RISKS Forum mailing list archives
Risks Digest 28.44
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 6 Jan 2015 16:24:51 PST
RISKS-LIST: Risks-Forum Digest  Tuesday 6 January 2015  Volume 28 : Issue 44

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.44.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents: [Apologies for R-28.43 dupes. I took my break too seriously.]
Too many pilots can't handle an emergency (David Learmount via Chris Drewe)
Brouhaha brewing over single-operator trains (Jay Ashworth)
"Could e-voting be on its way in the UK?" (Andy Walker)
Quick book recommendation (David Jefferson)
How Laws Restricting Tech Actually Expose Us to Greater Harm (WiReD via Lauren Weinstein)
Risks in Using Social Media to Spot Signs of Mental Distress (NYTimes via NNSquad)
Indian government blocks dangerous websites like Github, Dailymotion, Pastebin (Vijay via Prashanth Mundkur)
U.S. Social-Media Giants Are Resisting Russia Censors (WSJ via NNSquad)
Low-risk 'worm' removed at hacked South Korea nuclear operator (Reuters via Richard I Cook)
Iran expands 'smart' Internet censorship (Reuters via NNSquad)
FBI Investigating Whether Companies Are Engaged in Revenge Hacking (Gabe Goldberg)
Inadvertent Algorithmic Cruelty (Gabe Goldberg)
Hackers claim they can copy fingerprints from photos (Bob Frankston)
Toy Story and digital preservation (Mark Thorson)
NSA has VPNs in Vulcan death grip--no, really, that's what they call it (Ars via Lauren Weinstein)
Smart grid powers up privacy worries (David Perera via Henry Baker)
Romanian version of EU cybersecurity directive allows warrantless access to data (NNSquad)
Her Task Is to Wean the White House Off Floppy Disks (Julie Hirschfeld Davis quoting Megan J. Smith)
Gogo issues fake HTTPS certificate to users visiting YouTube (Ars)
I added grandma to a NSFW group (Dan Jacobson)
Silicon Valley's Mirror Effect (Bob Frankston)
The Biggest Security Threats We'll Face in 2015? (WiReD via Matthew Kruk)
"Critical vulnerability in Git clients puts developers at risk" (Lucian Constantin via Gene Wirchenko)
Norse Security IDs 6, Including Ex-Employee, As Sony Hack Perpetrators (slashdot via Lauren Weinstein)
AP: Sony emails show a studio ripe for hacking (Lauren Weinstein)
Sony's North Korea "comedy assassination" film available online (Lauren Weinstein)
Re: ICANN e-mail accounts, zone database breached in spearphishing attack (John Levine)
Re: dual-SIM cell phones (danny burstein)
Re: Emergency? DNS TTL < 6 months? (Amos Shapir)
Re: Lenovo recalls more than 500,000 power cords (Leonard Finegold, Chris Drewe)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 01 Jan 2015 18:41:45 +0000
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Too many pilots can't handle an emergency (David Learmount)

David Learmount, *The Telegraph*, 31 Dec 2014
http://www.telegraph.co.uk/news/uknews/11318189/Too-many-pilots-cant-handle-an-emergency.html

Opinion piece in today's newspaper (Dec 31st, 2014) about pilots' overreliance on computers to fly aircraft may be of interest for RISKS. This is in the context of the recent AirAsia flight QZ8501 loss, but it also appears to figure in Air France flight 447 plunging into the Atlantic 5 years ago. The article summarises an FAA study (published last year) called 'The Operational Use of Flight Path Management Systems', which says:

The FAA working group established that today's pilots have a number of vulnerabilities. The prime one is that if the automatics fail, the pilots are no longer practised in managing without them.
This leads pilots to lose confidence in their own traditional flying abilities, so when things go wrong they have a tendency to try to restore failed automatic systems when, in fact, they should be flying the aircraft to keep it safe.

Incidentally, I'm certainly no expert, but I'd always assumed that iced-up pitot tubes (for air-speed indicators) were a pretty routine problem for aircraft?

