Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 26: Issue 95
Wednesday 25 July 2012
Contents
Cadillac replaces tactile buttons with tablet - Paul Wexelblat
Open Sesame for hotel keycards - Andy Greenberg via PGN
"Will the 2012 Olympics set new surveillance records?" - Claudiu Popa via Gene Wirchenko
DARPA's hacking box disguised as a power strip - Lauren Weinstein
Clicking with your doctor - Bella English via Monty Solomon
Mother stole passwords to change children's school grades - John E. Dunn via Gene Wirchenko
Best Typo Ever Runs A-1 in the Los Angeles Times - Tessa Stuart via Monty Solomon
Re: Who Really Invented the Internet? - John Shoch
  Dave Crocker
  Rebecca Mercuri
  Vint Cerf via Lauren Weinstein
Re: Google ordered to censor 'torrent', 'megaupload' - Albert Aribaud
Re: Olympics security poster 'gibberish' - Chris J Brady
  Dimitri Maziuk
Re: Taxing old browsers out of existence - Steven J Klein
LADC2013 - Sixth Latin-American Symposium on Dependable Computing - Mohamed Kaaniche
Info on RISKS (comp.risks)
Cadillac replaces tactile buttons with tablet
Paul Wexelblat
<wex@cs.uml.edu>
Tue, 24 Jul 2012 22:47:45 -0400

Sorry I can't give more info, but I just saw a TV ad for a new, improved control system for new Cadillac cars - They show the old-fashioned way to control things, with buttons - Then they show what appears to be an iPad-like tablet for controls (lights/heat/radio/etc) and tout it as an improvement. DUH—With the new system you're forced to take your eyes off the road to accomplish even the most mundane task.

[Wex, Adding more info would not add much more other than artistic verisimilitude. The concept is inherently a risky one. It goes even further than multipurpose context-dependent controls. For example, there could be serious challenges for people with vision problems, such as near-sighted folks who wear glasses for distance vision while driving -- who cannot read screens up close without removing those glasses! Of course, bifocals or multifocals would help, but that only adds another layer of requirements for context switching. PGN]
Open Sesame for hotel keycards (Andy Greenberg)
<Peter G Neumann>
Wed, 25 Jul 2012 09:06:23 -0600

[Andy Greenberg's item in Forbes on Mozilla developer Cody Brocious' talk at BlackHat is quite intriguing, although not surprising to RISKS readers. The following URL is sufficiently graphic. PGN via Earl Boebert]

http://www.forbes.com/sites/andygreenberg/2012/07/23/hacker-will-expose-potential-security-flaw-in-more-than-four-million-hotel-room-keycard-locks/

[This required only about $50 for equipment to exploit the lock mechanism. Each hotel has a unique 32-bit sitecode, which is stored at a fixed location in memory and requires no authentication to read. Thus, the strength of the crypto can be (as is often the case) more or less irrelevant.]

http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller
"Will the 2012 Olympics set new surveillance records?" (Claudiu Popa)
Gene Wirchenko
<genew@ocis.net>
Tue, 24 Jul 2012 09:46:19 -0700

Never in the history of the Olympics has there been a more publicized series of security blunders before the actual event. People on terrorism watch lists are waved through airport security, contractors unable to hire qualified security personnel, busloads of Olympians temporarily lost in London, and a general public malaise about the whole thing are now permeating the global media. ...

Meanwhile and probably as a result, the UK's Security Services (MI5, MI6 and GCHQ) are likely implementing further technical measures to compensate for the physical security shortfalls. Some such surveillance techniques will doubtlessly fire up privacy advocates worldwide and may even establish a precedent for world-class events. Already having had a chance to review the proposed plans, privacy advocates are primarily concerned over the plan to record all electronic communication. Period. ...

Claudiu Popa, president, Informatica Corp.
http://blogs.itbusiness.ca/2012/07/will-the-2012-olympics-set-new-surveillance-records/
DARPA's hacking box disguised as a power strip
Lauren Weinstein
<lauren@vortex.com>
Sat, 21 Jul 2012 22:54:56 -0700

http://j.mp/SO8uWk (Wired, via NNSquad)

"It may look like a surge protector, but it's really a remote access machine that corporations can use to test security and log into branch offices. Called the Power Pwn, it's a stealthier version of the little box that can hack your network we wrote about last March. Hidden inside are Bluetooth and Wi-Fi adapters, along with a number of hacking and remote access tools that let security experts prod and poke the network, and even call home to be remotely controlled via the cellular network."

["Mongo only Pwn in the Game of Life"? (Blazing Saddles) Mayhaps we've been Rooked? PGN]
Clicking with your doctor (Bella English)
Monty Solomon
<monty@roscom.com>
Tue, 24 Jul 2012 22:24:02 -0400

Bella English, Living with Screens, *The Boston Globe*, 20 Jul 2012

Dr. Larry Cohan, a pediatrician who has always kept voluminous files on his patients from birth through college, is used to examining his young charges, questioning and quipping, while scribbling notes in the medical record. But a few years ago a third party came between him and his patients: a computer screen.

Prodded by the federal government, doctors are replacing their paper files with electronic records. There have been growing pains. As efficient as the technology is, neither physicians nor patients want a computer screen separating them.

"I was faced with a choice," says Cohan, who has practices in Braintree and Boston. "When writing my exam notes in the computer, do I turn my back on my patients sometimes? Or do I try to maintain eye contact and write my notes later, when frankly there isn't time later?"

Cohan has hit upon a third way, which seems to work: He invites his young charges to sit in a chair near his desk, so he can explain things to them as he's typing notes.

But e-records are only part of e-medicine. Patients are increasingly turning to medical websites and message boards to become "experts" on their own health care. Many expect to keep in e-mail touch with their physicians. And some patients are even involved in home e-monitoring for chronic conditions. Together, these changes - all of them fueled by our increasing reliance on digital devices - are fundamentally altering the doctor-patient relationship, nudging health care from medical settings into people's day-to-day lives. ...

http://articles.boston.com/2012-07-20/lifestyle/32744102_1_electronic-records-patients-medicaid
Mother stole passwords to change children's school grades
Gene Wirchenko
<genew@ocis.net>
Wed, 25 Jul 2012 09:53:30 -0700

(John E. Dunn)

This comes under the category of computer risks that do not appear to be computer risks at first glance. Computers are used a lot more than when I was in school.

John E. Dunn, Article with the above title, subtitled Pennsylvania school assistant used passwords 110 times, *IT Business*, 24 Jul 2012
http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=68357
Best Typo Ever Runs A-1 in the Los Angeles Times (Tessa Stuart)
Monty Solomon
<monty@roscom.com>
Tue, 24 Jul 2012 18:00:38 -0400

Tessa Stuart, *Los Angeles Times*, 20 Jul 2012

The *Los Angeles Times* has an excellent story in A-1 today about a legendary Las Vegas sheriff. 85-year-old Ralph Lamb, "The Cowboy Sheriff," John M. Glionna writes, was once the most powerful man in Nevada—feared by gangsters, beloved by locals, respected by fellow lawmen. It's a great read—made even greater by what may be the best typo to ever run in the *L.A. Times*. ...

[and perhaps enhanced by the ubiquitous spelling-and-grammar curekter. PGN]

http://blogs.laweekly.com/informer/2012/07/best_typo_ever_runs_a-1_in_the.php
Re: Who Really Invented the Internet? (PGN, RISKS-26.94)
John Shoch
<shoch@alloyventures.com>
Wed, 25 Jul 2012 02:51:08 +0000

The WSJ opinion piece was an abomination. I feel bad that an ancient quote of mine has been taken out of context, in support of an underlying argument with which I do not agree.

There are many things wrong with this article; but to briefly summarize the obvious:

* It was written by the former publisher of the WSJ.
* It appeared on the Opinion page of the WSJ.
* There were many sources of funding, around the globe, for early work on data communications, packet-networking, inter-networking, and local networks.
* But, clearly, the US government (through DARPA) played an important role in funding the development of the Arpanet (at BBN and elsewhere) and inter-networking (at Stanford, BBN, ISI, SRI and elsewhere).
* Beyond the direct funding of these projects, DARPA funding provided the second-order benefit of training a whole cadre of graduate students, who went on to contribute at many organizations.

We accomplished a lot at Xerox PARC, with corporate support, in local networks and inter-networking; we can have a healthy debate about who invented what, who implemented what, and who commercialized what; but that should not be used to diminish the contributions of DARPA, and other government support of research......

[John Shoch is well-known to long-time readers as the coauthor with J.A. Hupp of what seems to be the first paper on computer worms: The "Worm" Programs—Early Experience with a Distributed Computation, Comm. ACM, 25, 3, 172--180, March 1982, also reprinted in Peter Denning (ed.), Computers Under Attack. PGN]
Re: Who Really Invented the Internet? (PGN, RISKS-26.94)
Dave Crocker
<dcrocker@bbiw.net>
Tue, 24 Jul 2012 21:56:37 -0700

Besides funding the underlying core packet-switching and inter-networking research and the development of most underlying and user-visible core protocols that remain in operation, the US government funded the original infrastructure service providers, via the National Science Foundation's NSFNet backbone and regional networks. Converting these to commercial operations began the commercial Internet.

The article was correct that the PARC team did seminal work in this space too—and for a time their XNS protocols did provide the basis for a number of other companies' networking products, including the ones I worked on at Ungermann-Bass—but what we use today is a very simple, straight-line continuation of all that government-funded research, starting in the 60s up through the 90s. Much of what worked in the mid-80s, on the NSFNet/et-al Internet still works on today's Internet.

Dave Crocker, Brandenburg InternetWorking, http://www.bbiw.net
Re: Who Really Invented the Internet? (PGN, RISKS-26.94)
RTMercuri
<notable@mindspring.com>
Wed, 25 Jul 2012 10:48:47 -0400

On the poorly fact-checked WSJ piece, the LA Times' rebuttal is just as bad. See:
http://articles.latimes.com/2012/jul/23/news/la-mo-who-invented-internet-20120723

Everyone (at least here) knows that Ted Nelson coined the terms "hypertext" and "hypermedia" and began popularizing the concept back in 1963, well before the SRI 1968 demo.

