Home page logo

risks logo RISKS Forum mailing list archives

Risks Digest 27.25
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 19 Apr 2013 12:10:15 PDT

RISKS-LIST: Risks-Forum Digest  Friday 19 April 2013  Volume 27 : Issue 25

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

The Boston Marathon bomber: Caught on film? (Kate Dailey via Monty Solomon)
How the Internet Accused a High School Student of Terrorism (PGN)
Citizen Surveillance Helps Officials Put Pieces Together (Fowler/Schectman)
The Shame of Boston's Wireless Woes (Dewayne Hendricks)
American Airlines computer glitch grounds flights (ibm36044)
Venezuela constitution bans recounting of votes ... (Bob Heuman)
Reclaiming the American Republic from the corruption of election funding 
  (KurzweilAI via Michael Cheponis via  Dewayne Hendricks)
Reinhart and Rogoff: 'Full Stop,' We Made A Microsoft Excel Blunder In Our
  Debt Study, And It Makes A Difference (Joe Weisenthal via Geoff Goodfellow)
Economic policy decisions may be affected by spreadsheet errors
  (Jeremy Epstein)
Buggy spreadsheets and the economy (Valdis Kletnieks)
The risks of/when not releasing your code & data (Paul Nash)
Vint Cerf Explains How to Make SDN as Successful as the Internet 
  (Stacey Higginbotham via ACM TechNews)
Video: "The Internet: A Warning From History" (Lauren Weinstein)
DDoS Attack Bandwidth Jumps 718% (Geoff Goodfellow)
Laptop goes up in flames (Jordan Graham via Monty Solomon)
How do you code a secure system? (Earl Boebert)
Fake Twitter accounts earn real money (Mark Thorson)
Lauren Weinstein <lauren () vortex com>
French homeland intelligence threatens a volunteer sysop to delete 
  Wikipedia Article (Lauren Weinstein)
An English language version of the Wikipedia article (NNSquad)
American Express Australia Mail Merge Stuff-up (Don Gingrich)
Abridged info on RISKS (comp.risks)


Date: Wed, 17 Apr 2013 23:38:20 -0400
From: Monty Solomon <monty () roscom com>
Subject: The Boston Marathon bomber: Caught on film? (Kate Dailey)

Kate Dailey, BBC News Magazine, 17 April 2013

More personal videos are being shot now than ever before, and such footage
could help identify the Boston Marathon bomber[s!]. But how is that footage
processed - and could civilians really solve the crime?

There was the marathon runner closing in on the finish line, and the
businessman with offices in a prime position over Boylston Street.

And there were thousands of others crowding the last stretch of the Boston
Marathon, all capturing the events before and after the bombs exploded.

"The reality is with the number of people who are carrying with them the
equivalent of video camera, history is being documented by millions of
people every day," says Karen North, director of University of Southern
California's Annenberg Program on online communities.

Infusing video

In just over a decade, she says, the amount of video being shot by amateurs
has increased dramatically - and so too, has the evidence available to law
enforcement officials. ...



Date: Thu, 18 Apr 2013 16:12:10 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: How the Internet Accused a High School Student of Terrorism

Online morons nearly ruin innocent lives after Boston bombings
(*New York Post*, 18 Apr 2013)

How the Internet Accused a High School Student of Terrorism
Online sleuths thought they nailed two suspects in the Boston bombing -- and
there they were on the cover of the *New York Post* the next day. But now
everyone's backpedaling in a big way."
  http://j.mp/17sAfJA (Daily Beast)

  [Paul Saffo noted to me some remarkable annotated by-stander footage
  before and after the Boston Marathon bombing: http://imgur.com/a/sUrnA 
  He later noted that "Now people are photoshopping pics with the FBI's
  suspects in them..."  PGN]


Date: Fri, 19 Apr 2013 11:39:20 -0400
From: ACM TechNews <technews () HQ ACM ORG>
Subject: Citizen Surveillance Helps Officials Put Pieces Together (WSJ)

*Wall Street Journal*, 17 Apr 2013, Geoffrey A. Fowler, Joel Schectman
[via ACM TechNews, 19 Apr 2013]

