The RISKS Digest
Volume 31 Issue 10

Thursday, 7th March 2019

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



All Intel chips open to new Spoiler non-Spectre attack: Don't expect a quick fix.
The rise of the online ticketing bots
David Strom
DeepFake litigation
Fake paid product reviews on Amazon challenged
Consumer Health
Siri, What Should I Eat?
Goldman Sachs asks in biotech research report: Is curing patients a sustainable business model?
Chuck Petras
GDPR: Victim of Sheryl Sandberg's "Lean On" Feminism
Henry Baker
Phishing Scams: Is Your Financial Institution Helping Cyberthieves?
Washington Consumers' Checkbook
Once hailed as unhackable, blockchains are now getting hacked
MIT Technology Review
Uproar Over Facebook 2FA Privacy Violation
Richi Jennings
Prosecutors Don't Plan to Charge Uber in Self-Driving Car's Fatal Accident
Outdoor Tech—Skiing *and* privacy?
Rob Slade
PDF Signatures
Rob Slade
Alphabet's Security Start-Up Wants to Offer History Lessons
Nicole Perlroth
Yet another Facebook privacy leak
Peter Houppermans
Re: Robocalls Routed via Virtue Signaling Network?
John Levine
Re: Oscars: IBM & Surveillance AI: Clean Hands?
Amos Shapir
Info on RISKS (comp.risks)

All Intel chips open to new Spoiler non-Spectre attack: Don't expect a quick fix. (ZDNet)

Monty Solomon <>
Tue, 5 Mar 2019 13:42:38 -0500

Intel CPUs afflicted with simple data-spewing spec-exec vulnerability

SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

The rise of the online ticketing bots

David Strom via WebInformant <>
Tue, 5 Mar 2019 12:33:55 -0600
Web Informant, March 5, 2019 [via Gabe Goldberg]

A new report describes the depth of criminality across online ticketing
websites. I guess I was somewhat naive before I read the report, "How Bots
affect ticketing," from Distil Networks
(Registration is required.) The vendor sells anti-bot security tools, so
some of what they describe is self-serving to promote their own
solutions. But the picture they present is chilling and somewhat depressing.

The ticketing sites are being hit from all sides: from dishonest ticket
brokers and hospitality agents who scrape details and scalp or spin the
tickets, to criminals who focus on fan account takeovers to conduct credit
card fraud with their ticket purchases. These scams are happening 24/7,
because the bots never sleep. And there are multiple sources of ready-made
bad bots that can be set loose on any ticketing platform.

You probably know what scalping is, but spinning was new to me.  Basically,
it involves a mechanism that appears to be an indecisive human who is
selecting tickets but holding them in their cart and not paying for
them. This puts the tickets in limbo, and takes them off the active
marketplace just long enough that the criminals can manipulate their supply
and prevent the actual people from buying them. That is what lies at the
heart of the criminal ticketing bot problem: the real folks are denied their
purchases, and sometimes all seats are snapped up within a few milliseconds
of when they are put on sale. In many cases, fans quickly abandon the legit
ticketing site and find a secondary market for their seats, which may be
where the criminals want them to go. This is because the seat prices are
marked up, with more profit going to the criminals. It also messes with the
ticketing site's pricing algorithms, because they don't have an accurate
picture of ticket supply.

This is a new report from Distil, focusing just on the ticketing
vendors. In the past year, they have seen a rise in the sophistication of
the bot owners' methods. That is because like much with cybercrime, there is
an arms race between defenders and the criminals, with each upping their
game to get around the other. The report studied 180 different ticketing
sites for a period of 105 days last fall, analyzing more than 26 billion

Distil found that the average traffic across all 180 sites was close to 40%
consumed by bad bots. That's the average: many sites had far higher
percentages of bad bot traffic.

Botnets aren't only a problem with ticketing websites, of course. In an
article that I wrote recently for CSOonline
I discuss how criminals have manipulated online surveys and polls.
(Registration also required.) Botnets are just one of many methods to fudge
the results, infect survey participants with malware, and manipulate public

So what can a ticketing site operator do to fight back? The report has
several suggestions, including preventing outdated browser versions, using
better Captchas, blocking known hosting providers popular with criminals,
and looking carefully at sources of traffic for high bounce rates, a series
of failed logins and lower conversion rates, three tells that indicate

Comments always welcome here.
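The three tells the report lists (high bounce rate, a run of failed logins, low conversion) can be computed straight from an access log. As an added illustration, not part of David Strom's post and not Distil's product, here is a Go program that scores each client IP over a constructed sample log. The log format, the thresholds, and the rule that two of the three tells flag a source are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample access log (not real traffic), one request per line:
//   client_ip method path status session_id
// 198.51.100.7 behaves like the bots in the report; 192.0.2.55 looks like a buyer.
const sampleLog = `198.51.100.7 POST /login 401 b1
198.51.100.7 POST /login 401 b2
198.51.100.7 POST /login 401 b3
198.51.100.7 GET /event/123/seats 200 b4
198.51.100.7 GET /event/123/seats 200 b5
192.0.2.55 GET /event/123 200 h1
192.0.2.55 POST /login 401 h1
192.0.2.55 POST /login 200 h1
192.0.2.55 GET /event/123/seats 200 h1
192.0.2.55 POST /checkout 200 h1`

// Assumed thresholds; a real deployment would tune these per site.
const (
	minRequests     = 5   // sources with fewer requests are not judged
	bounceThreshold = 0.5 // fraction of sessions that made a single request
	failedLoginMin  = 3   // failed logins from one source
	conversionMin   = 0.1 // completed checkouts per session
	tellsToFlag     = 2   // how many of the three tells it takes to flag a source
)

type sourceStats struct {
	requests, failedLogins, purchases int
	perSession                        map[string]int // requests per session id
}

type Verdict struct {
	IP                     string
	BounceRate, Conversion float64
	FailedLogins           int
	Tells                  []string
	Flagged                bool
}

// parseLog aggregates the log per client IP.
func parseLog(log string) map[string]*sourceStats {
	out := map[string]*sourceStats{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			continue // malformed line: skip rather than guess
		}
		s := out[f[0]]
		if s == nil {
			s = &sourceStats{perSession: map[string]int{}}
			out[f[0]] = s
		}
		s.requests++
		s.perSession[f[4]]++
		switch method, path, status := f[1], f[2], f[3]; {
		case method == "POST" && path == "/login" && status != "200":
			s.failedLogins++
		case method == "POST" && path == "/checkout" && status == "200":
			s.purchases++
		}
	}
	return out
}

// judge computes the three tells for one source and flags it if enough of them fire.
func judge(ip string, s *sourceStats) Verdict {
	single := 0
	for _, n := range s.perSession {
		if n == 1 {
			single++
		}
	}
	sessions := float64(len(s.perSession)) // non-zero: a source exists only once it made a request
	v := Verdict{IP: ip, FailedLogins: s.failedLogins,
		BounceRate: float64(single) / sessions, Conversion: float64(s.purchases) / sessions}
	if v.BounceRate > bounceThreshold {
		v.Tells = append(v.Tells, "high bounce rate")
	}
	if v.FailedLogins >= failedLoginMin {
		v.Tells = append(v.Tells, "repeated failed logins")
	}
	if v.Conversion < conversionMin {
		v.Tells = append(v.Tells, "low conversion")
	}
	v.Flagged = len(v.Tells) >= tellsToFlag
	return v
}

// Classify judges every source with at least minRequests requests, sorted by IP.
func Classify(log string) []Verdict {
	var out []Verdict
	for ip, s := range parseLog(log) {
		if s.requests >= minRequests {
			out = append(out, judge(ip, s))
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

func main() {
	for _, v := range Classify(sampleLog) {
		fmt.Printf("%s flagged=%v tells=%v\n", v.IP, v.Flagged, v.Tells)
	}
}
```

The minRequests floor matters: a bounce rate or conversion rate computed from one or two requests says nothing, and flagging on it would block the occasional real visitor the report is trying to protect.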

DeepFake litigation (Fortune)

"Peter G. Neumann" <>
Tue, 5 Mar 2019 11:37:22 PST

Fake paid product reviews on Amazon challenged (Consumer Health)

Gabe Goldberg <>
Sun, 3 Mar 2019 21:41:45 -0500
Consumer Health Digest #19-09, 3 Mar 2019

According to a complaint by the Federal Trade Commission (FTC), Cure
Encapsulations, Inc. and its owner, Naftula Jacobowitz:

  * paid a Web site to create and post Amazon
    reviews of their product "Quality Encapsulations Garcinia Cambogia
    Extract with HCA" capsules.

  * falsely claimed that the product is an appetite-suppressing,
    fat-blocking, weight-loss pill.

Jacobowitz allegedly told the site's operator that the product needed to
have an average rating of 4.3 out of 5 stars in order to have sales and to,
"Please make my product ... stay a five star." The reviews were posted on
Amazon and were represented as truthful and written by actual purchasers,
when in reality they were fabricated. The FTC's complaint also alleges that
the defendants made false and unsubstantiated claims on their Amazon product
page, including through the purchased reviews, that their garcinia cambogia
product is a "powerful appetite suppressant," "Literally BLOCKS FAT From
Forming," causes significant weight loss, including as much as twenty
pounds, and causes rapid and substantial weight loss, including as much as
two or more pounds per week.

The proposed court order settling the FTC's complaint

  * prohibits the defendants from making weight-loss,
    appetite-suppression, fat-blocking, or disease-treatment claims for
    any dietary supplement, food, or drug unless they have competent and
    reliable scientific evidence in the form of human clinical testing
    supporting the claims.
  * requires them to have competent and reliable scientific evidence to
    support any other claims about the health benefits or efficacy of
    such products.
  * prohibits them from making misrepresentations regarding
    endorsements, including that an endorsement is truthful or by an
    actual user.
  * requires the defendants to email notices to consumers who bought the
    capsules detailing the FTC's allegations regarding their efficacy
  * requires the defendants to notify Amazon, Inc. that they purchased
    Amazon reviews of their Quality Encapsulations Garcinia Cambogia
    capsules and to identify to Amazon the purchased reviews.
  * imposes a judgment of $12.8 million, which will be suspended upon
    payment of $50,000 to the Commission and the payment of certain
    unpaid income tax obligations.

If the defendants are later found to have misrepresented their financial
condition to the FTC, the full amount of the judgment will immediately
become due. [FTC brings first case challenging fake paid reviews on an
independent retail website.
FTC news release. 26 Feb 2019]

Siri, What Should I Eat?

Richard Stein <>
Sun, 3 Mar 2019 14:32:07 -0800


"Coming up with a truly personalized diet would require crunching billions
of pieces of data about each person. In addition to analyzing the 40
trillion bacteria from about 1,000 species that reside in our guts, as the
project I participated in did, it would need to take into account all of the
aspects of that person's health, including lifestyle, family history,
medical conditions, immune system, anatomy, physiology, medications and
environment. This would require developing an artificial intelligence more
sophisticated than anything yet on the market."

Risk: Dietary app guidance based on AI requires a randomized controlled trial
to establish viability and merit before it can be reliably applied for human

Goldman Sachs asks in biotech research report: Is curing patients a sustainable business model?

Chuck Petras <>
Mon, 4 Mar 2019 14:12:41 -0800
The risks, I think, are self-evident.

The potential to deliver `one shot cures' is one of the most attractive
aspects of gene therapy, genetically-engineered cell therapy and gene
editing. However, such treatments offer a very different outlook with regard
to recurring revenue versus chronic therapies, analyst Salveen Richter wrote
in the note to clients Tuesday.  “While this proposition carries tremendous
value for patients and society, it could represent a challenge for genome
medicine developers looking for sustained cash flow.''

Goldman Sachs asks in biotech research report: “Is curing patients a
sustainable business model?''

GDPR: Victim of Sheryl Sandberg's "Lean On" Feminism

Henry Baker <>
Mon, 04 Mar 2019 08:57:08 -0800
"... the memo reveals that Sandberg's feminist memoir ["Lean In"] was
perceived as a *lobbying tool* by the Facebook team and a means of winning
support from female legislators for Facebook's wider agenda."

"[George Osborne] offered to host a launch for Sandberg's book in Downing
Street, an event that went ahead in spring 2013."

Apparently, Sheryl Sandberg's relationship with feminism was transactional
all along; she shamelessly traded on her feminist relationships in her
attempts to destroy GDPR.

But isn't privacy a feminist issue?

Isn't Viviane Reding (GDPR's architect) a feminist?

Famous Sandberg quotes:

"There's a special place in hell for women who don't help other women." --
Sheryl Sandberg

"Leadership is not bullying and leadership is not aggression.  Leadership is
the expectation that you can use your voice for good.  That you can make the
world a better place."—Sheryl Sandberg

Revealed: Facebook's global lobbying against data privacy laws

Social network targeted legislators around the world, promising or
threatening to withhold investment

Carole Cadwalladr & Duncan Campbell, *The Guardian*, modified 3 Mar 2019

Facebook has targeted politicians around the world--including the former UK
chancellor, George Osborne--promising investments and incentives while
seeking to pressure them into lobbying on Facebook's behalf against data
privacy legislation, an explosive new leak of internal Facebook documents
has revealed.

The documents, which have been seen by the Observer and Computer Weekly,
reveal a secretive global lobbying operation targeting hundreds of
legislators and regulators in an attempt to procure influence across the
world, including in the UK, US, Canada, India, Vietnam, Argentina, Brazil,
Malaysia and all 28 states of the EU.  The documents include details of how

* Lobbied politicians across Europe in a strategic operation to head off
  "overly restrictive" GDPR legislation.  They include extraordinary claims
  that the Irish prime minister said his country could exercise significant
  influence as president of the EU, promoting Facebook's interests even
  though technically it was supposed to remain neutral.

* Used chief operating officer Sheryl Sandberg's feminist memoir Lean In to
  "bond" with female European commissioners it viewed as hostile.

* Threatened to withhold investment from countries unless they supported or
  passed Facebook-friendly laws.

The documents appear to emanate from a court case against Facebook by the
app developer Six4Three in California, and reveal that Sandberg considered
European data protection legislation a "critical" threat to the company.  A
memo written after the Davos economic summit in 2013 quotes Sandberg
describing the "uphill battle" the company faced in Europe on the "data and
privacy front" and its "critical" efforts to head off "overly prescriptive
new laws".

Most revealingly, it includes details of the company's "great relationship"
with Enda Kenny, the Irish prime minister at the time, one of a number of
people it describes as "friends of Facebook".  Ireland plays a key role in
regulating technology companies in Europe because its data protection
commissioner acts for all 28 member states.  The memo has inflamed data
protection advocates, who have long complained about the company's "cosy"
relationship with the Irish government.

The memo notes Kenny's "appreciation" for Facebook's decision to locate its
headquarters in Dublin and points out that the new proposed data protection
legislation was a "threat to jobs, innovation and economic growth in
Europe".  It then goes on to say that Ireland is poised to take on the
presidency of the EU and therefore has the "opportunity to influence the
European Data Directive decisions".  It makes the extraordinary claim that
Kenny offered to use the "significant influence" of the EU presidency as a
means of influencing other EU member states "even though technically Ireland
is supposed to remain neutral in this role".

It goes on: "The prime minister committed to using their EU presidency to
achieve a positive outcome on the directive."  Kenny, who resigned from
office in 2017, did not respond to the Observer's request for comment.

John Naughton, a Cambridge academic and Observer writer who studies the
democratic implications of digital technology, said the leak was "explosive"
in the way it revealed the "vassalage" of the Irish state to the big tech
companies.  Ireland had welcomed the companies, he noted, but became "caught
between a rock and a hard place".  "Its leading politicians apparently saw
themselves as covert lobbyists for a data monster."

A spokesperson for Facebook said the documents were still under seal
in a Californian court and it could not respond to them in any detail:
"Like the other documents that were cherry-picked and released in
violation of a court order last year, these by design tell one side of
a story and omit important context."

The 2013 memo, written by Marne Levine, who is now a Facebook senior
executive, was cc-ed to Elliot Schrage, Facebook's then head of policy and
global communications, the role now occupied by Nick Clegg.  As well as
Kenny, dozens of other politicians, US senators and European commissioners
are mentioned by name, including then Indian president Pranab Mukherjee,
Michel Barnier, now the EU's Brexit negotiator, and Osborne.

The then chancellor used the meeting with Sandberg to ask Facebook to invest
in the government's Tech City venture, the memo claims, and Sandberg said
she would "review" any proposal.  In exchange, she asked him to become "even
more active and vocal in the European Data Directive debate and really help
shape the proposals".  The memo claims Osborne asked for a detailed briefing
and said he would "figure out how to get more involved".  He offered to host
a launch for Sandberg's book in Downing Street, an event that went ahead in
spring 2013.

Osborne told the Observer: "I don't think it's a surprise that the UK
chancellor would meet the chief operating officer of one of the world's
largest companies ... Facebook and other US tech firms, in private, as in
public, raised concerns about the proposed European Data Directive.  To your
specific inquiry, I didn't follow up on those concerns, or lobby the EU,
because I didn't agree with them."

He noted it was "not a secret" that he had helped launch Sandberg's book at
11 Downing Street and added: "The book's message about female empowerment
was widely praised, not least in the Guardian and the Observer."

In fact, the memo reveals that Sandberg's feminist memoir was perceived as a
lobbying tool by the Facebook team and a means of winning support from
female legislators for Facebook's wider agenda.

In a particularly revealing account of a meeting with Viviane Reding, the
influential European commissioner for justice, fundamental rights and
citizenship, the memo notes her key role as "the architect of the European
Data Directive" and describes the company's "difficult" relationship with
her owing to her being, it claims, "not a fan" of American companies.

"She attended Sheryl's Lean In dinner and we met with her right afterward,"
the memo says, but notes that she felt it was a "very 'American'
discussion", a comment the team regarded as a setback since "getting more
women into C-level jobs and on boards was supposed to be how they bonded,
and it backfired a bit".

The Davos meetings are just the tip of the iceberg in terms of Facebook's
global efforts to win influence.  The documents reveal how in Canada and
Malaysia it used the promise of siting a new data centre with the prospect
of job creation to win legislative guarantees.  When the Canadians hesitated
over granting the concession Facebook wanted, the memo notes: "Sheryl took a
firm approach and outlined that a decision on the data center was imminent.
She emphasized that if we could not get comfort from the Canadian government
on the jurisdiction issue, we had other options."  The minister supplied the
agreement Facebook required by the end of the day, it notes.

Phishing Scams: Is Your Financial Institution Helping Cyberthieves? (Washington Consumers' Checkbook)

Gabe Goldberg <>
Wed, 6 Mar 2019 14:34:51 -0500
It's bad enough when financial institutions don't practice what they preach,
but it only compounds the confusion when they promise one thing and do the
opposite. For example, Merrill Lynch recently posted this online alert:
“Recently, some Merrill Lynch clients have reported receiving emails that
appear to be from Merrill Lynch but which have, in fact, been sent by
imposters.  ... How can you tell the difference?  Fraudulent emails
typically include website links, and/or request you to provide personal
information. Merrill Lynch has not and will not initiate a request for
sensitive information via email.''

But when we reviewed a legitimate email sent by Merrill Edge, it did contain
website links and invitations to click to `view statements'.  When the link
is clicked, it takes you to an account login page where Merrill requests
sensitive information, in the form of your user ID and password.

Thus, Merrill's own legitimate email is similar to the emails it warns could
be bogus.

The risk? Nothing new, just same old clueless companies.

Once hailed as unhackable, blockchains are now getting hacked (MIT Technology Review)

Gabe Goldberg <>
Tue, 5 Mar 2019 12:18:19 -0500

Uproar Over Facebook 2FA Privacy Violation (Richi Jennings)

Gabe Goldberg <>
Tue, 5 Mar 2019 12:30:49 -0500
Richi Jennings, Security Boulevard, 4 Mar 2019

Facebook has been caught red-handed again, so say privacy wonks. They accuse
Zuckerberg's crew of misusing phone numbers given to it for use in
two-factor authentication.

Said wonks say Facebook is sharing the data with Instagram and WhatsApp to
secretly link your profiles together. And that it lets miscreants look you
up by your phone number, subjecting your identity to stalking, social
engineering and other malicious awfulness. Facebook is also accused of
violating GDPR, for using the numbers without consent.

The risk? Facebook.

Prosecutors Don't Plan to Charge Uber in Self-Driving Car's Fatal Accident (NYTimes)

Richard Stein <>
Tue, 5 Mar 2019 19:44:03 -0800

"Arizona prosecutors said Tuesday that they had not found evidence to charge
Uber with a crime in connection with an accident in which one of its
autonomous cars hit and killed a pedestrian in Tempe a year ago.

"On March 18, 2018, a Volvo sport utility vehicle, one of several
self-driving vehicles that Uber was testing, was traveling about 40 miles
per hour when it hit Elaine Herzberg, 49, as she was walking her bicycle
across the street at night, the authorities said.  While the car was in
autonomous mode, a safety driver was sitting in the driver's seat.  The
Yavapai County Attorney's Office, which reviewed the case, said in a letter
dated Monday that there was 'no basis for criminal liability for the Uber
corporation.'  But it added that investigators should look into what the
safety driver 'would or should have seen that night given the vehicle's
speed, lighting conditions, and other relevant factors.'"

A favorable prosecution determination: blame the carbon component, not the
silicon. A jury trial on behalf of Ms. Herzberg's estate, if victorious,
might terminate the entire AV technology industry.

Outdoor Tech—Skiing *and* privacy?

Rob Slade <>
Wed, 6 Mar 2019 09:08:49 -0800
Outdoor Tech makes the Chips 2.0 speakers for your audio equipped ski
helmet.  It gives you the ability to have conversations with your other
friends on the ski slope via a Bluetooth connection to your smartphone, and
thence over the Internet.

First problem: all the conversations go through Outdoor Tech's servers.

Second problem: in order to set up conversations with your friends, you have
to set up a group.  You have to search for your friends names.  While
searching, it turns out you can, with very little effort, find absolutely
anyone who has registered the speakers.  And their email addresses.  And
their phone numbers.

You can also find out where they are.

And reset their passwords.

I'm going to recommend this for all my skiing friends who don't think
security is important ...
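As an added illustration, not Outdoor Tech's code and not part of Rob Slade's post, here is a hypothetical friend-search backend in Go that shows the failure he describes beside a minimal fix. The leaky version hands any caller every registered user's full record; the fixed version requires a logged-in caller, refuses enumeration-length queries, caps the result count, and returns only what a friend request needs, with contact details and location released only to accepted friends. The records, field names and limits are constructed for the example; the password-reset problem is not covered here.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Constructed records for a hypothetical companion-app backend; not real data.
type User struct {
	ID, DisplayName, Email, Phone, LastLocation string
	Friends                                     map[string]bool // user IDs this user accepted
}

// PublicUser is all a searcher needs in order to send a friend request.
type PublicUser struct{ ID, DisplayName string }

var users = map[string]*User{
	"u1": {"u1", "Bob S.", "bob@example.net", "+15005550001", "Whistler, lift 3", map[string]bool{"u2": true}},
	"u2": {"u2", "Alice R.", "alice@example.net", "+15005550002", "Whistler, Peak chair", map[string]bool{"u1": true}},
	"u3": {"u3", "Alina K.", "alina@example.net", "+15005550003", "Zermatt", map[string]bool{}},
}

// leakySearch is the behaviour described above: no caller check, an empty query
// matches everyone, and the whole record comes back.
func leakySearch(q string) []*User {
	var out []*User
	for _, u := range users {
		if strings.Contains(strings.ToLower(u.DisplayName), strings.ToLower(q)) {
			out = append(out, u)
		}
	}
	return out
}

const minQuery, maxResults = 3, 20 // assumed limits that make bulk enumeration impractical

// safeSearch requires a logged-in caller, refuses short queries that would enumerate
// the directory, caps the result count, and projects out all but the public fields.
func safeSearch(callerID, q string) ([]PublicUser, error) {
	if _, ok := users[callerID]; !ok {
		return nil, errors.New("authentication required")
	}
	if len(q) < minQuery {
		return nil, fmt.Errorf("query must be at least %d characters", minQuery)
	}
	var out []PublicUser
	for _, u := range users {
		if strings.Contains(strings.ToLower(u.DisplayName), strings.ToLower(q)) {
			out = append(out, PublicUser{u.ID, u.DisplayName})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	if len(out) > maxResults {
		out = out[:maxResults]
	}
	return out, nil
}

// contactDetails releases email, phone and location only to an accepted friend.
func contactDetails(callerID, targetID string) (*User, error) {
	t, ok := users[targetID]
	if !ok || !t.Friends[callerID] {
		return nil, errors.New("not authorized") // same answer whether or not the target exists
	}
	return t, nil
}

func main() {
	fmt.Println("leaky, empty query:", len(leakySearch("")), "full records")
	pub, err := safeSearch("u1", "ali")
	fmt.Println("safe:", pub, err)
	_, err = safeSearch("", "ali")
	fmt.Println("safe, unauthenticated:", err)
}
```

The projection into PublicUser is the part that matters: once the search handler cannot even express email, phone or location in its return type, a later change to the matching logic cannot quietly leak them again.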

PDF Signatures

Rob Slade <>
Wed, 6 Mar 2019 09:54:03 -0800
Today someone noted that PDF signatures are broken:

But I don't trust PDF signatures in any case.  I am pretty sure that almost
nobody knows how to use them.  (I mean, really.  How many security mavens
who actually understand cryptography and PKI are there in comparison to the
total number of people using tech they don't understand for almost all of
their business functions?)

For example: A certain entity which shall not be named (but whom we all
know) has asked me to sign an NDA for a process which I can't tell you about
because it's probably covered by the NDA.  I don't have a PDF document
creation program.  So I signed the signature page (of the five page NDA),
scanned that page, and sent it back.

(Whilst looking for and printing the NDA PDF I noticed that it had "active"
fields for name, address, etc.  When I went to fill in the date, my reader
[Foxit] offered to "sign" the document.  I don't know how, since I'm not
particularly aware of any certificates on my machine.)

I got a message back from an admin saying that the legal team says a JPEG
isn't good enough, and could I send in a PDF.

No, I didn't go back and get Foxit to sign it.  I opened a document in
LibreOffice, inserted the JPEG, and "printed" it as a PDF.  That seems to
have been acceptable.

(Although now they want a PDF of the whole five pages ...)

Never attribute to technical faults that which can be adequately
explained away by ignorance or pure, blind stupidity ...

Alphabet's Security Start-Up Wants to Offer History Lessons (Nicole Perlroth)

"Peter G. Neumann" <>
Wed, 6 Mar 2019 9:54:52 PST
Nicole Perlroth, *The New York Times*, 4 Mar 2019

In 2009, Google was hacked by the Chinese military.  Now Chronicle, a
security start-up owned by Google parent company Alphabet, plans to help
other companies learn from that experience.  The company's new Backstory
product will make Alphabet's storage, indexing, and search capabilities
available to other companies so they can trace the origins of a malicious
attack.  Chronicle is one of dozens of companies currently promising big
data threat intelligence and storage.  While many customers of other firms
can't afford to pay to search through huge amounts of information, Chronicle
says it will charge customer companies by their number of employees.

Yet another Facebook privacy leak

Peter Houppermans <>
Tue, 5 Mar 2019 12:37:42 +0100
Yet again, Facebook is caught using data for other purposes than indicated
at the time of collection (to phrase it in EU privacy law terms).  Not that
this ought to come as a surprise by now, it appears pretty much their modus

This week's installment:

"Another week, another Facebook privacy storm.  This time, the Silicon
Valley giant has been caught red-handed using people's cellphone numbers,
provided exclusively for two-factor authentication, for targeted advertising
and search—after it previously insinuated it wouldn't do that.
Folks handing over their mobile numbers to protect their accounts from
takeovers and hijackings thought the contact detail would be used for just
that: security. Instead, Facebook is using the numbers to link netizens to
other people, and target them with online ads."

Re: Robocalls Routed via Virtue Signaling Network? (RISKS-31.09)

"John Levine" <>
4 Mar 2019 23:50:01 +0900
> Precisely because Congresspersons utilize robocalls *themselves* for their
> own re-election campaigns.

Yes, they exempt themselves but this is a somewhat self limiting issue due
to campaign schedules.  FWIW, in my experience if you tell a candidate to
stop calling, they usually do.

> Who else loves robocalls?  Phone companies themselves.  Robocalls run up
> lucrative charges on accounts that would otherwise have *zero* traffic and
> minimum account charges.

This is simply false.  Inter-company accounting these days is all bill and
keep, so nobody gets paid for robocalls.  The problem is that the SS#7
signaling system was designed for a world in which there was a small number
of telcos and they all knew each other so there wasn't any internal
security, sort of like the early Internet.  Through the magic of VoIP now
anyone can dump a call into the network.

The point of the IETF's STIR and SHAKEN is to add a cryptographic signature
of the party injecting the call.  (The telco or VoIP provider, not the
individual caller.)  People I know at large telcos say they're planning
to do what is essentially spam filtering, lose dubious looking calls coming
from parties with poor reputations.

> Who else loves robocalls?  NSA/intelligence agencies. ...

Sorry, my tin foil hat is at the cleaners this week.
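As an added example, not part of John Levine's message, here is a stripped-down version in Go of the signing and verification he describes: the provider injecting the call signs a PASSporT (RFC 8225) carrying the SHAKEN attestation claims (RFC 8588) with ES256, and the terminating provider checks the signature, freshness and called number before applying a reputation policy. The provider names, the in-memory key map standing in for certificate lookup, the reputation scores and the policy thresholds are assumptions made for the illustration, not how a conforming deployment does it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PASSporT (RFC 8225) with SHAKEN claims (RFC 8588): a JWS signed with ES256 by the
// provider injecting the call. Assumed simplification: x5u names the signer and the
// verifier looks its key up in a map, instead of a certificate URL validated against
// the STI policy administrator's trust anchor.
type Header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Ppt string `json:"ppt"`
	X5u string `json:"x5u"`
}

type Claims struct {
	Attest string              `json:"attest"` // A: full, B: partial, C: gateway attestation
	Dest   map[string][]string `json:"dest"`   // {"tn": [called numbers]}
	Iat    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"`   // {"tn": calling number}
	OrigID string              `json:"origid"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign is the originating provider's step: it vouches for the call it injects.
func Sign(priv *ecdsa.PrivateKey, provider string, c Claims) (string, error) {
	h, _ := json.Marshal(Header{Alg: "ES256", Typ: "passport", Ppt: "shaken", X5u: provider})
	p, _ := json.Marshal(c)
	input := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256: the raw 32-byte R and S concatenated, not DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64(sig), nil
}

// Verify is the terminating provider's step; it returns the claims and the signer.
func Verify(token string, keys map[string]*ecdsa.PublicKey, calledTN string, now time.Time) (Claims, string, error) {
	var c, h = Claims{}, Header{}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, "", errors.New("malformed token")
	}
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &h) != nil || h.Alg != "ES256" || h.Ppt != "shaken" {
		return c, "", errors.New("bad header") // the token never gets to pick a weaker algorithm
	}
	pub, ok := keys[h.X5u]
	if !ok {
		return c, "", errors.New("unknown signing provider")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return c, "", errors.New("signature invalid")
	}
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return c, "", errors.New("bad payload")
	}
	if d := now.Unix() - c.Iat; d < -60 || d > 60 { // replay window of about a minute (RFC 8224)
		return c, "", errors.New("token outside freshness window")
	}
	for _, tn := range c.Dest["tn"] {
		if tn == calledTN {
			return c, h.X5u, nil
		}
	}
	return c, "", errors.New("token does not cover the called number")
}

// Policy is the spam-filtering step: a valid signature only says who injected the
// call, so completion also depends on attestation level and the signer's reputation
// (constructed 0..1 scores).
func Policy(c Claims, signer string, reputation map[string]float64) string {
	rep := reputation[signer]
	switch {
	case c.Attest == "A" && rep >= 0.5:
		return "complete"
	case c.Attest == "C" && rep < 0.5:
		return "drop"
	}
	return "complete, flagged as unverified"
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	c := Claims{Attest: "A", Dest: map[string][]string{"tn": {"12025550199"}}, Iat: now.Unix(),
		Orig: map[string]string{"tn": "12015550123"}, OrigID: "constructed-call-1"}
	tok, _ := Sign(priv, "carrier-a", c)
	got, signer, err := Verify(tok, map[string]*ecdsa.PublicKey{"carrier-a": &priv.PublicKey}, "12025550199", now)
	fmt.Println(signer, err, Policy(got, signer, map[string]float64{"carrier-a": 0.9}))
}
```

Note what the signature does and does not establish: it binds the call to the provider that injected it, so a party that forges a token under another provider's name fails verification, but a reputable signer can still attest a robocall at level C, which is why the policy step exists.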

Re: Oscars: IBM & Surveillance AI: Clean Hands? (RISKS-31.09)

Amos Shapir <>
Tue, 5 Mar 2019 17:09:27 +0200
What happened to IBM had happened to most big US companies in the 2000's.
Because of reduced regulations, corporations can make more money out of
their shares value than out of production. This means that IBM is no longer
a computer company, Ford is no longer a car company, etc.—they are all
stock brokerage companies, using their manufacturing part as an excuse.

Companies are no longer committed to their product, even to their customers,
and certainly not committed to their workers. (In another Big Company I'd
worked at, even the wording of the CEO's New Year message had changed from
“keep up the good work, generating value for our customers'' to “making
value for our shareholders'').

Consequently, anything which does not affect the share value, preferably
within the next quarter, is being scaled down. Middle managers know that,
but are helpless to do anything, they just grind their teeth and cut
corners; if the increase in raw profits (or even the increase of the
increase) stops rising for more than one quarter, shareholders will just
take their money elsewhere, and they'd all be jobless overnight. (Upper
management have their golden parachutes, of course).

One effect is that IBM has been growing in the past decades by acquiring
smaller companies which so far had escaped this fate, and can still do some
serious R&D. These companies still exist intact as independent business
units within IBM. So IBM is no longer a big company, it's becoming a
conglomerate of smaller ones.  (Some of the suggested future development
ideas mentioned at the end of the ad, are actually projects of companies
acquired by IBM).
