[RISKS] Risks Digest 26.13

From: RISKS List Owner <risko_at_private>
Date: Mon, 2 Aug 2010 15:35:13 PDT
RISKS-LIST: Risks-Forum Digest  Monday 2 August 2010  Volume 26 : Issue 13

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

Another GPS Near-Tragedy (Richard Grady)
Is Your Detergent Stalking You? (Matthew Kruk)
Online Trust Again (Gene Wirchenko)
Citi Discovers Security Flaw in iPhone Application (Nick Bilton via
  Monty Solomon)
The Web Means the End of Forgetting (Jeffrey Rosen via Monty Solomon)
Facebook privacy settings: Who cares? (Danah Boyd & Eszter Hargittai via
  Monty Solomon)
Re: Risks of free-text fields in medical records (Gabe Goldberg)
Re: Electronic business cards anyone? (Jonathan Kamens)
Re: BP: "Will no one rid me of this turbulent alarm?" (Peter Duncanson)
Re: Quiet electric & hybrid cars endanger ... (Paul Wallich, Jonathan Kamens)
Abridged info on RISKS (comp.risks)


Date: Fri, 30 Jul 2010 16:50:40 -0700
From: Richard Grady <richard_at_private>
Subject: Another GPS Near-Tragedy

Three women got stranded in Death Valley, California for three days in
mid-summer, led astray by their GPS.  They got lost on 22 Jul, and were
found on 25 Jul,

  Cooper said she had GPS onboard, and tried to use it. ``It kept telling me
  to go one mile and turn either right or left on Saline Valley Road.''
  Cooper said she never saw a road sign and sometimes she'd go one mile and
  there was no turn at all.

  Cooper said by the time the fuel light came on in her Hyundai Accent, she
  had traveled so many miles there was no turning back. So she kept going
  forward hoping to come out of the desolation to ``a paved road leading


I live 60 miles away from Death Valley, and I know my way around there.
Yet, I would never consider driving there in mid-summer with temperatures
around 125 degrees F.


Date: Sun, 1 Aug 2010 13:37:40 -0600
From: "Matthew Kruk" <mkrukg_at_private>
Subject: Is Your Detergent Stalking You?

Brazil's Omo Uses GPS to Follow Consumers Home With Prizes
Posted by Laurel Wentz on 29 Jul 2010

Unilever's Omo detergent is adding an unusual ingredient to its two-pound
detergent box in Brazil: a GPS device that allows its promotions agency
Bullet to track shoppers and follow them to their front doors.

Starting next week, consumers who buy one of the GPS-implanted detergent
boxes will be surprised at home, given a pocket video camera as a prize and
invited to bring their families to enjoy a day of Unilever-sponsored outdoor
fun. The promotion, called Try Something New With Omo, is in keeping with
the brand's international "Dirt is Good" positioning that encourages parents
to let their kids have a good time even if they get dirty.



Date: Fri, 23 Jul 2010 14:20:55 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Online Trust Again

New twist on trust when storing data online, *InfoWorld Home*, 23 Jul 2010
One reader learns a harsh lesson about online data storage when she
has to beg access to her records after a business breakup

Opening paragraphs:

Gripe Line reader Joan wrote in to warn readers about trusting important
financial and business documents to Web storage services.  "About a year
ago, my business partner embezzled the remaining assets of a trucking
company we founded together," Joan says. "We had been storing our invoices
and trucking contracts on a secure site using the uReach virtual faxing

After her partner scarpered, she tried to get access to those documents but
found she didn't have the passwords. "We paid for the service with my
personal credit card," she says, "but uReach let my partner keep the
account."  Joan was reduced to calling the company and pleading to get
access to her own files.  "It took more time than she wanted," explains
uReach spokesperson Saul Einbinder. "It was a couple of weeks before she was
able to provide the documentation required by our privacy policy. She was
very upset. It was a difficult situation."


Date: Wed, 28 Jul 2010 10:32:01 -0400
From: Monty Solomon <monty_at_private>
Subject: Citi Discovers Security Flaw in iPhone Application (Nick Bilton)

[Source: Nick Bilton, *The New York Times*, 26 Jul 2010; PGN-ed]

After Citigroup on Monday discovered a potential security flaw in the Apple
iPhone app that its customers use to access its Web site, the bank urged
customers to upgrade to a newer version of the software, which it says will
correct the problem. Citigroup said the original app accidentally saved
information from a banking customer's account into a hidden file on the
iPhone. The statement from Citigroup was first reported by *The Wall Street
Journal*.  Citigroup said the update "deletes any Citi Mobile information
that may have been saved" to a customer's iPhone or computer. The bank also
said the update "eliminates the possibility that this will occur in the
future."  Although Citigroup was working with customers to fix the problem,
the bank said it did not believe its customers' personal information was
affected.  Citigroup also said the bug only affected iPhone users in the
United States, though it did not say how many. ...

