RISKS Forum mailing list archives
Risks Digest 27.22
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 23 Mar 2013 17:01:42 PDT
RISKS-LIST: Risks-Forum Digest Saturday 23 March 2013 Volume 27 : Issue 22 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/27.22.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Small furry animals and slithering snakes vs Electric Utilities (Ishikawa) Panama Canal Railway upgrade problems (Robert Heuman) National Vulnerability Database is hacked! (Mark Thorson) Re: Weapons Experts Raise Doubts About Israel's Antimissile System (Amos Shapir) Feds announce massive scanning of private Internet communications (Lauren Weinstein) Google's trust problem (Ezra Klein via Dewayne Hendricks) "Smile, you're on Google Glass, whether you like it or not" (Caroline Craig via Gene Wirchenko) "Andrew Auernheimer joins growing list of so-called hackers facing harsh justice" (Ted Samson via Gene Wirchenko) Security hole lets Apple passwords be reset with e-mail addr, DoB (Chris Welch via Jim Reisert) Re: Electronic health records: teething problems?" (William Pociengel) Re: Mars Rover is Repaired, NASA Says (William Pociengel) Re: Fake silicone fingers strike again (Amos Shapir) Re: Attorney General's testimony on Aaron Swartz raises more ... (Wol) Microwave oven interference robustness mode (Jidanni) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 22 Mar 2013 14:39:12 +0900 From: ishikawa <ishikawa () yk rim or jp> Subject: Small furry animals and slithering snakes vs Electric Utilities In the never-ending saga of small furry animals and slithering snakes vs electric utilities, here is the latest and more horrifying incident. Martin Fackler, Fukushima Blackout Hints at Plant's Vulnerability, *The New York Times*, 19 Mar 2013 http://www.nytimes.com/2013/03/20/world/asia/blackout-halts-cooling-system-at-fukushima-plant.html Martin Fackler, Rat Body Linked to Blackout at Atomic Site, *The New York Times*, 20 Mar 2013 http://www.nytimes.com/2013/03/21/world/asia/rat-at-fukushima-plant.html A lot of Japanese must have gone through uncomfortable moments. Initially, when I learned that there was a re-wiring work was going on, I thought there was some type of human error. Now a rodent is implicated. In either case, TEPCO is losing public trust, well, at least from me. If an important piece for feeding electricity is not protected from a rodent, how can we tell the piece won't fall down or break down if another reasonably large earthquake hits the area (and this is no idle threat in Japan, the virtually the busiest center of earthquakes in the world.) I would not mind losing electricity for my home for a few hours or even half a day after a big earthquake. That is life in this corner of the world. Many households in Japan stock water/food/battery, etc. just in case. We can't argue with earthquakes as the saying goes here. (The other two, we can't argue in the saying are thunderbolts, and one's father.) But a crippled nuclear reactor site with many used fuel rods that requires continuous cooling needs better care than typical households. BTW, I found a few similar incidents in RISKS: RISKS-8.75 SRI attacked by kamikaze squirrels? RISKS-8.77 Re: Power outages (A raccoon hit U. of Utah and disturbed a room-temperature fusion experiment, and it was mentioned that JPL had seen similar attacks, er, incidents. ) RISKS-18.52 Rats take down Stanford power and Silicon Valley Internet service RISKS-19.88 Japanese snake vs. railroad electrical supply RISKS-23.39 Boa triggers blackout in Honduras (Nation-wide blackout for 15 minutes! Beat other animals to date in the scale of the incident.) I thought that utility companies would have learned from these off-angle attacks from the nature by now. ------------------------------ Date: Sat, 23 Mar 2013 19:38:20 -0400 From: "R.S. (Bob) Heuman" <robert.heuman () alumni monmouth edu> Subject: Panama Canal Railway upgrade problems Reuters (Panama City), 22 Mar 2013 http://www.reuters.com/article/2013/03/23/us-panama-canal-idUSBRE92L19120130323 Thousands of containers have been stuck at Panamanian ports after a computer glitch hampered communication with the railway, causing significant delays, officials said on Friday. The Panama Canal Railway Co transports about 1,500 containers daily between the only port on the Pacific entrance to the Panama Canal and three ports on the Atlantic, said Thomas Kenna, director of operations for the railway. But a computer upgrade on Wednesday by Panama Ports Co, which manages two of those ports, caused severe lags, Kenna said. Since then, the railway has moved only about 350 containers a day. Traffic picked up on Friday, and the system should be operating normally by Monday, Kenna added. ------------------------------ Date: Thu, 21 Mar 2013 16:53:56 -0700 From: Mark Thorson <eee () sonic net> Subject: National Vulnerability Database is hacked! Their server is offline due to malware infection. They probably