Home page logo
/

risks logo RISKS Forum mailing list archives

Risks Digest 26.93
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 19 Jul 2012 15:17:51 PDT

RISKS-LIST: Risks-Forum Digest  Thursday 19 July 2012  Volume 26 : Issue 93

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.93.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Washington State wants to register voters via Facebook (Peter Houppermans)
Facebook security 'checkpoint' hits user roadblock (Antone Gonsalves via
  Gene Wirchenko)
Passwords leaked from Yahoo: Boozy, preachy, angry -- and easy (Stephen
  Lawson via Gene Wirchenko)
Bitcoinica exchange funds hacked, again (Mark Thorson)
Accidents due to confusion of units of measurement (jidanni)
Mom accessed school system 110 times to change kids' grades
  (Emil Protalinski via Monty Solomon)
Online identity theft up 200% since 2010 (Emil Protalinski via
  Monty Solomon)
Warning: Scams surrounding 2012 Olympics have already begun
  (Emil Protalinski via Monty Solomon)
"GPS watch to keep tabs on kids, seniors could hit Canada by autumn"
  (Christine Wong via Gene Wirchenko)
Re: FDA spied on its own people - and then the evidence leaked
  (Steven J Klein, Ken Knowlton)
Re: In the UK, encryption implies potential guilt? (David Alexandero
Re: Major Snafu in New Zealand Election was 'Human Error' (Gregor Ronald)
Re: Taxing old browsers out of existence (Dimitri Maziuk, Henry Baker,
  Jonathan Kamens, Arthur T.)
Re: Privacy trumps cybersecurity! (Dick Mills)
"Apple wins patent for transparent scroll bar" (Gene Wirchenko)
Re: Announcement of civil timekeeping meeting (J R Stockton)
Tests (Monty Solomon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 18 Jul 2012 13:46:09 +0200
From: Peter Houppermans <peter () houppermans com>
Subject: Washington State wants to register voters via Facebook

  "Facebook users in Washington state will have something else to brag about
  to their online friends: that they registered to vote on Facebook.  The
  secretary of state's office said Tuesday it will have an application on
  its Facebook page that allows residents to register to vote and then
  "like" the application and recommend it to their friends. It's expected to
  launch as early as next week."
http://hosted.ap.org/dynamic/stories/U/US_VOTER_REGISTRATION_FACEBOOK?SITE=CAANR&SECTION=HOME&TEMPLATE=DEFAULT

Pay particular attention to the bright idea to get users used to trusting
page overlays on Facebook.  With "friends" like that..

  [... presumably with multiple aliases and personas, as well.  An obvious
  next step might be legislation requiring would-be voters to cast their
  votes on Facebook or other social networking media.  That would clearly
  solve all our concerns for security, integrity, equal access, and privacy?
  PGN]

------------------------------

Date: Tue, 17 Jul 2012 13:09:44 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: Facebook security 'checkpoint' hits user roadblock (Antone Gonsalves)

Antone Gonsalves, *InfoWorld*, 13 Jul 2012
Facebook security 'checkpoint' hits user roadblock;
Some Facebook users say their accounts were locked when they tried to
use the new Malware Checkpoint service
https://www.infoworld.com/d/security/facebook-security-checkpoint-hits-user-roadblock-197716

------------------------------

Date: Tue, 17 Jul 2012 13:13:17 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: Passwords leaked from Yahoo: Boozy, preachy, angry -- and easy
  (Stephen Lawson)

Stephen Lawson, *InfoWorld*, 13 Jul 2012
Passwords leaked from Yahoo: Boozy, preachy, angry -- and easy;
The account passwords taken from a Yahoo database reveal much about
users, good and bad
https://www.infoworld.com/d/security/passwords-leaked-yahoo-boozy-preachy-angry-and-easy-197696

------------------------------

Date: Tue, 17 Jul 2012 16:14:24 -0700
From: Mark Thorson <eee () sonic net>
Subject: Bitcoinica exchange funds hacked, again

After the Bitcoinica exchange for the Bitcoin cryptocybercurrency was hacked
in May, they changed all their passwords but they did not change an
uncompromised password they used on another system.  Unfortunately that
password was the same as one of the compromised passwords.  Oops.  About
USD$350,000 gone.

