RISKS-LIST: Risks-Forum Digest  Thursday 23 October 2008  Volume 25 : Issue 41

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/25.41.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Re: Computer likely caused Qantas plunge (Peter Bernard Ladkin,
  Dag-Erling Smørgrav, Guy Dawson, Chris Kuan)
U.S. Government to Take Over Airline Passenger Vetting (PGN)
IEEE Spectrum review process upgrade curiosity (PGN)
Dan Wallach's report on a vote-flipping examination (PGN)
Deceptive practices in elections (PGN)
Straight Party Voting Issues (Leonard Finegold)
GAO report on Social Security Numbers (PGN)
Re: More Password Reset Procedures (Ralph Jacobs)
Re: Amazon e-mail accounts (Dimitri Maziuk, Klaus Johannes Rusch)
2 of 3 navigational devices functioning (Daniel P. B. Smith)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 22 Oct 2008 10:48:19 +0200
From: Peter Bernard Ladkin <ladkin_at_private-bielefeld.de>
Re: Computer likely caused Qantas plunge (RISKS-25.40)

Re: Rieden and Garret (RISKS-25.40)

I don't think it helps to suggest that the manoeuvre would be something passengers are "unlikely to have noticed" (Rieden) or "typical" (Garret). It's not the vertical speed that mattered, it is the acceleration used to get there. The vertical acceleration was -0.8g according to the Airbus All-Operators-Telex, enough to throw unbelted people against the ceiling (but with not quite their full weight) and 14 people were injured seriously enough to be transported by medical helicopter to hospital. The ATSB has classified it as an accident. Their preliminary report is on their WWW site.
It was more than a "terrifying plunge", it was one sufficient to break people's bones.

Peter Bernard Ladkin, Professor for Computer Networks and Distributed Systems, University of Bielefeld, 33594 Bielefeld, Germany +49 521 880 73 19

  [We received a slew of messages on this topic. The following three are more or less representative of different key points. PGN]

------------------------------

Date: Wed, 22 Oct 2008 12:02:35 +0200
From: Dag-Erling Smørgrav <des_at_private>
Subject: Re: Investigator: Computer likely caused Qantas plunge (RISKS-25.40)

> Rieden: Perhaps this should be re-titled "Risk of Inflammatory reporting".

Or perhaps "risk of becoming so cynical that you dismiss the story out of hand instead of doing your own research and finding out that the reporter left out a zero, and that more than forty passengers sustained injuries, fifteen of them serious, in a 6,500-foot drop".

Dag-Erling Smørgrav - des_at_private

------------------------------

Date: Wed, 22 Oct 2008 13:30:40 +0100
From: Guy Dawson <guy_at_private>
Subject: Re: Computer likely caused Qantas plunge (RISKS-25.40)

What does not appear to be considered is that descent during the 20 seconds may not have been linear. There may have been an initial rapid descent followed by a recovery phase.

I know that if I were sitting in my airliner seat and suddenly found the cabin seat coming down to meet me at 22mph I'd be pretty scared!

Guy Dawson, I.T. Systems Manager, Crossflight Ltd guy_at_private

------------------------------

Date: Thu, 23 Oct 2008 08:54:01 +1000
From: Chris Kuan <mrgazpacho_at_private>
Subject: Re: Computer likely caused Qantas plunge (RISKS-25.40)

In reply to both Peter and Ron, it seems that while misreporting is to blame here, it is merely vaguely imprecise rather than deliberately misleading.

At a press conference, the Australian Transport Safety Bureau played an animation of the incident -- based on recorded flight data.
It clearly shows that while the entire incident lasted about 20 seconds, the most severe event was a change in the aircraft's pitch from +2.1 degrees to -8.3 degrees over a period of approximately 1 second.

