RISKS-LIST: Risks-Forum Digest  Sunday 7 April 2013  Volume 27 : Issue 24

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can be found at

  Contents:
Chinese Government To Buy Dell (Steven J. Greenwald)
Deeper Meaning in a Live YouTube April Fools' Gag (Lauren Weinstein)
New Test for Computers - Grading Essays at College Level (Gabe Goldberg)
"Fix your DNS servers or risk aiding DDoS attacks"
  (Ted Samson via Gene Wirchenko)
"Cyber criminals tying up emergency phone lines through TDoS attacks"
  (Ted Samson via Gene Wirchenko)
Prenda Law's Attorneys Take The Fifth Rather Than Answer Judge Wright's
  Questions (Lauren Weinstein)
"Firefox 20 ups HTML5 support, adds dev tools and per-tab Private Browsing"
  (Gene Wirchenko on Ted Samson)
MS apologizes for employee's Xbox Durango 'always-online' tweets
  (Lauren Weinstein)
"Ransomware uses victims' browser histories for increased credibility"
  (Lucian Constantin via Gene Wirchenko)
ZIP Codes Are Definitely "Personal Identification Information"
  (Monty Solomon)
Everything We Know About What Data Brokers Know About You (Monty Solomon)
Mozilla Firefox CPU hog ?? (Henry Baker)
`Massive' Cyberattack Wasn't Really So Massive (David Talbot)
Risks of ASCII-formatting mathematics (Bill Stewart)
Sears Discloses User-Selected PIN (Richard Karash)
Online tax returns, You're Doing It Wrong... (Valdis Kletnieks)
Wow! Are we still in the 1990s? (Gene Spafford)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 1 Apr 2013 16:41:28 -0400 (GMT-04:00)
From: "Steven J. Greenwald"
Subject: Chinese Government To Buy Dell

http://news.yahoo.com/china-to-buy-dell-source-155247372--sector.html

Chinese Government To Buy Dell
By Carl Michaels and Michael Silver | Rueters - Monday, Apr 1, 2013

NEW YORK / BEIJING (Rueters) - Dell Inc announced today that the Chinese government would purchase them in a leveraged buy out. Michael Dell and private equity firm Silver Lake Partners have announced that they welcome the leveraged buy out. "It's the best of all the alternatives that the company's board had explored," said Dell in a prepared statement to shareholders.

Carl Icahn has proposed paying $15 per share for 58 percent of Dell, while Blackstone Group has indicated it can pay $14.25 per share. But both deals would involve saddling the troubled tech company with massive debt and keeping it public. Silver Lake Partners would offer all cash at $13.65 per share and take Dell private in the reverse of an IPO: an LBO or so-called "leveraged buy out" where a failing public company goes private at a severe loss to the shareholders and usually with massive firing of competent employees while retaining the incompetent ones.

But Xia Xiahuang, head of the Technology Investment Government Workers Group, a Chinese government agency, said that China would pay $17.75 per share to acquire the ailing tech company. "We need more competition in the Pan-Asian PC market. As a growing world economy China needs more than just Lenovo," said Xiahuang at a press conference where she announced the decision. "If successful in our leveraged buy out then we plan on moving Dell to Government City Number 23 where we have lots of unemployed tech workers."

She extolled the virtues of corporate competition in her statement. "We learned a lot from the Americans, especially about how capitalism works with a centrally managed economy." When asked about the history of that, she said, "Maybe we have a language issue here, but no, we don't call that 'fascism' here."
Government City Number 23, a super-secret facility, used to make advanced nuclear weapons for the Chinese government. It is located, according to sources, somewhere near the Chinese Mongolian border. "We don't need more hydrogen bombs. We can get all of those that we want from North Korea. And cheap!" When asked why, she said, "We need more PCs, tablets, and smartphones."

Xiahuang then said, "Also, we have all of these U.S. Treasury bonds just sitting around doing squat. If we can use a few of those to buy a has-been company like Dell, why not? Better than earning almost no interest like American retirees."

When asked about the business model for the decision, Xiahuang said, "Well, we don't see much of a domestic market, but we definitely have a guaranteed market with the U.S. government with Dell's Federal Systems Division." When pressed for details, she said, "We don't foresee any consumer demand at all for Dell products. We'll focus on selling hardware and software to the U.S. Government. We have an excellent relationship with their procurement agencies."

Michael Dell could not be reached for comment. A written press release by Dell warned that any leveraged recapitalization, even by a major government, was risky. "While we have no objection to moving to Mongolia, especially given how we now are headquartered in Round Rock, Texas, we do feel compelled to mention that the telephone system near Mongolia would not support our outsourced customer service model." Additional questions were deferred for later according to the press release, to comply with Sarbanes-Oxley.