clicked on an ad in an e-mail. The exploit used a vulnerability in Adobe's ColdFusion software. http://www.theregister.co.uk/2013/03/14/adobe_coldfusion_vulns_compromise_us_malware_catalog/ ------------------------------ Date: Sun, 24 Mar 2013 01:02:09 +0200 From: Amos Shapir <amos083 () gmail com> Subject: Re: Weapons Experts Raise Doubts About Israel's Antimissile System (RISKS-27.21) The following article by the Israel Institute for National Security Studies contains a detailed debunking of the arguments used by some of the researches which had produced these results. It seems to be a yet another case of "how to lie with statistics"... http://www.inss.org.il/publications.php?cat=21&incat=&read=11166 ------------------------------ Date: Thu, 21 Mar 2013 20:39:59 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Feds announce massive scanning of private Internet communications http://j.mp/Z5d4TP (Google+ via NNSquad) http://j.mp/11n0qzS (Reuters / New York Times) "Under the program, critical infrastructure companies will pay the providers, which will use the classified information to block attacks before they reach the customers. The classified information involves suspect web addresses, strings of characters, e-mail sender names and the like." Here we go! It's out in the open at last. Encrypt deeply now, or forever hold your peace. CHARACTER STRINGS? EMAIL SENDER NAMES? Who do they think they're kidding? ------------------------------ Date: Friday, March 22, 2013 From: Dewayne Hendricks Subject: Google's trust problem (Ezra Klein) Ezra Klein, *The Washington Post*, 21 Mar 2013 http://www.washingtonpost.com/blogs/wonkblog/wp/2013/03/21/googles-trust-problem/ James Fallows likes software meant to help him organize and simplify his life. So, naturally, he moved immediately to download Google Keep, the search giant's ``new app for collecting notes, photos, and info.'' The problem, Fallows quickly realized, is that he wasn't sure he could trust it. Google now has a clear enough track record of trying out, and then canceling, `interesting' new software that I have no idea how long Keep will be around. When Google launched its Google Health service five years ago, it had an allure like Keep's: here is the one place you could store your prescription info, test readings, immunizations, and so on and know that you could get at them. That's how I used it -- until Google canceled this `experiment' last year. Same with Google Reader, and all the other products in the Google Graveyard that Slate produced last week. And if there's even a 25 percent chance that Google Keep will be canceled in two years, do you really want to be the sucker who spent endless hours organizing your life around it? Now, most people don't use Google Reader, or even know it's being canceled. Same for Google Wave, Google Buzz, Google Health and Picnik, and all the rest of the beloved little apps that have been sent to that cloud above the cloud, where data is stored forever and servers never overload. This is a pained whine emanating almost exclusively from Google power users. Most people, however, also aren't the sort of early adopters who will rush to download Google Keep. But Fallows is that kind of early adopter. So am I. And Google needs early adopters. They need weirdos to rush to download their new apps, try them out, offer feedback, and, ultimately, proselytize to their friends. And I do all that! For instance, have you ever tried using Sleep Cycle? This isn't an early adopter thing -- the app has been around for awhile -- but I just started using it and am now annoying everyone I know badgering them to try waking up to Sleep Cycle. It'll change your life. But I'm not sure I want to be a Google early adopter anymore. I love Google Reader. And I used to use Picnik all the time. I'm tired of losing my services. In fact, I'm starting to worry a bit about Gmail, which is at the core of pretty much my entire life. I know, I know -- Gmail is safe. The data it feeds into the Google mainframe is extremely valuable to the search giant. They won't let anything happen to it. But I'm a heavy user of Gmail. And so I've been buying more space on Google's servers. Recently, I hit 30 gigs -- and learned Google won't let me purchase any more room. The service which once swore I'd never have to delete a message now tells me my only option is to delete gigabyte after gigabyte of past e-mails. That's their right, of course. But it was a reminder that Google's core business isn't running an e-mail system or selling data storage. The thing I wanted to pay them to do wasn't something they make much money off. So now I'm a bit nervous: I freed up a good number of gigabytes, but now I've run through much of the low-hanging fruit, and the bar measuring how far I am from my storage unit is beginning to tick up again. The problem, I'm beginning to think, is simply mismatch. The core services of Google's business are often not the Google services I rely on most. And even when their core products and my needs do meet, the business connection is indirect. ... Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress> ------------------------------ Date: Mon, 18 Mar 2013 10:14:31 -0700 From: Gene Wirchenko <genew () telus net> Subject: "Smile, you're on Google Glass, whether you like it or not" (Caroline Craig) Caroline Craig, InfoWorld, 15 Mar 2013 Google Glass's style points are debatable, but one thing's for sure: Data collection and user privacy will never be the same http://www.infoworld.com/t/internet-privacy/smile-youre-google-glass-whether-you-it-or-not-214568 ------------------------------ Date: Tue, 19 Mar 2013 11:13:37 -0700 From: Gene Wirchenko <genew () telus net> Subject: "Andrew Auernheimer joins growing list of so-called hackers facing harsh justice" (Ted Samson) Ted Samson, InfoWorld, 18 Mar 2013 The 26-year-old security researcher sentenced to 41 months in prison for pulling e-mail address from public-facing server http://www.infoworld.com/t/hacking/andrew-auernheimer-joins-growing-list-of-so-called-hackers-facing-harsh-justice-214742 ------------------------------ Date: Fri, 22 Mar 2013 14:11:11 -0600 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: Security hole lets Apple passwords be reset with e-mail addr, DoB (Chris Welch) Chris Welch, 22 Mar 2013 @chriswelch "Apple yesterday rolled out two-step verification, a security measure that promises to further shield Apple ID and iCloud accounts from being hijacked. Unfortunately, today a new exploit has been discovered that affects all customers who haven't yet enabled the new feature. It allows anyone with your e-mail address and date of birth to reset your password -- using Apple's own tools. We've been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page. It's a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand." http://www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth ------------------------------ Date: Fri, 22 Mar 2013 14:20:05 -0500 From: William Pociengel <wpociengel () yahoo com> Subject: Re: Electronic health records: teething problems?" (RISKS-27.18) Actually you just need to use a screen name and something that looks like a valid e-mail address. It accepts and posts your comment; but yes it is a bit odd to request an e-mail address. ------------------------------ Date: Fri, 22 Mar 2013 08:37:08 -0500 From: William Pociengel <wpociengel () yahoo com> Subject: Re: Mars Rover is Repaired, NASA Says (Re: RISKS-27.21) Since when did NASA stop using 3 computers for deep space exploration? They always used to have every critical system in 3's for this very reason. ------------------------------ Date: Fri, 22 Mar 2013 11:32:33 +0200 From: Amos Shapir <amos083 () gmail com> Subject: Re: Fake silicone fingers strike again (RISKS-27.21) It is amazing that the system would be vulnerable to this attack, especially since the vulnerability has been suggested long before such systems have even existed. In his movie Sleeper, released in 1973, Woody Allen employs exactly this method to subvert a fingerprint scanning system; I'm quite sure he was not the first to suggest it either. ------------------------------ Date: Fri, 22 Mar 2013 15:27:32 +0000 From: Wol <antlists () youngman org uk> Subject: Re: Attorney General's testimony on Aaron Swartz raises more ... It's interesting to see how other jurisdictions handle this. There's been a recent case in the UK where the prosecutor did this (quote a maximum sentence). And on appeal this was all the justification the appeal court needed to throw a guilty plea out of the window and overturn the entire court-martial. The message is clear. In the UK this is totally unacceptable practice. ------------------------------ Date: Sat, 23 Mar 2013 10:30:41 +0800 From: jidanni () jidanni org Subject: Microwave oven interference robustness mode The IEEE 802.11 committee that developed the Wi-Fi specification conducted an extensive investigation into the interference potential of microwave ovens. A typical microwave oven uses a self-oscillating vacuum power tube called a magnetron and a high voltage power supply with a half-wave rectifier (often with voltage doubling) and no DC filtering. This produces an RF pulse train with a duty cycle below 50% as the tube is completely off for half of every AC mains cycle: 8.33 ms in 60 Hz countries and 10 ms in 50 Hz countries. This property gave rise to a Wi-Fi "microwave oven interference robustness" mode that segments larger data frames into fragments each small enough to fit into the oven's "off" periods. http://en.wikipedia.org/wiki/Electromagnetic_interference_at_2.4_GHz#Microwave_oven ------------------------------ Date: Sun, 7 Oct 2012 20:20:16 -0900 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall () newcastle ac uk>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 27.22 ************************
Current thread:
- Risks Digest 27.22 RISKS List Owner (Mar 23)