RISKS Forum mailing list archives
Risks Digest 27.31
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 31 May 2013 15:02:10 PDT
RISKS-LIST: Risks-Forum Digest Friday 31 May 2013 Volume 27 : Issue 31 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/27.31.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Captcha fail leaves blind people unable to sign petition (Drew Guarini via Jim Reisert) Ruby on Rails vulnerability to compromise servers, create botnet (Lucian Constantin via Gene Wirchenko) "Twitter's two-factor authentication can be abused" (Lucian Constantin via Gene Wirchenko)
From Bad to Worse: Online Repression in the Gulf (EFF via Lauren Weinstein)
Browser 'Back' button may cause student loan application to fail (John Standen) EFF: Computer Scientists Urge Court to Block Copyright Claims in Oracle v. Google API Fight (Lauren Weinstein) The risks of Public Wi-Fi [sic] (Bob Frankston) Re: Risks of reporting a bug to the wrong place (Paul Robinson) Re: The Internet is no place for Critical Infrastructure (Bob Frankston) Re: Risks of spreadsheets (Bob Frankston) Re: The Hazards of Gambling (Martin Ward) Die Passwords! Die! (Lauren Weinstein) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 30 May 2013 18:50:16 -0600 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: Captcha fail leaves blind people unable to sign petition Drew Guarini, Petition To Help The Blind, 30 May 2013 The Huffington Post "Thanks in part to a dreaded Captcha code on the White House's petitions website, it's nearly impossible for blind web users to sign a "We The People" petition seeking support for an international treaty intended to help ... the blind." http://www.huffingtonpost.com/2013/05/30/we-the-people-blind-petition_n_3361075.html ------------------------------ Date: Thu, 30 May 2013 10:44:44 -0700 From: Gene Wirchenko <genew () telus net> Subject: Ruby on Rails vulnerability to compromise servers, create botnet (Lucian Constantin) Lucian Constantin, InfoWorld, 29 May 2013 Hackers exploit Ruby on Rails vulnerability to compromise servers, create botnet The targeted vulnerability was patched in January, but many servers haven't been updated yet http://akamai.infoworld.com/d/security/hackers-exploit-ruby-rails-vulnerability-compromise-servers-create-botnet-219537 ------------------------------ Date: Thu, 30 May 2013 10:46:02 -0700 From: Gene Wirchenko <genew () telus net> Subject: "Twitter's two-factor authentication can be abused" (Lucian Constantin) Lucian Constantin, InfoWorld, 28 May 2013 Attackers could lock users who don't have it enabled out of their accounts if they steal their log-in credentials, F-Secure researchers say https://www.infoworld.com/d/security/twitters-two-factor-authentication-can-be-abused-219398 ------------------------------ Date: Thu, 30 May 2013 17:12:25 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: From Bad to Worse: Online Repression in the Gulf (EFF) "In Kuwait, dozens imprisoned in an effort to stifle online dissent. In the United Arab Emirates, a sentence of 10 months in prison for describing a court hearing without "honesty and in bad faith." And in Qatar, a draft cybercrime law that threatens the relative freedom of expression enjoyed by residents." http://j.mp/11EILYa (EFF via NNSquad) ------------------------------ Date: Fri, 31 May 2013 20:44:46 +0100 From: John Standen <j.standen () computer org> Subject: Browser 'Back' button may cause student loan application to fail Student Finance England (Student Loan Company) have been putting the following message out on Twitter several times over the last few months: STUDENT FINANCE ENG @SF_England Applying online? Don't use the 'back' button of your browser as this may cause an error on your app that could prevent you from submitting! A number of students seeking finance for their university tuition fees and maintenance loan/grant have been finding that on clicking the 'Submit Application' button are getting a message stating an error has occurred, asking them to check the data and resubmit. The error message does not state what the failure is. In the early days of this year's applications on contacting the support phone line students were being told to either 'try a different browser' or 'wait 24 hours and try again', only to get the same error. Students were then told to fill out a paper form (34 pages), and on the basis of the Twitter post blaming the student for using the browser 'Back button'. Completing a new student paper form also seems to require parents (if providing details of household income to get an income based maintenance loan/grant) to provide information on paper even if it has already been provided online to support another student. As a separate issue: the paper form is available as an editable PDF document allowing a student to enter information for most fields before printing. Some fields would not accept the required number of characters or were not aligned with the shaded boxes of the form. This year I had one student who completed his renewal online and one who got the error and had to complete the paper form! ------------------------------ Date: Fri, 31 May 2013 08:13:28 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: EFF: Computer Scientists Urge Court to Block Copyright