RISKS-LIST: Risks-Forum Digest  Thursday 19 July 2012  Volume 26 : Issue 93

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.93.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Washington State wants to register voters via Facebook (Peter Houppermans)
Facebook security 'checkpoint' hits user roadblock
  (Antone Gonsalves via Gene Wirchenko)
Passwords leaked from Yahoo: Boozy, preachy, angry -- and easy
  (Stephen Lawson via Gene Wirchenko)
Bitcoinica exchange funds hacked, again (Mark Thorson)
Accidents due to confusion of units of measurement (jidanni)
Mom accessed school system 110 times to change kids' grades
  (Emil Protalinski via Monty Solomon)
Online identity theft up 200% since 2010 (Emil Protalinski via Monty Solomon)
Warning: Scams surrounding 2012 Olympics have already begun
  (Emil Protalinski via Monty Solomon)
"GPS watch to keep tabs on kids, seniors could hit Canada by autumn"
  (Christine Wong via Gene Wirchenko)
Re: FDA spied on its own people - and then the evidence leaked
  (Steven J Klein, Ken Knowlton)
Re: In the UK, encryption implies potential guilt? (David Alexandero)
Re: Major Snafu in New Zealand Election was 'Human Error' (Gregor Ronald)
Re: Taxing old browsers out of existence
  (Dimitri Maziuk, Henry Baker, Jonathan Kamens, Arthur T.)
Re: Privacy trumps cybersecurity!
  (Dick Mills)
"Apple wins patent for transparent scroll bar" (Gene Wirchenko)
Re: Announcement of civil timekeeping meeting (J R Stockton)
Tests (Monty Solomon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 18 Jul 2012 13:46:09 +0200
From: Peter Houppermans <peter_at_private>
Subject: Washington State wants to register voters via Facebook

"Facebook users in Washington state will have something else to brag about
to their online friends: that they registered to vote on Facebook. The
secretary of state's office said Tuesday it will have an application on its
Facebook page that allows residents to register to vote and then "like" the
application and recommend it to their friends. It's expected to launch as
early as next week."

http://hosted.ap.org/dynamic/stories/U/US_VOTER_REGISTRATION_FACEBOOK?SITE=CAANR&SECTION=HOME&TEMPLATE=DEFAULT

Pay particular attention to the bright idea to get users used to trusting
page overlays on Facebook. With "friends" like that..

  [... presumably with multiple aliases and personas, as well. An obvious
  next step might be legislation requiring would-be voters to cast their
  votes on Facebook or other social networking media. That would clearly
  solve all our concerns for security, integrity, equal access, and privacy?
  PGN]

------------------------------

Date: Tue, 17 Jul 2012 13:09:44 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Facebook security 'checkpoint' hits user roadblock (Antone Gonsalves)

Antone Gonsalves, *InfoWorld*, 13 Jul 2012
Facebook security 'checkpoint' hits user roadblock; Some Facebook users say
their accounts were locked when they tried to use the new Malware Checkpoint
service
https://www.infoworld.com/d/security/facebook-security-checkpoint-hits-user-roadblock-197716

------------------------------

Date: Tue, 17 Jul 2012 13:13:17 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Passwords leaked from Yahoo: Boozy, preachy, angry -- and easy
  (Stephen Lawson)

Stephen Lawson, *InfoWorld*, 13 Jul 2012
Passwords leaked from Yahoo: Boozy, preachy, angry -- and easy; The account
passwords taken from a Yahoo database reveal much about users, good and bad
https://www.infoworld.com/d/security/passwords-leaked-yahoo-boozy-preachy-angry-and-easy-197696

------------------------------

Date: Tue, 17 Jul 2012 16:14:24 -0700
From: Mark Thorson <eee_at_private>
Subject: Bitcoinica exchange funds hacked, again

After the Bitcoinica exchange for the Bitcoin cryptocybercurrency was hacked
in May, they changed all their passwords but they did not change an
uncompromised password they used on another system. Unfortunately that
password was the same as one of the compromised passwords. Oops. About
USD$350,000 gone.

http://siliconangle.com/blog/2012/07/16/bitcoinica-cant-catch-a-break-recent-breach-hemorrhages-40000-btc/

------------------------------

Date: Thu, 19 Jul 2012 09:41:12 +0800
From: jidanni_at_private
Subject: Accidents due to confusion of units of measurement

Don't forget your units, programmer dudes.
http://en.wikipedia.org/wiki/Metrication#Accidents_and_incidents

  ... ran out of fuel in mid-flight.
  The incident was caused, in a large part, by the confusion over the
  conversion among litres, kilograms, and pounds, resulting in the aircraft
  receiving 22,300 pounds of fuel instead of the required 22,300 kg.

  ... approximately 10 - 12% of bridge strikes involved foreign lorries. This
  is disproportionately high in terms of the number of foreign lorries on the
  road network.

------------------------------

Date: Thu, 19 Jul 2012 13:01:51 -0400
From: Monty Solomon <monty_at_private>
Subject: Mom accessed school system 110 times to change kids' grades

Summary: A former secretary successfully changed her daughter's grade from
an F to an M and her son's grade from a 98 to a 99. She used the school
district's superintendent's password to pull off the deeds.

45-year-old Catherine Venusto allegedly changed her children's grades by
using passwords she obtained while working for their school district. She
was charged with three counts each of unlawful use of a computer and
computer trespass. The former secretary was arraigned Wednesday on a
half-dozen felony counts and released on $30,000 unsecured bail, court
records show. State police say she admitted changing the grades, and while
she agreed her actions were unethical, she didn't think they were illegal. ...

[Source: Emil Protalinski, ZDNet, 19 Jul 2012]
http://www.zdnet.com/mom-accessed-school-system-110-times-to-change-kids-grades-7000001230/

------------------------------

Date: Thu, 19 Jul 2012 13:01:51 -0400
From: Monty Solomon <monty_at_private>
Subject: Online identity theft up 200% since 2010

Summary: Following the recent slew of attacks against various websites that
resulted in millions of user accounts being compromised, comes this little
statistic: fraudsters traded 12 million pieces of personal information
online in just Q1 2012.

In Q1 2012, fraudsters traded 12 million pieces of personal information
online, or a 200 percent increase over 2010.
Most people were unaware their identity had been stolen until they were
denied access to something. Identity theft victims commonly experience
refusal of loans or credit cards (14 percent), debts being run up in their
name (9 percent), refusal of mobile phone contracts (7 percent), and being
chased by debt collectors for money they do not owe (7 percent). ...

[Source: Emil Protalinski, ZDNet, 19 Jul 2012]
http://www.zdnet.com/online-identity-theft-up-200-since-2010-7000001170/

------------------------------

Date: Thu, 19 Jul 2012 13:01:51 -0400
From: Monty Solomon <monty_at_private>
Subject: Warning: Scams surrounding 2012 Olympics have already begun
  (Emil Protalinski)

Summary: This year's Summer Olympics are less than two weeks away. That means
you should already be wary of scams and spam heading your way. Be sure to
remind family and friends to avoid e-mails and websites claiming you've won
something related to the Games.

Source: Emil Protalinski, ZDNet, 18 Jul 2012
http://www.zdnet.com/warning-scams-surrounding-2012-olympics-have-already-begun-7000001151/

------------------------------

Date: Wed, 18 Jul 2012 09:39:53 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "GPS watch to keep tabs on kids, seniors could hit Canada by autumn"
  (Christine Wong)

Christine Wong, *IT Business*, 17 Jul 2012
GPS watch to keep tabs on kids, seniors could hit Canada by autumn
A U.S. startup is marketing the watches as back-to-school items. It's also
keeping a close eye on Canadian Eric Migicovsky's Pebble watch story.
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=68279

What kid is going to want to be tracked 24-7? "Oh, I left it in my locker."
Or aesthetics. "Suzie's was a nicer colour, so we traded."
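
  [Editorial example, picking up jidanni's units item earlier in this issue
  (22,300 pounds of fuel loaded where 22,300 kg were required). It is added
  here and is not from the digest or from any contributor. It shows what
  "don't forget your units" looks like in code: a quantity that carries its
  unit turns a pounds/kilograms mix-up into a hard error at the arithmetic,
  instead of a number that silently means something else. The Quantity
  class, UnitError, q() and the fuel_* helpers are constructed for the
  illustration; 1 lb = 0.45359237 kg is the standard definition; the 22,300
  figures are the ones quoted in the item.]

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Union

# Conversion factor from each unit to the base unit of its dimension.
# 1 lb = 0.45359237 kg (the international definition). Litres are a volume,
# so they can never be turned into a mass without a density: different
# dimension, no factor.
UNITS = {
    "kg": ("mass", Fraction(1)),
    "lb": ("mass", Fraction("0.45359237")),
    "L": ("volume", Fraction(1)),
}


class UnitError(TypeError):
    """Raised when arithmetic would silently mix incompatible units."""


@dataclass(frozen=True)
class Quantity:
    value: Fraction   # exact rational, so conversions carry no float noise
    unit: str

    def __post_init__(self) -> None:
        if self.unit not in UNITS:
            raise UnitError(f"unknown unit {self.unit!r}")

    @property
    def dimension(self) -> str:
        return UNITS[self.unit][0]

    def to(self, unit: str) -> "Quantity":
        """Convert within one dimension; refuse mass <-> volume outright."""
        if unit not in UNITS:
            raise UnitError(f"unknown unit {unit!r}")
        target_dim, target_factor = UNITS[unit]
        if target_dim != self.dimension:
            raise UnitError(f"cannot convert {self.unit} ({self.dimension}) "
                            f"to {unit} ({target_dim})")
        in_base = self.value * UNITS[self.unit][1]
        return Quantity(in_base / target_factor, unit)

    def __add__(self, other: "Quantity") -> "Quantity":
        # The result is expressed in the left operand's unit; the right
        # operand is converted first, or the conversion raises.
        return Quantity(self.value + other.to(self.unit).value, self.unit)

    def __sub__(self, other: "Quantity") -> "Quantity":
        return Quantity(self.value - other.to(self.unit).value, self.unit)


def q(value: Union[int, float, str], unit: str) -> Quantity:
    """Build a Quantity; floats go through str() so 0.1 stays exactly 1/10."""
    return Quantity(Fraction(str(value)), unit)


def fuel_shortfall_kg(required: Quantity, on_board: Quantity) -> Fraction:
    """Fuel still missing, in kg, whatever units the two figures arrived in.
    A figure in the wrong unit is converted, not taken at face value."""
    return (required - on_board).to("kg").value


def naive_shortfall(required: float, on_board: float) -> float:
    """The bare-number version: 22300 'is' 22300, whatever the unit meant."""
    return required - on_board


def fuel_case() -> dict:
    """The case quoted in the item: 22,300 kg required, 22,300 lb delivered."""
    required = q(22300, "kg")
    delivered = q(22300, "lb")
    return {
        # 0.0: the unit-less subtraction reports a full tank
        "naive_shortfall": naive_shortfall(22300, 22300),
        # about 12,185 kg short: 22,300 lb is only 10,115.109851 kg
        "typed_shortfall_kg": fuel_shortfall_kg(required, delivered),
    }


def mixing_volume_and_mass_is_rejected() -> bool:
    """Adding litres to kilograms must fail loudly, not produce a number."""
    try:
        q(22300, "kg") + q(1000, "L")
    except UnitError:
        return True
    return False
```

  The point of the Fraction and the frozen dataclass is that every number in
  the program is paired with its unit from the moment it is read in, so the
  only place a pound can become a kilogram is an explicit, checked to()
  call; the litres-to-kilograms case, which needs a density the code does
  not have, is refused rather than guessed.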
------------------------------

Date: Tue, 17 Jul 2012 19:32:10 -0400
From: Steven J Klein <steven_at_private>
Subject: Re: FDA spied on its own people - and then the evidence leaked

In RISKS-26.92, Peter Houppermans linked to a *New York Times* article about
the FDA tracking email sent by its scientists. Mr Houppermans' submission
included this:

  Note that the FDA has come up with a new "crime": people are guilty of
  RECEIVING confidential information.

The article does not say the FDA considered it a crime, and the phrase he
puts in quotes does not appear anywhere in the article. The article
mentioned some people "were suspected of receiving confidential
information," which is very different from what Mr Houppermans implied.

------------------------------

Date: Tue, 17 Jul 2012 17:32:56 -0400 (EDT)
From: Ken Knowlton <kcknowlton_at_private>
Subject: Re: FDA spied on its own people - and then the evidence leaked

Crime of receiving confidential Info? Re: Peter Houppermans, RISKS-26.92,
noting that the FDA has come up with a new `crime' - that of being ``guilty
of RECEIVING confidential information'', an obvious thought: Couldn't Julian
Assange and WikiLeaks have fun with that! For that matter, is there anyone
in the country who is not already guilty?

------------------------------

Date: Wed, 18 Jul 2012 08:24:54 +0100 (BST)
From: David Alexandero <davidalexander440_at_private>
Subject: Re: In the UK, encryption implies potential guilt? (RISKS-26.92)

  [I received several complaints about the cited item in the previous issue.
  Actually, it was not submitted to RISKS, but when I saw it elsewhere, I
  thought it was worth including as a heads-up either for a bad policy, or a
  very bad / perhaps inaccurate / misguided piece of so-called journalism.
  The SUBJECT line was mine, including the question mark. PGN]

I have just read the item in the link about encryption law in the UK. Oh
dear. I'm sorry but this is scaremongering and sloppy journalism of the very
worst sort.
The Regulation of Investigatory Powers Act 2000 (RIPA) has been in effect
for over 10 years, and to my knowledge there hasn't been a single instance
in which a miscarriage of justice of this sort has occurred. Contrary to
popular belief the Criminal Justice Organizations in the UK do have access
to expert and competent advisors in this field. We have a National Technical
Authority that does know about these matters and isn't afraid to consult
external experts if appropriate.

I can tell you that, before this law came into effect, there was a case of a
suspected paedophile who had his data seized, under correct forensic
procedures, and the CJOs couldn't break the encryption used to protect it.
The person in question refused to divulge the key and had to be released.

There is no doubt that RIPA has contributed materially to the safety of the
citizen and state in the UK from terrorist and organized criminal activity.
As far as I am concerned there is a wholly justifiable case to be made for
this legislation and no sane, responsible individual can possibly argue
otherwise.

The phrase "You can have security or privacy. Pick one." is very emotive and
requires qualification about the people who have control and oversight, but
it's a good debating point. My choice is "Security, with as much privacy as
possible."

Let's keep this in proportion: more than 99.999% of the population will
never have their data examined by the UK authorities. I can't vouch for
other nation states, and can understand why Americans are so touchy when
abuses of power of this nature (e.g. the FDA spying item in Volume 26 issue
92 of the Risks List) are identified on a regular basis, but please judge us
in the UK by your standards.

In the interest of fairness and objectivity, I should say that other areas
of the RIPA do appear to have been abused by local authorities in the UK.
Some surveillance powers appear to have been used for purposes other than
those for which they were originally intended.
Debate is going on about how to fix that right now.

------------------------------

Date: Wed, 18 Jul 2012 14:51:34 +1200
From: Gregor Ronald <gregor.ronald_at_private>
Subject: Re: Major Snafu in New Zealand Election was 'Human Error' (R-26.92)

A minor clarification: this election wasn't for any national or regional
political unit. It was an election for members of a community-owned trust
which in turn owns half of the local power utility. TECT is the Tauranga
Energy Consumer Trust, which is a part owner of energy utility TrustPower.

It's still an unforgivable, and easily prevented, snafu, all the same - but
our NZ government is not at stake here, just the board of a local power
company.

Gregor Ronald, Christchurch, New Zealand  http://gregorronald.blogspot.com/

------------------------------

Date: Tue, 17 Jul 2012 16:19:42 -0500
From: Dimitri Maziuk <dmaziuk_at_private>
Subject: Re: Taxing old browsers out of existence (Baker, RISKS-26.92)

On the gripping hand, many of the webpages I consider actually useful will
still work in lynx or mosaic. Whereas a search for "software updates" in
RISKS yields "zombieware", "distributes malware", and "a menace and a
problem", to pick a few.

Thank you Microsoft for Windows 7, specifically for intercepting all 3rd
party auto-updaters and letting me click "No" whenever firefox wants to wrap
itself in yet another layer of bloat. I hope they'll add a "remember my
answer and do this automagically from now on" check box in Windows 8; then I
will upgrade my PC to stop it from automatically upgrading (at least some
parts of) itself.

Dimitri Maziuk, Programmer/sysadmin, BioMagResBank, UW-Madison
http://www.bmrb.wisc.edu

------------------------------

Date: Tue, 17 Jul 2012 14:22:48 -0700
From: Henry Baker <hbaker1_at_private>
Subject: Re: Taxing old browsers out of existence (Kamens, RISKS-26.90)

Normally, I might agree with Jonathan, but this isn't just a browser issue.
He is blithely assuming that newer browsers are better browsers, and that
all progress is "forward" progress. I've noticed that with every browser
"update", the browser gets noticeably slower & bigger, and noticeably more
vulnerable to unpleasant hacking: there's usually a flurry of 5-10 fixes for
each new update to fix all the new security flaws that the "update"
introduced. Many of the browser "updates" also appear to enhance the ability
of websites to spy on their visitors with new capabilities.

Also, the browsers on many older machines are no longer updated -- e.g.,
older Macs, phones, etc., so this is effectively a disenfranchisement of
those with older machines.

I've been forced to use "NoScript" to run with Javascript _normally
disabled_, and only selectively enable Javascript on the smallest subset of
sites that enables minimal functionality. In particular, Google's Javascript
cleverness is so annoying that I have had to block Javascript on all of
Google's sites.

All of Adobe's & Symantec's bloatware have been removed from my machines, as
95% of their code does nothing for me but open up huge security holes.

I have to manually disable "automatic updates" (aka "automatic virus
installers") on each and every program; among other things, these "updates"
appear to be for the sole purpose of turning their stupid & often dangerous
default settings back on (e.g., Apple iTunes).

I have to disable the camera & microphone at the operating system level to
deter some spyware; I suppose on the next generation of Windows, I'll have
to physically destroy the camera & microphone with my power drill before
starting to use the machine.

Virtually every "improvement" has its downside: look at the swath of damage
caused by the "autorun" feature of Windows that begs for the opportunity to
install a new virus every time you plug something into your machine.
------------------------------

Date: Tue, 17 Jul 2012 17:55:17 -0400 (EDT)
From: Jonathan Kamens <jik_at_private>
Subject: Re: Taxing old browsers out of existence (Baker, RISKS-26.90)

Henry,

You cannot defeat the inexorable tide of progress in computer hardware and
software. You may not view it as progress, but in that view you are in a
small minority, and that is not likely to change.

The vast majority of users who are using very old browsers are not doing so
because of carefully considered concerns about security. They are doing so
because they haven't bothered to update for whatever reason. Because they
have not taken the precautions you have taken to make their old browsers
secure, they are vulnerable. There are a lot more of them than there are of
people like you. Therefore, in terms of measuring the greatest good for the
greatest number of people, forcing people to upgrade their browsers is
clearly a net positive.

As for your point about "disenfranchising" users of old computers, I don't
hear anybody complaining that it's unfair that you can't get any decent
software for the Apple ][+ nowadays. Hardware becomes obsolete, and as the
pace of advances in hardware has increased, the pace of its obsolescence has
as well.

As I started with, you can't fight progress and expect to win.

------------------------------

Date: Tue, 17 Jul 2012 20:03:40 -0400
From: "Arthur T." <Risk201207.risk.atsjbt_at_private>
Subject: Re: Taxing old browsers out of existence (RISKS-26.90)

From an economic point of view, the evolution and roll-out of new browsers
is a bane on the existence of web developers. It costs companies real money
in terms of rewriting perfectly good code to take advantage of the latest
bells and whistles that *someone* in the company thinks the web site should
have or support. The old site will support the new browsers fine with no
changes.
From a progress point of view, the resources spent taking advantage of new
features for no other reason than that those features exist raises the
question, "Is this progress, or is this just change?" All of the new
browsers support everything the old browsers do. If you want to save money,
add content, not bling. The economic problem is not supporting old browsers,
but trying to take advantage of every new feature of every new browser that
comes along.

I use an old browser. I know all of the keyboard shortcuts. I know what
click does, what shift-click does, what shift-ctrl-click does, etc. I'd be
wasting a lot of my own time constantly learning how to use new browsers,
and, more importantly, trying to forget years worth of old habits.

You are free to write your site in a way that requires new browsers. I am
free to go elsewhere. If you have a site, you probably want people to use
it. Why drive people to your competitors?

------------------------------

Date: Wed, 18 Jul 2012 09:41:17 -0400
From: Dick Mills <dickandlibbymills_at_private>
Subject: Re: Privacy trumps cybersecurity! (RISKS-26.92)

The cited article misses the point. To many American people, privacy is not
the main issue. Rather they perceive our own government and big business as
the primary risks. In the name of cybersecurity, the fox is asking for the
keys to the hen house. It sounds less controversial to say that we are
concerned about privacy, than to say that government is the problem, not the
solution.

------------------------------

Date: Thu, 19 Jul 2012 09:54:41 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Apple wins patent for transparent scroll bar"

This is patentable?
Mark Hattersley, Apple wins patent for transparent scroll bar: Apple has
secured a patent to a major interface design motif in the ongoing patent
wars, *IT Business*, 18 Jul 2012
http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=68298

------------------------------

Date: Wed, 18 Jul 2012 19:52:12 +0100
From: Dr J R Stockton <reply1229_at_private>
Subject: Re: Announcement of civil timekeeping meeting (Seaman, RISKS-26.92)

The ordinary people, who are the democratic majority, want local civil time
- LCT - to be 24 hours of 60 minutes of 60 seconds per mean solar day. They
can tolerate seasonal clock changes, and time zone changes when traveling.
They can have no rational objection to the occasional sub-ppm-scale change
in the length of a civil second.

Scientists - physicists and astronomers in particular - need a numbered
scale of exact SI seconds, without separation into minutes, hours, days,
etc.

The answer, then, is to disseminate, in principle from BIPM/BIH, both the SI
seconds scale and, every few months, the duration to be used, in integer SI
nanoseconds, for the civil second. That announced figure will be used for an
integer number of GMT months, changing at GMT month turnover. Let us say at
the beginning of each quarter- or half- GMT year. Effectively, leap seconds
are issued in tiny pieces, once per civil second.

Engineers of all sorts can use one or the other of those scales, or if
essential generate whatever variety their profession needs - they are clever
enough to do it. The electronics needed to lock GMT to SI in that fashion
should be within the capability of any National time lab, any major
observatory, any GMT disseminator - and could be provided commercially.
Those who disseminate LCT would include time zone and summer time
contributions for the locality.

http://www.merlyn.demon.co.uk/  http://www.merlyn.demon.co.uk/programs/
Dates - miscdate.htm estrdate.htm js-dates.htm pas-time.htm critdate.htm etc.
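
  [Editorial example of the scheme proposed in the post above; it is added
  here and is not from the digest or from Dr Stockton. The civil second's
  length is announced as an integer number of SI nanoseconds and held for a
  whole quarter, so a leap second's worth of difference between the SI scale
  and mean-solar-day civil time is absorbed one tiny slice per civil second.
  The Announcement type, the 91-day quarter, the epoch-based second counts,
  and the "one second owed" scenario are all constructed for the example.]

```python
from dataclasses import dataclass
from typing import List, Tuple

NS_PER_SI_SECOND = 1_000_000_000
SECONDS_PER_DAY = 86_400
QUARTER = 91 * SECONDS_PER_DAY   # constructed: a 91-day quarter, 7,862,400 civil seconds


@dataclass(frozen=True)
class Announcement:
    """One bulletin of the kind the post proposes: from civil-second number
    `start` (counted from a common epoch), every civil second lasts
    `ns_per_civil_second` SI nanoseconds, an integer."""
    start: int
    ns_per_civil_second: int


def plan_announcement(start: int, period_seconds: int,
                      owed_ns: int) -> Tuple[Announcement, int]:
    """Choose the integer civil-second length for one period so the period
    absorbs as much as it can of `owed_ns`: the SI nanoseconds by which civil
    time must fall behind the SI scale (positive, the job a positive leap
    second does in one jump) or get ahead of it (negative). Whatever an
    integer per-second slice cannot absorb is returned as the residual and
    rolls into the next period's planning."""
    sign = 1 if owed_ns >= 0 else -1
    slice_ns = sign * (abs(owed_ns) // period_seconds)   # truncate toward zero
    announcement = Announcement(start, NS_PER_SI_SECOND + slice_ns)
    residual = owed_ns - slice_ns * period_seconds
    return announcement, residual


def build_schedule(owed_ns: int, periods: int) -> Tuple[List[Announcement], int]:
    """Plan `periods` consecutive quarters starting at the epoch."""
    schedule: List[Announcement] = []
    residual, start = owed_ns, 0
    for _ in range(periods):
        announcement, residual = plan_announcement(start, QUARTER, residual)
        schedule.append(announcement)
        start += QUARTER
    return schedule, residual


def civil_to_si_ns(civil_second: int, schedule: List[Announcement]) -> int:
    """SI nanoseconds since the epoch at the start of civil second number
    `civil_second`: over each announced period, (civil seconds elapsed in
    the period) x (that period's announced civil-second length)."""
    total = 0
    for announcement, following in zip(schedule, schedule[1:] + [None]):
        end = civil_second if following is None else min(civil_second, following.start)
        if end <= announcement.start:
            break
        total += (end - announcement.start) * announcement.ns_per_civil_second
    return total


def si_to_civil(si_ns: int, schedule: List[Announcement]) -> Tuple[int, int]:
    """Inverse mapping: the civil second in progress at SI time `si_ns`, and
    the SI nanoseconds elapsed within it."""
    consumed = 0
    for announcement, following in zip(schedule, schedule[1:] + [None]):
        span = None if following is None else following.start - announcement.start
        whole, within = divmod(si_ns - consumed, announcement.ns_per_civil_second)
        if span is None or whole < span:
            return announcement.start + whole, within
        consumed += span * announcement.ns_per_civil_second
    raise ValueError("SI time lies beyond the announced schedule")


def leap_second_in_slices() -> dict:
    """Constructed scenario: civil time must lose one whole second against SI,
    which a conventional positive leap second would do in a single jump."""
    schedule, residual = build_schedule(NS_PER_SI_SECOND, 2)
    absorbed_in_q1 = civil_to_si_ns(QUARTER, schedule) - QUARTER * NS_PER_SI_SECOND
    return {
        # 1_000_000_127: each civil second is 127 ns (0.127 ppm) longer than an SI second
        "q1_civil_second_ns": schedule[0].ns_per_civil_second,
        # 998_524_800 of the 1_000_000_000 ns owed are gone by the end of the quarter
        "absorbed_in_q1_ns": absorbed_in_q1,
        # 1_475_200 ns remain: less than one slice per second, so they carry forward
        "residual_ns": residual,
    }
```

  Both conversions are exact integer arithmetic over the published schedule,
  which is what makes the scheme cheap for a disseminator to implement. The
  integer-nanosecond constraint is what leaves a residual: anything smaller
  than one nanosecond per civil second cannot be absorbed in a single
  quarter and simply merges into the amount owed at the next bulletin.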
------------------------------

Date: Wed, 18 Jul 2012 07:38:24 -0400
From: Monty Solomon <monty_at_private>
Subject: Tests

Excerpted from Teaching After The Test: An argument for a national school
schedule
http://scienceblogs.com/gregladen/2012/05/16/teaching-after-the-test-an-arg/

  From another teacher at a different school I heard a horror story about a
  bunch of students who, part way through the two day long state test,
  pressed the wrong button and are now locked out of finishing the rest of
  it having only done half. (One of those "Are you done, click continue to
  end test OK to continue test?: OK, Continue, Cancel" dialogs where "OK"
  means you are done and "Continue" you are -- no wait, I have that
  backwards.)

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken. Subscription and
 unsubscription requests require that you reply to a confirmation message
 sent to the subscribing mail address. Instructions are included in the
 confirmation message. Each issue of RISKS that you receive contains
 information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.93
************************