[RISKS] Risks Digest 27.17

From: RISKS List Owner <risko_at_private>
Date: Sun, 24 Feb 2013 17:05:45 PST
RISKS-LIST: Risks-Forum Digest  Sunday 24 February 2013  Volume 27 : Issue 17

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

Rush Holt on the Oscar Voting (PGN)
NASA loses, then restores contact with space station (Jim Reisert)
London Underground blacked out in 2003 (Chris Drewe)
English Closed Captions of a speech given in Spanish (David Tarabar)
The Long or Short of the TESLA Tale (Broder vs Musk via PGN)
Electronic health records: teething problems? (DKross)
Gaming the System (Catherine Rampell)
Chinese Army Unit Is Seen as Tied to Hacking Against U.S. (NYTimes)
``Malicious Mandiant Security Report in Circulation'' (Joji Hamada via
  Jim Reisert)
VERY Cold boot attacks on Androids (Anthony Thorn)
"Why Java APIs aren't the same as a Harry Potter novel" (Gene Wirchenko)
YouTube restores video of crash blocked by NASCAR (Lauren Weinstein)
ISP six-strikes starts tomorrow, and the expected results are ...
  (Lauren Weinstein)
IEEE: Can You Trust an Amazon Review? (Lauren Weinstein)
"Nowhere to hide: Video location tech has arrived" (Bill Snyder via
  Gene Wirchenko)
Bad idea: Firefox Will Soon Block Third-Party Cookies (Lauren Weinstein)
Re: Infiltrate anybody, one-click easy (Al Macintyre, Tom Van Vleck)
Microsoft seeks patent for spy tech for Skype (Lauren Weinstein,
  Dossy Shiobara, David Pollak)
18th International Workshop on Formal Methods for Industrial Critical
  Systems: FMICS 2013, Call for papers (Diego Latella)
Abridged info on RISKS (comp.risks)


Date: Sat, 23 Feb 2013 15:40:58 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Rush Holt on the Oscar Voting

Rush Holt, Star-Ledger Guest Columnist, 22 Feb 2013
Oscars put online voting problems back in the spotlight: Opinion

Unfortunately, it went poorly, for reasons that shed light on the inherent
difficulty of conducting secure, accessible, credible elections online.

Problems for Oscar voters began at the beginning: logging in. Voters were
required to create special, complex passwords, but when they tried to log in
to the Oscar website, many found their passwords rejected.  After
re-entering passwords several times, voters were locked out of the site
entirely and forced to call a help line. Many then had to wait for new
passwords, delivered by snail-mail.

Even relatively young and tech-savvy voters weren't immune. As 42-year-old
documentarian Morgan Spurlock told the Hollywood Reporter, ``There's even
some young farts like myself that are having problems.''

These problems should sound familiar in New Jersey. Our state just conducted
its own ad hoc experiment with online voting: Days before November's
election, as many of us struggled to recover from Hurricane Sandy, voters
displaced by the storm were told they could vote by e-mail.

The result was chaos. Election clerks reported e-mail systems that were
overwhelmed. In one county, voters were instructed to e-mail ballot requests
to a Hotmail account. Many didn't know that, by law, their e-mail vote was
only a place-holder and that they also had to mail a paper ballot. Others
didn't fully understand that, because their ballot needed to be linked to
their e-mail address to verify eligibility, voting online meant sacrificing
the right to a private ballot. Ultimately, election officials postponed the
voting deadline beyond Election Day to give voters time to overcome
unpredicted obstacles.

  [Rush Holt has been one of the most vocal members of Congress on the
  issues relating to voting system integrity, security, privacy, and so on.
  However, to RISKS readers, voting by e-mail should seem to be one of the
  worst possible alternatives, irrespective of how much is riding on any
  particular election.  You have to trust too many parts of the overall
  process, too many people with insider opportunities for rigging,
  compromised servers, too many opportunities for mistakes, hardships,
  failures, denial of service and man-in-the-middle attacks, and much more.