Claims in Oracle v. Google API Fight "The law is already clear that computer languages are mediums of communication and aren't copyrightable. Even though copyright might cover what was creatively written in the language, it doesn't cover functions that must all be written in the same way," said EFF Staff Attorney Julie Samuels. "APIs are similarly functional - they are specifications allowing programs to communicate with each other. As Judge Alsup found, under the law APIs are simply not copyrightable material." http://j.mp/17aWEj9 (EFF via NNSquad) ------------------------------ Date: Fri, 31 May 2013 13:25:53 -0400 From: "Bob Frankston" <Bob19-0501 () bobf frankston com> Subject: The risks of Public Wi-Fi [sic] I've been find that I often have to shut off the Wi-Fi connection on my portable device (AKA Smartphone) in order to get simple things like map searches to work. I suspect the reason is that even after I've gone through an authentication cycle with a service like XfinityWiFi it may decide to ask me again. Same for agree screens. One problem is that the failure is not explained - I simply see a wait indicator. For an app like email I might not even know I'm missing the critical message because there is no obvious difference between failure and no having any email. Yet the phone itself seems to work because the voice path tests for Wi-Fi connectivity and uses cellular if it can't get a connection. The apps and the base networking software aren't so smart. I put the "[sic]" in the title because Wi-Fi is just the name of a technology and the problem is in confusing the Internet with the web and then assuming only eyeballs browse and not having the concept of agency (programs) working on others' behalf. http://frankston.com ------------------------------ Date: Thu, 30 May 2013 23:58:01 -0700 (PDT) From: Paul Robinson <paul () paul-robinson us> Subject: Re: Risks of reporting a bug to the wrong place (RISKS-27.30) Dr J R Stockton <J.R.Stockton () physics org> wrote
The Gregorian Calendar was first used in 1582, not 1583. In most of your supposed country, not at the time a country, the use of
Gregorian started in 1752. True, but the Papal Bull was issued February 24, 1582 so it was not "used" for a full year. The first year the Gregorian calendar was used starting on January 1 was 1583. :) ------------------------------ Date: Wed, 29 May 2013 19:54:32 -0400 From: "Bob Frankston" <bob2-39 () bobf frankston com> Subject: Re: The Internet is no place for Critical Infrastructure (R 27 30) This begs the question of what one means by "The Internet". There is no such thing or place -- the Internet is just a technique for using any available means for communicating without being limited to the channels of traditional telecom or depending on a third party (the "provider") to "understand" what you are trying to do in order to make each application work. If anything "The Internet" is the technique for what we might call "critical infrastructure" because it is about taking responsibility rather than dependence. Unfortunately the more we treat the Internet as a thing and try to solve issues such "security" within the network the more we are at risk. Not depending on the Internet is the risk. In http://rmf.vc/PurposeVsDiscovery I try to address this misunderstanding by explaining how the Internet is the antithesis of the dependencies inherent in traditional telecommunications. We must not confuse redundancy with resilience. This also begs the question of what we mean by "critical infrastructure". Failure is always an option -- the question is how we are prepared to deal with it and at what scale. The danger is in confusing the Internet with traditional telecommunication and becoming complacent because rigid infrastructure seems so reliable ... until it isn't. We compound this by confusing uses such as the web with something called "The Internet". ------------------------------ Date: Wed, 29 May 2013 22:17:35 -0400 From: "Bob Frankston" <bob2-39 () bobf frankston com> Subject: Re: Risks of spreadsheets (RISKS-27.30) The real risk here is having programmers miss the point by trying to fit (electronic) spreadsheets into traditional programming paradigms. As the article notes spreadsheets are a tool that gives people with domain expertise the ability to play with their ideas. In doing so it can amplify misunderstandings in the way that any computer is shines light on ones misunderstandings. Sure one can use spreadsheets as an alternative to lava but one can also use Matlab and other tools. I saw the reference to Mike Schrage's comment about the government being "outspreadsheeted". Translation -- people with domain expertize didn't let programmers get in the way but in doing so their understanding gets tested. These aren't spreadsheet errors any more than bad writing is a typing error. What about the errors introduced when a domain expert tries to speak to a programmer? The real question is how do we educate people so they avoid being seduced by the seeming authority of numbers. One example is understanding the concept of significant digits so they don't looking a five year projection and assuming if you subtract one number from another in the last column a small difference is meaningful. There is also the