RISKS-LIST: Risks-Forum Digest Tuesday 2 August 2011 Volume 26 : Issue 52 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/26.52.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: [Catching up. PGN] Motorcycle 'smart key' can disable steering (Steven J Klein) Internet Addiction (Sharon Gaudin via Gene Wirchenko) Researchers Expose Cunning Online Tracking Service That Can't Be Dodged (Lauren Weinstein) House Committee sweepingly hypocritical Internet data retention bill (Lauren Weinstein) Bot-Bashed by Google (Robert X. Cringely via Gene Wirchenko) Re: Study Faults Approval Process for Medical Devices (Kevin Fu) Re: Patient alleges Tufts breached privacy (Steve Loughran) Re: FB & facial recognition software (Peter Houppermans) Re: Risks of verbose automated e-mail (Eriks Ziemelis) Re: Don't throw away Grandma's wind-up desk clock (Kurt Fredriksson, Mark Kramer) Taking over a stranger's phone number (Geoff Kuenning) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 26 Jul 2011 19:59:28 -0400 From: Steven J Klein <steven_at_private> Subject: Motorcycle 'smart key' can disable steering Motorcycle maker Ducati rolled out a new `smart key' that lets riders leave the key in their pocket. When they sit down on the bike, a sensor detects the key, allows the engine to be started, and unlocks the steering. At least that's how it's supposed to work. *The Wall Street Journal* reported: Ducati says that while testing the new bikes it found that -- under very specific conditions -- the electronic steering lock could fail to disengage: a rider could potentially start the bike and begin riding while the steering is still locked -- a situation that could result in a tip-over or collision. Maybe they should call it a stupid key? Source: <http://blogs.wsj.com/drivers-seat/2011/04/30/smart-keys-not-so-smart-for-motorcycles/> Steven Klein * http://yourmacexpert.com/ ------------------------------ Date: Wed, 27 Jul 2011 10:05:31 -0700 From: Gene Wirchenko <genew_at_private> Subject: Internet Addiction (Sharon Gaudin) http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=63479 Sharon Gaudin: Internet as hard to give up as cigarettes, liquor, study says; Losing 'Net access even for a day described as 'nightmare', *ITBusiness*, 27 Jul 2011 How would you handle giving up your Internet connection -- your Facebook friends, Twitter, online news and shopping -- for just a single day? If you think being disconnected for even a day might drive you nuts, you're not alone. A survey of 1,000 people between the ages of 18 and 65 in the U.K. showed that many Britons are as emotionally connected to the Internet and all of their devices as smokers are to their cigarettes. However, not everyone reported being so tied to their digital lives. The survey showed that 23 per cent of respondents said they would feel "free" if they were disconnected from online activities. ------------------------------ Date: Fri, 29 Jul 2011 17:05:09 -0700 From: Lauren Weinstein <lauren_at_private> Subject: Researchers Expose Cunning Online Tracking Service That Can't Be Dodged "Researchers at U.C. Berkeley have discovered that some of the net's most popular sites are using a tracking service that can't be evaded - even when users block cookies, turn off storage in Flash, or use browsers' "incognito" functions. The service, called KISSmetrics, is used by sites to track the number of visitors, what the visitors do on the site, and where they come to the site from - and the company says it does a more comprehensive job than its competitors such as Google Analytics. But the researchers say the site is using sneaky techniques to prevent users from opting out of being tracked on popular sites, including the TV streaming site Hulu.com." http://j.mp/ndoBts (Wired) ------------------------------ Date: Fri, 29 Jul 2011 09:50:53 -0700 From: Lauren Weinstein <lauren_at_private> Subject: House Committee sweepingly hypocritical Internet data retention bill [From Network Neutrality Squad. PGN] Rep. John Conyers of Michigan believes the bill is mislabeled. "This is not protecting children from Internet pornography. It's creating a database for everybody in this country for a lot of other purposes," he says. Rep. Lofgren of California, a leading Democrat in opposition to the bill said was a "stalking horse for a massive expansion of federal power." http://j.mp/plNgUu (Digital Trends) In the usual Congressional demonstration of hypocrisy, the bill is entitled "Protecting Children from Internet Pornographers Act of 2011" but actually allows the collected data to be used for any purpose, including government tracking down of whistleblowers, file sharers, peace activists, or anyone else for virtually any reason. [PGN adds: Lauren later noted on 2 Aug 2011 an item from CNET: How The New 'Protecting Children' Bill Puts You At Risk: Last Thursday the U.S. House of Representatives passed a bill that makes the online activity of