Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 26: Issue 13
Monday 2 August 2010
Contents
Another GPS Near-Tragedy - Richard Grady
Is Your Detergent Stalking You? - Matthew Kruk
Online Trust Again - Gene Wirchenko
Citi Discovers Security Flaw in iPhone Application - Nick Bilton via Monty Solomon
The Web Means the End of Forgetting - Jeffrey Rosen via Monty Solomon
Facebook privacy settings: Who cares? - Danah Boyd & Eszter Hargittai via Monty Solomon
Re: Risks of free-text fields in medical records - Gabe Goldberg
Re: Electronic business cards anyone? - Jonathan Kamens
Re: BP: "Will no one rid me of this turbulent alarm?" - Peter Duncanson
Re: Quiet electric & hybrid cars endanger ... - Paul Wallich, Jonathan Kamens
Info on RISKS (comp.risks)
Another GPS Near-Tragedy
Richard Grady
<richard@richbonnie.com>
Fri, 30 Jul 2010 16:50:40 -0700

Three women got stranded in Death Valley, California for three days in mid-summer, led astray by their GPS. They got lost on 22 Jul, and were found on 25 Jul.

Cooper said she had GPS onboard, and tried to use it. "It kept telling me to go one mile and turn either right or left on Saline Valley Road." Cooper said she never saw a road sign and sometimes she'd go one mile and there was no turn at all. Cooper said by the time the fuel light came on in her Hyundai Accent, she had traveled so many miles there was no turning back. So she kept going forward hoping to come out of the desolation to "a paved road leading somewhere."

http://pvtimes.com/news/lost-and-found-in-death-valley/

I live 60 miles away from Death Valley, and I know my way around there. Yet, I would never consider driving there in mid-summer with temperatures around 125 degrees F.
Is Your Detergent Stalking You?
"Matthew Kruk"
<mkrukg@gmail.com>
Sun, 1 Aug 2010 13:37:40 -0600

Brazil's Omo Uses GPS to Follow Consumers Home With Prizes
Posted by Laurel Wentz on 29 Jul 2010

Unilever's Omo detergent is adding an unusual ingredient to its two-pound detergent box in Brazil: a GPS device that allows its promotions agency Bullet to track shoppers and follow them to their front doors.

Starting next week, consumers who buy one of the GPS-implanted detergent boxes will be surprised at home, given a pocket video camera as a prize and invited to bring their families to enjoy a day of Unilever-sponsored outdoor fun. The promotion, called Try Something New With Omo, is in keeping with the brand's international "Dirt is Good" positioning that encourages parents to let their kids have a good time even if they get dirty.

http://adage.com/globalnews/article?article_id=145183
Online Trust Again
Gene Wirchenko
<genew@ocis.net>
Fri, 23 Jul 2010 14:20:55 -0700

New twist on trust when storing data online, *InfoWorld Home*, 23 Jul 2010

One reader learns a harsh lesson about online data storage when she has to beg access to her records after a business breakup

http://www.infoworld.com/d/adventures-in-it/new-twist-trust-when-storing-data-online-025?source=IFWNLE_nlt_blogs_2010-07-23

Opening paragraphs:

Gripe Line reader Joan wrote in to warn readers about trusting important financial and business documents to Web storage services.

"About a year ago, my business partner embezzled the remaining assets of a trucking company we founded together," Joan says. "We had been storing our invoices and trucking contracts on a secure site using the uReach virtual faxing service."

After her partner scarpered, she tried to get access to those documents but found she didn't have the passwords. "We paid for the service with my personal credit card," she says, "but uReach let my partner keep the account."

Joan was reduced to calling the company and pleading to get access to her own files.

"It took more time than she wanted," explains uReach spokesperson Saul Einbinder. "It was a couple of weeks before she was able to provide the documentation required by our privacy policy. She was very upset. It was a difficult situation."
Citi Discovers Security Flaw in iPhone Application (Nick Bilton)
Monty Solomon
<monty@roscom.com>
Wed, 28 Jul 2010 10:32:01 -0400

[Source: Nick Bilton, *The New York Times*, 26 Jul 2010; PGN-ed]
http://bits.blogs.nytimes.com/2010/07/26/citi-discovers-security-flaw-in-iphone-application/

Citi The Citigroup iPhone application can be used for mobile banking.