  [Peal me a gripe?  PGN]


Date: Sun, 25 Jul 2010 15:24:37 -0400
From: Monty Solomon <monty_at_private>
Subject: The Web Means the End of Forgetting (Jeffrey Rosen)

[Source: Jeffrey Rosen, *The New York Times*, 19 Jul 2010; PGN-ed]

Four years ago, Stacy Snyder, then a 25-year-old teacher in training at
Conestoga Valley High School in Lancaster, Pa., posted a photo on her
MySpace page that showed her at a party wearing a pirate hat and drinking
from a plastic cup, with the caption "Drunken Pirate." After discovering the
page, her supervisor at the high school told her the photo was
"unprofessional," and the dean of Millersville University School of
Education, where Snyder was enrolled, said she was promoting drinking in
virtual view of her under-age students. As a result, days before Snyder's
scheduled graduation, the university denied her a teaching degree. Snyder
sued, arguing that the university had violated her First Amendment rights by
penalizing her for her (perfectly legal) after-hours behavior. But in 2008,
a federal district judge rejected the claim, saying that because Snyder was
a public employee whose photo didn't relate to matters of public concern,
her "Drunken Pirate" post was not protected speech.

When historians of the future look back on the perils of the early digital
age, Stacy Snyder may well be an icon. The problem she faced is only one
example of a challenge that, in big and small ways, is confronting millions
of people around the globe: how best to live our lives in a world where the
Internet records everything and forgets nothing - where every online photo,
status update, Twitter post and blog entry by and about us can be stored
forever. With Web sites like LOL Facebook Moments, which collects and shares
embarrassing personal revelations from Facebook users, ill-advised photos
and online chatter are coming back to haunt people months or years after the
fact. Examples are proliferating daily: there was the 16-year-old British
girl who was fired from her office job for complaining on Facebook, "I'm so
totally bored!!"; there was the 66-year-old Canadian psychotherapist who
tried to enter the United States but was turned away at the border - and
barred permanently from visiting the country - after a border guard's
Internet search found that the therapist had written an article in a
philosophy journal describing his experiments 30 years ago with L.S.D.


Date: Wed, 28 Jul 2010 14:41:21 -0400
From: Monty Solomon <monty_at_private>
Subject: Facebook privacy settings: Who cares? (Danah Boyd & Eszter Hargittai)

Danah Boyd and Eszter Hargittai, First Monday, Vol 15, No 8, 2 Aug 2010

Abstract: With over 500 million users, the decisions that Facebook makes
about its privacy settings have the potential to influence many people.
While its changes in this domain have often prompted privacy advocates and
news media to critique the company, Facebook has continued to attract more
users to its service. This raises a question about whether or not Facebook's
changes in privacy approaches matter and, if so, to whom. This paper
examines the attitudes and practices of a cohort of 18- and 19-year-olds
surveyed in 2009 and again in 2010 about Facebook's privacy settings. Our
results challenge widespread assumptions that youth do not care about and
are not engaged with navigating privacy. We find that, while not universal,
modifications to privacy settings have increased during a year in which
Facebook's approach to privacy was hotly contested. We also find that both
frequency and type of Facebook use as well as Internet skill are correlated
with making modifications to privacy settings. In contrast, we observe few
gender differences in how young adults approach their Facebook privacy
settings, which is notable given that gender differences exist in so many
other domains online.  We discuss the possible reasons for our findings and
their implications. ...



Date: Fri, 30 Jul 2010 19:59:38 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: Re: Risks of free-text fields in medical records (RISKS-26.12)

Regarding "Risks of free-text fields in medical records" -- a presentation I
heard described risks of FIXED-text fields in medical records: that they too
easily lead to accepting incorrect information.

With auto-complete fields, typing the beginning of a drug name can trigger a
pop-up of MANY drugs with the same root, where careless clicking selects the
wrong one, a common problem with Windows' auto-complete function.

