RISKS-LIST: Risks-Forum Digest  Sunday 13 November 2011  Volume 26 : Issue 61

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.61.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Panel Emphasizes Safety in Digitization of Health Records (Steve Lohr)
The Coming Fascist Internet (Lauren Weinstein)
First national Emergency Alert System (EAS) test: FAIL in many areas
  (Lauren Weinstein)
"747's are big flying Unix hosts" (Gabe Goldberg)
Underground call-centre for identity theft uncovered (Gene Wirchenko)
The Dark Side Of Biometrics: 9 Million Israelis' Records Hacked (FastCompany)
"Sloppy use of Amazon cloud can expose users to hacking" (Gene Wirchenko)
Re: Gmail goes Colbert (Dag-Erling Smørgrav)
Re: ANA plane goes nearly belly up ... wrong knob turned (Pete Disdale,
  Richard S. Russell, Joe Keane)
Fun Yahoo! term of service (jidanni)
Humorous illustration of computer security (David Hollman)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 9 Nov 2011 20:19:23 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Panel Emphasizes Safety in Digitization of Health Records (Steve Lohr)

Poorly designed, hard-to-use computerized health records are a threat to patient safety, and an independent agency should be set up to investigate injuries and deaths linked to health information technology, according to a federal study just released by the Institute of Medicine. The proposed investigative agency should be modeled after the National Transportation Safety Board. The report also called for tracking the safety performance of electronic health records in use.
Results from studies done so far, the report said, are mixed. Success stories are offset by reports of patients harmed.
[Source: Steve Lohr, *The New York Times*, 8 Nov 2011; PGN-ed; Thanks to Marc Rotenberg.]
http://www.nytimes.com/2011/11/09/technology/federal-panel-emphasizes-safety-in-push-for-digital-health-records.html?_r=1&hpw

  [This is as always a scary double-edged sword. The doctors will probably have to spend more time with their computers and less with patients, and could indeed make more errors, which would not be challenged by other doctors and nurses because they would be likely to believe in the infallibility of computers -- ignoring the high rates of fallibility of people! Remember the Risks! PGN]

------------------------------

Date: Sun, 13 Nov 2011 13:39:49 -0800 (PST)
From: Lauren Weinstein <lauren_at_private>
Subject: The Coming Fascist Internet

(((((( Lauren Weinstein's Blog Update: The Coming Fascist Internet ))))))
November 13, 2011
http://lauren.vortex.com/archive/000911.html

Around four decades ago or so, at the U.S. Defense Department funded ARPANET's first site at UCLA -- what would of course become the genesis of the global Internet -- I spent a lot of time alone in the ARPANET computer room. I'd work frequently at terminals sandwiched between two large, noisy, minicomputers, a few feet from the first ARPANET router -- Interface Message Processor (IMP) #1, which empowered the "blindingly fast" 56 Kb/s ARPANET backbone. Somewhere I have a photo of the famous "Robby the Robot" standing next to that nearly refrigerator-sized cabinet and its similarly-sized modem box.

I had a cubicle I shared elsewhere in the building where I also worked, but I kept serious hacker's hours back then, preferring to work late into the night, and the isolation of the computer room was somehow enticing. Even the muted roar of the equipment fans had its own allure, further cutting off the outside world (though likely not particularly good for one's hearing in the long run).

Occasionally in the wee hours, I'd shut off the room's harsh fluorescent lights for a minute or two, and watch the many blinking lights play across the equipment racks, often in synchronization with the pulsing and clicking sounds of the huge disk drives. There was a sort of hypnotic magic in that encompassing, flickering darkness. One could sense the technological power, the future coiled up like a tight spring ready to unwind and energize many thousands of tomorrows.

But to be honest, there was little then to suggest that this stark room -- in conjunction with similar rooms scattered across the country at that time -- would trigger a revolution so vast and far-reaching that governments around the world, decades later, would cower in desperate efforts to leash it, to cage its power, to somehow turn back the clock to a time when communications were more firmly under the thumbs of the powers-that-be.

There were some clues. While it was intended that the ARPANET's resource sharing capabilities would be the foundation of what we now call the "cloud," the ARPANET was (somewhat to the consternation of various Defense Department overseers) very much a social space from the beginning. Starting very early on, ARPANET communications began including all manner of personal discussions and interests, far beyond the narrow confines of "relevant" technical topics. A "wine tasting enthusiasts" mailing list triggered reprimands from DoD when it became publicly known thanks to a magazine article, and I won't even delve here into the varied wonders of the "network hackers" and "mary hartman" mailing lists.

