[RISKS] Risks Digest 26.94

From: RISKS List Owner <risko_at_private>
Date: Tue, 24 Jul 2012 16:53:05 PDT
RISKS-LIST: Risks-Forum Digest  Tuesday 24 July 2012  Volume 26 : Issue 94

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.94.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Who Really Invented the Internet? (PGN)
Denials of Service spam attacks commercially available (PGN)
"How to avoid an Elections-Ontario-style data-breach fiasco" (Christine Wong
  via Gene Wirchenko)
Re: Washington State wants to register voters via Facebook (JC Cantrell)
The car in the future is connected - I hope not.. (Peter Houppermans)
Navy radio might be crippling Connecticut garage doors (Russ Furze)
Searching for Clues to Calamity (Fred Guterl via Monty Solomon)
Olympics security poster 'gibberish' to Arabic speakers (Chris J Brady)
Google ordered to censor 'torrent', 'megaupload' and more words
  (Lauren Weinstein)
Patient information may have been breached after laptop stolen at
  Beth Israel Deaconess (Kay Lazar via Monty Solomon)
Apple removes security app from the App Store (Mark Thorson)
"Mobile and Web security will be major topics at Black Hat"
  (Lucian Constantin via Gene Wirchenko)
Oops! Vivus awaits weight-loss drug approval, even as story breaks
  (Ron Leuty via Monty Solomon, PGN)
Re: In the UK, encryption implies potential guilt? (Jonathan Thornburg,
  Chris Drewe)
Re: Accidents due to confusion of units of measurement (Mark Brader)
Re: Apple wins patent for transparent scroll bar (Richard O'Keefe)
Re: You can have security or privacy. Pick one (Anthony Thorn)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 23 Jul 2012 11:47:28 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Who Really Invented the Internet?

In a really egregious piece of so-called journalism relating to the
Internet, L. Gordon Crovitz has written an item in the *Wall Street Journal*,
23 Jul 2012, with the above Subject line:

  It's an urban legend that the government launched the Internet. The myth
  is that the Pentagon created the Internet to keep its communications lines
  up even in a nuclear strike. The truth is a more interesting story about
  how innovation happens -- and about how hard it is to build successful
  technology companies even once the government gets out of the way.

http://online.wsj.com/article/SB10000872396390444464304577539063008406518.html?mod=WSJ_article_comments#articleTabs%article

Crovitz's thesis seems to imply that U.S. Government funding did not have a
major role in developing network technology, with a perhaps not-so-hidden
agenda that government funding is an undesirable interference in private
enterprise?

His article has led to a huge flurry of corrective items on the Web,
pointing out numerous misstatements.  To make a long story short, Crovitz
seems to confuse The Internet with internetting and networking, confuse
internetting with the ethernet, and somehow miss the fact that Vint Cerf and
Bob Kahn were first funded by and then worked for ARPA!  Hawaii's AlohaNet
(Frank Kuo and Norm Abramson) preceded ethernet, also government funded.
SRI's packet-switched radio experiment is generally credited as being the
first real "internetworking" demonstration, linking 3 different networks
(also government funded), and recently celebrated at the Computer History
Museum.  Without those impeti or impetuses, might we still have only circuit
switching and even analog telephony?  (By the way, ARPA also contributed
considerably to the pioneering Multics development.)

Joseph Lorenzo Hall noted in Dave Farber's IP distribution that
*ArsTechnica's* Timothy Berners Lee penned a superb rejoinder:
WSJ mangles history to argue government didn't launch the Internet
http://arstechnica.com/tech-policy/2012/07/wsj-mangles-history-to-argue-government-didnt-launch-the-internet/

Also, see the *Scientific American*: Yes, Government Researchers Really Did
Invent the Internet:

  But perhaps the most damning rebuttal comes from Michael Hiltzik, the
  author of "Dealers of Lightning," a history of Xerox PARC that Crovitz
  uses as his main source for material. "While I'm gratified in a sense that
  he cites my book," writes Hiltzik, "it's my duty to point out that he's
  wrong. My book bolsters, not contradicts, the argument that the Internet
  had its roots in the ARPANet, a government project."
  http://j.mp/NQtACW  (Scientific American)