Date: Tue, 19 Feb 2013 14:03:22 -0700
From: Jim Reisert AD1C <jjreisert_at_private>
Subject: NASA loses, then restores contact with space station

Another relay malfunction.  First New Orleans, now space!

"A main data relay system malfunctioned, and the computer that controls the
station's critical functions switched to a backup, NASA officials said in a
statement. However, the station was still unable to communicate with the
Tracking and Data Relay satellite network that serves as the outpost's link
to NASA's Mission Control center on the ground."


Jim Reisert AD1C, <jjreisert@private>, http://www.ad1c.us


Date: Sun, 17 Feb 2013 21:50:27 +0000
From: "Chris Drewe" <e767pmk_at_private>
Subject: London Underground blacked out in 2003

  [Re: Super Bowl Blackout (McGill, RISKS-27.16)]

On 28 Aug 2003, parts of London, UK, had a power outage which affected much
of the Underground (subway) during the evening rush-hour (a Google search
for "2003 London blackout" produces loads of info); various factors appeared
to be involved, but the direct cause was reported as a 1 Amp over-current
relay being erroneously fitted instead of a 5 Amp one two years before (via
a current-scaling transformer, of course).  I'm not sure if there are any
similarities with the Super Bowl event, but as someone said, the usual
non-expert comment was "why wasn't it tested thoroughly?", to which the
answer is: how do you rig up a multi-megawatt load bank to a public
electricity supply..?

  [Note: This outage is noted by Phil Thornley in RISKS-22.91 London
  blackout caused by incorrect relay fitting, and subsequently by Peter Amey
  in RISKS-22.97.  I include Chris's item here as another reminder of the
  importance of remembering history in RISKS.  PGN]


Date: Thu, 14 Feb 2013 18:11:26 -0500
From: David Tarabar <dtarabar_at_private>
Subject: English Closed Captions of a speech given in Spanish

Marco Rubio gave a live response to the President's State of the Union
Address on 12-Feb. He also taped a Spanish translation of the speech that
was released to the media. Abc.com posted the Spanish language version and
enabled Closed Captioning (CC). The CC was obviously automated, because the
resulting 'translation' was a garbled mess of English words.

Stephen Colbert -- a comedian who plays a political pundit on TV -- used
these captions as the basis for a segment of the Colbert Report.


(As of the morning 14-Feb, abc.com still enabled CC on the speech, but
as of this evening the CC option had been removed.)


Date: Thu, 14 Feb 2013 19:37:30 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: The Long or Short of the TESLA Tale?

In *The New York Times*, John M. Broder reported that the Tesla Model S
electric car he was test-driving repeatedly ran out of juice, partly because
cold weather reduces the battery's range by about 10 percent.

Charles Lane, The electric car mistake, *The Washington Post*, 11 Feb 2013
quotes Tesla chief executive Elon Musk, claiming that Broder's report is a
fake, and that the vehicle log showed Broder didn't charge fully, and took
an [unmentioned] long detour.

*The Times* stands by Broder.



Date: Mon, 18 Feb 2013 9:34:43 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Electronic health records: teething problems?

  [With thanks to Dr. D. Kross.  PGN]

"Everyone knew there would be teething problems the first few weeks, but
they've never stopped. We've started scheduling fewer patients because of
the time they take to process. The air can turn blue when a senior
consultant finds himself fiddling with a computer instead of seeing


Date: Sun, 17 Feb 2013 10:18:48 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Gaming the System (Catherine Rampell)

  [Sometimes it pays to read the fine print.  A loophole in the professor's
  grading system led an entire class to skip the final, guaranteeing
  them all A's.  People are wily!  Dan Farmer]

Catherine Rampell, *The New York Times*, 14 Feb 2013 [Valentine's Day]

Dollars to doughnuts.

*Inside Higher Ed* had a fascinating article a couple days ago about some
college students who unanimously boycotted their final exam and all got A
[grades] under a grading curve loophole. It's a great example of game theory
at work.

In several computer science courses at Johns Hopkins University, the grading
curve was set by giving the highest score on the final an A, and then
adjusting all lower scores accordingly. The students determined that if they
collectively boycotted, then the highest score would be a zero, and so
everyone would get an A. Amazingly, the students pulled it off.