The proliferation of surveillance technology to popular commercial products
such as smartphones is proving to be a boon for criminal investigations, as
evidenced by the U.S. Federal Bureau of Investigation using video
surveillance from department store and restaurant cameras, along with photos
from citizens, news organizations, and others, to help identify a suspicious
individual at the Boston Marathon.  Forrester Research says video
surveillance technologies have been adopted by 68 percent of public-sector
and 59 percent of private-sector companies, with another 9 percent planning
to adopt them in the next two years.  Furthermore, more than 1 billion
people now own camera-equipped, Web-linked smartphones.  Integrating
forensic data from professional and personal sources has helped with earlier
investigations, although a lack of full-frontal images makes facial
recognition problematic in large probes.  Moreover, collecting and sifting
through the data is a major challenge, as Boston has one of 77 nationwide
intelligence fusion centers used to pool data and conduct analysis, notes
the Northern California Regional Intelligence Center's Mike Sena.
Meanwhile, researchers at Boston's Northeastern University have organized a
10-person social media research team to run a project that would let people
upload video from the marathon bombing to tag clues.

  [This morning's news media report the seemingly definitive identification
  of the two suspected brothers, the shooting of one, and the manhunt in
  progress for the other.  Not quite incidentally, some analists report a
  considerable increase in popular acceptance of ubiquitous surveillance --
  despite the privacy implications frequently discussed in RISKS.  PGN]


Date: Wednesday, April 17, 2013
From: *Dewayne Hendricks*
Subject: The Shame of Boston's Wireless Woes

The Shame of Boston's Wireless Woes
Anthony Townsend, The Atlantic Cities, 17 Apr 2013

Almost immediately after Monday's tragic bombings at the Boston Marathon,
the city's cellular networks collapsed. The Associated Press initially
reported what many of us suspected, that law enforcement officials had
requested a communications blackout to prevent the remote detonation of
additional explosives. But the claim was soon redacted as the truth became
clear. It didn't take government fiat to shut down the cellular networks.
They fell apart all on their own.

As cell service sputtered under a surge of calls, runners were left in the
dark, families couldn't reach loved ones, and even investigators were
stymied in making calls related to their pursuit of suspects. Admirably,
Boston residents and businesses responded quickly by opening up Wi-Fi
hotspots to help evacuees communicate with loved ones.

The same thing happens every time there is a crisis in a large city.

But most, even the super-connected elite, were knocked offline. As his
Twitter followers know, it took Dennis Crowley, a Massachusetts native and
CEO of New York City-based social network Foursquare, an hour to reunite
with his fiance and family, who were scattered around the finish line as the
bombs went off. Their reunion was coordinated by a handful of SMS messages
he was able to squeeze through the crippled network. He also reported
helping several stunned senior citizens discover the value of their own
phones' texting functions for the first time.

We shouldn't be surprised by the collapse of Boston's cellular networks.
The same thing happens every time there is a crisis in a large city. On an
average day, Americans make nearly 400,000 emergency 911 calls on their
mobile phones. Yet during large-scale crises this vital lifeline is
all-too-frequently cut off.

The culprit is usually congestion. During a disaster, call volumes spike
and overwhelm the over-subscribed capacity of wireless carriers' networks.
On September 11, 2001, fewer than 1 in 20 mobile phone calls in New York
City was connected. The same thing happened after the August 2011
earthquake that shook the East Coast. And on Monday, in Boston.

But, as we learned in the aftermath of Hurricane Sandy, wireless carriers
have also neglected to harden their networks against extended losses of
electrical power. Thousands of towers were knocked offline in the New York
region alone when backup batteries failed. Yet as a member of Governor
Andrew Cuomo's NYS Ready Commission this fall, I was stunned to learn that
wireless carriers had never formally discussed plans with the region's
electric utilities to restore power to cell sites after a major disaster.

The loss of vital wireless communications during disasters is all the more
dismaying because it is largely preventable. After 9/11 a system was put in
place to give government officials priority access to cellular channels
during periods of high demand. (Though it requires pre-registration and a
special code be used when dialing). In the wake of Sandy, New York Senator
Charles Schumer called for stricter federal oversight of backup power and
landline network connections for cell sites. Yet these reforms have been
stalled by industry lobbying. Lacking a redundant cellular system,
Americans will continue to resort to the century-old technology of amateur
radio for lifeline communications during and after large disasters. In
Boston, this technology is still widely used during the marathon because of
past experience with cellular traffic jams.

