Home page logo
/

risks logo RISKS Forum mailing list archives

Risks Digest 26.86
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 30 May 2012 16:55:04 PDT

RISKS-LIST: Risks-Forum Digest  Wednesday 30 May 2012  Volume 26 : Issue 86

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.86.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Patient Died at New York VA Hospital After Alarm Was Ignored o (Ornstein/Weber
  via Monty Solomon)
Driverless cars (Martyn Thomas)
Delta overcharges some fliers because of computer glitch (Monty Solomon)
Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4 (Tobin Maginnis)
"Customers irked by Quickbooks Online outage" (Chris Kanaracus via
  Gene Wirchenko)
Vint Cerf warns Web freedom is under attack (Lauren Weinstein)
Utility network protection?  No. (PGN)
Bogus story: no Chinese backdoor in military chip (Errata Security via
  Lauren Weinstein)
RSA [In]SecureID software token (Ben Moore)
The Axis of Weevil? (PGN)
Researchers Propose Way to Thwart Fraudulent Digital Certificates
  (Brian Prince)
"iCloud user tracks down iPhone thief using photo stream" (Karen Haslam via
  Gene Wirchenko)
Web billing biz ransacked, smashed offline by hacktivists (John Leyden via
  Monty Solomon)
"New Trojan empties online customers' bank accounts"
  Gene Wirchenko)
Thailand convicts Webmaster for posted site comments (Fuller/Drew via
  Lauren Weinstein)
New York Legislation Would Ban Anonymous Online Speech (Lauren Weinstein)
UK surveillance program could expose private lives (Lauren Weinstein)
Internet Voting Still Faces Hurdles in U.S. (ACM Tech News)
IBM Outlaws Siri, Worried She Has Loose Lips (Robert McMillan via
  Monty Solomon)
"Should you care that Siri is taking notes?" (Ted Samson via Gene Wirchenko)
Re: Never Trust a Robot (Jane Hesketh)
Dag-Erling Sm=C3=B8rgrav <des () des no>
Re: Illuminating dialog with a scammer (Alister William Macintyre)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 25 May 2012 22:32:36 -0400
From: Monty Solomon <monty () roscom com>
Subject: Patient Died at New York VA Hospital After Alarm Was Ignored
  (Ornstein/Weber)

Patient Died at New York VA Hospital After Alarm Was Ignored

Charles Ornstein and Tracy Weber, ProPublica, 15 May 2012

Registered nurses at a Manhattan Veterans Affairs hospital failed to notice
a patient had become disconnected from a cardiac monitor until after his
heart had stopped and he could not be revived, according to a report Monday
from the VA inspector general.

The incident from last June was the second such death at the hospital
involving a patient connected to a monitor in a six-month period. The first,
along with two earlier deaths at a Denver VA hospital, raised questions
about nursing competency in the VA system, ProPublica reported last month.

The deaths also prompted a broader review of skills and training of VA
nurses. Only half of 29 VA facilities surveyed by the inspector general in a
recent report had adequately documented that their nurses had skills to
perform their duties. Even though some nurses "did not demonstrate
competency in one or more required skills," the government report stated,
there was no evidence of retraining. ...

http://www.propublica.org/article/patient-died-at-new-york-va-hospital-after-alarm-was-ignored

------------------------------

Date: Tue, 29 May 2012 15:36:26 +0100
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: Driverless cars

http://www.bbc.co.uk/news/technology-18248841

A convoy of self-driven cars has completed a 200km (125-mile) journey on a
Spanish motorway, in the first public test of such vehicles.  ... The cars
are fitted with special features such as cameras, radar and laser sensors -
allowing the vehicle to monitor the lead vehicle and also other vehicles in
their immediate vicinity. Using wireless communication, the vehicles in the
platoon "mimic" the lead vehicle using autonomous control - accelerating,
braking and turning in exactly the same way as the leader.  The vehicles
drove at 85kph (52mph) with the gap between each vehicle just 6m (19ft).

People think that autonomous driving is science fiction, but the fact is
that the technology is already here. From the purely conceptual viewpoint,
it works fine and road train will be around in one form or another in the
future," says Ms Wahlstroem.  "We've focused really hard on changing as
little as possible in existing systems. Everything should function without
any infrastructure changes to the roads or expensive additional components
in the cars.  Apart from the software developed as part of the project, it
is really only the wireless network installed between the cars that set them
apart from other cars available in showrooms today."

The project aims to herald a new age of relaxed driving.  According to
Volvo, drivers "can now work on their laptops, read a book or sit back and
enjoy a relaxed lunch" while driving.

What could possibly go wrong ...?

  [See Peter Houppermans's item in RISKS-26.83.  PGN]

------------------------------

Date: Sat, 19 May 2012 01:23:39 -0400
From: Monty Solomon <monty () roscom com>
Subject: Delta overcharges some fliers because of computer glitch
  (Nancy Trejos)

Nancy Trejos, *USA Today*, 15 May 2012

Delta Air Lines says a computer glitch caused inconsistencies in airfares
between fliers who were logged into the airline's website and those who were
not.  Delta spokesman Paul Skrbec told *Today in the Sky* that fares were
higher for some passengers and lower for others. The carrier has not yet
determined how many customers were affected, he said.

Minneapolis' WCCO first reported on the discrepancies after business
executives Patrick Smith and Steve Lisle, who happened to be booking flights
side-by-side from Minneapolis to St. Louis a few weeks ago, were given two
different prices for an economy seat. Lisle was not logged into his SkyMiles
account and was offered a ticket for $300 less. ...

http://travel.usatoday.com/flights/post/2012/05/delta-overcharges-some-fliers-because-of-computer-glitch/695130/1

2 Same Flights, 2 Different Prices: Frequent Flyer Discrepancies
May 15, 2012
http://minnesota.cbslocal.com/2012/05/15/2-same-flights-2-different-prices-frequent-flyer-discrepancies/

------------------------------

Date: May 30, 2012 9:07 AM
From: "Tobin Maginnis" <ptm () pix cs olemiss edu>
Subject: Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4

  [From David Farber's IP distribution.  PGN]

Your readers may like to see this Japanese documentary report on Fukushima
Daiichi Spent Fuel Pool 4 (click the the closed caption button at the bottom
to view English translation) that lays out how if supports fail in one
building it can precipitate a world-wide radio-active contamination event.

