The RISKS Digest
Volume 29 Issue 25

Thursday, 11th February 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Asiana: Secondary Cause of Crash Was Poor Software Design

Gabe Goldberg

More than 100 crashes caused by confusing gear shifters—Jeep, Chrysler, Dodge

Gabe Goldberg

Conclusions of research on oldest ancient homo sapiens DNA study revised due to data-processing error

Bob Gezelter

IoT Insecurity by design

TechDirt via Alister Wm Macintyre

Fake Online Locksmiths May Be Out to Pick Your Pocket, Too

NYTimes

Dodgy USB Type-C cable fries vigilante engineer's $1,000 laptop

Ian Paul

Live in the EU? You probably should start accessing Google through a VPN or proxy.

Reuters

Hackers Get Employee Records at Justice and Homeland Security Depts

Eric Lichtblau

Hackers claim to have hacked NASA, hijacked one of its drones

danny burstein

Hacked Toy Company VTech's TOS Now Says It's Not Liable for Hacks

Lorenzo Franceschi-Bicchierai via Richard Forno

Hack-Proof RFID Chips

Larry Hardesty

"KB 3123862 eerily resembles Microsoft's earlier Get Windows 10 patch"

Woody Leonhard

AFCEA on cybersecurity

Warren Pearce

University of California traffic stored for up to 30 days

Christopher Brooks

At Berkeley, a New Digital Privacy Protest

NYTimes

Why "Let's Encrypt" free SSL certs are worse than useless—actually dangerous—to many sites

Lauren Weinstein

Shopping Mall SMS Parking Notifications Could Be Used To Track Any Car

Slashdot via Dan Jacobson

Increasingly popular update technique for iOS apps puts users at risk

Lucian Constantin

EAC exec director on voter registration

Voting News Weekly

Amazon's customer service backdoor

Medium.Com

"rm -rf /" Can Brick Your UEFI System

Henry Baker

Re: Errors in Scientific Software May Be More Serious Than Suspected

Mike Crawford

Re: Israel's electric grid hit by severe hack attack

Mike Rechtman

Re: On Facebook normally one can only see others' public groups

Dan Jacobson

Re: Date formats

J R Stockton

Re: Why do people keep ... looking for lost cellphones

Michael Kohne
Al Mac

Blackout rehearsals: let's start with GPS

Martyn Thomas

Doing University exams on computers?

Richard A. O'Keefe

Info on RISKS (comp.risks)

Asiana: Secondary Cause of Crash Was Poor Software Design

Asiana Airlines said Monday that contributing factors to the July 2013 crash
in San Francisco included poor software design and the failure of the
plane's low-speed alerting system to activate in time for a safe recovery.

http://www.frequentbusinesstraveler.com/2014/03/asiana-secondary-cause-of-crash-was-poor-software-design/

Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042  (703) 204-0433

More than 100 crashes caused by confusing gear shifters—Jeep, Chrysler, Dodge

The shift system operates electronically and the gear requested by the
driver is transmitted from the shifter via the CANbus to the Transmission
Control Module which makes the requested shift.
http://consumerist.com/2016/02/08/more-than-100-crashes-caused-by-confusing-jeep-chrysler-dodge-gear-shifters/

  ...sometimes.

Gabriel Goldberg, Computers and Publishing, Inc.,
3401 Silver Maple Place, Falls Church, VA 22042  (703) 204-0433

Conclusions of research on oldest ancient homo sapiens DNA study revised due to data-processing error

All human endeavors involving information are subject to overlooked data,
erroneous computations, and a variety of other failings.

Recently, a team led by Andrea Manica (University of Cambridge) extracted
the genome of an Ethopian who died 4,500 years ago, a significant
accomplishment. However, when cross comparing the results with modern
reference genomes, a team member failed to convert the modern dataset to the
same format as the extracted DNA data. This failure to normalize formats led
to incorrect conclusions about the relatedness of the ancient individual to
more modern populations.

Pontus Skoglund (Harvard Medical School) and his colleague, David Reich,
obtained the raw data from Manica, and came to different conclusions.  When
told of the discrepancy, Manica's team investigated and discovered the
processing error.

The Nature erratum report is at:
http://www.nature.com/news/error-found-in-study-of-first-ancient-african-genome-1.19258

Bob Gezelter, http://www.rlgsc.com

IoT Insecurity by design

With the "Internet of things" (IoT), security is an afterthought? Whether
it's your automobile, your refrigerator or your tea kettle, so-called
"smart" Internet of things devices are consistently and alarmingly showing
that they're anything but.  Most IoT devices are insecure by design.  They
leak user info.  They identify the device, where it is being used, what the
user is doing.  It is not just PII given out, it is also surveillance of the
customers made available to almost anyone.

Identify whether the user is at home or not.

The data goes out clear text, very few have any security protocols.

