RISKS Digest 28.74

Wednesday 1 July 2015

Israel's comptroller: Biometric database full of flaws

Hanan Cohen <>

Date: Sun, 28 Jun 2015 08:34:50 +0300

Report says there is not enough information to determine whether the data-gathering system is even worthwhile. Meanwhile, Interior Minister Shalom orders extension of the trial period of the project.

Most Internet anonymity [VPN service] software leaks users' details


Date: Tue, 30 Jun 2015 07:57:36 -0700

QMUL via NNSquad

The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leaked information ranged from the websites a user is accessing to the actual content of user communications, for example comments being posted on forums. Interactions with websites running HTTPS encryption, which includes financial transactions, were not leaked. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. IPv6 replaces the previous IPv4, but many VPNs only protect users' IPv4 traffic. The researchers tested their ideas by choosing fourteen of the most famous VPN providers and connecting various devices to a WiFi access point which was designed to mimic the attacks hackers might use.
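As an added illustration (not from the QMUL study or its authors): a small check, run over a constructed sample of Linux `ip -6 route show` output, of whether a host's IPv6 default route bypasses the VPN tunnel interface in the way the study describes. The interface name `tun0` and the sample addresses are this example's own assumptions.

```python
# Constructed sample of `ip -6 route show` on a host whose VPN client only
# tunnels IPv4: the IPv6 default route still points at the physical interface.
LEAKY_ROUTES = """\
2001:db8:1::/64 dev wlan0 proto kernel metric 256
fe80::/64 dev wlan0 proto kernel metric 256
fe80::/64 dev tun0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 1024
"""

# Same host with IPv6 routed into the tunnel as well (constructed).
TUNNELLED_ROUTES = """\
2001:db8:1::/64 dev wlan0 proto kernel metric 256
fe80::/64 dev wlan0 proto kernel metric 256
default dev tun0 metric 50
"""

# A host where the VPN client removed IPv6 default routing entirely (constructed).
NO_IPV6_DEFAULT = """\
fe80::/64 dev wlan0 proto kernel metric 256
"""


def default_ipv6_devices(route_output):
    """Interfaces that carry an IPv6 default route (there may be more than one)."""
    devices = []
    for line in route_output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("default", "::/0"):
            continue
        if "dev" in fields:
            devices.append(fields[fields.index("dev") + 1])
    return devices


def ipv6_leaks_past_vpn(route_output, vpn_device="tun0"):
    """True when any IPv6 default route leaves via an interface other than the
    tunnel. A host with no IPv6 default route at all is reported as not leaking:
    its IPv6 traffic goes nowhere rather than around the VPN."""
    return any(dev != vpn_device for dev in default_ipv6_devices(route_output))


if __name__ == "__main__":
    for name, routes in (("leaky", LEAKY_ROUTES), ("tunnelled", TUNNELLED_ROUTES),
                         ("no-default", NO_IPV6_DEFAULT)):
        print(name, "leaks" if ipv6_leaks_past_vpn(routes) else "ok")
```

Because a router advertisement received after the tunnel comes up can re-add an IPv6 default route on the physical interface, the check is only meaningful if repeated while the VPN is in use, not just once at connect time.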

The latest RISKS items from TechWeekEurope

Werner U <>

Date: Sun, 28 Jun 2015 23:05:16 +0200

(btw, the need for collaboration was the main point I made in a talk at the FIRST conference in St. Louis in the early '90s)

IBM Security CTO: Cloud Security Needs Collaboration <>

WATCH: Cloud security needs to go beyond transparency to keep up with global coordinated attacks, according to IBM's Martin Borrett Ben Sullivan <>, June 26, 2015, 4:02 pm

Third Of British Firms Targeted By Ransomware <>

New study reveals alarming number of British firms have been held to ransom by hackers Tom Jowitt <>, June 26, 2015, 2:29 pm

Apple iPhones Hit With Blue Screen Of Death Bug <>

T-Mobile users in the US take to the Internet to share their anger at mystery outage Michael Moore <>, June 26, 2015, 11:21 am

Seven-Day Healthcare? Good Luck Without Mobile <>

Mubaloo's Alana Saunders tells us why the NHS needs to embrace mobile technology in order to provide a fuller service to patients Michael Moore <>, June 26, 2015, 3:38 pm

Apple Co-Founder Wozniak Predicts AI Will Treat Humans As Pets <>

Steve Wozniak changes his mind about artificial intelligence and predicts benevolent machines Tom Jowitt <>, June 26, 2015, 2:32 pm

Have Password Management Services Been Hacked To Death? <>

June 26, 2015, 12:54 pm

Cisco Patches Default SSH Key Virtual Appliance Vulnerabilities <>

Cisco urges firms to download fix for flaw that could allow attackers to gain access to systems and intercept traffic Steve McCaskill <>, June 26, 2015, 12:46 pm

Sophos IPO Values UK Security Firm at 1-billion pounds <>

Security icon sounds dire warning over the security of the Internet of Things Michael Moore <>, June 25, 2015, 1:53 pm

*The Washington Post* to Deploy More Secure HTTPS Across Site

Gabe Goldberg <>

Date: Tue, 30 Jun 2015 17:37:00 -0400

[Now if they'd only fix site navigation and search, it would be worthwhile visiting...]

Washington, DC—*The Washington Post* said on Tuesday it will become the first major news publisher to deploy HTTPS, an Internet protocol that encrypts data exchanged between browsers and websites, across both its desktop and mobile sites. The company said the move will give site visitors the same level of privacy and security as when they conduct e-commerce or online banking. "We will be able to offer our more than 50 million readers per month the peace of mind in knowing that their privacy and reading habits are protected when they are on our site," said CIO Shailesh Prakash. The Post's homepage, National Security section and The Switch technology policy blog will be the first to move to HTTPS, with the rest of the site migrating in the coming months. <>

Gabriel Goldberg, Computers and Publishing, Inc. 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

WiFi Offloading is Skyrocketing

Werner U <>

Date: Sun, 28 Jun 2015 16:42:52 +0200

[smurfed from SlashDot—why in RISKS? do read the comments... :-]

dkatana <> wrote on 25 Jun 2015 <>

WiFi Offloading is skyrocketing. This is the conclusion of a new report from Juniper Research, which points out that the amount of smartphone and tablet data traffic on WiFi networks will increase to more than 115,000 petabytes by 2019, compared to under 30,000 petabytes this year, representing almost a four-fold increase. Most of this data is offloaded to consumers' WiFi by the carriers, offering the possibility to share your home Internet connection in exchange for "free" hotspots. [...] the growing number of WiFi devices using unlicensed bands is seriously affecting network efficiency. Capacity is compromised by the number of simultaneously active devices, with transmission speeds dropping as much as 20% of the nominal value. With the number of IoT and M2M applications using WiFi continuously rising, that could become a serious problem soon.

The sharp elbows of driverless cars

Mark Thorson <>

Date: Mon, 29 Jun 2015 13:17:48 -0700

Google's driverless car cut off Delphi's driverless car in Mountain View. No collision occurred.

"Sad day for developers: SCOTUS denies Google's appeal on APIs"

Simon Phipps <>

Date: Tue, 30 Jun 2015 09:24:06 -0700

Simon Phipps, InfoWorld, 29 Jun 2015

Supreme Court's decision is bad news for developers targeting the U.S. market, who will now have to avoid any API not explicitly licensed as open

InfoWorld Tech Watch

opening text:

In an unsurprising ruling today, the Supreme Court balanced a little of the good it did last week by denying Google's appeal against Oracle in the matter of the copyrightability of APIs. The case will now be returned to the lower courts to hear Google's fair use defenses.

While the decision was foreshadowed by the amicus brief delivered by the Solicitor General a month ago, it's still bad news for 21st century developers and open communities. Denying the appeal gives corporations with a 20th century mindset the ability to require permission from developers seeking to innovate on top of their platforms. Instead of being able to just assume that use—especially re-implementation—of an API is OK, developers will now need to avoid any API that is not explicitly licensed as open.

"Microsoft quietly pushes 17 new trusted root certificates to all Windows systems"

Woody Leonhard <>

Date: Tue, 30 Jun 2015 09:27:00 -0700

Woody Leonhard, InfoWorld, 29 Jun 2015

The aging foundation of Certificate Authorities shows yet another crack as security experts are caught unaware

opening text:

Microsoft is under no obligation to notify you or ask your permission before placing a new trusted root certificate on your Windows PC. That said, just last year Microsoft was caught in the embarrassing position of yanking 45 bogus certificates issued under the root certificate authority of the government of India's Controller of Certifying Authorities. Transparency in distributing new trusted root certs is a good thing.

A certificate expert who goes by the Twitter handle @hexatomium said in an article on GitHub over the weekend that Microsoft started pushing the new trusted root certificates earlier this month to "all supported Windows systems." It isn't clear how the root certs were pushed, but he does say Microsoft "did not announce this change in any KB article or advisory."

"Tap your iPad to order: Restaurant automation nobody needs"

Galen Gruman <>

Date: Tue, 30 Jun 2015 09:37:28 -0700

Galen Gruman, InfoWorld, 30 Jun 2015

Self-checkout comes to the food court, with the same mixed experience as at any self-checkout terminal

opening text:

OTG, one of those companies that manages restaurants at airports, is very proud of its iPad deployment at Newark Liberty International Airport in New Jersey. More than 1,000 iPad Airs are in use at restaurant tables in the airport's food courts, letting travelers order food directly and pay on the spot—no need to wait for a server to take your order or to process your payment.

I had a chance to check out this deployment on a recent trip, and I'm not sure OTG's pride is warranted. As we've seen in other automation efforts, such as those self-checkout stands at supermarkets and home-improvement stores, the reality is not as smooth as the promise. And the goal remains to remove human labor on the vendor side and have the customer pick up at least some of that work.

Gene's Comments: 1) Look at the failure modes in the article. This is something that is not ready for general use. 2) Me pick up some of the work? This clashes with the fact that when I go out, I typically want to be pampered a bit.

Automation dependency: Children of the Magenta

Henry Baker <>

Date: Sun, 28 Jun 2015 13:33:15 -0700

FYI—"Semi-autonomous" cars are here today, so it is appropriate to revisit what can go wrong due to "automation dependency".

Roman Mars's 31-minute podcast episode from "99% Invisible" discusses "Children of the Magenta", who are airline pilots who become such slaves to their autopilots that they allow their normal piloting skills to deteriorate.

The real problem with the crash of Air France 447 wasn't the fact that its air speed sensor failed, but the inability of these "Children of the Magenta" pilots to respond.

"What's It Doing Now": The user has no good model of what the autopilot is trying to do, but instead of simply disconnecting it, the pilot tries to "understand" the autopilot. An emergency situation is no place to be debugging your mental model of the autopilot.

The excellent video in which the phrase "Children of the Magenta" first originated:

1997 AA presentation about the Levels of Flight Deck Automation and how to keep out of trouble

Episode 170: Children of the Magenta (Automation Paradox, pt. 1)

Roman Mars, 23 Jun 2015

On the evening of 31 May 2009, 216 passengers, three pilots, and nine flight attendants boarded an Airbus 330 in Rio de Janeiro. This flight, Air France 447, was headed across the Atlantic to Paris. The take-off was unremarkable. The plane reached a cruising altitude of 35,000 feet. The passengers read and watched movies and slept. Everything proceeded normally for several hours. Then, with no communication to the ground or air traffic control, flight 447 suddenly disappeared.

Days later, several bodies and some pieces of the plane were found floating in the Atlantic Ocean. But it would be two more years before most of the wreckage was recovered from the ocean's depths. All 228 people on board had died. The cockpit voice recorder and the flight data recorders, however, were intact, and these recordings told a story about how Flight 447 ended up in the bottom of the Atlantic.

The story they told was about what happened when the automated system flying the plane suddenly shut off, and the pilots were left surprised, confused, and ultimately unable to fly their own plane.

[Long item—just part one of two—truncated for RISKS. PGN]

The Future of Car Keys? Smartphone Apps, Maybe

NYTimes <>

Date: Fri, 26 Jun 2015 23:19:23 -0400

Apps are increasingly performing the functions of keys, but experts say there are still kinks to be worked out before, and if, physical keys become extinct.

ISIS and the Lonely Young American

NYTimes <>

Date: Sun, 28 Jun 2015 13:32:53 -0400

For months, Alex had been growing closer to a new group of friends online -- the kindest she had ever had -- who were teaching her what it meant to be a Muslim.

Leap Second problem

Bob Frankston <>

Date: 30 Jun 2015 16:51:23 -0400

Rather than write something long, I'll point out that the function

new timeSpan(2 Minutes).Seconds

cannot be implemented—yet is in many libraries. Cannot, as in cannot by definition.

There is no reason to break that function just because there are applications which need a more precise calculation relative to the rotation of the earth. Any programmer should know how to maintain a separate correction factor for those applications.

So why break a fundamental function like a time span calculation for the rare applications that need the extra precision?

Yes, I know that in 10,000 years it may matter but I have faith in our ability to program around it by then - most likely by an approach like time zones in which we simply create a standard correction factor for alarm clocks.
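Bob's "separate correction factor" can be made concrete. The following is an added example, not part of the post: a naive wall-clock difference (what a library TimeSpan returns) beside the same difference corrected by a constructed, partial leap-second table (TAI-UTC went from 35 s to 36 s at the 30 June 2015 leap second). The table, its base offset and all function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed, partial leap-second table: (first UTC instant at which the new
# TAI-UTC offset applies, TAI-UTC in seconds). Only the two entries this
# example needs; a production table is taken from IERS Bulletin C.
LEAP_TABLE = [
    (datetime(2012, 7, 1, tzinfo=UTC), 35),
    (datetime(2015, 7, 1, tzinfo=UTC), 36),
]
BASE_OFFSET = 34  # TAI-UTC in force before the first table entry (from 2009-01-01)


def tai_minus_utc(t):
    """Seconds by which TAI led UTC at instant t (t is a timezone-aware UTC datetime)."""
    offset = BASE_OFFSET
    for start, value in LEAP_TABLE:
        if t >= start:
            offset = value
    return offset


def naive_seconds(a, b):
    """What a calendar-based TimeSpan returns: the wall-clock difference, no leap seconds."""
    return (b - a).total_seconds()


def elapsed_seconds(a, b):
    """Real elapsed SI seconds from a to b: the wall-clock difference plus every
    leap second inserted in the interval (a, b]. datetime cannot represent the
    inserted second 23:59:60 itself, which is the core of the "cannot be
    implemented by definition" point: the correction lives beside the clock."""
    return naive_seconds(a, b) + (tai_minus_utc(b) - tai_minus_utc(a))


def span_seconds(start, minutes):
    """Seconds in an N-minute span: the answer depends on *where* the span sits in UTC."""
    end = start + timedelta(minutes=minutes)  # what `new timeSpan(N Minutes)` does
    return elapsed_seconds(start, end)


if __name__ == "__main__":
    before_leap = datetime(2015, 6, 30, 23, 59, tzinfo=UTC)
    print(span_seconds(before_leap, 2))                       # 121.0: crosses 23:59:60
    print(span_seconds(datetime(2015, 6, 30, 12, 0, tzinfo=UTC), 2))  # 120.0
```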

Growing opposition to the Leap Second

Mark Thorson <>

Date: Mon, 29 Jun 2015 16:51:37 -0700

More calls to abolish the Leap Second because it's alleged to cause problems for computers.

I'm reminded of all those planes that fell out of the sky when the date rolled over from 1999 to 2000. [!]

California mandatory vaccination harbinger of anti-virus software?

Henry Baker <>

Date: Mon, 29 Jun 2015 18:21:29 -0700

FYI—Whatever you may think of anti-vaxxers, the exact same arguments will be made to *require* "anti-virus" programs on your computers in order to connect to the Internet. Of course, since we know that NSA/GCHQ/*insert-your-favorite-spy-or-cybercriminal-name-here* put a very high priority on hacking anti-virus programs, these "vaccination" laws will -- in effect -- *require* the installation of a *back door* onto your computer. GAME OVER!

California mandatory vaccination bill heads to governor's desk

Jerry Brown has not said if he will sign measure which would ban `personal belief' exemptions for vaccinating schoolchildren in wake of measles outbreak

Rory Carroll, 29 June 2015

The California legislature has passed a bill mandating vaccinations for children in public schools, moving the spotlight to Governor Jerry Brown, who must now decide whether to sign into law one of the strictest vaccination regimes in the United States.

The senate in Sacramento passed a final vote on Monday to ban exemptions from state immunization laws based on religious or other personal beliefs, a contentious measure taken months after a measles outbreak at Disneyland infected more than 150 people in the US and Mexico.

The law would require nearly all public schoolchildren to be vaccinated against diseases including measles and whooping cough, with exemptions only for children with serious health issues. Other unvaccinated children would need to be homeschooled.

Analyses of root causes?

Martyn Thomas <>

Date: Sat, 27 Jun 2015 11:02:37 +0100

Can anyone give me a link to any published analyses that identify the most common underlying errors in software (or systems) engineering that have led to exploitable security vulnerabilities or to safety-related failures?

[Martyn, Try the NIST National Vulnerability Database, with CVE Vulnerabilities and lots more. PGN]