RISKS Forum mailing list archives
Risks Digest 29.26
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 15 Feb 2016 14:35:49 PST
RISKS-LIST: Risks-Forum Digest  Monday 15 February 2016  Volume 29 : Issue 26

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.26.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Indian Supreme Court says nothing wrong with banning the Internet
  (Prashanth Mundkur)
UK politicians green-light plans to record every citizen's Internet history
  (James Vincent)
US intel chief: we might use the Internet of Things to spy on you
  (Spencer Ackerman and Sam Thielman)
Tesla Updates Self-Parking Software After Consumer Reports Raises Concerns
  (Consumerist)
Wrong number of hits in Bing (M. E. Kabay)
Lack of reproducibility of research (Anthony Thorn)
Pirate Bay of science? (Fiona Macdonald)
Apple owns up to '1 January 1970' iPhone bricking bug (Monty Solomon)
Motorcycle software recall (Mike Tashker)
Office 2013 patch KB 3114717 freezes 32-bit Word 2013 on Win 7, 8.1, 10
  (Woody Leonhard)
Creative Cloud deletes files you *really* wanted (Barry Gold)
And Then There Were 4: Phone Booths Saved on Upper West Side Sidewalks
  (Monty Solomon)
Russian hackers, Kazan-based Energobank, and Ruble-$ exchange rate
  (HackerNews)
Re: Asiana: Secondary Cause of Crash Was Poor Software Design
  (Peter Bernard Ladkin)
Re: IoT Insecurity by design (John Beattie)
Re: Doing University exams on computers?
  (3daygoaty, Len Finegold, Rogier Wolff)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 13 Feb 2016 07:57:23 -0800
From: Prashanth Mundkur <prashanth.mundkur () gmail com>
Subject: Indian Supreme Court says nothing wrong with banning the Internet

  [There's very little coverage of this in the Indian press; I noticed this
  by accident.]

Nothing wrong in Internet ban to maintain law and order: Supreme Court
Utkarsh Anand, Indian Express, February 12, 2016
http://indianexpress.com/article/india/india-news-india/nothing-wrong-in-internet-ban-to-maintain-law-and-order-supreme-court/

The Supreme Court on Thursday held that Internet services can be stopped
temporarily by a state government to maintain law and order situation, and
that such a ban did not violate fundamental rights. "What is wrong with such
a ban? There can be such a ban for law and order," observed a bench of Chief
Justice T S Thakur and Justice R Bhanumathi, while upholding the Gujarat
High Court's judgment declaring the ban right.

------------------------------

Date: February 11, 2016 at 8:49:17 AM EST
From: Hendricks Dewayne <dewayne () warpspeed com>
Subject: UK politicians green-light plans to record every citizen's Internet
  history (James Vincent)

James Vincent, *The Verge*, UK politicians green-light plans to record every
citizen's Internet history
But recommend that no encryption backdoors should be installed
<http://www.theverge.com/2016/2/11/10965098/uk-snoopers-charter-select-committee-criticism>

Surveillance legislation proposed by the UK last November has been examined
in detail by the country's politicians, with a new report recommending 86
alterations, but broadly approving the powers requested by the government.
The parliamentary committee scrutinizing the draft Investigatory Powers Bill
said that companies like Apple and Facebook should not be required to
decrypt messages sent on their services, but approved plans to record every
UK citizen's browsing history for 12 months. The committee also gave a
thumbs up to the bulk retention of data, and the targeted hacking of
individuals' computers, known as "equipment interference."

The Investigatory Powers Bill will be the first legislation to fully codify
digital surveillance in the UK, and has been dubbed the "snoopers' charter"
by critics (a name used to refer to similar laws rejected a few years ago).
The Bill has been attacked by ISPs, privacy advocates, the UN, and the
world's largest tech companies, with critics agreeing that the Bill is being
rushed into law and that its wording is confusing. Critics point to portions
of the law like the statement that "data includes any information that is
not data." The UK's home secretary and the Bill's principal architect,
Theresa May, later explained that this was supposed to refer to things like
paper.

This latest report repeats these complaints, stressing the need for clarity
in the Bill's language. However, it also gives its approval to a number of
controversial items. The report's authors say that the bulk interception and
surveillance should be "fully justified" in a rewrite of the legislation,
and note that although these powers might contravene the EU's right to
privacy, "security and intelligence agencies would not seek these powers if
they did not believe they would be effective." This is despite the fact that
this sort of mass surveillance (already in place, of course, just not
officially legislated) has often proven to be ineffective, as with last
year's terrorist attacks in Paris.

Similarly, the committee found no faults with the government's plans to
force ISPs to store users' web history for 12 months at a time.
This information (known as Internet Connection Records or ICRs) would be
available to police without a warrant, with the report noting: "We heard a
good case from law enforcement and others about the desirability of having
such a scheme. We are satisfied that the potential value of ICRs could
outweigh the intrusiveness involved in collecting and using them."

Evidence submitted to the committee pointed out that these records would
reveal "sensitive information" about citizens' political, religious, and
sexual preferences, as well as their health and daily activities, while ISPs
noted that storing this data securely would be a "technical challenge."
Experts also testified to the difficulty of sorting this data, as many apps
like Facebook and Twitter keep a near-constant connection to the Internet,
and Internet users can access sites they're not aware of. One expert noted
that he created a blog with a "tiny one-pixel image in the corner" that
showed up as Pornhub.com on visitors' Internet history.

------------------------------

Date: February 10, 2016 at 7:58:26 AM EST
From: Hendricks Dewayne <dewayne () warpspeed com>
Subject: US intel chief: we might use the Internet of Things to spy on you
  (Ackerman/Thielman)

Spencer Ackerman and Sam Thielman, *The Guardian*, 9 Feb 2016
http://www.theguardian.com/technology/2016/feb/09/internet-of-things-smart-home-devices-government-surveillance-james-clapper

James Clapper did not name a specific agency as being involved in
surveillance via smart-home devices but said in congressional testimony it
is a distinct possibility

The US intelligence chief has acknowledged for the first time that agencies
might use a new generation of smart household devices to increase their
surveillance capabilities.

As increasing numbers of devices connect to the Internet and to one another,
the so-called Internet of Things promises consumers increased convenience --
the remotely operated thermostat from Google-owned Nest is a leading
example.
But as home computing migrates away from the laptop, the tablet and the
smartphone, experts warn that the security features on the coming wave of
automobiles, dishwashers and alarm systems lag far behind.

In an appearance at a Washington thinktank last month, the director of the
National Security Agency, Adm Michael Rogers, said that it was time to
consider making the home devices *more defensible*, but did not address the
opportunities that increased numbers and even categories of connected
devices provide to his surveillance agency.

However, James Clapper, the US director of national intelligence, was more
direct in testimony submitted to the Senate on Tuesday as part of an
assessment of threats facing the United States.

  ``In the future, intelligence services might use the [Internet of Things]
  for identification, surveillance, monitoring, location tracking, and
  targeting for recruitment, or to gain access to networks or user
  credentials.''

Clapper did not specifically name any intelligence agency as involved in
household-device surveillance. But security experts examining the Internet
of things take as a given that the US and other surveillance services will
intercept the signals the newly networked devices emit, much as they do with
those from cellphones.

Amateurs are already interested in easily compromised hardware; computer
programmer John Matherly's search engine Shodan indexes thousands of
completely unsecured web-connected devices.

Online threats again topped the intelligence chief's list of worldwide
threats the US faces, with the mutating threat of low-intensity terrorism
quickly following. ...
------------------------------

Date: Fri, 12 Feb 2016 20:24:29 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Tesla Updates Self-Parking Software After Consumer Reports Raises
  Concerns

http://consumerist.com/2016/02/10/tesla-updates-self-parking-software-after-consumer-reports-raises-concerns/

------------------------------

Date: Mon, 8 Feb 2016 16:45:26 -0500
From: "M. E. Kabay" <mekabay () gmail com>
Subject: Wrong number of hits in Bing

Has anyone else noticed that Bing can return exaggeratedly high numbers of
hits on a search item? Specifically, I was ego-surfing on my own name using
the string "m. e. kabay" and nearly fell off my chair when Bing returned the
number of hits = 1,850,000,000. Nearly TWO BILLION HITS????

I tried Bing for the word "god" and found only 223,000,000 hits. Therefore
according to Bing, I have more hits than god.

A Google search returns the far more modest number of hits = 19,100.

Comments from the Bing crew?

  [Maybe they were bitten by Bing Cross-Bee. PGN]

Professor of Computer Information Systems, School of Business & Management
College of Professional Schools, Norwich University, Northfield, VT, USA

------------------------------

Date: Fri, 12 Feb 2016 11:27:57 +0100
From: Anthony Thorn <anthony.thorn () atss ch>
Subject: Lack of reproducibility of research

An article in *The Economist* highlights appalling lack of reproducibility
in (not only) cancer research papers. The risks here are obvious, and should
be added to the risks resulting from the non-publication of negative
results. The new "Preclinical Reproducibility and Robustness Channel"
mentioned in the article can only start to address this.

The main points:

  For example, when staff at Amgen, a Californian drug company, attempted
  to reproduce the results of 53 high-profile cancer-research papers they
  found that only six lived up to their original claims. The problem,
  though, is not restricted to medicine.
  An analysis of 98 psychology papers, published in 2015 by 90 teams of
  researchers co-ordinated by Brian Nosek of the University of Virginia,
  managed to replicate satisfactorily the results of only 39% of the
  studies investigated.

http://www.economist.com/news/science-and-technology/21690020-reproducibility-should-be-sciences-heart-it-isnt-may-soon

------------------------------

Date: February 12, 2016 at 9:44:40 AM EST
From: "Mark Stahlman" <mark () tmtstrategies com>
Subject: Pirate Bay of science? (Fiona Macdonald)

Fiona Macdonald, Science Alert, 12 Feb 2016,
  (via Timour Shchoukine and Dave Farber)
Researcher illegally shares millions of science papers free online to
spread knowledge -- Welcome to the Pirate Bay of science.
http://www.sciencealert.com/this-woman-has-illegally-uploaded-millions-of-journal-articles-in-an-attempt-to-open-up-science

A researcher in Russia has made more than 48 million journal articles --
almost every single peer-reviewed paper ever published -- freely available
online. And she's now refusing to shut the site down despite a court
injunction and a lawsuit from Elsevier, one of the world's biggest
publishers.
<http://bigthink.com/neurobonkers/a-pirate-bay-for-science>

For those of you who aren't already using it, the site in question is
Sci-Hub <http://sci-hub.io/>, and it's sort of like a Pirate Bay of the
science world. It was established in 2011 by neuroscientist Alexandra
Elbakyan, who was frustrated that she couldn't afford to access the articles
needed for her research, and it's since gone viral, with hundreds of
thousands of papers being downloaded daily. But at the end of last year, the
site was ordered to be taken down by a New York district court -- a ruling
that Elbakyan has decided to fight, triggering a debate over who really owns
science.
<http://www.nature.com/news/pirate-research-paper-sites-play-hide-and-seek-with-publishers-1.18876>

"Payment of $32 is just insane when you need to skim or read tens or
hundreds of these papers to do research. I obtained these papers by pirating
them," Elbakyan told Torrent Freak last year. "Everyone should have access
to knowledge regardless of their income or affiliation. And that's
absolutely legal."
<https://torrentfreak.com/science-pirate-attacks-elseviers-copyright-monopoly-in-court-150916/>

If it sounds like a modern day Robin Hood struggle, that's because it kinda
is. But in this story, it's not just the poor who don't have access to
scientific papers -- journal subscriptions have become so expensive that
leading universities such as Harvard and Cornell have admitted they can no
longer afford them. Researchers have also taken a stand -- with 15,000
scientists vowing to boycott publisher Elsevier in part for its excessive
paywall fees.
<https://www.theguardian.com/science/2012/apr/24/harvard-university-journal-publishers-prices>
<http://www.nature.com/nature/journal/v426/n6964/full/426217a.html>
<http://thecostofknowledge.com/>

Don't get us wrong, journal publishers have also done a whole lot of good --
they've encouraged better research thanks to peer review, and before the
Internet, they were crucial to the dissemination of knowledge.

  [Long item truncated for RISKS. PGN]

------------------------------

Date: Mon, 15 Feb 2016 14:07:38 -0500
From: Monty Solomon <monty () roscom com>
Subject: Apple owns up to '1 January 1970' iPhone bricking bug

Apple says a fix is on the way to prevent users bricking their iPhones and
iPads by setting the date to the 1970s.
http://www.zdnet.com/article/apple-owns-up-to-1-january-1970-iphone-bricking-bug/

------------------------------

Date: Mon, 15 Feb 2016 12:35:20 -0800
From: "Mike Tashker" <tashkerm () gmail com>
Subject: Motorcycle software recall

  [Neither source nor manufacturer specified]

4 Jan 2016

A major German motorcycle manufacturer today announced that they were
suspending the use of Windows 10 in their large Adventure/Touring-class
motorcycles. The rollout, which started in January, resulted in problems
with the CANbus interface. A controller area network (CANbus) is a vehicle
bus standard designed to allow microcontrollers and devices to communicate
with each other in applications without a host computer.

Riders were receiving false positive failure indications for various
electrical and mechanical components. In addition the main instrument
cluster would sometimes display the adapted equivalent of the Windows 'Blue
Screen of Death'; this could be cleared by restarting the vehicle.

Affected owners were advised to bring their bikes back to a dealer, who will
roll the software back to Windows 7.

------------------------------

Date: Mon, 15 Feb 2016 09:21:31 -0800
From: Gene Wirchenko <genew () telus net>
Subject: Office 2013 patch KB 3114717 freezes 32-bit Word 2013 on Win 7, 8.1,
  10 (Woody Leonhard)

Woody Leonhard, InfoWorld, 12 Feb 2016
There are reports of the patch causing similar lockup problems with Excel
2013 and Outlook 2013
http://www.infoworld.com/article/3032642/microsoft-windows/office-2013-patch-kb-3114717-freezes-32-bit-word-2013-on-win-7-81-10.html

February's Patch Tuesday continues its tempestuous ways. Now there's word
that one of the optional Office 2013 patches, KB 3114717, makes many
installations of Word 2013 unusable. In addition, there are reports --
apparently related -- of lockups and slowdowns with Excel 2013 and Outlook
2013.
  When KB3114717 is installed typing in a .docx Document becomes nearly
  impossible and CPU load goes to 100% (.doc has no issues). This happens
  with Word 2013 only, Word 2016 is not affected. Tested on Windows 8.1
  Enterprise, Windows 10 Enterprise 10240 and Windows 10 Enterprise 1511.

Poster amcmill (who isn't listed as a Microsoft employee) gave a definitive
response last night in one of the Microsoft Answer forum threads on the
subject: [snipped post]

Of course, amcmill didn't mention that uninstalling the patch in Windows 10
is an ongoing pain. Every time you reboot Windows 10, the patch will
reinstall, and you'll have to remove it all over again -- unless you dig
into the wushowhide utility, KB 307930, which I discussed in a similar
context last month.

Just be glad you don't have Windows 10 and its forced updates .... if you're
lucky.

  [Or is that "farce updates"?]

------------------------------

Date: Mon, 15 Feb 2016 07:24:26 -0800
From: Barry Gold <barrydgold () ca rr com>
Subject: Creative Cloud deletes files you *really* wanted

A recent release of Adobe Creative Cloud had a bug: when you sign in, it
deletes the first folder on the hard drive (in collating order). That's
usually a hidden file, like maybe a system folder -- or the .bzvol directory
that Backblaze uses to store backups.
*http://www.bbc.com/news/technology-35577498*

Exactly *why* Creative Cloud was deleting a folder is not explained in the
article.

Some of the bugs that pop up in software make me think of early books about
Dianetics and Scientology by L. Ron Hubbard: the "reactive mind" or "bank"
that does things automatically that are often not what you wanted to
happen. Maybe we should turn Scientology auditors loose on our software
programs...
------------------------------

Date: Thu, 11 Feb 2016 20:28:49 -0500
From: Monty Solomon <monty () roscom com>
Subject: And Then There Were 4: Phone Booths Saved on Upper West Side Sidewalks

The boxy, glass-enclosed booths that were once ubiquitous on city sidewalks
are all but a memory now -- except for the four that are being replaced by
refurbished models.
http://www.nytimes.com/2016/02/11/nyregion/and-then-there-were-four-phone-booths-saved-on-upper-west-side-sidewalks.html

------------------------------

Date: Thu, 11 Feb 2016 18:15:13 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Russian hackers, Kazan-based Energobank, and Ruble-$ exchange rate

Russian Group of Hackers reportedly cracked into the Kazan-based Energobank
and messed up with the Ruble-Dollar exchange rates.

In Feb 2015, a hacking group, known by the name METEL, successfully breached
into the Russian Regional Bank for just 14 minutes and caused the exchange
rate to fluctuate between 55 and 66 rubles per dollar, which finally
resulted in the increment of Ruble's value.

According to Russian security firm, Group-IB, who investigated the incident,
the Metel Hacking group infected Kazan-based Energobank with a virus known
as the Corkow Trojan and placed more than $500 million in orders at
non-market rates.

"This is the first documented attack using this virus, and it has the
potential to do much more damage," Dmitry Volkov, the head of Group-IB's
cyber intelligence department, told Bloomberg.

The hackers had taken the advantage of Spear Phishing Technique, which
appears to come from a legit source. A single click on the link in the
malicious mail took over the access to the system followed by ultimate
exploitation.

After gaining the access to a local system, the trojan was able to cause a
havoc deepening the attack to its Intranet. This way, the malware named
Corkow found the isolated system which handles the money transaction
exclusively to the outer world.
Corkow malware, initially discovered in 2011, regularly updates itself to
evade detection by antivirus programs, and has infiltrated more than 250,000
computers worldwide and infected at least 100 financial institutions.

The Energobank claimed losses of 244 million rubles ($3.2 million) due to
the trades. But, the Moscow Exchange had denied the allegations of any
hacking attempt by the fact that the changes in the Stock Market would be an
output of Trader's mistakes. They also found no hint of currency
manipulation.

The attack was earlier ported to target ATMs of Russia, affecting Russian
bank card system that resulted in hundreds of millions of rubles being
stolen via ATMs in August. Another attack with the same malware also
facilitated hackers to use credit card limitlessly.

Metel is only known to be active in Russia (affected 73% Russian Banks),
although it may present a threat to financial institutions across the
globe. Authority has not yet handcuffed any of its criminals who are raising
a global bank threat.

http://thehackernews.com/2016/02/russian-exchange-hacked.html

------------------------------

Date: Fri, 12 Feb 2016 11:31:25 +0100
From: Peter Bernard Ladkin <ladkin () rvs uni-bielefeld de>
Subject: Re: Asiana: Secondary Cause of Crash Was Poor Software Design
  (Goldberg, RISKS-29.25)

In 2013, an Asiana Airlines Boeing 777 grounded short of the runway at San
Francisco International Airport while landing, hitting the seawall and
cartwheeling along the runway. Astonishingly, only three people were killed,
two of them from trauma injuries sustained while apparently not wearing
their seat belts (which is required of all passengers on landing). The
aircraft was destroyed.

The weather was clear, and there was almost no wind. The pilot flying was
conducting a manual approach, since the glideslope on Runway 27L was out of
operation.
Speed decayed well below what it should have on short final approach, and it
was noticed very late, leaving the crew unable to arrest the speed drop and
sink rate on very short final. Monitoring speed on approach to landing is
basic to any piloting of aircraft; it is central to pilot training from the
first hour on. Many pilots, both professional and amateur, asked themselves
how this could have happened. The US NTSB has answered, in July 2014.

Gabe Goldberg resurrects a newspaper article from nearly two years ago,
which suggested that Asiana Airlines wanted to locate the primary cause of
the crash of its Boeing 777 aircraft at San Francisco (SFO) in clear weather
on a windless day in "poor software design" and the operation of the Boeing
777 autothrottle system. These presumably refer to submissions to the NTSB
which the journal had seen. The NTSB's public meeting, at which the
conclusions of their investigation are presented (but not the detailed
reasoning) and comments are invited, took place on 24 June, 2014, nearly
three months after the article that Goldberg cited.

Risks readers may prefer primary sources. The NTSB's final report is:
  http://www.ntsb.gov/investigations/AccidentReports/Reports/AAR1401.pdf
since July 2014, a month after the Public Meeting. It includes the
submission of the Aviation Accident and Railway Investigation Board of South
Korea.

The NTSB concludes that the primary cause was as follows:

  The National Transportation Safety Board determines that the probable
  cause of this accident was the flight crew's mismanagement of the
  airplane's descent during the visual approach, the pilot flying's
  unintended deactivation of automatic airspeed control, the flight crew's
  inadequate monitoring of airspeed, and the flight crew's delayed
  execution of a go-around after they became aware that the airplane was
  below acceptable glidepath and airspeed tolerances.
  Contributing to the accident were (1) the complexities of the
  autothrottle and autopilot flight director systems that were
  inadequately described in Boeing's documentation and Asiana's pilot
  training, which increased the likelihood of mode error; (2) the flight
  crew's nonstandard communication and coordination regarding the use of
  the autothrottle and autopilot flight director systems; (3) the pilot
  flying's inadequate training on the planning and executing of visual
  approaches; (4) the pilot monitoring/instructor pilot's inadequate
  supervision of the pilot flying; and (5) flight crew fatigue, which
  likely degraded their performance.

There is only one issue relating to systems design, namely complexity of
AT/AP/FD, cited with regard to the Operating Manual and the airline's
training. Everything else refers to human performance, namely behavior,
training and supervision.

Unusually, all four Board members who signed the report filed personal
statements. There was obviously some disagreement on what kind of causal
role the AT control played, and whether to recommend to the FAA that a
design review be conducted. Apparently there are some anecdotes that some AT
behaviour on these aircraft is "unexpected". But the Boeing 777 had been in
service for two decades up to this accident, with the only previous accident
a result purely of a fuel systems failure (and featuring an almost-miraculous
rescue by the cockpit crew; Captain Peter Burkill became one of James
Reason's "heroes" in talks Jim gave on outstanding human performance).

The statement by the Aviation and Railway Accident Investigation Board
(ARAIB) of South Korea, says, in stark contrast,

  ARAIB believes that this accident is one of a series of recent accidents
  caused by a failure of the pilots to recognize unexpected operations of
  the autothrottle system.
  ARAIB is deeply concerned that the Report fails to engage in in-depth
  investigation and to address the issue of a deficiency in the low-speed
  alert and speed protection of the B777 automation system, particularly
  as it was a key agenda in the investigative hearing. The NTSB and
  ARAIB's joint investigative efforts have been focused on this very
  issue, so it comes as a surprise that the issue was only dealt with
  superficially in the Report and not as a probable cause of the accident.

  ARAIB recognizes that a deficiency in the automation system related to
  speed protection has been a major cause of several recent aviation
  accidents. In this respect, international standards need to be developed
  and implemented to improve aviation safety.

It is hard to see what the ARAIB is talking about. Astonishingly, they
apparently don't consider the failure of the crew to monitor airspeed on
final approach, and to keep it within reasonable bounds, to be causal. I
invite Risks readers to ask any pilot they know what he/she thinks about
that piece of reasoning.

It is obscure to which "recent accidents" the ARAIB is referring. As far as
I can see, there haven't been any. The automation in question is similar on
both Boeing 777 and Boeing 787 aircraft, as discussed by the NTSB. The only
other major aviation incidents to these aircraft are:

* the fuel systems anomaly mentioned above on the Boeing 777 at PHR, and
* three incidents involving conflagrations of lithium-based batteries on
  Boeing 787 aircraft.

Such systems as AT are quite different amongst different aircraft, and, as
Board Member Weener remarks in his personal note, pilots have to learn the
operation of the system installed on the particular aircraft they are
operating. Weener points out that there is just "one data point" about any
possible issue with this AFCS, namely this accident.
He disagreed with recommending that the FAA conduct a special review in
advance of determining from other less formal incident data whether there
was any issue which generalised.

Peter Bernard Ladkin, University of Bielefeld, Causalis Limited,
Causalis IngenieurGmbH  www.rvs.uni-bielefeld.de  www.causalis.com

------------------------------

Date: Fri, 12 Feb 2016 13:00:45 +0000
From: John Beattie <jkb () hignfy demon co uk>
Subject: Re: IoT Insecurity by design (RISKS-29.25)

  "Who owns the data streaming out of your home? Apparently not you. So do
  you have a legal right to interfere with that data exiting?"

It has occurred to me that we could make an improvement in IoT generally
just by assigning ownership of data streams.

A single datum is more or less worthless, of course. But a stream has value
and that value should reside with the originator of the stream.

Compare the situation with all those software licenses that we all click
through. They exist exactly because without them, the end-user has lots of
rights over the software installed on his or her computer. Likewise,
assigning ownership to any data stream would help make it clear what legal
agreements were needed and what strength they had.

On the other side, I can already hear a response that the present situation
suits the commercial organisations just fine: they get all the data for
free. But assigning ownership would help the commercial position just as
much because anything that has value can be bought, worked on and sold, and
turn a profit.

Currently the commercial organisations are selling the information which is
derived from raw streams: I would suggest that the principle that the value
of a stream resides with the originator _of_that_stream_ would still apply.
If your organisation takes a stream of data and filters it or combines it
with another stream, that output becomes a new stream and the value of that
stream resides with your organisation.
Notice that a stream has value which certainly depends on the kind of data
which is sent in each packet but also on the frequency, timeliness, jitter
and other QoS of the stream.

As a principle, would it work?

------------------------------

Date: Fri, 12 Feb 2016 10:26:28 +1100
From: "3daygoaty ." <threedaygoaty () gmail com>
Subject: Re: Doing University exams on computers? (RISKS-29.25)

I wrote a large online exam system for a university and this was eventually
re-written into an Internet voting application! Some e-exam requirements
for server hardness, individual logins, privacy and equity of access were
close to requirements for online balloting. That was 1999.

Internet voting for any kind of serious ballot is nuts. However, integrity
controls for supervised (so not vote-from-home) electronic balloting are
pretty promising and I would direct you to Pret a Voter and friends.

I had technical issues running both exams and elections online. They were
always resolved satisfactorily one way or another, at the time even with low
or non-existent transparency. These days I would think students who did not
get the marks they expected would ask for proof their exam answers were
marked unchanged. If I were writing the exam system again I would look to
provable security and a range of other techniques to remove "blind" trust
on software, networks and machines.

I hope this helps!

------------------------------

Date: Thu, 11 Feb 2016 23:02:34 -0500
From: <lxf () drexel edu>
Subject: Re: Doing University exams on computers? (O'Keefe)

A view from the US: My impression is that it's done only by outfits which
can afford the expense of rooms of dedicated computers wired so they do not
talk to the outside, with dedicated staff to set up the exams. I know of it
only at a medical school (e.g., ours). At (somewhat typical) Drexel, we'd
need rooms with several hundred terminals; so we use paper and teaching
assistants.
Letting students use their own laptops has a series of problems (cheating,
sick computers, etc.).

Do let me know what you find. And have you yet chosen a flag?

------------------------------

Date: Sun, 14 Feb 2016 12:48:33 +0100
From: Rogier Wolff <R.E.Wolff () bitwizard nl>
Subject: Re: Doing University exams on computers?

Although, of course, there are plenty of risks associated with "doing
university exams on computers", there are also plenty of benefits.

When I was in university, you had to present your student card for checking
during the exam. But there was no crosscheck that you submitted your work
under your own name. It was possible to have the better student submit his
work as the lesser student and vice versa. Then the better student could
redo "his" exam later having done a practice run submitting his work for the
lesser student.

With computer exams: Assign the workstations beforehand, check IDs at the
entrance, and direct students to their previously assigned workstation. Keep
"possible cheating associates" well apart!

With computers you can randomize the questions: randomize the order,
randomize multiple choice answers, randomize the numbers in calculations.
That reduces the risk of cheating. ("What does the guy to my left have on
question 22? And the girl to my right?")

Some questions require an intermediate answer half way along. To give those
that didn't get that first part right a chance to do the latter part
correctly, you have to provide them with the intermediate answer in the
second half of the question. With a computer-exam you can mark a question
as: Q15: We'll give you the answer in Q16, so you cannot review/correct this
answer after clicking through to Q16.

You can enforce rules like: "you are not allowed to go back and correct
answers. Your first answer stands".

There are of course many other advantages of using computers to take exams.
(immediate grading, dynamic (moving) questions, etc., etc.)
Proper risk-management will weigh the advantages against the new risks and make an informed decision.

R.E.Wolff () BitWizard nl http://www.BitWizard.nl/ +31-15-2600998
Delftechpark 26 2628 XH Delft, The Netherlands. KVK: 27239233

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.26
************************
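As an added illustration (not code from any contributor or from the exam systems they describe), the Python below sketches three of the controls discussed in the "Doing University exams on computers?" thread: Rogier Wolff's per-student randomisation of question and option order and his "first answer stands" rule, and a receipt a student can keep to check later that the marked answers are unchanged, as 3daygoaty anticipates. The exam questions, student IDs and EXAM_SECRET are constructed placeholders.

```python
import hashlib
import hmac
import json
import random
# Constructed sample exam (not from the posts): question id -> options, first
# option correct. EXAM_SECRET is a placeholder; a real system keeps it server-side.
EXAM_SECRET = b"exam-secret-placeholder"
QUESTIONS = {"Q1": ["4", "3", "5"], "Q2": ["Paris", "Rome", "Madrid"],
             "Q3": ["TCP", "UDP", "ICMP"]}

def student_seed(student_id, exam_id):
    """Seed derived from the secret: reproducible by the marker, not guessable by a neighbour."""
    mac = hmac.new(EXAM_SECRET, f"{exam_id}|{student_id}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")

def shuffled_paper(student_id, exam_id):
    """Per-student random question order and multiple-choice option order."""
    rng = random.Random(student_seed(student_id, exam_id))
    qids = list(QUESTIONS)
    rng.shuffle(qids)
    paper = []
    for qid in qids:
        opts = list(QUESTIONS[qid])
        rng.shuffle(opts)
        paper.append((qid, opts))
    return paper

def receipt_for(student_id, exam_id, answers):
    """Commitment handed to the student at submission; answers altered afterwards no longer reproduce it."""
    body = json.dumps([student_id, exam_id, answers], sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()

def verify_receipt(student_id, exam_id, answers, receipt):
    return hmac.compare_digest(receipt_for(student_id, exam_id, answers), receipt)

class Session:
    """One attempt: questions are taken in paper order and lock once answered (first answer stands)."""
    def __init__(self, student_id, exam_id):
        self.student_id, self.exam_id = student_id, exam_id
        self.paper = shuffled_paper(student_id, exam_id)
        self.pos, self.answers = 0, {}
    def answer(self, qid, choice):
        idx = [q for q, _ in self.paper].index(qid)
        if idx != self.pos:  # going back (or skipping ahead) is refused
            raise PermissionError(f"{qid} is locked or not yet reached")
        self.answers[qid] = choice
        self.pos += 1
    def receipt(self):
        return receipt_for(self.student_id, self.exam_id, self.answers)
```

The receipt only proves that the answers later marked are the ones submitted; it does not by itself prove who submitted them, which is what the assigned-workstation and ID check at the entrance are for.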