RISKS Forum mailing list archives

Risks Digest 26.78
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 10 Apr 2012 16:51:31 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 10 April 2012  Volume 26 : Issue 78

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

More on The Evil Bit and the "I'm not sure" value! (Ben Okopnik)
Tacocopters delivering hot tacos on the fly (Peter Bernard Ladkin)
The Addictiveness of Games (Sam Anderson)
Voting machine flaw (Joseph Lorenzo Hall)
"Computer Science for the Rest of Us" (Randall Stross via Erwin Gianchandani)
"Facial recognition tech could help stop drunk drivers" (Nestor E. Arellano
  via Gene Wirchenko)
NIST ISPAB recommendation about cybersecurity risks of medical devices
  (Kevin Fu)
Hacking medical devices (Jack Holleran)
Updating auto software over the Internet (Robert Schaefer)
FBI: Smart Meter Hacks Likely to Spread (Robert Schaefer)
US government hires company to hack into video game consoles (Robert Schaefer)
"The computer did it" (Paul Wallich)
Nano Particles--Giga Benefits, Giga Risks (Stephen Unger)
"Flaw in popular mobile apps exposes users to identity theft" (Ted Samson
  via Gene Wirchenko)
Police Are Using Phone Tracking as a Routine Tool (Eric Lichtblau via
  Matthew Kruk)
Unraveling a massive click fraud scheme (WSJ item via Lauren Weinstein)
The Risks of Advertising (Gene Wirchenko)
DRM is crushing indie booksellers online (Lauren Weinstein)
Hotspots using Deep Packet Inspection (Lauren Weinstein)
Internet Use Promotes Democracy Best in Countries Already Partially Free
  (Lauren Weinstein)
Re: The Moral Network (Bob Frankston)
Abridged info on RISKS (comp.risks)


Date: Wed, 4 Apr 2012 19:42:54 -0400
From: Ben Okopnik <ben () okopnik com>
Subject: More on The Evil Bit and the "I'm not sure" value! (Re: RISKS-26.77)

The intentional ambiguity of this additional state makes it a perfect
third value for a binary bit.

The correct solution is so blatantly obvious that I blush to mention it -
but The Security of The Free World, as well as Baseball, Mom, and Apple Pie
are at Stake (mmm, steak and apple pie... but I digress), and thus I feel I
have no choice.

The solution does involve sacrificing one additional 3-state bit (along
with the traditional goat), and the truth table would look like this:

0   0   Lawful Good
0   1   Lawful Neutral
0   2   Lawful Evil
1   0   Neutral Good
1   1   Neutral
1   2   Neutral Evil
2   0   Chaotic Good
2   1   Chaotic Neutral
2   2   Chaotic Evil

The mechanism for enforcement is trivial, and thus left to the individual
student - but does involve the classic die-rolling algorithm.

We now return you to our scheduled programming.

Ben Okopnik  443-250-7895   http://okopnik.com   http://twitter.com/okopnik


Date: Wed, 04 Apr 2012 22:06:33 +0200
From: Peter Bernard Ladkin <ladkin () rvs uni-bielefeld de>
Subject: Tacocopters delivering hot tacos on the fly

  [See Peter Ladkin's blog on the risks involved in a proposed effort
  summarized by the subject line above.  PGN]


Peter Bernard Ladkin, Professor of Computer Networks and Distributed Systems,
Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de

