RISKS Forum mailing list archives
Risks Digest 28.61
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 1 May 2015 14:32:07 PDT
RISKS-LIST: Risks-Forum Digest Friday 1 May 2015 Volume 28 : Issue 61 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/28.61.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: An iPad glitch grounded several dozen American Airlines planes (Adam Pasick via Jim Reisert) At least one American Airlines plane is grounded because the pilots' iPads crashed (Ben Moore) FAA Orders Fix for Possible Power Loss in Boeing 787 (Jad Mouawad via Jan Wolitzky) Re: Software Overflow Could Cause Complete Power Loss in 787 (Richard Karash) Congressman with computer science degree: Encryption back doors are ``technologically stupid'' (Andrea Peterson via Lauren Weinstein) Cybersecurity mandated by those who don't use it (*The Guardian via Devon McCormick) Public wifi & man-in-the-middle (Henry Baker) Preparing for Warfare in Cyberspace (*The New York Times* via Monty Solomon) All cars must have tracking devices to cut road deaths, says EU (Chris Drewe) Doctors don't like EHRs? (DKross) Now you can embed classic MS-DOS games in tweets (Ian Paul via Jim Reisert) Re: Iowa casino doesn't have to pay $41M jackpot error (Craig Burton) Re: Starbucks Outage (Clay Jackson) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 29 Apr 2015 07:42:38 -0600 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: : An iPad glitch grounded several dozen American Airlines planes (Adam Pasick) American Airlines flights experienced significant delays this evening after pilots' iPads--which the airline uses to distribute flight plans and other information to the crew--abruptly crashed. "Several dozen" flights were affected by the outage, according to a spokesperson for the airline. "The pilot told us when they were getting ready to take off, the iPad screens went blank, both for the captain and copilot, so they didn't have the flight plan," Toni Jacaruso, a passenger on American flight #1654 from Dallas to Austin, told Quartz. "The pilot came on and said that his first mate's iPad powered down unexpectedly, and his had too, and that the entire 737 fleet on American had experienced the same behavior," said passenger Philip McRell, who was also on flight #1654. "It seemed unprecedented and very unfamiliar to the pilots." Other passengers in New York and Chicago also said they were being affected by the outage. http://qz.com/393909/american-airlines-planes-are-grounded-because-their-pilots-ipads-have-crashed/ ------------------------------ Date: Tue, 28 Apr 2015 22:03:36 -0500 From: Ben Moore <ben.moore () juno com> Subject: At least one American Airlines plane is grounded because the pilots' iPads crashed Where's the backup system? ------------------------------ Date: Thu, 30 Apr 2015 21:08:16 -0400 From: Jan Wolitzky <jan.wolitzky () gmail com> Subject: FAA Orders Fix for Possible Power Loss in Boeing 787 (Jad Mouawad) Jad Mouawad, *The New York Times*, 30 Apr 2015 Federal regulators will order operators of Boeing 787 Dreamliners to shut down the plane's electrical power periodically after Boeing discovered a software error that could result in a total loss of power. The Federal Aviation Administration said on Thursday that Boeing found during laboratory testing that the plane's power control units could shut down power generators if they were powered without interruption for 248 days, or about eight months. The findings were published in an airworthiness directive. Boeing said the problem had occurred only in lab simulation and no airplane had experienced it. Boeing said that powering the airplane down would eliminate the risk that all power generators would shut down at the same time. The company said it was working on a software update that should be ready by the fourth quarter this year. The plane maker said that power was shut down in all airplanes in service in the course of the regular maintenance schedule, and that it would be rare for a plane to remain with power on without interruption for eight months. [... Truncated for RISKS. PGN] ------------------------------ Date: Fri, 1 May 2015 09:41:01 -0400 From: Richard Karash <richard () karash com> Subject: Re: Software Overflow Could Cause Complete Power Loss in 787 It's not clear how likely it is that generator could be left on for eight months. Do they run between flights and over-night? Only powered down at maintenance checks? Or go off when parked, like your car? Nice to