RISKS Digest 28.27

Monday 15 September 2014

Lessons for the Future: Harvard Computer Science intro course

ACM TechNews

Date: Mon, 15 Sep 2014 11:55:17 -0400 (EDT)

[This item is included as perhaps an encouraging harbinger of things to come, something that RISKS has always touted from the very beginning -- pervasively increased awareness of computer literacy, and especially computer-related RISKS. This may be a tip of just one iceberg, but I consider it good news. PGN]

Meg P. Bernhard, Harvard Computer Science Introductory Course Logs Record-Breaking Enrollment Numbers, *The Harvard Crimson*, 11 Sep 2014 via ACM TechNews, Monday, September 15, 2014

Nearly 12 percent of Harvard College's students have enrolled in the college's introductory computer science class, Computer Science 50: "Introduction to Computer Science I." With a record-breaking total enrollment of 818 undergraduate students this semester, CS50 is the college's largest course, followed by "Principles of Economics," the previous semester's largest course. Several factors are contributing to the class's popularity. Instructor David J. Malan says the boost in enrollment in part reflects a growing interest among Harvard students and the general public in computer science. Professor Eddie Kohler says CS50's growing popularity also is due to its accessibility, characterizing the course as more of an experience. Harry R. Lewis, Harvard's director of undergraduate studies for computer science, says Harvard students have "figured out that in pretty much every area of study, computational methods and computational thinking are going to be important to the future." Lewis also says he has seen higher enrollment than ever in other computer science courses this semester, including "Introduction to the Theory of Computation," which has 153 students enrolled. The number of computer science concentrators at Harvard also has increased, nearly doubling between 2008 and 2013.

Lessons From the Past for a Future in Smart Cars

Monty Solomon

Date: Mon, 15 Sep 2014 09:28:14 -0400

The slow move toward air bags and seatbelts as standard safety features, into an era of the computer on wheels.

Steve Jobs Was a Low-Tech Parent

Nick Bilton via Monty Solomon

Date: Thu, 11 Sep 2014 20:09:55 -0400

Nick Bilton, *The New York Times*, 10 Sep 2014

When Steve Jobs was running Apple, he was known to call journalists to either pat them on the back for a recent article or, more often than not, explain how they got it wrong. I was on the receiving end of a few of those calls. But nothing shocked me more than something Mr. Jobs said to me in late 2010 after he had finished chewing me out for something I had written about an iPad shortcoming.

"So, your kids must love the iPad?" I asked Mr. Jobs, trying to change the subject. The company's first tablet was just hitting the shelves. "They haven't used it," he told me. "We limit how much technology our kids use at home."

I'm sure I responded with a gasp and dumbfounded silence. I had imagined the Jobs's household was like a nerd's paradise: that the walls were giant touch screens, the dining table was made from tiles of iPads and that iPods were handed out to guests like chocolates on a pillow.

Nope, Mr. Jobs told me, not even close. ...

Software glitch sends regular Colorado driver's licenses to immigrants

Kirk Mitchell via Jim Reisert

Date: Fri, 12 Sep 2014 15:25:42 -0600

Kirk Mitchell, *The Denver Post*, 12 Sep 2014

A software glitch mistakenly sent regular Colorado driver's licenses to hundreds of immigrants living in the United States illegally, rather than the special licenses they were supposed to get, officials said Friday.

The special driver's licenses created for the first time this year for immigrants do not have an intended disclaimer that makes it clear the holder cannot vote, according to authorities.

Specifically, the cards do not have a black band near the top indicating that the license does not offer voting privileges and is not for `public benefit purposes'. "They didn't have all the security measures they were supposed to have to make sure they were used correctly," said Daria Serna, spokeswoman for the Colorado Department of Revenue.

The driver's license cards for people in the country legally with visas and those living here illegally look *identical* to driver's licenses for U.S. citizens living in Colorado, according to a news release Friday by John Raffetto, spokesman for private contractor MorphoTrust.

The glitch resulted in errors that invalidated 524 Colorado driver's licenses for those living in this country illegally, Raffetto said.

NFL's finicky WiFi connections frustrate some coaches

David Tarabar

Date: Sun, 14 Sep 2014 18:36:37 -0400

A $400 million sponsorship by Microsoft has equipped NFL coaches with Surface tablets during games. This allows them to review plays and formations—replacing printed pictures that have been used for decades. However, the connectivity has not been completely reliable. It seems that a crowded football stadium is not the best environment for reliable Wi-Fi.

... and one more thing

"The partnership with the NFL hasn't worked out ideally for Microsoft, either. Coaches, players, and TV announcers have repeatedly referred to the Surface tablets as iPads"

Airlines Take the Bump Out of Turbulence

Monty Solomon

Date: Sun, 14 Sep 2014 01:29:16 -0400

Stronger computing power, improved satellite and radar technology and more sophisticated scientific models give airlines a greater understanding of flying conditions.

Trying to Hit the Brake on Texting While Driving

Monty Solomon

Date: Sun, 14 Sep 2014 01:21:41 -0400

People keep texting when they're behind the wheel, so an engineer has found a technological solution. The problem: He can't do it on his own.

NSA/GCHQ/CSEC Infecting Innocent Computers Worldwide

Bruce Schneier

Date: Mon, 15 Sep 2014 00:08:11 -0500

Bruce Schneier, CRYPTO-GRAM, 15 Sep 2014, Co3 Systems, Inc.

There's a new story on the C't Magazin website about a 5-Eyes program to infect computers around the world for use as launching pads for attacks. These are not target computers; these are innocent third parties.

The article actually talks about several government programs. HACIENDA is a GCHQ program to port-scan entire countries, looking for vulnerable computers to attack. According to the GCHQ slide from 2009, they've completed port scans of 27 different countries and are prepared to do more.

The point of this is to create ORBs, or Operational Relay Boxes. Basically, these are computers that sit between the attacker and the target, and are designed to obscure the true origins of an attack. Slides from the Canadian CSEC talk about how this process is being automated: "2-3 times/year, 1 day focused effort to acquire as many new ORBs as possible in as many non 5-Eyes countries as possible." They've automated this process into something codenamed LANDMARK, and together with a knowledge engine codenamed OLYMPIA, 24 people were able to identify "a list of 3000+ potential ORBs" in 5-8 hours. The presentation does not go on to say whether all of those computers were actually infected.

Slides from the UK's GCHQ also talk about ORB detection, as part of a program called MUGSHOT. It, too, is happy with the automatic process: "Initial ten fold increase in Orb identification rate over manual process." There are also NSA slides that talk about the hacking process, but there's not much new in them.

The slides never say how many of the "potential ORBs" CSEC discovers or the computers that register positive in GCHQ's "Orb identification" are actually infected, but they're all stored in a database for future use. The Canadian slides talk about how some of that information was shared with the NSA.

Increasingly, innocent computers and networks are becoming collateral damage, as countries use the Internet to conduct espionage and attacks against each other. This is an example of that. Not only do these intelligence services want an insecure Internet so they can attack each other, they want an insecure Internet so they can use innocent third parties to help facilitate their attacks.

The story contains formerly TOP SECRET documents from the US, UK, and Canada. Note that Snowden is not mentioned at all in this story. Usually, if the documents the story is based on come from Snowden, the reporters say that. In this case, the reporters have said nothing about where the documents come from. I don't know if this is an omission—these documents sure look like the sorts of things that come from the Snowden archive—or if there is yet another leaker.

The Mystery of Apple Watch's Battery Life

*NYTimes* via Monty Solomon

Date: Sun, 14 Sep 2014 02:44:08 -0400

Apple had plenty to brag about at its event earlier this week. So it was particularly noticeable when Apple left out an important detail about the brand-new Apple Watch: the battery life.

iPwned: How easy is it to mine Apple services, devices for data?

Ars Technica via Monty Solomon

Date: Sun, 14 Sep 2014 10:41:31 -0400

Banks Did It Apple's Way in Payments by Mobile

Monty Solomon

Date: Sun, 14 Sep 2014 02:45:02 -0400

The eagerness of banks and card companies to work with Apple on its mobile payment system suggests Apple's clout and the concern financial players have for their future.

Senator demands US courts recover 10 years of online public records

David Kravets via Monty Solomon

Date: Sun, 14 Sep 2014 10:22:41 -0400

"Restore access," lawmaker says of docs purged because of computer upgrade issue.

David Kravets, Ars Technica, 13 Sep 2014

The head of the powerful Senate Judiciary Committee is urging the federal bureaucracy to restore a decade's worth of electronic court documents that were deleted last month from online viewing because of an upgrade to a computer database known as PACER.

Senate Judiciary Committee Chairman Patrick Leahy (D-Vermont) said the removal of the thousands of cases from online review is essentially erasing history. ...

How the cybercrime industry fueled Target breach

Jeff Morganteen

Date: Mon, 15 Sep 2014 11:17:49 PDT

Jeff Morganteen, CNBC, 10 Mar 2014, How the cybercrime industry fueled Target credit card breach: McAfee Labs

McAfee CTO: Target attack was defendable. Mike Fey, McAfee worldwide chief technology officer, discusses Target's data breach, how to best protect customer information and competition in the cybersecurity space.

The cyberattacks that led to the massive data breach at Target last year marked the "coming-of-age" for a black-market service industry that caters to malicious hackers and identity thieves, computer security company McAfee Labs said in a quarterly report Monday.

That industry allowed the thieves to not only buy custom-made malware for the theft, but also to quickly sell credit card numbers from 40 million shoppers affected by the breach. The thieves sold the numbers through online back-channels that security experts call the "dark web," the company said.

"Retailers in general took this as a wake-up call," said Mike Fey, chief technology officer at McAfee, on *Squawk on the Street*. "They saw an essentially off-the-shelf ... piece of malware modified for a unique environment, which was Target. A lot of retailers assumed that if they don't have a standard point-of-sale system, they were somehow safe. And I think Target showed them that's not the case."

McAfee Labs released its quarterly report on cybersecurity threats on Monday. The company focused its attention on the dark web malware industry that fueled the point-of-sale attacks on Target and other retailers late last year. The high-profile cyberattacks were unsophisticated technologies that identity thieves bought off the shelf from the cybercrime "service" community, which customized the software specifically for the attack, McAfee said.

McAfee researchers discovered that the Target thieves offered credit card information for sale in batches between 1 million and 4 million numbers, the cybersecurity company said. What's more, Fey said Target could have defended against the point-of-sale attacks if it had a cost-effective method of deploying existing security technology. "You take a look at the Target attack," Fey said. "That was defendable by technology that has been around. It didn't require a new silver bullet"

Last week, Target's chief information officer resigned as the retailer seeks to overhaul its security protections. [...]

After e-mail takeover, copycats demand cash to expose Bitcoin's creator

Ars Technica via Monty Solomon

Date: Sun, 14 Sep 2014 10:38:56 -0400

US gov't threatened Yahoo with $250K daily fine if it didn't use PRISM

Ars Technica via Monty Solomon

Date: Sun, 14 Sep 2014 10:35:03 -0400

[in 2008, reportedly at least doubling the fine for each day of noncompliance. Gambler's Ruin without having to gamble!?? PGN]

Supreme Court ruling has wiped out 11 "do it on a computer" patents so far

Ars Technica via NNSquad

Date: Sun, 14 Sep 2014 19:07:23 -0700


"The courts are sending a pretty clear message: you can't take a commonplace human activity, do it with a computer, and call that a patentable invention," writes Lee.

Turning the tables on "Windows Support" scammers by compromising their PCs

Ars Technica via Monty Solomon

Date: Sun, 14 Sep 2014 10:38:25 -0400

Google Play and lack of version numbers

Dan Jacobson

Date: Sun, 14 Sep 2014 20:24:31 +0800

In contrast to Apple's App Store, Google Play, the official app store for the Android operating system, does not show version numbers for its apps, only a date. The assumption apparently is no app would have a second version issued on the same date, so users wouldn't need to bother distinguishing Trojans...

(Of course I don't actually own a smartphone, so I was only comparing their websites. Which apparently the problem is only limited to.)

Canon printers `Doom'ed

Henry Baker

Date: Mon, 15 Sep 2014 09:30:56 -0700

No authentication or signing for firmware updates; "Who suspects printers?"

Hacker puts Doom on a printer to highlight security vulnerabilities

Canon PIXMA printer compromised with vintage first-person shooter game during 44Con conference

Tom Fox-Brewster, *The Guardian*, 15 Sep 2014

Running Doom on a printer is more than a gimmick: it's a security concern.

In 1993, first-person shooter Doom was a groundbreaking game. In 2014, it's being used by ethical hackers to demonstrate security vulnerabilities in connected devices.

Specifically: printers. During his talk at the 44Con conference in London, Michael Jordon from Context Information Security proved he could easily compromise the Canon PIXMA printer—popular for homes and small businesses alike—by making it run Doom.

From the exploitation standpoint, hacking the machine was trivial, as Jordon discovered that the device has a web interface with no username or password protecting it.

On initial inspection, this interface was of little interest, only showing ink levels and printing status. But it soon became apparent a hacker could use this interface to trigger an update to the machine's firmware - the underlying code that is essentially the heart and soul of the printer.

An outsider could thus have changed settings on the printer to convince it to ask for updates from a malicious server rather than Canon's official channel.

Jordon took advantage of what he described as `terrible' encryption protecting the firmware to add some tweaks to its code, enabling him to control the machine from afar.

A malicious hacker could have discovered what documents the printer was handling, or started issuing commands to take up resources. If it belonged to a business, they would also have had access to the network, on which to carry out further exploitation.

Doom? Jordon used the first-person shooter as the basis for his presentation to the white-hat hacker audience at 44Con, to make it more interesting. The graphics may have been slightly dodgy, but the game running on the Canon PIXMA was still, definably, Doom.

The point of the project was to prove that machines most would not normally expect to be hacked can be valuable to those looking to breach networks. ``If you can run Doom on a printer, you can do a lot more nasty things,'' Jordon told the Guardian. ``In a corporate environment, it would be a good place to be. Who suspects printers?''

Canon has promised a fix, after working closely with Context. ``We intend to provide a fix as quickly as is feasible,'' the company said.

[Truncated for RISKS. PGN]
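The Canon item above describes three defects that compound: a web interface with no authentication, an update mechanism that can be pointed at any server, and a firmware image protected only by weak encryption rather than a signature. The following Python is an added example written for this digest; it is not code from the Guardian article, from Context Information Security or from Canon, and the real PIXMA update format is not on this page. It models the weak design (repeating-key XOR plus a CRC, accepted from any host) beside a hardened one (pinned update host, authenticity check before anything is parsed). Every constant is constructed: the `PIXMAFW` header, the 4-byte XOR key, the signing key and the hostnames. Because the standard library has no asymmetric primitives, HMAC-SHA256 stands in for the vendor signature; the comment in `signed_accept()` says what a real device would do instead.

```python
"""Toy model: "encrypted" firmware vs. signed firmware (constructed example)."""
import hashlib
import hmac
import zlib

MAGIC = b"PIXMAFW\x00"                           # constructed constant image header
XOR_KEY = bytes.fromhex("5a3c9f17")              # constructed 4-byte repeating key
SIGNING_KEY = b"vendor-signing-key-for-demo"     # constructed; see signed_accept()
OFFICIAL_UPDATE_HOSTS = {"updates.example-vendor.test"}   # constructed allowlist


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# ---- the weak design: obfuscation plus a CRC, accepted from any host ----

def build_vulnerable_image(code: bytes) -> bytes:
    """Image = XOR(MAGIC || code) || CRC32(MAGIC || code)."""
    body = MAGIC + code
    return xor_crypt(body, XOR_KEY) + zlib.crc32(body).to_bytes(4, "big")


def vulnerable_accept(image: bytes, source_host: str) -> bool:
    """source_host is ignored: whatever server the web UI was pointed at is
    trusted. A matching CRC proves only that nothing was corrupted in transit."""
    ciphertext, crc = image[:-4], int.from_bytes(image[-4:], "big")
    body = xor_crypt(ciphertext, XOR_KEY)
    return body.startswith(MAGIC) and zlib.crc32(body) == crc


def recover_xor_key(image: bytes, key_len: int = 4) -> bytes:
    """Known-plaintext attack: the header is constant, so ciphertext XOR header
    gives the key. key_len is assumed found by spotting the repeating period."""
    return xor_crypt(image[:key_len], MAGIC[:key_len])


def forge_image(image: bytes, patched_code: bytes) -> bytes:
    """With the recovered key the attacker re-encrypts arbitrary code and
    recomputes the CRC; the device cannot tell this from a vendor image."""
    key = recover_xor_key(image)
    body = MAGIC + patched_code
    return xor_crypt(body, key) + zlib.crc32(body).to_bytes(4, "big")


# ---- the hardened design: pinned source, authenticate before parsing ----

def build_signed_image(code: bytes) -> bytes:
    """Image = TAG(ciphertext) || ciphertext. The tag covers the bytes exactly
    as received, so the device verifies before it decrypts or parses anything."""
    ciphertext = xor_crypt(MAGIC + code, XOR_KEY)
    tag = hmac.new(SIGNING_KEY, ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def signed_accept(image: bytes, source_host: str) -> bool:
    """Reject unknown update sources, then check the tag in constant time.
    On a real device the tag would be an asymmetric signature (e.g. Ed25519)
    verified with a public key baked into the firmware, so dumping the
    printer's flash yields nothing that can sign a new image; HMAC stands in
    here only because the standard library has no asymmetric primitives."""
    if source_host not in OFFICIAL_UPDATE_HOSTS:
        return False
    tag, ciphertext = image[:32], image[32:]
    expected = hmac.new(SIGNING_KEY, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    return xor_crypt(ciphertext, XOR_KEY).startswith(MAGIC)


def demo() -> dict:
    """Runs the attack against both designs and returns the outcomes."""
    genuine_code = b"\x90" * 16 + b"print-engine-v1"
    patched_code = b"\x90" * 16 + b"doom-loader-v1"
    vuln = build_vulnerable_image(genuine_code)
    forged = forge_image(vuln, patched_code)
    signed = build_signed_image(genuine_code)
    # Attacker without SIGNING_KEY: reuse the genuine tag over a patched body.
    forged_signed = signed[:32] + xor_crypt(MAGIC + patched_code, XOR_KEY)
    official = "updates.example-vendor.test"
    return {
        "key_recovered": recover_xor_key(vuln) == XOR_KEY,
        "weak_accepts_forgery": vulnerable_accept(forged, "attacker.test"),
        "hardened_rejects_unknown_host": not signed_accept(signed, "attacker.test"),
        "hardened_rejects_forgery": not signed_accept(forged_signed, official),
        "hardened_accepts_genuine": signed_accept(signed, official),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'yes' if passed else 'NO'}")
```

The order of checks in `signed_accept()` is the point: source pinning first, authenticity second, and only then does any byte of the image reach a parser. Checking the CRC or the header first, as the weak design does, means untrusted data is being interpreted before anyone has established where it came from.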

Analysis Of Volunteer's Metadata Stream Reveals His Life In Detail, Allows Passwords To Be Guessed

TechDirt via Kenneth R. Mayer Jr.

Date: Saturday, September 13, 2014

(via Dave Farber)

Excellent article.


Keep Your Data Yours While Traveling

Monty Solomon

Date: Fri, 12 Sep 2014 09:15:16 -0400

Experts share methods for maintaining security on electronic devices at hotels, airports and other places.

"Privacy Commissioner unearths apps demanding too many permissions"

Candice So via Gene Wirchenko

Date: Fri, 12 Sep 2014 13:01:50 -0700

Candice So, *IT Business*, 11 Sep 2014 Privacy Commissioner unearths apps demanding too many permissions

60 percent of apps fail basic privacy tests, finds international cross-governmental study

geoff goodfellow

Date: Sep 12, 2014 1:59 PM

Re: Apple Says It Will Add New iCloud Security Measures After Celebrity Hack

Steven Klein

Date: Sun, 14 Sep 2014 11:47:23 -0400

Kurt Seifried complains (sarcastically) about Apple not "making brute force attacks harder." They impose delays after three incorrect password attempts. Until recently, they only did this on user-facing systems, but have since fixed this so that the delay kicks in on all known interfaces.

He also strangely claims that there isn't ``any way to contact Apple.''

In fact there are many ways to contact them.

Via the iCloud support contact page:

Via phone (with local numbers in dozens of countries):

And via a worldwide network of retail stores that offer in-person tech support. Here's a link to their support reservation page for their US stores:

I agree that Apple could do a better job, but I don't think the situation is improved by spreading misinformation.
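The detail in Steven Klein's reply above, that a delay after three failed attempts only helps if every interface that accepts the password enforces it, is worth seeing as code. The following Python is an added example for this digest, not Apple's code and not anything from the original exchange: one throttle class in which the pre-fix and fixed behaviours differ only in what a failure is charged against. The interface names, the 60-second lockout, the account and the wordlist are all constructed; the item itself says only "all known interfaces".

```python
"""Constructed example: scope a login throttle to the account, not the front end."""
import hmac
from collections import defaultdict

MAX_FAILURES = 3        # the item: delays kick in after three wrong attempts
LOCKOUT_SECONDS = 60.0  # constructed length of the delay


class LoginThrottle:
    """Counts failed password checks and refuses further checks for a while.
    `scope` maps (interface, account) to the key a failure is charged against."""

    def __init__(self, scope):
        self.scope = scope
        self.failures = defaultdict(int)
        self.locked_until = defaultdict(float)

    def check(self, interface, account, candidate, stored_password, now):
        key = self.scope(interface, account)
        if now < self.locked_until[key]:
            return "locked"                  # guess refused, never evaluated
        # Plaintext compare keeps the demo short; a real service verifies the
        # candidate against a password hash. compare_digest avoids timing leaks.
        if hmac.compare_digest(candidate.encode(), stored_password.encode()):
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.failures[key] = 0
            self.locked_until[key] = now + LOCKOUT_SECONDS
        return "wrong"


def per_interface(interface, account):
    """Pre-fix model: every front end keeps its own count for the account."""
    return (interface, account)


def per_account(interface, account):
    """Fix: one count per account, shared by every interface that takes a password."""
    return account


# Constructed interface names standing in for "all known interfaces".
INTERFACES = ["web-login", "device-locator-api", "desktop-client-auth"]
WORDLIST = [f"candidate-{i}" for i in range(20)]           # constructed guesses


def guesses_evaluated(throttle, stored_password="correct horse battery", now=0.0):
    """An attacker rotates across interfaces inside one lockout window.
    Returns how many wordlist entries the service actually evaluated."""
    evaluated = 0
    for candidate in WORDLIST:
        for interface in INTERFACES:
            result = throttle.check(interface, "victim@example.test",
                                    candidate, stored_password, now)
            if result != "locked":
                evaluated += 1
                break                        # candidate tested; move to next
    return evaluated


if __name__ == "__main__":
    print("per-interface throttle:", guesses_evaluated(LoginThrottle(per_interface)))  # 9
    print("per-account throttle:  ", guesses_evaluated(LoginThrottle(per_account)))    # 3
```

With three interfaces the per-interface model lets the attacker evaluate three guesses per interface, nine in all, before every path is locked; the per-account model stops at three regardless of how many front ends exist. Any interface added later that forgets to call the throttle reopens the gap, which is why the counter belongs in the shared authentication service rather than in each client-facing layer.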

Re: The Case for Resign Switches for Politicians

Michael Kohne

Date: Fri, 12 Sep 2014 07:33:50 -0400

Amusing as the idea is, I think that you've missed a problem here. While this would let the voters get rid of an out of control politician, it would *also* encourage the politicians to hold ever more firmly to whatever viewpoint they espoused in their campaign, regardless of facts, new information, or common sense.

We've already got a problem with politicians who never compromise on anything, no matter how stupid their stance. I don't think we need to give them any *more* reasons to be intransigent. They've got that covered already.

Re: zero-day bounties

Paul Edwards

Date: Sat, 13 Sep 2014 06:52:10 +1000

How do you change the widely-used anti-pattern of pushing buggy software out prematurely?

As an example (one of many, but this time I actually got the figures):

A few years ago I was consulting in at a large company, specifically with their incident management team. The team manager said that a new version of an application had been released a few weeks prior. His team had spent four weeks working to respond to maintain reliability. There were no reports of customer dissatisfaction with the new version of the product supported by the application; his team had done a good job. His outcome: a handful of bugs identified, a tired and disgruntled team, and an overtime bill of ~$10K.

I did some further research and spoke to a few key people. I found that the additional 5 weeks of testing estimated to eliminate the bugs would have cost ~$40K, and delaying the new features would have forgone about $500K in revenue (they were expecting a 10% uplift in $1 million per week revenue -- that estimate was later found to be spot on).

From the perspective of the organization as a whole: it will not forgo $500K in revenue and add $40K to a project cost in order to save $10K in overtime—especially when there has been no downturn in customer sat or brand.

Using Henry's terms, in this case the bounty is small ($10K), compared to the cost of formal methods ($540K[1]).

* Will contextualizing the bug as a zero-day vulnerability change the behaviour seen above?

* Will changing the relative difference between the bounty and the cost of applying formal methods change the behaviour?

* Can you somehow quantify brand, customer sat, and the like as contributing to the bounty, to tip the scales?

I don't know. It's an interesting discussion to be had though.

[1] The organization would see the forgone revenue as a cost of formal methods.