RISKS-LIST: Risks-Forum Digest  Tuesday 24 July 2012  Volume 26 : Issue 94

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.94.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Who Really Invented the Internet? (PGN)
Denials of Service spam attacks commercially available (PGN)
"How to avoid an Elections-Ontario-style data-breach fiasco" (Christine Wong via Gene Wirchenko)
Re: Washington State wants to register voters via Facebook (JC Cantrell)
The car in the future is connected - I hope not.. (Peter Houppermans)
Navy radio might be crippling Connecticut garage doors (Russ Furze)
Searching for Clues to Calamity (Fred Guterl via Monty Solomon)
Olympics security poster 'gibberish' to Arabic speakers (Chris J Brady)
Google ordered to censor 'torrent', 'megaupload' and more words (Lauren Weinstein)
Patient information may have been breached after laptop stolen at Beth Israel Deaconess (Kay Lazar via Monty Solomon)
Apple removes security app from the App Store (Mark Thorson)
"Mobile and Web security will be major topics at Black Hat" (Lucian Constantin via Gene Wirchenko)
Oops! Vivus awaits weight-loss drug approval, even as story breaks (Ron Leuty via Monty Solomon, PGN)
Re: In the UK, encryption implies potential guilt? (Jonathan Thornburg, Chris Drewe)
Re: Accidents due to confusion of units of measurement (Mark Brader)
Re: Apple wins patent for transparent scroll bar (Richard O'Keefe)
Re: You can have security or privacy. Pick one (Anthony Thorn)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 23 Jul 2012 11:47:28 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Who Really Invented the Internet?

In a really egregious piece of so-called journalism relating to the Internet, L. Gordon Crovitz has written an item in the *Wall Street Journal*, 23 Jul 2012, with the above Subject line:

  It's an urban legend that the government launched the Internet. The myth is that the Pentagon created the Internet to keep its communications lines up even in a nuclear strike. The truth is a more interesting story about how innovation happens -- and about how hard it is to build successful technology companies even once the government gets out of the way.
  http://online.wsj.com/article/SB10000872396390444464304577539063008406518.html?mod=WSJ_article_comments#articleTabs%article

Crovitz's thesis seems to imply that U.S. Government funding did not have a major role in the development of network technology, with a perhaps not-so-hidden agenda that government funding is an undesirable interference in private enterprise? His article has led to a huge flurry of corrective items on the Web, pointing out numerous misstatements.

To make a long story short, Crovitz seems to confuse The Internet with internetting and networking, confuse internetting with the ethernet, and somehow miss the fact that Vint Cerf and Bob Kahn were first funded by and then worked for ARPA! Hawaii's AlohaNet (Frank Kuo and Norm Abramson) preceded ethernet, also government funded. SRI's packet-switched radio experiment is generally credited as being the first real "internetworking" demonstration, linking 3 different networks (also government funded), and recently celebrated at the Computer History Museum. Without those impeti or impetuses, might we still have only circuit switching and even analog telephony? (By the way, ARPA also contributed considerably to the pioneering Multics development.)
Joseph Lorenzo Hall noted in Dave Farber's IP distribution that *ArsTechnica's* Timothy Berners Lee penned a superb rejoinder:
  WSJ mangles history to argue government didn't launch the Internet
  http://arstechnica.com/tech-policy/2012/07/wsj-mangles-history-to-argue-government-didnt-launch-the-internet/

Also, see the *Scientific American*: Yes, Government Researchers Really Did Invent the Internet:
  But perhaps the most damning rebuttal comes from Michael Hiltzik, the author of "Dealers of Lightning," a history of Xerox PARC that Crovitz uses as his main source for material. "While I'm gratified in a sense that he cites my book," writes Hiltzik, "it's my duty to point out that he's wrong. My book bolsters, not contradicts, the argument that the Internet had its roots in the ARPANet, a government project."
  http://j.mp/NQtACW (Scientific American)

Lauren Weinstein commented in his Network Neutrality Squad, Privacy Forum, and People for Internet Responsibility, ``This Wall Street Journal "opinion piece" really mucked up big time. And the sense of some associated political motivation is difficult to ignore. The fact is, without ARPA/IPTO, there would not be an Internet as we know it today. Period. Other networks would have very likely developed of course, probably along the lines of various pay-per-packet, walled garden modalities that the dominant ISPs seem hell-bent at deploying today -- but not the end-to-end ARPANET/Internet model that has been so very crucial to the spread and wide availability of these technologies.''