Lauren Weinstein commented in his Network Neutrality Squad, Privacy Forum,
and People for Internet Responsibility,

  ``This Wall Street Journal "opinion piece" really mucked up big time.  And
  the sense of some associated political motivation is difficult to ignore.
  The fact is, without ARPA/IPTO, there would not be an Internet as we know
  it today.  Period.  Other networks would have very likely developed of
  course, probably along the lines of various pay-per-packet, walled garden
  modalities that the dominant ISPs seem hell-bent at deploying today -- but
  not the end-to-end ARPANET/Internet model that has been so very crucial to
  the spread and wide availability of these technologies.''

------------------------------

Date: Fri, 20 Jul 2012 9:37:10 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Denials of Service spam attacks commercially available

Security expert Brian Krebs was the target of a malicious e-mail flood.
Such attacks are widespread, and can be used to mask all sorts of computer
crimes.  Various plans are offered beginning at $25 for 25,000 e-mails.

[Cory Doctorow, Commercial Spamflooding used by crooks to tie up their
victims at key moments, BoingBoing, 19 Jul 2012; PGN-ed]
http://boingboing.net/2012/07/19/commercial-spamflooding-used-b.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29

  [Proponents of voting over the Internet from hardwired or wireless devices
  tend to ignore such vulnerabilities, along with many others.  PGN]

------------------------------

Date: Fri, 20 Jul 2012 10:35:18 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "How to avoid an Elections-Ontario-style data-breach fiasco"
  (Christine Wong)

Christine Wong, Think it's too expensive and time consuming to embed
'privacy by design' into your SMB? A security expert and an SMB who've done
it tell us how it can be accomplished. *IT Business*, 19 Jul 2012
http://www.itbusiness.ca/it/client/en/home/News.asp?id=68311

------------------------------

Date: Mon, 23 Jul 2012 08:25:02 -0700 (PDT)
From: JC Cantrell <jccant_at_private>
Subject: Re: Washington State wants to register voters via Facebook (R-26.93)

> [An obvious next step might be legislation requiring would-be voters to
> cast their votes on Facebook or other social networking media.  That would
> clearly solve all our concerns for security, integrity, equal access, and
> privacy? PGN]

Not only that, but this might help solve the chronic problem here in the USA
of getting the registered voters to actually vote! We might even get over
100% of the population to vote. Reminds me of my time living in Chicago ...

------------------------------

Date: Mon, 23 Jul 2012 12:33:31 +0200
From: Peter Houppermans <peter_at_private>
Subject: The car in the future is connected - I hope not..

Oh, they soooo much want this..

A BBC article refers to a bright and wonderful future where cars communicate
and thus save fuel and are safer.
(http://www.bbc.com/future/story/20120719-road-opens-for-connected-cars/1)

Security in this context warrants one paragraph, but the article concludes
that the rise of the Apps on mobiles should be an indication that an absence
of security is not likely to be a hindrance to adoption.

Thus, they gloss over a tiny, yet important detail: a breach in this kind of
information exchange can get you killed. That's why cars have to be
type-certified before they are allowed on the road.

The astute reader will also observe a full and complete absence of any
reference to the privacy implications of such an enthusiastic data exchange.
The simplest example is "If <all registered inhabitants> are not <at
location> then ransack <location>"..

As I have said before in this context, not so fast..

