[28712] in RISKS Forum
Risks Digest 29.19
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Mon Dec 28 14:50:26 2015
From: RISKS List Owner <risko@csl.sri.com>
Date: Mon, 28 Dec 2015 11:50:13 PST
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Monday 28 December 2015 Volume 29 : Issue 19
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/29.19.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents: [Oops: A gratuitous old issue got out to comp.risks. Sorry. PGN]
"Listen up, FBI: Juniper code shows the problem with backdoors"
(Fahmida Rashid)
NSA Helped British Spies Find Security Holes In Juniper Firewalls
(Gallagher and Greenwald)
More on Juniper backdoor (Henry Baker)
China passes law requiring tech firms to hand over encryption keys
(Mark Wilson via Henry Baker)
China's New Big Brother Law Is A Clone Of The West's Bad Ideas (HuffPo)
Dangerous helicopter bird strikes on the rise, FAA warns (KSL via LW)
Techno-skeptics objection growing louder (WashPo)
U.S. Says Hacker Stole IDs and Unreleased Scripts From Host of Celebrities
(NYTimes)
Re: Reply by Karl Auerbach to The Moral Failure of Computer Scientists
(Gene Wirchenko)
Re: Super-literate software reads and comprehends better than humans
(Gene Wirchenko)
Re: Vulnerability in popular bootloader puts locked-down Linux, computers at
risk (Mike Rechtman)
Re: Lie-detecting Software uses Machine Learning to Achieve 75%
accuracy (Erling Kristiansen)
Re: Hotmail and how not to block spam (John Levine)
Re: Driverless Cars (John Levine)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Thu, 24 Dec 2015 10:50:47 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "Listen up, FBI: Juniper code shows the problem with backdoors"
(Fahmida Rashid)
Fahmida Y. Rashid, InfoWorld, 23 Dec 2015
FBI director James Comey should be taking notes: The Juniper debacle
shows why security experts are up in arms over government-ordered backdoors
http://www.infoworld.com/article/3018029/virtual-private-network/listen-up-fbi-juniper-code-shows-the-problem-with-backdoors.html
opening text:
Government officials keep asking technology companies to put encryption
backdoors in their products. But the saga of the Juniper VPN backdoor is an
object lesson on how attackers can use this avenue for nefarious purposes.
Last week, Juniper Networks announced that during a routine internal audit,
it had found unauthorized code in ScreenOS, the operating system used in
products including firewalls and VPN gateways. The spying code would allow
someone monitoring VPN traffic flowing through NetScreen to decrypt the
traffic and monitor all communications. A second vulnerability provides
attackers with administrator access to NetScreen devices via a hard-coded
master password. Security researchers believe a backdoor was already present
in Juniper's code, and unknown attackers simply took advantage of it.
------------------------------
Date: Thursday, December 24, 2015
From: Dewayne Hendricks <dewayne@warpspeed.com>
Subject: NSA Helped British Spies Find Security Holes In Juniper Firewalls
(Gallagher and Greenwald)
Ryan Gallagher and Glenn Greenwald, The Intercept, 23 Dec 2015
https://theintercept.com/2015/12/23/juniper-firewalls-successfully-targeted-by-nsa-and-gchq/
<https://www.documentcloud.org/documents/2653542-Juniper-Opportunity-Assess=
ment-03FEB11-Redacted.html> *A TOP-SECRET* document dated February 2011
reveals that British spy agency GCHQ, with the knowledge and apparent
cooperation of the NSA, acquired the capability to covertly exploit security
vulnerabilities in 13 different models of firewalls made by Juniper
Networks, a leading provider of networking and Internet security gear.
The six-page document, titled *Assessment of Intelligence Opportunity
Juniper*, raises questions about whether the intelligence agencies were
responsible for or culpable in the creation of security holes disclosed
<https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554>
by Juniper last week. While it does not establish a certain link between
GCHQ, NSA, and the Juniper hacks, it does make clear that, like the
unidentified parties behind those hacks, the agencies found ways to
penetrate the NetScreen line of security products, which help companies
create online firewalls and virtual private networks, or VPNs. It further
indicates that, also like the hackers, GCHQ's capabilities clustered around
an operating system called ScreenOS, which powers only a subset of products
sold by Juniper, including the NetScreen line. Juniper's other products,
which include high-volume Internet routers, run a different operating system
called JUNOS.
