RISKS-LIST: Risks-Forum Digest Tuesday 21 June 2011 Volume 26 : Issue 48 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/26.48.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: [Will try to shorten the backlog. Busy time. PGN] United Airlines system-wide computer failure (PGN) The Bitcoin fiasco (Mark Thorson) A new speed record for exposing plagiarism by web search? (Mark Brader) Risks of automatically generated weather forecast data (Nick Brown) Citi Says Credit Card Customers' Data Was Hacked (Chris V. Nicholson via Monty Solomon) SecurIDs Come Under Siege (Siobhan Gorman and Shara Tibken via Monty) Hackers steal quantum code (Peter Houppermans) Spam "e-books" becoming a major problem on Kindle e-book store (Lauren Weinstein) Nissan Leaf reportedly leaks data via RSS, including location/speed Casey Halverson via Lauren Weinstein) Subject: Fwd: British Spies Replace Terrorists' Online Bomb Instructions with Cupcake Recipe (Paisley Dodd via Monty Solomon) iPhone app measures frequency of common passcodes (Mark Thorson) RSA Insecurity (Nelson D. Schwartz and Christopher Drew via Monty Solomon) Customers angry at RSA over delay in admitting depth of breach (Lauren Weinstein) Conceal your breaches, and steel your breeches? (Dan Goodin) Spyware, the FBI, and The Failure of ISPs (John Dvorak via Monty Solomon) Fox News mistakenly uses Tina Fey picture in Sarah Palin story (Monty) Re: Skype is reportedly reverse-engineered (Rob Slade) Re: Cars that drive themselves (Spencer Cheng) Re: "Automatic Updates" considered Zombieware (David Gillett) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 21 Jun 2011 15:18:22 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: United Airlines system-wide computer failure Passengers were stranded at airports across the country Friday night [17 Jun 2011]after a failure in United Airlines' computer system. The disruption set off widespread delays at airports in San Francisco, Chicago and Washington, with many passengers left sitting in terminals or stuck on planes that were grounded. United said in a statement that the problems began at 8:15 p.m. New York time, when the computer failure knocked out its flight departures, airport processing and reservations systems. The statement did not address the nationwide delays, and a spokesman did not return a phone call seeking comment. http://www.nytimes.com/2011/06/18/us/18united.html AND THEN ON Slashdot: *United Airlines Passengers Stranded By Computer Outage*<https://tech.slashdot.org/story/11/06/18/0327241/United-Airlines-Passengers-Stranded-By-Computer-Outage> A computer outage with effects to dwarf those of the one that [0]stranded thousands of US Airways passengers last week. This time, it's United Airlines' systems that are [1] out of commission and [2] unable to handle passenger reservations, [3] leaving passengers stranded all over the U.S. Experiencing the resultant delays first-hand at Dulles Airport, our reporter saw United planes being sent on -- along with their passengers' luggage -- to the cities from which they're to leave tomorrow morning, in anticipation of the computer system being fixed in the interim. Links: 0. http://tech.slashdot.org/story/11/06/11/1625223/Computer-Glitch-Friday-Grounded-US-Airways-Flights 1. http://www.suntimes.com/6024132-417/computer-outage-delays-departures-of-united-airline-flights.html 2. http://www.nbcchicago.com/news/local/ohare-united-airlines-flights-124114134.html 3. http://seattletimes.nwsource.com/html/localnews/2015353612_united18m.html Also: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2011/06/17/BA4A1JVO6F.DTL&tsp=1 http://www.airliners.net/aviation-forums/general_aviation/read.main/5174667/ http://www.cnn.com/2011/US/06/18/united.flight.disruption/index.html?eref=mrss_igoogle_cnn http://travel.usatoday.com/flights/story/2011/06/Uniteds-flight-mess-latest-caused-by-computer-glitches/48564346/1 Also (from Lauren Weinstein): United Airlines blames 5 hour computer outage on "network connectivity issue" http://j.mp/iWp4Zu (This message in Google Buzz) http://j.mp/kvDxid (NPR Article) who added his own interpretation: United's explanation is a bit vague, but luckily through my own sources I've been able to obtain photographic evidence of the actual cause: http://j.mp/m865A7 (Lauren's Blog [JPG]) ------------------------------ Date: Mon, 20 Jun 2011 16:04:42 -0700 From: Mark Thorson <eee_at_private> Subject: The Bitcoin fiasco I first heard about the electronic currency Bitcoin from this article: http://falkvinge.net/2011/05/29/why-im-putting-all-my-savings-into-bitcoin/ Naturally, I was a bit skeptical about a so-called currency not backed up by a government or hard assets, but the implementation seemed technically sweet. I didn't have to wait long for my doubts to be confirmed. http://www.dailytech.com/article.aspx?newsid=21877 Oooh! Loses a third of its value in one day! I better watch the market a