In fact, the now ubiquitous mailing list "digest" format was originally invented as a "temporary" expedient when "high volumes" of traffic (by standards of the time) threatened the orderly distribution of the science-fiction and fantasy oriented "sf-lovers" mailing list. Many other features that we take for granted today in email systems were created or enhanced largely in reaction to these sorts of early "social" communications on the very young Net.

The early ARPANET was mostly restricted to the U.S., but as international points began to come online the wonders expanded. I still remember the day I found myself in a "talk" (chat) link with a party at a military base in Norway -- my first international live contact on the Net that I knew of. I remember thinking then that someday, AT&T was going to start getting concerned about all this.

The power of relatively unfiltered news was also becoming apparent back then. One of my projects involved processing newswire data (provided to me over the ARPANET on a friendly but "unofficial" basis from another site) and building applications to search that content and alert users (both textually and via a synthesized voice phone-calling system -- one of my other pet projects) about items of interest.

For much of the Net's existence, both phone companies and governments largely ignored (or at least downplayed) the ARPANET, even as it evolved toward the Internet of today. AT&T and the other telcos had explicitly expressed disinterest early on, and even getting them to provide the necessary circuits had at times been a struggle. Governments didn't really seem to be worried about an Internet "subculture" that was limited mostly to the military, academia, and a variety of "egghead" programmers variously in military uniforms and bell-bottoms, whether sporting crew cuts, scruffy longhairs, or somewhere in-between.

But with the fullness of time, the phone companies, cable companies, governments, and politicians galore came to most intensely pay attention to the Internet, as did the entertainment industry behemoths and a broad range of other "intellectual property" interests.

Their individual concerns actually vary widely at the detailed level, but in a broader context their goals are very much singular in focus. They want to control the Internet. They want to control it utterly, completely, in every technologically possible detail (and it seems in various technically impossible ways as well).

The freedom of communications with which the Internet has empowered ordinary people -- especially one-to-many communications that historically have been limited to governments and media empires themselves -- is viewed as an existential threat to order, control, and profits -- that is, to historical centers of power.

Outside of the "traditional" aspects of government control over their citizenries, another key element of the new attempts to control the Net are desperate longings by some parties to turn back the technological clock to a time when music, movies, and other works could not so easily be duplicated and disseminated in "authorized" fashions. The effective fall of copyright in this context was preordained by human nature (we are physical animals, and the concept of non-physical "property" plays against our natures) and there's been a relentless "march of bits" -- with text, music, and movies entering the fray in turn as ever more data could be economically stored and transferred.

In their efforts to control people and protect profits, governments and associated industries (often in league with powerful Internet Service Providers -- ISPs -- who in some respects are admittedly caught in the middle), seem willing to impose draconian, ultimately fascist censorship, identification, and other controls on the Internet and its users, even extending into the basic hardware in our homes and offices.

I've invoked fascism in this analysis, and I do not do so lightly. The attacks on fundamental freedoms to communicate that are represented by various government repression of the Internet around the world, and in the U.S. by hypocritical legislation like PROTECT IP and SOPA (E-PARASITE), are fundamentally fascist in nature, despite being wrapped in their various flags of national security, anti-piracy profit protection, motherhood, and apple pie.

Anyone or anything that is an enabler of communications not willingly conforming to this model is subject to attack by authorities from a variety of levels -- with the targets ranging from individuals like you and me, to unbiased enablers of organic knowledge availability like Google.

For all the patriotic frosting, the attacks on the Internet are really attacks on what has become popularly known as the 99%, deployed by the 1% powers who are used to having their own way and claiming the largest chunks of the pie, regardless of how many ants (that's us!) are stomped in the process.

This is not a matter of traditional political parties and alliances. In the U.S., Democratic and Republican legislators are equally culpable in these regards. This is a matter of raw power that transcends other ideologies, of the desire of those in control to shackle the Internet to serve their bidding, while relegating free communications for everyone else to the dustbin of history.

It is very much our leaders telling us to sit down, shut up, and use the Internet only in the furtherance of their objectives -- or else.