  [Foreshortened for RISKS, but the last paragraph is worth noting, quoting
  the Professor, Peter Froehlich:]

``I have changed my grading scheme to include that everybody has 0 points
means that everybody gets 0 percent, and I also added a clause stating that
I reserve the right to give everybody 0 percent if I get the impression that
the students are trying to `game' the system again.''


Date: Tue, 19 Feb 2013 9:54:35 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Chinese Army Unit Is Seen as Tied to Hacking Against U.S.

David E. Sanger, David Barboza, Nicole Perlroth, *The New York Times*

  "The building off Datong Road, surrounded by restaurants, massage parlors
  and a wine importer, is the headquarters of P.L.A. Unit 61398.  A growing
  body of digital forensic evidence - confirmed by American intelligence
  officials who say they have tapped into the activity of the army unit for
  years - leaves little doubt that an overwhelming percentage of the attacks
  on American corporations, organizations and government agencies originate
  in and around the white tower."


Date: Thu, 21 Feb 2013 23:22:01 -0700
From: Jim Reisert AD1C <jjreisert_at_private>
Subject: ``Malicious Mandiant Security Report in Circulation'' (Joji Hamada)

Written by Joji Hamada, Symantec Employee

  "The report, APT1: Exposing One of China's Cyber Espionage Units,
  published by Mandiant earlier this week has drawn worldwide attention by
  both the security world and the general public. This interest is due to
  the conclusion the report has drawn regarding the origin of targeted
  attacks, using advanced persistent threats (APT), performed by a certain
  group of attackers dubbed the Comment Crew. You can read Symantec's
  response to the report here."

  "Today, Symantec has discovered someone performing targeted attacks is
  using the report as bait in an attempt to infect those who might be
  interested in reading it."


  [This might be somewhat self-serving, especially if Symantec's business is
  booming as a result of many prominent companies coming out of the closet
  to admit that they too were victims...  PGN]


Date: Tue, 19 Feb 2013 09:26:24 +0100
From: Anthony Thorn <anthony.thorn_at_private>
Subject: VERY Cold boot attacks on Androids

Thilo Mueller and Michael Spreitzenbarth at Uni Erlangen have published a
report and tools to perform cold boot attacks on Android smartphones.

They describe (https://www1.informatik.uni-erlangen.de/frost) cooling the
phone in a freezer for an hour before proceeding.  Freezing RAM chips to
read their content is not new, nor are cold boot attacks; here a concept has
been proved and the tools made available.

FROST illustrates that attacks (threats) that appeared very difficult and
expensive and hence impracticable and negligible can suddenly become
practical and real risks.

My conclusion is that attacks which are logically possible must be taken
seriously as risks - even if they are currently difficult.

Last but not least, I found the pun irresistible, and in the spirit of


Date: Fri, 15 Feb 2013 09:57:44 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Why Java APIs aren't the same as a Harry Potter novel"

Oracle seeks to convince appeals court that Google's use of 37 lines of code
is akin to plagiarizing a blockbuster literary work.  InfoWorld, 14 Feb 2013


Date: Sat, 23 Feb 2013 20:05:02 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: YouTube restores video of crash blocked by NASCAR

http://j.mp/15FxO8h  (*The Washington Post* via NNSquad)

  "Our partners and users do not have the right to take down videos from
  YouTube unless they contain content which is copyright infringing, which
  is why we have reinstated the videos."

YouTube has reinstated the video(s) [which I mentioned earlier today] noting
that NASCAR did not have the right to remove them on copyright infringement
grounds.  Good work by the YouTube team.


Date: Sun, 24 Feb 2013 13:15:28 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: ISP six-strikes starts tomorrow, and the expected results are ...

ISP six-strikes starts tomorrow, and the expected results are ...
http://j.mp/W47lA7  (Torrent Freak via NNSquad)

  "The much-discussed U.S. six strikes anti-piracy scheme is expected to go
  live on Monday. The start date hasn't been announced officially by the CCI
  but a source close to the scheme confirmed the plans."