http://siliconangle.com/blog/2012/07/16/bitcoinica-cant-catch-a-break-recent-breach-hemorrhages-40000-btc/

------------------------------

Date: Thu, 19 Jul 2012 09:41:12 +0800
From: jidanni () jidanni org
Subject: Accidents due to confusion of units of measurement

Don't forget your units, programmer dudes.
  http://en.wikipedia.org/wiki/Metrication#Accidents_and_incidents

... ran out of fuel in mid-flight. The incident was caused, in a large part,
by the confusion over the conversion among litres, kilograms, and pounds,
resulting in the aircraft receiving 22,300 pounds of fuel instead of the
required 22,300 kg.

... approximately 10 - 12% of bridge strikes involved foreign lorries.  This
is disproportionately high in terms of the number of foreign lorries on the
road network.

------------------------------

Date: Thu, 19 Jul 2012 13:01:51 -0400
From: Monty Solomon <monty () roscom com>
Subject: Mom accessed school system 110 times to change kids' grades

Summary: A former secretary successfully changed her daughter's grade from
an F to an M and her son's grade from a 98 to a 99. She used the school
district's superintendent's password to pull off the deeds.

45-year-old Catherine Venusto allegedly changed her children's grades by
using passwords she obtained while working for their school district. She
was charged with three counts each of unlawful use of a computer and
computer trespass. The former secretary was arraigned Wednesday on a
half-dozen felony counts and released on $30,000 unsecured bail, court
records show. State police say she admitted changing the grades, and while
she agreed her actions were unethical, she didn't think they were
illegal. ...  [Source: Emil Protalinski, ZDNet, 19 Jul 2012]
http://www.zdnet.com/mom-accessed-school-system-110-times-to-change-kids-grades-7000001230/

------------------------------

Date: Thu, 19 Jul 2012 13:01:51 -0400
From: Monty Solomon <monty () roscom com>
Subject: Online identity theft up 200% since 2010

Summary: Following the recent slew of attacks against various websites that
resulted in millions of user accounts being compromised, comes this little
statistic: fraudsters traded 12 million pieces of personal information
online in just Q1 2012.

In Q1 2012, fraudsters traded 12 million pieces of personal information
online, or a 200 percent increase over 2010. Most people were unaware their
identity had been stolen until they were denied access to
something. Identity theft victims commonly experience refusal of loans or
credit cards (14 percent), debts being run up in their name (9 percent),
refusal of mobile phone contracts (7 percent), and being chased by debt
collectors for money they do not owe (7 percent). ...
  [Source: Emil Protalinski, ZDNet, 19 Jul 2012]
http://www.zdnet.com/online-identity-theft-up-200-since-2010-7000001170/

------------------------------

Date: Thu, 19 Jul 2012 13:01:51 -0400
From: Monty Solomon <monty () roscom com>
Subject: Warning: Scams surrounding 2012 Olympics have already begun
  (Emil Protalinski)

Summary: This year's Summer Olympics are less than two weeks away.  That
means you should already be wary of scams and spam heading your way. Be sure
to remind family and friends to avoid e-mails and websites claiming you've
won something related to the Games.

Source: Emil Protalinski, ZDNet, 18 Jul 2012
http://www.zdnet.com/warning-scams-surrounding-2012-olympics-have-already-begun-7000001151/

------------------------------

Date: Wed, 18 Jul 2012 09:39:53 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "GPS watch to keep tabs on kids, seniors could hit Canada by autumn"
  (Christine Wong)

Christine Wong, *IT Business*, 17 Jul 2012
GPS watch to keep tabs on kids, seniors could hit Canada by autumn
A U.S. startup is marketing the watches as back-to-school items. It's
also keeping a close eye on Canadian Eric Migicovsky's Pebble watch story.7
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=68279

What kid is going to want to be tracked 24-7?  "Oh, I left it in my locker."
Or aesthetics.  "Suzie's was a nicer colour, so we traded."