To me, these are the fundamental characteristics of a fascist world view, perhaps not in the traditional sense but clearly in the ultimate likely impacts.

The Internet is one of the most important tools ever created by mankind. It certainly ranks with the printing press, and arguably in terms of our common futures on this tiny planet perhaps even with fire.

The question is, are we ready and willing to fight for the Net as it should be in the name of civil rights and open communications? Or will we sit back compliantly, happily gobble down the occasional treats tossed in our direction, and watch as the Internet is perverted into a monstrous distortion to control speech and people alike, rather than enabling the spread of freedom?

Back in that noisy computer room so many years ago, I couldn't imagine that I was surrounded by machines and systems that would one day lead to such a question, and to concerns of such import. The blossoming we've seen of the Internet was not necessarily easy to predict back then. But the Internet's fascist future is much more clear, unless we fight now -- right now -- to turn back the gathering evil.

------------------------------

Date: Wed, 9 Nov 2011 11:17:00 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: First national Emergency Alert System (EAS) test: FAIL in many areas

[From Network Neutrality Squad]

Apparently the first ever national test of the Emergency Alert System (EAS) can be declared a failure in many areas. Reports are coming in of broadcast stations that did not show the test, even while local cable systems did, and places where broadcast stations did alert and cable systems failed to activate their warning systems.

Here in L.A., I monitored and recorded two outlets: KCBS-DT (2) via an antenna, and CNN HD on Time Warner Cable. KCBS broadcast *did* run the test as planned. Time Warner Cable (at least here in the West Valley) did not. Normally for EAS activations (tests, weather alerts, etc.)
TW triggers a red banner warning that overrides programming on all cable channels. This did *not* occur for the national test at 11am PST today. FAIL.

Lauren Weinstein (lauren@private): http://www.vortex.com/lauren
Network Neutrality Squad: http://www.nnsquad.org
+1-818-225-2800  Skype: vortex.com

------------------------------

Date: Tue, 08 Nov 2011 22:50:10 -0500
From: Gabe Goldberg <gabe_at_private>
Subject: "747's are big flying Unix hosts"

Craig S Wright says:

  "I was contracted to test the systems on a Boeing 747. They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 - VLANs. We managed to break the VLANs and access other systems and with source routing could access the Engine management systems."

https://plus.google.com/u/0/110897184785831382163/posts/5qsNxFEaiML

Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place,
Falls Church, VA 22042  (703) 204-0433  http://www.linkedin.com/in/gabegold

------------------------------

Date: Thu, 10 Nov 2011 10:39:17 -0800
From: Gene Wirchenko <genew_at_private>
Subject: Underground call-centre for identity theft uncovered

Call me about an important financial matter?

http://www.itbusiness.ca/it/client/en/home/News.asp?id=64887

Underground call-centre for identity theft uncovered by security researchers
Identity thieves use professional calling services to obtain missing pieces of information about victims.
11/10/2011 6:00:00 AM  By: Lucian Constantin

opening paragraph:

Researchers from security vendor Trusteer have come across a professional calling service that caters to cybercriminals. The business offers to extract sensitive information needed for bank fraud and identity theft from individuals.

------------------------------

Date: Tue, 25 Oct 2011 12:39:34 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: The Dark Side Of Biometrics: 9 Million Israelis' Records Hacked

  [Thanks to Richard M. Smith for spotting this one. PGN]

Part of Israel's online population registry has been compromised, resulting in massive leakage of personal information of 9 million Israelis. A contract worker at the Israeli Welfare Ministry has been arrested, and is accused of stealing Israel's national biometric database in 2006 that includes names, dates of birth, and detailed health information. [Source: FastCompany item, PGN-ed]
http://www.fastcompany.com/1790444/the-downside-of-biometrics-9-million-israelis-records-hacked

------------------------------

Date: Thu, 10 Nov 2011 10:16:43 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Sloppy use of Amazon cloud can expose users to hacking"

http://www.infoworld.com/t/cloud-computing/sloppy-use-amazon-cloud-can-expose-users-hacking-178575

InfoWorld Home / InfoWorld Tech Watch
November 09, 2011
Sloppy use of Amazon cloud can expose users to hacking
New research exposes the potential for vulnerabilities from the non-secure use of virtual images in the public cloud
By Ted Samson | InfoWorld

opening paragraph:

Using Amazon's EC2 (Elastic Compute Cloud) can pose a security threat to organizations and individuals alike, though Amazon's not to blame, according to researchers from Eurecom, Northeastern University, and SecludIT. Rather, third parties evidently are not following best security practices when using preconfigured virtual machine images available in Amazon's public catalog, leaving users and providers open to such risks as unauthorized access, malware infections, and data loss.