little longer before jumping in. http://arstechnica.com/tech-policy/news/2011/06/bitcoin-the-decentralized-virtual-currencyrisky-currency-500000-bitcoin-heist-raises-questions.ars Whoa! Some guy got hacked and lost bitcoins "worth" $500,000. This is obviously not a game for amateurs. Wonder what that guy was doing with so many bitcoins in the first place? http://www.dailytech.com/Inside+the+MegaHack+of+Bitcoin+the+Full+Story/article21942.htm Yikes! The main bitcoin exchange just got robbed for $8.75M! What were the purported reasons for using this "currency"? I know the arguments that the guy who got hacked wasn't using proper security (he admits it) and the problem at the exchange had nothing to do with the underlying Bitcoin technology model. I tend to think, though, that a currency invented by an anonymous computer programmer is not something to jump right into. If it's still around in 10 years, I might re-evaluate, but in the meantime I'll stick to currencies that have been around a couple hundred years. ------------------------------ Date: Tue, 14 Jun 2011 19:47:30 -0400 (EDT) From: msb_at_private (Mark Brader) Subject: A new speed record for exposing plagiarism by web search? At the University of Alberta, Philip Baker, the dean of medicine and dentistry, was beginning an inspiring commencement speech when some people in the audience thought they remembered a distinctive expression -- a reference to a made-up medical term "velluvial matrix". They pulled out their smartphones and quickly found the entire speech online on *The New Yorker*'s web site at http://www.newyorker.com/online/blogs/newsdesk/2010/06/gawande-stanford-speech.html The speech was actually written by Atul Gawande (who writes for the New Yorker and has is the author of several books, as well as being a professor and a surgeon), to give last year at Stanford University. Baker has apologized to Gawande. See: http://www.globaltvedmonton.com/events/any/4937399/story.html http://www.thestar.com/news/canada/article/1007465--any I include a CBC link because I'm sure it will be durable, but their version is less dramatic in that it doesn't mention the plagiarism being exposed while in progress: http://www.cbc.ca/news/canada/edmonton/story/2011/06/12/edm-university-alberta-speech.html ------------------------------ Date: Tue, 14 Jun 2011 13:02:33 +0200 From: Nick Brown <Nick.BROWN_at_private> Subject: Risks of automatically generated weather forecast data Looks like householders in Bridgwater, England should prepare for, umm, very high winds this coming weekend. And the coldest June night in history, with an effective temperature of about -30C after factoring in wind chill. http://www.freezepage.com/1308049042EIPKOEAORE (Sanity checks on data ? Who needs 'em ?) Nick Brown, Strasbourg, France ------------------------------ Date: Thu, 9 Jun 2011 10:11:53 -0400 From: Monty Solomon <monty_at_private> Subject: Citi Says Credit Card Customers' Data Was Hacked (Chris V. Nicholson) Citigroup acknowledged on Thursday that unidentified hackers had breached its security and gained access to the data of hundreds of thousands of its credit card customers in North America. ... [Source: Chris V. Nicholson, *The New York Times*, 9 Jun 2011] http://dealbook.nytimes.com/2011/06/09/citigroup-card-customers-data-hacked/ ------------------------------ Date: Mon, 6 Jun 2011 23:25:09 -0400 From: Monty Solomon <monty_at_private> Subject: SecurIDs Come Under Siege (Siobhan Gorman and Shara Tibken) SecurIDs Come Under Siege: Security Breach Forces RSA to Offer to Replace Millions of 'Tokens' Siobhan Gorman and Shara Tibken, *The Wall Street Journal*, 7 Jun 2011 RSA Security is offering to provide security monitoring or replace its well-known SecurID tokens-devices used by millions of corporate workers to securely log on to their computers-"for virtually every customer we have," the company's Chairman Art Coviello said in an interview. In a letter to customers Monday, the EMC Corp. unit openly acknowledged for the first time that intruders had breached its security systems at defense contractor Lockheed Martin Corp. using data stolen from RSA. SecurID tokens have become a fixture of office life at thousands of corporations, used when employees log onto computers or sensitive software systems. The token is an essential piece of security, acting as an ever-changing password that flashes a series of six digits that should be virtually impossible to duplicate. ... http://online.wsj.com/article/SB10001424052702304906004576369990616694366.html ------------------------------ Date: Sun, 19 Jun 2011 11:48:51 +0200 From: Peter Houppermans <peter_at_private> Subject: Hackers steal quantum code href="http://physicsworld.com/cws/article/news/46305">http://physicsworld.com/cws/article/news/46305 "While in principle unbreakable, quantum cryptography is known to have weaknesses in practice. One shortcoming has now been graphically