The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 16

Sunday 26 February 2017

Contents

That "Russian" DoS against Deutsche Telekom? They just arrested... a Brit
RT via danny burstein
Swift-based ransomware targets macOS pirates with false decryption promise
AppleInsider via geoff goodfellow
Study reveals bot-on-bot editing wars raging on Wikipedia's pages
The Guardian
SHA-1 collision
PGN
Cloudflare bug
Brooks Davis
IoT problems
Joe Durusau
Prominent medical quackery website removed from Google search results
Mark Thorson
Prominent cartoonist shadowbanned by Twitter
Mark Thorson
Re: German parents told to destroy Cayla
Peter Bernard Ladkin
Science societies have long shunned politics. But now they're ready to march.
The Washington Post via Lauren Weinstein
Response to Michael Marking
Ken Knowlton
Re: The AI Threat Isn't Skynet
Chris Drewe
Re: Dutch election will be counted by hand
Richard Bos
Re: Old Intel Chips
Andrew Duane
Re: Cooperative Bank sends a text with a dyn.co link
Richard Bos
Andrew Duane
Re: Facebook Trending
Michael Bacon
Re: "The missile may have veered ... towards the United States"
Richard Bos
Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp
OK
Re: WiReD—Product is Mis-Identified
tanner andrews
Re: WiReD
Michael Kohne
John Bechtel
Michael Kohne
Info on RISKS (comp.risks)

That "Russian" DoS against Deutsche Telekom? They just arrested..

danny burstein <dannyb@panix.com>
Fri, 24 Feb 2017 09:38:38 -0500 (EST)
The cops just arrested... a Brit.

  [quoting from Russia Today for their well deserved gloat]

Not Russian hackers: Brit arrested for cyberattack on Germany [previously]
blamed on Moscow

A UK national has been detained in London on suspicion of carrying out a
cyber-attack last year that left 1 million Deutsche Telekom customers
without service.  At the time, German Chancellor Angela Merkel hinted that
Russia might be behind the attack.

The 29-year-old man was arrested on Wednesday at Luton airport in southern
England by officers from the UK's National Crime Agency (NCA) at the request
of the *German* police, The Local reported.

Rest, including the description of the attack that took DT off the Internet,
which, per friends of mine in Germany, was a lot more intense than reported
and still has continuing after-effects:
  https://www.rt.com/news/378441-germany-cyber-attack-telekom-russia/


Swift-based ransomware targets macOS pirates with false decryption promise

geoff goodfellow <geoff@iconia.com>
Wed, 22 Feb 2017 11:04:26 -1000
New ransomware for the Mac has been discovered by security researchers, with
the "poorly coded" malware created in Swift encrypting the user's files and
demanding a payment, without any possibility of decrypting the files even if
the ransom is paid...

http://appleinsider.com/articles/17/02/22/swift-based-ransomware-targets-macos-pirates-with-false-decryption-promise


Study reveals bot-on-bot editing wars raging on Wikipedia's pages (The Guardian)

Lauren Weinstein <lauren@vortex.com>
Thu, 23 Feb 2017 17:23:56 -0800
via NNSquad
https://www.theguardian.com/technology/2017/feb/23/wikipedia-bot-editing-war-study

  "The fights between bots can be far more persistent than the ones we see
  between people," said Taha Yasseri, who worked on the study at the Oxford
  Internet Institute. "Humans usually cool down after a few days, but the
  bots might continue for years."  The findings emerged from a study that
  looked at bot-on-bot conflict in the first ten years of Wikipedia's
  existence. The researchers at Oxford and the Alan Turing Institute in
  London examined the editing histories of pages in 13 different language
  editions and recorded when bots undid other bots' changes.

    [Above also noted by Gabe Goldberg, who added this:
  Great way to create encyclopedia...and run the future world:]

  Yasseri believes the work serves as an early warning to companies
  developing bots and more powerful artificial intelligence (AI) tools. An
  AI that works well in the lab might behave unpredictably in the wild.
  “Take self-driving cars.  A very simple thing that's often overlooked is
  that these will be used in different cultures and environments,” said
  Yasseri. “An automated car will behave differently on the German autobahn
  to how it will on the roads in Italy. The regulations are different, the
  laws are different, and the driving culture is very different,” he said.

    [Who BOThers the BOTherds? NoBOTy but the BOTherds themselves!  PGN]


SHA-1 collision

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 23 Feb 2017 12:12:12 PST
Two PDF files display different content, yet have the same SHA-1 digest.

Nine quintillion (9,223,372,036,854,775,808) SHA1 computations, with 6,500
CPU-years for phase one, and 110 GPU-years for phase two:

https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/

https://www.wsj.com/articles/google-team-cracks-longtime-pillar-of-internet-security-1487854804

https://shattered.it/   and  http://shattered.io/
https://marc-stevens.nl/research/papers/SBKAM17-SHAttered.pdf

However, this is not particularly earth-shattering, in that SHA-1 is not
used much any more.  Incidentally, the fourth of Adi Shamir's 15 predictions
for the next 15 years on cybersecurity, crypto, quantum, privacy, and
payments (blogged by Ross Anderson) from a recent panel in 2017 Financial
Crypto:

  4. RC4 and SHA-1 will be phased out while AES and SHA-2/3 will remain
     secure.  (Adi expects a SHA-1 collision within the year.)

https://www.lightbluetouchpaper.org/2016/02/22/financial-cryptography-2016/#comment-1456744


Cloudbleed

Brooks Davis <brooks@csl.sri.com>
Fri, 24 Feb 2017 16:58:11 +0000
Cloudflare was leaking data between TLS sessions on the encrypted proxy
systems.  Google found this and reported it last week.  (Do look at the
PNGs of leaked data, it's remarkable!)

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Cloudflare found the bug, fixed it, and posted a write-up:

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

The bogus code was something like:

  /* generated code */
  if ( ++p == pe )
      goto _test_eof;

but the ++ caused p to skip past pe due to alignment.  Assuming they were
using a malloc() with strict bounds, leakage would be zero.  (Another part
of the writeup asserts that the bug triggered reliably only on 4k or smaller
buffers.)

PS. One amusing note from the Cloudflare writeup: one of several conditions
that trigger the bug included "Server-Side Excludes execute only if the
client IP has a poor reputation (i.e., it does not work for most visitors)."
Which means that data leaks happened more commonly to clients that were
believed to be malicious!

  [This has been PGN-ed for RISKS.  Thanks to Brooks.]
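As an added illustration of the bug class Brooks describes (this is not Cloudflare's or Ragel's code; the backslash-escape token rule and the sample input are constructed), the C scanner below runs the same input once under an "==" end check and once under a ">=" end check, and reports how far past the end the "==" version would have continued:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct scan_result {
    size_t tokens;     /* tokens consumed before the scan stopped */
    size_t overshoot;  /* bytes past the end where the scanner ended up */
    int    saw_eof;    /* 1 if the end check fired, 0 if it was stepped over */
};

/* Walk buf[0..len) one token at a time, using indices in place of the p/pe
 * pointers so the demonstration itself never forms an out-of-range pointer.
 * Constructed token rule: a backslash escape consumes two bytes, anything
 * else one, so p can jump from pe-1 straight to pe+1.
 *   strict == 0: end check is "p == pe" (the pattern in the generated code)
 *   strict == 1: end check is "p >= pe" (the hardened form) */
static struct scan_result scan(const unsigned char *buf, size_t len, int strict)
{
    struct scan_result r = {0, 0, 0};
    size_t p = 0, pe = len;

    if (len == 0) {               /* nothing to scan: end check fires at once */
        r.saw_eof = 1;
        return r;
    }

    while (p < pe) {              /* guard only so the demo stays in bounds */
        /* consume one token; the consumer trusts the end check to catch overruns */
        if (buf[p] == '\\')
            p += 2;
        else
            p += 1;
        r.tokens++;

        if (strict ? (p >= pe) : (p == pe)) {
            r.saw_eof = 1;        /* real code: goto _test_eof */
            return r;
        }
    }
    /* Reached only when the "==" check was stepped over: a real scanner
     * would now keep reading at buf[p], i.e. past the end of the buffer. */
    r.overshoot = p - pe;
    return r;
}

/* Convenience wrappers over constructed C-string samples. */
static int overshoot_bytes(const char *s, int strict)
{
    return (int)scan((const unsigned char *)s, strlen(s), strict).overshoot;
}

static int clean_eof(const char *s, int strict)
{
    return scan((const unsigned char *)s, strlen(s), strict).saw_eof;
}

int main(void)
{
    const char *sample = "ab\\";  /* constructed: trailing escape with no byte after it */
    printf("== check: eof=%d overshoot=%d\n", clean_eof(sample, 0), overshoot_bytes(sample, 0));
    printf(">= check: eof=%d overshoot=%d\n", clean_eof(sample, 1), overshoot_bytes(sample, 1));
    return 0;
}
```

The overshoot is the quantity a bounds-checking allocator would have turned into a crash rather than a leak.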


IoT problems

"Joe Durusau" <durusau@att.net>
Thu, 23 Feb 2017 16:09:55 -0600
RISKS readers might be interested in the following from the IEEE Computer
Society, on the subject of the Internet of Unnecessary things.

https://www.computer.org/web/prpl-matters/content?g=8459902&type=article&urlTitle=coping-with-the-internet-of-unnecessary-things&lf1=7701638684d136616110261c62281496

Incidentally, I didn't write it.


Prominent medical quackery website removed from Google search results

Mark Thorson <eee@sonic.net>
Thu, 23 Feb 2017 13:18:42 -0800
On the one hand, I agree with the anti-quackery motive, but removing quite
possibly the most trafficked "alternative" medicine website from search
results is disturbing to me.  What if tomorrow it's the Church of
Scientology?  Mike Adams is no character to be respected, but it's cases
like this which test our tolerance for suppressing other people's beliefs.
Erosion always begins with the easiest pebble to move.

http://scienceblogs.com/insolence/2017/02/23/google-delists-mike-adams-his-hilarious-tantrum-about-the-conspiracy-behind-it-is-epic-as-is-my-schadenfreude/


Prominent cartoonist shadowbanned by Twitter

Mark Thorson <eee@sonic.net>
Thu, 23 Feb 2017 14:01:30 -0800
The information war is on the march.

http://blog.dilbert.com/post/156377416856/should-twitter-and-facebook-be-regulated-as


Re: German parents told to destroy Cayla

Peter Bernard Ladkin <ladkin@causalis.com>
Wed, 22 Feb 2017 07:12:13 +0100
> "An official watchdog in Germany has told parents to destroy a talking
> doll called Cayla because its smart technology can reveal personal data.
> The warning was issued by the Federal Network Agency (Bundesnetzagentur),
> which oversees telecommunications."

This misrepresents the situation. For example, someone reading this
description could imagine that this has something to do with product safety,
a European regulation governing risk associated with consumer products which
has been taken into German law, namely EC765/2008
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:218:0030:0047:en:PDF

It's not a "warning". It is a determination by the telecommunications
regulator that it is illegal for people to use these devices. Third parties
wondering whether there is really a risk or not is beside the point. At the
same time, the regulator has made clear it is not going to go around
prosecuting all and sundry for unwitting use.

A more accurate rendering of the situation is as follows.

The telecommunications regulator has ordered the withdrawal of certain
communication devices from the market after determining that they are
illegal under Section 90 of the German Telecommunications Act, which
prohibits communications devices with a certain specified functionality
which conceal their communications capabilities as something else.

The prohibited functionality is defined in Section 90, which is about half a
page long. Those who can read German can read it here:
https://www.gesetze-im-internet.de/bundesrecht/tkg_2004/gesamt.pdf
The point of the Section is to prohibit covert surveillance devices and
their use. The regulator has determined that the Cayla toy is, given its
functionality, such a prohibited device.

The press release suggests that this is part of an ongoing regulatory
action. Here is an English version:
https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/EN/2017/17022017_cayla.html


Science societies have long shunned politics. But now they're ready to march.

Lauren Weinstein <lauren@vortex.com>
Sat, 25 Feb 2017 08:26:36 -0800
*WashPo* via NNSquad
https://www.washingtonpost.com/news/speaking-of-science/wp/2017/02/24/science-societies-have-long-shunned-politics-but-now-theyre-ready-to-march/

  Some of the nation's biggest scientific organizations, including the
  American Association for the Advancement of Science and the American
  Geophysical Union, are partnering with grass-roots organizers to plan the
  March for Science, an Earth Day rally in Washington and cities around the
  world aimed at defending "robustly funded and publicly communicated
  science."  The news signals that the effort, spawned from social-media
  musings in the days after President Trump's inauguration, has officially
  gone mainstream.  Such coordinated activism is a big change for scientists
  and the societies that represent them.

 - - -

I don't think marching is going to do a hell of a lot of good. But for many,
many years I have strongly urged that scientists and techies be involved
politically, and I was continually told by the higher-ups in these
professional societies that "This isn't our role. We just do the science and
let the data speak for us." I always knew that they were dangerously wrong
about this, and now we have the proof. I take no pleasure from being right
about the issue, however.

Some years ago, I held a pair of conferences about the Future of the
Internet. At one, there was a rather distinguished looking older attendee
whom I didn't know. I've called him the man in black since he was always
dressed entirely in black. He sat at the back of the room and listened
attentively—he rarely said anything. Then at one point, he pulled me
aside privately and said words to this effect: "Lauren, I spend all my time
in Washington dealing with politicians.  And I can guarantee you one
thing. If you techies don't become politically aware and active and start
pushing back, you're going to be crushed and steamrolled." Later I found out
that he was apparently a top lobbyist for the tobacco industry. It was like
getting advice from Darth Vader. But he was 100% correct.


Response to Michael Marking (RISKS-30.15)

Ken Knowlton <kcknowlton@aol.com>
Tue, 21 Feb 2017 22:14:17 -0500
  [Note: Anthony Thorn suggested Marking's item in Dave Farber's IP "is a
  political rant and has no business in RISKS."  I originally considered not
  including it, but then reflected on Lauren Weinstein's piece above.  I'm
  delighted Ken Knowlton rose to the occasion.  PGN]

Michael Marking's RISKS-30.15 commentary stated basically that AI does
nothing to ease, but exacerbates, the unbalance of benefits in our already
stratified society, also that it's not a new phenomenon.

  (I agree, and recall that as an 8-year-old at the NYC 1939 World's Fair, my
  most memorable take-away problem, undisputed I presumed, was: with
  machines doing so much more of the work, how would we manage to deal with
  all the leisure time?)

There is another ethical aspect to the-rich-getting-richer: things and
services developed thus tend, more and more, to be luxuries - not very
helpful to anyone's well-being - but entailing, of course, further drain on
resources, thus increasingly detrimental to the environment. Thus, even if
benefits of AI, robotics, etc. were more uniformly shared, new speeds and
efficiencies would/will speed ecological collapse. Unless . . .


Re: The AI Threat Isn't Skynet (RISKS-30.15)

Chris Drewe <e767pmk@yahoo.co.uk>
Thu, 23 Feb 2017 22:18:48 +0000
1. In the UK, politicians and commentators are getting in a panic about AI
taking away everybody's jobs; at risk of over-simplifying a huge topic, this
seems unlikely to me, as I can remember the mid-1970s, when computers were
moving from just being number-crunchers to doing more-glamorous jobs like
typesetting and page make-up for newspapers and magazines, and the Internet
and e-mail ("the electronic office") were on the horizon.  These would let
us whizz through our work in no time, with confident predictions that by the
end of the century [1999] we would all be working 22-hour weeks and retiring
at 40, which generated concerns that the streets might be filled with bored
but well-off people causing social unrest.  Now that we're well into the
21st century, how did it work out?  Well... the typical working week is
still around 40 hours, as it has been since the 1950s, while with pension
funds depleted by an aging population and the credit crunch many people are
worried if they will not be able to retire as early as 65.  Not only that,
but with computers, e-mail, the Internet, and cellphones, in many fields of
work employees are expected to deal with business matters 24/7.  So what did
happen to the "leisure boom"?  Obviously it's wise to anticipate likely
developments and be prepared for them, but the main RISK seems to be
planning in detail for a future which turns out to be quite different to
what's expected.

> (1) The problem isn't AI, or other forms of automation, it's the use to
> which AI and automation are put and the basic mechanisms for allocating and
> deploying resources in our society.

2. Not sure what this has to do with RISKS, but... this seems to take the
view that there's a fixed amount of health, wealth, and happiness in the
world, and there must be a better way of sharing it fairly, if only we could
find it; I'm not convinced, but then I'm just an engineer.


Re: Dutch election will be counted by hand (Thorson)

Richard Bos
Tue, 21 Feb 2017 11:41:53 GMT
> Netherlands reverts to paper ballots and hand counting to thwart hackers.

This has another effect, not mentioned in the article but which I am going
to experience directly—and for once, in RISKS, it's a positive one.
Because they want to count the votes by hand, they need people to do the
counting. For this, the government has sent out a call for volunteers.  I
will be one of them. It's personally unpaid, but you do get a bit of money
for a local club - in my case, my chess club.  Now, it's hardly as if this
is going to kick-start my political career.  You certainly won't be able to
vote for me in the next election. After all, I'm there mainly for my chess
club. But it _is_, in a trivial but very hands-on way, a chance for ordinary
citizens to be _directly_ involved in the election process. And in my eyes,
that can only be good for our democracy, hacking or no hacking.


Re: Old Intel Chips (RISKS-30.15)

Andrew Duane <e91.waggin@gmail.com>
Wed, 22 Feb 2017 10:23:38 -0500
In Risks 30.15, Martin Ward wrote:

> A chip less than four years old is basically still in "alpha test"

That's not quite a fair characterization of this particular bug. I work for
one of the companies significantly hit by this issue (*not* Intel), and I
have many years background in hardware design so I've been messaging it to a
lot of people in and around here lately.

The issue is a slight degradation of a small but critical circuit inside the
chip that over a time measured in years will age a bit faster than
expected. The years it takes the issue to even surface, coupled with the
very small reduction in MTBF means it is not at all surprising that it took
this long to find a couple of gates/wires that may not have been engineered
quite as well as they should have been.

To characterize this as Alpha Test is not fair at all. All chips have
problems throughout their life. Some are invisible, some are not. Some take
a long time to discover, some surface very quickly. Sadly, the kinds of
boards that use this chip are in very visible places thanks to them running
the Internet. And that Internet itself has published this result far and
wide.  Irony at work.

That said, this is one of those risks of small embedded things out there
that have latent issues and little ability to patch or service. In this
case, there is no software remediation to patch, it requires a hardware
fix. Major vendors like us will be repairing and upgrading boards. But how
many small $100 appliances out there will just stop one day and be tossed
in the trash?


Re: Cooperative Bank sends a text with a dyn.co link (Ward, RISKS-30.15)

Richard Bos
Tue, 21 Feb 2017 12:00:26 GMT
> How can we persuade people not to click on dodgy links in emails and text
> messages when legitimate companies send out genuine messages with links that
> are indistinguishable from phishing attempts?

We cannot.

As far as I can tell, the only way to stop companies from sending out such
deleterious emails is to switch banks, but unfortunately that is often
prohibitively impractical.


Re: Cooperative Bank sends a text with a dyn.co link (Ward, RISKS-30.15)

Andrew Duane <e91.waggin@gmail.com>
Wed, 22 Feb 2017 10:09:59 -0500
This reminds me of days not too far past with Verizon Wireless. I signed up
for paperless electronic billing when it started many years back. Some weeks
later, I got an email from vzw.com rather than verizonwireless.com with the
subject "Important Message about your Verizon Wireless Bill" and a "click
here to read" link that pointed to some unknown domain with no relation to
Verizon, and a pdf file named something like "info_<date>.pdf".  Hmmmm, sure
sounds legit to me.

It turns out it was in fact my monthly bill, provided by some third-party
billing service Verizon hired. I complained the same way Martin did and in a
few months new emails started arriving that said "Here's your Verizon Bill"
with a link to the right company. At least they did something about it
fairly quickly.


Re: Facebook Trending (RISKS-30.11)

Michael Bacon - Grimbaldus <michael.bacon@grimbaldus.com>
Thu, 23 Feb 2017 18:35:07 +0000
That reminds me too of the 1970s report, attributed to IBM, that 90% [it
varied] of businesses failed within 18 months of a computer fire.

It was way before many, let alone most, businesses had a computer, was not
exclusively to do with fire, and didn't come from IBM.  It related to small
businesses failing after losing their sole premises to some disaster.

It also reminds me of the exchange in Yes Minister (a U.K. TV series) in
which a drunken Home Secretary has collided with a nuclear waste lorry.  The
Whitehall mandarin, Sir Humphrey Appleby announces that, "It leaked out."
Aghast, the Minister exclaims, "The nuclear waste?"  "No, Minister.  The
story."


Re: "The missile may have veered ... towards the United States" (Black, RISKS-30.15)

Richard Bos
Tue, 21 Feb 2017 12:20:56 GMT
> All missile launches...including subs...have a missile safety officer
> Their sole job is to have their finger on the detonate button if something
> goes wrong.

That, however, is not the problem. The problem is that the Prime Minister -
the recently succeeding, not personally elected PM - knew about this test,
and failed to inform Parliament. And she committed this lapse of faith, not
in time of war when such leaks might have led to panic, but at the time of
a parliamentary debate on the future of Trident itself, when such
information, including necessary technical nuances such as yours, was
definitely due to the MPs.  Would this added information have changed the
outcome of the decision?  _Should_ it have? Nobody can now tell. But one
thing is certain: Theresa May treated her Parliament with disdain and a lack
of /bona fide/, and _that_, regardless of any missile test, is well worth
getting riled up about.

> The extremely poor scientific reporting that goes on in the media leaves a
> lot of people with bad and/or incomplete information....

This is true enough, but this scandal is not about the science, but
about the political misbehaviour afterward.


Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp (Wols Lists, Risks-30.12)

<ok@cs.otago.ac.nz>
Tue, 21 Feb 2017 21:22:23 +1300
Wols Lists wrote about PL/I that "A misplaced parenthesis ran a serious risk
of still leaving you with a valid program, but one that did something
completely different from what you intended.  Caused by the massive
overloading of the meaning of said character."

It is well to understand old blunders so that we can avoid them.

Parentheses were used just three ways in PL/I:
 - fixed syntax, as in DO WHILE (expr); ... END;
   The pattern <keyword>(<stuff>) is common.
 - grouping, for expressions and declarations.
 - enclosing procedure arguments and array subscripts,
   which have the same form, as in Fortran.
"Massive overloading"?  Only if you think parentheses are
massively overloaded in C, C#, JavaScript, Ruby, ...

A feature was copied from Fortran, because of its "familiarity"
and "naturalness".  That is that procedure arguments were passed
by dummy variable.  Supply a variable, and the procedure can
change it.  Supply an expression, and it's assigned to a hidden
variable, so it's sort of like pass by value.  So

CALL PROC(VAR);   /* PROC can change VAR */
CALL PROC((VAR)); /* PROC cannot change VAR */

Worse than that, if the attributes of VAR did not match the
attributes of the formal parameter, there was an *invisible*
conversion from VAR to whatever was expected, making it an
expression that just *looks* like a variable.  E.g.,
DECLARE PROC ENTRY(DECIMAL FIXED (9,0));
DECLARE VAR BINARY FIXED (31,0);
... CALL PROC(VAR); /* invisible conversion, PROC can't change VAR */

From which we learned that
 (1) invisible conversions are a bad idea (hello, C++, Java, &c)
 (2) it's really good if you can tell whether an actual
     parameter is passed by reference or value by the
     form of the call (actually, almost nobody learned this).


Re: WiReD—Product is Mis-Identified (Bechtel, RISKS-30.15)

tanner andrews <tanner@payer.org>
Wed, 22 Feb 2017 09:07:14 -0500 (EST)
> wired sells articles

No.  It sells eyeballs.  The articles are how it draws the viewers, but the
viewers are the product for which money is taken.

The ad blockers may interfere with this revenue model, but the alternative
is that the suppliers of eyeballs (to wit, readers) expose themselves to the
risk of what the ad networks furnish.  The ad networks will happily furnish
malware, java scripts, pop-ups, and other evil things.

The installation of malware, pop-ups, and the like will
reduce the ability of eyeballs to present themselves.
Thus, over time, the business model destroys its product,
and this may not be sustainable.


Re: WiReD (Bechtel, RISKS-30.15)

Michael Kohne <mhkohne@kohne.org>
Wed, 22 Feb 2017 10:16:10 -0500
I think the problem here is that many folks do not run ad-blockers in order
to block ads.  They run ad-blockers in order to avoid their systems being
infested by malware coming in through the ad network.  They run ad-blockers
in order to avoid their systems suddenly slowing down because an ad has
started doing something processor intensive.  They run ad-blockers in order
to avoid their browsers spawning new tabs which start playing video or
audio.  They run ad-blockers because some ads are fantastically creepy in
how they target you for certain products after you look at something on one
website.

In other words: The presence of ads IS NOT the problem. It's the form of the
ads, and the potential for harm that comes with them that's the problem.

Most web sites don't control their own ad content - they use ad networks
that pick the ads on the fly based on all sorts of factors.  And these ad
networks are regularly used as malware vectors (even though they try REALLY
hard to avoid it).

If the websites want people to not block ads, then perhaps the solution
isn't ad-blocker-blockers, but rather, ads that aren't annoying,
in-your-face, blaring-out-your-speakers video, which oh yea might also have
some malware tagging along for the ride.

In other words, if they don't want people using ad blockers, perhaps the
websites should take control of their own ads, make some guarantees about
what's OK and what's not, and stop being stalker-level creepy.


Re: WiReD (Kohne, RISKS-30.16)

John Bechtel <john@bechtel.me.uk>
Thu, 23 Feb 2017 11:29:58 +0000
Yup.  Absolutely.  But it's not my website, I am merely a visitor to it.  If
I don't like what they do, be it ads or indeed malware (and yes, I use an ad
blocker primarily for that also), then I don't go there.  It's their decision
to make about how they treat their site visitors (knowingly or unknowingly),
it's our decision to be treated that way or not.


Re: WiReD (Bechtel, RISKS-30.16)

Michael Kohne <mhkohne@kohne.org>
Thu, 23 Feb 2017 07:28:00 -0500
Fair enough. I think, personally, that by just walking away we let these
bozos go on believing that people are just cheap, instead of there being a
number of valid reasons that people run ad-blockers. The market may catch up
to them at some point, but who knows what we'll lose along the way?