Difficult to identify who, in the supply chain, to hold accountable, and get
the problems fixed.

http://www.theregister.co.uk/2016/01/19/iot_smart_devices_are_dumb/
https://www.dropbox.com/s/36nxibezelxrduk/FTC-PrivacyCon-2016.pdf

<https://www.techdirt.com/articles/20150721/17481331719/car-hack-demonstrates-why-security-researchers-shouldnt-have-to-worry-about-copyright-exposing-weaknesses.shtml>
<https://www.techdirt.com/articles/20150824/06411532041/internet-not-so-smart-things-samsungs-latest-smart-fridge-can-expose-your-gmail-password.shtml>
<https://www.techdirt.com/articles/20151015/13551232547/easily-hacked-tea-kettle-latest-to-highlight-pathetic-internet-things-security.shtml>

"Smart" Door Bell

It is accessible to crooks from the "insecure" side of the door & the camera
only shows the back of someone leaving, so a person can break in, then
disable it.

They don't have to break in.  Unscrew 2 screws outside the home, press a
button, and now they can change anything in the home's IoT.

They can "hack" their way in, insecurity by design.  Fortunately the screws
are non-standard.

Some bugs have been fixed, more have been reported.

https://www.techdirt.com/articles/20160112/11405333312/ding-dong-your-easily-hacked-smart-doorbell-just-gave-up-your-wifi-credentials.shtml

"Smart" Thermostat

Nest has fixed several bugs, there are more reported, with their hardware,
software, and customer service.

https://www.techdirt.com/articles/20160121/05125933392/nest-thermostat-goes-internet-things-darling-to-cautionary-tale.shtml

Do you have web cams in your home?  Forget about stopping that info going
out to other people, unless you put masking tape over the camera.

Weigh yourself in the bathroom - forget about privacy of other people not
knowing the results.

Who owns the data streaming out of your home?  Apparently not you.  So do
you have a legal right to interfere with that data exiting?

http://www.govtech.com/security/Is-Privacy-Compromised-By-Growth-of-IoT-Devices.html

Smart devices need to become user-friendly.

http://www.argusinsights.com/smarthomeapps2016/

Fake Online Locksmiths May Be Out to Pick Your Pocket, Too

http://www.nytimes.com/2016/01/31/business/fake-online-locksmiths-may-be-out-to-pick-your-pocket-too.html

Odds are good that when you search Google for someone to help you get into
your home or car, results will include poorly trained subcontractors who
will squeeze you for cash.

Dodgy USB Type-C cable fries vigilante engineer's $1,000 laptop (Ian Paul)

Ian Paul, PCWorld, 3 Feb 2016
If you don't do your research, buying a third-party Type C adapter is a
little like playing Russian roulette with your gadgets.
http://www.pcworld.com/article/3029368/hardware/dodgy-usb-type-c-cable-fries-vigilante-engineers-1000-laptop.html?google_editors_picks=true

selected text:

Benson Leung's good intentions have finally caught up with him. The Google
engineer who launched a crusade against bad USB-C cables in late 2015 just
uncovered another sub-standard USB-C cable—and this time it's cost him a
$1,000 laptop.

The Google engineer recently tested Surjtech's 3M USB 3.1 Type-C to standard
Type-A USB 3.0 adapter cable, but those tests didn't get very far at
all. Leung said that as soon as he connected the cable to his Chromebook
Pixel, via a small USB power delivery (PD) analyzer, both the PD and his
laptop ceased working properly.

The problem with the Surjtech cable ... was that the device was completely
miswired ... .  The offending cable is currently unavailable on Amazon.

Why this matters: Type-C adapters are particularly important cables right
now since they're shipping with phones that use the newer tech as a charging
port.

http://www.howtogeek.com/240777/watch-out-how-to-buy-a-usb-type-c-cable-that-wont-damage-your-devices

Live in the EU? You probably should start accessing Google through a VPN or proxy.

Google to scrub web search results more widely to soothe EU objections
http://www.reuters.com/article/us-google-eu-privacy-idUSKCN0VJ29U

  To address the concerns of European authorities, the Internet giant will
  soon start polishing search results across all its websites when someone
  conducts a search from the country where the removal request originated, a
  person close to the company said.  That means that if a German resident
  asks Google to de-list a link popping up under searches for his or her
  name, the link will not be visible on any version of Google's website,
  including Google.com, when the search engine is accessed from Germany.

Live in the EU and want to know what your government masters are trying to
keep you from seeing on Google search? You'll have to use a proxy or VPN to
access Google. I strongly recommend you do so for other than the most
innocuous searches. Don't blame Google for this, blame your bureaucratic and
political czars of censorship who want to control every aspect of what you
see, hear, and think. You poor slaves.