------------------------------

Date: Tue, 17 Jul 2012 19:32:10 -0400
From: Steven J Klein <steven () yourmacexpert com>
Subject: Re: FDA spied on its own people - and then the evidence leaked

In RISKS-26.92, Peter Houppermans linked to a *New York Times* article about
the FDA tracking email sent by its scientists. Mr Houppermans submission
included this:

  Note that the FDA has come up with a new "crime": people are guilty of
  RECEIVING confidential information.

The article does not say the FDA considered it a crime, and the phrase he
puts in quotes does not appear anywhere in the article.

The article mentioned some people were "were suspected of receiving
confidential information,'' which is very different from what Mr
Houppermans implied.

------------------------------

Date: Tue, 17 Jul 2012 17:32:56 -0400 (EDT)
From: Ken Knowlton <kcknowlton () aol com>
Subject: Re: FDA spied on its own people - and then the evidence leaked

  Crime of receiving confidential Info?

Re: Peter Houppermans, RISKS-26.92, noting that the FDA has come up with a
new `crime' - that of being ``guilty of RECEIVING confidential
information'', an obvious thought: Couldn't Julian Assange and WikiLeaks
have fun with that!  For that matter, is there anyone in the country who is
not already guilty?

------------------------------

Date: Wed, 18 Jul 2012 08:24:54 +0100 (BST)
From: David Alexandero <davidalexander440 () btinternet com>
Subject: Re: In the UK, encryption implies potential guilt? (RISKS-26.92)

  [I received several complaints about the cited item in the previous issue.
  Actually, it was not submitted to RISKS, but when I saw it elsewhere, I
  thought it was worth including as a heads-up either for a bad policy, or a
  very bad / perhaps inaccurate / misguided piece of so-called journalism.
  The SUBJECT line was mine, including the question mark.  PGN]

I have just read the item in the link about encryption law in the UK. Oh
dear. I'm sorry but this is scaremongering and sloppy journalism of the very
worst sort.  The Regulation of Investigatory Powers Act 2000 (RIPA) has been
in effect for over 10 years, and to my knowledge there hasn't been a single
instance in which an miscarriage of justice of this sort has occurred.
Contrary to popular belief the Criminal Justice Organizations in the UK do
have access to expert and competent advisors in this field. We have a
National Technical Authority that does know about these matters and isn't
afraid to consult external experts if appropriate.  I can tell you that,
before this law came into effect, there was a case of a suspected paedophile
who had his data seized, under correct forensic procedures, and the CJOs
couldn't break the encryption used to protect it. The person in question
refused to divulge the key and had to be released.  There is no doubt that
RIPA has contributed materially to the safety of the citizen and state in
the UK from terrorist and organized criminal activity. As far as I am
concerned there is a wholly justifiable case to be made for this legislation
and no sane, responsible individual can possibly argue otherwise. The phrase
"You can have security or privacy. Pick one." is very emotive and requires
qualification about the people who have control and oversight, but it's a
good debating point. My choice is "Security, with as much privacy as
possible."  Let's keep this in proportion, more than 99.999% of the
population will never have their data examined by the UK authorities. I
can't vouch for other nation states, and can understand why Americans are so
touchy when abuses of power of this nature (e.g the FDA spying item in
Volume 26 issue 92 of the Risks List) are identified on a regular basis but
please judge us in the UK by your standards.

In the interest of fairness and objectivity, I should say that other areas
of the RIPA do appear to have been abused by local authorities in the
UK. Some surveillance powers appear to have been used for the purposes other
than that for which they were originally intended. Debate is going on about
how to fix that right now.

------------------------------

Date: Wed, 18 Jul 2012 14:51:34 +1200
From: Gregor Ronald <gregor.ronald () gmail com>
Subject: Re: Major Snafu in New Zealand Election was 'Human Error' (R-26.92)

A minor clarification: this election wasn't for any national or regional
political unit. It was an election for members of a community-owned trust
which in turn owns half of the local power utility.

TECT is the Tauranga Energy Consumer Trust, which is a part owner of energy
utility TrustPower.

It's still an unforgivable, and easily prevented, snafu, all the same - but
our NZ government is not at stake here, just the board of a local power
company.

