RISKS-LIST: Risks-Forum Digest  Tuesday 15 October 2013  Volume 27 : Issue 53

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/27.53.html>
The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Azerbaijan releases election results -- before the election started (PGN)
Computer Failure Cuts off Access to Food Benefits (PGN)
Another botched Black Tuesday for MS (Woody Leonhard via Gene Wirchenko)
D-Link SOHO Routers reported to contain backdoor (Bob Gezelter)
Russian government's political comment trolling operation exposed (Lauren Weinstein)
EFF Resigns from Global Network Initiative (EFF)
Re: "Let's build a more secure Internet" (Peter Houppermans, Bob Frankston, Fred Cohen)
Re: Why the NSA's attacks on the Internet must be made public (Fred Cohen)
Re: NSA data center 'meltdowns' force year-long delay (Paul Saffo)
Correction re: Cyber Schools Fleece Taxpayers (Gene Wirchenko)
Re: Our Founding Fathers ... (Thor Lancelot Simon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 9 Oct 2013 22:39:07 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Azerbaijan releases election results -- before the election started

http://www.washingtonpost.com/blogs/worldviews/wp/2013/10/09/oops-azerbaijan...

Azerbaijan's big presidential election, held on Wednesday, was anticipated to be neither free nor fair. President Ilham Aliyev, who took over from his father 10 years ago, has stepped up intimidation of activists and journalists. Rights groups are complaining about free speech restrictions and one-sided state media coverage.
The BBC's headline for its story on the election reads `The Pre-Determined President'. <http://www.bbc.co.uk/news/world-europe-24450227> So expectations were pretty low. Even still, one expects a certain ritual in these sorts of authoritarian elections, a fealty to at least the appearance of democracy, if not democracy itself. So it was a bit awkward when Azerbaijan's election authorities released vote results -- a full day before voting had even started. <http://www.eurasianet.org/node/67607?utm_source=dlvr.it&utm_medium=twitter> The vote counts -- spoiler alert: Aliyev was shown as winning by a landslide -- were pushed out on an official smartphone app run by the Central Election Commission. It showed Aliyev as "winning" with 72.76 percent of the vote. That's on track with his official vote counts in previous elections: he won ("won"?) 76.84 percent of the vote in 2003 and 87 percent in 2008. [...]

[PGN-ed. The rest of this story is interesting as well. [Also noted by Dan Swinehart, who said, ``This is a variant on the punch line to a joke that I've told for decades. Reality trumps fiction again.'' http://politics.slashdot.org/story/13/10/10/0043217/azerbaijan-election-resu... PGN]

------------------------------

Date: Mon, 14 Oct 2013 16:26:37 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Computer Failure Cuts off Access to Food Benefits

AP item in *The New York Times*, PGN-ed, 13 Oct 2013: People in 17 states (including NJ and CA) were unable to use their food stamp debit cards for several hours on 12 Oct 2013, because a routine test of backup systems by Xerox failed. (Yes, RISKS readers know nothing is always "routine".)
------------------------------

Date: Thu, 10 Oct 2013 11:30:10 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: Another botched Black Tuesday for MS (Woody Leonhard)

Woody Leonhard, InfoWorld, 10 Oct 2013
Another botched Black Tuesday: KB 2878890 patch brings back two-year-old KB 951847 -- repeatedly
Microsoft's four-month body count: 23 bad patches. It's past time for Microsoft to improve the quality of its Automatic Updates
http://www.infoworld.com/t/microsoft-windows/another-botched-black-tuesday-k...

[It's a (Bach -> Batch -> BOTCH) FUGUE, which recapitulates the same themes repeatedly, although sometimes in a slightly different form. PGN]

------------------------------

Date: Mon, 14 Oct 2013 03:48:44 -0700
From: "Bob Gezelter" <gezelter@rlgsc.com>
Subject: D-Link SOHO Routers reported to contain backdoor

Apparently, D-Link SOHO routers sold under their own and some private labels have been reported to contain a "backdoor" which can allow anyone Administrator without the device password. This "feature" is implemented by the codebase using a pre-defined username, which does not need a password. Users are cautioned to act appropriately.

When will firms learn that backdoors are generically dangerous and should not be created?