illustrated by physicists in Singapore and Norway, who have been able to copy a secret quantum key without revealing their presence to either sender or receiver. The researchers are now working to remove the loophole they have exposed." And so the arms race continues... ------------------------------ Date: Fri, 17 Jun 2011 15:27:25 -0700 From: Lauren Weinstein <lauren_at_private> Subject: Spam "e-books" becoming a major problem on Kindle e-book store [From Network Neutrality Squad, http://www.nnsquad.org. PGN] "Spam has hit the Kindle, clogging the online bookstore of the top-selling eReader with material that is far from being book worthy and threatening to undermine Amazon.com Inc's publishing foray." http://reut.rs/m7GzvC (Reuters) ------------------------------ Date: Tue, 14 Jun 2011 09:01:21 -0700 From: Lauren Weinstein <lauren_at_private> Subject: Nissan Leaf reportedly leaks data via RSS, including location/speed [From Network Neutrality Squad, http://www.nnsquad.org. PGN] http://j.mp/kB3GYB (This message on Google Buzz) http://j.mp/kRtCEs (Casey Halverson) "Looking at the GET string above, "lat" and "lon" variables contain the current position of the vehicle, "speed" is the vehicle speed, "car_dir" is the direction of the car, and "lat_dst" and "lon_dst" is your destination configured in your navigation system ... All of these lovely values are being provided to any third party RSS provider you configure: CNN, Fox News, Weather Channel, it doesn't matter! While a lot of these providers are probably not aware of these (rather valuable) parameters the car passes, they probably sit in thousands of HTTP logs already, waiting to be parsed out - or perhaps supported in the future." "Update June 13 3:23 PDT: While nobody bothered to inform the customers, Nissan does document this functionality in this obscure Japanese developer document. http://lab.nissan-carwings.com/CWL/Spec.cgi [Google Translated]." ------------------------------ Date: Sun, 12 Jun 2011 10:37:13 -0400 From: Monty Solomon <monty_at_private> Subject: Fwd: British Spies Replace Terrorists' Online Bomb Instructions with Cupcake Recipe Paisley Dodd, 3 Jun 2011 LONDON -- Britain's spy agencies have a new message for terrorists: make cupcakes, not war. Intelligence agents managed to hack into the extremist Inspire magazine, replacing its bomb-making instructions with a recipe for cupcakes. It's the first time the agents sabotaged the English-language magazine linked to U.S.-born Yemeni cleric Anwar al-Awlaki, an extremist accused in several recent terror plots. The quarterly online magazine, which is sent to websites and email addresses as a pdf file, had offered an original page titled "Make a Bomb in the Kitchen of Your Mom" in one of its editions last year. The magazine's pages were corrupted, however, and the instructions replaced with the cupcake recipe. ... http://www.huffingtonpost.com/2011/06/03/british-spies-terrorist-bomb-cupcake-recipe_n_870882.html MI6 attacks al-Qaeda in 'Operation Cupcake' British intelligence has hacked into an al-Qaeda online magazine and replaced bomb-making instructions with a recipe for cupcakes. Duncan Gardham, Security Correspondent, 02 Jun 2011 The cyber-warfare operation was launched by MI6 and GCHQ in an attempt to disrupt efforts by al-Qaeda in the Arabian Peninsular to recruit "lone-wolf" terrorists with a new English-language magazine, the Daily Telegraph understands. ... The code, which had been inserted into the original magazine by the British intelligence hackers, was actually a web page of recipes for "The Best Cupcakes in America" published by the Ellen DeGeneres chat show. ... http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8553366/MI6-attacks-al-Qaeda-in-Operation-Cupcake.html ------------------------------ Date: Wed, 15 Jun 2011 08:13:22 -0700 From: Mark Thorson <eee_at_private> Subject: iPhone app measures frequency of common passcodes An iPhone app has been indirectly capturing and compiling statistics on the distribution of passcodes. About 10% are either 1234 or 0000. http://www.dailymail.co.uk/sciencetech/article-2003654 This reminds me of something that happened about 30 years ago. I had scanned nearly a thousand 800 numbers looking for interesting things, and I gave a list of anomalous numbers to a friend of mine. A day or two later he told me that one of the numbers was a call diverter with the password 321. I said "I'll bet you tried 320 numbers before you found that out." He replied "More than that. I tried all the obvious stuff first, like 111, 222, 333 . . .". ------------------------------ Date: Wed, 8 Jun 2011 22:36:14 -0400 From: Monty Solomon <monty_at_private> Subject: RSA Insecurity (Nelson D. Schwartz and Christopher Drew) Nelson D. Schwartz and Christopher Drew, RSA Faces Angry Users After Breach *The New York Times*, 7 Jun 2011 http://www.nytimes.com/2011/06/08/business/08security.html The nation's