RISKS Forum mailing list archives

Risks Digest 27.77


From: RISKS List Owner <risko () csl sri com>
Date: Fri, 28 Feb 2014 14:15:57 PST

RISKS-LIST: Risks-Forum Digest  Friday 28 February 2014  Volume 27 : Issue 77

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.77.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Fake Computer Science Papers (Rebecca Mercuri)
France's 'Anti-Amazon' law takes the wrong approach (Hugo Beniada via
  Gene Wirchenko)
"Study: IRS exposing Social Security numbers online" (Tony Bradley via
  Gene Wirchenko)
EFF: Bad Facts, Really Bad Law: Court Orders Google to Censor Controversial
  Video Based on Spurious Copyright Claim (Lauren Weinstein)
"Pony malware targeting passwords and Bitcoins uncovered" (Candice So via
  Gene Wirchenko)
Scholarship for Women Studying Information Security (Jeremy Epstein)
Re: Lawmakers consider broad safety exemptions to bypass FDA
  (Robert L Wears)
"New iOS flaw allows malicious apps to record touch screen presses"
  (Lucian Constantin via Gene Wirchenko)
"Apple's security flaws: Are you paranoid enough yet?" (Caroline Craig
  via Gene Wirchenko)
Re: iPhone's Critical Security Bug: a Single Bad `Goto' (Chuck Petras,
  Dimitri Maziuk, David Hedley, Phil Smith)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 26 Feb 2014 09:38:26 -0500
From: Rebecca Mercuri <notable () mindspring com>
Subject: Fake Computer Science Papers

There is some software (called SCIgen) out of MIT that generates
scientific-looking papers. And some number of these have actually squeaked
through in (supposedly) reviewed conference proceedings, as well as into
IEEE and ACM databases!

Here's the research paper (not fake but 2 examples are in Appendix A) about
the fake papers:

http://hal.archives-ouvertes.fr/docs/00/71/35/55/PDF/0-FakeDetectionSci-Perso.pdf

A new check-box in paper review forms is suggested: "Utter Bullbleep!"

  [This is a very unsettling article.  The title is
    Duplicate and Fake Publications in the Scientific Literature: How
    many SCIgen papers in Computer Science?
    Cyril Labbé and Dominique Labbé,
    Institut d'Etudes Politiques de Grenoble, First.Last () iep-grenoble fr
    22 Jun 2012 ; Scientometrics; DOI 10.1007/s11192-012-0781-y

Abstract

Two kinds of bibliographic tools are used to retrieve scientific
publications and make them available online. For one kind, access is free as
they store information made publicly available online. For the other kind,
access fees are required as they are compiled on information provided by the
major publishers of scientific literature. The former can easily be
interfered with, but it is generally assumed that the latter guarantee the
integrity of the data they sell.  Unfortunately, duplicate and fake
publications are appearing in scientific conferences and, as a result, in
the bibliographic services. We demonstrate a software method of detecting
these duplicate and fake publications. Both the free services (such as
Google Scholar and DBLP) and the charged-for services (such as IEEE Xplore)
accept and index these publications.

Keywords: Bibliographic Tools, Scientific Conferences, Fake Publications,
Text-Mining, Inter-Textual Distance, Google Scholar, Scopus, WoK

Introduction

Several factors are substantially changing the way the scientific community
shares its knowledge.  On the one hand, technological developments have made
the writing, publication and dissemination of documents quicker and
easier. On the other hand, the "pressure" of individual evaluation of
researchers -- publish or perish -- is changing the publication process. This
combination of factors has led to a rapid increase in scientific document
production. The three largest tools referencing scientific texts are: Scopus
(Elsevier), ISI-Web of Knowledge (WoK Thomson-Reuters) and Google Scholar.

Google Scholar is undoubtedly the tool which references the most
material. It is free and it offers wide coverage, both of which are
extremely useful to the scientific community. Google Scholar allows grey
literature to be more visible and more accessible (technical reports, long
versions and/or tracts of previously published papers, etc). Google Scholar
systematically indexes everything that looks like a scientific publication
on the Internet, and, inside these documents and records, it indexes
references to other documents. Thus, it gives a picture of which documents
are the most popular. However, the tool, much like the search engine Google,
is sensitive to "Spam" [2], mainly through techniques similar to link farms
that artificially increase the "ranking" of web pages. Faked papers like
those by Ike Antkare [12] (see 2.2 below) may also be mistakenly
indexed. This means that documents indexed by Google Scholar are not all
bona fide scientific ones, and information on real documents (such as the
number of citations found) can be manipulated. This type of tool, using
information publicly and freely available on the Web, faces some
reproducibility and quality control problems [22, 10].

  (Author manuscript hal-00641906, version 2, 2 Jul 2012.)

  The full paper is well worth reading.  PGN]

------------------------------

Date: Fri, 28 Feb 2014 10:24:19 -0800
From: Gene Wirchenko <genew () telus net>
Subject: France's 'Anti-Amazon' law takes the wrong approach (Hugo Beniada)

Hugo Beniada, Fueled, 27 Feb 2014
http://www.itbusiness.ca/blog/frances-anti-amazon-law-takes-the-wrong-approach/46802

selected text:

After taking aim at U.S. Internet giants, including Yahoo Inc. and Google
Inc., France's new target is the online retailer Amazon.com Inc.

Last month, the French Senate approved the so-called "Anti-Amazon" law,
aimed to protect local book retailers. Basically, this law modernizes a 1918
law that established a fixed price for books sold in France. The Lang law,
which carries the name of Jack Lang (the Minister of Culture of that time),
enables book retailers to only discount up to 5 percent below the
publisher's price.

Created to preserve France's cultural exception, the government happens to
really forget about the primordial access to Culture with this law. French
rural inhabitants don't always have the chance to live right next to a
bookshop. Driving to the closest bookshop and paying for gas seems to be
really more inconvenient than waiting for a book to be delivered for free to
your mailbox.

  [I just noticed that in addition to selling new copies of my
  "Computer-Related Risks" (1995) book at a nice discount, Amazon is
  offering 15 used copies available for $0.01 plus shipping.  I'm delighted
  the book is still recirculating.  So much of it is still relevant today,
  as we keep making the same mistakes over and over again.  PGN]

------------------------------

Date: Wed, 26 Feb 2014 09:51:55 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Study: IRS exposing Social Security numbers online" (Tony Bradley)

Tony Bradley, InfoWorld, 25 Feb 2014
An analysis of public tax returns from non-profit organizations found
  an estimated 630,000 Social Security numbers were exposed online
PC World
http://www.infoworld.com/d/security/study-irs-exposing-social-security-numbers-online-237089

opening text:

This tax season you may have more to worry about than how much you owe. A
new study from Identity Finder finds the IRS is not properly protecting
social security numbers in some tax returns.

Personal tax returns are not public, but the tax returns of non-profit
organizations are public domain.

------------------------------

Date: Wed, 26 Feb 2014 20:01:12 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: EFF: Bad Facts, Really Bad Law: Court Orders Google to Censor
         Controversial Video Based on Spurious Copyright Claim

  "It's an old legal adage that bad facts lead to bad legal decisions, and
  today we've got a classic example in Garcia v. Google -- the "Innocence of
  Muslims" case. Based on a copyright claim that is dubious at best, the
  Ninth Circuit Court of Appeals has ordered Google to take offline a video
  that is the center of public controversy. We can still talk about it, but
  we can't see what we are talking about.  We're hard-pressed to think of a
  better example of copyright maximalism trumping free speech."
    http://j.mp/1hiSWHI  (EFF)

------------------------------

Date: Thu, 27 Feb 2014 11:32:35 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Pony malware targeting passwords and Bitcoins uncovered"
  (Candice So)

Candice So, *IT Business*, 26 Feb 2014
http://www.itbusiness.ca/news/pony-malware-targeting-passwords-and-bitcoins-uncovered/47143

------------------------------

Date: Fri, 28 Feb 2014 12:50:12 -0500
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Scholarship for Women Studying Information Security

Since 2011, Applied Computer Security Associates, sponsor of the ACSAC and
NSPW conferences, has offered scholarships for women in their undergraduate
and masters' degree programs through the Scholarships for Women Studying
Information Security (SWSIS, www.swsis.org).

Thanks to a $250,000 4-year contribution by Hewlett-Packard company, ACSA
plans to offer an increased number of scholarships for the 2014-15 academic
year.  Also new in 2014-15, the Committee on the Status of Women in
Computing Research (CRA-W), an arm of the Computing Research Alliance, is
joining SWSIS, and will lead selection of scholarship winners.

SWSIS winners will be invited to attend flagship conferences sponsored by
ACSA, HP, and CRA-W, and will be encouraged to participate in HP's summer
internship program.

Applicants must provide:
* An essay describing their interest and background in the information
  security field.
* A current transcript.
* A resume or CV.
* Letters of reference (typically from faculty members).
* Their university name and class status.

The scholarship is renewable for a second year, given proof of satisfactory
academic progress.  Preference is for US citizens or permanent residents;
funds are available for use at any US campus of a US university.

Applications may be submitted starting 30 Mar 2014, and will be accepted
until 1 May 2014.

More information at www.swsis.org or swsis () swsis org

Jeremy Epstein, Director, Scholarship Programs
Applied Computer Security Associates, Inc.

------------------------------

Date: Thu, 27 Feb 2014 14:00:34 -0500
From: "Robert L Wears, MD, MS, PhD" <wears () ufl edu>
Subject: Re: Lawmakers consider broad safety exemptions to bypass FDA (Fu,
  RISKS-27.76)

Kevin Fu's post notes that proposed legislation exempting health information
technology from independent oversight would create "disturbing loopholes"
that could compromise safety ... It's even worse than that.  Patient safety
is already compromised by buggy, poorly usable systems. The legislation
would just enshrine the status quo as the state of the art.

Robert L Wears, MD, MS, PhD, University of Florida Imperial College London
wears () ufl edu 1-904-244-4405  r.wears () imperial ac uk +44 (0)791 015 2219

------------------------------

Date: Wed, 26 Feb 2014 09:53:30 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "New iOS flaw allows malicious apps to record touch screen presses"

Lucian Constantin, InfoWorld, 25 Feb 2014
Attack is the equivalent of keylogging, and the captured touch screen
data could be used to reconstruct what users type
http://www.infoworld.com/d/security/new-ios-flaw-allows-malicious-apps-record-touch-screen-presses-237070

------------------------------

Date: Fri, 28 Feb 2014 10:17:52 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Apple's security flaws: Are you paranoid enough yet?"
  (Caroline Craig)

Caroline Craig | InfoWorld, 28 Feb 2014
Apple's SSL encryption fail and iOS keylogging flaw juiced anxiety
levels in an industry already reeling from security fatigue
http://www.infoworld.com/t/vulnerability-assessment/apples-security-flaws-are-you-paranoid-enough-yet-237332

------------------------------

Date: Wed, 26 Feb 2014 11:22:48 -0800
From: Chuck_Petras () selinc com
Subject: Re: iPhone's Critical Security Bug: a Single Bad `Goto' (RISKS-27.76)

What horrible coding style.  To me it looks like it was specifically written
to embed that exploit!

The Apple code snippet is a great example of why curly brackets should be
mandatory.

If I was reviewing that code I'd have made them re-write it along the lines
of:

   err = 0;
   if ( ( (err = (SSLHashSHA1.update(&hashCtx, &serverRandom)) ) != 0 ) ||
        ( (err = (SSLHashSHA1.update(&hashCtx, &signedParams)) ) != 0 ) ||
        ( (err = (SSLHashSHA1.final(&hashCtx, &hashOut))       ) != 0 )
      )
   { // Do fail stuff here
      SSLFreeBuffer(&signedHashes);
      SSLFreeBuffer(&hashCtx);
   }
   return err;

Chuck Petras, PE**, Schweitzer Engineering Laboratories, Inc
Pullman, WA  99163  USA  http://www.selinc.com  Tel: +1.509.332.1890

------------------------------

Date: Tue, 25 Feb 2014 18:47:29 -0600
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: iPhone's Critical Security Bug: a Single Bad `Goto' (RISKS-27.76)

Just as a side note: there are several scenarios where computer
practitioners consider it better than the alternative.

The code below is the textbook illustration for one: cleaning up after
yourself, in this case: freeing up memory.

SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa,
        SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen)
{
        OSStatus        err;
        ...
        if <error>
                goto fail;
        ...
        if <another error>
                goto fail;
        ...
        if <yet another error>
                goto fail;
        ...
fail:
        SSLFreeBuffer(&signedHashes);
        SSLFreeBuffer(&hashCtx);
        return err;
}

Because if you copy-paste the clean-up ("fail") block into a dozen "if"
blocks you will mess one of them up. Or somebody updating the code will
mess one up eventually.

What you'll get then is the dreaded memory leak that every computer
scientist knew was considered harmful.

Dimitri Maziuk, BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu

------------------------------

Date: Wed, 26 Feb 2014 10:14:46 +0000
From: David Hedley <david.hedley () 3-c coop>
Subject: Re: iPhone's Critical Security Bug: a Single Bad `Goto' (RISKS-27.76)

This fault demonstrates a dangerous feature of the C language and its
derivatives.

This programming mistake is not possible in an Algol or Fortran based
language, which would read:

IF (err ... != 0) THEN goto fail ENDIF;

and the (presumed) botched cut and paste edit would fail compilation.

So I propose that the use of C is a risk.

------------------------------

Date: Thu, 27 Feb 2014 09:34:00 -0800
From: Phil Smith <phil () voltage com>
Subject: Re: iPhone's Critical Security Bug: a Single Bad `Goto' (RISKS-27.76)

Baker:
But every computer scientist already knew that GOTO's are considered harmful!

I have for 35 years and continue to take exception to this blanket
statement, and do not believe from my reading of the early discussions that
this belief was the intention of the original writers. "GOTOs *without
discipline* are harmful" is closer to what I believe they meant.

In other words, GOTOs *can* make code much less readable, maintainable,
stable, reliable, and other good words ending in -ble. But that isn't
necessarily the case: indeed, code where the mainline never does a GOTO
*except* to branch out to error handlers (yes, I'm mainly talking about
non-OO code here) can be far more -ble.

Specifically, it reduces the levels of nesting. Consider the following
(p-code):

Function1()
If rc != 0 then...
   Function2()
   If rc != 0 then ...
      Function3()
      If rc != 0 then ...
         Function4()
         If rc != 0 then ...
         End
      End
   End
End
/* Did everything above work? */
If rc != 0 then ...
End

Those nested IFs get pretty painful if you use indentation (required for some
of the -bles!), especially if the blocks are large (another topic for
theological discussion, but out of scope here). Far more -ble IMHO:

Function1()
If rc != 0 then goto FAILED1
Function2()
If rc != 0 then goto FAILED2
Function3()
If rc != 0 then goto FAILED3
Function4()
If rc != 0 then goto FAILED4
/* If we get here, everything worked so far */

I would MUCH rather read and maintain the latter: I can see what the
mainline is doing, and if I need to know what happens if a specific call
fails, I go follow that up. This in no way diminishes the importance of
error handling: indeed, it enhances it, by allowing a bunch of error
handlers to be adjacent, making it easier to keep their behavior consistent.
How many times have you fixed a memory leak caused by an error case that
forgot to release a buffer that the other 27 error handlers all remembered
to do? If those had all been adjacent, it should (I almost wrote "would",
but that's a wish) be easier for the person adding a handler to say "Oh,
yeah, look, they all release that, I should at least see whether I need to
do that as well".

This requires some rigor to make sure that the FAILEDx handlers all
themselves wind up at an appropriate exit point, but then, this is all about
rigor.

It helps if the error handlers actually DO something, of course; in Apple's
case, "fail:" didn't do much except assume that an error had occurred. In
system-level code, I'd consider that alone to be inexcusably sloppy.
Something like this should be returning an error AND a reason: the error
handler forces the error, and the reason would be what fell out of the
specific call ("rc" vs. "errno", in many cases).

So the problem here wasn't the GOTOs per se: it was poorly structured, lazy
code. Not a new risk, alas.
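The control-flow defect the replies above discuss (Dimitri Maziuk's single cleanup label, Phil Smith's point that the "fail:" handler should force an error rather than assume one, and the unbraced duplicated goto), modelled as an added C example that is not from any RISKS contributor or from Apple's code; step_ok and check_signature are constructed stand-ins for the real hashing and signature checks.

```c
/* Added example: a toy model of the "goto fail" defect beside a
 * disciplined single-exit form. The check functions are constructed
 * stand-ins, not Apple's SSLHashSHA1 API. */
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins: 0 means success, non-zero is an error code. */
static int step_ok(void)             { return 0; }
static int check_signature(int good) { return good ? 0 : -1; }

/* Buggy form: the second "goto fail;" is unconditional, so the signature
 * check after it is dead code; control lands on "fail:" with err still 0
 * and the function reports success without ever verifying anything. */
int verify_buggy(int sig_good)
{
    int err = 0;
    void *ctx = malloc(16);           /* resource that must be released */
    if ((err = step_ok()) != 0)
        goto fail;
        goto fail;                    /* the duplicated line */
    if ((err = check_signature(sig_good)) != 0)
        goto fail;
fail:
    free(ctx);                        /* shared by success and failure */
    return err;
}

/* Disciplined form: braces are mandatory, every goto sits inside its if,
 * the mainline only jumps to the error handler, the success path has its
 * own exit, and the handler forces a non-zero code so an early exit can
 * never be mistaken for success. */
int verify_fixed(int sig_good)
{
    int err = 0;
    void *ctx = malloc(16);
    if ((err = step_ok()) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig_good)) != 0) {
        goto fail;
    }
    free(ctx);                        /* success path cleanup */
    return 0;
fail:
    free(ctx);                        /* single error-path cleanup */
    return err != 0 ? err : -1;       /* never report success from fail: */
}

int main(void)
{
    printf("bad signature, buggy form: %d\n", verify_buggy(0));
    printf("bad signature, fixed form: %d\n", verify_fixed(0));
    return 0;
}
```

Compiled with warnings enabled, the buggy form also draws a misleading-indentation or unreachable-code warning, which is the cheap check that would have flagged the original.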

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.77
************************