see this was discovered in a lab simulation, not in mid-air. Richard Karash Richard () Karash com +1 617-308-4750 -- http://Karash.com [Also noted by Jeremy Epstein... PGN] ------------------------------ Date: Thu, 30 Apr 2015 17:03:40 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Congressman with computer science degree: Encryption back doors are ``technologically stupid'' *The Washington Post*, 30 Apr 2015, via NNSquad http://www.washingtonpost.com/blogs/the-switch/wp/2015/04/30/congressman-with-computer-science-degree-encryption-back-doors-are-technologically-stupid/ The debate over whether companies should be forced to build in ways for law enforcement to access communications protected by encryption took a tense turn this week in a congressional hearing. On one side were law enforcement officials, including a high-ranking FBI official. On the other were tech-savvy members of the House Government Oversight and Reform Committee's Information Technology subcommittee -- two with computer science degrees. "It is clear to me that creating a pathway for decryption only for good guys is technologically stupid," said Rep. Ted Lieu (D-Calif.), who has a bachelor's in computer science from Stanford University. "You just can't do that." ------------------------------ Date: Tue, 28 Apr 2015 09:46:15 -0400 From: Devon McCormick <devonmcc () gmail com> Subject: Cybersecurity mandated by those who don't use it There's a good article in *The Guardian* pointing out that the members of the U.S. Congress, who would legislate cybersecurity for all Americans, do not themselves take the slightest security precautions - none of them encourage (or, for the most part, use) encrypted communication and none of their websites use https. http://www.theguardian.com/commentisfree/2015/apr/18/congress-cannot-be-taken-seriously-on-cybersecurity ------------------------------ Date: Tue, 28 Apr 2015 08:40:13 +0200 (GMT+02:00) From: hbaker1 <hbaker1 () pipeline com> Subject: Public wifi & man-in-the-middle Public wifi networks in airports & hotels often utilize man-in-the-middle techniques to require some sort of login -- e.g., Ruckus Wireless. With "HTTPS Everywhere" & other new browser techniques to stop MITM techniques, it becomes almost impossible to use these networks. I now have to use a "throwaway" Chrome browser on my laptop that I use *only* for initial login to these networks with an HTTP throwaway home page. Once logged in, I can then fire up a real, *locked-down* browser that uses HTTPS Everywhere, NoScript, Tor, etc. Since public wifi networks place computers *most* at risk, these public wifi networks are going to have to find a better -- i.e., more secure -- way to login, as MITM'ing an http request is perhaps the world's worst (i.e., most insecure) idea ever invented. ------------------------------ Date: Tue, 28 Apr 2015 16:41:23 -0400 From: Monty Solomon <monty () roscom com> Subject: Preparing for Warfare in Cyberspace http://www.nytimes.com/2015/04/28/opinion/preparing-for-warfare-in-cyberspace.html A new strategy begins to lay out the conditions under which America would use cyberweapons. ------------------------------ Date: Wed, 29 Apr 2015 15:38:40 +0100 From: Chris Drewe <e767pmk () yahoo co uk> Subject: All cars must have tracking devices to cut road deaths, says EU. This idea has been around for a while, but the title says it all. All new cars will within three years contain tracking devices that alert the emergency services in the event of an accident. Under EU laws passed on Tuesday the technology will be compulsory from 2018 and fitted as standard in every model of car and small van. A serious crash will prompt an automatic call to the nearest emergency centre. Even if nobody in the vehicle is able to speak, the device will still relay the exact location, time, direction of travel, the scale of the impact and whether airbags have been deployed. <http://ec.europa.eu/digital-agenda/en/news/ecall-all-new-cars-april-2018> Apart from the privacy concerns mentioned, a couple of queries occur to me, assuming that this feature will use the regular public mobile telephone (cellphone) network: - If there's a multi-vehicle pile-up, could the cellphone network in the vicinity of the crash be overloaded by these automatically-generated calls, possibly blocking other urgent communications (as happened in the Boston Marathon bombing)? - Presumably this will increase the call-handling load for the cellphone network, so who pays? Do car