------------------------------

Date: Thu, 23 Oct 2008 10:19:42 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: U.S. Government to Take Over Airline Passenger Vetting

  [RISKS has previously reported on the overly aggressive name matching in use of the no-fly list (e.g. David Nelson and Senator Kennedy, RISKS-22.80 22.81, 25.15). This might minimize those problems. However, any error in the databases used for matching may now be even more difficult to surmount in time to catch your plane.]

The Department of Homeland Security will take over responsibility for checking airline passenger names against government watch lists beginning in January, and will require travelers for the first time to provide their full name, birth date and gender as a condition for boarding commercial flights, U.S. officials said Wednesday.

Security officials say the additional personal information -- which will be given to airlines to forward to the federal agency in charge -- will dramatically cut down on cases of mistaken identity, in which people with names similar to those on watch lists are wrongly barred or delayed from flights.

The changes, to be phased in next year, will apply to 2 million daily passengers aboard all domestic flights and international flights to, from or over the United States.

By transferring the screening duty from the airlines to the federal government, the Secure Flight program marks the Bush administration's long-delayed fulfillment of a top aviation security priority after the Sept. 11, 2001, terrorist attacks.
Homeland Security Secretary Michael Chertoff and Transportation Security Administration (TSA) chief Kip Hawley said yesterday that, except in rare situations, passengers who do not provide the additional information will not be given boarding passes. ...

DHS has received more than 43,500 requests for redress since February 2007 and has completed 24,000 of them, with the rest under review or awaiting more documentation, TSA spokesman Christopher White said.

But the number of people who actually match the names on the watch lists is minuscule, officials acknowledged. On average, DHS screeners discover a person who is actually on the no-fly list about once a month, usually overseas, and actual selectees daily, Hawley said.

To bolster their case for the new program, U.S. officials for their first time disclosed that the no-fly list includes fewer than 2,500 individuals and the selectee list fewer than 16,000. Ten percent of those named on the no-fly list and fewer than half on the selectee list are U.S. citizens, Chertoff said. [Source: Spencer S. Hsu, *The Washington Post*, 23 Oct 2008; PGN-ed]

  [Of course, if the TSA database information is as riddled with errors and other variations as are the voter registration databases, the employment eligibility verification databases, and so on, there will still be many false positives on would-be fliers.]

------------------------------

Date: Wed, 22 Oct 2008 11:36:02 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: IEEE Spectrum review process upgrade curiosity

I just received a note saying that my review of a submitted paper that was due on 22 Nov 2006 was now overdue. To make matters worse, when I tried to bring up the details on their website, my browser found itself in an infinite loop.

I clearly thought I had submitted my evaluation two years ago, and queried Elizabeth Bretz -- who does an excellent job overseeing the review process. This is her response:

  ``Peter -- no worries.
  They upgraded the peer review system, and a queue of old papers suddenly sprang to life. There's no need for you to do anything, except disregard the e-mails. Apologies for the interruption and aggravation. Elizabeth''

As the RISKS graybeard, I feel Upgrayeded by just one more example of an upgrade that did not work as expected.

------------------------------

Date: Thu, 23 Oct 2008 10:17:59 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Dan Wallach's report on a vote-flipping examination

See Dan Wallach's analysis of vote-flipping in the Hart Intercivic e-slate systems.
  http://accurate-voting.org/2008/10/22/vote-flipping-on-hart-intercivic-eslate-systems/

------------------------------

Date: Tue, 21 Oct 2008 10:40:50 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Deceptive practices in elections

Remember that many of the problems with elections are not directly related to the voting systems themselves. For example, two reports were released yesterday that should be of interest to those of you who are not fed up with risks in voting, relating to deceptive campaign practices:

  E-Deceptive Campaign Practices
  Electronic Privacy Information Center and The Century Foundation
  20 Oct 2008
  http://votingintegrity.org/pdf/edeceptive_report.pdf

  Deceptive Practices 2.0: Legal and Policy Responses
  Common Cause, The Lawyers Committee for Civil Rights under Law, and the Century Foundation
  20 Oct 2008
  http://www.tcf.org/print.asp?type=PR&pubid=149