------------------------------

Date: Sun, 13 Nov 2011 01:01:07 +0100
From: Dag-Erling Smørgrav <des_at_private>
Subject: Re: Gmail goes Colbert (Morris, RISKS-26.60)

james.morris_at_private writes:
> The new gmail that apparently is going to be forced on everyone is not an
> improvement as far as I can see.
This isn't just Google Mail, they've "revamped" Google Docs and Google Reader in a similar manner (and probably other services as well, but these are the ones I use). Not only has usability been reduced due to hiding more functions behind fewer buttons and menus and replacing text buttons with non-obvious icons, but the new interface wastes a *lot* of screen real estate, which is a serious problem on ultraportables like the Asus Eee or HP Mini.

------------------------------

Date: Sat, 12 Nov 2011 10:39:36 +0000 (GMT)
From: Pete Disdale <risks_at_private>
Subject: Re: ANA plane goes nearly belly up ... wrong knob turned (Re: McCool, RISKS-26.60)

> An ANA 737 went nearly belly up during cruise flight after the first officer
> turned the wrong knob to let the captain back into the cockpit. The knob for
> the rudder is similar to the knob to unlock the door and both are located in
> close proximity to each other.

I am not an airline pilot, but find this astonishing. I had always believed that flight deck controls (knobs, levers etc.) were required to be "different" - i.e. different colours, shapes - in order to avoid or minimise any confusion by the pilot. For example when the flight deck fills with smoke or suffers a lighting blackout, s/he should be able to "feel" for the necessary controls.

That two such controls with very different functions are similar and co-located seems like an accident waiting to happen. As the 737 has been around for a long time, is this door-unlock knob a retrofit in response to flight deck strengthening since 9/11? If so, it would appear that the solution is as bad as or worse than the original problem.

Another example of "security feature causes (or nearly causes) accident" to add to the list.

------------------------------

Date: Sat, 12 Nov 2011 12:58:37 -0600
From: "Richard S. Russell" <richardsrussell_at_private>
Subject: Re: ANA plane goes nearly belly up ... wrong knob turned (Re: McCool, RISKS-26.60)

For a dramatization of this piece of system design, we turn to the film "Monsters vs. Aliens":
http://www.youtube.com/watch?v=L1CxlyMoFRs

Richard S. Russell, a Bright (http://the-brights.net)
2642 Kendall Av. #2, Madison WI 53705-3736  608+233-5640 • RichardSRussell_at_private
http://richardsrussell.livejournal.com/

I have discovered that there are two types of command interfaces in the world of computing: good interfaces and user interfaces.  -- Daniel J. Bernstein

------------------------------

Date: Fri, 11 Nov 2011 20:46:38 +0000 (UTC)
From: jgk_at_private (Joe Keane)
Subject: Re: ANA plane goes nearly belly up ... wrong knob turned (Re: McCool, RISKS-26.60)

Didn't they put different beer handles on the nuclear reactors?

------------------------------

Date: Sun, 13 Nov 2011 21:11:11 +0800
From: jidanni_at_private
Subject: Fun Yahoo! term of service

'You agree to not use the Yahoo! Services to: ... cause a screen to "scroll" faster than other users of the Yahoo! Services are able to type...'

------------------------------

Date: Fri, 28 Oct 2011 14:26:28 -0400
From: David Hollman <dah8_at_private>
Subject: Humorous illustration of computer security

The cartoon XKCD often combines good fun with a real point, such as in this illustration:
http://xkcd.com/970/

I can't think of the last time I was asked to double-enter something of importance *other* than my e-mail address! (On the other hand, I don't want to have to do everything twice either.)

  [This cartoon is actually rather appropriate for RISKS. TNX. PGN]

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.
   The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
   Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request_at_private
   containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
   depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   The full info file may appear now and then in RISKS issues.
   *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
   *** NOTE: Including the string "notsp" at the beginning or end of the subject
   *** line will be very helpful in separating real contributions from spam.
   *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
   is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.61
************************