[RISKS] Risks Digest 26.72

From: RISKS List Owner <risko_at_private>
Date: Sun, 12 Feb 2012 14:35:02 PST
RISKS-LIST: Risks-Forum Digest  Sunday 12 February 2012  Volume 26 : Issue 72

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.72.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Programming error doomed Russian Mars probe (Lauren Weinstein)
... or maybe radiation, not programming, killed the Russian probe (LW)
The Research Works Act (PGN)
HGI scientists break satellite telephony security standards (Horst Goertz Inst)
PayPal STILL doesn't get it (Jim Garrison)
FBI to track social networks (Antony Savvas via Gene Wirchenko)
Twitter can now block tweets in specific countries (Stephen Lawson via GW)
Evidence of massive Iranian Internet blocking -- SSL, etc. (LW)
"Man-in-the-middle" corporate attack in the wild (Jim Ausman)
Symantec recommends disabling pcAnywhere (via Monty Solomon)
"Got remote access? Lock it down" (Robert Lemos via GW)
Aloha Privacy! - Hawaii bill would track all Web surfing in detail (via LW)
Privacy on the Barbie! - Australia considers unlimited communications data
  retention (via LW)
Lawyer sues ex-girlfriend over Google Search results (via LW)
Inside China's censorship machine (via LW)
Hackers take over Boston Police Department website; message cites
  handling of Occupy Boston protest (via Monty Solomon)
Risks: Conviction of Card Scam operators. How the Scam worked. (Len Spyker)
Would the US Extradite UK Blogger for Linking to Works in the Public Domain
  in Other Countries? (Dewayne Hendricks via Dave Farber's IP)
The Heartbreaking Truth About Online Dating Privacy (EFF)
Over 3 years later, "deleted" Facebook photos are still online (via LW)
Re: deducing causality (Richard O'Keefe)
Re: Pocket-dialed 911 calls increasingly common (Danny Burstein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 7 Feb 2012 11:28:23 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Programming error doomed Russian Mars probe

A report presented to Russian Deputy Prime Minister Dmitry Rogozin concludes
that the primary source of the failure of Russia's Phobos-Grunt Mars
spacecraft launched on 9 Nov 2011 was a programming error that "led to a
simultaneous reboot of two working channels of an onboard computer" that
prevented the probe from escaping earth orbit.
  http://news.discovery.com/space/programming-error-doomed-mars-probe.html

------------------------------

Date: Tue, 7 Feb 2012 14:14:41 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: ... or maybe radiation, not programming, killed the Russian probe

http://www.newscientist.com/blogs/shortsharpscience/2012/02/space-radiation-killed-russian.html

------------------------------

Date: Fri, 27 Jan 2012 13:24:18 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: The Research Works Act

This bill would make it illegal to require researchers to make their work
available publicly.

  [Does the Research Works Act work?  Probably not.
   Do Research Works act?  No, although this act might seem theatrical!
   Does Research work?  Yes.  Sometimes it can be very valuable,
     even if often ignored in development communities.  However, much
     past research is widely ignored.  On the other hand, the answer is No,
     if its existence is hidden or otherwise obscured!
   PGN]

> Date: Thu, 26 Jan 2012 17:21:43 -0500
> From: David Farber <dave_at_private>
> Subject: [IP] A small bill in the US, a giant impact for research worldwide

> http://theconversation.edu.au/a-small-bill-in-the-us-a-giant-impact-for-research-worldwide-4996

------------------------------

Date: 8 Feb 2012 17:45:13 +0100
From: Newsletter of the Horst Goertz Institute of IT Security in Bochum
Subject: HGI scientists break satellite telephony security standards

Satellite telephony was thought to be secure against eavesdropping.
Researchers at the Horst Goertz Institute for IT-Security (HGI) at the Ruhr
University Bochum have cracked the encryption algorithms of the European
Telecommunications Standards Institute (ETSI), which are used globally for
satellite telephones, and revealed significant weaknesses.  With simple
equipment, they found the crypto key which is needed to intercept telephone
conversations. Using open-source software and building on their previous
research results, they were able to exploit the security weaknesses.

Telephoning via satellite

In some regions of the world standard cell phone communication is still
not available. In war zones, developing countries and on the high seas,
satellite phones are used instead. Here, the telephone is connected via
radio directly to a satellite. This passes the incoming call to a
station on the ground. From there, the call is fed into the public
telephone network. So far this method, with the ETSI’s encryption
algorithms A5-GMR-1 and A5-GMR-2, was considered secure.

Simple equipment -- fast decryption

For their project, the interdisciplinary group of researchers from the areas
of Embedded Security and System Security used commercially available
equipment, and randomly selected two widely used satellite phones. A simple
firmware update was then loaded from the provider's website for each phone
and the encryption mechanism reconstructed. Based on the analysis, the
encryption of the GMR-1 standard demonstrated similarities to the one used
in GSM, the most common mobile phone system.  ``Since the GSM cipher had
already been cracked, we were able to adopt the method and use it for our
attack,'' explained Benedikt Driessen, of the Chair for Embedded Security
(Prof. Christof Paar). To verify the results in practice, the research group
recorded their own satellite telephone conversations and developed a new
attack based on the analysis.  ``We were surprised by the total lack of
protection measures, which would have complicated our work drastically'',
said Carsten Willems of the Chair for System Security at the RUB.

Invasion of privacy

Encryption algorithms are implemented to protect the privacy of the
user. ``Our results show that the use of satellite phones harbours dangers
and the current encryption algorithms are not sufficient'', emphasized Ralf
Hund of the Chair for System Security (Prof. Thorsten Holz). There is, as
yet, no alternative to the current standards. Since users cannot rely on
their security against interception, similar to the security of standard
cell phones, they will have to wait for the development of new technologies
and standards, or make use of other means of communication for confidential
calls.

  "We were able to completely reverse engineer the encryption algorithms
  employed," said Benedikt Driessen and Ralf Hund of Ruhr University Bochum
  as they announced their report, "Don't Trust Satellite Phones".

------------------------------

Date: Fri, 10 Feb 2012 10:41:07 -0800
From: Jim Garrison <jhg_at_private>
Subject: PayPal STILL doesn't get it

Last week I received an e-mail from PayPal with the subject

  Your action is needed to continue using your PayPal account

and containing lines like

  Log in to agree to our Electronic Communications Delivery Policy
    ...
  an important NOTICE FROM PayPal: YOUR CONSENT IS REQUIRED

	LOGIN TO CONSENT [link]

Of course, this looks *exactly* like the millions of other phishing e-mails
that are this very moment flying across the Internet.  But this one looked
really well put together, unlike most others, so I took a look at the
source.

It's real.  All the links are legit, and when I logged in (by typing in the
PayPal URL, not clicking a link) there indeed was a notice of updated terms.

As we all know, the e-mail should have contained no login links and should
have advised the recipient to log in by entering the URL manually. Somebody
at PayPal deserves a dope-slap.

I decided to submit it to PayPal's spoof-investigation address to point out
the error of their ways, and today received this:

  Our security team is working to identify if the e-mail you forwarded to us
  is a phishing e-mail. We will get in touch shortly to let you know our
  findings.

I await their findings with interest :-)
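The shape Jim describes (urgent subject, a clickable "log in" link) can be checked mechanically on inbound mail. This is an added example, not code from the original post or from PayPal; the message, sender and hosts below are constructed placeholders, and the "brand domain" is a parameter you supply.

```python
"""Flag e-mails with the phishing shape described above (urgent subject, a
clickable "log in" / "consent" link), whether or not the sender is genuine.
Added example, not from the original post or from PayPal; the messages and
hosts below are constructed placeholders."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("action is needed", "consent is required", "suspended", "verify")
LOGIN_PHRASES = ("log in", "login", "sign in", "consent")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Crude 'registrable domain' (last two labels) for a URL or bare host."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def extract_links(msg):
    """Return (href, text) pairs from the HTML part, or bare URLs from text."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    content = body.get_content()
    if body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        return collector.links
    return [(w, w) for w in content.split() if w.startswith(("http://", "https://"))]


def phishing_indicators(raw_message, brand_domain):
    """Return human-readable findings for one RFC 5322 message.

    A non-empty list means the mail is phishing-shaped.  A genuine sender can
    still trigger 'login call-to-action' (the PayPal case above); the
    'off-brand' findings are what separate a spoof from a badly designed
    genuine notice."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    subject = str(msg["subject"] or "")
    if any(p in subject.lower() for p in URGENCY_PHRASES):
        findings.append("urgent subject: " + subject)
    addresses = getattr(msg["from"], "addresses", ())
    if addresses and registrable_host(addresses[0].domain) != brand_domain:
        findings.append("sender domain off-brand: " + addresses[0].domain)
    for href, text in extract_links(msg):
        if any(p in text.lower() for p in LOGIN_PHRASES):
            findings.append(f"login call-to-action link: {text!r} -> {href}")
        if registrable_host(href) != brand_domain:
            findings.append("link host off-brand: " + href)
    return findings


# Constructed sample modelled on the notice described above: genuine sender,
# genuine links, but shaped exactly like a phish.
GENUINE_NOTICE = """\
From: service@example-payments.test
To: customer@example.test
Subject: Your action is needed to continue using your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Log in to agree to our Electronic Communications Delivery Policy.</p>
<p>An important NOTICE: YOUR CONSENT IS REQUIRED</p>
<p><a href="https://www.example-payments.test/signin">LOGIN TO CONSENT</a></p>
</body></html>
"""

# Constructed spoof of the same notice: same wording, off-brand sender and link.
SPOOF = GENUINE_NOTICE.replace("service@example-payments.test", "service@mail-relay.test") \
    .replace("https://www.example-payments.test/signin",
             "https://example-payments.test.login-portal.test/signin")

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_NOTICE), ("spoof", SPOOF)):
        print(label)
        for finding in phishing_indicators(raw, "example-payments.test"):
            print("  -", finding)
```

The genuine notice still produces two findings, which is exactly the point: the recipient has no way to tell it from the spoof without reading the raw source.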

------------------------------

Date: Fri, 27 Jan 2012 10:26:23 -0800
From: Gene Wirchenko <genew_at_private>
Subject: FBI to track social networks (Antony Savvas)

Antony Savvas, App would crawl Twitter and Facebook, *IT Business*, 27 Jan 2012

The US Federal Bureau of Investigation (FBI) is planning to develop an
application that can track the public's postings to Facebook, Twitter and
other social networks, in order to aid how it predicts and reacts to
criminal behaviour, including public disorder and terrorism.  ...
http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=65839

------------------------------

Date: Fri, 27 Jan 2012 10:24:29 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Twitter can now block tweets in specific countries"

Stephen Lawson, *IT Business*, 27 Jan 2012
http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=65840
The messages would be visible elsewhere in the world and the removal
would be clearly marked, Twitter said.

------------------------------

Date: Fri, 10 Feb 2012 09:53:05 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Evidence of massive Iranian Internet blocking (SSL, etc.)

Evidence of massive Iranian Internet blocking -- SSL, etc. [From NNSquad]

http://j.mp/wmu13o  (Google+)
http://j.mp/AaJ27E  (Google+)

------------------------------

Date: Feb 7, 2012 4:49 PM
From: "Jim Ausman" <ausman_at_private>
Subject: "Man-in-the-middle" corporate attack in the wild

  (From Dave Farber's IP)

Trustwave, a Certificate Authority, issued a certificate that allowed the
owner to issue any valid certificate to facilitate man-in-the-middle attacks
on their employees.

http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html

They say that they used a special hardware container to ensure that this
could not be used for anything other than the intended purpose, but this
still indicates that a long-suspected weakness in the CA infrastructure is
being exploited to eavesdrop on traffic.

http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html

EFF sent out an alert about the fact that Iran was doing this a few months
ago, but this is the first I have heard of a corporation doing it.

https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google

------------------------------

Date: Fri, 27 Jan 2012 09:00:15 -0500
From: Monty Solomon <monty_at_private>
Subject: Symantec recommends disabling pcAnywhere

Symantec pcAnywhere Security Recommendations

Introduction

Upon investigation of the claims made by Anonymous regarding source code
disclosure, Symantec believes that the disclosure was the result of a theft
of source code that occurred in 2006. We believe that source code for the
2006-era versions of the following products was exposed: Norton Antivirus
Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton
Utilities and Norton GoBack); and pcAnywhere.

With this incident pcAnywhere customers have increased risk.  Malicious
users with access to the source code have an increased ability to identify
vulnerabilities and build new exploits.  Additionally, customers that are
not following general security best practices are susceptible to
man-in-the-middle attacks which can reveal authentication and session
information. General security best practices include endpoint, network,
remote access, and physical security, as well as configuring pcAnywhere in a
way that minimizes potential risks.

At this time, Symantec recommends disabling the product until Symantec
releases a final set of software updates that resolve currently known
vulnerability risks. For customers that require pcAnywhere for business
critical purposes, it is recommended that customers understand the current
risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as
they are released, and follow the general security best practices discussed
herein.

This document is designed to help customers understand the situation and to
provide remediation steps to maintain the protection of their devices and
information. ...

http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

------------------------------

Date: Fri, 10 Feb 2012 15:05:10 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Got remote access? Lock it down" (Robert Lemos)

http://www.infoworld.com/t/application-security/got-remote-access-lock-it-down-186194
Robert Lemos, InfoWorld, 10 Feb 2012
Got remote access? Lock it down
Poorly configured remote-access software is to blame for the majority of
data breaches by hackers, according to security reports from Verizon and
Trustwave

opening text:

While the theft of source code for Symantec's pcAnywhere has put the
remote-access program in the spotlight, the security issues posed by remote
management products are not new. In fact, data released over the last year
shows that poorly configured remote-access programs routinely account for a
significant portion of data breaches and network security incidents.

Remote-access software, for example, led to a stunning 62 percent of
breaches studied by security firm Trustwave in its recently released global
security report.

------------------------------

Date: Thu, 26 Jan 2012 09:49:06 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Aloha Privacy! - Hawaii bill would track all Web surfing in detail

http://j.mp/wYfWgu  (CNET via NNSquad)

  Hawaii's legislature is weighing an unprecedented proposal to curb the
  privacy of Aloha State residents: requiring Internet providers to keep
  track of every Web site their customers visit.

------------------------------

Date: Thu, 26 Jan 2012 09:46:56 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Privacy on the Barbie! - Australia considers unlimited
	communications data retention

http://j.mp/A5Opfx  (Slashdot via NNSquad)

  Australia would like to follow the EU down the 'European Directive on Data
  Retention' path. Law enforcement agencies may have the option to request a
  log of all of a user of interest's telco usage without any review or time
  limits.

------------------------------

Date: Thu, 26 Jan 2012 10:24:16 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Lawyer sues ex-girlfriend over Google Search results

http://j.mp/xhJiCo  (FOX via NNSquad)

  But in Matt's case, his "slanderer" isn't so anonymous. In fact, Amanda
  Ryncarz, Matt's former girlfriend, fully admits posting on the site about
  their three-year relationship.  "I posted on liarscheatersrus.com," she
  said in a written statement, "because I wanted to warn other women in
  order to protect them from what I suffered."  Couloute is now suing
  Ryncarz for "tortious interference with prospective business
  relations."  It's a case that could determine what people are and are not
  allowed to post on the Web.

------------------------------

Date: Sun, 29 Jan 2012 17:18:36 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Inside China's censorship machine

http://j.mp/yILrSa  (Full Comment, via NNSquad)

  China's censorship system is complex and multilayered. The outer layer is
  generally known as the "great firewall" of China, through which hundreds
  of thousands of websites are blocked from view on the Chinese
  Internet. What this system means in practice is that when one goes online
  from an ordinary commercial Internet connection inside China and tries to
  visit a website such as hrw.org, the website belonging to Human Rights
  Watch, the web browser shows an error message saying, "This page cannot be
  found." This blocking is easily accomplished because the global Internet
  connects to the Chinese Internet through only eight "gateways," which are
  easily "filtered."

------------------------------

Date: Sat, 4 Feb 2012 21:13:34 -0500
From: Monty Solomon <monty_at_private>
Subject: Hackers take over Boston Police Department website; message cites
 handling of Occupy Boston protest

http://www.boston.com/Boston/metrodesk/2012/02/hackers-take-over-boston-police-department-website/mKzINebAXJWcv7uBZKZB0K/index.html

------------------------------

Date: Sun, 5 Feb 2012 10:05:51 +0800
From: "Len Spyker" <redmond2_at_private>
Subject: Risks: Conviction of Card Scam operators. How the Scam worked.

Hooray! Two people running a card swipe scam, mainly in Perth, Australia, have
been convicted of a $3.5 million scam. Over 400 people were defrauded.

http://au.news.yahoo.com/thewest/a/-/breaking/12804738/man-found-guilty-of-mcdonalds-card-scam/

The expert witness for the DA and the lay jury bravely handled the attempt
by the highly technically savvy defence team to throw doubt on the technical
testimony.

A small group of Perth gurus, with backgrounds in design of card reader
hardware, software and security, aided the police investigation and provided
support for the DA's team.

This scam was achieved by substituting, at fast food drive-throughs, modified
handheld terminals of the same make that had previously been stolen.

How this substitution could be done without anyone noticing is described
later on.

The criminals applied a set of clever modifications INSIDE the terminal.
Undetectable from the outside.

These bugged terminals were then handed over to customers in cars at fast
food drive-throughs throughout the Perth area.

The modified terminals sent the customer's CARD swipe and PIN codes by radio
link to nearby cars staffed by as yet uncaught associates.

New cards were created with this information and all the funds sucked out of
many accounts.

Caveat: some of the below is based on off-the-record rumours:

Security failures:

[1] There was no inside job: Sadly the drive through sites themselves
provided the "Open Sesame" for these baddies quite by accident.

The card terminals that were handed to the car had the spiral cable
security clamps REMOVED, because of the habit of this brand of terminal to
lock up, and ONLY by unplugging would the terminal reset.

This fault occurred so often that the under-pressure staff worked out a
"solution" and just left the cable's security clamp off!

Terminal Swap out technique:

The crook's car enters the drive-through as normal. They order, the staff
hands over an (unclamped) terminal, and a normal transaction occurs.

Then the modified terminal is substituted in just a few seconds, and handed
back.

This clean terminal is then modified and taken to a new store.

A nearly perfect Do While loop with one exit case, "If Police" then break.

[2] So why was this swap not detected?

My guess is that there was software in the card host controller which
allowed new or different terminals to be rapidly connected and re-activated
without causing any alarms or requiring a manual log-in.

Many possible reasons: Code flaws, poor testing, misguided directions from a
client?  I do hope this may be made public one day.

Do not treat this as a one-off down-under crime. This crime is likely to be
part of a worldwide scam.

A smart techno crook has noticed the physically unprotected terminal cable
and worked out how to get rich quick.

Notify the store, police or newspaper in your area if you see an unclamped
cable when you are handed a terminal in a drive through.

If you can unplug it so can the crooks.

Len Spyker, Perth, Australia.
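Len's point [2] is that the host controller re-activated a different terminal on the same lane without an alarm or a manual log-in. The following is an added example (not from the original post or any real payment host) of the host-side checks that would have caught the swap: a per-lane enrolment registry that holds any connection whose serial, home store or unplug/replug timing does not fit. Store names, lane numbers, serials and the event log are constructed.

```python
"""Host-controller checks for the terminal swap described above.  Added
example, not from the original post or any real payment host: it models an
acquirer-side registry of which terminal serial is enrolled on which
drive-through lane, and holds any connection that does not fit for manual
approval.  All store, lane and serial values are constructed."""
from collections import namedtuple
from datetime import datetime, timedelta

# kind is "connect" or "disconnect"; serial is what the terminal reports on
# the cable when it is plugged in.
Event = namedtuple("Event", "time store lane serial kind")


class TerminalRegistry:
    """Per-lane enrolment plus the three alarms missing in the scam:
    unexpected serial on a lane, a terminal appearing away from its home
    store, and a different device replugged shortly after an unplug."""

    REPLUG_WINDOW = timedelta(minutes=5)

    def __init__(self, enrolment):
        self.enrolment = dict(enrolment)                 # (store, lane) -> serial
        self.home = {s: k[0] for k, s in self.enrolment.items()}  # serial -> store
        self.last_disconnect = {}                        # (store, lane) -> (time, serial)
        self.alerts = []

    def process(self, ev):
        """Return "accept" or "hold" for a connect; "noted" for a disconnect."""
        key = (ev.store, ev.lane)
        if ev.kind == "disconnect":
            self.last_disconnect[key] = (ev.time, ev.serial)
            return "noted"
        before = len(self.alerts)
        stamp = f"{ev.time:%H:%M:%S} {ev.store} lane {ev.lane}:"
        expected = self.enrolment.get(key)
        if expected is None:
            self.alerts.append(f"{stamp} no terminal enrolled on this lane")
        elif ev.serial != expected:
            self.alerts.append(f"{stamp} serial {ev.serial} where {expected} is enrolled")
        home = self.home.get(ev.serial)
        if home is not None and home != ev.store:
            self.alerts.append(f"{stamp} serial {ev.serial} belongs to {home}")
        prev = self.last_disconnect.get(key)
        if prev and prev[1] != ev.serial and ev.time - prev[0] <= self.REPLUG_WINDOW:
            gap = int((ev.time - prev[0]).total_seconds())
            self.alerts.append(
                f"{stamp} {prev[1]} unplugged, {ev.serial} plugged in {gap}s later (possible swap)")
        # Anything suspicious is held for a manual log-in instead of being
        # silently re-activated, which is the behaviour Len says was missing.
        return "hold" if len(self.alerts) > before else "accept"


def run(events, enrolment):
    """Feed events in time order; return (decisions for connects, alerts)."""
    reg = TerminalRegistry(enrolment)
    decisions = [d for d in (reg.process(ev) for ev in sorted(events)) if d != "noted"]
    return decisions, reg.alerts


# Constructed enrolment and event log reproducing the sequence in the post.
ENROLMENT = {("store-A", 1): "T-1001", ("store-B", 2): "T-2002"}
T0 = datetime(2012, 2, 5, 12, 0, 0)
EVENTS = [
    Event(T0, "store-A", 1, "T-1001", "connect"),                         # start of shift
    Event(T0 + timedelta(minutes=2), "store-A", 1, "T-1001", "disconnect"),  # staff unplug to clear a lock-up
    Event(T0 + timedelta(minutes=2, seconds=20), "store-A", 1, "T-1001", "connect"),  # same device back
    Event(T0 + timedelta(minutes=30), "store-A", 1, "T-1001", "disconnect"),
    Event(T0 + timedelta(minutes=30, seconds=15), "store-A", 1, "T-2099", "connect"),  # different serial 15 s later
    Event(T0 + timedelta(minutes=90), "store-B", 2, "T-1001", "connect"),  # store-A's terminal turns up at store-B
]

if __name__ == "__main__":
    decisions, alerts = run(EVENTS, ENROLMENT)
    print(decisions)
    for alert in alerts:
        print(alert)
```

The staff's own unplug-to-reset habit (same serial back within seconds) is accepted, so the check does not fight the workaround that created the exposure; only a different device on the cable is held.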

------------------------------

Date: Mon, Feb 6, 2012 at 11:10 AM
From: Dewayne Hendricks <dewayne_at_private>
Subject: Would the US Extradite UK Blogger for Linking to Works in the
  Public Domain in Other Countries?

  [From Dave Farber's IP distribution.  PGN]

Would The US Extradite UK Blogger For Linking To Works In The Public Domain
In Other Countries?
from the insanity-of-today's-copyright-laws dept

http://www.techdirt.com/articles/20120201/00455517613/would-us-extradite-uk-blogger-linking-to-works-public-domain-other-countries.shtml

James Firth has an interesting post, talking about some of the more
ridiculous consequences of current US law enforcement interpretation of
copyright law. Looking at the case of Richard O'Dwyer, the computer science
student that the US is getting closer to extraditing to the US to face
criminal copyright infringement charges for merely linking to infringing
works (something that had already been found legal in the UK multiple
times), Firth takes it to its logical ends. He points out that George
Orwell's works, Animal Farm and 1984 have gone into the public domain in
South Africa, Canada or Australia. And thus, there are completely legal
free copies of such works online. But they're only legal in those
countries. In the US and the UK, both remain under the yoke of copyright
thanks to copyright extensions.

This leads to a simple fear. If he merely pointed people to the location of
these completely legal versions of the work, he would now be just as
"guilty" as Richard O'Dwyer under the interpretation of the US Justice
Department. After all, he is using a .com domain (American property,
according to the stretched interpretation of the DOJ) to link to works that
technically infringe in both the UK -- where he is -- and the US, where the
DOJ has suddenly become the US entertainment industry's private police
force. ...

------------------------------

Date: Feb 10, 2012 10:30 AM
From: "EFF Press" <press_at_private>
Subject: The Heartbreaking Truth About Online Dating Privacy (EFF)

Electronic Frontier Foundation Media Release
For Immediate Release: Friday, February 10, 2012

The Heartbreaking Truth About Online Dating Privacy
Users Beware: Many Sites Have Serious Security Holes

San Francisco - Millions of people use Internet dating sites to search for
love and connection every day, but it could come at a big cost for their
privacy and security.  The Electronic Frontier Foundation (EFF) has found
that many services are taking shortcuts in safeguarding users' profiles and
other sensitive data.

In "Six Heartbreaking Truths About Online Dating Privacy," EFF identifies
serious security holes and counter-intuitive privacy settings that could
expose daters' private information.  For example, your dating profile --
including your photo -- can hang around long after you think you've taken
yourself off the market.  Some sites are also sucking up the vast quantity
of data their users share and selling it to online marketers.  If you aren't
careful, your profile can also be indexed by Google, perhaps popping up in
search results if you have an unusual nickname or other unique ways of
describing yourself.

"Whether you signed up on a lark or maintained an active profile for years,
you may be exposing more information about yourself than you know," said EFF
Activism Director Rainey Reitman.  "There are a number of ways your online
dating profile can be connected to your real identity, exposing things like
religious and political beliefs, drug and alcohol use, and sexual
preferences.  That's why we created this list of the biggest risks, and
included some simple tips for online daters who want to protect themselves."

As part of its campaign to raise awareness about the privacy and security
risks on popular online dating sites, EFF analyzed the security practices of
eight major sites.  Many of the most popular sites, like eHarmony and
Match.com, don't offer secure access through HTTPS by default, and OkCupid
doesn't provide HTTPS access at all.  That means every OkCupid username,
e-mail, chat session, search, and page viewed are all transmitted in
plaintext instead of in encrypted form.

"OkCupid says it can limit who sees your profile -- for example, users who
identify as gay or bisexual may opt out of being seen by straight people,"
said EFF Senior Staff Technologist Seth Schoen.  "But without HTTPS, the
fact that you identify as gay and don't want to be seen by some groups is
sent in plaintext, making it easy for someone with the right skills to
uncover it.  Major sites like Twitter and Facebook have implemented HTTPS
recently to protect their users.  But dating sites like OkCupid are sadly
lagging behind."

Six Heartbreaking Truths About Online Dating Privacy:
https://www.eff.org/deeplinks/2012/02/six-heartbreaking-truths-about-online-dating-privacy

Comparing Privacy and Security Practices on Online Dating Sites:
https://www.eff.org/deeplinks/2012/02/comparing-privacy-and-security-online-dating-sites

Find out more at https://www.eff.org.

Contacts:
Rainey Reitman
 Activist, Electronic Frontier Foundation,  rainey_at_private
 +1 415 436-9333 x140

Seth Schoen
 Senior Staff Technologist,  Electronic Frontier Foundation,  seth_at_private
 +1 415 436-9333 x107

------------------------------

Date: Sun, 5 Feb 2012 16:46:35 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Over 3 years later, "deleted" Facebook photos are still online

  [From nnsquad_at_private]

  "Facebook is still working on deleting photos from its servers in a timely
  manner nearly three years after Ars first brought attention to the
  topic. The company admitted on Friday that its older systems for storing
  uploaded content "did not always delete images from content delivery
  networks in a reasonable period of time even though they were immediately
  removed from the site," but said it's currently finishing up a newer
  system that makes the process much quicker. In the meantime, photos that
  users thought they "deleted" from the social network months or even years
  ago remain accessible via direct link."
  http://j.mp/xMjyV9  (ars technica)

------------------------------

Date: Tue, 31 Jan 2012 15:43:39 +1300
From: "Richard O'Keefe" <ok_at_private>
Subject: Re: deducing causality (RISKS-26.71)

In RISKS-26.71, PGN drew our attention to a *WiReD* article by Jonah Lehrer.
I've read that article carefully, and have to say that it has some large
leaps of illogic.  A better title than 'Why Science is Failing Us' would
have been 'Trials and Errors: How Scientific Testing Prevented Millions of
People Being Killed'.  Let me offer a translation for programmers:

(1) Pfizer's scientific understanding of the cholesterol pathways was
    soundly based and their drug design rightly worth exploring.  The
    drug had the immediate effects on that system that they expected it
    to.  A closely related drug with the *same* target (that is, based
    on the same science) looks as though it may work, with less bad.

(2) However, their understanding was *limited*.  As is by now pretty
    well known, *most* drugs have multiple effects in many systems of
    the body.  Pfizer's scientists understood quite well that understanding
    what a drug will do to the cholesterol pathway is NOT the same as
    understanding what it will do in a whole person.

(3) The thing that makes scientific drug development science is TESTING.
    As Risks readers will surely understand, when the test phase said
    "OOPS!", that was NOT science failing, that was science working brilliantly.
    If the *drug* fails the test, that means the *test* did NOT fail.

There are obvious lessons for programmers here.  They are not the lessons
("causality is hallucination", "science is failing us") that Jonah Lehrer
learned.  The lesson is that the real world is always more complicated than
our models of it (otherwise there wouldn't be any point in _having_ models);
that there are always unexpected interactions in complex systems; and that
there is no substitute for testing in the best approximation to the real
world that you can get; and that failed tests count as successes of the
testing process.

It is *better* that Pfizer should lose $21e9 in value on the questionably real
stock market than that millions of people should die from an untested drug.

Anyone who expects (program or drug or bridge or highway or ...) designs to
work without testing and without unexpected consequences must have
slept through the entire 20th century.

------------------------------

Date: Thu, 26 Jan 2012 22:02:01 -0500 (EST)
From: Danny Burstein <dannyb_at_private>
Subject: Re: Pocket-dialed 911 calls increasingly common (Brader, RISKS-26.71)

Risks-Forum Digest, Volume 26 : Issue 71, had the following (excerpted)

From: msb_at_private (Mark Brader)
Subject: Pocket-dialed 911 calls increasingly common

[snip... regarding "butt dialing" of 911 calls]

Police are now campaigning to ask cellphone users to "lock it before you
pocket", but some smartphones can dial 911 even when the phone is locked.
--------

For some value of "smartphones", and for that matter, "dumbphones",
approaching pretty close to 100 percent.

* A likely contributor to this problem is that a hefty percentage of
  cellphones will _also_ accept calls to "112", the GSM international
  standard for emergency calls. (There's another one as well which isn't as
  common, but many phones will accept that one, too.)

  And, per FCC (US) and similar rules in Canada, cell phones, even without a
  service plan, must be allowed to connect to the "911" call receiving
  centers (PSAPs).

  If you take, for example, a T-Mobile (USA) or Rogers (Canada) cellphone
  and remove the SIM card, you can still make calls to "911". And... if you
  punch in "112", the phone will contact the network, which will then handle
  it as if you dialed "911".

Given the physical layout of keypads, I'd guess that "112" is probably the
path for a hefty number of these calls.

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.72
************************
Received on Sun Feb 12 2012 - 14:35:02 PST
