The RISKS Digest
Volume 29 Issue 45

Monday, 11th April 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Japanese computer system problems left many flight passengers stranded
Chiaki Ishikawa
MedStar Disputes Reports That "Simple" Fix Would've Prevented Hack
Gabe Goldberg
Alaska cancels all K-12 standardized tests for the year: "technical problems"
WashPo via Jeremy Epstein
When IP addresses lie
Fusion via Charles Mann
How a Cashless Society Could Embolden Big Brother
The Atlantic via NNSq
Top executives not interested in having good cyber security
CNBC via AlMac
To dodge crypto, undercover UK cops simply asked to see terror convict's iPhone
Ars Technica
Judge calls Uber algorithm "genius," green-lights surge-pricing lawsuit
Ars Technica
NJ Transit is audio recording thousands of its riders
Larry Higgs via Henry Baker
Republicans Hijack an Election Agency
Stanford data breach
Randy Livingston via Paul Saffo
Cyber insurance rates fall with lull in major hacks
New Jersey University Was Fake, but Visa Fraud Arrests Are Real
Yours sincerely, yourself
Dan Jacobson
The Panama Papers Expose the Hidden Wealth of the World's Super-Rich
Chuck Collins
Excellent *Salon* article about the Panama Papers
Severo Ornstein
The Panama Papers: Here's What We Know?
Re: Panama Papers Explainer
Re: Panama Papers law firm PR statement
Al Mac
Re: Panama Papers / major links
Al Mac
How a Cryptic Message, 'Interested in Data?,' Led to the Panama Papers
Obama calls for international tax reform amid Panama Papers revelations
Rupert Neate and David Smith
Re: Man with Null name
Henry Baker
Re: Wrecking crew demolishes wrong house due to Google Maps error
David Landgren
Make the most of your 0 credits!
Dan Jacobson
The Deluge of Spurious Correlations in Big Data: Randomness in Nature and Data
Diego Latella
E-borders and successor programmes: a UK NAO Report
Diego Latella
Info on RISKS (comp.risks)

Japanese computer system problems left many flight passengers stranded

Thu, 07 Apr 2016 19:22:47 +0900
In the spring season when many people travel for sightseeing in Japan, two
computer system malfunctions grounded many passengers in the last few weeks.

March 22, ANA check-in systems failed to function properly.

ANA system glitch grounds 10,000 domestic passengers, is resolved
three hours later: URL

A google cache of a short notice of the day from ANA (in Japanese):

On April first, JAL's system to decide where the passengers and cargoes
should be placed inside plane hull stopped working.

JAL system glitch causes Haneda flight cancelations

JAL's short announcement on that day (in Japanese):

The irate passengers were complaining in TV interviews on each of those days,
but as a computer professional I was curious what caused the issues.

This time something very new happened.

Interestingly, the cause and remedy were announced very quickly (well,
relatively speaking) by ANA and JAL.  Not in the exact details that I want
(especially in JAL's case), but I think the public in general now understand
computer systems better than they did, say, 20-30 years ago, and the
companies affected seem to be a little forthcoming about the issues they

I am not sure if English translations of the following articles are
available, but the Japanese articles I read explained thusly:

ANA's case:

- in ANA's case, the problem was traced to a misbehaving Ethernet switch, a
  Cisco 4948E. The switch was used to exchange packets among redundant DB
  servers to cross check the operation of each server, and when the
  communication degraded, the system stopped.  Once this ethernet switch
  unit was replaced, the system began operating again after a clean up.

  The issue that triggered the failure of the system is that the system as a
  whole could not detect the degrading (not complete shutdown) of the switch
  and ANA mentioned some measure in the statement.

  Of course, how the status of the switch was monitored is not explained
  very well in the press articles. Possible brown-bag type of bug?

JAL's case:

* In JAL's case, the problem was traced to a system that decides where to
  put the load (i.e., passengers, and cargoes) to keep a good balance of the
  weight on the airplane. This system, called NetLine/Load, was originally
  created by Lufthansa Systems (LHS).

  According to the article above, a critical region handling routine was
  installed in the week before and this caused a deadlock of the application
  cache (not sure exactly what/where the cache is) and handling of disk

  There is a stand-by system that tried to take over once the deadlock
  degraded the primary system. But the stand-by system did not have the peak
  performance of a primary one, and the system failed to handle the busy
  requests of the morning rush hour flights although some flight data were
  processed satisfactorily, and thus many flights were canceled during that

  JAL announced its plan to upgrade the secondary system's capacity to match
  the primary one.  (Why the critical region handler was installed in the
  previous week was not explained, and it seems to be ripped off from the
  program under testing.)

Interesting that a rather well-explained review of the incidents appeared in
the general trade press, although the exact details are still lacking.  [CI]

PS: That both airlines did not seem to have foreign-language announcements
(maybe I did not search hard enough?) may point to a problem when overseas
tourists gather in 2020 when Tokyo Olympics and Paralympic Games will be

MedStar Disputes Reports That "Simple" Fix Would've Prevented Hack

Gabe Goldberg <>
Thu, 7 Apr 2016 15:09:05 -0400
Columbia, Md.—*MedStar Health*, the Columbia-based healthcare network
that operates 10 hospitals in the Baltimore-Washington area, is disputing
media reports that last week's crippling malware attack was the result of
poor system maintenance. "News reports circulating about the malware attack
on MedStar Health's IT system are incorrect," the company said in a
statement. "Our partner *Symantec* has been on the ground from the start of
the situation and has been conducting a thorough forensic analysis. In
reference to the attack at MedStar, Symantec said, `The 2007 and 2010 fixes
referenced in the article were not contributing factors in this event.'" The
Associated Press, citing an anonymous source, reported Tuesday that the
hackers exploited a design flaw in MedStar's system that had persisted since
2007, despite "urgent public warnings in 2007 and in 2010 that it needed to
be fixed with a simple update." The attack early last week crippled the
company's three main clinical information systems supporting patient care,
though MedStar said that no patient or associate data was compromised.

Alaska cancels all K-12 standardized tests for the year: "technical problems"

Jeremy Epstein <>
Tue, 5 Apr 2016 20:52:49 -0400
The issue isn't that the tests are poorly designed, or that they waste
teacher time "teaching to the test", or that they don't help students learn.
The problem was that the technology wasn't ready for prime time.

Among the problems were a "construction worker [who] accidentally cut a
fiber optic cable thousands of miles away at the University of Kansas"
(presumably blocking access to servers there).  They didn't have redundancy
for a system that's used by every schoolchild in the state of Alaska?  Also
bugs that caused the system to repeatedly restart, which caused problems
because students weren't permitted to start back at the beginning.

At the risk of getting on my hobby horse, given the budget for the system
($5M), what's the odds that any state would get Internet voting right?
There's certain similarities (e.g., everyone uses it more-or-less on the
same day, makeups are problematic, and issues like security and availability
are paramount), but with significant differences (e.g., no secret ballot in
test taking!) - and I'm willing to bet that Alaska didn't invest $5M in
their Internet voting system.

When IP addresses lie

Charles C <>
Mon, 11 Apr 2016 18:42:26 +0000 (UTC)


The Kansas house is not the only house to have problems as a result of being
a default location in the MaxMind database. I also spoke with a man in
Virginia who has experienced similar problems for years.

Tony Pav lives in a house at the end of a cul-de-sac in Ashburn,
Virginia. Among other things, Ashburn is home to a number of large data
centers—the giant buildings that companies like Google and Facebook use to
store their huge clusters of servers. As a result of all of these data
centers, there are a gigantic number of IP addresses associated with Ashburn
-- more than 17 million in all.

And due to the way MaxMind selected its default locations, all 17 million of
these IP addresses appeared to be located in Pav's home.

Pav told me he first started experiencing problems four years ago. In 2012,
he came home late one night to find the police about to break down his
door. They said they were looking for a stolen government laptop with
personal information on it. He let them in to search; it wasn't there, even
though its IP address was pointing right at his house. ...

How a Cashless Society Could Embolden Big Brother

Lauren Weinstein <>
Sun, 10 Apr 2016 07:42:05 -0700

  But wherever information gathers and flows, two predators follow closely
  behind it: censorship and surveillance.  The case of digital money is no
  exception. Where money becomes a series of signals, it can be censored;
  where money becomes information, it will inform on you.

This is but one example of such technology "bottlenecks" that could put a
big smile on Big Brother's face. Concentration of communications resources
are another. Yet another will almost certainly be autonomous vehicles, which
I'm convinced governments will use both to collect vast quantities of data,
and that governments will ultimately demand the ability to remotely control
in an array of contexts.

  [Of course, don't forget that government-mandated backdoors for monitoring
  would also be useful for nefarious purposes.  PGN]

Top executives not interested in having good cyber security (CNBC)

"Alister Wm Macintyre (Wow)" <>
Tue, 5 Apr 2016 17:14:08 -0500
According to CNBC, Tanium commissioned a survey with the Nasdaq. The survey
was conducted by Goldsmiths and included responses from 1,530 nonexecutive
directors and C-level executives in the United States, United Kingdom,
Germany, Japan and Nordic countries.

* 98 percent of the most vulnerable executives have little
confidence their firms constantly monitor devices and users on their

* More than 90 percent of corporate executives said they cannot read
a cybersecurity report and are not prepared to handle a major attack.

* 40 percent of executives said they don't feel responsible for the
repercussions of hackings.

* Individuals at the top of an organization - executives like CEOs
and CIOs, and even board members - didn't feel personally responsible for
cybersecurity or protecting the customer data.

Nasdaq report on what the cyber attackers are seeking:


To dodge crypto, undercover UK cops simply asked to see terror convict's iPhone

Monty Solomon <>
Wed, 6 Apr 2016 10:24:27 -0400

Judge calls Uber algorithm "genius," green-lights surge-pricing lawsuit

Monty Solomon <>
Wed, 6 Apr 2016 10:26:56 -0400

NJ Transit is audio recording thousands of its riders

Henry Baker <>
Sun, 10 Apr 2016 18:14:23 -0700
FYI—Lemme see.  We're recording train passengers, but not airline
passengers?  More likely, we've *found out* about recording train
passengers, but haven't *yet* found out about recording airline passengers.
Does anyone seriously believe anymore that airline passengers aren't being
recorded *all the time*, including in the restrooms, terminals and frequent
flyer lounges?

NJ Transit is recording the conversations of thousands of its riders

Who's listening to you on the train?  All the conversations between riders
are recorded by surveillance equipment aboard NJ Transit light rail trains,
which has commuter advocates and the ACLU concerned about privacy. [...]

Larry Higgs, NJ Advance Media for, 10 Apr 2016

Republicans Hijack an Election Agency (NYTimes)

"Peter G. Neumann" <>
Mon, 11 Apr 2016 7:43:39 PDT
Republicans Hijack an Election Agency, NYTimes Editorial, 10 Apr 2016

For 10 years, the Election Assistance Commission, the bipartisan federal
agency created after the 2000 election debacle to help make voting easier
and more standardized, has made it clear that prospective voters do not need
to prove that they are American citizens before they may register.

Anyone registering to vote with the federal voter-registration form, which
can be used for both federal and state elections, must already sign a
statement swearing that he or she is a citizen. Congress rejected a proposal
to require documented proof as well, finding that the threat of criminal
prosecution for a false statement was enough to deter fraud. This did not
satisfy some states, like Kansas and Arizona, where Republican officials
have fought for years to block voting by anyone who cannot come up with a
birth certificate or a passport.

See also:

Stanford data breach

Paul Saffo <>
Fri, 8 Apr 2016 15:06:26 +0000
  Date: April 7, 2016 at 11:01:12 PM PDT
  From: Randy Livingston <>
  Subject: Notification of Breach
  To: <>

  To all Stanford University employees,

On Monday, April 4, Stanford's Department of Public Safety and the
Information Security Office issued an alert to the university community
after receiving a small number of reports from employees of fraudulently
filed tax returns. Tax fraud has become a rampant problem across the
country, arising from widespread online financial scams and highly
publicized cyber breaches that have occurred in recent years. As such, at
the time of the university alert, it did not appear that the university was
being specifically targeted. University officials began investigating
immediately, and that investigation is ongoing. It now appears that the
university, among other employers, was a target as a source of W-2 forms.

As the investigation proceeded we determined that some Stanford employee W-2
forms were fraudulently downloaded from our third-party vendor. In total,
the W-2s of approximately 3,500 current and former Stanford employees were
downloaded through the vendor's system. The majority of these downloads are
likely legitimate, but I regret to report that we believe that at least 600
were downloaded fraudulently. An affected current or former employee may not
yet be aware that his/her records have been compromised.

The university will notify all employees whose W-2 forms were downloaded
from the vendor's site whether legitimately or not. We intend to issue those
notifications early next week. Those notifications will include further
instructions for accessing credit monitoring services and other protections
at no cost.

The university employs a third-party service named W-2Express, which is
operated by the credit bureau Equifax, to make W-2 forms accessible online
via tax preparation software or for direct download.  These downloads
required prior knowledge of an individual's Social Security Number and date
of birth.  The perpetrators were already in possession of this personal
information, which was subsequently used to log in and download the W-2

  [The rest omitted for RISKS.  PGN]

Randy Livingston is Stanford Vice President for Business Affairs and CFO

Cyber insurance rates fall with lull in major hacks (Reuters)

Gabe Goldberg <>
Tue, 5 Apr 2016 23:01:50 -0400

The risk? Mistaking a momentary risk reduction (weather) for long-term trend
(climate). And underpricing risk insurance.

New Jersey University Was Fake, but Visa Fraud Arrests Are Real

Monty Solomon <>
Wed, 6 Apr 2016 05:55:29 -0400

Federal officials set up the University of Northern New Jersey, which had no
real classes, to ensnare brokers who recruited foreigners trying to obtain
student visas.

Yours sincerely, yourself

Dan Jacobson <>
Wed, 06 Apr 2016 15:15:07 +0800
Bob Snodd sends NurdCo Corporation a message and gets back an auto-response:
"We at NurdCo are concerned and will get back to you promptly. Yours
sincerely, NurdCo Webpage Manager Bob Snodd"

So how did it happen? The template's [Given name] and [Surname] give the
intended answer when sent a test mail from the Webpage Manager himself's

OK I'll tell Facebook Pages to clarify whose names they are talking about.

The Panama Papers Expose the Hidden Wealth of the World's Super-Rich (Chuck Collins)

"Peter G. Neumann" <>
Tue, 5 Apr 2016 18:14:07 PDT
Chuck Collins, *The Nation* 5 Apr 2016
The Panama Papers Expose the Hidden Wealth of the World's Super-Rich

The Panama Papers reveal the widespread use of shell corporations in the
British Virgin Islands, the Seychelles in the Indian Ocean, and Panama.
Historically, North American investors prefer tax havens in the Caribbean or
Panama, with an estimated 54 percent of offshore investments going to those
areas.  The release of the Panama Papers should give a strong boost to US
and global campaigns to crack down on these global secrecy jurisdictions and

As global wealth concentrates in fewer hands, the world's wealthy are
shifting trillions to offshore havens to escape taxation, accountability,
and publicity.  The just-released Panama Papers—filled with titillating
details involving the shady dealings of world leaders and violent
traffickers of drugs and slaves—should give a strong boost to US and
global campaigns to crack down on these global secrecy jurisdictions and
practices.  Starting with an anonymous leak to the German newspaper
Süddeutsche Zeitung and shared with a consortium of journalists, the
Panama Papers initially identify 140 politicians and public officials using
off-shore schemes.  Leaders named with offshore wealth include current and
former members of China's politburo, three members of the UK House of Lords,
the president of Ukraine, and the prime ministers of Iceland and
Pakistan. Others include movie star Jackie Chan, Argentinian soccer star
Lionel Messi, and 29 billionaires from the Forbes global wealth list.
Initial media coverage in US major dailies is scant, perhaps due to the
conspicuous absence of US citizens named in what The Guardian calls the
*first tranche* of disclosures.   [Much more... Excellent article.]

Excellent *Salon* article about the Panama Papers

severo ornstein <>
Sat, 9 Apr 2016 10:04:06 -0700

The Panama Papers: Here's What We Know? (NYTimes)

Monty Solomon <>
Wed, 6 Apr 2016 05:43:00 -0400

The documents name international politicians, business leaders and
celebrities in a web of unseemly financial transactions.

Re: Panama Papers law firm PR statement (RISKS-29.44)

"Alister Wm Macintyre (Wow)" <>
Wed, 6 Apr 2016 14:03:58 -0500
The Panama law firm has issued a PR statement to its clients about the
condition of its cybersecurity.  Other organizations have also issued some

* 3-year-old version of Drupal, known to have many vulnerabilities.  They were
on version 7.23.  In 2014, Drupal warned that anyone running on anything below
7.32 can consider themselves to be hacked.

* 3 month old version of Word Press.  I believe I have seen several stories
about vulnerabilities there.  I imagine someone could have done a search for
all places using a vulnerable application, for the purpose of breaching all
of them.

* Encryption not used in e-mails.

Re: Panama Papers / major links

"Alister Wm Macintyre (Wow)" <>
Sun, 10 Apr 2016 16:45:09 -0500
As some of you may know, I launched a group on Linked In, last week, to
collect links to major stories on this scandal.

There are many aspects of this leak that may be foreign to many members of
the general public, so I am on the look out for places that do a good job of
explanation, such as this post I made there today:

  Off Shore Banking explained using a great piggy-bank analogy.

Many elements of the PP story need explanations, which are understandable to
people inexperienced in the subjects involved.

How a Cryptic Message, 'Interested in Data?,' Led to the Panama Papers

Monty Solomon <>
Wed, 6 Apr 2016 05:47:05 -0400

"We're very interested," replied an investigative reporter at a German
newspaper in response to an email more than a year ago from an anonymous

Obama calls for international tax reform amid Panama Papers revelations (Rupert Neate and David Smith)

Dewayne Hendricks <>
April 6, 2016 at 11:54:06 AM EDT
Rupert Neate in NY, David Smith in Washington, *The Guardian*, 5 Apr 2016
Unscripted remarks come as Justice Department confirms it is examining US
links to leaked documents from Panama-based tax firm Mossack Fonseca

Barack Obama has called for international tax reform in the wake of the
revelations contained in the Panama Papers.

In an unscheduled appearance in the White House briefing room, Obama
described the revelations from the leaks as "important stuff" and said the
issue of global tax avoidance was a *huge problem*.

Obama's intervention came as the leak of 11.5m files from the Panama-based
Mossack Fonseca continued to create uproar and upheaval around the world.

Re: Man with Null name (Drewe, RISK-29.44)

Henry Baker <>
Tue, 05 Apr 2016 19:00:23 -0700
Cute!  His name is R.F.Null, which tells me he knows something about radio
and/or radio direction finders—those things that the BBC uses to find
unpaid radio receivers.

  [He may have an antagonist named R.F.Interference.  PGN]

Re: Wrecking crew demolishes wrong house due to Google Maps error (RISKS-29.44)

David Landgren <>
Wed, 6 Apr 2016 11:30:43 +0200
Not the first time this has happened. See also:

Each time, it's either in Texas, or done by a Texan company.

  [The AIdes of Texas are upun us, I wreckon.  Remember the Alamo?  PGN]

Make the most of your 0 credits!

Dan Jacobson <>
Fri, 08 Apr 2016 20:56:26 +0800
I received this today from Blendr (like Grindr or Tinder):

  Make the most of your credits!

  We've noticed that you haven't used your credits for a while. Did you know
  that by using your credits you could increase your popularity level with
  our easy to use, one-click tools?  [Tell me more]

  Use your 0 credits to increase your popularity and meet more people!

The Deluge of Spurious Correlations in Big Data: Randomness in Nature and Data

Diego Latella <>
Fri, 08 Apr 2016 17:57:19 +0200
Interesting seminar at the IMT School for Advanced Studies
by Prof. Giuseppe Longo (CNRS et Ecole Normale Superieure, Paris).

The title of the talk was: The Deluge of Spurious Correlations in Big Data:
  Randomness in Nature and Data.
The official paper has been published in Springer's Foundations of Science.

The paper is *foundational* in the sense that, roughly speaking, it belongs
to the category of scientific contributions to algorithms/computability
theory in the form of negative results. The main message is simple and
clear: whatever correlation you want to consider, if you search for it in a
sufficiently large data set, you will find it. This depends only on the size
of the dataset and not on the nature of the data; in particular you find the
correlation also in data sets made up of random data.  From abstract of the

  Using classical results from ergodic theory, Ramsey theory and algorithmic
  information theory […], [f]or example, we prove that very large
  databases have to contain arbitrary correlations. These correlations
  appear only due to the size, not the nature, of data. They can be found in
  *randomly generated, large enough databases, which as we will prove
  implies that most correlations are spurious. Too much information tends to
  behave like very little information. The scientific method can be enriched
  by computer mining in immense databases, but not replaced by.

Although the paper addresses mainly the general issue of scientific
research, its results apply of course also to political/social science and
their implications also for what concerns civil liberties (as they may be
affected by decisions based on Big-data techniques).

Dott. Diego Latella, CNR-ISTI, Via Moruzzi 1, 56124, Pisa, Italy  +390506212982
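As an added illustration of the paper's claim (a constructed simulation, not code from Longo's paper or the seminar): columns of pure noise are searched pairwise for "correlations", and the number of discoveries tracks the number of pairs tested rather than any structure in the data. The cutoff 0.463 is assumed here as the approximate two-tailed p=0.01 threshold for 30 samples.

```python
import math
import random


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def random_table(n_columns, n_rows, seed):
    """Constructed data set: every column is independent Gaussian noise,
    so by construction there is nothing real to discover."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(n_rows)]
            for _ in range(n_columns)]


def mine_correlations(table, threshold):
    """Blind data-mining pass: test every column pair and report the ones
    whose |r| clears the threshold.  Returns a summary dict."""
    hits = []
    best = 0.0
    tested = 0
    for i in range(len(table)):
        for j in range(i + 1, len(table)):
            r = pearson(table[i], table[j])
            tested += 1
            best = max(best, abs(r))
            if abs(r) >= threshold:
                hits.append((i, j, r))
    return {"tested": tested, "hits": len(hits), "max_abs_r": best,
            "hit_fraction": len(hits) / tested if tested else 0.0}


# Assumed cutoff: |r| >= 0.463 is roughly the two-tailed p = 0.01 level
# for 30 samples, i.e. a cutoff a naive analyst would call "significant".
THRESHOLD = 0.463
N_ROWS = 30


def compare_sizes(small_cols=20, large_cols=200, seed=2016):
    """Same noise, same cutoff, only the number of columns differs.
    The count of 'discoveries' grows with the number of pairs tested."""
    small = mine_correlations(random_table(small_cols, N_ROWS, seed), THRESHOLD)
    large = mine_correlations(random_table(large_cols, N_ROWS, seed + 1), THRESHOLD)
    return small, large


if __name__ == "__main__":
    small, large = compare_sizes()
    for label, res in (("20 columns", small), ("200 columns", large)):
        print(f"{label}: tested {res['tested']} pairs, "
              f"{res['hits']} 'significant' correlations, "
              f"max |r| = {res['max_abs_r']:.2f}")
```

The hit fraction stays near the per-pair false-positive rate in both runs; only the absolute number of spurious findings changes, which is the point the paper makes about size rather than nature of the data.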

E-borders and successor programmes: a UK NAO Report

Diego Latella <>
Sun, 10 Apr 2016 18:56:55 +0200
You might find the UK National Audit Office Report on E-borders and
successor programmes (December 2015) on PNR-based border security programs
in the UK an interesting one:

The lesson I've learned (over and over again) is that (far too) often
lessons are not learned.

Dott. Diego Latella - Senior Researcher CNR-ISTI, Via Moruzzi 1, 56124 Pisa, Italy
FM&&T Lab. - ph: +390506212982
