
Risks Digest 27.27
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 4 May 2013 22:13:13 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 4 April 2013  Volume 27 : Issue 27

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

US election fraud (Gary Hinson)
Computer Problems in Three States Hamper Student Proficiency Tests (AP item
  via Monty Solomon)
"McAfee spots Adobe Reader PDF-tracking flaw" (Jeremy Kirk via Gene Wirchenko)
Cellphone Thefts Grow, but the Industry Looks the Other Way (Monty Solomon)
News on LulzSec hackers (PGN)
Dutch cyberattack suspect arrested in Spain (Lauren Weinstein)
This Powerful Spy Software Is Being Abused By Governments Around The World
  (Geoff Goodfellow)
What happens when pirates play a game development simulator and then go
  bankrupt because of piracy?  (Patrick via Richard Berlin via Dave Farber)
"Malware hijacks Twitter accounts to send dangerous links" (Jeremy Kirk via
  Gene Wirchenko)
"The taxman cometh for cloud services" (Caroline Craig via Gene Wirchenko)
"Cloud computing gets CIA endorsement" (CDN Staff via Gene Wirchenko)
Anyone can send private messages to the deceased person (jidanni)
UK Gov passes Instagram Act: All your pics belong to everyone now (LW)
U.S. Lawmaker Proposes New Criteria for Choosing NSF Grants (ScienceInsider
  via Dave Farber)
Fake Post Erasing $136 Billion Shows Markets Need Humans (Monty Solomon)
More on That Spreadsheet Error (James Madison via Richard S. Russell)
Microsoft re-releases botched patch as KB 2840149, but problems remain
  (Woody Leonhard via Gene Wirchenko)
Shame on Verizon: Some Customers in Manhattan, NYC Out Since Sandy --
  186 Days and Counting (Bruce Kushnick via Dewayne Hendricks via DF)
"EFF report reveals tech's loosest lips, tightest grips" (RXC via
  Gene Wirchenko)
LAX sign story just gets better and better... (Brian Sumers via Paul Saffo)
"The Delete Squad: Google, Twitter, Facebook and the new global battle
  over the future of free speech" (TNR via LW)
Re: The Shame of Boston's Wireless Woes (Chris Drewe)
Re: Economic policy decisions may be affected by spreadsheet errors
  (Michael Kohne, Amos Shapir)
Re: Risks of ASCII-formatting mathematics (Steven Bellovin)
Re: Taiwan issues duplicate license plate numbers (Bob Frankston)
Two items on Internet use, etc. vs. distracted driving (Bob Frankston)
Re: Laptop goes up in flames (David Tarabar)
Re: New lithium ion battery design (Anthony Thorn)
Call for Full Papers and Structured Abstracts - 2013 LASER Workshop:
  Learning from Authoritative Security Experiment Results (Edward Talbot)
Abridged info on RISKS (comp.risks)


Date: Sat, 27 Apr 2013 13:47:47 +1200
From: "Gary Hinson" <Gary () isect com>
Subject: US election fraud

I'm sure the final paragraph will cause long-time RISKS-listers to raise an
eyebrow, perhaps both: "Nees previously told Fox News that the fraud was
clearly evident, "because page after page of signatures are all in the same
handwriting," and that nobody raised any red flags "because election workers
in charge of verifying their validity were the same people faking the

  We don' need no steenkin' divisions of responsibility.

Gary Hinson, CEO IsecT Ltd, NZ, www.SecurityMetametrics.com, PRAGMATIC
metrics www.NoticeBored.com; non-stop awareness www.ISO27001security.com ...


Date: Thu, 2 May 2013 08:37:54 -0400
From: Monty Solomon <monty () roscom com>
Subject: Computer Problems in Three States Hamper Student Proficiency Tests



Date: Wed, 01 May 2013 10:10:28 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "McAfee spots Adobe Reader PDF-tracking flaw" (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 29 Apr 2013
The flaw in Adobe Reader could allow an attacker to see when and where a PDF
is opened.


Date: Thu, 2 May 2013 08:32:32 -0400
From: Monty Solomon <monty () roscom com>
Subject: Cellphone Thefts Grow, but the Industry Looks the Other Way

When a teenage boy snatched the iPhone out of Rose Cha's hand at a bus stop
in the Bronx in March, she reported the theft to her carrier and to the
police - just as she had done two other times when she was the victim of
cellphone theft. Again, the police said they could not help her.

Ms. Cha's phone was entered in a new nationwide database for stolen
cellphones, which tracks a phone's unique identifying number to prevent it
from being activated, theoretically discouraging thefts.  But police
officials say the database has not helped stanch the ever-rising numbers of
phone thefts, in part because many stolen phones end up overseas, out of the
database's reach, and in part because the identifiers are easily modified.

Some law enforcement authorities, though, say there is a bigger issue - that
carriers and handset makers have little incentive to fix the problem. ...



Date: Sat, 27 Apr 2013 9:59:58 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: News on LulzSec hackers

LulzSec arrest in Australia
Federal police charge IT worker, 24, with attacking government website and
say he has claimed to be a leader of hacker group

LulzSec hacking suspect arrested in Sydney

Australian police have arrested a man they say is affiliated with the
international hacking collective LulzSec on a charge of attacking and
defacing a government website.

The 24-year-old senior IT worker, whose name was not released, was arrested
on Tuesday night at his Sydney office, the Australian Federal Police
said. The man, who police say has claimed to be a high-level member of the
hacking group, was charged with two counts of unauthorised modification of
data to cause impairment, and one count of unauthorised access to, or
modification of, restricted data. If convicted he could face up to 12 years
in jail.


  [Thanks to Don Hutson for noting this item.  PGN]


Date: Fri, 26 Apr 2013 11:13:41 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Dutch cyberattack suspect arrested in Spain

  "Prosecutors say a Dutch citizen has been arrested in Spain in connection
  with what experts described as the biggest cyberattack in the history of
  the Internet, launched against an anti-spam watchdog group last month.
  The Netherlands National Prosecution Office said a 35-year-old suspect it
  identified only by his initials, S.K., was arrested Thursday at his home
  in Barcelona. Authorities also seized computers and mobile phones."
  http://j.mp/14WmE1m  (New Tribune / AP, via NNSquad)


Date: May 2, 2013 7:19:58 PM EDT
From: Geoff Goodfellow <geoff () iconia com>
Subject: This Powerful Spy Software Is Being Abused By Governments Around
  The World

A new report presents overwhelming evidence that sophisticated spying
software is being abused by governments around the world.  The findings by
The Citizen Lab, a digital research laboratory at the University of Toronto,
detail how the software marketed to track criminals is being used against
dissidents and human rights activists.

Titled "For Their Eyes Only: The Commercialization of Digital Spying," the
report focuses on a type of surveillance software called FinSpy that can
remotely monitor webmail and social networks in real time as well as collect
encrypted data and communications of unsuspecting targets...



Date: May 3, 2013 2:14:34 PM EDT
From: Richard Berlin <richard.berlin () stanfordalumni org>
Subject: What happens when pirates play a game development simulator and
  then go bankrupt because of piracy?  (Patrick via Dave Farber)


Patrick, April 29, 2013

When we released our very first game, Game Dev Tycoon (for Mac, Windows and
Linux) yesterday, we did something unusual and as far as I know unique. We
released a cracked version of the game ourselves, minutes after opening our
Store. ...


Date: Wed, 24 Apr 2013 11:10:54 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Malware hijacks Twitter accounts to send dangerous links" (J.Kirk)

Jeremy Kirk, InfoWorld Home, 23 Apr 2013
Trusteer has found malicious software that leverages Twitter to infect more


Date: Fri, 03 May 2013 10:22:22 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "The taxman cometh for cloud services" (Caroline Craig)

Caroline Craig, InfoWorld, 03 May 2013
Cash-strapped states are enacting new taxes on computing and cloud-based
services, opening a possible Pandora's box of confusion and lost cost


Date: Wed, 24 Apr 2013 11:21:32 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Cloud computing gets CIA endorsement" (CDN Staff)

Cloud Services Infrastructure, 23 Apr 2013
Cloud computing gets CIA endorsement

"Say what you will about the Central Intelligence Agency (CIA), but the
American spy shop is usually pretty concerned about security. So their
endorsement of cloud computing is certainly of note.  According to a report
from FCW, the CIA has inked a cloud computing contract with Amazon Web
Services (AWS) worth as much as $600 million over 10 years."

      [But what sort of note is it?]


Date: Wed, 24 Apr 2013 19:01:02 +0800
From: jidanni () jidanni org
Subject: Anyone can send private messages to the deceased person



Date: Mon, 29 Apr 2013 07:44:51 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: UK Gov passes Instagram Act: All your pics belong to everyone now

http://j.mp/ZYYP0a (The Register via NNSquad)

  "How so? Previously, and in most of the world today, ownership of your
  creation is automatic, and legally considered to be an individual's
  property. That's enshrined in the Berne Convention and other international
  treaties, where it's considered to be a basic human right. What this means
  in practice is that you can go after somebody who exploits it without your
  permission - even if pursuing them is cumbersome and expensive.  The UK
  coalition government's new law reverses this human right. When last year
  Instagram attempted to do something similar, it met a furious
  backlash. But the Enterprise and Regulatory Reform Act has sailed through
  without most amateurs or semi-professionals even realising the


Date: Mon, 29 Apr 2013 11:48:06 -0400
From: "David J. Farber" <farber () gmail com>
Subject: U.S. Lawmaker Proposes New Criteria for Choosing NSF Grants


The new chair of the House of Representatives science committee has drafted
a bill that, in effect, would replace peer review at the National Science
Foundation (NSF) with a set of funding criteria chosen by Congress. For good
measure, it would also set in motion a process to determine whether the same
criteria should be adopted by every other federal science agency.

The legislation, being worked up by Representative Lamar Smith (R-TX),
represents the latest -- and bluntest -- attack on NSF by congressional
Republicans seeking to halt what they believe is frivolous and wasteful
research being funded in the social sciences. Last month, Senator Tom Coburn
(R-OK) successfully attached language to a 2013 spending bill that prohibits
NSF from funding any political science research for the rest of the fiscal
year unless its director certifies that it pertains to economic development
or national security. Smith's draft bill, called the "High Quality Research
Act," would apply similar language to NSF's entire research portfolio across
all the disciplines that it supports.

ScienceInsider has obtained a copy of the legislation, labeled "Discussion
Draft" and dated 18 April, which has begun to circulate among members of
Congress and science lobbyists. In effect, the proposed bill would force NSF
to adopt three criteria in judging every grant. Specifically, the draft
would require the NSF director to post on NSF's Web site, prior to any
award, a declaration that certifies the research is:

1) "... in the interests of the United States to advance the national
   health, prosperity, or welfare, and to secure the national defense by
   promoting the progress of science;

2) "... the finest quality, is groundbreaking, and answers questions or
   solves problems that are of utmost importance to society at large; and

3) "... not duplicative of other research projects being funded by the
   Foundation or other Federal science agencies."

NSF's current guidelines ask reviewers to consider the "intellectual merit"
of a proposed research project as well as its "broader impacts" on the
scientific community and society.

Two weeks ago, Republicans on the science committee took to task both John
Holdren, the president's science adviser, and Cora Marrett, the acting NSF
director, during hearings on President Barack Obama's proposed 2014 science
budget. They read the titles of several grants, questioned the value of the
research, and asked both administration officials to defend NSF's decision
to fund the work.

On Thursday, Smith sent a letter to Marrett asking for more information on
five recent NSF grants. In particular, he requested copies of the comments
from each reviewer, as well as the notes of the NSF program officer managing
the awards.

In his letter, a copy of which ScienceInsider obtained, Smith wrote: "I have
concerns regarding some grants approved by the Foundation and how closely
they adhere to NSF's 'intellectual merit' guideline." Today, Smith told
ScienceInsider in a statement that "the proposals about which I have
requested further information do not seem to meet the high standards of most
NSF funded projects."

Smith's request to NSF didn't sit well with the top Democrat on the science
committee, Representative Eddie Bernice Johnson (D-TX). On Friday, she sent
a blistering missive to Smith questioning his judgment and his motives.

"In the history of this committee, no chairman has ever put themselves
forward as an expert in the science that underlies specific grant proposals
funded by NSF," Johnson wrote in a letter obtained by ScienceInsider. "I
have never seen a chairman decide to go after specific grants simply because
the chairman does not believe them to be of high value."

In her letter, Johnson warns Smith that "the moment you compromise both the
merit review process and the basic research mission of NSF is the moment you
undo everything that has enabled NSF to contribute so profoundly to our
national health, prosperity, and welfare." She asks him to "withdraw" his
letter and offers to work with him "to identify a less destructive, but more
effective, effort" to make sure NSF is meeting that mission.

Smith's bill would require NSF's oversight body, the National Science Board,
to monitor the director's actions and issue a report in a year. It also asks
Holdren's office to tell Congress how the principles laid down in the
legislation "may be implemented in other Federal science agencies."


Date: Thu, 25 Apr 2013 10:25:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: Fake Post Erasing $136 Billion Shows Markets Need Humans



Date: Wed, 24 Apr 2013 12:59:21 -0500
From: "Richard S. Russell" <richardsrussell () tds net>
Subject: More on That Spreadsheet Error

Of all the enemies of true liberty, war is, perhaps, the most to be dreaded,
because it comprises and develops the germ of every other.

War is the parent of armies; from these proceed debts and taxes; and armies,
and debts, and taxes are the known instruments for bringing the many under
the domination of the few.

In war, too, the discretionary power of the executive is extended; its
influence in dealing out offices, honors and emoluments is multiplied; and
all the means of seducing the minds are added to those of subduing the
force, of the people.

The same malignant aspect in republicanism may be traced in the inequality
of fortunes, and the opportunities of fraud, growing out of a state of war,
and in the degeneracy of manner and of morals, engendered in both.

No nation can preserve its freedom in the midst of continual warfare.

James Madison (1809-1817), 4th US president, "father" of the Constitution
 and Bill of Rights

Richard S. Russell, 2642 Kendall Av. #2, Madison  WI  53705-3736
608+233-5640  RichardSRussell () tds net http://richardsrussell.livejournal.com/


Date: Fri, 26 Apr 2013 10:54:47 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Microsoft re-releases botched patch as KB 2840149, but problems remain
  (Woody Leonhard)

Woody Leonhard, InfoWorld, 24 Apr 2013
The saga of botched patch MS13-036 takes new twists and turns --
including a problem with Multiple Master fonts

According to this article, not only are there continuing problems, but the
details were not properly disseminated and details are lacking:

In an obscure Microsoft Security Response Center post on Thursday, Microsoft
recommended that "all customers who have installed security update 2823324
should follow the guidance that we have provided in KB2839011 to uninstall
it." Just about every Vista and Win7 customer who had Windows Automatic
Update turned on got the patch, but I'd guess that only about one in 100,000
customers saw the notice to uninstall the patch -- and of those, maybe one
in 10 actually did it.

But wait, that's only part of the story. MS13-036 had two different
patches. This botched patch fixed the system file ntfs.sys ...
eventually. The other patch -- known as KB 2808735 -- replaced the file
win32k.sys on all versions of Windows and Server since Windows XP, up to and
including Windows 8, Windows RT, and Windows Server 2012. (There's a full
list at the end of Security Bulletin MS13-036.)  The KB article says that
"[a]fter you install this security update, certain Multiple Master fonts
cannot be installed." Unfortunately, Microsoft doesn't mention which
Multiple Master fonts can't be installed, whether installed MM fonts would
get zapped, or if there are modified versions of the MM fonts that might
work. The KB article also doesn't say why the MM fonts can't be installed,
so it begs the question of whether this is a highly isolated incident, or if
symptoms might manifest with other installers or other fonts.


Date: May 3, 2013 8:47:22 AM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: [Dewayne-Net] Shame on Verizon: Some Customers in Manhattan, NYC
  Out Since Sandy -- 186 Days and Counting (via Dave Farber's IP)

[Note:  This item comes from friend Bruce Kushnick.  DLH]

Date: May 2, 2013 9:56:08 PM PDT
From: Bruce Kushnick <bruce () newnetworks com>
Subject: Shame on Verizon: Some Customers in Manhattan, NYC Out Since Sandy -- 186 Days and Counting.

New Networks

Shame on Verizon: There Are Customers in Manhattan, New York City Who Still
Don't Have Service After Sandy -- 186 Days and Counting.

Read the article <http://www.newnetworks.com/VerizonNYC.htm>
Download the article. <http://www.newnetworks.com/VerizonNYCSandy.pdf>

This is a foreboding glimpse into your future communications services if you
live in the USA.

I'm sitting in a high ceiling parlor in an aged brownstone at the E.9th
Street Block Association meeting.  People are telling me, somewhat muting
their anger, that some have had no phone service since Sandy, October 28th
2012 ---- 186 days ago, almost 6 months, almost half a year.  Some had their
service restored over the last month, only being out for about 5 months.

I'm in a roomful of people in the middle of Manhattan, New York City, and I
can't believe my ears. I've been a telecom analyst for 31 years and thought
I'd heard everything before - but this?

Mayor Bloomberg, with claims that New York City is a world center for
technology announced his new campaign, ``We Are Made in NY'' in 2013,
stating we're ``strengthening the city as a global hub for innovation.''

Being out of service is only one of the Manhattanites' problems. Almost all
of those without Verizon service have continued to be billed for services

What's the problem?  How could this be happening in America?

To read the rest of this article: <http://www.newnetworks.com/VerizonNYC.htm>
Download the article: <http://www.newnetworks.com/VerizonNYCSandy.pdf>

Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>


Date: Thu, 02 May 2013 11:37:37 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "EFF report reveals tech's loosest lips, tightest grips" (RXC)

Robert X. Cringely, InfoWorld, 01 May 2013
EFF rates how Apple, AT&T, Google, Twitter, and more share data with
Uncle Sam -- see which tech leaders come out on top


Date: Tue, 23 Apr 2013 21:20:14 -0700
From: Paul Saffo <paul () saffo com>
Subject: LAX sign story just gets better and better...

It was an accident...

LAX worker accidentally puts up order to evacuate terminals on monitors
Brian Sumers, Daily Breeze

Monitors at Los Angeles International Airport's international terminal
briefly told passengers there was an emergency and asked them to leave the
facility Monday night because of an error made by a contracted airline

At a little before 9:47 p.m., the message read: "An emergency has been
declared in the terminal. Please evacuate." An airport police source said
officers responded to the scene at the Tom Bradley International Terminal,
believing the system had been hacked. But an airport spokeswoman said it was
an honest mistake.

"After investigating what caused the erroneous posting, LAX Airport Ops and
Information Technology staffers reported that an airline contract employee,
who is authorized to access the display system, was programming airline
check-in information into a set of monitors for a particular flight when he
accidentally activated the preprogrammed emergency message," airport
spokeswoman Nancy Castles said in a statement.

Castles said there were no reports of passengers evacuating the terminal and
the problem was fixed within about 10 minutes.

She said airport officials are looking into ways to ensure a similar problem
does not occur again.

Brian Sumers


Date: Mon, 29 Apr 2013 14:39:12 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: "The Delete Squad: Google, Twitter, Facebook and the new global
  battle over the future of free speech"

http://j.mp/ZwjUDS  (*New Republic* via NNSquad)

  "As online communication proliferates-and the ethical and financial costs
  of misjudgments rise-the Internet giants are grappling with the challenge
  of enforcing their community guidelines for free speech.  Some Deciders
  see a solution in limiting the nuance involved in their protocols, so that
  only truly dangerous content is removed from circulation. But other
  parties have very different ideas about what's best for the
  Web. Increasingly, some of the Deciders have become convinced that the
  greatest threats to free speech during the next decade will come not just
  from authoritarian countries like China, Russia, and Iran, who practice
  political censorship and have been pushing the United Nations to empower
  more of it, but also from a less obvious place: European democracies
  contemplating broad new laws that would require Internet companies to
  remove posts that offend the dignity of an individual, group, or


Date: Sat, 27 Apr 2013 21:51:51 +0100
From: "Chris Drewe" <e767pmk () yahoo co uk>
Subject: Re: The Shame of Boston's Wireless Woes (RISKS-27.25)

  Bob Frankston (RISKS-26.25):
  There is a real risk in confusing technical and economic problems.

Well... when I worked in telecoms, lore indeed was that if you didn't have
some congestion in busy times, you had too much capacity, and it's obviously
a matter of commercial judgement as to balancing the cost of losing
revenue-earning traffic in the peaks against having expensive equipment
lying idle much of the time.  I don't know how cellphone or Wi-Fi networks
'scale', but presumably having enough capacity always available to work
normally during Boston-type once-in-a-lifetime (we hope!) events would be
mighty costly, which has to be paid for somehow, either by telecoms
companies' customers, or taxpayers if run by a Government department as a
public service (like transit).  Looks like the problem here is managing
people's expectations; yes you can have a service that stands up to sudden
spikes in demand better, but how much more are you willing to pay?  And do
you want to cope with the once-in-5-years event, or once-in-15, or
once-in-50..?  After all, when emergencies happened years ago, everyone knew
that it would be difficult to find what happened or trace loved ones, now
they get angry if they can't do this immediately.  It's a bit like readers'
letters in the travel section of the newspaper, complaining about the high
price and limited availability of the Internet on cruise ships at sea;
there's no land-lines in the middle of the ocean, and those satellites are


Date: Tue, 23 Apr 2013 21:13:42 -0400
From: Michael Kohne <mhkohne () kohne org>
Subject: Re: Economic policy decisions may be affected by spreadsheet errors
  (Shapir, RISKS-27.26)

First off, MS (for all that I dislike many things about them) isn't forcing
anything on this one. They provide a tool that does what it claims to do
(give a grid to put stuff in, add, subtract, fold, spindle and mutilate as
directed). The fact that it's a bad one for sophisticated economic modeling
isn't really their fault.

No one is forcing companies to buy this tool, or forcing them to create
their simulations and economic models in it. They do it because it seems
EASY, and it's the tool they've got handy (it came with their word
processor, after all). Dump the numbers in, put a couple formulas in and
BANG - there's the answer!

And that's the root of the problem - it's easy to do, and no one has to show
you how.  So no one ever mentions that you should find some way to test the
thing.  No one ever explains all subtleties that happen when you insert
cells mid-row.  No one ever looks over your shoulder to see if anything
coming out of your model makes any sense at all.  No one ever lets on that
you are in fact PROGRAMMING. And that perhaps some care should be taken.

As to alternatives - there's more than one package out there that lets you
manipulate numbers. But they aren't 'grid of numbers' simple, and a single
license can in some cases cost more than the entire MS Office suite! If it's
something that has to go through the budget committee, then it's not going
to get bought at many companies.

So yes, there's a problem, but blaming MS will not fix it, and detracts from
any real thinking on the problem.


Date: Wed, 24 Apr 2013 16:43:09 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Economic policy decisions may be affected by spreadsheet errors
  (Kohne, RISKS-27.27)

Michael, My point is this: since the MS Office is what the system is
designed to work with, it is de facto bundled.  Surely anyone can use any
utility, but the fact is, a vast majority of Windows users who need a
spreadsheet, end up using Excel.  In principle, the basic utilities of the
system -- those which are in common use by laypersons -- should be made as
simple, robust and intuitive as possible.  NotePad is a good example, Word
used to be, Excel is not.

As you say, casual users may not even be aware they are programming.  Well,
they should, and should be given the tools to do the job; symbolic names for
variables is the most basic of these, and has been around since the 1950's.
Leaving Excel in this primitive state is certainly MS's fault.


Date: Sat, 27 Apr 2013 22:27:46 -0400
From: Steven Bellovin <smb () cs columbia edu>
Subject: Re: Risks of ASCII-formatting mathematics (Stewart, RISKS-27.24)

 What's new is that someone has managed to turn the weaknesses into a real
 exploit, albeit one that needs at least 224 and preferably 230 encryptions
 of the same plaintext to work.

Except he almost certainly didn't write that; the numbers were presumably
2**24 and 2**30, expressed in some notation that didn't survive some
reformatting process somewhere.

Yup.  If you click on the link to the original post, you'll see that I
wrote it correctly -- using the <sup>...</sup> HTML tags.  It's perfectly
valid HTML 4 (http://www.w3.org/TR/REC-html40/struct/text.html#edef-SUP)
-- but copy/paste to ASCII turns 2<sup>24</sup> into 224.  (It will be
amusing to see how this paragraph gets translated to HTML.)

It's possible to handle copy/paste correctly.  On a Mac, I did a copy/paste
of some footnoted text from a Word document into an ASCII email message.
It rendered the footnote references as [1] and [2].  I was impressed.

Steve Bellovin, https://www.cs.columbia.edu/~smb

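The copy/paste failure Bellovin describes, as an added example (not code from the post or from any RISKS-related project): a small Python HTML flattener that keeps <sup>/<sub> visible in ASCII, beside the naive tag-stripper that turns 2<sup>24</sup> into 224. The sample HTML is constructed.

```python
"""Flatten HTML to ASCII without losing superscripts and subscripts.

A tag-dropping extractor concatenates the body of <sup> onto the preceding
text, so 2<sup>24</sup> becomes 224. The aware extractor below emits 2^24
instead (and H_2O for subscripts), which survives in plain-text e-mail.
"""
from html.parser import HTMLParser


class SupSubAwareExtractor(HTMLParser):
    """Keep text, drop tags, but render <sup> as ^x and <sub> as _x.

    A body that is not a single alphanumeric token is wrapped in braces, so
    note<sup>[1]</sup> -> note^{[1]} and 2<sup>2<sup>n</sup></sup> -> 2^{2^n}.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self._out: list[str] = []
        # Stack of (tag, collected text parts) for open sup/sub elements.
        self._open: list[tuple[str, list[str]]] = []

    def _emit(self, fragment: str) -> None:
        # Text belongs to the innermost open sup/sub, else to the output.
        if self._open:
            self._open[-1][1].append(fragment)
        else:
            self._out.append(fragment)

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag in ("sup", "sub"):
            self._open.append((tag, []))

    def handle_data(self, data: str) -> None:
        self._emit(data)

    def _close_innermost(self) -> None:
        tag, parts = self._open.pop()
        body = "".join(parts).strip()
        marker = "^" if tag == "sup" else "_"
        self._emit(marker + (body if body.isalnum() else "{" + body + "}"))

    def handle_endtag(self, tag: str) -> None:
        # A stray </sup> or </sub> with no matching start tag is ignored.
        if tag in ("sup", "sub") and self._open and self._open[-1][0] == tag:
            self._close_innermost()

    def text(self) -> str:
        # An element left unclosed at end of input is still rendered.
        while self._open:
            self._close_innermost()
        return "".join(self._out)


class TagStripper(HTMLParser):
    """The naive extractor: keep text, drop every tag (2<sup>24</sup> -> 224)."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def naive_strip_tags(html: str) -> str:
    parser = TagStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


def html_to_ascii(html: str) -> str:
    parser = SupSubAwareExtractor()
    parser.feed(html)
    parser.close()
    return parser.text()


def loses_superscripts(html: str) -> bool:
    """True when plain tag-dropping would silently alter the text's meaning."""
    return naive_strip_tags(html) != html_to_ascii(html)


# Constructed sample mirroring the garbled quotation in the RISKS thread.
SAMPLE = "needs at least 2<sup>24</sup> and preferably 2<sup>30</sup> encryptions"

if __name__ == "__main__":
    print("naive:", naive_strip_tags(SAMPLE))
    print("aware:", html_to_ascii(SAMPLE))
```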

Date: Tue, 23 Apr 2013 21:22:08 -0400
From: "Bob Frankston" <bob2-39 () bobf frankston com>
Subject: Re: Taiwan issues duplicate license plate numbers (Jidanni, R-27.26)

I had a very similar color confusion after asking my office manager to order
numbered labels for equipment with one color for borrowed (red) and another
for the equipment we owned. It never occurred to me I'd get labels with the
same number in each series. But then why should someone not versed in
databases and computer technology realize that color was not normally stored
with other information in the database?

For that matter, before the advent of xerography, fax, Mylar typewriter
ribbons and computer printers typewriters had two color ribbons so that
negative numbers could be typed in red.


Date: Tue, 23 Apr 2013 21:36:50 -0400
From: "Bob Frankston" <bob2-39 () bobf frankston com>
Subject: Two items on Internet use, etc. vs. distracted driving (RISKS-27.26)

There are multiple risks in building technology policy such as "don't text"
into devices. Such policies put implicit assumptions about context and usage
in between us and the technologies we use. In the case of texting in
particular do we ban apps that might semi-automatically text on our behalf?
That's aside from the practical implementation issues such as determine
whether the user is a passenger or a driver. Today would Motor-ola have been
able to introduce the distractions of car radios?

Of course basing policies on studies is something that should be done very
cautiously as this note appeared in the same issue of Risks as reports of
flawed economic studies that served as the basis for major public policy
decisions. We also need to remember that bans on using devices in airplanes
seem as much if not more due to the social concerns about people talking on
a cell phone than real issues with the technology.

The larger issue is more subtle and part of the problem of tying technology
to specific purposes. When we do so we are throwing sand into the engine of
"innovation" - the opportunity to reimagine our technologies in the same way
IP allowed us to repurpose the telecom infrastructure. In the 1970s
computers became much more valuable to society when IBM was forced to sell
its hardware without limiting their applications.


Date: Wed, 24 Apr 2013 09:14:57 -0400
From: David Tarabar <dtarabar () acm org>
Subject: Re: Laptop goes up in flames (RISKS-27.25)

This item is slightly misleading. The laptop was left on a bed with the
power on. The heat from the laptop caused the bedding to catch fire ... and
then the laptop went up in flames.



Date: Wed, 24 Apr 2013 15:04:58 +0200
From: Anthony Thorn <anthony.thorn () atss ch>
Subject: Re: New lithium ion battery design (PGN, RISKS-27.26)

[Lots of new risks as well, much faster and with lower power?  PGN]

"2,000 times more powerful" is LOWER power?

That is not a risk - that's dangerous!

   [PGN is either silly or preoccupied, or else he meant something like this:
     ``[Lots of new risks as well, much faster and even with lower power?]''?]


Date: Wed, 24 Apr 2013 18:17:05 -0700
From: Edward Talbot <edward.talbot () gmail com>
Subject: Call for Full Papers and Structured Abstracts - 2013 LASER
 Workshop: Learning from Authoritative Security Experiment Results

The Organizing Committee for LASER 2013 would like to invite you to submit
a paper for this year's workshop.

The goal of this workshop is to help the security community quickly
identify and learn from both success and failure.  The workshop focuses on
research that has a valid hypothesis and reproducible experimental
methodology, but where the results were unexpected or did not validate the
hypotheses, where the methodology addressed difficult and/or unexpected
issues, or where unsuspected confounding issues were found in prior work.

Topics include, but are not limited to:

   - Unsuccessful research in experimental security
   - Methods and designs for security experiments
   - Experimental confounds, mistakes, and mitigations
   - Successes and failures reproducing experimental techniques and/or
   - Hypothesis and methods development (e.g., realism, fidelity, scale)

The specific security results of experiments are of secondary interest for
this workshop.

*June 27, 2013* is the submission deadline for LASER 2013.

You can find out more about the workshop at http://www.laser-workshop.org.
The website has a link to the CFP but I've copied the CFP along with
Submission Guidelines below for your convenience.

Remember that the purpose of this workshop is to quickly identify and learn
from both success and failure, so unexpected results are welcome.


Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 27.27