------------------------------

Date: Mon, 22 Dec 2014 19:40:32 -0500 (EST)
From: Jay Ashworth <jra () baylink com>
Subject: Brouhaha brewing over single-operator trains

I've been a regular reader of (and occasional contributor to) RISKS since the early 80s. In all that time, I'm not sure I have seen a proposal that takes as insufficient a view of the real deployment arena as this one:

http://bigstory.ap.org/article/89042513370f4b58a2e3545513f64435/railroads-seek-one-person-crews-freight-trains

Even if we ignore for a moment the long-term proposal of people-free freight trains, going from two people to one would seem to benefit exactly one group of people: the railroads that have to pay the other half of their road staff. It's not exactly like a failure on a 5000-ton train pulled by a 400-ton locomotive is small and has little effect on the Real World...

What does surprise me in this AP piece is that AAR appears in *favor* of one-person crews. I guess it represents the railroad owners, though.

Jay R. Ashworth, Ashworth & Associates, St Petersburg FL USA

  [By reverse induction, the railroad owners would undoubtedly love zero-person crews, where I presume Jay and many other RISKS readers would not. PGN]

------------------------------

Date: Wed, 24 Dec 2014 21:33:05 +0000
From: Andy Walker <anw () cuboid co uk>
Subject: "Could e-voting be on its way in the UK?"

A BBC Politics article at http://www.bbc.co.uk/news/uk-politics-30234304 asks the question in the Subject.
The Political and Constitutional Reform Committee of MPs has recommended that the government should run online voting pilots in the next parliament "with a view to all electors having the choice of voting online at the 2020 general election".

According to the article, a fellow campaigner is Lord Malloch Brown, a former minister who is now chairing an e-voting technology company. Unsurprisingly, Malloch Brown claims that his company's machines "are much more secure than postal votes" and are "very advanced, with high levels of encryption", and that "the results can be registered and collated before hackers have time to break into the systems". Hmm.

At least some of the Committee seem to be clued up, but the fear has to be that political issues will weigh more heavily than the security and other problems that have so frequently surfaced in RISKS.

Andy Walker, Nottingham.

------------------------------

Date: Wed, 24 Dec 2014 15:17:46 -0800
From: David Jefferson <drjefferson () gmail com>
Subject: Quick book recommendation

Here is a book I recommend to anyone interested in online voting: Kim Zetter's Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon.

This book captures the zeitgeist of cyberattacks and cyberweapons better than any other book I have come across. It is technically accurate, but I think extremely accessible to general audiences. And it is a pretty exciting and amazing story as well.

Although it does not even mention Internet voting per se, you cannot read this book and fail to appreciate the dangers that Internet voting would be vulnerable to. Kim Zetter, of course, was an early journalist, and one of the best, covering the voting wars a decade ago.

------------------------------

Date: Wed, 24 Dec 2014 20:25:42 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: How Laws Restricting Tech Actually Expose Us to Greater Harm

Wired via NNSquad
http://www.wired.com/2014/12/government-computer-security/

  "And that's why the current regulatory paradigm for computers, inherited from the 16-year-old stupidity that is the Digital Millennium Copyright Act, needs to change. As things stand, the law requires that computing devices be designed to sometimes disobey their owners, so that their owners won't do something undesirable. To make this work, we also have to criminalize anything that might help owners change their computers to let the machines do that supposedly undesirable thing."

------------------------------

Date: Fri, 26 Dec 2014 20:52:52 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Risks in Using Social Media to Spot Signs of Mental Distress

*The New York Times* via NNSquad
http://www.nytimes.com/2014/12/27/technology/risks-in-using-social-posts-to-spot-signs-of-distress.html?partner=rss&emc=rss&_r=0

  A week after the app was introduced on its website, more than 4,000 people had activated it, the Samaritans said, and those users were following nearly 1.9 million Twitter accounts, with no notification to those being monitored. But just about as quickly, the group faced an outcry from people who said the app, called Samaritans Radar, could identify and prey on the emotionally vulnerable -- the very people the app was created to protect. "A tool that 'lets you know when your friends need support' also lets you know when your stalking victim is vulnerable #SamaritansRadar," a Briton named Sarah Brown posted on Twitter. A week and a half after the app's introduction, the Samaritans announced it was reconsidering the outreach program and disabled the app.

