The RISKS Digest
Volume 30 Issue 51

Wednesday, 20th December 2017

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



ATL Hartsfield-Jackson Airport loses all power
A more mundane air travel risk
Jeremy Epstein
Claims container ship's navigation system "hacked"
danny burstein
Commentary on the risks of technology and climate change
Rob Slade
When is Big Automation Too Big for Comfort?
Apparent Google update glitch disconnects student Chromebooks in schools across the U.S.
Former Facebook exec says social media is ripping apart society
The Verge
Hackers halt plant operations in watershed cyber-attack
Jim Finkle
Searchable database of 1.4 billion stolen credentials found on dark web
Steven Cheung
World's biggest botnet sends 12.5 MILLION emails containing ransomware...
Daily Mail via Geoff Goodfellow
Department of Homeland Security finds government mobile apps lack security
Rob Wilcox
Fun with blockchain
Initial Coin Offerings Horrify a Former SEC Regulator
The NYTimes via Gabe Goldberg
Bitcoin Exchange Youbit to Declare Bankruptcy After Hack
Bitcoin Investors Resort to Hypnotherapy to Recover Passwords
Ethereum cryptocurrency choking on purchases of virtual cats
Taipei Times
Many Consumers Lack Understanding of Basic Cyber-Hygiene
McLean-Based Hilton to Begin Rolling Out High-Tech "Connected Rooms"
Gabe Goldberg
Crooks Cash in Stolen Rewards Points for Flights and Hotels
Microsoft Researcher Details Real-World Dangers of Algorithm Bias
Experts Warn: Terrorists Could Kill Millions by Remotely Hacking People's Cars
Gabe Goldberg
Dangers of dynamic road trip mapping applications
danny burstein
Large wildfires vs. navigation apps for drivers
David Tarabar
iOS 11 leaves iOS devices more vulnerable to edge-case attacks, says phone-cracking company ElcomSoft
9to6mac via Geoff Goodfellow
Want to break into a house? Just type in its address...
Dave Horsfall
Improving election integrity/security/???
The Germans have no word for "Entscheidungsproblem"
Catalin Cimpanu via Henry Baker
Have You Ever Felt Sorry for the IRS? Now Might Be the time
The NYTimes
Car theft "relay crime"
More Than a Third of Federal Websites Just Failed a Major Security Test
NSF-funded research on vehicular social networking
Ross Stapleton-Gray
Researchers craft Android app that reveals to find horrific menagerie of hidden spyware; legally barred from doing the same with iOS
Cory Doctorow
Overseas customers left behind in clearXchange to Zelle conversion
Dan Jacobson
Wrong number: Are Israel's phone companies systematically overcharging
Gabe Goldberg
Warn that results are not necessarily in order
Dan Jacobson
Upside of multiple-choice security questions
Ed Ravin
You can log into macOS High Sierra as root with no password
The Register
Feds in Two Minds About Artificial Intelligence Defense
Australian man uses snack bags as Faraday cage to block tracking by employer
Sean Gallagher
White House Weighs Personal Mobile Phone Ban for Staff
Re: Singapore MRT signaling fault injures 29
Richard M Stein
Re: Web Browser JavaScript Woes
Chris Drewe
Re: Taser Company Ignored SEC Emails ... In a Spam Folder
John Levine
Mark Kramer
Re: Are you aware that Comcast is injecting 400+ lines of JavaScript
geoff goodfellow
Info on RISKS (comp.risks)

ATL Hartsfield-Jackson Airport loses all power (CNN)

"Peter G. Neumann" <>
Sun, 17 Dec 2017 14:02:33 PST

  [This one is in need of some definitive explanation.  There are reports
  that some Georgia power equipment might have failed, caught fire, and
  damaged adjacent circuit cables and switches, wiping out redundant backup
  facilities.  If that is the case, this is just one more example of bad
  system design.  PGN]

A more mundane air travel risk

Jeremy Epstein <>
Thu, 30 Nov 2017 16:52:21 -0500
RISKS includes numerous discussions of air travel risks, from
vulnerabilities in airplane software, to crashes in airline reservation
systems, pricing errors, etc.  This one is more mundane—a bug in American
Airlines' pilot scheduling software allowed too many pilots to request
vacation during the busy holiday travel season.  The result is not enough
pilots to fly all the scheduled flights, although the airline and unions
disagree on how many flights will be affected.

Claims container ship's navigation system "hacked"

danny burstein <>
Tue, 28 Nov 2017 19:03:59 -0500
[UK news service]

Hackers took 'full control' of container ship's navigation systems for 10

In February 2017 hackers reportedly took control of the navigation systems
of a German-owned 8,250 teu container vessel en route from Cyprus to
Djibouti for 10 hours. "Suddenly the captain could not manoeuvre," an
industry source who did not wish to be identified told Fairplay sister title
Safety At Sea (SAS). "The IT system of the vessel was completely hacked."

There are three German shipowners that operate eight vessels between 8,200
and 8,300 teu, according to IHS Markit data, one of which confirmed
knowledge of the attack to SAS but denied it was a vessel from their own

While details are limited, according to the source, the 10-hour attack was
carried out by "pirates" who gained full control of the vessel's navigation
system intending to steer it to an area where they could board and take
over. The crew attempted to regain control of the navigation system but had
to bring IT experts on board, who eventually managed to get them running
again after hours of work.


Commentary on the risks of technology and climate change

Rob Slade <>
Fri, 15 Dec 2017 11:34:35 -0800
An amusing observation on Twitter:

"The Los Angeles Police Department asked drivers to avoid navigation apps,
which are steering users onto more open routes—in this case, streets in
the neighborhoods that are on fire."

having an algorithm drive you straight into a climate change caused inferno
is an extremely 2017 way to go.

When is Big Automation Too Big for Comfort?

Gabe Goldberg <>
Tue, 19 Dec 2017 23:34:12 -0500
Yara, a shipping company out of Oslo, Norway, in partnership with Kongsberg
<>, a maritime engineering group also out of
Norway, has created an autonomous container ship, the Yara Birkeland, that
is set to hit the high seas in 2018. This ocean-going vessel will be manned
by a crew of none. It's completely driverless.

The risks? This one's too easy...

Apparent Google update glitch disconnects student Chromebooks in schools across the U.S. (Geekwire)

Lauren Weinstein <>
Sat, 9 Dec 2017 14:02:30 -0800
via NNSquad

  Tens of thousands, perhaps millions, of Google Chromebooks, widely prized
  by schools due to their low cost and ease of configuration, were reported
  to be offline for several hours on Tuesday. The apparent cause? A
  seemingly botched WiFi policy update pushed out by Google that caused many
  Chromebooks to forget their approved network connection, leaving students

I agree: Requiring large fleets of Chromebooks to be manually re-associated
with their Wi-Fi networks cannot be called a practical solution. And of
course, most Chromebooks have never been on Ethernet since most people don't
have the requisite USB<->Ethernet adapters.

Former Facebook exec says social media is ripping apart society (The Verge)

Lauren Weinstein <>
Tue, 12 Dec 2017 08:33:14 -0800

  Another former Facebook executive has spoken out about the harm the social
  network is doing to civil society around the world. Chamath Palihapitiya,
  who joined Facebook in 2007 and became its vice president for user growth,
  said he feels "tremendous guilt" about the company he helped make. "I
  think we have created tools that are ripping apart the social fabric of
  how society works," he told an audience at Stanford Graduate School of
  Business, before recommending people take a "hard break" from social
  media.  Palihapitiya's criticisms were aimed not only at Facebook, but the
  wider online ecosystem. "The short-term, dopamine-driven feedback loops
  we've created are destroying how society works," he said, referring to
  online interactions driven by "hearts, likes, thumbs-up." "No civil
  discourse, no cooperation; misinformation, mistruth. And it's not an
  American problem—this is not about Russians ads. This is a global

Hackers halt plant operations in watershed cyber-attack (Jim Finkle)

"Peter G. Neumann" <>
Fri, 15 Dec 2017 6:57:31 PST
Jim Finkle, Reuters

(Reuters)—Hackers likely working for a nation-state recently invaded the
safety system of a critical infrastructure facility in a watershed attack
that halted plant operations, according to cyber-investigators and the firm
whose software was targeted.

FireEye Inc (FEYE.O) disclosed the incident on Thursday, saying it targeted
Triconex industrial safety technology from Schneider Electric SE (SCHN.PA).

FireEye and Schneider declined to identify the victim, industry or location
of the attack. Cybersecurity company Dragos said the hackers targeted an
organization in the Middle East, while a second firm, CyberX, said it
believes the victim was in Saudi Arabia.

It marks the first report of a safety system breach at an industrial plant
by hackers, who have in recent years placed increasing attention on breaking
into utilities, factories and other types of critical infrastructure,
cyber-experts said.

Compromising a safety system could let hackers shut them down in advance of
attacking other parts of an industrial plant, potentially preventing
operators from identifying and halting destructive attacks, they said.

Safety systems could be fooled to indicate that everything is okay even as
hackers damage a plant, said Galina Antova, co-founder of cybersecurity
firm Claroty.

Searchable database of 1.4 billion stolen credentials found on dark web

Steven Cheung <>
Tue, 12 Dec 2017 16:32:07 -0800
this has been slashdotted:

World's biggest botnet sends 12.5 MILLION emails containing ransomware... (Daily Mail)

geoff goodfellow <>
Mon, 27 Nov 2017 07:23:47 -1000
   - *Scarab malware is being sent out by Necurs, the largest email spam
   botnet ever*
   - *Infected files are hidden in fake scanned documents that appear to be
   - *Once an attached 7zip is opened, malware takes over your computer and
   - *A text file which then pops up threatens to erase them if the ransom
   isn't paid*

Millions of computers are at risk of infection by a virulent spam attack
that threatens to destroy your files, unless you pay a Bitcoin ransom.

The Scarab malware is being distributed by Necurs, the Internet's largest
email spam botnet, which has been used in a number of previous online

Within the first six hours of the attack 12.5 million emails had been
distributed, with more than two million messages being sent out per hour at
its height. [...]

Department of Homeland Security finds government mobile apps lack security

Rob Wilcox <>
Tue, 19 Dec 2017 06:54:16 -0800
Department of Homeland Security is studying the security and privacy of
mobile apps used within federal, state and local government including by
first responders.

Of 33 first responder apps studied, 32 had security flaws. Once the flaws
were found, the application developers were able to rectify the flaws in
about one hour of coding.

Project Website:

Press Release:

Fun with blockchain (MakeUseOf)

Gabe Goldberg <>
Tue, 28 Nov 2017 17:29:38 -0500
3 Blockchain Credit Agencies Changing Our Relationship With Money

Why You Should Keep Your Bitcoin in Cold Storage

What could go wrong? Add up all the con arguments. And "con", of course, has
multiple meanings.

Initial Coin Offerings Horrify a Former SEC Regulator

Gabe Goldberg <>
Sun, 26 Nov 2017 21:22:46 -0500

As I understand it, in an ICO, you invent a new virtual currency (because
there aren't enough of them, yet, and the world needs more) and sell it for
Bitcoin or cash or whatever. Hey, I could probably do that.

So this former SEC regulator thinks that maybe this isn't such a good idea:

'ICOs represent the most pervasive, open and notorious violation of
federal securities laws since the Code of Hammurabi,' Mr. Grundfest said in
an interview.

What could possibly go wrong?

Bitcoin Exchange Youbit to Declare Bankruptcy After Hack (Coindesk)

Dan Jacobson <>
Wed, 20 Dec 2017 08:29:21 +0800
'The cyber-attack is the second for Youbit, previously known as Yapizon.
The exchange was previously targeted in April in an attack which South
Korean officials believe was conducted with the support of neighboring
North Korea. Recent reports indicate that intelligence services in South
Korea suspect that North Korea is behind additional attacks against
domestic cryptocurrency exchanges, including market-leader Bithumb.'

Bitcoin Investors Resort to Hypnotherapy to Recover Passwords (Fortune)

Gabe Goldberg <>
Wed, 20 Dec 2017 14:02:42 -0500
Help is in sight for that batch of early-Bitcoin-adopters who are sitting on
untapped bounties because they've forgotten the passwords needed to get into
their wallets.

A hypnotist in South Carolina has recently begun offering to help people
recall forgotten passwords or find misplaced storage devices. Jason Miller
charges one bitcoin plus 5% of the amount recovered—though he claims that
rate is flexible.

“I've developed a collection of techniques that allow people to access
older memories or see things they've put away in a stashed spot,” he told
*The Wall Street Journal*.

A number of investors who bet on Bitcoin years ago are now in a painful
limbo. In the way that bank accounts are protected by passwords, Bitcoin
wallets that use keys to transact are also typically guarded by complex
security codes. However, unlike a bank, Bitcoin has no central hotline to
call for a reset.

The risks? being human, being careless, being idiotic?

Ethereum cryptocurrency choking on purchases of virtual cats (Taipei Times)

Mark Thorson <>
Fri, 8 Dec 2017 13:48:09 -0800
CryptoKitties game threatens capacity of Ethereum blockchain.

Many Consumers Lack Understanding of Basic Cyber-Hygiene (Tenable)

Gabe Goldberg <>
Wed, 20 Dec 2017 13:09:16 -0500
New Study: Data breaches have been a headache for many years and for a long
time there seemed to be a general apathy about them. Our sense was that
things may have changed in the wake of the most severe breach ever—the
theft of 145 million social security numbers and other sensitive data from
Equifax—which leaves most Americans with the burden of having to monitor
for identity theft for the rest of their lives.

Against this backdrop, we decided to find out how aware Americans are of
cybersecurity threats and risks, how concerned they are about getting their
information stolen, and what they might be doing, or more importantly, not
doing about it. We also wanted to learn if recent breaches have caused
Americans to change their behavior at all. Tenable recently commissioned a
survey, conducted online by Harris Poll of more than 2,000 U.S. adults, to
determine how data breaches—and media attention around them—are
impacting consumers' perceptions about their online security and their

No surprises; chat with nearly any non-tech person to learn this...

McLean-Based Hilton to Begin Rolling Out High-Tech "Connected Rooms"

Gabe Goldberg <>
Fri, 8 Dec 2017 18:17:06 -0500
McLean, Va.—Hilton, the McLean-based hospitality giant, said on Thursday it
plans to begin rolling out what it calls "connected rooms"—high-tech
guest rooms that let users control most aspects of their stay from their
mobile device. Currently in beta testing, the concept will allow guests to
use their Hilton Honors app to manage most things they would traditionally
do manually, from controlling the temperature and lighting to the TV and
window coverings. Users also will be able to load the most popular streaming
media and other accounts to in-room TVs.  In the longer-term, Hilton said
that guests will be able to use voice commands to control their room or
access their content, and to upload their own artwork and photos to display
on walls. "The technology we put in hotel rooms has to be intuitive, simple
and quick to pick up because guests typically spend a limited amount of time
in their rooms," said Joshua Sloser, the company's senior vice president of
digital product.  Hilton said it will begin scaling the concept rapidly to
hotels across the United States over the coming weeks.

  What could go wrong? Screaming at your hotel room because it can't
  understand you—voice control in my car sure isn't 100%
  accurate/compliant. Hilton app always listening to what goes on in the
  room. Tech support demands on ... bell staff, maybe.

Crooks Cash in Stolen Rewards Points for Flights and Hotels

Gabe Goldberg <>
Sun, 3 Dec 2017 23:09:29 -0500
It's nice to take a free trip using credit card rewards. Unfortunately,
criminal gangs feel the same way and are stealing other people's rewards
points—including those for British Airways and booking site Orbitz—in
order to resell them on the Internet.

The rewards scam, which began in Russia but has since spread to English and
Spanish speaking markets, represents yet another frontier for cybercriminals
to make money by hacking consumer accounts.

Microsoft Researcher Details Real-World Dangers of Algorithm Bias (Gizmodo)

"Dave Farber" <>
Sat, 9 Dec 2017 11:49:27 -0500

Sidney Fussell <//>  [LONG, TRUNCATED. PGN]

The Trouble With Bias at NIPS 2

However quickly artificial intelligence evolves, however steadfastly it
becomes embedded in our lives—in health
<>, law enforcement
etc.—it can't outpace the biases of its creators, humans. Microsoft
Researcher Kate Crawford delivered an incredible keynote speech, titled The
Trouble with Bias, at Spain's Neural Information Processing System
Conference on Tuesday. In Crawford's keynote, she presented a fascinating
breakdown of different types of harms done by algorithmic biases.

As she explained, the word "bias" has a mathematically specific definition
in machine learning, usually referring to errors in estimation or over/under
representing populations when sampling. Less discussed is bias in terms of
the disparate impact machine learning might have on different populations.
There's a real danger to ignoring the latter type of bias.  Crawford details
two types of harm: allocative harm and representational harm.

“An allocative harm is when a system allocates or withholds a certain
opportunity or resource,” she began. It's when AI is used to make a certain
decision, let's say mortgage applications, but unfairly or erroneously
denies them to a certain group. She offered the hypothetical example of a
bank's AI continually denying mortgage applications to women. She then
offered a startling real world example: a risk assessment AI routinely found
that black criminals were a higher risk
than white criminals. (Black criminals were referred to pre-trial detention
more often because of this decision.)

Experts Warn: Terrorists Could Kill Millions by Remotely Hacking People's Cars

Gabe Goldberg <>
Mon, 4 Dec 2017 11:40:54 -0500
Cyberterrorists have the potential to put millions of lives at risk by hacking
the sophisticated cars on 21st Century roadways, one expert has warned.

The caution comes amid a host of technological advances pervading the
automotive industry.

“The current state of vehicles on the road today—the new, modern car,
not even self-driving—have become rolling computers,” said John Simpson,
Consumer Watchdog's privacy project director.

And it's suggested that any computer is open to being hacked.  In 2015, the
National Highway Traffic Safety Administration recalled nearly 1.5 million
vehicles over fears that they could potentially be compromised.

...not exactly news, though useful recap and alert. Interesting appeal at
end, hardly related to this article:

The Western Journal strives to achieve the highest conservative values,
editorial standards and truth in journalism, all of which are under
attack. Your donation funds the fight against mainstream media corruption
and helps us reach millions of readers around the world with the truth.

Dangers of dynamic road trip mapping applications

danny burstein <>
Wed, 6 Dec 2017 23:59:21 -0500
One unanticipated effect of combining trip-planning applications that use
"real time" data with disaster events such as the yuge fire in the LA area:

"The Los Angeles Police Department asked drivers to avoid navigation apps,
which are steering users onto more open routes—in this case, streets in
the neighborhoods that are on fire."

Large wildfires vs. navigation apps for drivers

David Tarabar <>
Thu, 7 Dec 2017 17:46:08 -0500
"The Los Angeles Police Department asked drivers to avoid navigation apps,
which are steering users onto more open routes—in this case, streets in
the neighborhoods that are on fire."

iOS 11 leaves iOS devices more vulnerable to edge-case attacks, says phone-cracking company ElcomSoft

geoff goodfellow <>
Mon, 4 Dec 2017 09:39:14 -1000

Changes to the way that Apple protects encrypted iOS backups leave devices
more vulnerable to certain types of attack, says ElcomSoft, a Russian
company used by law enforcement agencies and others to access iPhones.
However, it only applies if the attacker has physical access to the device
and can crack the passcode.

The changes were deliberately introduced as part of iOS 11

Want to break into a house? Just type in its address...

Dave Horsfall <>
Wed, 6 Dec 2017 16:49:50 +1100

  “One of Australia's largest home and contents insurers has suspended a new
  online feature that made private details about the security of peoples'
  homes publicly accessible, including whether monitored alarm systems were
  installed on their premises.”

It seems that those seeking quotes for their address found that some fields
were pre-filled from a previous quote, all in the name of making it easy, of
course.  Well, it sure made it easy for any potential burglars interested in
knocking that place over, such as whether deadlocks were likely fitted,
burglar alarms, etc.

Gadzooks; didn't anyone think?

Dave Horsfall, North Gosford NSW 2250, Australia

Improving election integrity/security/??? (Politico)

"Peter G. Neumann" <>
Mon, 18 Dec 2017 9:02:50 PST
ACTION AT LAST ON ELECTION SECURITY?—After months of debate but little
action, there appears to be a modicum of momentum building on Capitol Hill
to address some of the security shortcomings that voting integrity experts
say threaten to undermine the upcoming midterm elections.  Several lawmakers
made public pleas for movement on Friday and a bipartisan group of senators
are expected to drop an election security bill this week.

THE BILL: The upcoming legislation is aimed at greasing the
information-sharing channels that connect the Homeland Security Department,
the intelligence community and state election offices.  Election officials
said an inability to effectively swap data on hacker threats during the 2016
election left many in the dark about the digital invaders that were probing
the country's election networks. The proposed bill—backed by Republicans
Sens. Lindsey Graham and James Lankford, as well as Democrats Sens. Kamala
Harris and Amy Klobuchar—would also earmark additional resources for
states to bolster their digital defenses, according to an aide to one of the
lawmakers. The group is eager to get the legislation passed before the 2018
midterm primaries, the aide said.

The Germans have no word for "Entscheidungsproblem"

Henry Baker <>
Wed, 06 Dec 2017 16:36:39 -0800
nor any word for "irony".  :-)

Catalin Cimpanu  5 Dec 2017
Germany Preparing Law for Backdoors in Any Type of Modern Device

German authorities are preparing a law that will force device manufacturers
to include backdoors within their products that law enforcement agencies
could use at their discretion for legal investigations.  The law would
target all modern devices, such as cars, phones, computers, IoT products,
and more.

Officials are expected to submit their proposed law for debate this week,
according to local news outlet RedaktionsNetzwerk Deutschland (RND).

Difficulties in investigating modern crime, terrorist attacks

The man supporting this proposal is Thomas de Maizière, Germany's
Interior Minister, who cites the difficulty law enforcement agents have had
in past months investigating the recent surge of terrorist attacks and other

The Interior Minister says that police officers are having a hard time
investigating cases because smart devices are warning owners before officers
could do anything about it.  The Minister cites the cases of smart cars that
alert an owner as soon as the car is shaken, even a little bit.  He says
he'd like police to be able to intercept that warning and stop it when
investigating a case.

De Maizière claims that companies have a "legal obligation" to introduce
backdoors for the use of law enforcement agencies and he also wants to
require the industry to disclose its "programming protocols" for future
analysis.  This latter clause could allow German officials to force
companies to disclose details about their encrypted communication practices.

German officials want "Hack Back" clause

Furthermore, the new law would also give German officials powers akin to the
"Hack Back" bill proposed in the US, allowing authorities the power to hack
any remote computer.  The Minister says this is important to "shut down
private computers in the event of a crisis," such as is the case with botnet

But privacy advocates who also read the new law proposal say the text also
contains verbiage that would allow the German state to intercept any traffic
on the Internet [1, 2], effectively setting up a surveillance state with
full snooping powers over everyone's online communications.  Experts called
for caution before approving the new law, which could be abused in its
current state.

German authorities anticipated such reaction and said that any access to
such data would be allowed only after law enforcement have obtained a court
order.  But the problem with encryption backdoors is not how you access
them, but that they exist in the first place and that they could be abused
by ill-intent actors as well.

Concerted efforts to weaken encryption across the globe

The law proposal is not a surprise for people who've been keeping an eye on
such things.  There are concerted efforts going on in Germany, France, and
the UK to introduce legislation for mandatory encryption backdoors.  In
fact, de Maizière and his French counterpart even signed a joint letter
they sent to the European Commission that supported encryption backdoors.

Similarly, the fight for encryption backdoors has been recently reopened in
the US as well, after a series of comments made by US Deputy Attorney
General Rod Rosenstein.

While the EU was very clear it does not intend to support the introduction
of laws that allow for generic encryption backdoors, in March 2017, the
European Commission offered its support for a plan that would allow law
enforcement to access data exchanged via encrypted instant messaging
services, such as WhatsApp, Telegram, Signal, and others.

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he
covers topics such as malware, breaches, vulnerabilities, exploits, hacking
news, the Dark Web, and a few more.  Catalin previously covered Web &
Security news for Softpedia between May 2015 and October 2016.  The easiest
way to reach Catalin is via his XMPP/Jabber address at
For other contact methods, please visit Catalin's author page.

Have You Ever Felt Sorry for the IRS? Now Might Be the Time (NYTimes)

Gabe Goldberg <>
Tue, 19 Dec 2017 10:22:59 -0500
Already struggling with its workload, the agency must start adapting systems
to the new tax code while processing returns under the old one.

The risk? Starving IT infrastructure and staffing while expecting everything
to work just fine.

Also, of course, nonsense reporting like:

Updating the agency's vast computer system is also a gargantuan undertaking.
The IRS (along with much of the federal government and major financial
institutions) uses a computer programming language called Cobol, developed
almost 60 years ago. Almost every coding change will, in effect, have to be
entered by hand.

...disparaging Cobol because it's been used for a while (and sounding like
it's unchanged since initial development), and being alarmed at making
coding changes "by hand". As opposed to how?

More Than a Third of Federal Websites Just Failed a Major Security Test (Fortune)

Gabe Goldberg <>
Wed, 29 Nov 2017 01:36:41 -0500
More than a third of U.S. federal websites are missing key elements of
online security architecture, according to a report released Monday by the
Information Technology & Innovation Foundation (ITIF).

Out of 469 government websites surveyed by ITIF, just 36% passed the test
for both Domain Name System Security (DNSSEC) and Secure Sockets Layer (SSL)

These two security features are crucial elements of online security, without
which browsing can be insecure.  Federal government websites still require
significant improvement.  Doing so will help ensure that the many Americans
who routinely use the Internet to access government services and information
can continue to do so.

The risk? Things don't change much.

NSF-funded research on vehicular social networking

Ross Stapleton-Gray <>
December 13, 2017 at 12:45:17 PM EST
  [via David Farber]

So, yet another issue to give us angst: how to take it when your car
becomes more popular than you are?

As I read this, the researchers are proposing that it would be helpful if
your car were socially networked, i.e., more readily communicated with cars
where past history and interests suggested common concerns, value of
informational leads, etc.  Lots of exercises left to the reader, e.g., a ton
of privacy implications, opportunities for marketing (think cars whose
owners are being paid to "push" specific routing/destinations as better than
others... in the olden days, when Jeb suggests the best route into town is
to pass the Kroger, and not the K-Mart...), etc.

> Award Abstract #1761641
> NeTS: EAGER: Intelligent Information Dissemination in Vehicular
> Networks based on Social Computing

Car theft "relay crime" (Sky)

Peter G Neumann <>
Sun, 26 Nov 2017 15:05:27 -0800

Also, from Gabe Goldberg:
Watch thieves steal car using technology instead of keys

Researchers craft Android app that reveals to find horrific menagerie of hidden spyware; legally barred from doing the same with iOS

Dewayne Hendricks <>
November 25, 2017 at 3:21:12 PM EST
Cory Doctorow, BoingBoing, 25 Nov 2017

Yale Privacy Lab and Exodus Privacy's devastating report on the dozens of
invasive, dangerous "trackers" hidden in common Android apps was generated
by writing code that spied on their target devices' internal operations,
uncovering all manner of sneaking trickery.

it would be great if we had effective regulatory oversight and the power to
seek legal relief from these companies for lying to us and/or sneaking
spyware into our lives; but every bit as important is the right to
independently audit their actions (as Privacy Lab and Exodus have done) and
to install code that overrides the undesirable functions of this spyware --
for example, by blocking its communications or chaffing it with plausible
garbage data.

The Exodus Privacy app's functionality is key to attaining the first goal ,
gathering independent evidence about the conduct of mobile firms and app
providers. Without that evidentiary basis, there's no way to know you need
self-help measures, nor is there any way to convince regulators to take
action, nor is there the possibility of creating public clamor for
competing products that would spur investors and entrepreneurs to make tools
that let you reclaim control over your device.

As Exodus and Yale note, these trackers are almost certainly also present in
iOS: the companies that make them advertise their iOS compatibility, for one
thing. But iOS is DRM-locked and it's a felony—punishable by a 5-year
prison sentence and a $500,000 fine for a first offense in the USA under
DMCA 1201, and similar provisions of Article 6 of the EUCD in France where
Exodus is located—to distribute tools that bypass this DRM, even for the
essential work of discovering whether billions of people are at risk due to
covert spying from the platform.

It's true that the US Copyright Office gave us a soon-to-expire exemption to
this rule that started in 2016, but that exemption only allows Exodus to use
that tool; it doesn't allow Exodus to make that tool, or to distribute it so
independent researchers can investigate iOS.

Overseas customers left behind in clearXchange to Zelle conversion

Dan Jacobson <>
Thu, 30 Nov 2017 02:00:41 +0800
>>>>> "SC" == S..., C.. <> writes:

SC> Yes, the Zelle app is [available only] in the US right now.

Well that creates a huge problem for many citizens who happen to be out of
the country at the moment and suddenly are cut off from their funds.

It would have been more wise to first introduce the app, and then three
months later after all users are safely moved over to it, only then have
them close down their clearXchange accounts.

But following the instructions, we all first close our clearXchange accounts
in order to move over to the app.

This seems a classic risk right out of ACM Risks Digest.

Wrong number: Are Israel's phone companies systematically overcharging

Gabe Goldberg <>
Sun, 26 Nov 2017 21:36:47 -0500
Consumer groups report endless complaints from Israelis who say they are
mischarged, lied to, pushed into debt, and even stopped at the airport for
fees they never agreed to.

Go figure: an abusive, arrogant, crooked phone company. What next,
inadequate consumer protections?!

Warn that results are not necessarily in order

Dan Jacobson <>
Thu, 07 Dec 2017 06:00:08 +0800
I think the atq(1) command should order its results.
I mean that is what "queues" are about, order.

"atq—lists the user's pending jobs, unless the user is the superuser; in
that case, everybody's jobs are listed. The format of the output lines (one
for each job) is: Job number, date, hour, queue, and username."

Now 15 years later I think they at least should warn on the man page that
the results are not necessarily in order.

The RISK is someone might just happen to get ordered results a few times,
and then build a program to process the results based on this assumption.
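As an added illustration of the risk described above (example code written for this digest, not from the post): a consumer of atq(1) output that sorts explicitly by scheduled time, beside the naive "first line is the next job" reading. The sample lines are constructed, and the tab-separated layout assumes the format printed by the common Linux at(1) implementation.

```python
"""Parse atq(1) output without assuming the listing is already in order.

The field layout follows the man-page description quoted in the post
(job number, date, hour, queue, username). Sample data is constructed.
"""
from datetime import datetime

# Constructed sample output, deliberately NOT in chronological order.
SAMPLE_ATQ_OUTPUT = """\
12\tThu Dec  7 09:00:00 2017 a jidanni
7\tWed Dec  6 23:30:00 2017 b jidanni
9\tThu Dec  7 06:00:00 2017 a jidanni
"""


def parse_atq_line(line):
    """Return (job_number, scheduled_time, queue, user) for one atq line."""
    job, rest = line.rstrip("\n").split("\t", 1)
    parts = rest.split()  # [weekday, month, day, time, year, queue, user]
    if len(parts) != 7:
        raise ValueError(f"unexpected atq line: {line!r}")
    weekday, month, day, clock, year, queue, user = parts
    when = datetime.strptime(f"{month} {day} {year} {clock}",
                             "%b %d %Y %H:%M:%S")
    # Sanity check: the printed weekday must agree with the parsed date,
    # which catches a mis-split line before it silently reorders jobs.
    if when.strftime("%a") != weekday:
        raise ValueError(f"weekday mismatch in atq line: {line!r}")
    return int(job), when, queue, user


def parse_atq_output(text):
    return [parse_atq_line(ln) for ln in text.splitlines() if ln.strip()]


def naive_next_job(text):
    """The assumption the post warns about: trust the listing order."""
    return parse_atq_output(text)[0][0]


def next_job(text):
    """The job that actually fires first, regardless of listing order."""
    return min(parse_atq_output(text), key=lambda r: (r[1], r[0]))[0]


def jobs_by_time(text):
    """All job numbers ordered by scheduled time, ties broken by job number."""
    rows = sorted(parse_atq_output(text), key=lambda r: (r[1], r[0]))
    return [job for job, _, _, _ in rows]


if __name__ == "__main__":
    print("naive:", naive_next_job(SAMPLE_ATQ_OUTPUT))   # 12 (wrong)
    print("sorted:", jobs_by_time(SAMPLE_ATQ_OUTPUT))     # [7, 9, 12]
```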

Upside of multiple-choice security questions

Ed Ravin <>
Sun, 10 Dec 2017 15:47:23 -0500
Found this on a website on the account setup page—finally, a
halfway-reasonable explanation for why so many sites use
multiple-choice security questions:

  Your account must include five security questions. [...]
  We provide predefined questions and answers because we've found
  that the majority of security issues our customers face can be
  traced to computer viruses that record typing, and using predefined
  answers protects against this type of intrusion.

You can log into macOS High Sierra as root with no password

geoff goodfellow <>
Tue, 28 Nov 2017 15:24:55 -1000
A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows
users to gain admin rights, or log in as root, without a password.

The security bug can be triggered via the authentication dialog box in
Apple's operating system, which prompts you for an administrator's username
and password when you need to do stuff like configure privacy and network

If you type in "root" as the username, leave the password box blank, hit
"enter" and then click on unlock a few times, the prompt disappears and,
congrats, you now have admin rights. You can do this from the user login

The vulnerability effectively allows someone with physical access to the
machine to log in, cause extra mischief, install malware, and so on. You
should not leave your vulnerable Mac unattended, nor allow remote desktop
access, until you can fix the problem. [...]

Feds in Two Minds About Artificial Intelligence Defense (Meritalk)

Gabe Goldberg <>
Wed, 29 Nov 2017 15:08:16 -0500
As Feds get smarter about Artificial Intelligence on the cyber-frontier,
seems agencies' IT defenders are suffering from schizophrenia about
cybercyborgs. That's the topline takeaway from the new MeriTalk Federal
Cyber-AI IQ Test study. Where 90 percent of cyberfolks swoon about AI as the
fix for the cybersieve, almost half of Feds suffer AI anxiety disorder. With
the exponential increase in cyber-attacks and insider-threat nightmares, now
is a fascinating time to consider AI's role in cybersecurity. We see Kevin
Cox and the CDM program office exploring AI and every cyber-vendor's touting
its new AI pixie dust. So, what's the state of Fed's AI IQ and what's the
path forward?

The risk? Aside from sophomoric and over-the-top writing, the risk is—as
usual—talking around and generalizing about a technology without defining—or,
likely, understanding—what it is. Or putting it in the context of
whatever is being discussed—here, cybersecurity. The article would make
as much sense with "AI" replaced by "walnuts".

Australian man uses snack bags as Faraday cage to block tracking by employer (Sean Gallagher)

Jim Reisert AD1C <>
Thu, 30 Nov 2017 17:53:17 -0700
Sean Gallagher, Ars Technica, 29 Nov 2017

  A 60-year-old electrician in Perth, Western Australia had his termination
  upheld by a labor grievance commission when it was determined he had been
  abusing his position and technical knowledge to squeeze in some recreation
  during working hours. Tom Colella used mylar snack bags to block GPS
  tracking via his employer-assigned personal digital assistant to go out to
  play a round of golf—more than 140 times—while he reported he was
  offsite performing repairs.

White House Weighs Personal Mobile Phone Ban for Staff (Bloomberg)

Gabe Goldberg <>
Tue, 28 Nov 2017 14:14:42 -0500

Horse, barn door? Maybe make entire White House a Faraday cage?

Re: Singapore MRT signaling fault injures 29 (Re: RISKS-30.50)

Richard M Stein <>
Tue, 19 Dec 2017 09:58:48 +0800
Straits Times, 19 Dec 2017

  "A simulation facility will be built for the East-West Line's (EWL) new
  signaling system to undergo extra tests before it is rolled out, in a
  move to beef up safety and not disrupt train services. The facility will
  be set up by French firm Thales, which aims to deliver the new signaling
  system for the EWL by next June. It is the first of its kind testing
  facility outside Toronto and Paris, where the firm is based."

Given Thales' prior release history, is it advisable to build the stack, and
also build the simulation?  Recall and Richard Feynman's
appendix on the Challenger disaster for the Rogers Commission.

Wow! Talk about using human guinea pigs. Seems like a page from corporate
control fraud: Build a product and sell it with impunity. The newspaper
publication trail does not reproduce the statement of work. I wonder what
the SMRT procurement team was thinking when they signed off? Did they ask
to review Thales content for: test plan, prior release defect escape
density, prior test results, wall clock to qualify any candidate change?
Life cycle practices to preserve integrity and publication viability of
intellectual property? Did the procurement team consult software release
subject matter experts?

Where's the "wall" between development and test? Certain subject matter
needs to be communicated—like a common specification—to enable
development and qualification. As engineering is cooperative activity, ideas
must circulate to create better ones. Will the same stack developers also
participate by building the simulation stimulus—test programs? Does
Thales' new (to Singapore) signaling system simulation environment
accommodate editorial tension?

Ideally, "test author" v. "stack author" is applied to create and generate
editorial tension for qualification within a software factory.  Editorial
tension is characterized by:

1. Speed—How quickly can the stimulus and assertion conditions
   detect and reveal latent defects or discover new ones arising from
   feature/patch application -per release metric as
   demonstrated in High-speed
   regression test and evaluation is important here (~10K measurements/hour,
   for instance)

2. Frequency—How often does the simulation run? For pre-check in? (Before
   a candidate change is accepted into a project baseline, it needs to pass
   the simulation at top of branch merged w/candidate change.) At
   post-integration? To qualify candidate release bits using all pre-check
   in passing candidate changes merged together into the candidate baseline?
   Who inspects and certifies the simulation results prior to publication?
   How many pairs of eyes are on this content? Are the change control board
   eyes trained/qualified to judge the simulation outcome?

3. Determinism—Simulation results are identical for a constant stack and
   environment using constant stimulus/assertion conditions? Do the results
   match, assuming identical initial conditions? If there's a detected
   failure, does it arise from the environment? Ecosystem infrastructure or
   target stack? Stimulus/assertion conditions?  Whomsoever does the triage
   is usually one of the best pairs of eyes to participate in the decision
   to determine release viability. This is usually a software test engineer,
   a highly interdisciplinary life cycle participant possessing: a
   comprehensive knowledge of the stack/ecosystem under test, the test
   environment, and the test stimulus.

19 Dec 2017

  "Action could still be taken against the parties who were involved in a
  collision of two MRT trains on Nov 15, the Land Transport Authority (LTA)
  said yesterday, in response to queries from The Straits Times. The LTA
  said it "reserves the right" to take appropriate action, without stating
  what that might be. The French company building the new signaling system
  for the line has taken full responsibility for the collision, which left
  38 people injured and caused train delays affecting nearly 13,000
  commuters. It was caused by compatibility issues between the existing
  signaling system and the new communications-based train control (CBTC)
  system which Thales is installing for the East-West Line."

If liability indemnification was proscribed for software, assuming vigilant
enforcement, would certain technology businesses be brave (or foolish)
enough to foist their wares on the public?

Retrospective coverage of this incident -- --
incident event date 15NOV2017. Minute-by-minute description of incident
event sequence—pictorial graph of collision event precursors.

-- published 21NOV2017. Thales acknowledges problem with signaling
system. "French company Thales has taken "full responsibility" for its part
in the Nov 15 train collision at Joo Koon MRT station. It said an
"unexpected" problem occurred in the interface between the old and new
signaling systems of the East-West Line (EWL). Thales, which is supplying
the new system for the EWL, has also apologised to commuters who were
inconvenienced, and the 38 people injured by the accident."

-- published 22NOV2017. High-level summary of fault. "Protective "bubbles"
meant to keep trains at a safe distance from each other were inadvertently
disabled on Nov 15 before two trains collided at Joo Koon MRT station."

-- published 22NOV2017. Singapore government expresses umbrage from incident
"The company supplying the new signaling system for the East-West Line
(EWL), on which a train collision occurred last week, "could have done
better", Transport Minister Khaw Boon Wan said yesterday."

Re: Web Browser JavaScript Woes (Firefox 57.0).

Chris Drewe <>
Thu, 23 Nov 2017 22:00:27 +0000
You've probably had submissions on this already; hardly end-of-the-world
stuff, though may be of interest.  I surf the web with Firefox on a Windows
7 laptop, and following advice on this very forum, I usually have JavaScript
disabled.  Allegedly this avoids possible security problems, but the big
advantage is that web pages load in a flash, *and* there's no problem with
loads of unwanted stuff wasting my monthly bandwidth allowance.  Some web
sites, particularly important ones like on-line bill payment or web e-mail
access, need JavaScript, so I manually enable this when required.

Last year, to my dismay a Firefox update removed the option to disable
JavaScript from the list, but I quickly found a 3rd-party add-on to put this
in the Tools menu (phew!).  Then last week Firefox updated to 57.0
("Quantum") which (according to the 'what's new' info) disables unauthorised
add-ons including this one, so I was stuck without JavaScript with no

Oh well, at least there's good old Internet Explorer 11 which I've hardly
ever used... but it runs without JavaScript as well?!?  I couldn't even find
any references to JavaScript in any of the set-up options either, and when I
tried the on-line help feature, this said "needs JavaScript to run"!
(Sounds like that old joke about 'the instructions for the microfilm reader
are on microfilm'.)  I don't recall ever changing this, but must have
disabled scripting when I first got the laptop to avoid any security issues.

To cut a long story short, a Google search (at least this doesn't need
JavaScript!) showed (a) IE actually uses the term 'Active scripting' for
this, with radio buttons for Disable/Prompt/Enable, so that fixed that, and
(b) Firefox set-up can be accessed via 'about:config' and the "I promise to
be good" screen.  What I plan to do is use IE for sites where JavaScript is
needed, and Firefox for everything else.

Re: Taser Company Ignored SEC Emails ... In a Spam Folder

John Levine <>
Fri, 24 Nov 2017 04:08:59 +0000
... the implicit assumption—that if ISPs just delivered all the mail
things would be fine—is quite false.

Most mail systems see about 90% spam.  An ISP like World that's been around
for a long time probably gets even more.  That means there are about ten
spam messages for every real one.  Even if your ISP spent the extra money
for the extra bandwidth and storage to receive and deliver all the spam,
your mail would be unusable, with the trickle of real mail hidden in the
torrent of junk.  I once met a person at the EFF who had a principled
unfiltered mailbox, and she said that every day she manually deleted 3000
messages from her inbox.  I don't know how she got any work done, and how
many of those 3000 were real.

You don't want mail systems to send non-delivery notices for all the mail
they don't deliver, since most of the return addresses are fake, and that
would just be more spam to the holders of the fake addresses.  Enough
systems do this that it has a name, blowback spam, and on my system I have
special rules to try and deal with the blowback spam I get to a few domains
that seem particularly popular with spammers.

The original problem, an SEC notification misfiled in a spam folder, was
clearly due to a bug in the spam filtering.  The SEC does not send out
notices at random, so the recipient must have given the SEC the address they
sent it to.  If the spam filters for that mailbox weren't set to deliver
mail from the SEC, which is not hard to recognize, that's just a bug.

What's much harder are bulk legal notices, such as ones notifying members of
a proposed class action.  Those are bulk mail sent to people who didn't ask
for it, typically from a sending system that's never sent them mail before,
which makes it technically identical to spam.  (Some people would say it is
spam.)  You can't just whitelist anything that looks like a legal notice
since spammers, not being totally stupid, would make their spam look like
legal notices.  Bulk mail services try to tell public blacklists when they
plan to do a run, and the blacklists tend to be cooperative, but even so,
when automated systems see a blast of unfamiliar mail, they tend to treat it

The actual unsurprising moral here is that spammers ruin things for

Re: Taser Company Ignored SEC Emails ... In a Spam Folder (Levine)

Mark Kramer <>
Sat, 9 Dec 2017 23:29:36 -0500
> This is true, but the implicit assumption that if ISPs just delivered
> all the mail things would be fine is quite false.

I never made such an assumption. I stated a fact: email is not a reliable
communications medium. There is no means of making it that way. Having a
government that punishes people for not receiving their Very Important Email
is a Bad Thing.

I received an email reply from someone who demanded the right to be a
"nomad" who has no snail mail access but does have email. I would say that
if you choose a lifestyle with known limitations, you have that right.

Re: Are you aware that Comcast is injecting 400+ lines of JavaScript into web pages?

geoff goodfellow <>
Mon, 11 Dec 2017 23:30:34 -1000
Comcast replies, plus a Wyoming ISP chimes in:

On Sun, Dec 10, 2017 at 2:33 PM, the keyboard of geoff goodfellow <> wrote:
