RISKS Forum mailing list archives
Risks Digest 27.26
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 23 Apr 2013 17:06:02 PDT
RISKS-LIST: Risks-Forum Digest  Tuesday 23 April 2013  Volume 27 : Issue 26

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.26.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
LAX terminal signs hacked (Paul Saffo)
AP fooled by phishing attack (Lauren Weinstein)
Taiwan issues duplicate license plate numbers (jidanni)
EU Car Type-Approval Awkwardness (Chris Drewe)
FAA Approves Boeing 787 Battery Fix Allowing Flight Resumptions (Bloomberg)
New lithium ion battery design (PGN)
Two items on Internet use, etc. vs. distracted driving (Lauren Weinstein)
More in New York City Qualify as Gifted After Error Is Fixed
  (Al Baker via Jim Reisert)
Neil Richards on the Dangers of Surveillance (Lauren Weinstein)
Crowdsourcing a lynch mob (Mark Thorson)
Re: The Shame of Boston's Wireless Woes (Bob Frankston)
Re: Economic policy decisions may be affected by spreadsheet errors
  (John Levine, Amos Shapir)
Re: American Express Australia Mail Merge Stuff-up (John Levine)
Churnalism: Discover When News Copies from Other Sources (Lauren Weinstein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 22 Apr 2013 23:04:20 -0700
From: Paul Saffo <psaffo () discern com>
Subject: LAX terminal signs hacked

http://www.latimes.com/local/lanow/la-me-ln-hacker-lax-flight-boards-20130422,0,6739919.story

LAX flight status boards hacked, telling passengers to exit terminal
Andrew Blankstein and Robert J. Lopez, latimes.com, 22 Apr 2013

Authorities were searching the Tom Bradley International Terminal at Los
Angeles International Airport on Monday night for someone who hacked into
multiple flight status boards to write: "Emergency Leave the Terminal," law
enforcement authorities told *The Times*.

The rogue message was changed about five minutes after it was noticed about
10 p.m., authorities said. It was unclear whether any passengers had left
the terminal. Multiple travelers reported the message to airport police.

The status boards are located in the B aisle area of the terminal.
Additional officers were dispatched to the terminal while LAX officials
investigated who was responsible for the hacking.

Earlier this month, an electronic sign near USC was apparently hacked to
display inappropriate messages about the Los Angeles Police Department.

  [That should be known as REALLY LAX security!  PGN]

------------------------------

Date: Tue, 23 Apr 2013 13:45:20 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: AP fooled by phishing attack

http://j.mp/13XGzfH  (Techcrunch via NNSquad)

The AP Twitter hack which sent the stock market briefly crashing was caused
by a phishing attack, according to the AP. The news organization now says
the attack on Twitter was "preceded by a phishing attempt on AP's corporate
network."

  [Lots to choose from: lame passwords, cross-site scripting, compromised
  insider access routes, whatever.  CNN suggests ``social engineering''.
  PGN]

------------------------------

Date: Wed, 24 Apr 2013 07:16:40 +0800
From: jidanni () jidanni org
Subject: Taiwan issues duplicate license plate numbers

The legislator held out two license plates -- one in green and one in red --
that were both labeled "AB-123," and asked the premier if he could tell the
difference between them. When the premier said he could not, lawmaker Yeh
noted that they were from two different types of vehicles yet have the same
number.
http://www.chinapost.com.tw/taiwan/national/national-news/2013/04/10/375627/Govt-made.htm

------------------------------

Date: Tue, 23 Apr 2013 20:55:53 +0100
From: "Chris Drewe" <e767pmk () yahoo co uk>
Subject: EU Car Type-Approval Awkwardness

In the cars section of last Saturday's newspaper (April 20th), there was a
letter from a reader with a new Audi R8 V8 with manual transmission.
Complaint was very sluggish acceleration from 30mph (50km/hr) in 3rd gear;
interrogating the OBD-II port showed a temporary throttle part-closure,
which turned out to be programmed in to get good figures in the drive-by
noise test required for EU Type Approval. It's good to have cars that aren't
too loud, but awkward to discover this in the middle of a tricky passing
manoeuvre...

------------------------------

Date: Fri, 19 Apr 2013 15:32:19 -0400
From: "David J. Farber" <farber () gmail com>
Subject: FAA Approves Boeing 787 Battery Fix Allowing Flight Resumptions

http://www.bloomberg.com/news/2013-04-19/faa-approves-boeing-787-battery-fix-allowing-flight-resumptions.html

Boeing's 787 Dreamliner won U.S. approval to return to service with a
redesigned lithium-ion battery, more than three months into the government's
longest grounding of a commercial model in the jet age.

Restoring the 787 to flight status will allow the eight current operators to
end the use of temporary replacements and start routes that had been put on
hold with the Dreamliners unavailable. Chicago-based Boeing will be able to
resume deliveries, a pivotal step because it gets bulk payments when
aircraft are handed over.

The plane will continue to have permission to fly as far as 180 minutes from
an airport, FAA spokeswoman Laura Brown said in response to questions. That
is the same as the plane was originally certified to fly. That allows it to
fly across oceans, mountain ranges or the poles.

``A team of FAA certification specialists observed rigorous tests we
required Boeing to perform and devoted weeks to reviewing detailed analysis
of the design changes to reach this decision,'' FAA Administrator Michael
Huerta said in a statement.

Next week the FAA will publish regulations on how to alter the batteries in
the U.S. Federal Register, allowing Boeing and airlines to proceed with the
fixes.

Boeing has sent teams around the world to help fit new battery kits into the
49 Dreamliners in airline fleets. Each installation will take four to five
days, Boeing has said. Once those jets are fixed, work will turn to dozens
of 787s stored around Boeing factories.

To contact the reporter on this story: Alan Levin in Washington --
alevin24 () bloomberg net

------------------------------

Date: Mon, 22 Apr 2013 18:51:45 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: New lithium ion battery design

http://bit.ly/11gIo1S, noted by Marv Schaefer

New lithium-ion battery design that's 2,000 times more powerful, recharges
1,000 times faster

Researchers at the University of Illinois at Urbana-Champaign have developed
a new lithium-ion battery technology that is 2,000 times more powerful than
comparable batteries. According to the researchers, this is not simply an
evolutionary step in battery tech, ``It's a new enabling technology: it
breaks the normal paradigms of energy sources. It's allowing us to do
different, new things.''

  [Lots of new risks as well, much faster and with lower power?  PGN]

------------------------------

Date: Tue, 23 Apr 2013 15:35:43 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Two items on Internet use, etc. vs. distracted driving

Two items on Internet use, etc. vs. distracted driving

How Federal Distracted-Driving Guidelines Will Shape Your Next Phone
http://j.mp/15F5EMF  (Wired via NNSquad)

Study: Voice-activated texting while driving no safer than typing
http://j.mp/15F5tRA  (Washington Post via NNSquad)

It seems clear that regulators are focusing not only on built-in but also
portable devices. It seems inevitable that they will also direct attention
to "wearable" devices as well at some stage.

------------------------------

Date: Sat, 20 Apr 2013 07:56:03 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: More in New York City Qualify as Gifted After Error Is Fixed

Al Baker, *The New York Times*, 19 Apr 2013

Nearly 2,700 New York City students were wrongly told in recent weeks they
were not eligible for seats in public school gifted and talented programs
because of errors in scoring the tests used for admission, the Education
Department said on Friday. ...

According to Pearson, three mistakes were made. Students' ages, which are
used to calculate their percentile ranking against students of similar age,
were recorded in years and months, but should also have counted days to be
precise. Incorrect scoring tables were used. And the formula used to combine
the two test parts into one percentile ranking contained an error.

https://www.nytimes.com/2013/04/20/education/score-corrections-qualify-nearly-2700-more-pupils-for-gifted-programs.html

------------------------------

Date: Tue, 23 Apr 2013 14:12:05 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Neil Richards on the Dangers of Surveillance

Law professor makes a case for legally recognizing the Dangers of
Surveillance
http://j.mp/ZNfh3H  (Network World via NNSquad)

The Dangers of Surveillance, written by Neil M. Richards, Professor of Law
at Washington University in St. Louis, was recently published on the Social
Science Research Network. In it, Richards proposed "four principles that
should guide the future development of surveillance law."
Yet he said we must first recognize that: "Surveillance transcends the
public-private divide;" that "secret surveillance is illegitimate;" that
"total surveillance is illegitimate" and that "surveillance is harmful." The
courts may understand that surveillance could be potentially harmful, but
"have struggled to clearly understand why."

------------------------------

Date: Sat, 20 Apr 2013 13:51:55 -0700
From: Mark Thorson <eee () sonic net>
Subject: Crowdsourcing a lynch mob (More on RISKS-27.25)

In the confusion surrounding the Boston Marathon bombings, some users of the
popular Reddit site misidentified a missing Brown University student as the
bomber.

http://usnews.nbcnews.com/_news/2013/04/19/17826915-missing-brown-university-students-family-dragged-into-virally-fueled-false-accusation-in-boston

This event seems to be the first demonstration of the collision between mass
data available over the Internet and the echo chamber of blogs, comments,
and social media for spawning and amplifying spurious identifications of the
perpetrators of high-profile criminal acts. If we stay on the current
trajectory (as we most certainly will) the data will become ever more prompt
and detailed.

"The bomber is Mark Thorson and Google says he's at his mother's house at
1505 Spruce St. right now! Let's go get him!"

------------------------------

Date: Sun, 21 Apr 2013 11:16:06 -0400
From: "Bob Frankston" <bob2-39 () bobf frankston com>
Subject: Re: The Shame of Boston's Wireless Woes (RISKS-27.25)

There is a real risk in confusing technical and economic problems. Focusing
on the problem of "congestion" as cited in the Atlantic City cities misses
the point because that congestion is a necessary consequence of the economic
architecture of today's telecommunications system. The alternative is simple
-- don't do that. As a common infrastructure we could use Wi-Fi (for
starters) to make the vast existing capacity of the common infrastructure
immediately available.

The idea of trying to make our ability to communicate a profit center is
foolish at best -- it's akin to shutting down public transportation systems
if they are not profitable in themselves. Doing so would cause severe harm
to society. The business of providing telecommunications at a profit
requires limiting capacity and funneling traveling through billing points
(AKA cell towers).

Until we understand the interplay of technology and economics we are likely
to work at cross-purposes with ourselves.

I'm not an expert on the story of the closing of the Los Angeles trolley
system but when the New York subways failed to turn a profit the system took
responsibility for them rather than shutting it down.

------------------------------

Date: 19 Apr 2013 21:07:10 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Economic policy decisions may be affected by spreadsheet errors
  (Epstein, RISKS-27.25)
Perhaps we need methods for spreadsheet assurance, just as we need methods for assuring the security and reliability of our operating systems and applications?
Back in the 1980s I was one of the authors of a program called Javelin, a
time series modeling package that you could use to do a lot of the same
stuff that people do with spreadsheets. One of our selling points was that
Javelin models were a lot more reliable than 1-2-3 or Excel models. Data
were stored in named variables each of which could be a time series, which
largely prevented the kind of error that R+R made, since if you said
A=SUM(B), it automatically summed up all of B. We had spreadsheet-like
editing, but you were editing a view of the underlying model, not anonymous
cells.

In marketing focus groups, we learned two things: a) any spreadsheet large
enough to be interesting had bugs, and b) nobody cared. One telling comment
was "it's my manager's job to check that my spreadsheet is correct."

------------------------------

Date: Tue, 23 Apr 2013 17:16:24 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Economic policy decisions may be affected by spreadsheet errors

They used cell L44 instead of L49?? Come on, meaningful symbolic names for
variables have been around at least since IBM's RPG language (introduced in
1959)! No wonder almost all Excel spreadsheets contain errors; this sort of
programming simply guarantees that.

http://www.marketwatch.com/story/88-of-spreadsheets-have-errors-2013-04-17

I'm not surprised that Microsoft would force such antediluvian practices
upon all of us; but I am surprised that there is still no prevalent
alternative.

------------------------------

Date: 19 Apr 2013 21:20:53 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: American Express Australia Mail Merge Stuff-up
  (Gingrich, RISKS-27.25)
I just received an e-mail on 11 April from AMEX touting a few current offers, but the name in the message was not mine -- luckily the final digits *were* from my card, though it could also have been his ...
I have two Amex cards. Both have the same last five digits, which is a pain
in the patoot when I'm trying to figure out which account I used for a
charge slip or online purchase.

How likely is it that? 1/100,000? Not by a long shot. Credit card numbers
from a particular issuer all have the same structure. In Amex's case, the
first two digits are always 37, the next two are the currency (with many
different digit pairs for common currencies like US dollars), then there's
the account number, a three digit card number, and a check digit. The card
number for the primary cardholder on each account is card number 100, which
only changes if the card is lost or stolen and reissued.

So in fact, nearly all account numbers end with X100Y where X is the last
digit of the account number, and Y is the check digit. The check digit is
computed from the rest of the number using the Luhn "mod 10" algorithm which
is intended to detect digit transpositions and to be easy to compute, not to
be cryptographically secure. Since the other digits in the number are not
very random, the check digit isn't either. If the X and Y were random, the
chances of those five digits being the same would be a little under 1%, but
since the check digit isn't random, it's a little more than that.

So anyway, partial credit card numbers are only arguably adequate for
showing that a message is from your bank and not a phish, and useless for
anything stronger.

------------------------------

Date: Tue, 23 Apr 2013 14:13:32 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Churnalism: Discover When News Copies from Other Sources

Churnalism: Discover When News Copies from Other Sources
http://j.mp/ZNeRdy  (Sunlight Foundation via NNSquad)

"Churnalism US is a new web tool and browser extension that allows anyone to
compare the news you read against existing content to uncover possible
instances of plagiarism. It is a joint project with the Media Standards
Trust."
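An added worked example for John Levine's American Express item above (not code from the post, from RISKS, or from American Express): it implements the Luhn "mod 10" check digit he refers to, shows what that check does and does not catch (every single-digit error and every adjacent transposition except 09/90 are detected), and builds card numbers in the layout he describes to show that a primary card's last five digits can only take one of 100 "X100Y" values. The 7-digit width of the account field is an assumption made so the total comes to 15 digits, and every account number used is a constructed sample.

```python
"""Luhn check digit and the "same last five digits" point from the Amex item.

Added example; not code from the RISKS post or from American Express.  The
15-digit layout (37, two currency digits, account digits, card number 100,
check digit) follows the post; the 7-digit account field is an assumption
that makes the total 15 digits, and all account numbers are constructed.
"""
import random


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn "mod 10" check digit for a string of digits.

    Working from the right, every other digit (starting with the one that
    will sit next to the check digit) is doubled, and doubled values of 10 or
    more have 9 subtracted; the check digit brings the total to a multiple
    of 10.  It is an error-detecting code, not a secret or a signature.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d >= 5 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct check digit for the rest."""
    return (number.isdigit() and len(number) >= 2
            and luhn_check_digit(number[:-1]) == number[-1])


def amex_style_number(currency: str, account: str) -> str:
    """Constructed 15-digit number in the layout the post describes."""
    if len(currency) != 2 or len(account) != 7 or not (currency + account).isdigit():
        raise ValueError("expected 2 currency digits and 7 account digits")
    payload = "37" + currency + account + "100"   # card number 100 = primary card
    return payload + luhn_check_digit(payload)


def last_five(number: str) -> str:
    """The digits a statement or e-mail typically shows: X100Y here."""
    return number[-5:]


def possible_last_fives() -> set:
    """Every 'X100Y' ending a primary card can have: only 100 of them."""
    return {x + "100" + y for x in "0123456789" for y in "0123456789"}


def detects_all_single_digit_errors(number: str) -> bool:
    """Every single-digit substitution anywhere in `number` fails Luhn."""
    for pos, orig in enumerate(number):
        for d in "0123456789":
            if d != orig and luhn_valid(number[:pos] + d + number[pos + 1:]):
                return False
    return True


def undetected_adjacent_swaps(number: str) -> list:
    """Adjacent transpositions that still pass Luhn (only 09 <-> 90 can)."""
    misses = []
    for pos in range(len(number) - 1):
        a, b = number[pos], number[pos + 1]
        if a != b:
            swapped = number[:pos] + b + a + number[pos + 2:]
            if luhn_valid(swapped):
                misses.append(swapped)
    return misses


def distinct_endings(n_accounts: int, seed: int = 1) -> int:
    """Distinct last-five endings over n constructed accounts (one currency)."""
    rng = random.Random(seed)
    endings = {last_five(amex_style_number("11", f"{rng.randrange(10**7):07d}"))
               for _ in range(n_accounts)}
    return len(endings)


if __name__ == "__main__":
    card = amex_style_number("11", "1234567")        # constructed sample
    print(card, luhn_valid(card), "ends in", last_five(card))
    print("possible primary-card endings:", len(possible_last_fives()))
    print("distinct endings among 5000 accounts:", distinct_endings(5000))
    print("single-digit errors all caught:", detects_all_single_digit_errors(card))
    print("swaps that slip through:", undetected_adjacent_swaps("370912345671000"))
```

Run as a script it prints the constructed number, confirms there are only 100 possible endings for a primary card (so "the last five digits match" rules out about 99% of other cards and no more), and lists the one adjacent swap in a number containing "09" that Luhn cannot see.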
------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
 on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.26
************************