The RISKS Digest
Volume 30 Issue 04

Tuesday, 20th December 2016

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


U.S. House Encryption Working Group report
Project Wycheproof—Crypto Check Libraries
Russian Hackers Stole Millions a Day With Bots and Fake Sites
Vindu Goel
UK Police must be given power to shut websites
The Standard via Chris Drewe
Rail Crossing Warnings Are Sought for Mapping Apps
The New York Times
California DMV Calls Uber's San Francisco Self-Driving Cars Illegal
The states of texting and driving in the U.S.
Ars Technica
Inside LeakedSource and Its Database of Hacked Accounts
Integrity and correctness of Internet information
Martin Ward
Re: U.S. feds cyberattack U.S. states
Dick Mills
Re: Audi Cars Now Talk To Stop Lights In Vegas
Anthony Youngman
Info on RISKS (comp.risks)

U.S. House Encryption Working Group report

"Peter G. Neumann" <>
Tue, 20 Dec 2016 13:40:49 PST
The U.S. House Judiciary Committee and House Energy and Commerce Committee
Encryption Working Group has released its Year-End Report.  It makes four
specific observations:

1. Any measure that weakens encryption works against the national interest.

2. Encryption technology is a global technology that is widely and
   increasingly available around the world.

3. The variety of stakeholders, technologies, and other factors create
   different and divergent challenges with respect to encryption and the
   “going dark'' phenomenon, and therefore there is no one-size-fits-all
   solution to the encryption challenge.

4. Congress should foster cooperation between the law enforcement community
   and technology companies.

These observations are pithy and relevant to other nations as well.  The
Keys Under Doormats report (RISKS-28.75) appears to have had considerable
influence on the committee, and is cited on the first text page of their

  [Reminder: The subsequent published version of that report is available
  online: Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh,
  Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau,
  Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier,
  Michael Specter, Daniel J. Weitzner, Keys Under Doormats: Mandating
  Insecurity by Requiring Government Access to All Data and Communications,
  published in the Journal of Cybersecurity, vol 1 no 1, Oxford University
  Press, 17 November 2015.
  The authors received the 2016 Pioneer Award (given annually by the
  Electronic Freedom Foundation) for the paper.]

Project Wycheproof—Crypto Check Libraries (Google)

Lauren Weinstein <>
Mon, 19 Dec 2016 19:17:09 -0800
GoogleBlog via NNSquad

  We're excited to announce the release of Project Wycheproof, a set of
  security tests that check cryptographic software libraries for known
  weaknesses. We've developed over 80 test cases which have uncovered more
  than 40 security bugs (some tests or bugs are not open sourced today, as
  they are being fixed by vendors). For example, we found that we could
  recover the private key of widely-used DSA and ECDHC implementations.  We
  also provide ready-to-use tools to check Java Cryptography Architecture
  providers such as Bouncy Castle and the default providers in OpenJDK.

Russian Hackers Stole Millions a Day With Bots and Fake Sites (Vindu Goel)

Lauren Weinstein <>
Tue, 20 Dec 2016 12:56:52 -0800
Vindu Goel, *The New York Times*, via NNSquad

  In a twist on the peddling of fake news to real people, researchers say
  that a Russian cyberforgery ring has created more than half a million fake
  Internet users and 250,000 fake websites to trick advertisers into
  collectively paying as much as $5 million a day for video ads that are
  never watched.  The fraud, which began in September and is still going on,
  represents a new level of sophistication among criminals who seek to
  profit by using bots—computer programs that pretend to be people—to
  cheat advertisers.

UK Police must be given power to shut websites (The Standard)

Chris Drewe <>
Tue, 20 Dec 2016 21:36:04 +0000
Item in London UK *The Standard* newspaper, 16 Dec 2016

Police need new powers to shut websites and curb access to social media to
fight the threat of child abuse and revenge porn attacks, a chief constable
said today.  Stephen Kavanagh, the National Police Chiefs Council lead on
digital crime, said officers should also be ready to push the boundaries of
the law and sometimes go beyond what the regulations or courts accept to
protect the public from Internet offending.  Mr Kavanagh said he was deeply
concerned at the scale of the problem and felt the privacy lobby had been
allowed to dominate discussions for too long at the expense of public
safety. He insisted that a tougher law enforcement response, including
updated legislation, was needed.