Hackers Get Employee Records at Justice and Homeland Security Depts (Eric Lichtblau)

Eric Lichtblau, *The New York Times*, 8 Feb 2016
http://www.nytimes.com/2016/02/09/us/hackers-access-employee-records-at-justice-and-homeland-security-depts.html?smprod=nytcore-iphone&smid=nytcore-iphone-share&_r0

WASHINGTON—In the latest cyberattack targeting the federal government, an
intruder gained access to information for thousands of employees at the
Justice Department and the Department of Homeland Security, but officials
said Monday that there was no indication that sensitive information had been
stolen.  Most of the information appeared to have been culled from internal
government directories, including employeesâ email addresses, phone
numbers and job titles.

Motherboard, a technology news site, reported on Sunday that it had been
approached by a hacker who claimed to have obtained employee information on
about 20,000 people at the F.B.I. and 9,000 at the Department of Homeland
Security.  [...]

Hackers claim to have hacked NASA, hijacked one of its drones

[net-security.org]

AnonSec hackers claim that they have breached a number of NASA's systems,
and they have published a data trove containing video recordings made by the
agency's aircrafts and drones, the drone's flight logs, and the names, email
addresses and telephone numbers of some 2,400 agency employees.

They apparently attempted to interest *The Guardian* and WikiLeaks into
analyzing the stolen info and publishing the results, but after having
received no answer, they decided to do it themselves by torrenting the dump.

The leak was accompanied by an extensive document describing the things they
had to do to compromise NASA's systems (attacks and exploits) and the extent
of the compromise. [...]

  http://www.net-security.org/secworld.php?id397

Hacked Toy Company VTech's TOS Now Says It's Not Liable for Hacks (Lorenzo Franceschi-Bicchierai)

Lorenzo Franceschi-Bicchierai, Motherboard, 9 Feb 2016

Last Friday, parents and kids who own the Internet-connected toys made by
VTech finally received some much-awaited news: The company's app store and
learning portal was back online after being shut down for more than two
months following the embarrassing data breach that exposed the personal data
of more than 6 million children.

“After further strengthening our data protection, the Learning Lodge
service is now back online.  We are committed to the privacy and protection
of the information you entrust with VTech.'' [VTech's president King Pang
wrote in an email to customers, which a parent shared with Motherboard.]

What Pang didn't say in the email, however, is that VTech seems to be trying
to skirt any responsibility for a future hack, deflecting the blame to its
own customers.

In its Terms and Conditions for the Learning Lodge, VTech now includes the
following ominous language in all-caps:

  “YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE
  DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR
  LATER ACQUIRED BY UNAUTHORIZED PARTIES.''

It's unclear when this language was added, but the document says it was
updated on December 24 of last year. (VTech did not respond to a request for
comment on the Terms and Conditions but said key functions of the Learning
Lodge came back online on January 23.)

But security and privacy experts are concerned that this could be an attempt
to skirt lawsuits in case of a future data breach—and they believe
consumers should be aware of the move to avoid liability, especially
considering that VTech is now getting in the house monitoring business.

Rik Ferguson, the vice president of security research at Trend Micro, said
the clause is “outrageous, unforgivable, ignorant, opportunistic, and
indefensible,'' and likened it to `weasel words'.  Despite this surprising
change—a British law professors told me he's never seen a clause like
that before—legal experts doubt the provision has any real value.

http://motherboard.vice.com/read/hacked-toy-company-vtech-tos-now-says-its-not-liable-for-hacks

It's better to burn out than fade away.

  [Robert Schaefer noted with respect to this item:
    It has been conjectured that maybe, perhaps, someday lawsuits would
    bring improvements in off-the-shelf software, but the law works both
    ways.  EULAs (that thing you click on before being able to actually use
    the product) are intended to prevent lawsuits.
  PGN]

Hack-Proof RFID Chips (Larry Hardesty)

Larry Hardesty, MIT News, 3 Feb 2016 via ACM TechNews, 5 Feb 2016
Read the TechNews Online at: http://technews.acm.org

Researchers at the Massachusetts Institute of Technology (MIT) and Texas
Instruments have developed a virtually hack-proof radio-frequency
identification (RFID) chip, which they presented this week at the
International Solid-State Circuits Conference in San Francisco.  MIT
graduate student Chiraag Juvekar says the chip is designed to foil
side-channel attacks, which analyze patterns of memory access or
fluctuations in power consumption when a device is conducting a
cryptographic operation, in order to extract its cryptographic key.  The
RFID chip's effectiveness in preventing such attacks is courtesy of two
design advances: an on-chip power supply whose link to the chip circuitry
would be virtually impossible to sever, and an array of "nonvolatile" memory
cells that can store whatever data the chip is working on when it starts to
lose power.  The device utilizes ferroelectric crystals and a bank of
3.3-volt capacitors as an on-chip energy source, while 571 1.5-volt
ferroelectric cells are embedded into its circuitry.  When the chip's power
source, an external scanner, is removed, the chip harnesses the 3.3-volt
capacitors and completes as many operations as possible, then stores the
data it is working on in the 1.5-volt cells.  When power is reintroduced,
the chip recharges the capacitors so that if another interruption occurs, it
will have sufficient power to store data.  It then resumes its previous
computation and if that computation was an update of the secret key, it will
finish the update before responding to a query from the scanner, thwarting
power-glitch attacks.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e9d0x2dcd3x065505&

