RISKS-LIST: Risks-Forum Digest  Friday 8 August 2008  Volume 25 : Issue 27

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/25.27.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Strange Yahoo! vote count (PGN)
Trust TSA? Maybe... Trust Akamai...? (David Lesher)
"How reliable is DNA in identifying suspects?" (Robert P Schaefer)
GPS causes nightmare vacation (PGN)
Re: Another small interface risk (Thomas Wicklund)
Re: Unsuspected travelers' laptops may be detained at border (Thomas Hamann)
Re: Neglecting to logout from Skype (Dimitri Maziuk)
Pizza delivery and postal addresses (Mark Brader)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 7 Aug 2008 13:52:46 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Strange Yahoo! vote count

The original statement from the Yahoo! Annual Meeting suggested strong
support for the Yahoo! board.  However, reportedly exactly 200 million votes
seemed to have vanished from some of the expected totals.  Subsequently, the
final numbers showed some large discrepancies -- an EXACTLY 100 million vote
change for two of the directors, and an EXACTLY 200 million vote change for
three of the directors.  That is, half of that number of votes were
misallocated -- first FOR, then AGAINST for those candidates.  (Four others
were unchanged.)  The anomalies were apparently blamed on "truncation
errors", which seems very curious.  Once again, who knows what really
happened?
Sources:
http://breakoutperformance.blogspot.com/2008/08/missing-200-million-yahoo-shares-from.html
http://www.techcrunch.com/2008/08/06/yahoo-vote-recount-shows-how-close-yang-and-bostock-were-to-being-ousted-from-the-board/

------------------------------

Date: Fri, 8 Aug 2008 16:13:03 -0400 (EDT)
From: "David Lesher" <wb8foz_at_private>
Subject: Trust TSA? Maybe... Trust Akamai...?

$ https://www.tsa.gov

www.tsa.gov uses an invalid security certificate.
The certificate is only valid for a248.e.akamai.net

Is it any wonder we can't teach people about phishing when.....

------------------------------

Date: Thu, 7 Aug 2008 07:45:54 -0400
From: "Schaefer, Robert P \(US SSA\)" <robert.p.schaefer_at_private>
Subject: "How reliable is DNA in identifying suspects?"

The risks of database searches:
http://www.latimes.com/news/local/la-me-dna20-2008jul20,0,1506170,full.story

"State crime lab analyst Kathryn Troyer was running tests on Arizona's DNA
database when she stumbled across two felons with remarkably similar genetic
profiles."

------------------------------

Date: Thu, 7 Aug 2008 9:51:44 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: GPS causes nightmare vacation

Convoy Rescued After GPS Led to Utah Cliff; GPS Device Was a 'Nightmare'
and 'A Vacation from Hell', Associated Press item, 7 Aug 2008

Trying to go from Bryce Canyon to the Grand Canyon by lesser traveled roads,
a convoy of tourists (16 adults and 10 children) attempted to use a GPS
device, which led them with various wrong turns onto inappropriate dirt
roads to the edge of a sheer cliff deep inside the Grand Staircase-Escalante
National Monument.  One vehicle got stuck in soft sand, two others ran low
on fuel.
http://abcnews.go.com/Travel/Weather/wireStory?id=5522295

  [TNX to Lauren Weinstein for spotting this one.]
------------------------------

Date: Thu, 7 Aug 2008 09:46:16 -0700 (PDT)
From: Thomas Wicklund <wicklund_at_private>
Subject: Re: Another small interface risk (RISKS-25.26)

Security questions such as birth city have always seemed to be very
difficult.  I found one site which had a security question (mother's maiden
name I think) but required that the field be at least 8 characters.
Something of a problem.

Worse are the sites where the only questions are "what is your favorite
xyz".  I find my favorite "xyz" can vary from day to day and the only
solution is to write the answers down someplace.  I had to call to get
access to my new health insurance's web site because I had that insurance 5
years ago, was still registered, and didn't have any idea what I used for an
answer to one of their "favorite" questions.