The Internet is a hugely witty broad set of opinions but that should
not be blurred with the ability to buy drugs or guns, harass, share
imagery without consent or, worse, engage in the industrialising of
child abuse imagery.

On powers to access Internet communications, Mr Kavanagh said critics were
wrong to label the legislation a Snoopers Charter and insisted existing
rules contained some of the best regulation of police intrusive powers in
the world.  He said, however, that officers should be prepared to risk
occasionally stepping beyond the limits of the law and added: Police tend to
be too cautious about how they can use those powers to protect the public.

  Um... what about sites outside the UK?

Rail Crossing Warnings Are Sought for Mapping Apps

Monty Solomon <>
Tue, 20 Dec 2016 07:43:06 -0500

The National Transportation Safety Board asked tech companies to add the
locations of grade crossings into digital maps and to provide alerts for

California DMV Calls Uber's San Francisco Self-Driving Cars Illegal

Monty Solomon <>
Tue, 20 Dec 2016 08:58:15 -0500

The states of texting and driving in the U.S. (Ars Technica)

Monty Solomon <>
Mon, 19 Dec 2016 08:54:28 -0500

Inside LeakedSource and Its Database of Hacked Accounts (WiReD)

Monty Solomon <>
Tue, 20 Dec 2016 10:04:38 -0500

Integrity and correctness of Internet information

sur-behoffski <>
Wed, 21 Dec 2016 06:22:13 +1030
Here's the advice I give to people relating to interacting with Internet

  "There's lots of information on the Internet.  Some of it's even true!"

Re: SHAME ON YOU, GOOGLE! (Burton, RISKS-30.03)

Martin Ward <>
Tue, 20 Dec 2016 13:21:05 +0000
> Either that or we all sit down and write competing web pages ...

If many people do this, then these hundreds of pages will all end up off the
top page of results since they will "split the vote".

To "game" Google so that your preferred answer to a question becomes the top
hit, you need to select *one* page with that answer and get as many people
as possible to link to that page.

Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering

Re: U.S. feds cyberattack U.S. states (Al Mac, RISKS-30.03)

Dick Mills <>
Tue, 20 Dec 2016 13:29:57 -0500
> The U.S. state of Georgia traces 10 cyberattacks to U.S. federal agency DHS
> (Dept of Homeland Security).

It really gets dicey when this attribution is coupled with what is called
"active defense" or "hack back".  That is when a hacking victim invades the
hacker's computers to investigate, or to deter, or to claw back stolen
information.  Is hack-back a felony if the hacker is the US government?
What about when attribution goes to an enemy or allied foreign state?

I suspect that the reason that the US government seems so reluctant to
sanction foreign state hackers is that the US government is itself among the
worlds biggest hackers.  If we retaliate, we invite others to do the same to
us, and we are said to have the most to lose.

Apropos The long history of the U.S. interfering with elections elsewhere:

Re: Audi Cars Now Talk To Stop Lights In Vegas (Bos, RISKS-30.03)

Anthony Youngman <>
Tue, 20 Dec 2016 19:34:59 +0000
On 20/12/16 00:21, RISKS List Owner wrote:
> Of course, there are already drivers who turn off their engines at traffic
> lights.

And there are vehicles that automatically turn themselves off now ...

I've recently started driving an "ecotec" van, and when I stop at the lights
and engage neutral (as drivers should!) the engine will stop of its own
accord.  Pushing the clutch down to engage gear triggers an automatic
restart.  imho (as a user of this technology) this is not a problem, as a
properly functioning car (yes, I know ...) would restart without the
driver's active intervention.

Please report problems with the web pages to the maintainer