every American available to police and attorneys upon request under the guise of protecting children from pornography. http://j.mp/o2eVhO (CNET)] ------------------------------ Date: Wed, 27 Jul 2011 13:42:43 -0700 From: Gene Wirchenko <genew_at_private> Subject: Bot-Bashed by Google (Robert X. Cringely) Robert X. Cringely: When Google bots go wrong -- one user's story; Dylan Marcheschi felt the full brunt of a faulty Google algorithm; now he's urging the company to offer real customer support http://www.infoworld.com/t/cringely/when-google-bots-go-wrong-one-users-story-168212 Dylan Marcheschi found out the hard way what happens when you get on Google's bad side. Worse, he didn't do anything to deserve it, and he was victimized not by a human but by a bot. About two weeks ago, the artist from Brooklyn was having an e-mail conversation with a friend in Thailand when he received a message telling him his Google account had been disabled. Everything he'd built up over the past seven years had just gone poof. Worse, there was no one to talk to about it. There is no customer support line for Google -- no e-mail support, no live chat. All you can do is post a message on a forum and hope that somebody -- anybody -- weighs in with an answer. But for Dylan, nobody did. So Marcheschi went public. [and all hell broke loose. PGN] ------------------------------ Date: Mon, 1 Aug 2011 23:17:51 -0400 From: Kevin Fu <kevinfu_at_private> Subject: Re: Study Faults Approval Process for Medical Devices (Meier, R-26.51) > [Can we learn anything from this relating to computer systems being > trustworthy and effective? PGN] As one of the writers commissioned by this Institute of Medicine (IOM) panel and a regular attendee of related workshops and Senate/House hearings over the last few years, I would say yes. But it's complicated at so many levels. The IOM released multiple publications on this topic. The earlier publication includes my commissioned report on "Trustworthy Medical Device Software" along with several other fascinating topics that relate to medical device safety and effectiveness (think epidemiology). Download the chapter via the no-paywall and watch the webcast respectively on: http://www.nap.edu/catalog.php?record_id=13020 http://www.tvworldwide.com/events/iom/100728/default.cfm Caveat lector: the intended audience is primarily that of physicians and healthcare professionals. There was only one computer scientist on the IOM panel. If you consider yourself a computer scientist, put on your HCP cap before reading. You can download the panel's 246-page final recommendations (cited in last week's NYT) from http://www.nap.edu/catalog.php?record_id=13150 Safety and effectiveness share many themes with trustworthiness, but it's not a bijection. Security is a part of trustworthiness. I believe that Nancy Leveson briefly compares and contrasts safety with security in her 1995 book, "Safeware: System Safety and Computers." Both safety and security are negative goals, for instance. Kevin Fu, Assoc. Professor, Computer Science Department http://spqr.cs.umass.edu/ University of Massachusetts Amherst Ph: 616-594-0385 Fax: 413-545-1249 ------------------------------ Date: Tue, 2 Aug 2011 10:56:53 +0100 From: Steve Loughran <steve.loughran_at_private> Subject: Re: Patient alleges Tufts breached privacy (Chris D., RISKS-26.49) Chris D. raises the issues of the NHS still using faxes to communicate. I can reassure him that my local GP has a special defence against spoof faxes: namely they lose them and deny they were ever received. Unfortunately, this security system can be bypassed by turning up with a printout of an e-mail from the hospital saying "we faxed it" and a phone number which they will then dial to get the prescription repeated, rather than dialing the hospital's exchange: http://www.1060.org/blogxter/entry?publicid=2AF115A1F11CA5CAC3791BBF7673E80B To get a fake prescription all you have to do bring a fake e-mail printout and have an accomplice at the end of the line who appears to not know who you are, be uninterested in the problem but eventually able to find your paperwork and read out what the prescription is. And yes, certificate based signed/encrypted e-mail with a requirement that all e-mails are in the domain nhs.gov.uk and mail servers dropping out of network e-mails from that domain would work better. In fact, they'd be better of fixing the e-mail infrastructure than trying to do a national patient record system, as at least moving the health service to e-mail may actually be possible -and if it isn't, there's no point trying anything more ambitious. ------------------------------ Date: Tue, 02 Aug 2011 06:59:16 +0200 From: Peter Houppermans <peter_at_private> Subject: Re: FB & facial recognition software (Klein, RISKS-26.51) I've been aware of the potential for facial recognition code to be applied to public pictures for a while. Facebook and Google are working