Forum on Risks to the Public in Computers and Related Systems
Volume 25: Issue 27
Friday 8 August 2008
- Strange Yahoo! vote count
- Trust TSA? Maybe... Trust Akamai...?
- David Lesher
- "How reliable is DNA in identifying suspects?"
- Robert P Schaefer
- GPS causes nightmare vacation
- Re: Another small interface risk
- Thomas Wicklund
- Re: Unsuspected travelers' laptops may be detained at border
- Thomas Hamann
- Re: Neglecting to logout from Skype
- Dimitri Maziuk
- Pizza delivery and postal addresses
- Mark Brader
- Info on RISKS (comp.risks)
The original statement from the Yahoo! Annual Meeting suggested strong support for the Yahoo! board. However, reportedly exactly 200 million votes seemed to have vanished from some of the expected totals. Subsequently, the final numbers showed some large discrepancies -- an EXACTLY 100 million vote change for two of the directors, and an EXACTLY 200 million vote change for three of the directors. That is, half of that number of votes were misallocated -- first FOR, then AGAINST for those candidates. (Four others were unchanged.) The anomalies were apparently blamed on "truncation errors", which seems very curious. Once again, who knows what really happened? Sources: http://breakoutperformance.blogspot.com/2008/08/missing-200-million-yahoo-shares-from.html http://www.techcrunch.com/2008/08/06/yahoo-vote-recount-shows-how-close-yang-and-bostock-were-to-being-ousted-from-the-board/
$ https://www.tsa.gov www.tsa.gov uses an invalid security certificate. The certificate is only valid for a248.e.akamai.net Is it any wonder we can't teach people about phishing when.....
The risks of database searches: http://www.latimes.com/news/local/la-me-dna20-2008jul20,0,1506170,full.s tory "State crime lab analyst Kathryn Troyer was running tests on Arizona's DNA database when she stumbled across two felons with remarkably similar genetic profiles."
Convoy Rescued After GPS Led to Utah Cliff; GPS Device Was a 'Nightmare' and 'A Vacation from Hell', Associated Press item, 7 Aug 2008 Trying to go from Bryce Canyon to the Grand Canyon by lesser traveled roads, a convoy of tourists (16 adults and 10 children) attempted to use a GPS device, which led them with various wrong turns onto inappropriate dirt roads to the edge of a sheer cliff deep inside the Grand Staircase-Escalante National Monument. One vehicle got stuck in soft sand, two others ran low on fuel. http://abcnews.go.com/Travel/Weather/wireStory?id=5522295 [TNX to Lauren Weinstein for spotting this one.]
Re: Another small interface risk (RISKS-25.26)<Thomas Wicklund <firstname.lastname@example.org>> Thu, 7 Aug 2008 09:46:16 -0700 (PDT)
Security questions such as birth city have always seemed to be very difficult. I found one site which had a security question (mother's maiden name I think) but required that the field be at least 8 characters. Something of a problem. Worse are the sites where the only questions are "what is your favorite xyz". I find my favorite "xyz" can vary from day to day and the only solution is to write the answers down someplace. I had to call to to get access to my new health insurance's web site because I had that insurance 5 years ago, was still registered, and didn't have any idea what I used for an answer to one of their "favorite" questions. Comparing these answers seems a programmer's nightmare. It can't be case sensitive. Spaces have to be normalized. Did I type "Kansas City" or "Kansas City, MO" as my answer? What if I leave off the comma?
Re: Unsuspected travelers' laptops may be detained at border (R-25.16)<Thomas Hamann <T.D.Hamann@umail.LeidenUniv.nl>> Fri, 8 Aug 2008 12:12:56 +0200
This policy seems like a major risk to the US economy should it ever be seriously enforced. It seems to basically provide a legal means for massive industrial and scientific espionage. I know the article mentions that "reasonable measures must be taken to protect business information and attorney-client privileged material", but the US government's track record on the enforcements of such measures is spotty, to say the least (also note that '(unpublished) scientific information' isn't specifically listed...). >They also cover "all papers and other written documentation," including books, >pamphlets and "written materials commonly referred to as 'pocket trash' >or 'pocket litter.' " This rings all alarm bells (also, the words 'police state' come to mind). I think that anyone who is considering traveling to the US should think twice before doing so. I wonder what would happen to anyone who has the 'wrong' combination of digital data and paperwork on him...
Re: Neglecting to logout from Skype (RISKS-25.26)<Dimitri Maziuk <email@example.com>> Thu, 07 Aug 2008 09:43:13 -0500
> Date: Tue, 05 Aug 2008 20:32:32 +0200 > From: "Michael Weiner" <firstname.lastname@example.org> > Subject: Neglecting to logout from Skype means sharing your Instant Messages > ... According to several messages on the Skype Community forum, Skype > considers the ability to remain logged in to the same account on several > machines a "feature" and sees no need to fix anything. There are legitimate reasons for logging on to more than one office computer (that is why I never used Gnome: the early versions wouldn't let one do so) and there are legitimate reasons for having your messages arrive at more than one computer. I'd side with Skype on this and blame you: what you did is effectively give your friend your password. Auto-login is a bad default in this case, however, it's a convenient one and in the case of one computer - one user it's not unreasonable. The risk is believing that software will magically know where you want to go today and will take you there when you click on start button. In reality default out of the box configuration may (or may not) work for what developers imagine their average user to be, but it probably won't work right for you -- in real life "one size fits all" doesn't fit anyone in particular.
[Posted by David Cantrell <email@example.com> in uk.transport.london] The building I live in has three flats in it, numbered 1, 2 and 3. Flats 2 and 3 share a common front door and hallway, having their own doors off that. As far as normal people are concerned, that's three flats and three addresses. Post for flats 2 and 3 is delivered through a single letterbox. Consequently, as far as the post office is concerned, there are only *two* addresses, one for flat 1, and one for the shared letterbox of flats 2 and 3. This is quite irritating, especially when stupid programmers working for stupid companies insist that I tell them my address by typing in my postcode and then selecting one of the addresses that the post office think exist. Normally it doesn't matter, of course, but it does matter when I'm trying to do something like order a pizza late at night and want the delivery boy to ring *my* doorbell and not have to guess at random between mine and my upstairs neighbour's. [Note added by David Cantrell when giving permission to forward to Risks] It's worth noting, however, that *most* companies who use the PAF do allow the user to type it in themselves if their address isn't in the list. It's some time since I last read the PAF docs, but I *think* they recommend doing that, because of, eg, people living in brand new developments which haven't yet filtered through to your local copy of the database, which might only get updated once a quarter or once a year.
Report problems with the web pages to the maintainer