------------------------------

Date: Tue, 24 Jul 2012 11:32:58 -0700
From: Russ Furze <rfurze_at_private>
Subject: Navy radio might be crippling Connecticut garage doors

  [The subject line says it all.  Apparently, signals from the Groton
  submarine base are blocking garage door openers in southeastern
  Connecticut -- on the same frequency.  For more recent RISKS readers, this
  is a new manifestation of an old story.  Previous cases noted here include
  garage doors opening and closing as Sputnik transited overhead, and
  President Reagan's Air Force One interfering as well.  PGN]

http://news.yahoo.com/navy-radio-might-crippling-conn-garage-doors-183220009.html?_esi=1

Russ Furze, CISSP, Senior Vice President, Chief Information Officer
Frontier Bank FSB, dba El Paseo Bank  760.834.3116

------------------------------

Date: Sat, 21 Jul 2012 15:26:07 -0400
From: Monty Solomon <monty_at_private>
Subject: Searching for Clues to Calamity (Fred Guterl)

Fred Guterl, *The New York Times*, 20 Jul 2012

So far 2012 is on pace to be the hottest year on record. But does this mean
that we've reached a threshold - a tipping point that signals a climate
disaster?

For those warning of global warming, it would be tempting to say so.  The
problem is, no one knows if there is a point at which a climate system
shifts abruptly. But some scientists are now bringing mathematical rigor to
the tipping-point argument. Their findings give us fresh cause to worry that
sudden changes are in our future.

One of them is Marten Scheffer, a biologist at Wageningen University in the
Netherlands, who grew up swimming in clear lowland ponds. In the 1980s, many
of these ponds turned turbid. The plants would die, algae would cover the
surface, and only bottom-feeding fish remained.  The cause - fertilizer
runoff from nearby farms - was well known, but even after you stopped the
runoff, replanted the lilies and restocked the trout, the ponds would stay
dark and scummy.

Mr. Scheffer solved this problem with a key insight: the ponds behaved
according to a branch of mathematics called "dynamical systems," which deals
with sudden changes. Once you reach a tipping point, it's very difficult to
return things to how they used to be.  It's easy to roll a boulder off a
cliff, for instance, but much harder to roll it back. Once the ponds turned
turbid, it wasn't enough to just replant and restock. You had to get them
back to their original, clear state. ...

http://www.nytimes.com/2012/07/21/opinion/the-climate-change-tipping-point.html

------------------------------

Date: Fri, 20 Jul 2012 02:20:31 -0700 (PDT)
From: Chris J Brady <chrisjbrady_at_private>
Subject: Olympics security poster 'gibberish' to Arabic speakers

A UK train company has been criticised for producing an Olympics 2012
security poster which reads as "gibberish" in Arabic.  First Capital Connect
sent posters to 13 stations printed in English and seven other languages.
But the Council for Arab-British Understanding called the Arabic lettering
"ridiculous" and unreadable since the characters are not joined up and are
back to front.  http://www.bbc.co.uk/news/uk-england-london-18911599

The posters, which are supposed to warn people not to leave items
unattended, have been displayed in stations including Blackfriars, King's
Cross, City Thameslink, Farringdon, St Pancras International, Luton and
Stevenage.  The lame excuse was "... our supplier substituted one font for
another so that the wrong alphabet was used for the Arabic message,
rendering it meaningless."  The risk? Perhaps proof-reading by a native
speaker would have been an idea.

------------------------------

Date: Thu, 19 Jul 2012 17:50:30 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Google ordered to censor 'torrent', 'megaupload' and more words

  "The French Supreme Court has ruled that Google should censor the words
  'torrent', 'rapidshare' and 'megaupload' from its Instant and Autocomplete
  search services."  http://j.mp/OKRA66 (*The Register*, via NNSquad)

Here's another word: Ridiculous.

------------------------------

Date: Mon, 23 Jul 2012 10:59:53 -0400
From: Monty Solomon <monty_at_private>
Subject: Patient information may have been breached after laptop stolen at
  Beth Israel Deaconess (Kay Lazar)

Kay Lazar, *The Boston Globe*, 20 Jul 2012

Approximately 3,900 Beth Israel Deaconess Medical Center patients will be
getting letters alerting them that some of their personal health information
may have been breached after a physician's personal laptop computer was
stolen from a hospital office.  The theft occurred on 22 May 2012, and the
stolen laptop, which contained a tracking device, has not been recovered.
Police were notified and a suspect has been arrested in the case, the
officials said.