"KB 3123862 eerily resembles Microsoft's earlier Get Windows 10 patch"

Woody Leonhard, InfoWorld, 5 Feb 2016
The mystery update has too many parallels with last year's Get Windows 10
patch debacle, so you may not want to install it.
http://www.infoworld.com/article/3030211/microsoft-windows/experts-recommend-dont-install-microsoft-patch-kb-3123862.html

selected text:

On Wednesday Microsoft released another mystery patch, KB 3123862, which
appears as an optional, unchecked patch in Windows Update and closely
parallels last year's reviled Get Windows 10 patch, KB 3035583—a patch
we're still fighting.

If you install the optional update, you find that KB 3123862 gives you
brand-spanking-new copies of the following:

* Explorer.exe, the Windows File Explorer, and ExplorerFrame.dll,
  which contains supporting files—icons, menus, bitmaps—for Explorer.exe
* Shell32.dll, the heart of the Windows interface
* Authui.dll, which controls logins

If that doesn't send a chill up your spine, you haven't been following
along.  The parallels to KB 3035583 are uncanny—and disquieting.

AFCEA on cybersecurity

Here are some more things to consider for RISKS (that I have been reading
since the mid 1980s) from the AFCEA (Armed Forces Communications and
Electronics Agency) conference.

Cybersecurity expert at Springs AFCEA conference: Secure networks don't
exist.  Businesses and government agencies that operate computer networks
should assume hackers will get past their defenses and should focus instead
on finding and removing them before they can do damage, a cybersecurity
expert said Wednesday at a conference in Colorado Springs.
http://gazette.com/cybersecurity-expert-at-springs-conference-secure-networks-don't-exist/article/1569242

Air Force Academy's Innovation Center has big cyber plans. A small center
growing at the Air Force Academy's Fairchild Hall will play a big part in
the study of the military's role in cyberspace. Academy Superintendent
Lt. Gen. Michelle Johnson told a crowd Wednesday at the Rocky Mountain
Cyberspace Symposium at The Broadmoor that the Air Force Cyber Innovation
Center, being established this year on the campus, will eventually study
technical, social and legal problems in the online world.
http://gazette.com/air-force-academys-innovation-center-has-big-cyber-plans/article/1569200#cxrecs_s

The Air Force plans to revolutionize how it handles computer warfare by
beefing up its force of cyberspace experts while contracting out easier
jobs, like running the service's network. Gen. John Hyten announced the
groundbreaking shift at the Rocky Mountain Cyberspace Symposium on Tuesday
at The Broadmoor, which drew more than 2,000 electronic security
experts. Under Hyten's plan, each of the Air Force's wings will include a
cyberspace squadron of computer experts by 2026.
http://gazette.com/article/1569128

Warren Pearce, Colorado Springs, 719-548-1748, wwpearce@comcast.net

University of California traffic stored for up to 30 days

The *San Francisco Chronicle* (paywalled) and other sources have been
reporting on-going deep, inside packet-level, monitoring of network traffic
at all University of California campuses.

Currently, the best summary may be found at
http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html.
See also
https://www.timeshighereducation.com/news/university-california-campus-monitoring-concerns-raised

It appears that network monitoring was put into place after the 2015 UCLA
incident that resulted in the notification of 4.5 million people about
possible id theft.

The network monitoring hardware is reported to be able to store 30 days of
full packets, though this seems improbable.

The risk here is that the University of California Office of the President
(UCOP) installed this hardware and then instructed campus staff to keep the
installation secret.  At one point, UCOP incorrectly used attorney/client
privilege as a reason for secrecy, though this was later retracted.

Other risks are that it is unknown where the data is being stored, who has
access to it and if and when it is being destroyed.

The current president of UC is Janet Napolitano, who previously headed DHS.

Christopher Brooks, University of California Berkeley, Academic Program
Manager & Software Engineer cxh@eecs.berkeley.edu, 707.332.0670

At Berkeley, a New Digital Privacy Protest

http://www.nytimes.com/2016/02/02/technology/at-uc-berkeley-a-new-digital-privacy-protest.html

  Under a program initiated by Ms. Napolitano, the former secretary of
  Homeland Security in the Obama administration, the university system began
  installing hardware and software in its data centers that would monitor
  patterns of digital traffic, like what websites are being visited by
  faculty and students, or telltale signs of cyber intruders.  The program,
  which was begun with little notice or consultation, soon rankled a group
  of professors at one campus, Berkeley, which has a deep-seated ethos of
  academic freedom as the cradle of the free speech movement in the
  1960s. In recent days, the professors have begun speaking out publicly
  about the issue. "My primary concern is monitoring the private information
  of students and faculty in secret," said Eric Brewer, a professor of
  computer science at U.C. Berkeley. "I'm sure there's good intent. But I
  can't see a good reason for doing it."

