Forum on Risks to the Public in Computers and Related Systems
Volume 25: Issue 11
Wednesday 9 April 2008
- Crossed wires cited in recent UAL skidding incidents (Monty Solomon)
- Unanticipated GPS risk: foreign translations (Paul Schreiber)
- Census to scrap handheld computers for 2010 count (Bob Schaefer)
- Boston city complaint line lags (Donovan Slack via Monty Solomon)
- Indiana school district wipes out high school grades (Danny Burstein)
- Re: Search engine bait? (Martin Ward)
- Another genuine mail that looks like a phish (Andy Piper)
- Nissan GT-R sports car recognizes racetrack coordinates and aftermarket parts (Clark Family)
- REVIEW: "Security Data Visualization", Greg Conti (Rob Slade)
- Info on RISKS (comp.risks)
Crossed wires cited in recent skidding incidents
Monty Solomon

Two United A320s went off the runway in recent months after wheels locked up.
http://www.msnbc.msn.com/id/23887919/

[For inspections of MD-80 wheel-well wiring, American Airlines canceled more than 500 flights on 8 Apr, and 1000 flights on 9 Apr. PGN]
Unanticipated GPS risk: foreign translations
Paul Schreiber

I just discovered this problem: <http://paulschreiber.com/blog/2008/04/08/lost-in-translation/>

In English, when reading numbers out loud, one often chunks the numbers into smaller groups. For example, when reading the phone number 555-1212, one would say five five five, one two one two, not five hundred fifty-five, one thousand two hundred and twelve. Similarly, one would call Interstate 280 interstate two eighty, not interstate two hundred and eighty.

Toyota's Prius GPS does this. It's an example of good design—speak the language your customers speak.

However, this falls apart when you switch the Prius over to French. Exit 420 becomes exit quatre (4) vingt (20). The problem? In most parts of the French-speaking world, 80 is also pronounced quatre vingts (four twenties). In this case, you have to listen to your GPS and read the screen to be sure you take the right exit.
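The ambiguity described above, reproduced as an added example that is not part of the original post or of any vendor's navigation software: a small French number reader, the chunking habit the post describes, and a check for chunked readings that sound identical to some other number. The chunking rule (first digit, then the last two digits) and the treatment of hyphens and the silent plural of "quatre-vingts" as inaudible are assumptions.

```python
UNITS = ["zéro", "un", "deux", "trois", "quatre", "cinq", "six", "sept", "huit",
         "neuf", "dix", "onze", "douze", "treize", "quatorze", "quinze", "seize"]
TENS = {2: "vingt", 3: "trente", 4: "quarante", 5: "cinquante", 6: "soixante"}

def french(n):
    """Standard (France) French for 0..99, as a speech engine reads one whole number."""
    if n < 17:
        return UNITS[n]
    if n < 20:
        return "dix-" + UNITS[n - 10]
    if n < 70:
        t, u = divmod(n, 10)
        return TENS[t] + ("" if u == 0 else " et un" if u == 1 else "-" + UNITS[u])
    if n < 80:                      # 70..79 count on from sixty: soixante-dix, soixante et onze ...
        u = n - 60
        return "soixante et onze" if u == 11 else "soixante-" + french(u)
    u = n - 80                      # 80..99 are "four twenties" (+ u)
    return "quatre-vingts" if u == 0 else "quatre-vingt-" + french(u)

def chunked(digits):
    """Assumed chunking habit from the post: '280' is read 'two eighty';
    other lengths are read digit by digit."""
    if len(digits) == 3:
        return [int(digits[0]), int(digits[1:])]
    return [int(d) for d in digits]

def spoken_chunks(digits):
    """The chunked reading, each chunk spoken as its own number."""
    return " ".join(french(c) for c in chunked(digits))

def heard(phrase):
    """What the ear gets: hyphens and the silent plural 's' of 'quatre-vingts' are inaudible."""
    return " ".join("vingt" if w == "vingts" else w for w in phrase.replace("-", " ").split())

def collisions(digits):
    """Numbers 0..99 whose single-number reading sounds identical to the chunked reading."""
    target = heard(spoken_chunks(digits))
    return [n for n in range(100) if str(n) != digits and heard(french(n)) == target]

if __name__ == "__main__":
    for exit_no in ("420", "280", "470"):
        print(exit_no, "->", spoken_chunks(exit_no), "collides with", collisions(exit_no))
```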
Census to scrap handheld computers for 2010 count

Yet another computer-related project over budget and behind schedule. [Thanks to Bob Schaefer.]
http://www.nextgov.com/nextgov/ng_20080403_9574.php
Boston city complaint line lags
Donovan Slack via Monty Solomon

Donovan Slack, *The Boston Globe*, 6 Apr 2008
City complaint line lags; Despite Menino's vow, a system to track citizen calls is still years away

When Boston officials rolled out their ambitious plans for a citizen complaint tracking system like the ones that are commonplace in cities across the country, Mayor Thomas M. Menino announced, "The city's changing, and my administration has to change, too."

Nearly two years later, the administration has not changed much, leaving Boston far behind other cities such as New York, Chicago, Baltimore, and even Somerville and Hartford - and leaving untold numbers of citizen complaints by the wayside.

City officials have spent $2 million. They've hired outside consultants. They've bought furniture and telephones for a complaint call center in City Hall, and painted the room a pale shade of blue. But senior officials say it could be nearly two more years and $2 million more before the administration has a citywide system to keep track of residents' complaints about everything from burned-out street lights to missed trash pickups. ...

http://www.boston.com/news/local/articles/2008/04/06/city_complaint_line_lags/
Indiana school district wipes out high school grades
Danny Burstein

From the website of the Evansville, Indiana school district:

"... The Evansville Vanderburgh School Corporation recently experienced a hardware malfunction with its AS400 computer server resulting in a loss of student grades. ... Following scheduled maintenance on March 27, 2008, disk errors occurred. After working with IBM engineers around the clock to mitigate data loss, the engineers determined that due to an unfortunate and very rare combination of hardware problems and backup configuration settings, all student grade book assignment data for the current grading period is no longer in the system. Harrison, North and Bosse High Schools and Harwood Middle School - all on the six-week grading period - lost four weeks of individual assignment grades that had been posted."

Rest: http://www.evscschools.com/

[Also noted by Jim Reisert. http://news.yahoo.com/s/ap/20080401/ap_on_re_us/grades_gone_1 PGN]
Re: Search engine bait? (RISKS-25.09)
Martin Ward <firstname.lastname@example.org>
Fri, 28 Mar 2008 10:40:49 +0000

> Read the descriptions of the products.
> ... they are in fact crafted by taking a genuine English description (from
> a manufacturer's site, perhaps?) and then applying a randomized
> thesaurus-based word replacement algorithm.

My guess is that the changes are designed to make each page look different, so as to avoid being marked down for having many similar pages.

email@example.com http://www.cse.dmu.ac.uk/~mward/
G.K.Chesterton web site: http://www.cse.dmu.ac.uk/~mward/gkc/
Another genuine mail that looks like a phish
Andy Piper

Yesterday I received an invitation from TaxCalc to purchase the new 2008 version [for those in the US, the UK tax year starts April 6th]: "We are delighted to inform you that TaxCalc 2008 is available for immediate download." It goes on: "Go to <http://response.pure360.com/_act/link.php?mId=A833682651665220042396&tId=7258777>www.taxcalc.com to order now." plus assorted other links where the URL is not actually the same as the supplied text, which to me looks like a phishing attempt more than anything else.

It seems though that pure360.com is a marketing organization that handles this sort of thing for a number of companies and the mail is in fact genuine. I'm guessing that if I click through the link [I'm not going to!] I will end up at taxcalc.com eventually, but why do they even do this? Why not just put up the real URL if I am going to end up there anyway?

I sent a mail to pure360 CC'ing the taxcalc sales team, and to their credit they (taxcalc) gave me a call within the hour, although I didn't get the impression they were going to do anything about it. The call was clever/disturbing as well - I never gave my number out in my mail, and I used a different mail address from the one I have registered with them; they must have deduced who I was from the "phish"-link and looked up my number in their records. Now I am really paranoid. The link above clearly identifies me individually; am I giving out something to RISKS that puts me at even more RISK?!

.... so I click through the link and end up at a taxcalc login page. Clearly some form of sanity has prevailed.

The RISK, as always, is how can we expect to educate the public when reputable companies do things like this. Maybe they need to look at some basic material such as Dr Seuss' Internet guide - "One phish, two phish - red phish, blue phish" ...
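One defensive check the complaint above points at, as an added example that is not part of the original post or of any product mentioned: parse an HTML mail body and flag anchors whose visible text names a domain the href does not lead to, the pattern a mail gateway or a user-facing mail client can surface for triage. The sample message is constructed after the description above with placeholder tracking parameters, and the registrable-domain helper is a two-label approximation rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anything that looks like a host name inside the visible anchor text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def registrable(host):
    """Two-label approximation of the registrable domain (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(self._cur))
            self._cur = None

def find_mismatched_links(html):
    """Return (shown_domain, actual_host) for anchors whose text names a domain the
    href does not go to. A triage signal, not a verdict: the genuine TaxCalc mail
    described above trips exactly this check."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = urlsplit(href.strip()).hostname or ""
        for shown in DOMAIN_RE.findall(text):
            if registrable(shown) != registrable(actual):
                findings.append((shown, actual))
    return findings

# Constructed sample modelled on the mail described above; the tracking
# parameters are placeholders, not the values from the original message.
SAMPLE_MAIL = (
    '<p>We are delighted to inform you that TaxCalc 2008 is available.</p>'
    '<p>Go to <a href="http://response.pure360.com/_act/link.php?mId=PLACEHOLDER'
    '&amp;tId=PLACEHOLDER">www.taxcalc.com</a> to order now.</p>'
    '<p>Help: <a href="http://www.taxcalc.com/support">www.taxcalc.com/support</a></p>'
)

if __name__ == "__main__":
    for shown, actual in find_mismatched_links(SAMPLE_MAIL):
        print(f"link text says {shown!r} but goes to {actual!r}")
```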
Nissan GT-R sports car recognizes racetrack coordinates and aftermarket parts
Clark Family

Apparently the Nissan Corp. has ruined the fun of aftermarket tuners on the latest GT-R high performance street sports car in Japan. The ECU is set on a hair trigger and balks at many aftermarket performance upgrades as well as non-factory installed tires and wheels through the run-flat detectors. But more ominously, the onboard navigation system watches your speed via GPS and recognizes popular racetrack locations. You must scroll through a series of menus and agree to disable the 180 km/h (111 mph) speed limiter. Then after thrashing it on the track, you must take it for a $1000 Nissan High Performance Center safety check or the warranty is void. Big Brother is your co-pilot.
REVIEW: "Security Data Visualization", Greg Conti
Rob Slade

BKSCDTVS.RVW 20071124

"Security Data Visualization", Greg Conti, 2007, 978-1-59327-143-5, U$49.95/C$59.95
%A Greg Conti www.gregconti.com
%C 555 De Haro Street, Suite 250, San Francisco, CA 94107
%D 2007
%G 978-1-59327-143-5 1-59327-143-3
%I No Starch Press
%O U$49.95/C$59.95 415-863-9900 fax 415-863-9950 firstname.lastname@example.org
%O http://www.amazon.com/exec/obidos/ASIN/1593271433/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1593271433/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1593271433/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 244 p.
%T "Security Data Visualization: Graphical Techniques for Network Analysis"

Data visualization is very valuable. It is, however, difficult to perform properly in many situations: interpretation of data into graphics can be extremely useful, but it is often difficult to determine how best to present the information, and in the same way that proper visualization can be tremendously helpful, the wrong choice can be terrifically misleading. Conti somewhat avoids this issue in the introduction, since all he claims for the book is inspiration.

Chapter one provides a number of data visualization and user interface examples. Some simple data visualization experiments in chapter two show a few interesting ideas that can be explored with text and simple graphics files, as well as comparative images as simple processing is pursued. The port scan data displays suggested in chapter three don't seem to work quite as well. Similarly, chapter four looks at vulnerability scanning, but the recommendations presented don't appear to add much of value in displaying the data. Slightly better results seem to be obtained using real Internet data in chapter five, since some notion of the implications of the information can be taken from the illustrations.

Chapter six contains a number of examples of impressive visualization of security data, but there is limited discussion as to how to determine the best means of displaying data of different types. The aspects of creation of visualizations for firewall logs are dealt with in chapter seven, and for IDS (Intrusion Detection System) data in eight. Chapter nine discusses ways of attacking visualizations, usually by injecting spurious data. General principles for building visualization systems are in chapter ten. Chapter eleven turns to areas for additional research on the topic in the future. Chapter twelve lists references and resources.

The book is pretty, and it may provide inspiration. However, it probably won't provide an awful lot of assistance in getting your data effectively visualized.

copyright Robert M. Slade, 2007 BKSCDTVS.RVW 20071124
email@example.com firstname.lastname@example.org email@example.com
http://victoria.tc.ca/techrev/rms.htm