mailing list archives
Risks Digest 27.22
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 23 Mar 2013 17:01:42 PDT
RISKS-LIST: Risks-Forum Digest Saturday 23 March 2013 Volume 27 : Issue 22
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at
Small furry animals and slithering snakes vs Electric Utilities (Ishikawa)
Panama Canal Railway upgrade problems (Robert Heuman)
National Vulnerability Database is hacked! (Mark Thorson)
Re: Weapons Experts Raise Doubts About Israel's Antimissile System
Feds announce massive scanning of private Internet communications
Google's trust problem (Ezra Klein via Dewayne Hendricks)
"Smile, you're on Google Glass, whether you like it or not" (Caroline Craig
via Gene Wirchenko)
"Andrew Auernheimer joins growing list of so-called hackers facing
harsh justice" (Ted Samson via Gene Wirchenko)
Security hole lets Apple passwords be reset with e-mail addr, DoB
(Chris Welch via Jim Reisert)
Re: Electronic health records: teething problems?" (William Pociengel)
Re: Mars Rover is Repaired, NASA Says (William Pociengel)
Re: Fake silicone fingers strike again (Amos Shapir)
Re: Attorney General's testimony on Aaron Swartz raises more ... (Wol)
Microwave oven interference robustness mode (Jidanni)
Abridged info on RISKS (comp.risks)
Date: Fri, 22 Mar 2013 14:39:12 +0900
From: ishikawa <ishikawa () yk rim or jp>
Subject: Small furry animals and slithering snakes vs Electric Utilities
In the never-ending saga of small furry animals and slithering snakes vs
electric utilities, here is the latest and more horrifying incident.
Martin Fackler, Fukushima Blackout Hints at Plant's Vulnerability, *The
New York Times*, 19 Mar 2013
Martin Fackler, Rat Body Linked to Blackout at Atomic Site, *The New York
Times*, 20 Mar 2013
A lot of Japanese must have gone through uncomfortable moments. Initially,
when I learned that there was a re-wiring work was going on, I thought there
was some type of human error. Now a rodent is implicated.
In either case, TEPCO is losing public trust, well, at least from me. If an
important piece for feeding electricity is not protected from a rodent, how
can we tell the piece won't fall down or break down if another reasonably
large earthquake hits the area (and this is no idle threat in Japan, the
virtually the busiest center of earthquakes in the world.)
I would not mind losing electricity for my home for a few hours or even half
a day after a big earthquake. That is life in this corner of the world. Many
households in Japan stock water/food/battery, etc. just in case. We can't
argue with earthquakes as the saying goes here. (The other two, we can't
argue in the saying are thunderbolts, and one's father.)
But a crippled nuclear reactor site with many used fuel rods that requires
continuous cooling needs better care than typical households.
BTW, I found a few similar incidents in RISKS:
RISKS-8.75 SRI attacked by kamikaze squirrels?
RISKS-8.77 Re: Power outages
(A raccoon hit U. of Utah and disturbed a
room-temperature fusion experiment, and it was mentioned
that JPL had seen similar attacks, er, incidents. )
RISKS-18.52 Rats take down Stanford power and Silicon Valley Internet service
RISKS-19.88 Japanese snake vs. railroad electrical supply
RISKS-23.39 Boa triggers blackout in Honduras
(Nation-wide blackout for 15 minutes! Beat other animals to
date in the scale of the incident.)
I thought that utility companies would have learned from these off-angle
attacks from the nature by now.
Date: Sat, 23 Mar 2013 19:38:20 -0400
From: "R.S. (Bob) Heuman" <robert.heuman () alumni monmouth edu>
Subject: Panama Canal Railway upgrade problems
Reuters (Panama City), 22 Mar 2013
Thousands of containers have been stuck at Panamanian ports after a computer
glitch hampered communication with the railway, causing significant delays,
officials said on Friday. The Panama Canal Railway Co transports about
1,500 containers daily between the only port on the Pacific entrance to the
Panama Canal and three ports on the Atlantic, said Thomas Kenna, director of
operations for the railway. But a computer upgrade on Wednesday by Panama
Ports Co, which manages two of those ports, caused severe lags, Kenna said.