------------------------------

Date: Tue, 21 Oct 2008 17:34:47 -0400
From: Leonard Finegold <L_at_private>
Subject: Straight Party Voting Issues

  [This is forwarded by Leonard from someone else, who says:]

Lest any of you think this is a hoax, i just checked and it is verified as TRUE on Snopes--
  <http://www.snopes.com/politics/ballot/straightticket.asp>

Unbelievable!
I rarely like to pass on stuff but this one i encourage everyone to pass on to EVERYONE so we don't have another 8 years of DISASTER.

just got this from a friend of mine, pass it on:

"Straight Party Voting" Trap. Here are the details and what to do about it:

THE PROBLEM: "Straight party voting" on voting machines is revealing a bad pattern of miscounting and omitting your vote, especially if you are a Democrat. Most recently (Oct. 2008), a firm called Automated Election Services was found to have miscoded the system in heavily Democratic Santa Fe County, New Mexico such that straight party voters would not have their presidential votes counted.

STRAIGHT PARTY VOTING is allowed in 15 states. Basically, it means that you can take a shortcut to actually looking at who you are voting for and instead just select a party preference. Then the voting machine makes your candidate choices, supposedly for the party you requested.

HOW TO PROTECT THE COUNT against the Straight Party Vote trap:

1) NEVER CHOOSE THE STRAIGHT PARTY VOTE OPTION, because it alerts the computer as to your party preference and allows software code to trigger whatever function the programmer has designed.

2) SEND THIS INFORMATION OUT TO AS MANY PEOPLE AS YOU CAN, blog it, root n' toot it out there to get the word out.

3) ESPECIALLY GET THE WORD OUT TO PEOPLE IN THE FOLLOWING STATES, which have straight party voting options: Alabama, Indiana, Iowa, Kentucky, Michigan, New Mexico, North Carolina, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Texas, Utah, West Virginia, Wisconsin

4) DEMAND COMPLETE AND CAREFUL TESTING OF THE STRAIGHT PARTY OPTION IN LOGIC & ACCURACY TESTS

5) LOOK FOR UNDERVOTES (high profile races with lower-than-average number of votes cast) and flag them, post them, bring them to the attention of others for additional scrutiny.
Voting machine miscounts of straight party votes were proven by California researcher Judy Alter in the 2004 New Mexico presidential election; in Alabama Democrat straight party votes were caught going to a Republican, and Wisconsin a whole slew of straight party votes disappeared altogether.

Both DRE and optical scan machines are vulnerable. Private contractors are involved; private firms like LHS Associates, Automated Election Services, Harp Enterprises, Casto & Harris and others will program almost all systems in the USA this November. ES&S scanners were involved in examples cited, but Diebold has also issued a cryptic Product Advisory Notice in 2006 about unexpected results from certain Straight Party option programming practices.

  [Incidentally, I wandered into a voting station in Vancouver, Canada, a couple of weeks ago. They use paper ballots; I asked if they're counted manually, reply "you bet". They handled more people much more expeditiously than in my PA, USA station, 'cos we have only a couple of voting machines, and they had effectively lots more, and simpler ones...aka ballot boxes. And results were available certainly by next morning (and prob. earlier). LF]

Leonard X. Finegold, Physics, Drexel University, 3141 Chestnut Street Phila. PA 19104 1-215.895.2740 L_at_private

------------------------------

Date: Wed, 22 Oct 2008 11:42:02 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: GAO report on Social Security Numbers

Social Security Numbers Are Widely Available in Bulk and Online Records, but Changes to Enhance Security Are Occurring
GAO-08-1009R
September 19, 2008
http://www.gao.gov/products/GAO-08-1009R

