Risks Digest 27.32

[RISKS List Owner <risko () csl sri com>]

RISKS-LIST: Risks-Forum Digest  Tuesday 4 June 2013  Volume 27 : Issue 32

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.32.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
BA plane's emergency landing at LHR caused by maintenance error
  (Gwyn Topham via PGN)
`Ultra-secure' online primary in France disrupted by multiple and
  fake voting (John Lichfield via NNSquad)
Public Internet election in France marred by vulnerabilities that
  were demonstrated by journalists (PGN)
UK takes more moves toward true police state status  (Alison Langley via
  NNSquad)
"FBI Internet-tapping good for criminals, bad for everyone else"
  (Ted Samson via Gene Wirchenko)
Google's new Moto X superphone will spy on you 24/7, and you'll like it
  (Joly MacFie)
Google cuts grace period on exploits from 60 days to 7 (Mark Thorson)
Free Android app to skim credit cards (Prashanth Mundkur)
Apple says you can't use the iTunes/App Store when you travel abroad
  (Vassilis Prevelakis)
"Spam catchers catching spammers better" (Woody Leonhard via Gene Wirchenko)
Launch of OpenBook Wisconsin -- One for targeted advertisers
  (Dimitri Maziuk)
I thought it was a fake Flickr message (jidanni)
NFP regarding the "blind captcha" problem (Danny Burstein)
Re: The Hazards of Gambling (Chris Drewe)
Re: The Internet is no place for Critical Infrastructure (Chris Drewe)
Re: Risks of spreadsheets (Pete Kaiser)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 1 Jun 2013 13:42:41 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: BA plane's emergency landing at LHR caused by maintenance error

Investigators call on Airbus to again tell operators to ensure essential
safety checks are made on cowl closures, a known safety risk

After a British Airways A319 made an emergency landing at Heathrow on 24 May
2013, it was photographically evident that the cowls were not properly shut
-- causing the 40kg metal coverings to fly loose during takeoff on what
would have been a flight to Oslo.  The right-hand engine caught fire, and
the plane had to be landed on one engine.  [Source: Gwyn Topham, *The
Guardian*, 31 May 2013; PGN-ed]  http://gu.com/p/3g929

------------------------------

Date: Sun, 2 Jun 2013 19:26:15 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: `Ultra-secure' online primary in France disrupted by multiple and
  fake voting (John Lichfield)

John Lichfield, Fake votes mar France's first electronic election,
*The Independent* via NNSquad
http://j.mp/17hqQcj

  ``What was already shaping up as a tense and close election was thrown into
  utter confusion at the weekend. Journalists from the news site Metronews
  proved that it was easy to breach the allegedly strict security of the
  election and vote several times using different names.  To register their
  vote on-line, Parisians were supposed to make a credit-card payment of 3
  euros and give the name and address of someone on the city's electoral
  roll.  Metronews said that one of its journalists had managed to vote five
  times, paying with the same credit card, using names, including that of
  Nicolas Sarkozy.''

------------------------------

Date: Sun, 2 Jun 2013 19:00:51 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Public Internet election in France marred by vulnerabilities that
  were demonstrated by journalists

More from the same article:

This `electronic' election had been touted as "fraud-proof" and
"ultra-secure", but apparently permitted multiple voting and fraudulent
voting for other people, with little difficulty.  Journalists turned into
whistle-blowers.
http://www.independent.co.uk/news/world/europe/fake-votes-mar-frances-first-electronic-election-8641345.html

------------------------------

Date: Mon, 3 Jun 2013 16:14:30 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: UK takes more moves toward true police state status (Alison Langley)

Alison Langley, UK considers stepping up Internet blocking,
*Columbia Journalism Review* (via NNSquad)
http://j.mp/18K4eiI

  Her suggested remedy is a three-pronged approach: ban more organizations
  and Muslim schools that the government believes are inciting hate; block
  extremist websites, and revive the Communications Data Bill, which would
  which would require Internet service providers and mobile companies to
  keep records of every user's browsing activities, email correspondences,
  and texts for 12 months. Phone companies in the UK already are required to
  retain email and telephone contact data.

  Some filters against extremist websites have been in place since 2010,
  [Home Secretary Theresa] May told the BBC. Since then, police have gotten
  more than 5,500 postings deleted from the Internet, she added. Police and
  governments routinely request that Internet companies and Web hosts take
  down, block, or filter content they deem to be offensive or illegal.
  Companies can voluntarily comply or wait for a court order to do so.