With over 320 million active wireless subscriber connections, Americans are
a fully untethered people. Our smart phones keep our complicated lives
choreographed across the sprawling metropolitan areas we inhabit.
Psychologists and sociologists have found that we think of these devices as
extensions of our bodies and minds. In Boston, this was all too apparent.
Even when runners, whose mobile batteries were drained after the long run,
could locate a phone, they couldn't recall what numbers to dial, having
long ago given up memorizing phone numbers in favor of their smart phone's
electronic address book. [snip]

Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>


Date: Wed, 17 Apr 2013 06:20:09 +0200
From: IBM-360/44 running OS/360 <ibm36044 () sbcglobal net>
Subject: American Airlines computer glitch grounds flights

American Airlines had to ground all its flights across the US for several
hours on Tuesday due to a fault with its computerized reservation system.
The carrier halted all departures from about 13:30 ET (18:30 GMT), saying
that it was working ""to resolve this issue as quickly as we can".
  [Source: BBC News Business: 17 Apr 2013]

  [Gene Wirchenko noted an article by Ashley Halsey III in *The Washington
  Post* giving the number 900 for flights grounded.  PGN]

  [Bob Heuman noted a Fox News report that ``American Airlines has fixed the
  computer glitch but not told anyone precisely what happened.''  PGN]


Date: Thu, 18 Apr 2013 21:18:01 -0400
From: RsH <robert.heuman () alumni monmouth edu>
Subject: Venezuela constitution bans recounting of votes ...

The Constitution forbids manual recounting of votes in a Presidential Election

You can read the full article, but the following is a quick summary of what
I consider a risk we have discussed forever and a load of bull....  if they
have really implemented a system that makes manual checking impossible.

CARACAS, 17 Apr 2013 (Xinhua) -- Manual vote counting is not possible in
Venezuela, the president of the Supreme Court said Wednesday amid
opposition's request for an audit.  "The electoral system is fully
automated, so there is no manual counting. Anyone who thought that could
really happen has been deceived," Luisa Estella Morales said at a press
conference.  Manual counting was canceled in Venezuela by the 1999
constitution, she said, adding [that] the majority of those asking for a
manual count know it.

R. S. (Bob) Heuman  North York, ON, Canada


Date: April 4, 2013 1:29:22 PM PDT
From: Michael Cheponis <michael.cheponis () gmail com>
Subject: Reclaiming the American Republic from the corruption of election
  funding (KurzweilAI, to risks via  Dewayne Hendricks)

Reclaiming the American Republic from the corruption of election funding
April 3, 2013

There is a corruption at the heart of American politics, caused by the
dependence of Congressional candidates on funding from the tiniest
percentage of citizens That's the argument at the core of a new just-posted
TED talk by legal scholar Lawrence Lessig...  ``He shows how the funding
process weakens the Republic in the most fundamental way, and issues a
rallying bipartisan cry that will resonate with many in the U.S. and
beyond,'' says TED Curator Chris Anderson.

Lawrence Lessig has already transformed intellectual-property law with his
Creative Commons innovation. Now he's focused on an even bigger problem:
The U.S.'s broken political system.

TED is also introducing a media innovation, simultaneously launching a
TED-talk video and accompanying TED Book.LESTERLAND: The Corruption of
Congress and How To End It, which outlines the path to a solution in much
greater detail.

Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>


Date: Wednesday, April 17, 2013
From: Geoff Goodfellow <geoff () iconia com>
Subject: Reinhart and Rogoff: 'Full Stop,' We Made A Microsoft Excel
  Blunder In Our Debt Study, And It Makes A Difference (Joe Weisenthal)

Joe Weisenthal, *Business Insider*, 17 Apr 2013

The big talk in the world of economics continues to be the famous study by
Carmen Reinhart and Ken Rogoff, which claimed that as countries see debt/GDP
going above 90%, growth slows dramatically.

Economists have always been skeptical of the correlation/causality on this.

But yesterday, a new study emerged which claimed that Reinhart and Rogoff
used a faulty dataset to make that claim and (most stunningly) had an excel
error that exacerbated the growth dropoff for countries with debt/GDP higher
than 90%.

After the report dropped (and proceeded to blow up the Internet), Reinhart
and Rogoff rushed out a quick statement claiming that the new study (which
was done by some UMass professors) supported their thesis that growth slowed
as debt to GDP got higher. And Reinhart and Rogoff were quick to reiterate
that even they weren't necessarily implying causation on this (which may be
true, but the fact that they say this is not well known to the politicians
who are always citing the dreaded 90% level).