Gregor Ronald, Christchurch, New Zealand  http://gregorronald.blogspot.com/

------------------------------

Date: Tue, 17 Jul 2012 16:19:42 -0500
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: Taxing old browsers out of existence (Baker, RISKS-26.92)

On the gripping hand, many of the webpages I consider actually useful will
still work in lynx or mosaic. Whereas search for "software updates" in RISKS
yields "zombieware", "distributes malware", and "a menace and a problem", to
pick a few.

Thank you Microsoft for Windows 7, specifically for intercepting all 3rd
party auto-updaters and letting me click "No" whenever firefox wants to wrap
itself in yet another layer of bloat. I hope they'll add "remember my answer
and do this automagically from now on" check box in Windows 8, then I will
upgrade my PC to stop it from automatically upgrading (at least some parts
of) itself.

Dimitri Maziuk  Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu

------------------------------

Date: Tue, 17 Jul 2012 14:22:48 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Taxing old browsers out of existence (Kamens, RISKS-26.90)

Normally, I might agree with Jonathan, but this isn't just a browser issue.
He is blithely assuming that newer browsers are better browsers, and that
all progress is "forward" progress.

I've noticed that with every browser "update", the browser gets noticeably
slower & bigger, and noticeably more vulnerable to unpleasant hacking:
there's usually a flurry of 5-10 fixes for each new update to fix all the
new security flaws that the "update" introduced.

Many of the browser "updates" also appear to enhance the ability of
websites to spy on their visitors with new capabilities.

Also, the browsers on many older machines are no longer updated -- e.g.,
older Macs, phones, etc., so this is effectively a disenfranchisement of
those with older machines.

I've been forced to use "NoScript" to run with Javascript _normally
disabled_, and only selectively enable Javascript on the smallest subset
of sites that enables minimal functionality.  In particular, Google's
Javascript cleverness is so annoying that I have had to block Javascript
on all of Google's sites.

All of Adobe's & Semantec's bloatware have been removed from my machines,
as 95% of their code does nothing for me but open up huge security holes.

I have to manually disable "automatic updates" (aka "automatic virus
installers") on each and every program; among other things, these "updates"
appear to be for the sole purpose of turning their stupid & often dangerous
default settings back on (e.g., Apple iTunes).

I have to disable the camera & microphone at the operating system level
to deter some spyware; I suppose on the next generation of Windows, I'll
have to physically destroy the camera & microphone with my power drill
before starting to use the machine.

Virtually every "improvement" has its downside: look at the swath of damage
caused by the "autorun" feature of Windows that begs for the opportunity to
install a new virus every time you plug something into your machine.

------------------------------

Date: Tue, 17 Jul 2012 17:55:17 -0400 (EDT)
From: Jonathan Kamens <jik () kamens us>
Subject: Re: Taxing old browsers out of existence (Baker, RISKS-26.90)

Henry, You cannot defeat the inexorable tide of progress in computer
hardware and software. You may not view it as progress, but in that view you
are in a small minority, and that is not likely to change.

The vast majority of users who are using very old browsers are not doing so
because of carefully considered concerns about security. They are doing so
because they haven't bothered to update for whatever reason. Because they
have not taken the precautions you have taken to make their old browsers
secure, they are vulnerable. There are a lot more of them than there are of
people like you. Therefore, in terms of measuring the greatest good for the
greatest number of people, forcing people to upgrade their browsers is
clearly a net positive.

As for your point about "disenfranchising" users of old computers, I don't
hear anybody complaining that it's unfair that you can't get any decent
software for the Apple ][+ nowadays. Hardware becomes obsolete, and as the
pace of advances in hardware has increased, the pace of its obsolescence has
as well. As I started with, you can't fight progress and expect to win.

------------------------------

Date: Tue, 17 Jul 2012 20:03:40 -0400
From: "Arthur T." <Risk201207.risk.atsjbt () xoxy net>
Subject: Re: Taxing old browsers out of existence (RISKS-26.90)

 From an economic point of view, the evolution and roll-out of new browsers
is a bane on the existence of web developers. It costs companies real money
in terms of rewriting perfectly good code to take advantage of the latest
bells and whistles that *someone* in the company thinks the web site should
have or support. The old site will support the new browsers fine with no
changes.