  Now May would like to examine whether officials should have broader power
  to demand that content be removed.

  Home Office spokeswoman Sally Henfield said in a telephone interview that
  the examination will be part of the government's Extremist and
  Radicalization Task Force, established this week in the aftermath of the
  Woolwich stabbing. Further details have yet to be decided.

  The conservative government's coalition partner, the Liberal Democrats,
  said that in the wake of the Woolwich murder, they would agree to some
  parts of the draft Communications Data Bill, which they blocked in April
  over privacy concerns.

 - - -

The UK is declining into true police state status faster than anywhere else
in the world that I know of. How long before they try to ban VPNs and
proxies?

------------------------------

Date: Tue, 04 Jun 2013 13:27:56 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "FBI Internet-tapping good for criminals, bad for everyone else"
  (Ted Samson)

Ted Samson, InfoWorld, 31 May 2013
Bruce Schneier says 'eavesdroppable' Internet communication products
would hurt innocent users and tech companies
http://www.infoworld.com/t/internet-privacy/security-guru-fbi-internet-tapping-good-criminals-bad-everyone-else-219727

------------------------------

Date: Monday, June 3, 2013
From: *Joly MacFie*
Subject: Google's new Moto X superphone will spy on you 24/7, and you'll
  like it

http://qz.com/89410/google-moto-x-smartphone-will-spy-on-you-247-and-youll-like-it/
  [via Dave Farber's IP]

Dennis Woodside, CEO of Motorola, Google's wholly owned phone-making
subsidiary, walked onto a stage yesterday with the company's rumored new
superphone and while he refused to take it out of his pocket, he confirmed
that it's real and that it's launching in October of this year.
<http://qz.com/46411/google-x-phone-with-long-battery-life-wireless-charging-and-an-unbreakable-case/>,
<http://allthingsd.com/20130529/moto-x-coming-out-by-october-and-its-all-about-sensors-and-will-be-built-in-texas/>,

He also dropped a number of technical details about the phone, known as the
Moto X, which indicate that, essentially, it's the world's most
sophisticated cluster of sensors you can wear on your person, and it's going
to know every single thing you do, whether it's driving, sleeping or taking
a walk around the block. Google is betting that you will love your pocket
Stasi so much you'll never want to be without it -- and Google is right.

Joly MacFie  218 565 9365 Skype:punkcast  WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com http://punkcast.com  VP (Admin) ISOC-NY http://isoc-ny.org

------------------------------

Date: Mon, 3 Jun 2013 20:50:49 -0700
From: Mark Thorson <eee () sonic net>
Subject: Google cuts grace period on exploits from 60 days to 7

Google discovers many bugs in other companies software, and previously
allowed them 60 days to roll out a fix before making the exploit known to
third parties.  Now, that period is reduced to 7 days.

http://siliconangle.com/blog/2013/05/31/google-gives-companies-just-seven-days-to-fix-security-exploits/

------------------------------

Date: Sat, 01 Jun 2013 14:42:42 -0700
From: Prashanth Mundkur <prashanth.mundkur () gmail com>
Subject: Free Android app to skim credit cards

Android users now tired of having their information and credit stolen can
now fight back!  With a free Android app, they can now read the credit card
information of other people, provided their cards have an embedded NFC chip.
Even better, CBC News has done the QA and confirmed that this works.

http://www.cbc.ca/news/canada/manitoba/story/2013/04/23/mb-smartphones-skimmer-credit-card-winnipeg.html

The next time I'm in a checkout line, I'm going to be wondering how many
people are secretly stealing each other's credit card info ...

------------------------------

Date: Mon, 3 Jun 2013 14:22:46 +0200
From: Vassilis Prevelakis <prevelakis () ida ing tu-bs de>
Subject: Apple says you can't use the iTunes/App Store when you travel abroad

According to the Apple iTunes/App Store terms of agreement, if you use the
Apple iTunes/App Store when you are traveling abroad, you are in violation
of your contract.

Here is the US version of the agreement, but it also applies to all the
other national agreements I could check (and read).

http://www.apple.com/legal/internet-services/itunes/us/terms.html

> THE ITUNES STORE SERVICE [...] REQUIREMENTS FOR USE OF THE SERVICE
> [...]

> The iTunes Service is available to you only in the United States, its
> territories, and possessions. You agree not to use or attempt to use the
> iTunes Service from outside these locations. Apple may use technologies to
> verify your compliance.

So the global product is in fact a national product, available strictly
within national boundaries, even in the case of EU countries where a common
market is supposedly in effect.