Outside analysts dismissed this, noting that Dell long ago abandoned any pretense of good customer service for anyone, especially low-level consumers. "The Chinese will whip them in line," said Ani Prox, a financial sector tech analyst. "I can't wait until they screw over a relative of the Central Committee and then the Chinese publicly execute a few of their so-called 'customer support' drones." When asked if he thought this a good move, Prox said, "I don't want to say that I'm literally jumping with joy. But I am. Those damned monsters had it coming."

Many American analysts have concerns about the proposed U.S. cyber-espionage rule that would limit Chinese imports of information technology products in the wake of alleged Chinese hacking attacks on the U.S. When asked about those concerns, Chinese government spokesperson Xiahuang said, "The Chinese government does not engage in hacking. Hello? If we did would we buy a company with such strong customer dissatisfaction as Dell?" She went on to dispute that the U.S. has evidence of hacking attacks by China and claimed that more than half of the attacks actually originate from Dell PCs in the United States. "Let's face it; we do the Americans a huge favor here which the Obama Administration knows. We don't foresee any problems with this minor acquisition of a failed and widely-hated company."

According to the U.S. Congressional Research Service, the United States imports about $129 billion worth of "advanced technology products" from China, which includes PCs, laptops, tablets, smartphones, music players, gaming devices, and military drones. U.S. military and intelligence community purchases of these products have tripled in the past year under Obama Administration rules.

Chinese state media, including Xinhua, the China Daily, and the People's Daily, quoted a spokesperson for the Chinese Ministry of Commerce. "The proposed U.S. bill sends a very wrong signal. Don't they want us to buy that awful Dell company to use up some of the massive amounts of U.S. T-bills we bought? We already buy up all of their real-estate that we can to prop them up."

"This abuse of so-called national security measures is unfair to Chinese enterprises and people, and extends the discriminatory practice of presumption of guilt," said the article in the official People's Daily. "This severely damages mutual trust between the U.S. and China."

China Daily, in an editorial widely believed to be written by the government, said, "Besides, China does the U.S. taxpayers a favor by taking this awful company off their hands. Does the U.S. want another bailout of a failed company on their hands?"

Technology security lawyer Stuart Bleaker wrote in a recent blog post that China could claim that the United States is violating World Trade Organization rules. However, because Beijing hasn't signed a WTO agreement setting international rules for government procurement, it may not be successful in its challenge, even though no one actually pays attention to WTO rules when big players like China are involved.

Chinese foreign ministry spokesman Hong Lei also urged the U.S. to abandon the law at a news conference on Thursday. "This bill uses Internet security as an excuse to take discriminatory steps against Chinese companies," he said. "Let us buy Dell already! What's your problem? Frankly, we do you Americans a huge favor. You can't possibly want this awful company. We'll take it off your hands, get rid of some of the debt you owe us, and employ a bunch of people near Mongolia. A win-win for everyone."

A U.S. State Department spokesperson could not be reached for comment.

------------------------------

Date: Mon, 1 Apr 2013 17:10:33 -0700
From: Lauren Weinstein
Subject: Deeper Meaning in a Live YouTube April Fools' Gag (NNSquad)

Deeper Meaning in a Live YouTube April Fools' Gag
http://lauren.vortex.com/archive/001018.html

As I'm typing this at around 16:45 PDT on April Fools' Day, Google's YouTube is running one of the funniest stunts I've seen in years. On this currently live video feed ( http://j.mp/X9E9pj ) we have a pair of presenters reading the titles and uploader descriptions of seemingly rather randomly selected YouTube videos.
They're not showing the videos mind you (except for a few being "spotlighted") -- just reading texts from large piles of red and white YouTube cards, in a manner reminiscent of some twisted awards ceremony from an alternative universe.

And in fact, this April Fools' Day event is part of a larger gag (one of many deployed by Google for today -- others included "Gmail Blue," "Google Nose," and more). In this case our presenters are purportedly in the process of announcing every video ever uploaded to YouTube, in preparation for shutting down YouTube for a decade, while the corpus of existing videos is reviewed to select the "best of them all" -- to be announced in 2023, of course.

What's so very fine about this particular joke is the way the pair of presenters (Donald and Kendra) are playing it all absolutely straight, with barely a smile cracked as they intone out loud video descriptions ranging from touching to ludicrous, all of which appear to be 100% absolutely legit. And of course, the juxtaposition of completely unrelated descriptions only adds to the amusement.