problem with confusing guesstimates with hard numbers. We see this in confusing a strike price with a hard number and then building trillion dollar derivatives on such a basis. Of course there are programming-like errors in terms of dealing with spreadsheet ranges and other artifacts but the solution is less in preventing errors than learning how to do reality checking and not be dazzled by the pretty tables. In that sense releasing untested spreadsheet software is no different than releasing untested code. By calling these "spreadsheet" errors we shift responsibility from coming to terms with the new literacy to blaming the tool. This is similar to the other Risks post in complaining about using Internet as critical infrastructure rather viewing it as a technique for using available facilities. ------------------------------ Date: Thu, 30 May 2013 11:43:21 +0100 From: Martin Ward <martin () gkc org uk> Subject: Re: The Hazards of Gambling (Unger, RISKS-27.30) Steve Unger mentions the biggest losers (gambling addicts), people who spend excessive amounts and people on low income who are lured into buying lottery tickets, but there is a much larger problem with gambling: that all gambling results in a net loss of value! The best discussion I have found on this issue is by John Nevil Maskelyne in his book "Sharps and Flats": "It must be obvious to any one who will take the trouble to think over the matter, that chances which are fair and equal are a question of proportion rather than of actual amounts and odds. At first sight, however, it would appear that if a man stands an equal chance of winning or losing a certain amount, nothing fairer could possibly be imagined, from whatever point of view one may regard it. I venture to say, nevertheless, that this is not so. Suppose for the moment that you are a poor man, and that you meet a rich acquaintance who insists upon your spending the day with him, and having what the Americans call 'a large time.' At the end of the day he says to you, 'I will toss you whether you or I pay this day's expenses.' Such a proposition is by no means uncommon, and suppose you win, what is the loss to him? Comparatively nothing. He may never miss the amount he has to pay; but if you lose, your day's outing may have to be purchased by many weeks of inconvenience. "A bet of a hundred pounds is a mere bagatelle to a rich man, but it may be everything to a poor one. In the one case the loss entails no inconvenience, in the other it means absolute ruin. It must be granted, then, in matters of this kind, that proportion is the chief factor, not the actual figures. If you are with me so far, you are already a step nearer to my way of thinking. "Let us proceed a step further, and see how it is that a bet is necessarily unfair to both parties. The simple fact is that no two men can make a wager, however seemingly fair, or however obviously unfair, without at once reducing the actual value to them of their joint possessions. This can be proved to a demonstration. We will take a case in which the chances of winning are exactly equal, both in amount and in proportion to the wealth of two bettors. Suppose that your possessions are precisely equal in amount to those of a friend, and that your circumstances are similar in every respect. There can be, then, no disparity arising from the fact of a bet being made between you, where the chances of winning or losing a certain amount are the same to each. To present the problem in its simplest form, we will say that you each stake one-half of your possessions upon the turn of a coin. If it turns up head you win, if it falls 'tail up' your friend wins. Nothing could possibly be fairer than this from a gambler's point of view. You have each an equal chance of winning, you both stake[319] an equal amount, you both stand to lose as much as you can win, and, above all, the amount staked bears the same value, proportionately, to the wealth of each person. One cannot imagine a bet being made under fairer conditions, yet how does it work out in actual fact? You may smile when you read the words, but you both stand to lose more than you can possibly win! You doubt it! Well, we shall see if it cannot be made clear to you. "Suppose the turn of the coin is against you, and therefore you lose half your property; what is the result? To-morrow you will say, 'What a fool I was to bet! I was a hundred per cent. better off yesterday than I am to-day.' That is precisely the state of the case; you were exactly a hundred per cent. better off. Now, the most feeble intellect will at once perceive that a hundred per cent. can only be balanced by a hundred per cent. If you stood a chance of being that much better off yesterday than you are to-day, to make the chances equal you should have had an equal probability of being a hundred per cent. better off to-day than you were yesterday. That is obvious upon the face of it, since we agree that these questions are, beyond dispute, matters of proportion, and not of actual amounts. "Then we will suppose you win the toss, and thus acquire half your friend's property; what happens then? When the morrow arrives you can only say, 'I am fifty per cent better off to-day than I was yesterday.' That is just it. If you lose, your