The original article is at:
http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Thu, 10 Oct 2013 09:12:27 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Russian government's political comment trolling operation exposed

http://j.mp/GI5Ro3 (*St. Petersburg Times* via NNSquad)

"Local reporters have infiltrated a covert organization that hired young people as "Internet operators" near St. Petersburg and discovered that the employees are being paid to write pro-Kremlin postings and comments on the Internet, smearing opposition leader Alexei Navalny and U.S. politics and culture."
------------------------------

Date: Thursday, October 10, 2013
From: *EFF Press*
Subject: EFF Resigns from Global Network Initiative

Citing Concerns Over NSA's Impact on Corporate Members, EFF Leaves Industry Group

San Francisco - The Electronic Frontier Foundation (EFF) today withdrew from the Global Network Initiative (GNI), citing a fundamental breakdown in confidence that the group's corporate members are able to speak freely about their own internal privacy and security systems in the wake of the National Security Agency (NSA) surveillance revelations.

EFF has been a civil society member of the multi-stakeholder human rights group since GNI was founded in 2008 to advance freedom of expression and privacy in the global information and communication technologies sector. While much has been accomplished in these five years, EFF can no longer sign its name on joint statements knowing now that GNI's corporate members have been blocked from sharing crucial information about how the US government has meddled with these companies' security practices through programs such as PRISM and BULLRUN.

"We know that many within the industry do not like or approve of such government interference, and GNI has, in statements, made it clear that member companies want permission from the US government to engage in greater transparency," EFF's International Director Danny O'Brien and Director for International Freedom of Expression Jillian C. York write in a letter to GNI leadership. "However, until serious reforms of the US surveillance programs are in place, we no longer feel comfortable participating in the GNI process when we are not privy to the serious compromises GNI corporate members may be forced to make. Nor do we currently believe that audits of corporate practice, no matter how independent, will uncover the insecurities produced by the US government's--and potentially other governments'--behavior when operating clandestinely in the name of national security."
EFF's involvement with GNI included helping to define its founding principles over two years of negotiations; coordinating opposition to the United Kingdom's Communications Data Bill in 2011; releasing a paper addressing free-speech issues surrounding account deactivation and content removal; and collaborating with fellow members in internal international technical and policy analysis. However, EFF can no longer stand behind the credibility of what had been one of GNI's most significant achievements--third-party privacy and freedom of expression assessments of service providers, including Google, Microsoft and Yahoo.

Moving forward, EFF plans to continue to provide guidance to the GNI and engage companies directly, but as an external organization. EFF supports the other organizations and individuals that continue to work within the GNI for the free speech and privacy rights of users worldwide.

"Although EFF is taking a step back, GNI can still serve an important role as a collaborative project between human rights groups, companies, investors and academics," York said. "If the United States government truly supports international 'Internet freedom,' it would recognize the damage its policies are doing to weaken such efforts and the world's confidence in American companies."

For the text of the letter: https://www.eff.org/document/gni-resignation-letter-0
For this release: https://www.eff.org/press/releases/eff-resigns-global-network-initiative

About EFF

The Electronic Frontier Foundation is the leading organization protecting civil liberties in the digital world. Founded in 1990, we defend free speech online, fight illegal surveillance, promote the rights of digital innovators, and work to ensure that the rights and freedoms we enjoy are enhanced, rather than eroded, as our use of technology grows. EFF is a member-supported organization. Find out more at https://www.eff.org.
Electronic Frontier Foundation Media Release
For Immediate Release: Thursday, October 10, 2013

Jillian C. York
Director for International Freedom of Expression
Electronic Frontier Foundation
jillian@eff.org
+1 415 436-9333 x118

------------------------------

Date: Thu, 10 Oct 2013 09:39:37 +0200
From: Peter Houppermans <peter@houppermans.net>
Subject: Re: "Let's build a more secure Internet" (Dourado, RISKS-27.52)

With all due respect to the respective people involved, in my opinion you have the problem backwards. By attempting to create a trustworthy Internet, you are ignoring the fact that practically any platform carrying data over the Internet only survives by exactly NOT doing that.

The nice thing about not trusting the network layer is that it then becomes irrelevant what the carrier is: a comfy "hard shell, soft centre" insider threat corporate LAN, or a shaky "I have only 1 bar and my battery is dying" EDGE connection somewhere out in the field. Well, irrelevant from a security perspective :).

