RISKS Forum mailing list archives

Risks Digest 29.19


From: RISKS List Owner <risko () csl sri com>
Date: Mon, 28 Dec 2015 11:50:13 PST

RISKS-LIST: Risks-Forum Digest  Monday 28 December 2015  Volume 29 : Issue 19

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.19.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Oops: A gratuitous old issue got out to comp.risks. Sorry.  PGN]
"Listen up, FBI: Juniper code shows the problem with backdoors"
  (Fahmida Rashid)
NSA Helped British Spies Find Security Holes In Juniper Firewalls
  (Gallagher and Greenwald)
More on Juniper backdoor (Henry Baker)
China passes law requiring tech firms to hand over encryption keys
  (Mark Wilson via Henry Baker)
China's New Big Brother Law Is A Clone Of The West's Bad Ideas (HuffPo)
Dangerous helicopter bird strikes on the rise, FAA warns (KSL via LW)
Techno-skeptics objection growing louder (WashPo)
U.S. Says Hacker Stole IDs and Unreleased Scripts From Host of Celebrities
  (NYTimes)
Re: Reply by Karl Auerbach to The Moral Failure of Computer Scientists
  (Gene Wirchenko)
Re: Super-literate software reads and comprehends better than humans
  (Gene Wirchenko)
Re: Vulnerability in popular bootloader puts locked-down Linux, computers at
  risk (Mike Rechtman)
Re: Lie-detecting Software uses Machine Learning to Achieve 75%
  accuracy (Erling Kristiansen)
Re: Hotmail and how not to block spam (John Levine)
Re: Driverless Cars (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 24 Dec 2015 10:50:47 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Listen up, FBI: Juniper code shows the problem with backdoors"
  (Fahmida Rashid)

Fahmida Y. Rashid, InfoWorld, 23 Dec 2015
FBI director James Comey should be taking notes: The Juniper debacle
shows why security experts are up in arms over government-ordered backdoors
http://www.infoworld.com/article/3018029/virtual-private-network/listen-up-fbi-juniper-code-shows-the-problem-with-backdoors.html

opening text:

Government officials keep asking technology companies to put encryption
backdoors in their products. But the saga of the Juniper VPN backdoor is an
object lesson on how attackers can use this avenue for nefarious purposes.

Last week, Juniper Networks announced that during a routine internal audit,
it had found unauthorized code in ScreenOS, the operating system used in
products including firewalls and VPN gateways. The spying code would allow
someone monitoring VPN traffic flowing through NetScreen to decrypt the
traffic and monitor all communications. A second vulnerability provides
attackers with administrator access to NetScreen devices via a hard-coded
master password. Security researchers believe a backdoor was already present
in Juniper's code, and unknown attackers simply took advantage of it.

------------------------------

Date: Thursday, December 24, 2015
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: NSA Helped British Spies Find Security Holes In Juniper Firewalls
  (Gallagher and Greenwald)

Ryan Gallagher and Glenn Greenwald, The Intercept, 23 Dec 2015
https://theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq/

<https://www.documentcloud.org/documents/2653542-Juniper-Opportunity-Assess=
ment-03FEB11-Redacted.html> *A TOP-SECRET* document dated February 2011
reveals that British spy agency GCHQ, with the knowledge and apparent
cooperation of the NSA, acquired the capability to covertly exploit security
vulnerabilities in 13 different models of firewalls made by Juniper
Networks, a leading provider of networking and Internet security gear.

The six-page document, titled *Assessment of Intelligence Opportunity
Juniper*, raises questions about whether the intelligence agencies were
responsible for or culpable in the creation of security holes disclosed
<https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554>
by Juniper last week. While it does not establish a certain link between
GCHQ, NSA, and the Juniper hacks, it does make clear that, like the
unidentified parties behind those hacks, the agencies found ways to
penetrate the NetScreen line of security products, which help companies
create online firewalls and virtual private networks, or VPNs. It further
indicates that, also like the hackers, GCHQ's capabilities clustered around
an operating system called ScreenOS, which powers only a subset of products
sold by Juniper, including the NetScreen line. Juniper's other products,
which include high-volume Internet routers, run a different operating system
called JUNOS.