Why "Let's Encrypt" free SSL certs are worse than useless—actually dangerous—to many sites

https://plus.google.com/+LaurenWeinstein/posts/iprFnhPwaYF

You may have heard about the "Let's Encrypt" project that is ostensibly
pushing for widespread adoption of SSL on websites by offering free SSL
certificates on demand.

What you may not have heard is that despite widespread objections (their
discussion/comments threads on this are long indeed) they have apparently
refused to make any certs available with expiration periods longer than 90
days, for a variety of mostly highly questionable reasons.

They argue that if you run their full system you won't care, because all
your certs will automatically be renewed. But in practice, many environments
cannot (for policy and/or technical reasons) deploy automatic certificate
management systems, and manually updating certs—especially for multiple
machines—is often entirely impractical on such a frequent basis.

Worse, it's exactly the sites with limited time and person resources,
especially on legacy systems, who could have most benefited from these
certificates, but have the least ability to participate in their automated
environment or roll their own automated systems.

And when a cert expires, given the heavy-handed, often unnecessarily
panic-inducing, hard to bypass warnings of some browsers these days, it
effectively can cut users off from important resources.  In some situations,
that's downright dangerous.

It is a real shame that Let's Encrypt is being—frankly—so half-assed
about what could have been a great program.

Shopping Mall SMS Parking Notifications Could Be Used To Track Any Car

http://yro.slashdot.org/story/16/02/03/0315233/shopping-mall-sms-parking-notifications-could-be-used-to-track-any-car

Westfield's Scentre Group has removed SMS notifications for its ticketless
parking system after it was discovered they could be used to track other
people's cars unnoticed. The system allows you to enter any licence plate,
which in turn will be scanned upon entry and exit at mall parking facilities
-- and when the free parking time is up, a notification message is sent to
the mobile phone number entered, with the exact location of the car.

Increasingly popular update technique for iOS apps puts users at risk (Lucian Constantin)

Lucian Constantin, InfoWorld, 29 Jan 2016
JSPatch could allow malicious developers to bypass Apple's strict
application review process and access restricted iOS functions
http://www.infoworld.com/article/3027590/ios/increasingly-popular-update-technique-for-ios-apps-puts-users-at-risk.html

selected text:

For example, after adding the JSPatch engine to their application, which
requires just 7 lines of code, developers can configure the app to always
load JavaScript code from a remote server they control.  This code is then
interpreted by the JSPatch engine and converted into Objective-C.

"JSPatch is a boon to iOS developers," security researchers from FireEye
said in a blog post. "In the right hands, it can be used to quickly and
effectively deploy patches and code updates. But in a non-utopian world like
ours, we need to assume that bad actors will leverage this technology for
unintended purposes."

The problem is that hot patching is at odds with the iOS security model,
which partially draws its strength from Apple's walled garden, its carefully
controlled app store.

There are some security-related restrictions that Apple imposes on
third-party apps and which are solely enforced through the app store review
process. JSPatch allows developers to bypass such policies.

EAC exec director on voter registration

The Voting News Weekly, 1-7 Feb 2016

Newly-appointed Election Assistance Commission Executive Director Brian
Newby has decided—without public notice or review from his agency's
commissioners—that residents of Alabama, Kansas and Georgia can no longer
register to vote using a federal form without providing proof of U.S.
citizenship. The action by the new executive director of the U.S. Election
Assistance Commission is being roundly criticized by voting rights
activists, who say the "secretive move" will create additional barriers for
potential voters, and one of the agency's own commissioners, who says it
contradicts policy and precedent. U.S. House Speaker Paul Ryan told black
lawmakers Wednesday that he supports new voting rights protections they've
championed, but said he won't bypass a committee chairman to move
legislation. In the Iowa Democratic party's chaotic attempt to report caucus
results on Monday night, the results in at least one precinct were
unilaterally changed by the party as it attempted to deal with the
culmination of a rushed and imperfect process overseeing the
first-in-the-nation nominating contest. Early voters in Maryland's primary
will cast their ballots on paper that will be scanned by a machine—just
as election day voters will—after elections officials nixed the use of
their ES&S ExpressVote ballot-marking devices for early voting. A federal
court panel ruled that two of North Carolina's 13 congressional districts
were racially gerrymandered and must be redrawn within two weeks, sparking
uncertainty about whether the March primary elections can proceed as
planned. The U.S. Supreme Court denied a request from Republican members of
Congress to put on hold a Virginia election map that gives Democrats a
chance to pick up a seat in this year's election. Renewed fighting between
communities has sparked tensions as presidential elections in the Central
African Republic draw closer, while Haiti's outgoing president prepared to
leave office despite having no replacement after a botched election.

