RISKS-LIST: Risks-Forum Digest  Friday 14 January 2011  Volume 26 : Issue 30

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.30.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents: [Catching up with the backlog]
For Some Travelers Stranded in Airports, Relief Is in 140 Characters
  (Kim Severson via Monty Solomon)
Risks of not securing public infrastructure (John Sawyer)
Against Headphones (Virginia Heffernan via Monty Solomon)
The dangers of GPS/GNSS (jidanni)
Calif. Supreme Court - cell phones can be searched without warrants (PGN)
Login for Facebook (jidanni)
Re: Cell phone "emergency mode" *preventing* 911 call (Amos Shapir)
Re: Risks of Touring the White House (Steve Wildstrom)
Re: Risks of panic about SSNs (John Levine)
Re: Health information technology risks (Ken)
I am stupid, and it has cost me: Hard Drive woes, Pass 2 (Paul Robinson)
Re: I am stupid, and it has cost me (George Adomavicius)
Re: "Risk of coffee in the cockpit", maybe, maybe not (Mark Brader)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 1 Jan 2011 13:22:42 -0500
From: Monty Solomon <monty_at_private>
Subject: For Some Travelers Stranded in Airports, Relief Is in 140 Characters
  (Kim Severson)

[Source: Kim Severson, *The New York Times*, 29 Dec 2010]
http://www.nytimes.com/2010/12/30/us/30airlines.html

Atlanta - Some travelers stranded by the great snowstorm of 2010 discovered a new lifeline for help. When all else fails, Twitter might be the best way to book a seat home.
While the airlines' reservation lines required hours of waiting - if people could get through at all - savvy travelers were able to book new reservations, get flight information and track lost luggage. And they could complain, too.

Since [30 Dec 2010], nine Delta Air Lines agents with special Twitter training have been rotating shifts to help travelers wired enough to know how to "dm," or send a direct message. Many other airlines are doing the same as a way to help travelers cut through the confusion of a storm that has grounded thousands of flights this week.

But not all travelers, of course. People who could not send a Twitter message if their life depended on it found themselves with that familiar feeling that often comes with air travel - being left out of yet another inside track to get the best information.

For those in the digital fast lane, however, the online help was a godsend.

------------------------------

Date: Fri, 14 Jan 2011 11:17:32 +0000
From: John Sawyer <jpgsawyer_at_private>
Subject: Risks of not securing public infrastructure

The following report here states that unprotected SIM cards are part of traffic lights in Johannesburg.
http://www.joburg.org.za/index.php?option=com_content&view=article&id=6068&catid=88&Itemid=266

No surprises when thieves stole them to make free anonymous calls.

So which part of the risk assessment of this design ignored the fact that if the SIM was removed it could be used in any phone to make free calls? The mind boggles.

------------------------------

Date: Sat, 8 Jan 2011 21:40:47 -0500
From: Monty Solomon <monty_at_private>
Subject: Against Headphones (Virginia Heffernan)

[Source: Virginia Heffernan, *The New York Times*, 7 Jan 2011]
http://www.nytimes.com/2011/01/09/magazine/09FOB-medium-t.html

One in five teenagers in America can't hear rustles or whispers, according to a study published in August in The Journal of the American Medical Association.
These teenagers exhibit what's known as slight hearing loss, which means they often can't make out consonants like T's or K's, or the plinking of raindrops. The word "talk" can sound like "aw." The number of teenagers with hearing loss - from slight to severe - has jumped 33 percent since 1994.

Given the current ubiquity of personal media players - the iPod appeared almost a decade ago - many researchers attribute this widespread hearing loss to exposure to sound played loudly and regularly through headphones. (Earbuds, in particular, don't cancel as much noise from outside as do headphones that rest on or around the ear, so earbud users typically listen at higher volume to drown out interference.)

Indeed, the August report reinforces the findings of a 2008 European study of people who habitually blast MP3 players, including iPods and smartphones. According to that report, headphone users who listen to music at high volumes for more than an hour a day risk permanent hearing loss after five years.

Maybe the danger of digital culture to young people is not that they have hummingbird attention spans but that they are going deaf. ...