At 23:00: Shin-ichi Sano, Author:

The world had not choice but to pay attention.

Q: People have said that we must gather expertises from around the world in
order to solve the current problem. Regarding Fukushima, this has to
happen, don't you think?

A: Indeed. As you say, there is no time for silly arguments. If anything
happens, this is not just about the end of Japan, probably start of the end
of the world. I would like them to realize that we are in such crisis
situation.

A Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4
http://www.youtube.com/watch?v=zuxFQewzPjk#
Published on May 29, 2012 by Goldieluvmj

IP Archives: https://www.listbox.com/member/archive/247/=now

------------------------------

Date: Mon, 28 May 2012 10:30:52 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Customers irked by Quickbooks Online outage"

Chris Kanaracus, *IT Business*, 25 May 2012
Intuit says it has restored all customers, but angry sentiments linger.
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67640

Intuit's Quickbook on-demand accounting system was switched over to its
backup center to maintain continuity of service with continued data
replication, while upgrading the primary system to fix a detected
performance problem.  However, during this process, an unspecified error
introduced a `synchronization gap', requiring both the primary and backup
systems to be taken off-line.  5700 customers were reportedly affected, with
varying degrees of delay and difficulty.  [PGN-ed]

------------------------------

Date: Mon, 21 May 2012 09:54:11 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Vint Cerf warns Web freedom is under attack

  "Father of the Internet" Vint Cerf on Monday warned that Internet freedom
  is under threat from governments around the world, including the United
  States.  Cerf, a computer scientist who was instrumental in the Internet's
  creation, now employed by Google as its "Internet evangelist," said
  officials in the United States, United Kingdom and Europe are using
  intellectual property and cybersecurity issues "as an excuse for
  constraining what we can and can't do on the 'net."  http://j.mp/KFXskP
  (The Hill)

------------------------------

Date: Thu, 24 May 2012 6:14:08 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Utility network protection?  No.

  [Thanks to Gene Spafford.  PGN]

http://www.csmonitor.com/USA/2012/0517/Cybersecurity-How-US-utilities-passed-up-chance-to-protect-their-networks

One argument in favor of regulation because companies won't do it themselves.

------------------------------

Date: May 28, 2012 9:24:44 PM PDT
From: Lauren Weinstein <lauren () vortex com>
Subject: Bogus story: no Chinese backdoor in military chip

http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html>
 (Errata Security)

"Today's big news is that researchers have found proof of Chinese
manufacturers putting backdoors in American chips that the military uses.
This is false.  While they did find a backdoor in a popular FPGA chip, there
is no evidence the Chinese put it there, or even that it was intentionally
malicious."

  [I agree with this article's analysis.  The original story was
  cyber-scaremongering.  LW]

    [See a lengthy blog item, Bogus story: no Chinese backdoor in military
    chip.  PGN]
http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html

------------------------------

Date: Thu, 24 May 2012 16:02:56 GMT
From: "Ben Moore" <ben.moore () juno com>
Subject: RSA [In]SecureID software token

The folks at RSA are at it again. SensePost's blog discussed how to derive
the device serial number of RSA's Windows SecureID software token.

"...the device serial number is dependent on the system's host name and
current user's windows security identifier (SID). An attacker, with access
to these values, can easily calculate the target token's device serial
number and bypass the [RSA SecureID] protection."
http://www.sensepost.com/blog/7045.html

------------------------------

Date: Thu, 24 May 2012 12:04:06 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: The Axis of Weevil?

Yahoo! today released its Axis extension for Chrome -- and accidentally
leaked its private security key that could allow anyone to create malicious
plugins masquerading as official Yahoo! software

http://www.theregister.co.uk/2012/05/24/yahoo_ships_private_certificate_by_accident/
  [Thanks to Phil Porras.  PGN]

There are signs that the Axis release was just a *bit* rushed.  Users have
found chunks of the development environment in the released code, and Yahoo
appears to have accidentally included their *private* crypto signing key as
well:
  http://j.mp/Jpgmw2   (Google+)

And their Terms of Service link at the moment leads to a placeholder:
  http://j.mp/JpfKX8  (Google+)
    [Thanks to Lauren Weinstein.  PGN]

------------------------------

Date: Wed, 30 May 2012 11:24:58 -0400
From: ACM TechNews <technews () HQ ACM ORG>
Subject: Researchers Propose Way to Thwart Fraudulent Digital Certificates

Brian Prince, eWeek, 24 May 2012 [via ACM TechNews, Wednesday, May 30, 2012]

Security researchers Moxie Marlinspike and Trevor Perrin say an extension to
the transport layer security (TLS) protocol could help address spoofing
attacks on the Secure Sockets Layer certificate ecosystem.  They have
proposed an approach called Trust Assertions for Certificate Keys (TACK),
which enables a Web site to sign its TLS server's public keys with a TACK
key.  Clients can pin a hostname to the TACK key without requiring sites to
make changes to their existing certificate chains or limiting their ability
to deploy different certificate chains on different servers or change
certificate chains at any time.  Marlinspike and Perrin note that inside the
TACK is a public key and signature.  "Once a client has seen the same
[hostname, TACK public key] pair multiple times, the client will 'activate'
a pin between the hostname and TACK key for a period equal to the length of
time the pair has been observed for," the researchers say.  "This 'pin
activation' process limits the impact of bad pins resulting from transient
network attacks or operator error."  The browser will reject the session and
alert the user when it comes across a fraudulent certificate on a pinned
site.
http://www.eweek.com/c/a/Security/Researchers-Propose-Way-to-Thwart-Fraudulent-Digital-Certificates-121509/

------------------------------

Date: Fri, 25 May 2012 09:48:29 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "iCloud user tracks down iPhone thief using photo stream"
  (Karen Haslam)

http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=67617
Karen Haslam, *IT Business*, 24 May 2012
Stolen iPhone beams back photos, displayed in Facebook album

------------------------------

Date: Wed, 23 May 2012 19:38:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: Web billing biz ransacked, smashed offline by hacktivists
  (John Leyden)

WHMCS calls the Feds after credit-card megaleak
John Leyden, 22 May 2012

WHMCS, which provides billing and customer support tech to many web hosts,
was comprehensively hacked on Monday and remains offline.

