The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 21

Saturday 1 April 2017


News break
US Congress rapes privacy, they are next
Misha Collins via Alister Wm Macintyre
Internet Noise, on purpose
Dan Schultz via Al Mac
Volkswagen's Emissions Fraud May Affect Mortality Rate in Europe
The New York Times
NASA fireworks a damp squib?
David Damerell
Re: NASA Fireworks
Kurt Seifried
Harlan Rosenthal
Re: Risks from falsified Data
Robert P. Schaefer
Info on RISKS (comp.risks)

News break

"Peter G. Neumann" <>
Sat, 1 Apr 2017 10:01:05 PDT
The only news on this April Fool's day seems to be that there is no longer
any Fake News.  All previous allegedly Fake News has now evidently been
declared to be genuine.  This will greatly simplify fact checking.

This issue of RISKS is apparently the first one in recent history on this
particular day of the year that has no Intentionally Very Fake News.

US Congress rapes privacy, they are next

"Alister Wm Macintyre" <>
Thu, 30 Mar 2017 21:46:15 -0500
  Misha Collins GoFundMe Campaign Aims To Purchase Congressional Browsing
  History, 29 Mar 2017

  The House of Representatives passed and agreed to the S.J.Res. 34 on March
  28, 2017, just a scant five days after the measure passed in the Senate.
  The joint resolution repeals privacy protections put into place by the
  Obama administration and effectively makes it okay for Internet service
  providers (ISPs) such as Verizon, Comcast, and Time Warner to collect and
  sell their customers' personal browsing data.

  In response, Supernatural star Misha Collins has started a GoFundMe
  campaign aimed at raising enough money to purchase the personal browsing
  data of all of the congressmen and women who voted in favor of the
  bill. Misha started the fund right after the resolution was passed and it
  has gained a huge amount of traction on social media. According to the
  first update, Misha wrote the following as the goal for the fundraiser.

  "Congress recently voted to strip Americans of their privacy rights by
  voting for SJR34, a resolution that allows Internet Service Providers to
  collect, and sell your sensitive data without your consent or knowledge.
  Since Congress has made our privacy a commodity, let's band together to
  buy THEIR privacy.

  "This GoFundMe will pay to purchase the data of Donald Trump and every
  Congressperson who voted for SJR34, and to make it publicly available.

  "Game on, Congress"

  "PS: No, we won't "doxx" people. We will not share information that will
  impact the safety & security of their families (such as personal
  addresses).  However, all other details are fair game. It says so right in
  the resolution that they voted to approve."

I predict the politicians will react to this by passing amendments :

* Privacy rules which apply only to the elected leaders, their top staff,
and the families of these people, also police, judges, military, and a few
other classes of government workers, like people working at NSA/CIA/FBI
etc., but continue the no privacy for the rest of the citizenry.

* Then maybe need a better way to identify exempted individuals, such as
granting judges the right to authorize privacy for victims of domestic
abuse, and people in the Witness Protection.

Journalists may have archived all info on the exempted classes, before my
first predicted amendment goes into action, so the politicians may need some
other law to demand that people who copied such info, delete it.  Good luck
enforcing that.  I predict the ISPs will make a fortune selling such info to
our foreign adversaries, such as North Korea, Iran, Russia.  In the near
future we will see lists of bad stuff done by Congressmen & women, such as
pornography sites, then for each bad thing, a list of which of those in
Congress indulge in that.

Remember that after a future election that gives more power to Democrats,
this can be undone.

The Verge argues that even though Republicans rolled back Obama privacy
protections, other earlier laws have not yet been reversed, making this
project impractical.

Internet Noise, on purpose (Dan Schultz)

"Alister Wm Macintyre" <>
Fri, 31 Mar 2017 01:54:11 -0500
  [US Congress has authorized ISPs to snoop into our browsing history, then
  sell that to advertisers & other 3rd parties without our knowledge or

  Here is how to feed them garbage, and use other techniques to thwart or
  mitigate surveillance against you.

  I hope this garbage does not include any sites of interest to law
  enforcement to go after users of those sites.  AWM]

  [WIRED has an article about this, which it won't let me access, unless I
  first turn off my ad blocker.]
  [I need to rethink "noise-signal" ratio, now that noise is a good thing.]

Here is prior history of Internet noise:

Volkswagen's Emissions Fraud May Affect Mortality Rate in Europe

Monty Solomon <>
Fri, 31 Mar 2017 02:07:14 -0400
  [Old item, not previously noted in RISKS.  PGN]

Software that allowed the auto manufacturer to skirt environmental rules
could lead to 1,200 deaths because of excess air pollution, researchers

NASA fireworks a damp squib?

David Damerell <>
Thu, 30 Mar 2017 21:39:34 +0100
> Iowa Senator Chuck Grassley reported, in 2007, that $ 1.9 billion in
> hardware was stolen, thanks to hackers into NASA.

Well, no.  Grassley reported that $1.9 billion in *data* was stolen, and
mentions (dismissively), the entirely sensible objection that the data was
not stolen when it was copied without permission since NASA still had the
data afterward.

One also wonders how this value was placed upon it; RISKS readers will be
familiar by the process where the net cost of unauthorised copying
mysteriously inflates until it threatens to exceed the world's total GDP.

Re: NASA Fireworks (RISKS-30.20)

Kurt Seifried <>
Thu, 30 Mar 2017 13:29:12 -0600
Er wot now? My first thought was "how do you physically steal that much
stuff, 1.9 billion is a huge amount of equipment.  Luckily it wasn't
hardware, the URL cited says:

  "One such investigation concerned the theft of approximately $1.9
  billion-worth of International Traffic in Arms Regulations data."

To whit the NASA guy argued "Mr. Cobb dismissed worries over the theft of
this data because, in his view, the data wasn't "stolen," since NASA was
still technically in possession of the accessed information. "

I'd also be very curious to know how they arrived at this $1.9 billion price
tag for this data. Maybe they meant ITAR data regarding $1.9 billion in
hardware? The whole thing makes very little sense once you start looking
into it.

Re: Risks from falsified Data (RISKS-30.20)

Harlan Rosenthal <>
Thu, 30 Mar 2017 13:58:57 -0500 (CDT)
Are we counting:

* The Pentium floating-point bug?
* The Excel bugs?
* Compiler bugs (often activated by optimization)

Re: Risks from falsified Data (BBC, RISKS-30.20)

"Robert P. Schaefer" <>
Fri, 31 Mar 2017 12:55:46 +0000
"There is an interesting article on the BBC website at that discusses an
alternative and much more subtle version of Malware. This involves
infiltrating systems and making changes to data which while being too small
to notice immediately result in system failure."

If you consider data to be the same as code and code to be the same as data,
then adding subtle malware is well known among nation states:

" the United States added a Trojan horse to gas pipeline control software
that the Soviet Union obtained from a company in Canada."

And of course more recently, stuxnet:

Please report problems with the web pages to the maintainer