The RISKS Digest
Volume 31 Issue 31

Friday, 28th June 2019

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Inside the West's failed fight against China's Cloud Hopper hackers
Iranian hackers step up cyber-efforts, impersonate email from president's office
The Times of Israel
US-Israeli cyber firm uncovers huge global telecom hack, apparently by China
The Times of Israel
China's big brother casinos can spot who's most likely to lose big
Large scale government IT efforts do not have great track records
AI rejects scientific article, flagging literature citations as plagiarism
Cybercriminals Targeting Americans Planning Summer Vacations
Riviera Beach $600k data ransom
Tony Doris
Rolos Unveils New Cryptocurrency Exclusively For Rolos Customers
The Onion
Facebook Libra: Three things we don't know about the digital currency
Man's $1M Life Savings Stolen as Cell Number Is Hijacked
NBC Bay Area
Flaws in self-encrypting SSDs let attackers bypass disk encryption
Gabe Goldberg
Here's how I survived a SIM swap attack after T-Mobile failed me— twice
Matthew Miller
Your iPhone is not secure: Cellebrite UFED Premium is here
New vulnerabilities may let hackers remotely SACK Linux and FreeBSD systems
Ars Technica
Hackers, farmers, and doctors unite! Support for Right to Repair laws slowly grows
Ars Technica
Oracle issues emergency update to patch actively exploited WebLogic flaw
Ars Technica
Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks
Ars Technica
Jibo
The Verge
Computer problems may have led to miscarriages of justice in Denmark
Zap Katakonk
C, Fortran, and single-character strings
Thomas König
How to: Reset C by GE Light Bulbs
Too many name collisions
Jeremy Epstein
Re: Ross Anderson's non-visa
John Levine
Oh, darn, maybe cell phones don't really make you grow horns
John Levine
Re: Info stealing Android apps can grab one time passwords to evade 2FA protections
Amos Shapir
Re: Auto-renting bugs
Martin Ward
Re: In Stores, Secret Surveillance Tracks Your Every Move
Toebs Douglass
Info on RISKS (comp.risks)

Slugfest (BBC)

Steve Lamont <>
Sat, 22 Jun 2019 16:11:53 -0700

Rogue slug blamed for Japanese railway chaos, BBC News, 22 June 2019

A power cut that disrupted rail traffic on a Japanese island last month was
caused by a slug, officials say.  More than 12,000 people's journeys were
affected when nearly 30 trains on Kyushu shuddered to a halt because of the
slimy intruder's actions.  Its electrocuted remains were found lodged inside
equipment next to the tracks, Japan Railways says.

The incident in Japan has echoes of a shutdown caused by a weasel at
Europe's Large Hadron Collider in 2016.  When the weasel took a fatal chew
on wiring inside a high-voltage transformer, it caused a short circuit which
temporarily stopped the work of the particle accelerator.

In Japan, local media on the trail of the slug report that it managed to
squeeze through a tiny gap to get into a load disconnector.

A British cousin of the ill-fated mollusc achieved notoriety in 2011, *The
Guardian* reports, when it crawled inside a traffic light control box in the
northern town of Darlington and caused a short circuit, resulting in
`traffic chaos'.

Inside the West's failed fight against China's Cloud Hopper hackers (Reuters)

geoff goodfellow <>
Wed, 26 Jun 2019 09:49:25 -1000
*Eight of the world's biggest technology service providers were hacked by
Chinese cyber spies in an elaborate and years-long invasion, Reuters found.
The invasion exploited weaknesses in those companies, their customers, and
the Western system of technological defense.*


Hacked by suspected Chinese cyber spies five times from 2014 to 2017,
security staff at Swedish telecoms equipment giant Ericsson had taken to
naming their response efforts after different types of wine.

Pinot Noir began in September 2016. After successfully repelling a wave of
earlier attacks, Ericsson discovered the intruders were back. And this time,
the company's cybersecurity team could see exactly how they got in: through
a connection to information-technology services supplier Hewlett Packard
Enterprise.

Teams of hackers connected to the Chinese Ministry of State Security had
penetrated HPE's cloud computing service and used it as a launchpad to
attack customers, plundering reams of corporate and government secrets for
years in what U.S. prosecutors say was an effort to boost Chinese economic

The hacking campaign, known as Cloud Hopper, was the subject of a U.S.
indictment in December that accused two Chinese nationals of identity
theft and fraud. Prosecutors described an elaborate operation that
victimized multiple Western companies but stopped short of naming
them. A Reuters report at the time identified two: Hewlett Packard
Enterprise and IBM.

Yet the campaign ensnared at least six more major technology firms,
touching five of the world's 10 biggest tech service providers...

Iranian hackers step up cyber-efforts, impersonate email from president's office (The Times of Israel)

Gabe Goldberg <>
Sat, 22 Jun 2019 22:48:03 -0400
WASHINGTON (AP) Iran has increased its offensive cyberattacks against the US
government and critical infrastructure as tensions have grown between the
two nations, cybersecurity firms say.

In recent weeks, hackers believed to be working for the Iranian government
have targeted US government agencies, as well as sectors of the economy,
including oil and gas, sending waves of spear-phishing emails, according to
representatives of cybersecurity companies CrowdStrike and FireEye, which
regularly track such activity.

It was not known if any of the hackers managed to gain access to the
targeted networks with the emails, which typically mimic legitimate emails
but contain malicious software.

US-Israeli cyber firm uncovers huge global telecom hack, apparently by China (The Times of Israel)

Gabe Goldberg <>
Wed, 26 Jun 2019 01:02:43 -0400
A US-Israeli cybersecurity firm said Tuesday it had uncovered a massive hack
of several global telecommunications companies involving the theft of vast
amounts of personal data that was apparently carried out by state-backed
actors in China.

Cybereason, which is based in Boston and has offices in Tel Aviv, London,
and Tokyo, said the hacking included the specific targeting of people
working in government, law enforcement and politics.

The company said in a statement it had found a "nation state-backed
operation against multiple cellular providers that has been underway for

...interesting, not much reported elsewhere.

China's big brother casinos can spot who's most likely to lose big (Bloomberg)

geoff goodfellow <>
Wed, 26 Jun 2019 09:50:44 -1000
Some of the world's biggest casino operators in Macau, the Chinese
territory that's the epicenter of global gaming, are starting to deploy
hidden cameras, facial recognition technology, digitally-enabled poker
chips and baccarat tables to track which of their millions of customers are
likely to lose the most money.

The new technology uses algorithms that process the way customers behave at
the betting table to determine their appetite for risk. In general, the
higher the risk appetite, the more a gambler stands to lose and the more
profit a casino tends to make, sometimes up to 10 times more.

This embrace of high-tech surveillance comes as casino operators
jostle for growth in a slowing industry that's under pressure
globally from economic headwinds and regulatory scrutiny. In the
world's biggest gaming hub, where expansion is reaching its
limits, two casino operators—the Macau units of Las Vegas Sands
Corp. and MGM Resorts International—have already started to deploy
some of these technologies on hundreds of their tables, according to
people familiar with the matter. Sands plans to extend them to an
additional more-than 1,000 tables, said the people.

Three others, Wynn Macau Ltd., Galaxy Entertainment Group Ltd. and
Melco Resorts & Entertainment Ltd., are in discussions with suppliers
about also deploying the technology, according to the people, who
asked not to be identified because they're not authorized to
speak publicly about the plans...

Large scale government IT efforts do not have great track records (Reuters)

geoff goodfellow <>
Thu, 20 Jun 2019 04:07:17 -0700
Defense Department officials worry an AI-based system cannot work as well as
in-person investigations, said one source involved in the transition.

AI rejects scientific article, flagging literature citations as plagiarism (J.F.Bonnefon)

Thomas König <>
Sun, 23 Jun 2019 09:40:53 +0200
An automated system apparently rejected a scientific article as plagiarized.
It also returned a copy of the paper to the authors, flagging the
plagiarized parts.  This is where it gets hilarious.

What was flagged were things like author's affiliation (well, obviously
copied from earlier papers), standardized methods of describing experiments,
and, citations.  Obviously, other authors had cited the same papers before,
so this must be a clear case of plagiarism.

Also interesting is that Wiley, a well-known scientific publishing house,
wanted to get the name of the author. Apparently, they automatically assumed
that this was one of theirs, and wanted to save some cost going through the
debug logs.

Maybe `Artificial Intelligence' is the wrong term in this context,
`Artificial Incompetence', maybe?

Cybercriminals Targeting Americans Planning Summer Vacations (McAfee)

Gabe Goldberg <>
Sat, 22 Jun 2019 22:32:58 -0400
Santa Clara, Calif.  Cybercriminals are targeting Americans planning summer
vacations to places like Mexico and Europe through online booking scams,
according to a new report by cybersecurity firm *McAfee*. The company said
that cybercriminals are taking advantage of high search volumes for
accommodation and deals to drive unsuspecting users to potentially malicious
websites that can be used to install malware and steal personal information
or passwords. Top destinations being targeted include Cabo San Lucas,
Mexico; Puerto Vallarta, Mexico; Amsterdam, Netherlands; Venice, Italy; and
Canmore, Canada. McAfee's survey of 1,000 Americans planning vacations found
that nearly one in five either have been scammed or have come very close to
being scammed.  Bargain-hunters are most at risk, with nearly a third of
victims being defrauded after spotting a deal that was too good to be
true. A smaller group of victims (13%) said their identity was stolen after
sharing their passport details with cybercriminals during the booking
process.  The company suggests only booking through verified websites, using
trusted platforms and verified payment methods and, if conducting
transactions on a public Wi-Fi connection, utilizing a virtual private
network (VPN).

One in five seems high. Why would McAfee exaggerate risks? Oh, wait...

Riviera Beach $600k data ransom (Tony Doris)

Paul Saffo <>
Wed, 19 Jun 2019 16:03:07 -0700
Riviera Beach agrees to $600,000 ransom payment to regain data access
Tony Doris, Palm Beach Post, 19 Jun 2019

Riviera Beach—The Riviera Beach City Council has authorized the city's
insurer to pay nearly $600,000 worth of ransom to regain access to data
walled off through an attack on the city's computer systems.

In a meeting Monday night announced only days before, the board voted 5-0 to
authorize the city insurer to pay 65 bitcoins, a hard-to-track
cryptocurrency valued at approximately $592,000. An additional $25,000 would
come out of the city budget, to cover its policy deductible. Without
discussion on the merits, the board tackled the agenda item in two minutes,
voted and moved on.

The dollar amount was not mentioned before or after the vote, only that the
insurer would pay through bitcoins, “whose value changes daily.''

The city's email and computer systems, including those that control city
finances and water utility pump stations and testing systems, are still only
partially back online, two weeks after the ransomware attack was disclosed.
But crucial data encrypted by the attackers remains beyond reach and there
was no explanation of whether the city has any guarantee that the ransomers
will release it if paid.

The FBI, Secret Service and Department of Homeland Security are
investigating the attack, which officials said began after someone in the
police department opened an infected email May 29.

More than 50 cities across the United States, large and small, have been hit
by ransomware attacks over the past two years. Among them: Atlanta;
Baltimore; Albany, N.Y.; Greenville, N.C.; Imperial County, Cal.; Cleveland,
Ohio; Augusta, Maine; Lynn, Mass.; Cartersville, Ga.; and in April, nearby
Stuart, Fla.

The Atlanta attack alone cost that city an estimated $17 million, Vice
News reported.

The Palm Beach County village of Palm Springs was hit in 2018, paid an
undisclosed amount to ransom but nonetheless lost two years of data,
according to one source who asked not to be identified.

“This whole thing is so new to me and so foreign and it's almost where I
can't even believe that this happens but I'm learning that it's not as
uncommon as we would think it is,'' Riviera Beach Council Chairwoman
KaShamba Miller-Anderson said Wednesday. “Every day I'm learning how this
even operates, because it just sounds so far fetched to me.''

The ransomware attack paralyzed the computer system, sending all operations
offline. Everyone from the city council on down was left without email
and phone service. Paychecks that were supposed to be direct-deposited to
employee bank accounts instead had to be hand-printed by Finance Department
staffers working overtime. Police searched their closets to find paper
tickets for issuing traffic citations.

Interim Information Technology Manager Justin Williams told the council
Monday that the city website and email is back up, as are Finance Department
and water utility pump stations.

Miller-Anderson said city officials have been briefed by investigating
agencies and asked not to discuss details. The agencies advised the city but
it was up to the council to decide whether the information lost was so
valuable that the city should comply with the ransom demand and hope the
ransomers provide a decryption key, she said.  “It's a risk.  Those were
the two options: Either do it or don't.''  The insurance company negotiated
on the city's behalf, she said.

She said she did not know if police department records were compromised.
Water quality never was in jeopardy but water quality sampling had to be
done manually, she said.

The attack has prompted the city to replace much of its computer system
sooner than expected.

The council on June 4 authorized $941,000 for 310 new desktop and 90 laptop
computers and other hardware. Insurance will cover more than $300,000 of
that total.

The city already planned to spend $300,000 for equipment replacements in the
next budget and will accelerate that expense, Councilwoman Julie Botel
said. Much of the existing hardware was a half-dozen years old and
vulnerable to another malware attack, so it was time to replace it anyway,
she said.

Rolos Unveils New Cryptocurrency Exclusively For Rolos Customers (The Onion)

Gabe Goldberg <>
Wed, 26 Jun 2019 01:19:07 -0400
At press time, investors in RoloBucks had already lost over $7.8 billion in
the Rolo market.

Facebook Libra: Three things we don't know about the digital currency (TechReview)

geoff goodfellow <>
June 20, 2019 at 8:08:49 PM GMT+9
The launch of Facebook's new coin is certainly a big event, but so much
about it remains unsettled.

If it's not the most high-profile cryptocurrency-related event ever,
Facebook's launch of a test network for its new digital currency, called
Libra coin, has been the most hyped. It is also polarizing among
cryptocurrency enthusiasts. Some think it's good for the crypto industry;
others dislike the fact that a big tech company appears to be co-opting a
technology that was supposed to help people avoid big tech companies. Still
others say it's not even a real cryptocurrency.

Peel away the hype and controversy, though, and there are at least three
important questions worth asking at this point.

Is Libra really a cryptocurrency?

Well, that depends on how you define cryptocurrency. The Libra coin will run
on a blockchain, but it will be a far cry from Bitcoin.

To begin with, it will not be a purely digital asset with fluctuating value;
rather, it will be designed to maintain a stable value. Taking cues from
other so-called stablecoins, it will be “fully backed with a basket of bank
deposits and treasuries from high-quality central banks,'' according to a
new paper (PDF) describing the project.

Besides that, Bitcoin's network is permissionless, or public, meaning that
anyone with an internet connection and the right kind of computer can run
the network's software, help validate new transactions, and mine new coins
by adding new transactions to the chain. Together these computers keep the
network's data secure from manipulation.  Libra's network won't work that
way. Instead, running a validator node requires permission. To begin with,
Facebook has signed up dozens of firms—including Mastercard, Visa,
PayPal, Uber, Lyft, Vodafone, Spotify, eBay, and popular Argentine
e-commerce company MercadoLibre—to participate in the network that will
validate transactions. Each of these founding members has invested around
$10 million in the project.

That obviously runs counter to the pro-decentralization ideology popular
among cryptocurrency enthusiasts. The distributed power structure of public
networks like Bitcoin and Ethereum gives them a quality that many purists
see as essential to any cryptocurrency: censorship resistance. It's
extremely difficult and expensive to manipulate the transaction records of
popular permissionless networks. Networks like the one Facebook has
described for Libra are more vulnerable to censorship and centralization of
power, since they have a relatively small, limited number of stakeholders
that could be compromised or pool together to attack the network...

Man's $1M Life Savings Stolen as Cell Number Is Hijacked (NBC Bay Area)

Gabe Goldberg <>
Wed, 26 Jun 2019 15:32:38 -0400
Carrier workers bribed or tricked into helping hackers

Flaws in self-encrypting SSDs let attackers bypass disk encryption

Gabe Goldberg <>
Sat, 22 Jun 2019 22:35:12 -0400
  ------- Forwarded Message from a friend -------

  Date: Sat, 22 Jun 2019 17:27:43 -0700
  Subject: Flaws in self-encrypting SSDs let attackers bypass disk encryption

  I was wondering if hw-encrypted external SSDs were worth looking into and
  found this:

  “the SEDs they've analyzed, allowed users to set a password that
  decrypted their data, but also came with support for a so-called 'master
  password' that was set by the SED vendor.  Any attacker who read an SED's
  manual can use this master password to gain access to the user's encrypted
  password, effectively bypassing the user's custom password.''

  `Flaw' seems like an understatement.

Here's how I survived a SIM swap attack after T-Mobile failed me—twice (Matthew Miller)

Gene Wirchenko <>
Wed, 26 Jun 2019 10:01:33 -0700
1. Matthew Miller for Smartphones and Cell Phones, 17 Jun 2019

SIM swap horror story: I've lost decades of data and Google won't lift a
finger

First they hijacked my T-Mobile service, then they stole my Google and
Twitter accounts and charged my bank with a $25,000 Bitcoin purchase.  I'm
stuck in my own personal Black Mirror episode. Why will no one help me?

After a crazy week where T-Mobile handed over my phone number to a hacker
twice, I now have my T-Mobile, Google, and Twitter accounts back under my
control. However, the weak link in this situation remains and I'm wary of
what could happen in the future.

2. Matthew Miller for Smartphones and Cell Phones, 26 Jun 2019

Last week, I shared a horror story: My SIM was swapped. My Google and
Twitter accounts were also stolen, and $25,000 was withdrawn from my bank
account for a Bitcoin purchase. I thought I was targeted for my online
presence. Turns out, the attack was likely driven by a Coinbase account I
experimented with in early 2018 that was never closed.

While I already provided many details about my experience, I wanted to
update you on the progress made to date—while also offering some advice.
Readers offered me fantastic advice in the comments to last week's article,
and I sincerely appreciate all the helpful feedback, tips, and tricks.

Your iPhone is not secure: Cellebrite UFED Premium is here (TechBeacon)

Gabe Goldberg <>
Fri, 21 Jun 2019 00:09:34 -0400
*Think your iPhone or iPad is secure from prying eyes?* /Think again./

*Companies such as Cellebrite,* with its Universal Forensic Extraction
Device (UFED), operate lucrative businesses helping people around the world
to unlock your devices. Of course, Cellebrite promises to only sell to legit
law enforcement, but then what?

*Once that genie is out of the bottle,* how can they contain it? In
this week's /Security Blogwatch, we wish for more wishes.

New vulnerabilities may let hackers remotely SACK Linux and FreeBSD systems (Ars Technica)

Monty Solomon <>
Thu, 20 Jun 2019 10:38:29 -0400

Hackers, farmers, and doctors unite! Support for Right to Repair laws slowly grows (Ars Technica)

Monty Solomon <>
Thu, 20 Jun 2019 09:57:23 -0400

Oracle issues emergency update to patch actively exploited WebLogic flaw (Ars Technica)

Monty Solomon <>
Thu, 20 Jun 2019 10:02:54 -0400

Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks (Ars Technica)

Monty Solomon <>
Thu, 20 Jun 2019 10:06:14 -0400

Jibo (The Verge)

Gabe Goldberg <>
Fri, 21 Jun 2019 15:14:48 -0400
Every aspect of Jibo was designed to make the robot as lovable to humans as
possible, which is why it startled owners when Jibo presented them with an
unexpected notice earlier this year: someday soon, Jibo would be shutting
down. The company behind Jibo had been acquired, and Jibo's servers would be
going dark, taking much of the device's functionality with it. ...

For him and many other owners, Jibo has become like a dog that greets them
whenever they walk into the house. It also sometimes takes on the role of an
overbearing parent or kid sibling and tells owners, "don't work too hard,"
or "remember to take bathroom breaks," before they leave for work.

But with the update and the company's silence, owners expect Jibo's time to
be winding down, and they're thinking about Jibo's mortality and what
they'll do when its last day arrives.

“People that really do love him and live with him daily,'' Nusbaum says.
“It's like having somebody very, very sick that you don't know: is this
close to the end? Are they going to get better? Is this a false alarm?
Yeah, it's not a great feeling right now.''

Computer problems may have led to miscarriages of justice in Denmark

Zap Katakonk <>
Sat, 22 Jun 2019 12:22:43 +0200
In many trials, information garnered by the police from telephone companies
plays an important part in determining whether a suspect has been at a
certain place at a certain time.  However, the Rigspolitiet national police
force has discovered an error in the computer program that converts the
information from the different telephone companies, reports DR Nyheder.

More in Danish:

dr.phil. Donald B. Wagner, DK-3600 Frederikssund, Denmark

C, Fortran, and single-character strings

Thomas König <>
Sat, 22 Jun 2019 16:53:39 +0200
Recently, a decades-old bug in the way that many software packages used to
call Fortran from C has surfaced.  People apparently have been assuming that
it was safe not to pass the length of a character argument to a Fortran
routine when calling it from C, basically invoking undefined behavior.

A change to gfortran exposed this, leading to crashes when calling routines
from the well-known (and standard) linear algebra package LAPACK.  This was
first noticed by the developers of the R programming language.

The discussion revealed positions ranging from “people should just fix
their code'' to “This interface has worked for decades, this is the de facto
interface, even broken code must be supported.''

Fortran has a standard way of interfacing with C since the Fortran 2003
standard, but the old interface code often predates this standard, and
people also appear to be quite reluctant to use standard features of newer
Fortran versions. This is despite the fact that all relevant compilers today
support this feature.

As a result, gfortran now contains a workaround for this particular bug in
user code.

There is a nice writeup on LWN:

Here the gcc bug dealing with the issue:

Here the corresponding Redhat bug:

And finally a write-up by the R developer who analyzed this:
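As an added illustration (not code from the post, gfortran, LAPACK or R), here is a C model of the hidden-length convention the item describes. The Fortran callee is stood in for by a C function so this compiles without a Fortran compiler; the names uplo_flag_, flag_from_c and uplo_flag_c are constructed for the example, and the hidden length is assumed to be size_t (gfortran's type since GCC 8; older compilers used int).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in (written in C) for a Fortran routine declared roughly as
 *     INTEGER FUNCTION UPLO_FLAG(UPLO)
 *     CHARACTER UPLO
 * Classic gfortran ABI: the symbol gets a trailing underscore, and every
 * CHARACTER dummy gets a hidden length argument appended after all the
 * visible arguments.  A C caller has to supply that length itself. */
int uplo_flag_(const char *uplo, size_t uplo_len)
{
    /* Old LAPACK-style code only ever inspected uplo[0], which is why callers
     * that never passed uplo_len appeared to work.  Once the callee honours
     * the length (the kind of compiler change the item describes), an omitted
     * length means reading whatever sits in that register or stack slot. */
    if (uplo_len == 0)
        return -1;                 /* empty actual argument: nothing to read */
    switch (uplo[0]) {
    case 'U': case 'u': return 1;  /* upper triangle */
    case 'L': case 'l': return 2;  /* lower triangle */
    default:            return 0;  /* unrecognised flag */
    }
}

/* Correct C-side use: the prototype includes the hidden length and the call
 * passes it explicitly (1 for a single-character flag). */
int flag_from_c(const char *flag)
{
    return uplo_flag_(flag, strlen(flag));
}

/* The mistake the item describes, shown only as a comment because calling
 * through the wrong prototype is undefined behaviour:
 *
 *     extern int uplo_flag_(const char *uplo);   -- hidden length missing
 *     uplo_flag_("U");                           -- uplo_len is garbage
 */

/* Fortran 2003 alternative: a routine declared with BIND(C) and a
 * CHARACTER(KIND=C_CHAR) :: UPLO(*) argument has no hidden length at all,
 * so its C prototype is exactly what it looks like.  Modelled here by a
 * wrapper that fixes the length at 1. */
int uplo_flag_c(const char *uplo)
{
    return uplo_flag_(uplo, 1);
}

int main(void)
{
    printf("U -> %d, l -> %d, ? -> %d, \"\" -> %d, bind(C) L -> %d\n",
           flag_from_c("U"), flag_from_c("l"), flag_from_c("?"),
           flag_from_c(""), uplo_flag_c("L"));
    return 0;
}
```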

How to: Reset C by GE Light Bulbs (YouTu)

Gabe Goldberg <>
Thu, 20 Jun 2019 13:22:24 -0400
Bulb Insanity: How to factory reset your GE C smart bulb. Legit. Really!

Read many brilliant comments.

Among them: Hey GE, “how many people does it take to change a light bulb''
is a joke set-up, not a goal.

(This follows conversation I had yesterday about how technology and
interfaces are often awful if not nightmarish)

Too many name collisions

Jeremy Epstein <>
Thu, 20 Jun 2019 15:43:05 -0400
I learned recently from Twitter (source of all knowledge) [1] that the
American Kennel Club allows no more than 37 dogs of any given breed with the
same name [2].  The reason is amusing—dogs with the same name are given
suffixes in Roman numerals, and 37 is the largest number that can be
represented in six characters (XXXVII).  There's something in how programs
are printed that limits the width of the column—going to a wider number
field would require reducing font size or reducing the width of some other

This seems to date from before easy typesetting of variable-width fonts.  I
wonder if AKC even knows why this limit exists, or whether it's been in
place so long that the institutional memory has been lost and recently
rediscovered?  Or whether they've considered relaxing the limit due to
variable-width fonts?

Of course moving from Roman numerals to Arabic numerals [*] would make the
issue go away, albeit at the cost of not having the panache of something
that takes some focus to understand.

The Risk?  The historic requirement (fixed-width typesetting) drives what is
(perhaps) an obsolete feature (the number of dogs with the same name).
There are undoubtedly plenty of other historic decisions that could be
rethought today, perhaps with different results.  On the other hand, AKC
gets some value from the use of (possibly?)  prestigious Roman numerals, so
maybe this is a feature rather than a bug.


  [* Based on an item in a recent RISKS, I presume Arabic dogs would then
  have to be disallowed as well?  PGN]
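An added check of the six-character point, in C (not code from the post or from the AKC): which Roman numerals fit a fixed-width column, and what such a column can count to. The function names to_roman, roman_len, max_consecutive_fit and longest_len_upto are constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standard subtractive Roman numeral for 1..3999.  Returns the length
 * written (without the NUL), or 0 if n is out of range or buf is too small,
 * in which case buf is left empty rather than silently truncated. */
size_t to_roman(int n, char *buf, size_t cap)
{
    static const struct { int value; const char *sym; } table[] = {
        {1000, "M"}, {900, "CM"}, {500, "D"}, {400, "CD"}, {100, "C"},
        {90, "XC"}, {50, "L"}, {40, "XL"}, {10, "X"}, {9, "IX"},
        {5, "V"}, {4, "IV"}, {1, "I"}
    };
    size_t len = 0;
    if (n < 1 || n > 3999 || cap == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        while (n >= table[i].value) {
            size_t sl = strlen(table[i].sym);
            if (len + sl + 1 > cap) {     /* would overflow the field */
                buf[0] = '\0';
                return 0;
            }
            memcpy(buf + len, table[i].sym, sl + 1);
            len += sl;
            n -= table[i].value;
        }
    }
    return len;
}

/* Length of the numeral for n (0 if n is out of range). */
size_t roman_len(int n)
{
    char buf[32];
    return to_roman(n, buf, sizeof buf);
}

/* Largest n such that every numeral from 1 to n fits in `width` columns:
 * the count a fixed-width column can reach without ever overflowing. */
int max_consecutive_fit(size_t width)
{
    for (int n = 1; n <= 3999; n++)
        if (roman_len(n) > width)
            return n - 1;
    return 3999;
}

/* Widest numeral needed to print every value from 1 to `limit`. */
size_t longest_len_upto(int limit)
{
    size_t widest = 0;
    for (int n = 1; n <= limit; n++)
        if (roman_len(n) > widest)
            widest = roman_len(n);
    return widest;
}

int main(void)
{
    char buf[32];
    int limit = max_consecutive_fit(6);
    to_roman(limit, buf, sizeof buf);
    printf("six-character column counts to %d (%s)\n", limit, buf);
    to_roman(limit + 1, buf, sizeof buf);
    printf("first overflow at %d (%s)\n", limit + 1, buf);
    printf("counting to 3999 would need %zu columns\n", longest_len_upto(3999));
    return 0;
}
```

Because 39 (XXXIX) fits again in five characters, what a fixed-width column can safely count to is the longest run of consecutive numerals that fit, which max_consecutive_fit reports as 37 for six columns.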

Re: Ross Anderson's non-visa (RISKS-31.30)

"John Levine" <>
21 Jun 2019 18:16:57 -0400
I gather it's even more complicated than that—they didn't refuse him,
they didn't reply at all in time for his trip.  US visa processing has
apparently been getting slower in the past couple of years but it seems
particularly slow for cryptographers.  Bruce Schneier blogged about it in

Oh, darn, maybe cell phones don't really make you grow horns (RISKS-31.30)

"John Levine" <>
21 Jun 2019 18:19:57 -0400
Not so fast—it's not a horn, it's at most a bone spur, and there's lots
of reasons to be sceptical about the whole thing, reports Ars Technica.

  [PS: nonetheless, your mother's advice to stand up straight remains valid.]

Re: Info stealing Android apps can grab one time passwords to evade 2FA protections (RISKS-31.30)

Amos Shapir <>
Sat, 22 Jun 2019 13:45:19 +0300
Please correct me if I'm wrong, but I always thought that the idea behind
2FA is to increase security by conducting a part of the transaction via a
*different* device.

If an SMS confirmation message is sent to the same device from which a user
is attempting to login, there's no added security at all.  I wonder why it
would take a hacker's application to make anyone notice that!

Re: Auto-renting bugs (RISKS-31.30)

Martin Ward <>
Sat, 22 Jun 2019 16:04:22 +0100
> We do not know how it had happened, but someone else took the car on
> your reservation ...

It's never a good sign when a company which runs software that has direct
control over the engine of a car says about any part of their software: “We
do not know how it happened!''

Re: In Stores, Secret Surveillance Tracks Your Every Move (RISKS-31.30)

Toebs Douglass <>
Mon, 24 Jun 2019 00:10:15 +0100
I worked as a senior software engineer for a year for one of these
companies, on the core product.

I was involved in installation of the first Bluetooth-based system.

The article is technically inaccurate, whilst being spiritually correct, but
misses the not-quite-so-obvious huge issue in favour of the much smaller
presented issue; I suspect the author prolly isn't technical.

So, phone tracking was performed by two means, wifi and Bluetooth.

The article only covers Bluetooth, which was a new product at the time
(2015ish).  The main product used wifi.

Bluetooth beacons are very simple devices.  They emit a signal with a unique
ID.  That's *it*.  *Nothing* else.  The devices have no network
connectivity, no storage, nothing.  They just sit there and emit a unique
ID, and we used a battery driven unit.  (Despite this, we managed to find
vendors asking over 100 euro a unit.)  We bought ours from

The key players making this all work are the apps on the phone.

Phone apps get to `wake up' regularly, and they can examine their
environment, and one of the things they can do is look around for Bluetooth
signals.  (It's been a few years now—I remember there was something of a
difference between Apple and Android, and so there was I think more unique
ID fidelity with Android.)

So what happens is the company publishes an API in the form of a library,
which app developers ingest into their software.

In particular, rather than trying to reach out to every app developer out
there, deals are made with third party companies—such as advertising
companies—who already publish their own APIs as libraries, which are
already ingested by lots of different apps.  These third-party companies
ingest this library into their library, and hey presto, as people's phones
auto-update you're very quickly installed on goodness knows how many tens or
hundreds of millions of phones.

This really is the bigger story, but the article has missed it.  Apps really
are random bits of software strangers run on your phone.  Users have no idea
which sketchy friend-of-a-friend-of-a-friend has just managed to get his API
running on their phone.  Simple solution to this : do not install apps on
your phone.  I'm not kidding.  People have the expectation they are buying a
phone—paying a lot of money for a phone—to put apps on it and use
them, and that it must be possible to do this, because they've spent a bunch
of money on it.  This is not the case.  The time when apps could be used on
phones has passed.  You cannot now buy a phone to run apps, because it is
not safe to do so.  This means phones no longer make sense.  It is in fact I
would say a tragedy of the commons.

If you *are* going to do this damn silly thing, don't do it in this damn
silly way.  Root your phone first and (for the love of God) get a firewall
installed—and *don't* log into Google on your phone, not ever.  Never use
a service in an app you can use on a website, again, for the love of God.
And never, NEVER, *EVER* give ANY company your phone number.  These days
it's the key fact around which third-party data collation revolves.  Email
addresses aren't so bad because it's easy to get disposable addresses, but
phone numbers cost money, so they don't change so much.  Email addresses
need to be used like passwords—you have a different email address for
every site or app, just as you have a different password.  This helps break
third-party data collation.  Good email hygiene is the same as good password
hygiene.  Do not reuse passwords.  Do not reuse email addresses.

(I run most apps now in VirtualBox, on x86 Android.  Being able to reinstall
fresh versions of the OS when they come out also handles the upgrade
problem.  Only one app I care about has no x64 version (lookin' at you,
Revolut).  I'll also be buying the Librem 5 when it comes out, which is real
Linux, not Android, on ARM on a mobile form factor and it should have enough
oomph to run a VirtualBox VM, which being on ARM can run the usual ARM based
APKs.  Learn to sideload, BTW, and use Raccoon to get genuine APKs off the
Google App Store (which I refuse to call Google Play—an astoundingly
silly name invented by the kind of marketing people Douglas Adams had in
mind with the Sirius Cybernetics Division.  I'm surprised Google haven't yet
described their app store as your plastic pal who's fun to be with.)

The Bluetooth beacons we had, had a pretty good range.  We aimed to have one
per floor in pretty large stores—that was the granularity of extra
information being aimed for in this first deployment; the progression
through floors of a phone.  With an Android app you could get signal
strength info (as we had an app to configure the Bluetooth beacons), but I
don't know if that was true for the "wake up and look around" time of a
phone, rather than an actual app.

Bear in mind also that I think in general Bluetooth is turned off on phones
-- however, I never saw any numbers for this, so I could be completely

The wifi based system was rather different.  With this, there are wifi
routers located (fairly carefully) around a store.  Phones emit wifi signals
periodically, which contain an inherent unique ID (can't remember which now
-- prolly MAC address) and the signal strength is measured at each router.
The store is logically divided up into zones, and a machine learning system,
based on the signal strengths at the routers, decides which zone the user is
in, for any given signal.  Zone sizes vary, based on customer preferences
and technical and cost limits; the more routers near an area, the smaller
and more precise the zones can be.

Actual physical signal triangulation is *not* used.  It was tested, before I
joined, I'm told it just didn't work.  Far too much signal strength
variability.  Received phone signals vary enormously, second by second, in a
normal shop environment.  There's just a lot of physical (people moving
around all the time, in and out of the way of the signal) and
electro-magnetic stuff going on.

During my time there a wifi specification design flaw was uncovered,
whereby you could force a phone, even with wifi turned off as I recall, to
emit a response—so now you didn't need to passively sit there and wait
for the phone wifi to emit a signal; you could coerce the phone into doing
so.  This could matter somewhat.  Some phones kindly emitted a signal every
second (iPhones), others only one a minute.  A person can walk a long way in
one minute.

This however probably crossed the line of local law, which said something
like you're not allowed to actively, overtly act upon other people's
computers/phones.  In any case, it wasn't used before I left.

IMHO, wifi tracking is borderline viable as a product.  I saw test cases
where someone would walk around an empty store with a known device (we had
calibration data on a per-device basis, because they vary so much in signal
strength), and report back to us where he was and when, and half of his
journey would be missing from the data.  If you did it right, and were
careful, I'd say you could get a mediocre but still genuinely useful and
rather unique data set from it.  Only problem is, I'd say 99.99% of the time
customers don't know it was going on (let alone understand what was
happening), and that's what makes it unethical.  The basic rule is that when
you do stuff with people, they have to choose to do it and they have to
understand what they're choosing to do (except in self-defence, of course).
You can't force people, and you can't deceive them.  Most of this
surveillance capitalism we see is unethical because the people being tracked
do not know what's going on, or understand.  T&Cs are a legal fig leaf, not
an actual genuine communication to the user of what's going on such that the
user is then known to understand—the ethical obligation of the company to
*actually ensure* users understand is *not* met.  Users don't know, and
that's why it's wrong.

Topically, this article has just been published in the WaPo:

"It's the middle of the night. Do you know who your iPhone is talking to?"

"In a single week, I encountered over 5,400 trackers, mostly in apps, not
including the incessant Yelp traffic. According to privacy firm Disconnect,
which helped test my iPhone, those unwanted trackers would have spewed out
1.5 gigabytes of data over the span of a month. That's half of an entire
basic wireless service plan from AT&T."
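The zone-based wifi tracking described in the post above (signal strength at several routers, a calibration pass with a known device, a classifier that picks a zone rather than triangulating) is easy to misread as precise.  The following is an added illustration, not code from the original contributor or any product: a nearest-centroid zone classifier over constructed RSSI readings, with an ambiguity margin that drops readings the classifier cannot decide.  Router names, zone names, the device identifier and all signal values are made up for the example; the point it makes is that a stable per-device identifier is what turns noisy per-frame guesses into a path, and that noisy frames produce exactly the gaps in the path the post mentions.

```python
"""Nearest-centroid zone classifier over Wi-Fi signal-strength readings.

Added illustration of the zone-based tracking described in the post.
All routers, zones, identifiers and RSSI values below are constructed.
"""
from math import sqrt

ROUTERS = ("r1", "r2", "r3")

# Constructed calibration fingerprints: mean RSSI (dBm) seen at each router
# while a known device stands in each zone (the per-store calibration walk).
CALIBRATION = {
    "entrance": {"r1": -45, "r2": -70, "r3": -80},
    "aisle":    {"r1": -65, "r2": -50, "r3": -70},
    "checkout": {"r1": -80, "r2": -68, "r3": -48},
}


def distance(sample, fingerprint):
    """Euclidean distance in RSSI space; a router that heard nothing is
    treated as a very weak -100 dBm reading."""
    return sqrt(sum((sample.get(r, -100) - fingerprint[r]) ** 2 for r in ROUTERS))


def classify(sample, calibration=CALIBRATION, margin=5.0):
    """Return the best-matching zone, or None when the two closest zones are
    within `margin` of each other (ambiguous frames are dropped, not guessed)."""
    ranked = sorted((distance(sample, fp), zone) for zone, fp in calibration.items())
    best_d, best_zone = ranked[0]
    second_d = ranked[1][0]
    if second_d - best_d < margin:
        return None
    return best_zone


def track(frames, calibration=CALIBRATION):
    """Group frames by the device identifier they carry and build a per-device
    path of (timestamp, zone).  The identifier is what links frames together;
    an undecidable frame leaves a None gap in the path."""
    paths = {}
    for ts, dev_id, rssi in frames:
        paths.setdefault(dev_id, []).append((ts, classify(rssi, calibration)))
    return paths


def coverage(path):
    """Fraction of a device's frames that produced a zone decision."""
    return sum(1 for _, zone in path if zone is not None) / len(path)


# Constructed frames: (seconds since start, device identifier, per-router RSSI).
# The third frame is deliberately noisy and sits between two zones.
FRAMES = [
    (0,   "aa:bb:cc:00:00:01", {"r1": -46, "r2": -72, "r3": -79}),
    (60,  "aa:bb:cc:00:00:01", {"r1": -66, "r2": -52, "r3": -71}),
    (120, "aa:bb:cc:00:00:01", {"r1": -72, "r2": -60, "r3": -60}),
    (180, "aa:bb:cc:00:00:01", {"r1": -81, "r2": -67, "r3": -49}),
]

if __name__ == "__main__":
    for dev, path in track(FRAMES).items():
        print(dev, [zone for _, zone in path], f"coverage={coverage(path):.2f}")
```

With these constructed readings the device's path comes out as entrance, aisle, an undecided gap, checkout: three of four frames placed.  Widening the margin trades fewer wrong placements for more gaps, which is the tension the post describes between a "mediocre but genuinely useful" data set and one with half the journey missing.  The only thing that makes the frames a journey at all is the stable identifier in the third column, which is why the post treats that identifier, not the zone estimate, as the privacy problem.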