The possibility of links between the security holes and the intelligence
agencies is particularly important given an ongoing debate in the U.S. and
the U.K. over whether governments should have backdoors allowing access to
encrypted data. Cryptographers and security researchers have raised the
possibility that one of the newly discovered Juniper vulnerabilities stemmed
from an encryption backdoor engineered by the NSA and co-opted by someone
else. Meanwhile, U.S. officials are reviewing
<http://www.nytimes.com/reuters/2015/12/21/technology/21reuters-juniper-networks-cyberattack-cisco-systems.html>
how the Juniper hacks could affect their own networks, putting them in the
awkward position of scrambling to shore up
<http://www.cnn.com/2015/12/18/politics/juniper-networks-us-government-security-hack/index.html>
their own encryption even as they criticize the growing use of encryption by
others.
------------------------------
Date: Thu, 24 Dec 2015 16:38:47 -0800
From: Henry Baker <hbaker1@pipeline.com>
Subject: More on Juniper backdoor
So, is Juniper liable for this Dual_EC screwup if it's their own code ?
Is Juniper liable for this Dual_EC screwup if NSA/FBI/FISA issued an NSL to
Juniper ?
Or with all the waivers Congress passed, *no one* is liable ?
Time to trot out Dan Geer's comments on software liability:
http://geer.tinho.net/geer.blackhat.6viii14.txt
- -
Everyone should also be aware of *Certicom's patent application*
that talks about a very Juniper-like back door.
'An elliptic curve random number generator avoids *escrow keys* by
choosing a point Q on the elliptic curve as verifiably random.'
'The relationship between P and Q is used as an *escrow key* and
stored by for a security domain'
https://projectbullrun.org/dual-ec/patent.html
Pub. No.: US 2007/0189527 Al
Pub. Date: Aug. 16, 2007
ELLIPTIC CURVE RANDOM NUMBER GENERATION
Inventors: Daniel R. L. Brown, Mississauga (CA); Scott A. Vanstone, Campbellville (CA)
Appl. No.: 11/336,814
Filed: Jan. 23, 2006
Related U.S. Application Data
Provisional application No. 60/644,982, filed on Jan. 21, 2005.
Publication Classification
ABSTRACT
An elliptic curve random number generator avoids *escrow keys* by
choosing a point Q on the elliptic curve as verifiably random. An
arbitrary string is chosen and a hash of that string computed. The
hash is then converted to a field element of the desired field, the
field element regarded as the x-coordinate of a point Q on the
elliptic curve and the x-coordinate is tested for validity on the
desired elliptic curve. If valid, the x-coordinate is decompressed to
the point Q, wherein the choice of which is the two points is also
derived from the hash value. Intentional use of escrow keys can
provide for back up functionality. The relationship between P and Q
is used as an *escrow key* and stored by for a security domain. The
administrator logs the output of the generator to *reconstruct the
random number with the escrow key.*
------------------------------
Date: Sun, 27 Dec 2015 15:43:04 -0800
From: Henry Baker <hbaker1@pipeline.com>
Subject: China passes law requiring tech firms to hand over encryption keys
FYI -- It's not clear what happens if the company doesn't *have* any keys --
i.e., they are only in the hands of the end-user.
"This latest move is one that will be view very suspiciously by foreign
companies operating within China, or looking to do so."
http://betanews.com/2015/12/27/china-passes-law-requiring-tech-firms-to-hand-over-encryption-keys/
Mark Wilson, BetaNews, 27 Dec 2015
Apple may have said that it opposes the idea of weakening encryption and
providing governments with backdoors into products, but things are rather
different in China. The Chinese parliament has just passed a law that
requires technology companies to comply with government requests for
information, including handing over encryption keys.
http://betanews.com/2015/12/22/apple-wants-the-uk-government-to-rein-in-snoopers-charter/
http://betanews.com/2015/11/11/apples-tim-cook-on-weakening-encryption-any-backdoor-is-a-backdoor-for-everyone/
Under the guise of counter-terrorism, the controversial law is the Chinese
government's attempt to curtail the activities of militants and political
activists. China already faces criticism from around the world not only for
the infamous Great Firewall of China, but also the blatant online
surveillance and censorship that takes place. This latest move is one that
will be view very suspiciously by foreign companies operating within China,
or looking to do so.
China's infringement of freedom of speech and the hard line it takes on
those opposing the government is well-recorded. While the government
insists that there will be no requirement for companies to install
backdoors, the country has already earned itself a reputation that is going
to be very difficult to shake off.
