RISKS-LIST: Risks-Forum Digest  Sunday 1 March 2009  Volume 25 : Issue 59

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.59.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Iridium and Cosmos satellites collide (Ken Knowlton)
When your files are online and you aren't (Hiawatha Bray via Monty Solomon)
Man charged $81 billion for a fuel fill-up (Peter Gregory)
Computer "Glitch" Results in $31 billion Error (Malcolm Pack)
Best Buy swindled for $31 million by chip supplier (Jim Haynes)
Google Gaffe: Gmail Outage Shows Pitfalls of Online Services (Jonathan B Spira)
Power outage disables power failure alarm (Jim Haynes)
UK building society online account open to DOS attack (Andy Repton)
Wikileaks cracks key NATO document on Afghan war (Jeff Nye)
Re: Hiding in plain sight (Al Macintyre, Mark Feit, Phil Smith III,
  Steve Lamont, Marcos H. Woehrmann)
Urban legends in RISKS (David Guaspari)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 22 Feb 2009 20:31:24 EST
From: KCKnowlton_at_private
Subject: Iridium and Cosmos satellites collide

Reported in *The Week* magazine 27 Feb 2009 and its website: Two satellites
have collided in orbit, destroying both, creating two large clouds of debris:
an old Russian Cosmos satellite and an Iridium satellite (one of a fleet of
communication satellites launched by Motorola in the late 90s and early
2000s). Nicholas Johnson of NASA said "This is the first time we've ever had
two intact spacecraft accidentally run into each other."
http://www.theweek.com/article/index/93177/Iridiums_satellite_collision

------------------------------

Date: Fri, 20 Feb 2009 11:12:02 -0500
From: Monty Solomon <monty_at_private>
Subject: When your files are online and you aren't (Hiawatha Bray)

Hiawatha Bray, When your files are online and you aren't,
*The Boston Globe*, 19 Feb 2009

Funny thing about cloud computing - it's useless at 35,000 feet.

In cloud computing, you rely on applications running on the Internet instead
of on your personal machine. So rather than write a file in Microsoft Corp.'s
Word or Excel, you might use Google Docs. This online suite from Google Inc.
features word processor and spreadsheet programs and stores your documents in
the Internet cloud.

But online documents aren't much use when you're disconnected from the
Internet - like when you're flying. Airline companies are beginning to deploy
on-board Wi-Fi service, but it'll be a couple of years before it is generally
available. And even on the ground, you can't always find an Internet
connection.

With earthbound copies of critical files, you can work on them as needed and
upload any changes to the Net, first chance you get. And if you work on
multiple computers, you can share updated files with all your other machines.

If you're a Google Docs user, get a copy of Gears. This free program,
available at gears.google.com, lets you download your Google-generated
documents onto your computer. Work with them even when you're offline, and
when you log in again, Gears uploads your modified documents to the Google
Docs Internet server, so your up-to-date document is available on any
Internet-connected machine.

Gears isn't just for Google Docs fans; it works with other cloud computing
services, including Zoho, a rival online document editing service, and
Google's Gmail messaging service. You can plow through your e-mail on the
plane, write up replies, then transmit them once you're back online.

But Gears has its limitations.
For instance, you can edit your existing Google Docs when offline, but you
can't create new ones. Besides, Gears gives you no easy way to share
multimedia files, like video, audio, and digital photographs. ...

http://www.boston.com/business/technology/articles/2009/02/19/when_your_files_are_online_and_you_arent/

------------------------------

Date: Fri, 27 Feb 2009 12:20:25 -0800 (PST)
From: Peter Gregory <petergregory_at_private>
Subject: Man charged $81 billion for a fuel fill-up

Washington State resident Juan Zamora filled his Camaro at a local Conoco
station using his PayPal debit card just as he does every week. The pump
registered $26, but his account was debited $81,400,836,908 instead. The
cause of the error has not yet been identified.

http://seattletimes.nwsource.com/html/localnews/2008790918_webbigbill27.html

Peter Gregory, CISA, CISSP, DRCE | Security and Risk Manager
petergregory_at_private | www.peterhgregory.com | Biometrics For Dummies

------------------------------

Date: Wed, 25 Feb 2009 10:40:59 +0000
From: Malcolm Pack <risks.2009.02.25_at_private>
Subject: Computer "Glitch" Results in $31 billion Error

<http://news.bbc.co.uk/1/hi/business/7909627.stm>

UBS in $31bn bond order mistake

A Japanese unit of Swiss banking group UBS has mistakenly placed an order for
3 trillion yen ($31bn) of bonds. UBS Securities Japan said the error was
caused by a glitch in its computer system, and that it had asked the Tokyo
Stock Exchange to cancel the order. According to reports, this request has
now been granted by the stock exchange." [...]

This is not the first time that a UBS unit has given the Tokyo Stock Exchange
an incorrect order. In 2001, a UBS business mistakenly issued an order to
sell shares in Japanese advertising firm Dentsu. UBS subsequently had to buy
more stock in Dentsu in order to honour the order.
This and a number of incidents by other firms saw the Tokyo Stock Exchange
introduce new rules in 2007 that allow the cancellation of large-scale
erroneous orders.

Increasingly we see new mitigations being put into place for bad outcomes
from risks that ought, by right, to be mitigated at source. A little
sense-checking on such trades - don't sell more than you own (or
significantly more, if automated short trading is to be allowed), don't spend
more than a billion Yen in a single automated transaction, that kind of
thing - should not be beyond the wit of the programmers, nor the wit of the
bank's risk managers.

------------------------------

Date: Tue, 24 Feb 2009 11:19:10 -0600 (CST)
From: Jim Haynes <jhhaynes_at_private>
Subject: Best Buy swindled for $31 million by chip supplier

Deerfield couple swindled $31 million from Best Buy, federal court documents
say; $2.75 million used to buy the land and build their house were `the
proceeds of fraud'

Jeff Long, Chicago Tribune, 24 Feb 2009
http://www.chicagotribune.com/business/chi-best-buy-fraudfeb24,0,6558363.story

------------------------------

Date: February 26, 2009 3:51:52 PM EST
From: "Jonathan B Spira" <jspira_at_private>
Subject: Google Gaffe: Gmail Outage Shows Pitfalls of Online Services

[From Dave Farber's IP list]

I didn't realize the number of Gmail users was so large until the outage.

"Google's Gmail system was down for 2.5 hours earlier this week, the sixth
such outage in the past eight months. It isn't unusual that an e-mail system
crashes, but most such occurrences are limited to one organization. When
Gmail, a service Google touts to businesses as more reliable and easier to
use than Microsoft Exchange and Lotus Notes/Domino, goes down, it makes
headlines - as well it should." ... Just imagine if all of the phone lines to
your office failed - not today but ten years ago, when the telephone was the
most important means of communication (along with fax, I should add).
That's what Gmail's users were facing on Monday. The silence was
deafening..."

http://www.basexblog.com/2009/02/26/google-gaffe-gmail-outage-shows-pitfalls-of-online-services/

Jonathan B. Spira, CEO and Chief Analyst, Basex, Inc.  www.basex.com

------------------------------

Date: Tue, 24 Feb 2009 11:05:24 -0600 (CST)
From: Jim Haynes <jhhaynes_at_private>
Subject: Power outage disables power failure alarm

An item in Santa Cruz Sentinel for 24 Feb 2009 tells of a power outage
affecting pumps that provide water to a storage tank, causing the tank to run
dry. "Power also was cut to the communication lines designed to alert the
district to a problem."

------------------------------

Date: Tue, 24 Feb 2009 15:04:16 +0000
From: Andy Repton <risks_at_private>
Subject: UK building society online account open to DOS attack

Recently, I needed to access my online account with the Nationwide building
society. I'd recorded my secret number in an encrypted store, but had
mistyped one digit. After three attempts to log in to my account I received
the message that my account was now locked and I should re-register and wait
for up to 5 days for the new details to appear through the post.

I called the internet helpline and they confirmed that there is nothing they
can do, the system forces the lockout and indeed I had to re-register. I
pointed out the potential denial of service aspects of this approach but the
only response was "Why would anyone do that?"

------------------------------

Date: Fri, 27 Feb 2009 11:24:08 -0500
From: Jeff Nye <jpn213_at_private>
Subject: Wikileaks cracks key NATO document on Afghan war

The best encryption in the world won't help you if your passphrase sucks.
Jeff

---------- Forwarded message ----------
From: Wikileaks Press Office <press-office_at_private>
Date: Fri, Feb 27, 2009 at 08:11
Subject: [WIKILEAKS] Wikileaks cracks key NATO document on Afghan war
To: wl-press_at_private

WIKILEAKS EDITORIAL
Fri Feb 27 13:10:25 GMT 2009

"Wikileaks cracks key NATO document on Afghan war"

Wikileaks has cracked the encryption of a key NATO document relating to the
war in Afghanistan. The document, titled "NATO in Afghanistan: Master
Narrative", details the key facts and themes NATO representatives are to
give--and to avoid giving--to the world press.

Among the revelations, which we encourage the public to review in detail, is
Jordan's presence as a secret member of the US-led occupation force.

The encrypted document, from October, and believed still to be current, can
be found on the Pentagon Central Command website "oneteam.centcom.mil":

http://oneteam.centcom.mil/isc/Shared%20Documents/NATO%20Master%20Narrative.doc

The password is "progress", which perhaps reflects the Pentagon's desire to
stay on-message, even to itself.

Jordan is a US-backed middle eastern monarchy, and historically the CIA's
closest partner in its extraordinary renditions program. In Jordan, "the
practice of torture is routine", according to a January 2007 report by UN
special investigator for torture, Manfred Nowak.

NATO spokespersons are instructed to conceal the country's involvement in the
ISAF coalition. Publicly, Jordan withdrew in 2001. It does not appear on the
current (Feb 13, 2009) NATO list of ISAF member states:

http://www.nato.int/isaf/docu/epub/pdf/isaf_placemat.pdf

Some other sensitive instructions on what not to say are:

* Any decision on the end date/end state will be taken by the respective
  national and/or Alliance political committee. Under no circumstances should
  the mission end-date be a topic for speculation in public by any NATO/ISAF
  spokespeople.
* The term "compensation" is inappropriate and should not be used because it
  brings with it legal implications that do not apply.

* Any talk of stationing or deploying Russian military assets in Afghanistan
  is out of the question and has never been the subject of any
  considerations.

Only if pressed: ISAF forces are frequently fired at from inside Pakistan,
very close to the border. In some cases defensive fire is required, against
specific threats. Wherever possible, such fire is pre-coordinated with the
Pakistani military.

Altogether four classified or restricted NATO documents of interest on the
Pentagon site were discovered to share the 'progress' password. Wikileaks has
decrypted the documents and released them in full:

* http://wikileaks.org/wiki/NATO_Media_Operations_Centre:_NATO_in_Afghanistan:_Master_Narrative%2C_6_Oct_2008
* http://wikileaks.org/wiki/ISAF_Afghanistan_Theatre_Strategic_Communications_Strategy%2C_25_Oct_2008
* http://wikileaks.org/wiki/NATO-ISAF_Afghanistan_Strategic_Communications_External_Linkages%2C_20_Oct_2008
* http://wikileaks.org/wiki/NATO-ISAF_Strategic_Communications_Ends%2C_Ways_and_Means%2C_slide%2C_20_Oct_2008

------------------------------

Date: Sun, 22 Feb 2009 23:02:00 -0600
From: Al Macintyre <macwheel99_at_private>
Subject: Re: Hiding in plain sight (PHSIII, RISKS-25.57)

IBM does the same thing with all of its specialized kinds of computer lines
... business, scientific, mainframe, servers. There is a move afoot to merge
IBM "I" business line with the "p" scientific, so soon there will be a few
less types of IBM systems.

Supposedly if you know about IBM's fantastic systems, you don't need to use a
search engine to find out about them. But the reality is that there's lots of
non-IBM companies serving the IBM market place, and it can be hard to locate
them when IBM changes its product naming so often, into generic words and
letters.
There are conspiracy theorists that speculate IBM is killing off a line of
computers deliberately. They are high performance, unhackable, have never
been hit by malware, upwardly compatible, incompatible with Microsoft, so
they don't have to be replaced as often. IBM would sell a lot more computers
if they broke down as often as the competition.

On the 400, now i5/OS, an asterisk is pervasive.
  names starting with asterisk are like keywords, functions, types of objects
  names ending with asterisk are wild cards

------------------------------

Date: Mon, 23 Feb 2009 05:45:37 -0500
From: Mark Feit <mfeit_at_private>
Subject: Re: Hiding in plain sight (PHSIII, RISKS-25.57)

> I can't imagine what their marketroids were thinking.

Me either, but "IBM i" and "System i" (without the quotes) return the right
page as the first hit when put into Google.

I can only imagine how difficult it must be for British secret agents to find
Q when they need new gadgets. :-)

------------------------------

Date: Mon, 23 Feb 2009 08:14:04 -0500
From: "Phil Smith III" <lists_at_private>
Subject: Re: Hiding in plain sight (RISKS-25.58)

Re: Al Macintyre: Mmm, no, they haven't done the same with the other lines.
There are four IBM hardware lines:
  System p -- Power (AIX machines)
  System x -- x86 (Intel)
  System z -- mainframes
  i -- which do indeed use Power hardware, same as System p.

That's the convergence, and I've seen the speculation that IBM is trying to
kill i5/OS. (I write about this stuff for trade rags, and I also just checked
http://www-03.ibm.com/systems/i/, http://www-03.ibm.com/systems/p/,
http://www-03.ibm.com/systems/x/, and http://www-03.ibm.com/systems/z/.)

They are inconsistent, though: the i page just calls it "i", System p and
System x use those names, and the mainframe page says "Mainframe" and then
mentions both "System z" and "IBM z Can Do IT".
But the mainframe is the world I mostly live in, and I've been assured by
Poughkeepsie that "System z" is the real name; the latter usage is just
shorthand.

Or perhaps I misunderstood what you were saying?

P.S. Mark Feit noted that "... 'IBM I' and 'System I' (without the quotes)
return the right page as the first hit when put into Google." Interesting
(and an improvement over a few months ago). I wonder if that took search
engine placement work, or if Google is just smarter? Of course, in any OTHER
case (such as searching in a document), the "i" nomenclature is still
impossible to find.

------------------------------

Date: Wed, 25 Feb 2009 17:13:43 -0800
From: Steve Lamont <spl_at_private>
Subject: Re: Hiding in plain sight (PHSIII, RISKS-25.58)

IBM i. Easy to find. Typing "IBM i" into the search field in Google gives as
the first hit http://www.ibm.com/systems/i/

------------------------------

Date: Mon, 23 Feb 2009 10:05:01 -0800
From: "Marcos H. Woehrmann" <marcosw_at_private>
Subject: Re: Hiding in plain sight (PHSIII, RISKS-25.58)

The original name of Archy was "The Human Environment" which was officially
shortened to "THE". Needless to say it wasn't searchable either.

Though it appears it now would be; searching for "THE" on Google brings up
theonion.com as the top hit. However, Yahoo! might be the winner in this odd
contest, it brings up the band "The The" as the second result, just after
"The N Network" (which is a website for teens and has nothing to do with the
pejorative term for persons of African descent).

------------------------------

Date: Mon, 23 Feb 2009 11:14:00 -0500
From: David Guaspari <davidg_at_atc-nycorp.com>
Subject: Urban legends in RISKS

A recent RISKS posting referred (in a throwaway aside) to "the ex-President
who'd never seen a grocery store scanner."
As this newsgroup is populated by rational people glad to have even trivial
errors corrected, I'll point out that the story of Bush 41's supposed
amazement at seeing a scanner has been pretty thoroughly debunked. Snopes has
a detailed discussion:

http://www.snopes.com/history/american/bushscan.asp

David Guaspari, ATC-NY, 33 Thornwood Drive, Suite 500, Ithaca NY 14850
(607) 266-7114  davidg_at_atc-nycorp.com

  [Also noted by Brent Krupp.  PGN]

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many
   but not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.59
************************
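The pre-trade sense-checking that Malcolm Pack's UBS item calls for (don't sell more than you own, don't spend more than a billion yen in one automated order), as an added example that is not from the digest, from UBS, or from the Tokyo Stock Exchange. The limits, the ADV (average daily volume) ceiling, the symbol name and the sample orders are all assumptions constructed for illustration; a real desk would load them from its risk system.

```python
# Added example: pre-trade limit checks of the kind the RISKS item asks for.
# Not UBS or TSE code. All thresholds and the sample order are constructed.
from dataclasses import dataclass


@dataclass
class Limits:
    max_notional_per_order: int = 1_000_000_000   # assumption: 1 billion yen cap per automated order
    max_fraction_of_adv: float = 0.10             # assumption: no single order above 10% of ADV
    short_tolerance: float = 0.0                  # 0.0 = never sell more than you hold;
                                                  # 0.5 would allow "significantly more" (50%)


@dataclass
class Order:
    symbol: str
    side: str      # "BUY" or "SELL"
    qty: int       # number of units (bonds/shares)
    price: float   # yen per unit


def check_order(order, position, adv, limits=Limits()):
    """Return the list of reasons to reject `order`; an empty list means it passes.

    position: units of order.symbol currently held (for the sell-side check)
    adv:      average daily volume in units, or 0 if unknown
    """
    reasons = []
    if order.side not in ("BUY", "SELL"):
        return [f"unknown side {order.side!r}"]
    if order.qty <= 0 or order.price <= 0:
        reasons.append("quantity and price must be positive")

    # Notional cap: catches the fat-finger / unit-confusion case outright.
    notional = order.qty * order.price
    if notional > limits.max_notional_per_order:
        reasons.append(f"notional {notional:,.0f} JPY exceeds per-order cap "
                       f"{limits.max_notional_per_order:,} JPY")

    # Liquidity cap: an order that is a large multiple of normal daily volume
    # is almost certainly an error even if its notional is under the cap.
    if adv and order.qty > limits.max_fraction_of_adv * adv:
        reasons.append(f"qty {order.qty:,} exceeds "
                       f"{limits.max_fraction_of_adv:.0%} of ADV {adv:,}")

    # Sell-side check: don't sell what you don't hold, within the allowed short tolerance.
    if order.side == "SELL":
        allowed = position * (1 + limits.short_tolerance)
        if order.qty > allowed:
            reasons.append(f"sell qty {order.qty:,} exceeds held position {position:,} "
                           f"(short tolerance {limits.short_tolerance:.0%})")
    return reasons


if __name__ == "__main__":
    # Constructed stand-in for the item's 3 trillion yen order:
    # 30 million bonds at 100,000 yen face value each.
    fat_finger = Order("JGB-CONSTRUCTED", "BUY", 30_000_000, 100_000.0)
    for reason in check_order(fat_finger, position=0, adv=10_000_000):
        print("REJECT:", reason)
```

The check runs before the order leaves the firm, which is the "mitigated at source" point of the item: the exchange's 2007 cancellation rule is the backstop, not the control. Keep the thresholds in configuration owned by risk management, not hard-coded by the trading system's developers.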
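The alternative to the permanent three-strikes lockout that Andy Repton ran into, as an added example that is not from the digest and not Nationwide's code: a progressive, self-expiring lockout. After `threshold` failures the account is refused for `base_delay` seconds, doubling on each further failure up to `max_delay`, and a successful login clears the state. Someone who deliberately fails three times against a victim's account can delay that user by minutes, not force a five-day re-registration, while an online guesser still gets only a handful of tries per hour. The threshold and delays are assumptions; the injected clock exists so the behaviour can be tested without sleeping.

```python
# Added example: progressive lockout instead of a hard "re-register" lockout.
# Not Nationwide's code; thresholds and delays are assumptions.
import time
from collections import defaultdict


class LoginThrottle:
    def __init__(self, threshold=3, base_delay=30, max_delay=3600, clock=time.monotonic):
        self.threshold = threshold          # failures before the first lock
        self.base_delay = base_delay        # seconds for the first lock
        self.max_delay = max_delay          # ceiling for the doubling delay
        self.clock = clock                  # injectable for testing
        self._failures = defaultdict(int)   # account -> consecutive failures
        self._locked_until = {}             # account -> clock value when lock ends

    def seconds_locked(self, account):
        """How long the account is still refused; 0 if it is open."""
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def attempt(self, account, password_ok):
        """Record one login attempt. Returns (accepted, retry_after_seconds).

        `password_ok` is the result of the real credential check; during a
        lock the caller should not even perform that check, so the throttle
        answers first.
        """
        wait = self.seconds_locked(account)
        if wait > 0:
            # Refused regardless of the password. Failures during a lock are
            # not counted, so a hammering attacker cannot extend the lock
            # past the schedule below.
            return False, wait
        if password_ok:
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return True, 0.0
        self._failures[account] += 1
        n = self._failures[account]
        if n >= self.threshold:
            # Exponential backoff: 30s, 60s, 120s, ... capped at max_delay.
            delay = min(self.base_delay * 2 ** (n - self.threshold), self.max_delay)
            self._locked_until[account] = self.clock() + delay
            return False, delay
        return False, 0.0


if __name__ == "__main__":
    t = LoginThrottle()
    for pw_ok in (False, False, False, True):
        print(t.attempt("demo-account", pw_ok))   # third failure starts a 30 s lock
```

Pair this with a per-source-address limit in front of it so that one attacker sweeping many accounts is throttled as well; the per-account schedule alone only bounds guesses against a single account. Whatever the schedule, the lock must expire on its own: anything that needs a human or a postal round-trip to clear is a denial-of-service lever handed to whoever can type a username.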
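Jeff Nye's point about the NATO documents, that the encryption is irrelevant once the passphrase is "progress", as an added example that is not from the digest or from Wikileaks. This does not model the Word .doc protection the item describes; it uses a constructed container (PBKDF2-SHA256 key derivation, a stored key verifier, HMAC-based keystream) with a deliberately slow KDF, and shows that a dictionary attack still recovers the passphrase in a handful of guesses. The wordlist and the plaintext are constructed; the iteration count is an assumption.

```python
# Added example: dictionary attack on a passphrase-protected container.
# Constructed format, not Word's; wordlist, plaintext and ITERATIONS are assumptions.
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumption: a "slow" KDF setting
SALT_LEN, TAG_LEN = 16, 32    # layout: salt || verifier tag || ciphertext


def derive_key(passphrase, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def _keystream(key, n):
    # HMAC-SHA256 in counter mode. Adequate for the demo; use AES-GCM in real code.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _verifier(key):
    return hmac.new(key, b"verifier", hashlib.sha256).digest()


def protect(plaintext, passphrase):
    """Encrypt `plaintext` under a key derived from `passphrase`."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return salt + _verifier(key) + ct


def crack(container, wordlist, iterations=ITERATIONS):
    """Try each word; return (passphrase, plaintext, guesses_tried) or (None, None, n)."""
    salt = container[:SALT_LEN]
    tag = container[SALT_LEN:SALT_LEN + TAG_LEN]
    ct = container[SALT_LEN + TAG_LEN:]
    for tried, guess in enumerate(wordlist, 1):
        key = derive_key(guess, salt, iterations)
        if hmac.compare_digest(_verifier(key), tag):
            pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))
            return guess, pt, tried
    return None, None, len(wordlist)


# Constructed wordlist: the sort of short, on-topic list an attacker tries first.
WORDLIST = ["password", "welcome", "nato", "afghanistan", "progress", "isaf"]

if __name__ == "__main__":
    box = protect(b"constructed sample document text", "progress")
    guess, pt, tried = crack(box, WORDLIST)
    print(f"recovered passphrase {guess!r} after {tried} guesses: {pt!r}")
```

The KDF's iteration count multiplies the attacker's cost per guess, but the attacker's total work is that cost times the number of candidates, and for a word in a six-entry list that product is trivial at any iteration count. Only a passphrase outside any plausible wordlist makes the multiplier matter, which is the item's point; and, as the Wikileaks note adds, reusing one passphrase across four documents means one success opens all of them.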