------------------------------

Date: Wed, 31 Dec 2014 02:28:44 -0800
From: Prashanth Mundkur <prashanth.mundkur () gmail com>
Subject: Indian government blocks dangerous websites like Github, Dailymotion, Pastebin

Vijay, Tech Worm, December 28, 2014
http://www.techworm.net/2014/12/indian-isps-block-free-paste-website-pastebin-git-hosting-repository-github.html

Anupam Saxena, Times of India, Dec 31, 2014
http://timesofindia.indiatimes.com/tech/tech-news/Pastebin-Dailymotion-Github-blocked-after-DoT-order-Report/articleshow/45701713.cms

Tech Worm excerpt:

  Neither of the two blocks bode well with the Internet users of India, especially the developers and students. GitHub provides a very high performing platform for distributed revision control and source code management (SCM) functionality of Git as well as adding its own features. With its user friendly web-based graphical interface and desktop as well as mobile integration it is a go to tool for developers and computer science students.

------------------------------

Date: Sat, 27 Dec 2014 14:02:00 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: U.S. Social-Media Giants Are Resisting Russia Censors (WSJ)

*Wall Street Journal* via NNSquad
http://www.wsj.com/articles/u-s-tech-firms-face-showdown-with-russian-censors-1419620113

  "Facebook Inc., Twitter Inc. and Google Inc. have started resisting Russian government orders to remove information about a rally next month in support of opposition leader Alexei Navalny, raising the prospect of a showdown over the Kremlin's efforts to control online information. In response to a request from Russian prosecutors, Roskomnadzor, the country's communications regulator, began issuing block orders for Russia just hours after the Moscow rally was publicized on social media late last week, officials said. Facebook honored the initial order last weekend and blocked a page promoting the event, but others were quickly created, attracting more attention."

------------------------------

Date: Wed, 31 Dec 2014 11:05:03 -0600
From: Richard I Cook MD <ricookmd () gmail com>
Subject: Low-risk 'worm' removed at hacked South Korea nuclear operator

Reuters
http://www.reuters.com/article/2014/12/30/us-nuclear-southkorea-cybersecurity-idUSKBN0K80J620141230

Excerpt: ``Korea Hydro & Nuclear Power Co Ltd said it would beef up cyber security by hiring more IT security experts and forming an oversight committee, as it came in for fresh criticism from lawmakers following recent hacks against its headquarters.''

Comments:
1) What is a `low risk' worm?
2) Hiring experts and forming committees does not seem to this writer to be an effective strategy for reducing risk.

------------------------------

Date: Sat, 27 Dec 2014 19:14:22 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Iran expands 'smart' Internet censorship

Reuters via NNSquad
http://www.reuters.com/article/2014/12/26/us-iran-internet-censorship-idUSKBN0K40SE20141226

  "The Islamic Republic has some of the strictest controls on Internet access in the world, but its blocks on U.S.-based social media such as Facebook, Twitter and YouTube are routinely bypassed by tech-savvy Iranians using virtual private networks (VPNs). Under the new scheme, Tehran could lift its blanket ban on those sites and, instead, filter their content. The policy appears to follow President Hassan Rouhani's push to loosen some social restrictions, but it was not clear if it would mean more or less Internet freedom. Iranians on Twitter expressed concern that, as part of the new policy, the government would try to block VPN access to such sites."

------------------------------

Date: Tue, 30 Dec 2014 13:10:59 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: FBI Investigating Whether Companies Are Engaged in Revenge Hacking

The hacked are itching to hack back.
To read the entire article, go to http://bloom.bg/1xdL56N

  Hacking costs the global economy as much as $575 billion annually, according to a study published in June by McAfee, a security-software maker owned by Intel Corp. (INTC), and the Center for Strategic & International Studies.

...certainly an objective observer. (Not)

------------------------------

Date: Sun, 28 Dec 2014 17:20:06 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Inadvertent Algorithmic Cruelty

Author says:

  I didn't go looking for grief this afternoon, but it found me anyway, and I have designers and programmers to thank for it. In this case, the designers and programmers are somewhere at Facebook.

http://meyerweb.com/eric/thoughts/2014/12/24/inadvertent-algorithmic-cruelty/

...different sort of risk from the usual.

Gabriel Goldberg, Computers and Publishing, Inc. gabe () gabegold com
3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

------------------------------

Date: 30 Dec 2014 12:06:46 -0500
From: "Bob Frankston" <bob19-0501 () bobf frankston com>
Subject: Hackers claim they can copy fingerprints from photos

As the resolution of photos increases and burst shots become common .

http://mashable.com/2014/12/29/fingerprint-photo-copy/

------------------------------

Date: Mon, 22 Dec 2014 14:03:04 -0800
From: Mark Thorson <eee () sonic net>
Subject: Toy Story and digital preservation

Here's an article about digital preservation, but what I find astounding is that when they made the DVD version of Toy Story, they had to make it from a film print because the digital files were unreadable. How could anybody be so incompetent as to allow millions of dollars worth of digital IP to become inaccessible?

http://www.vulture.com/2014/12/perils-of-an-all-digital-movie-future.html

Sure, I've lost a few files, but never anything important. I keep backups of the important stuff.