The deputy head of the Chinese parliament's criminal law division tried to
play down the controversy surrounding the new law. Li Shouwei said:
http://www.reuters.com/article/us-china-security-idUSKBN0UA07220151227
"This rule accords with the actual work need of fighting terrorism and is
basically the same as what other major countries in the world do."
As well as granting new powers within China's borders, the new law also
permits overseas action by the People's Liberation Army -- something which
will be eyed with suspicion and likely opposed by for foreign nations.
There is also a provision, as reported by Reuters, that "media and social
media cannot report on details of terror activities that might lead to
imitation, nor show scenes that are 'cruel and inhuman' " -- something else
which will bring about accusation of standing in the way of free speech.
http://www.reuters.com/article/us-china-security-idUSKBN0UA07220151227
[The law that actually passed is slightly different. See this item. PGN]
http://www.wsj.com/article_email/china-antiterror-law-doesnt-require-encryption-code-handovers-1451270383-lMyQjAxMTE1NDI3ODAyMTgyWj
------------------------------
Date: Sun, 27 Dec 2015 11:04:13 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: China's New Big Brother Law Is A Clone Of The West's Bad Ideas
(HuffPo)
http://www.huffingtonpost.com/entry/china-anti-terror-law-encryption_56801192e4b014efe0d86ed0
Li Shouwei, a government spokesman, told Reuters that companies won't have
to fear any backdoors -- entryways that bypass a traditional security
mechanism -- into their products and services. But a draft of the
legislation that the International Association of Privacy Professionals
analyzed in March shows that's untrue: China's new law requires Internet
service providers and telecommunications providers to install
government-accessible backdoors and provide encryption keys for any data
stored on their servers. Shouwei also told Reuters that China was "simply
doing what other major nations already do in asking technology firms to
help fight terror." He cited Western nations' actions as justification,
Reuters reported. Although US leaders have condemned China's laws, they
are engaging in the same rhetoric of national security stateside,
suggesting that technology companies find a magical way to create secure
backdoors through a Manhattan-like project despite technologists and
experts resolutely telling politicians that to do so is to mandate
insecurity.
------------------------------
Date: Sun, 27 Dec 2015 09:13:52 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Dangerous helicopter bird strikes on the rise, FAA warns
https://www.ksl.com/?nid=151&sid=37912384&title=dangerous-helicopter-bird-strikes-on-the-rise-faa-warns
Reports of helicopter bird strikes are up dramatically in recent years,
including incidents, like the one in Dallas, that damage the aircraft and
create the potential for crashes, according to the Federal Aviation
Administration. In 2013, there were 204 reported helicopter bird strikes,
a 68 percent increase from 2009 when there were 121 reports and an
increase of over 700 percent since the early 2000s, said Gary Roach, an
FAA helicopter safety engineer.
In response, the FAA has announced that all birds must register online
and pay $5 via credit card every three years.
------------------------------
Date: Sun, 27 Dec 2015 10:39:53 -0500
From: "Dave Farber" <farber@gmail.com>
Subject: Techno-skeptics objection growing louder (The Washington Post)
https://www.washingtonpost.com/classic-apps/techno-skeptics-objection-growing-louder/2015/12/26/e83cf658-617a-11e5-8e9e-dce8a2a2a679_story.html
------------------------------
From: Monty Solomon <monty@roscom.com>
Date: Sun, 27 Dec 2015 00:02:01 -0500
Subject: U.S. Says Hacker Stole IDs and Unreleased Scripts From Host of
Celebrities (NYTimes)
The charges against Alonzo Knowles illustrate the ease with which private
email contacts, even for security-conscious entertainers, can be exploited.
http://www.nytimes.com/2015/12/23/nyregion/us-says-hacker-stole-ids-and-unreleased-scripts-from-host-of-celebrities.html
------------------------------
Date: Thu, 24 Dec 2015 18:58:30 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: Re: Reply by Karl Auerbach to The Moral Failure of Computer
Scientists (RISKS-29.18)
[Paragraphs which start with "GW:" are by me; the others are by
Mr. Auerbach.]
GW: Mr. Auerbach referred to the following article:
http://www.mercurynews.com/news/ci_29245938/university-of-california-pressured-to-count-computer-science-toward-high-school-math-requirement
Apparently the University of California is being pushed to count high-school
computer science courses taken by applying students as if those were
mathematics or science courses.
This disturbs me for several reasons.
First is that I have only on occasion found computer science to be a
substitute for the kind of intellectual disciple any of the hard sciences.
GW: As have I. In 2010, I graduated from Thompson Rivers University (TRU)
with a Bachelor of Computing Science degree.