along the same path, although FB would at least link tagging to existing accounts (allowing you to undo the tagging), whereas Google's Picasa did not. Although images are not always taken to the exacting standards that a passport biometric requires, it seems to me quite possible that someone will develop a way to create a usable average from a collection of pictures. Some experimenting with software called Portrait Professional yielded an interesting discovery: it also subtly adjusts facial geometry, which gave me an idea. I wonder if it would not be possible to craft an application that creates a sufficiently subtle deviation in facial characteristics to throw off facial recognition code. We humans tend to have a far greater tolerance level for variation than most facial recognition code so it would not create *human* recognition issues. It would only throw a spanner into the works of unauthorised automated online identity data collection. Having said that, if you're going as far as digitally adjusting images of yourself you could consider a simpler approach: not posting them at all :-). ------------------------------ Date: Tue, 2 Aug 2011 10:22:33 -0700 (PDT) From: Eriks Ziemelis <eriks.ziemelis_at_private> Subject: Re: Risks of verbose automated e-mail Seems like there are two risks here, and one not being Jet Blue's fault. As Paul pointed out, SMS is wide-spread, and that Jet Blue's notification system does not have an SMS option seems to be a bit of a poor design, what with just about every notification system of the ilk I've used has SMS capabilities. The real risk is trying to force a feature/system to work in a manner that it was not designed for (and the vast majority of "Average Joes/Janes" do not know or care about) and expect success. ------------------------------ Date: Tue, 02 Aug 2011 20:47:42 +0200 From: Kurt F <kurt.fredriksson_at_private> Subject: Re: Don't throw away Grandma's wind-up desk clock I am bit surprised that no-one has mentioned that the frequency is the main factor in the control of an electricity grid. If the load increases, the frequency will drop and more electricity must be generated until the frequency is back to normal again. If the load decreases, the frequency will go up, and less electricity must be generated. It is thus the amount of electricity generated and consumed in real time that will result in small variations in frequency. And a very small variation indeed. ------------------------------ Date: Tue, 2 Aug 2011 13:23:40 -0400 From: Mark Kramer <c28f62_at_private> Subject: Re: Don't throw away Grandma's wind-up desk clock (Lee, RISKS-26.49) Ted Lee asks "how much is 'just over'" when a clock gains 14 seconds a day? 86400 seconds in a day. To see 86414 in a day, the reference frequency must be 86414/86400 too high. E.g., 60*86414/86400 = 60.009722 Hz. Not very far over at all. [Also noted by Anthony DeRobertis. PGN] ------------------------------ Date: Sat, 30 Jul 2011 03:29:59 -0700 From: Geoff Kuenning <geoff_at_private> Subject: Taking over a stranger's phone number A year ago I went on sabbatical and rented out my house. I asked my tenants to take over my phone number so that I would be able to recover it when I returned, and I called Verizon and authorized that action. However, the tenants misunderstood and got an entirely new number, so from Verizon's point of view I had canceled my account and my number went back into the pool. When I returned a few weeks ago, I set up new phone service with a different company. Thinking that my tenants had only recently closed their Verizon account, I asked that my number be ported to the new company. You can guess what's coming: it worked. No sooner had my phone been connected than it rang; it was the old number's new owner, trying to reach his house. Once I figured out what had happened, I arranged to give the number back to the innocent stranger. But that took over a week. What saddens me is that if you call up Verizon and try to do something simple to your account, such as enable voicemail, they will take you through a painful ID verification process. So why did they let a third party grab a phone number without any attempt to ensure that the request was valid? Geoff Kuenning geoff@private http://www.cs.hmc.edu/~geoff/ ------------------------------ Date: Mon, 6 Jun 2011 20:01:16 -0900 From: RISKS-request_at_private Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request_at_private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe_at_private or risks-unsubscribe_at_private depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> The full info file may appear now and then in RISKS issues. *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall_at_private>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 26.52 ************************Received on Tue Aug 02 2011 - 15:25:24 PDT
This archive was generated by hypermail 2.2.0 : Tue Aug 02 2011 - 18:32:37 PDT