------------------------------

Date: Fri, 20 Jul 2012 9:37:10 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Denials of Service spam attacks commercially available

Security expert Brian Krebs was the target of a malicious e-mail flood. Such attacks are widespread, and can be used to mask all sorts of computer crimes. Various plans are offered beginning at $25 for 25,000 e-mails.
[Cory Doctorow, Commercial Spamflooding used by crooks to tie up their victims at key moments, BoingBoing, 19 Jul 2012; PGN-ed]
http://boingboing.net/2012/07/19/commercial-spamflooding-used-b.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29

  [Proponents of voting over the Internet from hardwired or wireless devices tend to ignore such vulnerabilities, along with many others. PGN]

------------------------------

Date: Fri, 20 Jul 2012 10:35:18 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "How to avoid an Elections-Ontario-style data-breach fiasco" (Christine Wong)

Christine Wong, Think it's too expensive and time consuming to embed 'privacy by design' into your SMB? A security expert and an SMB who've done it tell us how it can be accomplished. *IT Business*, 19 Jul 2012
http://www.itbusiness.ca/it/client/en/home/News.asp?id=68311

------------------------------

Date: Mon, 23 Jul 2012 08:25:02 -0700 (PDT)
From: JC Cantrell <jccant_at_private>
Subject: Re: Washington State wants to register voters via Facebook (R-26.93)

> [An obvious next step might be legislation requiring would-be voters to
> cast their votes on Facebook or other social networking media. That would
> clearly solve all our concerns for security, integrity, equal access, and
> privacy? PGN]

Not only that, but this might help solve the chronic problem here in the USA of getting the registered voters to actually vote! We might even get over 100% of the population to vote. Reminds me of my time living in Chicago ...

------------------------------

Date: Mon, 23 Jul 2012 12:33:31 +0200
From: Peter Houppermans <peter_at_private>
Subject: The car in the future is connected - I hope not..

Oh, they soooo much want this.. A BBC article refers to a bright and wonderful future where cars communicate and thus save fuel and are safer.
(http://www.bbc.com/future/story/20120719-road-opens-for-connected-cars/1)

Security in this context warrants one paragraph, but the article concludes that the rise of the Apps on mobiles should be an indication that an absence of security is not likely to be a hindrance to adoption. Thus, they gloss over a tiny, yet important detail: a breach in this kind of information exchange can get you killed. That's why cars have to be type-certified before they are allowed on the road.

The astute reader will also observe a full and complete absence of any reference to the privacy implications of such an enthusiastic data exchange. The simplest example is "If <all registered inhabitants> are not <at location> then ransack <location>"..

As I have said before in this context, not so fast..

------------------------------

Date: Tue, 24 Jul 2012 11:32:58 -0700
From: Russ Furze <rfurze_at_private>
Subject: Navy radio might be crippling Connecticut garage doors

  [The subject line says it all. Apparently, signals from the Groton submarine base are blocking garage door openers in southeastern Connecticut -- on the same frequency. For more recent RISKS readers, this is a new manifestation of an old story. Previous cases noted here include garage doors opening and closing as Sputnik transited overhead, and President Reagan's Air Force One interfering as well. PGN]

http://news.yahoo.com/navy-radio-might-crippling-conn-garage-doors-183220009.html?_esi=1

Russ Furze, CISSP, Senior Vice President, Chief Information Officer
Frontier Bank FSB, dba El Paseo Bank  760.834.3116

------------------------------

Date: Sat, 21 Jul 2012 15:26:07 -0400
From: Monty Solomon <monty_at_private>
Subject: Searching for Clues to Calamity (Fred Guterl)

Fred Guterl, *The New York Times*, 20 Jul 2012

So far 2012 is on pace to be the hottest year on record. But does this mean that we've reached a threshold - a tipping point that signals a climate disaster?
For those warning of global warming, it would be tempting to say so. The problem is, no one knows if there is a point at which a climate system shifts abruptly. But some scientists are now bringing mathematical rigor to the tipping-point argument. Their findings give us fresh cause to worry that sudden changes are in our future.

One of them is Marten Scheffer, a biologist at Wageningen University in the Netherlands, who grew up swimming in clear lowland ponds. In the 1980s, many of these ponds turned turbid. The plants would die, algae would cover the surface, and only bottom-feeding fish remained. The cause - fertilizer runoff from nearby farms - was well known, but even after you stopped the runoff, replanted the lilies and restocked the trout, the ponds would stay dark and scummy.