  [PBL's blog item is serious, although the concept of remotely programmable
  special-purpose drones for public use opens up quite a few foolish but
  not-so-Aprilly possibilities.  However, it also reminded me a little of
  when I was in the Computer Science Lab at Bell Labs in Murray Hill in the
  1960s: Vic Vyssotsky came up with the concept of a programmable
  cable-laying satellite, complete with calculations on how to manage smooth
  payout despite would-be obstructions and how to avoid snapback when the
  cable was cut.  Vic was also the ghost author of the wonderful article on
  The Chaostron: An Important Advance in Learning Machine, an AI spoof
  attributed to J.B. Cadwallader-Cohen, W.W. Zysiczk and R.B. Donnelly --
  which was reprinted in a special foolish section that I edited for the
  April 1984 issue of the ACM Communications, pp. 356--357, a sort of 25th
  anniversary collection of computer-related humor and whimsey that also
  included among other contributions Lawrence Clark's COME-FROM statement in
  response to the GO-TO controversy, Don Knuth's delicious analysis of the
  Complexity of Songs, and a delightfully self-referential heavily annotated
  item on an Ada package for automatic footnote generation written by a
  long-time RISKS contributor (see volume 1 number 1 at www.risks.org) under
  the anagrammatic pen-name of Preet J Nedginn along with Trebor L. Bworn
  (whose last name was rather unfortunately and somewhat surprisingly
  msicorekted to Brown in the table of contents of the issue by the editor
  (who must have thought it was a typo!).  PGN]


Date: Mon, 9 Apr 2012 10:05:17 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: The Addictiveness of Games (Sam Anderson via PGN)

The front page of *The New York Times Magazine* on 8 Apr 2012 had this text
in a very large font (with interspersed small graphics of birds, a pig, and
a monkey):

  The Hyperaddictive, Time-Sucking, Relationship-Busting, Mind-Crushing
  Power and Allure of Silly Digital Games

Below that, in a much smaller font, is this text:

  (Which is not to say we don't love them too.)  By Sam Anderson

On page 28 of the magazine, the cover article begins with the caption

  Just One More Game ...
  How time-wasting video games escaped the arcade, jumped
  into our pockets, and took over our lives.

This is a remarkably well-conceived article about computer-related
addictions, spanning not only Tetris to Angry Birds (which moved from
iPhones to everywhere else), but also Zynga (Draw Something), Frank Lantz's
Drop7, Facebook, and much more.

The article ends with a discussion with Lantz talking about his relationship
with poker:

  ``It was like a tightrope walk between this transcendently beautiful and
  cerebral thing that gave you all kinds of opportunities to improve
  yourself -- through study and self-discipline, making your mind stronger
  like a muscle -- and at the same time it was pure self-destruction."

This is a really important article for game creators, gamers, psychologists,
and people trying to understand erratic behaviors of their loved ones.


Date: Apr 5, 2012 4:00 PM
From: "Joseph Lorenzo Hall" <joehall () gmail com>
Subject: Voting machine flaw (via Dave Farber's IP)

As far as we've been able to understand it, this "flaw" in the voting system
back-end software occurs when someone edits the database after having
already printed the ballots.  That can knock the contests on a ballot out of
sync, which can mean that totals for one contest are assigned to
another... unfortunately, it requires that someone detect the error and that
a recount or risk-limiting audit be performed to correct this kind of error.
One would think that such voting system databases should refuse to allow
edits after ballot printing, but apparently that's not the case!

Joseph Lorenzo Hall, Postdoctoral Research Fellow, Media, Culture and
Communication, New York University  https://josephhall.org/

  E-voting system awards election to wrong candidates in Florida village
  Analysts warn that same Dominion Sequoia machines are used in nearly 300
  U.S. municipalities

  Dominion Voting Inc.'s Sequoia Voting Systems device mistakenly awarded
  two Wellington Village Council seats to candidates who were found in a
  post-election audit to have lost their races.  The results were officially
  changed last weekend after a court-sanctioned public hand count of the


Date: Sun, Apr 1, 2012 at 11:12 AM
From: Erwin Gianchandani <erwin () cra org>
Subject: "Computer Science for the Rest of Us" (Randall Stross via IP)


An article in *The New York Times* (1 Apr 2012) [is] making the rounds --
written by Randall Stross, an author and professor of business at San Jose
State University: READING, writing and -- refactoring code?

Many professors of computer science say college graduates in every major
should understand software fundamentals. They don't argue that everyone
needs to be a skilled programmer. Rather, they seek to teach "computational
thinking" -- the general concepts programming languages employ.