------------------------------

Date: Tue, 30 Dec 2014 09:59:39 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: NSA has VPNs in Vulcan death grip--no, really, that's what they call it

Ars via NNSquad
http://arstechnica.com/tech-policy/2014/12/nsa-has-vpns-in-vulcan-death-grip-no-really-thats-what-they-call-it/

  "The National Security Agency's Office of Target Pursuit (OTP) maintains a team of engineers dedicated to cracking the encrypted traffic of virtual private networks (VPNs) and has developed tools that could potentially uncloak the traffic in the majority of VPNs used to secure traffic passing over the Internet today, according to documents published this week by the German news magazine Der Spiegel. A slide deck from a presentation by a member of OTP's VPN Exploitation Team, dated September 13, 2010, details the process the NSA used at that time to attack VPNs--including tools with names drawn from Star Trek and other bits of popular culture."

 - - -

Not really new, but confirmational. That's what intel agencies around the world are paid to do -- crack codes.

------------------------------

Date: Fri, 02 Jan 2015 08:37:16 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Smart grid powers up privacy worries (David Perera)

FYI -- Why are we doing this? Why aren't we spending this money on putting in rooftop solar & cutting the cord to the grid entirely?

David Perera, *Politico*, 1 Jan 15
http://www.politico.com/story/2015/01/energy-electricity-data-use-113901.html

The next Big Data threat to our privacy may come from the electricity we consume in our homes.

Smart online power meters are tracking energy use -- and that data may soon be worth more than the electricity they distribute.

The Department of Energy is publishing in January the final draft of a voluntary code of conduct governing data privacy for smart meters, 38 million of which have already been installed nationwide.
The meters gather information about household electricity consumption and transmit it wirelessly at regular intervals to the supplier. It's a key element in the push for the so-called smart grid, a more efficient way to distribute the nation's electricity.

But, despite the voluntary code, critics fear consumers will still be cajoled or conned into giving up their data, not just to power companies but to third-party data aggregators. Too much money is at stake, they say. And the huge profits to be made could upend the business model of energy utilities. [...]

------------------------------

Date: Fri, 26 Dec 2014 15:46:09 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Romanian version of EU cybersecurity directive allows warrantless access to data

IT World via NNSquad
http://www.itworld.com/article/2863635/romanian-version-of-eu-cybersecurity-directive-allows-warrantless-access-to-data.html

  "More than a dozen Romanian non-governmental organizations are protesting new cybersecurity legislation passed by the parliament last week that would force businesses to provide the country's national intelligence agencies with access to their data without a court warrant. The law could also impact businesses from Europe and beyond, as Romania is a hub for IT outsourcing and software development. Many multinational corporations including Amazon, Microsoft, Adobe Systems, Siemens and Intel have research and development centers in the country."

------------------------------

Date: Sun, 4 Jan 2015 09:15:41 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Her Task Is to Wean the White House Off Floppy Disks (Julie Hirschfeld Davis quoting Megan J. Smith)

Julie Hirschfeld Davis, *The New York Times*, 3 Nov 2015, via NNSquad
http://www.nytimes.com/2015/01/04/us/politics/her-task-weaning-the-white-house-off-floppy-disks.html

Megan J.
Smith advised President Obama on the technological issues before his decision late last year to come out strongly in favor of a free and open Internet, including making sure that Mr. Obama heard from Vinton G. Cerf, Google's vice president and one of the chief architects of the Internet, and Tim Berners-Lee, the inventor of the World Wide Web. "Having the engineering voice saying, 'This is how the technology works,' was very important," she said.

 - - -

I would add that in my experience, so long as you don't talk down to them, most people are interested in the reality of how these systems work and how that impacts their views of the associated policy issues. Explaining in ways non-techies will understand is crucial!