Amazon's customer service backdoor

https://medium.com/@espringe/amazon-s-customer-service-backdoor-be375b3428c4#.1x6v4if1b

"rm -rf /" Can Brick Your UEFI System

FYI—UEFI was supposed to make PC HW safer, but unauditable UEFI has
turned into a security nightmare.  In the PC world, there are turdlets all
the way down...

"with about 20 lines of code on Windows, you can cause the same havoc", so
this problem isn't specific to Linux.
  [Yes, and it has appeared in RISKS before.  PGN]

https://www.phoronix.com/scan.php?page=news_item&px=UEFI-rm-root-directory

In A UEFI World, "rm -rf /" Can Brick Your System

Written by Michael Larabel in Hardware on 1 February 2016 at 08:14 AM EST.

Running rm -rf / on any UEFI Linux distribution can potentially perma-brick
your system.

As a public service announcement, recursively removing all of your files
from / is no longer recommended. On UEFI distributions by default where EFI
variables are accessible via /sys, this can now mean trashing your UEFI
implementation.

There is this systemd bug report requesting that UEFI variables be mounted
as read-only by default. Lennart Poettering had initially responded and
simply said, "Well, there are tools that actually want to write it. We also
expose /dev/sda accessible for root, even though it can be used to hose your
system. The ability to hose a system is certainly reason enough to make sure
it's well protected and only writable to root. But beyond that: root can do
anything really." He then closed the ticket.

There were many community comments since then, but systemd developers have
stood their ground and will not be mounting the EFI variables as read-only
as they do write to the variables in some cases. Matthew Garrett who is also
often involved in the UEFI Linux situation tweeted, "systemd is not
responsible for allowing kernel code that I wrote to destroy your shitty
firmware. I think you get to blame me instead." It's not a systemd-specific
issue at all but any distribution (or operating system for that matter)
mounting EFI variables not as read-only.

Should your system get bricked, you can always turn your computer into
bottle openers... ;)

Matthew says with about 20 lines of code on Windows, you can cause the same
havoc. He points out that mounting EFI variables as read-only could break
some user-space applications and isn't the solution to the problem. He does
have some ideas for addressing this issue, but didn't elaborate or issue any
new patches yet. For now, be forewarned you probably don't want to rm -rf /
your Linux system if using modern UEFI hardware.

Michael Larabel is the principal author of Phoronix.com and founded the site
in 2004 with a focus on enriching the Linux hardware experience. Michael has
written more than 10,000 articles covering the state of Linux hardware
support, Linux performance, graphics drivers, and other topics. Michael is
also the lead developer of the Phoronix Test Suite, Phoromatic, and
OpenBenchmarking.org automated benchmarking software. He can be followed via
Twitter or contacted via MichaelLarabel.com.

Re: Errors in Scientific Software May Be More Serious Than Suspected

(Scientific data analysis is buggy because researchers aren't professional
coders.)

In 1994, I found that the pseudorandom number generator in CERNLIB had a
short "period", that is, after fewer samples than required to complete a
Monte Carlo calculation typical for the time, the PRNG would repeat its
previous "random" numbers verbatim.

This had to do with the generator having been written in the 1960s when
particle physics apparati were smaller and less complex.

Monte Carlo calculations are used to find the "acceptance" of a particle
detector, loosely speaking, the sensitivity of the detector to a given
event.  The published event count is the observed event count divided by the
acceptance, whose calculation depends on a quality random number source.

I'm not able to find my USENET post just now, but I expect my address was
crawford@scipp.ucsc.edu.  The day after I blasted this news throughout every
corner of the scientific community, a CERN staff member mailed me the source
to a PRNG with a much longer period.  To paraphrase his cover letter, he
wrote "Here's what you need, but the guy who maintains that part of CERNLIB
won't accept my patch because I'm British and he's French."

It was later pointed out to me that important results would be verified by
duplicating experiments.  If the detector is different, then it is unlikely
that the acceptance calculation would err by the same amount.

Also there are some experiments that seed their PRNGs with a radiation
source.

I asked my advisor why all the software was written by grad students rather
than hiring professional engineers: "Because students need jobs".

Michael D. Crawford mike@soggywizards.com http://soggywizards.com/

Re: Israel's electric grid hit by severe hack attack

Storm in a teacup:
http://www.theregister.co.uk/2016/01/28/israel_power_grid_attack_boring_ransomware/

... He's a politician; you can't expect him to actually understand what he's
talking about...

Re: On Facebook normally one can only see others' public groups

https://www.facebook.com/4/groups , unless one uses
https://www.facebook.com/search/4/groups !