But in a new response, Reinhart and Rogoff admit they did make an Excel
blunder, and that it mattered!

Here's the key part:...

http://geoff.livejournal.com  *  Geoff () iconia com <javascript:;>


Date: Wed, 17 Apr 2013 09:11:30 -0400
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Economic policy decisions may be affected by spreadsheet errors

An error in a formula in an Excel spreadsheet seems to have led to some
incorrect results about the effects of government debt, and thereby may have
affected economic policy.  The error, which was in a formula developed by
the authors of a key paper and not in the Excel software itself, was that a
cell contained the formula AVERAGE(L30:L44) where it should have said

The error led to a small but significant discrepancy in conclusions,
although the authors of the original paper are disputing how important the
error is.

Perhaps we need methods for spreadsheet assurance, just as we need methods
for assuring the security and reliability of our operating systems and

WashPost: "The paper in question is Carmen Reinhart and Kenneth Rogoff's
famous 2010 study -- Growth in a Time of Debt -- which found that economic
growth severely suffers when a country's public debt level reaches 90
percent of GDP. "

A further description and a rebuttal by Reinhart & Rogoff can be found at

Another article
notes "Reinhart and Rogoff are not the only people to have difficulty
navigating the Microsoft product. One of the reasons behind the
so-called London Whale incident at J.P. Morgan, in which the bank took
a $6.2 billion trading loss, was a spreadsheet error in their model."


Date: Thu, 18 Apr 2013 19:26:20 -0400
From: Valdis Kletnieks <Valdis.Kletnieks () vt edu>
Subject: Buggy spreadsheets and the economy

In today's *New York Magazine*, Thomas Herndon explains how he found a
problem with Reinhart and Rogoff's work that has been used as a basis for
austerity spending by governments.

"I clicked on cell L51, and saw that they had only averaged rows 30 through
44, instead of rows 30 through 49."

Given the economic damage done by austerity spending over the past few
years, this is quite likely by far the most expensive programming error ever



Date: Friday, April 19, 2013
From: *Paul Nash*
Subject: The risks of/when not releasing your code & data

Quite apart from being "clumsy" with their Excel model, they forgot the
first rule of research:  correlation does not imply causation.

So when are they going to resign, and when are the various central bankers
who used their model to impose austerity going to change tack?  Or will
they just brush it aside and get on with screwing the working man?


Date: Fri, 19 Apr 2013 11:39:20 -0400
From: ACM TechNews <technews () HQ ACM ORG>
Subject: Vint Cerf Explains How to Make SDN as Successful as the Internet

Stacey Higginbotham, Google's Vint Cerf Explains How to Make SDN as
Successful as the Internet (GigaOm.com) 16 Apr 2013

Google chief Internet evangelist and ACM president Vint Cerf believes that
software defined networking (SDN) could benefit from some of the Internet's
design flaws and lessons learned in creating the Internet.  For example,
open standards should be implemented, with differentiation stemming from
branded versions of standard protocols rather than from patented protocols.
Interoperability is essential for stable networks, and that requires
standards, notes Cerf.  As companies create SDNs, they also should take into
account the successful design features of the Internet, including the loose
pairing of underlying equipment instead of a heavily integrated solution,
the modular approach, and open source technologies.  However, he says SDNs
can improve on the Internet's traffic routing, which now relies on sending
packets to a physical port.  Instead of this physical port, the OpenFlow
protocol changes the destination address to a table entry, enabling a new
type of networking that is better suited to the collaborative Web of the
future.  Another option could be content-based routing, in which the content
of a packet determines its destiny.  SDN's basic principal, dividing the
control plane and the data plane, should have been incorporated into the
Internet's design, Cerf notes.  In the future, SDN could improve controlled
access to intellectual property to help prevent piracy, and could bring
together various existing networks.


Date: Thu, 18 Apr 2013 16:19:28 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Video: "The Internet: A Warning From History"

  "The Internet was one of the greatest disasters to befall mankind.  Now
  its survivors share their experiences of the tragedy."
  http://j.mp/14A3HBy (YouTube via NNSquad)

    [Caution: Grain of Salt required.  PGN]


Date: Apr 18, 2013 4:44 PM
From: Geoff Goodfellow <geoff () iconia com>
Subject: DDoS Attack Bandwidth Jumps 718% (via Dave Farber's IP)

The average bandwidth seen in distributed denial-of-service (DDoS) attacks
has recently increased by a factor of seven, jumping from 6 Gbps to 48 Gbps.
Furthermore, 10% of DDoS attacks now exceed 60 Gbps.