Hackers tricked WHMCS's own hosting firm into handing over admin credentials
to its servers. The group that carried out the hack, UGNazi, subsequently
extracted the billing company's database before deleting files, essentially
trashing the server and leaving services unavailable in the process. The
compromised server hosted WHCMS's main website and supported customers'
installations of its technology.

UGNazi also gained access to WHMCS's Twitter account, which it used to
publicise a series of posts on Pastebin that contained links to locations
from which the billing firm's customer records and other sensitive data
might be downloaded. A total of 500,000 records, including customer credit
card details, were leaked as a result of the hack. ...

http://www.theregister.co.uk/2012/05/22/whmcs_breach/

Hacker group UGNazi leaks and deletes billing service's database

The group used social engineering to access WHMCS's customer
database, then leaked 500,000 records online
May 22, 2012
http://www.infoworld.com/t/hacking/hacker-group-ugnazi-leaks-and-deletes-billing-services-database-193867

Hackers Impersonate Web Billing Firm's Staff To Spill 500,000 Users'
Passwords And Credit Cards
May 22, 2012
http://www.forbes.com/sites/andygreenberg/2012/05/22/hackers-impersonate-web-billing-firms-staff-to-spill-500000-users-passwords-and-credit-cards/

------------------------------

Date: Wed, 23 May 2012 09:51:44 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "New Trojan empties online customers' bank accounts"

Antone Gonsalves, The Tatanga Trojan was first spotted by German banks,
cybersecurity firm Trusteer says.  *IT Business*, 22 May 2012
  http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67572

------------------------------

Date: Wed, 30 May 2012 08:29:55 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Thailand convicts Webmaster for posted site comments

  Thomas Fuller and Kevin Drew, *The New York Times*, 30 May 2012
  "Google and human rights groups reacted strongly on Wednesday to a Thai
  court's decision to convict the webmaster of an Internet message board for
  comments posted by users that insulted the Thai royal family."
  http://j.mp/KwEzjC

Unfortunately, an entirely predictable development. Ultimately, governments
want to control Internet content. They vary in their approaches and degrees,
but free expression of the sort the Internet enables, fundamentally
undermines traditional information control regimes.

  [Unblessed be the Thai that blinds.  PGN]

------------------------------

Date: Tue, 22 May 2012 13:27:13 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: New York Legislation Would Ban Anonymous Online Speech

  Did you hear the one about New York state lawmakers who forgot about the
  First Amendment in the name of combating cyberbullying and "baseless
  political attacks"?  Proposed legislation in both chambers would require
  New York-based websites, such as blogs and newspapers, to "remove any
  comments posted on his or her website by an anonymous poster unless such
  anonymous poster agrees to attach his or her name to the post." ...
  David Kravels, WiReD, 22 May 2012http://j.mp/KwmzAX

Probability that the legislators involved are opportunists and/or clueless?
  = 100%

Probability that such legislation could pass Constitutional muster? = 0%

Infuriating that they even waste time on this nonsense.

------------------------------

Date: Fri, 18 May 2012 10:38:37 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: UK surveillance program could expose private lives (NNSquad)

  "British officials have given their word: "We won't read your emails."
  But experts say the government's proposed new surveillance program will
  gather so much data that spooks won't have to read your messages to guess
  what you're up to."  http://j.mp/LeF0dS  (AP / Quad City Times)

The seriously disingenuous aspect of Kane's comments is his equating
government collection of mass header and traffic analysis data on an
involuntary basis -- with voluntary usage of Web-based services.  Trying to
equate the two in the privacy realm is fundamentally dishonest.

------------------------------

Date: Fri, 25 May 2012 11:18:19 -0400
From: ACM TechNews <technews () HQ ACM ORG>
Subject: Internet Voting Still Faces Hurdles in U.S.

More than two dozen states will accept some form of electronic or faxed
ballots in the U.S. 2012 elections, according to the Verified Voting
Foundation.  However, computer security experts contend that any system can
be hacked or manipulated, which poses a big threat to online voting systems.
"You have computer systems such as those of Google, the Pentagon, and
Facebook, which have all fallen victim to intrusion," notes University of
Michigan computer scientist J. Alex Halderman.  Meanwhile, other countries
are moving forward with Internet voting plans.  For example, French citizens
living abroad this year will be able to vote on the Internet in a
parliamentary election.  In Estonia, a record 25 percent of voters cast
Internet ballots in 2011.  In the United States, election officials are
examining the costs of the technology while struggling with how to make
voting more accessible, says Ohio deputy election administrator Matt
Masterson.  He notes online voting can help boost participation and address
the issue of voters who cannot get to a polling station.  The U.S. National
Institute of Standards and Technology recently concluded that Internet
voting systems cannot currently be audited with a comparable level of
confidence in the audit results as those for polling stations.  [Agence
France-Presse, 24 May 2012]
  http://www.turkishpress.com/news.asp?id=382334

------------------------------

Date: Tue, 22 May 2012 21:18:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: IBM Outlaws Siri, Worried She Has Loose Lips (Robert McMillan)

Robert McMillan, 22 May 2012

If you work for IBM, you can bring your iPhone to work, but forget about
using the phone's voice-activated digital assistant. Siri isn't welcome on
Big Blue's networks.

