Katie Johnston Chase and Alexa McMahon, Phone jam-ups stymie fliers; Airlines unable to handle calls after snowstorm, *The Boston Globe*, 29 Dec 2010 [typo fixed in archive] As airlines were scrambling to get flight schedules back to normal yesterday, stranded travelers were struggling to reach them, sometimes being left on hold for more than an hour - or worse, disconnected from the call. Cali Archon of Portsmouth, N.H., tried calling JetBlue Airways for four hours yesterday morning to rebook her 15-year-old daughter's flight to Fort Lauderdale, Fla. But each time, after about five minutes of recorded messages, the system told her: "Please try back at a later time. We are doing the best we can to manage our call volumes at this time. This call will end now." And then it did. ... http://www.boston.com/business/articles/2010/12/29/for_stranded_travelers_calling_airlines_its_hurry_up_and_wait/
This is a classical tale of Shoot the Messenger. As we all know, TSA's security is perfect; anyone claiming otherwise is therefore a Terrorist and would be treated as such. Full story at (i.a.): http://www.bbc.co.uk/news/world-us-canada-12078040
Nothing weaker than 128-bit AES is considered sufficient protection for e-commerce transactions, but car manufacturers are still using proprietary 40-bit and 48-bit encryption protocols that are vulnerable to brute force attacks. Worse still, one unnamed manufacturer used the Vehicle Identification Number (VIN) as the "secret" key for the immobiliser. http://www.theregister.co.uk/2010/12/20/car_immobiliser_security_flaws/
[Source: Sarah Favot and Caroline Hailey, New drug law will track more prescriptions, *MetroWest Daily News*, 26 Dec 2010; long item PGN-ed] http://www.metrowestdailynews.com/top_stories/x1295283307/New-drug-law-will-track-more-prescriptions Massachusetts residents face a new routine when they pick up certain prescription drugs at the pharmacy on 1 Jan 2011. Under a law passed last summer, they will have to show a driver's license or another approved ID before the druggist can give them prescriptions ranging from addictive opiates to certain medicines for diarrhea. Their purchases will be recorded in a massive database that will include their names, addresses and the kinds and amount of pills they take. The goal of the law is to combat the growing problem of prescription drug abuse, particularly among teens and young adults. According to one federal survey, Massachusetts ranked 8th among those 18-to-25 who have used drugs not prescribed to them. Mass State Rep. Harriet Stanley: "This bill is a great example of how costs increase without you realizing. We thought we had a grip, but we have to re-look at it this session."
[Source: L.L. BRASIER, *Free Press*, 26 Dec 2010] http://www.freep.com/article/20101226/NEWS03/12260530/1318 A Rochester Hills man faces up to 5 years in prison—for reading his wife's e-mail. Oakland County prosecutors, relying on a Michigan statute typically used to prosecute crimes such as identity theft or stealing trade secrets, have charged Leon Walker, 33, with a felony after he logged onto a laptop in the home he shared with his wife, Clara Walker. Using her password, he accessed her Gmail account and learned she was having an affair. He now is facing a Feb. 7 trial. She filed for divorce, which was finalized earlier this month. Legal experts say it's the first time the statute has been used in a domestic case, and it might be hard to prove ...
[Network Neutrality Squad] http://bit.ly/gRa88D (ars technica)
The UK Card Association, which represents organisations who offer financial-card transactions in the UK, has written to the University of Cambridge, http://www.cl.cam.ac.uk/~rja14/Papers/20101221110342233.pdf , asking it not to publish on the WWW some work by Omar Choudary on breaking the Chip-and-PIN protocol used on most bank cards, debit cards, and credit cards. Reported in The Independent newspaper: http://www.independent.co.uk/news/education/education-news/banks-attempt-to-suppress-maths-students-expos233-of-chip-and-pin-2170396.html and on Ross Anderson's Security Group blog http://www.lightbluetouchpaper.org/ . Choudary's short blog post describing his work is at http://www.lightbluetouchpaper.org/2010/10/19/the-smart-card-detective-a-hand-held-emv-interceptor/ The public knowledge that Chip-and-PIN is broken is almost a year old. It was reported in German trade publications at the beginning of February 2010, for example http://www.heise.de/newsticker/meldung/PIN-Pruefung-im-EMV-Verfahren-bei-EC-und-Kreditkarten-ausgehebelt-929528.html (in German). The original work won a Best Paper award at the IEEE Symposium on Security and Privacy in May 2010. Apparently the banks have had about a year to fix a broken protocol and haven't managed to promulgate one. So now their associations are writing to people to ask them not to publish. That process has been known to be broken for far longer than Chip-and-PIN. On the other hand, maybe the banks shouldn't worry too much about word getting around. I received in October a letter from American Express saying that, with their new cards issued in January 2011, rather than just signature on a transaction, they are introducing Chip-and-PIN "so you are better protected from card abuse". Hadn't they heard? Peter Bernard Ladkin, Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de
Joseph Bonneau, Lightbluetouchpaper, 15 Dec 2010 Almost a year to the date after the landmark RockYou password hack, we have seen another large password breach, this time of Gawker Media. While an order of magnitude smaller, it's still probably the second largest public compromise of a website's password file, and in many ways it's a more interesting case than RockYou. The story quickly made it to the mainstream press, but the reported details are vague and often wrong. I've obtained a copy of the data (which remains generally available, though Gawker is attempting to block listing of the torrent files) so I'll try to clarify the details of the leak and Gawker's password implementation (gleaned mostly from the readme file provided with the leaked data and from reverse engineering MySQL dumps). I'll discuss the actual password dataset in a future post. ... http://www.lightbluetouchpaper.org/2010/12/15/the-gawker-hack-how-a-million-passwords-were-lost/
Gawker Media plans to overhaul its web infrastructure and require employees to use two-factor authentication when accessing sensitive documents stored online, following an embarrassing attack that completely rooted the publisher's servers. http://www.theregister.co.uk/2010/12/18/gawker_hack_aftermath/
I think these folks misunderstand the concept of "security". The clout comes from "three strikes and you're locked out". Who cares what character the User uses? And, limiting its length, specifying a character set, limiting the character set, or creating other hurdles is downright dumb. Especially when teamed up with an unlimited number of mistakes. More and more people are relying on "password memorize-ers" like Roboform, KeePass, or LastPass. Seriously, when are folks going to realize how "Julius Caesar-ish" passwords alone are? Argh! F.John Reinke, Kendall Park, NJ 08824, http://reinkefaceslife.com http://www.reinkefj.com http://www.linkedin.com/in/reinkefj
http://lifehacker.com/5721610/why-you-should-avoid-non+ascii-characters-in-your-passwords
> It does not affect most of our users - If you are not using non-Latin
> characters for your password, there is nothing to do (see wikipedia
> <http://en.wikipedia.org/wiki/ASCII> for more information on the characters
> that are not affected - US-ASCII). *If you do use characters that are
> non-Latin, you should reset your password to ensure it is updated to fully
> support these special characters.*
> Tom also notes that, to help address the problem, "when a person logs
> in with a non-ascii char in password, we prompt them to reset." Read
> up for more details at Gawker Tech.
http://tech.gawker.com/5717059/does-your-password-contain-non+latin-characters
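As an added example (not from the posts above and not Gawker's code), here is what the non-ASCII problem quoted above looks like at the hashing layer. A pipeline that silently strips anything outside US-ASCII makes "pässword" and "pssword" verify as the same password, and can lock out or wrongly admit the user who typed the umlaut; a pipeline that NFC-normalises and UTF-8-encodes before hashing keeps them distinct and also accepts the precomposed and combining spellings of the same string as equal. The salt, the PBKDF2 parameters and the `needs_reset` rule are assumptions for the demonstration.

```python
import hashlib
import hmac
import unicodedata

# Constructed values for the demonstration. A real store draws a fresh random
# salt per user and tunes the work factor to its hardware.
SALT = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015")
ITERATIONS = 100_000


def naive_canonicalize(password: str) -> bytes:
    """Mimic a pipeline that only 'supports' US-ASCII: every other character is
    silently dropped before hashing, so distinct passwords hash identically."""
    return password.encode("ascii", "ignore")


def canonicalize(password: str) -> bytes:
    """Normalise to NFC, then encode as UTF-8: the same visible string always
    yields the same bytes, whether the client sent a precomposed or a combining
    form, and no character is discarded."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, salt: bytes = SALT, canon=canonicalize) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the canonical bytes."""
    return hashlib.pbkdf2_hmac("sha256", canon(password), salt, ITERATIONS)


def verify(password: str, stored: bytes, salt: bytes = SALT, canon=canonicalize) -> bool:
    """Constant-time comparison against the stored hash."""
    return hmac.compare_digest(hash_password(password, salt, canon), stored)


def needs_reset(password: str) -> bool:
    """Login-time check in the spirit of the quoted fix (assumed rule): any
    non-US-ASCII character means the naive pipeline mangled this password."""
    return any(ord(ch) > 0x7F for ch in password)


if __name__ == "__main__":
    weak = hash_password("p\u00e4ssword", canon=naive_canonicalize)
    print("naive pipeline collides:", weak == hash_password("pssword", canon=naive_canonicalize))
    stored = hash_password("caf\u00e9")
    print("NFC accepts combining form:", verify("cafe\u0301", stored))
    print("reset needed:", needs_reset("p\u00e4ssword"))
```

The check that matters operationally is the first one: if two different strings already produce the same stored hash, a "reset on next login" is the only way out, because the stored value cannot tell you which one the user meant.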
The US Veterans Administration has discovered that its employees in at least 9 hospitals were using commercial providers like Google and Yahoo to store and share patient information in calendars and other documents, in violation of VA policies. The VA CIO says this shows that they need to make more cloud services available to employees, lest the employees bypass official systems in favor of commercial systems which do not have the same level of protection. (Let's ignore for a moment the assumption that VA systems *are* any more secure.) I'm ambivalent about this - on the one hand, just because the service is available commercially doesn't mean that it should be provided to everyone in an organization like a VA hospital. On the other hand, it's pretty clear that people will bypass security systems if they don't provide adequate capabilities. So the security organization is in a difficult position of what to provide. There seems a pretty clear parallel to multilevel secure systems—if it's too hard to move data from classified to unclassified systems, people will figure out ways around it (cf Wikileaks). But does that mean we should allow easy interconnection and data movement? http://www.nextgov.com/nextgov/ng_20101222_6852.php
> PGN: The resilience of WikiLeaks despite attempts to shut it down is a > testament to the extreme difficulty governments face in their attempts to > control the Internet.] Unfortunately, rejoicing (in this article as well as the previous one about the inclusion of email within 4th Amendment protection) is premature. IMHO the WikiLeaks affair only shows that authorities had not caught up with the Internet yet; but considering China as a case in point, the future looks rather bleak. Just as it is now impossible to drive a car legally on public roads anywhere in the world without having registered both the vehicle and driver with the authorities first, the situation in cyberspace is going to gravitate towards the same level of control. We all connect through a rather small number of ISP's, all of whom depend on governments in many ways, and must obey local laws and regulations. Once legislators and regulators catch up, sites like WikiLeaks would suffer the same fate as women driving in Saudi Arabia. I'm afraid that this is going to happen sooner than anyone dares to predict. [I don't think I was rejoicing! However, I think the WikiLeaks situation has enormous impacts all around—on the government security policies relying on untrustworthy systems, overclassification, etc., and on ubiquitous losses of personal privacy for everyone else, for starters. The problems exposed here are literally enormous. PGN]
ACM TechNews, Wednesday, December 15, 2010 Read the TechNews Online at: http://technews.acm.org (c) 2010 INFORMATION, INC. This service may be reproduced for internal distribution. [RISKS is sponsored by ACM, and therefore I consider RISKS internal to our subscribers. Please treat this accordingly. PGN] Cryptographers Chosen to Duke It Out in Final Fight New Scientist (12/13/10) Celeste Biever The U.S. National Institute of Standards and Technology (NIST) has selected five Secure Hash Algorithm (SHA-3) entrants as finalists for its competition to find a replacement for the gold-standard security algorithm. The finalists include BLAKE, devised by a team led by Jean-Philippe Aumasson of the Swiss company Nagravision, and Skein, which is the work of computer security expert and blogger Bruce Schneier. "We picked five finalists that seemed to have the best combination of confidence in the security of the algorithm and their performance on a wide range of platforms" such as desktop computers and servers, says NIST's William Burr. "We wanted a set of finalists that were different internally, so that a new attack would be less likely to damage all of them, just as biological diversity makes it less likely that a single disease can wipe out all the members of a species." The finalists incorporate new design ideas that have arisen in recent years. The Keccak algorithm from a team led by STMicroelectronics' Guido Bertoni uses a novel idea called sponge hash construction to produce a final string of 1s and 0s. The teams have until Jan. 16, 2011, to tweak their algorithms, then an international community of cryptanalysts will spend a year looking for weaknesses. NIST will pick a winner in 2012. http://www.newscientist.com/article/dn19865-cryptographers-chosen-to-duke-it-out-in-final-fight.html
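The sponge construction mentioned for Keccak, as an added illustration that is not part of the TechNews item and is not Keccak's code: a state of `width` bytes is split into a `rate` part, which absorbs message blocks by XOR and is read out during squeezing, and a `capacity` part that the outside world never reads or writes directly; after absorbing, the same state can be squeezed for any output length. The permutation below is a toy bijection with no security claim (the assumption to keep in mind: Keccak uses the Keccak-f permutation, not this). The last function uses hashlib's SHAKE128, a standardised Keccak sponge, to show the same variable-length behaviour on the real thing.

```python
import hashlib


def _rotl8(b: int, k: int) -> int:
    return ((b << k) | (b >> (8 - k))) & 0xFF


def toy_permutation(state: bytearray, rounds: int = 6) -> bytearray:
    """Toy bijection on the whole state (assumption: NOT Keccak-f, no security).
    Every update rewrites one byte from one other byte, so each step is
    invertible and the whole map is a permutation. The two chains run in
    opposite directions so one round spreads every byte into every other."""
    s = bytearray(state)
    n = len(s)
    for r in range(rounds):
        s[0] ^= 0x9E ^ r                                 # round constant
        for i in range(n):                               # left-to-right additive chain
            s[i] = (s[i] + _rotl8(s[i - 1], 1)) & 0xFF
        for i in range(n - 1, -1, -1):                   # right-to-left xor chain
            s[i] ^= _rotl8(s[(i + 1) % n], 3)
    return s


def sponge(message: bytes, out_len: int, rate: int = 16, width: int = 32,
           permute=toy_permutation) -> bytes:
    """Generic sponge: absorb, then squeeze. Only the first `rate` bytes of the
    state ever meet the input or the output; the remaining `width - rate` bytes
    are the capacity, which is mixed only through the permutation."""
    if not 0 < rate < width:
        raise ValueError("rate must be smaller than the state width")
    state = bytearray(width)

    # Multi-rate padding (pad10*1): 0x01 after the message, zero fill, and the
    # top bit of the last rate byte, so messages differing only in trailing
    # bytes still absorb as different block sequences.
    padded = bytearray(message) + b"\x01"
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80

    # Absorb: XOR each block into the rate part, then permute the whole state.
    for off in range(0, len(padded), rate):
        for j in range(rate):
            state[j] ^= padded[off + j]
        state = permute(state)

    # Squeeze: read the rate part, permute, repeat until enough output exists.
    out = bytearray()
    while True:
        out += state[:rate]
        if len(out) >= out_len:
            return bytes(out[:out_len])
        state = permute(state)


def shake128(message: bytes, out_len: int) -> bytes:
    """Standardised Keccak sponge with variable output length (FIPS 202)."""
    return hashlib.shake_128(message).digest(out_len)


if __name__ == "__main__":
    print(sponge(b"abc", 32).hex())
    print(shake128(b"abc", 32).hex())
```

The property worth noticing is that a longer squeeze extends a shorter one rather than replacing it: `sponge(m, 16)` is the prefix of `sponge(m, 48)`, and the same holds for SHAKE128, which is why a sponge-based XOF must never be truncated on the assumption that different lengths give unrelated values.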
I recently (a few days ago) purchased an item from the Apple Store as a Christmas present. Quite soon, I received an e-mail telling me that it had been shipped and giving a 9-digit tracking number. I immediately clicked on the appropriate link, only to learn that my item had apparently been shipped from Dubai on September 16th and delivered to Sofia on September 21st. Hmmm...that didn't seem quite right. 24 hours later, the same Web page listed the tracking number twice, giving both the Dubai shipment and my own. With a billion numbers to choose from, WHY are they recycling them so quickly? Do they have a clumsy auto-generation algorithm? If so, the RISKS are additional and glaringly obvious. Geoff Kuenning email@example.com http://www.cs.hmc.edu/~geoff/
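Added arithmetic, not part of Geoff Kuenning's note: the note does not say how the tracking numbers are generated, but if 9-digit numbers were drawn uniformly at random, the birthday bound says a repeat is even odds after only about 37,000 draws, not a billion. The functions below compute that approximation, the exact collision probability, and a seeded Monte Carlo check; the space size and trial counts are assumptions for illustration.

```python
import math
import random


def birthday_draws(space: int, probability: float = 0.5) -> int:
    """Approximate number of uniform draws from `space` identifiers at which
    some identifier has repeated with the given probability:
    k ~ sqrt(2 N ln(1/(1-p)))."""
    return math.ceil(math.sqrt(2 * space * math.log(1.0 / (1.0 - probability))))


def collision_probability(space: int, draws: int) -> float:
    """Exact probability that at least two of `draws` uniform draws coincide,
    accumulated in log space so it stays accurate for a billion-sized space."""
    log_no_repeat = sum(math.log1p(-i / space) for i in range(draws))
    return 1.0 - math.exp(log_no_repeat)


def first_collision(space: int, rng: random.Random) -> int:
    """Draw identifiers until one repeats; return how many draws that took."""
    seen = set()
    while True:
        ident = rng.randrange(space)
        if ident in seen:
            return len(seen) + 1
        seen.add(ident)


def median_first_collision(space: int, trials: int = 25, seed: int = 2010) -> int:
    """Seeded Monte Carlo check of the bound (constructed experiment, not data)."""
    rng = random.Random(seed)
    results = sorted(first_collision(space, rng) for _ in range(trials))
    return results[len(results) // 2]


if __name__ == "__main__":
    space = 10**9                      # 9-digit tracking numbers
    k = birthday_draws(space)
    print(f"50% chance of a repeat after ~{k} random draws")
    print(f"exact P(repeat) at {k} draws: {collision_probability(space, k):.3f}")
    print(f"simulated median first repeat: {median_first_collision(space)}")
```

So a collision within a few months of shipments is consistent with random assignment and says nothing about a "clumsy" generator; what it does say is that uniqueness has to be enforced (a counter, or a random number checked against the set already issued), and that a 9-digit space is small enough that a number alone should not be treated as a secret.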
[Source: Jon Borland, wired.com] Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network "sniffers," a laptop computer, and a variety of open source software. While such capabilities have long been available to law enforcement with the resources to buy a powerful network-sniffing device for more than $50,000 (remember The Wire?), the pieced-together hack takes advantage of security flaws and shortcuts in the GSM network operators' technology and operations to put the power within the reach of almost any motivated tech-savvy programmer. ... http://arstechnica.com/gadgets/news/2010/12/15-phone-3-minutes-all-thats-needed-to-eavesdrop-on-gsm-call.ars
Re: Radiation Machines Overdosing Again (Ladkin, RISKS-26.26) http://www.nytimes.com/2010/12/29/health/29radiation.html?partner=rss&emc=rss The initial accident report offered few details, except to say that an unidentified hospital had administered radiation overdoses to three patients during identical medical procedures. It was not until many months later that the full import of what had happened in the hospital last year began to surface in urgent nationwide warnings, which advised doctors to be extra vigilant when using a particular device that delivers high-intensity, pinpoint radiation to vulnerable parts of the body.
> To adopt the de facto standard set by the aviation industry, that some set > party is deemed liable (in aviation: the airline) and pays compensation? It might work differently elsewhere, but here in the USA, the "standard" is to sue everyone: the manufacturer, the airline, the FAA, the pilots, all the way down to the mechanics that last touched the airplane. > Isn't it about time that professional engineering bodies took a public stand > that such events are avoidable and should be avoided? Most engineering bodies have a code of ethics that includes something similar to: Engineers, in the fulfillment of their professional duties, shall: Hold paramount the safety, health, and welfare of the public. These devices may not have been created by licensed professional engineers. Most states in the USA allow design and manufacture of equipment without a license, as long as it is not something like a bridge, dam, or road. (This is called the "industrial exemption".) Stanley F. Quayle, P.E. N8SQ Quayle Consulting Inc. +1 614-868-1363 8572 North Spring Ct., Pickerington, OH 43147 USA http://www.stanq.com
> What is there about medical accidents which lets everyone be comparatively > so complacent about them compared with other walks of life such as > transportation? Well, there are a couple of differences. 1. When an airliner crashes, it kills many people. Big splashy headlines. That's why the terrorists keep trying for airliners. They could blow up a bus, but a bus holds, what? 40 people? Even a 737 holds 130 people. A mid-sized craft like the DC-8 holds over 250, and the 747 can seat over 500. When there is "operator error" on a medical device, it kills one person. All told, maybe a dozen people die before the normal checks built into our hospital & clinic system(*) detect that something is wrong and take countermeasures: replacing the device, special warnings, whatever it takes. So a medical device failure just isn't as exciting as an airliner crashing. 2. Harm should be balanced against good. Let's say you have a choice: you can build a device and get it out the door in 6 months, or you can adopt standards equivalent to those used for EAL-7 in the security community, and get it out five years from now. How many people will die of cancer or other treatable diseases during those 4.5 years? If you kill 5 people with accidental overdoses, and save 20, aren't you ahead? [Yeah, I know, but what if I'm one of the 5? True, but I never know in advance whether I'll be one of the 5, or one of the 20. Overall, I'll take those odds when I have an otherwise fatal—or debilitating—disease.] [snip] > Isn't it about time that professional engineering bodies took a public stand > that such events are avoidable and should be avoided? That devices prone to > accidents through "operator error" should be taken off the market and > redesigned? To adopt the de facto standard set by the aviation industry, > that some set party is deemed liable (in aviation: the airline) and pays > compensation? 
> (Obvious candidates here would be the manufacturer or the > hospital; one would then leave it to the insurance industry to negotiate > contributory payments from other parties, as insurance usually does.) AFAIK that already happens. You can bet that every one of the patients killed (or injured) by an accidental overdose has received compensation, or soon will. Does it really make a difference if the initial payer is a hospital/clinic whose employee "misused" the device, or the manufacturer? Either way, the insurance industry will sort out who pays how much. One thing to consider: it is impossible to make something foolproof, because fools are so ingenious. I'm reminded of a news story I read a couple of decades back: A nuclear sub came limping into port with inadequate power. Technicians came on board to see what was wrong, and found that one of the engines was installed upside down (and hence, wasn't producing much power, if any). Now... the engineers who designed the engine knew that it would be installed by average Navy seamen—which is to say, people with an IQ of around 100. Not total dummies, but not especially smart either. So they built it in the shape of a trapezoid: the top and bottom were of different widths. And the space it was installed into was similarly shaped. That didn't stop the installers. When it wouldn't fit, they just used a bigger hammer. So yes, it would be nice if life-critical systems had better failure modes and were less subject to operator error. And in some cases, yes, the manufacturer could and should have anticipated that and taken appropriate steps to prevent it. *But* nothing is ever perfect. And the perfect is the enemy of the good.
One objection I have heard is that the FCC is overreaching its authority. Once the precedent is set, we can expect many more internet regulations from the FCC. There seems to be an increase in the phenomenon of statutory bodies unilaterally extending their powers to cover areas that are too contentious for Congress to tackle.
You can have all kinds of good clean fun looking to see what Google Maps does with abbreviations. For instance, the streets in the neighborhood just south of Twin Trails Neighborhood Park, San Diego, CA (Google maps link here: http://tinyurl.com/324whky ) have Western-themed names, like Cayote Ave, Sundance Ave, Cavalry Ct, Trail Dust Ave, Old West Ave, and so forth. But Google Maps thinks that all instances of the word "West" should be abbreviated, so "Old West Ave" is marked as "Old W Ave". Everett Howe, Center for Communications Research, 4320 Westerra Court San Diego, CA 92121 http://www.alumni.caltech.edu/~however/
*One Nation Under Surveillance: A New Social Contract to Defend Freedom Without Sacrificing Liberty* (Oxford University Press, 2011) examines what limits—if any—should be placed on a government's efforts to spy on its citizens in the name of national security. www.OneNationUnderSurveillance.net The Web site also has links to two op-eds discussing current issues in the debates over security, privacy, and the work of intelligence services. The first, being distributed through *Project Syndicate*, considers the recent WikiLeaks revelations. The perverse consequence of this guerrilla transparency will in fact be greater secrecy, worse decision-making, and less accountability in the United States and elsewhere. The second, published in the global edition of the *New York Times*, looks at the reviews of data protection laws in the United States and Europe presently underway—and shows why privacy will lose out. Simon Chesterman, Vice Dean (Graduate Studies), NUS Law School, Global Professor & Director, NYU School of Law Singapore Programme, 469G Bukit Timah Road, Singapore 259776