Those findings come from a new report released Wednesday by DDoS mitigation
service provider Prolexic Technologies, which saw across-the-board increases
in DDoS attack metrics involving the company's customers...

http://geoff.livejournal.com * Geoff () iconia com


Date: Sun, 7 Apr 2013 15:21:58 -0400
From: Monty Solomon <monty () roscom com>
Subject: Laptop goes up in flames (Jordan Graham)

Jordan Graham, *Boston Herald*, 7 Apr 2013
90 Framingham students displaced

An overheated laptop burst into flames inside a Framingham State University
dorm room Friday in what officials warn is the latest in a string of
computer-related fires.

Firefighters also were called to a blaze caused by a laptop in Western
Massachusetts several weeks ago, and crews declared a Milford home a total
loss two weeks ago after an unattended laptop left on some cardboard sparked
an inferno, State Fire Marshal Stephen D. Coan said. ...



Date: Wed, 3 Apr 2013 13:36:28 -0600
From: Earl Boebert <boebert () swcp com>
Subject: How do you code a secure system?

Here's a screed I wrote for a journalist who asked "how do you code a secure

First, you don't code secure systems, you design them. All the important
stuff takes place at a level of abstraction above that of coding. Once you
have a design you have internalized both your problem and your
solution. Coding is then mechanical, and code verification will be
straightforward. So how do you get a design?  Start by studying exploits
that have defeated the kinds of systems you're interested in.

The various development life cycles attempt to sanitize the inherently dirty
and reactive business of secure systems design. The late Rick Proto, who
retired as the director of research for the National Security Agency said it
best: "Theories of Security come from Theories of Insecurity." Or, in my
favorite quote from Seneca, "There is a great deal of difference between a
person who chooses not to sin and one who doesn't know how." Your goal in
this phase is to become like Sherlock Holmes and have a first-class criminal
mind without a criminal temperament. Being a good guy who thinks like a bad
guy lets you have all the intellectual fun without running the risk of
coming to a sticky end.

Your study of exploits should focus on forming Theories of Insecurity,
factors that are common to whole classes of exploits. Stack games are a well
known example. A good approach is to analyze exploits using the "bindings
model." A binding is an important association between two values. For
example, a system may maintain a binding between a user name and a set of
privileges. A second binding may be between that user name and a human
being. Important systems decisions may assume that both bindings are
valuable, i.e., my access to my files. Exploits then can be characterized as
breaking or forging significant bindings. Looking at things this way will
get you familiar with two valuable concepts: bindings and dependencies.

After you've developed your Theories of Insecurity you then invert them to
form your Theories of Security. If you're up on your systems engineering
(which you should be) then the Theories of Security are, in effect, the
specifications of the desired emergent properties of your system. They will
almost all expressed as negatives, that is, things that aren't supposed to
happen. As such they will not be testable and must be verified (as far as
possible) by analytic methods. What you've done so far will provide the
basis for your analysis plan. Your object, and the best you can probably do,
is to force attackers to expend the resources to come up with a new class of
exploit, instead of sticking it to you by putting a systems-specific spin on
something they already know how to do. And of course you have to do the
functional requirements, the stuff that pays the rent, whatever problem your
system is supposed to solve while being secure.

Then you go through the design process du jour and come up with a modular
decomposition in the descriptive notation du jour and submit progress
reports in the life cycle process du jour to keep the marketeers and
spreadsheet jockeys happy. To keep yourself up on progress I strongly
recommend the use of Earned Value Management, which you can implement with a
sheet of graph paper you keep up on a nearby bulletin board. Within all this
you submit your design to an intensive analysis from every direction you can
think of. As a minimum you should understand how it enforces critical
bindings and you should also construct a dependency diagram. This is a tree
based on the "uses" concept Dave Parnas came up with 40 years ago or
so. Module A "uses" Module B if the correctness of A depends on the
correctness of B. Modules at the bottom (those that lots of things depend
on) should be scheduled for extra scrutiny in the implementation
stage. Circularities in the diagram are deadly. These are spots where A
depends on B and B depends on A. A circularity means your modularity is an
illusion, A and B are actually one "blob."

