Risks Digest 27.01
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 30 Aug 2012 11:19:13 PDT

RISKS-LIST: Risks-Forum Digest  Thursday 30 August 2012  Volume 27 : Issue 01

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.01.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
United Airlines Network Outage (Jonathan B Spira)
Observation Deck: What Happens When Cars Start Talking to Each Other?
  (Gabe Goldberg)
The Cadillac Your Livery Driver Has Been Dreaming Of (John Pearley Huffman
  via Monty Solomon)
Study says drivers, not cellphones, pose the accident risk (Hiawatha Bray
  via Monty Solomon)
New malware infects VMware VMs (Bob DeSilets)
Shared private key can apparently compromise RuggedCom SCADA gear (Digital
  Bond via NNSquad)
"How to Secure Data by Addressing the Human Element" (Thor Olavsrud via
  Gene Wirchenko)
"Your car, tracked: the rapid rise of license plate readers"
  (Cyrus Farivar via Monty Solomon)
Data so secure even you can't read it (Ben Moore)
I've Got That Syncing Feeling (Craig Forman via Monty Solomon)
How to Hack your own Hotmail account (Jeremy Ardley)
Don't download that app: US presidential candidates will STALK you with it
  (John Leyden via Monty Solomon)
"Buying Their Way to Twitter Fame" (Austin Considine via Lauren Weinstein)
"Twitter's fake followers: Influence for sale" (Bill Snyder via
   Gene Wirchenko)
5 Design Tricks Facebook Uses To Affect Your Privacy Decisions
  (Lauren Weinstein)
Doug Jones: guest editorial on voter registration (PGN)
Re: "How to avoid an Elections-Ontario-style data-breach fiasco"
  (Gene Wirchenko)
Spyware Matching FinFisher Can Take Over IPhone and BlackBerry (Dave Farber,
  John Fricker)
Re: Knight Capital software upgrade costs $440m (Amos Shapir)
Re: NYPD unveils new $40 million super computer system (Raj Mathur)
Re: Announcement of civil timekeeping meeting (mathew)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 28 Aug, 2012 9:01 PM
From: "Jonathan B Spira" <jspira () basex com>
Subject: United Airlines Network Outage (via Dave Farber's IP)

  [United Airlines' SHARES passenger reservation system had a two-hour
  system-wide outage on 28 Aug 2012 that affected United's website, flight
  check-in, and boarding, and also caused ground-stops at UAL hubs in
  Houston, Newark, and SFO.  SHARES (the former Continental system) has had
  various troubles since it was adopted by UAL after the merger.  PGN]

Among other interesting tidbits, United was handing out hand-written
boarding passes today (dozens of pictures of these posted on Twitter).

More details on the outage here plus picture of boarding pass: *United
Airlines Network Outage Snarls Air Traffic*

http://www.frequentbusinesstraveler.com/2012/08/united-airlines-network-outage-snarls-air-traffic/

  [An earlier item noted by Dave Farber: United reservation system crashes,
    FAA issues ground stop.  PGN]
http://travel.usatoday.com/flights/post/2012/08/united-reservation-system-crashes-faa-issues-ground-stop/833343/1

------------------------------

Date: Mon, 27 Aug 2012 20:56:58 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Observation Deck: What Happens When Cars Start Talking to Each
  Other?

What could go wrong? I mean, aside from flocks of birds and schools of fish
having had millions of years to evolve compatibly, and there being
Windows/iOS/Android cars trying to collaborate seamlessly in real time.
Plus people having rooted their cars...

  [See the article by Adam Rogers:]
http://www.wired.com/autopia/2012/08/observation-deck-what-happens-when-cars-start-talking-to-each-other/

Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place,
Falls Church, VA 22042  (703) 204-0433  http://www.linkedin.com/in/gabegold

------------------------------

Date: Fri, 24 Aug 2012 22:49:53 -0500
From: Monty Solomon <monty () roscom com>
Subject: The Cadillac Your Livery Driver Has Been Dreaming Of
  (John Pearley Huffman)

... What replaces many of those buttons is Cadillac's intuitive new CUE
system, which uses a large touch screen at the center of the dashboard;
think of it as an embedded iPad.  Using Apple-style gestures and swipes, the
driver can scroll through various apps until finding the right one for a
particular task. Those tasks include navigation, sound system and Bluetooth
phone controls.  Throw in some voice controls and the CUE interface sets a
new standard for ease of use.  Also replacing some switches are
touch-sensitive strips that control the ventilation system while continuing
the design theme. This effectively and elegantly extends the use of
gesture-based controls beyond the touch screen. ...

  [Source: John Pearley Huffman, *The New York Times*, 26 Aug 2012]
http://www.nytimes.com/2012/08/26/automobiles/autoreviews/the-cadillac-your-livery-driver-has-been-dreaming-of.html

------------------------------

Date: Mon, 27 Aug 2012 22:21:16 -0500
From: Monty Solomon <monty () roscom com>
Subject: Study says drivers, not cellphones, pose the accident risk
  (Hiawatha Bray)

Hiawatha Bray, *The Boston Globe*, 27 Aug 2012,
Cellphones' role in crashes doubted

Don't blame the technology.

For those who argue that a ban on cellphone use while driving will make
highways safer, there's bad news: People who chat behind the wheel often
drive more aggressively even after they hang up, according to a study from
the Massachusetts Institute of Technology.

"The people who are more willing to frequently engage in cellphone use are
higher-risk drivers, independent of the phone," said Bryan Reimer, associate
director of MIT's New England University Transportation Center. "It's not
just a subtle difference with those willing to pick up the phone. This is a
big difference."

Reimer and a team of MIT researchers studied the behavior of 108 Greater
Boston drivers. About half acknowledged frequent phone use when driving; the
rest said they rarely used their phones behind the wheel. ...

http://bostonglobe.com/business/2012/08/26/not-cellphone-but-driver-that-high-risk-not-cellphone-but-driver-that-high-risk/nVKDgqQTnn91287ZZ30v7N/story.html?s_campaign=8315

------------------------------

Date: Aug 28, 2012 11:52 AM
From: "Bob DeSilets" <desilets () mail med upenn edu>
Subject: New malware infects VMware VMs (ZDNet via Dave Farber's IP)

Great,

Just when you thought you were safe running a VM:

The Windows version of a piece of Malware discovered in July, called Crisis,
has been found to be capable of infecting VMware virtual machines as well as
Windows Mobile devices, and removable USB drives.  When originally
discovered Crisis was thought to target just Windows and Mac OS users.  It
has the capability to record Skype conversations, capture traffic from
instant messaging programs, and track websites visited in Firefox or
Safari. According to Symantec, Crisis "searches for a VMware virtual machine
image on the compromised computer and, if it finds an image, it mounts the
image and then copies itself onto the image by using a VMware Player
tool. This may be the first malware that attempts to spread on to a virtual
machine."   [ZDnet, 22 Aug 2012]

http://www.v3.co.uk/v3-uk/news/2200412/crisis-malware-infects-vmware-virtual-machines
http://www.zdnet.com/crisis-malware-targets-virtual-machines-7000002986/

Bob DeSilets, Information Security Officer, Perelman School of Medicine
University of Pennsylvania  desilets () mail med upenn edu (215)746-5578

------------------------------

Date: Wed, 22 Aug 2012 13:13:13 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Shared private key can apparently compromise RuggedCom SCADA gear

http://j.mp/O6UCpX (Digital Bond via NNSquad)

  "Justin Clarke and ICS-CERT unveiled another vulnerability in RuggedCom
  devices yesterday.  This time, Justin took a different track with the
  device firmware and showed that all products use the same SSL private key,
  hard-coded in the firmware.  This is fairly typical in cheap
  consumer-grade embedded products, and has the unfortunate effect that easy
  Man-In-The-Middle attacks can be performed against products.  For example,
  any compromised host on the switch management network can be used to spoof
  affected RuggedCom switches, meaning that the bad guy or gal could capture
  legitimate usernames and passwords for the switch."

  [This item is all over the Web, including slashdot.  But check out the
  DigitalBond.com website, with Dale Peterson and others.  It is loaded with
  RISKS-related goodies.  PGN]
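The shared-key problem quoted above is something a fleet owner can check for directly: if several devices present certificates built from the same key pair, they share the private key, whatever the certificates' subjects or serials say. The Go program below is added here as an illustration and is not code from Digital Bond, RuggedCom or the post; it generates throwaway keys and certificates in place of real device certificates, the device names are constructed, and its one check is a SubjectPublicKeyInfo fingerprint comparison across the inventory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// DeviceCert pairs a device label (e.g. its management address) with the
// DER-encoded certificate it presented on its HTTPS management port.
type DeviceCert struct {
	Device string
	DER    []byte
}

// spkiFingerprint hashes the SubjectPublicKeyInfo of a certificate. Two
// certificates with the same SPKI fingerprint were made from the same key
// pair even if the certificates differ (serial, subject, validity), so this
// catches a shared key that a whole-certificate fingerprint would miss.
func spkiFingerprint(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// FindSharedKeys groups devices by SPKI fingerprint and returns only the
// groups with more than one member: each group is a set of devices that
// share one private key.
func FindSharedKeys(fleet []DeviceCert) (map[string][]string, error) {
	byKey := map[string][]string{}
	for _, dc := range fleet {
		fp, err := spkiFingerprint(dc.DER)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", dc.Device, err)
		}
		byKey[fp] = append(byKey[fp], dc.Device)
	}
	shared := map[string][]string{}
	for fp, devs := range byKey {
		if len(devs) > 1 {
			sort.Strings(devs)
			shared[fp] = devs
		}
	}
	return shared, nil
}

// selfSigned builds a throwaway self-signed certificate for the given key.
// It stands in for a certificate pulled from a device: constructed test
// data, not firmware from any vendor.
func selfSigned(key *ecdsa.PrivateKey, cn string, serial int64) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// ConstructedFleet simulates four switches: three shipped with one key baked
// into the firmware (each with its own certificate) and one with a unique key.
func ConstructedFleet() []DeviceCert {
	bakedIn, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	unique, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return []DeviceCert{
		{"switch-a", selfSigned(bakedIn, "switch-a", 1)},
		{"switch-b", selfSigned(bakedIn, "switch-b", 2)},
		{"switch-c", selfSigned(bakedIn, "switch-c", 3)},
		{"switch-d", selfSigned(unique, "switch-d", 4)},
	}
}

func main() {
	shared, err := FindSharedKeys(ConstructedFleet())
	if err != nil {
		panic(err)
	}
	for fp, devs := range shared {
		fmt.Printf("shared key %s...: %v\n", fp[:16], devs)
	}
}
```

Comparing the SPKI hash rather than the certificate fingerprint matters: a vendor that ships one key but generates a per-device certificate at first boot would pass a certificate-fingerprint comparison and still fail this one. In real use the DER would be collected from each device's management port instead of from the in-process generator.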

------------------------------

Date: Tue, 21 Aug 2012 15:21:38 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "How to Secure Data by Addressing the Human Element" (Thor Olavsrud)

  A double-hitter here.  (Two Risks in One!)

http://www.cio.com/article/713753/How_to_Secure_Data_by_Addressing_the_Human_Element

Thor Olavsrud, CIO.com, 15 Aug 2012

Your sensitive data is only as secure as the weakest link in your
organization, and in many cases the weak link is your employees. A properly
established security awareness and training program can pay huge dividends.

1. The article reports on a DEFCON 18 contest to do human engineering.
   Standard RISKS stuff.

2. At one point is this interesting paragraph:

"We find surprisingly little variation in guessing difficulty; every
identifiable group of users generated a comparably weak password
distribution," Bonneau writes. "Security motivations such as the
registration of a payment card have no greater impact than demographic
factors such as age and nationality. Even proactive efforts to nudge users
towards better password choices with graphical feedback make little
difference. More surprisingly, even seemingly distant language communities
choose the same weak passwords and an attacker never gains more than a
factor of 2 efficiency gain by switching from the globally optimal
dictionary to population-specific lists."

------------------------------

Date: Mon, 20 Aug 2012 09:56:41 -0400
From: Monty Solomon <monty () roscom com>
Subject: "Your car, tracked: the rapid rise of license plate readers"
  (Cyrus Farivar)

Cyrus Farivar, Ars Technica, Aug 15 2012
Largely unregulated, cameras now collect millions of travel records every day.

Tiburon, a small but wealthy town just northeast of the Golden Gate Bridge,
has an unusual distinction: it was one of the first towns in the country to
mount automated license plate readers (LPRs) at its city borders, the only
two roads going in and out of town. Effectively, that means the cops are
keeping an eye on every car coming and going.

A contentious plan? Not in Tiburon, where the city council approved the
cameras unanimously back in November 2009.

The scanners can read 60 license plates per second, then match observed
plates against a "hot list" of wanted vehicles, stolen cars, or criminal
suspects. LPRs have increasingly become a mainstay of law enforcement
nationwide; many agencies tout them as a highly effective "force multiplier"
for catching bad guys, most notably burglars, car thieves, child molesters,
kidnappers, terrorists, and, potentially, undocumented immigrants.

Today, tens of thousands of LPRs are being used by law enforcement agencies
all over the country; practically every week, local media around the country
report on some LPR expansion. But the system's unchecked and largely
unmonitored use raises significant privacy concerns. License plates, dates,
times, and locations of all cars seen are kept in law enforcement databases
for months or even years at a time. In the worst case, the New York State
Police keeps all of its LPR data indefinitely. No universal standard governs
how long data can or should be retained.

Not surprisingly, the expanded use of LPRs has drawn the ire of privacy
watchdogs. In late July 2012, the American Civil Liberties Union and its
affiliates sent requests to local police departments and state agencies
across 38 states to request information on how LPRs are used. ...

http://arstechnica.com/tech-policy/2012/08/your-car-tracked-the-rapid-rise-of-license-plate-readers/

------------------------------

Date: Fri, 24 Aug 2012 15:52:34 GMT
From: "Ben Moore" <ben.moore () juno com>
Subject: Data so secure even you can't read it

Victorinox is allowing its security program's VeriSign certificate to lapse
on September 15th. Without this certificate the contents of the secure
partition can't be decrypted.

"Swiss army knife maker Victorinox has decided to take the sting out of
ditching support for the security software in its range of USB-knife drives
by offering customers a full refund.

"In a message posted to Facebook but not apparently anywhere else, the
company said customers unhappy with the ending of the security features on
the company's combined penknife/flash memory drives could send them back
for a refund.

"The company announced the end of support for the security features a few
days ago in an ambiguous Facebook post that failed to clarify that all of
the drive's security features - including an encrypted partition,
biometric authentication and secure password management - would cease
functioning.

"However, the seriousness of the issues was underlined by the company
setting 15 September as the date by which customers must back up all data on
the encrypted section of the drives."

http://news.techworld.com/security/3377751/victorinox-offers-refunds-after-usb-swiss-army-drives-lose-security/

http://www.engadget.com/2012/08/21/victorinox-stops-software-updates-secure-usb-drives/

------------------------------

Date: Tue, 28 Aug 2012 13:02:15 -0400
From: Monty Solomon <monty () roscom com>
Subject: I've Got That Syncing Feeling (Craig Forman)

Your devices are eager to make all your content line up nicely.  Sometimes
the results are not so nice.

Craig Forman, *Wall Street Journal*, 26 Aug 2012
http://online.wsj.com/article/SB10000872396390443324404577594873646163262.html

The trouble started when I innocently downloaded a free IKEA catalog app to
my iPad. The trouble nearly ended with a $1,200 charge from AT&T.

I was traveling in Europe for a short family trip. Before leaving the U.S.,
I downloaded the image-heavy catalog using a standard broadband connection.
Aware of the costs of digital Internet access while abroad, my wife, son and
I thought we had taken all the correct precautions.

Were location-based services off? Check. Notifications off? Check.
All three iPhones switched to Wi-Fi only? Check, check and check.

So the midnight e-mail from AT&T came as a surprise: "Unusually high volumes
of data. 750 megabytes downloaded. Please check your phone."  I checked my
phone, but all potential digital gotchas had been put to rest. We were jet
lagged and exhausted. Surely a couple hours' sleep couldn't put us in
digital harm's way?

But in these modern days of anytime, anywhere, cloud-based synchronization,
those few hours of shut-eye were plenty costly. I awoke to a buzzing of my
phone, an SMS and an e-mail from AT&T: The data download had nearly doubled
while I was sleeping. My account was in imminent danger of being shut off
unless I called them. ...

------------------------------

Date: Mon, 27 Aug 2012 13:37:10 +0800
From: Jeremy Ardley <jeremy.ardley () gmail com>
Subject: How to Hack your own Hotmail account

http://youtu.be/YB5WsZjtses

(Watch in HD full-screen to see text)

This is a video of how to change the text and headers of an e-mail in your
own Hotmail account.

It is perfectly legal and is acknowledged by Microsoft as a design feature
of their Windows Live Hotmail client.

Up until this was described by myself, Richard Boddington, and Grant Boxall,
it was assumed that Hotmail e-mails could not be altered. As such they have
been used as evidence in court cases.

Our paper is available to Subscribers of the Journal of Digital Forensics,
Security and Law http://www.jdfsl.org/

The technique we show can tracelessly alter any part of an e-mail including
all headers. It is possible for instance to create a fictitious e-mail sent
at some date in the past and with wording as desired.

Examples of this could be forging an e-mail admitting liability or offering
to pay money. The list is endless.

The 'hack' works because Microsoft introduced a new protocol called
DeltaSync that enables Windows Live clients to synchronize e-mails across
machines via Hotmail.

Altering a local copy of an e-mail on a client and then syncing will
cause that copy to overwrite the Hotmail copy and as well overwrite
copies on other clients.

Using this technique you can also add payloads to an e-mail - e.g. some
malware and have it automatically delivered to a target machine. As an
example, an ingenious felon could break into someone's house and insert
malware into an e-mail and by syncing the package could then get onto a
synced work computer bypassing any mail scanning system.

We are looking at similar schemes with e-mail syncing via web-server -- e.g.,
IMAP.

------------------------------

Date: Tue, 21 Aug 2012 09:06:48 -0400
From: Monty Solomon <monty () roscom com>
Subject: Don't download that app: US presidential candidates will STALK
 you with it (John Leyden)

John Leyden, *The Register*, 20 Aug 2012
Romney mobile application even requests permission to record audio ...

Security researchers have uncovered privacy shortcomings in the mobile
applications offered by both the Barack Obama and Mitt Romney presidential
campaigns.  The campaign teams of the incumbent US President and his
Republican challenger have each released apps for both iOS and Android, in
good time for the election on November 6.

Experts at GFI Software looked at the Android versions of both apps,
discovering both to be surprisingly invasive.  Obama for America and Mitt's
VP request permissions, access to services and data, and capabilities beyond
their core mandate.  For example, each of the apps features the ability to
cross-post on users' behalf and report back to base. One app even has a tool
to encourage users to go canvassing on behalf of the candidate, which in
GFI's test directed Obama supporters to an unsafe part of a US town - just
north of downtown Clearwater, Florida.

Both Android apps slurp the details of users' contacts and log location
data, as a rundown by GFI on both apps and the permissions they seek
explains. The Romney app even requests permission to record audio for
unspecified (and so-far unactivated) purposes. ...

http://www.theregister.co.uk/2012/08/20/us_pres_campaign_mobile_app_privacy/

------------------------------

Date: Thu, 23 Aug 2012 20:55:52 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: "Buying Their Way to Twitter Fame" (Austin Considine)

Source: Austin Considine, *The New York Times*, 23 Aug 2012, via NNSquad
http://j.mp/O7snpe

  "It may be the worst-kept secret in the Twittersphere. That friend who
  brags about having 1,000, even 100,000 Twitter followers may not have
  earned them through hard work and social networking; he may have simply
  bought them on the black market.  And it's not just ego-driven blogger
  types. Celebrities, politicians, start-ups, aspiring rock stars, reality
  show hopefuls - anyone who might benefit from having a larger social media
  footprint - are known to have bought large blocks of Twitter followers."

------------------------------

Date: Thu, 30 Aug 2012 09:39:33 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Twitter's fake followers: Influence for sale" (Bill Snyder)

Bill Snyder, *InfoWorld*, 30 Aug 2012
From Lady Gaga to Obama, paid tweets and inflated followings game
  online reputations and call the whole system into question
http://www.infoworld.com/d/the-industry-standard/twitters-fake-followers-influence-sale-201295

selected text:

Organizations are in fact buying fake followers, including both major
candidates for the White House, numerous other politicians, and scads of
celebrities. Republican presidential nominee Mitt Romney, for example, had
673,002 followers on July 20. One day later, that number soared by 17
percent, or 117,000 new followers. On the other side of the partisan divide,
President Barack Obama's campaign boasts that he has nearly 19 million
followers. However, an analysis by StatusPeople, a social media management
company based in London, shows that only 30 percent of them actually exist
or have active accounts. To be fair, it's possible that spam bots are
creating at least some of the fake accounts.

The implications are serious: Twitter has changed how politics is reported
in the United States and has been a weapon used by pro-democracy advocates
in countries like Egypt and Iran. It's also a tool used by businesses to
stay in touch with customers. To its credit, Twitter has tried to stop the
spread of fake accounts and the like, but cheaters and petty profiteers are
still eroding its value as a communications tool.

Sincerely,

------------------------------

Date: Sun, 26 Aug 2012 15:04:25 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: 5 Design Tricks Facebook Uses To Affect Your Privacy Decisions

http://j.mp/PKSimw  (Techcrunch via NNSquad)

  "In fact, Facebook keeps "improving" their design so that more of us will
  add apps on Facebook without realizing we're granting those apps (and
  their creators) access to our personal information."

------------------------------

Date: Fri, 24 Aug 2012 10:17:10 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Doug Jones: guest editorial on voter registration

  Doug Jones, a long-time observer of elections, has written an excellent
  guest editorial in the Iowa Press-Citizen on risks of using databases to
  disqualify voters.  As this is a problem that is increasingly prevalent,
  it seems worth noting here.  PGN

http://www.press-citizen.com/article/20120823/OPINION02/308230009

------------------------------

Date: Tue, 21 Aug 2012 15:04:00 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: Re: "How to avoid an Elections-Ontario-style data-breach fiasco"
  (RISKS-26.94)

You thought that the Elections Ontario submission was a winner?  I got this
from a reader:

Woah! The staff thought that encryption meant zipping it up. LOL. Utterly
amazing. No wonder there is very little effort needed to crash e-mail
accounts and FTP server accounts. :) Most people don't understand even
the basics. Amazing.

   Unfortunately, winning means losing here.

------------------------------

Date: Wed, 29 Aug 2012 12:29:58 -0400
From: Dave Farber <dave () farber net>
Subject: Spyware Matching FinFisher Can Take Over IPhone and BlackBerry

  [Via Dave Farber's IP distribution.  PGN]

http://www.bloomberg.com/news/2012-08-29/spyware-matching-finfisher-can-take-over-iphone-and-blackberry.html

FinFisher spyware made by U.K.-based Gamma Group can take control of a range
of mobile devices, including Apple Inc.'s iPhone and Research in Motion Ltd.
(RIM)'s BlackBerry, an analysis of presumed samples of the software shows.

Systems that can be targeted include Microsoft Corp.'s Windows Mobile, the
Apple iPhone's iOS, BlackBerry and Google Inc.'s Android, according to the
company's literature.  The program can secretly turn on a device's
microphone, track its location and monitor e-mails, text messages and voice
calls, according to the findings, being published today by the University of
Toronto Munk School of Global Affairs' Citizen Lab.  Researchers used newly
discovered malicious software samples to further pull back the curtain on
the elusive cyberweapon. ...

------------------------------

Date: Aug 29, 2012 1:17 PM
From: "John Fricker" <john.fricker () gmail com>
Subject: Re: Spyware Matching FinFisher Can Take Over IPhone and BlackBerry

  [Re: via Dave Farber's IP]

Interesting but wrong when it comes to iOS and the iPhone and iPad.

"A mobile device's user can become infected by being tricked into going to
a Web link and downloading the malware, which can be disguised as something
other than FinSpy.

As Gamma's promotional video illustrates, the process can be as simple as
sending someone a text message with a link that looks like it comes from
the phone maker, and asking the user to ``please install this system
update,'' Marquis-Boire says."

It's impossible to install software on iOS in this manner. The May 2012
white paper from Apple (
http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf) explains
why (see Execute Never).

------------------------------

Date: Wed, 22 Aug 2012 17:33:11 +0300
From: Amos Shapir <amos083 () hotmail com>
Subject: Re: Knight Capital software upgrade costs $440m

This gives new meaning to the term "Fly by Knight"...

Seriously, as others had already pointed out, the problem is not a software
bug, but the fact that the trading system had accepted the bad data as
genuine.  The problem is, the system has no sanity checks; but as long as
money can be made by insane actions (whether intended or not), I'm afraid
that insanity will stay as an inherent part of the system.

------------------------------

Date: Tue, 21 Aug 2012 10:30:21 +0530
From: Raj Mathur <raju () linux-delhi org>
Subject: Re: NYPD unveils new $40 million super computer system (RISKS 26.98)

Am I the only one who sees the RISKS attendant on this partnership and an
off-the-shelf crime prevention and investigation system?  [UNLIKELY!  PGN]
Off the top of my head (and based on the minimal information available in
the article):

* Expectation of sales will certainly dilute the quality and effectiveness
  of the product for the original client.  Instead of being made purely on
  the merits of functionality and usefulness for NYPD, decisions on features
  and fixes will instead be vetted through a commercial viability test.  The
  product is likely to end up as bloatware, losing all contact with the
  needs of the force on the ground in the process.

* Presumably this product is not Free/Open Source Software.  Unless there's
  an existing understanding that clients (other than NYPD) will have access
  to the source code, with permission to modify for their own requirements,
  popularity of the product would result in straitjacketing of procedures at
  other police forces.  What suits NYPD may not be right for New Delhi or
  Rome.  Heck, it may not even be right for Des Moines.  Easy availability
  of such a package would promote processes and documentation that work for
  the NYPD, at the cost of local innovation and locally appropriate
  processes.

  Unless the original design and development has been done with full
  customisability as one of the primary criteria (an expensive,
  time-consuming and ultimately still limited process), we are more likely
  to see police forces adapting to the system rather than the other way
  around.

* If the product becomes even reasonably popular, vulnerabilities and
  exploits will eventually be available in the wild to permit criminals to
  game -- or worse, misuse -- the system.

* [Rant] Is there any reason at all for a police force to become a
  commercially viable entity?  In my opinion, crime prevention and law
  enforcement on the one hand and economic viability on the other are
  completely separate objectives, and mixing the two is unlikely to result
  in any benefit to the first.

Raj Mathur  http://otheronepercent.blogspot.com  raju () kandalaya org
            http://kandalaya.org http://schizoid.in

------------------------------

Date: Thu, 23 Aug 2012 09:42:11 -0500
From: mathew <meta () pobox com>
Subject: Re: Announcement of civil timekeeping meeting (RISKS-26.92,93,98)

The Science Time idea is good, but I have a much simpler suggestion.

Keep UTC exactly as it is for civil timekeeping. And the people who don't
like leap seconds or find them hard to deal with can switch to TAI, which
already exists. Need a cheap local source of TAI? Get a GPS. And start
setting up an NTP network of TAI timeservers -- anyone doing this yet?

The people who don't want leap seconds in their timescale can stop having
them today. There's nothing much standing in their way, except perhaps lack
of a good way to indicate TAI in Internet timestamps. But instead, the
proposal is to abolish UTC.  I use the word 'abolish' because the whole
point of UTC is that it's kept in sync with astronomical time via leap
second adjustments; if you get rid of the leap seconds, you just have TAI
with a fixed offset.

So the calls to abolish UTC are really about tricking people into switching
to TAI for civil timekeeping without knowing they're doing it. That way we
don't have to get governments involved and have a democratic discussion,
right?

If the proposal was to switch to TAI for system clocks and then apply
appropriate translation to civil time for display, I'd support it.

http://www.pobox.com/~meta/
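As an added illustration of the translation mathew proposes (system clocks on TAI, civil UTC derived for display), here is a Go program that is not from the post or from any timekeeping project. It carries a snapshot of the announced TAI-UTC offsets from 2006 onward (the later entries postdate this issue), converts in both directions, renders a TAI reading that falls inside an inserted leap second as 23:59:60 instead of folding it into a neighbouring second, and measures a civil interval on the TAI scale. The table snapshot and the sample readings around the 30 June 2012 leap second are the assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// A time.Time here is either a civil UTC instant or a TAI reading: Go's
// time.Time is a uniform count with no leap seconds, so it can carry either,
// and each function's name states which one it expects.

// leapStep: for civil UTC instants at or after At, TAI - UTC = Offset seconds.
type leapStep struct {
	At     time.Time
	Offset int
}

// Snapshot of the announced offsets (all positive leap seconds). A deployment
// would refresh this from an authoritative source; instants before the first
// entry are reported as uncovered rather than guessed.
var leapTable = []leapStep{
	{time.Date(2006, 1, 1, 0, 0, 0, 0, time.UTC), 33},
	{time.Date(2009, 1, 1, 0, 0, 0, 0, time.UTC), 34},
	{time.Date(2012, 7, 1, 0, 0, 0, 0, time.UTC), 35},
	{time.Date(2015, 7, 1, 0, 0, 0, 0, time.UTC), 36},
	{time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC), 37},
}

var errUncovered = errors.New("instant precedes the leap-second table")

// OffsetAt returns TAI-UTC in seconds for a civil UTC instant.
func OffsetAt(utc time.Time) (int, error) {
	offset := -1
	for _, s := range leapTable {
		if utc.Before(s.At) {
			break
		}
		offset = s.Offset
	}
	if offset < 0 {
		return 0, errUncovered
	}
	return offset, nil
}

// UTCToTAI converts a civil UTC instant to the reading of a TAI system clock.
func UTCToTAI(utc time.Time) (time.Time, error) {
	off, err := OffsetAt(utc)
	if err != nil {
		return time.Time{}, err
	}
	return utc.Add(time.Duration(off) * time.Second), nil
}

// TAIToCivil renders a TAI reading as civil UTC text. Inside an inserted leap
// second no time.Time can hold the result, so that case is rendered as
// 23:59:60 explicitly.
func TAIToCivil(tai time.Time) (string, error) {
	offset := -1
	for i, s := range leapTable {
		// TAI reading at which the new offset takes effect.
		effective := s.At.Add(time.Duration(s.Offset) * time.Second)
		if !tai.Before(effective) {
			offset = s.Offset
			continue
		}
		if i > 0 {
			// Between the old offset running out and the new one starting lies
			// the inserted second itself: 23:59:60 on the day before s.At.
			leapStart := s.At.Add(time.Duration(leapTable[i-1].Offset) * time.Second)
			if !tai.Before(leapStart) {
				return s.At.Add(-time.Second).Format("2006-01-02") + "T23:59:60Z", nil
			}
		}
		break
	}
	if offset < 0 {
		return "", errUncovered
	}
	return tai.Add(-time.Duration(offset) * time.Second).UTC().Format(time.RFC3339), nil
}

// ElapsedSeconds measures a civil interval on the TAI scale, which counts any
// leap second the civil clock stepped over.
func ElapsedSeconds(utcStart, utcEnd time.Time) (int64, error) {
	a, err := UTCToTAI(utcStart)
	if err != nil {
		return 0, err
	}
	b, err := UTCToTAI(utcEnd)
	if err != nil {
		return 0, err
	}
	return int64(b.Sub(a) / time.Second), nil
}

func main() {
	// Constructed TAI readings straddling the 30 June 2012 leap second.
	for sec := 33; sec <= 35; sec++ {
		civil, _ := TAIToCivil(time.Date(2012, 7, 1, 0, 0, sec, 0, time.UTC))
		fmt.Printf("TAI 2012-07-01T00:00:%02d -> civil %s\n", sec, civil)
	}
	n, _ := ElapsedSeconds(time.Date(2012, 6, 30, 23, 59, 0, 0, time.UTC),
		time.Date(2012, 7, 1, 0, 1, 0, 0, time.UTC))
	fmt.Println("civil 23:59:00 to 00:01:00 spans", n, "TAI seconds")
}
```

The interval function is the crux of mathew's point: two civil clock readings two minutes apart around the leap second are 121 seconds apart on TAI, and a system that silently used TAI with a fixed offset would report 120 while drifting one second from civil time.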

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.01
************************

