Risks Digest 26.77
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 4 Apr 2012 13:35:15 PDT
RISKS-LIST: Risks-Forum Digest Wednesday 4 April 2012 Volume 26 : Issue 77
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
Contents: More April Foolishness
ICANN Announces Surprise Termination of Domain Name Expansion
Program; Plans Own Dissolution (Lauren Weinstein)
Unicode in the modern communications world (Mike Tashker)
The Evil Bit, the Angelic Bit, and the "I'm not sure" value! (PGN)
Arizona Internet censorship bill on Gov's desk (Lauren Weinstein)
Reserved Words Anyone? (Marv Schaefer)
DDoS attack disrupts Canadian political party leadership vote (Mark Brader)
Why Your Vote Won't Count (Mark E. Smith)
Tor traffic disguised as Skype video to fool repressive governments
Kazakh gold medal team gets Borat national anthem -- googled! (Rob McCool)
Australian Court Finds Google Guilty of Deceptive Ad Tactics
Tom Tom GPS "Leap Year Bug" (Martyn Thomas)
Second Murdoch hacking scandal (Charles C. Mann)
An end to phones in every home? (David Cay Johnston)
Apple holds the master decryption key when it comes to iCloud
security, privacy (Chris Foresman via Monty Solomon)
Outage of Visa network kept people from using credit, debit cards
for a time Sunday afternoon (Monty Solomon)
Re: Texting error leads to lockdowns at two schools (Paul Wallich)
Re: Not even a tiny bit creepy. After all, Orwell WAS British
Abridged info on RISKS (comp.risks)
Date: Sun, 1 Apr 2012
From: Lauren Weinstein <lauren () vortex com>
Subject: ICANN Announces Surprise Termination of Domain Name Expansion
Program; Plans Own Dissolution
Lauren Weinstein's Blog Update: ICANN Announces Surprise Termination of
Domain Name Expansion Program; Plans Own Dissolution, March 31, 2012
Sunday, 1 April 2012
MARINA DEL REY, California (ZAP) -- In a stunning and unexpected
announcement, the Internet Corporation for Assigned Names and Numbers
(ICANN) has announced the immediate termination of its controversial and
much criticized plan for a vast expansion of generic top-level Internet
domain names (gTLDs), and has set an aggressive timetable for the
dissolution of ICANN itself.
ICANN has been increasingly condemned for what many observers have called
erratic and inappropriate decision-making processes, leading to the
U.S. Department of Commerce refusing to renew a key ICANN function last
month, and ICANN's own outgoing CEO publicly implying that conflicts of
interest on the ICANN board of directors have allowed ICANN to be co-opted
by moneyed "domainer" speculation interests.
ICANN spokesman Seymour Murdochian discussed his organization's drastic
change of course as he snacked on Beluga caviar spread over Wonder Bread,
while watching his Rolls-Royce Silver Shadow being washed and detailed in
"I realize that there are many serious allegations outstanding against ICANN
these days," said Mr. Murdochian. "We're blamed for ignoring the best
interests of the global Internet community. We're accused of implementing
an extortionist protection racket via an enormous domain name expansion
program, that would ultimately suck billions of dollars out of the Internet
economy and would only serve to enrich the "domain-industrial complex"
operating those domains. People claim that we arrogantly ignore legitimate
concerns of trademark holders, are complicit in helping the U.S. government
disable domains around the world without due process, waste money on
unnecessary global travel to exotic locales, have become totally owned by a
"gold rush" mentality via wealthy powers at the top of the DNS food chain,
and even that we use overly expensive hand soap in our office restrooms,"
added Mr. Murdochian.
"I want to be absolutely clear that the ICANN board of directors takes firm
and uncompromising exception to such a characterization. Our hand soap is
not outrageously expensive, and given the amount of hand washing we do
around here, having quality soap available is a necessity, not a luxury,"
Murdochian then explained ICANN's recent change of heart. "After extensive
discussions internally, with our travel agents, and with our personal
portfolio managers, we've decided that the time is ripe for us to bow out of
formal Internet affairs. We want to make way for the creation of new
Internet governance models that can be purpose-built to better serve the
entire Internet community around the world, will reduce the risk of Internet
fragmentation that has been rising as domestic governments increasingly
threaten not to play along with our current schemes, and will help reduce
the risk of a potentially disastrous Internet takeover by
politically-encumbered organizations such as the United Nations or
International Telecommunication Union."
"Therefore, we've announced that effective immediately, all ICANN activities
related to new Internet top-level domains are permanently ended. We will be
refunding all associated fees already paid by applicants, and as a token of
our appreciation for past support will be including with each refund an
approximately 1.5 carat, 'H' color, 'SI' quality diamond from our vaults."
"We have filed appropriate notifications with the Department of Commerce and
foreign governments expressing our intention to cease all ICANN operations
no later than a year from now on 1 April 2013."
"I'll be reachable for additional comments at my summer home on the Riviera
if there are any other questions," said Mr. Murdochian, just before his
chauffeur whisked him away.
Asked about these unexpected, dramatic developments, Lauren Weinstein, a
long-time Internet technologist and vocal critic of ICANN's domain name
plans, said that, "It's indeed encouraging to see ICANN finally doing what's
really right for the entire global Internet community, and abandoning their
plans to fleece the Internet at large for the benefit of domain speculators
and associated opportunists. A new alternative to ICANN and to existing
organizations like the ITU and UN is definitely the way that we need to
proceed to make the Internet better for everyone around the world. It's a
shame though that this process has taken so long, and that this entire
article is only an April Fools' Day posting."
ZAP/NYC 20120401 0916
Date: Sun, 1 Apr 2012
From: "Mike Tashker" <tashkerm () transdecsys com>
Subject: Unicode in the modern communications world
It's occasionally appropriate to reflect on the beneficial effects of some
unsung piece of technology, for example, Unicode. Unicode extends the
original Western-alphabet-based encoding of the digital representation of
characters to almost any language--it provides a unique number for every
character, regardless of the language. This has had a major effect on
A little over 4 years ago (February 2008), analog cellphone service was
turned off in the U.S. Thereafter all cell service (CDMA or GSM) was based
on digital protocols. And while previously, all languages could be spoken
on a cellphone, after the demise of analog, only Western languages (all
letters fit within an octet) plus non-Western languages represented by
Unicode could be transmitted due to the new digitization.
Unicode is now up to version 6.1 and covers almost every language spoken in
the world, making digital cell service near universal from a technical point
of view. Some languages are still not supported, see
http://tinyurl.com/m979dh for a list. This includes archaic forms such as
Linear A as well as Klingon. But unless you want to speak Klingon on a
cellphone, most currently-spoken languages are covered, making digital
cellphone communications a reality for linking the peoples of the world.
Date: Sun, 1 Apr 2012
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: The Evil Bit, the Angelic Bit, and the "I'm not sure" value!
In his own list, Steve Greenwald noted the following item from RFC 6593 at
Inherently, services not discovered are more secure than those discovered,
due to their obscurity. However, the discoverability or undiscoverability
of a given service is largely independent of its security characteristics.
Instead, an implementor is guided to [RFC3514] to denote evilness (and
associated security) status. Since [RFC3514] only defines evil and
non-evil intent of packets, this document suggests assigning an "I am not
sure" additional value for the evil bit. The intentional ambiguity of
this additional state makes it a perfect third value for a binary bit.
Perhaps the fools are winning, and April Fools Day cannot keep up with the
irrationality of the fools. In RISKS-22.66 on 1 Apr 2003, Steve Bellovin's
Evil Bit (the first item on RFC 3514) and Drew Dean's Angelic Bit (the
second item) -- along with Tony Bartoletti's crimeFree bit -- were
wonderfool contributions. The idea of fuzzy logic being applied thereto
with the "I am not sure" value of a ternary Evil bit (sic) is delicious.
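As an added illustration (not part of RISKS, of RFC 3514 or of RFC 6593), the
following shows where the Evil Bit actually sits if one takes RFC 3514 at its
word: the high-order, otherwise reserved bit of the IPv4 flags/fragment-offset
word. The header builder, checksum routine and the 192.0.2.x addresses are
assumptions made for this example; the point it makes is that a raw IPv4 header
gives that bit exactly two states, so the "I am not sure" value has nowhere to
live.

```python
import struct

# RFC 3514 assigns the evil bit to the high-order bit of the 16-bit
# flags/fragment-offset word of the IPv4 header (mask 0x8000).  In a
# non-April-Fools stack this bit is reserved and must be zero.
EVIL_BIT = 0x8000
DF_FLAG = 0x4000


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071).

    Over a header whose checksum field is already filled in, this returns 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, evil: bool,
                      proto: int = 6, payload_len: int = 0) -> bytes:
    """Construct a 20-byte IPv4 header (no options), DF set, evil bit as given.

    The identification value and TTL are fixed constants for the example.
    """
    ver_ihl = (4 << 4) | 5            # version 4, header length 5 words
    total_len = 20 + payload_len
    flags_frag = DF_FLAG              # fragment offset 0
    if evil:
        flags_frag |= EVIL_BIT
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def evil_bit(header: bytes) -> int:
    """Return the RFC 3514 evil bit (0 or 1) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_frag = struct.unpack("!H", header[6:8])[0]
    return 1 if flags_frag & EVIL_BIT else 0


def classify(header: bytes) -> str:
    """Map the bit to intent.  There is no key for RFC 6593's third state."""
    return {0: "benign", 1: "evil"}[evil_bit(header)]


if __name__ == "__main__":
    for flag in (False, True):
        h = build_ipv4_header("192.0.2.1", "192.0.2.2", flag)
        print(h.hex(), classify(h), "checksum ok" if ipv4_checksum(h) == 0 else "bad")
```

Outside the joke, the same reserved bit is what an IDS rule can flag as anomalous
(a set reserved bit is a classic fingerprint of crafted packets), which is the
one real-world lesson hiding in RFC 3514.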
Date: Sun, 1 Apr 2012 14:43:25 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Arizona Internet censorship bill on Gov's desk
Arizona Internet censorship bill on Gov's desk (not an April Fools' joke)
http://j.mp/H8lReN (Media Coalition)
"Arizona House Bill 2549 would update the state's telephone harassment law
to apply to the Internet and other electronic communications. It would
make it a crime to communicate via electronic means speech that is
intended to "annoy," "offend," "harass" or "terrify," as well as certain
sexual speech. However, because the bill is not limited to one-to-one
communications, H.B. 2549 would apply to the Internet as a whole, thus
criminalizing all manner of writing, cartoons, and other protected
material the state finds offensive or annoying."
Date: Mon, 02 Apr 2012 15:35:22 -0400
From: Marv Schaefer <bwapast () verizon net>
Subject: Reserved Words Anyone?
Our heating/air-conditioning serviceman just pointed me to news about the NYC
school system's newest attempt to eschew vocabulary and concepts that could
adversely affect test performance by minority or disadvantaged students.
I don't read the *New York Post*, but found their online article. At
first, I thought this to be a satirical piece on their part, but there was
substantiation from CBS and ABC news. I'm, frankly, distraught over this and
have difficulty imagining which topics other than some aspects of the hard
sciences can still be in the curriculum. I find it particularly jarring
given recent anti-higher-education statements by a leading presidential
candidate and numerous anti-reason/anti-science statements being made by
other politicians at a time of such need for an educated populace in the
face of unemployment.
Anyway, the *NYPost* ran a story with the headline "PC student tests forbid
dance, dinos & lots more", these words representing topics that are to be
banned from future NYC exams. The article, found at http://nyp.st/H8soqi ,
reads in part:
"In a bizarre case of political correctness run wild, educrats have banned
references to dinosaurs, birthdays, Halloween, and dozens of other topics
on city-issued tests. That's because they fear such topics ``could evoke
unpleasant emotions in the students.'' Dinosaurs, for example, call to
mind evolution, which might upset fundamentalists; birthdays aren't
celebrated by Jehovah's Witnesses; and Halloween suggests paganism. Even
dancing is taboo, because some sects object. But the city did make an
exception for ballet."
Their list, pulled from the website, is this:
Full list of topics banned on NYC school exams
Last Updated: 2:36 PM, 30 Mar 2012
Here's the full list of topics that if included on city exams would
probably cause a selection to be deemed unacceptable by the New York
City Department of Education:
Abuse (physical, sexual, emotional, or psychological)
Alcohol (beer and liquor), tobacco, or drugs
Cancer (and other diseases)
Catastrophes/disasters (tsunamis and hurricanes)
Children dealing with serious issues
Cigarettes (and other smoking paraphernalia)
Computers in the home (acceptable in a school or public library setting)
Creatures from outer space
Dancing (ballet is acceptable)
Death and disease
Dinosaurs and prehistoric times
Expensive gifts, vacations, and prizes
Gambling involving money
Homes with swimming pools
In-depth discussions of sports that require prior knowledge
Loss of employment
Occult topics (i.e. fortune-telling)
Religious holidays and festivals (including but not limited to
Christmas, Yom Kippur, and Ramadan)
Television and video games (excessive use)
Traumatic material (including material that may be particularly
upsetting such as animal shelters)
Vermin (rats and roaches)
War and bloodshed
Weapons (guns, knives, etc.)
Witchcraft, sorcery, etc.
Source: NYC Department of Education Request for Proposals
Date: Tue, 27 Mar 2012 15:33:21 -0400 (EDT)
From: msb () vex net (Mark Brader)
Subject: DDoS attack disrupts Canadian political party leadership vote
In Canada's federal elections last May, the New Democratic Party (NDP) under
leader Jack Layton rose from their usual third-place finish to reach second
place for the first time. But in August Layton died. So on March 23-24,
the NDP held a convention to choose a new leader, who would therefore become
the Leader of the Opposition in Parliament.
To maximize turnout, about 130,000 party members were eligible to vote
online, either in advance (using a preferential ballot) or during the
In fact some 58,000 advance votes were received. But despite the relatively
small number of in-person votes at the actual convention, ballot results
were badly delayed and voting was completely shut down for a while. The
total delays amounted to hours.
Subsequently it was reported that this was the result of a distributed
denial-of-service attack (DDoS), with spurious connection attempts made from
over 10,000 IP addresses.
The company that ran the voting, Scytl [http://www.scytl.com], says that an
audit showed that the voting itself, which elected Thomas Mulcair to the
leadership, was not compromised, and that "Obviously, this has now allowed
us to capture additional data to incorporate into the security measures of
Mark Brader, Toronto, msb () vex net | "Fast, cheap, good: choose any two."
[The Scytl press release is online, but much too long to include here.
Date: Sat, 31 Mar 2012 23:54:18 -0700
From: "Mark E. Smith" <mymark () gmail com>
Subject: Why Your Vote Won't Count
The security of the vote casting and tallying processes has nothing to do
with whether or not your vote will count. Even with the most secure
electoral system possible and imaginable, your vote won't necessarily
count. The problem is inherent in the Constitution.
In order to ensure that those who owned the country would always run the
country, and to prevent ordinary voters from ever being able to use the
electoral system to bring about a more democratic form of government where
public opinion was able to influence policy decisions, the framers wrote
the Constitution in such a way as to ensure that the popular vote would not
be the final say in US elections.
There is no Constitutional guarantee that the popular vote be counted at
all, much less that it be counted in a way that is verifiable and subject to
public oversight. The popular vote can be overridden by fraudulent vote
counts, the Electoral College, Congress, or the Supreme Court.
The risk to the public is not in the way that votes are or are not counted,
or even in the fact that more than 90% of US ballots are counted by central
tabulators that cannot be verified in a timely manner, it is in the false
belief that voting constitutes a voice in government rather than consent to
be governed by, and a blank check along with full power of attorney, to
No matter how much money and effort is devoted to suppressing the vote or
trying to take away the vote, a vote is of no value whatsoever unless 1) it
has to be counted, 2) it must be counted in a way that is verifiable in a
timely manner, and 3) it can influence policy decisions rather than just
delegating such decisions to people who cannot be held accountable.
Would anyone take American Idol seriously if they announced that they
didn't have to count the votes, the vote count could not be verified until
after the winners had been chosen, and that the judges could ignore the
votes and select the winners without regard to the votes?
A reminder that votes don't have to be counted:
Why voting isn't a solution:
Some reasons to boycott elections:
Date: Tue, 3 Apr 2012 14:26:38 PDT
From: Lauren Weinstein <lauren () vortex com>
Subject: Tor traffic disguised as Skype video to fool repressive governments
"Recently released software makes communications sent through Tor appear
almost identical to a Skype video chat to anyone monitoring the
connection." http://j.mp/HIzfIO (ars technica)
Memo to Ministry of Communications Suppression: Block all Skype
traffic effective immediately.
Date: Fri, 23 Mar 2012 11:39:08 -0700 (PDT)
From: Rob McCool <robm () robm com>
Subject: Kazakh gold medal team gets Borat national anthem -- googled!
This situation again illustrates the dangers of relying on Google (and
Wikipedia in other cases) without digging any deeper. The article says it
Kazakhstan's shooting team has been left stunned after a comedy national
anthem from the film Borat was played at a medal ceremony at championships
in Kuwait instead of the real one. The team's coach told Kazakh media the
organisers had downloaded the parody from the internet by mistake. People
still fail to realize that Google's ranking algorithms do not always rank
for correctness. They frequently favor popularity over correctness.
Date: Tue, 3 Apr 2012 10:35:14 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Australian Court Finds Google Guilty of Deceptive Ad Tactics
At issue are sponsored links that show up in search results. "Google's
conduct involved the use by an advertiser of a competitor's name as a
keyword triggering an advertisement for the advertiser with a matching
headline," ACCC chairman Rod Sims said in a statement. "As the Full Court
said this was likely to mislead or deceive a consumer searching for
information on the competitor." http://j.mp/HbTq12 (PC Mag)
I can't emphasize enough how potentially dangerous this sort of reasoning is
to free speech on the Net generally. If courts are going to hold search
engines responsible for the content of materials that they do not themselves
generate but that their algorithms select and display, the negative impacts
could ultimately go far beyond ads, directly to other forms of content
broadly. These are just the sort of perverse restrictions that various
repressive individuals, organizations, and governments would love to impose
on us all to control and dictate information availability.
- Network Neutrality Squad: http://www.nnsquad.org
- People For Internet Responsibility: http://www.pfir.org
- Data Wisdom Explorers League: http://www.dwel.org
- Global Coalition for Transparent Internet Performance: http://www.gctip.org
- PRIVACY Forum: http://www.vortex.com
Tel: +1 (818) 225-2800 / Skype: vortex.com
Date: Tue, 03 Apr 2012 17:07:37 +0100
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: Tom Tom GPS "Leap Year Bug"
Some GPS devices by the Dutch company Tom Tom had been hit by a leap-year
bug. The interesting point was that the devices had failed not on Feb. 29
or March 1, but on March 31.
Full story at:
Date: Mon, 26 Mar 2012 23:28:05 +0000 (UTC)
From: "Charles C. Mann" <ccmann () comcast net>
Subject: Second Murdoch hacking scandal
"The witnesses allege a software company NDS, owned by News Corp, cracked
the smart card codes of rival company ONdigital. ONdigital, owned by the ITV
companies Granada and Carlton, eventually went under amid a welter of
counterfeiting by pirates, leaving the immensely lucrative pay-TV field
clear for Sky."
Unlike the "phone-hacking" scandal, which mainly involved reporters
listening to answering machines whose owners hadn't bothered to set their
passwords, this (if it pans out) seems to feature actual computer
Charles C. Mann, P.O. Box 66, Amherst, MA 01004-0066 www.charlesmann.org
Date: Apr 2, 2012 2:31 PM
From: "Dewayne Hendricks" <dewayne () warpspeed com>
Subject: An end to phones in every home? (David Cay Johnston)
(via Dave Farber's IP)
The guarantee of landline telephone service at almost any address, a legal
right many Americans may not even know they have, is quietly being
legislated away in our U.S. state capitals.
AT&T and Verizon, the dominant telephone companies, want to end their
99-year-old universal service obligation known as "provider of last resort."
They say universal landline service is a costly and unfair anachronism that
is no longer justified because of a competitive market for voice services.
Date: Tue, 3 Apr 2012 19:53:00 -0400
From: Monty Solomon <monty () roscom com>
Subject: Apple holds the master decryption key when it comes to iCloud
security, privacy (Chris Foresman)
Ars recently attempted to delve into the inner workings of the security
built into Apple's iCloud service. Though we came away reasonably certain
that iCloud uses industry best practices that Apple claims it uses to
protect data and privacy, we warned that your information isn't entirely
protected from prying eyes. At the heart of the issue is the fact that Apple
can, at any time, review the data synced with iCloud, and under certain
circumstances might share that information with legal authorities.
We consulted several sources to understand the implications of iCloud's
security and encryption model, and to understand what types of best
practices could maximize the security and privacy of user data stored in
increasingly popular cloud services like iCloud. In short, Apple is taking
measures to prevent access to user data from unauthorized third parties or
hackers. However, iCloud isn't recommended for the more stringent security
requirements of enterprise users, or those paranoid about their data being
accessed by authorities. ... Chris Foresman, Ars Technica,
Date: Sun, 1 Apr 2012 23:32:00 -0400
From: Monty Solomon <monty () roscom com>
Subject: Outage of Visa network kept people from using credit, debit cards
Outage of Visa network kept people from using credit, debit cards for
a time Sunday afternoon, Associated Press, 1 Apr 2012
A technical problem affecting the Visa network barred some people around the
United States from using their credit and debit cards for about 45 minutes
on Sunday. The outage was caused by a recent update Visa has made to its
system, said Visa Inc. spokeswoman Sandra Chu. She said Visa had trouble
processing some transactions as a result, but the system is operating
normally now. ...
Date: Sun, 01 Apr 2012 12:25:36 -0400
From: Paul Wallich <pw () panix com>
Subject: Re: Texting error leads to lockdowns at two schools (Reisert, R-26.76)
The text, saying "gunman be at west hall today," was received and reported
to police around 11:30 a.m. But after police tracked the number, they
learned the auto correct feature on the new cellphone changed "gunna" to
It might well still have auto-corrected to "gunman". Or not. Trying this on
my oldish android phone, I see "gunman" as the fourth correction offered for
"gunna". "Gonna" comes earlier in the list (it's in the phone's dictionary)
and is of course recognized when typed. But there are alternate input
methods such as Swype (recognizes a finger track rather than individual
presses) that could do all kinds of things. My phone seemed to want to turn
both "gonna" and "gunna" into "funds", although "guns" and "bombs" were
available further down the correction list.
(I do wonder whether this might eventually lead to a new version of the old
O Henry cipher -- or, alternately, cockney rhyming slang -- in which the
plaintext is given by some set of alternate spellings of the ciphertext on a
particular virtual keyboard.)
Date: Sat, 31 Mar 2012 18:49:55 +0100
From: Marcus Rowland <forgottenfutures () gmail com>
Subject: Re: Not even a tiny bit creepy. After all, Orwell WAS British
An obvious problem with this - a few weeks ago I bought a motorbike that had
been off the road for several months and was not insured. Although I
arranged insurance by phone before I left the dealer, I very much doubt that
it went through the system (which is already used to make sure that people
can't get road tax [equivalent to US license plate fees] for an uninsured
vehicle) and was on line by the time I stopped to fill the tank with petrol,
approximately five minutes later.
Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 26.77