The hospital hired a national forensic firm to investigate if data were
compromised, and it has found no indication that any information has been
misused, according to the hospital. ...

http://www.boston.com/whitecoatnotes/2012/07/20/patient-information-may-have-been-breached-after-laptop-stolen-beth-israel-deaconess/tgOtdeQBL2QP9JgzsjVn4J/story.html

------------------------------

Date: Sun, 22 Jul 2012 19:56:48 -0700
From: Mark Thorson <eee_at_private>
Subject: Apple removes security app from the App Store

After two months of availability, Apple has removed a third-party iPhone app
from the App Store that informs users about the data being collected by
other apps.
  http://www.securityweek.com/apple-yanks-privacy-app-app-store

Interesting statistics collected by the app are:

* 42.5 percent of apps do not encrypt users' personal data, even when
  accessed via public Wi-Fi.

* 41.4 percent of apps were shown to track a user's location unbeknownst to
  them.

Almost one in five of the apps analyzed can access a user's entire Address
Book, with some even sending user information to the cloud without
notification.

------------------------------

Date: Mon, 23 Jul 2012 09:28:19 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Mobile and Web security will be major topics at Black Hat"
  (Lucian Constantin)

The article names some of the risks that will be presented.

Lucian Constantin, *IT Business*, 20 Jul 2012
Mobile and Web security will be major topics at Black Hat
Security researchers will disclose new vulnerabilities affecting
mobile and Web technologies at security conference
http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=68327

------------------------------

Date: Fri, 20 Jul 2012 11:10:32 -0400
From: Monty Solomon <monty_at_private>
Subject: Oops! Vivus awaits weight-loss drug approval, even as story breaks
  (Ron Leuty)

Ron Leuty, An OK by any other name: Oops! Vivus awaits weight-loss drug
approval, even as story breaks; *San Francisco Business Times*, 17 Jul 2012

Nothing stands in the way of a good FDA drug approval story -- except, of
course, when the drug isn't yet approved.

*USA Today* ran a story online Tuesday about Mountain View-based Vivus
Inc. winning approval of its weight-loss drug, Qnexa.  The story had new
details about the drug -- like a new name (Qsymia) and when the drug would
be available to consumers (later this year) -- as well as quotes attributed
to President Peter Tam and a photo of Qsymia pills and bottles.

Great news, right? After all, the FDA was expected to rule on the drug
Tuesday. Except the FDA has not -- at least, not yet -- approved Vivus'
drug.

http://www.bizjournals.com/sanfrancisco/blog/biotech/2012/07/vivus-arena-qnexa-belviq-weight-loss-fda.html

------------------------------

Date: Sat, 21 Jul 2012 20:56:28 PDT
From: Peter G Neumann <risko_at_private>
Subject: Re: Vivus awaits weight-loss drug approval, even as story breaks

My favorite instance of this problem was back in the Multics days, when we
(Bell Labs) had issued a contract to Digitek to produce the first PL/I
compiler, for the Multics development.  The contract specified delivery in
*six* months.  (Digitek was a very experienced developer of Fortran
compilers.)

During the sixth month, a full-page ad appeared in Datamation: "Here and
Now: The world's first PL/I compiler."

The only problem was that Digitek defaulted on the contract that month.
Doug McIlroy and Bob Morris rushed to the fore, and produced the
EPL compiler for a subset of the language just powerful enough for the
Multics development, and whipped it together in a few months.  That may
well have been one of the inspirations for GCC.

------------------------------

Date: Thu, 19 Jul 2012 22:04:28 -0400 (EDT)
From: Jonathan Thornburg <jthorn_at_private>
Subject: Re: In the UK, encryption implies potential guilt? (RISKS-26.92,93)

While the Regulation of Investigatory Powers Act 2000 (RIPA) was passed
over a decade ago, the present discussion concerns Part 3, which only came
into effect on 1 October 2007.