In 2006, Jeannette M. Wing, head of the computer science department at
Carnegie Mellon University, wrote a manifesto arguing that basic literacy
should be redefined to include understanding of computer
processes. "Computational thinking is a fundamental skill for everyone, not
just for computer scientists," she wrote. "To reading, writing and
arithmetic, we should add computational thinking to every child's analytical

There is little agreement within the field, however, about what exactly are
the core elements of computational thinking. Nor is there agreement about
how much programming students must do, if any, in order to understand it.

Most important, the need for teaching computational thinking to all students
remains vague [more after the jump].

Erwin Gianchandani <erwin () cra org>


Date: Wed, 04 Apr 2012 08:36:22 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Facial recognition tech could help stop drunk drivers"
  (Nestor E. Arellano)

Nestor E. Arellano, *IT Business*, 3 Apr 2012
Facial recognition tech could help stop drunk drivers
The face recognition software developed by University of Windsor
students will prevent drivers from circumventing a vehicle-interlock
system which immobilizes a car when its driver is drunk.

selected text:

The face recognition system developed by Ray and Saha is designed to
authenticate the identity of the driver. Driver ID will take pictures of
authorized drivers and store them in the system's database. Only drivers
whose photos are in the database can operate the car. A small onboard
infrared camera will snap a photo of whoever is on the driver's seat and
compare that photo with the image stored in the database.

The author expresses concern about how the system could be fooled, but there
are other risks.  1) False negatives could be nasty.  2) Going on a picnic
or going camping at a remote location could be a real bother if one's host
has a heart attack.  How do you get him out if you are not on the authorised
driver list?


Date: Mon, 9 Apr 2012 10:57:36 -0400
From: Kevin Fu <kevinfu () cs umass edu>
Subject: NIST ISPAB recommendation about cybersecurity risks of medical devices

The NIST Information Security & Privacy Advisory Board made the following
recommendation about the issue of maintaining security in medical devices.
The letter paints a somewhat grim future if the forces at play remain
unchecked, but the Board made several recommendations to better manage and
mitigate the risks.


An audio webcast of the panel appears on


Date: Tue, 10 Apr 2012 10:43:13 -0400
From: Jack Holleran <jcholleran () verizon net>
Subject: Hacking medical devices

At Defcon 2011, Jay Radcliffe looked at the ethics that his insulin pump
could be hacked to give too much or too little insulin when needed, possibly
causing death.  He demonstrated the possibility on stage.

  [Jack's message is in response to a note from Kenneth Olthoff:

    Those of us in the security business have speculated for years about how
    pacemakers and other medical devices could be hacked or attacked, but
    the BBC today has the first article that I recall seeing in the popular
    press covering that issue. I'm sure there have probably been others that I
    didn't see or don't recall, but FWIW...


Date: Mon, 9 Apr 2012 07:49:01 -0400
From: Robert Schaefer <rps () haystack mit edu>
Subject: Updating auto software over the Internet

This new system upgrades on the fly, he said, the first such in-car
application to do so. ``It's seamless to the customer,'' Link said.  ``I have
a friend who was excited about his system upgrade, which required him to
plug in his stick and leave his car running for 45 minutes. Who wants to do
that? In a process called reflashing, the Mercedes system can turn on the
car operating system (CU), download the new application, then cut itself
off. It doesn't require you to do anything at all.''

It seems so easy, what can go wrong?

Robert Schaefer Atmospheric Sciences Group MIT Haystack Observatory
Westford, MA 01886  1-781-981-5767 http://www.haystack.mit.edu


Date: Tue, 10 Apr 2012 07:43:42 -0400
From: Robert Schaefer <rps () haystack mit edu>
Subject: FBI: Smart Meter Hacks Likely to Spread

"A series of hacks perpetrated against so-called `smart meter' installations
over the past several years may have cost a single U.S. electric utility
hundreds of millions of dollars annually, the FBI said in a cyber
intelligence bulletin obtained by KrebsOnSecurity."


