RISKS Forum mailing list archives
Risks Digest 28.62
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 8 May 2015 15:24:07 PDT
RISKS-LIST: Risks-Forum Digest  Friday 8 May 2015  Volume 28 : Issue 62

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.62.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Dealing with rogue drones, Copping a 'copter (The Economist)
Computer Scientists Use Twitter to Predict UK General Election Result (Lee Page)
Vint Cerf on ACM, Internet Issues, Quantum Machine Computing (Stephan Ibaraki)
ACLU sues Fairfax County police over license-plate data (Jim Reisert)
The man who wants to outlaw encryption (Daily Dot via Lauren Weinstein)
Boxing Match: Video Piracy Battle Enters Latest Round -- Mobile Apps (NYTimes via Monty Solomon)
Now you can embed classic MS-DOS games in tweets (Ian Paul via Jim Reisert)
ZPM Espresso and the Rage of the Jilted Crowdfunder (NYTimes via Monty Solomon)
Re: Doctors don't like EHRs (James Geissman)
Re: All cars must have tracking devices ... (Alister Wm Macintyre)
Re: FAA Orders Fix for Possible Power Loss in Boeing 787 (Jeff Makey)
Re: At least one American Airlines plane is grounded because the pilots' iPads crashed (Michael Kohne)
Authentication vs Identification: South Korean ID system in disarray (Jay Ashworth)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 3 May 2015 9:29:28 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Dealing with rogue drones, Copping a 'copter (The Economist)

In the hands of criminals, small drones could be a menace. Now is the time to think about how to detect them and knock them down safely.

On 22 April, a drone carrying radioactive sand landed on the roof of the Japanese prime minister's office in Tokyo.
It was the latest of a string of incidents around the world involving small drones. Last year more than a dozen French nuclear plants were buzzed by them. In January one crashed on the White House lawn. In February and early March several were spotted hovering near the Eiffel tower and other Parisian landmarks. Later in March someone attempted to fly one full of drugs (and also a screwdriver and a mobile phone) into a British prison.

The employment of drones for nefarious, or potentially nefarious, purposes thus seems to have begun in earnest. It is only a matter of time before somebody attempts to use a drone, perhaps carrying an explosive payload, to cause serious damage or injury. The question for the authorities is how to try to stop this happening.

*The Economist*, 1 May 2015

------------------------------

Date: Fri, 8 May 2015 13:13:01 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Computer Scientists Use Twitter to Predict UK General Election Result (Lee Page)

Lee Page, University of Warwick, 5 May 2015
via ACM TechNews, Friday, May 8, 2015

Computer scientists from the University of Warwick used Twitter to predict the outcome of the U.K. general election. The team has developed an algorithm that harvests political tweets, and incorporating sentiment conveyed in tweets was one of its key features. The user-generated content is aggregated and put into conventional polling reports to produce a daily prediction of voting share. "We then put all this information into our forecasting model, along with the parties' share of the vote as measured by opinion polls," says Warwick researcher Adam Tsakalidis. The team says the approach will provide key insights into how public opinion is developing and what factors might be influencing any changes in support. The researchers believe their forecasts could be more accurate than traditional opinion methods.
Tested during the Greek election in January, the model achieved better results than all of the most recent polls leading up to the vote and three exit polls once the ballots closed. "We are particularly interested in automatically identifying the sentiment expressed towards specific politicians or parties and topics such as immigration," Tsakalidis says. "This will help us obtain more accurate predictions as well as better understanding of the reasons behind public support or discontent."
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-dac7x2cca3x061924&

------------------------------

Date: Mon, 4 May 2015 12:28:25 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Vint Cerf on ACM, Internet Issues, Quantum Machine Computing (Stephan Ibaraki)

Stephan Ibaraki, IT World Canada, 1 May 2015
via ACM TechNews, 4 May 2015

In a wide-ranging interview, Vint Cerf, co-creator of the Internet and vice president at Google, discusses a range of topics, including the modern challenges of the Internet, the technologies of the future, and the Association for Computing Machinery (ACM). Asked what he sees as the main challenges and controversies surrounding the Internet today, Cerf, co-recipient in 2004 of the ACM A.M. Turing Award, identified the need to ensure users' safety, security, and privacy. He also reiterated his frequent warnings about a "digital Dark Age" that could result as software continues to advance and the means of interacting with older software and data falls away. Finally, he pointed to the Internet of Things, particularly the need to ensure the security of all Internet-connected devices. Cerf also commented on a number of speculative topics, saying he thinks the singularity envisioned by Ray Kurzweil is "a stretch," but that he sees a great deal of promise in current research into quantum computing and quantum entanglement.
He also comments on the need for professionalism and credentialing in software development and discusses his time as president of ACM. Cerf says ACM's main challenges today are helping to establish 21st century business models, being relevant to computer science practitioners, and helping to promote computer science as a discipline.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-da62x2cbd1x061742&

------------------------------

Date: Wed, 6 May 2015 14:30:28 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: ACLU sues Fairfax County police over license-plate data

The Associated Press, 6 May 2015

FAIRFAX, Va. (AP) - The American Civil Liberties Union of Virginia is suing Fairfax County police over a policy in which they store data collected on thousands of drivers through the use of license-plate readers. The civil-liberties group filed the suit Tuesday in Fairfax County Circuit Court. The ACLU alleges that keeping a database of information collected through license-plate readers amounts to an illegal invasion of privacy.
http://www.wjla.com/articles/2015/05/aclu-sues-fairfax-county-police-over-license-plate-data-113755.html

------------------------------

Date: Thu, 7 May 2015 22:00:53 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: The man who wants to outlaw encryption

Unlike the gung-ho mood post-9/11 America, which led to the passage of the USA Patriot Act, industry and academic experts and even members of Congress have lambasted Comey's efforts to outlaw strong encryption as a vast overstep of government authority and grossly naive. Just last week, for example, a congressional hearing on encryption got downright hostile when Rep. Ted Lieu (D-Calif.) called Comey's proposal "stupid."
The Daily Dot via NNSquad
http://www.dailydot.com/politics/james-comey-no-tradeoff-between-liberty-and-security/

[We note that the federal appeals court for the Second Circuit ruled on 7 May 2015 that the NSA's bulk record collection program is unlawful. PGN]

------------------------------

Date: Tue, 5 May 2015 09:34:26 -0400
From: Monty Solomon <monty () roscom com>
Subject: Boxing Match: Video Piracy Battle Enters Latest Round -- Mobile Apps

http://www.nytimes.com/2015/05/05/technology/with-boxing-match-video-piracy-battle-enters-latest-round-mobile-apps.html

With the Mayweather-Pacquiao bout, live streaming from mobile apps was just one of the new piracy headaches facing media companies.

[That, plus the fact that thousands of paying customers were unable to access the live streaming. PGN]

------------------------------

Date: Tue, 5 May 2015 13:41:12 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Now you can embed classic MS-DOS games in tweets (Ian Paul)

That didn't take long.....

@SamuelGibbs, 4 May 2015
Twitter kills MS-Dos games embedded in tweets
Social network kills MS-Dos gaming fun, saying interactives and games breach its embedded cards terms of service
http://www.theguardian.com/technology/2015/may/04/twitter-kills-ms-dos-games-embedded-in-tweets

------------------------------

Date: Tue, 5 May 2015 09:47:32 -0400
From: Monty Solomon <monty () roscom com>
Subject: ZPM Espresso and the Rage of the Jilted Crowdfunder

http://www.nytimes.com/2015/05/03/magazine/zpm-espresso-and-the-rage-of-the-jilted-crowdfunder.html

What happens when a Kickstarter project fails to launch?

------------------------------

Date: Sat, 02 May 2015 00:03:42 +0000
From: "Geissman, James" <james.geissman () bankofamerica com>
Subject: Re: Doctors don't like EHRs (RISKS 28.61)

I looked in Wiki and the EHR article listed 11 different standards plus 3 "open" ones for them. Whaa? In the mortgage banking industry where I work there's the MISMO standard.
Different people modify it somewhat, but it's a single basic standard. Of course the idea with the mortgage data is the data is meant to be exchanged, not merely used by the creator. Isn't that the case with EHRs also?

------------------------------

Date: Sat, 2 May 2015 01:11:23 -0500
From: "Alister Wm Macintyre (Wow)" <macwheel99 () wowway com>
Subject: Re: All cars must have tracking devices ... (Drewe, RISKS-28.61)

Several observations:

* I think train locomotives should have radar in front to detect vehicles which have not yet cleared RR crossings, such as back end of a school bus or truck, that is stuck in a traffic jam.

* Some cars are imported into EU. I assume it will be a requirement to have this installed in imports, before they are driven in EU. But EU auto manufacturers, which export to other nations, may need to disable this feature, or give owners the opportunity to have this disabled, depending on the laws of the other nations.

* The USA has places where cell reception is no good, such as some rural areas, and valleys. Is this also true in Europe?

* There are areas where cell phone service is blocked, because national security mentality thinks most bombs are set off by cell phone calls. That will work until the enemy uses alternative technology, such as timers (as in the Spain train bombing), and other techniques. It can also inconvenience first responders who may rely on that system. The Boston Marathon had no drones harassing the runners, thanks to a system which used cell phone communications.

* There may need to be some threshold adjustment to recognize what some people do not consider to be an accident, such as car door hitting adjacent car, when they parked too close to each other, or what goes on when crossing the picket line of a labor management dispute ... lots of hands thumping the roof.

* Some riots may set off excess alarms, as the police shoot pellets into a crowd, and many parked cars get hit.
* The US has systems where people are required to notify the police, such as medical personnel observing what appears to be evidence of child abuse, then funding for the police to do anything with the info is lost, and the mandatory reports go into the garbage, without updating the requirements. Is this also true in Europe?

* Will this system be as easy to hack as prior systems installed in vehicles?

* Many alarm systems in the USA trigger calls to the police, but some systems have lots of false alarms, then the police send the owners of the false alarm systems bills for the wasted time of the police or fire dept. Is this also true in Europe? What will happen with alleged false alarms from this system?

There have been multiple disasters, where power outages take out cell phone towers, such as 9/11 in NYC where communication services used the Twin Towers. In the Haiti 2010 quake, which took out a capital city's infrastructure, many volunteer foreign first responders were flooded with SOS. Some speculated:

* Where we come from, lots of people do prank 911 calls, so many of these may also be a similar situation.

* Cell tower service was knocked out, until the USAF launched a flying cell tower, so what we are probably hearing is the last gasp of the batteries of the cell phones of now dead people.

For these, and other reasons, many cell phone SOS were not responded to. But later examination of where dead bodies were found, showed a correlation that many of those SOS were in fact real, and had they been taken seriously, more lives could have been saved.

------------------------------

Date: Mon, 4 May 2015 14:44:43 -0700
From: Jeff Makey <jeff () sdsc edu>
Subject: Re: FAA Orders Fix for Possible Power Loss in Boeing 787

248 days is the time it takes a 100Hz counter to go from zero to 2**31. If such a counter is stored in a signed 32-bit integer, its value then overflows to become negative, and confusion may ensue.
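[Editor's worked example of the arithmetic in the preceding paragraph. This is added code, not part of Jeff Makey's message and not anything from the 787 (whose counter is not public); it models a hypothetical 100 Hz tick counter held in a signed 32-bit integer and shows both the 248-day figure and how an elapsed-time check goes wrong once the counter wraps negative, alongside the unsigned modular form that keeps working.]

```c
/* Added example: hypothetical 100 Hz tick counter in a signed 32-bit int.
 * Not the aircraft's code; it only reproduces the arithmetic in the note. */
#include <stdint.h>
#include <stdio.h>

#define TICK_HZ 100   /* assumption: ticks per second, as in the note */

/* Days a counter starting at zero runs before reaching 2^31 ticks. */
double days_until_signed_overflow(uint32_t hz)
{
    return 2147483648.0 / hz / 86400.0;   /* 248.55 days at 100 Hz */
}

/* Portable two's-complement wrap of a 64-bit value into int32_t, used so the
 * wrap is modelled explicitly rather than via signed overflow (UB in C). */
int32_t wrap32(int64_t v)
{
    v %= 4294967296LL;
    if (v < 0)
        v += 4294967296LL;
    if (v >= 2147483648LL)
        v -= 4294967296LL;
    return (int32_t)v;
}

/* One tick of the naive signed counter: INT32_MAX + 1 becomes INT32_MIN. */
int32_t tick_signed(int32_t ticks)
{
    return wrap32((int64_t)ticks + 1);
}

/* Elapsed ticks the way code comparing two signed timestamps computes it.
 * Once 'now' has wrapped negative the result is hugely negative, so a
 * check such as "elapsed > limit" silently stops firing. */
int64_t elapsed_signed(int32_t start, int32_t now)
{
    return (int64_t)now - (int64_t)start;
}

/* Same interval in unsigned modular arithmetic: correct for any interval
 * shorter than 2^32 ticks (about 497 days at 100 Hz), wrap or no wrap. */
uint32_t elapsed_modular(uint32_t start, uint32_t now)
{
    return now - start;   /* unsigned subtraction wraps as intended */
}

int main(void)
{
    int32_t start = INT32_MAX - 5;          /* just before the 248-day mark */
    int32_t now = start;
    int i;

    printf("signed 32-bit counter at %d Hz overflows after %.2f days\n",
           TICK_HZ, days_until_signed_overflow(TICK_HZ));

    for (i = 0; i < 10; i++)
        now = tick_signed(now);             /* crosses 2^31 on the 6th tick */

    printf("after 10 ticks: now=%d, signed elapsed=%lld, modular elapsed=%u\n",
           now, (long long)elapsed_signed(start, now),
           elapsed_modular((uint32_t)start, (uint32_t)now));
    return 0;
}
```

The two elapsed-time functions are the point: the signed difference jumps from a small positive number to about -4.29e9 at the wrap, while the unsigned difference stays at 10. Widening the counter to 64 bits is the other usual remedy; at 100 Hz a 64-bit tick count will not wrap for billions of years.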
The Solaris 2.5 operating system, circa 1996, had this problem with the system clock and would hang after 248 days of uptime.

[Also noted by Gene Wirchenko and Kent Borg -- who recalls the day Berkshire Hathaway broke $(2^15)/share, and the stock market also broke. PGN]

------------------------------

Date: Fri, 1 May 2015 20:36:39 -0400
From: Michael Kohne <mhkohne () kohne org>
Subject: Re: At least one American Airlines plane is grounded because the pilots' iPads crashed (Moore, RISKS-28.61)
Where's the backup system?
What's the data on the iPad used for? Is it just stuff used to setup the flight computers and inform the tower and so-on? Because if it IS just pre-flight information, then staying at the gate is a perfectly safe (if moderately expensive) fallback procedure.

------------------------------

Date: Mon, 4 May 2015 19:27:49 -0400 (EDT)
From: Jay Ashworth <jra () baylink com>
Subject: Authentication vs Identification: South Korean ID system in disarray

[Re: Lauren Weinstein, South Korean ID system in disarray, 14 Oct 2014, Privacy Forum and Network Neutrality Squad, but not in RISKS. PGN]

PRIVACY Forum's Lauren Weinstein pointed out a BBC story about identity theft in South Korea, and the piece is interesting, because it points up the RISKS of *not learning lessons*.

The problem there, it seems, stems from the same source as in the US: Treating an identifier as an authenticator. Well, more properly, *knowledge of an identifier*.

In the US, of course, this is the Social Security Number, which we are told to keep a State Secret... except for all the people to whom we are required to give it. (TTBOMK, you are only legally required to disclose your SSN to employers, the IRS, and -- thanks to the USA PATRIOT Act, passed by an entire Congress nearly none of whom have read it *by now*, much less before passing it -- banks, and non-bank debit card service providers. (And as another correspondent points out, state DMVs in REALID states, now.))

Identifiers and authenticators each have several properties which it is necessary for them to fulfill in order to successfully accomplish their tasks. Herewith, a recap:

For identifiers: they must be unique, they must be arbitrary (you cannot encode mnemonics into them, or, if you do, at least some part must be globally unique and arbitrary amongst the relevant namespace), and it *mustn't ever be necessary to change them*.
Authenticators, on the other hand, *must* be changeable, to avoid and recover from authentication breaches, and they must *not* be researchable -- that is, unlike "mothers maiden name" or "city you grew up in" or "name of your first pet", or any other bit of information that people can pry out of you by posting a cute quiz on Facebook, it must not be possible to determine what the authenticator is for a given identity relationship.

Anything which is not a password/phrase/PIN violates the second requirement, and biometrics violate the first (quite apart from the requirement that biometrics must test for a living human, lest someone cut your finger off to scan it -- and please don't think I'm joking there).

Identity theft problems in both the US and S Korea stem from the persistent and wilful failure of businesses and governments in both countries to cease trying to extend SSN/identity numbers (which are identifiers) to fill the purpose of authenticators as well -- one data item cannot do both jobs, as they have conflicting requirements... and those requirements are absolute.

As you realize, if you shop at Home Depot. Or Target. Or Kohls. Or have tried to make a change to your power utility account.

It is often possible to convince someone who tells you they "must have your SSN" that they are wrong; some organizations have policy for this. Duke Energy was happy to put my FL DL number on file instead, once I insisted. In the 60s, a friend forced the Mass DMV to make up an SSN for him, rather than putting his on his MA DL.

In the final analysis, each individual is responsible for their own security; while laws may protect you from some of the inevitable results, they generally don't protect you from the hassle.

On the larger scale, CIOs of big organizations MUST (to borrow normative language from the RFCs) learn this lesson and MUST stop using "knowledge of SSN" as an authenticator, and MUST stop asking for it at all unless they have a real, legal reason to need it.
That's the only way we'll *really* stop having to deal with Identity Theft in the United States.
(BBC): http://www.bbc.com/news/technology-29617196 (Oct 2014)

  The government is considering issuing new ID numbers to every citizen aged over 17, costing billions of dollars. The ID numbers and personal details of an estimated 80% of the country's 50 million people have been stolen from banks and other targets, say experts. Rebuilding the system could take up to a decade, said one. Some 20 million people, including the president Park Geun-hye, have been victims of a data theft from three credit card companies. "The problems have grown to a point where finding a way to completely solve them looks unlikely,'' technology researcher Kilnam Chon told Reuters.
Jay R. Ashworth, Ashworth & Associates, 2000 Land Rover DII, St Petersburg FL
+1 727 647 1274  http://www.bcp38.info  jra () baylink com

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or
   risks-unsubscribe () csl sri com
 depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.62
************************