Risks Digest 27.82
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 29 Mar 2014 19:14:39 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 29 March 2014  Volume 27 : Issue 82

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.82.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Reconsidering Malaysian MH 370 (PGN)
A prosecution trend to watch out for: liking a Facebook post
  (Privacy Surgeon)
Smart key, pretty dumb: Chevy Volt (Tim Duncan)
Carmaker Misled Grieving Families on a Lethal Flaw (NYT)
CASL destined to be challenged on grounds it violates Charter rights:
  lawyers (Brian Jackson via Gene Wirchenko)
NSA: Fixing Internet vulnerabilities compromises national security
  (Henry Baker)
Police Keep Quiet About Cell-Tracking Technology (Jack Gillum via
  Monty Solomon)
Can You Trust 'Secure' Messaging Apps? (Molly Wood via Monty Solomon)
Previewing e-mail in Outlook can lead to malware infection (Lewis Morgan
  via Gene Wirchenko)
Third-Party Hotel Booking Sites Can Mislead Consumers (Alina Tugend via
  Monty Solomon)
Obama to Call for End to N.S.A.'s Bulk Data Collection (Charlie Savage via
  Monty Solomon)
Turkey Moves To Block Twitter At The IP Level (Lauren Weinstein)
Turkey blocks Google's DNSs (tkalama)
Closing the Gap to Human-Level Performance in Face Verification
  (Taigman et al. via Monty Solomon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 26 Mar 2014 17:01:07 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Reconsidering Malaysian MH 370

Understanding of the saga of Malaysian MH 370 is still considerably murky.
The currently plausible explanation seems to be that the plane suffered some
sort of electrical technological failure with fire and intense smoke, or
perhaps a human-aided catastrophic failure mode, that might have eventually led
to the incapacitation of the crew (and presumably everyone on board) --
despite all of the aircraft's would-be modular redundancy.  In its last few
hours, the autopilot had evidently been enabled (only a single button push
is required to continue on the existing course), and the plane apparently
then continued to fly without any crew member's assistance until it ran out
of fuel somewhere in the south Indian Ocean.  Even with the limited radar
and electronic tracking, computation of the exact location of its demise is
subject to many real-time variables (winds, altitude, temperature, and so
on) in a very remote area.  Very little seems known about the reasons for
and effects of the earlier large changes in direction (an initial zig and
then zag) and altitude (up and then down).  There are still many unanswered
questions -- as to the cause, the reasons for the initial zig-zag (perhaps
the pilot frantically tried to head toward an emergency landing on the
nearest island with a landing strip), how the crew became disabled, and
whether the sequence of unanticipated events unfolded, with perhaps some
combination of inadvertent and/or malicious human actions involved.  It
appears that unanticipated accidental causes, possibly together with pilot
inability to cope with overwhelming circumstances, are sufficient to explain
most of what happened, although the possibility of some malicious human
actions is still not out of the question.  The Malaysian government and
other geopolitical forces certainly contributed to the overall confusion.

In response, some people have suggested that black-box data should be
transmitted in real time to reliable remote repositories (truly cloud
servers?).  That might have been very effective in this case, to help
determine the initial series of events, although it might not have helped to
pinpoint the ultimate crash site -- where adequate satellite
communication coverage may not have existed, and where the data may have
been simply overwritten after the subsequent hours of continued flight.

------------------------------

Date: Tue, 25 Mar 2014 13:40:22 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: A prosecution trend to watch out for: liking a Facebook post

  [Thanks to Simon Davies <simon () privacy org> for spotting this one.  PGN]

UK police action over "liking" a Facebook post could signal a dangerous
prosecution trend
http://www.privacysurgeon.org/blog/incision/uk-police-action-over-liking-a-facebook-post-could-signal-a-dangerous-prosecution-trend/

  [like a look?  look alike?  MITI likes arose?  PGN]

------------------------------

Date: Tue, 25 Mar 2014 14:46:56 -0400
From: Tim Duncan <tim () duncan cx>
Subject: Smart key, pretty dumb: Chevy Volt

What if you don't want your Smart Key to automatically unlock the doors of
your Chevrolet Volt when it gets within three feet of the car? Well,
unfortunately, Chevrolet (General Motors) apparently never thought about
this scenario as they didn't design in a way to turn off this feature.

Interesting story about a woman who can't take her key with her surfing
(because it isn't waterproof) and can't lock it in her car either because
it will automatically unlock her doors if she does.

http://techpageone.dell.com/downtime/smart-key-pretty-dumb/?dgc=BA&cid=274608&lid=5143394&acd=12309197280467600#.UzG-GY-d5dI

------------------------------

Date: Wed, 26 Mar 2014 11:41:37 -0400
From: Monty Solomon <monty () roscom com>
Subject: Carmaker Misled Grieving Families on a Lethal Flaw

Hilary Stout, Bill Vlasic, Danielle Ivory and Rebecca R. Ruiz
*The New York Times*, 24 Mar 2014

It was nearly five years ago that any doubts were laid to rest among
engineers at General Motors about a dangerous and faulty ignition switch. At
a meeting on May 15, 2009, they learned that data in the black boxes of
Chevrolet Cobalts confirmed a potentially fatal defect existed in hundreds
of thousands of cars.

But in the months and years that followed, as a trove of internal documents
and studies mounted, G.M. told the families of accident victims and other
customers that it did not have enough evidence of any defect in their cars,
interviews, letters and legal documents show. Last month, G.M. recalled 1.6
million Cobalts and other small cars, saying that if the switch was bumped
or weighed down it could shut off the engine's power and disable air
bags. ...

http://www.nytimes.com/2014/03/25/business/carmaker-misled-grieving-families-on-a-lethal-flaw.html

------------------------------

Date: Tue, 25 Mar 2014 12:54:39 -0700
From: Gene Wirchenko <genew () telus net>
Subject: CASL destined to be challenged on grounds it violates Charter
  rights: lawyers (Brian Jackson)

Brian Jackson, *IT Business*, 24 Mar 2014
http://www.itbusiness.ca/news/casl-destined-to-be-challenged-on-grounds-it-violates-charter-rights-lawyers/47627

opening text:

Canada's regulations to limit unwanted e-mail messages from businesses have
been four years in the making, but if organizations representing the
business community get their way, it could unravel much faster than that.

Canada's Anti-Spam Legislation (CASL) is set to come into effect July 1 and
requires businesses to receive consent from consumers before sending them
commercial messages via e-mail or any other digital channel. But members of
the business community and lawyers critical of the new law say the first
organization fined by the enforcement regime will likely challenge it in
court on the basis that it violates the Charter's protection of free
speech. In this case, it would be a limitation on commercial speech.

------------------------------

Date: Fri, 21 Mar 2014 15:26:34 -0700 (GMT-07:00)
From: hbaker1 <hbaker1 () pipeline com>
Subject: NSA: Fixing Internet vulnerabilities compromises national security

Richard Ledgett, Deputy Director of the NSA, recently responded to Edward
Snowden in a 30-minute TED Talk interview with Chris Anderson:

https://www.ted.com/talks/richard_ledgett_the_nsa_responds_to_edward_snowden_s_ted_talk

also on YouTube:

https://www.youtube.com/watch?v=zLNXIXingyU

Although this interview has been covered in the press, so far the articles
I've seen missed an important exchange between Ledgett and Anderson.

At ~7:40 into this interview, Chris asked Richard about the NSA's BULLRUN
program to weaken Internet encryption standards, and then at ~27:30 Chris
asks about the NSA's exploitation of existing Internet vulnerabilities.
Richard never directly answered the question about weakening encryption, but
he did declare that the NSA discloses to vendors the "overwhelming majority"
of vulnerabilities that the NSA finds.  Of course, no actual statistics were
given about the number of vulnerabilities that were disclosed, nor how long
the NSA took before such disclosures were made, nor how ethical it would be
for the NSA to leave US citizens, companies, banks, and state & local
governments at continuing risk of attacks from the vulnerabilities that the
NSA preferred not to disclose.

But Ledgett emphatically claimed that Snowden's disclosures of these
vulnerabilities compromised national security, thus equating "Internet
vulnerabilities" with "national security"; i.e., it is the NSA's policy to
preserve Internet vulnerabilities in the interest of "national security".

Nine months after Snowden's disclosures, I'm still trying to get my head
around how an agency of the U.S. government which is paid by my tax dollars
and which is sworn to protect me, arrogantly thinks that keeping me, my
identity, and my computers vulnerable to all the bad actors in the world is
somehow improving my "national security".

The NSA has apparently taken up Saddam Hussein's tactics and decided to use
me -- and you and every American citizen with a computer -- as a "human
shield" against terrorists.  Any damage to our identities and bank accounts
is merely collateral damage and acceptable losses in this war on
terrorists, drug dealers and paedophiles.  In the best gung-ho
Vietnam-war-like bravado, "we [the NSA] had to destroy the Internet in order
to save it".

At the very minimum, the NSA's view is an exceedingly provincial and warped
view of "national security".

It's time for these NSA guys/gals to "come out of the cold" and get a real
job in the commercial sector to help to actually protect each and all of us
from those bad actors on the Internet.

------------------------------

Date: Wed, 26 Mar 2014 11:41:37 -0400
From: Monty Solomon <monty () roscom com>
Subject: Police Keep Quiet About Cell-Tracking Technology (Jack Gillum)

Jack Gillum, Associated Press, 22 Mar 2014

Police across the country may be intercepting phone calls or text messages
to find suspects using a technology tool known as Stingray.  But they're
refusing to turn over details about its use or heavily censoring files when
they do.

Police say Stingray, a suitcase-size device that pretends it's a cell tower,
is useful for catching criminals, but that's about all they'll say.

For example, they won't disclose details about contracts with the device's
manufacturer, Harris Corp., insisting they are protecting both police
tactics and commercial secrets. The secrecy - at times imposed by
nondisclosure agreements signed by police - is pitting obligations under
private contracts against government transparency laws.

Even in states with strong open records laws, including Florida and Arizona,
little is known about police use of Stingray and any rules governing it.

A Stingray device tricks all cellphones in an area into electronically
identifying themselves and transmitting data to police rather than the
nearest phone company's tower. Because documents about Stingrays are
regularly censored, it's not immediately clear what information the devices
could capture, such as the contents of phone conversations and text
messages, what they routinely do capture based on how they're configured or
how often they might be used. ...

http://abcnews.go.com/Technology/wireStory/police-quiet-cell-tracking-technology-23016515

------------------------------

Date: Sun, 23 Mar 2014 00:23:45 -0400
From: Monty Solomon <monty () roscom com>
Subject: Can You Trust 'Secure' Messaging Apps? (Molly Wood)

Molly Wood, *The New York Times*, blog, 19 Mar 2014

It's officially a post-Snowden and post-WhatsApp world, and my inbox is
filled with pitches from companies promoting their secure messaging
apps. But can you trust them?

As the messaging wars heat up, security seems to be the big differentiator
- the levels of security range from "military grade" to lightweight,
depending on the app. But all of them have one thing in common, said the
cryptographer and security expert Bruce Schneier: You shouldn't use them if
your life is on the line.

Mr. Schneier said when it comes to evaluating the security of a secure
messaging app, the real question lies in why you need it. ...

http://bits.blogs.nytimes.com/2014/03/19/can-you-trust-secure-messaging-apps/

------------------------------

Date: Tue, 25 Mar 2014 12:56:23 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Previewing e-mail in Outlook can lead to malware infection
  (Lewis Morgan)

Lewis Morgan, IT Governance, 25 Mar 2014
Microsoft 'zero day' vulnerability
http://blog.itgovernance.co.uk/microsoft-zero-day-vulnerability-previewing-emails-in-outlook-can-lead-to-malware-infection-2/

opening text:

On 24 March Microsoft released details about a vulnerability in Microsoft
Word that can be used to infect computers with malware. The disturbing part
however, is that computers can be infected from just 'previewing' an e-mail
in Microsoft Outlook.

------------------------------

Date: Sun, 23 Mar 2014 00:23:45 -0400
From: Monty Solomon <monty () roscom com>
Subject: Third-Party Hotel Booking Sites Can Mislead Consumers
  (Alina Tugend)

Alina Tugend, *The New York Times*, 21 Mar 2014

This is the situation: Customers search for a particular hotel and click on
a link. They think they've landed on the official hotel website, but
unknowingly they really have arrived at an unrelated site of a hotel booking
company.

They're promised great deals - and warned that rooms are going fast - but it
turns out these so-called bargains are often worse than what's offered
directly by the hotel. Many people have discovered this practice the hard
way. Randy Ratliff, a lawyer in Kentucky; Debbie Greenspan, a hospitality
expert in Maryland; and dozens of other people have posted comments online
saying they were duped when they thought they were booking rooms on hotel
websites, only to wind up fighting credit card charges from companies they
had never heard of. ...

http://www.nytimes.com/2014/03/22/your-money/third-party-hotel-booking-sites-can-mislead-consumers.html

------------------------------

Date: Wed, 26 Mar 2014 11:41:37 -0400
From: Monty Solomon <monty () roscom com>
Subject: Obama to Call for End to N.S.A.'s Bulk Data Collection
  (Charlie Savage)

Charlie Savage, *The New York Times*, 24 Mar 2014
http://www.nytimes.com/2014/03/25/us/obama-to-seek-nsa-curb-on-call-data.html

WASHINGTON - The Obama administration is preparing to unveil a legislative
proposal for a far-reaching overhaul of the National Security Agency's
once-secret bulk phone records program in a way that - if approved by
Congress - would end the aspect that has most alarmed privacy advocates
since its existence was leaked last year, according to senior administration
officials.

Under the proposal, they said, the N.S.A. would end its systematic
collection of data about Americans' calling habits. The bulk records would
stay in the hands of phone companies, which would not be required to retain
the data for any longer than they normally would.  And the N.S.A. could
obtain specific records only with permission from a judge, using a new kind
of court order. ...

------------------------------

Date: Sat, 22 Mar 2014 15:43:25 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Turkey Moves To Block Twitter At The IP Level

  "In its effort to curtail access to Twitter, Turkey is getting more
  aggressive with a block of the service's IP address, according to sources
  inside Turkey as well as a DNS provider.  That means that changing their
  DNS server, whether it be Google DNS or OpenDNS, will no longer work for
  residents in the country ... But the latest move by the government will
  make it more difficult, but not quite impossible, for residents to access
  Twitter. By blocking Twitter at the IP level, DNS services will no longer
  work. Instead, citizens are being urged to access the service via VPN or
  by using the Tor anonymity network."
    http://j.mp/NE9nmr  (Techcrunch via NNSquad)

 - - -

If the government of Turkey comes knocking on the Internet Governance
door any time soon as things stand now, slam it in their face.

  [This has no end, apparently.  For example, browse on `Turkey blocks
  YouTube days after Twitter ban'.  PGN]

------------------------------

Date: Sun, 23 Mar 2014 11:07:27 +0200
From: tkalama <tkalama1 () gmail com>
Subject: Turkey blocks Google's DNSs

[...] Many groups have voiced outrage and many have suggested manually
changing the DNS servers so that twitter can be accessed again. A day later,
Google's DNSs (8.8.8.8 and 8.8.4.4) also have been blocked in Turkey.
Likewise, the IP addresses belonging to twitter.com have also been blocked.

Despite all these measures of censorship, the use of Twitter in Turkey has
exploded, thanks to proxy servers, alternative DNS servers, and VPN servers.

It has been said that Egypt's Mubarak remained in power for only 16
days after banning social networks in the country, thus Turks are hopeful
that three of those sixteen days have already gone by.
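
The two preceding items describe an escalation that is worth seeing as code:
a DNS-level block (ISP resolvers answer falsely for twitter.com) is defeated by
switching resolvers; an IP-level block of Twitter's addresses is not; and once
the public resolvers 8.8.8.8 and 8.8.4.4 are themselves dropped, a resolver
switch fails one step earlier.  The following model is an added example and is
not code from either post.  The addresses for Twitter, the ISP resolver, the
block page and the VPN exit are placeholders from the TEST-NET ranges, and the
order of the last two stages is a modelling choice, since the posts do not say
which came first.

```python
"""Model of the escalating Twitter block described in the posts above.

Constructed example: the censor is modelled as two filters, one on DNS
answers and one on outbound connections.  A client strategy is a choice of
resolver, or a VPN that tunnels everything to an exit outside the country.
"""
from dataclasses import dataclass

ISP_DNS = "203.0.113.53"                         # placeholder ISP resolver
GOOGLE_DNS = ("8.8.8.8", "8.8.4.4")              # the public resolvers named in the post
TWITTER_IPS = ("203.0.113.10", "203.0.113.11")   # placeholders, not Twitter's real addresses
BLOCKPAGE_IP = "203.0.113.99"                    # placeholder address hijacked names resolve to
VPN_EXIT = "198.51.100.1"                        # placeholder VPN endpoint outside the country

# Truthful DNS data, as a resolver outside the censor's control would answer.
TRUTHFUL = {"twitter.com": TWITTER_IPS[0]}


@dataclass
class Censor:
    hijacked_names: frozenset = frozenset()  # names the ISP resolver answers falsely
    blocked_ips: frozenset = frozenset()     # destinations whose packets are dropped

    def resolve(self, resolver: str, name: str):
        """DNS step.  Returns an IP, BLOCKPAGE_IP for a hijacked answer, or
        None when the query gets no answer because the resolver is blocked."""
        if resolver in self.blocked_ips:
            return None
        if resolver == ISP_DNS and name in self.hijacked_names:
            return BLOCKPAGE_IP
        return TRUTHFUL.get(name)

    def connect(self, ip: str) -> bool:
        """Transport step: a TCP connection succeeds only if the destination
        is not on the drop list."""
        return ip not in self.blocked_ips


def reach(censor: Censor, strategy: str, name: str = "twitter.com") -> str:
    """Try to reach `name` with one client strategy and report the outcome."""
    if strategy == "vpn":
        # The censor only sees packets to VPN_EXIT; resolution happens on the
        # far side of the tunnel, out of the censor's reach.
        if not censor.connect(VPN_EXIT):
            return "vpn_blocked"
        return "ok" if TRUTHFUL.get(name) else "nxdomain"
    resolver = ISP_DNS if strategy == "isp_dns" else GOOGLE_DNS[0]
    ip = censor.resolve(resolver, name)
    if ip is None:
        return "dns_unreachable"
    if ip == BLOCKPAGE_IP:
        return "blockpage"
    return "ok" if censor.connect(ip) else "ip_blocked"


STRATEGIES = ("isp_dns", "google_dns", "vpn")

# The three stages, in the order modelled here.
STAGES = {
    "dns_hijack": Censor(hijacked_names=frozenset({"twitter.com"})),
    "plus_twitter_ips": Censor(hijacked_names=frozenset({"twitter.com"}),
                               blocked_ips=frozenset(TWITTER_IPS)),
    "plus_google_dns": Censor(hijacked_names=frozenset({"twitter.com"}),
                              blocked_ips=frozenset(TWITTER_IPS) | frozenset(GOOGLE_DNS)),
}


def outcomes(stage: str) -> dict:
    """Outcome of each client strategy against one censorship stage."""
    return {s: reach(STAGES[stage], s) for s in STRATEGIES}


if __name__ == "__main__":
    for stage in STAGES:
        print(stage, outcomes(stage))
```

The ordering of the two checks is the point: resolver choice only matters at the
DNS step, so an address-level drop list wins regardless of which resolver is
used, and a VPN survives all three stages only because the censor never sees the
name being looked up or the address being connected to.  The real-world
analogue of this check from inside the network is to query the same name
against the ISP resolver and against 8.8.8.8, compare the answers, and then
attempt a TCP connection to the answer that differs.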

------------------------------

Date: Sun, 23 Mar 2014 15:12:54 -0400
From: Monty Solomon <monty () roscom com>
Subject: Closing the Gap to Human-Level Performance in Face Verification
  (Taigman et al.)

Yaniv Taigman, Ming Yang, Marc'Aurelio Ranzato, Lior Wolf
DeepFace: Closing the Gap to Human-Level Performance in Face Verification
Conference on Computer Vision and Pattern Recognition (CVPR)

Abstract

In modern face recognition, the conventional pipeline consists of four
stages: detect => align => represent => classify. We revisit both the
alignment step and the representation step by employing explicit 3D face
modeling in order to apply a piecewise affine transformation, and derive a
face representation from a nine-layer-deep neural network. This deep network
involves more than 120 million parameters using several locally connected
layers without weight sharing, rather than the standard convolutional
layers.  Thus we trained it on the largest facial dataset to date, an
identity-labeled dataset of four million facial images belonging to more
than 4,000 identities, where each identity has an average of over a thousand
samples.  The learned representations coupling the accurate model-based
alignment with the large facial database generalize remarkably well to faces
in unconstrained environments, even with a simple classifier. Our method
reaches an accuracy of 97.25% on the Labeled Faces in the Wild (LFW)
dataset, reducing the error of the current state of the art by more than
25%, closely approaching human-level performance. ...

https://www.facebook.com/publications/546316888800776/
https://www.facebook.com/download/388286407980383/deepface.pdf

  [Potentially an interesting advance.  This might work fairly well for
  small groups of subjects.  But note that a 2.75% inaccuracy rate would
  represent 27,500 false identifications for each million subjects.  One
  potential question for Homeland Security: For how many known terrorists
  are there 1000 images, and for how many unknown terrorists are there any
  known images?  PGN]

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.82
************************