Risks Digest 27.35
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 18 Jun 2013 14:11:06 PDT
RISKS-LIST: Risks-Forum Digest Tuesday 18 June 2013 Volume 27 : Issue 35
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
Metacharacters bite again (Jeremy Epstein)
Online ballot fraud in Miami (Marc Caputo and Patricia Mazzei)
Accidental bank transfer (Gunnar Peterson via Jeremy Epstein)
FDA issues draft guidance on cybersecurity for medical devices (Kevin Fu)
Static electricity in clothes ignites carpet (Martyn Thomas)
Found a home via wifi (jidanni)
Attacks coming from Amazon Web services (Geoff Kuenning)
An Innovative Inno/Vention (Gabe Goldberg)
Hard to get that much out of the ATM (Paul Robinson)
NSA et al.: it started well before "1984"... (Peter Houppermans)
Richard Clarke: Why you should worry about the NSA (Richard Forno)
Ray Ozzie on Spying (David Farber)
More Intrusive Than Eavesdropping? NSA Collection of Metadata ...
Personal Info ... (Dewayne Hendricks via Dave Farber)
Outsourced: How the FBI and CIA Use Private Contractors to Monitor
Government Secrets and the Need for Whistleblowers (Bruce Schneier)
T-Mobile, Verizon Wireless not under U.S. data watch: foreign ties
Abridged info on RISKS (comp.risks)
Date: Wed, 12 Jun 2013 19:35:45 -0400
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Metacharacters bite again
NSF's review system has a method for program officers to redact text from
reviews prior to their release to the person who submitted the proposal
(*). I discovered today that it can accidentally get triggered - if the
characters <<% are in the review, the following text is redacted. Of
course the reviewer who submits a review with these characters doesn't get
a warning, which isn't documented. The program officer indirectly gets a
warning, in the fact that the text in the review is cut off, but can't tell
the system "no, this really isn't a redaction".
Of course any form of special sequences is potentially problematical, and
the number of errors caused by lack of escaping such sequences is probably
And yes, I discovered this because a reviewer used that string, and I
didn't notice the excised text because I had read the review through a
different interface that doesn't excise it.
(*) If you're not familiar with the NSF process, consider this to be
equivalent to a program chair releasing anonymized reviews written by
program committee members to the authors of a paper.
[Excise tacks on more problems? PGN]
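An added illustration of the failure Jeremy describes, not code from the post or from NSF's system: a toy release function that interprets a literal marker inside reviewer text (the naive in-band design), beside two defensive changes, keeping redaction instructions out of band so reviewer prose is never scanned for control sequences, and warning at submission time when the marker appears. The marker string, function names and sample review are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed marker, taken only from the post's description of the trigger.
REDACT_MARKER = "<<%"


def release_inband(review_text: str) -> str:
    """The failure mode in the post: the marker is found inside ordinary
    reviewer prose and everything after it silently disappears."""
    idx = review_text.find(REDACT_MARKER)
    return review_text if idx == -1 else review_text[:idx]


@dataclass(frozen=True)
class Redaction:
    start: int  # offset into the original review text
    end: int    # half-open end offset


def release_outofband(review_text: str, redactions: list[Redaction]) -> str:
    """Redactions are explicit offsets chosen by the program officer and kept
    apart from the reviewer's text, so reviewer content is never parsed for
    control sequences and a literal '<<%' survives release untouched."""
    out: list[str] = []
    pos = 0
    for r in sorted(redactions, key=lambda r: r.start):
        if r.start < pos or r.end > len(review_text) or r.start > r.end:
            raise ValueError(f"bad or overlapping redaction span {r}")
        out.append(review_text[pos:r.start])
        out.append("[redacted]")
        pos = r.end
    out.append(review_text[pos:])
    return "".join(out)


def lint_submission(review_text: str) -> list[str]:
    """The warning the post says nobody received: report each literal
    occurrence of the marker at submission time, with its line number."""
    warnings: list[str] = []
    start = 0
    while (idx := review_text.find(REDACT_MARKER, start)) != -1:
        line_no = review_text.count("\n", 0, idx) + 1
        warnings.append(
            f"line {line_no}: contains control sequence {REDACT_MARKER!r}; "
            "text after it would be dropped on release"
        )
        start = idx + len(REDACT_MARKER)
    return warnings


# Constructed sample review (not a real NSF review): the reviewer quotes a
# template syntax that happens to contain the marker.
SAMPLE_REVIEW = (
    "The proposal is strong on evaluation.\n"
    "Section 3 uses the template syntax <<% ... %>> for its DSL examples.\n"
    "Weakness: the budget justification is thin."
)

if __name__ == "__main__":
    print("in-band release:\n" + release_inband(SAMPLE_REVIEW))
    print("warnings:", lint_submission(SAMPLE_REVIEW))
    print("out-of-band release:\n" + release_outofband(SAMPLE_REVIEW, [Redaction(0, 37)]))
```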
Date: Sun, 16 Jun 2013 14:18:41 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Online ballot fraud in Miami (Marc Caputo and Patricia Mazzei)
Marc Caputo and Patricia Mazzei (mcaputo () miamiherald com)
The election scandal dogging Congressman Joe Garcia's campaign and two state
House races makes it clear: Computer techies are supplementing old-school,
block-walking ballot-brokers known as boleteras.
Over just a few days last July, at least two groups of schemers used
computers traced to Miami, India and the United Kingdom to fraudulently
request the ballots of 2,046 Miami-Dade voters.
Garcia said he knew nothing of the plot that recently implicated three
former campaign workers, two employed in his congressional
office. Investigators, meanwhile, have hit a dead end with a larger fraud
involving two state House races.
A third incident cropped up Thursday in Miami's mayoral race, but
the case appears unrelated to last year's fraud when two groups
appeared to act separately from each other. They employed different tactics
to target different types of voters, a University of Florida/Miami Herald
analysis of election data indicates.
The ultimate goal was the same: get mail-in ballots into the hands of
voters, a job that many boleteras once handled on the streets of Miami-Dade.
Now, it's electronic. [...]
Date: Tue, 11 Jun 2013 14:14:11 -0400
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Accidental bank transfer (noted by Gunnar Peterson)
"A German bank employee accidentally transferred 222,222,222.222 euros ($295
million) from a customer's account when he fell asleep at his computer."
Date: Thu, 13 Jun 2013 23:28:03 -0400
From: Kevin Fu <kevinfu () umich edu>
Subject: FDA issues draft guidance on cybersecurity for medical devices
FDA has issued a draft guidance document on cybersecurity for medical
devices and hospital networks after several years of growing concern,
punctuated by a recent discovery of 300 hard coded passwords across more
than 50 medical device manufacturers. In other words, manufacturers have
been warned to improve the trustworthiness of medical device software. The
normally staid agency is unusually blunt in its recommendations and
assessment. Public comment is accepted for 90 days.
Further details appear on:
Kevin Fu, Associate Professor, EECS Department, The University of Michigan
kevinfu () umich edu, http://spqr.eecs.umich.edu/, 616-594-0385
Date: Sun, 16 Jun 2013 15:29:13 +0100
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: Static electricity in clothes ignites carpet
I have never seen this on a risk register ... It sounds incredible. Could
it be true? Martyn
An Australian man built up so much static electricity in his clothes as he
walked that he burned carpets, melted plastic and sparked a mass
evacuation. Frank Clewer, of the western Victorian city of Warrnambool,
was wearing a synthetic nylon jacket and a woolen shirt when he went for a
job interview. As he walked into the building, the carpet ignited from
the 40,000 volts of static electricity that had built up.... ... ...
Date: Sat, 15 Jun 2013 05:55:07 +0800
From: jidanni () jidanni org
Subject: Found a home via wifi
One Amazing Thing I've Seen or Done
I am always terrible with directions. There was this one time when I went to
visit my friend in another city. I got lost the moment I got off the
taxi. My friend tried her best to guide me via phone yet failed. But I
finally found her apartment building all by myself when wandering in that
big community, cos my phone got connected to her wifi when approaching that
Date: Mon, 17 Jun 2013 00:52:13 -0700
From: Geoff Kuenning <geoff () cs hmc edu>
Subject: Attacks coming from Amazon Web services
This is interesting: One of my machines got a probe last week, looking for a
vulnerable PHP script. Here's the relevant log line:
220.127.116.11 - - [12/Jun/2013:01:11:13 -0700] "HEAD /wp-login.php HTTP/1.1" 404 - "-" "Googlebot/2.1
It's not very interesting that they're masquerading as the googlebot, as
if Google would ever use HEAD requests.
What *is* interesting is the IP address:
% host 18.104.22.168
22.214.171.124.in-addr.arpa domain name pointer ec2-50-16-166-199.compute-1.amazonaws.com.
So the bad guys are either cracking Amazon Web Services virtual machines,
or renting them. Probably the former...
Geoff Kuenning geoff () cs hmc edu http://www.cs.hmc.edu/~geoff/
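Added example, not part of Geoff's post: the check a defender can run over log lines like the one above. It parses combined-format entries and, for any request whose User-Agent claims to be Googlebot, applies Google's published reverse-then-forward DNS verification (the PTR must be under googlebot.com or google.com and must resolve back to the same address). The resolver stubs, IP addresses, PTR names and log lines are constructed so it runs offline.

```python
from __future__ import annotations
import re
from typing import Callable

# Apache/nginx "combined" log format, the shape of the log line in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Google documents that genuine crawler PTR names end in one of these domains.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def verify_claimed_googlebot(ip: str, reverse: Callable[[str], str],
                             forward: Callable[[str], list[str]]) -> tuple[bool, str]:
    """Reverse-then-forward check: the PTR must be a Google hostname AND that
    hostname must resolve back to the same IP. The forward step matters because
    whoever controls the IP's reverse zone can put any name in its PTR."""
    try:
        ptr = reverse(ip)
    except OSError:
        return False, "no PTR record"
    if not ptr.endswith(GOOGLE_SUFFIXES):
        return False, f"PTR {ptr} is not a Google hostname"
    try:
        addrs = forward(ptr)
    except OSError:
        return False, f"PTR {ptr} does not resolve forward"
    if ip not in addrs:
        return False, f"forward lookup of {ptr} gives {addrs}, not {ip}"
    return True, f"verified as {ptr}"


def triage(lines: list[str], reverse, forward) -> list[tuple[str, str, str, str]]:
    """Return (ip, method, path, reason) for each request whose User-Agent
    claims Googlebot but fails verification."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "Googlebot" not in m["ua"]:
            continue
        ok, why = verify_claimed_googlebot(m["ip"], reverse, forward)
        if not ok:
            findings.append((m["ip"], m["method"], m["path"], why))
    return findings


# Constructed sample data (documentation-range IPs, invented PTR names) so the
# example runs offline; the Amazon-style PTR mirrors the shape in the post.
PTR = {
    "192.0.2.10": "ec2-192-0-2-10.compute-1.amazonaws.com",  # cloud VM, not Google
    "192.0.2.20": "crawl-192-0-2-20.googlebot.com",           # genuine
    "192.0.2.30": "crawl-192-0-2-99.googlebot.com",           # PTR lies about itself
}
A = {
    "ec2-192-0-2-10.compute-1.amazonaws.com": ["192.0.2.10"],
    "crawl-192-0-2-20.googlebot.com": ["192.0.2.20"],
    "crawl-192-0-2-99.googlebot.com": ["192.0.2.99"],
}

def stub_reverse(ip: str) -> str:
    if ip not in PTR:
        raise OSError("NXDOMAIN")
    return PTR[ip]

def stub_forward(name: str) -> list[str]:
    if name not in A:
        raise OSError("NXDOMAIN")
    return A[name]

SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2013:01:11:13 -0700] "HEAD /wp-login.php HTTP/1.1" 404 - "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
    '192.0.2.20 - - [12/Jun/2013:01:12:02 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.30 - - [12/Jun/2013:01:13:40 -0700] "GET /robots.txt HTTP/1.1" 200 30 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
    '192.0.2.40 - - [12/Jun/2013:01:14:00 -0700] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 Firefox/21.0"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, stub_reverse, stub_forward):
        print("unverified Googlebot claim:", finding)
```

For live checks, pass `lambda ip: socket.gethostbyaddr(ip)[0]` and `lambda name: socket.gethostbyname_ex(name)[2]` from the standard library as the two resolvers.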
Date: Wed, 12 Jun 2013 23:50:24 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: An Innovative Inno/Vention
Josh Soussan is the team leader on a project called Aegis, which would allow
handguns to be disabled by radio transmitter when brought into a school or
other such environment. "[Aegis] will not alter the weapon's functionality
at all, unless the firearm is within range of [a] signal emitter," he
explained. "With the recent massacre in Newtown, Connecticut, we believe that
this is the next crucial step in providing a safe environment for children
Pervasive disabling of firearms via radio signal -- what could possibly go
wrong with this?
Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place,
Falls Church, VA 22042 (703) 204-0433 http://www.linkedin.com/in/gabegold
Date: Thu, 13 Jun 2013 05:24:28 -0700 (PDT)
From: Paul Robinson <paul () paul-robinson us>
Subject: Hard to get that much out of the ATM
A woman is $300,000,000 in debt to her bank and neither she nor the bank
knows why. ABC News reported that Suntrust decided to debit $100,000,000
from a woman's checking account, then while that was being investigated,
they deducted another $100,000,000 from her savings account, then apparently
feeling they hadn't taken enough out (to cover additional overdrafts, I
guess), deducted a second US$100 million out of her checking account.
Suntrust announced they are investigating and have no idea why it happened.
The woman says that she would have known if she had spent 300 million
dollars. Yeah, I do believe that the woman would have known if she had.
Then again, electric bills can be high, maybe the electric company had to
auto-deduct a large power bill. (Some utilities you would normally just pay
anyway like electric companies, have it set up where you can approve them to
make a monthly deduction for the charge each month; they mail you a bill and
issue a draft for the amount due, so your bill is automatically paid.)
This is also common for some mortgage companies. She probably forgot she had
a bill for last month's mortgage on, oh, I guess the entire state of Rhode
Island... Maybe she's wrong and she just forgot she withdrew it. Let's see,
the average cash machine has about $20,000 - 50,000 in it, loaded in
canisters, so the woman would have had to visit - and drain - 3,000 ATM
machines, but since the average bank limits you to $500 a day she'd have to
do it a little at a time. Let's be generous and say the limit is $3000 a day
instead, to make it easier. It would have required she take $3,000 out every
day for just shy of 274 years (273.93 years). Gee, she has been busy. That
is, she, her mother, her grandmother, her great grandmother, her
The Lessons of history teach us - if they teach us anything - that no one
learns the lessons that history teaches us. [Indeed, a motto for RISKS. PGN]
Date: Wed, 12 Jun 2013 23:38:02 +0200
From: Peter Houppermans <ph () privacyclub ch>
Subject: NSA et al.: it started well before "1984"...
Ubiquitous surveillance and its nefarious impact on those so observed was
not originally Orwell's idea. The inspiration for the "1984" novel came
from a prison concept developed by the English philosopher and social
theorist Jeremy Bentham in the late 18th century called Panoptikon - allow
me to refer you to Wikipedia (https://en.wikipedia.org/wiki/Panopticon) for
The reason I'm pointing this out is that it establishes an IMHO
fundamentally clearer purpose: said surveillance model was developed to
establish mental control over inmates, in other words, people already in
prison. Keep this in mind when you are encouraged to agree with any
government intercept program.
Peter Houppermans, The Privacy Club, privacy advisers, Switzerland
Date: June 12, 2013 2:01:44 PM EDT
From: Richard Forno <rforno () infowarrior org>
Subject: Richard Clarke: Why you should worry about the NSA
The just-revealed surveillance stretches the law to its breaking point and
opens the door to future potential abuses
Richard A. Clarke, *New York Daily News*, 12 Jun 2013
(Clarke is a former counterterrorism adviser to Presidents George H.W. Bush,
Bill Clinton and George W. Bush.)
None of us want another terrorist attack in the United States. Equally, most
of us have nothing to hide from the federal government, which already has so
many ways of knowing about us. And we know that the just-revealed National
Security Agency program does not actually listen to our calls; it uses the
phone numbers, frequency, length and times of the calls for data-mining.
So, why is it that many Americans, including me, are so upset with the Obama
administration gathering up telephone records?
My concerns are twofold. First, the law under which President George W. Bush
and now President Obama have acted was not intended to give the government
records of all telephone calls. If that had been the intent, the law would
have said that. It didn't. Rather, the law envisioned the administration
coming to a special court on a case-by-case basis to explain why it needed
to have specific records.
I am troubled by the precedent of stretching a law on domestic surveillance
almost to the breaking point. On issues so fundamental to our civil
liberties, elected leaders should not be so needlessly secretive.
The argument that this sweeping search must be kept secret from the
terrorists is laughable. Terrorists already assume this sort of thing is
being done. Only law-abiding American citizens were blissfully ignorant of
what their government was doing.
Secondly, we should worry about this program because government agencies,
particularly the Federal Bureau of Investigation, have a well-established
track record of overreaching, exceeding their authority and abusing the
law. The FBI has used provisions of the Patriot Act, intended to combat
terrorism, for purposes that greatly exceed congressional intent.
Even if you trust Obama, should we have programs and interpretations of law
that others could abuse now without his knowing it or later in another
administration? Obama thought we needed to set up rules about drones because
of what the next President might do. Why does he not see the threat from
this telephone program?
The answer is that he inherited this vacuum cleaner approach to telephone
records from Bush. When Obama was briefed on it, there was no forceful and
persuasive advocate for changing it. His chief adviser on these things at
the time was John Brennan, a life-long CIA officer. Obama must have been
told that the government needed everyone's phone logs in the NSA's
computers for several reasons.
The bureaucrats surely argued that it was easier to run the big data search
and correlation program on one database. They said there was no law that
could compel the telephone companies to store the records on their own
If the telephone companies did so, government and company lawyers then
certainly said, they would become legally `an agent' of the government and
could be sued by customers for violating the terms of their service
Finally, Obama was certainly told, if the NSA and the FBI had to query
telephone company servers, then the phone companies would know whom the
government was watching, a violation of need-to-know secrecy traditions.
If there had been a vocal and well-informed civil liberties advocate at the
table, Obama might have been told that all those objections were either
specious or easily addressed. Law already requires Internet service
providers to store emails for years so that the government can look at
them. An amendment to existing law could have extended that provision to
telephone logs and given the companies a `safe harbor' provision so they
would not be open to suits. The telephone companies could have been paid to
maintain the records.
If the government wanted a particular set of records, it could tell the
Foreign Intelligence Surveillance Court why -- and then be granted
permission to access those records directly from specially maintained
company servers. The telephone companies would not have to know what data
were being accessed. There are no technical disadvantages to doing it that
way, although it might be more expensive.
Would we, as a nation, be willing to pay a little more for a program
designed this way, to avoid a situation in which the government keeps on its
own computers a record of every time anyone picks up a telephone? That is a
question that should have been openly asked and answered in Congress.
The vocal advocate of civil liberties was absent because neither Bush nor
Obama had appointed one, despite the recommendation of the 9/11 Commission
and a law passed by Congress. Only five years into his administration is our
supposedly civil liberties-loving President getting around to activating a
long-dormant Privacy and Civil Liberties Oversight Board. It will have a lot
of work to do.
Richard Clarke is a former counterterrorism adviser to Presidents George
H.W. Bush, Bill Clinton and George W. Bush.
Date: Wed, 12 Jun 2013 16:34:53 -0400
From: David Farber <farber () gmail com>
Subject: Ray Ozzie on Spying
Ray Ozzie on NSA spying: We got what we asked for. Now it's time to wake up.
The Boston Globe, 7 Jun 2013
Ray Ozzie, the creator of Lotus Notes and Microsoft's former software head,
joined the chorus of technical leaders pushing back on the government's
far-reaching surveillance program.
``I hope that people wake up, truly wake up, to what's happening to society,
from both a big brother perspective and little brother perspective,'' he
said during the Nantucket Conference. He said that, after Sept. 11, the
pendulum had swung too far towards government surveillance and data
"We got what we asked for, and now it's time to pull it back," Ozzie
said, referencing the near-unanimous passage of the PATRIOT Act, noting the
danger that broad data gathering operations present. "Imagine if you had
an administration targeting journalists or groups of people based on
The current administration, of course, is facing allegations that it did
just that, with the Department of Justice secretly obtaining Associated
Press phone records and investigating a Fox News reporter's personal emails
while the IRS is facing allegations it focused audits on politically
Ozzie has been an advocate of strengthened online privacy and serves on the
board of the Electronic Privacy Information Center, a group that has been
instrumental in bringing to light much of the government's surveillance. He
also said that current protections are simply inadequate and outdated.
"The privacy act that we're operating under right now was written in
1974," he noted. "What's happened since 1974?" For example, he was
critical of third-party doctrine, which holds that information given to a
third party -- such as a phone company, an email host, or social network
like Facebook or Twitter -- essentially waives Fourth Amendment protections
"against unreasonable searches and seizures."
Given how much information is stored digitally, that means a much wider
array of information is now available without probable cause.
"It's really dangerous," Ozzie said. "I hope that what's happened in
the past few days gets people riled up. This is a non-partisan issue. I hope
people wake up a little bit more and don't just build apps and say, I'm
going to sell private information for ads."
Date: Jun 12, 2013 5:31 PM
From: "Dewayne Hendricks" <dewayne () warpspeed com>
Subject: More Intrusive Than Eavesdropping? NSA Collection of Metadata Hands
Gov't Sweeping Personal Info (via Dave Farber)
As the American Civil Liberties Union sues the Obama administration over its
secret NSA phone spying program, we look at how the government could use
phone records to determine your friends, medical problems, business
transactions and the places you've visited. While President Obama insists
that nobody is listening to your telephone calls, cybersecurity expert Susan
Landau says the metadata being collected by the government may be far more
revealing than the content of the actual phone calls. A mathematician and
former Sun Microsystems engineer, Landau is the author of the book
"Surveillance or Security?: The Risks Posed by New Wiretapping
Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>
Date: Thu, 13 Jun 2013 17:36:19 -0400 (EDT)
From: Stephen Benavides <messenger () truthout org>
Subject: Outsourced: How the FBI and CIA Use Private Contractors to Monitor
Stephen Benavides, Truthout
Right now, companies like Palantir Technologies Inc, Booze Allen Hamilton
and i2 are mining your Facebook and Twitter data to discern whether you're a
terrorist, have ties to terrorists or maybe just have the potential to
someday become one.
Date: Sat, 15 Jun 2013 01:14:45 -0500
From: Bruce Schneier <schneier () SCHNEIER COM>
Subject: Government Secrets and the Need for Whistleblowers
[Bruce's latest issue is full of commentary on this and related subjects.
I've excerpted just the beginning for RISKS. Copyrighted but
Intentionally Distributable. PGN]
Bruce Schneier, Chief Security Technology Officer, BT
[From CRYPTO-GRAM, 15 Jun 2013 [free monthly newsletter providing summaries,
analyses, insights, and commentaries on security: computer and otherwise.
You can subscribe, unsubscribe, or change your address on the Web at
<http://www.schneier.com/crypto-gram.html>. Back issues are also available
at that URL.]
Recently, we learned that the NSA received all calling records from Verizon
customers for a three-month period starting in April. That's everything
except the voice content: who called who, where they were, how long the call
lasted -- for millions of people, both Americans and foreigners. This
"metadata" allows the government to track the movements of everyone during
that period, and a build a detailed picture of who talks to whom. It's
exactly the same data the Justice Department collected about AP journalists.
The "Guardian" delivered this revelation after receiving a copy of a secret
memo about this -- presumably from a whistleblower. We don't know if the
other phone companies handed data to the NSA too. We don't know if this was
a one-off demand or a continuously renewed demand; the order started a few
days after the Boston bombers were captured by police.
We don't know a lot about how the government spies on us, but we know some
things. We know the FBI has issued tens of thousands of ultra-secret
National Security Letters to collect all sorts of data on people -- we
believe on millions of people -- and has been abusing them to spy on
cloud-computer users. We know it can collect a wide array of personal data
from the Internet without a warrant. We also know that the FBI has been
intercepting cell-phone data, all but voice content, for the past 20 years
without a warrant, and can use the microphone on some powered-off cell
phones as a room bug -- presumably only with a warrant.
We know that the NSA has many domestic-surveillance and data-mining programs
with codenames like Trailblazer, Stellar Wind, and Ragtime -- deliberately
using different codenames for similar programs to stymie oversight and
conceal what's really going on. We know that the NSA is building an enormous
computer facility in Utah to store all this data, as well as faster computer
networks to process it all. We know the U.S. Cyber Command employs 4,000
We know that the DHS is also collecting a massive amount of data on people,
and that local police departments are running "fusion centers" to collect
and analyze this data, and covering up its failures. This is all part of the
militarization of the police.
Remember in 2003, when Congress defunded the decidedly creepy Total
Information Awareness program? It didn't die; it just changed names and
split into many smaller programs. We know that corporations are doing an
enormous amount of spying on behalf of the government: all parts.
We know all of this not because the government is honest and forthcoming,
but mostly through three backchannels -- inadvertent hints or outright
admissions by government officials in hearings and court cases, information
gleaned from government documents received under FOIA, and government
There's much more we don't know, and often what we know is obsolete. We know
quite a bit about the NSA's ECHELON program from a 2000 European
investigation, and about the DHS's plans for Total Information Awareness
from 2002, but much less about how these programs have evolved. We can make
inferences about the NSA's Utah facility based on the theoretical amount of
data from various sources, the cost of computation, and the power
requirements from the facility, but those are rough guesses at best. For a
lot of this, we're completely in the dark.
And that's wrong.
The U.S. government is on a secrecy binge. It overclassifies more
information than ever. And we learn, again and again, that our government
regularly classifies things not because they need to be secret, but because
their release would be embarrassing.
Knowing how the government spies on us is important. Not only because so
much of it is illegal -- or, to be as charitable as possible, based on novel
interpretations of the law -- but because we have a right to know.
Democracy requires an informed citizenry in order to function properly, and
transparency and accountability are essential parts of that. That means
knowing what our government is doing to us, in our name. That means knowing
that the government is operating within the constraints of the
law. Otherwise, we're living in a police state.
We need whistleblowers.
[For lots more, go back to the source. PGN]
Date: Thu, 13 Jun 2013 20:41:37 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: T-Mobile, Verizon Wireless not under U.S. data watch: foreign ties
"Telecom providers T-Mobile US Inc and Verizon Wireless do not directly
contribute to the controversial U.S. surveillance program, partly due to
their overseas ownership ties, the Wall Street Journal reported Thursday,
citing people familiar with the matter."
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 27.35