The reason? Siri ships everything you say to her to a big data center in
Maiden, North Carolina. And the story of what really happens to all of your
Siri-launched searches, e-mail messages and inappropriate jokes is a bit of
a black box.

IBM CIO Jeanette Horan told MIT's Technology Review this week that her
company has banned Siri outright because, according to the magazine, "The
company worries that the spoken queries might be stored somewhere."

It turns out that Horan is right to worry. In fact, Apple's iPhone Software
License Agreement spells this out: "When you use Siri or Dictation, the
things you say will be recorded and sent to Apple in order to convert what
you say into text," Apple says. Siri collects a bunch of other information -
names of people from your address book and other unspecified user data, all
to help Siri do a better job.

How long does Apple store all of this stuff, and who gets a look at it?
Well, the company doesn't actually say. Again, from the user agreement: "By
using Siri or Dictation, you agree and consent to Apple's and its
subsidiaries' and agents' transmission, collection, maintenance, processing,
and use of this information, including your voice input and User Data, to
provide and improve Siri, Dictation, and other Apple products and services."

Because some of the data that Siri collects can be very personal, the
American Civil Liberties Union put out a warning about Siri just a couple of
months ago. ...

http://www.wired.com/wiredenterprise/2012/05/ibm-bans-siri/

Note to Self: Siri Not Just Working for Me, Working Full-Time for Apple, Too
By Nicole Ozer, ACLU of Northern California (Mar 12, 2012 at 10:00 am)
https://www.aclunc.org/issues/technology/blog/note_to_self_siri_not_just_working_for_me,_working_full-time_for_apple,_too.shtml

------------------------------

Date: Fri, 25 May 2012 09:24:25 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Should you care that Siri is taking notes?" (Ted Samson)

Ted Samson, InfoWorld, InfoWorld Tech Watch, 25 May 2012
Should you care that Siri is taking notes?
IBM blocks Siri on networked devices even as it acknowledges it sees
no threat in Apple capturing voice commands from users
http://www.infoworld.com/t/data-security/should-you-care-siri-taking-notes-194136

opening paragraph:

If you ask Siri, the iPhone's voice-controlled personal assistant, to
schedule a sales meeting with a potential new client at a restaurant across
town, Siri will dutifully carry out your command (barring any service
hiccups) -- and send that information to server farm in North Carolina to be
converted into text and saved. That revelation has bubbled up in the tech
world after IBM CIO Jeanette Horan recently told MIT's Technology Review
that Big Blue blocks Siri on employees' iOS devices because Apple stores
potentially sensitive voice-inputted data.

------------------------------

Date: Sat, 19 May 2012 12:10:31 +0100
From: Jane Hesketh <>
Subject: Re: Never Trust a Robot (RISKS-26.83)

As a cruising sailor of some years experience, I'd like to point out that
there is a simpler explanation for the sad accident than the one where
experienced sailors fail to use electronic charts sensibly.

The maximum hull speed of a Hunter 376 (the boat in the incident) is 7.6
knots (8.75 mph / 14.1kph). Enough to hit the rocks, but not at car-crash
speeds.  People sailing or motoring at this speed try to take the quickest
course. If there is an obstruction, common practice is to set a GPS waypoint
close to it (good) or even on it (bad) with an alarm, so that on reaching it
you are prompted to change course to go round.  These alarms aren't loud,
they're only intended to alert someone in the cockpit, not wake the whole
boat. If there is only one person on watch, and they fail to respond and
change course, depending on the boat's electronic systems it is entirely
possible that it will just keep going on the current course. If the crew
member on watch has fallen overboard, maybe trying to fix a problem or (if
male) is relieving himself over the side and loses his balance - a
depressingly common occurrence - that is what will happen. Reports say the
middle-aged male skipper was found separate from the others.  Unless the
rest of the crew are alerted quickly, the casualty is left behind and the
boat sails on potentially unsupervised.

In this scenario there are still RISKS of course. Firstly making it easy to
have a single point of failure. Technology helps people sail more
short-handed than was once the case. The racing yachts would more likely
have a number of people active on board, who would notice if someone fell
off and hear an alert even one crew member down. Secondly technology's
inability to operate beyond the world it is designed for, to recognise when
it is outside its competence.

------------------------------

Date: Tue, 29 May 2012 12:31:33 +0200
From: Dag-Erling Sm=C3=B8rgrav <des () des no>
Subject: Re: Disruptions: Indiscreet Photos, Glimpsed Then Gone (RISKS-26.83)

http://www.youtube.com/watch?v=IFe9wiDfb0E

That link doesn't seem to work any more.
  [It does.  I failed to delete two extra `3D' strings that your mail system
  coerces. Now fixed.  PGN]

Here's the original:
  http://www.tomscott.com/life/

I should have probably have provided a summary: the video is an artist's
impression of what you'd see if your consciousness was uploaded to silicon
upon your death.  It includes a sequence where the system edits the
subject's memories to remove all occurrences of copyrighted works because
the subject's estate can't afford the $19,000 monthly licensing fee.

------------------------------

Date: Mon, 28 May 2012 15:09:58 -0500
From: "Al Mac Wow = Alister William Macintyre" <macwheel99 () wowway com>
Subject: Re: Illuminating dialog with a scammer

There are several variations on this phone call phishing, which I think is a
great risk to unsophisticated PC users.  I have had several calls where I
suspect this criminal underworld now has a data base of info they elicited
from me in prior scam calls, to try to refine their technique.

They now know I have two PCs in my house, and can tell me which one they are
calling about.