------------------------------

Date: Mon, 5 Jan 2015 13:51:36 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Gogo issues fake HTTPS certificate to users visiting YouTube

Ars via NNSquad
http://arstechnica.com/security/2015/01/gogo-issues-fake-https-certificate-to-users-visiting-youtube/

  Mandatory HTTPS connections have long been the bane of people using so-called "captive-portal" Internet services offered by hotels and conferences. Typically, such services redirect first-time users to a terms of service page before they can browse the Internet. Those redirections often stall when users first try to visit encrypted webpages, creating a hugely frustrating problem for end users, broadband providers, and website operators alike. While this is a hard problem to solve, Gogo's current approach sets a bad precedent. Promising not to monitor or collect sensitive data isn't the same thing as being unable to do it. The entire premise of HTTPS is at stake.

 - - -

Unacceptable. Period.

------------------------------

Date: Sat, 27 Dec 2014 13:35:47 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: I added grandma to a NSFW group

Today I did the maximum dumb thing in my computer career.
Toying around with the "Facebook Friends To Groups Adder - Chrome Extension", before you know it I had added Grandma, professors, my neighbor's kids, that bible thumper, all to one of the [Not Suitable For Work] Facebook groups I was a member of.

The administrator happened to be awake at the time and asked if I was nuts. Fortunately they were able to cancel each of the 300 membership applications in the queue before anyone noticed...

------------------------------

Date: 27 Dec 2014 10:21:39 -0500
From: "Bob Frankston" <bob19-0501 () bobf frankston com>
Subject: Silicon Valley's Mirror Effect

A reminder of the very strong hindsight bias in Silicon Valley along with a simplistic measure of merit and the idea that smart people can pick winners and offering prizes as incentives. Thus we adopt policies with parts and not wholes.

It's not just Silicon Valley. We see the same biases from those who became rich and blame smarts rather than luck. Once one is very rich there is enough buffer so that one gets more opportunities to be lucky and to seem prescient by simply ignoring failures.

This is also a risk to society as the (often naive) ideas become public policy.

http://en.wikipedia.org/wiki/The_Rise_of_the_Meritocracy

I read the book in my freshman sociology class and may be the source of the term.

------------------------------

Date: Mon, 5 Jan 2015 06:18:06 -0700
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: The Biggest Security Threats We'll Face in 2015?

http://www.wired.com/2015/01/security-predictions-2015/

------------------------------

Date: Wed, 24 Dec 2014 10:43:17 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Critical vulnerability in Git clients puts developers at risk" (Lucian Constantin)

Lucian Constantin, InfoWorld, 19 Dec 2014
Malicious Git code repositories can execute rogue commands on client machines interacting with them
http://www.infoworld.com/article/2861439/security/critical-vulnerability-in-git-clients-puts-developers-at-risk.html

A critical vulnerability in client software used to interact with Git, a distributed revision control system for managing source code repositories, allows attackers to execute rogue commands on computers used by developers.

The flaw affects the official Git client as well as third-party clients and software based on the original Git code. The issue only affects implementations running on Windows and Mac OS X, not Linux, because their file systems are case-insensitive: NTFS and FAT for Windows and HFS+ for Mac OS X.

------------------------------

Date: Mon, 29 Dec 2014 08:57:09 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Norse Security IDs 6, Including Ex-Employee, As Sony Hack Perpetrators

Slashdot via NNSquad
http://it.slashdot.org/story/14/12/29/0251211/norse-security-ids-6-including-ex-employee-as-sony-hack-perpetrators

  But Norse Security is taking the debate up a notch: saying that they have conclusive evidence pointing to group of disgruntled former employees as the source of the attack and data theft. The Security Ledger quotes Norse Vice President Kurt Stammberger saying that Norse has identified a group of six individuals -- in the U.S., Canada, Singapore and Thailand -- that it believes carried out the attack, including at least one 10-year employee of SPE who worked in a technical capacity before being laid off in May.
  Rather than starting from the premise that the Sony hack was a state sponsored attack, Norse researchers worked their investigation like any other criminal matter: starting by looking for individuals with the "means and motive" to do the attack.

------------------------------

Date: December 18, 2014 at 12:21:48 PM EST
From: Lauren Weinstein <lauren () vortex com>
Subject: AP: Sony emails show a studio ripe for hacking

AP via NNSquad
http://www.apnewsarchive.com/2014/Sony-emails-reveal-loose-use-of-passwords-and-IDs-ripe-for-hacking/id-041c9dc46e9d408fa569ccac15c0ffe0

  "In the weeks before hackers broke into Sony Pictures Entertainment, the studio suffered significant technology outages it blamed on software flaws and incompetent technical staffers who weren't paying attention, even as hackers targeted executives to trick them into revealing their online credentials."