 From a progress point of view, the resources spent taking advantage of new
features for no other reason than that those features exist raises the
question, "Is this progress, or is this just change?"

All of the new browsers support everything the old browsers do. If you want
to save money, add content, not bling. The economic problem is not
supporting old browsers, but trying to take advantage of every new feature
of every new browser that comes along.

I use an old browser. I know all of the keyboard shortcuts.  I know what
click does, what shift-click does, what shift-ctrl-click does, etc. I'd be
wasting a lot of my own time constantly learning how to use new browsers,
and, more importantly, trying to forget years worth of old habits.

You are free to write your site in a way that requires new browsers. I am
free to go elsewhere. If you have a site, you probably want people to use
it. Why drive people to your competitors?

------------------------------

Date: Wed, 18 Jul 2012 09:41:17 -0400
From: Dick Mills <dickandlibbymills () gmail com>
Subject: Re: Privacy trumps cybersecurity! (RISKS-26.92)

The cited article misses the point.  To many American people, privacy is not
the main issue.  Rather they perceive our own government and big business as
the primary risks.

In the name of cybersecurity, the fox is asking for the keys to the hen
house.

It sounds less controversial to say that we are concerned about privacy,
than to say that government is the problem, not the solution.

------------------------------

Date: Thu, 19 Jul 2012 09:54:41 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Apple wins patent for transparent scroll bar"

  This is patentable?

Mark Hattersley, Apple wins patent for transparent scroll bar:
Apple has secured a patent to a major interface design motif in the
ongoing patent wars, *IT Business*, 18 Jul 2012
http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=68298

------------------------------

Date: Wed, 18 Jul 2012 19:52:12 +0100
From: Dr J R Stockton <reply1229 () merlyn demon co uk>
Subject: Re: Announcement of civil timekeeping meeting (Seaman, RISKS-26.92)

The ordinary people, who are the democratic majority, want local civil time
- LCT - to be 24 hours of 60 minutes of 60 seconds per mean solar day.  They
can tolerate seasonal clock changes, and time zone changes when traveling.
They can have no rational objection to the occasional sub-ppm-scale change
in the length of a civil second.

Scientists - physicists and astronomers in particular - need a numbered
scale of exact SI seconds, without separation into minutes, hours, days,
etc.

The answer, then, is to disseminate, in principle from BIPM/BIH, both the SI
seconds scale and, every few months, the duration to be used, in integer SI
nanoseconds, for the civil second.  That announced figure will be used for
an integer number of GMT months, changing at GMT month turnover.  Let us say
at the beginning of each quarter- or half- GMT year.  Effectively, leap
seconds are issued in tiny pieces, once per civil second.

Engineers of all sorts can use one or the other of those scales, or if
essential generate whatever variety their profession needs - they are clever
enough to do it.

The electronics needed to lock GMT to SI in that fashion should be within
the capability of any National time lab, any major observatory, any GMT
disseminator - and could be provided commercially.  Those who disseminate
LCT would include time zone and summer time contributions for the locality.

http://www.merlyn.demon.co.uk/ http://www.merlyn.demon.co.uk/programs/
Dates - miscdate.htm estrdate.htm js-dates.htm pas-time.htm critdate.htm etc.

------------------------------

Date: Wed, 18 Jul 2012 07:38:24 -0400
From: Monty Solomon <monty () roscom com>
Subject: Tests

  Excerpted from
Teaching After The Test: An argument for a national school schedule
http://scienceblogs.com/gregladen/2012/05/16/teaching-after-the-test-an-arg/

 From another teacher at a different school I heard a horror story about a
bunch of students who, part way through the two day long state test, pressed
the wrong button and are now locked out of finishing the rest of it having
only done half. (One of those "Are you done, click continue to end test OK
to continue test?: OK, Continue, Cancel" dialogs where "OK" means you are
done and "Continue" you are -- no wait, I have that backwards.)

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.93
************************


  By Date           By Thread  

Current thread:
  • Risks Digest 26.93 RISKS List Owner (Jul 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault