The RISKS Digest
Volume 26 Issue 57

Monday, 19th September 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Redundancy is always a good idea, when it exists
David Lesher
EFF Heads Back to Court to Fight Warrantless Wiretapping
Re: United Airlines uses 11,000 iPads to take planes paperless
Alistair McDonald
John Stanley
Re: Air France 447
Peter Houppermans
FTC proposes stricter Net access rules for children under 13
Lauren Weinstein
Pakistan orders ISPs to block VPNs and other encryption?
Bill Snyder via Gene Wirchenko
Re: "Why Governments Are Terrified of Social Media"
Chris D
Re: Zombie Cookies won't die
Chris Jewell
Re: Risks in Google, specifically Gmail
John Fouhy
Joseph Brennan
Re: Don't throw away Grandma's wind-up desk clock
Martin Ward
Re: Transaction without a password is more secure?
Wayne Mesard
Re: Researchers' Typo-squatting Stole 20 GB of E-Mail
Lauren Weinstein
Re: $100 Bill: The Fed Has a $110 Billion Problem ...
Nick Laflamme
Re: Yet another incident of over-reliance on GPS navigation
Paul Wallich
Re: Man unable to open car from the inside and dies of dehydration
David Peverley
Online risks for a power of attorney
Jared Gottlieb
Info on RISKS (comp.risks)

Redundancy is always a good idea, when it exists

David Lesher <>
Thu, 15 Sep 2011 00:30:25 -0400

Nonredundancy is a perennial RISKS favorite (e.g., RISKS-6.93 and 7-05, to
name just a few telecom items, with lots more not telecom related.)

I've just become aware of an older event than most discussed here. At 04:42
AM on November 24, 1961, SAC Headquarters [then at Ent Air Force Base] lost
all communications with the BMEWS ("Dew Line") radars, AND also with NORAD
at Colorado Springs.

CINCSAC Gen. Thomas Power, fearing an attack in progress, ordered all SAC
bombers to immediate alert; but he did hold them at the end of their

He soon managed to establish HF SSB radio contact with a watch aircraft, a
B-52 over Thule AFB in Greenland, reassuring him.

The cause was all those "redundant" links went through one AT&T Long-Lines
microwave tower at Black Forest, near Colorado Springs. A technician there
was running a routine maintenance test on some other circuits, but left out
one step....

<> ISBN: 978-0691021010 The limits of safety:
organizations, accidents, and nuclear weapons;  By Scott Douglas Sagan


We now have MANY more suppliers of bit transport, with diverse glass buried
hither and yon; but do we yet have really independent, redundant, systems?

  [As we've noted here many times, we have often seen belief in the
  importance of redundancy, but with weak implementation.  But we also
  recall that the management of redundancy itself tends to considerably
  increase complexity.  PGN]

EFF Heads Back to Court to Fight Warrantless Wiretapping

EFFector List <>
August 29, 2011 4:00:29 PM

EFFector Vol. 24, No. 29 Monday August 29, 2011

A Publication of the Electronic Frontier Foundation
ISSN 1062-9424

effector: n, Computer Sci. A device for producing a desired change.

: . : . : . : . : . : . : . : . : . : . : . : . : . : . :

* EFF Heads Back to Court to Fight Warrantless Wiretapping

More than five years ago, EFF filed the first lawsuit aimed at stopping the
government's illegal mass surveillance of millions of ordinary Americans'
private communications.  Whistleblower evidence combined with news reports
and Congressional admissions revealed that the National Security Agency
(NSA) was tapped into AT&T's domestic network and databases, sweeping up
Americans' emails, phone calls and communications records in bulk and
without court approval. On August 31, 2011, the Ninth Circuit Court of
Appeals will hear a warrantless wiretapping double-feature to decide whether
EFF's two cases can proceed. At stake will be whether the courts can
consider the legality and constitutionality of the National Security
Agency's mass interception of Americans' Internet traffic, phone calls, and
communications records.

Read more:

* Why IP Addresses Alone Don't Identify Criminals

This spring, agents from Immigration and Customs Enforcement (ICE) executed
a search warrant at the home of Nolan King and seized six computer hard
drives in connection with a criminal investigation. The warrant was issued
on the basis of an Internet Protocol (IP) address that traced back to an
account connected to Mr. King's home, where he was operating a Tor exit
relay. While we think it's important to let the public know about this
unfortunate event, it doesn't change our belief that running a Tor exit
relay is legal. And it's worth highlighting the fact that these unnecessary
incidents are avoidable. Law enforcement needs to understand that an IP
address doesn't automatically identify a criminal suspect.

Read more:

Re: United Airlines uses 11,000 iPads to take planes paperless

"Alistair McDonald" <>
Thu, 15 Sep 2011 07:21:03 +0200

In Risks Digest 26.56, Geoff Kuenning says:

>>But of course passengers will still be prohibited from using those
>> same devices while the pilots have them turned on...

I think many people misunderstand why devices are banned on landing. The
reason is that the landing is, relatively speaking, one of the riskier
parts of flight, and so there more likely to be an accident. The advice we
get in the UK is to put your seat back upright, open the window blinds,
and stop using portable electronic devices.

Upright seat backs are easier for evacuation, especially for those behind

By opening window blinds, no-one will be blinking in unfamiliar light if
they have to evacuate (or the plane is torn in half, I suppose, in a
worst-case scenario).

By making sure everyone can hear any cockpit announcements, there will be
less chance of someone being unaware of what any incidents and evacuation
plans are. I notice that these days, although I can't use my own portable
mp3 or DVD player, I can still watch movies via the on-board entertainment
all the way down to the gate - because any cockpit announcements pause the
movie and come through my headphones. This can't be guaranteed if I'm
trying to damage my own hearing by listening to heavy metal at excessive
volume on my iPod.

Alistair McDonald  UK: +44 7833 461 587  Lux: +352 661 832 898
Author of the SpamAssassin book: (

Re: United Airlines uses 11,000 iPads to take planes paperless

John Stanley <>
Fri, 16 Sep 2011 11:43:52 -0700 (PDT)

    Geoff Kuenning: But of course passengers will still be prohibited from
    using those same devices while the pilots have them turned on...

Of course. The pilot's iPads have been tested in the exact environment they
will be used in, properly configured to disable any radio functions (WiFi,
3g, etc), and most important, will be immediately and directly accessible to
the pilots so they can be shut down in the event of any perceived
interference with critical flight operations.

The passenger's iPads (and other iPad-like devices too numerous to count)
will have none of that. And most of what they will have won't be iPads.

Suppose you decide to allow people to use iPads because of this. Do you
think the cabin crew has the time or knowledge to differentiate between true
iPads (which you assume have met all Part 15 unintentional radiator
standards and are thus safe, a questionable assumption to start with) and
the iPad knock-offs from China (where you can't assume the the manufacturer
knows what "Part 15" is, much less can meet the standards)?

I know that anecdotal evidence doesn't mean anything to anyone who wants to
play Angry Birds during landing, but here it is anyway. Even FCC
certificated radio systems are not immune from interfering with aircraft
communications. During a flight in New York Center airspace, as co-pilot, at
night, IFR, we started getting interference on the assigned FAA operating
frequency. We couldn't hear them. I knew what caused it—I had just tuned
another radio to a different channel. I turned the offending radio off;
problem solved. Imagine if that radio had been in the hands of a passenger
in the middle of a 747 during landing.

There is a significant difference between allowing pilots to do something in
an airplane and allowing every passenger aboard to do the same thing.

Re: Air France 447 (Norman, RISKS-26.56)

Peter Houppermans <>
Thu, 15 Sep 2011 09:51:12 +0200

> Readers of RISKS should be sophisticated enough not to jump on the
> "human error" bandwagon every time it seems convenient

Hmm, So jumping on the "human error" bandwagon is, umm - a human error?
I'll go and hide now :-).

On the serious side, though, your observation goes deeper and wider than
just this topic.  I am presently busy upsetting security "professionals" by
telling them they have turned into mere administrators - especially people
with a technical background get so wrapped up in policy setting and gadget
management that they tend to overlook the human in the chain.  You can't
just throw that out with a label "weakest part" - that's not addressing the
issue, that's avoiding it.  Using the label "weakest link" is maintaining
that status instead of doing something about it.

Especially in my privacy protection work, the humans are my starting point -
because they are what I protect.  They present you with a rich picture of
psychology, social circumstances and behaviour, wants, likes, weaknesses but
also strengths, and it is especially on the latter you build.  Only after
that you look at technology and how it is used.  You'll need the same
approach at board level, those people have a way of working which you need
to roll with.

In addition, even people which one could call "intellectually challenged"
(to use the politically correct term) are still *WAY* more sophisticated
than any computer I can buy or build.  Somehow we have to find a way to make
that work for us.

Peter Houppermans, Private & Confidential Group,

FTC proposes stricter Net access rules for children under 13 (NNSquad)

Lauren Weinstein <>
Thu, 15 Sep 2011 22:46:40 -0700  (This message on Google+)  (Wired)

  "The Federal Trade Commission proposed Thursday to revamp its online child
  privacy rules to reflect the ubiquity of smartphones and geolocation
  services.  The proposed updates (.pdf) to the Children's Online Privacy
  Protection Act of 1998 were welcomed by many in the privacy community.
  They see the new proposal as a means to combat behavioral advertising
  targeting America's youth. By contrast, Facebook, Microsoft, the
  Entertainment Software Association, the Toy Industry Association and
  others are arguing for self-regulation when it comes to targeted, online
  behavioral advertising."

 - - -

At least the FTC is explicitly not proposing that Congress require sites
that don't cater to children to collect age-related identity information.
On the other hand, some of the verification techniques being proposed seem
intrusive, others seem—well—rather weird.  In particular, finding
someone to be "your parent" for a video-conference check probably won't be a
stretch for the average intelligent kid:  ("Yep! That's my Bobby!" [Picasa])

This is not to suggest that I'm unsympathetic to concerns of parents
and their children's Internet use.  But I discern some potential
"slippery slopes" in various of these proposals, of significant
concern relating ultimately to adults' use of the Net, and I believe
that some of these proposals will be mainly effective at scoring
political points.

Pakistan orders ISPs to block VPNs and other encryption? (NNSquad)

Lauren Weinstein <>
Tue, 30 Aug 2011 09:24:39 -0700  (domain-b)

  "According to a PTA spokesman the directive was intended only to stop
  militants from using secure Internet connections to communicate with each
  other. However he admitted that this was only possible by preventing all
  Internet users in Pakistan from using virtual private networks (VPNs),
  according to the *Express Tribune* newspaper."

Supercookie (Bill Snyder)

Gene Wirchenko <>
Fri, 02 Sep 2011 09:49:32 -0700

Bill Snyder, 22 Aug 2011, Browsing and Privacy: How to Not Get Tracked
All modern browsers have built-in tools and add-ons to protect users from having
their Web behavior tracked. But regardless, some sites still find ways to
track you. Here are tips for taking matters into your own hands.

two nasty bits:

A researcher at Stanford University recently found that Microsoft (MSFT) has
been using an online tracking technology that allowed the company to
sneakily track users on even though it had used some of the standard
techniques developed to avoid tracking.

Another group of researchers found that other sites, including,
employed super cookie techniques to track users for advertising
purposes. They wrote: "We found two sites that were respawning cookies,
including one site——where both flash and cache cookies were
employed to make identifiers more persistent. The cache cookie method used
Etags, and is capable of unique tracking <bold>even where all cookies are
blocked by the user and 'private browsing mode' is enabled.</bold>" (The
authors are from The University of California at Berkeley, Worcester
Polytechnic and the University of Wyoming. The emphasis is mine.)

Re: "Why Governments Are Terrified of Social Media" (RISKS-26.55)

"Chris D." <>
Sun, 18 Sep 2011 22:15:11 +0100

In the UK, politicians are pushing ahead with plans requiring ISPs to block
pornography unless subscribers specifically request access to it, to protect
children.  I have no idea if this really is a problem, or parents and
politicians looking for something to worry about (I'm not a parent myself),
but newspaper headlines like "Parents Will Get Power To Stop The Internet
Porn Invasion" don't help a balanced debate.  Allegedly most children claim
to have viewed Internet porn, but I suspect an element of schoolyard
bragging here...  Another proposal is to `encourage' Google and other search
sites to `remove from their search results content that beaches copyright'.

Main RISKs here seems to be: (a) politicians legislating for the desired
results and leaving others with the problem of figuring out how to achieve
them (and assuming that anything can be done easily with computers by
pressing a few buttons, or setting check boxes nowadays), and (b) legally
requiring ISPs to monitor subscribers' usage, and make value judgments as
to what the heck is "pornography" or other potentially-objectionable
material.  Like 1970s East Germany, it's easy to imagine a future when half
of the population are employed to watch over the other half, with huge
Internet bills to pay for it, of course.

In any case, presumably juveniles who really want to seek out pornography
will know where to find it, so it's just the rest of us will be
inconvenienced; I can imagine seniors having to get their grandkids to
disable the parental locks on their laptops.

Re: Zombie Cookies won't die (RISKS-26.55)

Chris Jewell <>
19 Sep 2011 00:15:38 -0000

  rm -rf ~/.mozilla/"Default User"/Cache/*
  chmod a-w ~/.mozilla/"Default User"/Cache

I haven't noticed that my browsing is any slower.

I assume that Windows/NT supports something similar (and I'm sure Mac
OS 10 does), though many users may not know how.

Re: Risks in Google, specifically Gmail (Robinson, RISKS-26.56)

John Fouhy <>
Thu, 15 Sep 2011 22:29:15 +1200

Paul Robinson unfairly maligns Gmail.  I have my own domain, registered
through, and backed by a Gmail account.  It works flawlessly, and
has done so for a number of years.

[well, almost flawlessly—Gmail puts my @gmail address in the Sender:
header which causes some undesirable behaviour, notably with Outlook]

Re: Risks in Google, specifically Gmail (Robinson, RISKS-26.56)

Joseph Brennan <>
Mon, 19 Sep 2011 09:46:09 -0400

> The same is not true with Gmail.  There is a weird technical problem with
> Gmail, if a Gmail client sends mail to a domain that redirects its mail -
> like mine - and the terminating address that the redirection goes to is a
> Gmail account, Gmail discards the message.

Better described: If you send mail from a Gmail account, and delivery
ends up forwarding back to the same Gmail account, Gmail does not add
an inbox tag to the message. It's not actually discarded, since you do
have the message, tagged as sent mail. That's their logic anyway.

The incoming message is considered a duplicate, based (I think) on the
Message-ID. The catch is that people testing delivery want to see the
almost-duplicate that has different headers showing delivery through
the forwarding routing. I think Gmail is the only system that does
duplicate suppression between incoming and sent mail. While I like to
be open to new concepts, this seems like a bug to me.

Our helpdesk has had probably over one hundred tickets reporting that
forwarding an account to Gmail does not work.

Joseph Brennan, Lead Email Systems Engineer
Columbia University Information Technology

Re: Don't throw away Grandma's wind-up desk clock (Lee, RISKS-26.49)

Martin Ward <>
Fri, 16 Sep 2011 10:29:41 +0100

When I want the *exact* time I depend on one of our radio-controlled
clocks: which I don't even need to reset twice a year when British Summertime
starts or ends, or my solar-powered radio-controlled watch: which doesn't
even need the battery changing.

There used to be a saying: "A man with one watch knows what time it is;
a man with two watches is never quite sure." This problem disappears
with my radio-controlled clocks since they all show exactly the same time!

STRL Reader in Software Engineering and Royal Society Industry Fellow

Re: Transaction without a password is more secure? (RISKS-26.54)

Wayne Mesard <>
Wed, 31 Aug 2011 09:55:20 -0400

> Can somebody please explain to me how it's "more secure"...

The wording isn't the best, but they are making a legitimate point.  While
it may be the case that many ATMs are not appropriately secured, it is
*certainly* the case that the majority of point-of-sale terminals are less
secure than even a fairly weakly-protected ATM.  This makes them much more
attractive targets for skimmers.

If I enter my PIN at a compromised POS terminal, then the evil-doer has my
PIN and can go to any ATM and clean me out.  If he doesn't have my PIN, then
he can only access my compromised account from other POS terminals.  Still
bad, but not as bad.

FWIW, I never enter my PIN anywhere except at ATMs located at reputable,
CCTV-monitored bank branches. (I also never use a debit card, and given the
RISKS and the fees, I don't understand why anyone does.  Just use a credit
card and pay the full balance every month.)

Re: Researchers' Typo-squatting Stole 20 GB of E-Mail

Lauren Weinstein <>
Thu, 8 Sep 2011 18:29:59 -0700
  (was Risks of Typos, RISKS-26.55)  (Wired) [NNSquad]

  "Two researchers who set up doppelganger domains to mimic legitimate
  domains belonging to Fortune 500 companies say they managed to vacuum up
  20 gigabytes of misaddressed e-mail over six months."

Re: $100 Bill: The Fed Has a $110 Billion Problem with New Benjamins (26.56)

Nick Laflamme <>
Thu, 15 Sep 2011 17:10:12 -0500

I'm surprised that neither Leonard Finegold, who submitted the item, nor
PGN, who read it and provided the excerpt, noted that the article cited is
nine months old. What's happened with this story since 7 Dec 2010? Has the
Bureau of Engraving pursued any of the solutions suggested? Have any of the
new currency started to circulate? And has anything made this article more
or less relevant now than it was nine months ago?

  [I was hoping that item would provoke a follow-up as to what's new.  PGN]

Re: Yet another incident of over-reliance on GPS navigation

Paul Wallich <>
Thu, 15 Sep 2011 09:48:02 -0400
 (Kuenning, RISKS-26.56)

In my (thank goodness limited) experience this is also an issue of
decision-making under short deadlines in the presence of (real or perceived)
peer pressure. When you see other drivers going around a road-closed sign,
or when you're following written directions from a local, it's easy to
assume that they have knowledge about the situation that goes beyond or
contradicts a terse road sign. (In my childhood home town, visitors used to
blench as we zipped right past the "Road Legally Closed" notice that
decorated the route to the nearest interstate for 10 years or so.)

What's difficult to calibrate is the amount of local knowledge needed to
traverse a "closed" or otherwise posted section of road safely—locals can
typically drive back roads at least 20 km/h faster than visitors, and the
Dunning-Krueger effect is in full play.

(This also brings me to one of my pet peeves about GPS maps: they have
nowhere near the right level of discrimination among road types. Perhaps a
two or three-level classification was appropriate during the years of
expensive color printing or limited device memory, but today you could do
far more accurate and safer routing with more levels or even a continuous
distribution of road-quality classifications.)

Re: Man unable to open car from the inside and dies of dehydration

David Peverley <>
Thu, 15 Sep 2011 15:06:20 +0100

I find this particularly interesting in the context of my current car - it
is a twelve year old model with the same auto-lock if-not-opened
feature. I'd been ferrying bags from out of the boot and having returned
from one load to get the next found the door had blown shut with the keys
inside and the car had locked them in. The reason? The micro-switch in the
lock mechanism that senses lock opening / closing had failed and the
previous owner had not replaced it. This is understandable as you could only
replace the whole lock assembly for around 40 and is only available from
official dealers with the only obvious visible consequence being that the
courtesy light wouldn't turn on with the boot opening. A no-brainer not to
spend that much to turn a light on and off...

For cars that additionally disable internal opening mechanisms one might
reasonably predict that when a large number get to a decent second-hand age
and start being affected by long-term wear and tear, this may well happen a
lot more often if the designers haven't been able to recognise such sensor

Online risks for a power of attorney

jared gottlieb <>
Sun, 18 Sep 2011 12:00:00 -0600

The risk is some banks do not recognise the power of attorney for on-line
banking. This is a significant restriction to the the person with the
power-of-attorney, particularly when they live at a distance or simply want
to take advantage of tracking account transactions without delay.

The Guardian ( reports a study "... with some financial
institutions putting unnecessary restrictions on how an [individual with a
power of] attorney can access an account, and many refusing point blank to
allow attorneys to operate online accounts."  and the Chicago Tribune
( had a headline "Power of attorney powerless in online
banking Bank says caretaker spouse will have to rely on monthly statements"

Please report problems with the web pages to the maintainer