lets you know when your stalking victim is vulnerable #SamaritansRadar," a
  Briton named Sarah Brown posted on Twitter. A week and a half after the
  app's introduction, the Samaritans announced it was reconsidering the
  outreach program and disabled the app.

Indian government blocks dangerous websites like Github, Dailymotion, Pastebin

Prashanth Mundkur <>
Wed, 31 Dec 2014 02:28:44 -0800
Vijay, Tech Worm, December 28, 2014

Anupam Saxena, Times of India, Dec 31, 2014

Tech Worm excerpt:

  Neither of the two blocks bode well with the Internet users of India,
  especially the developers and students. GitHub provides a very high
  performing platform for distributed revision control and source code
  management (SCM) functionality of Git as well as adding its own
  features. With its user friendly web-based graphical interface and desktop
  as well as mobile integration it is a go to tool for developers and
  computer science students.

U.S. Social-Media Giants Are Resisting Russia Censors (WSJ)

Lauren Weinstein <>
Sat, 27 Dec 2014 14:02:00 -0800
*Wall Street Journal* via NNSquad

    "Facebook Inc., Twitter Inc. and Google Inc. have started resisting
     Russian government orders to remove information about a rally next
     month in support of opposition leader Alexei Navalny, raising the
     prospect of a showdown over the Kremlin's efforts to control online

     In response to a request from Russian prosecutors, Roskomnadzor, the
     country's communications regulator, began issuing block orders for
     Russia just hours after the Moscow rally was publicized on social
     media late last week, officials said. Facebook honored the initial
     order last weekend and blocked a page promoting the event, but others
     were quickly created, attracting more attention."

Low-risk 'worm' removed at hacked South Korea nuclear operator

Richard I Cook MD <>
Wed, 31 Dec 2014 11:05:03 -0600

Excerpt: "Korea Hydro & Nuclear Power Co Ltd said it would beef up cyber
security by hiring more IT security experts and forming an oversight
committee, as it came in for fresh criticism from lawmakers following recent
hacks against its headquarters."

Comments: 1) What is a 'low risk' worm? 2) Hiring experts and forming
committees does not seem to this writer to be an effective strategy for
reducing risk.

Iran expands 'smart' Internet censorship

Lauren Weinstein <>
Sat, 27 Dec 2014 19:14:22 -0800
Reuters via NNSquad

  "The Islamic Republic has some of the strictest controls on Internet
  access in the world, but its blocks on U.S.-based social media such as
  Facebook, Twitter and YouTube are routinely bypassed by tech-savvy
  Iranians using virtual private networks (VPNs).  Under the new scheme,
  Tehran could lift its blanket ban on those sites and, instead, filter
  their content.  The policy appears to follow President Hassan Rouhani's
  push to loosen some social restrictions, but it was not clear if it would
  mean more or less Internet freedom. Iranians on Twitter expressed concern
  that, as part of the new policy, the government would try to block VPN
  access to such sites."

FBI Investigating Whether Companies Are Engaged in Revenge Hacking

Gabe Goldberg <>
Tue, 30 Dec 2014 13:10:59 -0500
The hacked are itching to hack back.

To read the entire article, go to

Hacking costs the global economy as much as $575 billion annually, according
to a study published in June by McAfee, a security-software maker owned by
Intel Corp. (INTC), and the Center for Strategic & International Studies.

...certainly an objective observer. (Not)

Inadvertent Algorithmic Cruelty

Gabe Goldberg <>
Sun, 28 Dec 2014 17:20:06 -0500
Author says: I didn't go looking for grief this afternoon, but it found me
anyway, and I have designers and programmers to thank for it.  In this case,
the designers and programmers are somewhere at Facebook.

...different sort of risk from the usual.

Gabriel Goldberg, Computers and Publishing, Inc.
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433

Hackers claim they can copy fingerprints from photos

"Bob Frankston" <>
30 Dec 2014 12:06:46 -0500
As the resolution of photos increases and burst shots become common .

Toy Story and digital preservation

Mark Thorson <>
Mon, 22 Dec 2014 14:03:04 -0800
Here's an article about digital preservation, but what I find astounding is
that when they made the DVD version of Toy Story, they had to make it from a
film print because the digital files were unreadable.  How could anybody be
so incompetent as to allow millions of dollars worth of digital IP to become

Sure, I've lost a few files, but never anything important.
I keep backups of the important stuff.

NSA has VPNs in Vulcan death grip--no, really, that's what they call it

Lauren Weinstein <>
Tue, 30 Dec 2014 09:59:39 -0800
Ars via NNSquad

  "The National Security Agency's Office of Target Pursuit (OTP) maintains a
  team of engineers dedicated to cracking the encrypted traffic of virtual
  private networks (VPNs) and has developed tools that could potentially
  uncloak the traffic in the majority of VPNs used to secure traffic passing
  over the Internet today, according to documents published this week by the
  German news magazine Der Spiegel.  A slide deck from a presentation by a
  member of OTP's VPN Exploitation Team, dated September 13, 2010, details
  the process the NSA used at that time to attack VPNs--including tools with
  names drawn from Star Trek and other bits of popular culture."

 - - -

Not really new, but confirmational. That's what intel agencies around
the world are paid to do—crack codes.

Smart grid powers up privacy worries (David Perera)

Henry Baker <>
Fri, 02 Jan 2015 08:37:16 -0800
FYI—Why are we doing this?  Why aren't we spending this money on putting
in rooftop solar & cutting the cord to the grid entirely?

David Perera, *Politico*, 1 Jan 15

The next Big Data threat to our privacy may come from the electricity we
consume in our homes.

Smart online power meters are tracking energy use—and that data may soon
be worth more than the electricity they distribute.

The Department of Energy is publishing in January the final draft of a
voluntary code of conduct governing data privacy for smart meters, 38
million of which have already been installed nationwide.  The meters gather
information about household electricity consumption and transmit it
wirelessly at regular intervals to the supplier.  It's a key element in the
push for the so-called smart grid, a more efficient way to distribute the
nation's electricity.

But, despite the voluntary code, critics fear consumers will still be
cajoled or conned into giving up their data, not just to power companies but
to third-party data aggregators.  Too much money is at stake, they say.  And
the huge profits to be made could upend the business model of energy
utilities.  [...]

Romanian version of EU cybersecurity directive allows warrantless access to data

Lauren Weinstein <>
Fri, 26 Dec 2014 15:46:09 -0800
IT World via NNSquad

  "More than a dozen Romanian non-governmental organizations are protesting
  new cybersecurity legislation passed by the parliament last week that
  would force businesses to provide the country's national intelligence
  agencies with access to their data without a court warrant. The law could
  also impact businesses from Europe and beyond, as Romania is a hub for IT
  outsourcing and software development. Many multinational corporations
  including Amazon, Microsoft, Adobe Systems, Siemens and Intel have
  research and development centers in the country."

Her Task Is to Wean the White House Off Floppy Disks (Julie Hirschfeld Davis quoting Megan J. Smith)

Lauren Weinstein <>
Sun, 4 Jan 2015 09:15:41 -0800
Julie Hirschfeld Davis, *The New York Times*, 3 Nov 2015, via NNSquad

  Megan J. Smith advised President Obama on the technological issues before
  his decision late last year to come out strongly in favor of a free and
  open Internet, including making sure that Mr. Obama heard from Vinton
  G. Cerf, Google's vice president and one of the chief architects of the
  Internet, and Tim Berners-Lee, the inventor of the World Wide Web.
  "Having the engineering voice saying, 'This is how the technology works,'
  was very important," she said.

 - - -

I would add that in my experience, so long as you don't talk down to them,
most people are interested in the reality of how these systems work and how
that impacts their views of the associated policy issues.  Explaining in
ways non-techies will understand is crucial!

Gogo issues fake HTTPS certificate to users visiting YouTube

Lauren Weinstein <>
Mon, 5 Jan 2015 13:51:36 -0800
Ars via NNSquad

  Mandatory HTTPS connections have long been the bane of people using
  so-called "captive-portal" Internet services offered by hotels and
  conferences. Typically, such services redirect first-time users to a terms
  of service page before they can browse the Internet. Those redirections
  often stall when users first try to visit encrypted webpages, creating a
  hugely frustrating problem for end users, broadband providers, and website
  operators alike. While this is a hard problem to solve, Gogo's current
  approach sets a bad precedent.  Promising not to monitor or collect
  sensitive data isn't the same thing as being unable to do it. The entire
  premise of HTTPS is at stake.

 - - -

Unacceptable. Period.

I added grandma to a NSFW group

Dan Jacobson <>
Sat, 27 Dec 2014 13:35:47 +0800
Today I did the maximum dumb thing in my computer career. Toying around
with the "Facebook Friends To Groups Adder - Chrome Extension", before
you know it I had added Grandma, professors, my neighbor's kids, that
bible thumper, all to one of the [Not Suitable For Work] Facebook groups
I was a member of.

The administrator happened to be awake at the time and asked if I was nuts.
Fortunately they were able to cancel each of the 300 membership applications
in the queue before anyone noticed...

Silicon Valley's Mirror Effect

"Bob Frankston" <>
27 Dec 2014 10:21:39 -0500
A reminder of the very strong hindsight bias in Silicon Valley along with a
simplistic measure of merit and the idea that smart people can pick winners
and offering prizes as incentives. Thus we adopt policies with parts and not
wholes. It's not just Silicon Valley.  We see the same biases from those who
became rich and blame smarts rather than luck. Once one is very rich there
is enough buffer so that one gets more opportunities to be lucky and to seem
prescient by simply ignoring failures.

This is also a risk to society as the (often naive) ideas become public
I read the book in my freshman sociology class and may be the source of the

The Biggest Security Threats We'll Face in 2015?

"Matthew Kruk" <>
Mon, 5 Jan 2015 06:18:06 -0700

"Critical vulnerability in Git clients puts developers at risk" (Lucian Constantin)

Gene Wirchenko <>
Wed, 24 Dec 2014 10:43:17 -0800
Lucian Constantin, InfoWorld, 19 Dec 2014
Malicious Git code repositories can execute rogue commands on client
machines interacting with them

A critical vulnerability in client software used to interact with Git, a
distributed revision control system for managing source code repositories,
allows attackers to execute rogue commands on computers used by developers.

The flaw affects the official Git client as well as third-party clients and
software based on the original Git code. The issue only affects
implementations running on Windows and Mac OS X, not Linux, because their
file systems are case-insensitive: NTFS and FAT for Windows and HFS+ for Mac
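The article's point is that a checkout on a case-insensitive file system can map a repository path such as ".GIT/config" onto the real ".git" directory. As an added illustration (not code from the Git project or from the InfoWorld article), here is a defensive pre-checkout scan that flags any tree path with a component that case-folds to ".git"; the tree listing is a constructed sample in the format `git ls-tree -r --name-only` prints:

```python
# Added example: a defensive scan for repository paths that would collide
# with the ".git" directory on a case-insensitive file system (NTFS/FAT on
# Windows, HFS+ on Mac OS X). Not the Git project's own fix.
import re
from typing import Iterable, List

# Constructed sample of `git ls-tree -r --name-only HEAD` output.
# The paths are illustrative only; two of them collide with ".git".
SAMPLE_TREE = """\
README.md
src/main.c
.GIT/config
docs/.Git/hooks/post-checkout
tools/gitignore-helper/.gitignore
vendor/.git.bak/notes
"""

# Accept both POSIX and Windows separators when splitting a path.
_SEPARATORS = re.compile(r"[\\/]+")


def collides_with_git_dir(path: str) -> bool:
    """Return True if any component of `path` would be treated as the
    `.git` directory by a file system that ignores case.

    str.casefold() rather than lower() so non-ASCII letters are handled
    the way a case-insensitive comparison would treat them.
    """
    for component in _SEPARATORS.split(path):
        if component.casefold() == ".git":
            return True
    return False


def find_git_dir_collisions(paths: Iterable[str]) -> List[str]:
    """Keep only the paths a case-insensitive checkout could write into
    the real .git directory (hooks, config, ...)."""
    hits = []
    for raw in paths:
        path = raw.strip()
        if path and collides_with_git_dir(path):
            hits.append(path)
    return hits


def scan_listing(listing: str) -> List[str]:
    """Run the check over a newline-separated tree listing."""
    return find_git_dir_collisions(listing.splitlines())


if __name__ == "__main__":
    for hit in scan_listing(SAMPLE_TREE):
        print("refusing to check out:", hit)
```

A real client would run this over the tree of every fetched commit before writing files, and refuse the checkout rather than just print.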

Norse Security IDs 6, Including Ex-Employee, As Sony Hack Perpetrators

Lauren Weinstein <>
Mon, 29 Dec 2014 08:57:09 -0800
Slashdot via NNSquad

  But Norse Security is taking the debate up a notch: saying that they have
  conclusive evidence pointing to a group of disgruntled former employees as
  the source of the attack and data theft. The Security Ledger quotes Norse
  Vice President Kurt Stammberger saying that Norse has identified a group
  of six individuals—in the U.S., Canada, Singapore and Thailand—that
  it believes carried out the attack, including at least one 10-year
  employee of SPE who worked in a technical capacity before being laid off
  in May. Rather than starting from the premise that the Sony hack was a
  state sponsored attack, Norse researchers worked their investigation like
  any other criminal matter: starting by looking for individuals with the
  "means and motive" to do the attack.

AP: Sony emails show a studio ripe for hacking

Lauren Weinstein <>
December 18, 2014 at 12:21:48 PM EST
AP via NNSquad

  "In the weeks before hackers broke into Sony Pictures Entertainment, the
  studio suffered significant technology outages it blamed on software flaws
  and incompetent technical staffers who weren't paying attention, even as
  hackers targeted executives to trick them into revealing their online

- - -

It's my gut feeling that this relatively simple hack actually had
nothing to do with North Korea at all—though they may be leveraging
some propaganda points from it. But of course, it's in the interests
of the commercial "cybersecurity" firms—and governments seeking
ever larger and bloated "cyberwar" budgets—to play this up as some
sort of "super hack" and to pin it on a widely despised geopolitical
enemy—much more conducive to expanded sales and budgets than this
turning out to have been the work of teenage hackers living in their
parents' basements.

Sony's North Korea "comedy assassination" film available online

Lauren Weinstein <>
Wed, 24 Dec 2014 10:33:23 -0800
It has now been announced that Google Play/YouTube and other online venues
(possibly to include Netflix at some point) are either now or soon will
enable streaming of Sony's "comedy assassination" film (at least in some

I note this specifically because I do not support censorship even of this
trash, and I feel it is completely appropriate and admirable for the film to
be made widely available in the interests of free speech.

That said, this doesn't mean you're required to watch it. A film like this
is unlikely in the extreme to bring about positive change in a horrible
place like North Korea. If anything, it could drive their insane leadership
to even further internal repression.

So my *personal* recommendation remains to ignore this film entirely, and
not reward Sony's series of unforced errors that enabled this entire mess.

Re: ICANN e-mail accounts, zone database breached in spearphishing attack (Dan Goodin, RISKS-28.42)

"John Levine" <>
20 Dec 2014 02:22:05 -0000
>stored in its centralized zone data system <>,

Before people get too panicky, CZDS is used to distribute copies of top
level domain zone files to people like me who have signed up for access.
The account info used to access it is intended to be private but the zone
data itself is what the TLDs name servers serve, so it is by any normal
definition public.  (Some TLDs imagine that their zonefiles are full of
valuable proprietary data, which tells us that they don't understand the DNS
at all.)

ICANN wrote to us, told us that they'd reset our passwords so we'd have to
use the usual forgotten password hack to re-reset them to something we know.

Re: dual-SIM cell phones (Re: Levine, RISKS-28.42)

danny burstein <>
Fri, 19 Dec 2014 21:17:46 -0500 (EST)
> Re: "Your cell phone number: To give or not to give" (RISKS-28.41)
> Dual SIM cellphones are pretty common, although for obvious reasons you're
> never going to get one from a carrier.

First, I'm not so clear on how "obvious" it is as I can't figure
out the reluctance and resistance.

That being said, I've been trying for years to convince Omnipoint (where I'm
both a customer and a shareholder) to offer dual-SIM phones.

This would be a useful option for people who currently carry around two
separate phones - one for their personal use and one for work.

- at least today most phones (with one key exception - that's YOU Apple
I'm pointing at) use the same charger.

Re: Emergency? DNS TTL < 6 months? (Baker, RISKS-28.42)

Amos Shapir <>
Sat, 20 Dec 2014 12:34:30 +0200
This idea is not just disruptive but also stupid—as others may have
noticed by now; if DNS is blocked in any significant way, vulnerable sites
would just revert to publicizing their IP address as part of their URL
instead of the site name, thus completely bypassing DNS lookup.

Re: Lenovo recalls more than 500,000 power cords due to spark, burn risk (Welinder, RISKS-28.42)

Leonard Finegold <>
Sat, 20 Dec 2014 12:30:04 -0500
  "shed twice as much heat" is a typo?

Surely doubling the volts quadruples the power dissipated?
As my freshman students know...
  Twinkle twinkle little star
  Power equals I squared R

(awright... V squared over R, but that doesn't scan)

Re: Lenovo recalls more than 500,000 power cords (RISKS-28.42)

Chris Drewe <>
Sat, 20 Dec 2014 21:11:37 +0000
At risk of sounding like a total geek, in 220V Europe the mandatory wire
colours for power cords are:

Brown - Hot (live/phase)
Blue - Cold (neutral)
Green & Yellow stripes - Safety Ground (earth)

I believe that in North America they are black for hot and white for cold;
no idea what other territories use, presumably it depends on whether they're
110V or 220/240V.  Obviously for moulded cords it's impossible to verify
without cutting into the cord and damaging it, but the various territories'
safety authorities will need to be satisfied that regulations are being
complied with.