losses have amounted to as much as you still possess, whilst, if you win, your gains amount only to one-third of what you possess. The plain facts of the case, then, are simply that the moment you and your friend have made the bet referred to, you have considerably reduced the value of your joint possessions. Not in actual amount, it is true, but in actual fact, nevertheless; for whichever way the bet may go, the loss sustained by one represents a future deprivation to that one far greater than the future proportional advantage gained by the other. The mere fact of one having gained precisely as much as the other has lost does not affect the ultimate result in the least. The inconvenience arising from any loss is always greater than the convenience resulting from an equal gain." -- "Sharps and Flats", Chapter XIV, by John Nevil Maskelyne http://www.gutenberg.org/files/41169/41169-h/41169-h.htm The argument above is a purely economic one: that gambling necessarily involves the destruction of value. A corollary is that imposing high taxes on the rich and using the money for public public welfare (schools, hospitals, roads etc.), or just giving the money to the poor, does not just shift value around but actually *creates* value. Conversely, the current UK and US government policies of cutting public spending to fund tax cuts for the rich are destroying value. The *moral* argument, that gambling is essentially theft, is also discussed by Maskelyne: "The absolute immorality of gambling--the desire to obtain money to which one has no right--in any form is beyond dispute; and the sooner this fact is generally recognised, the better it will be for the world at large. There are some, of course, in whom the passion is ingrained, and from whose natures it can never be wholly eradicated. But everyone should clearly understand that the vice is as reprehensible in proportion to its magnitude as that, for instance, of either lying or stealing." For some, this argument is stronger than the economic one. But even those who believe that economics trumps morality should be convinced by the economic argument. STRL Reader in Software Engineering and Royal Society Industry Fellow martin () gkc org uk http://www.cse.dmu.ac.uk/~mward/ ------------------------------ Date: Fri, 31 May 2013 11:53:53 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Die Passwords! Die! Die Passwords! Die! http://lauren.vortex.com/archive/001035.html In one form or another -- verbal, written, typed, semaphored, grunted, and more -- passwords broadly defined have been part of our cultures pretty much since the dawn of humans at least. Whether an 18-character mixed-case password replete with unusual symbols, or the limb-twisting motions of a secret handshake, we've always needed means for authentication and identity verification, and we've long used the concept of a communicable "secret" of some kind to fill this need. As we plow our way ever deeper into the 21st century, it is notable that most of our Internet and other computer-based systems still depend on the basic password motif for access control. And despite sometimes herculean efforts to keep password-based environments viable, it's all too clear that we're rapidly reaching the end of the road for this venerable mechanism. That this was eventually inevitable has long been clear, but recent events seem to be piling up and pointing at a more rapid degeneration of password security than many observers had anticipated, and this is taking us quickly into the most complex realms of identity and privacy. Advances in mathematical techniques, parallel processing, and particularly in the computational power available to password crackers (now often using very high speed graphics processing units to do the number crunching) are undermining long held assumptions about the safety of passwords of any given length or complexity, and rendering even hashed password files increasingly vulnerable to successful attacks. If a single configuration error allows such files to fall into the wrong hands, even the use of more advanced password hashing algorithms is no guarantee of protection against the march of computational power and techniques that may decimate them in the future. What seems like an almost daily series of high profile password breaches has triggered something of a stampede to finally implement multiple-factor authentication systems of various kinds, which are usually a notch below even more secure systems that use a new password for every login attempt (that is, OTP - One-Time Password systems, which usually depend on a hardware device or smartphone app to generate disposable passwords). As you'd imagine, the ultimate security of what we might call these "enhanced password" environments depends greatly on the quality of their implementations and maintenance. A well designed multiple factor system can do a lot of good, but a poorly built and vulnerable one can give users a false sense of security that is actually even more dangerous than a basic password system alone. Given all this, it's understandable that attention has now turned toward more advanced methodologies that -- we hope -- will be less vulnerable than any typical password-based regimes. There are numerous issues. Ideally, you