Re: Date formats (RISKS-29.24)

ISO 8601 (the correctly-formatted name) gives several date formats, each
with the advantages stated if not mixed with each other.  For example, today
can be written as 2016-01-31, 2016-W04-7, 2016-031, 20160131, 2016W047,
2016031, and in longer forms for dates which may be before year 0000 or
after year 9999.

For applications in which proper sorting is needed but human readability is
not desired, one can use (at constant width) bases other than 10.

Re: Why do people keep ... looking for lost cellphones (R 29 24)

I can't be sure because the details are sketchy (mostly, I think, because
these people haven't been able to get anyone to talk to them), but it seems
that the cellphones in question ARE NOT at their house, So the problem is
that someone is being TOLD the phone is at their house, when in fact it is
not.

So jamming at their house won't help - the phone wasn't there anyway!

They need to get whoever is providing location service to debug the problem.

Given the lack of details, I can't be sure what they've done, but my
approach would be to talk to the local PD and file a harassment complaint
against the company in question. Being brought up on charges should bring
someone's attention to the problem.

Re: Why do people keep ... looking for lost cellphones (R 29 25)

Our most precious possessions are probably freedom & good health for
ourselves and loved ones, but when something takes away part of our
electronic lives, the emotional impact can drive normal humans to risk our
most precious possessions to try to recover what has been lost.

3+ million smart phones are stolen in a year, says consumer reports.
http://www.consumerreports.org/cro/news/2014/04/smart-phone-thefts-rose-to-3-1-million-last-year/index.htm

If the "find my stolen property" ap worked correctly, using it to trace
the crooks could get yourself killed.
Going after the alleged crooks is a form of vigilantism.
http://www.nytimes.com/2014/05/04/us/when-hitting-find-my-iphone-takes-you-to-a-thiefs-doorstep.html?_r=0

Especially when the GPS location is not exact, and you attack an innocent
person who has a phone like yours.
https://iphone.appstorm.net/general/opinion-general/unbelievable-find-my-iphone-stories-the-good-the-bad-and-the-ugly/

Victims of falsely being accused of location with stolen devices, have in
fact contacted local PD.  This has not helped them resolve the
situation. You are correct that the bad info is pointing at GPS of the home.
Jamming would not solve that.  The homes visited by the police, and
vigilantes wanting their property back, would need to collect some id info
from visitors, take that to a lawyer, to figure out who to sue, if any
lawyer would take such a case.

The lawyer may need to do a deposition on the brand name of phone, service
provider, ap, whatever system it uses, so that a properly qualified
technician can conduct a cyber security audit of whatever they are using to
locate the wrong house, to find out where the technology is being used
inappropriately.  Then, that can be the grounds for a million dollar law
suit.

Perhaps a law firm would be willing to do this for a class action suit on
behalf of many victims:

* Victims of the mistaken identity (see several links below)
* Victims who lost their phones & find my phone sent them to the wrong place
* Insurance companies that paid off for stolen property, which could not be
  recovered.

But it is not yet obvious to victims, and people whom they consult, what
needs to be done to solve this.  The victims of the mistake identities have
been suffering harassment for years, without resolution.  I suspect nothing
will be resolved, until some of these mistaken identity victims defend
themselves under the 2nd amendment, forcing authorities to take serious
action, like having the FTC do million dollar fines on companies marketing
bogus apps.

Here's a confusing story where bullets were fired into a home, killing a
baby inside, allegedly the wrong house of a stolen phone, but the trial
seems to be entirely focused on who is in the drug traffic.
http://fox6now.com/2015/11/30/he-shot-the-wrong-house-trial-begins-for-darmequaye-cohill-charged-in-shooting-death-of-bill-thao/

I speculate that either:

* There is something wrong with the hardware or software on the ap detecting
  the missing phone, which investigators would need to actually find to
  figure it out.
* There is an ap for crooks, which lets them steal mobile devices, then send
  out a bogus GPS location, to any other apps trying to find out where they
  are located.
* When the *find my phone* software cannot find it, it does not give an
  error message, it instead provides wrong info.  This can happen with badly
  written software.
* GPS coordinates may be accurate, but whatever system was supposed to key
  in what geography that really is, in the mapping software, has got bad
  input.

  [*either*?  or some combination of the above?   PGN]

There are multiple victims, all over the map.  The same kind of problem is
playing out in other jurisdictions.  Some victims get much more news media
attention than others, and some journalists act like it is only happening at
one home.
http://www.cultofmac.com/408285/apple-thinks-this-house-is-the-bermuda-triangle-of-lost-iphones/

Australia, Melbourne
You can *find my phone*, but the police will do nothing about it.
https://iphone.appstorm.net/general/opinion-general/unbelievable-find-my-iphone-stories-the-good-the-bad-and-the-ugly/