------------------------------

Date: Tue, 04 Jan 2011 11:15:55 +0800
From: jidanni_at_private
Subject: The dangers of GPS/GNSS

"The problem is that nothing works 100%. GPS is very close, but for some users under some circumstances, "very close" is not good enough"
Feb 2009, Börje Forssell
http://mycoordinates.org/the-dangers-of-gpsgnss/

------------------------------

Date: Tue, 4 Jan 2011 17:02:19 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Calif. Supreme Court - cell phones can be searched without warrants

Noted by Lauren Weinstein: http://bit.ly/gV2NbK (SFGate)

------------------------------

Date: Sun, 02 Jan 2011 12:17:01 +0800
From: jidanni_at_private
Subject: Login for Facebook

http://news.cnet.com/8301-27080_3-20025957-245.html

"Another potential problem for Web sites is that an outage at Facebook could affect the ability for people to log in on the other sites using Login for Facebook."

"Facebook advises people to make sure that when they are signing up via Login for Facebook on a site that a window pops up in a new browser and that it includes a legitimate Facebook.com Web address. Otherwise, the user could fall prey to a scam that looks like a legitimate Login for Facebook implementation but is instead a ruse to steal log in information."

------------------------------

Date: Tue, 4 Jan 2011 16:17:14 +0200
From: Amos Shapir <amos083_at_private>
Subject: Re: Cell phone "emergency mode" *preventing* 911 call (RISKS-26.26)

I have tried this on my own phone (a Samsung C3053); since the police emergency number in Israel is 100 rather than 911, I assumed I would not be calling them by mistake -- which the phone promptly did.

It seems that the local vendor had pre-programmed the phone to dial 100 as the default emergency number; this number can be dialed by choosing "emergency" from the menu, or by dialing the international emergency code 112 (which is defined to work even if the phone is off). Apparently, dialing 911 also triggers this function, although this is not documented anywhere.

In the case described in the referenced article, the phone's default emergency number could have been programmed to a number different than 911 (or not initialized at all), which is where the phone was redirected to when the actual 911 code was pressed.
------------------------------

Date: Fri, 14 Jan 2011 09:48:27 -0500
From: Steve Wildstrom <steve_at_private>
Subject: Re: Risks of Touring the White House (RISKS-26.29)

The White House has long required SSNs from visitors, presumably to facilitate background checks. The problem, of course, is society's penchant for using the SSN both for identification (OK, though a number with some sort of checksum would be better) and authentication (bad.) The best way to end the latter would be to follow Marcus Ranum's suggestion of some years ago and make all SSNs public.

Check out my new blog at swildstrom.wordpress.com
Steve Wildstrom  steve_at_private  Twitter: www.twitter.com/swildstrom
Swildstrom on Facebook & LinkedIn  www.wildstrom.com/steve

------------------------------

Date: 14 Jan 2011 18:18:57 -0000
From: John Levine <johnl_at_private>
Subject: Re: Risks of panic about SSNs

A sensible approach is to consider first, the likelihood of disclosure, and second, the costs if data are disclosed.

For the first, the chances of some random bad guy reading e-mail in transit is very low. This concern seems to be left over from the era when coax Ethernet cables snaked through the utility closets of college dormitories. How often do you hear about a bunch of e-mail in transit getting published by mistake?

For the second, SSNs are about the least confidential pieces of data around. Every bank, credit card, employer, and landlord has your SSN. In crimeware carder forums, you can buy data dumps with SSN for a dollar or so apiece. The real risk is the fiction that someone who presents your SSN has established that he is you. From a security viewpoint, we'd all be better off if our SSNs were tattooed on our foreheads so nobody thought they were secret.

You can certainly argue that the SSN is a lousy identifier, but it's silly to niggle about how it might be transmitted from one place to another.
John Levine, johnl_at_private, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

PS: Yeah, but what if the GOVERNMENT is spying on the White House?

------------------------------

Date: Sun, 26 Dec 2010 11:06:41 -0500
From: Ken <kenzolist_at_private>
Subject: Re: Health information technology risks (Wears, RISKS-26.25)

>[...] the social element of the sociotechnical system that is a
>hospital was able to quickly reorganize in multiple ways and
>keep essential services operating in at least some fashion for
>the duration. Many of these adaptations were made "on the fly" [...]

I consider this an example of one of the primary technology (esp. computers) risks to society: When an organization needs to spontaneously reorganize (on the fly or otherwise), and its operations are closely tied into its computer systems, changing the behavior of the organization becomes difficult and sluggish, as it requires the involvement and full cooperation of the relatively few people in the world who know how to change the computer systems, and the skill to do so without breaking them.

A relatively large number of people in any given organization know how to reorganize people and systems on the fly. But it's not usually many at all who have the skills to reshape the computer systems behind them.

