The Risks Digest


Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 22

Monday 3 April 2017

Contents

Automated Weather Observation failure closes airport
Tri-City Herald via Clay Jackson
Galaxy S8 face recognition already defeated with a simple picture
Ars Technica
FAKE NEWS!! The best and worst April Fools' Day stories
The Guardian
April Fools' Day pranks 2017—a complete list of all of the day's Internet hoaxes
The Washington Post
Lawmakers confuse 'oversight' and 'overlook'
EFF's EFFector
The Future of Free Speech, Trolls, Anonymity and Fake News Online
Pew
Why Tug on ATMs
Krebs
Re: Risks from falsified Data
A Michael W Bacon
David Alexander
Re: Fake Sleuths: Web Gets It Wrong
Kelly Bert Manning
Re: NASA Fireworks
Wols
Bruce Hunter
Re: Self-checkout at grocery stores and elsewhere
Kelly Bert Manning
Re: US Congress rapes privacy, they are next
Joseph Brennan
Info on RISKS (comp.risks)

Automated Weather Observation failure closes airport

Clay Jackson <clayj@nwlink.com>
Sat, 1 Apr 2017 15:07:37 -0700
http://www.tri-cityherald.com/latest-news/article141439099.html

What happens when there are no human controllers available?


Galaxy S8 face recognition already defeated with a simple picture

Monty Solomon <monty@roscom.com>
Sat, 1 Apr 2017 21:52:36 -0400
https://arstechnica.com/gadgets/2017/03/video-shows-galaxy-s8-face-recognition-can-be-defeated-with-a-picture/


FAKE NEWS!! The best and worst April Fools' Day stories (The Guardian)

Monty Solomon <monty@roscom.com>
Sat, 1 Apr 2017 14:00:40 -0400
https://www.theguardian.com/theguardian/2017/apr/01/fake-news-the-best-and-worst-april-fools-day-stories


April Fools' Day pranks 2017—a complete list of all of the day's Internet hoaxes (The Washington Post)

Monty Solomon <monty@roscom.com>
Sat, 1 Apr 2017 21:14:01 -0400
https://www.washingtonpost.com/news/the-intersect/wp/2017/03/31/an-updated-and-depressing-list-of-all-the-april-fools-pranks-on-the-internet/


Lawmakers confuse 'oversight' and 'overlook' (EFF's EFFector)

"EFFector List" <editor@eff.org>
Sat, 01 Apr 2017 09:14:28 -0700
EFFector Vol. 30, No. 7  April 1, 2017  editor@eff.org

A Publication of the Electronic Frontier Foundation
ISSN 1062-9424

  effector: n, Computer Sci. A device for producing a desired change.

EFF Updates

* Surveillance Oversight Committees Confused 'Oversight' and 'Overlook'

The bipartisan leaders of the House and Senate Intelligence Committees
apologized during a press conference this morning for failing to provide
rigorous supervision of the intelligence community, blaming past years'
inaction on a fundamental misunderstanding of the word *oversight*.  House
Intelligence Chairman Devin Nunes: "It was merely a miscommunication.  We
had mixed up the word *oversee* and the word *overlook*.  We thought we were
supposed to overlook the mistakes of the intelligence community, not provide
oversight."  Senate Intelligence Committee Richard Burr said, "We
unequivocally condone the privacy invasions committed by U.S. intelligence
agencies. Oh shoot, I mean condemn."  https://www.eff.org/pages/04/01

* European Union Announces Plan for Privacy Wall Around U.S.

European Union Commissioner for Justice Vera Jourova announced plans today
to permanently protect Europeans' data from U.S. government spying with the
newest transnational data agreement: Privacy Wall. Once approved by the
European Commission, the EU will begin constructing a thirty-foot wall
around the United States. Only U.S. tech companies that comply with EU
privacy restrictions and prohibit U.S. government access to their data will
be given fiber optic grappling hooks to transport Europeans' data across the
Atlantic, over the wall, and back to their U.S.-based
servers. U.S. lawmakers appeared unfazed by U.S.  companies' complaints that
Privacy Wall will effectively kill their business abroad, but they responded
to alarm bells raised by officials in the intelligence community who are
concerned about losing generalized access to Europeans' data.
https://www.eff.org/pages/04/01

* In Major Mix-Up, Oscar for Best Film Goes to Most Torrent-ed Movie

The Academy Awards suffered an astounding embarrassment this week when
presenters Alfonso Ribeiro and Mayim Bialik incorrectly handed out the Oscar
for Best Film to the most-frequently torrent-ed movie of 2016, Deadpool,
instead of the actual winner, Moonlight. Hollywood is blaming the mistake on
accounting firm PricewaterhouseCoopers, which is responsible for guarding
the envelopes containing names of both Oscars winners and TorrentFreak's
list of most frequently torrent-ed films. Having been left off the list of
Best Film nominees altogether, Deadpool director Tim Miller and lead actor
Ryan Reynolds were not in attendance at Sunday night's Oscars, giving Kanye
West time to take the stage and correct the mistake.
https://www.eff.org/pages/04/01

* FBI Seeks Technical Backdoor to Un-Mute iPhones

Frustrated by silence on conference calls, the FBI is asking Apple to
provide a backdoor so that the agency can un-mute iPhones across the world
without the iPhone users' consent.  "It's incredibly frustrating when
you're waiting for someone to chime in on a conference call, and they're
still on mute," FBI Director Jim Comey said at a press conference
today. Comey appeared unmoved by arguments from technology and civil
liberties advocates that creating a backdoor into all iPhones would
undermine the privacy and security of tens of millions of technology users
around the world.  "Our work to protect this country's national security is
too important to wait the seconds it takes for our analysts to unlock and
un-mute their phones," Comey said. When asked if the FBI was seeking a
similar accommodation from Android-developer Google, Comey at first laughed,
but quickly sobered and asked "wait, people still use Android?"
https://www.eff.org/pages/04/01

* EFF Releases Surveillance Self Defense for In-Person Meetings

EFF is out with an updated Surveillance Self Defense guide today that
includes, for the first time, security tips for in-person
meetings. Highlights include recommendations for verifying a person's
identity, evading facial recognition systems, and circumventing
censorship. For instance, you should have anyone you meet print off their
public PGP key on red paper, fold that paper into the shape of a flower, and
pin that paper flower to their lapel. Additionally, the guide recommends
drawing Kiss-style shapes on your face with eyeliner to protect yourself
from facial recognition technology and constantly carrying around a bullhorn
so you can shout louder than anyone trying to limit your free speech.
https://www.eff.org/pages/04/01

* EFF Gives Posthumous Lifetime Achievement Pioneer Award to Perfect 10

EFF is awarding a 2017 Pioneer Award to recently-defunct men's magazine and
prodigious copyright-litigation-loser, Perfect 10. EFF established the
Pioneer Awards in 1992 to recognize leaders on the electronic frontier who
are extending freedom and innovation in the realm of information
technology. The awards celebrate those who have contributed substantially to
the health, growth, accessibility, or freedom of computer-based
communications.  Perfect 10 is receiving a posthumous lifetime achievement
Pioneer Award this year for its cutting-edge strategy of losing copyright
lawsuits in order to advance the doctrine of fair use. After losing cases
against Amazon, Google, CCBill, and Megaupload, Perfect 10 was finally
liquidated in March of this year to satisfy a litigation debt to yet another
victorious defendant, Giganews. We salute Perfect 10’s dozen-year campaign
to help make the Internet more free by consistently losing in court. Bravo!
https://www.eff.org/pages/04/01

* Intelligence Community Unveils Emotional Vulnerabilities Program

Director of National Intelligence Dan Coats today revealed a new program by
which the U.S. Intelligence Community will, when appropriate, disclose
information about emotional vulnerabilities it discovers in the course of
its national security work. Building off of the widely celebrated success of
the vulnerabilities equities process (which still exists, we think?),
U.S. intelligence agencies will begin sharing and sometimes publishing
information about the personality quirks it discovers as it conducts
surveillance of law-abiding Americans. “We hope to make the country more
secure by letting people know that their roommate has arachnophobia, their
brother is addicted to tanning beds, and their mother has a fear of being
abandoned by her children,” said Coats after flinching away from a pigeon
that wasn't even flying toward the DNI.  https://www.eff.org/pages/04/01

miniLinks

White House Supports Day without a (Internet) Troll

Following the success of the Day Without a Woman general strike in March,
the White House has thrown its support behind today's Day without a Troll
Strike, during which all Internet trolls will disappear from comment
sections and forums online.  https://www.eff.org/pages/04/01

Comcast to Assimilate with the Borg

Looking to increase its market share, nationwide reach, and overall
reputation for evil, the Borg has announced that it is assimilating
broadband giant Comcast. “This merger will benefit consumers and boost
broadband competition, and the federal government should quickly approve
it,” Comcast's David Cohen said in a statement. “Plus, resistance is
futile.” https://www.eff.org/pages/04/01

White House Releases Diceware Passphrase List

In an attempt to demonstrate President Donald Trump's tech savvy, the White
House has released a list of suggested words to use when attempting to
create a secure passphrase. "Our list has the best words," said White House
Press Secretary Sean Spicer. "Words like tremendous, disaster, MAGA,
big-league, low-energy, beautiful, and winning. Sad!"
https://www.eff.org/pages/04/01

FBI Director Acknowledges Secure Backdoors Are Impossible

FBI Director Jim Comey said today that his agency, agreeing with technical
experts, has officially concluded that it is impossible to create a backdoor
into encrypted technologies without undermining users' security. Nope, even
that's too ridiculous for an April Fools' newsletter.
https://www.eff.org/pages/04/01

815 Eddy Street, San Francisco, CA 94109-7701, United States


The Future of Free Speech, Trolls, Anonymity and Fake News Online (Pew)

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 2 Apr 2017 18:52:13 PDT
http://www.pewinternet.org/2017/03/29/the-future-of-free-speech-trolls-anonymity-and-fake-news-online/


Why Tug on ATMs (Krebs)

"Alister Wm Macintyre (Wow)" <macwheel99@wowway.com>
Sun, 2 Apr 2017 11:39:30 -0500
https://krebsonsecurity.com/2017/03/why-i-always-tug-on-the-atm/

  [This item is a very nice warning about one of the clever ATM skimmer
  augmentations: real ATMs with a Fake Camera-based Appendage.  PGN]


Re: Risks from falsified Data (RISKS-30.20,21)

A Michael W Bacon <amichaelwbacon@gmail.com>
Sat, 1 Apr 2017 19:16:30 +0100
There were reports that, at the start of the Falklands War, the French
government declined to disclose the codes that would cause Exocet missiles
(that they had sold to the Argentine air force) to abort/self-destruct.
After HMS Sheffield was severely damaged (and scuttled as a war grave of 20
dead sailors), they disclosed the codes.  No warship was hit after then,
only a requisitioned civilian RoRo vessel that lacked the technology to
communicate with the in-bound missiles.  SS Atlantic Conveyor was hit by two
Exocets, killing 12 crewmen and badly injuring many others in the ensuing
fires.

Eight years later, there were reports that, in Operation Desert Storm ("Gulf
War I"), the Bloodhound ground-to-air missile system sold by Britain to the
Iraqis was mysteriously unable to hit Coalition aircraft transmitting a
particular IFF code.  There were also reports of Bloodhound missiles,
launched against RAF aircraft, turning around after launch and hitting the
launchers instead.  When I was "tidying up" in Kuwait after the war had
ended, I was informed (by a reliable source) that British crews at least had
been told they could ignore launch indications and were not to waste
missiles on the launchers.  The missile system had been "chipped".


Re: Risks from falsified Data (BBC, RISKS-30.20)

David Alexander <David.Alexander@paconsulting.com>
Mon, 3 Apr 2017 15:10:44 +0000
With regard to the mention of the item on the BBC website that discusses
an alternative and much more subtle version of malware making changes to
data which, while being too small to notice immediately, result in system
failure, I have a real-world example.

Many years ago I was asked to investigate why a relatively small financial
accounting system dealing with regular payments contained an increasing
number of discrepancies from the paper records. It turned out that the
organisation in question had hired a programmer with a habit of getting
themselves fired from jobs without checking any of their references first.
Sure enough, they managed to get fired from this job too.

Said programmer had written a cron job which was set to start a (fairly well
hidden) script if the programmer either had their user account deleted or
they didn't log in for 3 months. The program generated 4 random numbers of 3
digits, two single digit numbers and the last of 2 digits for example 894,
6, 2 & 74. This would change every 894th instance of a 6 into a 2, then the
job would sleep for 74 days and run itself again, generating 4 new random
numbers. It kept no record of its actions. This is insidious, as there is no
traceability, other than who set it up and when it first ran (based on the
date that the programmer was fired). We had no way of knowing for certain
how many times it ran or what it changed.

By the time anyone realised that the variances were something more than
keyboard input errors it had been running long enough for the subtle but
incremental effects to be present in the Father and Son backup tapes. A copy
of the records had to be recovered from the Grandfather tape and a lot of
data had to be manually checked and re-entered from paper copies of the
records to bring it up to date. To my knowledge this incident never went
public, hence my reluctance to name names or places, and it was at least 20
years ago (and before the Computer Misuse Act came into effect) so I
couldn't be 100% certain of the finer points - I've slept since then.
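The tamper described above left no trace in the application, and by the time it was noticed every backup generation except the oldest already carried the altered figures. The usual defensive answer is an integrity record kept outside the system being protected, so that a silent change to a stored value is detectable without trusting either the application or its backups. The following is an added example (not part of David Alexander's post, and not the system he describes): each payment record is sealed with an HMAC under a key the application account cannot read, the seals are stored on a separately administered host, and a verification pass compares live records against them. The record format, the key, and the sample payments are all constructed for the example.

```python
"""
Added example: an out-of-band integrity ledger for accounting records.

Assumptions (all constructed for this example, not taken from the post):
- records are (record_id, amount) pairs with the amount as a decimal string;
- the sealing key is held where the application account, and therefore any
  cron job running as it, cannot read it (an HSM, KMS or separately
  administered host), so altered rows cannot simply be re-sealed;
- backups are never used as the reference, because a slow tamperer
  contaminates every backup generation before anyone notices.
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str]  # (record_id, amount as a decimal string)

# Constructed key for the example; in practice loaded from an HSM/KMS.
SEALING_KEY = b"example-only-key-kept-off-the-application-host"


def seal_record(record_id: str, amount: str, key: bytes = SEALING_KEY) -> str:
    """HMAC-SHA256 over id and amount. Each field is length-prefixed so that
    ("12", "345") and ("123", "45") produce different messages."""
    msg = f"{len(record_id)}:{record_id}|{len(amount)}:{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_records(records: Iterable[Record], key: bytes = SEALING_KEY) -> Dict[str, str]:
    """Build the ledger (record_id -> seal). It is written append-only to a
    host the application cannot modify, separately from the database."""
    return {rid: seal_record(rid, amt, key) for rid, amt in records}


def verify_records(records: Iterable[Record], ledger: Dict[str, str],
                   key: bytes = SEALING_KEY) -> Dict[str, List[str]]:
    """Compare live records with the ledger. Reports ids whose value no
    longer matches its seal, ids present in the ledger but absent from the
    live data, and ids that appeared without ever being sealed."""
    seen = set()
    modified: List[str] = []
    unsealed: List[str] = []
    for rid, amt in records:
        seen.add(rid)
        expected = ledger.get(rid)
        if expected is None:
            unsealed.append(rid)
        elif not hmac.compare_digest(expected, seal_record(rid, amt, key)):
            modified.append(rid)
    missing = sorted(set(ledger) - seen)
    return {"modified": modified, "missing": missing, "unsealed": unsealed}


# Constructed sample of regular payments (amounts in pence).
SAMPLE_RECORDS: List[Record] = [
    ("PAY-0001", "61600"),
    ("PAY-0002", "4250"),
    ("PAY-0003", "36750"),
    ("PAY-0004", "9600"),
]


def demo() -> Dict[str, List[str]]:
    """Seal the sample, simulate one silently altered digit (a 6 becoming a
    2, the kind of change described in the post) and run verification."""
    ledger = seal_records(SAMPLE_RECORDS)
    live = list(SAMPLE_RECORDS)
    # Simulated corruption: 36750 -> 32750, a one-digit difference that a
    # human reconciling against paper records would easily read past.
    live[2] = ("PAY-0003", "32750")
    return verify_records(live, ledger)


if __name__ == "__main__":
    print(demo())  # {'modified': ['PAY-0003'], 'missing': [], 'unsealed': []}
```

Run the verification on a schedule from the ledger host, not from the application host, and alert on any non-empty result; a single flagged record is enough to start the investigation long before the discrepancies reach the backup rotation.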


Re: Fake Sleuths: Web Gets It Wrong

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Sat, 1 Apr 2017 19:04:43 -0400 (EDT)
This also happened after the Boston Marathon bombing.

Based on brown skin and dark hair, Reddit users piled onto a witch hunt that
misidentified missing, already dead (4 weeks), Brown University student
Sunil Tripathi as one of the bombers.

http://www.cjr.org/analysis/sunil_tripathi_was_already_dead.php

"He was wrongly accused on Reddit, convicted on Twitter, and vilified on
Facebook"

Someone using a scanner to monitor police radio heard "Last name: Mulugeta,
M-U-L-U-G-E-T-A, M as in Mike, Mulugeta." in a context that had nothing to
do with the bombing and decided that "Mike Mulugeta" was one of the bombers.

https://www.theatlantic.com/technology/archive/2013/04/-bostonbombing-the-anatomy-of-a-misinformation-disaster/275155/

http://www.dailymail.co.uk/news/article-3035378/It-beast-Moderator-Reddit-s-Boston-Bombers-thread-tells-millions-users-descended-subreddit-days-attack-identified-wrong-suspect.html

https://en.wikipedia.org/wiki/Sunil_Tripathi

News media then piled on by the 100s, trying to contact Tripathi's family
for sound bites and surrounding his parents' home.

http://www.imdb.com/title/tt4087340/

So what triggers people to get it so wrong?

Bruce Schneier talks of people overestimating unfamiliar risks while
underestimating familiar risks. Were people trying to reduce their anxiety
level by trying to convert a vague nebulous risk to a (mis)identified risk?
This gave them Tripathi and his family as a target for their outrage. Did
venting that outrage make them feel better?

Some people crave attention. Coming up with a name in an incident such as
this gets them attention, but for all the wrong reasons.


Re: NASA Fireworks (Seifried, RISKS-30.21)

Wols Lists <antlists@youngman.org.uk>
Sat, 1 Apr 2017 19:22:39 +0100
What on earth was NASA doing in possession of ITAR data?  Unless, of course,
they needed permission to send arms into space?


Re: NASA fireworks - collateral damage?

Bruce Hunter <brucer.hunter@gmail.com>
Sun, 2 Apr 2017 14:27:11 +1000
The interesting aspect of this report is that it is an excellent example of
where security countermeasures (in this case patches) can conflict with
safety controls (in this case the fire alarm system).

Standards are starting to recognise not only the importance of protecting
control systems and functional safety from cyber attack, but also the need
to manage the risk of incompatibility between safety functions and
cybersecurity countermeasures. The evolving ISA/IEC 62443 series does give
good guidance that tries to address the gulf of understanding between the
safety and security domains.

Balancing diverse risks is becoming an interesting but challenging need
for safety-related systems.


Re: Self-checkout at grocery stores and elsewhere

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Sun, 2 Apr 2017 15:08:30 -0400 (EDT)
Some people responded that they wanted store clerks to keep their jobs. That
is a valid personal action based on reasoning from personal ethical
principles. However, how many of us could afford to make as many phone calls
or send as much email or text if every connection still had to be manually
connected at the network switch centre and along the path?

Others commented that check out clerks are more efficient than most
individuals. Your checkout clerk may vary. Also, as usual, "it depends".

Most supermarkets have a multi-server multi-queue setup. Picking the wrong
queue is a prescription for time out of your life that you will never get
back, although some local supermarkets, Walmarts, Canada Tires and Home
Depots have a blend of both multi queue and single queue and attended or
self serve checkouts.

(multiserver, single queue - Wendy's or most banks)

(multi queue multi server - classic McDonald's and most supermarkets and
other stores)

I am immune compromised. Waiting until a self serve checkout is unused
avoids close association with people in line and with the clerk. Depending
on the time of day / week that can be zero queue time, while check outs with
attendants rarely have no queue. Stores close tills and redirect staff to
other work if queues stop forming.

At a local drug store recently I was subjected to a memorised pitch for one
of their loyalty points cards, despite saying repeatedly "no, not
interested, the answer was no" as the rote pitch went on and on. I then
pointed out that she was being disrespectful of my time and the time of the
people waiting in the queue. Afterward, I contacted the chain to complain,
pointing out that assuming that I didn't get the message the first 10 times
in recent years is hardly a compliment, that I didn't shop there often
enough to make it worth my time, and that this experience made me less
likely to shop there in the future. The clerks often repeat the pitch for
each customer, even when they have heard it already while waiting in the
queue.

Credit Bureaus such as Equifax point out that credit and discounts are often
a trade off of privacy versus cost and credit. Higher credit risk involves
higher prices, discount cards require you to pay with personal information,
in addition to cash. My response to Equifax was that my wife and I make a
point of not having mortgage, auto loan, or other debt to preserve our
privacy. Only people who use credit should have their information profile
collected or released by Credit / Personal Information Reporting
Bureaus. Cash should be sufficient payment for goods and services. Customers
should not have to pay with personal information such as names, phone
numbers and personal purchase profiles, in addition to cash, unless there is
a regulatory or statutory requirement to obtain the personal information.

I have Asperger's Syndrome. I find the tendency of clerks to engage in
banter annoying, confusing, and disrespectful of the time of the people
being served, and the customers waiting in line. It detracts from the
clerk's efficiency and interferes with their ability to make the correct
change. Why do they often fail to enter the cash received correctly? Why
can't they just give you the change amount shown on the till and the
receipt, rather than trying to do arithmetic in their head because they
don't realise that the amount is displayed for them and that they are making
a mistake by trying to compute change amounts in their head?

One time I went to buy some juice when I had laryngitis. When I failed to
respond to "how are you" with the mandatory, non-optional, socially
conventional response of "fine thanks, how are you" the clerk stood there
doing nothing and staring at me, holding up me and the people in line behind
me. My laryngitis was quite evident when I responded that "I have laryngitis
and I think that it is unprofessional of you to insist on chatting when
people are waiting in line". People on the Autism Spectrum often have to be
told that the "how are you" "fine thanks how about you" thing is a
non-optional, mandatory, social convention, and that people will often get
annoyed if you actually tell them how you are.

  [Thanks.  However, that's probably enough on this thread.  PGN]


Re: US Congress rapes privacy, they are next

Joseph Brennan <brennan@columbia.edu>
Mon, 3 Apr 2017 10:11:06 -0400
I doubt the ISPs will be dumb enough to sell the data. Google and Facebook
don't sell theirs. It's the crown jewels. If the ISPs follow that model they
will place ads on behalf of the advertisers, based on the data, which the
ISPs will keep to themselves.

But what liability is on the ISPs when this data is inevitably breached?
Nothing?