Internet Storm Center (ISC of SANS) is now tracking those Phishing phone
calls, in Indian accent, which say they are from Microsoft Support, or some
such variation. If you get one, you can now add your experiences to their
statistics.

https://isc.sans.edu/reportfakecall.html

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.86
************************
precedence: bulk
Subject: Risks Digest 26.86

RISKS-LIST: Risks-Forum Digest  Wednesday 30 May 2012  Volume 26 : Issue 86

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.86.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Patient Died at New York VA Hospital After Alarm Was Ignored (Ornstein/Weber
  via Monty Solomon)
Driverless cars (Martyn Thomas)
Delta overcharges some fliers because of computer glitch (Monty Solomon)
Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4 (Tobin Maginnis)
"Customers irked by Quickbooks Online outage" (Chris Kanaracus via
  Gene Wirchenko)
Vint Cerf warns Web freedom is under attack (Lauren Weinstein)
Utility network protection?  No. (PGN)
Bogus story: no Chinese backdoor in military chip (Errata Security via
  Lauren Weinstein)
RSA [In]SecureID software token (Ben Moore)
The Axis of Weevil? (PGN)
Researchers Propose Way to Thwart Fraudulent Digital Certificates
  (Brian Prince)
"iCloud user tracks down iPhone thief using photo stream" (Karen Haslam via
  Gene Wirchenko)
Web billing biz ransacked, smashed offline by hacktivists (John Leyden via
  Monty Solomon)
"New Trojan empties online customers' bank accounts"
  Gene Wirchenko)
Thailand convicts Webmaster for posted site comments (Fuller/Drew via
  Lauren Weinstein)
New York Legislation Would Ban Anonymous Online Speech (Lauren Weinstein)
UK surveillance program could expose private lives (Lauren Weinstein)
Internet Voting Still Faces Hurdles in U.S. (ACM Tech News)
IBM Outlaws Siri, Worried She Has Loose Lips (Robert McMillan via
  Monty Solomon)
"Should you care that Siri is taking notes?" (Ted Samson via Gene Wirchenko)
Re: Never Trust a Robot (Jane Hesketh)
Re: Disruptions: Indiscreet Photos, Glimpsed Then Gone (Dag-Erling Sm?rgrav)
Re: Illuminating dialog with a scammer (Alister William Macintyre)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 25 May 2012 22:32:36 -0400
From: Monty Solomon <monty () roscom com>
Subject: Patient Died at New York VA Hospital After Alarm Was Ignored
  (Ornstein/Weber)

Patient Died at New York VA Hospital After Alarm Was Ignored

Charles Ornstein and Tracy Weber, ProPublica, 15 May 2012

Registered nurses at a Manhattan Veterans Affairs hospital failed to notice
a patient had become disconnected from a cardiac monitor until after his
heart had stopped and he could not be revived, according to a report Monday
from the VA inspector general.

The incident from last June was the second such death at the hospital
involving a patient connected to a monitor in a six-month period. The first,
along with two earlier deaths at a Denver VA hospital, raised questions
about nursing competency in the VA system, ProPublica reported last month.

The deaths also prompted a broader review of skills and training of VA
nurses. Only half of 29 VA facilities surveyed by the inspector general in a
recent report had adequately documented that their nurses had skills to
perform their duties. Even though some nurses "did not demonstrate
competency in one or more required skills," the government report stated,
there was no evidence of retraining. ...

http://www.propublica.org/article/patient-died-at-new-york-va-hospital-after-alarm-was-ignored

------------------------------

Date: Tue, 29 May 2012 15:36:26 +0100
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: Driverless cars

http://www.bbc.co.uk/news/technology-18248841

A convoy of self-driven cars has completed a 200km (125-mile) journey on a
Spanish motorway, in the first public test of such vehicles.  ... The cars
are fitted with special features such as cameras, radar and laser sensors -
allowing the vehicle to monitor the lead vehicle and also other vehicles in
their immediate vicinity. Using wireless communication, the vehicles in the
platoon "mimic" the lead vehicle using autonomous control - accelerating,
braking and turning in exactly the same way as the leader.  The vehicles
drove at 85kph (52mph) with the gap between each vehicle just 6m (19ft).

People think that autonomous driving is science fiction, but the fact is
that the technology is already here. From the purely conceptual viewpoint,
it works fine and road train will be around in one form or another in the
future," says Ms Wahlstroem.  "We've focused really hard on changing as
little as possible in existing systems. Everything should function without
any infrastructure changes to the roads or expensive additional components
in the cars.  Apart from the software developed as part of the project, it
is really only the wireless network installed between the cars that set them
apart from other cars available in showrooms today."

The project aims to herald a new age of relaxed driving.  According to
Volvo, drivers "can now work on their laptops, read a book or sit back and
enjoy a relaxed lunch" while driving.

What could possibly go wrong ...?

  [See Peter Houppermans's item in RISKS-26.83.  PGN]

------------------------------

Date: Sat, 19 May 2012 01:23:39 -0400
From: Monty Solomon <monty () roscom com>
Subject: Delta overcharges some fliers because of computer glitch
  (Nancy Trejos)

Nancy Trejos, *USA Today*, 15 May 2012

Delta Air Lines says a computer glitch caused inconsistencies in airfares
between fliers who were logged into the airline's website and those who were
not.  Delta spokesman Paul Skrbec told *Today in the Sky* that fares were
higher for some passengers and lower for others. The carrier has not yet
determined how many customers were affected, he said.

Minneapolis' WCCO first reported on the discrepancies after business
executives Patrick Smith and Steve Lisle, who happened to be booking flights
side-by-side from Minneapolis to St. Louis a few weeks ago, were given two
different prices for an economy seat. Lisle was not logged into his SkyMiles
account and was offered a ticket for $300 less. ...

http://travel.usatoday.com/flights/post/2012/05/delta-overcharges-some-fliers-because-of-computer-glitch/695130/1

2 Same Flights, 2 Different Prices: Frequent Flyer Discrepancies
May 15, 2012
http://minnesota.cbslocal.com/2012/05/15/2-same-flights-2-different-prices-frequent-flyer-discrepancies/

------------------------------

Date: May 30, 2012 9:07 AM
From: "Tobin Maginnis" <ptm () pix cs olemiss edu>
Subject: Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4

  [From David Farber's IP distribution.  PGN]

Your readers may like to see this Japanese documentary report on Fukushima
Daiichi Spent Fuel Pool 4 (click the the closed caption button at the bottom
to view English translation) that lays out how if supports fail in one
building it can precipitate a world-wide radio-active contamination event.

