[RISKS] Risks Digest 25.11

From: RISKS List Owner (risko@private)
Date: Wed Apr 09 2008 - 16:18:43 PDT


RISKS-LIST: Risks-Forum Digest  Wednesday 9 April 2008  Volume 25 : Issue 11

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/25.11.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Crossed wires cited in recent UAL skidding incidents (Monty Solomon)
Unanticipated GPS risk: foreign translations (Paul Schreiber)
Census to scrap handheld computers for 2010 count (Bob Schaefer)
Boston city complaint line lags (Donovan Slack via Monty Solomon)
Indiana school district wipes out high school grades (Danny Burstein)
Re: Search engine bait? (Martin Ward)
Another genuine mail that looks like a phish (Andy Piper)
Nissan GT-R sports car recognizes racetrack coordinates and aftermarket parts
  (Clark Family)
REVIEW: "Security Data Visualization", Greg Conti (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 1 Apr 2008 09:11:28 -0400
From: Monty Solomon <monty@private>
Subject: Crossed wires cited in recent UAL skidding incidents

Crossed wires cited in recent skidding incidents
Two United A320s went off runway in recent months after wheels locked up
http://www.msnbc.msn.com/id/23887919/

   [For inspections of MD-80 wheel-well wiring, American Airlines canceled
   more than 500 flights on 8 Apr, and 1000 flights on 9 Apr.  PGN]

------------------------------

Date: Tue, 8 Apr 2008 00:10:56 -0700
From: Paul Schreiber <shrub@private>
Subject: Unanticipated GPS risk: foreign translations

I just discovered this problem:

<http://paulschreiber.com/blog/2008/04/08/lost-in-translation/>

In English, when reading numbers out loud, one often chunks the numbers into
smaller groups. For example, when reading the phone number 555-1212, one
would say five five five, one two one two, not five hundred fifty-five, one
thousand two hundred and twelve.

Similarly, one would call Interstate 280 interstate two eighty, not
interstate two hundred and eighty.

Toyota's Prius GPS does this. It's an example of good design -- speak the
language your customers speak.

However, this falls apart when you switch the Prius over to French.  Exit
420 becomes exit quatre (4) vingt (20). The problem? In most parts of the
French-speaking world, 80 is also pronounced quatre vingts (four twenties).

In this case, you have to listen to your GPS and read the screen to be sure
you take the right exit.
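A small model of the ambiguity described above, added here as an example and not part of the post or of any Toyota software. It spells numbers in English and in standard French, reads a road number in the chunked style ("Exit 420" as "four twenty") and then scans a range of exit numbers for chunked readings that sound the same as some other number read in full. The chunking rule (leading digits one at a time, the last two digits as one number) is an assumption about how the unit speaks, not something the post documents; the comparison drops hyphens and the silent plural "s" of "quatre-vingts" so that it matches what is heard rather than what is written. Run on 0..999 it reports not only 420 but the whole family 422..429, which sound like 82..89 in French.

```python
"""Spoken-number collisions in localized voice prompts (constructed example)."""

EN_SMALL = ["zero", "one", "two", "three", "four", "five", "six", "seven",
            "eight", "nine", "ten", "eleven", "twelve", "thirteen", "fourteen",
            "fifteen", "sixteen", "seventeen", "eighteen", "nineteen"]
EN_TENS = [None, None, "twenty", "thirty", "forty", "fifty", "sixty",
           "seventy", "eighty", "ninety"]

FR_SMALL = ["zéro", "un", "deux", "trois", "quatre", "cinq", "six", "sept",
            "huit", "neuf", "dix", "onze", "douze", "treize", "quatorze",
            "quinze", "seize"]
FR_TENS = {20: "vingt", 30: "trente", 40: "quarante", 50: "cinquante", 60: "soixante"}


def en_words(n: int) -> str:
    """Spell n (0..999) in English."""
    if n < 20:
        return EN_SMALL[n]
    if n < 100:
        t, u = divmod(n, 10)
        return EN_TENS[t] + ("" if u == 0 else "-" + EN_SMALL[u])
    h, r = divmod(n, 100)
    return EN_SMALL[h] + " hundred" + ("" if r == 0 else " " + en_words(r))


def fr_words(n: int) -> str:
    """Spell n (0..999) in standard (France) French, including the
    base-20 forms 70..99 that cause the collision."""
    if n < 17:
        return FR_SMALL[n]
    if n < 20:
        return "dix-" + FR_SMALL[n - 10]
    if n < 70:
        t, u = divmod(n, 10)
        base = FR_TENS[t * 10]
        if u == 0:
            return base
        if u == 1:
            return base + " et un"
        return base + "-" + FR_SMALL[u]
    if n < 80:  # 70..79 are "sixty-ten" .. "sixty-nineteen"
        return "soixante et onze" if n == 71 else "soixante-" + fr_words(n - 60)
    if n < 100:  # 80..99 are "four-twenty" .. "four-twenty-nineteen"
        r = n - 80
        return "quatre-vingts" if r == 0 else "quatre-vingt-" + fr_words(r)
    h, r = divmod(n, 100)
    head = "cent" if h == 1 else FR_SMALL[h] + " cent" + ("s" if r == 0 else "")
    return head if r == 0 else head + " " + fr_words(r)


def chunked_reading(n: int, words) -> str:
    """Read a road number the way the post describes ("280" -> "two eighty").
    Assumed rule: leading digits one at a time, last two digits as a number."""
    s = str(n)
    if len(s) <= 2:
        return words(n)
    head = " ".join(words(int(d)) for d in s[:-2])
    return head + " " + words(int(s[-2:]))


def heard(text: str) -> str:
    """Reduce a spelling to what a listener hears: hyphens and spacing are
    inaudible, and so is the plural -s on 'vingts' / 'cents'."""
    t = text.replace("-", " ").replace("vingts", "vingt").replace("cents", "cent")
    return " ".join(t.split())


def ambiguous_readings(numbers, words) -> dict:
    """Map each number whose chunked reading sounds like a *different* number
    read in full to that other number."""
    full = {heard(words(n)): n for n in numbers}
    out = {}
    for n in numbers:
        m = full.get(heard(chunked_reading(n, words)))
        if m is not None and m != n:
            out[n] = m
    return out


if __name__ == "__main__":
    print("English:", ambiguous_readings(range(1000), en_words))
    print("French: ", ambiguous_readings(range(1000), fr_words))
```

The check is the kind of thing a localization test suite can run over every prompt and every language a unit ships with: any non-empty result means a spoken prompt needs a different chunking rule, or a screen confirmation, for that locale.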

------------------------------

Date: Thu, 3 Apr 2008 13:48:11 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Census to scrap handheld computers for 2010 count

Yet another computer-related project over budget and behind schedule.
  [thanks to Bob Schaefer.]

http://www.nextgov.com/nextgov/ng_20080403_9574.php

------------------------------

Date: Sun, 6 Apr 2008 23:29:37 -0400
From: Monty Solomon <monty@private>
Subject: Boston city complaint line lags

Donovan Slack, *The Boston Globe*, 6 Apr 2008
City complaint line lags;
Despite Menino's vow, a system to track citizen calls is still years away

When Boston officials rolled out their ambitious plans for a citizen
complaint tracking system like the ones that are commonplace in cities
across the country, Mayor Thomas M. Menino announced, "The city's changing,
and my administration has to change, too."

Nearly two years later, the administration has not changed much, leaving
Boston far behind other cities such as New York, Chicago, Baltimore, and
even Somerville and Hartford - and leaving untold numbers of citizen
complaints by the wayside.

City officials have spent $2 million. They've hired outside
consultants. They've bought furniture and telephones for a complaint call
center in City Hall, and painted the room a pale shade of blue.  But senior
officials say it could be nearly two more years and $2 million more before
the administration has a citywide system to keep track of residents'
complaints about everything from burned out street lights to missed trash
pickups. ...
http://www.boston.com/news/local/articles/2008/04/06/city_complaint_line_lags/

------------------------------

Date: Tue, 1 Apr 2008 19:45:40 -0400 (EDT)
From: Danny Burstein <dannyb@private>
Subject: Indiana school district wipes out high school grades

from the school's website of Evansville, Indiana

"... The Evansville Vanderburgh School Corporation recently experienced a
hardware malfunction with its AS400 computer server resulting in a loss of
student grades...

" Following scheduled maintenance on March 27, 2008, disk errors occurred.
After working with IBM engineers around the clock to mitigate data loss, the
engineers determined that due to an unfortunate and very rare combination of
hardware problems and backup configuration settings, all student grade book
assignment data for the current grading period is no longer in the
system. Harrison, North and Bosse High Schools and Harwood Middle School -
all on the six-week grading period - lost four weeks of individual
assignment grades that had been posted."

rest: http://www.evscschools.com/

  [Also noted by Jim Reisert.
    http://news.yahoo.com/s/ap/20080401/ap_on_re_us/grades_gone_1
  PGN]

------------------------------

Date: Fri, 28 Mar 2008 10:40:49 +0000
From: Martin Ward <martin@private>
Subject: Re: Search engine bait? (RISKS-25.09)

> Read the descriptions of the products.

> ... they are in fact crafted by taking a genuine English description (from
> a manufacturer's site, perhaps?)  and then applying a randomized
> thesaurus-based word replacement algorithm.

My guess is that the changes are designed to make each page look different,
so as to avoid being marked down for having many similar pages.

martin@private http://www.cse.dmu.ac.uk/~mward/
G.K.Chesterton web site: http://www.cse.dmu.ac.uk/~mward/gkc/

------------------------------

Date: Thu, 03 Apr 2008 10:17:31 +0100
From: Andy Piper
Subject: Another genuine mail that looks like a phish

Yesterday I received an invitation from TaxCalc to purchase the new 2008
version [for those in the US, the UK tax year starts April 6th]:

"We are delighted to inform you that TaxCalc 2008 is available for immediate
download."

It goes on:

"Go to
<http://response.pure360.com/_act/link.php?mId=A833682651665220042396&tId=7258777>www.taxcalc.com
to order now." plus assorted other links where the URL is not actually the
same as the supplied text.

Which to me looks like a phishing attempt more than anything else. It seems
though that pure360.com is a marketing organization that handles this sort
of thing for a number of companies and the mail is in fact genuine. I'm
guessing that if I click through the link [I'm not going to!] I will end up
at taxcalc.com eventually, but why do they even do this? Why not just put up
the real URL if I am going to end up there anyway?

I sent a mail to pure360 CC'ing the taxcalc sales team, and to their credit
they (taxcalc) gave me a call within the hour, although I didn't get the
impression they were going to do anything about it.  The call was
clever/disturbing as well - I never gave my number out in my mail, and I
used a different mail address from the one I have registered with them; they
must have deduced who I was from the "phish"-link and looked up my number in
their records.

Now I am really paranoid. The link above clearly identifies me individually,
am I giving out something to RISKS that puts me at even more RISK?! .... so
I click through the link and end up at a taxcalc login page. Clearly some
form of sanity has prevailed.

The RISK, as always, is how can we expect to educate the public when
reputable companies do things like this. Maybe they need to look at some
basic material such as Dr Seuss' Internet guide - "One phish, two phish -
red phish, blue phish" ...
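The mismatch Andy describes, a link whose visible text is one domain while its href points at another, is exactly what a mail client or gateway can flag before a user has to reason about it. The following is an added example, not code from the post or from either company: it parses an HTML message, keeps only anchors whose visible text looks like a host name or URL, and reports those whose displayed domain differs from the domain the href actually goes to. The sample message is constructed to mirror the structure described above, with a made-up tracker host and placeholder ids; the "registrable domain" helper just takes the last two labels, which is an assumption that stands in for a proper public-suffix lookup.

```python
"""Flag links whose visible text names a different domain than their href."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that a reader would take for an address: optional scheme,
# dotted host, optional path.  Plain words such as "order now" do not match.
LOOKS_LIKE_ADDRESS = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?$", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Assumption: last two labels approximate the registrable domain
    (a real deployment would consult the public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_mismatched_links(html: str) -> list:
    """Return one finding per anchor whose displayed domain != href domain."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        m = LOOKS_LIKE_ADDRESS.match(text)
        if not m:
            continue  # descriptive link text makes no domain claim
        shown = registrable_domain(m.group(1))
        actual = registrable_domain(urlsplit(href).hostname or "")
        if shown != actual:
            findings.append({"text": text, "href": href,
                             "shown_domain": shown, "actual_domain": actual})
    return findings


# Constructed sample mirroring the message described in the post.
SAMPLE_EMAIL = """
<p>We are delighted to inform you that TaxCalc 2008 is available for
immediate download.</p>
<p>Go to <a href="http://response.tracker.example/_act/link.php?mId=PLACEHOLDER&amp;tId=PLACEHOLDER">www.taxcalc.com</a>
to order now.</p>
<p>Or <a href="https://www.taxcalc.com/order">order now</a> directly.</p>
<p>Support: <a href="https://www.taxcalc.com/support">www.taxcalc.com/support</a></p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL):
        print(f"text says {f['shown_domain']!r} but link goes to "
              f"{f['actual_domain']!r}: {f['href']}")
```

Only the tracker-redirect anchor is reported; the plain "order now" link and the one whose text and href agree pass. A legitimate mailer can avoid the warning entirely by doing what the post asks for and putting the real destination in the href.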

------------------------------

Date: Tue, 04 Mar 2008 14:58:56 -0800
From: Clark Family <cclark@private>
Subject: Nissan GT-R sports car recognizes racetrack coordinates and
  aftermarket parts

Apparently the Nissan Corp. has ruined the fun of aftermarket tuners on the
latest GT-R high performance street sportscar in Japan.  The ECU is set on a
hair trigger and balks at many aftermarket performance upgrades as well as
non-factory installed tires and wheels through the run-flat detectors.

But more ominously, the onboard navigation system watches your speed via GPS
and recognizes popular racetrack locations.  You must scroll through a
series of menus and agree to disable the 180kph (111mph) speed limiter.
Then after thrashing it on the track, you must take it for a $1000 Nissan
High Performance Center safety check or the warranty is void.

Big Brother is your co-pilot.

------------------------------

Date: Tue, 08 Apr 2008 10:21:38 -0800
From: Rob Slade <rmslade@private>
Subject: REVIEW: "Security Data Visualization", Greg Conti

BKSCDTVS.RVW   20071124

"Security Data Visualization", Greg Conti, 2007, 978-1-59327-143-5,
U$49.95/C$59.95
%A   Greg Conti www.gregconti.com
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2007
%G   978-1-59327-143-5 1-59327-143-3
%I   No Starch Press
%O   U$49.95/C$59.95 415-863-9900 fax 415-863-9950 info@private
%O  http://www.amazon.com/exec/obidos/ASIN/1593271433/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1593271433/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593271433/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   244 p.
%T   "Security Data Visualization: Graphical Techniques for Network
      Analysis"

Data visualization is very valuable.  It is, however, difficult to
perform properly in many situations: interpretation of data into
graphics can be extremely useful, but it is often difficult to
determine how best to present the information, and in the same way
that proper visualization can be tremendously helpful, the wrong
choice can be terrifically misleading.  Conti somewhat avoids this
issue in the introduction, since all he claims for the book is
inspiration.

Chapter one provides a number of data visualization and user interface
examples.  Some simple data visualization experiments in chapter two show a
few interesting ideas that can be explored with text and simple graphics
files, as well as comparative images as simple processing is pursued.  The
port scan data displays suggested in chapter three don't seem to work quite
as well.  Similarly, chapter four looks at vulnerability scanning, but the
recommendations presented don't appear to add much of value in displaying
the data.  Slightly better results seem to be obtained using real Internet
data in chapter five, since some notion of the implications of the
information can be taken from the illustrations.  Chapter six contains a
number of examples of impressive visualization of security data, but there
is limited discussion as to how to determine the best means of displaying
data of different types.  The aspects of creation of visualizations, for
firewall logs, is dealt with in chapter seven, and with IDS (Intrusion
Detection System) data in eight.  Chapter nine discusses ways of attacking
visualizations, usually by injecting spurious data.  General principles for
building visualization systems are in chapter ten.  Chapter eleven turns to
areas for additional research on the topic in the future.  Chapter twelve
lists references and resources.

The book is pretty, and it may provide inspiration.  However, it
probably won't provide an awful lot of assistance in getting your data
effectively visualized.

copyright Robert M. Slade, 2007   BKSCDTVS.RVW   20071124
rslade@private     slade@private     rslade@private
http://victoria.tc.ca/techrev/rms.htm

------------------------------

Date: 17 Oct 2007 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.11
************************
