The RISKS Digest
Volume 29 Issue 08

Monday, 9th November 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Cybersecurity Firm FireEye Blames Tanking Stock On U.S.-China Hacking Deal
Robert Hackett via Prashanth Mundkur
Helping victims who used encrypted privacy
Scripps via AlMac
Anonymity of Crooks
Trade Pact Could Bar Governments From Auditing Source Code
TPP Details made public
Net Of Insecurity: The kernel of the argument
Craig Timberg
German & US spy scandals make us paranoid
IBTimes et al. via AlMac
UK Health Minister announces a review of NHS IT
Martyn Thomas
Why haven't our medical records entered the digital age
Programmers: Stop Calling Yourselves Engineers
Ian Bogost
More and more audio enthusiasts hitting fast forward
Boston Globe
When Neighbors Tangle Online
Volkswagen Says Whistle-Blower Pushed It to Admit Broader Cheating
The EC is preparing a frontal attack on the hyperlink
Julia Reda
Ransomware: Newest viral marketing gimmick
Dan Goodin via Henry Baker
Re: Internet of Ears / OK Google
William Brodie-Tyrrell
Re: Wikipedia and Deepak Chopra: Open-Source Character Assassination
Rob Slade
Re: $1 million iPhone Zero-day Bounty
Brian Inglis
Info on RISKS (comp.risks)

Cybersecurity Firm FireEye Blames Tanking Stock On U.S.-China Hacking Deal (Robert Hackett)

Prashanth Mundkur
Sat, 7 Nov 2015 10:33:50 -0800
Robert Hackett, November 5, 2015, Fortune

(As the article notes, the reasons the FireEye CEO is giving for their
plunging stock don't explain why the stocks of their competitors have

Helping victims who used encrypted privacy (Scripps)

"Alister Wm Macintyre (Wow)"
Thu, 5 Nov 2015 15:11:02 -0600
There's a battle between:

* Advocates of quality privacy in a world of untrustworthy government
  officials, and an epidemic of fraud.

* Law Enforcement leaders blaming encryption for their inability to solve
  crimes and serve the public.

This contributes to great harm for many people, illustrated in this article:

I believe this is part of a larger challenge.  What can and should be done
about a person's electronic life, after they die, go missing, get kidnapped,
are temporarily disabled with mental health problems?

I believe in an optional "side door" into our electronic lives.  We could
create an Excel, on a CD, into a safety deposit box, or custody of our
lawyer, or other safe place. The Excel would contain a chart of our Internet
and other accounts, with passwords for each.  This could be accessed by a
search warrant, or a person we have informed the bank has our authority to
access it, when we become a crime victim, or are disabled.  After we die,
our descendant beneficiaries then have the tools to preserve Internet
history of loved ones who had accounts on social media, change our last
position on LinkedIn to Deceased.  This is a system which is not
accessible by border guards when we travel abroad; stalkers; exes; a broad
range of Internet fraudsters who could access law enforcements' proposed
"back door"; or phishers, unless they phool the bank, with social

When there was a change of management in my former day job, I'd visit the
new manager, with a document, telling him or her that if I am gone at any
point in the future, here is a road map of security check points for our
computer servers, with the passwords needed at each access point that I
have, in my role as Master Security Officer.  Could you please put this in a
safe place, available for the next person who gets my job?  From time to
time we change the most critical passwords.  Here is a list of the people
whom we currently notify of the replacements.  When you are more oriented
with your role with us, perhaps you would like a briefing on weak points we
are aware of in our overall security.

Many people are using OS versions, and other resources, no longer supported
by the original vendor.  I believe that when a vendor decides it will no
longer support some old version, the ability to access it should go
into some wayback repository, which can be accessed by people armed with
both money and a search warrant, when there are crime victims whose
electronic life was on such old stuff.

This is related to backups.  When our PC has a meltdown, we want a
replacement version of software we were using, and the means to transfer the
data from our backup into it.

As for the allegation that encryption slows down access to the content, if
you have legal access, and a math chip to handle the decrypting, there is no
slowdown.

Institutions which give guidance on wills, estate planning etc. might also
advise clients on how they can make their electronic lives accessible by
trusted loved ones, in the event of an unexpected emergency.

These ideas won't solve all the problems, but are a start at thinking
outside the boxes.

Anonymity of Crooks (Knujon)

"Alister Wm Macintyre (Wow)"
Thu, 5 Nov 2015 16:12:53 -0600
One of the reasons why law enforcement leaders are so adamant about
destroying citizenry privacy is that among the mass of Internet users are
criminals and terrorists, sharing in that privacy.  I believe that Internet
regulators and law enforcement have fallen down on their job of protecting
and serving the Internet public.  If they did their job properly, then a
great deal of the threat of Internet criminals and secret terrorist
communications would go away.

Check out the work of KNUJON (no junk backwards),

After I joined KNUJON, the volume of my unwanted e-mail dropped
astronomically. For every 1 spam I get today, I used to get 10,000 before
joining Knujon.  I tried to sell my former day job on using KNUJON
protection.  All co-workers told me "Everyone gets spam, Al.  Get over it."
They would not believe, nor try it out.  When I left that day job, they were
having to upgrade the server which manages e-mail, because the volume of spam
was overwhelming them.  The company could run perfectly fine on servers with
1/10 the capacity, but for the spam problem.

Something like 90% of e-mail is some scam via spam, from an anonymous

These anonymous crooks are enabled by crooked Internet registrars,
identified by Knujon.

If the powers that be decided to end these crooked practices, we all would
suffer a lot less from malware, spam, fraud, etc. and law enforcement's job
would be so much easier.

There is a legitimate need for some anonymity for crime victims to have a
life unbothered by people they have an order of protection against.  There
are systems in place to protect these people in the physical world, which
need to be extended into the virtual world.  That's another case of the
judicial system failing to protect and serve Netizens.

Blame for crooks on the Internet also rests with most Internet users.  When
we get a spam e-mail, and just delete it, we are enabling the spammer to
stay in business, but if we first forward that spam to KNUJON, they will
work on putting the spammers into the slammer.

Trade Pact Could Bar Governments From Auditing Source Code (WiReD)

Lauren Weinstein
Thu, 5 Nov 2015 15:54:57 -0800
*WiReD* via NNSquad

  But if the international trade deal called the Trans-Pacific Partnership
  is adopted, the US and other member countries would be prohibited from
  requiring that companies from other member states hand over the source
  code of their products.  Volkswagen's home country Germany is not one of
  the TPP's potential member states, so this restriction wouldn't apply to
  that company, but it could potentially limit US regulators' access to
  Japanese and South Korean cars, among other products.  It could also put
  the kibosh on an idea proposed by Internet pioneer Vint Cerf and a group
  of other experts to require manufacturers to release the code that runs
  WiFi routers.


TPP Details made public (NZ)

"Alister Wm Macintyre (Wow)"
Thu, 5 Nov 2015 14:15:44 -0600
The government of New Zealand has released full text of the controversial
Trans-Pacific Partnership Trade deal.

This will fuel revived protests and meaningful debate by ordinary people who
are not politicians.

US Presidential candidate debaters will have to face more detailed questions
about TPP than in the past.

Text of the Trans-Pacific Partnership

TPP Full Text
TPP Final Table of Contents

Articles about what's there that many people do not like.

Net Of Insecurity: The kernel of the argument (Craig Timberg)

Prashanth Mundkur
Fri, 6 Nov 2015 15:19:29 -0800
Concern about Linux security hits WaPo.

Net Of Insecurity: The kernel of the argument
Craig Timberg, Nov 5, 2015, Washington Post

German & US spy scandals make us paranoid

"Alister Wm Macintyre (Wow)"
Sun, 8 Nov 2015 15:58:15 -0600
There are many dimensions to spy scandals.

Who spies on whom, for what reasons, and do they have their government legal
authority to do so?  Do they store the captured info where it can be
re-stolen by other hackers?

To save money, some passage of spy info is automated, then data requests are
sent through the network which go beyond agreed-to scope and topics.

Investigations into alleged spying then get passed along to the news media
by Wikileaks.

Other nations, revealed as having been spied upon, launch their own

We hear these stories & wonder what else is going on, which has not yet been
leaked, and if any of this spying explains other stuff in our news.

The US NSA spies on everyone it can.  So does Germany's BND, and we suspect
many more nations have similar practices.  What has been leaked about BND is
much less than what has been leaked about NSA, but this is not proof that
BND spying is less than NSA's, under the cockroach theory that if we find
out about some, there may be much more.

Allegedly some of the spying by the German BND agency was without authority
from higher authorities.

Of course if the "back door" enthusiasts in US law enforcement get their
way, then millions of criminals world wide will be spying on everyone who
uses technology of US manufacturers.

The German BND has apparently been doing both: spying on other nations on
behalf of the NSA, and also spying on the USA; we do not yet know whether
just on Germany's behalf, or for some other nation.

Meanwhile it has come out that NSA had a similar arrangement with Britain's
GCHQ to spy on the Germans.

The German American double agent was apparently loyal to neither, when he
was caught offering to sell his booty to the Russians, by using e-mail being
spied upon, which we might not have known about but for Snowden.  Then yet
another German government employee was caught spying for the Americans.

When government agencies have the authority to order companies to cooperate,
and keep silent about it, then any number of pieces of commercial hardware,
and innocent business operations, can be engaged in surveillance.

Iran believes it, when they arrest tourists and journalists.

Microsoft Windows has been dramatically increasing surveillance of its
customers.  Is this at the request of NSA?

Many hobbyist drones, in America, are made in China.  Do they secretly
report back to their maker any info they pick up?

If commercial airliners have been subverted to engage in spying on
territories they fly over, then that increases the risk of them being hit by
bombs and other weapons by various combatants in conflict zones.   Remember
Japan Airlines 007?

Airbus is in the news at present for, so far, the crash in Egypt and the leak
that the German BND allegedly spied on Airbus on behalf of the US NSA.

Why is the USA spying on Airbus?  Is it to help Boeing?

We have a US Presidential contender who lost her job at HP because she
allegedly spied on top executives to try to figure out who was leaking
confidential corporate secrets.  Now here is Airbus complaining about being
spied upon, when not so long ago it in turn was spying on its own employees.

UK Health Minister announces a review of NHS IT

Martyn Thomas
Fri, 6 Nov 2015 09:53:51 +0000
RISKS readers will recall the UK Connected for Health IT programme that, as
the Minister (Hunt) is quoted as saying, cost billions and "came to virtually
nothing in our biggest ever IT disaster".

Hunt has asked a US Professor to conduct a review to guide the way forward
for NHS IT. The review will be done by Robert Wachter, who Hunt calls an
"expert on the promise and pitfalls of new IT systems."

Computer Weekly says that Wachter is the interim chairman of the Department
of Medicine at the University of California, San Francisco, and the author
of *The Digital Doctor*, which looks critically at the rise of healthcare IT
systems in the US.

Does any reader know whether he is well qualified to conduct this review?

Why haven't our medical records entered the digital age

"Peter G. Neumann"
Fri, 6 Nov 2015 15:00:26 PST
  [Courtesy of Dr. Deborah Peel]

Programmers: Stop Calling Yourselves Engineers (Ian Bogost)

Henry Baker
Thu, 05 Nov 2015 08:35:39 -0800
  *Engineer* is an aspirational title in software development.  Traditional
  engineers are regulated, certified, and subject to apprenticeship and
  continuing education.  Engineering claims an explicit responsibility to
  public safety and reliability, even if it doesn't always deliver.  The
  title *engineer* is cheapened by the tech industry.  Ian Bogost, *The

Doing so undermines a long tradition of designing and building infrastructure in the public interest.

HB: "Software Engineering" is—and always has been—an oxymoron.  The
reason: software is where you put all the stuff that the real (hardware)
engineers couldn't deal with.  The dark secret of computers is the unholy
mess of legacy hardware decisions that have to be duct-taped over with
software.  This is not a good foundation for "engineering" a program or

The world should cheer the fact that 1980's-style "software engineering"
never caught on.  It would have smothered computer science in the crib --
just when a large number of innovative ideas were being developed.

Even more importantly, the critically important *encryption technology* --
on which much of the security of the current Internet relies—isn't a
science today at all, but an *art*—a collection of ad hoc techniques that
sometimes more-or-less works.  To a first approximation, a computer system
is secure today if and only if a handful of really, really smart people
can't figure out a way to break it.  That's it!  There are almost no
theorems in encryption today that don't depend upon very squirrelly
assumptions.  You simply can't "engineer" an artifact in the absence of a
physical, a chemical, and a mathematical basis on which ground your

Also, before waxing too poetically about registered & regulated engineers, I
would draw attention to the almost-disaster of the Citigroup Center and the
ongoing San Francisco Bay Bridge fiasco.

  [Long item truncated for RISKS.  PGN]

More and more audio enthusiasts hitting fast forward

Monty Solomon
Sat, 7 Nov 2015 09:32:42 -0500

When Neighbors Tangle Online

Monty Solomon
Sun, 8 Nov 2015 11:44:31 -0500

Publicly accessible websites critical of board members and how buildings are
managed are leading to defamation lawsuits.

Volkswagen Says Whistle-Blower Pushed It to Admit Broader Cheating

Monty Solomon
Sun, 8 Nov 2015 18:53:11 -0500
Efforts to discover who was responsible for misconduct at the German
carmaker have been hampered by a culture of silence and a fear of delivering
bad news to superiors.

The EC is preparing a frontal attack on the hyperlink

Henry Baker
Sun, 08 Nov 2015 06:42:00 -0800
"Each weblink would become a legal landmine and would allow press publishers
to hold every single actor on the Internet liable."

Here's a soon-to-be-illegal link to the leaked .docx file:*/0B6d07lh0nNGNaXFzUFBPaE0tY0E?e=download

Ancillary Copyright 2.0: The European Commission is preparing a frontal
attack on the hyperlink  [...]

Ransomware: Newest viral marketing gimmick (Dan Goodin)

Henry Baker
Fri, 06 Nov 2015 07:07:07 -0800
There's an old joke about a man whose spouse's credit card had been stolen
by identity thieves, but he didn't report it because the identity thieves
racked up smaller monthly charges than his spouse did.  (rimshot!)

Perhaps OPM should utilize CryptoWall for encrypting government employee
data, because:
 * CryptoWall charges less than EMC; and
 * CryptoWall implements better encryption than EMC.

Dan Goodin, Ars Technica, 5 Nov 2015
Booming crypto ransomware industry employs new tricks to befuddle victims.
High-pressure tactics try to extort more people into paying to recover their data.

Ransomware that uses strong cryptography to hold entire hard drives' worth
of data hostage keeps getting nastier, as criminals attempt to find new ways
to extort more people into paying increasingly hefty ransoms to recover
their files.

A case in point is Chimera, a relative newcomer to the crypto ransom racket
that targets primarily businesses.  In an attempt to turn up the pressure on
infected victims, the malware threatens to publish their pictures and other
personal data somewhere on the Internet unless a ransom of $638 in bitcoins
is paid.  There's no evidence yet that the new cryptoware title has made
good on the threat to post victims' private data online, but it's a likely
bet the prospect is enough to convince some undecided victims to go ahead
and pay the fee.

The threat, according to a blog post published Tuesday, comes only after the
cryptoware has encrypted data stored not only on local hard drives but also
on network drives.  To add drama to the attack, all file extensions
are changed to .crypt.  Chimera is also programmed to target specific
employees within an infected company, presumably to make sure the ransom
demand doesn't get missed.

A second example of cryptoware turning up the pressure on victims is the
latest version of CryptoWall, one of the early entrants in the industry.
The recently released CryptoWall 4.0 now replaces names of encrypted files
with pseudo-randomly generated letters and numbers, presumably to further
befuddle victims who are suddenly unable to access their data.  The new
version appears to continue encrypting data with 2,048-bit RSA keys, which
when implemented correctly are practically impossible to break.

That's not the only attention-grabbing ploy.  The notification the malware
sends to deliver the news that victims' data has been encrypted
congratulates them on becoming a part of the "large community CryptoWall."
Besides the snarky tone, the notice is also notable for its almost pristine
grammar and spelling and its clarity in explaining how strong crypto works.

"Encryption is a reversible transformation of information in order to
conceal it from unauthorized persons but providing at the same time access
to it for authorized users," the notice reads, according to this blog post
published by antivirus provider Bitdefender.  "To become an authorized user
and make the process truly reversible i.e. to be able to decrypt your files
you need to have a special private key.  In addition to the private key you
need the decryption software with which you can decrypt your files and
return everything in its place."

The notice goes on to warn users not to attempt to break the encryption lest
the files be lost forever.  CryptoWall 4.0 also employs advanced mechanisms
to avoid detection by antivirus and firewall programs, according to
researchers at Heimdal Security.

The refinements show that cryptoware purveyors operate much like other
online businesses, which are constantly updating their products and services
in an attempt to bring in new business.  That dedication only makes sense,
given FBI estimates earlier this year that CryptoWall alone generated losses
of more than $18 million.  A separate report estimated US damages of $325
million from CryptoWall 3.0.  That translates into huge profits, especially
when considering the revenue is tax-free.

Now that crypto ransomware is a threat that won't be going away any time
soon, there's been a fair amount of debate about whether victims should pay
the ransom as demanded.  Recently, an FBI agent reportedly told businesses
it may be easier for them to pony up.  The comments generated howls of
protest among security professionals, who warned there's no guarantee the
fees will ensure the encrypted data is restored.

The critics are right that there can be no certainty that the ransomware
operators will make good on their promise.  And there's always the
possibility a programming error or law enforcement takedown will allow keys
to be recovered without paying the fee, as was the case last year with the
CryptoLocker brand.  Then again, there are plenty of reports of victims with
no other recourse who paid the ransom and recovered their files.
Ultimately, the decision should be made on a case-by-case basis.  No doubt,
paying the increasingly large fees is a risk, and it only rewards truly
pernicious and illegal behavior.  Then again, for people who have lost data
valued in the thousands or hundreds of thousands of dollars, paying a $700
ransom may be worth the risk and cost, although the move shouldn't be taken
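
As an added, defender-side illustration of the two renaming behaviours the article describes (Chimera appending .crypt, CryptoWall 4.0 replacing names with pseudo-random letters and digits), here is a small detector run over a constructed rename log; it is not code from the article, Bitdefender or Heimdal, and the log format, the per-user threshold and the entropy cut-off are my own assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample of file-rename events, one per line as "user|old_path|new_path".
# Not real telemetry: alice's files get Chimera-style ".crypt" suffixes, bob's are
# replaced by CryptoWall-4.0-style random names, carol's renames are ordinary.
SAMPLE_EVENTS = r"""
alice|C:\Users\alice\Documents\budget.xlsx|C:\Users\alice\Documents\budget.xlsx.crypt
alice|C:\Users\alice\Documents\report.docx|C:\Users\alice\Documents\report.docx.crypt
alice|\\fileserver\shared\q3.pptx|\\fileserver\shared\q3.pptx.crypt
alice|C:\Users\alice\Pictures\holiday.jpg|C:\Users\alice\Pictures\holiday.jpg.crypt
bob|C:\Users\bob\Documents\notes.txt|C:\Users\bob\Documents\7k2q9x1mz4.8f3a
bob|C:\Users\bob\Documents\cv.docx|C:\Users\bob\Documents\p0d5w8n2vr.1c6e
bob|\\fileserver\shared\plan.xlsx|\\fileserver\shared\z3h7t1lq9y.b52d
bob|C:\Users\bob\Documents\draft.docx|C:\Users\bob\Documents\final.docx
carol|C:\Users\carol\Documents\old.txt|C:\Users\carol\Documents\old_v2.txt
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking stems score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def looks_random(name):
    """Heuristic for CryptoWall-4.0-style names: a long, purely alphanumeric
    stem mixing letters and digits with high entropy (thresholds are assumed)."""
    stem, _, _ext = name.rpartition(".")
    if len(stem) < 8 or not stem.isalnum():
        return False
    if not (any(ch.isdigit() for ch in stem) and any(ch.isalpha() for ch in stem)):
        return False
    return shannon_entropy(stem) >= 3.0


def classify_rename(old_path, new_path):
    """Return 'crypt_ext', 'random_name' or None for one rename event."""
    old_name, new_name = basename(old_path), basename(new_path)
    if new_name.lower().endswith(".crypt") and not old_name.lower().endswith(".crypt"):
        return "crypt_ext"
    if looks_random(new_name) and not looks_random(old_name):
        return "random_name"
    return None


def is_network_share(path):
    """UNC paths (two leading backslashes) are the network drives the article mentions."""
    return path.startswith("\\\\")


def analyse(events, threshold=3):
    """Count suspicious renames per user; alert once a user crosses the threshold."""
    per_user = {}
    for line in events.strip().splitlines():
        user, old_path, new_path = line.split("|")
        stats = per_user.setdefault(
            user, {"crypt_ext": 0, "random_name": 0, "network_share": False, "alert": False}
        )
        kind = classify_rename(old_path, new_path)
        if kind is None:
            continue
        stats[kind] += 1
        if is_network_share(new_path):
            stats["network_share"] = True
    for stats in per_user.values():
        stats["alert"] = stats["crypt_ext"] + stats["random_name"] >= threshold
    return per_user
```

Calling `analyse(SAMPLE_EVENTS)` flags alice and bob (both also touched the constructed file server share) and leaves carol's ordinary renames alone.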

Re: Internet of Ears / OK Google (Re: RISKS 29.07)

William Brodie-Tyrrell
Wed, 4 Nov 2015 10:07:55 +1030
Related to the "voice everywhere" phenomenon...

Injecting voice commands into microphone cables:

Facebook listens to your background, "to identify things you're listening

It gets more interesting when speech recognition is both ubiquitous and

Re: Wikipedia and Deepak Chopra: Open-Source Character Assassination (RISKS-29.07)

Rob Slade
Tue, 3 Nov 2015 12:59:28 -0800
I was very interested in Lauren's pointer to the Huffington Post piece on

I use Wikipedia a lot, and find it helpful.  However, I almost never use
Wikipedia when I am looking for information about recent events, and
certainly never in isolation.  The article also points out why I don't use
Wikipedia for *any* information on technical or security topics, and,
particularly, why I don't contribute to Wikipedia on these topics:

  "These editors are no more empowered than any other volunteer editor, but
  their ideological zeal and willingness to viciously attack any opposing
  editor has driven off most impartial editors. After all, Wikipedia is 100%
  volunteer, so why would someone voluntarily spend their time being called
  a moron and facing endless opposition to every neutral edit?"

I'm a specialist, and an expert.  The Wikipedia article on computer viruses
is obviously being written and maintained by people who aren't.

The material is definitely incomplete, often to the point of being
misleading.  It's full of internal contradictions, since the editors don't
know enough about the technology to understand the implications of what is
there.  (Even though one of my books is cited: )

The malware entry is not quite as bad, although I'd never recommend it as a
reference.  I was amused to find an entry for "riskware," a term I've never
heard used in all the reference material I've reviewed:

I've complained about this before, and been asked why I didn't do something
about it.  Well, this is why.  If I made any edits, and took the time to
find references and citations, they'd probably just be reverted anyway by
well-meaning but non-expert editors.  They don't know the field or the
topic, so there is no reason they'd even recognize who I was.

Re: $1 million iPhone Zero-day Bounty (RISKS-29.07)

Brian Inglis
Wed, 4 Nov 2015 02:32:30 -0700