RISKS-LIST: Risks-Forum Digest  Saturday 5 March 2011  Volume 26 : Issue 36

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can be found at

  Contents:
Swiss Officials Order Citizens to Wear Masks in Public -- Ban Tourists Posting Photos on Web (Lauren Weinstein)
An Outbreak Of Out Of Order Moles Whac-a-moles (Hans Polzer)
Matt Blaze: "Shaking Down Science" (PGN)
Raining on cloud computing: Gmail outage (Mark Thorson)
500,000 Gmail accounts go offline, some users lose all their data (David Farber)
Restoration of Gmail accounts from tape almost completed (Lauren Weinstein)
Mac OS X backdoor Trojan, now in beta? (Chester Wisniewski via Monty Solomon)
Risks in health records (DKross)
NY Assembly candidate's law shoots him in the foot (Celeste Katz)
SSD Erasure Unreliable (Gene Wirchenko)
"Can You Frisk a Hard Drive?" (David K. Shipler)
Facebook To Share Users' Home Addresses, Phone Numbers With External Sites (Huffington Post)
Vulnerable social networking platforms (jidanni)
Re: Kill Switch, Anyone? (Jonathan Kamens)
Re: Tree octopus exposes Internet illiteracy (Daniel A Graifer)
Susan Landau: Surveillance or Security? (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 24 Feb 2011 14:04:22 -0800
From: Lauren Weinstein
Subject: Swiss Officials Order Citizens to Wear Masks in Public -- Ban Tourists Posting Photos on Web

BERNE (ZAP) -- In a bold move to demonstrate that the Swiss government is as serious about privacy for its citizens as it has historically been regarding the protection of illicit foreign assets in Swiss bank accounts, the head of the newly created Switzerland Federal Department of Facial Anonymity, Nicolas J. Biellmann, today issued a preliminary order requiring that all Swiss citizens wear "full head coverage" masks at all times when outside their homes or places of business within the borders of Switzerland.

This groundbreaking move, being enthusiastically supported by radical pro-privacy groups in Switzerland and around the world, comes on the heels of previous Swiss orders that search giant Google must obscure every single human face -- even if this must be done manually -- that appears in their "Street View" images, or else potentially terminate Street View services for Switzerland ( http://j.mp/gj2V68 [Lauren's Blog] ).

"Upon due reflection," said Biellmann, "we realized that Google Street View was only the tip of the iceberg. After all, Street View imagery is usually only updated after months or even years. But there are lots of other people out there taking photos of Swiss faces every day -- whom we must protect our citizens against as well."

The "mask order" comes in conjunction with other new regulations banning tourists in Switzerland from posting to the Internet any photos of Swiss citizens, even taken in public places and gatherings. Under this new law, any such photos that are subsequently posted to the Web will bring about swift action by Swiss authorities. This may involve Web site shutdown orders, extradition of the tourist photographers back to Switzerland if they have already left the country, and in extreme cases the so-called Swiss "doomsday" option -- the remote and permanent shutdown of any and all cuckoo clocks associated with the photos' perpetrators.

At a press conference in downtown Berne today, reporters were provided with examples of the government-approved masks that would be required under the new order [editors, see photo DS0393-A3 - http://j.mp/fUrVNf (Lauren's Blog)]. Officials noted that approved masks would be available in a wide range of styles, and would include characteristics of popular Swiss folk heroes, characters from major films, and even a wide range of cute animals.

In answer to a reporter's question, Biellmann explained that approved masks would be constructed from special materials that are essentially transparent to government real-time surveillance closed-circuit television (CCTV) cameras. "We want to assure everyone that the government will still be able to track your every move via our CCTV systems. Our goal here is simply to make sure that firms like Google, and individual tourists, are blocked from citizen photography. You can be confident that law enforcement and other aspects of the government will have full access to your actual faces at all times, everywhere you go in public. Your ugliness will not be seen by anyone else," said Biellmann.

After a brief comment period, the new masking and anti-tourist photography regulations are expected to become law on April 1, 2011.

http://lauren.vortex.com/archive/000818.html

- - -

Update (February 25, 2011): Yes, except for the part about Switzerland demanding that Google obscure every single Swiss face in Street View -- even if it has to be done manually -- the rest of the story described in this posting is of course a satire. But you already knew that.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org
http://lauren.vortex.com   Tel: +1 (818) 225-2800

------------------------------

Date: Mon, 28 Feb 2011 12:59:47 PST
From: "Peter G. Neumann"
Subject: An Outbreak Of Out Of Order Moles Whac-a-moles (Hans Polzer)

  [From Hans Polzer via Will Tracz (Editor of the ACM SIGSOFT Software Engineering Notes, and General Chair ACM SIGSOFT 2012 - FSE 20 http://www.sigsoft.org/fse20; +1 607 741-2666).  PGN]

An Outbreak of Out-of-Order Moles [OoOoOMs!]
What happens when your Whac-A-Moles stop popping up? Well, the game gets slapped with an out of order sign and no longer generates any revenue... it just takes up space. So when an unusual outbreak of Whac-A-Mole malfunctions forced amusement park operators to start making service requests, did anyone think much of it? Well, yes, and no.

http://www.cfmediaview.com/lp1.aspx?v=13_11270447_688_5
http://www.todaysfacilitymanager.com/facilityblog/2011/02/friday-funny-an-outbreak-of-out-of-order-moles.html

------------------------------

Date: Mon, 28 Feb 2011 12:59:47 PST
From: "Peter G. Neumann"
Subject: Matt Blaze: "Shaking Down Science"

Some time in January, the IEEE apparently quietly revised its copyright policy to explicitly forbid us authors from sharing the "final" versions of our papers on the web, now reserving that privilege to themselves (available to all comers, for the right price).

http://www.crypto.com/blog/copywrongs  [typo fixed in archive. PGN]

  [This item by Matt is very important for you all to read. I am inclined to openly include Matt's entire text here, but it is even more important for RISKS readers to go to the source and see how this item fits in to the rest of what Matt has available. Organizations such as ACM and IEEE are clearly having difficulties adapting to the non-print world of the Internet. But preventing authors who believe in the importance of openness in research from distributing their own publications is a horrendous step backwards.  PGN]

------------------------------

Date: Mon, 28 Feb 2011 14:02:47 -0800
From: Mark Thorson
Subject: Raining on cloud computing: Gmail outage

Yesterday, Google wiped out the e-mail for an unknown number of users. Early estimates were as high as 150,000, but later estimates have pared that down to a number still in the tens of thousands.

http://news.yahoo.com/s/ap/20110228/ap_on_hi_te/us_tec_google_e_mail_problem_3

Google predicts being able to restore all accounts by the end of today (2/28).

http://news.yahoo.com/s/afp/20110228/tc_afp/usitcompanyinternetgmailgoogle_20110228205419

I've been skeptical about the whole concept of cloud computing since I first heard about it. You're taking your most important stuff -- your data and applications -- and placing it out of your control in the cloud. How many more incidents like this will it take to completely discredit cloud computing? When will cloud computing have its Hindenburg disaster?

------------------------------

Date: Mon, 28 Feb 2011 10:30:15 -0500
From: David Farber
Subject: 500,000 Gmail accounts go offline, some users lose all their data

Geek.com:
http://www.geek.com/articles/geek-pick/500000-gmail-accounts-go-offline-some-users-lose-all-their-data-20110228/

------------------------------

Date: Tue, 1 Mar 2011 13:11:50 -0800
From: Lauren Weinstein
Subject: Restoration of Gmail accounts from tape almost completed

A number of people have asked me about this incident, especially the "how could multiple copies of data be damaged/lost?" question.

While I wouldn't assert that this example is strictly relevant in this particular case, RAID may provide a useful example. I've been warning folks for years that even the higher levels of RAID (Redundant Array of Independent Disks) protection do not necessarily mean that data won't be lost, especially when those disks all share a single controller. If the controller in such a situation fails in a particularly nasty way, it could potentially corrupt enough of the data across the entire array of RAID disks to cause unrecoverable data loss.

Even when your redundant data is stored at different locations, it is possible for failure (in this case, likely a software-related problem) to cause data loss or corruption that may not be detected until it has been copied across to other replicated versions of the files. Even if you kept multiple copies of an e-mail index, it's possible to have failure modes where problems in one copy spread to the other copies prior to detection. That's why having completely isolated backups -- such as tape in Google's case -- makes excellent sense.

And for those of you attempting to use this case as an argument against cloud computing, I would simply note that only a relatively small number of Google's users were affected, it appears that their data will be successfully recovered, and when most people's home or business PC disks fail, they probably haven't been backed up at all. Technical term for that: S.O.L.

http://j.mp/hN0gYu  (Official Gmail Blog)

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org   +1 (818) 225-2800
PRIVACY Forum: http://www.vortex.com

------------------------------

Date: Mon, 28 Feb 2011 09:19:53 -0500
From: Monty Solomon
Subject: Mac OS X backdoor Trojan, now in beta? (Chester Wisniewski)

Chester Wisniewski, *Sophos*, 26 Feb 2011

It appears there is a new backdoor Trojan in town and it targets users of Mac OS X. As even the malware itself admits, it is not yet finished, but it could be indicative of more underground programmers taking note of Apple's increasing market share.

SophosLabs analyzed the sample we received and determined that it is a variant of a well-known Remote Access Trojan (RAT) for Windows known as darkComet. The author of the Trojan refers to it as the 'BlackHole RAT', as you can see from the screenshots, but Sophos calls it OSX/MusMinim-A, or 'MusMinim' for short. The name 'Black Hole' is already used by a legitimate application which actually aims to increase security on your Mac by helping you get rid of potentially sensitive information such as recently-used file lists, data left in the clipboard, and more.

MusMinim is very basic and there appears to be a mix of German and English in the user interface. Its functions include:

* Placing text files on the desktop
* Sending a restart, shutdown or sleep command
* Running arbitrary shell commands
* Placing a full screen window with a message that only allows you to click reboot
* Sending URLs to the client to open a website
* Popping up a fake "Administrator Password" window to phish the target...

http://nakedsecurity.sophos.com/2011/02/26/mac-os-x-backdoor-trojan-now-in-beta/

------------------------------

Date: Mon, 28 Feb 2011 14:48:53 PST
From: "Peter G. Neumann"
Subject: Risks in health records

  [Thanks to dkross]

http://online.wsj.com/article/SB10001424052748703312904576146371931841968.html?mod=WSJ_0_0_WP_2715_RIGHTTopCarousel_1

"... What's more, some health-care experts say the number of errors could jump in coming years. That's because the 2009 economic-stimulus legislation included $19 billion in spending to encourage the use of electronic health records—a major source of billing mistakes, says Ross Koppel, a sociology professor at University of Pennsylvania's Center for Clinical Epidemiology and Biostatistics who has studied electronic records extensively. The U.S. Department of Health and Human Services estimates that 80% of hospitals will use electronic records by 2014, up from 16% now.

... But those bills are sometimes inaccurate—often as a result of electronic billing snafus.

Among their benefits, electronic records can reduce the risk of duplicate testing by enabling doctors to track patients' care. David Blumenthal, national coordinator for electronic health records at the U.S. Department of Health and Human Services, says the technology helps prevent potentially fatal errors such as prescribing medication that a patient is allergic to. Electronic health records will "improve care for patients and bring about greater cost-effectiveness in our health sector," he says...."
------------------------------

Date: Wed, 23 Feb 2011 16:12:21 PST
From: "Peter G. Neumann"
Subject: NY Assembly candidate's law shoots him in the foot (Celeste Katz)

Celeste Katz, Dem Frank Skartados doomed by vague election law crafted by his own lawyer, *New York Daily News*, 21 Feb 2011
http://www.nydailynews.com/authors/Celeste%20Katz

Assembly Speaker Sheldon Silver's former adviser wrote the state law that may have cost him his powerful, veto-proof, Democratic supermajority.

Democrat Frank Skartados was forced to concede the seat for the 100th Assembly District last week when he was a mere 15 votes behind. In his heart of hearts, he believes he won.

But in a double whammy of irony, Skartados was seemingly doomed by a vague election law that was crafted by his own lawyer, Kathleen O'Keefe, while she worked as Silver's chief election counsel. O'Keefe's strict interpretation of her own law walled off one of Skartados' last hopes of fighting for the seat.

"I couldn't do anything with the way the law was written," said Skartados, who conceded to Republican Tom Kirwan after one of the most drawn-out contests in state history. "But I feel that justice was not served because the voices of everyone were silenced by the courts."

A Brooklyn appeals court ruled unanimously in favor of Kirwan when it tossed out about 60 contested affidavit ballots. That left Skartados just 15 votes behind.

In New York City, Board of Elections rules automatically require a hand inspection of the paper trail from voting machines in any election where the margin is 0.5% or less. State election law doesn't - and in races as close as the one for this Hudson Valley seat, it could make all the difference.

"New York law offers very little guidance as to when a full recount is required," elections law expert Jerry Goldfeder said. "The law needs to be clarified."

http://www.nydailynews.com/ny_local/2011/02/21/2011-02-21_oops_when_not_all_votes_really_count.html#ixzz1EeWe9CI3
http://www.nydailynews.com/ny_local/2011/02/21/2011-02-21_oops_when_not_all_votes_really_count.html#ixzz1EeSlVZzj

------------------------------

Date: Tue, 22 Feb 2011 12:48:24 -0800
From: Gene Wirchenko
Subject: SSD Erasure Unreliable

Woody Leonhard, *InfoWorld*, 22 Feb 2011
http://www.infoworld.com/t/solid-state-drives/flash-based-solid-state-drives-nearly-impossible-erase-263

Flash-based solid-state drives nearly impossible to erase
Think you got rid of that confidential information on your SSD? The results of a new study will come as a rude awakening

selected text:

Researchers from the University of California at San Diego delivered a paper at the FAST-11 Conference in San Jose, Calif., last week that shows it's almost impossible to reliably erase data from a solid state drive. The tome, "Reliably Erasing Data from Flash-Based Solid State Drives" (PDF), goes through all of the known techniques for erasing data and comes up short in every case.

The study's method is straightforward: They put repeating data on an SSD or USB drive, tried using various erasing techniques, took the SSD or USB drive apart, and pulled raw data off the chips. If any of the original data remained, erasing didn't work.

The culprit? SSD's so-called Flash Translation Layer, a firmware interface that makes an SSD appear to the PC like a big fat, uh, FAT device. Operating systems want to work with file allocation tables and clusters. SSDs have to deal with the vagaries of Flash media, which are quite different from rotating magnetic layers. For example, SSD blocks have to be erased before they can be written, and erasing takes a lot of time. FTL figures out how to erase unused blocks of memory when the SSD isn't doing anything else. SSD devices wear out faster if the same blocks are written and rewritten, so FTL balances the write load across all of the available memory.

You might imagine with all of these delayed erases running around and blocks of data being intentionally scattered to remote corners, there's some potential for error. Ends up, there's more than just a potential.

Perhaps some day we'll see the recommendations applied to an SSD device. In the meantime, the only sure way to erase the data on an SSD or USB drive requires a very large hammer.

- - -

  [PGN adds: Lauren Weinstein commented in his various distributions on this quote:
  "Our results show that naively applying techniques designed for sanitizing hard drives on SSDs, such as overwriting and using built-in secure erase commands is unreliable and sometimes results in all the data remaining intact. Furthermore, our results also show that sanitizing single files on an SSD is much more difficult than on a traditional hard drive."
  With the rise of SSD memory as a replacement for traditional hard disks, the security and privacy aspects of this situation seem quite noteworthy, to say the least. You can bet that those parties (legit or not) who wish to extract data from laptops, iPads, smartphones, or other SSD-based devices will already be ahead of the curve. Ya' think you really deleted that cleartext before sending out the encrypted version? You sure you actually deleted that company confidential material (or that porn!) before you head back through U.S. Customs?  Lauren]

------------------------------

Date: Sun, 20 Feb 2011 20:12:09 -0800
From: Lauren Weinstein
Subject: "Can You Frisk a Hard Drive?" (David K. Shipler)

David K. Shipler, Can You Frisk a Hard Drive?
*The New York Times*, 19 Feb 2011
http://j.mp/geIRBa

My comments:

Anyone who travels internationally with a laptop containing anything significant beyond the bare necessities for accessing cloud-based data under password and/or other security controls, is unfortunately simply asking for trouble. This holds especially true for the vast majority of travelers -- who have done nothing wrong -- but may still have their devices' (laptops, smartphones, etc.) data copied and searched in detail without a warrant or any indication that they are criminals, terrorists, or even overdue library book villains.

A laptop similar to Google's CR-48 and a good SSH program (e.g. in a Java applet), can be an enormous help in this regard.

In the long run, a more formal approach, as I outlined in "Urgent Call for Privacy-Enhanced Mobile Data Storage and Self-Destruct Mechanisms" - http://j.mp/gE1jUF (Lauren's Blog), would seem useful at least for consideration.

Lauren Weinstein (lauren@vortex.com)  http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org   +1 (818) 225-2800
Network Neutrality Squad: http://www.nnsquad.org

------------------------------

Date: Tue, 1 Mar 2011 05:29:39 -0500
From: David Farber
Subject: Facebook To Share Users' Home Addresses, Phone Numbers With External Sites

http://www.huffingtonpost.com/2011/02/28/facebook-home-addresses-phone-numbers_n_829459.html

------------------------------

Date: Tue, 01 Mar 2011 09:40:40 +0800
From: jidanni@jidanni.org
Subject: Vulnerable social networking platforms

http://socialnetworksecurity.org/en/vulnerable-websites.php

01 facebook.com  600,000,000
02 vk.com        135,000,000
03 bebo.com      130,000,000
04 badoo.com     110,000,000
05 netlog.com     74,000,000
...

This website was launched with the goal to publish security related vulnerabilities found on any social networking platform. In the past the authors of this website have found lots of security related issues on well known social networking platforms and tried to contact the responsible owners to provide detailed information on the found issues. During this we got really frustrated because often there is no secur[e] e-mail available on the social networking platform, which means that we had to try to contact the website providers via their "normal" help desk or ticketing system. This had the consequence that in most cases we got no answer or it took weeks till we got any answers. When we initially contacted the vendors and asked for a public PGP key or S/MIME so that we could send the information encrypted, we often got an answer saying that they don't use PGP or S/MIME in their company and that we should provide them the information via clear-text e-mail. Some of them even asked us what a PGP key is or, even worse, they sent us their private PGP key (for their luck, without the needed password).

------------------------------

Date: Tue, 22 Feb 2011 10:04:02 -0500
From: Jonathan Kamens
Subject: Re: Kill Switch, Anyone? (Wirchenko, RISKS-26.35)

I think it's actually pretty clear how mooo.com came to be seized along with other child porn domains. There must have been trafficking happening on some of the subdomains created by users underneath mooo.com, and the people assembling the list of domains to seize categorized the entire second-level domain, rather than the individual subdomains within it, as a trafficking domain.

This is not a terribly surprising error. I would imagine that the percentage of Internet .com domains where subdomains are owned and completely controlled by different people than the second-level domain is minuscule, and the community that utilizes such domains tends to be somewhat self-contained and not familiar to people who aren't part of it. Perhaps I'm wrong, but I don't think FreeDNS is particularly mainstream.

Note: I'm not trying to excuse the error; I'm just trying to explain how it happened.

  [Note: Simplistic overreactions sometimes lead to simplistic over-and-under-overreactions:
    Mark Rockwell, Bill explicitly prohibits Internet shut down
    http://www.gsnmagazine.com/node/22491?c=cyber_security
  In hopes of dispelling fears of a federal "Internet kill switch," Senate homeland security and financial management leaders introduced a cybersecurity reform bill that would explicitly prohibit the President from shutting down the Internet.  PGN]

------------------------------

Date: Mon, 21 Feb 2011 09:36:56 -0500
From: Daniel A Graifer
Subject: Re: Tree octopus exposes Internet illiteracy (RISKS-26.35)

My minimal legal knowledge is that courts have never accepted photographic evidence as incontrovertible. They have always required the testimony of the person who took the photo along with it -- i.e., testify that he/she took the photo at the place and time alleged, and didn't alter it.

------------------------------

Date: Wed, 23 Feb 2011 17:14:37 PST
From: "Peter G. Neumann"
Subject: Susan Landau: Surveillance or Security?

Susan Landau
Surveillance or Security? The Risks Posed by New Wiretapping Technologies
MIT Press, 2011

This is an absolutely mandatory source book for everyone interested in the would-be conflicts represented between and within each side of the "or" in the title. It is truly remarkable, incisive, important, timely, superbly researched, and copiously footnoted for those who want to dig even deeper. Please read it.

Of course, as RISKS readers are well aware, at the moment we seem to have surveillance without security, and without sufficient controls. However, the challenges of achieving adequate security *and* legitimate surveillance *and* meaningful privacy (however you might wish to define them) may be eternally unreachable -- especially in the absence of security.
Here's a quote from Jonathan Zittrain from the back jacket of the book:

  ``Susan Landau has taken an exceptionally complex but vital subject and presented it in a clear and compelling way. The ability of a citizen to securely communicate with her peers lies at the heart of the rule of law. Landau demonstrates the necessity of protecting that right amidst the technological changes that can greatly alter the balance of power between citizens and governments.''

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@csl.sri.com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact .
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r .
 ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 for browsing, or .ps for printing
 ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 26.36
************************
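The SSD Erasure item above (Leonhard on the FAST-11 paper) explains why a host-side overwrite misses the flash pages that still hold the old bytes: the Flash Translation Layer writes to a fresh erased page, merely marks the old one invalid, and defers the erase to idle time. The toy FTL below is an added illustration written for this copy of the digest, not code from the paper, InfoWorld or any vendor firmware; it assumes a tiny page/block geometry and a simplified garbage collector that only erases blocks with no valid page left.

```python
"""Toy flash translation layer (FTL): constructed model, not real firmware."""

PAGE_SIZE = 8            # bytes per flash page (toy value)
PAGES_PER_BLOCK = 4      # pages per erase block (toy value)
ERASED = b"\xff" * PAGE_SIZE   # NAND reads as all-ones after an erase


class ToyFTL:
    def __init__(self, logical_pages, physical_blocks):
        self.logical_pages = logical_pages
        self.flash = [[ERASED] * PAGES_PER_BLOCK for _ in range(physical_blocks)]
        self.state = [["erased"] * PAGES_PER_BLOCK for _ in range(physical_blocks)]
        self.erase_count = [0] * physical_blocks
        self.l2p = {}    # logical page -> (block, page) currently holding its data

    def write(self, lpn, data):
        """Host write: program a fresh page, retire the old one. Never erases."""
        if not (0 <= lpn < self.logical_pages) or len(data) != PAGE_SIZE:
            raise ValueError("bad logical page number or data length")
        # Wear levelling: take an erased page from the least-erased block.
        candidates = [(self.erase_count[b], b, p)
                      for b in range(len(self.flash))
                      for p in range(PAGES_PER_BLOCK)
                      if self.state[b][p] == "erased"]
        if not candidates:
            raise RuntimeError("no erased pages left; the FTL needs idle time")
        _, b, p = min(candidates)
        self.flash[b][p] = data
        self.state[b][p] = "valid"
        if lpn in self.l2p:                 # old copy stays in the chip, unmapped
            ob, op = self.l2p[lpn]
            self.state[ob][op] = "invalid"
        self.l2p[lpn] = (b, p)
        return (b, p)

    def read(self, lpn):
        """Host read goes through the mapping table; unmapped pages read erased."""
        if lpn not in self.l2p:
            return ERASED
        b, p = self.l2p[lpn]
        return self.flash[b][p]

    def idle(self):
        """Deferred housekeeping: erase blocks that hold no valid page at all."""
        erased = 0
        for b, states in enumerate(self.state):
            if "valid" not in states and "invalid" in states:
                self.flash[b] = [ERASED] * PAGES_PER_BLOCK
                self.state[b] = ["erased"] * PAGES_PER_BLOCK
                self.erase_count[b] += 1
                erased += 1
        return erased

    def chip_dump(self):
        """What desoldering the chips yields: every physical page, mapped or not."""
        return b"".join(page for block in self.flash for page in block)


def demo():
    """Overwrite one 'file' three times and check whether the chips still hold it."""
    ftl = ToyFTL(logical_pages=8, physical_blocks=4)   # 16 physical, 8 logical pages
    secret = b"SECRET01"                               # constructed sample payload
    ftl.write(0, secret)          # confidential file at logical page 0
    ftl.write(1, b"other.tx")     # unrelated live file lands in the same erase block
    results = {}
    for _ in range(3):            # shred-style overwrite of logical page 0
        ftl.write(0, b"\x00" * PAGE_SIZE)
    results["host_sees_zeros"] = ftl.read(0) == b"\x00" * PAGE_SIZE
    results["after_overwrite"] = secret in ftl.chip_dump()
    ftl.idle()                    # block 0 still has a valid neighbour: not erased
    results["after_idle"] = secret in ftl.chip_dump()
    ftl.write(1, b"other-v2")     # only once the neighbour moves too...
    ftl.idle()                    # ...does block 0 become erasable
    results["after_neighbour_rewrite_and_idle"] = secret in ftl.chip_dump()
    # Wear levelling steers the next write away from the freshly erased block 0.
    results["next_write_block"] = ftl.write(2, b"newfile2")[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The host sees zeros after the first overwrite, yet the raw dump still contains the secret until the erase block no longer holds any live neighbour, which is the per-file sanitization problem the quoted paper describes.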