Expected results:

1) Legit users are harassed due to IP address mix-ups, etc.  Remember
   you must pay to file an appeal.

2) Proxy services see a massive up-tick in use.

3) Public Wi-Fi access points in small stores, etc. are decimated.

4) Relatively visible Torrent-based systems are even more rapidly
   replaced with completely underground and well-hidden systems.

5) In relatively short order, the MPAA et al. will be back with their
   Congressional supporters again demanding that the Internet be remade
   to protect their obsolete 20th century profit center models, no
   matter what the costs.


Date: Sat, 23 Feb 2013 16:02:17 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: IEEE: Can You Trust an Amazon Review?

http://j.mp/15F3OcF  (*IEEE Spectrum* via NNSquad)

  "Reviewers are gaming the system at Amazon and elsewhere for mischief,
  politics, and profit."


Date: Thu, 21 Feb 2013 10:18:00 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Nowhere to hide: Video location tech has arrived" (Bill Snyder)

Bill Snyder, *InfoWorld*, 21 Feb 2013
New technologies are turning Web videos and photos into tools that will
  destroy your privacy


Date: Sat, 23 Feb 2013 13:50:26 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Bad idea: Firefox Will Soon Block Third-Party Cookies

  "Stanford researcher Jonathan Mayer has contributed a Firefox patch that
  will block third-party cookies by default. It's now on track to land in
  version 22."  http://j.mp/YM28Jh  (Slashdot via NNSquad)

No meaningful privacy enhancements will be provided to users by this
change, but contrary to what Mozilla is saying, it *will* break many
standard functions of many standard Web sites.  Another "politically
correct" step by Mozilla that actually makes users' lives more


Date: Thu, 14 Feb 2013 22:02:39 -0600
From: "Al Mac Wow" <macwheel99_at_private>
Subject: Re: Infiltrate anybody, one-click easy (Summit, RISKS-27.16)

We customers, of anti-virus and other PC security software, we are sheep.
We buy whatever is offered, we do not make demands or even pretty please
requests that future editions of the protection provide specific
improvements.  Not enough of us ask for the same thing.

I want the code which I key in to activate this upgrade printed large enough
so I do not have to use a magnifying glass, or other aids, so the characters
are readable, for my aging eyes.

I want e-mail protection which says ... this hyper link is not what its text
claims to be.  This attachment saying it came from company-X or government
agency-X did not in fact come from that organization.

I want a browser click on ... this site is suspicious.  Then there are
pull-down options ... we select porn, hate site, selling clearly illegal product
or service, promoting assassination of our leaders, whatever the grievance,
or space to enter a comment if other than one of the above.  Then another
option, where we select who to report it to, such as local police, FBI, FTC,
our ISP, the ACLU, whatever.  When they get the "suspicious" reports, we
have already categorized for them, what we think the problem, our identity,
our GPS where we were when we saw it.

When we have a company network, the e-mail should go through a different
brand name anti-virus, anti-phishing protection than what is on the
individual PCs of the network, so one catches what the other protection

When individual PCs try to connect to the company network, run security
software check ... do you have the latest security?  Is it working?  Has it
been patched?  Do you have a virus?  If any answer wrong, then you are
disconnected from the network, your boss is notified, and a technician is
dispatched to your location to fix your PC.

Do you have the same company PC doing your company banking, and that PC
engaged in other Internet activity, like e-mail?  Fire the manager who
decided that was appropriate behavior.

Firewalls and anti-protection should check what's going out, as well as
what's coming in.  Here is confidential personal info going out.  Is it
going to a previously authorized location?

Al Mac (WOW) = Alister William Macintyre


Date: Fri, 15 Feb 2013 10:48:22 -0500
From: Tom Van Vleck <thvv_at_private>
Subject: Re: Infiltrate anybody, one-click easy (Summit, RISKS-27.16)

I heartily agree with Steve Summit's posting in RISKS 27:16.

I advise my friends and family "don't click on links in e-mail messages,"
but I know they do -- because I see the results when they get hacked.