At 23:00: Shin-ichi Sano, Author:

The world had not choice but to pay attention.

Q: People have said that we must gather expertises from around the world in
order to solve the current problem. Regarding Fukushima, this has to
happen, don't you think?

A: Indeed. As you say, there is no time for silly arguments. If anything
happens, this is not just about the end of Japan, probably start of the end
of the world. I would like them to realize that we are in such crisis
situation.

A Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4
http://www.youtube.com/watch?v=zuxFQewzPjk#
Published on May 29, 2012 by Goldieluvmj

IP Archives: https://www.listbox.com/member/archive/247/=now

------------------------------

Date: Mon, 28 May 2012 10:30:52 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Customers irked by Quickbooks Online outage"

Chris Kanaracus, *IT Business*, 25 May 2012
Intuit says it has restored all customers, but angry sentiments linger.
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67640

Intuit's Quickbook on-demand accounting system was switched over to its
backup center to maintain continuity of service with continued data
replication, while upgrading the primary system to fix a detected
performance problem.  However, during this process, an unspecified error
introduced a `synchronization gap', requiring both the primary and backup
systems to be taken off-line.  5700 customers were reportedly affected, with
varying degrees of delay and difficulty.  [PGN-ed]

------------------------------

Date: Mon, 21 May 2012 09:54:11 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Vint Cerf warns Web freedom is under attack

  "Father of the Internet" Vint Cerf on Monday warned that Internet freedom
  is under threat from governments around the world, including the United
  States.  Cerf, a computer scientist who was instrumental in the Internet's
  creation, now employed by Google as its "Internet evangelist," said
  officials in the United States, United Kingdom and Europe are using
  intellectual property and cybersecurity issues "as an excuse for
  constraining what we can and can't do on the 'net."  http://j.mp/KFXskP
  (The Hill)

------------------------------

Date: Thu, 24 May 2012 6:14:08 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Utility network protection?  No.

  [Thanks to Gene Spafford.  PGN]

http://www.csmonitor.com/USA/2012/0517/Cybersecurity-How-US-utilities-passed-up-chance-to-protect-their-networks

One argument in favor of regulation because companies won't do it themselves.

------------------------------

Date: May 28, 2012 9:24:44 PM PDT
From: Lauren Weinstein <lauren () vortex com>
Subject: Bogus story: no Chinese backdoor in military chip

http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html>
 (Errata Security)

"Today's big news is that researchers have found proof of Chinese
manufacturers putting backdoors in American chips that the military uses.
This is false.  While they did find a backdoor in a popular FPGA chip, there
is no evidence the Chinese put it there, or even that it was intentionally
malicious."

  [I agree with this article's analysis.  The original story was
  cyber-scaremongering.  LW]

    [See a lengthy blog item, Bogus story: no Chinese backdoor in military
    chip.  PGN]
http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html

------------------------------

Date: Thu, 24 May 2012 16:02:56 GMT
From: "Ben Moore" <ben.moore () juno com>
Subject: RSA [In]SecureID software token

The folks at RSA are at it again. SensePost's blog discussed how to derive
the device serial number of RSA's Windows SecureID software token.

"...the device serial number is dependent on the system's host name and
current user's windows security identifier (SID). An attacker, with access
to these values, can easily calculate the target token's device serial
number and bypass the [RSA SecureID] protection."
http://www.sensepost.com/blog/7045.html

------------------------------

Date: Thu, 24 May 2012 12:04:06 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: The Axis of Weevil?

Yahoo! today released its Axis extension for Chrome -- and accidentally
leaked its private security key that could allow anyone to create malicious
plugins masquerading as official Yahoo! software

http://www.theregister.co.uk/2012/05/24/yahoo_ships_private_certificate_by_accident/
  [Thanks to Phil Porras.  PGN]

There are signs that the Axis release was just a *bit* rushed.  Users have
found chunks of the development environment in the released code, and Yahoo
appears to have accidentally included their *private* crypto signing key as
well:
  http://j.mp/Jpgmw2   (Google+)

And their Terms of Service link at the moment leads to a placeholder:
  http://j.mp/JpfKX8  (Google+)
    [Thanks to Lauren Weinstein.  PGN]

------------------------------

Date: Wed, 30 May 2012 11:24:58 -0400
From: ACM TechNews <technews () HQ ACM ORG>
Subject: Researchers Propose Way to Thwart Fraudulent Digital Certificates

Brian Prince, eWeek, 24 May 2012 [via ACM TechNews, Wednesday, May 30, 2012]

Security researchers Moxie Marlinspike and Trevor Perrin say an extension to
the transport layer security (TLS) protocol could help address spoofing
attacks on the Secure Sockets Layer certificate ecosystem.  They have
proposed an approach called Trust Assertions for Certificate Keys (TACK),
which enables a Web site to sign its TLS server's public keys with a TACK
key.  Clients can pin a hostname to the TACK key without requiring sites to
make changes to their existing certificate chains or limiting their ability
to deploy different certificate chains on different servers or change
certificate chains at any time.  Marlinspike and Perrin note that inside the
TACK is a public key and signature.  "Once a client has seen the same
[hostname, TACK public key] pair multiple times, the client will 'activate'
a pin between the hostname and TACK key for a period equal to the length of
time the pair has been observed for," the researchers say.  "This 'pin
activation' process limits the impact of bad pins resulting from transient
network attacks or operator error."  The browser will reject the session and
alert the user when it comes across a fraudulent certificate on a pinned
site.
http://www.eweek.com/c/a/Security/Researchers-Propose-Way-to-Thwart-Fraudulent-Digital-Certificates-121509/

------------------------------

Date: Fri, 25 May 2012 09:48:29 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "iCloud user tracks down iPhone thief using photo stream"
  (Karen Haslam)

http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=67617
Karen Haslam, *IT Business*, 24 May 2012
Stolen iPhone beams back photos, displayed in Facebook album

------------------------------

Date: Wed, 23 May 2012 19:38:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: Web billing biz ransacked, smashed offline by hacktivists
  (John Leyden)

WHMCS calls the Feds after credit-card megaleak
John Leyden, 22 May 2012

WHMCS, which provides billing and customer support tech to many web hosts,
was comprehensively hacked on Monday and remains offline.