Similarly, a pull-down field for dosage can lead to careless selection of an
incorrect value, a common problem with Windows' pull-down selection

I'm not sure what best practice is in entering medical records fields -- and
I'm not suggesting ruling out BOTH fixed- and variable-text fields (what
would that leave?) -- just noting that defining field values is a complex

  [This is one of those issues in which both arguments are partially
  correct.  Fixed fields are risky with poorly defined, overlapping,
  or otherwise confusing.   Free-text fields have many other risks.
  The risks question is much deeper than that dichotomy.  PGN]


Date: Fri, 23 Jul 2010 10:52:31 -0400
From: "Jonathan Kamens" <jik_at_private>
Subject: Re: Electronic business cards anyone? (Scott, RISKS-26.11)

"And what's wrong anyway with a bit of plain, honest text?!!"

Or, for people who want a "functional" business card (e.g., one that can be
imported easily into the recipient's contact list, which is the whole point,
isn't it?), what's wrong with the long-standing (first proposed 15 years
ago) and extremely widely adopted and supported vCard standard
<http://en.wikipedia.org/wiki/VCard> ?

  [Reminds me of the new V Gates at Dulles International.
  V Gates, Mein Herr?  PGN]


Date: Sat, 31 Jul 2010 15:40:10 +0100
From: Peter Duncanson <mail_at_private>
Subject: Re: BP: "Will no one rid me of this turbulent alarm?"

The quotation from a Transocean employee that "...that the system [on the
Deepwater Horizon drilling rig] that automatically sounded a general alarm
had been disabled because rig managers 'did not want people woken up at 3
a.m. with false alarms'" raises an interesting point. Tired workers are
accident prone, so ensuring that workers get uninterrupted sleep is a safety
matter. There are therefore competing risks: on the one hand there is the
clear risk of people not being warned immediately a dangerous situation has
developed, and on the other the risks of errors by people working when tired
because of losing sleep as a result of false alarms.

If it is not possible to prevent false alarms, it would seem prudent to
insist that off-duty workers sleep on a separate accommodation vessel
where they will be able to sleep undisturbed. The general alarm system
would not then need to be disabled on the drilling rig.

  [So, you put your soundest sleeper on board the rig... and *everyone* gets
  lots of rest -- until the rig blows skyhigh.  PGN]


Date: Thu, 22 Jul 2010 10:23:52 -0400
From: Paul Wallich <pw_at_private>
Subject: Re: Quiet electric & hybrid cars endanger ... (Klein, RISKS-26.11)

This may be a classic example of looking for solutions in the wrong
place. If you listen to cars in parking lots and other places where
pedestrians could get in trouble, a large component of the noise they make
is not engine noise but transmission/tire noise. I wonder if enhancing those
sounds would make cars uniformly detectable (preferably without interfering
with the quest for the lowest possible rolling resistance, albeit that
has its own issues).

  [And what if you are deaf?  PGN]


Date: Fri, 23 Jul 2010 11:03:50 -0400
From: "Jonathan Kamens" <jik_at_private>
Subject: Re: Quiet electric & hybrid cars endanger ... (Klein, RISKS-26.11)

Ah, the more things change, the more they stay the same.

I believe I first heard about the problem of electric cars being so quiet
that they would pose a danger to pedestrians (blind and otherwise) and
bicyclists from a kids' science program on TV *27 years ago*.

It's irksome that the car manufacturers haven't solved it yet and that the
governments that regulate vehicle safety haven't yet imposed a solution.
Irksome, but not surprising, since getting out in front of problems is not
something that government bureaucracies are particularly good at, and car
manufacturers tend to fight tooth and nail against any safety improvements
which won't help them sell cars.

Remember the scare campaign by car manufacturers against legislation
requiring new cars to have seatbelts? They actually ran television ads
telling people that seatbelts would make them *less* safe by trapping them
in the car in case of an accident, fire, vehicle plunging into a pond, etc.
That cultural meme started by that campaign is cited to this very day
<http://www.snopes.com/autos/techno/seatbelt.asp> by people too stupid or
clueless to understand risk and statistics, to justify why they don't wear a
seatbelt, don't think they should be legally required to, etc.

  [And don't forget your large dog has to wear a seatbelt, which causes
  him to bark incessantly -- which is likely to distract you.   PGN]


Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 26.13
Received on Mon Aug 02 2010 - 15:35:13 PDT