Summary

Various public records in the United States contain Social Security numbers (SSN) and other personal identifying information that could be used to commit fraud and identity theft.
For the purposes of this report, public records are generally defined as government agency-held records made available to the public in their entirety for inspection, such as property and court records. Although public records were traditionally accessed locally in county courthouses and government records centers, public record keepers in some states and localities have more recently been maintaining electronic images of their records. In electronic format, records can be made available through the Internet or easily transferred to other parties in bulk quantities. Although we previously reported on the types of public records that contain SSNs and access to those records, less is known about the extent to which public records containing personal identifying information such as SSNs are made available to private third parties through bulk sales. In light of these developments, you asked us to examine (1) to what extent, for what reasons, and to whom are public records that may contain SSNs available for bulk purchase and online, and (2) what measures have been taken to protect SSNs that may be contained in these records. To answer these questions, we collected and analyzed information from a variety of sources. Specifically, we conducted a survey of county record keepers on the extent and reasons for which they make records available in bulk or online, the types of records that they make available, and the types of entities (e.g., private businesses or individuals) that obtain their records. We focused on county record keepers because, in scoping our review, we determined that records with SSNs are most likely to be made available in bulk or online at the county level. We surveyed a sample of 247 counties--including the 97 largest counties by population and a random sample of 150 of the remaining counties, received responses from 89 percent, and used this information to generate national estimates to the extent possible. 
Our survey covered 45 states and the District of Columbia, excluding five states where recording of documents is not performed at the county level (Alaska, Connecticut, Hawaii, Rhode Island, and Vermont). We used the information gathered in this survey to calculate estimates about the entire population of county record keepers.

Many counties make public records that may contain Social Security numbers (SSNs) available in bulk to businesses and individuals in response to state open records laws, and also because private companies often request access to these records to support their business operations. Our sample allows us to estimate that 85 percent of the largest counties make records with full or partial SSNs available in bulk or online, while smaller counties are less likely to do so (41 percent). According to county officials and businesses we interviewed, SSNs are generally found in certain types of records such as property liens and appear relatively infrequently. However, because millions of records are available, many SSNs may be displayed. Counties in our survey cited state laws as the primary reason for making records available, and requests from companies may also drive availability, as several told us they need bulk records to support their business models. Counties generally do not control how records are used. Of counties that make records available in bulk or online, only about 16 percent place any restrictions on the types of entities that can obtain these records. We found that title companies are the most frequent recipients of these records, but others such as mortgage companies and data resellers that collect and aggregate personal information often obtain records as well. Private companies we interviewed told us they obtain records to help them conduct their business, including using SSNs as a unique identifier.
For example, a title company or data reseller may use the SSN to ensure that a lien is associated with the correct individual, given that many people have the same name. Information from these records may also be used by companies to build and maintain databases or resold to other businesses. Businesses we contacted told us they have various safeguards in place to secure information they obtain from public records, including computer systems that restrict employees' access to records. In some cases, information from these public records is sent overseas for processing, a practice referred to as offshoring. We were not able to determine the extent of offshoring, but both record keepers and large companies that obtain records in bulk told us that it is a common practice. In the course of our work, we found that public records data are commonly sent to at least two countries--India and the Philippines. State and local governments, as well as the federal government, are taking various actions to safeguard SSNs in public records, but these actions are a recent phenomenon. Based on our survey, we estimate that about 12 percent of counties have completed redacting or truncating SSNs that are in public records-- that is, removing the full SSN from display or showing only part of it--and another 26 percent are in the process of doing so. Some are responding to state laws requiring redaction or truncation, but others have acted on their own based on concerns about the potential for identity theft. For example, California and Florida recently passed laws that require record keepers to truncate or redact SSNs in their publicly available documents, while one clerk in Texas told us that in response to public concern about the vulnerability of SSNs to misuse, the county is redacting SSNs from records on its own initiative. In recent years, 25 states have enacted some form of statutory restriction on displaying SSNs in public records. 
Some states have also enacted laws allowing individuals to request that their SSNs be removed from certain records such as military discharge papers.

------------------------------

Date: Tue, 21 Oct 2008 17:10:08 -0600
From: "Ralph Jacobs" <ralph.jacobs_at_private>
Subject: Re: More Password Reset Procedures

In response to the Civil Air Patrol example and the statement "This is YOUR government at work, folks."...