don't want folks routinely using passwords at all in the conventional sense. Even relatively strong passwords become especially problematic when they're used on multiple systems -- a very common practice. The old adage of the weakest link in the chain holds true here as well. And the less said about weak passwords the better (such as "12345" -- the kind of password, as noted in Mel Brooks' film "Spaceballs" -- that "an idiot would have on his luggage") -- or worse. So, much focus now is on "federated" authentication systems, such as OAuth and others. At first glance, the concept appears simple enough. Rather than logging in separately to every site, you authenticate to a single site that then (with your permission) shares your credentials via "tokens" that represent your desired and permitted access levels. Those other sites never learn your password per se, they only see your tokens, which can be revoked on demand. For example, if you use Google+, you can choose to use your Google+ credentials to access various other cooperating sites. An expanding variety of other similar environments are also in various stages of availability. This is a significant advance. But if you're still using simple passwords for access to a federated authentication system, many of the same old vulnerabilities may still be play. Someone gaining illicit access to your federated identity may then have access to all associated systems. This strongly suggests that when using federated login environments you should always use the strongest currently available practical protections -- like multiple-factor authentication. All that being said, it's clear that the foreseeable future of authentication will appropriately depend heavily on federated environments of one form or another, so a strong focus there is utterly reasonable. Given that the point of access to a federated authentication system is so crucial, much work is in progress to eliminate passwords entirely at this level, or to at least associate them with additional physical means of verification. An obvious approach to this is biometrics -- fingerprints, iris scans, and an array of other bodily metrics. However, since biometric identifiers are so associated with law enforcement, cannot be transferred to another individual in cases of emergency, and are unable to be changed if compromised, the biometric approach alone may not be widely acceptable for mass adoption outside of specialized, relatively high-security environments. Wearable devices may represent a much more acceptable compromise for many more persons. They could be transferred to another individual when necessary (and stolen as well, but means to render them impotent in that circumstance are fairly straightforward). A plethora of possibilities exist in this realm -- electronically enabled watches, bracelets, rings, temporary tattoos, even swallowable pills -- to name but a few. Sound like science-fiction? Nope, all of these already exist or are in active development. Naturally, such methods are useless unless the specific hardware capabilities to receive their authentication signals is also present, when and where you need it, so these devices probably will not be in particularly widespread use for the very short term at least. But it's certainly possible to visualize them being sold along with a receiver unit that could be plugged into existing equipment. As always, price will be a crucial factor in adoption rates. Yet while the wearable side of the authentication equation has the coolness factor, the truth is that it's behind the scenes where the really tough challenges and the most seriously important related policy and engineering questions reside. No matter the chosen methods of authentication -- typed, worn, or swallowed -- one of the most challenging areas is how to appropriately design, deploy, and operate the underlying systems. It is incumbent on us to create powerful federated authentication environments in ways that give users trustworthy control over how their identity credentials are managed and shared, what capabilities they wish to provide in specific environments, how these factors interact with complex privacy parameters, and a whole host of associated questions, including how to provide for pseudonymous and anonymous activities where appropriate. Not only do we need to understand the basic topology of these questions and develop policies that represent reasonable answers, we must actually build and deploy such systems in secure and reliable ways, often at enormous scale by historical standards. It's a fascinating area, and there is a tremendous amount of thinking and work ongoing toward these goals -- but in many ways we're only just at the beginning. Interesting times. One thing is pretty much certain, however. Passwords as we've traditionally known them are on the way out. They are doomed. The sooner we're rid of them, the better off we're all going to be. Especially if your password is "12345" ... ------------------------------ Date: Sun, 7 Oct 2012 20:20:16 -0900 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall () newcastle ac uk>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 27.31 ************************
Current thread:
- Risks Digest 27.31 RISKS List Owner (May 31)