The RISKS Digest
Volume 29 Issue 94

Friday, 25th November 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Mars lander crash caused by 1-second inertial measurement error
European Space Agency via Geoff Goodfellow
CompSci Prof. Halderman: Want to Know if the Election was Hacked?
Election Audit in Wisconsin
More on election integrity
Russian propaganda effort helped spread 'fake news' during election, experts say
The Washington Post
Enough is Enough
Lauren Weinstein
According to Snopes, Fake News Is Not the Problem
Jessi Hempel
How The 2016 Election Blew Up In Facebook's Face
PM Threatens to sue unemployed citizen over Facebook share
JPost via Amos Shapir
Computer System Chaos At Shelby County Criminal Justice Center
Ben Moore
US Navy warns 134,000 sailors of data breach after HPE laptop is compromised
Ars Technica
Skoda driver decapitated after claiming car's cruise control was stuck
The Guardian via Martyn Thomas
Driver's last moments recorded in 999 call as he tells operator car's cruise control 'stuck' at 119mph
The Telegraph via Ian Halliday
Auto Safety Regulators Seek a Driver Mode to Block Apps
The New York Times
Distracted by holiday stress? E-mail hackers are banking on it
The Boston Globe
Is Social Media Disconnecting Us From the Big Picture?
The New York Times
UMass to pay $650K in HIPAA settlement
SCMagazine via Monty Solomon
Google warns journalists and professors: Your account is under attack
Ars Technica - privacy not so private
Gabe Goldberg
Miniature Wi-Fi Device Developed by Stanford Engineers Supplies Missing Link for the Internet of Things
Andrew Myers
Facebook Said to Create Censorship Tool to Get Back Into China
The New York Times
India demonetization
Alister Macintyre
Bruce Schneier: 'The Internet era of fun and games is over'
Austin Powell
Info on RISKS (comp.risks)

Mars lander crash caused by 1-second inertial measurement error (European Space Agency)

geoff goodfellow <>
Thu, 24 Nov 2016 11:56:46 -1000
The European Space Agency on 23 Nov 2016 said its Schiaparelli lander's
crash landing on Mars on 19 Oct 2016 followed an unexplained saturation of
its inertial measurement unit, which delivered bad data to the lander's
computer and forced a premature release of its parachute.

Polluted by the IMU data, the lander's computer apparently thought it had
either already landed or was just about to land. The parachute system was
released, the braking thrusters were fired only briefly and the on-ground
systems were activated.

Instead of being on the ground, Schiaparelli was still 3.7 kilometers above
the Mars surface. It crashed, but not before delivering what ESA officials
say is a wealth of data on entry into the Mars atmosphere, the functioning
and release of the heat shield and the deployment of the parachute—all of
which went according to plan. [...]

*A one-second glitch and a 3,700-meter freefall*

In its Nov. 23 statement, ESA said the saturation reading from
Schiaparelli's inertial measurement unit lasted only a second, but was
enough to play havoc with the navigation system.

“[T]he erroneous information generated an estimated altitude that was
negative. That is, below ground level. This in turn successively triggered
a premature release of the parachute and the back shell, a brief firing of
the braking thrusters and finally activation of the on-ground systems as if
Schiaparelli had already landed. In reality, the vehicle was still at an
altitude of around 3.7 kilometers.” ESA said the sequence of events “has
been clearly reproduced in computer simulations of the control system's
response to the erroneous information.”

ESA's director of human spaceflight and robotic exploration, David Parker,
said in a statement that ExoMars teams are still sifting through the
voluminous data harvest from the Schiaparelli mission, and that an external,
independent board of inquiry, now being created, would release a final
report in early 2017.

  [Also noted by Monty Solomon:
Mars lander slammed into red planet after data glitch
  and Mary Shaw:
Computer glitch blamed for European Mars lander crash]
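As an added illustration (a constructed model, not ESA's flight software or anything from the article), the following Python shows how a one-second burst of saturated IMU readings, integrated blindly, can push an attitude estimate far enough that the altitude derived from it goes negative, and how holding attitude on saturated samples, bounding the altitude rate, and requiring the landed condition to persist keep the landing sequence from firing early. The sensor limit, rates, thresholds and telemetry are all assumed values chosen to reproduce the sequence the ESA statement describes.

```python
import math

# Constructed toy model, not ESA's flight software: tilt from vertical is
# integrated from one IMU angular-rate channel, and altitude is derived from
# radar slant range as range * cos(tilt). All constants are assumed values.
RATE_LIMIT = math.radians(200.0)   # assumed angular-rate saturation limit, rad/s
DT = 0.1                           # sample period, s
MAX_DESCENT_RATE = 200.0           # assumed physical bound on descent, m/s
LANDED_PERSISTENCE = 5             # consecutive samples required (0.5 s)


def make_telemetry(n=100, true_rate=math.radians(2.0), start_range=4000.0,
                   descent=60.0, sat_start=40, sat_samples=10):
    """Constructed telemetry: a gentle true tilt rate, a steady descent, and a
    one-second burst (10 samples) where the rate channel reads its limit."""
    samples = []
    for i in range(n):
        saturated = sat_start <= i < sat_start + sat_samples
        rate = RATE_LIMIT if saturated else true_rate
        samples.append((rate, start_range - descent * i * DT))
    return samples


def naive_altitudes(samples):
    """Integrate the rate channel blindly; altitude follows cos(tilt)."""
    tilt, out = 0.0, []
    for rate, slant_range in samples:
        tilt += rate * DT
        out.append(slant_range * math.cos(tilt))
    return out


def hardened_altitudes(samples):
    """Hold attitude on saturated samples and clamp impossible altitude drops."""
    tilt, last_alt, out = 0.0, None, []
    for rate, slant_range in samples:
        if abs(rate) >= RATE_LIMIT:        # a reading at the limit is not trusted
            rate = 0.0
        tilt += rate * DT
        alt = slant_range * math.cos(tilt)
        if last_alt is not None and last_alt - alt > MAX_DESCENT_RATE * DT:
            alt = last_alt - MAX_DESCENT_RATE * DT  # faster than physics allows
        last_alt = alt
        out.append(alt)
    return out


def landing_trigger(altitudes, persistence=1):
    """Sample index at which 'landed' (alt <= 0) fires, or None if never."""
    run = 0
    for i, alt in enumerate(altitudes):
        run = run + 1 if alt <= 0.0 else 0
        if run >= persistence:
            return i
    return None


if __name__ == "__main__":
    telemetry = make_telemetry()
    naive = naive_altitudes(telemetry)
    hard = hardened_altitudes(telemetry)
    i = landing_trigger(naive)
    print(f"naive logic declares landing at t={i * DT:.1f}s, "
          f"true slant range {telemetry[i][1]:.0f} m")
    print("hardened logic trigger:", landing_trigger(hard, LANDED_PERSISTENCE))
```

Persistence alone does not help here: once the integrated tilt passes 90 degrees the negative altitude persists, which is why the saturation flag and the rate bound are the checks that matter.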

CompSci Prof. Halderman: Want to Know if the Election was Hacked? Look at the Ballots

Lauren Weinstein <>
Wed, 23 Nov 2016 09:58:41 -0800
via NNSquad

  "You may have read at NYMag that I've been in discussions with the Clinton
  campaign about whether it might wish to seek recounts in critical
  states. That article, which includes somebody else's description of my
  views, incorrectly describes the reasons manually checking ballots is an
  essential security safeguard (and includes some incorrect numbers, to
  boot). Let me set the record straight about what I and other leading
  election security experts have actually been saying to the campaign and
  everyone else who's willing to listen."

Election Audit in Wisconsin

"Peter G. Neumann" <>
Thu, 24 Nov 2016 12:13:22 PST
Wisconsin Elections Commission Receives Two Presidential Election Recount
Petitions (Wisconsin Elections Commission)

More on election integrity

"Peter G. Neumann" <>
Wed, 23 Nov 2016 20:19:56 PST

Russian propaganda effort helped spread 'fake news' during election, experts say

Lauren Weinstein <>
Thu, 24 Nov 2016 18:12:40 -0800
via NNSquad

  The flood of 'fake news' this election season got support from a
  sophisticated Russian propaganda campaign that created and spread
  misleading articles online with the goal of punishing Democrat Hillary
  Clinton, helping Republican Donald Trump and undermining faith in American
  democracy, say independent researchers who tracked the operation.
  Russia's increasingly sophisticated propaganda machinery—including
  thousands of botnets, teams of paid human "trolls," and networks of Web
  sites and social-media accounts—echoed and amplified right-wing sites
  across the Internet as they portrayed Clinton as a criminal hiding
  potentially fatal health problems and preparing to hand control of the
  nation to a shadowy cabal of global financiers. The effort also sought to
  heighten the appearance of international tensions and promote fear of
  looming hostilities with nuclear-armed Russia.  Two teams of independent
  researchers found that the Russians exploited American-made technology
  platforms to attack U.S.  democracy at a particularly vulnerable moment,
  as an insurgent candidate harnessed a wide range of grievances to claim
  the White House.  The sophistication of the Russian tactics may complicate
  efforts by Facebook and Google to crack down on *fake news*, as they have
  vowed to do after widespread complaints about the problem.

Enough is Enough

Lauren Weinstein <>
Thu, 24 Nov 2016 22:45:13 -0800

The fake news, filter bubbles, echo chambers, and hate speech issues that
are now drowning the Internet are of such a degree that we need to call a
major summit of social media firms, experts, and other concerned parties to
hammer out practical industry-wide solutions.  Working groups also need to
be established forthwith. The status quo is no longer tenable.

According to Snopes, Fake News Is Not the Problem

Dewayne Hendricks <>
Mon, Nov 21, 2016 at 9:05 AM
Jessi Hempel, BackChannel, 16 Nov 2016
Take it from the Internet's chief myth busters: The problem is the failing

The day after the election, news began swirling around social media that
*New York Times* columnist David Brooks had called for President-elect
Donald Trump's assassination. Snopes managing editor Brooke Binkowski had a
feeling it was fake. Because, come on now, would a prominent columnist for a
reputable news outlet really make that kind of comment?

Snopes has made its business out of correcting the misunderstood satire,
malicious falsehoods, and poorly informed gossip that echoes across the
Internet—and that business is booming. Traffic jumped 85 percent over the
past year to 13.6 million unique visitors in October, according to
comScore. The site supports itself through advertising, and in the last
three years it has made enough money to quadruple the size of its staff.

Sure enough, a bit of Snopes reporting revealed that Brooks had written a
saying Trump would likely resign or be impeached within a year. A news item
published on *The Rightists* claimed Brooks had then said in an interview
for KYRQ Radio New York that Trump should be killed. Snopes found *The
Rightists* doesn't even pretend to traffic in truth. In the site's *about*
section, it describes itself this way: “This is HYBRID site of news and
satire. part [sic] of our stories already happens, part, not yet. NOT all of
our stories are true!” What's more, the story's facts didn't add up. For
example, the site claimed Brooks had made the comments on a radio station
KYRQ that didn't exist.

Verdict: FALSE.

This is the state of truth on the Internet in 2016, now that it is as easy
for a Macedonian teenager to create a website as it is for *The New York
Times,* and now that the information most likely to find a large audience is
that which is most alarming, not most correct. In the wake of the election,
the spread of this kind of phony news on Facebook and other social media
platforms has come under fire for stoking fears and influencing the
election's outcome. Both Facebook and Google have taken moves to bar fake
news sites from their advertising platforms, aiming to cut off the sites'
sources of revenue.

How The 2016 Election Blew Up In Facebook's Face

Lauren Weinstein <>
Mon, 21 Nov 2016 13:03:56 -0800
via NNSquad

  As Facebook attempted to capture the fast-moving energy of the news cycle
  from Twitter, and shied away from policing political content, it created a
  system that played to confirmation bias and set the stage for fake news.

PM Threatens to sue unemployed citizen over Facebook share

Amos Shapir <>
Thu, 24 Nov 2016 17:19:29 +0200
A lawyer representing PM Benjamin Netanyahu sent a letter to an unemployed
man, threatening to sue for 130,000 NIS (about $30,000) for sharing an
allegedly defamatory blog post on his Facebook page.

It is still a mystery why this particular person was sued, and not the
person who actually wrote the blog.  I don't know if the blogger or the
hosting site were even asked to take it down, last time I checked it was
still there (it was first published in August); so I shared it too, just to
see what happens...

Computer System Chaos At Shelby County Criminal Justice Center

Ben Moore <>
Mon, 21 Nov 2016 21:16:33 -0600

The installation of a new computer program at the Shelby County [Memphis,
TN] courthouse is causing big problems across the board.

A spokesperson for the Shelby County Sheriff's Office says they expected
there would be some problems with the changeover, but the question is, did
anyone know just how bad it would be?

“I think it's *bs* really,” said DeJuan Jackson. Jackson considers himself
lucky.  After posting bond, it only took him two days to get released from
prison.  Others inside are taking much longer to get out.

US Navy warns 134,000 sailors of data breach after HPE laptop is compromised (Ars Technica)

Monty Solomon <>
Fri, 25 Nov 2016 10:16:45 -0500

Skoda driver decapitated after claiming car's cruise control was stuck (The Guardian)

Martyn Thomas <>
Fri, 25 Nov 2016 19:06:49 +0000

The Bookout v Toyota Barr expert evidence came to mind.

Driver's last moments recorded in 999 call as he tells operator car's cruise control 'stuck' at 119mph (The Daily Telegraph)

Ian Halliday <>
Thu, 24 Nov 2016 18:50:11 +0000
London's *Daily Telegraph* reports the following story:

Mr Gandhi's eight-and-a-half minute 999 call was played to the inquest. The
coroner heard the Skoda hit the three-axle HGV with such force that its rear
axle was pushed to the front of the trailer. The Skoda was found with its
roof peeled off up to its rear wheels.

Ian W Halliday, BA Hons, SA Fin, MBCS

Auto Safety Regulators Seek a Driver Mode to Block Apps

Monty Solomon <>
Thu, 24 Nov 2016 21:56:18 -0500

Voluntary guidelines will be issued amid a spike in traffic fatalities in the last two years.

Distracted by holiday stress? E-mail hackers are banking on it

Monty Solomon <>
Thu, 24 Nov 2016 23:30:31 -0500

Is Social Media Disconnecting Us From the Big Picture? (The New York Times)

Lauren Weinstein <>
Tue, 22 Nov 2016 21:07:55 -0800

  "In hindsight, that failure makes sense. I've spent nearly 10 years
  coaching Facebook—and Instagram and Twitter—on what kinds of news
  and photos I don't want to see, and they all behaved accordingly.  Each
  time I liked an article, or clicked on a link, or hid another, the
  algorithms that curate my streams took notice and showed me only what they
  thought I wanted to see. That meant I didn't realize that most of my
  family members, who live in rural Virginia, were voicing their support for
  Trump online, and I didn't see any of the pro-Trump memes that were in
  heavy circulation before the election. I never saw a Trump hat or a sign
  or a shirt in my feeds, and the only Election Day selfies I saw were of
  people declaring their support for Hillary Clinton."

UMass to pay $650K in HIPAA settlement

Monty Solomon <>
Thu, 24 Nov 2016 21:53:50 -0500

UMass settles potential HIPAA violations following malware infection

Google warns journalists and professors: Your account is under attack

Lauren Weinstein <>
Wed, 23 Nov 2016 17:22:13 -0800
via NNSquad

  Google is warning prominent journalists and professors that
  nation-sponsored hackers have recently targeted their accounts, according
  to reports delivered in the past 24 hours over social media.  The people
  reportedly receiving the warnings include Nobel-winning economist and New
  York Times columnist Paul Krugman, Stanford University professor and
  former US diplomat Michael McFaul, GQ correspondent Keith Olbermann, and
  according to this tweet, Politico, Highline, and Foreign Policy
  contributor/columnist Julia Ioffe; New York Magazine reporter Jonathan
  Chait; and Atlantic magazine writer Jon Lovett. Reports of others
  receiving the warnings are here and here. Many of the reports included
  banners that Google displayed when account holders logged in. Ars spoke to
  someone who works for a well-known security company who also produced an
  image of a warning he received. The person said he was aware of a fellow
  security-industry professional receiving the same warning.

 - privacy not so private

Gabe Goldberg <>
Thu, 24 Nov 2016 09:41:35 -0500
Discussion thread:

If you're an Amazon user, I'm sure you know that your reviews appear under
your public profile. Within your profile there is a sensitivity filter that
can be set to prevent people from viewing your reviews of "sensitive" items
directly through your profile but an easily accessible link that could be
exploited by any user to view any other user's sensitive reviews directly
through their profiles, regardless of the sensitivity settings.

Surprise, as one response noted: Nothing is really private on the Internet,
so a good rule of thumb is not to post anything on any website that you
don't want to be public.

Miniature Wi-Fi Device Developed by Stanford Engineers Supplies Missing Link for the Internet of Things (Andrew Myers)

"ACM TechNews" <>
Wed, 23 Nov 2016 12:01:22 -0500 (EST)
ACM TechNews; 23 Nov 2016

Andrew Myers, *Stanford News*, 16 Nov 2016

Stanford University researchers have developed HitchHike, a tiny,
ultra-low-energy wireless radio that enables data transmission using just
micro-watts of energy.  HitchHike "can be used as-is with existing Wi-Fi
without modification or additional equipment," and consumers can use it
today with a cell phone and an off-the-shelf Wi-Fi router, according to
Stanford researcher Pengyu Zheng.  HitchHike requires so little power a
small battery could drive it for a decade or more, and it has the potential
to harvest energy from existing radio waves and use that electromagnetic
energy to power itself, potentially indefinitely.  "HitchHike could lead to
widespread adoption in the Internet of Things," says Stanford professor
Sachin Katti.  HitchHike is a variation on a backscatter radio.  The system
bounces Wi-Fi signals back into the atmosphere, a signal known as
backscatter.  In order to function as a true radio, HitchHike must produce
its own messages, rather than reflect existing messages.  To do that, the
Stanford researchers developed "code word translation."  HitchHike shifts
its new signal to another Wi-Fi channel, thus avoiding the radio
interference between the original signal and the new data stream.
"HitchHike opens the doors for widespread deployment of low-power Wi-Fi
communication using widely available Wi-Fi infrastructure and, for the first
time, truly empower the Internet of Things," Zheng says.

Facebook Said to Create Censorship Tool to Get Back Into China

Lauren Weinstein <>
Tue, 22 Nov 2016 17:27:04 -0800
via NNSquad

  The social network has quietly developed software to suppress posts from
  appearing in people's news feeds in specific geographic areas, according
  to three current and former Facebook employees, who asked for anonymity
  because the tool is confidential. The feature was created to help Facebook
  get into China, a market where the social network has been blocked, these
  people said. Mr. Zuckerberg has supported and defended the effort, the
  people added.

    [This appears to be unsourced, but since it's in the New York Times,
    it's worth reading with that important proviso in mind. LW]

India demonetization

"Alister Wm Macintyre (Wow)" <>
Thu, 24 Nov 2016 15:55:40 -0600
India has a financial crisis, which they brought upon themselves, by poor
planning.  The economy is at a virtual standstill.

Certain currency is believed to be heavily used by criminals, and citizens
who fail to pay taxes, so India declared that two rupee notes, which had
been legal tender, would no longer be, and the people were given less than 2
months to get that currency converted to the replacement notes, at banks and
post offices.

Since India is a nation where 90% of the population do business by cash, and
85% of it in the rupee notes going away, there has been a stampede to where
they can convert their currency, with hundreds of people standing in line
for a day, all over the nation.

Some small businesses have gone out of business, because they cannot
function with the rupee notes which are still legal tender.

Since there is a ceiling on how much can be converted per person per day,
small businesses have each of their employees and family members doing their
share, magnifying how many people are waiting in line compared with what
would have been the case without the daily limit.

Employees of many businesses have abandoned their work, because now they
must wait in line, day after day, to get their currency exchanged.

In the first week, at least 33 people died, because of the long lines, and
the shock.  One person, who needed to get to a hospital, died because a taxi
refused to accept the now banned currency.

ATM machines will take 2 weeks to be converted, having had no advance
warning, but in the meantime issue a much smaller note.

The nation is running out of some of the now legal types of currency,
including the replacement note.  Didn't they have any idea how much was in

There is no limit on how much of the currency, which will be illegal next
year, may be deposited into bank accounts, but then the people will have to
prove they paid taxes on that money, or else suffer severe tax penalties.

Bruce Schneier: 'The Internet era of fun and games is over' (Austin Powell)

Dewayne Hendricks <>
Wed, Nov 23, 2016 at 7:46 PM
   [We noted Bruce's testimony to the Congressional site in the previous
   issue of RISKS.  Here are some snippets.  PGN]

Austin Powell, Daily Dot, 16 Nov 2016
Speaking before members of Congress, the Internet pioneer made clear the
dangers of the Internet of Things.

Internet pioneer Bruce Schneier issued a dire proclamation in front of the
House of Representatives' Energy & Commerce Committee Wednesday: “It might
be that the Internet era of fun and games is over, because the Internet is
now dangerous.”

The meeting, which focused on the security vulnerabilities created by smart
devices, came in the wake of the Oct. 21 cyberattack on Dyn that knocked
Amazon, Netflix, Spotify, and other major web services offline.

Schneier's opening statement provided one of the clearest distillations of
the dangers posed by connected devices I've seen. It should be required
viewing. He starts around the 1:10:30 mark in the livestream below, but
we've also transcribed most of his remarks.

Here's how he framed the Internet of Things, or what he later called the
*world of dangerous things*:

  As the chairman pointed out, there are now computers in everything. But I
  want to suggest another way of thinking about it in that everything is now
  a computer: This is not a phone. It's a computer that makes phone calls. A
  refrigerator is a computer that keeps things cold. ATM machine is a
  computer with money inside. Your car is not a mechanical device with a
  computer. It's a computer with four wheels and an engine.  This is the
  Internet of Things, and this is what caused the DDoS attack we're talking
  about.

He then outlined four truths he's learned from the world of computer
security, which he said is *now everything security*.

1) Attack is easier than defense

Complexity is the worst enemy of security. Complex systems are hard to
secure for an hour's worth of reasons, and this is especially true for
computers and the Internet. The Internet is the most complex machine man has
ever built by a lot, and it's hard to secure. Attackers have the advantage.

2) There are new vulnerabilities in the interconnections

The more we connect things to each other, the more vulnerabilities in one
thing affect other things. We're talking about vulnerabilities in digital
video recorders and webcams that allowed hackers to take websites.  There
was one story of a vulnerability in an Amazon account [that] allowed hackers
to get to an Apple account, which allowed them to get to a Gmail account,
which allowed them to get to a Twitter account. Target corporation, remember
that attack? That was a vulnerability in their HVAC contractor that allowed
the attackers to get into Target. And vulnerabilities like this are hard to
fix. No one system might be at fault.  There might be two secure systems
that come together to create insecurity.

3) The Internet empowers attackers.

Attacks scale. The Internet is a massive tool for making things more
efficient. That's also true for attacking. The Internet allows attacks to
scale to a degree that's impossible otherwise. We're talking about millions
of devices harnessed to attack Dyn, and that code, which somebody smart
wrote, has been made public. Now anybody can use it. It's in a couple dozen
botnets right now. Any of you can rent time on one dark web to attack
somebody else.  (I don't recommend it, but it can be done.) [...]