I think that somebody liked the DVD-style partitioning of the world into
distinct markets (where a product purchased in one market cannot be used in
another) so much that they decided to apply it to its extreme. What is
coming next? having each state designated as a separate market, so that you
can use your iphone in New Jersey, but not in New York?

Vassilis Prevelakis, Institut fuer Datentechnik und Kommunikationsnetze
Technische Universitaet Braunschweig Germany

------------------------------

Date: Tue, 04 Jun 2013 13:31:55 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Spam catchers catching spammers better" (Woody Leonhard)

Woody Leonhard, InfoWorld, 31 May 2013
After a decline in the capabilities of spam-catching software, it's
heartening to see that the good guys are getting better
http://www.infoworld.com/t/anti-spam/spam-catchers-catching-spammers-better-219760

selected text:

  "It would be natural to expect those sources all to be Internet service
  providers, with the top positions occupied by ISPs in developing
  countries, where many people run cracked and thus unpatched versions of
  Windows XP -- a dream for botherers."

But no, that isn't what Ken found. The No. 1 source of spam in Ken's study
is The Planet, a Web service offered by SoftLayer, a Web hosting company
with 436 employees and an active abuse team. Second was a German firm,
STRATO, also known for Web hosting. Third was yet another Web hosting firm,
of dubious pedigree. Of the top 25 spamming sources in the study, only six
were ISPs.

------------------------------

Date: Tue, 04 Jun 2013 16:43:45 -0500
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Launch of OpenBook Wisconsin -- One for targeted advertisers

When you get to the last sentence, keep in mind that UW-Madison, like
many other places, has a searchable employee directory with work
address, telephone numbers, and e-mail address.

- - ------ Original Message --------
Date: Tue, 4 Jun 2013 16:29:05 -0500
Subject: Launch of OpenBook Wisconsin
From: Vice Chancellor Darrell Bazzell <vcfa () vc wisc edu>

Date: June 4, 2013
To: All UW-Madison Employees
From: Vice Chancellor for Finance and Administration Darrell Bazzell
Re: Launch of OpenBook Wisconsin

As some of you may know, the State of Wisconsin is preparing to launch a new
expenditure website called OpenBook Wisconsin,
<http://budget.wisc.edu/budget-news/state-to-launch-openbook-wisconsin-website/>
The site is part of an ongoing effort to make state government more
transparent for the citizens of Wisconsin.

The site launch will be conducted in phases, but we cannot predict with
certainty when OpenBook will go live. We are communicating now with the
intent of giving employees as much notice and consideration of the site
launch as possible.

The OpenBook website stems from 2011 Wisconsin Act 32, s.16.413 of the
Wisconsin Statutes, which requires the Department of Administration to
create a searchable website with information about all state agency
expenditures in excess of $100.  For ease of administration, UW-Madison will
report all expenditures, regardless of amount.

The database will eventually include state and UW salaries and fringe
benefits, grants paid by state agencies, and contract payments made by any
agency or UW institutions.

At this time, the university is taking steps to ensure that employees with
legitimate personal safety needs that require removal of their name from the
OpenBook database will be protected. Such legitimate personal safety
concerns for removal from the OpenBook website would include having been the
victim of a crime (e.g., domestic abuse) or circumstances involving court
orders that would require the removal of the employee's name.

In the event that an employee would like to request his or her name be
redacted from this database, based on the stated safety concerns, they need
to contact Zubin Mufti (e-mail: <zmufti () ohr wisc edu>, phone: (608)
262-4587) from the Office of Human Resources to discuss a possible
redaction.

If an employee has currently been removed from the university directory for
a reason consistent with the above factors, the employee's name will also be
removed from OpenBook.

It must be emphasized that only the employee name will be removed. The
expenses an employee submits and the payroll information will be included on
the website, but the name will be withheld from the related
expenditure. OpenBook will not post Social Security numbers, home addresses
or home telephone numbers of any employee.

------------------------------

Date: Mon, 03 Jun 2013 07:19:24 +0800
From: jidanni () jidanni org
Subject: I thought it was a fake Flickr message

> > > > > "F" == Flickr  <yahoo () service yahoo-email com> writes:

F> Smile. Everyone now gets a free terabyte of space.

That's an about face from the previous measly 200 picture allowance,
plus there isn't a single link to Flickr.com in the message, but instead
just links to "yahoo-email.com". SpamAssassin analysis gives:

 0.4 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
-0.5 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 0.6 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.0 T_REMOTE_IMAGE         Message contains an external image

Ho hum, just another scam message. But wait, browsing Flickr.com shows
it is real.

