The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 67

Thursday 4 June 2015

Contents

Simple String of Characters Crashes Skype
PCMag
You Can Be Prosecuted for Clearing Your Browser History
The Nation
Artificial Pancreas and Risks
IEEE Spectrum item via Werner U
EHR Costs More $ Billions Piled On For "Security"
Politico via D Kross
Long, detailed expose regarding Russia's massive, dangerous, professional Internet trolling misinformation operations
The NY Times
Cybersecurity Views from a National Intelligence Officer
Jon Oltsik via Werner U
NOBUS can shoot ourselves in the foot like this
Henry Baker
U.S. Surveillance in Place Since 9/11 Is Sharply Limited
The NY Times
"You haven't seen anything yet" Thought for the Day
Lauren Weinstein
Questions and Answers About Newly Approved USA Freedom Act
The NY Times
Article: How I tracked FBI aerial surveillance
PGN
Little Brothers are watching you: Nexar
Geektime via Amos Shapir
Intel's new Fortran Extended with Crap Algorithmic Language
Simon Sharwood via Henry Baker
Apple now dominates consumer digital video viewing, says new Adobe report
Jackie Dove
EU wants to kill open Wi-FI
Lauren Weinstein
Re: Volvo horrible self-parking car accident
Andrew Pam
Re: This Ad for Banned Food in Russia Can Hide Itself From the Cops
Amos Shapir
Re: Only 3% of people aced Intel's phishing quiz
Amos Shapir
Re: Woman plans to sue after Fla. license labels her a sex offender
Amos Shapir
Re: House of Discards: Wikipedia pre-election edits
Peter Bernard Ladkin
Info on RISKS (comp.risks)

Simple String of Characters Crashes Skype (PCMag)

Lauren Weinstein <lauren@vortex.com>
Wed, 3 Jun 2015 10:42:03 -0700
  A bug in Microsoft's communication program means sending or receiving a
  message that says "http://:" (without the quotation marks) will crash
  Skype. Rebooting or logging in and out does not help; it simply crashes
  again at launch.  The glitch, according to VentureBeat, works on Windows,
  Android, and iOS; Skype on Mac and the Windows 8 Modern app, however,
  appear unaffected.  [PCMag via NNSquad]
     http://www.pcmag.com/article2/0,2817,2485271,00.asp

Unit testing? BAH!
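As an added, defender-side illustration (not code from the PCMag article or from Skype), the function below shows how a chat client can validate URL-looking tokens before passing them to any rich-link rendering, so a string such as "http://:" (empty host, empty port) is kept as inert text instead of reaching code that assumes a well-formed authority. The chat lines are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample history: the string from the PCMag item ("http://:")
# next to ordinary text, a valid link, an unsupported scheme and a bad port.
SAMPLE_MESSAGES = [
    "see https://example.com/report for details",
    "http://:",
    "plain text, no link here",
    "ftp://files.example.net/pub",
    "http://host:notaport/",
]


def classify_token(token: str) -> str:
    """Return 'text', 'link' or 'rejected' for one whitespace-separated token.

    Only tokens that parse cleanly, use an allowed scheme and carry a usable
    hostname are promoted to links; anything URL-like that fails a check is
    rendered as plain text, so the renderer fails closed rather than crashing.
    """
    if "://" not in token:
        return "text"
    try:
        parts = urlsplit(token)
        host = parts.hostname      # None when the authority section is empty
        parts.port                 # raises ValueError for a non-numeric port
    except ValueError:
        return "rejected"
    if parts.scheme not in ("http", "https") or not host:
        return "rejected"
    return "link"


def render_message(text: str) -> list:
    """Tokenise a message and tag every token; never raises on bad input."""
    return [(tok, classify_token(tok)) for tok in text.split()]


def audit_history(messages) -> dict:
    """Count token classes across a stored history, e.g. to find the message
    that keeps crashing a client at launch before it is re-rendered."""
    counts = {"text": 0, "link": 0, "rejected": 0}
    for msg in messages:
        for _, kind in render_message(msg):
            counts[kind] += 1
    return counts


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(render_message(msg))
    print(audit_history(SAMPLE_MESSAGES))
```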


You Can Be Prosecuted for Clearing Your Browser History

Lauren Weinstein <lauren@vortex.com>
Thu, 4 Jun 2015 13:37:01 -0700
  Prosecutors are able to apply the law broadly because they do not have to
  show that the person deleting evidence knew there was an investigation
  underway. In other words, a person could theoretically be charged under
  Sarbanes-Oxley for deleting her dealer's number from her phone even if she
  were unaware that the feds were getting a search warrant to find her
  marijuana. The application of the law to digital data has been
  particularly far-reaching because this type of information is so easy to
  delete. Deleting digital data can inadvertently occur in normal computer
  use, and often does.  [*The Nation* via NNSquad]

http://m.thenation.com/article/208593-you-can-be-prosecuted-clearing-your-browser-history


Artificial Pancreas and Risks (IEEE Spectrum)

Werner U <werneru@gmail.com>
Tue, 2 Jun 2015 19:22:37 +0200
[ citing from the IEEE Spectrum website
  tracking "Bio-Medicine <http://spectrum.ieee.org/biomedical>" and the
  "Tech Talk" blog there ]

(*The artificial pancreas is the culmination of a 50-year slog in
bioengineering--one that is finally paying off because of improvements in
insulin, sensors, and algorithms.*)

Diabetes Has a New Enemy: Robo-Pancreas
Sensors, actuators, and algorithms can automatically control blood sugar....
<http://spectrum.ieee.org/biomedical/bionics/diabetes-has-a-new-enemy-robopancreas>

Can Hackers Commit the Perfect Murder By Sabotaging an Artificial Pancreas?
<http://spectrum.ieee.org/tech-talk/biomedical/bionics/can-hackers-commit-the-perfect-murder-by-sabotaging-an-artificial-pancreas->
Robotic systems are, at last, beginning to take over some of the burden of
managing the fluctuations in blood glucose in patients with Type 1
diabetes. But a new report warns that as the systems get adopted more
widely, the risk of criminal eavesdropping and sabotage will also increase.

The report, by Yogish C. Kudva and colleagues at the Mayo Clinic in
Rochester, Minn., and at the University of Virginia in Charlottesville, appears
in *Diabetes Technology & Therapeutics*
<http://online.liebertpub.com/doi/full/10.1089/dia.2014.0328>.

Make the machine administer too little insulin, and the blood-glucose level
may rise high enough to send the patient into a ketoacidosis coma.  Make it
administer too much, and the glucose falls until the brain fails, causing the
patient to faint, or even die. It might seem to bad guys like the way to
commit the perfect murder. ...

Read all about it in the June issue of *IEEE Spectrum*, which is devoted to
a single topic: "Hacking the Human OS."


EHR Costs More $ Billions Piled On For "Security" (Politico)

<dkross@vzw.blackberry.net>
Wed, 3 Jun 2015 21:53:15 +0000
Health care spending $ billions to protect the records it spent $ billions
to install

http://www.politico.com/story/2015/06/health-care-spending-billions-to-protect-the-records-it-spent-billions-to-install-118432.html


Long, detailed expose regarding Russia's massive, dangerous, professional Internet trolling misinformation operations

Lauren Weinstein <lauren@vortex.com>
Tue, 2 Jun 2015 11:37:52 -0700
http://www.nytimes.com/2015/06/07/magazine/the-agency.html

  From a nondescript office building in St. Petersburg, Russia, an army of
  well-paid `trolls' has tried to wreak havoc all around the Internet and in
  real-life American communities.

  The battle was conducted on multiple fronts. Laws were passed requiring
  bloggers to register with the state. A blacklist allowed the government to
  censor websites without a court order. Internet platforms like VKontakte
  and Yandex were brought under the control of Kremlin allies. Putin gave
  ideological cover to the crackdown by calling the entire Internet a
  "C.I.A. project," one that Russia needed to be protected from.
  Restrictions online were paired with a new wave of digital propaganda. The
  government consulted with the same public relations firms that worked with
  major corporate brands on social-media strategy. It began paying fashion
  and fitness bloggers to place pro-Kremlin material among innocuous posts
  about shoes and diets, according to Yelizaveta Surnacheva, a journalist
  with the magazine Kommersant Vlast. Surnacheva told me over Skype that the
  government was even trying to place propaganda with popular gay bloggers
  —a surprising choice given the notorious new law against "gay
  propaganda," which fines anyone who promotes homosexuality to minors.
  [via NNSquad]


Cybersecurity Views from a National Intelligence Officer (Jon Oltsik)

Werner U <werneru@gmail.com>
Wed, 3 Jun 2015 10:41:38 +0200
Jon Oltsik, Network World, 2 Jun 2015

A report by Jon Oltsik <http://www.networkworld.com/author/Jon-Oltsik/>
from the recent Cyber Exchange Forum event, sponsored by ACSC (the Advanced
Cyber Security Center, <http://www.acscenter.org/>)

The featured speaker was Sean Kanuck, National Intelligence Officer for
Cyber Issues, Office of the Director of National Intelligence. In this role,
Sean directs the production of national intelligence estimates (for
cyber-threats), leads the intelligence community (IC) in cyber analysis, and
writes personal assessments about strategic developments in cyberspace.

Cybersecurity Views from a National Intelligence Officer
<http://www.networkworld.com/article/2930395/cisco-subnet/cybersecurity-views-from-a-national-intelligence-officer.html>

Some highlights:

* On the scope of threats. Sean does not subscribe to the notion of a "cyber
  Pearl Harbor" for the most part. He stated that there are only a few
  nation states capable of this type of attack (i.e. China and Russia) and
  that an attack of this magnitude was highly unlikely during peace
  time. His caveat to this was that we already face a series of disruptive
  attacks like those at the Sands Hotel of Las Vegas and Sony Pictures that
  are having a cumulative impact on the U.S. economy and national security.

* On future attacks. Sean spoke of a growing concern around data integrity
  using the Syrian Electronic Army hack of the Associated Press's Twitter
  account in 2013. This particular event led to a decrease of $137 billion
  in stock market valuation. He emphasized the fact that a relatively small
  crime moved billions of dollars and that these types of scams are often
  used to fund all types of other malicious activities.

* On non-state actors. While these groups don't have the sophistication of
  nation states, Kanuck described the threat from non-state actors as being
  "as good as what can be purchased online from the cyber black market." In
  other words, the bad guys will improve malware attacks as well as their
  tactics, techniques, and procedures (TTPs) as the cybercrime industry
  becomes more organized and market-like. Unfortunately, this advancement is
  already well underway.

* On political will. Sean stated that there are about 30 countries that are
  now developing offensive cyber capabilities. It's cheap and effective with
  very little risk.

* On commercial cybersecurity innovation. New products like automated
  penetration testing software can really help companies identify IT risk,
  but Kanuck pointed out that they are also making it easier for the black
  hat community.

Sean said that organizations can expect to encounter cyber-attacks that
cause IT attrition and degradation.

Much like disaster recovery, organizations should then create a plan that
allows them to operate in a degraded state when this occurs...


NOBUS can shoot ourselves in the foot like this

Henry Baker <hbaker1@pipeline.com>
Thu, 04 Jun 2015 10:58:10 -0700
"NOBUS" = "NObody But US" is Gen. Michael Hayden's famous boast regarding
NSA's capabilities, e.g.:

http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/

Let's assume, for the sake of argument, that this is true; that no govt --
with the exception of the U.S. -- can collect and interpret intelligence as
well as the U.S.

Most people would assume that this is a *GOOD* thing; after all, isn't
intelligence *obviously* monotonically increasing?  Isn't it *obvious* that
more intelligence is always better?  Isn't this monotonicity the whole point
of "collect it all" ?

A problem with "obvious" is that "obvious" doesn't necessarily mean "true".

Perhaps the simplest example of non-monotonicity is the Ishihara Color Test
*hidden digit plate*: "only individuals with color vision defect could
recognize the figure".  A person with normal color vision (i.e., without the
color vision defect) wouldn't see the figure.  In this case, more
information is worse!

https://en.wikipedia.org/wiki/Color_perception_test

The "collect it all" mentality has already been challenged on Bayesian grounds:

http://www-stat.wharton.upenn.edu/~hwainer/Readings/Wainer%20Savage.pdf

I'm going to challenge NOBUS on "paranoia & arrogance" grounds; I claim that
the NOBUS attitude has actually made it cheaper and easier for the U.S. to
*attack itself* with a self-inflicted act of "terrorism".

Here are the ingredients:

* U.S. paranoia has put its entire govt security apparatus on a "hair
  trigger" response
* U.S. is now capable and willing to shoot down commercial airliners as a
  defense against another "9/11"
* "Collect it all" enables U.S. govt to make intelligence correlations
  impossible by other govts
* Electronic intelligence "evidence" is given far greater weight than common
  sense by govt intelligence apparatus

Since the U.S. govt has already loaded its gun, pointed it at its foot, and
cocked it, all that a "terrorist" has to do now is to convince the govt that
a threat from that foot is imminent, at which point the U.S. govt will blow
its own foot off.

This "terrorist" knows that the collect-it-all NSA is listening to meta-data
world-wide, and actual data outside the U.S.  Furthermore, the NSA is hard
at work producing correlations, the overwhelming majority of which are
spurious.

Enter the Ishihara Color Test *vanishing plate*: only individuals with
better color vision can recognize the figure; the US now has better
intelligence vision, so NOBUS sees the figure.

All that is necessary is to seed NSA-monitored communications channels with
enough misdirections -- each of which is completely innocent by itself --
but which, when "correlated" by a paranoid intelligence apparatus, will
create the perception of imminent attack by a commercial airliner landing at
a major U.S. city, e.g., Washington, DC or New York City.

Note that these seeds would be uncorrelated (and indeed uncorrelatable) by
any other govt, but due to NOBUS, only the U.S. govt would "see" the
"overwhelming" evidence of imminent attack.

Note that this "terrorist" need not send any agents into the physical U.S.;
he/she need not train anyone to fly a plane; he/she need never engage in an
act more violent than tapping a computer keyboard, using a cell phone or an
ATM machine or a credit card.

All this "terrorist" has to do is to convince this paranoid govt that a
commercial airliner is not under the complete control of its pilots, and
that this "knowledge" is obtained too late in the plane's landing pattern
before a missile would have to be fired.

But it gets worse: even *practice attempts* at misdirection will be
interpreted as additional evidence of a real plot, so this "terrorist" would
eventually be able to accomplish his/her goal.

I leave it to the Tom Clancy's of the world to construct the appropriate
seeds to plant, but it doesn't seem that difficult to come up with
appropriate scenarios.

Note that—due to NOBUS—no other govt would (be able to) come to the
same conclusions, and therefore that no other govt would willingly blow its
own foot off.

The NOBUS collect-it-all/correlate-it-all mentality has risks of its own.


U.S. Surveillance in Place Since 9/11 Is Sharply Limited

<>
Wed, 3 Jun 2015 08:42:12 -0400
http://www.nytimes.com/2015/06/03/us/politics/senate-surveillance-bill-passes-hurdle-but-showdown-looms.html

A bill to allow the government to restart surveillance operations, but with
new restrictions, passed over the opposition of the Senate majority leader,
and was signed by President Obama.


"You haven't seen anything yet" Thought for the Day

Lauren Weinstein <lauren@vortex.com>
Wed, 3 Jun 2015 18:11:14 -0700
The war against crypto is just beginning. Government officials around the
world—particularly here in the USA—are ramping up gigantic PR
campaigns aimed at legislators and the media to argue that end-to-end
encryption without backdoor access for government helps terrorists and
cannot be permitted, particularly if operated by the large Web services that
most people use. This battle is going to make the old Clipper Chip
controversies of the 90s look like a walk in the park. *** You can count on
it. ***  [LW in NNSquad]


Questions and Answers About Newly Approved USA Freedom Act

Monty Solomon <monty@roscom.com>
Wed, 3 Jun 2015 08:44:52 -0400
http://www.nytimes.com/aponline/2015/06/03/us/politics/ap-us-nsa-surveillance-qa.html


Article: How I tracked FBI aerial surveillance

<Peter G Neumann>
Thu, 4 Jun 2015 11:37:21 -0700
http://arstechnica.com/tech-policy/2015/06/how-i-tracked-fbi-aerial-surveillance/


Little Brothers are watching you

Amos Shapir <amos083@gmail.com>
Wed, 3 Jun 2015 17:32:26 +0300
A company called Nexar has unveiled a smartphone application that turns the
phone into a dashboard camera.  The application lets drivers rate other
drivers, and at the end of the day uploads all tagged footage to the cloud,
to be shared by other clients; it then uses the info to warn users of "bad
drivers" close to them.

Details at:
http://www.geektime.com/2015/05/28/channel-that-road-rage-into-something-constructive-with-nexar-you-can-easily-report-terrible-drivers/

There is no mention of whether the application enables tagged drivers to
review and/or appeal their rating (just the first issue which popped into my
mind, there may be lots more).  Amos


Intel's new Fortran Extended with Crap Algorithmic Language (Simon Sharwood)

Henry Baker <hbaker1@pipeline.com>
Wed, 03 Jun 2015 08:44:44 -0700
FYI—IoS = "Internet of Sh*t" ?  This napp app needs 1 GB of RAM & 4 GB of
flash (wipeable, of course) ?  The third world will be recycling these
processors for their drones, as in "The Internet of stuff hits the fan".

The name of Intel's new product?  Alimentary, my dear Watson...

Your baby's privacy is assured, because Intel's software is "leakproof" (tm).

Coming for grownups with adult diapers: the Sh*tbit wrist "activity" tracker.

http://www.theregister.co.uk/2015/06/02/intel_imagines_chips_in_kids_pants_to_create_the_internet_of_span_classstrikeshtspan_ithingsi/

Intel imagines chips in nappies to create the Internet of sh*t things

We have a CODE BROWN down there, repeat CODE BROWN

Intel-sponsored 'DiaperPie' connected nappy

Simon Sharwood, *The Register*, 2 Jun 2015

Computex 2015 If you think the Internet of Things (IoT) is a steaming pile
of you-know-what, Intel's kind-of confirmed your suspicions by backing a
team that's imagined an Internet-connected nappy (diaper for North American
readers).

Computex 2015 is full of folks spruiking the Internet of stuff.  On the show
floor you can hardly move for video cameras, sensors and associated
networking kit.

Intel's taken things a step further, revealing today that one of the `maker'
teams it's encouraged to play with its Edison platform has created a
prototype Internet-connected nappy (diaper).

The idea's simple: nappies of the future will include a sensor, or you'll
get your tot to wear one, and when your offspring's alimentary canals
produce waste you'll get a warning on your smartphone.  WiFi produces too
much energy to ensure the viability of infant innards, so Bluetooth LE gets
the job of telling you about the presence of something brown or yellow.

For now, the nappy is full of an Intel Edison system and its host board.
The pair certainly have enough grunt to squeeze out some data: there's a
dual core Atom at 500Mhz in there, along with 1GB of RAM and 4GB of flash to
store—let's leave that to the imagination.

Before your correspondent's children were toilet trained, their mother and I
employed a sophisticated remote olfactory sensing technology to determine
whether their pants were full.  That biological device had a remarkable
range and never ran out of batteries but was susceptible to viruses, which
could reduce its sensitivity by inducing unusual flows of mucus.

Future parents, it seems, may be spared that marvelous part of child-rearing.

Intel and its makers did not, however, discuss a solution for the nastiest
part of the job, namely the bit involving wet wipes.  Your correspondent
will report if such a device can be found on the show floor.


Apple now dominates consumer digital video viewing, says new Adobe report (Jackie Dove)

Monty Solomon <monty@roscom.com>
Thu, 4 Jun 2015 13:35:53 -0400
Jackie Dove, 4 Jun 2015

In the run-up to Apple's Worldwide Developer Conference, Adobe Digital
Index, the company's marketing arm, has concluded that Apple is
currently the dominant player in consumer digital video consumption, and
that the trend is likely to continue.

In a new report examining Online Video Viewing and Browsing Trends
between 2014 and 2015, Adobe declared Apple as a clear winner in major
categories of content, including Internet-connected, subscription-based
pay TV programming, known in the trade as TV Everywhere. The study was
based on anonymous and aggregated data gathered by Adobe Marketing Cloud
analytics, which tracked more than 500 billion visits to 11,000 sites in
the US and 7,000 sites abroad.

The results? Not only does Apple dominate pay TV, but its iOS devices
account for a majority of all premium video viewing content whether
authenticated via subscription or unauthenticated and freely accessible.
According to Adobe's research, Apple has captured 62 percent of all
authenticated video.

http://thenextweb.com/apple/2015/06/04/apple-now-dominates-consumer-digital-video-viewing-says-new-adobe-report/


EU wants to kill open Wi-FI

Lauren Weinstein <lauren@vortex.com>
Tue, 2 Jun 2015 12:52:57 -0700
Open Wireless Advocates to European Court:
Don't Make Us Lock Down Our Networks

  In the preliminary reference to the Court of Justice of the European
  Union, the Europe's highest court is asked whether an enforcement practice
  requiring open wireless networks to be locked is an acceptable
  one. Germany's Federal Supreme Court in 2010 held that the private
  operator of a wireless network is obliged to use password protection in
  order to prevent abuse by third parties. If the CJEU affirms this finding,
  the effect could be to extend this bad precedent throughout Europe,
  grounding the open wireless movement across the continent. If on the other
  hand it rejects that finding, German law could be forced to return to
  sanity, allowing thousands of hotspot operators to open up their networks
  again.  [via NNSquad]


Re: Volvo horrible self-parking car accident

Andrew Pam <xanni@glasswings.com.au>
Wed, 03 Jun 2015 12:36:03 +1000
Volvo points out that the pedestrian detection function requires additional
sensor hardware (radar and a camera) not fitted to that model, and even if
it were fitted it is overridden by a driver explicitly accelerating as in
the accident shown in the video.  Which raises a few relevant RISKS:

1. Why did the victims and the driver apparently believe that the car could
   magically avoid hitting pedestrians?

2. Why do the media typically fail to accurately investigate or report the
   incident?

3. Should a car fitted with appropriate sensors override a driver in such a
   situation?

Andrew Pam, Xanadu Chief Scientist; Glass Wings http://www.glasswings.com.au
Serious Cybernetics http://www.xanadu.com.au/; http://www.sericyb.com.au/


Re: This Ad for Banned Food in Russia Can Hide Itself From the Cops

Amos Shapir <amos083@gmail.com>
Tue, 2 Jun 2015 12:44:13 +0300
In Israel, street ads showing women - even just faces - often get marred or
damaged by Jewish ultra-orthodox activists.  Maybe this is a solution - an
ad that changes whenever it senses someone approaching who is wearing a
big black hat...


Re: Only 3% of people aced Intel's phishing quiz

Amos Shapir <amos083@gmail.com>
Tue, 2 Jun 2015 12:52:22 +0300
I used to work in a big company where the security department were trying to
educate employees by sending around messages which were supposed to look
suspicious, and then reprimanding those who had opened the messages.

The trouble was, they made such a poor job of hiding the messages' origin,
that I always mistook these for just yet another routine message from
security, and fell for opening them every time!

I wonder how many of Intel's subjects had opened the supposed phishing
messages precisely because they did recognize them for what they really
were.


Re: Woman plans to sue after Fla. license labels her a sex offender (RISKS-28.66)

Amos Shapir <amos083@gmail.com>
Tue, 2 Jun 2015 12:32:46 +0300
I wonder if this license had already made its way into some big bad database
of sex offenders.  If it did, she might be in for more trouble down the
road.  One specific problem in this case is that precisely because she's not
an offender, she has no legal right to require the state to let her search
such databases for her name!


Re: House of Discards: Wikipedia pre-election edits (Baker, RISKS-28.66)

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Tue, 02 Jun 2015 07:41:37 +0200
In Risks 28.66, Henry Baker reports on Wikipedia-page edits from the UK
House of Commons before the UK elections. He also suggests a link with the
European Union Court of Justice ruling that people have a right to have
certain information about them obscured in a WWW search.

It's only one sentence; he doesn't justify the connection he makes and I
don't see one.

First, anyone can edit Wikipedia pages. This is not the first time in which
information on public figures may have been "cleaned up" on Wikipedia (if it
indeed happened, and whoever did it - many may be motivated). Most of us
understand that people whose career depends upon their personal reputation
may engage in "image management" and Wikipedia is the obvious place to
start. Indeed, North America has a little industry that will do it for you.

Second, public figures standing for public office in the UK have no legal
right set by the European Court or otherwise in UK law (as I understand it
as a layman) to have correct public-interest information about themselves
omitted from Internet searches or indeed any publication. They have
everyone's legal right through libel laws to have false information about
themselves corrected and resulting damage compensated by the perpetrator.

That's all as it was before the EUCJ ruling about the "right to be
forgotten".

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
www.rvs.uni-bielefeld.de www.causalis.com