Robert Schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford MA 01886 781-981-5767 http://www.haystack.mit.edu rps () haystack mit edu


Date: Mon, 9 Apr 2012 07:51:55 -0400
From: Robert Schaefer <rps () haystack mit edu>
Subject: US government hires company to hack into video game consoles

The U.S. Navy says it is looking to hack into used consoles to extract any
sensitive information exchanged through their messaging services.  The
organization says it will only use the technology on consoles belonging to
nations overseas, because the law doesn't allow it to be used on any US



Date: Mon, 09 Apr 2012 14:42:08 -0400
From: Paul Wallich <pw () panix com>
Subject: "The computer did it"

This story (and the judicial opinion linked from it) show what kinds of
trouble you can cause (and get into) when you code up financial-transaction
software without thinking about the law governing those transactions.


(Among other things, the company apparently wrote its software so that --
contrary to the loan contracts and the law -- various fees were silently
deducted from payments before applying the payments to the outstanding
balance, thus generating additional fees and so on. Even after the loans in
question had become part of bankruptcy filings, which apparently bars such
fees from being applied.) Given the money to be made (in the no-litigation
case) by re-ordering transactions, it seems quite plausible to me that the
people familiar with the law and the contract text might have accidentally
failed to stress the importance of proper sequence to the people who wrote
the code, or missed the legal implications on review. But with tens or
hundreds of thousands of cases nationwide, all presumably handled by the
same software, the liability starts adding up.


Date: Wed, 4 Apr 2012 18:03:09 -0400 (EDT)
From: Stephen Unger <unger () cs columbia edu>
Subject: Nano Particles--Giga Benefits, Giga Risks

Uses of materials in a form consisting of particles with at least one
dimension less than 100 nanometers (a nanometer is a billionth of a meter)
are proliferating at a great rate. We are seeing this exciting new
technology applied to increasing numbers of consumer products, industrial
materials, and medical procedures. And it appears that this is just the
beginning. This is the good news. The bad news is that the same properties
that make nanoparticles so useful also make them potentially dangerous, both
to humans and to the general environment. What is being done to protect us
against such hazards?

My effort to explain the situation is accessible at:

Stephen H. Unger, Professor Emeritus, Computer Science and Electrical
Engineering, Columbia University


Date: Mon, 09 Apr 2012 20:09:40 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Flaw in popular mobile apps exposes users to identity theft"
  (Ted Samson)

Ted Samson, *InfoWorld*, 9 Apr 2012
Flawed mobile apps for Facebook, Dropbox, LinkedIn, and likely others
save user authentication data as easy-to-swipe plain text files


Date: Sun, 1 Apr 2012 02:16:29 -0600
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: Police Are Using Phone Tracking as a Routine Tool (Eric Lichtblau)

[Source: Eric Lichtblau, *The New York Times*, 31 Mar 2012; PGN-ed]

Law enforcement tracking of cellphones, once the province mainly of federal
agents, has become a powerful and widely used surveillance tool for local
police officials, with hundreds of departments, large and small, often using
it aggressively with little or no court oversight, documents show.

The practice has become big business for cellphone companies, too, with a
handful of carriers marketing a catalog of "surveillance fees" to police
departments to determine a suspect's location, trace phone calls and texts
or provide other services. Some departments log dozens of traces a month for
both emergencies and routine investigations. ...


Date: Tue, 10 Apr 2012 10:25:07 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Unraveling a massive click fraud scheme (NNSquad)

  "You have heard about fraud and online advertising. You may have seen the
  Wall Street Journal video "Porn Sites Scam Advertisers", or even read the
  story at today's Wall Street Journal about "Off Screen, Porn Sites Trick
  Advertisers" (Hint: to avoid the WSJ paywall, search the title of the
  article through Google News and click from there, to read the full
  article).  Since I am intimately familiar with the story covered by WSJ
  (i.e., I was part of the team at AdSafe that uncovered it), I thought it
  would be also good to cover the technical aspects in more detail,
  uncovering the way in which this advertising fraud scheme operated.  It is
  long but (I think) interesting. It is a story of a
  one-man-making-a-million-dollar-per-month fraud scheme. It shows how a
  moderately sophisticated advertising fraud scheme can generate very
  significant monetary benefits for the fraudster: Profits of millions of
  dollars per year."
   http://j.mp/HyfRhj  (A Computer Scientist in a Business School)


