The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 43

Monday 14 August 2017


Scientists Fear Trump Will Dismiss Blunt Climate Report
Rich Kulawiec
How the Indiana GOP Used Uneven Early Voting Rules to Tamp Down Democratic Votes
Ed Kilgore
Russian Cyberattack Targeted Elections Vendor Tied To Voting-Day Disruptions
Former MI5 chief warns against cracking down on encryption
The Guardian
UK Law Proposal to Criminalize Re-Identification of Anonymized User Data
Bleeping Computer
VPN Provider Accused of Sharing Customer Traffic With Online Advertisers
Bleeping Computer
Internet Archive blocked by government of India
Apple's troubles in China have just started, after it removed more than 400 VPN apps
Botched Firmware Update Bricks Hundreds of Smart Door Locks
Catalin Cimpanu
"Driverless" van in Virginia
Mark Thorson
HPE's future for us
Is LIBOR, Benchmark for Trillions of Dollars in Transactions, a Lie
Matt Taibbi
Malicious code written into DNA infects the computer that reads it
Devin Coldewey
The Guy Who Invented Those Annoying Password Rules Now Regrets
UK Airlines and rail companies face huge fines for IT meltdowns
The Telegraph
Cyberattack on UCLA server potentially accesses student information
Daily Bruin
Bruce Springsteen Is Bringing His Music and His Memories to Broadway
The New York Times
Secrets of Silicon Valley - the Persuasion Machine
Brian Randell
Re: The Death of Ruby? Developers Should Learn These Languages
Kelly Bert Manning
Re: Mozilla launches new effort to counter fake news
Jonathan M. Smith
Re: Fishy circumstances cause power outage in Seattle
Michael Bacon
Info on RISKS (comp.risks)

Scientists Fear Trump Will Dismiss Blunt Climate Report (The NYTimes)

Rich Kulawiec <>
August 8, 2017 at 1:35:33 PM EDT
Science section of 2018 National Climate Assessment leaked to The NYTimes


  The report concludes that even if humans immediately stopped emitting
  greenhouse gases into the atmosphere, the world would still feel at least
  an additional 0.50 degrees Fahrenheit (0.30 degrees Celsius) of warming
  over this century compared with today. The projected actual rise,
  scientists say, will be as much as 2 degrees Celsius.

  A small difference in global temperatures can make a big difference in the
  climate: The difference between a rise in global temperatures of 1.5
  degrees Celsius and one of 2 degrees Celsius, for example, could mean
  longer heat waves, more intense rainstorms and the faster disintegration
  of coral reefs.

  Among the more significant of the study's findings is that it is possible
  to attribute some extreme weather to climate change. The field known as
  "attribution science" has advanced rapidly in response to increasing risks
  from climate change.

The report:

It's 673 pages.  The executive summary is readable by a general audience, but
some science background would be helpful for some of the chapters.

How the Indiana GOP Used Uneven Early Voting Rules to Tamp Down Democratic Votes (Ed Kilgore)

Dewayne Hendricks <>
August 11, 2017 at 8:11:35 AM EDT
Ed Kilgore, NYMag, 10 Aug 2017

Sometimes, disputes over voting rights are hard to sort out, since they are
often loaded with legalese and hinge on obscure election procedures. But an
investigative report by the Indianapolis Star lays out a pretty
open-and-shut case of voter suppression by the Indiana GOP:

State and local Republicans have expanded early voting in GOP-dominated
areas and restricted it in Democratic areas, an IndyStar investigation has
found, prompting a significant change in Central Indiana voting patterns.

That made voting more convenient in GOP areas for people with transportation
issues or busy schedules. And the results were immediate.

How much more convenient, you may ask? A lot:

Hamilton County saw a 63 percent increase in absentee voting from 2008 to
2016, while Marion County saw a 26 percent decline. Absentee ballots are
used at early voting stations.

Voter registration during this period was up in both counties.

There's not much mystery about why the trends and the decisions that drove
them started happening after the 2008 elections: That's when Indiana went
Democratic in a presidential election for the first time since 1964, and
only the second time since World War II. Marion County (Indianapolis) had
three early voting sites in 2008. Republicans changed that immediately.

State law requires a unanimous vote from county election boards to create
more than one early voting site. The Democrats on the boards in both urban
Marion and suburban Hamilton Counties voted for more sites. The Republicans
in Hamilton did, too—but not the sole Republican in Marion.

[F]our attempts to expand early voting in Marion County have been approved
by Democrats, but blocked by the county's lone GOP representative on the
elections board.

In May, Common Cause Indiana and the NAACP's Indianapolis chapter filed a
lawsuit against the Marion County Election Board, Lawson and individual
members of the Marion County Election Board, along with Marion County Clerk
Myla Eldridge over the lack of early voting locations in the County.

Russian Cyberattack Targeted Elections Vendor Tied To Voting-Day Disruptions (NPR)

Gabe Goldberg <>
Thu, 10 Aug 2017 20:17:18 -0400
When people in several North Carolina precincts showed up to vote last
November, weird things started to happen with the electronic systems used to
check them in.

"Voters were going in and being told that they had already voted—and they
hadn't," recalls Allison Riggs, an attorney with the Southern Coalition for
Social Justice.  The electronic systems—known as poll books—also
indicated that some voters had to show identification, even though they did
not.  Investigators later discovered the company that provided those poll
books had been the target of a Russian cyberattack.

But wait:

  There is no evidence the two incidents are linked, but the episode has
  revealed serious gaps in U.S. efforts to secure elections. Nine months
  later, officials are still trying to sort out the details.  [...]  The
  county conducted its own investigation in November and determined that VR
  Systems' software had not failed. Some poll books had not been updated
  with the latest software, so they were displaying outdated voter
  information.  "The conclusion was that it was administrative errors that
  caused the issues on Election Day," says Bowens.

The risk? Premature conclusion jumping and misleading headlines.

Former MI5 chief warns against cracking down on encryption (The Guardian)

"Peter G. Neumann" <>
Sat, 12 Aug 2017 11:15:08 PDT

UK Law Proposal to Criminalize Re-Identification of Anonymized User Data (Bleeping Computer)

Lauren Weinstein <>
Wed, 9 Aug 2017 19:10:03 -0700
via NNSquad

  While Olejnik applauds the UK's efforts to expand user data privacy
  protections, he warns that the UK may be treading dangerous ground.
  "There are several issues with [the] banning of re-identification," he
  says. "First, it won't work.  Second, it will decrease security and
  privacy."  The biggest problem in Olejnik's eyes is that there is no
  effective way to enforce it in practice. Second, it stifles security and
  privacy researchers who often re-identify anonymized data in their day-to-day

VPN Provider Accused of Sharing Customer Traffic With Online Advertisers (Bleeping Computer)

Lauren Weinstein <>
Tue, 8 Aug 2017 11:53:35 -0700

  On Monday, the Center for Democracy & Technology (CDT)—a US-based
  privacy group—has filed a complaint with the US Federal Trade
  Commission (FTC) accusing one of today's largest VPN providers of
  deceptive trade practices.  In a 14-page complaint, the CDT accuses
  AnchorFree—the company behind the Hotspot Shield VPN—of breaking
  promises it made to its users by sharing their private web traffic with
  online advertisers for the purpose of improving the ads shown to its

Internet Archive blocked by government of India (Medianama)

Lauren Weinstein <>
August 9, 2017 at 12:57:11 AM EDT
Medianama via NNSquad

Apple's troubles in China have just started, after it removed more than 400 VPN apps (Sundry)

geoff goodfellow <>
Wed, 9 Aug 2017 08:49:14 -1000

Apple has come under considerable criticism following its decision to agree
to a Chinese government request to remove VPN apps from its local App
Store. Virtual private networks allow people in China to access sites
blocked by the government, and to ensure that authorities cannot track the
sites they visit.

App-tracking site says that the company has so far removed more
than 400 VPN apps. But while Apple is trying to maintain good relationships
with China by complying with such requests, analysts and tech commentators
believe that its troubles with the country have just started.

Botched Firmware Update Bricks Hundreds of Smart Door Locks (Catalin Cimpanu)

Jim Reisert AD1C <>
Sun, 13 Aug 2017 12:17:21 -0600
Catalin Cimpanu, BleepingComputer, 12 Aug 2017

  On Tuesday, August 8, smart locks manufacturer LockState botched an
  over-the-air firmware update for its WiFi enabled smart locks, causing the
  devices to lose connectivity to the vendor's servers and the ability to
  open doors for its users.

  Only one LockState product was affected, which is the LockState RemoteLock
  6i (also known as 6000i).

  The device costs $469 and is sold mainly to Airbnb hosts via an official
  partnership LockState has signed with the company. Hosts use the smart
  locks to configure custom access codes for each Airbnb renter without
  needing to give out a physical key to each one.

   [Also noted by Jeremy Epstein, who added this riskful thought:
     I'm not sure whether it's a research problem, or just the need for
     solid engineering, but someone needs to figure out how to make IoT
     devices that can be securely updated over a period of decades.  This
     is a problem that's going to recur endlessly.
   PGN-ed very slightly]

"Driverless" van in Virginia

Mark Thorson <>
Tue, 8 Aug 2017 11:47:03 -0700
Driven by man disguised as a car seat.
Some kind of study by the Virginia Tech Transportation Institute.

What is the Risk?  Is it a study to see if people freak out at
the sight of a "driverless" van?

HPE's future for us (Insights)

Gabe Goldberg <>
Sun, 13 Aug 2017 02:02:53 -0400
"Let's have something embedded in our eyes or attached to the nerves that go
from our eyes to our brains that will overlay data there," says Facemire,
adding that could be 10 or more years out.

Is LIBOR, Benchmark for Trillions of Dollars in Transactions, a Lie? (Matt Taibbi)

geoff goodfellow <>
Sun, 13 Aug 2017 17:06:00 -1000
Matt Taibbi, Rolling Stone, 11 Aug 2017

While nuke kooks rage, British regulators reveal rip in financial space-time
continuum and $350 trillion headache


It was easy to miss, with the impending end of civilization burning up the
headlines, but a beyond-belief financial story recently crept into public

A Bloomberg headline on the story was a notable achievement in the history
of understatement. It read:


The casual news reader will see the term "LIBOR" and assume this is just a
postgame wrapup to the LIBOR scandal of a few years back, in which many of
the world's biggest banks were caught manipulating interest rates.

It isn't. *This is a new story, featuring twin bombshells from a leading
British regulator*—one about our past, the other our future. To wit:

  "Going back twenty years or more, the framework for hundreds of trillions
  of dollars worth of financial transactions has been fictional.  We are
  zooming toward a legal and economic clusterf*ck of galactic proportions"
 —the "uncertain future" Bloomberg humorously referenced.

LIBOR stands for the London Interbank Offered Rate. It measures the rate at
which banks lend to each other. If you have any kind of consumer loan, it's
a fair bet that it's based on LIBOR.

A 2009 study by the Cleveland Fed found that 60 percent of all mortgages in
the U.S. were based on LIBOR. Buried somewhere in your home, you probably
have a piece of paper that outlines the terms of your credit card, student
loan, or auto loan, and if you peek in the fine print, you have a good
chance of seeing that the rate you pay every month is based on LIBOR.

Years ago, we found out that the world's biggest banks were manipulating
LIBOR. That sucked.

Now, the news is worse: LIBOR is made up.

Actually it's worse even than that. LIBOR is probably both manipulated and
made up. The basis for a substantial portion of the world's borrowing is a
bent fairy tale.

The admission comes by way of Andrew Bailey, head of Britain's Financial
Conduct Authority. He said recently (emphasis mine):

"The absence of active underlying markets raises a serious question about
the sustainability of the LIBOR benchmarks. If an active market does not
exist, how can even the best run benchmark measure it?"

As a few Wall Street analysts have quietly noted in the weeks since those
comments, an "absence of underlying markets" is a fancy way of saying that
LIBOR has not been based on real trading activity, which is a fancy way of
saying that LIBOR is bullshit.

LIBOR is generally understood as a measure of market confidence. If LIBOR
rates are high, it means bankers are nervous about the future and charging a
lot to lend. If rates are low, worries are fewer and borrowing is cheaper.

It therefore makes sense in theory to use LIBOR as a benchmark for borrowing
rates on car loans or mortgages or even credit cards. But that's only true
if LIBOR is actually measuring something.

Here's how it's supposed to work. Every morning at 11 a.m. London time,
twenty of the world's biggest banks tell a committee in London how much they
estimate they'd have to pay to borrow cash unsecured from other banks.

The committee takes all 20 submissions, throws out the highest and lowest
four numbers, and then averages out the remaining 12 to create LIBOR rates.

Theoretically, a fine system. Measuring how scared banks are to lend to each
other should be a good way to gauge market stability. Except for one thing:
banks haven't been lending to each other for decades.

Up through the Eighties and early Nineties, as global banks grew bigger and
had greater demand for dollars, trading between banks was heavy. That robust
interbank lending market was why LIBOR became such a popular benchmark in
the first place.  [...]
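
The submission-and-trim rule the excerpt describes, worked through in Python
as an added example (not code from the article, the FCA or any benchmark
administrator); the 20 panel values are constructed, not real submissions. It
also shows the property the trim is designed for: one bank's extreme
submission is discarded, while a small shift by a bank in the middle of the
ranking does move the result.

```python
from statistics import mean

PANEL_SIZE = 20      # twenty submitting banks, per the excerpt
TRIM_EACH_SIDE = 4   # highest four and lowest four are thrown out


def libor_trimmed_mean(submissions):
    """Benchmark rate as the excerpt describes it: rank the 20 submissions,
    drop the four highest and four lowest, and average the remaining 12.
    Submissions are estimated unsecured borrowing rates, in percent."""
    if len(submissions) != PANEL_SIZE:
        raise ValueError(
            f"expected {PANEL_SIZE} submissions, got {len(submissions)}")
    ranked = sorted(submissions)
    kept = ranked[TRIM_EACH_SIDE:PANEL_SIZE - TRIM_EACH_SIDE]
    assert len(kept) == PANEL_SIZE - 2 * TRIM_EACH_SIDE
    # Round to five decimals so results compare cleanly despite float sums.
    return round(mean(kept), 5)


# Constructed sample panel (hypothetical estimates in percent, not real data),
# listed in ranked order so the trimmed slice is easy to read off.
SAMPLE_PANEL = [1.30, 1.31, 1.31, 1.32, 1.32, 1.33, 1.33, 1.33, 1.34, 1.34,
                1.34, 1.35, 1.35, 1.35, 1.36, 1.36, 1.37, 1.38, 1.39, 1.40]


def submission_effect(submissions, index, new_value):
    """Recompute the rate after one bank changes its submission.
    Returns (rate_before, rate_after) so the change is visible at a glance."""
    before = libor_trimmed_mean(submissions)
    altered = list(submissions)
    altered[index] = new_value
    after = libor_trimmed_mean(altered)
    return before, after


if __name__ == "__main__":
    print("baseline rate:", libor_trimmed_mean(SAMPLE_PANEL))
    # An extreme submission from one bank lands in the trimmed top four and
    # changes nothing.
    print("one bank submits 5.00:", submission_effect(SAMPLE_PANEL, 19, 5.00))
    # A modest shift by a mid-ranked bank stays inside the averaged twelve and
    # does move the published rate.
    print("mid-ranked bank moves to 1.365:",
          submission_effect(SAMPLE_PANEL, 5, 1.365))
```

Note that nothing in the rule checks whether a submission reflects an actual
trade; the trim bounds the influence of any single number, which is a
different guarantee from the one the article says is missing.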

Malicious code written into DNA infects the computer that reads it (Devin Coldewey)

Dewayne Hendricks <>
Fri, Aug 11, 2017 at 1:03 AM
Devin Coldewey, TechCrunch, 10 Aug 2017

In a mind-boggling world first, a team of biologists and security
researchers have successfully infected a computer with a malicious program
coded into a strand of DNA.

It sounds like science fiction, but I assure you it's quite real—although
you probably don't have to worry about this particular threat vector any
time soon.  That said, the possibilities suggested by this project are
equally fascinating and terrifying to contemplate.

The multidisciplinary team at the University of Washington isn't out to make
outlandish headlines, although it's certainly done that. They were concerned
that the security infrastructure around DNA transcription and analysis was
inadequate, having found elementary vulnerabilities in open-source software
used in labs around the world. Given the nature of the data usually being
handled, this could be a serious problem going forward.

Sure, they could demonstrate the weakness of the systems with the usual
malware and remote access tools. That's how any competent attacker would
come at such a system. But the discriminating security professional prefers
to stay ahead of the game.

"One of the big things we try to do in the computer security community is
to avoid a situation where we say, ...adversaries are here and knocking on
our door and we're not prepared," said professor Tadayoshi Kohno, who has a
history of pursuing unusual attack vectors for embedded and niche
electronics like pacemakers.

"As these molecular and electronic worlds get closer together, there are
potential interactions that we haven't really had to contemplate before,"
added Luis Ceze, one co-author of the study.

Accordingly, they made the leap plenty of sci-fi writers have made in the
past, and that we are currently exploring via tools like CRISPR: DNA is
basically life's file system. The analysis programs are reading a DNA
strand's bases (cytosine, thymine etc, the A, T, G, and C we all know) and
turning them into binary data. Suppose those nucleotides were encoding
binary data in the first place? After all, it's been done before—right
down the hall.

Here comes the mad science:  [...]

The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time (Gizmodo)

Lauren Weinstein <>
Tue, 8 Aug 2017 13:34:12 -0700

  The man in question is Bill Burr, a former manager at the National
  Institute of Standards and Technology (NIST). In 2003, Burr drafted an
  eight-page guide on how to create secure passwords creatively called the
  "NIST Special Publication 800-63. Appendix A." This became the document
  that would go on to more or less dictate password requirements on
  everything from email accounts to login pages to your online banking
  portal. All those rules about using uppercase letters and special
  characters and numbers--those are all because of Bill.  The only problem
  is that Bill Burr didn't really know much about how passwords worked back
  in 2003, when he wrote the manual. He certainly wasn't a security
  expert. And now the retired 72-year-old bureaucrat wants to apologize.
  "Much of what I did I now regret," Bill Burr told The Wall Street Journal
  recently, admitting that his research into passwords mostly came from a
  white paper written in the 1980s, well before the web was even
  invented. "In the end, [the list of guidelines] was probably too
  complicated for a lot of folks to understand very well, and the truth is,
  it was barking up the wrong tree."


"Peter G. Neumann" <>
Tue, 8 Aug 2017 14:44:00 -0700

TL;DR Creating public (unencrypted) EBS Snapshots might not be a great idea.
Even if you are going to share them just for a second.  A lot can be fished
out of these snapshots: ssh keys, tls/ssl certificates, aws credentials,
private source code and internal (extremely) valuable HR/Accounting/IT

UK Airlines and rail companies face huge fines for IT meltdowns (The Telegraph)

Chris Drewe <>
Wed, 09 Aug 2017 22:02:03 +0100
Item in this week's *The Telegraph*:

Interesting approach to preventing IT failures—make them illegal!
(Not sure about health as it's funded by taxes in the UK.)


  Airlines and rail companies that blame computer meltdowns for customer
  chaos will face huge fines under Government plans, ministers have said.
  Ministers are unveiling plans to force organisations that provide
  "essential services" in areas including transport, energy and the health
  service to improve their IT systems.  Those that suffer critical IT
  failures because they did not do enough to protect their systems could
  ultimately be fined as much as 4 per cent of global turnover.
  Organisations will also face fines if they fail to protect themselves from
  cyber-attacks that could put at risk services on which people rely.

Cyberattack on UCLA server potentially accesses student information (Daily Bruin)

Monty Solomon <>
Tue, 8 Aug 2017 10:27:25 -0400

Bruce Springsteen Is Bringing His Music and His Memories to Broadway (The New York Times)

Monty Solomon <>
Wed, 9 Aug 2017 22:48:19 -0400
Tickets to the intimate shows at the Walter Kerr Theater will be sold via a new technology called Verified Fan in an attempt to cut down on scalping.

  [Another new target for hacking in the exponentially/spirally escalating
  battle of defense vs offense?  PGN]

Secrets of Silicon Valley - the Persuasion Machine

Brian Randell <>
August 13, 2017 at 5:08:28 PM EDT
  [Via Dave Farber]

I've just watched "Secrets of Silicon Valley—the Persuasion Machine", a
one-hour BBC TV documentary, in which Facebook and Cambridge Analytica
featured heavily. The BBC has a page describing this program (at, with links to the program itself
on iPlayer, but I understand iPlayer (a superb service) is restricted to the
UK. However, you might nevertheless want this for IP.

  The Persuasion Machine
  Secrets Of Silicon Valley, Series 1 Episode 2 of 2

  Jamie Bartlett reveals how Silicon Valley's mission to connect the world
  is disrupting democracy, helping plunge us into an age of political
  turbulence. Many of the Tech Gods were dismayed when Donald Trump - who
  holds a very different worldview - won the American presidency, but did
  they actually help him to win? With the help of a key insider from the
  Trump campaign's digital operation, Jamie unravels for the first time the
  role played by social media and Facebook's vital role in getting Trump
  into the White House.  But how did Facebook become such a powerful player?

  Jamie learns how Facebook's vast power to persuade was first built for
  advertisers, combining data about our Internet use and psychological
  insights into how we think. A leading psychologist then shows Jamie how
  Facebook's hoard of data about us can be used to predict our personalities
  and other psychological traits. He interrogates the head of the big data
  analytics firm that targeted millions of voters on Facebook for Trump - he
  tells Jamie this revolution is unstoppable. But is this great persuasion
  machine now out of control? Exploring the emotional mechanisms that
  supercharge the spread of fake news on social media, Jamie reveals how
  Silicon Valley's persuasion machine is now being exploited by political
  forces of all kinds, in ways no one - including the Tech Gods who created
  it - may be able to stop.

Re: The Death of Ruby? Developers Should Learn These Languages Instead (RISKS-30.42)

Kelly Bert Manning <>
Wed, 9 Aug 2017 15:39:23 -0400 (EDT)
> "People should be open to learning multiple technologies, languages, and
> frameworks."

I find it surprising that people working in high tech industry would need to
be reminded of this. It should come up during their first year on the job,
and continually after that.

I've been aware of it since I read "The Engineer", published by Time Life in
1967. Chapter 4 ends with a Picture Essay, "Education without End".

Page 96 deals with the noticeable phenomenon of graduate engineers returning
to campus for knowledge upgrading. Top left is a photo of a Graduate
Engineer sitting beside his undergrad son in a 1966 MIT Transistor Theory
Class. At the bottom MIT Prof (Dean?) Arthur C. Smith is shown teaching
Electrical Engineering to a class of engineers sent to MIT by their
employers for a year of upgrading.

If you aren't willing to learn anything new you should admit to yourself and
to your employer that your career is about to end.

I was less surprised when I heard that Canadian Federal Human Resources and
Social Development once asked the Software Human Resources Council lobby
group to explain what had happened to all the Windows NT Admin jobs they had
been telling people to train for. OS Versioning and end of support is such
an abstruse concept, after all.

Re: Mozilla launches new effort to counter fake news

"Jonathan M. Smith" <>
August 10, 2017 at 10:56:59 AM EDT
via Dave Farber

Your readers may be interested in this paper on an adjacent discipline:

Fabricated news, made to mislead or turn a profit, is a growing problem in
online communities. The U.S. intelligence community assessed that Russia
used social media to propagate misinformation campaigns throughout the 2016
presidential race.

  "Misinformation devalues the open web," said Katharina Borchert, Mozilla
  chief innovation officer, on Wednesday, announcing their new initiative.
  "We see this as a threat to the fabric of our society."

  The Mozilla Information Trust Initiative (MITI) will increase funding for
  research on misinformation, the first findings to be released later this
  year. The company hopes to leverage Firefox's size and reach to get data
  about news browsing habits.

  MITI will also tailor products to amplify actual news over fake news,
  expand an effort to increase digital news literacy and fund designers to
  work on software to provide on-the-fly visualizations of the problem.

  "There will not be a quick technical fix," said Borchert, who emphasized
  the importance of tackling the issue from multiple fronts.

  Fake news is more than just an issue of influencing mass numbers of
  people.  After the election, some producers of predominantly right-wing
  viral news stories acknowledged their work as hoaxes designed to attract
  advertising revenue.

  Mozilla is dedicating staff to MITI, including a new senior fellow and a
  research team under Borchert's purview.

Re: Fishy circumstances cause power outage in Seattle (Oxley, R30.42)

Michael Bacon - Grimbaldus <>
Wed, 9 Aug 2017 12:59:26 +0100
Hoo-RAY, another PGN fishy pun!  You are a DAB hand at them, and must have a
WHALE of a time PLAICING them.  Some are BETTA than others, but most are
BRILL.  I can't recall seeing a CRAPPIE one or one than made me GRUNT or
FLOUNDER.  Don't be KOI, we are SUCKERs for them and might DISCUSs whether
you are trying to DRUM up an OSCAR for 'SOLE punster'.  But I mustn't CARP,
it's all a CHARming CODology.  Now, where did I put that half-smoked ROACH?

  [I might presume that a Thesaurus would have been a large prehistoric fish
  that evolved into a land creature, and perhaps eventually into a
  BACONburger.  However, in that there have been so few puns in RISKS
  lately, I thought Michael could be the MAN-TA sneak through my fish net to
  tip the SCALES.  So, what's the relevance to Computer-Related Risks?
  Perhaps Seymour Crayfish would know, just for the HALIBUT.  Or, simply
  call me FISHMEAL (in a MOBYous comic strip).  PGN]

But to be serious—if the following can be taken seriously—several
years ago I was told the tale of the cow that broke through a rickety fence
at the edge of a small bluff, and tumbled over the edge, demolishing at the
bottom a small wooden shed, which housed the computer that both ran the
milking machines for the farm and processed the paperwork vital for the sale
of the milk, putting them out of action.

  "No milk today my love is gone away,
  The bottle stands forlorn a symbol of the dawn.
  No milk today it seems a common sight,
  But people passing by don't know the reason why."
 —Herman's Hermits C1966.
