The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 64

Monday 25 July 2016

Contents

Russia accused of playing in US politics
Sanger/Perlroth
Joker in the Pack: If Financial Systems Were Hacked
Dewayne Hendricks
"Leaked FBI documents reveal secret rules for spying on journalists with National Security Letters"
Trevor Timm
"The Sensible Safeguards Needed Now for Pokemon GO"
Lauren Weinstein
Chasing Pokemon, a Baby Step Toward Virtual Reality
NYTimes
Transistors Will Stop Shrinking in 2021, Moore's Law Roadmap Predicts
Rachel Courtland
HSBC Bank Executives Face Charges in $3.5 Billion Currency Case
NYTimes
America's broken digital copyright law is about to be challenged in court
Cory Doctorow
FCC Backs Swedish Company to Run American Phone Routing System
NYTimes
Re: Study: 78% of Resold Drives Still Contain Readable Personal or Business Data
Carl Byington
Re: Self-driving cars, accepting the moral dilemma
Barry Gold
Re: Faulty image analysis software may invalidate 40,000 fMRI studies
Amos Shapir
Info on RISKS (comp.risks)

Russia accused of playing in US politics (Sanger/Perlroth)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 25 Jul 2016 8:39:35 PDT
David Sanger and Nicole Perlroth, *The New York Times*, 25 July 2016
As Democrats Gather, A Russian Subplot Raises Intrigue (datelined yesterday)
http://www.nytimes.com/2016/07/25/us/politics/donald-trump-russia-emails.html

Russia hacked the Democratic National Committee e-mails (thousands), and
dumped them on wikileaks, about how the DNC was biased against Bernie
Sanders.  This episode should also be a reminder about how easy it might be
to hack the forthcoming election—especially if Internet voting is
allowed.  It should also raise a lot of "hackles" (would that it were
hackless!).  PGN


Joker in the Pack: If Financial Systems Were Hacked

Dewayne Hendricks <dewayne@warpspeed.com>
July 25, 2016 at 9:46:42 AM EDT
Recent attacks give a glimpse of the sort of cyber-assault that could bring
the world economy to a halt. Better defences are needed
Jun 16 2016
<http://worldif.economist.com/article/12136/joker-pack>

This May Anonymous, a network of activists, briefly hacked into
Greece's central bank and warned in a YouTube message that:
"Olympus will fall... This marks the start of a 30-day campaign
against central-bank sites across the world." The warning struck a
raw nerve.

The financial system is little more than a set of promises between people
and institutions. If these are no longer believed the whole house of cards
will collapse and people will take their money and run. That happened in
2008 because of bad credit decisions; but the same could unfold via a
sophisticated cyber-attack. Processes designed to make banking safer have
created new vulnerabilities: large amounts of money flow through certain key
bits of infrastructure. If such systemic institutions were compromised, a
panic similar to those in 2008 could quickly spread.

Cyber-attacks are rapidly growing, and financial services are a favoured
target of thieves and people intent on causing chaos. The rise in attacks on
individual banks, mostly to steal money or information or to shut down the
system for the hell of it (often using so-called denial-of-service attacks),
is worrying enough. But two recent attacks signal a move from simple
"Bonnie and Clyde" crimes to a new "Ocean's
Eleven" sophistication.

In 2013 a raid by the Carbanak gang, named after the malware it used, was
discovered when its "mules" were seen picking up cash that
was apparently being randomly dispensed by ATMs in Kiev (a ruse known as ATM
jackpotting, whereby criminals hack into a bank's PCs and then send
direct commands to the ATMs). The extent of the assault only gradually
became clear: the final bill could be high. The largest sums were stolen by
hacking into bank systems and manipulating account balances. For example, an
account with $1,000 would be credited with an extra $9,000, then $9,000
would swiftly be transferred to an offshore account; the account holder
would still have $1,000, so was unlikely to notice or panic. This messing
with the numbers showed a new ability and ambition among cyber-criminals.

The second attack unfolded over a few days in February, when hackers stole
$81m from the Central Bank of Bangladesh's account at the Federal
Reserve in New York, in a shockingly ambitious heist. More worrying than its
scale was the fact that the raiders hijacked bank personnel's access
to SWIFT, a highly secure (or so it was thought) messaging system that
connects 11,000 financial institutions and sends around 25m messages a day,
helping to settle billions of dollars-worth of transactions. They then sent
35 false payment orders from Bangladesh Bank, via SWIFT, to the central
bank's account at the Fed.

Experts think it likely that several more such efforts remain to be
discovered. A similar, smaller, one has come to light in which hackers tried
to take $1m from a bank in Vietnam, in December. Banks are now looking at
limiting the number of people who can access SWIFT, and SWIFT itself has
raised the possibility of suspending banks with weak security controls.

These heists give a glimpse of what could lie ahead. Armageddon for banks
could take the form of an attack prepared over several months and then
carried out over a day or two of mayhem. In this scenario, the motive would
be to cause maximum instability, something that worries regulators more than
simple theft.  [..]

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>

  [More hackles raised.]


"Leaked FBI documents reveal secret rules for spying on journalists with National Security Letters" (Trevor Timm)

Gene Wirchenko <genew@telus.net>
Fri, 22 Jul 2016 10:44:05 -0700
Trevor Timm, Freedom, June 30, 2016
https://freedom.press/blog/2016/06/leaked-fbi-documents-reveal-secret-rules-spying-journalists-national-security-letters

Opening text:

Today, The Intercept published leaked documents that contain the FBI's
secret rules for targeting journalists and sources with National Security
Letters (NSLs)—the controversial and unconstitutional warrantless tool
the FBI uses to conduct surveillance without any court supervision
whatsoever.

  [More hackles...  PGN]


Lauren's Blog: "The Sensible Safeguards Needed Now for Pokemon GO"

Lauren Weinstein <lauren@vortex.com>
Sun, 17 Jul 2016 11:00:35 -0700
            The Sensible Safeguards Needed Now for Pokemon GO
http://lauren.vortex.com/2016/07/the-sensible-safeguards-needed-now-for-pokemon-go

Unless Pokemon GO turns out to be a relatively short-lived popular
phenomenon (and actually even if it is, since PoGo will be but the
progenitor of many future augmented reality games and other applications) it
appears likely that the full real world impacts of the game were seemingly
not completely considered before launch, leading to a growing collection of
alarming situations.

There were signs of some sloppiness from the outset, when it was noted that
the PoGo iOS app was asking for far more account permissions than was
appropriate. The actual privacy risk in this case was minimal, but the mere
fact that the app got out the door this way—given the intense concerns
about app permissions generally—suggested a possible lack of due
diligence in key respects.

While various of the problematic reports we've seen about PoGo can be
chalked up to user inattention (plowing a car into a tree, driving off a
cliff, etc.), many others cannot be blamed on the users alone, per se.

To note but a sampling, these include PoGo being used to attract players to
be robbed, a registered sex offender who was supposed to stay away from
children using the game to partner with a young child, and very recently,
two players who were shot at by a homeowner when they were prowling a
residential neighborhood at 1 AM. An array of other trespass-related
occurrences have been noted, including players entering restricted areas at
a nuclear power plant.

Of broader impact is the swarming of neighborhoods, parks, and other public
places by far larger numbers of people than they were designed for—or
that local authorities are prepared for—at all hours of the day and
night. There are serious public safety concerns involved.

Such gaming activities become especially inappropriate when they occur at
locations that are utterly unsuitable for gaming, like ordinarily quiet and
respectful cemeteries and Holocaust museums.

Fans of PoGo enthusiastically declare that it's a great way to meet new
people and get exercise. Perhaps. In some locales at least, it seems that
players are mostly driving around in their cars to reach designated targets,
but we'll let that pass for the moment.

One suspicion that's difficult to shake is that seemingly there wasn't much
(if any?) attention given to purging inappropriate locations from PoGo's
ancestor game—Ingress—before deploying them in PoGo. The need for such
a purge should have been obvious, given that PoGo would have been reasonably
expected to attract far more users than Ingress (as it indeed dramatically
has) and would also be far more attractive to children.

Historical side note: Ingress was originally developed at Google (in fact, I
was one of its earliest players, I believe while it was still in beta), then
spun off to a separate company—Niantic—in which Google holds a major
stake.

As I noted above, PoGo is but the beginning of what will certainly be a long
line of innovative and important augmented reality mobile apps.  And that
makes getting the real world implications of this tech in line with real
world requirements and impacts as quickly as possible—without stifling
innovation.

The most important requirement is to give more control to municipalities and
persons who are impacted by these applications and their users.

For example, it doesn't exactly take rocket science to figure out that
sending users wandering around quiet residential areas in the middle of the
night is a recipe for potentially dangerous (even lethal) confusion and
confrontations, or that flooding a small park with thousands of people at
once—without prior warning to local authorities—can easily lead to
serious problems.

Niantic needs to immediately work toward providing much better mechanisms
for involved homeowners, business owners, municipalities, and other
associated entities, to request removal of specific locations from the PoGo
location database (much as you can request removal of locations from Google
Street View currently). And there should be ways to specify "curfews" for
specific locales as well—especially in residential neighborhoods, or
areas with special concerns about the safety of late night visitors.

It is also crucial that accessing this kind of request/control system not
require use of the PoGo app itself, nor ideally use of the Internet in any
way—given that many affected persons may not even have Internet access.

Obviously, different areas, regions, and countries will have their own
individual attitudes and concerns about participation in the PoGo ecosystem,
and we can reasonably expect the sorts of removal and/or curfew requests
received to vary widely around the globe.

But it is not appropriate for these decisions to be made wholly by Niantic
alone. And unless they and we get a handle on the real world impacts of
augmented reality apps in short order, you can be sure that politicians --
already expressing concerns about this area—will be moving in with their
own "control ideas"—that will likely not be of the form that many of us
would want, nor that would protect innovation going forward.

  [We have a huge pile of incremental stuff relating to Pok*, but Lauren's
  blog seems to cover most of it.  Suffice it to say that the resulting
  transgressions are startling, and the risks abound.  P]


Chasing Pokemon, a Baby Step Toward Virtual Reality (NYTimes)

Monty Solomon <monty@roscom.com>
Fri, 22 Jul 2016 08:08:27 -0400
Chasing Pokémon, a Baby Step Toward Virtual Reality
http://www.nytimes.com/2016/07/22/technology/personaltech/chasing-pokemon-a-baby-step-toward-virtual-reality.html

With a charged cellphone in hand, a reporter joins San Francisco's first large planned Pokémon Go event.


Transistors Will Stop Shrinking in 2021, Moore's Law Roadmap Predicts

Dewayne Hendricks <dewayne@warpspeed.com>
July 23, 2016 at 8:41:07 AM EDT
Rachel Courtland, IEEE Spectrum, 22 Jul 2016
http://spectrum.ieee.org/tech-talk/computing/hardware/transistors-will-stop-shrinking-in-2021-moores-law-roadmap-predicts

After more than 50 years of miniaturization, the transistor could stop
shrinking in just five years. That is the prediction of the 2015
International Technology Roadmap for Semiconductors, which was officially
released earlier this month.

After 2021, the report forecasts, it will no longer be economically
desirable for companies to continue to shrink the dimensions of transistors
in microprocessors. Instead, chip manufacturers will turn to other means of
boosting density, namely turning the transistor from a horizontal to a
vertical geometry and building multiple layers of circuitry, one on top of
another.

For some, this change will likely be interpreted as another death
knell for Moore's Law, the repeated doubling of transistor densities that has
given us the extraordinarily capable computers we have today. Compounding
the drama is the fact that this is the last ITRS roadmap, the end to a
more-than-20-year-old coordinated planning effort that began in the United
States and was then expanded to include the rest of the world.

Citing waning industry participation and an interest in pursuing other
initiatives, the Semiconductor Industry Association—a U.S. trade group
that represents the interests of IBM, Intel, and other companies in
Washington and a key ITRS sponsor—will do its own work, in collaboration
with another industry group, the Semiconductor Research Corporation, to
identify research priorities for government- and industry-sponsored
programs. Other ITRS participants are expected to continue on with a new
roadmapping effort under a new name, which will be conducted as part of an
IEEE initiative called Rebooting Computing.

These roadmapping shifts may seem like trivial administrative changes. But
"this is a major disruption, or earthquake, in the industry," says analyst
Dan Hutcheson, of the firm VLSI Research. U.S. semiconductor companies
had reason to cooperate and identify common needs in the early 1990s, at the
outset of the roadmapping effort that eventually led to the ITRS's creation
in 1998. Suppliers had a hard time identifying what the semiconductor
companies needed, he says, and it made sense for chip companies to
collectively set priorities to make the most of limited R&D funding.

But the difficulty and expense associated with maintaining the leading edge
of Moore's Law has since resulted in significant consolidation. By Hutcheson's
count, 19 companies were developing and manufacturing logic chips with
leading-edge transistors in 2001. Today, there are just four: Intel, TSMC,
Samsung, and GlobalFoundries. (Until recently, IBM was also part of that
cohort, but its chip fabrication plants were sold to GlobalFoundries.)

These companies have their own roadmaps and can communicate directly to
their equipment and materials suppliers, Hutcheson says. What's more, they're
fiercely competitive. "They don't want to sit in a room and talk about what
their needs are," Hutcheson says. "It's sort of like everything's fun and
games when you start off at the beginning of the football season, but by the
time you get down to the playoffs it's pretty rough."

"The industry has changed," agrees Paolo Gargini, chair of
the ITRS, but he highlights other shifts. Semiconductor companies that no
longer make leading-edge chips in house rely on the foundries that make
their chips to provide advanced technologies. What's more, he says,
chip buyers and designers—companies such as Apple, Google, and
Qualcomm—are increasingly dictating the requirements for future chip
generations. "Once upon a time," Gargini says, "the
semiconductor companies decided what the semiconductor features were
supposed to be. This is no longer the case." [...]


HSBC Bank Executives Face Charges in $3.5 Billion Currency Case

Monty Solomon <monty@roscom.com>
Fri, 22 Jul 2016 08:03:08 -0400
http://www.nytimes.com/2016/07/21/business/dealbook/hsbc-foreign-exchange-investigation-currency.html

Federal prosecutors charge the bankers with engaging in a front-running
scheme related to a foreign exchange transaction in 2011.


America's broken digital copyright law is about to be challenged in court (Cory Doctorow)

Dewayne Hendricks <dewayne@warpspeed.com>
July 21, 2016 at 10:57:22 AM EDT
Cory Doctorow, *The Guardian*, 21 Jul 2016
The Electronic Frontier Foundation is suing the US government over
'unconstitutional' use of the Digital Millennium Copyright Act
<https://www.theguardian.com/technology/2016/jul/21/digital-millennium-copyright-act-eff-supreme-court>

The Electronic Frontier Foundation (EFF) filed a lawsuit on Thursday that
American copyright wonks, technologists and security researchers have been
hotly awaiting for nearly 20 years.

If they succeed, one of America's most controversial technology laws will be
struck down, and countries all over the world who have been pressured by the
US trade representative to adopt this American rule will have to figure out
whether they'll still enforce it, even after the US has given up on it.

The rule is section 1201 of the Digital Millennium Copyright Act (DMCA) of
1998, the *anti-circumvention* rule that makes it illegal to break an access
control for copyrighted works. These access controls often manifest as
digital rights management (DRM), and the DMCA gives them unique standing in
law.

EFF is suing the US government, arguing that section 1201 of the DMCA is
unconstitutional, and also that the Library of Congress and the copyright
office have failed to perform their duties in the three-year DMCA 1201
exemption hearings.

What is digital rights management?

If you buy something, it's yours, and you can modify, configure, or use it
any way you'd like, even if the manufacturer would prefer that you
didn't. But the law forbids you from doing otherwise legal things if you
have to tamper with the DRM to do them.

Originally, this was used exclusively by the entertainment industries: by
adding DRM to DVDs, they could prevent companies from making DVD players
that accepted DVDs bought abroad. It's not illegal to bring a DVD home from
an overseas holiday and watch it, but if your DVD player recognises the disc
as out-of-region, it is supposed to refuse to play it back, and the act of
altering the DVD player to run out-of-region discs is unlawful under the
DMCA's section 1201. It could even be a crime carrying a five-year prison
sentence and a $500,000 fine for a first offense (the act of offering a
region-free DVD player for sale, or even the neighbour's kid helping you to
deregionalise your DVD player, can be criminal acts).

Companies can only use the DMCA if they can argue that their DRM protected a
copyrighted work. Nike can't invoke section 1201 of the DMCA to prevent a
rival company from offering replacement shoelaces for its trainers, because
shoelaces and trainers aren't copyrighted (or copyrightable). But once
there's software involved, copyright enters the picture because software
itself can be copyrighted.

The proliferation of *smart* devices has put software—and potentially,
the DMCA—into every part of our lives. Your car is a computer that
surrounds your body. Auto manufacturers use DRM to prevent independent
mechanics from reading out information from broken cars and to prevent
diagnostic tool-makers from making smarter diagnostic equipment. Mechanics
and tool-makers who want to know what's wrong with your car have to either
break the DRM (risking fines or even prison) or get the official
manufacturer's permission to compete, which drives up repair costs. In other
words, now that there's software in your car, the DMCA can be invoked to
give manufacturers a monopoly over parts, service and features for them.

And it's not just cars. Every three years, the US copyright office
entertains proposals for limited exemptions to section 1201 of the DMCA.

In 2015, they heard from people who have been frustrated by
anti-circumvention rules as applied to voting machines (a computer we put a
democracy inside of); hospital equipment (a computer we put sick people
inside of); medical implants (computers we put inside our bodies); as well
as critical infrastructure, financial technology and more.


FCC Backs Swedish Company to Run American Phone Routing System

Monty Solomon <monty@roscom.com>
Fri, 22 Jul 2016 08:00:14 -0400
http://www.nytimes.com/2016/07/22/business/fcc-backs-swedish-company-to-run-american-phone-routing-system.html

Major wireless carriers pushed for Telcordia because of the cost savings,
but some intelligence officials have raised national security concerns.


Re: Study: 78% of Resold Drives Still Contain Readable Personal or Business Data

Carl Byington <carl@five-ten-sg.com>
Mon, 25 Jul 2016 09:09:04 -0700
"The solution Blancco recommends: buy a tool to perform complete data
erasure."

Easier and cheaper - download any live boot Linux distro (perhaps
https://getfedora.org/en/workstation/download/) to a USB stick, boot it,
and

"dd if=/dev/zero of=/dev/sda bs=1M"

Of course you need to replace sda with the actual device name that connects
to the disk you want to clear.

Then you only need to worry about the disk sectors that were written and
then remapped by the drive firmware. There are sectors on that disk that may
contain information that cannot (now) be overwritten by the OS. But to read
them you will need access to the drive firmware. Many (perhaps even most)
folks won't be able to do that. And in any case, *almost all* of the data is
overwritten with zeros.
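
A read-back check for the zero-fill described above, as an added example that is not part of the original post: it wipes a constructed 2 MiB image file standing in for the disk and confirms that no non-zero byte remains. The function names are hypothetical, and GNU `head`, `dd`, `tr`, `grep` plus `blockdev --getsize64` are assumed, as found on a live Linux image.

```sh
#!/bin/sh
# Added example: zero-fill a target, then prove the overwrite by reading it back.
# The target below is a constructed 2 MiB image file standing in for the disk;
# on a live system it would be the block device named in the post.

# Size in bytes of a block device or of a regular file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite the whole target with zeros. head bounds the stream to the target's
# size, so the same command also terminates on an image file.
zero_fill() {
    size=$(target_size "$1") || return 1
    head -c "$size" /dev/zero | dd of="$1" bs=1M conv=notrunc 2>/dev/null
}

# Number of bytes on the target that are not 0x00 (0 after a complete wipe).
count_nonzero() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Succeeds only if every OS-addressable byte reads back as zero.
verify_wiped() {
    left=$(count_nonzero "$1") || return 2
    [ "$left" -eq 0 ]
}

# True if the given string is still readable on the target.
has_string() {
    grep -a -q -- "$2" "$1"
}

# Constructed sample: 2 MiB of filler with one fake record planted at offset 4096.
make_sample_image() {
    img=$(mktemp) || return 1
    head -c 2097152 /dev/zero | tr '\000' 'A' > "$img"
    printf 'name=Constructed Sample;acct=0000' |
        dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
    printf '%s\n' "$img"
}

demo() {
    image=$(make_sample_image) || return 1
    echo "before: $(count_nonzero "$image") non-zero bytes"
    has_string "$image" 'acct=0000' && echo "before: sample record is readable"
    zero_fill "$image" && sync
    echo "after:  $(count_nonzero "$image") non-zero bytes"
    verify_wiped "$image" && echo "after:  verified all zeros"
    rm -f "$image"
}

demo
```

The read-back covers only sectors the OS can address, so the remapped sectors mentioned in the post are outside what this check can see.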


Re: Self-driving cars, accepting the moral dilemma (RISKS-29.63)

Barry Gold <barrydgold@ca.rr.com>
Thu, 21 Jul 2016 21:55:11 -0700
I vote for pricing the RISK. Just fold it into the cost of the "liability
insurance". Except that the owner won't actually be paying an insurance
premium as such. If the car is really autonomous, then any "fault" belongs
to the manufacturer and the mfgr will have to pay the damages. So the price
of the car has to include "insurance"—the risk of liability payouts needs
to be included in the price.

When you buy the car, you can have the manufacturer set it for totally
selfish (protect me at all costs), totally altruistic (always protect other
people first), or somewhere in between (protect me, unless it will save at
least n lives). The price of the car will change depending on what setting
you choose. But don't expect the difference to be very big, at least not if
the market sets the price. The chance of being in a potentially fatal
accident is less than 1 in 10,000 for the entire life of the car, even with
a human driver. With an automated "driver" that will (we hope) make many
fewer mistakes, it will be a lot less.  My guess is that a totally selfish
car will cost around $50 more than a totally altruistic one. Maybe even less
than that.


Re: Faulty image analysis software may invalidate 40,000 fMRI studies (Shapir, RISKS-29.63)

Amos Shapir <amos083@gmail.com>
Mon, 25 Jul 2016 09:06:15 +0300
Mea culpa!

> This is not Dorothy Parker, but Hilaire Belloc.
> http://www.poetry-archive.com/b/the_microbe.html
> Martyn
