The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 25: Issue 11

Wednesday 9 April 2008

Contents

Crossed wires cited in recent UAL skidding incidents
Monty Solomon
Unanticipated GPS risk: foreign translations
Paul Schreiber
Census to scrap handheld computers for 2010 count
Bob Schaefer
Boston city complaint line lags
Donovan Slack via Monty Solomon
Indiana school district wipes out high school grades
Danny Burstein
Re: Search engine bait?
Martin Ward
Another genuine mail that looks like a phish
Andy Piper
Nissan GT-R sports car recognizes racetrack coordinates and aftermarket parts
Clark Family
REVIEW: "Security Data Visualization", Greg Conti
Rob Slade
Info on RISKS (comp.risks)
---

Crossed wires cited in recent UAL skidding incidents

Monty Solomon <monty@roscom.com>
Tue, 1 Apr 2008 09:11:28 -0400
Crossed wires cited in recent skidding incidents
Two United A320s went off runway in recent months after wheels locked up
http://www.msnbc.msn.com/id/23887919/

   [For inspections of MD-80 wheel-well wiring, American Airlines canceled
   more than 500 flights on 8 Apr, and 1000 flights on 9 Apr.  PGN]

---

Unanticipated GPS risk: foreign translations

Paul Schreiber <shrub@mac.com>
Tue, 8 Apr 2008 00:10:56 -0700
I just discovered this problem:

<http://paulschreiber.com/blog/2008/04/08/lost-in-translation/>

In English, when reading numbers out loud, one often chunks the numbers into
smaller groups. For example, when reading the phone number 555-1212, one
would say five five five, one two one two, not five hundred fifty-five, one
thousand two hundred and twelve.

Similarly, one would call Interstate 280 interstate two eighty, not
interstate two hundred and eighty.

Toyota's Prius GPS does this. It's an example of good design—speak the
language your customers speak.

However, this falls apart when you switch the Prius over to French.  Exit
420 becomes exit quatre (4) vingt (20). The problem? In most parts of the
French-speaking world, 80 is also pronounced quatre vingts (four twenties).

In this case, you have to listen to your GPS and read the screen to be sure
you take the right exit.

---

Census to scrap handheld computers for 2010 count

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 3 Apr 2008 13:48:11 PDT
Yet another computer related project over budget and behind schedule.
  [thanks to Bob Schaefer.]

http://www.nextgov.com/nextgov/ng_20080403_9574.php

---

Boston city complaint line lags

Monty Solomon <monty@roscom.com>
Sun, 6 Apr 2008 23:29:37 -0400
Donovan Slack, *The Boston Globe*, 6 Apr 2008
City complaint line lags;
Despite Menino's vow, a system to track citizen calls is still years away

When Boston officials rolled out their ambitious plans for a citizen
complaint tracking system like the ones that are commonplace in cities
across the country, Mayor Thomas M. Menino announced, "The city's changing,
and my administration has to change, too."

Nearly two years later, the administration has not changed much, leaving
Boston far behind other cities such as New York, Chicago, Baltimore, and
even Somerville and Hartford - and leaving untold numbers of citizen
complaints by the wayside.

City officials have spent $2 million. They've hired outside
consultants. They've bought furniture and telephones for a complaint call
center in City Hall, and painted the room a pale shade of blue.  But senior
officials say it could be nearly two more years and $2 million more before
the administration has a citywide system to keep track of residents'
complaints about everything from burned out street lights to missed trash
pickups. ...
http://www.boston.com/news/local/articles/2008/04/06/city_complaint_line_lags/

---

Indiana school district wipes out high school grades

Danny Burstein <dannyb@panix.com>
Tue, 1 Apr 2008 19:45:40 -0400 (EDT)
from the school's website of Evansville, Indiana

"... The Evansville Vanderburgh School Corporation recently experienced a
hardware malfunction with its AS400 computer server resulting in a loss of
student grades...

" Following scheduled maintenance on March 27, 2008, disk errors occurred.
After working with IBM engineers around the clock to mitigate data loss, the
engineers determined that due to an unfortunate and very rare combination of
hardware problems and backup configuration settings, all student grade book
assignment data for the current grading period is no longer in the
system. Harrison, North and Bosse High Schools and Harwood Middle School -
all on the six-week grading period - lost four weeks of individual
assignment grades that had been posted."

rest: http://www.evscschools.com/

  [Also noted by Jim Reisert.
    http://news.yahoo.com/s/ap/20080401/ap_on_re_us/grades_gone_1
  PGN]

---

Re: Search engine bait? (RISKS-25.09)

Martin Ward <martin@gkc.org.uk>
Fri, 28 Mar 2008 10:40:49 +0000
> Read the descriptions of the products.

> ... they are in fact crafted by taking a genuine English description (from
> a manufacturer's site, perhaps?)  and then applying a randomized
> thesaurus-based word replacement algorithm.