Only when we ensure that everything that travels over the Internet has at least a basic level of security attached can we progress, and there is much to fix. Why do websites still default to FTP uploads? Why is encrypted SMTP not the default for inter-party email exchange?

You improve security by adjusting the equation effort & risk vs. reward, and use tools you control yourself: content, framing and encryption. What is out of your control is by default untrusted, and doing it right also means that it's no longer worth doing the lower level intercept.

Finally, in context I appreciate the irony of sending that submission from a Google account :)

------------------------------

Date: Thursday, October 10, 2013
From: *Bob Frankston*
Subject: Re: Let's Build a More Secure Internet (Dourado, RISKS-27.51)

[via Dave Farber's IP distribution.
PGN]

This assumes that the Internet is a layer on top of a physical infrastructure -- a notion which misses the revolutionary idea of the Internet. The Internet is not the switches. It is a way we use the physical infrastructure as a resource rather than a dependency.

For that matter the very wording assumes there is an Internet that is apart from everything else when many of the issues are in the practices both in the way we exchange bits and the service we create using connectivity.

As long as we require that operators and service providers make a profit we force the creation of the meta data that can then be used to analyze our usage of the network. If we have a funding model that doesn't require every wire be a profit center then we wouldn't need to disclose (as much) metadata and the network operators wouldn't be obliged to monetize it.

There is a risk in seeking the social and business problems in technology rather than in understanding.