But as this delightful spectacle continues to stream onto a screen to my left at this very moment, I'm thinking that there is a deeper meaning in play.

Those YouTube video descriptions -- from serious to silly, from banal to urbane -- and by definition the videos associated with them -- are a cross-section of real life, in all its stupendous variety and wonder. Soldiers in battle. Dog eating burger. Bad guitar players. A tribute to a lost friend. Millions and millions and millions of videos, every single one meaning something to whoever took the time to upload them.

Lots of people make money posting on YouTube, but vastly more post simply for the joy of sharing what they care about, and within those piles of cards being read aloud today is the very essence of that meaning -- remarkably clear even absent the actual videos themselves. I think this is a truth worth noting.

And since D and K were just provided with chairs at last, it looks like the show may be good to go for quite a while yet!

Even in the midst of this great April Fools' concept, there is a teachable moment in every video upload, in every video description. Together they're a distillation of so many persons' loves (and hates), desires, fantasies and memories. That's quite remarkable, really. And it's no joke.

------------------------------

Date: Thu, 04 Apr 2013 17:13:20 -0400
From: Gabe Goldberg
Subject: New Test for Computers - Grading Essays at College Level (NYTimes.com)

Imagine taking a college exam, and, instead of handing in a blue book and getting a grade from a professor a few weeks later, clicking the `send' button when you are done and receiving a grade back instantly, your essay scored by a software program. And then, instead of being done with that exam, imagine that the system would immediately let you rewrite the test to try to improve your grade...

http://www.nytimes.com/2013/04/05/science/new-test-for-computers-grading-essays-at-college-level.html?hp

What could go wrong?

  [For example, students who reverse engineer the software or gain experience from the program's behavior can adjust their writing styles to just barely get a good grade -- without ever really learning how to write effectively. By the way, Harvard now ``admits that the e-mail surveillance was wider than the school originally admitted.'' Perhaps U.C. Santa Cruz had a better idea to do away with grades and grade-point averages -- which might cause problems only when an undergrad wants to get admitted to a graduate school other than UCSC. But we seem to be generally dumbing down education wholesale at many levels, leading to lowest-common-denominator curricula, narrowing what is or can be taught, and reducing personal contacts with teachers. Autograding certainly might be another step in that direction.
  PGN]

------------------------------

Date: Mon, 01 Apr 2013 13:59:26 -0700
From: Gene Wirchenko
Subject: "Fix your DNS servers or risk aiding DDoS attacks" (Ted Samson)

Ted Samson, InfoWorld, 01 Apr 2013
Perpetrators of the DDoS ambush against Spamhaus exploited open DNS resolvers in third-party servers
http://www.infoworld.com/t/security/fix-your-dns-servers-or-risk-aiding-ddos-attacks-215510

  [Not an April-Fools' piece. It seems to have been a light year. PGN]

------------------------------

Date: Tue, 02 Apr 2013 13:00:45 -0700
From: Gene Wirchenko
Subject: "Cyber criminals tying up emergency phone lines through TDoS attacks" (Ted Samson)

Ted Samson, InfoWorld, 01 Apr 2013
Similar to DDoS attacks, TDoS also used to extort cash from targets, including businesses and public service agencies
http://www.infoworld.com/t/cyber-crime/cyber-criminals-tying-emergency-phone-lines-through-tdos-attacks-215585

------------------------------

Date: Tue, 2 Apr 2013 16:05:23 -0700
From: Lauren Weinstein
Subject: Prenda Law's Attorneys Take The Fifth Rather Than Answer Judge Wright's Questions

http://j.mp/16uxXLr (Popehat via NNSquad)

  "Today the Prenda Law enterprise encountered an extinction-level event. Faced with a federal judge's demand that they explain their litigation conduct, Prenda Law's attorney principals - and one paralegal - invoked their right to remain silent under the Fifth Amendment to the United States Constitution. As a matter of individual prudence, that may have been the right decision. But for the nationwide Prenda Law enterprise, under whatever name or guise or glamour, it spelled doom."

Such a cheerful word in this particular case: "doom."