The possibility of links between the security holes and the intelligence
agencies is particularly important given an ongoing debate in the U.S. and
the U.K. over whether governments should have backdoors allowing access to
encrypted data. Cryptographers and security researchers have raised the
possibility that one of the newly discovered Juniper vulnerabilities stemmed
from an encryption backdoor engineered by the NSA and co-opted by someone
else. Meanwhile, U.S. officials are reviewing
<http://www.nytimes.com/reuters/2015/12/21/technology/21reuters-juniper-networks-cyberattack-cisco-systems.html>
how the Juniper hacks could affect their own networks, putting them in the
awkward position of scrambling to shore up
<http://www.cnn.com/2015/12/18/politics/juniper-networks-us-government-security-hack/index.html>
their own encryption even as they criticize the growing use of encryption by
others.

------------------------------

Date: Thu, 24 Dec 2015 16:38:47 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: More on Juniper backdoor

So, is Juniper liable for this Dual_EC screwup if it's their own code ?

Is Juniper liable for this Dual_EC screwup if NSA/FBI/FISA issued an NSL to
Juniper ?

Or with all the waivers Congress passed, *no one* is liable ?

Time to trot out Dan Geer's comments on software liability:

http://geer.tinho.net/geer.blackhat.6viii14.txt

 - -

Everyone should also be aware of *Certicom's patent application*
that talks about a very Juniper-like back door.

'An elliptic curve random number generator avoids *escrow keys* by
choosing a point Q on the elliptic curve as verifiably random.'

'The relationship between P and Q is used as an *escrow key* and
stored by for a security domain'

https://projectbullrun.org/dual-ec/patent.html

Pub. No.: US 2007/0189527 Al

Pub. Date: Aug. 16, 2007

ELLIPTIC CURVE RANDOM NUMBER GENERATION

Inventors: Daniel R. L. Brown, Mississauga (CA); Scott A. Vanstone, Campbellville (CA)

Appl. No.: 11/336,814

Filed: Jan. 23, 2006

Related U.S. Application Data

Provisional application No. 60/644,982, filed on Jan. 21, 2005.

Publication Classification

ABSTRACT

An elliptic curve random number generator avoids *escrow keys* by
choosing a point Q on the elliptic curve as verifiably random.  An
arbitrary string is chosen and a hash of that string computed.  The
hash is then converted to a field element of the desired field, the
field element regarded as the x-coordinate of a point Q on the
elliptic curve and the x-coordinate is tested for validity on the
desired elliptic curve.  If valid, the x-coordinate is decompressed to
the point Q, wherein the choice of which is the two points is also
derived from the hash value.  Intentional use of escrow keys can
provide for back up functionality.  The relationship between P and Q
is used as an *escrow key* and stored by for a security domain.  The
administrator logs the output of the generator to *reconstruct the
random number with the escrow key.*

------------------------------

Date: Sun, 27 Dec 2015 15:43:04 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: China passes law requiring tech firms to hand over encryption keys

FYI -- It's not clear what happens if the company doesn't *have* any keys --
i.e., they are only in the hands of the end-user.

"This latest move is one that will be view very suspiciously by foreign
companies operating within China, or looking to do so."

http://betanews.com/2015/12/27/china-passes-law-requiring-tech-firms-to-hand-over-encryption-keys/

Mark Wilson, BetaNews, 27 Dec 2015

Apple may have said that it opposes the idea of weakening encryption and
providing governments with backdoors into products, but things are rather
different in China.  The Chinese parliament has just passed a law that
requires technology companies to comply with government requests for
information, including handing over encryption keys.

http://betanews.com/2015/12/22/apple-wants-the-uk-government-to-rein-in-snoopers-charter/

http://betanews.com/2015/11/11/apples-tim-cook-on-weakening-encryption-any-backdoor-is-a-backdoor-for-everyone/

Under the guise of counter-terrorism, the controversial law is the Chinese
government's attempt to curtail the activities of militants and political
activists.  China already faces criticism from around the world not only for
the infamous Great Firewall of China, but also the blatant online
surveillance and censorship that takes place.  This latest move is one that
will be view very suspiciously by foreign companies operating within China,
or looking to do so.

China's infringement of freedom of speech and the hard line it takes on
those opposing the government is well-recorded.  While the government
insists that there will be no requirement for companies to install
backdoors, the country has already earned itself a reputation that is going
to be very difficult to shake off.

The deputy head of the Chinese parliament's criminal law division tried to
play down the controversy surrounding the new law.  Li Shouwei said:

http://www.reuters.com/article/us-china-security-idUSKBN0UA07220151227

"This rule accords with the actual work need of fighting terrorism and is
basically the same as what other major countries in the world do."