------------------------------

Date: Mon, 14 Oct 2013 06:44:50 -0700
From: Fred Cohen <fc@all.net>
Subject: Let's Build a More Secure Internet - hardly... (Re: RISKS-27.51)
> Eli Dourado, *The New York Times*, 8 Oct 2013
> Can we ever trust the Internet again?
As usual, the press gets it wrong soup to nuts. Starting with the premise that the Internet was ever worthy of trust in the first place, which leads to the question - trust for what? If you trusted the Internet for integrity, confidentiality, availability, use control, or accountability, you were making a mistake, and this is nothing new. I refer you to the series of articles I wrote in the mid-1990s called Internet Holes and the continuation of that series through the present day (http://all.net/Analyst/index.html). Not that the problems began then...
> In the wake of the disclosures about the National Security Agency's surveillance programs, considerable attention has been focused on the agency's collaboration with companies like Microsoft, Apple and Google, which according to leaked documents appear to have programmed "back door" encryption weaknesses into popular consumer products and services like Hotmail, iPhones and Android phones.
The difference being that they used legal process or money to get willing cooperation? Does anybody really believe that this wasn't being done earlier by planted insiders? And why worry about the NSA when they are only one of more than 100 countries likely undertaking the same sort of thing (many known to be doing so) since the beginning of the Internet.
> But while such vulnerabilities are worrisome, equally important - and because of their technical nature, far less widely understood - are the weaknesses that the N.S.A. seems to have built into the very infrastructure of the Internet.
We didn't need them to build weaknesses in. The commercial companies are perfectly capable of doing it intentionally and by accident. Weaknesses were always there. In terms of understanding, while I believe the press widely ignored these issues for much of the last 30+ years, the information protection field has been pointing them out since the technology was put into use.
> The concern is that even if consumer software companies like Microsoft and telecommunications companies like AT&T and Verizon stop cooperating with the N.S.A., your online security will remain compromised as long as the agency can still take advantage of weaknesses in the Internet itself.
As they always have and always likely will.
> Fortunately, there is something we can do: encourage the development of an "open hardware" movement - an extension of the open-source movement that has led to software products like the Mozilla browser and the Linux operating system.
Open software has nothing on closed software in terms of protection. In fact, arguably, closed source has produced fewer vulnerabilities per line of code over time than open source. I say "arguably" because, as a field, we have few and poorly collected metrics of such things. But those metrics seem to indicate that open source is not more secure as a rule.
> The open-source movement champions an approach to product development in which there is universal access to a blueprint, as well as universal ability to modify and redistribute the blueprint. Wikipedia is perhaps the best-known example of a product inspired by the movement. Open-source advocates typically emphasize two kinds of freedom that their products afford: they are available free of charge, and they can be used and manipulated free of restrictions.
Open source is not the same as free, not the same as anybody can (legally) modify it, or any such thing. It just means you can see the "blueprint".
> But there is a third kind of freedom inherent in open-source systems: the freedom to audit. With open-source software, independent security experts can scrutinize the code for vulnerabilities - whether accidentally or intentionally introduced. The more auditing by the programming masses, the better the security. As the open-source software advocate Eric S. Raymond has put it, "given enough eyeballs, all bugs are shallow."
This is a fallacy. It is simply not true that more eyes makes better security or that "all bugs are shallow" as a side effect. Experiments have historically shown that even if we point out the location of an intentional Trojan horse to within a few hundred lines of code, experts don't find it. And automated software doesn't even look for the sorts of intentional subversion that is used in many Trojan horses.
> Perhaps the greatest open-source success story is the Internet itself - at least its "soft" parts. The Internet's communications protocols and the software that implements them are collaboratively engineered by loose networks of programmers working outside the control of any single person, company or government. The Internet Engineering Task Force, which develops core Internet protocols, does not even have formal membership and seeks contributions from developers all over the world.
And the Internet is full of holes. It is the best example of how open source does not provide protection. And its success is largely because it (the process) doesn't seek to provide protection. The Internet is designed for functionality - widespread, general, rapidly deployed, easily developed, flexible, changeable, etc. functionality. As such, it is designed to support rapid change, not stability. It is designed to be redundant, recoverable, etc. NOT private, unalterable, etc. "Security" is afforded by this approach, but not secrecy, integrity, use control, or accountability. Availability is somewhat questionable. The security provided is the ability to change, learn, adapt, create, do your own thing, etc.
> But the problem is that the physical layer of the Internet's infrastructure - the hardware that transmits, directs and relays traffic online, as well as its closely knit software (or "firmware") - is not open-source. It is made by commercial computing companies like Cisco, Hewlett-Packard and Juniper Networks according to proprietary designs, and then sold to governments, universities, private companies and anyone else who wants to set up a network.
Making it "open source" will not help the situation. It will likely reveal far more vulnerabilities, but not fix them, and not reveal the tricky ones. But it will certainly cause these companies financial problems as their technical advantages over competitors will collapse, and their investment in new technology be reduced, thus reducing innovation and rate of progress.
> There is reason to be skeptical about the security of these networking products. The hardware firms that make them often compete for contracts with the United States military and presumably face considerable pressure to maintain good relations with the government. It stands to reason that such pressure might lead companies to collaborate with the government on surveillance-related requests.
And those made in China have Chinese Trojan horses.
> Because these hardware designs are closed to public scrutiny, it is relatively easy for surveillance at the Internet's infrastructural level to go undetected. To make the Internet less susceptible to mass surveillance, we need to recreate the physical layer of its infrastructure on the basis of open-source principles.
This won't work. It will just make it more expensive to run the government surveillance programs, costing the taxpayers more money and forcing the NSA back into the darker corners.
> At the moment, the open hardware movement is limited mostly to hobbyists - engineers who use the Internet to collaboratively build "open" devices like the RepRap 3D printer.
Which uses what open source processor chips? None! They all depend on proprietary chips.
> But the Internet community, through a concerted effort like the one that currently sustains the Internet's software architecture, could also develop open-source, Internet-grade hardware. Governments like Brazil's that have forsworn further involvement with American Internet companies could adopt such nonproprietary equipment designs and have them manufactured locally, free from any N.S.A. interference.
As if this would free them. It won't.
> The result would be Internet infrastructure, both hardware and software, that was 100 percent open and auditable.
Again, a fantasy. Even if realized, it would not accomplish the stated goal. The "open source" version of the Internet would not be an improvement. It is already largely open source, and has all of the problems that the Information age portends. It is an inherent property of the information age that in order to have effective protection, we need to restrain ourselves from doing the wrong thing in high volume and an effective government has to restrain itself or be restrained by its people. But this is nothing new.

Perhaps we need well armed Internet militias. Draft of the Xth amendment: A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Internet Arms, shall not be infringed.

