The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 49

Monday 2 February 2015

Contents

BMW ConnectedDrive using http not https
William Brodie-Tyrrell
First Officer Lands Delta Jet As Captain Locked Out Of Cockpit
Gabe Goldberg
China Further Tightens Grip on the Internet
Andrew Jacobs
Sustained Investment in Research Is Needed to Combat Cyberthreats
Brian Mosley
Your Coding Style Can Give You Away
Phil Johnson
Anonymizing Identifiers are not anonymous
Bob Gezelter
"80% of Canadians will choose a business on its privacy reputation, survey says"
Howard Solomon via Gene Wirchenko
"'Ghost' vulnerability poses high risk to Linux distributions"
Jeremy Kirk via Gene Wirchenko
FTC Releases "Internet of Things: Privacy and Security in a Connected World"
Bob Gezelter
Breach of Ethics
John Bohannon via Henry Baker
"CRTC bans Bell, Videotron from giving their customers subsidies for watching their content on mobile devices"
Candice So via Gene Wirchenko
Man Lost Contact With White House Drone
Michael D. Shear via Henry Baker
Re: "Will your expensive new headphones soon be obsolete?"
Chris Drewe
Re: People upset that the E-911 folk want to use GLONASS
Richard A. O'Keefe
Re: Schneider ... contains hardcoded credentials
Gabe Goldberg
Re: plofkraak
Craig Burton
Info on RISKS (comp.risks)

BMW ConnectedDrive using http not https

William Brodie-Tyrrell <william.brodie.tyrrell@gmail.com>
Mon, 2 Feb 2015 10:55:19 +1030
BMW installs GSM modems in its cars for remote control, but communicates
with them in plain-text (in German):
http://www.heise.de/newsticker/meldung/BMW-ConnectedDrive-gehackt-2533601.html
Machine translation:
https://translate.google.com/translate?hl=en&sl=de&tl=en&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FBMW-ConnectedDrive-gehackt-2533601.html

The report doesn't state whether this was the vulnerability leading to
interestingly high rates of BMW thefts recently, nor whether the patch that
they applied addresses authentication properly, e.g. validates certificates.

william@brodie-tyrrell.org   http://www.brodie-tyrrell.org/


First Officer Lands Delta Jet As Captain Locked Out Of Cockpit

Gabe Goldberg <gabe@gabegold.com>
Mon, 02 Feb 2015 13:18:46 -0500
The risk? Massive/expensive/complex/reliable(?) technology defeated by ... a
piece of string.

http://www.avweb.com/avwebflash/news/First-Officer-Lands-Delta-Jet-as-Captain-Locked-Out-of-Cockpit223489-1.html

...like Martians in War of the Worlds defeated by ... Earthly bacteria:

Wikipedia says...  ...it is implied they are ignorant of disease
<http://en.wikipedia.org/wiki/Disease> and decomposition. It is theorized
that their advanced technology eliminated whatever indigenous diseases were
present on Mars, and so they no longer remembered their effects. Ultimately,
their lack of knowledge or preparation against any bacteria indigenous to
Earth, causes their destruction here (though the epilogue states they may
have successfully invaded Venus by what Wells described as `putrefactive
bacteria', which digests organic materials upon death).

Lessons from airplane, from Martians?

Gabriel Goldberg, Computers and Publishing, Inc.  gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

  [Monty Solomon noted an article on this:
http://www.boston.com/travel/2015/01/30/pilot-locked-out-cockpit-during-delta-flight/CV9B8NBqlrC5eRGZtiDsdP/story.html
  PGN]


China Further Tightens Grip on the Internet (Andrew Jacobs)

"ACM TechNews" <technews@hq.acm.org>
Fri, 30 Jan 2015 11:57:40 -0500 (EST)
Andrew Jacobs, *The New York Times*, 30 Jan 2015, ACM TechNews; 30 Jan 2015

Chinese officials this week took action to block the functioning of several
virtual private networks (VPNs) its citizens use to circumvent China's
online censorship apparatus.  Officials have long tolerated VPNs, which are
used by a broad spectrum of Chinese citizens, ranging from business people
to academics and scientists to artists.  However, the Chinese government has
been stepping up its online censorship activities in recent years as part of
a push for what it calls "cyber sovereignty," which is the idea the
government has the right to block online content it objects to.  The cyber
sovereignty campaign has seen the degradation or outright blocking of
numerous services Chinese citizens use to communicate with the rest of the
world.  Chinese scientists and academics are particularly incensed about the
difficulty they now face in getting access to Google Scholar.  Many within
and without China say the government's efforts to block Internet content are
proving a major impediment to the government's stated goal of shifting the
country's economy away from its reliance on manufacturing and construction
to a more entrepreneurial model.  The restrictions make it difficult for
foreigners to do business and are causing many bright Chinese entrepreneurs
to consider leaving the country.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d4fbx2c5bdx062061&


Sustained Investment in Research Is Needed to Combat Cyberthreats (Brian Mosley)

"ACM TechNews" <technews@hq.acm.org>
Fri, 30 Jan 2015 11:57:40 -0500 (EST)
Brian Mosley, Sustained Investment in Research Is Needed to Combat
Cyberthreats, CISE AD Tells Congress, *Computing Research Policy Blog*,
29 Jan 2015, via ACM TechNews, 30 Jan 2015

In testimony before the U.S. House Science, Space, and Technology
Committee's Research and Technology Subcommittee on Tuesday, Computer and
Information Science and Engineering (CISE) assistant director Jim Kurose
said sustained basic research investment is necessary for countering growing
cyberthreats.  He also stressed the need for behavioral researchers'
participation in this effort, since effective solutions must be
social-technical in nature.  In addition, Kurose said there must be closer
communication between federal agencies, especially the U.S. National
Institute of Standards and Technology, and industry in order to get the most
up-to-date information on ever-changing threats and best practices.
Kurose's views were echoed by all of the witnesses at the hearing, which
included both private- and public-sector experts.  In response to
subcommittee chairwoman Barbara Comstock's (R-VA) query on how Congress
should engage with constituents on the cybersecurity issue, witnesses
generally agreed everyday people must take a serious view of the threat and
use all available security tools.  "Utilizing targeted emails, spam,
malware, bots, and other tools, cybercriminals, "hacktivists," and
nation-states are attempting to access information technology systems all
the time," Comstock noted at the hearing.  "The defense of these systems
relies on professionals who can react to threats and proactively prepare
those systems for attack."
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d4fbx2c5bfx062061&


Your Coding Style Can Give You Away (Phil Johnson)

"ACM TechNews" <technews@hq.acm.org>
Fri, 30 Jan 2015 11:57:40 -0500 (EST)
Phil Johnson, ACM TechNews, 30 Jan 2015

CSI Computer Science: Your Coding Style Can Give You Away, Phil Johnson,
*ITWorld.com*, 28 Jan 2015

Researchers at Drexel University, the University of Maryland, the University
of Goettingen, and Princeton University have developed a code stylometry
using natural language processing and machine learning to determine the
authors of source code based on coding style.  The researchers say the
technology could be applicable to a wide range of situations in which
ascertaining the originating coder is important, such as to help identify
the author of malicious source code.  The researchers say they developed
abstract syntax trees derived from language-specific syntax and keywords,
which capture a syntactic feature set that "was created to capture
properties of coding style that are completely independent from writing
style."  They tested the code stylometry by gathering publicly available
data from Google's Code Jam, taking solutions to several identical problems
for a group of users as a training dataset in order to learn the style of
each coder.  The researchers then looked blindly at solutions the same
coders wrote to another problem and tried to identify the author of each.
The code stylometry achieved 95-percent accuracy in identifying the author
of anonymous code.  In addition, the researchers found coding style is more
well-defined through solving harder problems.  "This might indicate that as
programmers become more advanced, they build a stronger coding style
compared to newbies," according to the researchers.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d4fbx2c5c2x062061&
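A toy version of the method summarised above, added here as an example (it is not the researchers' code): Python's `ast` module stands in for their AST tooling, features are node-type counts plus parent>child node-type pairs, a nearest-profile cosine classifier replaces their machine-learning model, and the "Code Jam"-style training and held-out solutions are constructed.

```python
import ast
from collections import Counter
from math import sqrt

def syntactic_features(source):
    """Count AST node types and parent>child node-type pairs.  Identifier names,
    literal values and comments never enter the feature set: renaming variables
    leaves the fingerprint unchanged, only the syntax the author chose counts."""
    feats = Counter()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.expr_context):  # Load/Store carry no style
            continue
        name = type(node).__name__
        feats[name] += 1
        for child in ast.iter_child_nodes(node):
            if not isinstance(child, ast.expr_context):
                feats[name + ">" + type(child).__name__] += 1
    return feats

def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def train(samples):
    """samples: {author: [source, ...]} -> one summed feature profile per author."""
    return {author: sum((syntactic_features(s) for s in srcs), Counter())
            for author, srcs in samples.items()}

def attribute(profiles, source):
    """Nearest-profile classifier: the author whose style the unseen code matches."""
    feats = syntactic_features(source)
    return max(profiles, key=lambda author: cosine(profiles[author], feats))

def accuracy(profiles, heldout):
    """heldout: {author: source}; fraction of unseen solutions attributed correctly."""
    return sum(attribute(profiles, s) == a for a, s in heldout.items()) / len(heldout)

# Constructed training set: the same two problems solved by two authors.
TRAINING = {
    "alice": [  # comprehension-heavy style
        "def solve(xs):\n    return sum(x * x for x in xs if x % 2 == 0)\n",
        "def solve(words):\n    return [w.upper() for w in words if len(w) > 3]\n",
    ],
    "bob": [  # explicit loop-and-accumulator style
        "def solve(xs):\n    total = 0\n    for x in xs:\n        if x % 2 == 0:\n"
        "            total += x * x\n    return total\n",
        "def solve(words):\n    result = []\n    for w in words:\n        if len(w) > 3:\n"
        "            result.append(w.upper())\n    return result\n",
    ],
}
# A third, unseen problem (count vowels), one solution per author.
HELDOUT = {
    "alice": "def solve(s):\n    return len([c for c in s if c in 'aeiou'])\n",
    "bob": "def solve(s):\n    count = 0\n    for c in s:\n        if c in 'aeiou':\n"
           "            count += 1\n    return count\n",
}

if __name__ == "__main__":
    print(accuracy(train(TRAINING), HELDOUT))  # 1.0 on this toy data
```

With two authors and two training problems each this is only a sketch; the point it makes is that the feature vector is identical for a renamed copy of a solution, which is what makes identifier scrubbing an ineffective defence against this kind of attribution.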


Anonymizing Identifiers are not anonymous

"Bob Gezelter" <gezelter@rlgsc.com>
Sat, 31 Jan 2015 07:07:38 -0700
For many years, I have argued that traffic analysis sets ample precedent to
distrust anonymization schemes. It has been well-documented in the signals
intelligence history that associating radio call signs with particular units
is not overly difficult by combining observable locations with detection of
particular call signs. In the "Computer Security Handbook, Third Edition"
(1995, Wiley) and subsequent editions, I noted that such collation hazards
were a serious privacy hazard.  MIT researchers de Montjoye, Radaelli,
Singh, and Pentland have recently reconfirmed this hypothesis. In research
recently published in Science, they have illustrated the weakness of
commonly used anonymization schemes. Working from credit card transactional
data, they were able to identify individual activity without difficulty.
From the abstract: "... We study 3 months of credit card records for 1.1
million people and show that four spatiotemporal points are enough to
uniquely re-identify 90% of individuals. We show that knowing the price of a
transaction increases the risk of re-identification by 22%, on average.
Finally, we show that even data sets that provide coarse information at any
or all of the dimensions provide little anonymity and that women are more
re-identifiable than men in credit card metadata."  The implications of this
go far beyond credit card transactional data.  The complete Science article
is at: www.sciencemag.org/content/347/6221/536.full.pdf

Bob Gezelter, http://www.rlgsc.com
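To make the unicity figures quoted from the abstract concrete, here is an added example (not from the post or the Science paper) that computes, over a small constructed set of card-transaction traces, the fraction of p-point subsets consistent with exactly one cardholder under three views of the data: merchant and day, the same plus the exact price, and a coarsened region-and-week view. The traces, merchant names and region map are constructed; the exhaustive enumeration over all p-subsets replaces the paper's random sampling.

```python
from itertools import combinations

# Constructed credit-card traces: user -> [(merchant, day, price), ...].
# Four users whose shopping overlaps heavily, so that collisions are visible.
TRACES = {
    "u1": [("cafeA", 1, 4), ("grocer", 2, 60), ("gas", 3, 40)],
    "u2": [("cafeA", 1, 4), ("grocer", 2, 55), ("gas", 4, 40)],
    "u3": [("cafeA", 1, 4), ("grocer", 2, 60), ("cinema", 3, 12)],
    "u4": [("cafeB", 1, 5), ("grocer", 2, 60), ("gas", 3, 40)],
}
REGION = {"cafeA": "downtown", "cafeB": "downtown",
          "grocer": "suburb", "gas": "suburb", "cinema": "suburb"}

# "Views": what an outside observer learns about each transaction.
def spatiotemporal(tx):            # merchant and day only
    return (tx[0], tx[1])

def with_price(tx):                # merchant, day and the exact amount
    return tx

def coarse(tx):                    # region and week instead of merchant and day
    return (REGION[tx[0]], (tx[1] - 1) // 7 + 1)

def unicity(traces, p, view):
    """Fraction of p-point subsets (over all users and all their p-subsets) that
    are consistent with exactly one user's trace.  A subset is consistent with a
    trace when every projected point of the subset occurs in that trace."""
    projected = {user: {view(tx) for tx in trace} for user, trace in traces.items()}
    total = unique = 0
    for points in projected.values():
        for subset in combinations(sorted(points), p):
            total += 1
            matches = sum(1 for other in projected.values() if set(subset) <= other)
            unique += matches == 1
    return unique / total if total else 0.0   # 0.0 when no p-subset exists

def unicity_table(traces, views, max_points=3):
    """{view name: [unicity at p=1 .. max_points]} for side-by-side comparison."""
    return {name: [round(unicity(traces, p, view), 3) for p in range(1, max_points + 1)]
            for name, view in views.items()}

if __name__ == "__main__":
    views = {"merchant+day": spatiotemporal, "+price": with_price, "region+week": coarse}
    for name, row in unicity_table(TRACES, views).items():
        print(f"{name:>14}: {row}")
```

On this toy data the pattern of the paper shows up in miniature: unicity climbs with the number of known points, adding the price raises it further, and coarsening both dimensions drives it to zero only because every user then looks alike.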


"80% of Canadians will choose a business on its privacy reputation, survey says" (Howard Solomon)

Gene Wirchenko <genew@telus.net>
Fri, 30 Jan 2015 11:21:25 -0800
Howard Solomon, *IT Business*, 29 Jan 2015
http://www.itbusiness.ca/news/80-per-cent-of-canadians-will-choose-a-business-on-its-privacy-reputation-survey-says/53526


"'Ghost' vulnerability poses high risk to Linux distributions" (Jeremy Kirk)

Gene Wirchenko <genew@telus.net>
Fri, 30 Jan 2015 11:05:32 -0800
Jeremy Kirk, *Infoworld*, 30 Jan 2015

A flaw in the GNU C Library can be exploited remotely for full control and
should be patched as soon as possible, according to Qualys.  A fault in a
widely used component of most Linux distributions could allow an attacker to
take remote control of a system after merely sending a malicious email.

http://www.infoworld.com/article/2876105/security/ghost-vulnerability-poses-high-risk-to-linux-distributions.html


FTC Releases "Internet of Things: Privacy and Security in a Connected World"

"Bob Gezelter" <gezelter@rlgsc.com>
Fri, 30 Jan 2015 10:21:26 -0700
The US Federal Trade Commission staff has issued "Internet of Things:
Privacy and Security in a Connected World", a report from a workshop on the
security and privacy issues of Internet-enabled devices and sensors.  The
FTC Report is at:
http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

Bob Gezelter, http://www.rlgsc.com


Breach of Ethics (John Bohannon)

Henry Baker <hbaker1@pipeline.com>
Fri, 30 Jan 2015 12:47:37 -0800
John Bohannon, *Science Magazine*

FYI—Some NSA employees are already in violation of both the ACM and IEEE
codes of ethics, and to the extent that NSA helps with the CIA assassination
drone program, some NSA employees may also be involved in war crimes.

If these professional organizations' codes of ethics are to have any
meaning, whatsoever, it is now time for the ethics committees of these
professional organizations to stand up and be counted.  As a result of the
Nuremberg Trials, "it is not an acceptable excuse to say 'I was just
following my superior's orders'".  [HB]

https://en.wikipedia.org/wiki/Nuremberg_principles
http://www.sciencemag.org/content/347/6221/495.full.pdf

Breach Of Trust

After the Snowden revelations, U.S. mathematicians are questioning their
long-standing ties with the secretive National Security Agency

John Bohannon

IN THE WAKE of the Snowden revelations, most of the media attention has
focused on NSA's large-scale harvesting of data from U.S. citizens.  But it
is a more obscure exploit that concerns Hales and many other mathematicians:
what they see as an attack on the very heart of modern Internet security.
When you check your bank account online, for example, the information is
encrypted using a series of large numbers generated by both the bank server
and your own computer.  Generating random numbers that are truly
unpredictable requires physical tricks, such as measurements from a quantum
experiment. Instead, the computers use mathematical algorithms to generate
pseudorandom numbers.  Although such numbers are not fundamentally
unpredictable, guessing them can require more than the world's entire
computing power.  As long as those pseudorandom numbers are kept secret, the
encoded information can safely travel across the Internet, protected from
eavesdroppers—including NSA.

But the agency appears to have created its own back door into encrypted
communications. ... But it received little attention until internal NSA
memos made public by Snowden revealed that NSA was the sole author of the
flawed algorithm and that the agency worked hard behind the scenes to make
sure it was adopted by NIST.


"CRTC bans Bell, Videotron from giving their customers subsidies for watching their content on mobile devices" (Candice So)

Gene Wirchenko <genew@telus.net>
Fri, 30 Jan 2015 11:18:43 -0800
Candice So, *IT Business*, 29 Jan 2015

The Canadian Radio-television Communications Commission (CRTC) has ruled
it's no longer going to allow cellphone service providers to give special
treatment to their own TV content when consumers stream it from wireless
devices.

http://www.itbusiness.ca/article/crtc-bans-bell-videotron-from-giving-their-customers-subsidies-for-watching-their-content-on-mobile-devices


Man Lost Contact With White House Drone (Michael D. Shear)

Henry Baker <hbaker1@pipeline.com>
Fri, 30 Jan 2015 06:44:55 -0800
FYI—"Lost contact with drone" will become the new excuse for U.S. errant
drone kills in the Middle East...  [Was this stunt calculated to create
controversy so that consumer drones will get regulated?  If this fall guy
were to spend a year in prison, it would at least raise the cost for future
false flag operations like this one.  (HB, slightly PGN-ed)]

Michael D. Shear, *The New York Times*, 29 Jan 2015
http://www.nytimes.com/2015/01/30/us/man-lost-contact-with-drone-before-it-sped-to-white-house-friend-says.html


Re: "Will your expensive new headphones soon be obsolete?"

"Chris Drewe" <e767pmk@yahoo.co.uk>
Thu, 29 Jan 2015 22:15:49 +0000
http://www.telegraph.co.uk/technology/apple/11369711/Why-your-expensive-headphones-will-be-obsolete.html

  Matthew Sparkes, Deputy Head of Technology, *The Telegraph*, 27 Jan 2015
  http://www.telegraph.co.uk/journalists/matthew-sparkes/

  Will your expensive new headphones soon be obsolete?  switchboards, so it
  should be no surprise that mobile phones will soon drop it. But many will
  be left holding expensive and obsolete headphones, says Matthew Sparkes

An item in yesterday's newspaper (27 Jan 2015) about headphone connections
for smartphones, tablets, etc.  In summary, it says that the 3.5mm jack plug
has been standard since the days of cassette Walkmans, but it is likely to
be soon replaced by proprietary connectors.

Good news is that power and digital audio can be fed directly to the
headphones, potentially giving better sound quality, while eliminating the
(relatively) bulky 3.5mm socket means yet-thinner smartphones.

Bad news is if headphones have brand-specific connectors and software so
upgrading your smartphone/tablet means changing your headphones as well (or
vice-versa).  Personally I've also long found model-specific accessories
(e.g. batteries, AC mains adapters) to be an irritation with other
equipment. [...]


Re: People upset that the E-911 folk want to use GLONASS (RISKS 28.47)

"Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Fri, 30 Jan 2015 20:10:42 +1300
In RISKS-28.47, Danny Burstein raised his eyebrows at the idea of "rely[ing]
on a system under the complete control of another nation".  From the World
CIA Fact Book, World population: 7,174,611,584 (how do they measure so
precisely???)  US population: 318,89_,___ (given to two places in millions)
Russian population: 142,47_,___

This means that 93.5%+ of the world's population has no choice but to rely
on a foreign-controlled global navigation system.


Re: Schneider ... contains hardcoded credentials (Baker)

Gabe Goldberg <gabe@gabegold.com>
Fri, 30 Jan 2015 17:04:44 -0500
Long ago, I was asked for advice penetrating IBM's VM mainframe operating
system. (Don't confuse this with today's VMware.) This was a contract
evaluating security at a government installation running multiple
classification levels simultaneously; the data center manager claimed that
VM's (very robust) virtualization reliably isolated work areas.

I suggested that before trying anything technical, the pen-test staffer
check for egregious screwups, for example by starting at a public file area
("minidisk"), scanning all programs found for links to other minidisks,
scanning them and so on, to see what baubles might be found. A couple days
later he dropped a printout of the system directory on the manager's
desk. Either default link passwords for crown jewels were still in place or
someone had expediently coded real passwords in publicly available programs
-- so anyone on the system could access everything on the system. Either
way, another demonstration that "simple" often cracks the safe.

Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place,
Falls Church, VA 22042 (703) 204-0433


Re: plofkraak (RISKS-28.48)

Craig Burton <craig.alexander.burton@gmail.com>
Fri, 30 Jan 2015 16:45:05 +1100
Regarding the plofkraak, I suspect the below is this occurring in Australia.

http://www.abc.net.au/news/2014-12-30/winnellie-atm-robbery-man-knocked-backwards-by-explosion/5992498