Since then, the railway has moved only about 350 containers a day.
Traffic picked up on Friday, and the system should be operating normally
by Monday, Kenna added.
Date: Thu, 21 Mar 2013 16:53:56 -0700
From: Mark Thorson <eee () sonic net>
Subject: National Vulnerability Database is hacked!
Their server is offline due to malware infection. They probably clicked on
an ad in an e-mail. The exploit used a vulnerability in Adobe's ColdFusion
Date: Sun, 24 Mar 2013 01:02:09 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Weapons Experts Raise Doubts About Israel's Antimissile System
The following article by the Israel Institute for National Security Studies
contains a detailed debunking of the arguments used by some of the
researches which had produced these results. It seems to be a yet another
case of "how to lie with statistics"...
Date: Thu, 21 Mar 2013 20:39:59 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Feds announce massive scanning of private Internet communications
http://j.mp/Z5d4TP (Google+ via NNSquad)
http://j.mp/11n0qzS (Reuters / New York Times)
"Under the program, critical infrastructure companies will pay the
providers, which will use the classified information to block attacks
before they reach the customers. The classified information involves
suspect web addresses, strings of characters, e-mail sender names and the
Here we go! It's out in the open at last. Encrypt deeply now, or forever
hold your peace. CHARACTER STRINGS? EMAIL SENDER NAMES? Who do they think
Date: Friday, March 22, 2013
From: Dewayne Hendricks
Subject: Google's trust problem (Ezra Klein)
Ezra Klein, *The Washington Post*, 21 Mar 2013
James Fallows likes software meant to help him organize and simplify his
life. So, naturally, he moved immediately to download Google Keep, the
search giant's ``new app for collecting notes, photos, and info.'' The
problem, Fallows quickly realized, is that he wasn't sure he could trust it.
Google now has a clear enough track record of trying out, and then
canceling, `interesting' new software that I have no idea how long Keep will
be around. When Google launched its Google Health service five years ago, it
had an allure like Keep's: here is the one place you could store your
prescription info, test readings, immunizations, and so on and know that you
could get at them. That's how I used it -- until Google canceled this
`experiment' last year. Same with Google Reader, and all the other products
in the Google Graveyard that Slate produced last week.
And if there's even a 25 percent chance that Google Keep will be canceled
in two years, do you really want to be the sucker who spent endless hours
organizing your life around it?
Now, most people don't use Google Reader, or even know it's being canceled.
Same for Google Wave, Google Buzz, Google Health and Picnik, and all the
rest of the beloved little apps that have been sent to that cloud above the
cloud, where data is stored forever and servers never overload. This is a
pained whine emanating almost exclusively from Google power users.
Most people, however, also aren't the sort of early adopters who will rush
to download Google Keep. But Fallows is that kind of early adopter. So am
I. And Google needs early adopters. They need weirdos to rush to download
their new apps, try them out, offer feedback, and, ultimately, proselytize
to their friends. And I do all that! For instance, have you ever tried using
Sleep Cycle? This isn't an early adopter thing -- the app has been around
for awhile -- but I just started using it and am now annoying everyone I
know badgering them to try waking up to Sleep Cycle. It'll change your life.
But I'm not sure I want to be a Google early adopter anymore. I love Google
Reader. And I used to use Picnik all the time. I'm tired of losing my
In fact, I'm starting to worry a bit about Gmail, which is at the core of
pretty much my entire life. I know, I know -- Gmail is safe. The data it
feeds into the Google mainframe is extremely valuable to the search giant.
They won't let anything happen to it.
But I'm a heavy user of Gmail. And so I've been buying more space on
Google's servers. Recently, I hit 30 gigs -- and learned Google won't let me
purchase any more room. The service which once swore I'd never have to
delete a message now tells me my only option is to delete gigabyte after
gigabyte of past e-mails.
That's their right, of course. But it was a reminder that Google's core
business isn't running an e-mail system or selling data storage. The thing
I wanted to pay them to do wasn't something they make much money off. So
now I'm a bit nervous: I freed up a good number of gigabytes, but now I've
run through much of the low-hanging fruit, and the bar measuring how far I
am from my storage unit is beginning to tick up again.