biggest banks and large technology companies like SAP rushed Tuesday to accept RSA Security's offer to replace their ubiquitous SecurID tokens as many computer security experts voiced frustration with the company. The company's admission of the RSA tokens' vulnerability on Monday was a shock to many customers because it came so long after a hacking attack on RSA in March and one on Lockheed Martin last month. The concern of customers and consultants over the way RSA, a unit of the tech giant EMC, communicated also raises the possibility that many customers will seek alternative solutions to safeguard remote access to their computer networks. Bank of America, JPMorgan Chase, Wells Fargo and Citigroup said they planned to replace the tokens as soon as possible. The banks declined to say how many customers would be affected, although SAP said that most of its 50,000 employees used RSA's tokens and that it was seeking to replace them all. ... ------------------------------ Date: Wed, 8 Jun 2011 15:37:21 -0700 From: Lauren Weinstein <lauren_at_private> Subject: Customers angry at RSA over delay in admitting depth of breach Customers angry at RSA over delay in admitting depth of breach http://j.mp/j2IwKk (This message in Google Buzz) http://j.mp/jlNAhg (New York Times) "For now, however, the biggest worry for RSA is how to appease angry customers as well as mollify computer security consultants, who have been increasingly critical of how long it took the company to acknowledge the severity of the problem." Just a quick opinion: Once a firm has a reasonable handle on the depth of a security problem that will affect customers, it is in both the company's and the customers' best interests for the firm to "come clean" at least regarding the seriousness of the situation, even if all technical details are not yet available or in a form that can be reasonably communicated with customers. It is crucial that users understand to what extent they may have been made vulnerable, so that they can take appropriate protective steps themselves at least in the short run. Most of all, trying to publicly minimize the seriousness of a situation below the level you know to be true, or lying about how serious matters really are, can be counted upon to make a bad situation worse. This applies pretty much equally in technology and in the rest of our lives (just ask Rep. Anthony Weiner). Lauren Weinstein (lauren@private): http://www.vortex.com/lauren Network Neutrality Squad: http://www.nnsquad.org http://www.pfir.org PRIVACY Forum: http://www.vortex.com +1 (818) 225-2800 ------------------------------ Date: Fri, 10 Jun 2011 10:40:52 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: Conceal your breaches, and steel your breeches? (Dan Goodin) Dan Goodin, Senator Sisyphus tries again, *The Register*, 8 Jun 2011 http://www.theregister.co.uk/2011/06/08/data_breach_bill/ US-based companies would be required to report data breaches that threaten consumer privacy and could face stiff penalties for concealing them under federal legislation that was introduced in the Senate on Tuesday. The Personal Data Privacy and Security Act aims to set national standards for protecting the growing amount of personally identifiable information being stored online. Its approval by the Senate Judiciary Committee represents the fourth year the bill has been introduced, said its sponsor, Senator Patrick Leahy of Vermont. The latest incarnation comes amid a glut of high-profile hack attacks on networks operated by Sony, email marketer Silverpop Systems, gossip publisher Gawker Media, and others, which have exposed sensitive data for hundreds of millions of Americans in the past six months. ------------------------------ Date: Thu, 9 Jun 2011 07:17:02 -0400 From: Monty Solomon <monty_at_private> Subject: Spyware, the FBI, and The Failure of ISPs (John Dvorak) John C. Dvorak, 1 Jun 2011 Why can't ISPs routinely look at network activity and use deep-packet sniffing to find infected machines and tell the customer in the first place? Operation Adeona, it was called. It involved the FBI. Spyware. Intrigue. Controversy. The FBI took it upon itself to attack one of the miserable botnets that plagues the Internet to figure out how to intercept its "calling home function." And essentially it ended up giving it new and less destructive instructions. Let me try to explain. Botnets generally consist of thousands of infected computers that have some specific piece of malware installed. Your computer at home may be one of them. The malicious code is usually in the form of a Trojan Horse that was planted by a Web site or some code you mistakenly clicked on. Once installed on your computer it doesn't really do much until called into action. The idea nowadays is to inhabit your machine for nefarious purposes including mailing spam from your account, pinging a target computer to harass someone, or even to do odd sorts of