Fred Cohen - 925-454-0171 - All.Net & Affiliated Companies
http://all.net/ PO Box 811 Pebble Beach, CA 93953

------------------------------

Date: Mon, 14 Oct 2013 07:01:57 -0700
From: Fred Cohen <fc@all.net>
Subject: Re: Why the NSA's attacks on the Internet must be made public (Schneier, RISKS-27.51)
> Among IT security professionals, it has been long understood that the public disclosure of vulnerabilities is the only consistent way to improve security. That's why researchers publish information about vulnerabilities in computer software and operating systems, cryptographic algorithms, and consumer products like implantable medical devices, cars, and CCTV cameras.
This is a fallacy. There is no substantial science behind the asserted claim (that disclosure improves protection) and no statistics behind the actual claim (that IT security professionals have long understood that or even agree to the asserted claim). The rest of the article repeats this mistake. It asserts cause and effect without a substantial basis.
> It's folly to believe that any NSA hacking technique will remain secret for very long.
Really! You may rest assured that they have plenty of methods that, while published long ago in some form, remain largely a secret to anyone who is affected by them. That's because, as a community, we don't bother to review the literature before proclaiming ourselves experts. Nothing I have seen published about what the NSA is asserted to have done is a big secret in terms of the ability to do it. The secret (if there is one) is that they did do it, with whom, etc. The techniques I have heard about are hardly a secret. Bribe a company, extort a company, plant an insider, plant a Trojan, not new, not secret methods. In terms of longevity, I would bet that there are lots of things still secret from the 1950s, some of which died with those who held them.
> The NSA has two conflicting missions. Its eavesdropping mission has been getting all the headlines, but it also has a mission to protect US military and critical infrastructure communications from foreign attack. Historically, these two missions have not come into conflict. During the cold war, for example, we would defend our systems and attack Soviet systems.
The equities issue has always been present, and the equities have historically always favored attack over defense. The question that needs to be addressed is how this balance should be as opposed to how it has been. My personal view is that the defense should be favored far more than it is at present or has been in the past, but then I am a defender.

The reason for my view? Because the US and our allies are asymmetrically dependent on information and technology. So successful attack can hurt us a lot more than it hurts them. Meanwhile, successful defense depends on knowledge, skills, effort, etc. which we presumably have more of than our enemies. So if we build strong defenses that require ongoing effort, we will win as long as we are willing to spend the effort and they are not. Of course if it takes too much effort, it will sap our strength... and somewhere in there is an equation to be produced and solved.

Fred Cohen - 925-454-0171 - All.Net & Affiliated Companies
http://all.net/ PO Box 811 Pebble Beach, CA 93953

------------------------------

Date: Wed, 09 Oct 2013 20:05:33 -0700
From: Paul Saffo <psaffo@me.com>
Subject: Re: NSA data center 'meltdowns' force year-long delay (RISKS-27.52)

... it appears the problem isn't with the grid supplying the power, but with the electrical system on the NSA site.

------------------------------

Date: Wed, 09 Oct 2013 21:54:01 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: Correction re: Cyber Schools Fleece Taxpayers (RISKS-27.51)

The link for the first item ("Cyber Schools Fleece Taxpayers for Phantom Students and Failing Grades") is actually:
http://www.prwatch.org/news/2013/10/12257/junk-bonds-junk-schools-cyber-scho...
(The item's link was missing "cyber-schools-".)

------------------------------

Date: Fri, 11 Oct 2013 01:28:48 +0000 (UTC)
From: tls@panix.com (Thor Lancelot Simon)
Subject: Re: Our Founding Fathers ... (Robinson, RISKS-27.51)
> A couple thousand years ago, the way you moved from Slave or peon to Citizen in Imperial Rome was you raised enough money to afford a sword and shield ...
This is empirically false, and it's a shame to see made-up "facts" given credibility by appearing in RISKS. Without this and the several other similar assertions of "fact" in the piece I quote above, I'm not sure there is any support for its argument at all.

If you'd like to know how changes in status really took place in Imperial (or pre-Imperial) Rome, I can recommend Crook, J.A., _Law and Life Of Rome_, 90 B.C. - A.D. 212 (Ithaca: Cornell, 1967).

Thor Lancelot Simon, : Public Access Networks Corp., tls@panix.com

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@csl.sri.com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.53
************************