owners have to take out a cellphone subscription, or will cellphone companies get some sort of Gov't funding, or will their other customers effectively subsidise the service? http://www.telegraph.co.uk/news/uknews/road-and-rail-transport/11569453/All-cars-must-have-tracking-devices-to-cut-road-deaths-says-EU.html ------------------------------ Date: Wed, 29 Apr 2015 18:50:07 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: Doctors don't like EHRs? [I think that they may be thinking about closing the gate (after the horses ran away) by putting in a few pieces of bamboo :-) DKross] http://www.c-span.org/video/?325544-1/health-human-services-secretary-testimony-fiscal-year-2016-budget Sen Lamar Alexander to HHS Secretary Burwell "... half of doctors don't like their EHRs to the point that they'll accept Medicare penalties rather than deal with workflow disruption..." And added that the "...AMA found that 70 percent of doctors say their EHRs weren't worth the cost and that EHRs are the leading cause of physician dissatisfaction..." ------------------------------ Date: Thu, 30 Apr 2015 09:30:27 -0600 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: : Now you can embed classic MS-DOS games in tweets (Ian Paul) Ian Paul, PCWorld, 30 Apr 2015 Twitter Cards are cool for watching videos or listening to tunes without leaving Twitter. But now the Internet Archive has the best use for Twitter's rich media feature yet: old-school MS-DOS games that can be played right inside a tweet. http://www.pcworld.com/article/2916528/now-you-can-embed-classic-ms-dos-games-in-tweets.html I guess this is one way to find/fix security exploits, but probably not the best way... ------------------------------ Date: Tue, 28 Apr 2015 10:17:10 +1000 From: Craig Burton <craig.alexander.burton () gmail com> Subject: Re: Iowa casino doesn't have to pay $41M jackpot error (RISKS-28.60) A case came up in Australia in 2011 of scratch-off gambling cards showing a winning match, and the winner got AUD100,000. However, company sue and won due to the code on the bottom of the card not being a "winning code". I was surprised the lotteries law allowed for this kind of opacity which could presumably be abused. http://www.abc.net.au/news/2011-08-25/scratchie-case-loss-a-picture-of-pain/2855046 ------------------------------ Date: Wed, 29 Apr 2015 08:58:10 -0700 From: "Clay Jackson" <clayj () nwlink com> Subject: Re: Starbucks Outage (RISKS-28.60) I worked in IT for Starbucks the 1990s (1996-1999) and we had a VERY similar (at least from what I can glean from the press reports of this one) failure in 1998 (might have been '97). Jeremy Epstein comments, "I don't know anything about running global IT infrastructures, so perhaps I'm naive, but I would think that rollouts would be done in a rolling fashion to avoid shutting down the entire company" - I do know a bit about this, and I don't think I'd be violating any non-disclosures by saying that even in the earlier failure, the updates "pushed" to the stores were staggered (and I assume still are). I'm sure the "failure mode" was much more complex. And, yeah, there probably is some naiviety there, preventing ALL possible failure modes like this costs money (at the very least, having onsite or rapidly available backups at every store AND having at least 2 partners trained in how to perform the restore), AND, even if that WAS a possibility, I can see how the "fog of the moment" could make it difficult to implement ("Before we strike out on our own, let's give corporate a chance to fix this", or "They told us they'd be back up in 1 hour, and the recovery will take at least 2"). I also worked for WaMu (another whole set of Risks:)); and I know the steps we took to ensure "branch Independence" were pretty amazing and also VERY costly. This is interesting from a number of standpoints - we now have 2 datapoints from the same company; I would assume that the various systems have changed/grown over the years (it would be REALLY interesting to have a current or more recent Starbucks partner comment). IMHO, 2 failures in 17 or 18 years is really not too bad. ------------------------------ Date: Mon, 17 Nov 2014 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall () newcastle ac uk>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line. *** NOTE: Including the string `notsp' at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 28.61 ************************
Current thread:
- Risks Digest 28.61 RISKS List Owner (May 01)