market research. Most of the time these infected machines do their dirty work after hours and seldom during the day when an observant owner might spot the dubious activity. It is a public nuisance. I cannot emphasize enough how people should run some good scanners to ferret out these programs. Millions of machines are infected. Anyway, so the FBI decided to counterattack one of the major botnets called Coreflood, which is used to loot bank accounts. The FBI was to replace the servers communicating with infected Coreflood machines with its own servers, and also to disable the Coreflood malware on the infected machines. This process seems to have gone well and the botnet was mostly silenced and had no way of getting any more nefarious instructions, rendering it useless. The problem is that the code is still on the machines. Now it gets dicey. ... http://www.pcmag.com/article2/0,2817,2385959,00.asp ------------------------------ Date: Tue, 7 Jun 2011 11:13:18 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: Hacker Community Infiltrated? "The underground world of computer hackers has been so thoroughly infiltrated in the US by the FBI and secret service that it is now riddled with paranoia and mistrust, with an estimated one in four hackers secretly informing on their peers, a Guardian investigation has established." [Source: *The Guardian*, 6 Jun 2011.] http://www.guardian.co.uk/technology/2011/jun/06/us-hackers-fbi-informer On the Internet, no one should even trust his dog. PGN] ------------------------------ Date: Fri, 10 Jun 2011 6:02:13 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: The Thomas Drake case Thomas Drake, a former NSA employee who had been indicted on 10 counts relating to retaining classified information and leaking it to a *Baltimore Sun* reporter, pleaded guilty to a single misdemeanor charge for `exceeding authorized use of a government computer', with the remaining charges being dropped. Jesselyn Radack (who represented Drake) said, ``This was the wrong person, this was the wrong case, and the Espionage Act was an overreach.'' [Source: Kim Hairston, *The Baltimore Sun*, 10 Jun 2011; PGN-ed] http://www.baltimoresun.com/news/maryland/bs-md-nsa-leak-case-20110609,0,3140011.story?page=2&track=rss ------------------------------ Date: Fri, 10 Jun 2011 02:46:44 -0400 (EDT) From: msb_at_private (Mark Brader) Subject: CD cover art not best place for a bar code In 2005, Sony BMG released a 3-CD set entitled Electric 80s The cover art for this compilation of "the greatest Eighties electric hits" featured a reproduction of a UPC bar code, with the title "ELECTRIC 80s" placed in the space at the bottom of the bar code where the human-readable numbers corresponding to that code would usually appear. (The real bar code -- the one used for scanning the price of the item at checkout counters -- was placed in a corner on the back of the packaging, as it is for nearly every similar item.) http://www.snopes.com/business/market/cdbarcode.asp What could possibly go wrong? Right. The reproduction bar code was a real one, so if the clerk selling you the CD scanned the wrong side, you were charged the wrong price. ------------------------------ Date: Wed, 08 Jun 2011 12:27:30 +0800 From: jidanni_at_private Subject: Cloud computing: back to the VAX All this talk about cloud computing. So now our marriage to the PC has soured, and we return back to the dumb terminal and the university/cloud's VAX/PDP where we started. [It takes me back to MIT's CTSS in the early 1960s and Multics beginning in 1965. Not just full circle, but perhaps 720 or 1080 degrees. And The Shadow (from the 1940s radio shows), with the ability to *cloud* men's minds. PGN] ------------------------------ Date: Thu, 9 Jun 2011 07:08:20 -0400 From: Monty Solomon <monty_at_private> Subject: Fox News mistakenly uses Tina Fey picture in Sarah Palin story Fox News found out the hard way that there's nothing like the real thing when it comes to Sarah Palin, especially when it comes to Palin impersonator Tina Fey. A story on "America's News Headquarters" about Palin's current bus tour, in which she may be testing the waters for a 2012 presidential bid, was illustrated with a graphic of Fey portraying Palin, according to Mediaite.com. The snafu was particularly glaring since Palin works for Fox as a correspondent. ... [Source: *LA Times*] http://latimesblogs.latimes.com/showtracker/2011/06/fox-news-mistakenly-uses-tina-fey-as-palin-in-palin-bus-story.html ------------------------------ Date: Thu, 9 Jun 2011 07:08:20 -0400 From: Monty Solomon <monty_at_private> Subject: Fox News mistakenly uses Tina Fey picture in Sarah Palin story Fox News found out the hard way that there's nothing like the real thing when it comes to Sarah Palin, especially when it comes to Palin impersonator Tina Fey. A story on "America's News Headquarters" about Palin's current bus tour, in which she may be testing