Risks Digest 27.78
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 3 Mar 2014 16:17:24 PST

RISKS-LIST: Risks-Forum Digest  Monday 3 March 2014  Volume 27 : Issue 78

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

Startups don't realize the issue with security until it's too late
  (Jenna Wortham and Nicole Perlroth)
Apple Rolls Out CarPlay (Apple Press Info via Monty Solomon)
Keurig Will Use DRM In New Coffee Maker To Lock Out Refill Market (Karl Bode
  via Monty Solomon)
"Yahoo breach exposes naked truth about online security" (Robert X. Cringely
  via Gene Wirchenko)
Snowden made cyber-geek nightmares true. Can 'private' be normal again?
  (Dan Gillmor via Dewayne Hendricks)
Ed Felten at TrustyCon (PGN)
Apple's Serious Security Issue: Update Your iPhone or iPad Immediately
  (Molly Wood via Monty Solomon)
The goto Squirrel (Dennis E. Hamilton)
Re: iPhone's Critical Security Bug: a Single Bad `Goto' (Dimitri Maziuk,
  Henry Baker)
Abridged info on RISKS (comp.risks)


Date: Mon, 3 Mar 2014 11:45:23 -0500
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Startups don't realize the issue with security until it's too late
  (Jenna Wortham and Nicole Perlroth)

No surprise here to anyone who's ever worked for a startup -- making
software products secure isn't high on anyone's list.  That's not what
brings in customers, and hence additional funding.

Until someone gets hurt, that is.

Jenna Wortham and Nicole Perlroth, 2 March 2014
When Start-Ups Don't Lock the Doors


Date: Mon, 3 Mar 2014 11:04:26 -0500
From: Monty Solomon <monty () roscom com>
Subject: Apple Rolls Out CarPlay

Apple Rolls Out CarPlay Giving Drivers a Smarter, Safer & More Fun
Way to Use iPhone in the Car
CarPlay Premieres with Leading Auto Manufacturers at the Geneva
International Motor Show

GENEVA--March 3, 2014--Apple today announced that leading auto manufacturers
are rolling out CarPlay, the smarter, safer and more fun way to use iPhone
in the car. CarPlay gives iPhone users an incredibly intuitive way to make
calls, use Maps, listen to music and access messages with just a word or a
touch. Users can easily control CarPlay from the car's native interface or
just push-and-hold the voice control button on the steering wheel to
activate Siri without distraction. Vehicles from Ferrari, Mercedes-Benz and
Volvo will premiere CarPlay to their drivers this week, while additional
auto manufacturers bringing CarPlay to their drivers down the road include
BMW Group, Ford, General Motors, Honda, Hyundai Motor Company, Jaguar Land
Rover, Kia Motors, Mitsubishi Motors, Nissan Motor Company, PSA Peugeot
Citroën, Subaru, Suzuki and Toyota Motor Corp.



Date: Mon, 3 Mar 2014 11:07:44 -0500
From: Monty Solomon <monty () roscom com>
Subject: Keurig Will Use DRM In New Coffee Maker To Lock Out Refill Market
  (Karl Bode)

Karl Bode, 3 Mar 2014

The single coffee cup craze has been rolling now for several years in both
the United States and Canada, with Keurig, Tassimo, and Nespresso all
battling it out to lock down the market. In order to protect their dominant
market share, Keurig makers Green Mountain Coffee Roasters has been on a bit
of an aggressive tear of late. As with computer printers, getting the device
in the home is simply a gateway to where the real money is: refills. But
Keurig has faced the `problem' in recent years of third-party pod refills
that often retail for 5-25% less than what Keurig charges. As people look to
cut costs, there has also been a growing market for reusable pods that
generally run anywhere from five to fifteen dollars.

Keurig's solution to this problem? In a lawsuit (pdf) filed against Keurig
by TreeHouse Foods, they claim Keurig has been busy striking exclusionary
agreements with suppliers and distributors to lock competing products out of
the market. What's more, TreeHouse points out that Keurig is now developing
a new version of their coffee maker that will incorporate the java-bean
equivalent of DRM -- so that only Keurig's own coffee pods can be used in
it: ...





Date: Mon, 03 Mar 2014 14:49:18 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Yahoo breach exposes naked truth about online security"
  (Robert X. Cringely)

Robert X. Cringely, Infoworld, 28 Feb 2014
The umpteenth violation of our Internet privacy proves once again the
dearth of common sense among us Web users

opening text:

The hits just keep on coming. Yesterday's news that Brit spy mongers
recorded the video chats of 1.8 million Yahoo users over six months left me
numb, as if I had inhaled a frosty Slurpee full of Novocain.  Yahoo claims
no knowledge of the theft -- yeah, I said it, because that's what it is --
but that declaration is worthy of more than a little skepticism.


Date: Sunday, March 2, 2014
From: *Dewayne Hendricks* <dewayne () warpspeed com>
Subject: Snowden made cyber-geek nightmares true. Can 'private' be normal
  again? (Dan Gillmor)

Dan Gillmor, *The Guardian*, 28 Feb 2014
The NSA leaks created everyday interest in products built to protect. At a
security pow-wow turned sour, that's a good thing.

In the nearly nine months since the Edward Snowden revelations began on this
website, some of the most jaw-dropping surveillance news has involved a
company called RSA, which for years has been one of the top computer
security firms in the world. Boiled down, RSA is alleged to have weakened a
core element of a widely used encryption product at the behest of the
National Security Agency, receiving $10 million in the process of providing
a `back door' for government snooping.

RSA issued what amounted to a non-denial denial after Reuters' Joseph Menn
broke a key part of the story back in December. This week, at its annual
cyber-security conference here in San Francisco, the company was on defense
at an event usually reserved for looking forward, not back. Its CEO said
that any weakness was inadvertent, at least on RSA's part, and not the
result of some nefarious deal with the US government. Respected
cryptographer and university professor Matt Blaze summed it up nicely:
``Everyone to RSA: Did you deliberately sell us out, or are you incompetent?
RSA: We're incompetent.''

It's too early to tell whether this incompetence -- or betrayal, take your
pick -- will hit RSA and its $51bn parent company, EMC, where it should: on
the bottom line. And despite a boycott by some scheduled speakers here, the
RSA conference was well-attended. As one security expert who's expressed
contempt for the company's behavior told me, it's still his best chance to
catch up, face-to-face, with other top people in this still burgeoning

But the episode did spark another gathering, held Thursday across the street
from where RSA held its conference, where the topic of the moment wasn't
security, per se. It was trust, a commodity in short supply these days.

`TrustyCon' -- short for the Trustworthy Technology Conference -- came
together in a hurry after Mikko Hypponen, chief research officer for
F-Secure, a Finnish security company, announced in January, in a public
letter to RSA, that he was canceling his scheduled RSA conference talk and
that his own company would skip the event entirely. Hypponen, a rock star in
the computer security world, gave the opening keynote at TrustyCon
instead. It was a pessimistic assessment of technology users' chances to
have a computing and communications they can genuinely trust in an age when
nation-states have taken over as the most dangerous -- even malicious --
hackers on Earth.

``Our worst fears turned out to be fairly accurate,'' Hypponen said of what's
transpired in the security world over the past few years. And he's right: in
the past nine months, it's become clear that many of the people once derided
as paranoid were, if anything, understating the reality of how much we're
all being watched. Certainly, Thursday's revelation on this website that spy
services had become outright peeping toms by hijacking webcam images would
have sounded ridiculous not so long ago.

Alas, from betrayal rose a glimmer of hope in this insidery community --
that privacy might make an everyday comeback, and maybe even sell.

At TrustyCon, for example, technologists updated the audience on an
important security service for whistleblowers and the journalists to whom
they leak documents. This was `SecureDrop', a project started by the late
Aaron Swartz and now run by the Freedom of the Press Foundation which
ensures safe communications by relying on the Tor web-anonymity system. No
one says SecureDrop is perfect. But it is easy to use and robust, a vast
improvement over what journalists have typically deployed. [...]


Date: Sun, 2 Mar 2014 08:13:07 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Ed Felten at TrustyCon

Princeton Professor and USACM Council Co-Vice-Chair Ed Felten gave the final
talk at TrustyCon on 27 Feb 2014.  This begins at 6:32:33 (six and one half
hours into the day's events).  Mikko Hypponen's keynote (see the previous
RISKS item from Dan Gillmor) runs from 0:15:27 to 1:04:20.


The subject matter of TrustyCon (Trustworthy Technology Conference) might
really be thought of as UnTrustyCon, referring to the `Untrustworthy
confidence game' that it pervasively exposes.


Date: Sat, 1 Mar 2014 01:28:00 -0500
From: Monty Solomon <monty () roscom com>
Subject: Apple's Serious Security Issue: Update Your iPhone or iPad
 Immediately (Molly Wood)

This week, Apple rushed out a patch for its iOS 7 and iOS 6 operating
systems to fix a serious security issue. Before I explain further,
let me just say this: If you've gotten the prompt to update and you
haven't, do it now. If you're still running older versions of iOS on
your iPhone, iPod, or iPad, update now.

Done? O.K., good.

 - - - -

Apple Issues Fix for Security Problem on Macs
Molly Wood, *The New York Times* blogs, 25 Feb 2014

Apple has finally issued a security update to its OS X Mavericks software
for Macintosh computers, patching a bug that could have let hackers
eavesdrop on supposedly encrypted connections and steal everything from
usernames and passwords to location data.

Version 10.9.2 comes four days after Apple patched iOS, its mobile operating
system, to close the same hole. The OS X update addresses several security
issues, including the so-called `goto fail' code bug, which Apple said could
allow an attacker to capture or modify data in sessions users believe are
protected by the Secure Sockets Layer (SSL) or Transportation Layer Security
(TLS) encryption methods. ...



Date: Fri, 28 Feb 2014 16:55:22 -0800
From: "Dennis E. Hamilton" <dennis.hamilton () acm org>
Subject: The goto Squirrel (Re: Petra et al., RISKS-27.77)

Oh look, a misplaced goto statement that short-circuits a security


It is amazing to me that, once the specific defect is disclosed (and the
diff of the actual change has also been published), the discussion has
devolved into one of coding style and whose code is better.  I remember
similar distractions around the Ariane 501 defect too, although in that case
there was nothing wrong with the code -- the error was that it was being run
when it wasn't needed and it was not simulation tested with new launch
parameters under the mistaken assumption that if the code worked for Ariane
4, it should work for Ariane 5.

It is not about the code.  It is not about the code.  It is not about goto.
It is not about coming up with ways to avoid introducing this particular
defect by writing the code differently.

I say this is all about the engineering and delivery process that allowed
this gaffe to be introduced into production code for a security-important
procedure and allowed to remain there until someone noticed externally.  The
coding style could have been perfect, with the code still not establishing
security correctly and it would have been put into the live release, all
else being equal.  Some of the offered alternatives, I daresay, offer many
ways to inject a comparable defect that is much less apparent.

The defect was introduced when code was being patched to change the
signature of some of the functions being called.  This strikes me as a
classic lapse about not testing what is thought to be obvious, although I
have no idea what the actual scenario was.

There are many ways the particular defect could have been detected and
remedied well before the code was committed to the code base.  A walkthrough
would likely catch it, assuming a skilled human other than the original
programmer simply read through it.  I bet explaining it on a walkthrough
would probably have led the originator to notice it.

A pretty-printer (or any IDE that reflows indentation) would point it out.

So would a modern IDE that identifies unreachable code.

Any practical code-coverage testing would reveal it too.

Furthermore, it is incomprehensible to me that a change to security-
important code wasn't subjected to regression testing and confirmation of
the procedure.  For that matter, I'm a little disappointed that a review and
commit by a senior technical-staff member was evidently not required.

What's appalling to me is the evident absence of risk management and
procedures for detection and mitigation of regressions.

It is incumbent on all of us to stand back from the code and look at the
process by which injection of a regression was allowed to sit there and
fester all this time.


Date: Fri, 28 Feb 2014 17:57:48 -0600
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: iPhone's Critical Security Bug: a Single Bad `Goto'

 ... algol, curlies, bad code, fortran, oo ...

Or Apple could just read the fine manual for the compiler they presumably
downloaded together with the rest of xBSD:

 gcc -Wunreachable-code -Werror

would've told them:

cc1: warnings being treated as errors
 ... In function 'SSLVerifySignedServerKeyExchange':
 ... error: will never be executed

Dimitri Maziuk BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu
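The compiler-flag remark above, and Dennis Hamilton's point in the preceding item that an unreachable-code detector or any practical code-coverage run would have caught the defect, can both be shown on a small model. The block below is an added example; it is not Apple's SecureTransport code and not code posted by either contributor. Every name in it is hypothetical, the hash and verify steps are stubs that only record that they ran, and the status values are made up. The only thing reproduced is the control-flow shape of the reported defect: a duplicated, unconditional `goto fail;` that leaves the final signature check unreachable while `err` still holds the success status of the last hash step.

```c
/* Added example modelling the "goto fail" control-flow defect. Not Apple's
 * code: every name here is hypothetical, and the hash/verify steps are
 * stubs that only record that they ran. */
#include <stdio.h>

typedef int OSStatus;
enum { kStatusOK = 0, kStatusVerifyFailed = -1 };  /* hypothetical codes */

static int g_steps;                     /* hash steps run by the last check */

/* Stub for one hash-update step: always succeeds, counts that it ran. */
static OSStatus hash_step(void)
{
    g_steps++;
    return kStatusOK;
}

/* Stub for the final signature comparison; sig_ok simulates the verdict a
 * real verifier would reach on the peer's signature. */
static OSStatus verify_signature(int sig_ok)
{
    return sig_ok ? kStatusOK : kStatusVerifyFailed;
}

/* Coverage probe: how many hash steps the last check actually executed. */
int steps_run(void)
{
    return g_steps;
}

/* Vulnerable shape: the second "goto fail;" is unconditional, so everything
 * after it is dead code. Control reaches 'fail' with err == kStatusOK from
 * the last successful hash_step(), and the caller sees a verified exchange
 * whatever the signature was. clang -Wunreachable-code reports the dead
 * lines; GCC 6+ -Wmisleading-indentation reports the indented goto. */
OSStatus check_vulnerable(int sig_ok)
{
    OSStatus err;
    g_steps = 0;
    if ((err = hash_step()) != 0)
        goto fail;
    if ((err = hash_step()) != 0)
        goto fail;
        goto fail;                     /* duplicated line */
    if ((err = hash_step()) != 0)      /* unreachable from here on */
        goto fail;
    err = verify_signature(sig_ok);
fail:
    return err;
}

/* Corrected shape: every goto is guarded, so the verifier always runs. */
OSStatus check_fixed(int sig_ok)
{
    OSStatus err;
    g_steps = 0;
    if ((err = hash_step()) != 0)
        goto fail;
    if ((err = hash_step()) != 0)
        goto fail;
    if ((err = hash_step()) != 0)
        goto fail;
    err = verify_signature(sig_ok);
fail:
    return err;
}

int main(void)
{
    /* A rejected signature (sig_ok = 0) is the case that matters. */
    OSStatus v = check_vulnerable(0);
    int v_steps = steps_run();
    OSStatus f = check_fixed(0);
    int f_steps = steps_run();
    printf("vulnerable: status %d after %d hash steps\n", v, v_steps);
    printf("fixed:      status %d after %d hash steps\n", f, f_steps);
    return 0;
}
```

Run against a rejected signature, the vulnerable function returns 0 after executing only two of the three hash steps and never calling the verifier, which is exactly what a coverage report would have exposed; the corrected function runs all three and returns the failure status. On the compiler side, `clang -Wall -Wunreachable-code -Werror` refuses to build `check_vulnerable()`. The caveat for the flag quoted above is that GCC accepts `-Wunreachable-code` for compatibility but has not implemented the diagnostic since GCC 4.5, so with GCC that invocation is silent; GCC 6 and later do flag this exact line under `-Wmisleading-indentation`, which is enabled by `-Wall`.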


Date: Sat, 01 Mar 2014 04:35:51 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: iPhone's Critical Security Bug: a Single Bad `Goto'

There's not enough space or patience in comp.risks to re-litigate the GOTO
wars.  However, for anyone interested in a deep understanding of the issues,
you can start with Steele & Sussman's excellent paper `LAMBDA: The Ultimate
Imperative' (and then read most of the papers in the computer science
literature that reference this one):


In particular, one must have a thorough understanding of the term
`continuation-passing style' before it is possible to have a useful
discussion on the subject of GOTO's.


Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 27.78