The programs now invoked by e-mail clients to display web pages and
attachments trust those items completely.  I wish we could introduce some
caution and intelligence into this path.

For display of links in messages, I'd like to use a specialized web
page mail-link browser that's passed information like "this obfuscated
URL came from a mail message, ostensibly from wellsfargo.com, sent via
a mail server in Russia."  (I got one of these recently.)  The browser
could consider multiple factors when deciding how to show the content.
It might, for example, display an alert border; disable Flash, Java,
Javascript; disable or indicate IFRAMEd content, etc.

Similarly, I'd like the option to send file attachments to a sandboxed
program that just displayed text contents.


Date: Thu, 21 Feb 2013 09:05:51 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Microsoft seeks patent for spy tech for Skype

   "A technology called Legal Intercept that Microsoft hopes to patent
    would allow the company to secretly intercept, monitor and record
    Skype calls. And it's stoking privacy concerns."
    (*Computerworld* via NNSquad)  http://j.mp/WV2pKr


Date: Feb 21, 2013 10:37 AM
From: "Dossy Shiobara" <dossy_at_private>
Subject: Re: Microsoft Patents Skype Interception Tool (via Dave Farber)

From an intellectual property perspective, wouldn't it make a lot of sense
for a company to patent or otherwise protect snooping and/or
security-related technology to prevent others (bad actors, competitors,
etc.) from implementing the functionality and using it?

While the chilling effect of the privacy implications is a concern, this
kind of patent seems like an obvious defensive strategy, as well?


Date: Feb 21, 2013 11:20 AM
From: "David Pollak" <dpp_at_private>
Subject: Re Microsoft Patents Skype Interception Tool (via Dave Farber)

FWIW, I described a Skype interception tool on this list 6+ years ago. I
wonder if my description counts as prior art to the patent.


Date: Fri, 15 Feb 2013 11:52:18 +0100
From: Diego Latella <Diego.Latella_at_private>
Subject: 18th International Workshop on Formal Methods for Industrial
  Critical Systems: FMICS 2013, Call for papers

                           FMICS 2013
                  18th International Workshop on
          Formal Methods for Industrial Critical Systems
                      September 23-24, 2013
                          Madrid (Spain)
                    Co-located with SEFM 2013
    [truncated for RISKS; see the URL for the full announcement.  PGN]

Call for Papers

The aim of the FMICS workshop series is to provide a forum for researchers
who are interested in the development and application of formal methods in
industry.  In particular, FMICS brings together scientists and engineers who
are active in the area of formal methods and interested in exchanging their
experiences in the industrial usage of these methods. The FMICS workshop
series also strives to promote research and development for the improvement
of formal methods and tools for industrial applications.

Topics of interest include (but are not limited to):
* Design, specification, code generation and testing based on formal
* Methods, techniques and tools to support automated analysis,
  certification, debugging, learning, optimization and transformation
  of complex, distributed, real-time systems and embedded systems.
* Verification and validation methods that address shortcomings of
  existing methods with respect to their industrial applicability
  (e.g., scalability and usability issues).
* Tools for the development of formal design descriptions.
* Case studies and experience reports on industrial applications of
  formal methods, focusing on lessons learned or identification of new
  research directions.
* Impact of the adoption of formal methods on the development process
  and associated costs.
* Application of formal methods in standardization and industrial

Submissions must describe authors' original research work and their
results. Contributions should not exceed 15 pages formatted according to the
LNCS style (Springer), and should be submitted as Portable Document Format
(PDF) files using the EasyChair submission site:

Paper submissions by May 3rd.

Michael Dierkes (Rockwell Collins, France)
Charles Pecheur (Université catholique de Louvain, Belgium)

Dott. Diego Latella - Senior Researcher - CNR/ISTI, Via Moruzzi 1, 56124
Pisa, IT (http://www.isti.cnr.it)
FM&&T Laboratory (http://fmt.isti.cnr.it)
http://www.isti.cnr.it/People/D.Latella - phone: +39 0503152982 - mob:
+39 348 8283101 - fax +39 0503152040


Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 27.17
Received on Sun Feb 24 2013 - 17:05:45 PST
