
Risks Digest 27.26
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 23 Apr 2013 17:06:02 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 23 April 2013  Volume 27 : Issue 26

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

LAX terminal signs hacked (Paul Saffo)
AP fooled by phishing attack (Lauren Weinstein)
Taiwan issues duplicate license plate numbers (jidanni)
EU Car Type-Approval Awkwardness (Chris Drewe)
FAA Approves Boeing 787 Battery Fix Allowing Flight Resumptions (Bloomberg)
New lithium ion battery design (PGN)
Two items on Internet use, etc. vs. distracted driving (Lauren Weinstein)
More in New York City Qualify as Gifted After Error Is Fixed (Al Baker via
  Jim Reisert)
Neil Richards on the Dangers of Surveillance (Lauren Weinstein)
Crowdsourcing a lynch mob (Mark Thorson)
Re: The Shame of Boston's Wireless Woes (Bob Frankston)
Re: Economic policy decisions may be affected by spreadsheet errors
  (John Levine, Amos Shapir)
Re: American Express Australia Mail Merge Stuff-up (John Levine)
Churnalism: Discover When News Copies from Other Sources (Lauren Weinstein)
Abridged info on RISKS (comp.risks)


Date: Mon, 22 Apr 2013 23:04:20 -0700
From: Paul Saffo <psaffo () discern com>
Subject: LAX terminal signs hacked


LAX flight status boards hacked, telling passengers to exit terminal
Andrew Blankstein and Robert J. Lopez, latimes.com, 22 Apr 2013

Authorities were searching the Tom Bradley International Terminal at Los
Angeles International Airport on Monday night for someone who hacked into
multiple flight status boards to write: "Emergency Leave the Terminal," law
enforcement authorities told *The Times*.

The rogue message was changed about five minutes after it was noticed about
10 p.m., authorities said. It was unclear whether any passengers had left
the terminal.

Multiple travelers reported the message to airport police. The status boards
are located in the B aisle area of the terminal.

Additional officers were dispatched to the terminal while LAX officials
investigated who was responsible for the hacking.

Earlier this month, an electronic sign near USC was apparently hacked to
display inappropriate messages about the Los Angeles Police Department.

  [That should be known as REALLY LAX security! PGN]


Date: Tue, 23 Apr 2013 13:45:20 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: AP fooled by phishing attack

http://j.mp/13XGzfH  (Techcrunch via NNSquad)

  The AP Twitter hack which sent the stock market briefly crashing was
  caused by a phishing attack, according to the AP. The news organization
  now says the attack on Twitter was "preceded by a phishing attempt on AP's
  corporate network."

    [Lots to choose from: lame passwords, cross-site scripting, compromised
    insider access routes, whatever. CNN suggests ``social
    engineering''. PGN]


Date: Wed, 24 Apr 2013 07:16:40 +0800
From: jidanni () jidanni org
Subject: Taiwan issues duplicate license plate numbers

The legislator held out two license plates -- one in green and one in red --
that were both labeled "AB-123," and asked the premier if he could tell the
difference between them. When the premier said he could not, lawmaker Yeh
noted that they were from two different types of vehicles yet have the same


Date: Tue, 23 Apr 2013 20:55:53 +0100
From: "Chris Drewe" <e767pmk () yahoo co uk>
Subject: EU Car Type-Approval Awkwardness

In the cars section of last Saturday's newspaper (April 20th), there was a
letter from a reader with a new Audi R8 V8 with manual transmission.
Complaint was very sluggish acceleration from 30mph (50km/hr) in 3rd gear;
interrogating the OBD-II port showed a temporary throttle part-closure,
which turned out to be programmed in to get good figures in the drive-by
noise test required for EU Type Approval.  It's good to have cars that
aren't too loud, but awkward to discover this in the middle of a tricky
passing manoeuvre...


Date: Fri, 19 Apr 2013 15:32:19 -0400
From: "David J. Farber" <farber () gmail com>
Subject: FAA Approves Boeing 787 Battery Fix Allowing Flight Resumptions


Boeing's 787 Dreamliner won U.S. approval to return to service with a
redesigned lithium-ion battery, more than three months into the government's
longest grounding of a commercial model in the jet age.

Restoring the 787 to flight status will allow the eight current operators to
end the use of temporary replacements and start routes that had been put on
hold with the Dreamliners unavailable. Chicago-based Boeing will be able to
resume deliveries, a pivotal step because it gets bulk payments when
aircraft are handed over.

The plane will continue to have permission to fly as far as 180 minutes from
an airport, FAA spokeswoman Laura Brown said in response to questions. That
is the same as the plane was originally certified to fly. That allows it to
fly across oceans, mountain ranges or the poles.

``A team of FAA certification specialists observed rigorous tests we
required Boeing to perform and devoted weeks to reviewing detailed analysis
of the design changes to reach this decision,'' FAA Administrator Michael
Huerta said in a statement.

Next week the FAA will publish regulations on how to alter the batteries in
the U.S. Federal Register, allowing Boeing and airlines to proceed with the

Boeing has sent teams around the world to help fit new battery kits into the
49 Dreamliners in airline fleets. Each installation will take four to five
days, Boeing has said. Once those jets are fixed, work will turn to dozens
of 787s stored around Boeing factories.

To contact the reporter on this story: Alan Levin in Washington --
alevin24 () bloomberg net


Date: Mon, 22 Apr 2013 18:51:45 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: New lithium ion battery design

http://bit.ly/11gIo1S, noted by Marv Schaefer

New lithium-ion battery design that's 2,000 times more powerful, recharges
1,000 times faster

Researchers at the University of Illinois at Urbana-Champaign have developed
a new lithium-ion battery technology that is 2,000 times more powerful than
comparable batteries. According to the researchers, this is not simply an
evolutionary step in battery tech, ``It's a new enabling technology: it
breaks the normal paradigms of energy sources. It's allowing us to do
different, new things.''

  [Lots of new risks as well, much faster and with lower power?  PGN]


Date: Tue, 23 Apr 2013 15:35:43 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Two items on Internet use, etc. vs. distracted driving

Two items on Internet use, etc. vs. distracted driving

How Federal Distracted-Driving Guidelines Will Shape Your Next Phone

http://j.mp/15F5EMF  (Wired via NNSquad)

Study: Voice-activated texting while driving no safer than typing

http://j.mp/15F5tRA  (Washington Post via NNSquad)

It seems clear that regulators are focusing not only on built-in but also
portable devices.  It seems inevitable that they will also direct attention
to "wearable" devices as well at some stage.


Date: Sat, 20 Apr 2013 07:56:03 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: More in New York City Qualify as Gifted After Error Is Fixed

Al Baker, *The New York Times*, 19 Apr 2013

Nearly 2,700 New York City students were wrongly told in recent weeks they
were not eligible for seats in public school gifted and talented programs
because of errors in scoring the tests used for admission, the Education
Department said on Friday. ...  According to Pearson, three mistakes were
made. Students' ages, which are used to calculate their percentile ranking
against students of similar age, were recorded in years and months, but
should also have counted days to be precise. Incorrect scoring tables were
used. And the formula used to combine the two test parts into one percentile
ranking contained an error.



Date: Tue, 23 Apr 2013 14:12:05 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Neil Richards on the Dangers of Surveillance

Law professor makes a case for legally recognizing the Dangers of Surveillance
http://j.mp/ZNfh3H  (Network World via NNSquad)

  The Dangers of Surveillance, written by Neil M. Richards, Professor of Law
  at Washington University in St. Louis, was recently published on the
  Social Science Research Network. In it, Richards proposed "four principles
  that should guide the future development of surveillance law." Yet he said
  we must first recognize that: "Surveillance transcends the public-private
  divide;" that "secret surveillance is illegitimate;" that "total
  surveillance is illegitimate" and that "surveillance is harmful." The
  courts may understand that surveillance could be potentially harmful, but
  "have struggled to clearly understand why."


Date: Sat, 20 Apr 2013 13:51:55 -0700
From: Mark Thorson <eee () sonic net>
Subject: Crowdsourcing a lynch mob (More on RISKS-27.25)

In the confusion surrounding the Boston Marathon bombings, some users of the
popular Reddit site misidentified a missing Brown University student as the


This event seems to be the first demonstration of the collision between mass
data available over the Internet and the echo chamber of blogs, comments,
and social media for spawning and amplifying spurious identifications of the
perpetrators of high-profile criminal acts.  If we stay on the current
trajectory (as we most certainly will) the data will become ever more prompt
and detailed.  "The bomber is Mark Thorson and Google says he's at his
mother's house at 1505 Spruce St. right now!  Let's go get him!"


Date: Sun, 21 Apr 2013 11:16:06 -0400
From: "Bob Frankston" <bob2-39 () bobf frankston com>
Subject: Re: The Shame of Boston's Wireless Woes (RISKS-27.25)

There is a real risk in confusing technical and economic problems.

Focusing on problem of "congestion" as cited in the Atlantic City cities
misses the point because that congestion is a necessary consequence of the
economic architecture of today's telecommunications system. The alternative
is simple -- don't do that. As a common infrastructure we could use Wi-Fi
(for starters) to make the vast existing capacity of the common
infrastructure immediately available.

The idea of trying to make our ability to communicate a profit center is
foolish at best -- it's akin to shutting down public transportation systems
if they are not profitable in themselves. Doing so would cause severe harm
to society. The business of providing telecommunications at a profit
requires limiting capacity and funneling traveling through billing points
(AKA cell towers).

Until we understand the interplay of technology and economics we are likely
to work at cross-purposes with ourselves. I'm not an expert on the story of
the closing of the Los Angeles trolley system but when the New York subways
failed to turn a profit the system took responsibility for them rather than
shutting it down.


Date: 19 Apr 2013 21:07:10 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Economic policy decisions may be affected by spreadsheet errors
  (Epstein, RISKS-27.25)

Perhaps we need methods for spreadsheet assurance, just as we need methods
for assuring the security and reliability of our operating systems and

Back in the 1980s I was one of the authors of a program called Javelin, a
time series modeling package that you could use to do a lot of the same
stuff that people do with spreadsheets.

One of our selling points was that Javelin models were a lot more reliable
than 1-2-3 or Excel models.  Data were stored in named variables each of
which could be a time series, which largely prevented the kind of error that
R+R made, since if you said A=SUM(B), it automatically summed up all of B.
We had spreadsheet-like editing, but you were editing a view of the
underlying model, not anonymous cells.

In marketing focus groups, we learned two things: a) any spreadsheet large
enough to be interesting had bugs, and b) nobody cared.  One telling comment
was "it's my manager's job to check that my spreadsheet is correct."


Date: Tue, 23 Apr 2013 17:16:24 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Economic policy decisions may be affected by spreadsheet errors

They used cell L44 instead of L49??  Come on, meaningful symbolic names for
variables have been around at least since IBM's RPG language (introduced in
1959)!  No wonder almost all Excel spreadsheets contain errors; this sort of
programming simply guarantees that.

I'm not surprised that Microsoft would force such antediluvian practices
upon all of us; but I am surprised that there is still no prevalent


Date: 19 Apr 2013 21:20:53 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: American Express Australia Mail Merge Stuff-up
  (Gingrich, RISKS-27.25)

I just received an e-mail on 11 April from AMEX touting a few current
offers, but the name in the message was not mine -- luckily the final digits
*were* from my card, though it could also have been his ...

I have two Amex cards.  Both have the same last five digits, which is a pain
in the patoot when I'm trying to figure out which account I used for a
charge slip or online purchase.  How likely is that?  1/100,000?  Not by
a long shot.

Credit card numbers from a particular issuer all have the same structure.
In Amex's case, the first two digits are always 37, the next two are the
currency (with many different digit pairs for common currencies like US
dollars), then there's the account number, a three digit card number, and a
check digit.

The card number for the primary cardholder on each account is card number
100, which only changes if the card is lost or stolen and reissued.  So in
fact, nearly all account numbers end with X100Y where X is the last digit of
the account number, and Y is the check digit.  The check digit is computed
from the rest of the number using the Luhn "mod 10" algorithm which is
intended to detect digit transpositions and to be easy to compute, not to be
cryptographically secure.  Since the other digits in the number are not very
random, the check digit isn't either.  If the X and Y were random, the
chances of those five digits being the same would be a little under 1%, but
since the check digit isn't random, it's a little more than that.

So anyway, partial credit card numbers are only arguably adequate for
showing that a message is from your bank and not a phish, and useless for
anything stronger.
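The arithmetic behind the post can be checked directly. The following is an added example, not part of John Levine's message: it implements the Luhn "mod 10" check digit he mentions, assembles numbers in the layout he describes (37, a currency pair, the account number, card number 100, check digit), and measures how often two such numbers share their last five digits. The field widths (a two-digit currency pair "00" and a four-digit account number), and the two account-issuance patterns, are constructed for illustration and are not Amex's actual scheme; the Amex test number used for the validity check is a publicly documented test value, not a real account.

```python
# Added example, not part of John Levine's RISKS post: a Luhn "mod 10"
# check-digit implementation and a measurement of how often two cards built
# on an Amex-style layout share their last five digits (the X100Y tail).
from collections import Counter
from itertools import product


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for `payload` (all digits except the final check digit).

    Walking from the right, every second digit (starting with the one nearest
    the check digit) is doubled and, if the result exceeds 9, reduced by 9.
    The check digit is whatever makes the total a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the Luhn check digit of the rest."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == int(number[-1]))


def amex_style_number(currency: str, account: str, card: str = "100") -> str:
    """Assemble a number in the layout the post describes: '37', a two-digit
    currency pair, the account number, a three-digit card number (100 for the
    primary cardholder) and the Luhn check digit.  Field widths are an
    assumption for illustration, not the real 15-digit Amex layout."""
    payload = "37" + currency + account + card
    return payload + str(luhn_check_digit(payload))


def last_five_collision_rate(numbers) -> float:
    """Probability that two distinct numbers drawn at random from `numbers`
    agree in their last five digits."""
    numbers = list(numbers)
    n = len(numbers)
    tails = Counter(num[-5:] for num in numbers)
    matching_pairs = sum(c * (c - 1) for c in tails.values())
    return matching_pairs / (n * (n - 1))


def uniform_accounts(width: int = 4):
    """Constructed sample: every possible account number of the given width."""
    return ("".join(digits) for digits in product("0123456789", repeat=width))


def step10_accounts(width: int = 4):
    """Constructed issuance pattern: account numbers handed out in steps of
    10, so the last account digit (the X in X100Y) is always 0."""
    return (f"{i * 10:0{width}d}" for i in range(10 ** (width - 1)))


def main() -> None:
    # Publicly documented Amex test number, not a real account.
    test_pan = "378282246310005"
    print(test_pan, "valid:", luhn_valid(test_pan))
    # A single mistyped digit is caught, which is all Luhn is designed for.
    print("one digit changed, valid:", luhn_valid("378282246310006"))

    uniform = [amex_style_number("00", a) for a in uniform_accounts()]
    stepped = [amex_style_number("00", a) for a in step10_accounts()]
    print("all generated numbers Luhn-valid:", all(map(luhn_valid, uniform + stepped)))
    print(f"tail collision rate, uniform accounts:    {last_five_collision_rate(uniform):.3%}")
    print(f"tail collision rate, step-of-10 accounts: {last_five_collision_rate(stepped):.3%}")


if __name__ == "__main__":
    main()
```

With every four-digit account number in use, the collision rate on the last five digits comes out just under 1%, matching the post's figure for the random case; under the constructed step-of-10 issuance pattern, where the X digit never varies, it rises to about 10%. The check digit adds no secrecy either way: it is a deterministic function of the other digits, designed only to catch single-digit typos and most adjacent transpositions.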


Date: Tue, 23 Apr 2013 14:13:32 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Churnalism: Discover When News Copies from Other Sources

Churnalism: Discover When News Copies from Other Sources

http://j.mp/ZNeRdy  (Sunlight Foundation via NNSquad)

  "Churnalism US is a new web tool and browser extension that allows anyone
  to compare the news you read against existing content to uncover possible
  instances of plagiarism. It is a joint project with the Media Standards


Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 27.26