[NOTE: Doug Engelbart was already developing hypertext in the NLS system at SRI in 1962, independently of Ted Nelson. However, I believe Ted gave talks about hypertext and hyperlinks even earlier than that. I would be surprised if they had not learned from each other. PGN]
Re: Who Really Invented the Internet? (PGN, RISKS-26.94)
<Lauren Weinstein>
Wed, 25 Jul 2012 13:17:39 -0700

No credit for Uncle Sam in creating Net? Vint Cerf disagrees
http://j.mp/Onm9Rp (CNET)

"I would happily fertilize my tomatoes with Crovitz's assertion."
Re: Google ordered to censor 'torrent', 'megaupload' (RISKS-26.94)
Albert Aribaud
<albert.aribaud@free.fr>
Wed, 25 Jul 2012 08:43:03 +0200
As I see it, *The Register* has it wrong on at least one account. No, the
Cour de Cassation (the "French Supreme Court") did *not* say that Google
could not be held responsible for people downloading illegal content; that
was said by the Appellate Court—I think I should mention at least two
points:
Minor one:
The "French Supreme Court" (Cour de Cassation) did *not* order any
censoring: it cannot do so. What it did was cancel ("casser", hence its
name) an order from an appellate Court (Cour d'Appel) which had rejected
such a censoring.
The difference is that the Cour de Cassation did not enter a final decision
on the case as such; it has decided that the case should be tried again by
an appellate Court. This court may still find against censoring, and the
Cour de Cassation may have to re-examine this issue, this time in a plenary
session, with a chance (admittedly small) that they change their minds, for
instance if the appellate arguments are different from the ones currently
Major one, because it somewhat waters down the "censorship" point:
The news is only about Google Suggestions, not Google Search results.
Users just need to add "megaupload" (RIP) or a similar term by
themselves, and they'll get their results.
Re: Olympics security poster 'gibberish' (Brady, RISKS-26.94)
Chris J Brady
<chrisjbrady@yahoo.com>
Wed, 25 Jul 2012 04:45:39 -0700 (PDT)

More Arabic Font Shenanigans: Westfield is a *huge* new multi-billion shopping mall near Stratford where the London Olympics are about to be held. The mall started to display 'Welcome to the Olympics' posters in lots of different languages. One was supposed to have been in Arabic. Yet the printers got the font wrong and the message was 'gibberish' just like First Capital Connect did last week. Again, one wonders why they didn't proofread it first - using a native speaker of course.

http://www.bbc.co.uk/news/uk-england-london-18971686
Re: Olympics security poster 'gibberish' (Brady, RISKS-26.94)
Dimitri Maziuk
<dmaziuk@bmrb.wisc.edu>
Tue, 24 Jul 2012 20:00:06 -0500

... Perhaps proof-reading by a native speaker would have been an idea.

As a native Russian speaker I can assure you that I can't remember one multilingual ad with Russian text in it on a city bus, nor a single English-language movie with original Russian in it (written or spoken), that has been proof-read by a native speaker. Best case scenario is a technically correct sentence constructed by someone unfamiliar with contemporary spoken language, and those are a rare find. Why would Arabic be any different?

Dimitri Maziuk, Programmer/sysadmin BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu
Re: Taxing old browsers out of existence (Baker, RISKS-26.93)
Steven J Klein
<steven@yourmacexpert.com>
Tue, 24 Jul 2012 15:36:56 -0400

> I've noticed that with every browser "update", the browser gets noticeably
> slower.

Henry Baker should consider using a webkit-based browser like Safari. Here's why:

  We have a zero-tolerance policy for performance regressions. If a patch lands that regresses performance according to our benchmarks, then the person responsible must either back the patch out of the tree or drop everything immediately and fix the regression.

Source: http://www.webkit.org/projects/performance/

Steven Klein Computer Service 1-248-YOUR-MAC
LADC2013 - Sixth Latin-American Symposium on Dependable Computing
Mohamed Kaaniche
<Mohamed.Kaaniche@laas.fr>
Wed, 25 Jul 2012 14:25:59 +0200

LADC2013 - Sixth Latin-American Symposium on Dependable Computing
http://www.ft.unicamp.br/ladc2013
Rio de Janeiro, Brazil, 1-5 April 2013

LADC is the major Latin-American event dedicated to computer system dependability. The LADC 2013 program will present technical sessions, workshops, tutorials, an industrial track, and keynote talks from top international experts in the area. The LADC organization invites you to submit original works. In its 6th Edition, LADC is going to have its proceedings published by IEEE Computer Society, and indexed on IEEE Xplore. There is also going to be a Best Paper Award.

Papers and Practical Experience Reports must be submitted by 14 Sep 2012, tutorials and workshops a week later: https://submissoes.sbc.org.br.