
RISKS Digest 30.16

Sunday 26 February 2017

That "Russian" DoS against Deutsche Telekom? They just arrested... a Brit

RT via danny burstein <dannyb@panix.com>

Date: Fri, 24 Feb 2017 09:38:38 -0500 (EST)

The cops just arrested... a Brit.

[quoting from Russia Today for their well deserved gloat]

Not Russian hackers: Brit arrested for cyberattack on Germany [previously] blamed on Moscow

A UK national has been detained in London on suspicion of carrying out a cyber-attack last year that left 1 million Deutsche Telekom customers without service. At the time, German Chancellor Angela Merkel hinted that Russia might be behind the attack.

The 29-year-old man was arrested on Wednesday at Luton airport in southern England by officers from the UK's National Crime Agency (NCA) at the request of the *German* police, The Local reported.

The rest, including the description of the attack that took DT off the Internet (which, per friends of mine in Germany, was a lot more intense than reported and still has continuing after-effects): https://www.rt.com/news/378441-germany-cyber-attack-telekom-russia/

Swift-based ransomware targets macOS pirates with false decryption promise

AppleInsider via geoff goodfellow <geoff@iconia.com>

Date: Wed, 22 Feb 2017 11:04:26 -1000

New ransomware for the Mac has been discovered by security researchers, with the "poorly coded" malware created in Swift encrypting the user's files and demanding a payment, without any possibility of decrypting the files even if the ransom is paid...

http://appleinsider.com/articles/17/02/22/swift-based-ransomware-targets-macos-pirates-with-false-decryption-promise

Study reveals bot-on-bot editing wars raging on Wikipedia's pages

The Guardian <lauren@vortex.com>

Date: Thu, 23 Feb 2017 17:23:56 -0800

via NNSquad https://www.theguardian.com/technology/2017/feb/23/wikipedia-bot-editing-war-study

"The fights between bots can be far more persistent than the ones we see between people," said Taha Yasseri, who worked on the study at the Oxford Internet Institute. "Humans usually cool down after a few days, but the bots might continue for years." The findings emerged from a study that looked at bot-on-bot conflict in the first ten years of Wikipedia's existence. The researchers at Oxford and the Alan Turing Institute in London examined the editing histories of pages in 13 different language editions and recorded when bots undid other bots' changes.

[Above also noted by Gabe Goldberg, who added this: Great way to create encyclopedia...and run the future world:]

Yasseri believes the work serves as an early warning to companies developing bots and more powerful artificial intelligence (AI) tools. An AI that works well in the lab might behave unpredictably in the wild. “Take self-driving cars. A very simple thing that's often overlooked is that these will be used in different cultures and environments,” said Yasseri. “An automated car will behave differently on the German autobahn to how it will on the roads in Italy. The regulations are different, the laws are different, and the driving culture is very different,” he said.

[Who BOThers the BOTherds? NoBOTy but the BOTherds themselves! PGN]

SHA-1 collision

PGN <neumann@csl.sri.com>

Date: Thu, 23 Feb 2017 12:12:12 PST

Two PDF files display different content, yet have the same SHA-1 digest.

Nine quintillion (9,223,372,036,854,775,808) SHA1 computations, with 6,500 CPU-years for phase one, and 110 GPU-years for phase two:

https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/

https://www.wsj.com/articles/google-team-cracks-longtime-pillar-of-internet-security-1487854804

https://shattered.it/ and http://shattered.io/ https://marc-stevens.nl/research/papers/SBKAM17-SHAttered.pdf

However, this is not particularly earth-shattering, in that SHA-1 is not used much any more. Incidentally, the fourth of Adi Shamir's 15 predictions for the next 15 years on cybersecurity, crypto, quantum, privacy, and payments (blogged by Ross Anderson) from a recent panel in 2017 Financial Crypto:

4. RC4 and SHA-1 will be phased out while AES and SHA-2/3 will remain secure. (Adi expects a SHA-1 collision within the year.)

https://www.lightbluetouchpaper.org/2016/02/22/financial-cryptography-2016/#comment-1456744

Cloudflare bug

Brooks Davis <brooks@csl.sri.com>

Date: Fri, 24 Feb 2017 16:58:11 +0000

Cloudflare was leaking data between TLS sessions on the encrypted proxy systems. Google found this and reported it last week. (Do look at the PNGs of leaked data, it's remarkable!)

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Cloudflare found the bug, fixed it, and posted a write-up:

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

The bogus code was something like:

/* generated code */ if ( ++p == pe ) goto _test_eof;

but the ++ caused p to skip past pe due to alignment. Assuming they were using a malloc() with strict bounds, leakage would be zero. (Another part of the writeup asserts that the bug triggered reliably only on 4k or smaller buffers.)

PS. One amusing note from the Cloudflare writeup: one of several conditions that trigger the bug included "Server-Side Excludes execute only if the client IP has a poor reputation (i.e., it does not work for most visitors)." Which means that data leaks happened more commonly to clients that were believed to be malicious!

[This has been PGN-ed for RISKS. Thanks to Brooks.]
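The end-of-buffer check quoted above is worth seeing in motion. The following is an added illustration, not Cloudflare's or Ragel's code: a toy tag scanner that walks a request buffer [p, pe) and, as this example's own stand-in for the real parser's advance, consumes two bytes at once on a '<'. When the buffer ends in an unterminated '<', p lands at pe + 1, so an `== pe` test never fires and the scan continues into whatever memory follows the buffer. The backing array, the 16-byte request, and the "neighbouring session" bytes after it are all constructed for the example; the logical buffer sits inside a larger array so the over-read can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Which end-of-buffer test the scanner performs after advancing p. */
enum check_mode { CHECK_EQ, CHECK_GE };

/* Toy tag scanner (example code, not the Ragel-generated parser).
 * buf[0..len) is this request's data; the backing array continues up to
 * buf[backing_len) and stands in for whatever memory sits after the buffer.
 * On '<' the scanner consumes two bytes at once (the tag opener and its
 * first character), so a buffer ending in '<' pushes p to pe + 1.
 * Returns the number of bytes read from beyond pe; up to leaked_cap of them
 * are copied into 'leaked' (caller supplies the NUL termination). */
static size_t scan(const char *buf, size_t len, size_t backing_len,
                   enum check_mode mode, char *leaked, size_t leaked_cap)
{
    const char *p = buf;
    const char *pe = buf + len;               /* logical end of the request */
    const char *hard_end = buf + backing_len; /* end of the backing array */
    size_t over = 0;

    while (p < hard_end) {
        if (p >= pe) {                        /* reading past the request: a leak */
            if (over < leaked_cap)
                leaked[over] = *p;
            over++;
        }
        /* advance two bytes on '<', one otherwise; guarded so p never passes hard_end */
        p += (*p == '<' && p + 1 < hard_end) ? 2 : 1;

        if (mode == CHECK_EQ) {
            if (p == pe) break;   /* the quoted check: never true once p == pe + 1 */
        } else {
            if (p >= pe) break;   /* hardened check: catches the overshoot */
        }
    }
    return over;
}

/* Constructed backing store (not captured data): a 16-byte request that ends
 * with an unterminated '<', followed by 32 bytes belonging to another session,
 * standing in for the adjacent heap contents the real bug exposed. */
#define REQ_LEN 16
static const char backing[] =
    "<p>hi</p><b>x</<"
    "Cookie: session=EXAMPLE_SECRET_0";

static char leaked_buf[64];

/* Scan the constructed request with the given check.  Returns the over-read
 * byte count and leaves the leaked bytes, NUL-terminated, in leaked_buf. */
size_t run_check(enum check_mode mode)
{
    memset(leaked_buf, 0, sizeof leaked_buf);
    return scan(backing, REQ_LEN, sizeof(backing) - 1, mode,
                leaked_buf, sizeof leaked_buf - 1);
}

const char *leaked_text(void) { return leaked_buf; }

int main(void)
{
    size_t n = run_check(CHECK_EQ);
    printf("== check: %zu bytes over-read: \"%s\"\n", n, leaked_text());
    n = run_check(CHECK_GE);
    printf(">= check: %zu bytes over-read: \"%s\"\n", n, leaked_text());
    return 0;
}
```

With the `==` test the scanner walks 31 bytes past the request and copies out the neighbouring session's cookie; with `>=` the overshoot is caught on the very step that causes it and nothing leaks. The same asymmetry is why a `malloc()` with strict bounds (as the message notes) would have turned the leak into a crash instead.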

IoT problems

Joe Durusau <durusau@att.net>

Date: Thu, 23 Feb 2017 16:09:55 -0600

RISKS readers might be interested in the following from the IEEE Computer Society, on the subject of the Internet of Unnecessary things.

https://www.computer.org/web/prpl-matters/content?g=8459902&type=article&urlTitle=coping-with-the-internet-of-unnecessary-things&lf1=7701638684d136616110261c62281496

Incidentally, I didn't write it.

Prominent medical quackery website removed from Google search results

Mark Thorson <eee@sonic.net>

Date: Thu, 23 Feb 2017 13:18:42 -0800

On the one hand, I agree with the anti-quackery motive, but removing quite possibly the most trafficked "alternative" medicine website from search results is disturbing to me. What if tomorrow it's the Church of Scientology? Mike Adams is no character to be respected, but it's cases like this which test our tolerance for suppressing other people's beliefs. Erosion always begins with the easiest pebble to move.

http://scienceblogs.com/insolence/2017/02/23/google-delists-mike-adams-his-hilarious-tantrum-about-the-conspiracy-behind-it-is-epic-as-is-my-schadenfreude/

Prominent cartoonist shadowbanned by Twitter

Mark Thorson <eee@sonic.net>

Date: Thu, 23 Feb 2017 14:01:30 -0800

The information war is on the march.

http://blog.dilbert.com/post/156377416856/should-twitter-and-facebook-be-regulated-as

Re: German parents told to destroy Cayla

Peter Bernard Ladkin <ladkin@causalis.com>

Date: Wed, 22 Feb 2017 07:12:13 +0100

> "An official watchdog in Germany has told parents to destroy a talking
> doll called Cayla because its smart technology can reveal personal data.
> The warning was issued by the Federal Network Agency (Bundesnetzagentur),
> which oversees telecommunications."

This misrepresents the situation. For example, someone reading this description could imagine that this has something to do with product safety, a European regulation governing risk associated with consumer products which has been taken into German law, namely EC765/2008 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:218:0030:0047:en:PDF

It's not a "warning". It is a determination by the telecommunications regulator that it is illegal for people to use these devices. Third parties wondering whether there is really a risk or not is beside the point. At the same time, the regulator has made clear it is not going to go around prosecuting all and sundry for unwitting use.

A more accurate rendering of the situation is as follows.

The telecommunications regulator has ordered the withdrawal of certain communication devices from the market after determining that they are illegal under Section 90 of the German Telecommunications Act, which prohibits communications devices with a certain specified functionality which conceal their communications capabilities as something else.

The prohibited functionality is defined in Section 90, which is about half a page long. Those who can read German can read it here: https://www.gesetze-im-internet.de/bundesrecht/tkg_2004/gesamt.pdf The point of the Section is to prohibit covert surveillance devices and their use. The regulator has determined that the Cayla toy is, given its functionality, such a prohibited device.

The press release suggests that this is part of an ongoing regulatory action. Here is an English version: https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/EN/2017/17022017_cayla.html

Science societies have long shunned politics. But now they're ready to march.

The Washington Post via Lauren Weinstein <lauren@vortex.com>

Date: Sat, 25 Feb 2017 08:26:36 -0800

*WashPo* via NNSquad https://www.washingtonpost.com/news/speaking-of-science/wp/2017/02/24/science-societies-have-long-shunned-politics-but-now-theyre-ready-to-march/

Some of the nation's biggest scientific organizations, including the American Association for the Advancement of Science and the American Geophysical Union, are partnering with grass-roots organizers to plan the March for Science, an Earth Day rally in Washington and cities around the world aimed at defending "robustly funded and publicly communicated science." The news signals that the effort, spawned from social-media musings in the days after President Trump's inauguration, has officially gone mainstream. Such coordinated activism is a big change for scientists and the societies that represent them.

- - -

I don't think marching is going to do a hell of a lot of good. But for many, many years I have strongly urged that scientists and techies be involved politically, and I was continually told by the higher-ups in these professional societies that "This isn't our role. We just do the science and let the data speak for us." I always knew that they were dangerously wrong about this, and now we have the proof. I take no pleasure from being right about the issue, however.

Some years ago, I held a pair of conferences about the Future of the Internet. At one, there was a rather distinguished looking older attendee whom I didn't know. I've called him the man in black since he was always dressed entirely in black. He sat at the back of the room and listened attentively—he rarely said anything. Then at one point, he pulled me aside privately and said words to this effect: "Lauren, I spend all my time in Washington dealing with politicians. And I can guarantee you one thing. If you techies don't become politically aware and active and start pushing back, you're going to be crushed and steamrolled." Later I found out that he was apparently a top lobbyist for the tobacco industry. It was like getting advice from Darth Vader. But he was 100% correct.

Response to Michael Marking

Ken Knowlton <kcknowlton@aol.com>

Date: Tue, 21 Feb 2017 22:14:17 -0500

[Note: Anthony Thorn suggested Marking's item in Dave Farber's IP "is a political rant and has no business in RISKS." I originally considered not including it, but then reflected on Lauren Weinstein's piece above. I'm delighted Ken Knowlton rose to the occasion. PGN]

Michael Marking's RISKS-30.15 commentary stated basically that AI does nothing to ease, but exacerbates, the unbalance of benefits in our already stratified society, also that it's not a new phenomenon.

(I agree, and recall that as an 8-year-old at the NYC 1939 World's Fair, my most memorable take-away problem, undisputed I presumed, was: with machines doing so much more of the work, how would we manage to deal with all the leisure time?)

There is another ethical aspect to the-rich-getting-richer: things and services developed thus tend, more and more, to be luxuries - not very helpful to anyone's well-being - but entailing, of course, further drain on resources, thus increasingly detrimental to the environment. Thus, even if benefits of AI, robotics, etc. were more uniformly shared, new speeds and efficiencies would/will speed ecological collapse. Unless . . .

Re: The AI Threat Isn't Skynet

Chris Drewe <e767pmk@yahoo.co.uk>

Date: Thu, 23 Feb 2017 22:18:48 +0000

1. In the UK, politicians and commentators are getting in a panic about AI taking away everybody's jobs; at risk of over-simplifying a huge topic, this seems unlikely to me, as I can remember the mid-1970s, when computers were moving from just being number-crunchers to doing more-glamorous jobs like typesetting and page make-up for newspapers and magazines, and the Internet and e-mail ("the electronic office") were on the horizon. These would let us whizz through our work in no time, with confident predictions that by the end of the century [1999] we would all be working 22-hour weeks and retiring at 40, which generated concerns that the streets might be filled with bored but well-off people causing social unrest. Now that we're well into the 21st century, how did it work out? Well... the typical working week is still around 40 hours, as it has been since the 1950s, while with pension funds depleted by an aging population and the credit crunch many people are worried if they will not be able to retire as early as 65. Not only that, but with computers, e-mail, the Internet, and cellphones, in many fields of work employees are expected to deal with business matters 24/7. So what did happen to the "leisure boom"? Obviously it's wise to anticipate likely developments and be prepared for them, but the main RISK seems to be planning in detail for a future which turns out to be quite different to what's expected.

> (1) The problem isn't AI, or other forms of automation, it's the use to
> which AI and automation are put and the basic mechanisms for allocating and
> deploying resources in our society.

2. Not sure what this has to do with RISKS, but... this seems to take the view that there's a fixed amount of health, wealth, and happiness in the world, and there must be a better way of sharing it fairly, if only we could find it; I'm not convinced, but then I'm just an engineer.

Re: Dutch election will be counted by hand

Richard Bos <raltbos@xs4all.nl>

Date: Tue, 21 Feb 2017 11:41:53 GMT

> Netherlands reverts to paper ballots and hand counting to thwart hackers.

This has another effect, not mentioned in the article but which I am going to experience directly—and for once, in RISKS, it's a positive one. Because they want to count the votes by hand, they need people to do the counting. For this, the government has sent out a call for volunteers. I will be one of them. It's personally unpaid, but you do get a bit of money for a local club - in my case, my chess club. Now, it's hardly as if this is going to kick-start my political career. You certainly won't be able to vote for me in the next election. After all, I'm there mainly for my chess club. But it _is_, in a trivial but very hands-on way, a chance for ordinary citizens to be _directly_ involved in the election process. And in my eyes, that can only be good for our democracy, hacking or no hacking.

Re: Old Intel Chips

Andrew Duane <e91.waggin@gmail.com>

Date: Wed, 22 Feb 2017 10:23:38 -0500

In Risks 30.15, Martin Ward wrote:

> A chip less than four years old is basically still in "alpha test"

That's not quite a fair characterization of this particular bug. I work for one of the companies significantly hit by this issue (*not* Intel), and I have many years background in hardware design so I've been messaging it to a lot of people in and around here lately.

The issue is a slight degradation of a small but critical circuit inside the chip that over a time measured in years will age a bit faster than expected. The years it takes the issue to even surface, coupled with the very small reduction in MTBF means it is not at all surprising that it took this long to find a couple of gates/wires that may not have been engineered quite as well as they should have been.

To characterize this as Alpha Test is not fair at all. All chips have problems throughout their life. Some are invisible, some are not. Some take a long time to discover, some surface very quickly. Sadly, the kinds of boards that use this chip are in very visible places thanks to them running the Internet. And that Internet itself has published this result far and wide. Irony at work.

That said, this is one of those risks of small embedded things out there that have latent issues and little ability to patch or service. In this case, there is no software remediation to patch, it requires a hardware fix. Major vendors like us will be repairing and upgrading boards. But how many small $100 appliances out there will just stop one day and be tossed in the trash?

Re: Cooperative Bank sends a text with a dyn.co link

Richard Bos <raltbos@xs4all.nl>

Date: Tue, 21 Feb 2017 12:00:26 GMT

> How can we persuade people not to click on dodgy links in emails and text
> messages when legitimate companies send out genuine messages with links that
> are indistinguishable from phishing attempts?

We cannot.

As far as I can tell, the only way to stop companies from sending out such deleterious emails is to switch banks, but unfortunately that is often prohibitively impractical.

Re: Cooperative Bank sends a text with a dyn.co link

Andrew Duane <e91.waggin@gmail.com>

Date: Wed, 22 Feb 2017 10:09:59 -0500

This reminds me of days not too far past with Verizon Wireless. I signed up for paperless electronic billing when it started many years back. Some weeks later, I got an email from vzw.com rather than verizonwireless.com with the subject "Important Message about your Verizon Wireless Bill" and a "click here to read" link that pointed to some unknown domain with no relation to Verizon, and a pdf file named something like "info_<date>.pdf". Hmmmm, sure sounds legit to me.

It turns out it was in fact my monthly bill, provided by some third-party billing service Verizon hired. I complained the same way Martin did and in a few months new emails started arriving that said "Here's your Verizon Bill" with a link to the right company. At least they did something about it fairly quickly.

Re: Facebook Trending

Michael Bacon <michael.bacon@grimbaldus.com>

Date: Thu, 23 Feb 2017 18:35:07 +0000

That reminds me too of the 1970's report, attributed to IBM, that 90% [it varied] of businesses failed within 18 months of a computer fire.

It was way before many, let alone most, businesses had a computer, was not exclusively to do with fire, and didn't come from IBM. It related to small businesses failing after losing their sole premises to some disaster.

It also reminds me of the exchange in Yes Minister (a U.K. TV series) in which a drunken Home Secretary has collided with a nuclear waste lorry. The Whitehall mandarin, Sir Humphrey Appleby announces that, "It leaked out." Aghast, the Minister exclaims, "The nuclear waste?" "No, Minister. The story."

Re: "The missile may have veered ... towards the United States"

Richard Bos <raltbos@xs4all.nl>

Date: Tue, 21 Feb 2017 12:20:56 GMT

> All missile launches...including subs...have a missile safety officer
> Their sole job is to have their finger on the detonate button if something
> goes wrong.

That, however, is not the problem. The problem is that the Prime Minister - the recently succeeding, not personally elected PM—knew about this test, and failed to inform Parliament. And she committed this lapse of faith, not in time of war when such leaks might have led to panic, but at the time of a parliamentary debate on the future of Trident itself, when such information, including necessary technical nuances such as yours, was definitely due to the MPs. Would this added information have changed the outcome of the decision? _Should_ it have? Nobody can now tell. But one thing is certain: Theresa May treated her Parliament with disdain and a lack of /bona fide/, and _that_, regardless of any missile test, is well worth getting riled up about.

> The extremely poor scientific reporting that goes on in the media leaves a
> lot of people with bad and/or incomplete information....

This is true enough, but this scandal is not about the science, but about the political misbehaviour afterward.

Re: Nim Language Draws From Best of Python, Rust, Go, and Lisp

OK <ok@cs.otago.ac.nz>

Date: Tue, 21 Feb 2017 21:22:23 +1300

Wols Lists wrote about PL/I that "A misplaced parenthesis ran a serious risk of still leaving you with a valid program, but one that did something completely different from what you intended. Caused by the massive overloading of the meaning of said character."

It is well to understand old blunders so that we can avoid them.

Parentheses were used just three ways in PL/I:

- fixed syntax, as in DO WHILE (expr); ... END; The pattern <keyword>(<stuff>) is common.
- grouping, for expressions and declarations.
- enclosing procedure arguments and array subscripts, which have the same form, as in Fortran.

"Massive overloading"? Only if you think parentheses are massively overloaded in C, C#, JavaScript, Ruby, ...

A feature was copied from Fortran, because of its "familiarity" and "naturalness". That is that procedure arguments were passed by dummy variable. Supply a variable, and the procedure can change it. Supply an expression, and it's assigned to a hidden variable, so it's sort of like pass by value. So

    CALL PROC(VAR);    /* PROC can change VAR */
    CALL PROC((VAR));  /* PROC cannot change VAR */

Worse than that, if the attributes of VAR did not match the attributes of the formal parameter, there was an *invisible* conversion from VAR to whatever was expected, making it an expression that just *looks* like a variable. E.g.,

    DECLARE PROC ENTRY(DECIMAL FIXED (9,0));
    DECLARE VAR BINARY FIXED (31,0);
    ...
    CALL PROC(VAR);  /* invisible conversion, PROC can't change VAR */

From which we learned that (1) invisible conversions are a bad idea (hello, C++, Java, &c) (2) it's really good if you can tell whether an actual parameter is passed by reference or value by the form of the call (actually, almost nobody learned this).

Re: WiReD -- Product is Mis-Identified

tanner andrews <tanner@payer.org>

Date: Wed, 22 Feb 2017 09:07:14 -0500 (EST)

> wired sells articles

No. It sells eyeballs. The articles are how it draws the viewers, but the viewers are the product for which money is taken.

The ad blockers may interfere with this revenue model, but the alternative is that the suppliers of eyeballs (to wit, readers) expose themselves to the risk of what the ad networks furnish. The ad networks will happily furnish malware, JavaScript, pop-ups, and other evil things.

The installation of malware, pop-ups, and the like will reduce the ability of eyeballs to present themselves. Thus, over time, the business model destroys its product, and this may not be sustainable.

Re: WiReD

Michael Kohne <mhkohne@kohne.org>

Date: Wed, 22 Feb 2017 10:16:10 -0500

I think the problem here is that many folks do not run ad-blockers in order to block ads. They run ad-blockers in order to avoid their systems being infested by malware coming in through the ad network. They run ad-blockers in order to avoid their systems suddenly slowing down because an ad has started doing something processor-intensive. They run ad-blockers in order to avoid their browsers spawning new tabs which start playing video or audio. They run ad-blockers because some ads are fantastically creepy in how they target you for certain products after you look at something on one website.

In other words: The presence of ads IS NOT the problem. It's the form of the ads, and the potential for harm that comes with them that's the problem.

Most web sites don't control their own ad content - they use ad networks that pick the ads on the fly based on all sorts of factors. And these ad networks are regularly used as malware vectors (even though they try REALLY hard to avoid it).

If the websites want people to not block ads, then perhaps the solution isn't ad-blocker-blockers, but rather, ads that aren't annoying, in-your-face, blaring-out-your-speakers video, which oh yea might also have some malware tagging along for the ride.

In other words, if they don't want people using ad blockers, perhaps the websites should take control of their own ads, make some guarantees about what's OK and what's not, and stop being stalker-level creepy.

Re: WiReD

John Bechtel <john@bechtel.me.uk>

Date: Thu, 23 Feb 2017 11:29:58 +0000

Yup. Absolutely. But it's not my website, I am merely a visitor to it. If I don't like what they do—be it ads or indeed malware (and yes, I use an ad blocker primarily for that also)… then I don't go there. It's their decision to make about how they treat their site visitors (knowingly or unknowingly), it's our decision to be treated that way or not.

Re: WiReD

Michael Kohne <mhkohne@kohne.org>

Date: Thu, 23 Feb 2017 07:28:00 -0500

Fair enough. I think, personally, that by just walking away we let these bozos go on believing that people are just cheap, instead of there being a number of valid reasons that people run ad-blockers. The market may catch up to them at some point, but who knows what we'll lose along the way?