Some of the first actual prosecutions for refusing to supply decryption keys
were:

http://www.theregister.co.uk/2007/11/14/ripa_encryption_key_notice/
*Animal rights activist hit with RIPA key decrypt demand*
UK terror law change kicks in

http://www.theregister.co.uk/2009/11/24/ripa_jfl/
*UK jails schizophrenic for refusal to decrypt files*
Terror squad arrest over model rocket

The latter story opens:

"The first person jailed under draconian UK police powers that Ministers
 said were vital to battle terrorism and serious crime has been identified
 by The Register as a schizophrenic science hobbyist with no previous
 criminal record.

 His crime was a persistent refusal to give counter-terrorism police
 the keys to decrypt his computer file."

------------------------------

Date: Mon, 23 Jul 2012 21:12:59 +0100
From: "Chris Drewe" <e767pmk_at_private>
Subject: Re: "In the UK, encryption implies potential guilt?" (RISKS-26.91)

Well... the garden-variety laptop computer that I'm typing this on (running
Windows 7) has over a million files on it, according to the anti-virus scan
log, and I have no idea what most of them are.  I've never knowingly stored
any files that may get me into trouble, but neither can I tell what gets
loaded with updates (see other thread on browsers), and I bought the laptop
at a reduced price as 'ex-demonstration' as it had been used in the store
before purchase (with the network name TECHSUPPORT already set up!).  So if
by some chance I do "have my data examined by the UK authorities" and they
do find something questionable, where does that leave me?  (And if I didn't
have a computer or use the Internet, is that evidence of having something to
hide?!?)  As the poster says, it's worth a debate, but personally I feel
that people are becoming more likely to have their lives trashed by a
heavy-handed criminal investigation than be blown up by terrorists.

------------------------------

Date: Thu, 19 Jul 2012 18:47:25 -0400 (EDT)
From: msb_at_private (Mark Brader)
Subject: Re: Accidents due to confusion of units of measurement (RISKS-26.93)

> ... resulting in the aircraft receiving 22,300 pounds of fuel instead of
> the required 22,300 kg.

PGN forgot to add "See risks 10.12, 11.16, 17.32, 20.30, 24.13, and
especially 10.13".

  [Yup, Mark gets to remind me every time I forget.  Thanks!  PGN]

------------------------------

Date: Mon, 23 Jul 2012 12:49:21 +1200
From: "Richard O'Keefe" <ok_at_private>
Subject: Re: Apple wins patent for transparent scroll bar (Wirchenko, RISKS-26.93)

Gene Wirchenko noted an Apple patent for a transparent scroll bar.  The
article he linked to starts "Apple on Tuesday was awarded the patent for a
transparent-style of scroll bar that disappears when the window is not being
used."

I think it was Dan Ingalls who wrote "From the earliest days, Smalltalk used
flop-out scroll-bars to economize on screen real estate."  So half of the
invention was in use before the first Macintosh was built.  And Apple
certainly knew about Smalltalk.

Pretty much since the Morphic GUI library was developed it has been possible
to set the colours of the various components that make up a scroll bar in
Squeak Smalltalk; that includes TranslucentColor-s.  And Apple certainly
knew about Squeak and Morphic.  I presume other GUI toolkits let you do the
same.

What then _is_ the invention?

------------------------------

Date: Fri, 20 Jul 2012 07:48:52 +0200
From: Anthony Thorn <anthony.thorn_at_private>
Subject: Re: You can have security or privacy. Pick one (RISKS-26.93)

I would like to slightly modify Mr Alexanderro's choice:
     "Security, with as much privacy as possible."
as follows:

"Where our privacy (and other liberties) are exposed to official bodies,
effective controls (measures) against misuse must be implemented."

Of course the problem of defining "effective" and implicitly also
"practicable" and "affordable" remains.  However this is now a classic risk
management problem.  It is still a difficult problem, but hopefully more
amenable to discussion and even agreement!

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.94
************************
Received on Tue Jul 24 2012 - 16:53:05 PDT