The problem, I'm beginning to think, is simply mismatch. The core services
of Google's business are often not the Google services I rely on most. And
even when their core products and my needs do meet, the business connection
is indirect. ...
Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>
Date: Mon, 18 Mar 2013 10:14:31 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Smile, you're on Google Glass, whether you like it or not"
Caroline Craig, InfoWorld, 15 Mar 2013
Google Glass's style points are debatable, but one thing's for sure:
Data collection and user privacy will never be the same
Date: Tue, 19 Mar 2013 11:13:37 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Andrew Auernheimer joins growing list of so-called hackers facing
harsh justice" (Ted Samson)
Ted Samson, InfoWorld, 18 Mar 2013
The 26-year-old security researcher sentenced to 41 months in prison
for pulling e-mail address from public-facing server
Date: Fri, 22 Mar 2013 14:11:11 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Security hole lets Apple passwords be reset with e-mail addr, DoB
Chris Welch, 22 Mar 2013 @chriswelch
"Apple yesterday rolled out two-step verification, a security measure that
promises to further shield Apple ID and iCloud accounts from being
hijacked. Unfortunately, today a new exploit has been discovered that
affects all customers who haven't yet enabled the new feature. It allows
anyone with your e-mail address and date of birth to reset your password --
using Apple's own tools. We've been made aware of a step-by-step tutorial
(which remains available as of this writing) that explains in detail how to
take advantage of the vulnerability. The exploit involves pasting in a
modified URL while answering the DOB security question on Apple's iForgot
page. It's a process just about anyone could manage, and The Verge has
confirmed the glaring security hole firsthand."
Date: Fri, 22 Mar 2013 14:20:05 -0500
From: William Pociengel <wpociengel () yahoo com>
Subject: Re: Electronic health records: teething problems?" (RISKS-27.18)
Actually you just need to use a screen name and something that looks like a
valid e-mail address. It accepts and posts your comment; but yes it is a bit
odd to request an e-mail address.
Date: Fri, 22 Mar 2013 08:37:08 -0500
From: William Pociengel <wpociengel () yahoo com>
Subject: Re: Mars Rover is Repaired, NASA Says (Re: RISKS-27.21)
Since when did NASA stop using 3 computers for deep space exploration? They
always used to have every critical system in 3's for this very reason.
Date: Fri, 22 Mar 2013 11:32:33 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Fake silicone fingers strike again (RISKS-27.21)
It is amazing that the system would be vulnerable to this attack, especially
since the vulnerability has been suggested long before such systems have
even existed. In his movie Sleeper, released in 1973, Woody Allen employs
exactly this method to subvert a fingerprint scanning system; I'm quite sure
he was not the first to suggest it either.
Date: Fri, 22 Mar 2013 15:27:32 +0000
From: Wol <antlists () youngman org uk>
Subject: Re: Attorney General's testimony on Aaron Swartz raises more ...
It's interesting to see how other jurisdictions handle this.
There's been a recent case in the UK where the prosecutor did this (quote a
maximum sentence). And on appeal this was all the justification the appeal
court needed to throw a guilty plea out of the window and overturn the
The message is clear. In the UK this is totally unacceptable practice.
Date: Sat, 23 Mar 2013 10:30:41 +0800
From: jidanni () jidanni org
Subject: Microwave oven interference robustness mode
The IEEE 802.11 committee that developed the Wi-Fi specification conducted
an extensive investigation into the interference potential of microwave
ovens. A typical microwave oven uses a self-oscillating vacuum power tube
called a magnetron and a high voltage power supply with a half-wave
rectifier (often with voltage doubling) and no DC filtering. This produces
an RF pulse train with a duty cycle below 50% as the tube is completely off
for half of every AC mains cycle: 8.33 ms in 60 Hz countries and 10 ms in 50
This property gave rise to a Wi-Fi "microwave oven interference robustness"
mode that segments larger data frames into fragments each small enough to
fit into the oven's "off" periods.
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
End of RISKS-FORUM Digest 27.22
- Risks Digest 27.22 RISKS List Owner (Mar 24)