 - - -

It's my gut feeling that this relatively simple hack actually had nothing to do with North Korea at all -- though they may be leveraging some propaganda points from it. But of course, it's in the interests of the commercial "cybersecurity" firms -- and governments seeking ever larger and bloated "cyberwar" budgets -- to play this up as some sort of "super hack" and to pin it on a widely despised geopolitical enemy -- much more conducive to expanded sales and budgets than this turning out to have been the work of teenage hackers living in their parents' basements.

------------------------------

Date: Wed, 24 Dec 2014 10:33:23 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Sony's North Korea "comedy assassination" film available online

It has now been announced that Google Play/YouTube and other online venues (possibly to include Netflix at some point) are either now or soon will enable streaming of Sony's "comedy assassination" film (at least in some countries).
I note this specifically because I do not support censorship even of this trash, and I feel it is completely appropriate and admirable for the film to be made widely available in the interests of free speech.

That said, this doesn't mean you're required to watch it. A film like this is unlikely in the extreme to bring about positive change in a horrible place like North Korea. If anything, it could drive their insane leadership to even further internal repression.

So my *personal* recommendation remains to ignore this film entirely, and not reward Sony's series of unforced errors that enabled this entire mess.

------------------------------

Date: 20 Dec 2014 02:22:05 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: ICANN e-mail accounts, zone database breached in spearphishing attack (Dan Goodin, RISKS-28.42)

stored in its centralized zone data system <https://czds.icann.org/en>,

Before people get too panicky, CZDS is used to distribute copies of top level domain zone files to people like me who have signed up for access. The account info used to access it is intended to be private but the zone data itself is what the TLDs name servers serve, so it is by any normal definition public. (Some TLDs imagine that their zonefiles are full of valuable proprietary data, which tells us that they don't understand the DNS at all.)

ICANN wrote to us, told us that they'd reset our passwords so we'd have to use the usual forgotten password hack to re-reset them to something we know.

------------------------------

Date: Fri, 19 Dec 2014 21:17:46 -0500 (EST)
From: danny burstein <dannyb () panix com>
Subject: Re: dual-SIM cell phones (Re: Levine, RISKS-28.42)

Re: "Your cell phone number: To give or not to give" (RISKS-28.41) Dual SIM cellphones are pretty common, although for obvious reasons you're never going to get one from a carrier.

First, I'm not so clear on how "obvious" it is as I can't figure out the reluctance and resistance.

That being said, I've been trying for years to convince Omnipoint (where I'm both a customer and a shareholder) to offer dual-SIM phones.

This would be a useful option for people who currently carry around two separate phones - one for their personal use and one for work.

- at least today most phones (with one key exception - that's YOU Apple I'm pointing at) use the same charger.

------------------------------

Date: Sat, 20 Dec 2014 12:34:30 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Emergency? DNS TTL < 6 months? (Baker, RISKS-28.42)

This idea is not just disruptive but also stupid -- as others may have noticed by now; if DNS is blocked in any significant way, vulnerable sites would just revert to publicizing their IP address as part of their URL instead of the site name, thus completely bypassing DNS lookup.

------------------------------

Date: Sat, 20 Dec 2014 12:30:04 -0500
From: Leonard Finegold <L () drexel edu>
Subject: Re: Lenovo recalls more than 500,000 power cords due to spark, burn risk (Welinder, RISKS-28.42)

"shed twice as much heat" is a typo? Surely doubling the volts quadruples the power dissipated? As my freshman students know...

  Twinkle twinkle little star
  Power equals I squared R

(awright... V squared over R, but that doesn't scan)

Len

------------------------------

Date: Sat, 20 Dec 2014 21:11:37 +0000
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: Lenovo recalls more than 500,000 power cords (RISKS-28.42)

At risk of sounding like a total geek, in 220V Europe the mandatory wire colours for power cords are:

  Brown - Hot (live/phase)
  Blue - Cold (neutral)
  Green & Yellow stripes - Safety Ground (earth)

I believe that in North America they are black for hot and white for cold; no idea what other territories use, presumably it depends on whether they're 110V or 220/240V.
Obviously for moulded cords it's impossible to verify without cutting into the cord and damaging it, but the various territories' safety authorities will need to be satisfied that regulations are being complied with.

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
  http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.44
************************