The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 02

Thursday 15 December 2016


Thunderbird Felled by Sticky Button
Yahoo Says 1 Billion User Accounts Were Hacked
More details on massive new Yahoo hack—it only gets worse
Business Insider via LW
Stolen Yahoo Data Includes Government Employee Information
Interview with Charles Delavan on Podesta's e-mail
Colorado election omits more than 20,000 ballots
The DenverChannel
Uber said it protects you from spying. Security sources say otherwise
Bruce Schneier's latest CryptoGram
Value of having a computer at home is mixed
WashPo item via Ridgely C. Evers
Craig Burton
Info on RISKS (comp.risks)

Thunderbird Felled by Sticky Button (AirForceMag)

"Peter G. Neumann" <>
Thu, 15 Dec 2016 7:04:16 PST
  [Thanks to Todd Carpenter.  PGN]

The Thunderbirds aerial demonstration team F-16 that crashed in
Colorado on 2 Jun 2016—minutes after a flyby of the Air Force Academy
graduation, attended by President Obama—was done in by a stuck button on
the throttle, the service announced Wednesday. Normally the throttle
won't move all the way to cutoff unless the button is depressed, but the
button had become stuck in the depressed position due to accumulated
metallic debris, stray lubricant, a misaligned clevis pin, and wear on
the spring mechanism, USAF's official accident investigation found. The
pilot, Maj. Alex Turner, inadvertently rotated the throttle to the
engine cutoff position, and by the time he realized what had happened,
was too low to restart the engine, though he attempted to do so. Turner
delayed ejection for a few seconds to steer the jet away from a house.
He ejected with only minor injury, was picked up, and was later
introduced to Obama. Though the Air Force said it will not comment on
disciplinary action, Turner apparently was considered blameless in the
accident because he was promptly returned to flying duty. Though the
jet, tail No. 92-3890, seemingly landed upright and largely intact, it
was declared a total loss, at a value of $29.4 million. Technical orders
have been changed to require a more thorough regular inspection of the
mechanism and the proper alignment of the pin. The accident board wrote
that "a significant number of sticky throttle triggers in F-16 history
have led to hardware changes that have reduced but not eliminated the
number of occurrences" of this problem. The throttle was recovered
intact and the investigation team operated the button 50 times, finding
that the button got stuck about 36 percent of the time.

Yahoo Says 1 Billion User Accounts Were Hacked

Lauren Weinstein <>
Wed, 14 Dec 2016 14:48:10 -0800
  [via NNSquad]

  Yahoo, already under a cloud from its summertime disclosure that 500
  million user accounts had been hacked in 2014, disclosed Wednesday that
  another attack a year earlier had compromised more than 1 billion Yahoo
  accounts. The newly disclosed attack involved more sensitive user
  information, including unencrypted security questions. Yahoo is forcing
  all of the affected users to change their passwords and it is invalidating
  the security questions.  Yahoo had agreed to sell its core businesses to
  Verizon Communications for $4.8 billion. Verizon said that it might seek
  to renegotiate the terms of the transaction after the first hacking was
  disclosed. It's unclear how the newest information will affect its view of
  the purchase.

Security Questions are potential security disasters, especially if you
give "correct" answers to the typical ones.   [LW]

More details on massive new Yahoo hack—it only gets worse

Lauren Weinstein <>
Wed, 14 Dec 2016 16:53:27 -0800

  "The company has not been able to identify the intrusion associated with
  this theft," Yahoo said on Wednesday about the new incident ... With a
  billion accounts at risk, that would make this the biggest breach ever,
  bigger than the Myspace breach of 360 million user accounts and 427
  million passwords. Yahoo said that payment-card data and bank-account
  information were not stored on the system the company "believes" was
  affected. But the hackers may have collected a trove of other valuable
  personal information, such as user names, email addresses, telephone
  numbers, dates of birth, hashed passwords, and, in some cases, encrypted
  or unencrypted security questions and answers.

Anyone now willing to pay more than $0 for Yahoo is an idiot.

Stolen Yahoo Data Includes Government Employee Information

Lauren Weinstein <>
Thu, 15 Dec 2016 10:01:41 -0800

  More than 150,000 U.S. government and military employees are among the
  victims of Yahoo! Inc.'s newly disclosed data breach, and their names,
  passwords, telephone numbers, security questions, birth dates, and backup
  e-mail addresses are now in the hands of cybercriminals. It's a leak that
  could allow foreign intelligence services to identify employees and hack
  their personal and work accounts, posing a threat to national security.
  These employees had given their official government accounts to Yahoo in
  case they were ever locked out of their e-mail.

    [Bottom line: Cookies hacked.  PGN]

  [PGN notes: See also]
Yahoo Says It Was Hacked. Here's How to Protect Yourself.
Important Security Information for Yahoo Users

Interview with Charles Delavan on Podesta's e-mail (Slate)

"Peter G. Neumann" <>
Thu, 15 Dec 2016 12:01:17 PST

I called up Charles Delavan because I thought he was lying.  Delavan, 29,
has achieved a measure of infamy among politicos and security wonks as the
IT guy who assured John Podesta that a phishing email intended to steal his
Gmail password was "a legitimate email." The detail emerged in an October
WikiLeaks dump and was reported as a stunning example of incompetence on the
part of the Hillary Clinton campaign's tech team. Podesta or one of its
aides, it seemed, had initially been suspicious of the email but went ahead
and opened the fateful link after Delavan vouched for its authenticity.

But a front-page *New York Times* article published Tuesday gave the story
an almost incredible twist. *The Times* quotes Delavan as saying that he
actually recognized that the email was a hoax, but mistakenly typed the word
legitimate when he meant to type illegitimate. The implication was that the
Clinton campaign was compromised not by incompetence, but by a slip of the
fingers. The anecdote triggered headlines around the web: "A Typo Might Have
Cost Clinton the Election," gushed the Week.  [...]