the waters for a 2012 presidential bid, was illustrated with a graphic of Fey portraying Palin, according to Mediaite.com. The snafu was particularly glaring since Palin works for Fox as a correspondent. ... [Source: *LA Times*] http://latimesblogs.latimes.com/showtracker/2011/06/fox-news-mistakenly-uses-tina-fey-as-palin-in-palin-bus-story.html ------------------------------ Date: Tue, 7 Jun 2011 12:10:22 -0800 From: Rob Slade <rMslade_at_private> Subject: Re: Skype is reportedly reverse-engineered (RISKS-26.46) I've always been wary of Skype for their SBO stance, despite the many security friends who have used it, love it, and promote it at every turn. Prior to this year's disclosures of increasing success in attempts to decode the thing (and the purchase by Microsoft), I was even thinking that I might have to jump on the bandwagon and start using it, as one of the most realistic ways of phoning home from various countries overseas. This new wrinkle in the situation reminds me of the battle royal, many years ago, between Microsoft and AOL over instant messaging functions. (Little good can come out of the fight, I suspect, other than the high probability that someone will come up with some form of realistic alternative to Skype.) In the instant messaging scrap, both sides worked furiously on developing new versions of their client software that would be incompatible with the other. This activity culminated in one vendor creating one with a buffer overflow situation. Not by accident: this was done deliberately so that some instant messaging functions could *only* be accessed by a buffer overflow, thus reducing the (comparative) functionality of the other client. Not the actions of a vendor that has user security at heart ... rslade_at_private slade_at_private rslade_at_private victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/ ------------------------------ Date: Mon, 6 Jun 2011 22:13:53 -0400 From: Spencer Cheng <spencer_at_private> Subject: Re: Cars that drive themselves (Kamens, RISKS-26.47) [Kamens'] point is valid. However, if we consider the probability of a human driver hitting a pedestrian, the distribution is probably random (X incidents per 100K driver/year - dependent on a large variety of factors). Think of it as wetware fault. With self-driving car, the control S/W will be the same, or very similar, across millions of cars so any S/W fault could be expressed by millions of cars when a given set of input occurs. The distribution of incidences is not likely to be random but rather predictable. While formal methods and rigorous testing would reduce the number of residual bugs, a S/W system like self-driving cars, which is probably very complex and has millions of LOC, will not be bug free. Have we exchanged the risk of a random incident, wetware failure, with the risk of a rare but large scale S/W fault that could cause thousands of incidents in very short period of time? ------------------------------ Date: Tue, 7 Jun 2011 15:20:22 -0700 From: "David Gillett" <gillettdavid_at_private> Subject: Re: "Automatic Updates" considered Zombieware (Baker, RISKS-26.45) wouldn't jump to the conclusion that all of the delta in disk space between an initial Windows installation and an updated one is "the updates" per se. Some of it is probably uninstall info for those updates, and some System Restore points providing another method to roll them back. All of which would be completely unnecessary if those updates were flawless -- but if Microsoft had THAT capability, there would never be any need to update Windows at all! Memorable flaws include: * WGA, already noted, multiple versions, * Repeated delivery and installation of non-functional ATI video drivers based on Windows Update (or ATI) misidentifying my installed hardware, * Nightly server reboots caused by an update whose automatic installation would consistently fail AFTER noting that a reboot would be required (manual installation mysteriously succeeded)..... In the balance, review a top ten list of Windows worms of recent years to see how many exploited a vulnerability for which the corrective patch had been available as an update for at least three months. How badly do you prefer being in the Problem Set over being in the Solution Set? ------------------------------ Date: Mon, 6 Jun 2011 20:01:16 -0900 From: RISKS-request_at_private Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request_at_private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe_at_private or risks-unsubscribe_at_private depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> The full info file may appear now and then in RISKS issues. *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall_at_private>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 26.48 ************************Received on Tue Jun 21 2011 - 16:46:31 PDT
This archive was generated by hypermail 2.2.0 : Tue Jun 21 2011 - 22:15:57 PDT