GW: I worked with a few students who were math students double majoring in
computing science. (Call them MCs.) They were not, and I am not aware of
any who were, computing science students double majoring in math. (Call
these hypothetical students CMs.) The distinction is important.
GW: In fact, I am unaware of any computing-science-major-only student (CSMO)
taking any more than the bare requirement of math courses (two) with one
exception: me. I minored in math. I was told by the computing science
chair that I was the only CSMO to ever do so.
GW: I found that CSMOs avoided math like the plague.
Second is that what is being called `computer science' at the high school
level is typically simple programming. There is no doubt that it would be
useful if everyone coming out of high school had at least a thin knowledge
of what programming is.
GW: It was also true at TRU. Courses that were coding and very close were
the ones of interest. A special topics course on professionality in the
computing field was canceled due to lack of interest. I would have liked
to have taken that course. I wanted to take a course in computation theory.
There were supposedly three courses on the books for it, but only one had
ever been taught and that one only once. I ended doing it as independent
study through the math department.
GW: I snipped the remainder of Mr. Auerbach's comments. In short, I agree
that there is too much emphasis on tools and not enough on the higher
levels.
------------------------------
Date: Thu, 24 Dec 2015 19:53:00 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: Re: Super-literate software reads and comprehends better than humans
(RISKS-29.18)
(https://www.newscientist.com/article/mg22830512-600-super-literate-software-reads-and-comprehends-better-than-humans/)
This article [noted in the previous RISKS issue] concludes with:
There are still some issues to overcome, however, such as dealing with
text in unusual formats. For example, names are particularly important to
the Declassification Engine, and the system relies on the capital letters
at the start of names to find them. But the cables come in all capitals, a
relic of the Telex system that conveyed them around the planet. Rambow is
confident he can get over the hurdle. "I hope that in the next month or
two the humming will start," he says.
Is anyone else skeptical of the humming timeline?
------------------------------
Date: Fri, 25 Dec 2015 05:59:10 +0200
From: Mike Rechtman <mike@rechtman.com>
Subject: Re: Vulnerability in popular bootloader puts locked-down Linux,
computers at risk (Constantin, RISKS-29.18)
> Grub2 bootloader's password protection and allow a hacker to install
> malware on a locked-down Linux system
Two minor points:
One: The breakin require physical access. Once you have that, you
can own the Desktop/Server/Device using several methods.
Two: Not new, and IIRC fixed some time back.
------------------------------
Date: Fri, 25 Dec 2015 17:41:07 +0100
From: Erling Kristiansen <erling.kristiansen@xs4all.nl>
Subject: Re: Lie-detecting Software uses Machine Learning to Achieve 75%
accuracy (RISKS-29.18)
What one would want is separate performance figures for false positives and
false negatives. Those are mostly not identical, and might actually be very
different.
One would hope that the false positive (accusing somebody of lying, when
actually truthful) rate is significantly lower than the false negative (not
detecting a liar) rate in this case.
------------------------------
Date: 24 Dec 2015 23:56:58 -0000
From: "John Levine" <johnl@iecc.com>
Subject: Re: Hotmail and how not to block spam (RISKS-29.18)
Large mail services have been managing sender reputation this way for the
better part of a decade. The hack to report competitors' mail as spam, and
the reverse, to report your own cruddy mail as not-spam, are well known, and
mail providers have ways to detect and deal with them, although for obvious
reasons they don't publish the details.
Mailers who grouse about their wonderful mail getting blocked this way
invariably turn out to be sending "greymail", it's not exactly spam, but the
recipients care whether they get it. If real users missed it, they would be
complaining or at least marking it as not-spam. And if a mailer can't
detect and block bulk signups by competitors, well, sheesh.
(Incidentally,) Sometimes a free service is worth what you pay for it,
although in this case it seems to be working as designed.
------------------------------
Date: 24 Dec 2015 23:43:47 -0000
From: "John Levine" <johnl@iecc.com>
Subject: Re: Driverless Cars (Analog)
> Robot cars, of today, know the rules of the road, but not the psychology
> of other participants on the highways.
Perhaps the people who write for Analog don't read the *Wall Street Journal*.
This article appeared in September:
Google Inc. designed its self-driving cars to follow the rules of the
road. Now it's teaching them to drive like people, by cutting corners,
edging into intersections and crossing double-yellow lines. ...
http://www.wsj.com/articles/google-tries-to-make-its-cars-drive-more-like-humans-1443463523
------------------------------
Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 29.19
************************