Britain, Nottingham
Perhaps we all need insurance to cover risk that the police will smash into
our property, when we totally innocent, then not pay to repair the damage
done.
http://www.cnet.com/news/stolen-iphones-tracker-app-sends-police-to-wrong-house/
http://www.neowin.net/news/police-burst-into-wrong-house-to-recover-stolen-iphone
http://www.telegraph.co.uk/technology/news/9108550/Police-break-into-wrong-house-after-iPhone-mistake.html

This sort of thing happens more often with "swatting" where someone calls
the police, falsely claiming to be your home, talks about some horrible
crime they are engaged in, so the police send SWAT or other forces to break
in to your place with a no knock warrant, may kill or maim you in the
process.  Good luck getting compensation.  The police may have no idea who
it was who made the swatting phone call.
http://www.cato.org/raidmap

While many land line systems can tell the 911 operator where the phone call
came from, the wireless world has not seen fit to provide such traceability.

Canada, London, Ontario
Teenager uses *find my phone* ap, follows the map to demand its return, gets
shot dead.
http://www.businessinsider.com/teenager-killed-after-using-an-app-to-find-his-lost-cell-phone-2015-6

USA, Atlanta, Georgia
This is the story that started the RISKS thread.  They have to keep their
door locked, because some people are very angry at the occupants, thinking
their phone is in there, and they are ready to do violence to get it.  The
mistaken identity victims have got into the habit of asking brand name of
phone, phone service, app, involved.
http://fusion.net/story/214995/find-my-phone-apps-lead-to-wrong-home/
Speculation how it may be happening.
For example, thanks to copyrighted maps, some map companies put bogus info
in their maps—then if that bogus info shows up on another company's maps,
then that is proof of infringement.  But many companies might buy and use
the same map software, which includes the bogus info, and not know it is
bogus.
http://www.androidauthority.com/why-you-cant-trust-find-my-phone-apps-668949/
On one occasion, the police arrived because the phone was supposedly in the
possession of a missing girl.
http://www.wtoc.com/story/31083297/find-my-phone-app-pings-wrong-house

USA, Boston, MA
Some good advice here.
https://www.reddit.com/r/boston/comments/3cw4by/so_someone_stole_my_phone_and_i_know_where_it_is/

USA, Edgewater, Florida
This home has been identified by where is the stolen phone ap, and calls to
911 identifying crime in progress there.
http://abcnews.go.com/Business/cell-phone-flaw-homeowners-danger/story?id231998

USA, Las Vegas, Nevada
This guy gets both owners of missing phones coming to his door, and police
responding to domestic disturbance calls, whose GPS allegedly is his home.
He now has a sign in front of his home, about the problem, telling people
they should call the police, not bother him.
http://www.imore.com/lost-phones-tell-their-owners-theyre-home-las-vegas-man

USA, New Orleans, LA
Owners of the missing devices may have a case for lawsuit against Sprint,
where they PAID for a service which is not working as advertised.
http://www.wdsu.com/GPS-Tracks-Missing-Phones-To-Wrong-House/10980226
http://abcnews.go.com/Business/cell-phone-flaw-homeowners-danger/story?id
231998

USA, Rochester, Minn
The police raid was on the wrong house.  The guy they were after, was across
the street, and 3 houses down.  I think some people may be expecting more
precision from GPS etc. than it is really capable of.  The police claim they
found the home to raid, thanks to a tracking device on a stolen phone.
http://www.fox9.com/news/14020031-story
Local police dispute this story.
http://www.postbulletin.com/news/crime/officials-call-wrong-house-raid-story-erroneous/article_cd125535-70be-55f8-8602-c99f5c1f39dc.html

USA, Seattle, WA
Theft victim thinks he has located home where stolen item is located, but
police say the GPS ping is not probable cause to act.
http://www.seattletimes.com/seattle-news/privacy-laws-applied-backward/

This can also be a nightmare for the people who just want their smart phone.
https://forums.att.com/t5/Wireless-Account-Questions/5-days-Cust-Serv-Nightmare-for-a-lost-stolen-phone/td-p/4104908

Blackout rehearsals: let's start with GPS (Re: Mills, RISKS-29.24)

Great idea. We could start with GPS and find out who has got a hidden
dependency.  It might accelerate the adoption of E-LORAN as a backup.  Then
we can move on to a power blackout (if the 2003 blackout wasn't trial
enough).

But first, let's ask for an insurance quote to cover for the consequential
damage from the trials ...

Doing University exams on computers?

One of my colleagues has just announced that he belongs to a University
"working group discussing the possibility of organising computer-based
exams" and has solicited responses within just a few days.

This seems to me like a textbook example of doing something because we can
rather than because there's a real need for it, but I could be wrong about
that so I have urged that there should be an experimental study of students'
typing vs writing skill to see if it is now unfair to get students to write
by hand.

Does anyone know of any universities currently doing this and what problems
they've encountered?

  [Do you think this resembles the Electronic Voting and Internet Voting
  integrity problems?  PGN]

Please report problems with the web pages to the maintainer