Mr. Scheffer solved this problem with a key insight: the ponds behaved according to a branch of mathematics called "dynamical systems," which deals with sudden changes. Once you reach a tipping point, it's very difficult to return things to how they used to be. It's easy to roll a boulder off a cliff, for instance, but much harder to roll it back. Once the ponds turned turbid, it wasn't enough to just replant and restock. You had to get them back to their original, clear state. ...

http://www.nytimes.com/2012/07/21/opinion/the-climate-change-tipping-point.html

------------------------------

Date: Fri, 20 Jul 2012 02:20:31 -0700 (PDT)
From: Chris J Brady <chrisjbrady_at_private>
Subject: Olympics security poster 'gibberish' to Arabic speakers

A UK train company has been criticised for producing an Olympics 2012 security poster which reads as "gibberish" in Arabic. First Capital Connect sent posters to 13 stations printed in English and seven other languages. But the Council for Arab-British Understanding called the Arabic lettering "ridiculous" and unreadable since the characters are not joined up and are back to front.
http://www.bbc.co.uk/news/uk-england-london-18911599

The posters, which are supposed to warn people not to leave items unattended, have been displayed in stations including Blackfriars, King's Cross, City Thameslink, Farringdon, St Pancras International, Luton and Stevenage.

The lame excuse was "... our supplier substituted one font for another so that the wrong alphabet was used for the Arabic message, rendering it meaningless."

The risk? Perhaps proof-reading by a native speaker would have been an idea.

------------------------------

Date: Thu, 19 Jul 2012 17:50:30 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Google ordered to censor 'torrent', 'megaupload' and more words

"The French Supreme Court has ruled that Google should censor the words 'torrent', 'rapidshare' and 'megaupload' from its Instant and Autocomplete search services."
http://j.mp/OKRA66 (*The Register*, via NNSquad)

Here's another word: Ridiculous.

------------------------------

Date: Mon, 23 Jul 2012 10:59:53 -0400
From: Monty Solomon <monty_at_private>
Subject: Patient information may have been breached after laptop stolen at Beth Israel Deaconess (Kay Lazar)

Kay Lazar, *The Boston Globe*, 20 Jul 2012

Approximately 3,900 Beth Israel Deaconess Medical Center patients will be getting letters alerting them that some of their personal health information may have been breached after a physician's personal laptop computer was stolen from a hospital office. The theft occurred on 22 May 2012, and the stolen laptop, which contained a tracking device, has not been recovered. Police were notified and a suspect has been arrested in the case, the officials said. The hospital hired a national forensic firm to investigate if data were compromised, and it has found no indication that any information has been misused, according to the hospital. ...
http://www.boston.com/whitecoatnotes/2012/07/20/patient-information-may-have-been-breached-after-laptop-stolen-beth-israel-deaconess/tgOtdeQBL2QP9JgzsjVn4J/story.html

------------------------------

Date: Sun, 22 Jul 2012 19:56:48 -0700
From: Mark Thorson <eee_at_private>
Subject: Apple removes security app from the App Store

After two months of availability, Apple has removed a third-party iPhone app from the App Store that informs users about the data being collected by other apps.
http://www.securityweek.com/apple-yanks-privacy-app-app-store

Interesting statistics collected by the app are:
* 42.5 percent of apps do not encrypt users' personal data, even when accessed via public Wi-Fi.
* 41.4 percent of apps were shown to track a user's location unbeknownst to them.

Almost one in five of the apps analyzed can access a user's entire Address Book, with some even sending user information to the cloud without notification.

------------------------------

Date: Mon, 23 Jul 2012 09:28:19 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Mobile and Web security will be major topics at Black Hat" (Lucian Constantin)

The article names some of the risks that will be presented.

Lucian Constantin, *IT Business*, 20 Jul 2012
Mobile and Web security will be major topics at Black Hat
Security researchers will disclose new vulnerabilities affecting mobile and Web technologies at security conference
http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=68327

------------------------------

Date: Fri, 20 Jul 2012 11:10:32 -0400
From: Monty Solomon <monty_at_private>
Subject: Oops! Vivus awaits weight-loss drug approval, even as story breaks (Ron Leuty)

Ron Leuty, An OK by any other name: Oops! Vivus awaits weight-loss drug approval, even as story breaks; *San Francisco Business Times*, 17 Jul 2012

Nothing stands in the way of a good FDA drug approval story -- except, of course, when the drug isn't yet approved.
*USA Today* ran a story online Tuesday about Mountain View-based Vivus Inc. winning approval of its weight-loss drug, Qnexa. The story had new details about the drug -- like a new name (Qsymia) and when the drug would be available to consumers (later this year) -- as well as quotes attributed to President Peter Tam and a photo of Qsymia pills and bottles.

Great news, right? After all, the FDA was expected to rule on the drug Tuesday.

Except the FDA has not -- at least, not yet -- approved Vivus' drug.

http://www.bizjournals.com/sanfrancisco/blog/biotech/2012/07/vivus-arena-qnexa-belviq-weight-loss-fda.html

------------------------------

Date: Sat, 21 Jul 2012 20:56:28 PDT
From: Peter G Neumann <risko_at_private>
Subject: Re: Vivus awaits weight-loss drug approval, even as story breaks

My favorite instance of this problem was back in the Multics days, when we (Bell Labs) had issued a contract to Digitek to produce the first PL/I compiler, for the Multics development. The contract specified delivery in *six* months. (Digitek was a very experienced developer of Fortran compilers.) During the sixth month, a full-page ad appeared in Datamation: "Here and Now: The world's first PL/I compiler." The only problem was that Digitek defaulted on the contract that month. Doug McIlroy and Bob Morris rushed to the fore, and produced the EPL compiler for a subset of the language just powerful enough for the Multics development, and whipped it together in a few months. That may well have been one of the inspirations for GCC.

