RISKS Forum mailing list archives

Risks Digest 27.62


From: RISKS List Owner <risko () csl sri com>
Date: Mon, 25 Nov 2013 15:53:19 PST

RISKS-LIST: Risks-Forum Digest  Monday 25 November 2013  Volume 27 : Issue 62

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.62.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Massive cargo plane that landed at wrong Kansas airport finally
  makes it to right one (Dylan Stableford)
Repeated attacks hijack huge chunks of Internet traffic (Dan Goodin)
Sweden to give police and others realtime access to citizens'
  phone, e-mail, more (NNSquad)
US and UK struck secret deal to allow NSA to 'unmask' Britons'
 personal data (*The Guardian*)
US senators say there's 'no evidence' bulk metadata surveillance is useful
  (Cyrus Farivar via Dewayne Hendricks)
As if there weren't enough reasons to hate the wireless carriers
  (DV Henkel-Wallace)
Op-ed: Lavabit's founder responds to cryptographer's criticism
  (Ladar Levison)
"Jailbreak a phone, go to jail: Copyright law, the TPP way"
  (Robert X. Cringely via Gene Wirchenko)
Computer Scientists Not Totally Clueless About Passwords (Dan Goodin)
"GitHub bans weak passwords after brute-force attack results in compromised
   accounts" (Lucian Constantin)
Web Companies Slam Ruling In Libel Case [as well they should]
  (Lauren Weinstein)
Hackers actively exploiting JBoss vulnerability to compromise servers
  (Lucian Constantin via Gene Wirchenko)
Germany threatens to fine and/or jail Carl Malamud for doing his usual thing
  (Lauren Weinstein)
Metadata vs. data: the real issue (Geoff Kuenning)
HP sending *styrofoam* junk mail (Joe Touch via Dave Farber)
Alternate definition of GIGO (Paul Wexelblat)
Re: UK conservatives attempting to erase their Internet history
  (Scott Miller)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 21 Nov 2013 9:27:00 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Massive cargo plane that landed at wrong Kansas airport finally
  makes it to right one (Dylan Stableford)

A Boeing 747 LCF Dreamlifter bound from JFK to McConnell Air Force Base in
Kansas landed by mistake at the much smaller Jabara Airport about 12 miles
to the north, with a runway considered 3000 feet too short for a normal
takeoff for that aircraft.

  [If you build it, they will come -- `out in left field', and laboriously
  wind up in (the) `right field'?  PGN]

http://news.yahoo.com/dreamlifter-cargo-plane-wrong-airport-wichita-135024064.html
http://news.yahoo.com/gigantic-plane-stuck-tiny-airport-153357709.html

------------------------------

Date: Wednesday, November 20, 2013
From: *Dewayne Hendricks*
Subject: Repeated attacks hijack huge chunks of Internet traffic
  (Dan Goodin)

Dan Goodin, Ars Technica, 20 Nov 2013
Man-in-the-middle attacks divert data on scale never before seen in the wild.
http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks-of-internet-traffic-researchers-warn/

Huge chunks of Internet traffic belonging to financial institutions,
government agencies, and network service providers have repeatedly been
diverted to distant locations under unexplained circumstances that are
stoking suspicions the traffic may be surreptitiously monitored or modified
before being passed along to its final destination.

Researchers from network intelligence firm Renesys made that sobering
assessment in a blog post published Tuesday. Since February, they have
observed 38 distinct events in which large blocks of traffic have been
improperly redirected to routers at Belarusian or Icelandic service
providers. The hacks, which exploit implicit trust placed in the border
gateway protocol used to exchange data between large service providers,
affected "major financial institutions, governments, and network service
providers" in the US, South Korea, Germany, the Czech Republic, Lithuania,
Libya, and Iran.

The ease of altering or deleting authorized BGP routes, or of creating new
ones, has long been considered a potential Achilles Heel for the Internet.
Indeed, in 2008, YouTube became unreachable for virtually all Internet
users after a Pakistani ISP altered a route in a ham-fisted attempt to block
the service in just that country. Later that year, researchers at the Defcon
hacker conference showed how BGP routes could be manipulated to redirect
huge swaths of Internet traffic. By diverting it to unauthorized routers
under control of hackers, they were then free to monitor or tamper with any
data that was unencrypted before sending it to its intended recipient with
little sign of what had just taken place.

"This year, that potential has become reality," Renesys researcher Jim Cowie
wrote. "We have actually observed live man-in-the-middle (MitM) hijacks on
more than 60 days so far this year. About 1,500 individual IP blocks have
been hijacked, in events lasting from minutes to days, by attackers working
from various countries."

At least one unidentified voice-over-IP provider has also been targeted. In
all, data destined for 150 cities have been intercepted. The attacks are
serious because they affect the Internet equivalents of a US interstate that
can carry data for hundreds of thousands or even millions of people.  And
unlike the typical BGP glitches that arise from time to time, the attacks
observed by Renesys provide few outward signs to users that anything is
amiss.

"The recipient, perhaps sitting at home in a pleasant Virginia suburb
drinking his morning coffee, has no idea that someone in Minsk has the
ability to watch him surf the Web," Cowie wrote. "Even if he ran his own
traceroute to verify connectivity to the world, the paths he'd see would be
the usual ones. The reverse path, carrying content back to him from all over
the world, has been invisibly tampered with."

Guadalajara to Washington via Belarus

Renesys observed the first route hijacking in February when various routes
across the globe were mysteriously funneled through Belarusian ISP
GlobalOneBel before being delivered to their final destination. One trace,
traveling from Guadalajara, Mexico, to Washington, DC, normally would have
been handed from Mexican provider Alestra to US provider PCCW in Laredo,
Texas, and from there to the DC metro area and then, finally, delivered to
users through the Qwest/Centurylink service provider. According to Cowie:

Instead, however, PCCW gives it to Level3 (previously Global Crossing), who
is advertising a false Belarus route, having heard it from Russia's
TransTelecom, who heard it from their customer, Belarus Telecom. Level3
carries the traffic to London, where it delivers it to Transtelecom, who
takes it to Moscow and on to Belarus. Beltelecom has a chance to examine the
traffic and then sends it back out on the `clean path' through Russian
provider ReTN (recently acquired by Rostelecom). ReTN delivers it to
Frankfurt and hands it to NTT, who takes it to New York. Finally, NTT hands
it off to Qwest/Centurylink in Washington DC, and the traffic is delivered.
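The diversion Cowie describes works because each network installs the routes its neighbours announce on trust, so a false origin announcement propagates until someone checks it against an authoritative record. The article does not name a defence, but the standard one is Route Origin Validation against RPKI Route Origin Authorisations (ROAs). The block below is an added example, not code from the article, from Renesys or from any router vendor: it implements the RFC 6811 validity decision over a constructed ROA set and a handful of constructed announcements. Every prefix and AS number in it is a documentation value (RFC 5737 address blocks, RFC 5398 ASNs), and the line formats are my own, not a real router or RPKI-cache syntax.

```python
"""Route Origin Validation (ROV) over a constructed set of BGP announcements.

Added example (not from the article or Renesys). Decision follows RFC 6811:
an announcement is 'valid' when a covering ROA authorises its origin AS at
that prefix length, 'invalid' when covering ROAs exist but none match, and
'not-found' when no ROA covers the prefix. All prefixes and ASNs below are
constructed documentation values, not real networks.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Union


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorisation: origin_asn may announce prefix and any
    more-specific of it down to max_length bits."""
    prefix: Union[IPv4Network, IPv6Network]
    max_length: int
    origin_asn: int


def parse_roa(line: str) -> ROA:
    """Parse the constructed form 'prefix-maxlen ASn',
    e.g. '203.0.113.0/24-24 AS64500'."""
    pfx_part, asn_part = line.split()
    prefix_s, maxlen_s = pfx_part.rsplit("-", 1)
    return ROA(ip_network(prefix_s), int(maxlen_s), int(asn_part[2:]))


def parse_announcement(line: str):
    """Parse the constructed form 'prefix ASn ASn ...'; the AS path is
    listed left to right with the origin AS rightmost."""
    parts = line.split()
    return parts[0], [int(p[2:]) for p in parts[1:]]


def validate(prefix: str, origin_asn: int, roas) -> str:
    """Return the RFC 6811 state for one (prefix, origin AS) pair."""
    net = ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    # Covered by at least one ROA, but wrong origin or too specific.
    return "invalid"


def audit(announcement_lines, roa_lines):
    """Map each announcement line to its validity state. 'invalid' is what an
    operator drops (or at minimum alerts on) before installing the route."""
    roas = [parse_roa(line) for line in roa_lines]
    result = {}
    for line in announcement_lines:
        prefix, path = parse_announcement(line)
        result[line] = validate(prefix, path[-1], roas)
    return result


# Constructed ROAs: who may originate what, and how specific they may go.
ROAS = [
    "203.0.113.0/24-24 AS64500",   # exactly the /24, nothing longer
    "192.0.2.0/24-26 AS64510",     # the /24 and more-specifics down to /26
]

# Constructed announcements as a route collector might see them.
ANNOUNCEMENTS = [
    "203.0.113.0/24 AS64496 AS64500",           # legitimate origin
    "203.0.113.0/25 AS64496 AS64500",           # right origin, longer than ROA allows
    "203.0.113.0/24 AS64496 AS64501 AS64502",   # foreign origin: the hijack shape
    "192.0.2.64/26 AS64496 AS64510",            # more-specific within max_length
    "198.51.100.0/24 AS64496 AS64503",          # no ROA: cannot be judged
]

if __name__ == "__main__":
    for line, state in audit(ANNOUNCEMENTS, ROAS).items():
        print(f"{state:9s} {line}")
```

Two of the constructed cases matter most for the article's scenario: a third party originating a prefix it has no ROA for comes back "invalid" even when the rest of the path looks plausible, and a prefix with no ROA at all comes back "not-found", which is exactly the state a network that has not published ROAs leaves itself in. ROV says nothing about the AS path itself, so a hijack that keeps the legitimate origin AS on the end of a forged path is outside what this check catches.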

------------------------------

Date: Wed, 20 Nov 2013 22:39:49 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Sweden to give police and others realtime access to citizens'
  phone, e-mail, more (NNSquad)

  "Swedish citizens will get all their phone calls and e-mail traffic
  wiretapped in real time not just by the Swedish NSA branch, but also by
  police, customs, the tax authority, and others. These plans were revealed
  today by the Ny Teknik magazine, sending shockwaves among civil rights
  activists. This follows a previous law change that gave the Swedish NSA
  branch, the FRA, realtime access to all Internet traffic that crossed the
  country borders - effectively wiretapping everybody warrantlessly all the
  time."
    http://j.mp/I67Qnu  (Falkvinge)
http://falkvinge.net/2013/11/19/swedish-regime-to-give-police-customs-tax-authorities-realtime-access-to-citizens-phone-mail-more/

------------------------------

Date: Thu, 21 Nov 2013 08:36:40 -0500
From: Dave Farber <dave () farber net>
Subject: US and UK struck secret deal to allow NSA to 'unmask' Britons'
 personal data

http://www.theguardian.com/world/2013/nov/20/us-uk-secret-deal-surveillance-personal-data

------------------------------

Date: Wednesday, November 20, 2013
From: *Dewayne Hendricks* (via Dave Farber)
Subject: US senators say there's 'no evidence' bulk metadata surveillance
   is useful (Cyrus Farivar)

Cyrus Farivar, 19 Nov 2013
http://arstechnica.com/tech-policy/2013/11/us-senators-say-theres-no-evidence-bulk-metadata-surveillance-is-useful/

Sen. Mark Udall (D-CO) and others join as amici to lawsuit filed against
NSA.  As we reported back in July 2013, the Electronic Frontier Foundation
and its allies filed a new federal lawsuit challenging government spying in
the wake of the Snowden leaks.

This case, First Unitarian Church v. NSA, challenges the government's
collection of telephone call information, saying the practice violates the
First, Fourth, and Fifth Amendments of the United States Constitution. The
complaint states that Verizon, AT&T, and Sprint all participate in the
government's collection of data, including originating and terminating phone
numbers, trunk identifiers, calling card numbers, and time and duration of
calls.

Now, the First Unitarian Church and its fellow plaintiffs have new allies in
three United States senators who have been at the forefront of surveillance
policy reform. In a new amicus brief filed on Tuesday, Senators Mark Udall
(D-CO), Ron Wyden (D-OR), and Martin Heinrich (D-NM) say that they ``have
seen no evidence that the bulk collection of Americans' phone records has
provided any intelligence of value that could not have been gathered through
less intrusive means.'' In this case, the plaintiffs argue that the
National Security Agency's collection of phone data is unconstitutional, not
just because it affects their rights to be free of illegal searches but
because it affects their free speech rights as well. The lawsuit alleges
that the government is impinging on First Amendment rights of activist
groups to communicate anonymously, as well as "the right to associate
privately and the right to engage in political advocacy free from government
interference."

The new brief critiques several prominent cases that government officials
have used to justify their spying program, including the Najibullah Zazi
case and the Basaaly Moalin case. Zazi pleaded guilty in 2010 to an
attempted bombing of the New York City subway system and is scheduled for
sentencing in February 2014. Moalin's attorneys continue to challenge the
government's case. The government has also argued that Khalid al-Mihdhar,
one of the September 11, 2001 hijackers who had been living in the United
States, could have been identified earlier with the bulk phone records
program in place. ...

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>

------------------------------

Date: Nov 19, 2013 2:41 PM
From: "DV Henkel-Wallace" <gumby () henkel-wallace org>
Subject: As if there weren't enough reasons to hate the wireless carriers

You are probably aware that some DAs are pushing for phones to support a
"kill switch" to reduce phone theft.

According to today's *The New York Times*, although the phone manufacturers
are willing, the carriers are not.  SF's DA says, "the carriers are
concerned that the software would eat into the profit they make from the
insurance programs many consumers buy to cover lost or stolen phones."

Interestingly, Apple (whose customer is the end user, not the carrier) had
no problem adding this feature.  So now the carriers are hurting not only
their customers but their vendors too.

http://bits.blogs.nytimes.com/2013/11/19/carriers-reject-a-kill-switch-for-preventing-cellphone-theft/

  [Gene Wirchenko noted Martyn Williams, InfoWorld Home, 21 Nov 2013
  Law enforcement officials in New York and San Francisco called the
  carriers' response 'highly disturbing'.  PGN]
http://www.infoworld.com/d/mobile-technology/mobile-carriers-slammed-rejecting-smartphone-kill-switch-231373

------------------------------

Date: Fri, 22 Nov 2013 14:30:04 -0700
From: "Cipher Editor" <cipher-editor () ieee-security org>
Subject: Op-ed: Lavabit's founder responds to cryptographer's criticism
  (Ladar Levison)

http://arstechnica.com/security/2013/11/op-ed-lavabits-founder-responds-to-cryptographers-criticism/
Ladar Levison, Ars Technica, 7 Nov 2013

"Ladar Levison, who shut down his secure e-mail service under US government
pressure, has learned a lot."  His vision was protection for e-mail "at rest"
in a way that would make government search warrants useless.  Instead, he
got hit with a demand for the system's "data in transit" keys, implying a
network surveillance capability that caught him unawares.

------------------------------

Date: Thu, 21 Nov 2013 09:43:37 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Jailbreak a phone, go to jail: Copyright law, the TPP way"
  (Robert X. Cringely)

Robert X. Cringely, InfoWorld, 21 Nov 2013
Even more examples of ill-informed thinking lurk in the Trans-Pacific
Partnership, the SOPA/CISPA/PIPA redux
http://www.infoworld.com/t/cringely/jailbreak-phone-go-jail-copyright-law-the-tpp-way-231331

------------------------------

Date: Fri, 22 Nov 2013 14:30:04 -0700
From: "Cipher Editor" <cipher-editor () ieee-security org>
Subject: Computer Scientists Not Totally Clueless About Passwords (Dan Goodin)

Dan Goodin, Ars Technica, 8 Nov 2013

http://arstechnica.com/security/2013/11/its-official-computer-scientists-pick-stronger-passwords/

"It's official: Computer scientists pick stronger passwords.  Landmark study
says people in business school choose weakest passwords."

While it seems unsurprising that computer scientists, on the average, choose
slightly better passwords than their peers in the arts, it is surprising
that those in the arts surpass those in business school.  Apparently the
profit motive is insufficient.

------------------------------

Date: Thu, 21 Nov 2013 11:06:48 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "GitHub bans weak passwords after brute-force attack results in
  compromised accounts" (Lucian Constantin)

Lucian Constantin, InfoWorld, 20 Nov 2013
Some GitHub accounts have had their passwords, access tokens, and SSH
keys reset
http://podcasts.infoworld.com/d/security/github-bans-weak-passwords-after-brute-force-attack-results-in-compromised-accounts-231273

------------------------------

Date: Fri, 22 Nov 2013 08:26:25 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Web Companies Slam Ruling In Libel Case [as well they should]

  The Web companies say in their papers that Bertelsman interpreted the
  Communications Decency Act too narrowly. "Virtually every website includes
  features that invite and encourage users to enter particular types of
  content," the companies argue. "A site devoted to reviews of restaurants
  or other businesses might well have specific language explaining the value
  and importance readers place on 'negative' reviews and soliciting users to
  submit details of their negative experiences with a business."  The
  companies add that all Web sites that invite negative reviews or contents
  could lose their immunity for libel, under Bertelsman's view of the law.
    http://j.mp/1bXYuEZ  (Mediapost via NNSquad)

------------------------------

Date: Tue, 19 Nov 2013 14:57:06 -0800
From: Gene Wirchenko <genew () telus net>
Subject: Hackers actively exploiting JBoss vulnerability to compromise servers
  (Lucian Constantin)

Lucian Constantin, InfoWorld, 18 Nov 2013
Hackers exploit exposed JBoss management interfaces and invokers to
install Web shells on servers
http://www.infoworld.com/d/security/hackers-actively-exploiting-jboss-vulnerability-compromise-servers-231091

------------------------------

Date: Fri, 22 Nov 2013 08:37:06 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Germany threatens to fine and/or jail Carl Malamud for doing his
  usual thing

  One of the most important public safety laws in Europe is Dir.
  2001/95/EC, which regulates general product safety.  Public.Resource.Org,
  in our ongoing quest to make legally-mandated public safety codes
  available, purchased the German instantiation of 40 of these essential
  codes and made them available on the Internet. Every country in the EU is
  required to implement and publish these standards.  "Imagine our surprise
  when we were served notice to appear in Hamburg District Court in
  Germany."  http://j.mp/1bXZSr4 (Boing Boing via NNSquad)

------------------------------

Date: Nov 21, 2013 4:21 AM
From: "Geoff Kuenning" <geoff () cs hmc edu>
Subject: Metadata vs. data: the real issue (via Dave Farber's IP)

In recent months, much has been written about the NSA's collection of phone dialing
records and similar information.  The government is quick to label what they
collect as "metadata", even though that is something of a misnomer in the
current situation.  The follow-on to that characterization is the claim that
metadata doesn't threaten privacy, because the actual *content* of phone
calls, texts, and e-mails remains hidden.

Many people have pointed out that because large amounts of metadata can
reveal important information, it is itself a privacy threat.  And they're
correct: for example, in the last few days I've searched "Munich weather"
several times.  It doesn't take much insight to figure out what's in my
immediate future.

But what the government's argument (quite deliberately) glosses over is
another critical difference between metadata and raw data: metadata is
designed for computer processing.  Anybody who has used a voice recognition
or voice transcription system knows how hard it is to successfully eavesdrop
on millions of phone calls simultaneously.  But the metadata from those
millions of calls can easily filter out a few hundred that are then passed
to humans for detailed snooping.

And *that* is why the collection of metadata is a problem.

  Geoff Kuenning   geoff () cs hmc edu   http://www.cs.hmc.edu/~geoff/
  Statistics don't bore people, people bore people.

------------------------------

Date: Wednesday, November 20, 2013
From: *Joe Touch* (via Dave Farber)
Subject: HP sending *styrofoam* junk mail

Today I received a package from HP, advertising their new ZBook family of
laptop computers.

That itself would be unremarkable. What was remarkable was the packaging:

  - a 13" x 9" x 0.75" chunk of styrofoam, inside a
  - paper box and brochure, wrapped in
  - "shrinkwrap" plastic

I appreciate their intent -- to demonstrate the size of their computer by
sending me something of the same dimension. Given the dimensions are
basically the same as most low-end laptops for the past 15 years, that seems
just a waste of time.

What is more disconcerting is *shipping* styrofoam that has no functional
use (corrugated paper would have worked equally well).

This wins the wasted packaging award IMO. I guess HP isn't all that
concerned about environmental issues, despite having a web page dedicated
to claiming otherwise:

http://www8.hp.com/us/en/hp-information/environment/

I'll let Consumer Reports know (they highlight cases inside the back cover
of every issue), but I thought this list might find this interesting too.

------------------------------

Date: Thu, 21 Nov 2013 10:21:47 -0500
From: Paul Wexelblat <wex () cs uml edu>
Subject: Alternate definition of GIGO (Re: Epstein, RISKS-27.61)

Very old, fairly common alternate definition of GIGO is Garbage In, Gospel
Out.  As when the electric company insists that you used $113,047.15 of
electricity last month, "because the computer says so".

------------------------------

Date: Wed, 20 Nov 2013 11:36:01 -0500
From: "Scott Miller" <SMiller () unimin com>
Subject: Re: UK conservatives attempting to erase their Internet history
  (RISKS-27.61)

All one must do to retroactively remove the entire history of a web page (or
entire domain) from the so-called Wayback Machine is publish a "robots.txt"
directive under the appropriate url? Is that the correct interpretation
here? If so, I'm very disappointed with archive.org. It's one thing to honor
"robots.txt" prospectively, it's quite another to allow its use to
effectively erase content after the fact. To me, this renders the Internet
Archive essentially useless. On further investigation, the retroactive
attribute is confirmed by the IA FAQ, and Alexa Internet seems to be the
culprit. Not that my conclusions about IA are altered in any way by that
finding...

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.62
************************
