Risks Digest 27.31
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 31 May 2013 15:02:10 PDT
RISKS-LIST: Risks-Forum Digest Friday 31 May 2013 Volume 27 : Issue 31
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
Captcha fail leaves blind people unable to sign petition (Drew Guarini via
Jim Reisert)
Ruby on Rails vulnerability to compromise servers, create botnet
(Lucian Constantin via Gene Wirchenko)
"Twitter's two-factor authentication can be abused" (Lucian Constantin
via Gene Wirchenko)
From Bad to Worse: Online Repression in the Gulf (EFF via Lauren Weinstein)
Browser 'Back' button may cause student loan application to fail
EFF: Computer Scientists Urge Court to Block Copyright Claims in Oracle
v. Google API Fight (Lauren Weinstein)
The risks of Public Wi-Fi [sic] (Bob Frankston)
Re: Risks of reporting a bug to the wrong place (Paul Robinson)
Re: The Internet is no place for Critical Infrastructure (Bob Frankston)
Re: Risks of spreadsheets (Bob Frankston)
Re: The Hazards of Gambling (Martin Ward)
Die Passwords! Die! (Lauren Weinstein)
Abridged info on RISKS (comp.risks)
Date: Thu, 30 May 2013 18:50:16 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Captcha fail leaves blind people unable to sign petition
Drew Guarini, Petition To Help The Blind, 30 May 2013
The Huffington Post
"Thanks in part to a dreaded Captcha code on the White House's petitions
website, it's nearly impossible for blind web users to sign a "We The
People" petition seeking support for an international treaty intended to
help ... the blind."
Date: Thu, 30 May 2013 10:44:44 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Ruby on Rails vulnerability to compromise servers, create botnet
Lucian Constantin, InfoWorld, 29 May 2013
Hackers exploit Ruby on Rails vulnerability to compromise servers,
The targeted vulnerability was patched in January, but many servers
haven't been updated yet
Date: Thu, 30 May 2013 10:46:02 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Twitter's two-factor authentication can be abused"
Lucian Constantin, InfoWorld, 28 May 2013
Attackers could lock users who don't have it enabled out of their
accounts if they steal their log-in credentials, F-Secure researchers say
Date: Thu, 30 May 2013 17:12:25 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: From Bad to Worse: Online Repression in the Gulf (EFF)
"In Kuwait, dozens imprisoned in an effort to stifle online dissent. In
the United Arab Emirates, a sentence of 10 months in prison for describing
a court hearing without "honesty and in bad faith." And in Qatar, a draft
cybercrime law that threatens the relative freedom of expression enjoyed
by residents." http://j.mp/11EILYa (EFF via NNSquad)
Date: Fri, 31 May 2013 20:44:46 +0100
From: John Standen <j.standen () computer org>
Subject: Browser 'Back' button may cause student loan application to fail
Student Finance England (Student Loan Company) have been putting the
following message out on Twitter several times over the last few months:
STUDENT FINANCE ENG @SF_England
Applying online? Don't use the 'back' button of your browser as this
may cause an error on your app that could prevent you from submitting!
A number of students seeking finance for their university tuition fees and
maintenance loan/grant have been finding that, on clicking the 'Submit
Application' button, they get a message stating an error has occurred,
asking them to check the data and resubmit. The error message does not state
what the failure is.
In the early days of this year's applications on contacting the support
phone line students were being told to either 'try a different browser' or
'wait 24 hours and try again', only to get the same error.
Students were then told to fill out a paper form (34 pages), and on the
basis of the Twitter post blaming the student for using the browser 'Back
Completing a new student paper form also seems to require parents (if
providing details of household income to get an income based maintenance
loan/grant) to provide information on paper even if it has already been
provided online to support another student.
As a separate issue: the paper form is available as an editable PDF document
allowing a student to enter information for most fields before printing.
Some fields would not accept the required number of characters or were not
aligned with the shaded boxes of the form.
This year I had one student who completed his renewal online and one who got
the error and had to complete the paper form!
Date: Fri, 31 May 2013 08:13:28 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: EFF: Computer Scientists Urge Court to Block Copyright Claims in
Oracle v. Google API Fight
"The law is already clear that computer languages are mediums of
communication and aren't copyrightable. Even though copyright might cover
what was creatively written in the language, it doesn't cover functions
that must all be written in the same way," said EFF Staff Attorney Julie
Samuels. "APIs are similarly functional - they are specifications allowing
programs to communicate with each other. As Judge Alsup found, under the
law APIs are simply not copyrightable material."
http://j.mp/17aWEj9 (EFF via NNSquad)
Date: Fri, 31 May 2013 13:25:53 -0400
From: "Bob Frankston" <Bob19-0501 () bobf frankston com>
Subject: The risks of Public Wi-Fi [sic]
I've been finding that I often have to shut off the Wi-Fi connection on my
portable device (AKA Smartphone) in order to get simple things like map
searches to work. I suspect the reason is that even after I've gone through
an authentication cycle with a service like XfinityWiFi it may decide to ask
me again. Same for agree screens.
One problem is that the failure is not explained - I simply see a wait
indicator. For an app like email I might not even know I'm missing the
critical message because there is no obvious difference between failure and
not having any email. Yet the phone itself seems to work because the voice
path tests for Wi-Fi connectivity and uses cellular if it can't get a
connection. The apps and the base networking software aren't so smart.
I put the "[sic]" in the title because Wi-Fi is just the name of a
technology and the problem is in confusing the Internet with the web and
then assuming only eyeballs browse and not having the concept of agency
(programs) working on others' behalf.
Date: Thu, 30 May 2013 23:58:01 -0700 (PDT)
From: Paul Robinson <paul () paul-robinson us>
Subject: Re: Risks of reporting a bug to the wrong place (RISKS-27.30)
Dr J R Stockton <J.R.Stockton () physics org> wrote
The Gregorian Calendar was first used in 1582, not 1583.
In most of your supposed country, not at the time a country, the use of
Gregorian started in 1752.
True, but the Papal Bull was issued February 24, 1582 so it was not "used"
for a full year. The first year the Gregorian calendar was used starting on
January 1 was 1583. :)
Date: Wed, 29 May 2013 19:54:32 -0400
From: "Bob Frankston" <bob2-39 () bobf frankston com>
Subject: Re: The Internet is no place for Critical Infrastructure (R 27 30)
This begs the question of what one means by "The Internet". There is no such
thing or place -- the Internet is just a technique for using any available
means for communicating without being limited to the channels of traditional
telecom or depending on a third party (the "provider") to "understand" what
you are trying to do in order to make each application work.
If anything "The Internet" is the technique for what we might call "critical
infrastructure" because it is about taking responsibility rather than
dependence. Unfortunately the more we treat the Internet as a thing and try
to solve issues such "security" within the network the more we are at risk.
Not depending on the Internet is the risk.
In http://rmf.vc/PurposeVsDiscovery I try to address this misunderstanding
by explaining how the Internet is the antithesis of the dependencies
inherent in traditional telecommunications. We must not confuse redundancy
with resilience. This also begs the question of what we mean by "critical
infrastructure". Failure is always an option -- the question is how we are
prepared to deal with it and at what scale.
The danger is in confusing the Internet with traditional telecommunication
and becoming complacent because rigid infrastructure seems so reliable ...
until it isn't. We compound this by confusing uses such as the web with
something called "The Internet".
Date: Wed, 29 May 2013 22:17:35 -0400
From: "Bob Frankston" <bob2-39 () bobf frankston com>
Subject: Re: Risks of spreadsheets (RISKS-27.30)
The real risk here is having programmers miss the point by trying to fit
(electronic) spreadsheets into traditional programming paradigms.
As the article notes, spreadsheets are a tool that gives people with domain
expertise the ability to play with their ideas. In doing so it can amplify
misunderstandings in the way that any computer shines light on one's
misunderstandings. Sure one can use spreadsheets as an alternative to Java
but one can also use Matlab and other tools.
I saw the reference to Mike Schrage's comment about the government being
"outspreadsheeted". Translation -- people with domain expertise didn't let
programmers get in the way, but in doing so their understanding gets tested.
These aren't spreadsheet errors any more than bad writing is a typing error.
What about the errors introduced when a domain expert tries to speak to a
The real question is how do we educate people so they avoid being seduced by
the seeming authority of numbers. One example is understanding the concept
of significant digits so they don't look at a five-year projection and
assume that if you subtract one number from another in the last column a small
difference is meaningful. There is also the problem with confusing
guesstimates with hard numbers. We see this in confusing a strike price with
a hard number and then building trillion dollar derivatives on such a basis.
Of course there are programming-like errors in terms of dealing with
spreadsheet ranges and other artifacts but the solution is less in
preventing errors than learning how to do reality checking and not be
dazzled by the pretty tables. In that sense releasing untested spreadsheet
software is no different than releasing untested code.
By calling these "spreadsheet" errors we shift responsibility from coming to
terms with the new literacy to blaming the tool. This is similar to the
other Risks post in complaining about using Internet as critical
infrastructure rather viewing it as a technique for using available
Date: Thu, 30 May 2013 11:43:21 +0100
From: Martin Ward <martin () gkc org uk>
Subject: Re: The Hazards of Gambling (Unger, RISKS-27.30)
Steve Unger mentions the biggest losers (gambling addicts), people who spend
excessive amounts and people on low income who are lured into buying lottery
tickets, but there is a much larger problem with gambling: that all gambling
results in a net loss of value!
The best discussion I have found on this issue is by John Nevil Maskelyne in
his book "Sharps and Flats":
"It must be obvious to any one who will take the trouble to think over the
matter, that chances which are fair and equal are a question of proportion
rather than of actual amounts and odds. At first sight, however, it would
appear that if a man stands an equal chance of winning or losing a certain
amount, nothing fairer could possibly be imagined, from whatever point of
view one may regard it. I venture to say, nevertheless, that this is not
so. Suppose for the moment that you are a poor man, and that you meet a
rich acquaintance who insists upon your spending the day with him, and
having what the Americans call 'a large time.' At the end of the day he
says to you, 'I will toss you whether you or I pay this day's expenses.'
Such a proposition is by no means uncommon, and suppose you win, what is
the loss to him? Comparatively nothing. He may never miss the amount he
has to pay; but if you lose, your day's outing may have to be purchased by
many weeks of inconvenience.
"A bet of a hundred pounds is a mere bagatelle to a rich man, but it may
be everything to a poor one. In the one case the loss entails no
inconvenience, in the other it means absolute ruin. It must be granted,
then, in matters of this kind, that proportion is the chief factor, not
the actual figures. If you are with me so far, you are already a step
nearer to my way of thinking.
"Let us proceed a step further, and see how it is that a bet is
necessarily unfair to both parties. The simple fact is that no two men
can make a wager, however seemingly fair, or however obviously unfair,
without at once reducing the actual value to them of their joint
possessions. This can be proved to a demonstration. We will take a case
in which the chances of winning are exactly equal, both in amount and in
proportion to the wealth of two bettors. Suppose that your possessions
are precisely equal in amount to those of a friend, and that your
circumstances are similar in every respect. There can be, then, no
disparity arising from the fact of a bet being made between you, where the
chances of winning or losing a certain amount are the same to each. To
present the problem in its simplest form, we will say that you each stake
one-half of your possessions upon the turn of a coin. If it turns up head
you win, if it falls 'tail up' your friend wins. Nothing could possibly
be fairer than this from a gambler's point of view. You have each an
equal chance of winning, you both stake an equal amount, you both
stand to lose as much as you can win, and, above all, the amount staked
bears the same value, proportionately, to the wealth of each person. One
cannot imagine a bet being made under fairer conditions, yet how does it
work out in actual fact? You may smile when you read the words, but you
both stand to lose more than you can possibly win! You doubt it! Well,
we shall see if it cannot be made clear to you.
"Suppose the turn of the coin is against you, and therefore you lose half
your property; what is the result? To-morrow you will say, 'What a fool I
was to bet! I was a hundred per cent. better off yesterday than I am
to-day.' That is precisely the state of the case; you were exactly a
hundred per cent. better off. Now, the most feeble intellect will at
once perceive that a hundred per cent. can only be balanced by a hundred
per cent. If you stood a chance of being that much better off yesterday
than you are to-day, to make the chances equal you should have had an
equal probability of being a hundred per cent. better off to-day than you
were yesterday. That is obvious upon the face of it, since we agree that
these questions are, beyond dispute, matters of proportion, and not of
"Then we will suppose you win the toss, and thus acquire half your
friend's property; what happens then? When the morrow arrives you can
only say, 'I am fifty per cent better off to-day than I was yesterday.'
That is just it. If you lose, your losses have amounted to as much as you
still possess, whilst, if you win, your gains amount only to one-third of
what you possess. The plain facts of the case, then, are simply that the
moment you and your friend have made the bet referred to, you have
considerably reduced the value of your joint possessions. Not in actual
amount, it is true, but in actual fact, nevertheless; for whichever way
the bet may go, the loss sustained by one represents a future deprivation
to that one far greater than the future proportional advantage gained by
the other. The mere fact of one having gained precisely as much as the
other has lost does not affect the ultimate result in the least. The
inconvenience arising from any loss is always greater than the convenience
resulting from an equal gain." -- "Sharps and Flats", Chapter XIV, by
John Nevil Maskelyne
The argument above is a purely economic one: that gambling necessarily
involves the destruction of value. A corollary is that imposing high taxes
on the rich and using the money for public welfare (schools,
hospitals, roads etc.), or just giving the money to the poor, does not just
shift value around but actually *creates* value. Conversely, the current UK
and US government policies of cutting public spending to fund tax cuts for
the rich are destroying value.
The *moral* argument, that gambling is essentially theft, is also discussed
"The absolute immorality of gambling--the desire to obtain money to which
one has no right--in any form is beyond dispute; and the sooner this fact
is generally recognised, the better it will be for the world at large.
There are some, of course, in whom the passion is ingrained, and from
whose natures it can never be wholly eradicated. But everyone should
clearly understand that the vice is as reprehensible in proportion to its
magnitude as that, for instance, of either lying or stealing."
For some, this argument is stronger than the economic one. But even those
who believe that economics trumps morality should be convinced by the
STRL Reader in Software Engineering and Royal Society Industry Fellow
martin () gkc org uk http://www.cse.dmu.ac.uk/~mward/
Date: Fri, 31 May 2013 11:53:53 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Die Passwords! Die!
Die Passwords! Die!
In one form or another -- verbal, written, typed, semaphored, grunted, and
more -- passwords broadly defined have been part of our cultures pretty much
since the dawn of humans at least. Whether an 18-character mixed-case
password replete with unusual symbols, or the limb-twisting motions of a
secret handshake, we've always needed means for authentication and identity
verification, and we've long used the concept of a communicable "secret" of
some kind to fill this need.
As we plow our way ever deeper into the 21st century, it is notable that
most of our Internet and other computer-based systems still depend on the
basic password motif for access control. And despite sometimes herculean
efforts to keep password-based environments viable, it's all too clear that
we're rapidly reaching the end of the road for this venerable mechanism.
That this was eventually inevitable has long been clear, but recent
events seem to be piling up and pointing at a more rapid degeneration
of password security than many observers had anticipated, and this is
taking us quickly into the most complex realms of identity and
Advances in mathematical techniques, parallel processing, and
particularly in the computational power available to password crackers
(now often using very high speed graphics processing units to do the
number crunching) are undermining long held assumptions about the
safety of passwords of any given length or complexity, and rendering
even hashed password files increasingly vulnerable to successful
attacks. If a single configuration error allows such files to fall
into the wrong hands, even the use of more advanced password hashing
algorithms is no guarantee of protection against the march of
computational power and techniques that may decimate them in the
What seems like an almost daily series of high profile password
breaches has triggered something of a stampede to finally implement
multiple-factor authentication systems of various kinds, which are
usually a notch below even more secure systems that use a new password
for every login attempt (that is, OTP - One-Time Password systems,
which usually depend on a hardware device or smartphone app to
generate disposable passwords).
As you'd imagine, the ultimate security of what we might call these
"enhanced password" environments depends greatly on the quality of
their implementations and maintenance. A well designed multiple
factor system can do a lot of good, but a poorly built and vulnerable
one can give users a false sense of security that is actually even
more dangerous than a basic password system alone.
Given all this, it's understandable that attention has now turned
toward more advanced methodologies that -- we hope -- will be less
vulnerable than any typical password-based regimes.
There are numerous issues. Ideally, you don't want folks routinely
using passwords at all in the conventional sense. Even relatively
strong passwords become especially problematic when they're used on
multiple systems -- a very common practice. The old adage of the
weakest link in the chain holds true here as well. And the less said
about weak passwords the better (such as "12345" -- the kind of
password, as noted in Mel Brooks' film "Spaceballs" -- that "an idiot
would have on his luggage") -- or worse.
So, much focus now is on "federated" authentication systems, such as
OAuth and others.
At first glance, the concept appears simple enough. Rather than
logging in separately to every site, you authenticate to a single site
that then (with your permission) shares your credentials via "tokens"
that represent your desired and permitted access levels. Those other
sites never learn your password per se, they only see your tokens,
which can be revoked on demand. For example, if you use Google+, you
can choose to use your Google+ credentials to access various other
cooperating sites. An expanding variety of other similar environments
are also in various stages of availability.
This is a significant advance. But if you're still using simple
passwords for access to a federated authentication system, many of the
same old vulnerabilities may still be in play. Someone gaining illicit
access to your federated identity may then have access to all
associated systems. This strongly suggests that when using federated
login environments you should always use the strongest currently
available practical protections -- like multiple-factor
All that being said, it's clear that the foreseeable future of
authentication will appropriately depend heavily on federated
environments of one form or another, so a strong focus there is
Given that the point of access to a federated authentication system is
so crucial, much work is in progress to eliminate passwords entirely
at this level, or to at least associate them with additional physical
means of verification.
An obvious approach to this is biometrics -- fingerprints, iris scans,
and an array of other bodily metrics. However, since biometric
identifiers are so associated with law enforcement, cannot be
transferred to another individual in cases of emergency, and are
unable to be changed if compromised, the biometric approach alone may
not be widely acceptable for mass adoption outside of specialized,
relatively high-security environments.
Wearable devices may represent a much more acceptable compromise for
many more persons. They could be transferred to another individual
when necessary (and stolen as well, but means to render them impotent
in that circumstance are fairly straightforward).
A plethora of possibilities exist in this realm -- electronically
enabled watches, bracelets, rings, temporary tattoos, even swallowable
pills -- to name but a few. Sound like science-fiction? Nope, all of
these already exist or are in active development.
Naturally, such methods are useless unless the specific hardware
capabilities to receive their authentication signals are also present
when and where you need them, so these devices probably will not be in
particularly widespread use for the very short term at least. But
it's certainly possible to visualize them being sold along with a
receiver unit that could be plugged into existing equipment. As
always, price will be a crucial factor in adoption rates.
Yet while the wearable side of the authentication equation has the
coolness factor, the truth is that it's behind the scenes where the
really tough challenges and the most seriously important related
policy and engineering questions reside.
No matter the chosen methods of authentication -- typed, worn, or
swallowed -- one of the most challenging areas is how to appropriately
design, deploy, and operate the underlying systems. It is incumbent
on us to create powerful federated authentication environments in ways
that give users trustworthy control over how their identity
credentials are managed and shared, what capabilities they wish to
provide in specific environments, how these factors interact with
complex privacy parameters, and a whole host of associated questions,
including how to provide for pseudonymous and anonymous activities
Not only do we need to understand the basic topology of these
questions and develop policies that represent reasonable answers, we
must actually build and deploy such systems in secure and reliable
ways, often at enormous scale by historical standards. It's a
fascinating area, and there is a tremendous amount of thinking and
work ongoing toward these goals -- but in many ways we're only just at
the beginning. Interesting times.
One thing is pretty much certain, however. Passwords as we've
traditionally known them are on the way out. They are doomed. The
sooner we're rid of them, the better off we're all going to be.
Especially if your password is "12345" ...
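The cracking arms race the essay describes, as an added worked example that is not part of Lauren's post: a leaked table of unsalted SHA-256 hashes falls to one pass over a wordlist for every user at once, while a salted, iterated KDF (PBKDF2 here) forces the attacker to pay the full work factor per user per guess. The user names, passwords, wordlist and iteration count are constructed for the illustration; `demo`, `crack_fast` and `crack_slow` are names chosen here, not anything from the original text.

```python
"""Offline dictionary attack on a leaked password table: an unsalted fast
hash beside a salted, iterated KDF.  Added illustration for the essay above,
not code from it; users, passwords and wordlist are constructed."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a cracker's dictionary.
WORDLIST = ["password", "letmein", "12345", "qwerty", "dragon", "hunter2"]


def fast_hash(password: str) -> str:
    """Unsalted SHA-256, the way many breached sites of the era stored passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: a per-user salt plus a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_fast_table(users: dict) -> dict:
    return {name: fast_hash(pw) for name, pw in users.items()}


def build_slow_table(users: dict, iterations: int) -> dict:
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16)                      # fresh salt per user
        table[name] = (salt, iterations, slow_hash(pw, salt, iterations))
    return table


def crack_fast(table: dict, wordlist: list) -> tuple:
    """Hash each candidate once and look every leaked user up in it.  With
    no salt the cost is len(wordlist) hashes however many users leaked, and
    that lookup table could have been precomputed before the breach."""
    lookup = {fast_hash(w): w for w in wordlist}
    found = {name: lookup[h] for name, h in table.items() if h in lookup}
    return found, len(wordlist)


def crack_slow(table: dict, wordlist: list) -> tuple:
    """Every user carries a different salt, so each needs its own pass over
    the wordlist, and each guess costs `iterations` HMAC calls.  Returns the
    cracked users and the total number of HMAC invocations spent."""
    found, work = {}, 0
    for name, (salt, iterations, digest) in table.items():
        for word in wordlist:
            work += iterations
            if hmac.compare_digest(slow_hash(word, salt, iterations), digest):
                found[name] = word
                break
    return found, work


def demo(iterations: int = 100_000) -> dict:
    # Constructed victims: two weak passwords in the wordlist, one strong one.
    users = {"alice": "letmein", "bob": "hunter2",
             "carol": "correct horse battery staple"}
    fast_table = build_fast_table(users)
    slow_table = build_slow_table(users, iterations)

    t0 = time.perf_counter()
    fast_found, fast_work = crack_fast(fast_table, WORDLIST)
    t1 = time.perf_counter()
    slow_found, slow_work = crack_slow(slow_table, WORDLIST)
    t2 = time.perf_counter()
    return {"fast_found": fast_found, "fast_work": fast_work, "fast_secs": t1 - t0,
            "slow_found": slow_found, "slow_work": slow_work, "slow_secs": t2 - t1}


if __name__ == "__main__":
    r = demo()
    print(f"unsalted SHA-256: cracked {sorted(r['fast_found'])} "
          f"with {r['fast_work']} hashes in {r['fast_secs']:.4f}s")
    print(f"salted PBKDF2:    cracked {sorted(r['slow_found'])} "
          f"with {r['slow_work']} HMAC calls in {r['slow_secs']:.2f}s")
```

Note what the example does and does not buy, which is the essay's caveat: the KDF multiplies the attacker's cost by the iteration count and by the number of users, but alice and bob still fall because their passwords are in the dictionary; only carol's passphrase survives. A GPU rig divides the slow path's wall-clock time, so the work factor is a speed bump that must keep rising with hardware, and the table must not leak in the first place.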
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 27.31