Date: Tue, 10 Apr 2012 10:49:10 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: The Risks of Advertising

I listen to music off YouTube.  Lately, YouTube has changed my listening
experience.  Yes, advertisements.  Longer advertisements.

Well, it finally happened.  The full advertisement was 2:41 long.  The song
that I wanted to listen to was 2:33 long.  ("Skip Ad" is useful.)

I wonder what the advertisers who create these 2+ minute ads are thinking.

  ["Money?"  PGN]


Date: Sat, 7 Apr 2012 10:33:25 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: DRM is crushing indie booksellers online

  "DRM is supposed to prevent piracy and illegal file sharing. In order to
  provide DRM, you need at least $10,000 up front to cover software, server,
  and administration fees, plus ongoing expenses associated with the
  software. In other words, much bigger operating expenses than a small
  business can afford. By requiring retailers to encrypt e-books with DRM,
  big publishers are essentially banning indie retailers from the online
  marketplace.  DRM is like the anti-theft sensors by the doors at the
  drugstore. The sensors go off all the time, but they still can't stop a
  crafty teenager who knows how to remove a magnetic tag - nor can they stop
  criminals who break in and steal directly from the till."
  http://j.mp/Hqp35O  (paidContent, via NNSquad)


Date: Sat, 7 Apr 2012 10:40:49 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Hotspots using Deep Packet Inspection

  "After some sleuthing, Mr. Watt, who has a background in developing Web
  advertising tools, realized that the quirk was not confined to his
  site. The hotel's Internet service was secretly injecting lines of code
  into every page he visited, code that could allow it to insert ads into
  any Web page without the knowledge of the site visitor or the page's
  creator."  http://j.mp/HqpLjf  (*The New York Times* via NNSquad)


Date: Wed, 4 Apr 2012 21:16:26 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Internet Use Promotes Democracy Best in Countries Already Partially
  Free (via NNSquad)

  Researchers at Ohio State University found that the Internet spurs
  pro-democratic attitudes most in countries that already have introduced
  some reforms in that direction.  "Instead of the Internet promoting
  fundamental political change, it seems to reinforce political change in
  countries that already have at least some level of democratic freedoms


Date: Sun, 1 Apr 2012 19:00:14 -0400
From: "Bob Frankston" <bob2-39 () bobf frankston com>
Subject: Re: The Moral Network (Berninger, RISKS-26.76)

I'm not sure if I understand Dan's concerns. Letting carriers just shut down
PSTN without assuring unfettered IP connectivity would be a disaster. That's
a reason to assure connectivity rather than increasing our reliance on providers,
especially when that reliance is costing us $2 trillion dollars each year.

We need to be wary of using moral justifications to preserve the PSTN as an
artifact. Remember that many at ATT did indeed believe in the highest
traditions of serving the public good. The problem is that tradition allowed
for only one definition of "good".  The Internet is a very different concept
because it provides a way to have multiple definitions of "good". In place
of "reliability" we have "resilience" -- an important concept for Risks

In a sense the net-heads and bell-heads are both trying to do us good by our
solving problems in the network. For example, moving 9-1-1 type services
outside a network would allow us to rapidly evolve alternatives such as
sending rich information directly to fire departments. With multiple
services coexisting we don't have to force a single interconnect. What does
it even mean to interconnect inside a network?

At the heart of the problem is the idea the services are provided by the
network operators rather than created using the network. It's that meme that
enables Telia to justify blocking VoIP (http://j.mp/H5Uq1T) and Brisbane's
police to think they need to protect networks (http://j.mp/GIuwRC).


Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 26.78