After Citigroup on Monday discovered a potential security flaw in the Apple iPhone app that its customers use to access its Web site, the bank urged customers to upgrade to a newer version of the software, which it says will correct the problem.

Citigroup said the original app accidentally saved information from a banking customer's account into a hidden file on the iPhone. The statement from Citigroup was first reported by *The Wall Street Journal*.

Citigroup said the update "deletes any Citi Mobile information that may have been saved" to a customer's iPhone or computer. The bank also said the update "eliminates the possibility that this will occur in the future."

Although Citigroup was working with customers to fix the problem, the bank said it did not believe its customers' personal information was affected. Citigroup also said the bug only affected iPhone users in the United States, though it did not say how many. ...

[Peal me a gripe? PGN]
The Web Means the End of Forgetting (Jeffrey Rosen)
Monty Solomon
<monty@roscom.com>
Sun, 25 Jul 2010 15:24:37 -0400

[Source: Jeffrey Rosen, *The New York Times*, 19 Jul 2010; PGN-ed]
https://www.nytimes.com/2010/07/25/magazine/25privacy-t2.html

Four years ago, Stacy Snyder, then a 25-year-old teacher in training at Conestoga Valley High School in Lancaster, Pa., posted a photo on her MySpace page that showed her at a party wearing a pirate hat and drinking from a plastic cup, with the caption "Drunken Pirate." After discovering the page, her supervisor at the high school told her the photo was "unprofessional," and the dean of Millersville University School of Education, where Snyder was enrolled, said she was promoting drinking in virtual view of her under-age students. As a result, days before Snyder's scheduled graduation, the university denied her a teaching degree. Snyder sued, arguing that the university had violated her First Amendment rights by penalizing her for her (perfectly legal) after-hours behavior. But in 2008, a federal district judge rejected the claim, saying that because Snyder was a public employee whose photo didn't relate to matters of public concern, her "Drunken Pirate" post was not protected speech.

When historians of the future look back on the perils of the early digital age, Stacy Snyder may well be an icon. The problem she faced is only one example of a challenge that, in big and small ways, is confronting millions of people around the globe: how best to live our lives in a world where the Internet records everything and forgets nothing - where every online photo, status update, Twitter post and blog entry by and about us can be stored forever. With Web sites like LOL Facebook Moments, which collects and shares embarrassing personal revelations from Facebook users, ill-advised photos and online chatter are coming back to haunt people months or years after the fact.

Examples are proliferating daily: there was the 16-year-old British girl who was fired from her office job for complaining on Facebook, "I'm so totally bored!!"; there was the 66-year-old Canadian psychotherapist who tried to enter the United States but was turned away at the border - and barred permanently from visiting the country - after a border guard's Internet search found that the therapist had written an article in a philosophy journal describing his experiments 30 years ago with L.S.D.
Facebook privacy settings: Who cares? (Danah Boyd & Eszter Hargittai)
Monty Solomon
<monty@roscom.com>
Wed, 28 Jul 2010 14:41:21 -0400

Danah Boyd and Eszter Hargittai, First Monday, Vol 15, No 8, 2 Aug 2010

Abstract: With over 500 million users, the decisions that Facebook makes about its privacy settings have the potential to influence many people. While its changes in this domain have often prompted privacy advocates and news media to critique the company, Facebook has continued to attract more users to its service. This raises a question about whether or not Facebook's changes in privacy approaches matter and, if so, to whom. This paper examines the attitudes and practices of a cohort of 18- and 19-year-olds surveyed in 2009 and again in 2010 about Facebook's privacy settings. Our results challenge widespread assumptions that youth do not care about and are not engaged with navigating privacy. We find that, while not universal, modifications to privacy settings have increased during a year in which Facebook's approach to privacy was hotly contested. We also find that both frequency and type of Facebook use as well as Internet skill are correlated with making modifications to privacy settings. In contrast, we observe few gender differences in how young adults approach their Facebook privacy settings, which is notable given that gender differences exist in so many other domains online. We discuss the possible reasons for our findings and their implications. ...

http://www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/3086/2589
Re: Risks of free-text fields in medical records (RISKS-26.12)
Gabe Goldberg
<gabe@gabegold.com>
Fri, 30 Jul 2010 19:59:38 -0400

Regarding "Risks of free-text fields in medical records"—a presentation I heard described risks of FIXED-text fields in medical records: that they too easily lead to accepting incorrect information.

With auto-complete fields, typing the beginning of a drug name can trigger a pop-up of MANY drugs with the same root, where careless clicking selects the wrong one, a common problem with Windows' auto-complete function. Similarly, a pull-down field for dosage can lead to careless selection of an incorrect value, a common problem with Windows' pull-down selection function.

I'm not sure what best practice is in entering medical records fields—and I'm not suggesting ruling out BOTH fixed- and variable-text fields (what would that leave?)—just noting that defining field values is a complex issue.

[This is one of those issues in which both arguments are partially correct. Fixed fields are risky with poorly defined, overlapping, or otherwise confusing. Free-text fields have many other risks. The risks question is much deeper than that dichotomy. PGN]
Re: Electronic business cards anyone? (Scott, RISKS-26.11)
"Jonathan Kamens"
<jik@kamens.us>
Fri, 23 Jul 2010 10:52:31 -0400

"And what's wrong anyway with a bit of plain, honest text?!!"

Or, for people who want a "functional" business card (e.g., one that can be imported easily into the recipient's contact list, which is the whole point, isn't it?), what's wrong with the long-standing (first proposed 15 years ago) and extremely widely adopted and supported vCard standard <http://en.wikipedia.org/wiki/VCard> ?

[Reminds me of the new V Gates at Dulles International. V Gates, Mein Herr? PGN]
Re: BP: "Will no one rid me of this turbulent alarm?"
Peter Duncanson
<mail@peterduncanson.net>
Sat, 31 Jul 2010 15:40:10 +0100

The quotation from a Transocean employee that "...that the system [on the Deepwater Horizon drilling rig] that automatically sounded a general alarm had been disabled because rig managers "did not want people woken up at 3 a.m. with false alarms" raises an interesting point.

Tired workers are accident prone, so ensuring that workers get uninterrupted sleep is a safety matter. There are therefore competing risks: on the one hand there is the clear risk of people not being warned immediately a dangerous situation has developed, and on the other the risks of errors by people working when tired because of losing sleep as a result of false alarms.

If it is not possible to prevent false alarms, it would seem prudent to insist that off-duty workers sleep on a separate accommodation vessel where they will be able to sleep undisturbed. The general alarm system would not then need to be disabled on the drilling rig.

[So, you put your soundest sleeper on board the rig... and *everyone* gets lots of rest—until the rig blows skyhigh. PGN]
Re: Quiet electric & hybrid cars endanger ... (Klein, RISKS-26.11)
Paul Wallich
<pw@panix.com>
Thu, 22 Jul 2010 10:23:52 -0400

This may be a classic example of looking for solutions in the wrong place. If you listen to cars in parking lots and other places where pedestrians could get in trouble, a large component of the noise they make is not engine noise but transmission/tire noise. I wonder if enhancing those sounds would make cars uniformly detectable (preferably without interfering with the quest for the lowest possible rolling resistance, albeit that has its own issues).

[And what if you are deaf? PGN]
Re: Quiet electric & hybrid cars endanger ... (Klein, RISKS-26.11)
"Jonathan Kamens"
<jik@kamens.us>
Fri, 23 Jul 2010 11:03:50 -0400

Ah, the more things change, the more they stay the same.

I believe I first heard about the problem of electric cars being so quiet that they would pose a danger to pedestrians (blind and otherwise) and bicyclists from a kids' science program on TV *27 years ago*.

It's irksome that the car manufacturers haven't solved it yet and that the governments that regulate vehicle safety haven't yet imposed a solution. Irksome, but not surprising, since getting out in front of problems is not something that government bureaucracies are particularly good at, and car manufacturers tend to fight tooth and nail against any safety improvements which won't help them sell cars.

Remember the scare campaign by car manufacturers against legislation requiring new cars to have seatbelts? They actually ran television ads telling people that seatbelts would make them *less* safe by trapping them in the car in case of an accident, fire, vehicle plunging into a pond, etc. That cultural meme started by that campaign is cited to this very day <http://www.snopes.com/autos/techno/seatbelt.asp> by people too stupid or clueless to understand risk and statistics, to justify why they don't wear a seatbelt, don't think they should be legally required to, etc.

[And don't forget your large dog has to wear a seatbelt, which causes him to bark incessantly—which is likely to distract you. PGN]