After you've got the cleanest design you can devise it's just a problem of
pounding code in the implementation language du jour and integrating. The
motto of the integration team should be "integrate early, integrate often."
Put stuff together as soon as it's ready and feed it test cases that only
touch the modules you have.

When it all works you have the victory celebration and deploy. Sooner or
later you're going to get whacked. First thing you do after rolling the
alert PR squadron is to analyze the exploit (which you should be good at by
now) and determine if it is a variation on a class you thought you handled
or something completely different. If it's a variation on a class you
thought you handled then the chances are good there's a low-level coding
flaw that can be patched. If it's something completely different then it's
time for Rev 2, starting with a rethink of your Theory of Security and going
all the way down to code.

And so it goes, round and round, white hats vs. black hats. Computer
security fits the description a diplomat once gave of diplomacy: all you do
is buy time, and if you buy enough time you get to die in bed and it becomes
somebody else's problem :-)


Date: Sun, 7 Apr 2013 13:25:39 -0700
From: Mark Thorson <eee () sonic net>
Subject: Fake Twitter accounts earn real money

Fake followers and fake retweets have become a large and growing market.

"There are now more than two dozen services that sell fake Twitter accounts,
but Mr. Stroppa and Mr. De Micheli said they limited themselves to the most
popular networks, forums and Web sites, which include Fiverr, SeoClerks,
InterTwitter, FanMeNow, LikedSocial, SocialPresence and Viral Media
Boost. Based on the number of accounts for sale through those services --
and eliminating overlapping accounts -- they estimate that there are now as
many as 20 million fake follower accounts."


As the technology of software to create and manage large numbers of fake
entities is refined, how will people discern real from fake?  They won't,
and a putative Twitter follower will have as little value as a review on


Date: Sat, 6 Apr 2013 12:08:59 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: French homeland intelligence threatens a volunteer sysop to delete
  a Wikipedia Article

http://j.mp/16C8Cxn  (Wikimedia France)

  "Unhappy with the Foundation's answer, the DCRI summoned a Wikipedia
  volunteer in their offices on April 4th. This volunteer, which was one of
  those having access to the tools that allow the deletion of pages, was
  forced to delete the article while in the DCRI offices, on the
  understanding that he would have been held in custody and prosecuted if he
  did not comply. Under pressure, he had no other choice than to delete the
  article, despite explaining to the DCRI this is not how Wikipedia
  works. He warned the other sysops that trying to undelete the article
  would engage their responsibility before the law.  This volunteer had no
  link with that article, having never edited it and not even knowing of its
  existence before entering the DCRI offices. He was chosen and summoned
  because he was easily identifiable, given his regular promotional actions
  of Wikipedia and Wikimedia projects in France."

The return of "Vichy France" mentalities, apparently.


Date: Sat, 6 Apr 2013 12:30:40 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: An English language version of the Wikipedia article (NNSquad)

Here is apparently an English language version of the article that France
attempted to censor with threats

http://j.mp/16CbqKF  (Google+)

This apparently is a newly translated version of the French Wikipedia
article that France attempted to censor by threatening a non-associated
Wikipedia volunteer in France.  And it wasn't lobbying -- it was direct
threats.  (English and French material.)

"Streisand Effect" fully engaged.


Date: Wed, 17 Apr 2013 13:02:55 +1000
From: Don Gingrich <gingrich () internode on net>
Subject: American Express Australia Mail Merge Stuff-up

I just received an e-mail on 11 April from AMEX touting a few current
offers, but the name in the message was not mine -- luckily the final digits
*were* from my card, though it could also have been his and, though
unlikely, just happened to be the same.

When I contacted AMEX about it I received the following:

  - ------

Dear Cardmember,

On the 11th April 2013 you received an e-mail from us entitled 'Enjoy more
rewards in more places'. Due to a technical issue this e-mail was
incorrectly addressed.

We confirm this e-mail and the offers enclosed were intended for you. We
would also like to assure you that your privacy and security has not been
compromised in any way.

We would like to sincerely apologise for any confusion this may have caused
to you.

Yours sincerely,

American Express Australia

  - ------

This apparently went out to everyone who received the original message.

The real problem for me was the lack of awareness on the part of the person
with whom I spoke at AMEX. It took a long time to convince them that this
sort of stuff-up is a real problem. I'm also not completely convinced of the
statements in the second paragraph.


Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 27.25

  By Date           By Thread  

Current thread:
  • Risks Digest 27.25 RISKS List Owner (Apr 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]