------------------------------

Date: Wed, 03 Apr 2013 08:12:15 -0700
From: Gene Wirchenko
Subject: "Firefox 20 ups HTML5 support, adds dev tools and per-tab Private Browsing"

I had not thought of the risk presented in the use case quoted, probably because I am the only one who uses my computers. I have read accounts of people searching for something on the Web and then getting bombarded with ads for it for some time after.

http://www.infoworld.com/t/applications/firefox-20-ups-html5-support-adds-dev-tools-and-tab-private-browsing-215672

Ted Samson, InfoWorld, 02 Apr 2013
Firefox 20 ups HTML5 support, adds dev tools and per-tab Private Browsing
Mozilla's latest browser release unlocks HTML5 features and supports ARM processors for low-power smartphones

  "Privacy buffs will likely be most interested in per-tab Private Browsing feature, which lets you open a new window for an Internet session during which no site- or page-specific data -- such as history, passwords, downloads, or cookies -- is saved to your machine. You can then freely switch back and forth between private-session windows and the regular one. Mozilla provides a fairly innocent example of a use case: a user browsing online for a surprise gift."

------------------------------

Date: Fri, 5 Apr 2013 19:56:26 -0700
From: Lauren Weinstein
Subject: MS apologizes for employee's Xbox Durango 'always-online' tweets

http://j.mp/10mgja9 (The Next Web via NNSquad)

  "On Thursday, Microsoft Studios creative director Adam Orth sent out a slew of tweets implying that he sees nothing wrong with rumors of Microsoft's next Xbox, codenamed Durango, requiring an "always-on" Internet connection to function. Unsurprisingly, the backlash from users was massive, and although Orth ended up setting his Twitter account to private to hide them from the general public, by then the damage had already been done. Microsoft on Friday released an official statement regarding the tweets: ..."

As the song says, "When will they evvvvvver learn?" Tweets are public. Public is public. Period.
------------------------------

Date: Tue, 02 Apr 2013 12:57:48 -0700
From: Gene Wirchenko
Subject: "Ransomware uses victims' browser histories for increased credibility" (Lucian Constantin)

http://www.infoworld.com/d/security/ransomware-uses-victims-browser-histories-increased-credibility-215560

Lucian Constantin, IDG News Service, InfoWorld, 1 Apr 2013
Visited websites are listed as source of illegal material to make bogus police messages more believable, researcher says

------------------------------

Date: Mon, 1 Apr 2013 10:50:32 -0400
From: Monty Solomon
Subject: ZIP Codes Are Definitely "Personal Identification Information"

Massachusetts Supreme Court Rules ZIP Codes Are Definitely "Personal Identification Information"
http://privacylaw.proskauer.com/2013/04/articles/uncategorized/massachusetts-supreme-court-rules-zip-codes-are-definitely-personal-identification-information/

------------------------------

Date: Tue, 2 Apr 2013 01:14:33 -0400
From: Monty Solomon
Subject: Everything We Know About What Data Brokers Know About You

http://www.propublica.org/article/everything-we-know-about-what-data-brokers-know-about-you

------------------------------

Date: Tue, 02 Apr 2013 11:00:32 -0700
From: Henry Baker
Subject: Mozilla Firefox CPU hog ??

I usually visit most web sites with Javascript turned *off*, which traditionally has saved a lot of CPU effort, because Javascript isn't constantly busy sending my mouse position back to the web page I'm visiting.

However, I've noticed that in the most recent versions of Mozilla Firefox (19, perhaps even 18) -- even with Javascript turned off -- my Windows CPU is working so hard for Firefox that it has trouble mouse tracking my other applications. I know this because the moment I exit Firefox, my mouse tracking returns to normal. Also, Windows Task Manager reports exceptional usage by Firefox.

Neither the Internet Explorer nor the Opera browser require such heavy CPU activity, so this issue is specific to Firefox.

I don't know if Firefox has gone over to the 'dark side', and is now spying on its users full time, but there is no legitimate reason for all of this heavy duty CPU activity.

------------------------------

Date: Tue, Apr 2, 2013 at 6:48 AM
From: Dewayne Hendricks
Subject: `Massive' Cyberattack Wasn't Really So Massive (David Talbot)

  [Note: This item comes to DLH via Mike Cheponis, and thence via Dave Farber.]

Date: April 1, 2013 1:28:17 AM PDT
From: Michael Cheponis
Subject: Denial of Service Attack on Spamhaus Was Enabled by Lax Server

David Talbot, `Massive' Cyberattack Wasn't Really So Massive
*MIT Technology Review*, 29 Mar 2013
A decade-old fix could have easily stopped this weekend's attack on an anti-spam company, but the truth is many Web companies simply ignore such fixes.
http://www.technologyreview.com/news/512911/massive-cyberattack-wasnt-really-so-massive/

An attack that disrupted Internet service over the past week would have been stopped by a simple Web server configuration fix that's been understood for a decade but is widely ignored by Web companies, experts say.