As well as granting new powers within China's borders, the new law also
permits overseas action by the People's Liberation Army -- something which
will be eyed with suspicion and likely opposed by for foreign nations.
There is also a provision, as reported by Reuters, that "media and social
media cannot report on details of terror activities that might lead to
imitation, nor show scenes that are 'cruel and inhuman' " -- something else
which will bring about accusation of standing in the way of free speech.

http://www.reuters.com/article/us-china-security-idUSKBN0UA07220151227

  [The law that actually passed is slightly different.  See this item.  PGN]
http://www.wsj.com/article_email/china-antiterror-law-doesnt-require-encryption-code-handovers-1451270383-lMyQjAxMTE1NDI3ODAyMTgyWj

------------------------------

Date: Sun, 27 Dec 2015 11:04:13 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: China's New Big Brother Law Is A Clone Of The West's Bad Ideas
  (HuffPo)

http://www.huffingtonpost.com/entry/china-anti-terror-law-encryption_56801192e4b014efe0d86ed0

  Li Shouwei, a government spokesman, told Reuters that companies won't have
  to fear any backdoors -- entryways that bypass a traditional security
  mechanism -- into their products and services. But a draft of the
  legislation that the International Association of Privacy Professionals
  analyzed in March shows that's untrue: China's new law requires Internet
  service providers and telecommunications providers to install
  government-accessible backdoors and provide encryption keys for any data
  stored on their servers. Shouwei also told Reuters that China was "simply
  doing what other major nations already do in asking technology firms to
  help fight terror." He cited Western nations' actions as justification,
  Reuters reported. Although US leaders have condemned China's laws, they
  are engaging in the same rhetoric of national security stateside,
  suggesting that technology companies find a magical way to create secure
  backdoors through a Manhattan-like project despite technologists and
  experts resolutely telling politicians that to do so is to mandate
  insecurity.

------------------------------

Date: Sun, 27 Dec 2015 09:13:52 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Dangerous helicopter bird strikes on the rise, FAA warns

https://www.ksl.com/?nid=151&sid=37912384&title=dangerous-helicopter-bird-strikes-on-the-rise-faa-warns

  Reports of helicopter bird strikes are up dramatically in recent years,
  including incidents, like the one in Dallas, that damage the aircraft and
  create the potential for crashes, according to the Federal Aviation
  Administration. In 2013, there were 204 reported helicopter bird strikes,
  a 68 percent increase from 2009 when there were 121 reports and an
  increase of over 700 percent since the early 2000s, said Gary Roach, an
  FAA helicopter safety engineer.

In response, the FAA has announced that all birds must register online
and pay $5 via credit card every three years.

------------------------------

Date: Sun, 27 Dec 2015 10:39:53 -0500
From: "Dave Farber" <farber () gmail com>
Subject: Techno-skeptics objection growing louder (The Washington Post)

https://www.washingtonpost.com/classic-apps/techno-skeptics-objection-growing-louder/2015/12/26/e83cf658-617a-11e5-8e9e-dce8a2a2a679_story.html

------------------------------

From: Monty Solomon <monty () roscom com>
Date: Sun, 27 Dec 2015 00:02:01 -0500
Subject: U.S. Says Hacker Stole IDs and Unreleased Scripts From Host of
  Celebrities (NYTimes)

The charges against Alonzo Knowles illustrate the ease with which private
email contacts, even for security-conscious entertainers, can be exploited.
http://www.nytimes.com/2015/12/23/nyregion/us-says-hacker-stole-ids-and-unreleased-scripts-from-host-of-celebrities.html

------------------------------

Date: Thu, 24 Dec 2015 18:58:30 -0800
From: Gene Wirchenko <genew () telus net>
Subject: Re: Reply by Karl Auerbach to The Moral Failure of Computer
  Scientists (RISKS-29.18)

  [Paragraphs which start with "GW:" are by me; the others are by
  Mr. Auerbach.]

GW:  Mr. Auerbach referred to the following article:
http://www.mercurynews.com/news/ci_29245938/university-of-california-pressured-to-count-computer-science-toward-high-school-math-requirement

Apparently the University of California is being pushed to count high-school
computer science courses taken by applying students as if those were
mathematics or science courses.

This disturbs me for several reasons.

First is that I have only on occasion found computer science to be a
substitute for the kind of intellectual disciple any of the hard sciences.

GW: As have I.  In 2010, I graduated from Thompson Rivers University (TRU)
with a Bachelor of Computing Science degree.