If Delavan had meant to type *illegitimate* rather than *legitimate*, why
did he preface it with the article *a* rather than *an*?  Was that a typo,
too?  Moreover, if Delavan's goal had been to warn Podesta that the email
was a scam, you'd think he would have told Podesta not to follow its
instructions and not to click on the "change password" link therein.
Instead, he followed his assertion that the email was "legitimate" by
reiterating to Podesta the instructions contained in the email itself,
almost to the word. The phishing email told Podesta, "You should change your
password immediately," which is exactly what Delavan told him. So Delavan not
only called the email "legitimate," he practically ordered Podesta to do
what it said.

All of which led me immediately to suspect something rather uncharitable of
Delavan: that he not only fell for the phishing scheme but that he
subsequently lied about it to *The New York Times*, perhaps trying to pass
it off as a typo because he was too embarrassed to admit the truth. (A quick
search of Twitter made it clear that I was not the only one who suspected

I doubted I could actually get a hold of Delavan to confront him with my
hypothesis. I figured he would have retreated from the public Internet
months ago. Still, I figured it was worth a shot. The first thing I tried
was to call the cellphone number contained in his email itself, which is
still publicly available on WikiLeaks' site. He picked up on the second

Colorado election omits more than 20,000 ballots

"Peter G. Neumann" <>
Thu, 15 Dec 2016 7:02:14 PST
More than 20K ballots in Colorado not counted because of signature
  discrepancies, ID problems

DENVER -- More than 21,000 General Election ballots in Colorado weren't
counted because voters either failed to verify discrepancies in their
signatures, didn't sign their ballots or didn't verify their registration
with a form of identification.

The Colorado Secretary of State's Office certified the state's election
results late last week.

The certified results show 2,859,216 ballots were cast, a number that
differed from a spreadsheet released by the office Dec. 5, before the
results were certified, that showed more than 2.88 million ballots had
been counted.

The 2016 General Election was the first presidential election in which
Colorado used a mail-in ballot system. Registered voters were mailed a
ballot weeks before Election Day and had to either mail them back or drop
them off at their county clerk's office or drop-off locations.

Each ballot required a signature that matched the signature on the person's
voter registration form in order to minimize any possible voter fraud. If
there were discrepancies, those people had eight days to verify their
signatures with their local county clerk after Election Day, lest their
ballot not count.

Lynn Bartels, a spokeswoman for the Secretary of State's Office, said there
were a total of 21,408 ballots that were mailed in or dropped off that
weren't counted because of the various discrepancies.

Ballots with signature discrepancies amounted to the largest group that
weren't counted; 16,209 ballots had signatures that weren't verified.

A total of 2,606 ballots weren't signed at all, and Bartels said 2,593
ballots weren't counted because no identification to verify a person's
registration was provided.

Many of the ballots not counted because a person's identity wasn't verified
likely came from people who registered through voter registration drives or
who registered late and needed to provide a copy of a U.S. or Colorado ID in
order for their vote to count.  [...]

Uber said it protects you from spying. Security sources say otherwise

Monty Solomon <>
Thu, 15 Dec 2016 11:25:35 -0500
Uber said it protects you from spying.  Security sources say otherwise

Bruce Schneier's latest CryptoGram

"Peter G. Neumann" <>
Thu, 15 Dec 2016 6:59:32 PST
Bruce's new CryptoGram contains his thoughts on these two items
(among others).

  My Priorities for the Next Four Years
  Hacking and the 2016 Presidential Election

See for the entire issue.

Value of having a computer at home is mixed

"Evers Ridgely C." <>
December 14, 2016 at 3:04:01 PM
  [I wonder if a similar study couldn't show that having books at home had a
  similar mixed value DFJ]

Several years ago, economists conducted a fascinating and first-of-its-kind
experiment to answer that question. Some of the latest results from that
project, which were released Monday in a working paper from the National
Bureau of Economic Research, show that the benefits of having a computer at
home are subtle and somewhat counterintuitive.

Re: SHAME ON YOU, GOOGLE! (Weinstein, RISKS-30.01)

Craig Burton <>
Thu, 15 Dec 2016 11:18:33 +1100
>[google] should clearly label [holocaust denier page] as being
>false, a lie, or at least as having no credibility.  Call it "CredRank"

If you search Google for "is the earth flat" you get a top listed hit and
Google extract offering ten reasons why the earth is flat.  I'm guessing
this is Google's PageRank finding *only answers going against* what is
widely assumed knowledge - because why would there be web pages bothering
to simply state the opposite of an example of broad knowledge is false?
Also, I suspect there are infinitely many ways of asking about *the
opposite of* a single truth (Albert Einstein had something to say about

The problem is a serious one but I wonder if Google can act.   Google would
not maintain a kind of reverse page-rank for web garbage pages.  There
would be no commercial reason to do this since high ranking garbage pages
would be of no value for adsense.  And there would be a lot of them.  I
even wonder if there may be pages specifically to trap and monetise
diligent fake news verification questions to Google like "Is Hillary
Clinton Ill?".

I don't care if some people think the earth is flat so long as they aren't
commercial pilots.  But I do think Google could run a bucket list of top
history-denier questions a reasonable person would consider hate speech and
handle them specially, as a public service.  Still even this might be as
Google says in its hate speech policy "a delicate balancing act".

Either that or we all sit down and write competing web pages specifically
addressing questions like "Are <some race> less intelligent than <some
other race>?  NO" and perhaps a billion others?  I'll do this over the
Christmas break.