------------------------------

Date: Fri, 31 May 2013 19:29:41 -0400 (EDT)
From: Danny Burstein <dannyb () panix com>
Subject: NFP regarding the "blind captcha" problem (Guarini, RISKS-27.31)

- Every so often, usually after numerous fails of trying to resolve a Google
  captcha, I ask it to kick over the audio.

Fuggedabitit. Completely unusable.

- Come to think of it, since the audio is meant to be heard and transcribed
by a human, it might as well be a completely clear and simple word like
"cat" or the number "123".

------------------------------

Date: Tue, 04 Jun 2013 22:30:28 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: The Hazards of Gambling (Ward, RISKS-27.31)

My favourite quote here is "a politician who robs Peter to pay Paul can
probably rely on Paul's vote".  If the Government takes money off rich
people and gives it to poor people, this may seem to be "fairer" and reduce
inequality, but it rewards people who rely on welfare and punishes those who
provide for themselves (hence in the UK a lifetime on welfare is quite a
popular career option).  If Government spending rises faster that the
general level of wealth in the country (GDP growth), then the Government
will eventually run out of money; its only sources of income are taxes or
borrowing, and if it tries to borrow too much, then either creditors stop
lending (as in Greece), or the interest payments become crippling (as in the
UK, which has to borrow to pay the interest on existing debt).

Another favourite quote is from the obituary in the newspaper of an
economist called Professor James Buchanan (1919-2013):

  In modern democracies, Buchanan argued, politicians and bureaucrats come
  under constant pressure to placate interest groups with subsidies, tax
  breaks, regulation and uneconomic public investment; to take on ever more
  responsibilities to show they are `doing something'; and to expand budget
  deficits because they cannot square competing demands to spend more and to
  tax less. Politicians tend to regard political decisions of this sort as
  somehow independent of the economy and therefore immune from the sort of
  cost-benefit approach applied in the private sector, justifying them with
  reference to concepts such as `public good' or the `public interest'.

-- which in two sentences describes exactly why western countries are how
they are now, though not how to improve things.  The risk here looks like
governments gambling on getting enough money from "the rich" to match their
spending ambitions, and losing.

------------------------------

Date: Tue, 04 Jun 2013 22:30:28 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: The Internet is no place for Critical Infrastructure (R 27 31)

> This begs the question of what one means by "The Internet". ...

It's not only critical infrastructure.  Several recent criminal events in
the UK are alleged to have been encouraged by the availability of "extreme"
material on the internet, inevitably followed by demands for it to be made
illegal, with ISPs, search engines, or whoever required to block it (Google
has come in for particularly fierce criticism, as if web sites were only
accessible via them).  As Bob Frankston says, given the worldwide, amorphous
nature of the internet and the huge volume of constantly-changing
information in web sites, it's by no means clear who could be held liable or
how effective blocking could be, or even what is and isn't unacceptable
material, though of course that doesn't stop people from trying.

------------------------------

Date: Sat, 01 Jun 2013 09:12:35 +0200
From: Pete Kaiser <djc () resiak org>
Subject: Re: Risks of spreadsheets (RISKS-27.30)

The discussion here centers, as does discussion in the European Spreadsheet
Risks Interest Group (www.eusprig.org), on errors in creating spreadsheets.

But spreadsheet programs are software and have bugs.  It's quite possible to
program a spreadsheet that's correct and appropriate in every way, but for
the spreadsheet to deliver a wrong result.  One can think of ways to
mitigate that possibility, but they require effort, possibly lots of it.

In the late 1980s I found a calculation bug in DEC's spreadsheet program for
VAX/VMS; and since I was working there at the time, I reported it through
the internal mechanism which should have given it elevated attention.  I
followed up and checked with the engineering group from time to time, and in
fact nothing was done about the bug for years, during which the calculation
engine -- with the bug -- became part of the workstation product.  As new
releases came out, they all still had the calculation bug.  Several years
after it was reported, the engineering group apparently made a sweep through
as-yet unresolved problems and called me to ask if it had been fixed!  When
the young guy who called me heard it was still present, he followed it up,
and it was finally diagnosed as a problem with the compiler used to compile
the software.  Final resolution: it was too much work to try to debug *that*
problem, and the calculation bug was never fixed.

Luckily by that time there was PC software to replace it.  And we can be
sure there are no problems there.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.32
************************