Comparing these answers seems a programmer's nightmare.  It can't be case
sensitive.  Spaces have to be normalized.  Did I type "Kansas City" or
"Kansas City, MO" as my answer?  What if I leave off the comma?

------------------------------

Date: Fri, 8 Aug 2008 12:12:56 +0200
From: Thomas Hamann <T.D.Hamann_at_private>
Subject: Re: Unsuspected travelers' laptops may be detained at border (R-25.16)

This policy seems like a major risk to the US economy should it ever be
seriously enforced.  It seems to basically provide a legal means for massive
industrial and scientific espionage.  I know the article mentions that
"reasonable measures must be taken to protect business information and
attorney-client privileged material", but the US government's track record
on the enforcement of such measures is spotty, to say the least (also note
that '(unpublished) scientific information' isn't specifically listed...).

>They also cover "all papers and other written documentation," including books,
>pamphlets and "written materials commonly referred to as 'pocket trash'
>or 'pocket litter.' "

This rings all alarm bells (also, the words 'police state' come to mind).
I think that anyone who is considering traveling to the US should think
twice before doing so.  I wonder what would happen to anyone who has the
'wrong' combination of digital data and paperwork on him...

------------------------------

Date: Thu, 07 Aug 2008 09:43:13 -0500
From: Dimitri Maziuk <dmaziuk_at_private>
Subject: Re: Neglecting to logout from Skype (RISKS-25.26)

> Date: Tue, 05 Aug 2008 20:32:32 +0200
> From: "Michael Weiner" <michael_weiner_at_private>
> Subject: Neglecting to logout from Skype means sharing your Instant Messages
> ... According to several messages on the Skype Community forum, Skype
> considers the ability to remain logged in to the same account on several
> machines a "feature" and sees no need to fix anything.

There are legitimate reasons for logging on to more than one office computer
(that is why I never used Gnome: the early versions wouldn't let one do so)
and there are legitimate reasons for having your messages arrive at more
than one computer.  I'd side with Skype on this and blame you: what you did
is effectively give your friend your password.

Auto-login is a bad default in this case; however, it's a convenient one, and
in the case of one computer - one user it's not unreasonable.  The risk is
believing that software will magically know where you want to go today and
will take you there when you click on the start button.  In reality the
default out-of-the-box configuration may (or may not) work for what
developers imagine their average user to be, but it probably won't work
right for you -- in real life "one size fits all" doesn't fit anyone in
particular.

------------------------------

Date: Thu, 7 Aug 2008 17:14:46 -0400 (EDT)
From: msb_at_private (Mark Brader)
Subject: Pizza delivery and postal addresses

  [Posted by David Cantrell <david_at_private> in uk.transport.london]

The building I live in has three flats in it, numbered 1, 2 and 3.  Flats 2
and 3 share a common front door and hallway, having their own doors off
that.
As far as normal people are concerned, that's three flats and three
addresses.  Post for flats 2 and 3 is delivered through a single letterbox.
Consequently, as far as the post office is concerned, there are only *two*
addresses, one for flat 1, and one for the shared letterbox of flats 2 and
3.

This is quite irritating, especially when stupid programmers working for
stupid companies insist that I tell them my address by typing in my postcode
and then selecting one of the addresses that the post office think exist.
Normally it doesn't matter, of course, but it does matter when I'm trying to
do something like order a pizza late at night and want the delivery boy to
ring *my* doorbell and not have to guess at random between mine and my
upstairs neighbour's.

  [Note added by David Cantrell when giving permission to forward to Risks]

It's worth noting, however, that *most* companies who use the PAF do allow
the user to type it in themselves if their address isn't in the list.  It's
some time since I last read the PAF docs, but I *think* they recommend doing
that, because of, eg, people living in brand new developments which haven't
yet filtered through to your local copy of the database, which might only
get updated once a quarter or once a year.

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.27
************************

Received on Fri Aug 08 2008 - 17:43:55 PDT