My guess is that the changes are designed to make each page look different,
so as to avoid being marked down for having many similar pages.

martin@gkc.org.uk http://www.cse.dmu.ac.uk/~mward/
G.K.Chesterton web site: http://www.cse.dmu.ac.uk/~mward/gkc/

---

Another genuine mail that looks like a phish

<Andy Piper>
Thu, 03 Apr 2008 10:17:31 +0100
Yesterday I received an invitation from TaxCalc to purchase the new 2008
version [for those in the US, the UK tax year starts April 6th]:

"We are delighted to inform you that TaxCalc 2008 is available for immediate
download."

It goes on:

"Go to
<http://response.pure360.com/_act/link.php?mId=A833682651665220042396&tId=7258777>www.taxcalc.com
to order now." plus assorted other links where the URL is not actually the
same as the supplied text.

Which to me looks like a phishing attempt more than anything else. It seems
though that pure360.com is a marketing organization that handles this sort
of thing for a number of companies and the mail is in fact genuine. I'm
guessing that if I click through the link [I'm not going to!] I will end up
at taxcalc.com eventually, but why do they even do this? Why not just put up
the real URL if I am going to end up there anyway?

I sent a mail to pure360 CC'ing the taxcalc sales team, and to their credit
they (taxcalc) gave me a call within the hour, although I didn't get the
impression they were going to do anything about it.  The call was
clever/disturbing as well - I never gave my number out in my mail, and I
used a different mail address from the one I have registered with them; they
must have deduced who I was from the "phish"-link and looked up my number in
their records.

Now I am really paranoid. The link above clearly identifies me individually,
am I giving out something to RISKS that puts me at even more RISK?! .... so
I click through the link and end up at a taxcalc login page. Clearly some
form of sanity has prevailed.

The RISK, as always, is how can we expect to educate the public when
reputable companies do things like this. Maybe they need to look at some
basic material such as Dr Seuss' Internet guide - "One phish, two phish -
red phish, blue phish" ...

---

Nissan GT-R sports car recognizes racetrack coordinates and aftermarket parts

Clark Family <cclark@ix.netcom.com>
Tue, 04 Mar 2008 14:58:56 -0800
Apparently the Nissan Corp. has ruined the fun of aftermarket tuners on the
latest GT-R high performance street sportscar in Japan.  The ECU is set on a
hair trigger and balks at many aftermarket performance upgrades as well as
non-factory installed tires and wheels through the run-flat detectors.

But more ominously, the onboard navigation system watches your speed via GPS
and recognizes popular racetrack locations.  You must scroll through a
series of menus and agree to disable the 180kph (111mph) speed limiter.
Then after thrashing it on the track, you must take it for a $1000 Nissan
High Performance Center safety check or the warranty is void.

Big Brother is your co-pilot.

---

REVIEW: "Security Data Visualization", Greg Conti

Rob Slade <rmslade@shaw.ca>
Tue, 08 Apr 2008 10:21:38 -0800
BKSCDTVS.RVW   20071124

"Security Data Visualization", Greg Conti, 2007, 978-1-59327-143-5,
U$49.95/C$59.95
%A   Greg Conti www.gregconti.com
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2007
%G   978-1-59327-143-5 1-59327-143-3
%I   No Starch Press
%O   U$49.95/C$59.95 415-863-9900 fax 415-863-9950 info@nostarch.com
%O  http://www.amazon.com/exec/obidos/ASIN/1593271433/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1593271433/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593271433/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   244 p.
%T   "Security Data Visualization: Graphical Techniques for Network
      Analysis"

Data visualization is very valuable.  It is, however, difficult to
perform properly in many situations: interpretation of data into
graphics can be extremely useful, but it is often difficult to
determine how best to present the information, and in the same way
that proper visualization can be tremendously helpful, the wrong
choice can be terrifically misleading.  Conti somewhat avoids this
issue in the introduction, since all he claims for the book is
inspiration.

Chapter one provides a number of data visualization and user interface
examples.  Some simple data visualization experiments in chapter two show a
few interesting ideas that can be explored with text and simple graphics
files, as well as comparative images as simple processing is pursued.  The
port scan data displays suggested in chapter three don't seem to work quite
as well.  Similarly, chapter four looks at vulnerability scanning, but the
recommendations presented don't appear to add much of value in displaying
the data.  Slightly better results seem to be obtained using real Internet
data in chapter five, since some notion of the implications of the
information can be taken from the illustrations.  Chapter six contains a
number of examples of impressive visualization of security data, but there
is limited discussion as to how to determine the best means of displaying
data of different types.  The aspects of creation of visualizations, for
firewall logs, is dealt with in chapter seven, and with IDS (Intrusion
Detection System) data in eight.  Chapter nine discusses ways of attacking
visualizations, usually by injecting spurious data.  General principles for
building visualization systems are in chapter ten.  Chapter eleven turns to
areas for additional research on the topic in the future.  Chapter twelve
lists references and resources.

The book is pretty, and it may provide inspiration.  However, it
probably won't provide an awful lot of assistance in getting your data
effectively visualized.

copyright Robert M. Slade, 2007   BKSCDTVS.RVW   20071124
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm


Report problems with the web pages to the maintainer