Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 25: Issue 27
Friday 8 August 2008
Contents
Strange Yahoo! vote count- PGN
Trust TSA? Maybe... Trust Akamai...?- David Lesher
"How reliable is DNA in identifying suspects?"- Robert P Schaefer
GPS causes nightmare vacation- PGN
Re: Another small interface risk- Thomas Wicklund
Re: Unsuspected travelers' laptops may be detained at border- Thomas Hamann
Re: Neglecting to logout from Skype- Dimitri Maziuk
Pizza delivery and postal addresses- Mark Brader
Info on RISKS (comp.risks)
Strange Yahoo! vote count
<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 7 Aug 2008 13:52:46 PDT

The original statement from the Yahoo! Annual Meeting suggested strong support for the Yahoo! board. However, reportedly exactly 200 million votes seemed to have vanished from some of the expected totals. Subsequently, the final numbers showed some large discrepancies -- an EXACTLY 100 million vote change for two of the directors, and an EXACTLY 200 million vote change for three of the directors. That is, half of that number of votes were misallocated -- first FOR, then AGAINST for those candidates. (Four others were unchanged.) The anomalies were apparently blamed on "truncation errors", which seems very curious. Once again, who knows what really happened?

Sources:
http://breakoutperformance.blogspot.com/2008/08/missing-200-million-yahoo-shares-from.html
http://www.techcrunch.com/2008/08/06/yahoo-vote-recount-shows-how-close-yang-and-bostock-were-to-being-ousted-from-the-board/
Trust TSA? Maybe... Trust Akamai...?
<"David Lesher" <wb8foz@panix.com>>
Fri, 8 Aug 2008 16:13:03 -0400 (EDT)

$ https://www.tsa.gov

www.tsa.gov uses an invalid security certificate.
The certificate is only valid for a248.e.akamai.net

Is it any wonder we can't teach people about phishing when.....
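An added illustration, not part of David Lesher's post or of any browser's code, of why the client above refused the certificate: the host the user typed is compared label by label against the names the certificate carries, with the usual wildcard restrictions, and "a248.e.akamai.net" simply does not cover "www.tsa.gov".

```python
"""Hostname-vs-certificate matching in the style of RFC 6125 (added example).

A certificate is accepted for a host only if one of its DNS names matches the
host exactly (case-insensitively) or via a single wildcard that stands for the
whole leftmost label and nothing more.
"""


def _labels(name: str) -> list:
    # Split a DNS name into lower-cased labels; a trailing dot is ignored.
    return name.rstrip(".").lower().split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate name (possibly with a wildcard) cover hostname?"""
    pat, host = _labels(pattern), _labels(hostname)
    # Empty labels ("www..example") and differing label counts never match,
    # so "*.tsa.gov" covers "www.tsa.gov" but not "tsa.gov" or "a.b.tsa.gov".
    if len(pat) != len(host) or "" in pat or "" in host:
        return False
    if "*" not in pattern:
        return pat == host
    # The wildcard must be the entire leftmost label, appear nowhere else,
    # and leave at least two fixed labels behind it (so "*.gov" is rejected).
    if pat[0] != "*" or any("*" in lbl for lbl in pat[1:]) or len(pat) < 3:
        return False
    return pat[1:] == host[1:]


def certificate_covers(hostname: str, cert_dns_names: list) -> bool:
    """True if any subject name on the certificate matches the requested host."""
    return any(name_matches(n, hostname) for n in cert_dns_names)


def browser_verdict(hostname: str, cert_dns_names: list) -> str:
    """Reproduce the kind of message a browser shows for a name mismatch."""
    if certificate_covers(hostname, cert_dns_names):
        return "%s: certificate name matches" % hostname
    return ("%s uses an invalid security certificate. The certificate is only "
            "valid for %s" % (hostname, ", ".join(cert_dns_names)))


if __name__ == "__main__":
    # Constructed sample: the name reported in the post, served for tsa.gov.
    print(browser_verdict("www.tsa.gov", ["a248.e.akamai.net"]))
```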
"How reliable is DNA in identifying suspects?"
<"Schaefer, Robert P \(US SSA\)" <robert.p.schaefer@baesystems.com>>
Thu, 7 Aug 2008 07:45:54 -0400

The risks of database searches:
http://www.latimes.com/news/local/la-me-dna20-2008jul20,0,1506170,full.story

"State crime lab analyst Kathryn Troyer was running tests on Arizona's DNA database when she stumbled across two felons with remarkably similar genetic profiles."
GPS causes nightmare vacation
<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 7 Aug 2008 9:51:44 PDT

Convoy Rescued After GPS Led to Utah Cliff; GPS Device Was a 'Nightmare' and 'A Vacation from Hell', Associated Press item, 7 Aug 2008

Trying to go from Bryce Canyon to the Grand Canyon by lesser traveled roads, a convoy of tourists (16 adults and 10 children) attempted to use a GPS device, which led them with various wrong turns onto inappropriate dirt roads to the edge of a sheer cliff deep inside the Grand Staircase-Escalante National Monument. One vehicle got stuck in soft sand, two others ran low on fuel.
http://abcnews.go.com/Travel/Weather/wireStory?id=5522295

[TNX to Lauren Weinstein for spotting this one.]
Re: Another small interface risk (RISKS-25.26)
<Thomas Wicklund <wicklund@eskimo.com>>
Thu, 7 Aug 2008 09:46:16 -0700 (PDT)

Security questions such as birth city have always seemed to be very difficult. I found one site which had a security question (mother's maiden name I think) but required that the field be at least 8 characters. Something of a problem.

Worse are the sites where the only questions are "what is your favorite xyz". I find my favorite "xyz" can vary from day to day and the only solution is to write the answers down someplace. I had to call to get access to my new health insurance's web site because I had that insurance 5 years ago, was still registered, and didn't have any idea what I used for an answer to one of their "favorite" questions.

Comparing these answers seems a programmer's nightmare. It can't be case sensitive. Spaces have to be normalized. Did I type "Kansas City" or "Kansas City, MO" as my answer? What if I leave off the comma?
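An added example, not from Thomas Wicklund's post or any site's code, of one way to handle the comparison problem he describes: canonicalise the answer (case, whitespace, accents, punctuation) before it is stored or checked, and store only a salted slow hash of the canonical form, since these answers are low-entropy secrets. The normalisation makes "Kansas City", "kansas  city." and "Kansas City, MO" vs "Kansas City MO" agree, but it cannot make "Kansas City" and "Kansas City, MO" agree, which is exactly the residual problem the post points out.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Added example: canonical form for a security-question answer.
def normalize_answer(answer: str) -> str:
    """Return a canonical form: accents stripped, case folded,
    punctuation turned into spaces, runs of whitespace collapsed."""
    s = unicodedata.normalize("NFKD", answer)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    s = s.casefold()                       # "Kansas City" -> "kansas city"
    s = re.sub(r"[^\w\s]", " ", s)         # "City, MO" -> "City  MO"
    s = re.sub(r"\s+", " ", s).strip()     # collapse spaces, trim ends
    return s


# Answers are guessable secrets, so they get the same treatment as passwords:
# a per-answer random salt and a deliberately slow hash (PBKDF2 here).
_ITERATIONS = 100_000


def enroll_answer(answer: str, salt: bytes = b"") -> tuple:
    """Hash the canonical answer; returns (salt, digest) for storage.
    A salt may be supplied for reproducible tests; otherwise one is drawn."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, _ITERATIONS)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Compare a typed answer against the stored record in constant time."""
    cand = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, _ITERATIONS)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    # Constructed sample: the answer from the post, later retyped differently.
    salt, digest = enroll_answer("Kansas City")
    print(verify_answer("  KANSAS   city. ", salt, digest))   # True
    print(verify_answer("Kansas City, MO", salt, digest))     # False
```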
Re: Unsuspected travelers' laptops may be detained at border (R-25.16)
<Thomas Hamann <T.D.Hamann@umail.LeidenUniv.nl>>
Fri, 8 Aug 2008 12:12:56 +0200

This policy seems like a major risk to the US economy should it ever be seriously enforced. It seems to basically provide a legal means for massive industrial and scientific espionage. I know the article mentions that "reasonable measures must be taken to protect business information and attorney-client privileged material", but the US government's track record on the enforcement of such measures is spotty, to say the least (also note that '(unpublished) scientific information' isn't specifically listed...).

> They also cover "all papers and other written documentation," including books,
> pamphlets and "written materials commonly referred to as 'pocket trash'
> or 'pocket litter.' "

This rings all alarm bells (also, the words 'police state' come to mind). I think that anyone who is considering traveling to the US should think twice before doing so. I wonder what would happen to anyone who has the 'wrong' combination of digital data and paperwork on him...
Re: Neglecting to logout from Skype (RISKS-25.26)
<Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>>
Thu, 07 Aug 2008 09:43:13 -0500

> Date: Tue, 05 Aug 2008 20:32:32 +0200
> From: "Michael Weiner" <michael_weiner@gmx.net>
> Subject: Neglecting to logout from Skype means sharing your Instant Messages
> ... According to several messages on the Skype Community forum, Skype
> considers the ability to remain logged in to the same account on several
> machines a "feature" and sees no need to fix anything.

There are legitimate reasons for logging on to more than one office computer (that is why I never used Gnome: the early versions wouldn't let one do so) and there are legitimate reasons for having your messages arrive at more than one computer. I'd side with Skype on this and blame you: what you did is effectively give your friend your password.

Auto-login is a bad default in this case; however, it's a convenient one, and in the case of one computer - one user it's not unreasonable. The risk is believing that software will magically know where you want to go today and will take you there when you click on the Start button. In reality, the default out-of-the-box configuration may (or may not) work for what developers imagine their average user to be, but it probably won't work right for you -- in real life "one size fits all" doesn't fit anyone in particular.
Pizza delivery and postal addresses
<msb@vex.nte (Mark Brader)>
Thu, 7 Aug 2008 17:14:46 -0400 (EDT)

[Posted by David Cantrell <david@cantrell.org.uk> in uk.transport.london]

The building I live in has three flats in it, numbered 1, 2 and 3. Flats 2 and 3 share a common front door and hallway, having their own doors off that. As far as normal people are concerned, that's three flats and three addresses.

Post for flats 2 and 3 is delivered through a single letterbox. Consequently, as far as the post office is concerned, there are only *two* addresses, one for flat 1, and one for the shared letterbox of flats 2 and 3.

This is quite irritating, especially when stupid programmers working for stupid companies insist that I tell them my address by typing in my postcode and then selecting one of the addresses that the post office think exist. Normally it doesn't matter, of course, but it does matter when I'm trying to do something like order a pizza late at night and want the delivery boy to ring *my* doorbell and not have to guess at random between mine and my upstairs neighbour's.

[Note added by David Cantrell when giving permission to forward to Risks]

It's worth noting, however, that *most* companies who use the PAF do allow the user to type it in themselves if their address isn't in the list. It's some time since I last read the PAF docs, but I *think* they recommend doing that, because of, eg, people living in brand new developments which haven't yet filtered through to your local copy of the database, which might only get updated once a quarter or once a year.