Risks Digest 27.48
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 24 Sep 2013 14:57:11 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 24 September 2013  Volume 27 : Issue 48

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.48.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Girl's Suicide Points to Rise in Apps Used by Cyberbullies (Lizette Alvarez
  via Monty Solomon)
Police: BMW Door Locks Contributed To 14-Year-Old Girl's Death (Erik Rosales
  via Lauren Weinstein)
Another major government IT failure (Peter Bernard Ladkin)
United Airlines Agrees to Honor Accidental $0 Tickets (Joshua Freed via
  Monty Solomon)
Million Second Quiz gets overloaded (Paul Robinson)
Fake online reviews crackdown in New York sees 19 companies fined
  (Lauren Weinstein)
"Verizon's diabolical plan to turn the Web into pay-per-view" (Bill Snyder
  via Gene Wirchenko)
Freedom and the Social Contract (Vint Cerf via Dave Farber)
WiReD: Apple's Fingerprint ID May Mean You Can't 'Take the Fifth'
  (Marcia Hoffman via Lauren Weinstein)
The US government has betrayed the Internet. We need to take it back
  (Bruce Schneier via Matthew Kruk)
FBI Admits It Controlled Tor Servers Behind Mass Malware Attack
  (Kevin Poulsen via Monty Solomon)
Gov't standards agency "strongly" discourages use of NSA-influenced
  algorithm (Larson and Elliott via Monty Solomon)
*The New York Times* provides new details about NSA backdoor (Ars Technica
  via David Farber)
Malware Mining Civil Aviation Data - AVweb flash Article (Gabe Goldberg)
E-ZPasses Get Read All Over New York, Not Just At Toll Booths (Kashmir Hill
  via Henry Baker)
"Adobe issues critical security updates for Flash Player, Reader and
   Shockwave Player" (Lucian Constantin via Gene Wirchenko)
"Microsoft pulls botched KB 2871630, while many Office patch problems
  remain" (Woody Leonhard via Gene Wirchenko)
Sharing due to phone failure (Karl Goetz)
HuffPost Essay by Charles Perrow on Fukushima (John Bosley via Dave Farber)
BOOK: Rebecca Slayton, Arguments that Count (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 15 Sep 2013 01:31:47 -0400
From: Monty Solomon <monty () roscom com>
Subject: Girl's Suicide Points to Rise in Apps Used by Cyberbullies
  (Lizette Alvarez)

Lizette Alvarez, *The New York Times*, 13 Sep 2013

MIAMI - The clues were buried in her bedroom. Before leaving for school on
Monday morning, Rebecca Ann Sedwick had hidden her schoolbooks under a pile
of clothes and left her cellphone behind, a rare lapse for a 12-year-old
girl.

Inside her phone's virtual world, she had changed her user name on Kik
Messenger, a cellphone application, to "That Dead Girl" and delivered a
message to two friends, saying goodbye forever. Then she climbed a platform
at an abandoned cement plant near her home in the Central Florida city of
Lakeland and leaped to the ground, the Polk County sheriff said.

In jumping, Rebecca became one of the youngest members of a growing list of
children and teenagers apparently driven to suicide, at least in part, after
being maligned, threatened and taunted online, mostly through a new
collection of texting and photo-sharing cellphone applications. Her suicide
raises new questions about the proliferation and popularity of these
applications and Web sites among children and the ability of parents to keep
up with their children's online relationships.

For more than a year, Rebecca, pretty and smart, was cyberbullied by a
coterie of 15 middle-school children who urged her to kill herself, her
mother said. The Polk County sheriff's office is investigating the role of
cyberbullying in the suicide and considering filing charges against the
middle-school students who apparently barraged Rebecca with hostile text
messages. Florida passed a law this year making it easier to bring felony
charges in online bullying cases. [...]

http://www.nytimes.com/2013/09/14/us/suicide-of-girl-after-bullying-raises-worries-on-web-sites.html

------------------------------

Date: Fri, 13 Sep 2013 17:37:40 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Police: BMW Door Locks Contributed To 14-Year-Old Girl's Death
  (Erik Rosales)

  [This is not the first time I've heard of such problems with these
  electronic locking systems.  LW]

http://www.kmph.com/story/23421319/police-bmw-door-locks-contribute-to-14-year-old-girls-death

------------------------------

Date: Thu, 12 Sep 2013 08:42:31 +0200
From: Peter Bernard Ladkin <ladkin () rvs uni-bielefeld de>
Subject: Another major government IT failure

12 Sep 2013: "..... the [UK] Department for Work and Pensions (DWP) could
write off up to 161 million pounds spent on an IT system for ambitious
welfare changes......."

Full story at http://gu.com/p/3ty4n

------------------------------

Date: Sun, 15 Sep 2013 01:35:14 -0400
From: Monty Solomon <monty () roscom com>
Subject: United Airlines Agrees to Honor Accidental $0 Tickets (Joshua Freed)

Joshua Freed, The Associated Press, 14 Sep 2013

United Airlines said on Friday that it will honor the tickets it
accidentally gave away for free.  The decision is good news for people who
snapped up the tickets on Thursday after United listed airfares at $0. Many
customers got tickets for $5 or $10, paying only the cost of the Sept. 11
security fee.

The mistake was an especially good deal for any passengers who bought
tickets for travel within the next week. For instance, a Houston to
Washington Dulles flight for next weekend would have cost $877, according to
United's website on Friday. ...

http://www.dailyfinance.com/2013/09/14/united-airlines-price-error-free-tickets/

------------------------------

Date: Wed, 11 Sep 2013 17:17:32 -0700 (PDT)
From: Paul Robinson <paul () paul-robinson us>
Subject: Million Second Quiz gets overloaded

Last night on the NBC TV network program "The Million Second Quiz," Host
Ryan Seacrest admitted two things. (1) The App to allow viewers to play
along with the TV show at home is the most-downloaded free app ever provided
on iTunes. (2) So many people were playing the home game app that it crashed
the servers.

Tonight they admitted that there aren't even that many downloading the app,
a mere 1000 downloads a minute.  While that doesn't indicate how many were
connecting to the servers, in a game where the money accumulating while a
contestant is playing is $10/second, the grand prize that the 4 top winners
(all of whom will probably have won a minimum of six figures each by the
time the game completes) will be going after is US$2,000,000, and it's
possible for a home-game contestant to be invited onto the show (a "line
jumper", as they call it), it should have been obvious that the home game
would be getting a lot of hits on their servers.

With inadequate provisioning like this, it doesn't even require attackers to
try to DDOS or otherwise disable a system, the users can do it just by too
many of them showing up all at once!

------------------------------

Date: Mon, 23 Sep 2013 14:03:45 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Fake online reviews crackdown in New York sees 19 companies fined

http://j.mp/16CqA2Q  (*The Guardian* via NNSquad)

  "Eric Schneiderman announced agreements with 19 firms Monday that
  commissioned fake reviews and several reputation-enhancement companies
  that helped place reviews on sites like Citysearch, Google, Yahoo and
  Yelp. They were fined a total of $350,000."

------------------------------

Date: Thu, 12 Sep 2013 10:59:51 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Verizon's diabolical plan to turn the Web into pay-per-view"
  (Bill Snyder)

Bill Snyder, InfoWorld, 12 Sep 2013

The carrier wants to charge websites for carrying their packets, but
if they win it'd be the end of the Internet as we know it
http://www.infoworld.com/d/the-industry-standard/verizons-diabolical-plan-turn-the-web-pay-view-226662

------------------------------

Date: Thu, 12 Sep 2013 09:06:42 -0400
From: David Farber <farber () gmail com>
Subject: Freedom and the Social Contract, by Vint Cerf

  [In the CACM  -- Vint's Comments on the Role of Government.  DF]

FROM THE PRESIDENT (of the ACM)
Freedom and the Social Contract
By Vinton G. Cerf
Communications of the ACM, Vol. 56 No. 9, Page 7
10.1145/2500468.2500470

The last several weeks (as of this writing) have been filled with
disclosures of intelligence practices in the U.S. and elsewhere. Edward
Snowden's unauthorized release of highly classified information has stirred
a great deal of debate about national security and the means used to
preserve it.

In the midst of all this, I looked to Jean-Jacques Rousseau's well-known
18th-century writings on the Social Contract (Du Contrat Social, Ou
Principes du Droit Politique) for insight. Distilled and interpreted through
my perspective, I took away several notions. One is that in a society, to
achieve a degree of safety and stability, we as individuals give up some
absolute freedom of action to what Rousseau called the sovereign will of the
people. He did not equate this to government, which he argued was distinct
and derived its power from the sovereign people.

I think it may be fair to say that most of us would not want to live in a
society that had no limits to individual behavior. In such a society, there
would be no limit to the potential harm an individual could visit upon
others. In exchange for some measure of stability and safety, we voluntarily
give up absolute freedom in exchange for the rule of law. In Rousseau's
terms, however, the laws must come from the sovereign people, not from the
government. We approximate this in most modern societies creating
representative government using public elections to populate the key parts
of the government.

I think it is also likely to be widely agreed that a society in which there
was no privacy and every action or plan was visible to everyone might not be
a place in which most of us might like to live. I am reminded, however, of
my life in a small village of about 3,000 people in Germany. In the 1960s,
no one had phones at home (well, very few). You went to the post office to
mail letters, pick up mail, and make or receive phone calls. In some sense,
the Postmaster was the most well-informed person about the doings of the
town. He saw who was calling or writing to whom. There was not a lot of
privacy. The modern notion of privacy may in part have derived from the
growth of large urban concentrations in which few people know one another.

In today's world, threats to our safety and threats to national security
come from many directions and not all or even many of them originate from
state actors. If I can use the term "cyber-safety" to suggest safety while
making use of the content and tools of the Internet, World Wide Web, and
computing devices in general, it seems fair to say the expansion of these
services and systems has been accompanied by a growth in their
abuse. Moreover, it has been frequently observed that there is an asymmetry
in the degree of abuse and harm that individuals can perpetrate on citizens,
and on the varied infrastructure of our society. Vast harm and damage may be
inflicted with only modest investment in resources. Whether we speak of
damage and harm using computer-based tools or damage from lethal, homemade
explosives, the asymmetry is apparent. While there remain serious potential
threats to the well-being of citizens from entities we call nation-states,
there are similarly serious potential threats originating with individuals
and small groups.

Presuming we have accepted the theory that safety is partly found through
voluntarily following law, we must also recognize that there are parties
domestic and otherwise who wish us individual and collective harm. The
societal response to this is to provide for law enforcement and intelligence
gathering (domestic and non-domestic) in an attempt to detect and thwart
harmful plans from becoming harmful reality. We do not always succeed.

The tension we feel between preserving privacy and a desire to be protected
from harm feeds the debate about the extent to which we are willing to trade
one for the other. Not everyone, nor every culture, will find the same point
of equilibrium. Moreover, as technology and society evolve, the equilibrium
points may shift. It has been said that "security" is not found in
apprehending a guilty party but in preventing the harm from occurring. While
this notion can surely be overextended, it can also be understood to justify
a certain degree of intelligence gathering in the service of safety and
security.

There is some irony in the fact that our privacy is more difficult than ever
to preserve, given the advent of smartphones, tablets, laptops, the Web and
the Internet, but that the threats against our safety and security use the
same infrastructure to achieve nefarious ends. Our discipline, computer
science, is deeply involved in the many dimensions of this conundrum and we
owe it to our fellow citizens to be thoughtful in response and to contribute
to reasoned consideration of the balance our society needs between potential
policy extremes.

Vinton G. Cerf, ACM PRESIDENT

Permission to make digital or hard copies of part or all of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and full citation on the first page. Copyright for
components of this work owned by others than ACM must be
honored. Abstracting with credit is permitted. To copy otherwise, to
republish, to post on servers, or to redistribute to lists, requires prior
specific permission and/or fee. Request permission to publish from
permissions () acm org or fax (212) 869-0481.

------------------------------

Date: Fri, 13 Sep 2013 17:21:13 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Wired: Apple's Fingerprint ID May Mean You Can't 'Take the Fifth'
  (Marcia Hoffman)

http://j.mp/17VN56u (Marcia Hoffman in *WiReD.com* via NNSquad)

  "But if we move toward authentication systems based solely on physical
  tokens or biometrics -- things we have or things we are, rather than things
  we remember -- the government could demand that we produce them without
  implicating anything we know. Which would make it less likely that a valid
  privilege against self-incrimination would apply."

------------------------------

Date: Thu, 19 Sep 2013 20:48:59 -0600
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: The US government has betrayed the Internet. We need to take it back

Bruce Schneier, *The Guardian*, Thursday 5 September 2013 20.04 BST
The NSA has undermined a fundamental social contract. We engineers built the
Internet - and now we have to fix it
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

------------------------------

Date: Sun, 15 Sep 2013 01:54:43 -0400
From: Monty Solomon <monty () roscom com>
Subject: FBI Admits It Controlled Tor Servers Behind Mass Malware Attack
  (Kevin Poulsen)

Kevin Poulsen, *WiReD.com*, 13 Sep 2013

It wasn't ever seriously in doubt, but the FBI yesterday acknowledged that
it secretly took control of Freedom Hosting last July, days before the
servers of the largest provider of ultra-anonymous hosting were found to be
serving custom malware designed to identify visitors.

Freedom Hosting's operator, Eric Eoin Marques, had rented the servers from
an unnamed commercial hosting provider in France, and paid for them from a
bank account in Las Vegas. It's not clear how the FBI took over the servers
in late July, but the bureau was temporarily thwarted when Marques somehow
regained access and changed the passwords, briefly locking out the FBI until
it gained back control.

The new details emerged in local press reports from a Thursday bail hearing
in Dublin, Ireland, where Marques, 28, is fighting extradition to America on
charges that Freedom Hosting facilitated child pornography on a massive
scale. He was denied bail today for the second time since his arrest in
July.

Freedom Hosting was a provider of turnkey "Tor hidden service" sites -
special sites, with addresses ending in .onion, that hide their geographic
location behind layers of routing, and can be reached only over the Tor
anonymity network. Tor hidden services are used by sites that need to evade
surveillance or protect users' privacy to an extraordinary degree -
including human rights groups and journalists.  But they also appeal to
serious criminal elements, child-pornography traders among them.

On August 4, all the sites hosted by Freedom Hosting - some with no
connection to child porn - began serving an error message with hidden code
embedded in the page. Security researchers dissected the code and found it
exploited a security hole in Firefox to identify users of the Tor Browser
Bundle, reporting back to a mysterious server in Northern Virginia. The FBI
was the obvious suspect, but declined to comment on the incident. The FBI
also didn't respond to inquiries from WIRED today. ...

http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/

------------------------------

Date: Sun, 15 Sep 2013 01:57:35 -0400
From: Monty Solomon <monty () roscom com>
Subject: Gov't standards agency "strongly" discourages use of
  NSA-influenced algorithm (Larson and Elliott)

NIST: "we are not deliberately... working to undermine or weaken encryption."

Jeff Larson and Justin Elliott, ProPublica.org
Sept 13 2013
Ars Technica

Following revelations about the National Security Agency's (NSA) covert
influence on computer security standards, the National Institute of
Standards and Technology, or NIST, announced earlier this week it is
revisiting some of its encryption standards. But in a little-noticed
footnote, NIST went a step further, saying it is "strongly" recommending
against even using one of the standards.

The institute sets standards for everything from the time to weights to
computer security that are used by the government and widely adopted by
industry.

As ProPublica, The New York Times, and The Guardian reported last week,
documents provided by Edward Snowden suggest that the NSA has heavily
influenced the standard, which has been used around the world. In its
statement Tuesday, the NIST acknowledged that the NSA participates in
creating cryptography standards "because of its recognized expertise" and
because the NIST is required by law to consult with the spy agency. "We are
not deliberately, knowingly, working to undermine or weaken encryption,"
NIST chief Patrick Gallagher said at a public conference Tuesday.

Various versions of Microsoft Windows, including those used in tablets and
smartphones, contain implementations of the standard, though the
NSA-influenced portion isn't enabled by default.  Developers creating
applications for the platform must choose to enable it. ...

... elliptic curve-based deterministic random bit generator

http://arstechnica.com/security/2013/09/government-standards-agency-strongly-suggests-dropping-its-own-encryption-standard/

------------------------------

Date: Wed, 11 Sep 2013 04:42:17 -0400
From: David Farber <dave () farber net>
Subject: *The New York Times* provides new details about NSA backdoor

http://arstechnica.com/security/2013/09/new-york-times-provides-new-details-about-nsa-backdoor-in-crypto-spec/

Today, *The New York Times* reported that an algorithm for generating random
numbers, which was adopted in 2006 by the National Institute of Standards
and Technology (NIST), contains a backdoor for the NSA. The news followed a
*NYT* report from last week, which indicated that the National Security
Agency (NSA) had circumvented widely used (but then-unnamed) encryption
schemes by placing backdoors in the standards that are used to implement the
encryption.

In 2007, cryptographers Niels Ferguson and Dan Shumow presented research
suggesting that there could be a potential backdoor in the Dual_EC_DRBG
algorithm, which NIST had included in Special Publication 800-90. If the
parameters used to define the algorithm were chosen in a particular way,
they would allow the NSA to predict the supposedly random numbers produced
by the algorithm. It wasn't entirely clear at the time that the NSA had
picked the parameters in this way; as Ars noted last week, the rationale for
choosing the particular Dual_EC_DRBG parameters in SP 800-90 was never
actually stated.

Today, *The NYT* says that internal memos leaked by Edward Snowden confirm
that the NSA generated the Dual_EC_DRBG algorithm. Publicly, however, the
agency's role in development was significantly underbilled: ``In publishing
the standard, NIST acknowledged 'contributions' from NSA, but not primary
authorship,'' wrote the NYT. From there, the NSA pushed the International
Organization for Standardization to adopt the algorithm, calling it ``a
challenge in finesse'' to convince the organization's leadership.

``Eventually, NSA became the sole editor'' of the international standard,
 according to one classified memo seen by the NYT.

The details come just as NIST released a promise to reopen the public
vetting process for SP 800-90.  ``We want to assure the IT cybersecurity
community that the transparent, public process used to rigorously vet our
standards is still in place,'' a memo from the Institute read. ``NIST would
not deliberately weaken a cryptographic standard. We will continue in our
mission to work with the cryptographic community to create the strongest
possible encryption standards for the US government and industry at large.''

Still, NIST asserted that its purpose was to protect the federal government
first: ``NIST's mandate is to develop standards and guidelines to protect
federal information and information systems. Because of the high degree of
confidence in NIST standards, many private industry groups also voluntarily
adopt these standards.''

The public comment period on SP 800-90 ends November 6, 2013.
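
The two NSA/NIST items above describe the Dual_EC_DRBG trapdoor only in
words: if the fixed point Q was chosen as a known multiple of P, whoever
knows that multiplier can turn one (truncated) output back into the
generator's internal state and predict everything that follows.  The
following Python is an added worked example written for this digest; it is
not code from the articles, from NIST, or from SP 800-90.  It makes several
simplifying assumptions, all hypothetical: it uses the secp256k1 curve as a
stand-in for the P-256 curve in the standard, it *generates* its own Q as
e*P for a made-up secret e (the real Q is a fixed constant whose provenance
was never published), it drops 8 bits of each x-coordinate instead of the
standard's 16 so the brute force stays cheap in pure Python, and the seed
and secret scalar are arbitrary constants.  Python 3.8+ is required for
`pow(x, -1, p)`.

```python
# Toy Dual_EC_DRBG with a planted trapdoor.  Added example, not the page's or
# NIST's code.  Curve: secp256k1 (public constants), a stand-in for P-256.
# Assumptions (hypothetical): Q = SECRET_E * G, TRUNC_BITS = 8, fixed SEED.

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P_MOD), generator G of
# prime order N (cofactor 1).
P_MOD = 2**256 - 2**32 - 977
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication; the scalar is reduced mod N."""
    k %= N
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def x_of(pt):
    if pt is None:
        raise ValueError("point at infinity: state was a multiple of N")
    return pt[0]


def lift_x(x):
    """Return a point with x-coordinate x, or None if x is not on the curve.
    P_MOD = 3 (mod 4), so a square root is one exponentiation."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


# The trapdoor.  Whoever picks Q = e*G also knows d = e^-1 mod N, so G = d*Q.
# SECRET_E is a made-up value for the demo; the real Q's origin is unpublished.
SECRET_E = 0x1D3A9C
Q = ec_mul(SECRET_E, G)
ESCROW_D = pow(SECRET_E, -1, N)

# SP 800-90 discards the top 16 bits of each 256-bit x-coordinate.  The toy
# discards 8 so the attacker's 2^TRUNC_BITS candidates are cheap to enumerate.
TRUNC_BITS = 8
OUT_BITS = 256 - TRUNC_BITS
OUT_MASK = (1 << OUT_BITS) - 1


class DualEC:
    """Simplified Dual_EC_DRBG: s <- x(s*G); output <- truncate(x(s*Q))."""

    def __init__(self, state):
        self.s = state

    def next_output(self):
        self.s = x_of(ec_mul(self.s, G))
        return x_of(ec_mul(self.s, Q)) & OUT_MASK


def recover_state(out1, out2, d=ESCROW_D):
    """Attacker holding d.  Lift out1 to a point R = +/-(s*Q); then d*R = +/-(s*G),
    whose x-coordinate is the generator's *next* state.  Confirm against out2."""
    for hi in range(1 << TRUNC_BITS):
        x = out1 | (hi << OUT_BITS)
        if x >= P_MOD:
            continue
        r_point = lift_x(x)
        if r_point is None:
            continue
        s_next = x_of(ec_mul(d, r_point))
        if x_of(ec_mul(s_next, Q)) & OUT_MASK == out2:
            return s_next
    return None


def demo(seed=0x5EED5EED5EED5EED5EED):
    """Run the victim, break it from two outputs, predict the third.
    Returns (guessed state, true state, predicted out3, real out3)."""
    victim = DualEC(seed)
    out1, out2 = victim.next_output(), victim.next_output()
    true_state = victim.s
    guessed = recover_state(out1, out2)
    real_out3 = victim.next_output()
    predicted = DualEC(guessed).next_output() if guessed is not None else None
    return guessed, true_state, predicted, real_out3


if __name__ == "__main__":
    g, t, p3, r3 = demo()
    print("state recovered:", g == t, " next output predicted:", p3 == r3)
```

The point to take from the code is the asymmetry the articles describe:
nothing in the generator's outputs distinguishes a trapdoored Q from an
honest one, and without d the only recourse is the discrete logarithm of Q
with respect to G.  The 16-bit truncation in the real standard raises the
attacker's work to 65,536 candidate lifts per output, which is trivial; a
truncation of half the x-coordinate, as several commenters proposed in 2007,
would not have been.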

------------------------------

Date: Tue, 17 Sep 2013 10:02:00 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Malware Mining Civil Aviation Data - AVweb flash Article

A computer security company, TrendMicro, Thursday reported that it has found
a particular family of malware gathering information "related to the civil
aviation sector."

  [but doesn't mention how such a sector is targeted]

The best defense against the Sykipot malware is to keep your computer
systems updated with the most current security software.

  [Profoundly advises a company selling security software]

Sykipot attacks normally arrive via email attachments that exploit
applications like Adobe Reader and Microsoft Office but has evolved to use a
target's operating system, web browsers and Java scripts.

  [Exploiting such innovative attack vectors...]

http://www.avweb.com/avwebflash/news/Malware-Mining-Civil-Aviation-sykipot-attack220572-1.html

------------------------------

Date: Sat, 14 Sep 2013 05:17:12 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: E-ZPasses Get Read All Over New York, Not Just At Toll Booths
  (Kashmir Hill)

Of course, with license plate readers everywhere, this is now old news...

http://www.forbes.com/sites/kashmirhill/2013/09/12/e-zpasses-get-read-all-over-new-york-not-just-at-toll-booths/

Kashmir Hill, *Forbes*, 12 Sep 2013 (PGN-ed)

After spotting a police car with two huge boxes on its trunk -- that turned
out to be license-plate-reading cameras -- a man in New Jersey became
obsessed with the loss of privacy for vehicles on American roads. (He's not
the only one.) The man, who goes by the Internet handle Puking Monkey, did
an analysis of the many ways his car could be tracked and stumbled upon
something rather interesting: his E-ZPass, which he obtained for the purpose
of paying tolls, was being used to track his car in unexpected places, far
away from any toll booths.

Puking Monkey is an electronics tinkerer, so he hacked his RFID-enabled
E-ZPass to set off a light and a `moo cow' every time it was being
read. Then he drove around New York. His tag got milked multiple times on
the short drive from Times Square to Madison Square Garden in mid-town
Manhattan, and also on his way out of New York through Lincoln Tunnel, again
in a place with no toll plaza.

At Defcon, where he presented his findings, Puking Monkey said he found the
reading of the E-ZPass outside of where he thought it would be read when he
put it in his car ``intrusive and unsettling,'' quoting from Sen. Chuck
Schumer's remarks about retailers tracking people who come into their stores
using their cell phones.  [...]

  [Also noted by Monty Solomon.  PGN]

------------------------------

Date: Fri, 13 Sep 2013 10:59:35 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Adobe issues critical security updates for Flash Player,
  Reader and Shockwave Player" (Lucian Constantin)

Does it seem to you that it has been a bad time lately for patches?

Lucian Constantin, InfoWorld, 11 Sep 2013
The new updates address vulnerabilities that could allow attackers to
compromise computers
http://www.infoworld.com/d/security/adobe-issues-critical-security-updates-flash-player-reader-and-shockwave-player-226621

------------------------------

Date: Fri, 13 Sep 2013 10:54:23 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Microsoft pulls botched KB 2871630, while many Office patch
  problems remain" (Woody Leonhard)

Woody Leonhard, *InfoWorld*, 12 Sep 2013
Pulling the KB 2871630 patch took Microsoft more than 14 hours after the
first warnings appeared, and admins are furious. What's Microsoft doing
wrong?
http://www.infoworld.com/t/microsoft-windows/microsoft-pulls-botched-kb-2871630-while-many-office-patch-problems-remain-226690

  [Gene previously had noted an earlier article:
   It must be Wretched Wednesday -- the day after Black Tuesday. Watch
   out for automatic patches KB 2817630, KB 2810009, KB 2760411, KB 2760588,
   and KB 2760583.   PGN-ed]
http://www.infoworld.com/t/microsoft-windows/microsoft-botches-still-more-patches-in-latest-automatic-update-226594

------------------------------

Date: Fri, 20 Sep 2013 19:23:13 +1000
From: Karl Goetz <karl () kgoetz id au>
Subject: Sharing due to phone failure

My partner's phone developed problems in the last few weeks and was finally
taken in for repair this week.

I will brush over the risks associated with over dependence on mobile
devices (we have no fixed voice line so depend on our mobiles heavily) to
consider what I found the most interesting bit of the experience.

The loaner phone she was given still had the last user's messages on it!

I can see three places someone should have checked for data that shouldn't
be shared:

- when the previous user was done with the phone
- when the shop received the phone back
- before the phone was given out again

An interesting vector for data leakage.

------------------------------

Date: September 23, 2013 9:43:56 AM EDT
From: John Bosley <jandpbosley () verizon net>
Subject: HuffPost Essay by Charles Perrow on Fukushima (via Dave Farber)

Dr. Perrow has a long history of studying how safe systems seem to go wrong.
http://www.huffingtonpost.com/charles-perrow/fukushima-forever_b_3941589.html

------------------------------

Date: Tue, 24 Sep 2013 11:37:07 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: BOOK: Rebecca Slayton, Arguments that Count

Rebecca Slayton
Arguments that Count:
Physics, Computing, and Missile Defense, 1949-2012
MIT Press, 2013
xi + 325 (including 76 pages of end notes and a 21-page index)

Here is a remarkably well researched and comprehensive book that is totally
within the mainstream of RISKS.  The MIT Press release includes this text:

  She compares how two different professional communities -- physicists
  and computer scientists -- constructed arguments about the risks of
  missile defense, and how these changed over time.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.48
************************