Hackers tricked WHMCS's own hosting firm into handing over admin credentials
to its servers. The group that carried out the hack, UGNazi, subsequently
extracted the billing company's database before deleting files, essentially
trashing the server and leaving services unavailable in the process. The
compromised server hosted WHCMS's main website and supported customers'
installations of its technology.

UGNazi also gained access to WHMCS's Twitter account, which it used to
publicise a series of posts on Pastebin that contained links to locations
from which the billing firm's customer records and other sensitive data
might be downloaded. A total of 500,000 records, including customer credit
card details, were leaked as a result of the hack. ...

http://www.theregister.co.uk/2012/05/22/whmcs_breach/

Hacker group UGNazi leaks and deletes billing service's database

The group used social engineering to access WHMCS's customer
database, then leaked 500,000 records online
May 22, 2012
http://www.infoworld.com/t/hacking/hacker-group-ugnazi-leaks-and-deletes-billing-services-database-193867

Hackers Impersonate Web Billing Firm's Staff To Spill 500,000 Users'
Passwords And Credit Cards
May 22, 2012
http://www.forbes.com/sites/andygreenberg/2012/05/22/hackers-impersonate-web-billing-firms-staff-to-spill-500000-users-passwords-and-credit-cards/

------------------------------

Date: Wed, 23 May 2012 09:51:44 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "New Trojan empties online customers' bank accounts"

Antone Gonsalves, The Tatanga Trojan was first spotted by German banks,
cybersecurity firm Trusteer says.  *IT Business*, 22 May 2012
  http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67572

------------------------------

Date: Wed, 30 May 2012 08:29:55 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Thailand convicts Webmaster for posted site comments

  Thomas Fuller and Kevin Drew, *The New York Times*, 30 May 2012
  "Google and human rights groups reacted strongly on Wednesday to a Thai
  court's decision to convict the webmaster of an Internet message board for
  comments posted by users that insulted the Thai royal family."
  http://j.mp/KwEzjC

Unfortunately, an entirely predictable development. Ultimately, governments
want to control Internet content. They vary in their approaches and degrees,
but free expression of the sort the Internet enables, fundamentally
undermines traditional information control regimes.

  [Unblessed be the Thai that blinds.  PGN]

------------------------------

Date: Tue, 22 May 2012 13:27:13 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: New York Legislation Would Ban Anonymous Online Speech

  Did you hear the one about New York state lawmakers who forgot about the
  First Amendment in the name of combating cyberbullying and "baseless
  political attacks"?  Proposed legislation in both chambers would require
  New York-based websites, such as blogs and newspapers, to "remove any
  comments posted on his or her website by an anonymous poster unless such
  anonymous poster agrees to attach his or her name to the post." ...
  David Kravels, WiReD, 22 May 2012http://j.mp/KwmzAX

Probability that the legislators involved are opportunists and/or clueless?
  = 100%

Probability that such legislation could pass Constitutional muster? = 0%

Infuriating that they even waste time on this nonsense.

------------------------------

Date: Fri, 18 May 2012 10:38:37 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: UK surveillance program could expose private lives (NNSquad)

  "British officials have given their word: "We won't read your emails."
  But experts say the government's proposed new surveillance program will
  gather so much data that spooks won't have to read your messages to guess
  what you're up to."  http://j.mp/LeF0dS  (AP / Quad City Times)

The seriously disingenuous aspect of Kane's comments is his equating
government collection of mass header and traffic analysis data on an
involuntary basis -- with voluntary usage of Web-based services.  Trying to
equate the two in the privacy realm is fundamentally dishonest.

------------------------------

Date: Fri, 25 May 2012 11:18:19 -0400
From: ACM TechNews <technews () HQ ACM ORG>
Subject: Internet Voting Still Faces Hurdles in U.S.

More than two dozen states will accept some form of electronic or faxed
ballots in the U.S. 2012 elections, according to the Verified Voting
Foundation.  However, computer security experts contend that any system can
be hacked or manipulated, which poses a big threat to online voting systems.
"You have computer systems such as those of Google, the Pentagon, and
Facebook, which have all fallen victim to intrusion," notes University of
Michigan computer scientist J. Alex Halderman.  Meanwhile, other countries
are moving forward with Internet voting plans.  For example, French citizens
living abroad this year will be able to vote on the Internet in a
parliamentary election.  In Estonia, a record 25 percent of voters cast
Internet ballots in 2011.  In the United States, election officials are
examining the costs of the technology while struggling with how to make
voting more accessible, says Ohio deputy election administrator Matt
Masterson.  He notes online voting can help boost participation and address
the issue of voters who cannot get to a polling station.  The U.S. National
Institute of Standards and Technology recently concluded that Internet
voting systems cannot currently be audited with a comparable level of
confidence in the audit results as those for polling stations.  [Agence
France-Presse, 24 May 2012]
  http://www.turkishpress.com/news.asp?id=382334

------------------------------

Date: Tue, 22 May 2012 21:18:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: IBM Outlaws Siri, Worried She Has Loose Lips (Robert McMillan)

Robert McMillan, 22 May 2012

If you work for IBM, you can bring your iPhone to work, but forget about
using the phone's voice-activated digital assistant. Siri isn't welcome on
Big Blue's networks.