The vast majority of the Civil Air Patrol is made up of volunteers. The few paid employees that exist work for CAP the non-profit corporation and are not government employees.

That doesn't excuse any of the errors described during the password reset process; just that they weren't committed by the government in this case.

------------------------------

Date: Sat, 18 Oct 2008 13:49:33 -0500
From: Dimitri Maziuk <dmaziuk_at_private>
Subject: Re: Amazon e-mail accounts (Loughran, RISKS-25.39)

> ... an Amazon user does not have a 1:1 mapping of e-mail->userID.

Counterpoint: back when PayPal was created, they came up with 1:1 mapping of credit card number->userID. Guess how that works for people with joint bank accounts.

(OK, we're weird: my wife kept her maiden name and we don't have 8 credit cards, we only have one. And has the same number for two different cardholder names, unlike our one debit card. Still, we can't be the only two people on the net with a joint visa account.)

I wonder if an analysis of my wife's PayPal/Ebay purchase history would get her diagnosed with multiple personality disorder...

------------------------------

Date: Sun, 19 Oct 2008 14:20:54 +0200
From: Klaus Johannes Rusch <KlausRusch_at_private>
Subject: Re: Amazon e-mail accounts (Loughran, RISKS-25.39)

Amazon's approach to allow multiple accounts with the same e-mail address has advantages when it comes to e-mail address changes.
A customer returning to Amazon years later can still login with the original account data, getting access to purchase history, gift certificates, reviews etc. and change the e-mail address from there even when another customer has used the same e-mail address in the meantime.

The downside is that a customer can easily end up with multiple accounts, and merging those later requires manual intervention by Amazon staff.

Klaus Johannes Rusch KlausRusch@private http://www.atmedia.net/KlausRusch/

------------------------------

Date: Sun, 19 Oct 2008 12:42:03 -0400
From: "Daniel P. B. Smith" <usenet2006_at_private>
Subject: 2 of 3 navigational devices functioning

In RISKS-25.37, Mark F wrote: "I've been on commercial flights that weren't permitted to take off because they had only 2 of 3 navigational devices functioning."

It was standard practice to equip sailing ships with three chronometers. This requirement forms a pivot for the plot in *Michael, Brother of Jerry*, a very bad and justly obscure 1915 novel by Jack London (better known for *The Call of the Wild*). Here's a key passage (with ethnic slurs redacted). (Needless to say the voyage ends in disaster due to the shipowner's pennypinching ways).

  "It's a pity," he would suggest to Captain Doane, "that you have only one chronometer. The entire fault may be with the chronometer. Why did you sail with only one chronometer?"

  "But I WAS willing for two," the owner would defend. "You know that, Grimshaw?"

  The wheat-farmer would nod reluctantly and Captain would snap:

  "But not for three chronometers."

  "But if two was no better than one, as you said so yourself and as Grimshaw will bear witness, then three was no better than two except for an expense."

  "But if you only have two chronometers, how can you tell which has gone wrong?" Captain Doane would demand.

  "Search me," would come the pawnbroker's retort, accompanied by an incredulous shrug of the shoulders. "If you can't tell which is wrong of two, then how much harder must it be to tell which is wrong of two dozen? With only two, it's a fifty-fifty split that one or the other is wrong."

  "But don't you realize--"

  "I realize that it's all a great foolishness, all this highbrow stuff about navigation. I've got clerks fourteen years old in my offices that can figure circles all around you and your navigation. Ask them that if two chronometers ain't better than one, then how can two thousand be better than one? And they'd answer quick, snap, like that, that if two dollars ain't any better than one dollar, then two thousand dollars ain't any better than one dollar. That's common sense."

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can be used
 directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM:
 address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may also
 specify a different receiving address: subscribe address= ... . You may
 short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions are
 included in the confirmation message. Each issue of RISKS that you receive
 contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.41
************************