RISKS Digest 29.88

Tuesday 25 October 2016

Russian Suspected of Hacking U.S. Tech Companies Is Indicted

The NYTimes

Date: Sat, 22 Oct 2016 17:13:09 -0400

Yevgeniy Aleksandrovich Nikulin, 29, was arrested in Prague this month on charges that he hacked into networks at LinkedIn, Dropbox and Formspring.

Radio interference disables cars and cell phones in Evanston

ARRL via Ed Ravin

Date: Sat, 22 Oct 2016 23:40:07 -0400

Using the radio spectrum as a replacement for physical locking mechanisms like ignition keys means all the same issues/attacks facilitated by an unfettered access medium (like the Internet or wifi) are now applicable to starting a car. Man-in-the-middle and replay attacks have already been demonstrated against automobile keyfobs, so it was only a matter of time before a denial-of-service attack would show up.

"Police in Evanston, Illinois, contacted the ARRL Lab, after an apparent interference source began plaguing wireless vehicle key fobs, cell phones, and other wireless electronics. Key fob owners found they could not open or start their vehicles remotely until their vehicles were towed at least a block away, nor were they able to call for help on their cell phones when problems occurred. [...]"

"The interference source turned out to be a recently replaced neon sign switching-mode power supply, which was generating a substantial signal within the on-street parking area just across the sidewalk, between 8 and 40 feet from the sign. [...]"

Report on "Ethics of AI"

John Horgan

Date: October 22, 2016 at 11:39:33 AM EDT

[via Dave Farber]

"How Would an AI Cover an AI Conference?"

"... I spent last weekend at New York University listening to philosophers, scientists and engineers jaw about Ethics of Artificial Intelligence. How can we ensure that driverless cars, drones and other smart technologies -- such as algorithms that decide whether a human gets parole or a loan or has breast cancer -- are used ethically? Also, what happens if machines get really smart? Can we design them to be nice to us? Do we have to be nice to them? Speakers responded to these questions in a welter of ways, as did members of the audience. How should I write it up? Too many choices!..."

As Artificial Intelligence Evolves, So Does Its Criminal Potential

The NYTimes

Date: Sun, 23 Oct 2016 19:15:22 -0400

The next generation of online attack tools used by criminals will add machine learning capabilities pioneered by AI researchers.

Pittsburgh's new artificially intelligent stoplights could mean no more pointless idling

Chris Weller

Date: October 23, 2016 at 10:43:35 AM EDT

[Note: This item comes from friend Mike Cheponis. DLH] (via Dave Farber)

Chris Weller, Flipboard, 22 Oct 2016

Pittsburgh's new artificially intelligent stoplights could mean no more pointless idling

Traffic lights are finally getting smarter in Pittsburgh.

Thanks to a new pilot program from the tech startup Rapid Flow Technologies, Steel City now boasts 50 intersections whose stoplights are running artificial intelligence software known as Surtrac that reduces wait times on empty or lightly-traveled roads.

Since Surtrac was first introduced in 2012, the Rapid Flow team estimates the AI stoplights have cut emissions by 21%, travel times by 25%, and idling times by 40%.

The magic of Surtrac is that it bundles each stoplight into an intelligent network "that moves all the vehicles it knows about through the intersection in the most efficient way possible," Rapid Flow CEO Steve Smith said at the recent White House Frontiers Conference, according to IEEE Spectrum.

Surtrac relies on a system of cameras and radar sensors that detect traffic patterns in particular areas. When one area starts to see more traffic -- during rush hour, for example -- the other stoplights use a proprietary set of algorithms to adjust their timing accordingly.

The result is a smarter city that operates more like a living, breathing organism than just a static patch of roads.

Pittsburgh has recently been a popular site for urban-planning innovation. In August, the city played host to Uber's first rollout of self-driving cars. Uber selected Pittsburgh because of its odd assortment of narrow, one-way streets mixed with steep hills and a staggering 446 bridges, all of which make it an ideal setting for testing the limits of AI.

As IEEE Spectrum reports, Surtrac isn't the only smart traffic-management system. There are others in Utah, California, and Washington. But unlike those systems, the stoplights in Pittsburgh don't need a jumble of wires run beneath the city streets or the help of a central command to run.

In Pittsburgh, Surtrac allows the lights to talk to one another independently, based only on the feedback from the sensors and cameras. They essentially think for themselves. ...

Re: Self-driving cars shouldn't have to choose who to protect in a crash

tanner andrews

Date: Mon, 24 Oct 2016 11:20:09 -0400 (EDT)

Sure, it is worth considering whether the computer should choose to plow into the large on-coming vehicle, or into the kids in the road. However, this presumes way too much.

At this stage, I may be able to figure out that there is a large on-coming vehicle. But can the computer be sure it is a truck, as opposed to a re-purposed school bus full of field workers? Or a newer school bus which is full of kids? Or, for that matter, either of these two buses, but having just unloaded the passengers?

And if we can make the correct identification, would it really be prudent to slam into the truck, thereby strewing flaming diesel oil, truck parts, and RISKS reader parts, all through the row of kids? Which I am hoping we correctly identified.

Samsung washing machines in Australasia hot issue since 2013

Donald Mackie

Date: Sat, 22 Oct 2016 12:19:27 +1300

Recall in Australia and NZ in 2013. Ours was *fixed* under the original recall. Supposedly added a water shield for some of the electronics. Subsequent publicity about the number of unfixed machines led us to call again, one of us thought it had been fixed, the other couldn't recall [*]. Answer was that it had been done but they would send a tech out anyway to check on it. He came and replaced pretty well all electronics at no charge. We now have another machine.

[* That's certainly a common line elsewhere: "I couldn't recall." PGN]

China's Total Information Awareness?

Simon Denyer

Date: Sat, 22 Oct 2016 4:04:12 PDT

Simon Denyer, *The Washington Post*, 22 Oct 2016

The world as Total Information Awareness would have been, now brought to you by the People's Republic of China...

Every LTE call, text, can be intercepted, blacked out, hacker finds

The Register

Date: Sun, 23 Oct 2016 20:45:56 -0700

*The Register* via NNSquad

The Third Generation Partnership Project (3GPP) telco body has known of the hack since at least 2006 when it issued a document describing Zhang's forced handover attack, and accepts it as a risk. The 3GPP's SA WG3 working group, which handles security of LTE and other networks, proposed in a May meeting that it would refuse one-way authentication and drop encryption downgrade requests from base stations.

Unneeded Services Foster Botnets and other security problems

Bob Gezelter

Date: Sun, 23 Oct 2016 01:45:09 -0700

From the category of "when will they ever learn": Embedded devices (e.g., IoT) should, almost by definition, exclude all but absolutely required services. Back doors (e.g., telnet and ssh connections) create attack surface which can, and will, be exploited.

The October 21 DDoS attack against DNS provider Dyn widely disrupted access to many popular web sites [*]. Internet-connected devices (e.g., cameras, baby monitors, and routers) are implicated in the attacking botnet.

According to an article published recently by Ars Technica, the devices subverted into the botnet appear to have run BusyBox, and had the telnet protocol enabled. Why, pray tell, was telnet enabled on embedded devices sold to consumers?

"Both Mirai and Bashlight exploit the same IoT vulnerabilities, mostly or almost exclusively involving weakness involving the telnet remote connection protocol in devices running a form of embedded Linux known as BusyBox. But unlike Bashlight, the newer Mirai botnet software encrypts traffic passing between the infected devices and the command and control servers that feed them instructions. That makes it much harder for researchers to monitor the malicious network. There's also evidence that Mirai is able to seize control of Bashlight-infected devices and possibly even patch them so they can never be infected again by a rival botnet. About 80,000 of the 963,000 Bashlight devices now belong to Mirai operators, Drew said."

If this is correct, it is an example of a completely preventable incident.

The complete Ars Technica article can be found at:

Bob Gezelter,

[* Actually, Dyn was involved in only a relatively small portion of what happened. PGN]
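As an added illustration of the point Gezelter makes (this is not code from his post or from any device vendor), the Python below audits which TCP services a Linux/BusyBox device actually exposes: it reads a table in /proc/net/tcp format, keeps the sockets in LISTEN state, and reports every port that is not on an allowlist of services the device genuinely needs. The sample table, the allowlist (a camera needing only its web UI on 80 and RTSP on 554) and the port names are constructed for the example.

```python
"""Audit the TCP services an embedded Linux device exposes.

Added example (not code from the post or any vendor). It reads a table in
/proc/net/tcp format, keeps sockets in LISTEN state, and reports every port
that is not in the device's allowlist of required services. The sample
table and the allowlist (a camera needing only its web UI and RTSP) are
constructed for this example.
"""
import socket
import struct

# Constructed /proc/net/tcp snapshot: telnet (0x17), ssh (0x16), http (0x50)
# and rtsp (0x22A) listening on all interfaces, dns (0x35) on loopback only,
# plus one established http connection that is not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 00000000:022A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1005 1 0000000000000000 100 0 0 10 0
   5: 0A000005:0050 C0A80014:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 1006 1 0000000000000000 100 0 0 10 0
"""

REQUIRED_PORTS = {80: "web UI", 554: "RTSP video"}   # assumed allowlist for this device
KNOWN_NAMES = {22: "ssh", 23: "telnet", 53: "dns", 80: "http", 554: "rtsp"}
TCP_LISTEN = "0A"   # value of the 'st' column for a listening socket


def decode_addr(field, little_endian=True):
    """Turn '0100007F:0035' into ('127.0.0.1', 53).

    /proc/net/tcp prints the IPv4 address in host byte order, so on x86/ARM
    (little-endian) the bytes are reversed; on a big-endian MIPS camera pass
    little_endian=False.
    """
    hex_ip, hex_port = field.split(":")
    fmt = "<I" if little_endian else ">I"
    ip = socket.inet_ntoa(struct.pack(fmt, int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_listeners(table_text, little_endian=True):
    """Return (bind_ip, port) for every socket in LISTEN state."""
    listeners = []
    for line in table_text.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        listeners.append(decode_addr(fields[1], little_endian))
    return listeners


def audit(listeners, required=REQUIRED_PORTS):
    """Report every listener that is not a required service.

    'exposed' is True when the socket is bound to something other than
    loopback, i.e. reachable from the network rather than only by local
    processes.
    """
    findings = []
    for ip, port in listeners:
        if port in required:
            continue
        findings.append({
            "port": port,
            "bind": ip,
            "name": KNOWN_NAMES.get(port, "unknown"),
            "exposed": ip != "127.0.0.1",
        })
    return sorted(findings, key=lambda f: f["port"])


def exposed_unneeded_ports(table_text, little_endian=True):
    """Ports that are both unneeded and reachable from the network."""
    return [f["port"] for f in audit(parse_listeners(table_text, little_endian))
            if f["exposed"]]


if __name__ == "__main__":
    for f in audit(parse_listeners(SAMPLE_PROC_NET_TCP)):
        state = "EXPOSED" if f["exposed"] else "loopback only"
        print(f"port {f['port']:>5} ({f['name']}) bound to {f['bind']}: {state}, not in allowlist")
```

On a real device the same functions run over open("/proc/net/tcp").read(); anything reported as exposed and unneeded (here telnet and ssh on 0.0.0.0) is a candidate for removal from the firmware's init scripts, and failing that for a block at the customer's gateway, which is the only remedy left once a vendor ships no updates.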

Kevin Marks: Internet becoming unreadable, lighter thinner fonts

LW

Date: Sun, 23 Oct 2016 19:06:01 -0700

Kevin Marks, *The Telegraph* via NNSquad

Where text used to be bold and dark, which contrasted well with predominantly white backgrounds, now many websites are switching to light greys or blues for their type. Award winning blogger Kevin Marks, founder of Microformats and former vice president of web services at BT, decided to look into the trend after becoming concerned that his eyesight was failing because he was increasingly struggling to read on screen text.


Kevin Marks: Internet becoming unreadable, lighter thinner fonts

Al Mac

Date: Tue, 25 Oct 2016 08:43:57 -0500

I have long asserted that, as we grow older, our vision is less able to handle poor contrast. Light print on dark background, in small print, can lead to the light print blurring. As institutions abandon testing, they forget that poor contrast means they are writing off elderly clients - they don't want their web site readable to the elderly population, and soon they don't care, because they no longer have such people as customers. People who design things on desktops, with high tech, and do not test how readable that is on hand-held screens, or by users with lower tech, fail to realize that they have created web designs unreadable for large swaths of the population. Then there are the visually impaired. Some nations mandate that they should have Internet access. Most sites ignore such laws.

Did you ever wonder why the phone directory yellow pages is in black on yellow? It is because that is most readable and eyes-friendly to the most population. Phone book publishers wanted to maximize who can see their stuff. Apparently many web designers do not share that concept.

Now we have someone in the Tech biz, rediscovering and sharing the truth that a great deal of the Internet is being made unreadable to much of the population which wants such access.

Internet is becoming unreadable because of a trend towards lighter, thinner fonts [..]

The Internet is becoming less readable because of a trend towards lighter and thinner fonts, making it difficult for the elderly or visually-impaired to see words clearly, a web expert has found. [..]

Blogger Kevin Marks, founder of Microformats and former vice president of web services at BT, decided to look into the trend after becoming concerned that his eyesight was failing because he was increasingly struggling to read on screen text.

He found a 'widespread movement' to reduce the contrast between the words and the background, with tech giants Apple, Google and Twitter all altering their typography.

True black on white text has a contrast ratio of 21:1 - the maximum which can be achieved. Most technology companies agree that it is good practice for type to be a minimum of 7:1 so that the visually-impaired can still see text.

But Mr Marks found that even Apple's own typography guidelines, which recommend 7:1, are written in a contrast ratio of 5.5:1.

Google's guidelines also suggest a 7:1 contrast ratio, but 54 per cent opacity of display, which brings the ratio down to 4.6:1.

Mr Marks, who has been named one of the Telegraph's 50 most influential Britons in technology, said the changes risk undermining the universal reach of the Internet. "The typography choices of companies like Apple and Google set the default design of the web, and these two drivers of design are already dancing on the boundaries of legibility," he warned on the technology site Backchannel. [..], which came up with the original ratio formula in 2008 to help web designers, said too little contrast made web pages 'confusing and frustrating' [..] Mr Marks said that reducing the contrast risked alienating some users.

"To arbitrarily throw away contrast based on a fashion that looks good on my perfect screen in my perfectly lit office is abdicating designer's responsibilities to the very people for whom they are designing," he said. "My plea to designers and software engineers: Ignore the fads and go back to the typographic principles of print.

"You'll be making things better for people who read on smaller, dimmer screens, even if their eyes aren't aging like mine. It may not be trendy, but it's time to consider who is being left out by the web's aesthetic."
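The ratios quoted in the article (21:1 for black on white, the 7:1 target, 4.6:1 for text at 54% opacity) all come from the WCAG 2.0 relative-luminance and contrast-ratio definitions. As an added worked example, not part of either post and not Mr Marks's code, the Python below implements those two formulas and reproduces the 54% case: black drawn at 54% opacity over white composites to grey level 117, which measures about 4.6:1. The search for the lightest grey that still meets 7:1 goes beyond the article and is my addition.

```python
"""WCAG 2.0 contrast-ratio arithmetic behind the figures in the article.

Added example: the formulas are WCAG 2.0's relative-luminance and
contrast-ratio definitions (not code from the article or from Mr Marks).
The 54% opacity case reproduces the article's 4.6:1; the lightest-grey
search is an extension for checking a palette against the 7:1 target.
"""

BLACK = (0, 0, 0)
WHITE = (255, 255, 255)


def _linearize(channel):
    """sRGB 8-bit channel value -> linear light, per WCAG 2.0."""
    c = channel / 255
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def relative_luminance(rgb):
    """WCAG relative luminance: 0.0 for black, 1.0 for white."""
    r, g, b = (_linearize(v) for v in rgb)
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


def contrast_ratio(fg, bg):
    """(L_lighter + 0.05) / (L_darker + 0.05); ranges from 1 to 21."""
    l1, l2 = relative_luminance(fg), relative_luminance(bg)
    return (max(l1, l2) + 0.05) / (min(l1, l2) + 0.05)


def composite(fg, bg, opacity):
    """Alpha-blend fg over bg at the given opacity (0..1); returns 8-bit RGB.

    Rendering text at reduced opacity is what turns 'black' into a grey,
    which is how a 7:1 guideline ends up displayed at 4.6:1.
    """
    return tuple(round(opacity * f + (1 - opacity) * b) for f, b in zip(fg, bg))


def meets(fg, bg, minimum=7.0):
    """True when fg on bg reaches the required ratio (7:1 by default)."""
    return contrast_ratio(fg, bg) >= minimum


def lightest_grey_on_white(minimum=7.0):
    """Highest grey level (0-255) that still reaches `minimum` against white."""
    best = 0
    for g in range(256):
        if meets((g, g, g), WHITE, minimum):
            best = g
    return best


if __name__ == "__main__":
    print(f"black on white: {contrast_ratio(BLACK, WHITE):.1f}:1")
    grey = composite(BLACK, WHITE, 0.54)
    print(f"black at 54% opacity on white = {grey}: {contrast_ratio(grey, WHITE):.1f}:1")
    print(f"lightest grey still meeting 7:1 on white: {lightest_grey_on_white()}")
```

The design point worth noticing is that opacity is applied in sRGB space by the renderer while the contrast formula works in linear light, so a modest-looking 46% reduction in ink costs far more than 46% of the contrast budget: 21:1 collapses to 4.6:1, below even the 4.5:1 that WCAG accepts for ordinary body text.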


Dyn Statement on the 21 Oct 2016 DDoS Attack

Kyle York PGN-ed

Date: Sat, 22 Oct 2016 13:32:16 -1000

Kyle York, Dyn Chief Strategy Officer, 22 Oct 2016 <>

[Note: Check the URL for the complete message. It has been PGN-pruned here, because the statement comes across as more of a PR message.)]

It's likely that at this point you've seen some of the many news accounts of the Distributed Denial of Service (DDoS) attack Dyn sustained against our Managed DNS infrastructure this past Friday, October 21. We'd like to take this opportunity to share additional details and context regarding the attack. At the time of this writing, we are carefully monitoring for any additional attacks. Please note that our investigation regarding root cause continues and will be the topic of future updates. It is worth noting that we are unlikely to share all details of the attack and our mitigation efforts to preserve future defenses. [Thanks omitted]

Attack Timeline

Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it's not uncommon for Dyn's Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different (more on that later). Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers. Unfortunately, during that time, Internet users directed to Dyn servers on the East Coast of the US were unable to reach some of our customers' sites, including some of the marquee brands of the Internet. We should note that Dyn did not experience a system-wide outage at any time—for example, users accessing these sites on the West Coast would have been successful.

After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET. Again, at no time was there a network-wide outage, though some customers would have seen extended latency delays during that time.

News reports of a third attack wave were verified by Dyn based on our information. While there was a third attack attempted, we were able to successfully mitigate it without customer impact.

Dyn's operations and security teams initiated our mitigation and customer communications process through our incident management system. We practice and prepare for scenarios like this on a regular basis, and we run constantly evolving playbooks and work with mitigation partners to address scenarios like these.

What We Know

At this point we know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses. We are conducting a thorough root cause and forensic analysis, and will report what we know in a responsible fashion. The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and Internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack. [More thanks omitted]

Thank You Internet Community

On behalf of Dyn, I'd like to extend our sincere thanks and appreciation to the entire Internet infrastructure community for their ongoing show of support. We're proud of the way the Dyn team and the Internet community of which we're a part came together to meet yesterday's challenge. Dyn is collaborating with the law enforcement community, other service providers, and members of the Internet community who have helped and offered to help. The number and type of attacks, the duration, the scale, and the complexity of these attacks are all on the rise. As a company, we have for years worked closely with the Internet community to assist when others encountered attacks like these and will continue to do so. [...]

Hacked Cameras, DVRs Powered Today's Massive Internet Outage

Brett Glass

Date: Sunday, October 23, 2016

While my small ISP couldn't do much about the massive denial of service attacks that plagued the Internet this week (except to answer the phone calls from frustrated customers who could not use Twitter, Disqus, and other services which relied on Dyn as a DNS provider), we could at least make sure that we were not contributing to the attacks—and we did.

We blocked incoming attacks by the Mirai worm (which was creating the botnet that executed the DDoS attacks), monitored our network for vulnerable camera systems that were attempting to participate in it (there was only one—a cheap, Chinese DVR rebranded and resold by a company in New Jersey to one of our rural customers), and set up a honeypot to capture the code.

The thing which was embarrassing (or should have been) was that the code for the worm was simpler and easier to analyze than that of the infamous Morris worm, which was released on the Internet in 1988. It simply brute-forced certain vulnerable systems via Telnet, using default passwords, and then wormed its way into the affected systems via the shell. No need for "stack smashing" exploits or fancy, hand-assembled machine code; the systems were such sitting ducks that none of that was necessary to turn them into bots.

The owner of the infected DVR had no idea that he'd bought a vulnerable piece of equipment, one for which software updates were not available and whose security holes could not be closed—only shielded from outside attacks via a firewall and VPN. He was incredulous that anyone would even be ALLOWED to sell a device that insecure, or that the FCC—via its unwise and illegal "network neutrality" regulations—would require ISPs like me to leave them exposed to attacks by default.

As an ISP, an engineer, and an embedded system developer, all I can say is, "I told you so."
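As an added example of the network monitoring Glass describes (this is not his code; the record format, the 10.7.0.0/16 customer prefix, the addresses and the thresholds are all constructed), the Python below reads connection records and flags any source that opens TCP/23 connections to many distinct destinations within a short window, which is what a telnet-propagating worm looks like from an ISP's vantage point. It then separates a customer device that is probably infected (isolate it and call the customer) from an inbound sweep arriving from outside (drop it at the border), the two cases his post distinguishes.

```python
"""Spot hosts sweeping TCP/23 across many destinations, as an ISP sees it.

Added example, not code from the post. A telnet-propagating worm produces a
burst of connection attempts to many different addresses on port 23; this
script reads connection records, flags any source that reaches a threshold
of distinct port-23 destinations inside a short window, and says whether the
source is a customer (likely infected: isolate and notify) or outside
(inbound sweep: drop at the border). Record format, the 10.7.0.0/16 customer
prefix, addresses and thresholds are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

CUSTOMER_PREFIX = ipaddress.ip_network("10.7.0.0/16")   # assumed ISP address space
TELNET_PORTS = {23}
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_TARGETS = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)$"
)


def build_sample_log():
    """Constructed records: one infected customer DVR, one outside scanner, benign noise."""
    t0 = datetime(2016, 10, 21, 11, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for i in range(12):          # customer device sweeping port 23 outward
        lines.append(f"{stamp(2 * i)} src=10.7.3.21 dst=198.51.100.{i + 1} dport=23 flags=S")
    for i in range(8):           # outside host probing customer addresses
        lines.append(f"{stamp(3 * i)} src=203.0.113.77 dst=10.7.4.{i + 10} dport=23 flags=S")
    lines.append(f"{stamp(0)} src=10.7.9.2 dst=10.7.9.3 dport=23 flags=S")   # one admin session
    for i in range(20):          # ordinary web browsing, not telnet at all
        lines.append(f"{stamp(i)} src=10.7.5.5 dst=192.0.2.{i + 1} dport=80 flags=S")
    return lines


def parse_log(lines):
    """Parse records into (timestamp, src, dst, dport, flags) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue             # skip malformed records rather than crash
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], int(m["dport"]), m["flags"]))
    return events


def find_telnet_sweepers(events, window=WINDOW, min_targets=MIN_DISTINCT_TARGETS):
    """Map src -> total distinct port-23 targets, for every src that reached
    at least `min_targets` distinct targets within any single `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, flags in events:
        if dport in TELNET_PORTS and "S" in flags:      # SYN = a new attempt
            by_src[src].append((ts, dst))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t_end, _) in enumerate(hits):
            in_window = {d for t, d in hits[: i + 1] if t_end - t <= window}
            if len(in_window) >= min_targets:
                findings[src] = len({d for _, d in hits})
                break
    return findings


def classify(findings, customer_prefix=CUSTOMER_PREFIX):
    """Attach the response an ISP would take to each flagged source."""
    out = {}
    for src, n_targets in findings.items():
        if ipaddress.ip_address(src) in customer_prefix:
            action = "customer device likely infected: isolate and notify"
        else:
            action = "inbound sweep: drop at border"
        out[src] = (action, n_targets)
    return out


if __name__ == "__main__":
    report = classify(find_telnet_sweepers(parse_log(build_sample_log())))
    for src, (action, n) in report.items():
        print(f"{src}: {n} distinct port-23 targets -> {action}")
```

The single legitimate admin session from 10.7.9.2 is not flagged, because the detector keys on breadth (distinct destinations per window) rather than on port 23 alone; that is what keeps a rule like this from paging the NOC every time someone manages a switch over telnet.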

German voting system, for comparison

Thomas Koenig

Date: Sun, 23 Oct 2016 22:11:04 +0200

First, there is no voter registration per se. Everybody who moves house is required by law to report to the registry office ("Einwohnermeldeamt"). This office keeps track of everybody's date of birth and nationality, so they know when somebody is eligible for voting.

A few weeks before the election, everybody who may vote is sent voting cards. These can be used to request ballots; if the person wants to do this, they send in the voting card, get a ballot, fill it out and send it back by mail in an envelope inside an envelope. The outer envelopes are opened, and the inner envelopes stored someplace at the appropriate office. How replacement of ballots is prevented there, I don't know.

On voting day (which is usually a Sunday), people go to the polling station, where they present their voting cards. If they have lost them, or forgotten them at home, they can show their ID cards instead, which everybody in Germany is required to have by law.

The name is checked against a list of voters, and it is marked that that person has voted.

Voting is done on paper ballots; you make a cross inside a circle next to the name of the candidate or party you choose.

Counting is done by hand, by volunteers or by draft. The counting process is open to everybody. Parties which have suspected that they were being cheated have urged their members to attend the counting process to report irregularities.

Paper ballots are kept to allow a recount. This has changed the result of elections in the last years a few times, leading to one additional seat given to the AfD in state elections in Bremerhaven after pupils miscounted badly, or to the ruling red-green coalition losing its majority in Cologne one year after the election.

Re: Undetectable election hacking?

Mark Brader

Date: Sat, 22 Oct 2016 20:37:57 -0400 (EDT)

Mark Kramer writes:

> In the US Presidential elections people are not voting for parties. They are
> not even voting for the people named on the ballot...
>
> In the US, people are actually voting state-by-state for people called
> "electors", who are appointed by each state to participate in the Electoral
> College. Those electors actually cast the final votes for the President.
> They are supposed to be sworn to vote for the person (not the party) who won
> the state-wide popular vote, but I believe there have been cases of
> defection in the past. And even though the official "election" is assumed by
> many to close at 8PM local time and all the hoopla starts over who won and
> lost, it truly doesn't even take place until December when the Electoral
> College meets to cast their ballots.
>
> This system was designed and described in the US Constitution when it was
> first written.

In fact, nothing in the US Constitution has ever specified (1) that when the public votes to choose the electors, the names on the ballot should be those of the presidential candidates they have sworn to vote for; (2) that electors should be pledged to vote for a particular candidate at all; or for that matter (3) that electors should be chosen through a public vote at all. All of these things have been false in some cases.

The present system where all these things are true is one that has arisen on top of the constitutional one—and may reasonably be considered to have subverted the original notion that the choice of the president was too important to leave up to the general public.

Incidentally, it is also not true (4) that the Electoral College meets. Actually, as the constitution specifies, there are 51 separate meetings of the electors, one in each state and one in DC. The results from each state are sent to Washington and opened and tabulated in the presence of Congress.

Re: Undetectable election hacking?

Paul Edwards

Date: Sat, 22 Oct 2016 14:10:24 +1100

> Australia has begun registering voters automatically.

This might be news to the Australian Electoral Commission, the body responsible for administering the electoral roll and running federal elections in Australia.

Do you have a source for this assertion? [...] suggests that enrolling is still a voter-initiated process.

> That's because Australia has instant run-off voting and proportional
> representation, so the number of minority votes in a given district could
> affect future elections.

To clarify for RISKS readers, Australia has a bicameral parliament. The lower house (House of Reps) is a winner-take-all proposition on a seat-by-seat basis, which uses a preferential run-off system. Thus the disgruntled voter can send a message to the major party by voting for a candidate who has no chance to win, and preferencing their preferred/least-evil major party candidate second. As such, such a vote won't influence future elections, but may (in theory) cause a rethink of policy platforms.

The upper house (Senate) is proportional representation, also using a preferential run-off system, but one that is now different to the lower house (after a law change earlier this year).

It's worth noting that despite the mythology around Australian voting, it's not compulsory to vote in Australia. If you are not on the roll, you don't have to vote. If you are on the electoral roll, on election day you have an obligation to attend a voting centre and have your name marked off the roll. That's enough to avoid the fine. (For me, I also go the next step and actually vote). The population of Australia is ~24 million; on election day in 2016 there were 15.7 million folks on the electoral roll, with a turnout of 14.3 million (91% turnout). (source for the latter two stats: )

Re: Undetectable election hacking?

David Brodbeck

Date: Fri, 21 Oct 2016 21:14:19 -0700

"It happens to be a very common comparison because Diebold's ATM machines are extremely accurate."

This is true, but it's largely because the criteria for a voting machine are almost exactly opposite those of an ATM.

An ATM doesn't just need to accurately record your input, it also:

a) Keeps an identifiable record of what transaction you made.

b) Allows your actions (and in many cases your photo) to be correlated with the final result, if there's a need to audit it later.

The ATM security model revolves heavily around the idea that only you have your PIN and card combo, so the machine can know with certainty who you are.

By contrast, a voting machine:

a) must NOT retain identifying information

b) must NOT be able to correlate any one vote with a specific individual.

If we didn't have the secret ballot, we could build our voting machines like ATMs and verifying votes would be easy, but that's not the way we've chosen to structure our democracy.

Also, you might be overestimating how secure the average ATM is. Most are internally just commodity PC hardware running a consumer operating system; this used to be Windows CE but I don't know what the OS of choice is now, since I haven't worked on one in about 10 years.

The Right to be Forgotten for posts sitting in a moderator's queue

Dan Jacobson

Date: Mon, 24 Oct 2016 07:43:18 +0800

* User accidentally cuts and pastes his entire family bank records to the bottom of a post. But now it is in the moderator queue and user is late to the airport for a long trip.

* If it was an unmoderated post already posted, the user could easily edit it, but now it sits like a ticking time bomb in the moderator's queue, for how long, nobody knows, as the moderator is on a trip of his own.

* User is turning purple in horror, considering asking the government for assistance in stopping the pending possible disastrous release of personal information.

* Or: at 06:00 user makes a libelous post that gets queued. 10:00 user and party B agree to an out of court settlement. User wishes to stop potential post, but cannot! 12:00 moderator approves post leading to misunderstandings on all sides, and even violence.

* Or: N. Koreans launch a missile headed for the U.S. When halfway there the two sides reach a peace agreement. However there is no ABORT button to stop the missile!