RISKS-LIST: Risks-Forum Digest  Saturday 4 June 2011  Volume 26 : Issue 46

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.46.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Ash clouds: No Man is an Island (Der Spiegel)
Another role for provers? (Martyn Thomas)
Diebold employee accused of loading fake money into ATM machines (Henry K Lee)
Russian Company Cracks IOS 4 Hardware Encryption (John E. Dunn via Steve Goldstein)
Lockheed Martin: Uh-Oh! (Randall Webmail)
Updated rogue AV installs on Macs without password (Elinor Mills via Monty Solomon)
Sour Cookies in the UK (Gene Wirchenko)
Skype is reportedly reverse-engineered: Skype threatens to crush open-source versions (Lauren Weinstein)
Excerpted items from Lauren Weinstein's Network Neutrality Squad (PGN)
Graffiti meets YouTube (Rob Slade)
On the risks of an incompletely implemented idea (Jon Seymour)
Left hand doesn't talk to right hand (Rick Gee)
Study Sees Way to Win Spam Fight (John Markoff via Monty Solomon)
Virtual slave labor in China (Mark Thorson)
Different banks' ATMs have different masking policies (jidanni)
'A Google Oddity' in the echoes of Y2K (Joe Loughry)
Re: "Automatic Updates" considered Zombieware (Steve Loughran)
Re: Car Talk and Talk and... (Steve Loughran, Peter Houppermans)
Re: You must enable javascript to view this page (Joseph Brennan)
Re: REVIEW: "The Black Swan", Nassim Nicholas Taleb (Stephen Bounds)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 25 May 2011 10:21:34 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Ash clouds: No Man is an Island

Ash Cloud Caused Flight Disruption in Germany (Der Spiegel Online)

Hundreds of flights were canceled in Germany and tens of thousands of passengers were forced to change their travel plans on Wednesday after the ash cloud from an Icelandic volcano shut the airports of Berlin, Hamburg and Bremen.  [as well as in Ireland and Britain, ... ]

http://www.spiegel.de/international/europe/0,1518,764795,00.html

------------------------------

Date: Wed, 01 Jun 2011 08:41:08 +0100
From: Martyn Thomas <martyn_at_thomas-associates.co.uk>
Subject: Another role for provers?

The complexity of an esoteric Hong Kong financial instrument has come back to haunt Goldman Sachs after a simple typographical slip threatened to cost it HK$350m (27m UK pounds).

The error appeared in the small print of a phone book-sized prospectus accompanying the issue in February of four so-called "exchange-traded warrants" which offered exposure to Japan's Nikkei index of leading shares. In a formula to calculate the value of the warrants a multiplication symbol appeared where there should have been a division.

The potentially costly error appeared in the bank's paperwork despite it having been scrutinised and approved by the Hong Kong stock exchange. Such warrants are hugely popular in Hong Kong, with 14,400 similar products said to have been issued last year by large investment banks.

It was not until the end of March -- almost seven weeks after the warrants had been issued -- that a lawyer from Goldman reported the mistake to the stock exchange. For almost two hours the price of warrants began to soar until trading was suspended at the bank's request.

Goldman has offered to buy back warrants at a 10% premium, an offer accepted by 75% of holders. However, a hard core of large investors believe they are contractually entitled to considerably more.
One told the Economist magazine the bank's offer was worth HK$10m, whereas a strict application of the formula suggested the warrants could be worth $350m.

http://www.guardian.co.uk/business/2011/may/31/goldman-sachs-libya-investment (final paragraphs).

------------------------------

Date: Tue, 31 May 2011 19:05:08 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Diebold employee accused of loading fake money into ATM machines

Henry K. Lee at hlee_at_private, ATM repairman accused of loading fake money, *San Francisco Chronicle*, 26 May 2011
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2011/05/26/BANQ1JLBKP.DTL&tsp=1

An employee of an ATM servicing company has been charged with swapping $200,000 in fake bills for real cash at machines in Daly City and San Francisco. Samuel Kioskli, 64, of San Francisco was wanted on a warrant when he was arrested during a routine traffic stop in Phoenix on May 11, 10 months after the thefts. Kioskli was an employee of Diebold, which services ATMs for Bank of America.

On 4 July 2010, Kioskli went to six bank branches in San Francisco and one in Daly City and stole about $200,000 by replacing cash in the machine trays with counterfeit or photocopied $20 bills. Kioskli used his work card key to access the ATMs and was captured on video at all seven locations. The next day, Kioskli "abandoned his wife and disappeared." His wife reported him missing, and angry Bank of America customers contacted the bank to complain about the fake money.

He pleaded not guilty in San Mateo County Superior Court to charges of burglary, embezzlement, forgery and possession of counterfeiting apparatus. He is being held in lieu of $25,000 bail. He faces similar charges in San Francisco.

------------------------------

Date: May 25, 2011 8:57:32 AM PDT
From: Steve Goldstein <steve.goldstein_at_private>
Subject: Russian Company Cracks IOS 4 Hardware Encryption

[Note: This item comes from Dewayne Hendricks via Dave Farber's IP.]

John E. Dunn, IDG-News-Service, London-bureau, 25 May 2011
<http://www.pcworld.com/businesscenter/article/228625/russian_company_cracks_ios_4_hardware_encryption.html>

Having cracked Apple iPhone backups last year, Russian security company ElcomSoft appears to have found a reliable way to beat the layered encryption system used to secure data held on the smartphone itself.

Since the advent of iOS 4 in June 2010, Apple has been able to secure data on compatible devices using a hardware encryption system called Data Protection, which stores a user's passcode key on an internal chip using 256-bit AES encryption. Adding to this, each file stored on an iOS device is secured with an individual key computed from the device's Unique ID (UID). Apple products containing this security design include all devices from 2009 onwards, including the iPhone 3GS (which can be upgraded to iOS 4), iPhone 4, iPad, iPad 2 and recent iPod Touch models.

ElcomSoft has not explained how it hacked the hardware-stored key system in detail for commercial reasons, but the first point of attack appears to have been the user system passcode itself as all other keys are only vulnerable to attack once the device is in an unlocked state.

The company said it had been aided by subtle weaknesses in the security architecture used by Apple, starting with the default passcode length of 4 digits. This yields only 10,000 possible number variations, which the company said most users would likely use to secure their devices without question. The only limitation in breaking this key using a brute-force attack was the need to run through the possible combinations on the iPhone or iOS device itself, which took between 10 and 40 minutes, far longer than would have been the case using a desktop PC.

------------------------------

Date: May 27, 2011 9:56:34 PM EDT
From: Randall Webmail <rvh40_at_private>
Subject: Lockheed Martin: Uh-Oh!

[From Dave Farber's IP distribution.
PGN]

Reuters is reporting that unknown hackers have broken into the networks of Lockheed Martin and other major defense contractors and may have gained access to sensitive information on present and future weapons systems.

Reuters had reported earlier on Friday that "Lockheed Martin, the Pentagon's No. 1 supplier, is experiencing a major disruption to its computer systems that could be related to a problem with network security."

The disruption began last Sunday, when security experts detected an intrusion. According to an anonymous source with knowledge of the attacks, the hackers used data stolen in March from the RSA security division of EMC Corp. to duplicate security keys which gave them access to the networks.

[SNIP]

http://www.rawstory.com/rs/2011/05/27/hackers-penetrate-u-s-defense-contractors-security-networks/

------------------------------

Date: Wed, 25 May 2011 22:34:26 -0400
From: Monty Solomon <monty_at_private>
Subject: Updated rogue AV installs on Macs without password (Elinor Mills)

A new version of rogue antivirus malware that targets the Macintosh operating system does not need victims to type in their administrator passwords to install and infect the machine.

The latest version of the malware has been overhauled to look like a native Mac OS X application and is using the application name MacGuard, according to an Intego blog post. But particularly concerning is the fact that unlike previous versions, which were dubbed Mac Defender, MacProtector, and MacSecurity, MacGuard installs itself without prompting for the admin password.

[Source: Elinor Mills, CNET, 25 May 2011]
http://news.cnet.com/8301-27080_3-20066174-245.html

How bad is the Mac malware scare? (FAQ)
http://news.cnet.com/8301-27080_3-20064394-245.html

How to remove MacDefender fake antivirus program
http://download.cnet.com/8301-2007_4-20064445-12.html

Securing your Mac from the new MacGuard malware variant
http://reviews.cnet.com/8301-13727_7-20066173-263.html

How to avoid or remove Mac Defender malware
http://support.apple.com/kb/ht4650

------------------------------

Date: Tue, 31 May 2011 11:27:09 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Sour Cookies in the UK

Nearly all UK business websites now technically illegal (EU sites to follow)
31 May 2011
http://successfulsoftware.net/2011/05/31/nearly-all-uk-business-websites-now-technically-illegal-eu-sites-to-follow/

On 26 May 2011, the rules on the use of cookies changed for UK businesses. You now have to explicitly ask every visitor to your website if they want to opt-in to `non-essential' cookies. This includes tracking and analytics cookies. The penalty for not doing so is a fine of up to 500,000 pounds.

The situation remains fluid at present. The introduction of this new law has been so shambolic that the UK government is giving businesses 12 months grace before they start enforcing it. I don't even know if the ruling applies to businesses based in the UK, web servers based in the UK or any website with UK visitors (if you do know, please comment below).

Perhaps Google et al will dream up a technical solution that keeps the EU happy without me having to make any changes to my website. Maybe pressure from businesses will force the government to back down. Perhaps someone will find a loophole (e.g. setting up a company outside the EU to host your website). Or maybe so many businesses will ignore this ridiculous law that it will be unenforceable. I am going to wait a few months to see how things play out.

This change in the law comes from an EU directive, so any of you reading this in EU countries other than the UK can stop smirking -- it is coming your way as well.
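The opt-in rule described in the item above (non-essential cookies, such as tracking and analytics cookies, may only be set after the visitor explicitly agrees) can be enforced on the server side by filtering the cookies a response is about to set. The following is an added example written for this digest, not code from the RISKS item or from the blog post it quotes; the cookie names, the `cookie_consent` consent cookie and its `yes` value are constructed for the illustration.

```python
"""Opt-in gate for non-essential cookies (added example, constructed names).

Essential cookies (session, CSRF token) and the consent cookie itself are always
allowed. Anything else is withheld until the visitor's request carries the
consent cookie; unknown cookie names are treated as non-essential, which is the
safe default under an opt-in regime.
"""
from http.cookies import SimpleCookie

CONSENT_COOKIE = "cookie_consent"              # constructed: "yes" == opted in
ESSENTIAL = {"session", "csrf_token"}          # needed for the site to function
NON_ESSENTIAL = {"_ga", "_gid", "ad_segment"}  # analytics / tracking: opt-in only


def parse_cookie_header(header):
    """Turn a request's Cookie: header into a {name: value} dict (empty if absent)."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def has_opted_in(request_cookies):
    """True only when the visitor has explicitly consented to non-essential cookies."""
    return request_cookies.get(CONSENT_COOKIE) == "yes"


def classify(name):
    """'essential' for strictly necessary cookies, 'non-essential' for all others."""
    if name in ESSENTIAL or name == CONSENT_COOKIE:
        return "essential"
    return "non-essential"


def filter_set_cookies(request_cookie_header, wanted):
    """wanted maps cookie name -> value the application would like to set.

    Returns (allowed, withheld): the cookies that may be sent, and the names
    held back because the visitor has not opted in to non-essential cookies.
    """
    opted_in = has_opted_in(parse_cookie_header(request_cookie_header))
    allowed, withheld = {}, []
    for name, value in wanted.items():
        if classify(name) == "essential" or opted_in:
            allowed[name] = value
        else:
            withheld.append(name)
    return allowed, withheld


def render_set_cookie_headers(allowed):
    """Build Set-Cookie header values for the cookies that passed the gate."""
    return [f"{name}={value}; Path=/; Secure; SameSite=Lax"
            for name, value in allowed.items()]


if __name__ == "__main__":
    # Constructed sample: the app wants a session cookie plus two tracking cookies.
    wanted = {"session": "s3cr3t", "_ga": "GA1.2.123", "ad_segment": "b7"}
    for hdr in ("session=s3cr3t", "session=s3cr3t; cookie_consent=yes"):
        allowed, withheld = filter_set_cookies(hdr, wanted)
        print(hdr, "->", render_set_cookie_headers(allowed), "withheld:", withheld)
```

The point of the design is that the decision is made once, centrally, from the request's own consent state, so a page cannot accidentally set an analytics cookie before the visitor has agreed; a consent banner only needs to set `cookie_consent=yes` and the rest follows.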
------------------------------

Date: Sat, 4 Jun 2011 09:33:40 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Skype is reportedly reverse-engineered: Skype threatens to crush open-source versions

http://j.mp/kt72Ke (phoronix)

"Yesterday we reported on a freelance researcher reverse-engineering the Skype protocol and beginning to write open-source code that would work with this popular VoIP network. A representative of Skype has now contacted Phoronix to inform us they will be taking "all necessary steps" to stop this effort."

 - - -

A quote from Skype (whose new master is Microsoft, let's remember) is quite telling:

"This unauthorized use of our application for malicious activities like spamming/phishing infringes on Skype's intellectual property. We are taking all necessary steps to prevent/defeat nefarious attempts to subvert Skype's experience. Skype takes its users' safety and security seriously and we work tirelessly to ensure each individual has the best possible experience."

Taking a play from other opponents of free speech and open source, we see Skype attempting to immediately associate open source compatibility efforts with criminal activities such as spamming/phishing ("safety and security"). I particularly enjoyed the use of the word "nefarious" in the quote, which is one of my favorite lexemes for invoking "Snidely Whiplash" bad-guy imagery.

http://www.vortex.com/lauren +1 (818) 225-2800 / Skype: vortex.com
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org
PRIVACY Forum: http://www.vortex.com

------------------------------

Date: Fri, 3 Jun 2011 11:19:05 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Excerpted items from Lauren Weinstein's Network Neutrality Squad

[Lauren has had a lot of RISKS-worthy items lately on his Network Neutrality Squad: www.nnsquad.org . Here are a few summarized, encouraging you to check out his analyses that are omitted here. PGN]

Skype reportedly reverse-engineered: Skype threatens to crush open-source versions
http://j.mp/kZLjWL (This message on Google Buzz)

Pentagon says black-hat hacking can be an act of war (with LW's analysis)
http://j.mp/j94Sse (This message on Google Buzz)
http://j.mp/iwIzdz (WSJ)

"The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force ... Pentagon officials believe the most-sophisticated computer attacks require the resources of a government. For instance, the weapons used in a major technological assault, such as taking down a power grid, would likely have been developed with state support, Pentagon officials say."

State lawmakers write law so badly it could criminalize casual password sharing among friends or relatives.
http://j.mp/jRUzrs (Huffington)

New Scientist: New media laws could mean jail for ordinary users
http://j.mp/jj3Set (New Scientist)

Virtually all Syria access to Google services appears to have been disrupted
http://j.mp/iXlwK9 (Google Transparency Report)

Why PROTECT IP Web Censorship Will Fail - But Lead to Much Worse
http://lauren.vortex.com/archive/000858.html

Twitter exposes British user in court "privacy" vendetta (with LW's analysis)

"The social network has passed the name, e-mail address and telephone number of a south Tyneside councillor accused of libeling the local authority via a series of anonymous Twitter accounts. South Tyneside council took the legal fight to the superior court of California, which ordered Twitter, based in San Francisco, to hand over the user's private details. It is believed to be the first time Twitter has bowed to legal pressure to identify anonymous users and comes amid a huge row over privacy and free speech online."
http://j.mp/kWI7qx (This message on Google Buzz)
http://j.mp/mBYtYL (UK Guardian)

------------------------------

Date: Thu, 26 May 2011 10:02:37 -0800
From: Rob Slade <rmslade_at_private>
Subject: Graffiti meets YouTube

A company called Autonomy, which has been selling image search technology, has launched an apparently freely available (open?) project called Aurasma. At the moment only available on iPhone 4, this allows you to "augment" the reality (that the mobile device sees) by adding video to overlay it.

http://www.bbc.co.uk/news/technology-13558137

In the article, the reporter/commentator opines that this is a cute trick, but only that. I'm going to go out on a limb and predict that this assessment is short-sighted (albeit only if the technology expands to other platforms).

Given that YouTube users are uploading 48 hours of video to the site every minute of the day, I suspect that the ability to create video graffiti, and "tag" it to any vista, location, or object, will be irresistible.

Apparently the company thinks this will be a platform that companies will use to create ads, to promote their products or shops at related locations. They probably will. However, myriad users will be creating other content, for the same images, and we will have SEO (Search Engine Optimization) battles that will make the malware and phishing sites we see now pale in comparison.

The Tokyo Chamber of Commerce or tourism board may wish to overlay video over certain landscapes or landmarks, but how will they stand up against thousands of geeks who've all seen Godzilla?

rslade_at_private slade_at_private rslade_at_private victoria.tc.ca/techrev/rms.htm
http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

------------------------------

Date: Wed, 25 May 2011 19:54:57 +1000
From: Jon Seymour <jon.seymour_at_private>
Subject: On the risks of an incompletely implemented idea

purl.org is a website dedicated to an idea.
That idea is that resources of worth should be named with persistent URLs. So, even if the host of a resource changes over time, the resource itself can be located by its long-lived, persistent URL. To this end, purl.org has long maintained a database of such URLs.

The way it works is that you register with the site, create a subdomain of the purl.org URL namespace and register URLs in that subdomain and define associated redirects that point to the actual resource. People who ask for a resource via its persistent URL are redirected to the website that currently hosts the resource. If the location of a resource ever changes, the maintainer of the URL can update the redirect and consumers of the URL are unaffected by the relocation of the resource.

Nice idea, except that there is a problem. The site:

  * does not have a password reset feature for maintainer accounts
  * does not document how to reset the password
  * does not respond to e-mails with questions about how to reset such passwords
  * doesn't obviously have a mechanism to recover URL space from maintainers who die

Remarkable. We have an organisation that has dedicated its entire existence to the idea that PURLs should be long lived and persistent, but fails to deal with the problem of a URL maintainer forgetting a password or dying before revealing the password. Without a strategy for dealing with such possibilities, what is the point of a PURL?

------------------------------

Date: Thu, 26 May 2011 13:27:26 -0700
From: Rick Gee <RGEE_at_private>
Subject: Left hand doesn't talk to right hand

Recently I logged on the City of Kelowna (BC, Canada) website to claim the home owner grant against my property taxes. The login asks for the Roll Number and an Access Code, both provided on the tax statement, received via snailmail. My Roll Number is five digits followed by a period followed by three digits. When you enter it that way, you receive an error message, rebuking you for entering the period.
There is no indication on the login screen that the period must not be entered. Of course, the script handling the login could remove it, but that might be too simple.

The truly wonderful part of the story is that, once you have logged in, everywhere the Roll Number is shown, the period is included.

Rick Gee, Computer Science department, Okanagan College, Kelowna, BC
http://people.okanagan.bc.ca/rgee 250 762 5445 local 4634

------------------------------

Date: Sun, 29 May 2011 18:51:57 -0400
From: Monty Solomon <monty_at_private>
Subject: Study Sees Way to Win Spam Fight (John Markoff)

John Markoff, *The New York Times*, 19 May 2011

For years, a team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, the billions of unwanted e-mail messages generated by networks of zombie computers controlled by the rogue programs called botnets. They even coined a term, "spamalytics," to describe their work.

Now they have concluded an experiment that is not for the faint of heart: for three months they set out to receive all the spam they could (no quarantines or filters need apply), then systematically made purchases from the Web sites advertised in the messages.

The hope, the scientists said, was to find a "choke point" that could greatly reduce the flow of spam. And in a paper to be presented on Tuesday at the annual IEEE Symposium on Security and Privacy in Oakland, Calif., they will report that they think they have found it.

It turned out that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by just three financial companies - one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies.

The researchers looked at nearly a billion messages and spent several thousand dollars on about 120 purchases. No single purchase was more than $277.
[Nick Weaver presented their paper at the IEEE Symposium on Security and Privacy in May 2011. PGN]

http://www.nytimes.com/2011/05/20/technology/20spam.html

------------------------------

Date: Sat, 28 May 2011 11:29:37 -0700
From: Mark Thorson <eee_at_private>
Subject: Virtual slave labor in China

Article alleges prison labor is forced to earn virtual gold in World of Warcraft, which is then sold for real money, a practice called "gold farming".

http://www.guardian.co.uk/world/2011/may/25/china-prisoners-internet-gaming-scam

The risk is creating a virtual world with such value that it affects the real world. The article claims that the trade in virtual gold is outside the control of the proprietors of World of Warcraft, but how can that be possible? They control every aspect of their virtual world. If they don't control it, it is because they have decided not to control it.

------------------------------

Date: Fri, 03 Jun 2011 13:05:07 +0800
From: jidanni_at_private
Subject: Different banks' ATMs have different masking policies

Different banks' ATMs have different masking policies. So you guessed it, looking at just a couple of a pocketful of VISA(tm) Cash Advance receipts,

  435117851*8*2*8*  HUA NAN COMM'L TAIPEI
  435117******2188  TAIPEI FUBON B TAIPEI
  435117851187****  TAIWAN COOPERA TAIPEI

even a five-year old can figure out the card number.

------------------------------

Date: Mon, 16 May 2011 22:56:58 +0100
From: Joe Loughry <joe.loughry_at_private>
Subject: 'A Google Oddity' in the echoes of Y2K

The chemistry blog 'In the Pipeline' on 16th May 2011 pointed out an interesting higher-order effect possibly attributable to Y2K errors:

'...if you search the word "biotechnology" in Google's Ngram search engine, something odd happens. There's the expected rise in the 1970s and 80s, but there's also a bump in the early 1900s, for no apparent reason. Curious about this, I ran several other high-tech phrases through and found the exact same effect.
'Here's a good example, with some modern physics phrases. And you get the same thing if you search "nanotechnology", "ribosome", "atomic force microscope", "RNA interference", "laser", "gene transfer", "mass spectrometer" or "nuclear magnetic resonance". There's always a jump back in exactly the same period on the early 1900s.'

The brief fashion amongst Victorians for writing articles about string theory and dark matter could be the result of '1999 + 1 = 1900'. Perhaps.

But how likely is that really, a decade past Y2K? Is it not more plausible that today's students remain unaware of results in dusty journals on library stacks that are not easily available on-line yet?

The Higgs boson was found in Prague in 1925. It just hasn't got through peer review yet.

Source: http://pipeline.corante.com/archives/2011/05/16/a_google_oddity.php#comments

Joe Loughry, Doctoral student, Computing Laboratory, St Cross College, Oxford

------------------------------

Date: Wed, 25 May 2011 10:38:47 +0100
From: Steve Loughran <steve.loughran_at_private>
Subject: Re: "Automatic Updates" considered Zombieware

Henry Baker complains about the amount of network traffic dedicated to downloading background updates. Consider this:

1. Every program that is capable of parsing untrusted content from remote web sites is potentially vulnerable to exploits of parser errors or other security holes.

2. Every program that can open files downloaded from web sites is capable of parsing untrusted content.

3. By default, Internet Explorer, Firefox and other browsers will hand off remote content to the application that is registered to handle it, based on MIME type and file extension.

4. Therefore, every program that can open a file is potentially a security risk that has to be kept patched.

When you also add in function creep -- especially in the Acroread family -- the vulnerability of applications increases.
Who knew that Excel spreadsheets could host Flash content with 0-day exploits until RSA got owned that way? Who knew that Acroread had JavaScript support until exploits for it started appearing in the wild?

Keeping every Internet-connected application patched is essential -- which means every application you have installed. Yet neither Windows nor OS X has a service that allows third party applications to keep themselves up to date; instead they must install their own "updater" applications, which slow down system boot, increase the memory footprint, and which don't collaborate to keep bandwidth allocated to updates under control.

At least on Linux, the updater tools, apt and yum, do keep everything up to date in one go, even if there is a potential lag between a vendor-released patch and the new binaries getting into the Linux repositories. But don't think the bandwidth used for Linux updates is any less -- it's just that you can schedule your weekly update to a time that suits you, not the programs.

------------------------------

Date: Wed, 25 May 2011 10:24:07 +0100
From: Steve Loughran <steve.loughran_at_private>
Subject: Re: Car Talk and Talk and... (Joseph B. White)

The idea of having cars talk to each other or the infrastructure seems to miss an important point: As of 2008 in the UK, the majority of people Killed or Seriously Injured (KSI) are not actually in motor vehicles: they are people on foot or bicycle [1]. While in a decade driving has become safer, due to all the features added to cars, a side effect has been that per passenger mile, walking and cycling have become more dangerous relative to being in a car. Yet it is the people driving that are the primary sources of death and (serious) injury.

Any feature in cars that allows drivers to pay less attention to the road isn't going to increase road safety; it will become another risk compensation feature, especially in cities: "now you can check in to facebook while driving!"
Clearly car manufacturers would like to sell these features either in terms of passenger safety, fuel economy and a way of introducing technical obsolescence in vehicles that would otherwise last for many years, and companies whose business models depend on people consuming data or voice (telcos, web companies) would support it too.

However it's not clear to me how much it would improve safety compared to adding black-box systems to cars; to log the actions prior to any collision, the state of the vehicle, maybe even off-car data rates, videos from the car and neighbouring cars after a collision event. These may change people's behaviour better than saying "don't worry about hitting anything, as the computer in your car will look out for you".

[1] http://www.dft.gov.uk/adobepdf/162469/221412/221549/227755/rrcgb2008.pdf

------------------------------

Date: Wed, 25 May 2011 08:27:53 +0200
From: Peter Houppermans <peter_at_private>
Subject: Re: Car Talk and Talk and (26.45)

Regarding "Car Talk and Talk and.." (Joseph B. White via Eli the Bearded) - RISKS 26.45

There are indeed a number of issues I would like to see worked out first. A small selection:

* Who is liable when I'm not really in charge of my car and an accident occurs? These systems can have a better reaction time than a human being, but they "cannat change the laaw of physics" (apologies for my poor rendering of an irreplaceable Scottish accent).

* The better reaction time will give indeed an adoption cycle problem, similar to what took place with early ABS systems: your equipped car may manage a panic stop, but the likelihood of being rear-ended by a non-equipped car is very high (been there..).

* Not a word on fighting external influences. Car connectivity is already giving rise to concerns as it provides a gateway to onboard electronics (which presently appear to have somewhere between poor to no defense at all against "creative engineering").
It's just over a year ago that a research team found they could hack into a car on remote, and gain so much control over the onboard electronics that they could disable the brakes (*). That's a really fun virus to spread in a chain of cars that follow each other to minimise wind resistance.

* Speaking of wind resistance - this will need some algorithm to change the front end car which is taking the economy hit for being up front. Indeed, I can see some home hacks which may stop a car from chaining if it is upfront, leaving others to pick up the bill..

Et cetera ad infinitum - the above was without even coffee in my system, so a dedicated research team or someone with malicious intent will most certainly come up with more..

2012: A *car* Odyssey?

(*) http://www.autosec.org/pubs/cars-oakland2010.pdf

------------------------------

Date: Thu, 26 May 2011 09:43:13 -0400
From: Joseph Brennan <brennan_at_private>
Subject: Re: You must enable javascript to view this page (jidanni, R 26 45)

> You must enable javascript to view this page. This is a requirement of
> our licensing agreement with music Gracenote.

Besides that, lynx lists an incredible 218 links on that page, most of which are not visible in Firefox. I pasted into Firefox one of the links of the form 'http://lyrics.wikia.com/User:string' and it gave me write access to the user's profile, blog, favorite pages, pages the user is following, and photo.

------------------------------

Date: Wed, 25 May 2011 01:44:26 +0000
From: "Stephen Bounds" <km_at_private>
Subject: Re: REVIEW: "The Black Swan", Nassim Nicholas Taleb

I actually think Taleb's "Fooled by Randomness" is a better book. In my opinion, it makes the case for being aware of "Extremistan's" power law distributions much better.

Taleb does spend a long time to say not very much. But I feel there are three key lessons that all "RISKS" readers should learn:

1. Don't assume a Gaussian distribution ("Mediocristan") of event propensities in a given situation.
   Try to check if in fact a power law distribution ("Extremistan") applies.

2. Recognise that people who wrongly assume Mediocristan will take inadequate mitigation steps, due to their false presumption that large deviations from the observed mean are vanishingly small.

3. Design your systems and processes to be resilient rather than protective. This will allow a rapid recovery from any event, even those you didn't foresee.

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.  Subscription and unsubscription
 requests require that you reply to a confirmation message sent to the
 subscribing mail address.  Instructions are included in the confirmation
 message.  Each issue of RISKS that you receive contains information on how
 to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.
 Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.46
************************