In this story, some computer systems had failed, and one reason the medical center could manage its disaster was because it was temporarily no longer tied to those systems, and it could thusly experience the fluid changes its staff could envision. In a normal course of operations, bypassing the computer systems isn't an option, which makes change that could otherwise be performed by many people expensive and error prone.

This is a large societal problem, created by the widespread shift to computer dependency in an era when it's still the case that relatively few people are able to program computers.
------------------------------

Date: Thu, 13 Jan 2011 21:50:54 -0800 (PST)
From: Paul Robinson <paul_at_paul-robinson.us>
Subject: I am stupid, and it has cost me: Hard Drive woes, Pass 2

In RISKS-26.28, I told how I stupidly knocked over an external USB drive, and it won't work. A reader here made a suggestion: buy a duplicate, try disassembling the old drive, then put the components into a replacement long enough to recover the files to a third unit. Not a bad idea since the files are effectively lost anyway and I can't afford $1100 to have the drive recovered.

As I said I'm stupid. I also realized I ran a duplicate file finder a month ago on this drive and it had deleted some 12,000 duplicates, and I didn't even notice anything gone. Therefore my collection of just my lost music files, not counting anything else on the drive, probably isn't a mere 4,000 files, it's probably more like 14,000.

It's a Buffalo HB250U2, an external powered USB 2.0 drive and it's so "small" at 250GB they stopped selling them in 2007! So I used a screwdriver and opened it. It's effectively a USB hard drive adapter, and it contains a Western Digital WD250BB standard 3.5" hard drive with a 40-pin ATA (or SATA, I don't know which) adapter and 4-pin power cable. When it's powered up Windows "pings" to indicate it does see a good USB connection but the drive itself just makes a lot of clicks.

It could also be that the USB -> ATA conversion circuits are damaged. If another drive would work here, then that's not the case. I really do suspect the drive is damaged rather than the converter circuit but it's worth a try.

If the platters are not broken and if it's merely the head unable to move and not platter/spindle damage, then a move to a drive with an undamaged head might work. If I can figure a way to disassemble the drive, then move the old platters into a duplicate drive, I might be able to read the old drive contents onto a new drive.
I don't even need a jury-rigged contraption like that to work for a long time; I only have to get it to work long enough to read the old platters. These drives can still be bought now for about $65. So I might be able to solve my problem if two things are true: the old platters themselves are undamaged and I can move them to a duplicate of this drive. Worst case scenario is I waste $65 and find out I can't. So it will still hurt but at least there is a chance.

Also, I could try hooking this drive directly to an ATA cable and see if a utility program like Spinrite (that talks to the drive directly) can read it; then I don't even have to open it.

So I have options. We shall see.

------------------------------

Date: Fri, 14 Jan 2011 05:36:22 -0500
From: "George Adomavicius, Lanzena CCS" <lanzena_at_private>
Subject: Re: I am stupid, and it has cost me (Robinson, RISKS-26.28)

I just recently wrote an article that Paul's submission completely supports.
http://www.garnercitizen.com/2011/01/11/technology-corner-this-year-back-up-your-pc/

"This is by far the greatest computer-ownership failing I encounter, namely that PC owners do not back up their machines or critical data. It's almost like not changing the oil in your car - you can only get away with that for so long."

"When I am called on a more catastrophic service call ("Cannot boot up," "So virus-infected, I cannot get to the Internet at all"), I always ask, "Do you have any critical data on the machine, and do you have a backup of it?" The answers for those two questions range from yes/no to yes/sort-of to yes/I've-always-meant-to. If they have a backup, I ask if they have ever tested it or tried to restore from it. Invariably the answer is negative."

Paul's experience was my third category of catastrophic failure. The other two were Fire and Theft.
George Adomavicius, Cary NC
Lanzena Computer & Consulting Services, lanzena_at_private
919-413-1922  http://www.lanzenaccs.com

------------------------------

Date: Fri, 14 Jan 2011 04:29:13 -0500 (EST)
From: msb_at_private (Mark Brader)
Subject: Re: "Risk of coffee in the cockpit", maybe, maybe not

> [Also noted by Charlie Shub. citing the author of the 1961 movie
> Ernest K. Gann, and the Glenn Ford movie (1964). PGN]

Ernest K. Gann wrote the 1961 *book* "Fate is the Hunter". Harold Medford wrote the movie starring Glenn Ford. By all accounts it has little to do with the book; as far as I know, the coffee incident was invented for the movie.

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
risks-request_at_private
containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
risks-subscribe_at_private or risks-unsubscribe_at_private
depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.30
************************