[RISKS] Risks Digest 26.30

From: RISKS List Owner <risko_at_private>
Date: Fri, 14 Jan 2011 12:31:57 PST
RISKS-LIST: Risks-Forum Digest  Friday 14 January 2011  Volume 26 : Issue 30

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.30.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Catching up with the backlog]
For Some Travelers Stranded in Airports, Relief Is in 140 Characters
 (Kim Severson via Monty Solomon)
Risks of not securing public infrastructure (John Sawyer)
Against Headphones (Virginia Heffernan via Monty Solomon)
The dangers of GPS/GNSS (jidanni)
Calif. Supreme Court - cell phones can be searched without warrants (PGN)
Login for Facebook (jidanni)
Re: Cell phone "emergency mode" *preventing* 911 call (Amos Shapir)
Re: Risks of Touring the White House (Steve Wildstrom)
Re: Risks of panic about SSNs (John Levine)
Re: Health information technology risks (Ken)
I am stupid, and it has cost me: Hard Drive woes, Pass 2 (Paul Robinson)
Re: I am stupid, and it has cost me (George Adomavicius)
Re: "Risk of coffee in the cockpit", maybe, maybe not (Mark Brader)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 1 Jan 2011 13:22:42 -0500
From: Monty Solomon <monty_at_private>
Subject: For Some Travelers Stranded in Airports, Relief Is in 140 Characters
  (Kim Severson)

[Source: Kim Severson, *The New York Times*, 29 Dec 2010]
http://www.nytimes.com/2010/12/30/us/30airlines.html

Atlanta - Some travelers stranded by the great snowstorm of 2010 discovered
a new lifeline for help. When all else fails, Twitter might be the best way
to book a seat home.  While the airlines' reservation lines required hours
of waiting - if people could get through at all - savvy travelers were able
to book new reservations, get flight information and track lost luggage. And
they could complain, too.

Since [30 Dec 2010], nine Delta Air Lines agents with special Twitter
training have been rotating shifts to help travelers wired enough to know
how to "dm," or send a direct message. Many other airlines are doing the
same as a way to help travelers cut through the confusion of a storm that
has grounded thousands of flights this week.

But not all travelers, of course. People who could not send a Twitter
message if their life depended on it found themselves with that familiar
feeling that often comes with air travel - being left out of yet another
inside track to get the best information.

For those in the digital fast lane, however, the online help was a godsend.

------------------------------

Date: Fri, 14 Jan 2011 11:17:32 +0000
From: John Sawyer <jpgsawyer_at_private>
Subject: Risks of not securing public infrastructure

The following report here states that unprotected SIM cards are part of
traffic lights in Johannesburg.
http://www.joburg.org.za/index.php?option=com_content&view=article&id=6068&catid=88&Itemid=266

No surprises when thieves stole them to make free anonymous calls. So which
part of the risk assessment of this design ignored the fact that if the SIM
was removed it could be used in any phone to make free calls?

The mind boggles.

------------------------------

Date: Sat, 8 Jan 2011 21:40:47 -0500
From: Monty Solomon <monty_at_private>
Subject: Against Headphones (Virginia Heffernan)

[Source: Virginia Heffernan, *The New York Times*, 7 Jan 2011]
http://www.nytimes.com/2011/01/09/magazine/09FOB-medium-t.html

One in five teenagers in America can't hear rustles or whispers, according
to a study published in August in The Journal of the American Medical
Association. These teenagers exhibit what's known as slight hearing loss,
which means they often can't make out consonants like T's or K's, or the
plinking of raindrops. The word "talk" can sound like "aw." The number of
teenagers with hearing loss - from slight to severe - has jumped 33 percent
since 1994.

Given the current ubiquity of personal media players - the iPod appeared
almost a decade ago - many researchers attribute this widespread hearing
loss to exposure to sound played loudly and regularly through
headphones. (Earbuds, in particular, don't cancel as much noise from outside
as do headphones that rest on or around the ear, so earbud users typically
listen at higher volume to drown out interference.) Indeed, the August
report reinforces the findings of a 2008 European study of people who
habitually blast MP3 players, including iPods and smartphones. According to
that report, headphone users who listen to music at high volumes for more
than an hour a day risk permanent hearing loss after five years.

Maybe the danger of digital culture to young people is not that they
have hummingbird attention spans but that they are going deaf. ...

------------------------------

Date: Tue, 04 Jan 2011 11:15:55 +0800
From: jidanni_at_private
Subject: The dangers of GPS/GNSS

"The problem is that nothing works 100%. GPS is very close, but for
some users under some circumstances, "very close" is not good enough"
Feb 2009, Börje Forssell
http://mycoordinates.org/the-dangers-of-gpsgnss/

------------------------------

Date: Tue, 4 Jan 2011 17:02:19 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Calif. Supreme Court - cell phones can be searched without warrants

  Noted by Lauren Weinstein:
http://bit.ly/gV2NbK  (SFGate)

------------------------------

Date: Sun, 02 Jan 2011 12:17:01 +0800
From: jidanni_at_private
Subject: Login for Facebook

http://news.cnet.com/8301-27080_3-20025957-245.html

"Another potential problem for Web sites is that an outage at Facebook could
affect the ability for people to log in on the other sites using Login for
Facebook."

"Facebook advises people to make sure that when they are signing up via
Login for Facebook on a site that a window pops up in a new browser and that
it includes a legitimate Facebook.com Web address. Otherwise, the user could
fall prey to a scam that looks like a legitimate Login for Facebook
implementation but is instead a ruse to steal log in information."
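The advice quoted above ("a legitimate Facebook.com Web address") is easy to get wrong in code, so here is an added illustration that is not from the CNET article, the RISKS post or Facebook: a defender-side check that accepts an address only when it is an https URL whose host is facebook.com or a true subdomain of it. The sample addresses are constructed for the example.

```javascript
// Added example: validate the address shown in a "Login for Facebook" pop-up.
// The common mistake is a substring test such as address.includes("facebook.com"),
// which also accepts look-alike hosts. This check parses the URL and compares
// the host name exactly, so only facebook.com and its subdomains pass.
const LEGIT_HOST = "facebook.com"; // the domain named in the advice above

function isLegitimateFacebookLoginUrl(address) {
  let url;
  try {
    url = new URL(address); // throws on garbage or relative addresses
  } catch (e) {
    return false;
  }
  if (url.protocol !== "https:") {
    return false; // plain http (or any other scheme) is not a legitimate login page
  }
  // URL already lower-cases the host; comparing hostname ignores any
  // "user@" prefix, port, path and query, which is where look-alikes hide.
  const host = url.hostname;
  return host === LEGIT_HOST || host.endsWith("." + LEGIT_HOST);
}

// Constructed sample addresses with the verdict a reader should expect.
const SAMPLES = [
  ["https://www.facebook.com/login.php?api_key=X", true],
  ["https://m.facebook.com/dialog/oauth", true],
  ["http://www.facebook.com/login.php", false], // not https
  ["https://www.facebook.com.example.net/login", false], // look-alike suffix
  ["https://login-facebook.com/", false], // look-alike name
  ["https://facebook.com@example.net/", false], // userinfo trick
  ["https://example.net/?next=https://facebook.com", false], // domain only in the query
  ["not a url", false],
];

// Returns the sample addresses whose verdict does not match expectations;
// an empty array means every case behaved as intended.
function mismatchedSamples() {
  return SAMPLES.filter(([address, expected]) =>
    isLegitimateFacebookLoginUrl(address) !== expected
  ).map(([address]) => address);
}

console.log(mismatchedSamples()); // prints [] when all samples are judged correctly
```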

------------------------------

Date: Tue, 4 Jan 2011 16:17:14 +0200
From: Amos Shapir <amos083_at_private>
Subject: Re: Cell phone "emergency mode" *preventing* 911 call (RISKS-26.26)

I have tried this on my own phone (a Samsung C3053); since the police
emergency number in Israel is 100 rather than 911, I assumed I would not be
calling them by mistake -- which the phone promptly did.

It seems that the local vendor had pre-programmed the phone to dial 100 as
the default emergency number; this number can be dialed by choosing
"emergency" from the menu, or by dialing the international emergency code
112 (which is defined to work even if the phone is off).  Apparently,
dialing 911 also triggers this function, although this is not documented
anywhere.

In the case described in the referenced article, the phone's default
emergency number could have been programmed to a number different than 911
(or not initialized at all), which is where the phone was redirected to when
actual 911 code was pressed.

------------------------------

Date: Fri, 14 Jan 2011 09:48:27 -0500
From: Steve Wildstrom <steve_at_private>
Subject: Re: Risks of Touring the White House (RISKS-26.29)

The White House has long required SSNs from visitors, presumably to
facilitate background checks. The problem, of course, is society's penchant
for using the SSN both for identification (OK, though a number with some
sort of checksum would be better) and authentication (bad).  The best way to
end the latter would be to follow Marcus Ranum's suggestion of some years ago
and make all SSNs public.

Check out my new blog at swildstrom.wordpress.com

Steve Wildstrom steve_at_private Twitter: www.twitter.com/swildstrom
Swildstrom on Facebook & LinkedIn www.wildstrom.com/steve

------------------------------

Date: 14 Jan 2011 18:18:57 -0000
From: John Levine <johnl_at_private>
Subject: Re: Risks of panic about SSNs

A sensible approach is to consider first, the likelihood of disclosure, and
second, the costs if data are disclosed.

For the first, the chances of some random bad guy reading e-mail in transit
is very low. This concern seems to be left over from the era when coax
Ethernet cables snaked through the utility closets of college dormitories.
How often do you hear about a bunch of e-mail in transit getting published
by mistake?

For the second, SSNs are about the least confidential pieces of data around.
Every bank, credit card, employer, and landlord has your SSN.  In crimeware
carder forums, you can buy data dumps with SSN for a dollar or so apiece.
The real risk is the fiction that someone who presents your SSN has
established that he is you. From a security viewpoint, we'd all be better
off if our SSNs were tattooed on our foreheads so nobody thought they were
secret.

You can certainly argue that the SSN is a lousy identifier, but it's silly to
niggle about how it might be transmitted from one place to another.

John Levine, johnl_at_private, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

PS: Yeah, but what if the GOVERNMENT is spying on the White House?

------------------------------

Date: Sun, 26 Dec 2010 11:06:41 -0500
From: Ken <kenzolist_at_private>
Subject: Re: Health information technology risks (Wears, RISKS-26.25)

>[...] the social element of the sociotechnical system that is a
>hospital was able to quickly reorganize in multiple ways and
>keep essential services operating in at least some fashion for
>the duration.  Many of these adaptations were made "on the fly" [...]

I consider this an example of one of the primary technology (esp. computers)
risks to society: When an organization needs to spontaneously reorganize (on
the fly or otherwise), and its operations are closely tied into its computer
systems, changing the behavior of the organization becomes difficult and
sluggish, as it requires the involvement and full cooperation of the
relatively few people in the world who know how to change the computer
systems, and the skill to do so without breaking them.  A relatively large
number of people in any given organization know how to reorganize people and
systems on the fly.  But it's not usually many at all who have the skills to
reshape the computer systems behind them.

In this story, some computer systems had failed, and one reason the medical
center could manage its disaster was because it was temporarily no longer
tied to those systems, and it could thusly experience the fluid changes its
staff could envision.  In a normal course of operations, bypassing the
computer systems isn't an option, which makes change that could otherwise be
performed by many people expensive and error prone.  This is a large
societal problem, created by the widespread shift to computer dependency in
an era when it's still the case that relatively few people are able to
program computers.

------------------------------

Date: Thu, 13 Jan 2011 21:50:54 -0800 (PST)
From: Paul Robinson <paul_at_paul-robinson.us>
Subject: I am stupid, and it has cost me: Hard Drive woes, Pass 2

In RISKS-26.28, I told how I stupidly knocked over an external USB drive,
and it won't work.  A reader here made a suggestion: buy a duplicate, try
disassembling the old drive, then put the components into a replacement long
enough to recover the files to a third unit.  Not a bad idea since the files
are effectively lost anyway and I can't afford $1100 to have the drive
recovered.

As I said I'm stupid.  I also realized I ran a duplicate file finder a month
ago on this drive and it had deleted some 12,000 duplicates, and I didn't
even notice anything gone.  Therefore my collection of just my lost music
files, not counting anything else on the drive, probably isn't a mere 4,000
files, it's probably more like 14,000.

It's a Buffalo HB250U2, an external powered USB 2.0 drive and it's so
"small" at 250GB they stopped selling them in 2007!  So I used a screwdriver
and opened it.  It's effectively a USB hard drive adapter, and it contains a
Western Digital WD250BB standard 3.5" hard drive with a 40-pin ATA (or SATA,
I don't know which) adapter and 4-pin power cable.  When it's powered up
Windows "pings" to indicate it does see a good USB connection but the drive
itself just makes a lot of clicks.

It could also be that the USB -> ATA conversion circuits are damaged.  If
another drive would work here, then that's not the case.  I really do
suspect the drive is damaged rather than the converter circuit but it's
worth a try.

If the platters are not broken and if it's merely the head unable to move
and not platter/spindle damage, then a move to a drive with an undamaged
head might work. If I can figure a way to disassemble the drive, then move
the old platters into a duplicate drive, I might be able to read the old
drive contents onto a new drive. I don't even need a jury-rigged contraption
like that to work for a long time; I only have to get it to work long enough
to read the old platters.

These drives can still be bought now for about $65.

So I might be able to solve my problem if two things are true: the old
platters themselves are undamaged and I can move them to a duplicate of this
drive.  Worst case scenario is I waste $65 and find out I can't.  So it will
still hurt but at least there is a chance.

Also, I could try hooking this drive directly to an ATA cable and see if a
utility program like Spinrite (that talks to the drive directly) can read it
then I don't even have to open it. So I have options.

We shall see.

------------------------------

Date: Fri, 14 Jan 2011 05:36:22 -0500
From: "George Adomavicius, Lanzena CCS" <lanzena_at_private>
Subject: Re: I am stupid, and it has cost me (Robinson, RISKS-26.28)

I just recently wrote an article that Paul's submission completely supports.
http://www.garnercitizen.com/2011/01/11/technology-corner-this-year-back-up-your-pc/

"This is by far the greatest computer-ownership failing I encounter, namely
that PC owners do not back up their machines or critical data. It's almost
like not changing the oil in your car - you can only get away with that for
so long."

"When I am called on a more catastrophic service call ("Cannot boot up," "So
virus-infected, I cannot get to the Internet at all"), I always ask, "Do you
have any critical data on the machine, and do you have a backup of it?"

The answers for those two questions range from yes/no to yes/sort-of to
yes/I've-always-meant-to. If they have a backup, I ask if they have ever
tested it or tried to restore from it. Invariably the answer is negative."

Paul's experience was my third category of catastrophic failure.  The other
two were Fire and Theft.

George Adomavicius, Cary NC

Lanzena Computer & Consulting Services, lanzena_at_private 919-413-1922
http://www.lanzenaccs.com

------------------------------

Date: Fri, 14 Jan 2011 04:29:13 -0500 (EST)
From: msb_at_private (Mark Brader)
Subject: Re: "Risk of coffee in the cockpit", maybe, maybe not

>    [Also noted by Charlie Shub. citing the author of the 1961 movie
>    Ernest K. Gann, and the Glenn Ford movie (1964).  PGN]

Ernest K. Gann wrote the 1961 *book* "Fate is the Hunter".
Harold Medford wrote the movie starring Glenn Ford.  By all
accounts it has little to do with the book; as far as I know,
the coffee incident was invented for the movie.

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.30
************************
Received on Fri Jan 14 2011 - 12:31:57 PST