The reason? Siri ships everything you say to her to a big data center in
Maiden, North Carolina. And the story of what really happens to all of your
Siri-launched searches, e-mail messages and inappropriate jokes is a bit of
a black box.

IBM CIO Jeanette Horan told MIT's Technology Review this week that her
company has banned Siri outright because, according to the magazine, "The
company worries that the spoken queries might be stored somewhere."

It turns out that Horan is right to worry. In fact, Apple's iPhone Software
License Agreement spells this out: "When you use Siri or Dictation, the
things you say will be recorded and sent to Apple in order to convert what
you say into text," Apple says. Siri collects a bunch of other information -
names of people from your address book and other unspecified user data, all
to help Siri do a better job.

How long does Apple store all of this stuff, and who gets a look at it?
Well, the company doesn't actually say. Again, from the user agreement: "By
using Siri or Dictation, you agree and consent to Apple's and its
subsidiaries' and agents' transmission, collection, maintenance, processing,
and use of this information, including your voice input and User Data, to
provide and improve Siri, Dictation, and other Apple products and services."

Because some of the data that Siri collects can be very personal, the
American Civil Liberties Union put out a warning about Siri just a couple of
months ago. ...

http://www.wired.com/wiredenterprise/2012/05/ibm-bans-siri/

Note to Self: Siri Not Just Working for Me, Working Full-Time for Apple, Too
By Nicole Ozer, ACLU of Northern California (Mar 12, 2012 at 10:00 am)
https://www.aclunc.org/issues/technology/blog/note_to_self_siri_not_just_working_for_me,_working_full-time_for_apple,_too.shtml

------------------------------

Date: Fri, 25 May 2012 09:24:25 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Should you care that Siri is taking notes?" (Ted Samson)

Ted Samson, InfoWorld, InfoWorld Tech Watch, 25 May 2012
Should you care that Siri is taking notes?
IBM blocks Siri on networked devices even as it acknowledges it sees
no threat in Apple capturing voice commands from users
http://www.infoworld.com/t/data-security/should-you-care-siri-taking-notes-194136

opening paragraph:

If you ask Siri, the iPhone's voice-controlled personal assistant, to
schedule a sales meeting with a potential new client at a restaurant across
town, Siri will dutifully carry out your command (barring any service
hiccups) -- and send that information to server farm in North Carolina to be
converted into text and saved. That revelation has bubbled up in the tech
world after IBM CIO Jeanette Horan recently told MIT's Technology Review
that Big Blue blocks Siri on employees' iOS devices because Apple stores
potentially sensitive voice-inputted data.

------------------------------

Date: Sat, 19 May 2012 12:10:31 +0100
From: Jane Hesketh <>
Subject: Re: Never Trust a Robot (RISKS-26.83)

As a cruising sailor of some years experience, I'd like to point out that
there is a simpler explanation for the sad accident than the one where
experienced sailors fail to use electronic charts sensibly.

The maximum hull speed of a Hunter 376 (the boat in the incident) is 7.6
knots (8.75 mph / 14.1kph). Enough to hit the rocks, but not at car-crash
speeds.  People sailing or motoring at this speed try to take the quickest
course. If there is an obstruction, common practice is to set a GPS waypoint
close to it (good) or even on it (bad) with an alarm, so that on reaching it
you are prompted to change course to go round.  These alarms aren't loud,
they're only intended to alert someone in the cockpit, not wake the whole
boat. If there is only one person on watch, and they fail to respond and
change course, depending on the boat's electronic systems it is entirely
possible that it will just keep going on the current course. If the crew
member on watch has fallen overboard, maybe trying to fix a problem or (if
male) is relieving himself over the side and loses his balance - a
depressingly common occurrence - that is what will happen. Reports say the
middle-aged male skipper was found separate from the others.  Unless the
rest of the crew are alerted quickly, the casualty is left behind and the
boat sails on potentially unsupervised.

In this scenario there are still RISKS of course. Firstly making it easy to
have a single point of failure. Technology helps people sail more
short-handed than was once the case. The racing yachts would more likely
have a number of people active on board, who would notice if someone fell
off and hear an alert even one crew member down. Secondly technology's
inability to operate beyond the world it is designed for, to recognise when
it is outside its competence.

------------------------------

Date: Tue, 29 May 2012 12:31:33 +0200
From: Dag-Erling Sm=C3=B8rgrav <des () des no>
Subject: Re: Disruptions: Indiscreet Photos, Glimpsed Then Gone (RISKS-26.83)

http://www.youtube.com/watch?v=IFe9wiDfb0E

That link doesn't seem to work any more.
  [It does.  I failed to delete two extra `3D' strings that your mail system
  coerces. Now fixed.  PGN]

Here's the original:
  http://www.tomscott.com/life/

I should have probably have provided a summary: the video is an artist's
impression of what you'd see if your consciousness was uploaded to silicon
upon your death.  It includes a sequence where the system edits the
subject's memories to remove all occurrences of copyrighted works because
the subject's estate can't afford the $19,000 monthly licensing fee.

------------------------------

Date: Mon, 28 May 2012 15:09:58 -0500
From: "Al Mac Wow = Alister William Macintyre" <macwheel99 () wowway com>
Subject: Re: Illuminating dialog with a scammer

There are several variations on this phone call phishing, which I think is a
great risk to unsophisticated PC users.  I have had several calls where I
suspect this criminal underworld now has a data base of info they elicited
from me in prior scam calls, to try to refine their technique.

They now know I have two PCs in my house, and can tell me which one they are
calling about.

Internet Storm Center (ISC of SANS) is now tracking those Phishing phone
calls, in Indian accent, which say they are from Microsoft Support, or some
such variation. If you get one, you can now add your experiences to their
statistics.

https://isc.sans.edu/reportfakecall.html

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.86
************************


  By Date           By Thread  

Current thread:
  • Risks Digest 26.86 RISKS List Owner (May 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault