Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 26: Issue 61
Sunday 13 November 2011
Contents
Panel Emphasizes Safety in Digitization of Health Records- Steve Lohr
The Coming Fascist Internet- Lauren Weinstein
First national Emergency Alert System (EAS) test: FAIL in many areas- Lauren Weinstein
"747's are big flying Unix hosts"- Gabe Goldberg
Underground call-centre for identity theft uncovered- Gene Wirchenko
The Dark Side Of Biometrics: 9 Million Israelis' Hacked- FastCompany
"Sloppy use of Amazon cloud can expose users to hacking"- Gene Wirchenko
Re: Gmail goes Colbert- Dag-Erling Smørgrav
Re: ANA plane goes nearly belly up ... wrong knob turned- Pete Disdale
Richard S. Russell
Joe Keane
Fun Yahoo! term of service- jidanni
Humorous illustration of computer security- David Hollman
Info on RISKS (comp.risks)
Panel Emphasizes Safety in Digitization of Health Records
"Peter G. Neumann"
<neumann@csl.sri.com>
Wed, 9 Nov 2011 20:19:23 PST

(Steve Lohr)

Poorly designed, hard-to-use computerized health records are a threat to patient safety, and an independent agency should be set up to investigate injuries and deaths linked to health information technology, according to a federal study just released by the Institute of Medicine. The proposed investigative agency should be modeled after the National Transportation Safety Board. The report also called for tracking the safety performance of electronic health records in use. Results from studies done so far, the report said, are mixed. Success stories are offset by reports of patients harmed.

[Source: Steve Lohr, *The New York Times*, 8 Nov 2011; PGN-ed; Thanks to Marc Rotenberg.]
http://www.nytimes.com/2011/11/09/technology/federal-panel-emphasizes-safety-in-push-for-digital-health-records.html?_r=1&hpw

[This is as always a scary double-edged sword. The doctors will probably have to spend more time with their computers and less with patients, and could indeed make more errors, which would not be challenged by other doctors and nurses because they would be likely to believe in the infallibility of computers—ignoring the high rates of fallibility of people! Remember the Risks! PGN]
The Coming Fascist Internet
Lauren Weinstein
<lauren@vortex.com>
Sun, 13 Nov 2011 13:39:49 -0800 (PST)
(((((( Lauren Weinstein's Blog Update: The Coming Fascist Internet ))))))
November 13, 2011
http://lauren.vortex.com/archive/000911.html
Around four decades ago or so, at the U.S. Defense Department funded
ARPANET's first site at UCLA—what would of course become the genesis of
the global Internet—I spent a lot of time alone in the ARPANET computer
room. I'd work frequently at terminals sandwiched between two large, noisy,
minicomputers, a few feet from the first ARPANET router—Interface Message
Processor (IMP) #1, which empowered the "blindingly fast" 56 Kb/s ARPANET
backbone. Somewhere I have a photo of the famous "Robby the Robot" standing
next to that nearly refrigerator-sized cabinet and its similarly-sized modem
box.
I had a cubicle I shared elsewhere in the building where I also worked, but
I kept serious hacker's hours back then, preferring to work late into the
night, and the isolation of the computer room was somehow enticing.
Even the muted roar of the equipment fans had its own allure, further
cutting off the outside world (though likely not particularly good for one's
hearing in the long run).
Occasionally in the wee hours, I'd shut off the room's harsh
fluorescent lights for a minute or two, and watch the many blinking
lights play across the equipment racks, often in synchronization with
the pulsing and clicking sounds of the huge disk drives.
There was a sort of hypnotic magic in that encompassing, flickering
darkness. One could sense the technological power, the future coiled
up like a tight spring ready to unwind and energize many thousands of
tomorrows.
But to be honest, there was little then to suggest that this stark room
-- in conjunction with similar rooms scattered across the country at
that time—would trigger a revolution so vast and far-reaching that
governments around the world, decades later, would cower in desperate
efforts to leash it, to cage its power, to somehow turn back the clock
to a time when communications were more firmly under the thumbs of the
powers-that-be.
There were some clues. While it was intended that the ARPANET's
resource sharing capabilities would be the foundation of what we now
call the "cloud," the ARPANET was (somewhat to the consternation of
various Defense Department overseers) very much a social space from the
beginning.
Starting very early on, ARPANET communications began including all
manner of personal discussions and interests, far beyond the narrow
confines of "relevant" technical topics. A "wine tasting enthusiasts"
mailing list triggered reprimands from DoD when it became publicly
known thanks to a magazine article, and I won't even delve here into
the varied wonders of the "network hackers" and "mary hartman" mailing
lists.
In fact, the now ubiquitous mailing list "digest" format was originally
invented as a "temporary" expedient when "high volumes" of traffic (by
standards of the time) threatened the orderly distribution of the
science-fiction and fantasy oriented "sf-lovers" mailing list. Many
other features that we take for granted today in email systems were
created or enhanced largely in reaction to these sorts of early
"social" communications on the very young Net.
The early ARPANET was mostly restricted to the U.S., but as
international points began to come online the wonders expanded. I
still remember the day I found myself in a "talk" (chat) link with a
party at a military base in Norway—my first international live
contact on the Net that I knew of. I remember thinking then that
someday, AT&T was going to start getting concerned about all this.
The power of relatively unfiltered news was also becoming apparent back
then. One of my projects involved processing newswire data (provided
to me over the ARPANET on a friendly but "unofficial" basis from
another site) and building applications to search that content and
alert users (both textually and via a synthesized voice phone-calling
system—one of my other pet projects) about items of interest.
For much of the Net's existence, both phone companies and governments
largely ignored (or at least downplayed) the ARPANET, even as it
evolved toward the Internet of today.
AT&T and the other telcos had explicitly expressed disinterest early on, and
even getting them to provide the necessary circuits had at times been a
struggle. Governments didn't really seem to be worried about an Internet
"subculture" that was limited mostly to the military, academia, and a
variety of "egghead" programmers variously in military uniforms and
bell-bottoms, whether sporting crew cuts, scruffy longhairs, or somewhere
in-between.
But with the fullness of time, the phone companies, cable companies,
governments, and politicians galore came to most intensely pay attention to
the Internet, as did the entertainment industry behemoths and a broad range
of other "intellectual property" interests.
Their individual concerns actually vary widely at the detailed level, but in
a broader context their goals are very much singular in focus.
They want to control the Internet. They want to control it utterly,
completely, in every technologically possible detail (and it seems in
various technically impossible ways as well).
The freedom of communications with which the Internet has empowered
ordinary people—especially one-to-many communications that
historically have been limited to governments and media empires
themselves—is viewed as an existential threat to order, control, and
profits—that is, to historical centers of power.
Outside of the "traditional" aspects of government control over their
citizenries, another key element of the new attempts to control the Net are
desperate longings by some parties to turn back the technological clock to a
time when music, movies, and other works could not so easily be duplicated
and disseminated in "authorized" fashions.
The effective fall of copyright in this context was preordained by human
nature (we are physical animals, and the concept of non-physical "property"
plays against our natures) and there's been a relentless "march of bits" --
with text, music, and movies entering the fray in turn as ever more data
could be economically stored and transferred.
In their efforts to control people and protect profits, governments and
associated industries (often in league with powerful Internet Service
Providers—ISPs—who in some respects are admittedly caught in the
middle), seem willing to impose draconian, ultimately fascist censorship,
identification, and other controls on the Internet and its users, even
extending into the basic hardware in our homes and offices.
I've invoked fascism in this analysis, and I do not do so lightly.
The attacks on fundamental freedoms to communicate that are represented by
various government repression of the Internet around the world, and in the
U.S. by hypocritical legislation like PROTECT IP and SOPA (E-PARASITE), are
fundamentally fascist in nature, despite being wrapped in their various
flags of national security, anti-piracy profit protection, motherhood, and
apple pie.
Anyone or anything that is an enabler of communications not willingly
conforming to this model is subject to attack by authorities from a variety
of levels—with the targets ranging from individuals like you and me, to
unbiased enablers of organic knowledge availability like Google.
For all the patriotic frosting, the attacks on the Internet are really
attacks on what has become popularly known as the 99%, deployed by the 1%
powers who are used to having their own way and claiming the largest chunks
of the pie, regardless of how many ants (that's us!) are stomped in the
process.
This is not a matter of traditional political parties and alliances. In the
U.S., Democratic and Republican legislators are equally culpable in these
regards.
This is a matter of raw power that transcends other ideologies, of the
desire of those in control to shackle the Internet to serve their bidding,
while relegating free communications for everyone else to the dustbin of
history.
It is very much our leaders telling us to sit down, shut up, and use the
Internet only in the furtherance of their objectives—or else.
To me, these are the fundamental characteristics of a fascist world
view, perhaps not in the traditional sense but clearly in the ultimate
likely impacts.
The Internet is one of the most important tools ever created by
mankind. It certainly ranks with the printing press, and arguably in
terms of our common futures on this tiny planet perhaps even with fire.
The question is, are we ready and willing to fight for the Net as it should
be in the name of civil rights and open communications? Or will we sit back
compliantly, happily gobble down the occasional treats tossed in our
direction, and watch as the Internet is perverted into a monstrous
distortion to control speech and people alike, rather than enabling the
spread of freedom.
Back in that noisy computer room so many years ago, I couldn't imagine that
I was surrounded by machines and systems that would one day lead to such a
question, and to concerns of such import.
The blossoming we've seen of the Internet was not necessarily easy to
predict back then. But the Internet's fascist future is much more
clear, unless we fight now—right now—to turn back the gathering
evil.
First national Emergency Alert System (EAS) test: FAIL in many areas
Lauren Weinstein
<lauren@vortex.com>
Wed, 9 Nov 2011 11:17:00 -0800

[From Network Neutrality Squad]

Apparently the first ever national test of the Emergency Alert System (EAS) can be declared a failure in many areas. Reports are coming in of broadcast stations that did not show the test, even while local cable systems did, and places where broadcast stations did alert and cable systems failed to activate their warning systems.

Here in L.A., I monitored and recorded two outlets: KCBS-DT (2) via an antenna, and CNN HD on Time Warner Cable. KCBS broadcast *did* run the test as planned. Time Warner Cable (at least here in the West Valley) did not. Normally for EAS activations (tests, weather alerts, etc.) TW triggers a red banner warning that overrides programming on all cable channels. This did *not* occur for the national test at 11am PST today. FAIL.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren, Network Neutrality Squad: http://www.nnsquad.org +1-818-225-2800 Skype: vortex.com
"747's are big flying Unix hosts"
Gabe Goldberg
<gabe@gabegold.com>
Tue, 08 Nov 2011 22:50:10 -0500

Craig S Wright says: "I was contracted to test the systems on a Boeing 747. They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 - VLANs. We managed to break the VLANs and access other systems and with source routing could access the Engine management systems."
https://plus.google.com/u/0/110897184785831382163/posts/5qsNxFEaiML

Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433 http://www.linkedin.com/in/gabegold
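The account above names source routing as the step that turned a VLAN hop into reachability of other systems. Source-routed packets are only useful against hosts that honour them, which is a setting a defender can audit. The following is an added example (not from Goldberg's post or from Wright's test) that parses a `sysctl -a` style dump from a Linux host and reports every source-routing, redirect and reverse-path-filter key that is not at its hardened value. The sample dump is constructed for illustration; the key names are real Linux kernel sysctls. Switch-side VLAN configuration is outside what this check can see.

```python
"""Audit a Linux sysctl dump for source-routing and related forwarding knobs.

Added example, not from the RISKS post or from Craig Wright's test. It assumes a
Linux host whose settings are read with `sysctl -a`; the sample dump below is
constructed for illustration and was not captured from any real system.
"""
import re
import subprocess

# Kernel keys that control whether a host honours source-routed packets and
# ICMP redirects, with the set of acceptable (hardened) values for each.
# rp_filter accepts 1 (loose) or 2 (strict) reverse-path filtering.
HARDENED = {
    "net.ipv4.conf.all.accept_source_route": {0},
    "net.ipv4.conf.default.accept_source_route": {0},
    "net.ipv6.conf.all.accept_source_route": {0},
    "net.ipv6.conf.default.accept_source_route": {0},
    "net.ipv4.conf.all.accept_redirects": {0},
    "net.ipv4.conf.all.send_redirects": {0},
    "net.ipv4.conf.all.rp_filter": {1, 2},
}

# Constructed sample output in `sysctl -a` format (one `key = value` per line).
# Three of the keys below are deliberately left at unhardened values.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.ip_forward = 0
kernel.hostname = example-host
"""

LINE_RE = re.compile(r"^\s*([\w./-]+)\s*=\s*(.*?)\s*$")


def parse_sysctl(text):
    """Parse `key = value` lines into a dict; integer values become ints."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore blank lines and permission-denied noise
        key, value = m.groups()
        try:
            settings[key] = int(value)
        except ValueError:
            settings[key] = value
    return settings


def audit(settings, policy=HARDENED):
    """Return (key, actual, acceptable) for every key that is missing or not hardened."""
    findings = []
    for key, acceptable in policy.items():
        actual = settings.get(key)  # None when the key is absent from the dump
        if actual not in acceptable:
            findings.append((key, actual, sorted(acceptable)))
    return findings


def audit_live_host():
    """Run `sysctl -a` on this host and audit the result (Linux only)."""
    proc = subprocess.run(["sysctl", "-a"], capture_output=True, text=True, check=False)
    return audit(parse_sysctl(proc.stdout))


if __name__ == "__main__":
    for key, actual, acceptable in audit(parse_sysctl(SAMPLE_SYSCTL)):
        print(f"{key}: have {actual!r}, want one of {acceptable}")
```

Run against the constructed dump it reports three findings (accept_source_route, accept_redirects and rp_filter on the `all` interface); `audit_live_host()` applies the same policy to the machine it runs on. A missing key is reported as a finding rather than silently passed, since a dump truncated by permission errors should not look clean.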
Underground call-centre for identity theft uncovered
Gene Wirchenko
<genew@ocis.net>
Thu, 10 Nov 2011 10:39:17 -0800

Call me about an important financial matter?

http://www.itbusiness.ca/it/client/en/home/News.asp?id=64887
Underground call-centre for identity theft uncovered by security researchers
Identity thieves use professional calling services to obtain missing pieces of information about victims.
11/10/2011 6:00:00 AM By: Lucian Constantin

opening paragraph:

Researchers from security vendor Trusteer have come across a professional calling service that caters to cybercriminals. The business offers to extract sensitive information needed for bank fraud and identity theft from individuals.
The Dark Side Of Biometrics: 9 Million Israelis' Hacked
"Peter G. Neumann"
<neumann@csl.sri.com>
Tue, 25 Oct 2011 12:39:34 PDT

[Thanks to Richard M. Smith for spotting this one. PGN]

Part of Israel's online population registry has been compromised, resulting in massive leakage of personal information of 9 million Israelis. A contract worker at the Israeli Welfare Ministry has been arrested, and is accused of stealing Israel's national biometric database in 2006 that includes names, dates of birth, and detailed health information.

[Source: FastCompany item, PGN-ed]
http://www.fastcompany.com/1790444/the-downside-of-biometrics-9-million-israelis-records-hacked
"Sloppy use of Amazon cloud can expose users to hacking"
Gene Wirchenko
<genew@ocis.net>
Thu, 10 Nov 2011 10:16:43 -0800

http://www.infoworld.com/t/cloud-computing/sloppy-use-amazon-cloud-can-expose-users-hacking-178575
InfoWorld Home / InfoWorld Tech Watch, November 09, 2011
Sloppy use of Amazon cloud can expose users to hacking
New research exposes the potential for vulnerabilities from the non-secure use of virtual images in the public cloud
By Ted Samson | InfoWorld

opening paragraph:

Using Amazon's EC2 (Elastic Compute Cloud) can pose a security threat to organizations and individuals alike, though Amazon's not to blame, according to researchers from Eurecom, Northeastern University, and SecludIT. Rather, third parties evidently are not following best security practices when using preconfigured virtual machine images available in Amazon's public catalog, leaving users and providers open to such risks as unauthorized access, malware infections, and data loss.
Re: Gmail goes Colbert (Morris, RISKS-26.60)
Dag-Erling Smørgrav
<des@des.no>
Sun, 13 Nov 2011 01:01:07 +0100

james.morris@cmu.edu writes:

> The new gmail that apparently is going to be forced on everyone is not an
> improvement as far as I can see.

This isn't just Google Mail, they've "revamped" Google Docs and Google Reader in a similar manner (and probably other services as well, but these are the ones I use). Not only has usability been reduced due to hiding more functions behind fewer buttons and menus and replacing text buttons with non-obvious icons, but the new interface wastes a *lot* of screen real estate, which is a serious problem on ultraportables like the Asus Eee or HP Mini.
Re: ANA plane goes nearly belly up ... wrong knob turned (Re: McCool, RISKS-26.60)
Pete Disdale
<risks@papadelta.co.uk>
Sat, 12 Nov 2011 10:39:36 +0000 (GMT)

> An ANA 737 went nearly belly up during cruise flight after the first officer
> turned the wrong knob to let the captain back into the cockpit. The knob for
> the rudder is similar to the knob to unlock the door and both are located in
> close proximity to each other.

I am not an airline pilot, but find this astonishing. I had always believed that flight deck controls (knobs, levers etc.) were required to be "different" - i.e. different colours, shapes - in order to avoid or minimise any confusion by the pilot. For example when the flight deck fills with smoke or suffers a lighting blackout, s/he should be able to "feel" for the necessary controls. That two such controls with very different functions are similar and co-located seems like an accident waiting to happen.

As the 737 has been around for a long time, is this door-unlock knob a retrofit in response to flight deck strengthening since 9/11? If so, it would appear that the solution is as bad as or worse than the original problem. Another example of "security feature causes (or nearly causes) accident" to add to the list.
Re: ANA plane goes nearly belly up ... wrong knob turned (Re: McCool, RISKS-26.60)
"Richard S. Russell"
<richardsrussell@tds.net>
Sat, 12 Nov 2011 12:58:37 -0600

For a dramatization of this piece of system design, we turn to the film "Monsters vs. Aliens": http://www.youtube.com/watch?v=L1CxlyMoFRs

Richard S. Russell, a Bright (http://the-brights.net) 2642 Kendall Av. #2, Madison WI 53705-3736 608+233-5640 • RichardSRussell@tds.net http://richardsrussell.livejournal.com/
I have discovered that there are two types of command interfaces in the world of computing: good interfaces and user interfaces. —Daniel J. Bernstein
Re: ANA plane goes nearly belly up ... wrong knob turned (Re: McCool, RISKS-26.60)
Joe Keane
Fri, 11 Nov 2011 20:46:38 +0000 (UTC)

Didn't they put different beer handles on the nuclear reactors?
Fun Yahoo! term of service
<jidanni@jidanni.org>
Sun, 13 Nov 2011 21:11:11 +0800

'You agree to not use the Yahoo! Services to: ... cause a screen to "scroll" faster than other users of the Yahoo! Services are able to type...'
Humorous illustration of computer security
David Hollman
<dah8@cornell.edu>
Fri, 28 Oct 2011 14:26:28 -0400

The cartoon XKCD often combines good fun with a real point, such as in this illustration: http://xkcd.com/970/

I can't think of the last time I was asked to double-enter something of importance *other* than my e-mail address! (On the other hand, I don't want to have to do everything twice either.)

[This cartoon is actually rather appropriate for RISKS. TNX. PGN]