------------------------------

Date: Thu, 19 Jul 2012 22:04:28 -0400 (EDT)
From: Jonathan Thornburg <jthorn_at_private>
Subject: Re: In the UK, encryption implies potential guilt? (RISKS-26.92,93)

While the Regulation of Investigatory Powers Act 2000 (RIPA) was passed over a decade ago, the present discussion concerns Part 3, which only came into effect on 1 October 2007.
Some of the first actual prosecutions for refusing to supply decryption keys were:

http://www.theregister.co.uk/2007/11/14/ripa_encryption_key_notice/
*Animal rights activist hit with RIPA key decrypt demand*
UK terror law change kicks in

http://www.theregister.co.uk/2009/11/24/ripa_jfl/
*UK jails schizophrenic for refusal to decrypt files*
Terror squad arrest over model rocket

The latter story opens: "The first person jailed under draconian UK police powers that Ministers said were vital to battle terrorism and serious crime has been identified by The Register as a schizophrenic science hobbyist with no previous criminal record. His crime was a persistent refusal to give counter-terrorism police the keys to decrypt his computer file."

------------------------------

Date: Mon, 23 Jul 2012 21:12:59 +0100
From: "Chris Drewe" <e767pmk_at_private>
Subject: Re: "In the UK, encryption implies potential guilt?" (RISKS-26.91)

Well... the garden-variety laptop computer that I'm typing this on (running Windows 7) has over a million files on it, according to the anti-virus scan log, and I have no idea what most of them are. I've never knowingly stored any files that may get me into trouble, but neither can I tell what gets loaded with updates (see other thread on browsers), and I bought the laptop at a reduced price as 'ex-demonstration' as it had been used in the store before purchase (with the network name TECHSUPPORT already set up!). So if by some chance I do "have my data examined by the UK authorities" and they do find something questionable, where does that leave me? (And if I didn't have a computer or use the Internet, is that evidence of having something to hide?!?)

As the poster says, it's worth a debate, but personally I feel that people are becoming more likely to have their lives trashed by a heavy-handed criminal investigation than be blown up by terrorists.
------------------------------

Date: Thu, 19 Jul 2012 18:47:25 -0400 (EDT)
From: msb_at_private (Mark Brader)
Subject: Re: Accidents due to confusion of units of measurement (RISKS-26.93)

> ... resulting in the aircraft receiving 22,300 pounds of fuel instead of
> the required 22,300 kg.

PGN forgot to add "See RISKS 10.12, 11.16, 17.32, 20.30, 24.13, and especially 10.13".

  [Yup, Mark gets to remind me every time I forget. Thanks! PGN]

------------------------------

Date: Mon, 23 Jul 2012 12:49:21 +1200
From: "Richard O'Keefe" <ok_at_private>
Subject: Re: Apple wins patent for transparent scroll bar (Wirchenko, RISKS-26.93)

Gene Wirchenko noted an Apple patent for a transparent scroll bar. The article he linked to starts "Apple on Tuesday was awarded the patent for a transparent-style of scroll bar that disappears when the window is not being used."

I think it was Dan Ingalls who wrote "From the earliest days, Smalltalk used flop-out scroll-bars to economize on screen real estate." So half of the invention was in use before the first Macintosh was built. And Apple certainly knew about Smalltalk.

Pretty much since the Morphic GUI library was developed it has been possible to set the colours of the various components that make up a scroll bar in Squeak Smalltalk; that includes TranslucentColor-s. And Apple certainly knew about Squeak and Morphic. I presume other GUI toolkits let you do the same.

What then _is_ the invention?

------------------------------

Date: Fri, 20 Jul 2012 07:48:52 +0200
From: Anthony Thorn <anthony.thorn_at_private>
Subject: Re: You can have security or privacy. Pick one (RISKS-26.93)

I would like to slightly modify Mr Alexanderro's choice: "Security, with as much privacy as possible." as follows:

"Where our privacy (and other liberties) are exposed to official bodies, effective controls (measures) against misuse must be implemented."

Of course the problem of defining "effective" and implicitly also "practicable" and "affordable" remains.
However this is now a classic risk management problem. It is still a difficult problem, but hopefully more amenable to discussion and even agreement!

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request_at_private
containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
   is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.94
************************