GW: I worked with a few students who were math students double majoring in
computing science.  (Call them MCs.)  They were not, and I am not aware of
any who were, computing science students double majoring in math.  (Call
these hypothetical students CMs.)  The distinction is important.

GW: In fact, I am unaware of any computing-science-major-only student (CSMO)
taking any more than the bare requirement of math courses (two) with one
exception: me.  I minored in math.  I was told by the computing science
chair that I was the only CSMO to ever do so.

GW: I found that CSMOs avoided math like the plague.

Second is that what is being called `computer science' at the high school
level is typically simple programming.  There is no doubt that it would be
useful if everyone coming out of high school had at least a thin knowledge
of what programming is.

GW: It was also true at TRU.  Courses that were coding and very close were
the ones of interest.  A special topics course on professionality in the
computing field was canceled due to lack of interest.  I would have liked
to have taken that course.  I wanted to take a course in computation theory.
There were supposedly three courses on the books for it, but only one had
ever been taught and that one only once.  I ended doing it as independent
study through the math department.

GW: I snipped the remainder of Mr. Auerbach's comments.  In short, I agree
that there is too much emphasis on tools and not enough on the higher
levels.

------------------------------

Date: Thu, 24 Dec 2015 19:53:00 -0800
From: Gene Wirchenko <genew () telus net>
Subject: Re: Super-literate software reads and comprehends better than humans
  (RISKS-29.18)

(https://www.newscientist.com/article/mg22830512-600-super-literate-software-reads-and-comprehends-better-than-humans/)
This article [noted in the previous RISKS issue] concludes with:

  There are still some issues to overcome, however, such as dealing with
  text in unusual formats. For example, names are particularly important to
  the Declassification Engine, and the system relies on the capital letters
  at the start of names to find them. But the cables come in all capitals, a
  relic of the Telex system that conveyed them around the planet. Rambow is
  confident he can get over the hurdle. "I hope that in the next month or
  two the humming will start," he says.

Is anyone else skeptical of the humming timeline?

------------------------------

Date: Fri, 25 Dec 2015 05:59:10 +0200
From: Mike Rechtman <mike () rechtman com>
Subject: Re: Vulnerability in popular bootloader puts locked-down Linux,
  computers at risk (Constantin, RISKS-29.18)

Grub2 bootloader's password protection and allow a hacker to install
malware on a locked-down Linux system

Two minor points:
  One: The breakin require physical access. Once you have that, you
    can own the Desktop/Server/Device using several methods.
  Two:  Not new, and IIRC fixed some time back.

------------------------------

Date: Fri, 25 Dec 2015 17:41:07 +0100
From: Erling Kristiansen <erling.kristiansen () xs4all nl>
Subject: Re: Lie-detecting Software uses Machine Learning to Achieve 75%
  accuracy (RISKS-29.18)

What one would want is separate performance figures for false positives and
false negatives. Those are mostly not identical, and might actually be very
different.

One would hope that the false positive (accusing somebody of lying, when
actually truthful) rate is significantly lower than the false negative (not
detecting a liar) rate in this case.

------------------------------

Date: 24 Dec 2015 23:56:58 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Hotmail and how not to block spam (RISKS-29.18)

Large mail services have been managing sender reputation this way for the
better part of a decade.  The hack to report competitors' mail as spam, and
the reverse, to report your own cruddy mail as not-spam, are well known, and
mail providers have ways to detect and deal with them, although for obvious
reasons they don't publish the details.

Mailers who grouse about their wonderful mail getting blocked this way
invariably turn out to be sending "greymail", it's not exactly spam, but the
recipients care whether they get it.  If real users missed it, they would be
complaining or at least marking it as not-spam.  And if a mailer can't
detect and block bulk signups by competitors, well, sheesh.

(Incidentally,) Sometimes a free service is worth what you pay for it,
although in this case it seems to be working as designed.

------------------------------

Date: 24 Dec 2015 23:43:47 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Driverless Cars (Analog)

Robot cars, of today, know the rules of the road, but not the psychology
of other participants on the highways.

Perhaps the people who write for Analog don't read the *Wall Street Journal*.
This article appeared in September:

  Google Inc. designed its self-driving cars to follow the rules of the
  road. Now it's teaching them to drive like people, by cutting corners,
  edging into intersections and crossing double-yellow lines. ...

http://www.wsj.com/articles/google-tries-to-make-its-cars-drive-more-like-humans-1443463523

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.19
************************


Current thread: