RISKS-LIST: Risks-Forum Digest  Monday 2 August 2010  Volume 26 : Issue 13

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.13.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Another GPS Near-Tragedy (Richard Grady)
Is Your Detergent Stalking You? (Matthew Kruk)
Online Trust Again (Gene Wirchenko)
Citi Discovers Security Flaw in iPhone Application (Nick Bilton via Monty Solomon)
The Web Means the End of Forgetting (Jeffrey Rosen via Monty Solomon)
Facebook privacy settings: Who cares? (Danah Boyd & Eszter Hargittai via Monty Solomon)
Re: Risks of free-text fields in medical records (Gabe Goldberg)
Re: Electronic business cards anyone? (Jonathan Kamens)
Re: BP: "Will no one rid me of this turbulent alarm?" (Peter Duncanson)
Re: Quiet electric & hybrid cars endanger ... (Paul Wallich, Jonathan Kamens)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 30 Jul 2010 16:50:40 -0700
From: Richard Grady <richard_at_private>
Subject: Another GPS Near-Tragedy

Three women got stranded in Death Valley, California for three days in mid-summer, led astray by their GPS. They got lost on 22 Jul, and were found on 25 Jul.

  Cooper said she had GPS onboard, and tried to use it. ``It kept telling me to go one mile and turn either right or left on Saline Valley Road.'' Cooper said she never saw a road sign and sometimes she'd go one mile and there was no turn at all. Cooper said by the time the fuel light came on in her Hyundai Accent, she had traveled so many miles there was no turning back. So she kept going forward hoping to come out of the desolation to ``a paved road leading somewhere.''

  http://pvtimes.com/news/lost-and-found-in-death-valley/

I live 60 miles away from Death Valley, and I know my way around there. Yet, I would never consider driving there in mid-summer with temperatures around 125 degrees F.

------------------------------

Date: Sun, 1 Aug 2010 13:37:40 -0600
From: "Matthew Kruk" <mkrukg_at_private>
Subject: Is Your Detergent Stalking You?

Brazil's Omo Uses GPS to Follow Consumers Home With Prizes
Posted by Laurel Wentz on 29 Jul 2010

Unilever's Omo detergent is adding an unusual ingredient to its two-pound detergent box in Brazil: a GPS device that allows its promotions agency Bullet to track shoppers and follow them to their front doors.

Starting next week, consumers who buy one of the GPS-implanted detergent boxes will be surprised at home, given a pocket video camera as a prize and invited to bring their families to enjoy a day of Unilever-sponsored outdoor fun. The promotion, called Try Something New With Omo, is in keeping with the brand's international "Dirt is Good" positioning that encourages parents to let their kids have a good time even if they get dirty.

http://adage.com/globalnews/article?article_id=145183

------------------------------

Date: Fri, 23 Jul 2010 14:20:55 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Online Trust Again

New twist on trust when storing data online, *InfoWorld Home*, 23 Jul 2010
One reader learns a harsh lesson about online data storage when she has to beg access to her records after a business breakup
http://www.infoworld.com/d/adventures-in-it/new-twist-trust-when-storing-data-online-025?source=IFWNLE_nlt_blogs_2010-07-23

Opening paragraphs:

Gripe Line reader Joan wrote in to warn readers about trusting important financial and business documents to Web storage services.
"About a year ago, my business partner embezzled the remaining assets of a trucking company we founded together," Joan says. "We had been storing our invoices and trucking contracts on a secure site using the uReach virtual faxing service."

After her partner scarpered, she tried to get access to those documents but found she didn't have the passwords. "We paid for the service with my personal credit card," she says, "but uReach let my partner keep the account." Joan was reduced to calling the company and pleading to get access to her own files.

"It took more time than she wanted," explains uReach spokesperson Saul Einbinder. "It was a couple of weeks before she was able to provide the documentation required by our privacy policy. She was very upset. It was a difficult situation."

------------------------------

Date: Wed, 28 Jul 2010 10:32:01 -0400
From: Monty Solomon <monty_at_private>
Subject: Citi Discovers Security Flaw in iPhone Application (Nick Bilton)

[Source: Nick Bilton, *The New York Times*, 26 Jul 2010; PGN-ed]
http://bits.blogs.nytimes.com/2010/07/26/citi-discovers-security-flaw-in-iphone-application/

[Photo caption: The Citigroup iPhone application can be used for mobile banking.]

After Citigroup on Monday discovered a potential security flaw in the Apple iPhone app that its customers use to access its Web site, the bank urged customers to upgrade to a newer version of the software, which it says will correct the problem.

Citigroup said the original app accidentally saved information from a banking customer's account into a hidden file on the iPhone. The statement from Citigroup was first reported by *The Wall Street Journal*. Citigroup said the update "deletes any Citi Mobile information that may have been saved" to a customer's iPhone or computer. The bank also said the update "eliminates the possibility that this will occur in the future."

Although Citigroup was working with customers to fix the problem, the bank said it did not believe its customers' personal information was affected. Citigroup also said the bug only affected iPhone users in the United States, though it did not say how many. ...

  [Peal me a gripe? PGN]

------------------------------

Date: Sun, 25 Jul 2010 15:24:37 -0400
From: Monty Solomon <monty_at_private>
Subject: The Web Means the End of Forgetting (Jeffrey Rosen)

[Source: Jeffrey Rosen, *The New York Times*, 19 Jul 2010; PGN-ed]
https://www.nytimes.com/2010/07/25/magazine/25privacy-t2.html

Four years ago, Stacy Snyder, then a 25-year-old teacher in training at Conestoga Valley High School in Lancaster, Pa., posted a photo on her MySpace page that showed her at a party wearing a pirate hat and drinking from a plastic cup, with the caption "Drunken Pirate." After discovering the page, her supervisor at the high school told her the photo was "unprofessional," and the dean of Millersville University School of Education, where Snyder was enrolled, said she was promoting drinking in virtual view of her under-age students. As a result, days before Snyder's scheduled graduation, the university denied her a teaching degree.

Snyder sued, arguing that the university had violated her First Amendment rights by penalizing her for her (perfectly legal) after-hours behavior. But in 2008, a federal district judge rejected the claim, saying that because Snyder was a public employee whose photo didn't relate to matters of public concern, her "Drunken Pirate" post was not protected speech.

When historians of the future look back on the perils of the early digital age, Stacy Snyder may well be an icon.
The problem she faced is only one example of a challenge that, in big and small ways, is confronting millions of people around the globe: how best to live our lives in a world where the Internet records everything and forgets nothing - where every online photo, status update, Twitter post and blog entry by and about us can be stored forever. With Web sites like LOL Facebook Moments, which collects and shares embarrassing personal revelations from Facebook users, ill-advised photos and online chatter are coming back to haunt people months or years after the fact. Examples are proliferating daily: there was the 16-year-old British girl who was fired from her office job for complaining on Facebook, "I'm so totally bored!!"; there was the 66-year-old Canadian psychotherapist who tried to enter the United States but was turned away at the border - and barred permanently from visiting the country - after a border guard's Internet search found that the therapist had written an article in a philosophy journal describing his experiments 30 years ago with L.S.D.

------------------------------

Date: Wed, 28 Jul 2010 14:41:21 -0400
From: Monty Solomon <monty_at_private>
Subject: Facebook privacy settings: Who cares? (Danah Boyd & Eszter Hargittai)

Danah Boyd and Eszter Hargittai, First Monday, Vol 15, No 8, 2 Aug 2010

Abstract:

With over 500 million users, the decisions that Facebook makes about its privacy settings have the potential to influence many people. While its changes in this domain have often prompted privacy advocates and news media to critique the company, Facebook has continued to attract more users to its service. This raises a question about whether or not Facebook's changes in privacy approaches matter and, if so, to whom. This paper examines the attitudes and practices of a cohort of 18- and 19-year-olds surveyed in 2009 and again in 2010 about Facebook's privacy settings. Our results challenge widespread assumptions that youth do not care about and are not engaged with navigating privacy. We find that, while not universal, modifications to privacy settings have increased during a year in which Facebook's approach to privacy was hotly contested. We also find that both frequency and type of Facebook use as well as Internet skill are correlated with making modifications to privacy settings. In contrast, we observe few gender differences in how young adults approach their Facebook privacy settings, which is notable given that gender differences exist in so many other domains online. We discuss the possible reasons for our findings and their implications. ...

http://www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/3086/2589

------------------------------

Date: Fri, 30 Jul 2010 19:59:38 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: Re: Risks of free-text fields in medical records (RISKS-26.12)

Regarding "Risks of free-text fields in medical records" -- a presentation I heard described risks of FIXED-text fields in medical records: that they too easily lead to accepting incorrect information.

With auto-complete fields, typing the beginning of a drug name can trigger a pop-up of MANY drugs with the same root, where careless clicking selects the wrong one, a common problem with Windows' auto-complete function. Similarly, a pull-down field for dosage can lead to careless selection of an incorrect value, a common problem with Windows' pull-down selection function.

I'm not sure what best practice is in entering medical records fields -- and I'm not suggesting ruling out BOTH fixed- and variable-text fields (what would that leave?) -- just noting that defining field values is a complex issue.

  [This is one of those issues in which both arguments are partially correct. Fixed fields are risky when poorly defined, overlapping, or otherwise confusing. Free-text fields have many other risks.
  The risks question is much deeper than that dichotomy. PGN]

------------------------------

Date: Fri, 23 Jul 2010 10:52:31 -0400
From: "Jonathan Kamens" <jik_at_private>
Subject: Re: Electronic business cards anyone? (Scott, RISKS-26.11)

"And what's wrong anyway with a bit of plain, honest text?!!"

Or, for people who want a "functional" business card (e.g., one that can be imported easily into the recipient's contact list, which is the whole point, isn't it?), what's wrong with the long-standing (first proposed 15 years ago) and extremely widely adopted and supported vCard standard <http://en.wikipedia.org/wiki/VCard> ?

  [Reminds me of the new V Gates at Dulles International. V Gates, Mein Herr? PGN]

------------------------------

Date: Sat, 31 Jul 2010 15:40:10 +0100
From: Peter Duncanson <mail_at_private>
Subject: Re: BP: "Will no one rid me of this turbulent alarm?"

The quotation from a Transocean employee that "...that the system [on the Deepwater Horizon drilling rig] that automatically sounded a general alarm had been disabled because rig managers "did not want people woken up at 3 a.m. with false alarms" raises an interesting point.

Tired workers are accident prone, so ensuring that workers get uninterrupted sleep is a safety matter. There are therefore competing risks: on the one hand there is the clear risk of people not being warned immediately a dangerous situation has developed, and on the other the risks of errors by people working when tired because of losing sleep as a result of false alarms.

If it is not possible to prevent false alarms, it would seem prudent to insist that off-duty workers sleep on a separate accommodation vessel where they will be able to sleep undisturbed. The general alarm system would not then need to be disabled on the drilling rig.

  [So, you put your soundest sleeper on board the rig... and *everyone* gets lots of rest -- until the rig blows skyhigh. PGN]

------------------------------

Date: Thu, 22 Jul 2010 10:23:52 -0400
From: Paul Wallich <pw_at_private>
Subject: Re: Quiet electric & hybrid cars endanger ... (Klein, RISKS-26.11)

This may be a classic example of looking for solutions in the wrong place. If you listen to cars in parking lots and other places where pedestrians could get in trouble, a large component of the noise they make is not engine noise but transmission/tire noise. I wonder if enhancing those sounds would make cars uniformly detectable (preferably without interfering with the quest for the lowest possible rolling resistance, albeit that has its own issues).

  [And what if you are deaf? PGN]

------------------------------

Date: Fri, 23 Jul 2010 11:03:50 -0400
From: "Jonathan Kamens" <jik_at_private>
Subject: Re: Quiet electric & hybrid cars endanger ... (Klein, RISKS-26.11)

Ah, the more things change, the more they stay the same.

I believe I first heard about the problem of electric cars being so quiet that they would pose a danger to pedestrians (blind and otherwise) and bicyclists from a kids' science program on TV *27 years ago*. It's irksome that the car manufacturers haven't solved it yet and that the governments that regulate vehicle safety haven't yet imposed a solution.

Irksome, but not surprising, since getting out in front of problems is not something that government bureaucracies are particularly good at, and car manufacturers tend to fight tooth and nail against any safety improvements which won't help them sell cars. Remember the scare campaign by car manufacturers against legislation requiring new cars to have seatbelts? They actually ran television ads telling people that seatbelts would make them *less* safe by trapping them in the car in case of an accident, fire, vehicle plunging into a pond, etc.
That cultural meme started by that campaign is cited to this very day <http://www.snopes.com/autos/techno/seatbelt.asp> by people too stupid or clueless to understand risk and statistics, to justify why they don't wear a seatbelt, don't think they should be legally required to, etc.

  [And don't forget your large dog has to wear a seatbelt, which causes him to bark incessantly -- which is likely to distract you. PGN]

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.13
************************