The prolonged assault targeted Spamhaus, a European nonprofit that reports where spam is coming from and publishes a list of implicated Web servers. The apparent flashpoint was the addition of CyberBunker, a Dutch data-storage company, to its roster. The unidentified attackers used a botnet -- a network of infected ordinary computers -- to attack Spamhaus's website and then the servers of CloudFlare, a content-delivery company that stepped in to help Spamhaus manage the influx of traffic. The attack also affected regional Internet servers that are transit points for not only the two targeted companies but also many others.
While some observers have suggested that the scale of the attack was smaller than most reports indicated, according to a blog by the Austrian Computer Emergency Response Team (CERT), the attack caused ``disruption in some parts of the Internet.''

The kind of attack that occurred is called `distributed denial-of-service' because many computers are tricked into sending chunks of data at one target, overwhelming it. This attack took advantage of a weakness in domain-name servers, or DNS servers, where typed Web addresses are resolved into the numerical codes that correspond to the machines that hold the relevant information. The attack involved sending DNS servers requests forged to look as if they came from the target. These DNS servers responded by overwhelming the target with data it didn't actually ask for. The impact can be amplified because the DNS servers -- depending how they are configured -- can be asked to send large amounts of data. [...]

------------------------------

Date: Sun, 31 Mar 2013 23:47:51 -0700
From: Bill Stewart
Subject: Risks of ASCII-formatting mathematics (Bellovin, RISKS-27.23)

  What's new is that someone has managed to turn the weaknesses into a real exploit, albeit one that needs at least 224 and preferably 230 encryptions of the same plaintext to work.

Except he almost certainly didn't write that; the numbers were presumably 2**24 and 2**30, expressed in some notation that didn't survive some reformatting process somewhere. (Either way, it's interesting math and a good practical article.)

------------------------------

Date: Sun, 7 Apr 2013 09:45:35 -0400
From: Richard Karash
Subject: Sears Discloses User-Selected PIN

Sears has a "rewards" program called Shop Your Way Rewards. Users are given a membership number and are invited to select a PIN of 4-8 digits (good). To help users remember their credentials, the program sends regular e-mails (sounds OK). These e-mails contain the membership number and the user-selected PIN (bad).

Making a bad situation even worse, the program gives you a membership card with your number -- and your selected PIN printed right on the card. Why have a PIN if it is printed right on the card?

The risk arises because I, like most users, have a favorite memorable PIN and use it at multiple sites. The risk is, by using Shop Your Way Rewards, MY PIN has now been exposed.

  [Of course, THAT'S bad! PGN]

Richard Karash -- Richard@Karash.com -- Karash Associates LLC
+1 617-308-4750 -- http://Karash.com

------------------------------

Date: Sat, 06 Apr 2013 19:58:44 -0400
From: Valdis Kletnieks
Subject: Online tax returns, You're Doing It Wrong...

Just seen on Google+, slightly redacted for privacy. All three gentlemen share the same LASTNAME...

  Will LASTNAME originally shared this post:

  To Robert LASTNAME: congrats, your federal tax return has been accepted.
  To Wade LASTNAME: unfortunately your tax return was rejected because you included the wrong birth date.
  To both of you: learn your friggin e-mail address. Both of you input my e-mail address into TurboTax, so now I'm getting all your tax-related e-mails.
  And to +TurboTax: what the heck are you thinking, not actually verifying people's e-mail address before you start sending personal information in e-mails?!

------------------------------

Date: Wed, 3 Apr 2013 13:38:21 -0400
From: Gene Spafford
Subject: Wow! Are we still in the 1990s?

I had a problem with pages at Starbucks.com displaying properly on Mac (using Safari). I sent an e-mail to them, pointing out the problem. Enclosed is the response. I don't think I need to say a lot, but it is clear that they are stuck in the 1990s, don't know about standards-compliance, and appear to not value customer security and choice. I was amazed to get a reply like this in 2013 -- and not on April Fools!

Begin forwarded message:

> From: Starbucks Customer Care
> Date: April 3, 2013, 1:26:56 PM EDT
>
> Dear Gene,
>
> Thank you for contacting Starbucks.
> Please note, if you are attempting to access Starbucks.com through a browser such as Firefox or Safari, some portions of the site may not function properly or permit access. We recommend using Microsoft Internet Explorer for optimum performance. If you continue to experience difficulty, please feel free to call 1-800-STARBUC and a representative will be happy to assist you.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@csl.sri.com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact .
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many
   but not all telephones: http://catless.ncl.ac.uk/w/r .
 ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
     for browsing, or .ps for printing
   is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 27.24
************************