The RISKS Digest
Volume 26 Issue 30

Friday, 14th January 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

For Some Travelers Stranded in Airports, Relief Is in 140 Characters
Kim Severson via Monty Solomon
Risks of not securing public infrastructure
John Sawyer
Against Headphones
Virginia Heffernan via Monty Solomon
The dangers of GPS/GNSS
jidanni
Calif. Supreme Court - cell phones can be searched without warrants
PGN
Login for Facebook
jidanni
Re: Cell phone "emergency mode" *preventing* 911 call
Amos Shapir
Re: Risks of Touring the White House
Steve Wildstrom
Re: Risks of panic about SSNs
John Levine
Re: Health information technology risks
Ken
I am stupid, and it has cost me: Hard Drive woes, Pass 2
Paul Robinson
Re: I am stupid, and it has cost me
George Adomavicius
Re: "Risk of coffee in the cockpit", maybe, maybe not
Mark Brader
Info on RISKS (comp.risks)

For Some Travelers Stranded in Airports, Relief Is in 140 Characters

Monty Solomon <monty@roscom.com>
Sat, 1 Jan 2011 13:22:42 -0500
  (Kim Severson)

[Source: Kim Severson, *The New York Times*, 29 Dec 2010]
http://www.nytimes.com/2010/12/30/us/30airlines.html

Atlanta - Some travelers stranded by the great snowstorm of 2010 discovered
a new lifeline for help. When all else fails, Twitter might be the best way
to book a seat home.  While the airlines' reservation lines required hours
of waiting - if people could get through at all - savvy travelers were able
to book new reservations, get flight information and track lost luggage. And
they could complain, too.

Since [30 Dec 2010], nine Delta Air Lines agents with special Twitter
training have been rotating shifts to help travelers wired enough to know
how to "dm," or send a direct message. Many other airlines are doing the
same as a way to help travelers cut through the confusion of a storm that
has grounded thousands of flights this week.

But not all travelers, of course. People who could not send a Twitter
message if their life depended on it found themselves with that familiar
feeling that often comes with air travel - being left out of yet another
inside track to get the best information.

For those in the digital fast lane, however, the online help was a godsend.


Risks of not securing public infrastructure

John Sawyer <jpgsawyer@googlemail.com>
Fri, 14 Jan 2011 11:17:32 +0000

The following report here states that unprotected SIM cards are part of
traffic lights in Johannesburg.
http://www.joburg.org.za/index.php?option=com_content&view=article&id=6068&catid=88&Itemid=266

No surprises when thieves stole them to make free anonymous calls. So which
part of the risk assessment of this design ignored the fact that if the SIM
was removed it could be used in any phone to make free calls?

The mind boggles.


Against Headphones (Virginia Heffernan)

Monty Solomon <monty@roscom.com>
Sat, 8 Jan 2011 21:40:47 -0500

[Source: Virginia Heffernan, *The New York Times*, 7 Jan 2011]
http://www.nytimes.com/2011/01/09/magazine/09FOB-medium-t.html

One in five teenagers in America can't hear rustles or whispers, according
to a study published in August in The Journal of the American Medical
Association. These teenagers exhibit what's known as slight hearing loss,
which means they often can't make out consonants like T's or K's, or the
plinking of raindrops. The word "talk" can sound like "aw." The number of
teenagers with hearing loss - from slight to severe - has jumped 33 percent
since 1994.

Given the current ubiquity of personal media players - the iPod appeared
almost a decade ago - many researchers attribute this widespread hearing
loss to exposure to sound played loudly and regularly through
headphones. (Earbuds, in particular, don't cancel as much noise from outside
as do headphones that rest on or around the ear, so earbud users typically
listen at higher volume to drown out interference.) Indeed, the August
report reinforces the findings of a 2008 European study of people who
habitually blast MP3 players, including iPods and smartphones. According to
that report, headphone users who listen to music at high volumes for more
than an hour a day risk permanent hearing loss after five years.

Maybe the danger of digital culture to young people is not that they
have hummingbird attention spans but that they are going deaf. ...


The dangers of GPS/GNSS

<jidanni@jidanni.org>
Tue, 04 Jan 2011 11:15:55 +0800

"The problem is that nothing works 100%. GPS is very close, but for
some users under some circumstances, 'very close' is not good enough."
Börje Forssell, Feb 2009
http://mycoordinates.org/the-dangers-of-gpsgnss/


Calif. Supreme Court - cell phones can be searched without warrants

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 4 Jan 2011 17:02:19 PST

  Noted by Lauren Weinstein:
http://bit.ly/gV2NbK  (SFGate)


Login for Facebook

<jidanni@jidanni.org>
Sun, 02 Jan 2011 12:17:01 +0800

http://news.cnet.com/8301-27080_3-20025957-245.html

"Another potential problem for Web sites is that an outage at Facebook could
affect the ability for people to log in on the other sites using Login for
Facebook."

"Facebook advises people to make sure that when they are signing up via
Login for Facebook on a site that a window pops up in a new browser and that
it includes a legitimate Facebook.com Web address. Otherwise, the user could
fall prey to a scam that looks like a legitimate Login for Facebook
implementation but is instead a ruse to steal log in information."
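The CNET advice quoted above hinges on what "includes a legitimate Facebook.com Web address" actually means. As an added example (not from the CNET article, from Facebook, or from the RISKS contributor), the following Python compares the substring test a hurried reader would make with a check that parses the pop-up URL and accepts only an https host that is facebook.com or one of its subdomains. The lookalike addresses are constructed for the demonstration using the reserved .test TLD, and the trusted-domain list is an assumption of the example, not Facebook's published set of login endpoints.

```python
from urllib.parse import urlsplit

# Domains whose login pop-ups we are willing to trust: the bare domain and
# any subdomain of it.  This list is an assumption for the example, not
# Facebook's published set of login endpoints.
TRUSTED_LOGIN_DOMAINS = ("facebook.com",)


def is_trusted_login_url(url: str) -> bool:
    """True only for an https URL whose *host* is a trusted domain or one of
    its subdomains.  The decision is made on the parsed hostname, never on
    whether the string happens to contain 'facebook.com' somewhere."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased; userinfo and port stripped
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".")  # 'www.facebook.com.' names the same host
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LOGIN_DOMAINS)


def naive_contains_check(url: str) -> bool:
    """What 'includes a legitimate Facebook.com Web address' turns into if it
    is read literally: a substring test.  Kept only to show what it misses."""
    return "facebook.com" in url.lower()


# Constructed sample pop-up addresses for the comparison.  The lookalike hosts
# use the reserved .test TLD and are not real sites.
SAMPLES = {
    "https://www.facebook.com/login.php?display=popup": True,
    "https://m.facebook.com/dialog/oauth": True,
    "https://facebook.com/": True,
    "http://www.facebook.com/login.php": False,                  # plain http
    "https://www.facebook.com.account-check.test/login": False,  # real name as a subdomain label
    "https://account-check.test/facebook.com/login": False,      # real name in the path
    "https://facebook.com@account-check.test/": False,           # real name as userinfo
    "https://www.faceb00k.com/login.php": False,                 # lookalike spelling
}


def compare_checks():
    """Return {url: (naive_verdict, strict_verdict, expected)} for SAMPLES."""
    return {u: (naive_contains_check(u), is_trusted_login_url(u), ok)
            for u, ok in SAMPLES.items()}


def naive_false_accepts():
    """URLs the substring test accepts although they are not trusted login pages."""
    return sorted(u for u, (naive, _, ok) in compare_checks().items()
                  if naive and not ok)


if __name__ == "__main__":
    for url, (naive, strict, ok) in compare_checks().items():
        flag = "ok " if strict == ok else "BAD"
        print(f"{flag} naive={naive!s:5} strict={strict!s:5} {url}")
```

The substring test passes four of the five bogus addresses; the host-based test rejects all of them, and also rejects the plain-http variant, which a network attacker could rewrite in transit even when the host is genuine.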


Re: Cell phone "emergency mode" *preventing* 911 call (RISKS-26.26)

Amos Shapir <amos083@hotmail.com>
Tue, 4 Jan 2011 16:17:14 +0200

I have tried this on my own phone (a Samsung C3053); since the police
emergency number in Israel is 100 rather than 911, I assumed I would not be
calling them by mistake—which the phone promptly did.

It seems that the local vendor had pre-programmed the phone to dial 100 as
the default emergency number; this number can be dialed by choosing
"emergency" from the menu, or by dialing the international emergency code
112 (which is defined to work even if the phone is off).  Apparently,
dialing 911 also triggers this function, although this is not documented
anywhere.

In the case described in the referenced article, the phone's default
emergency number could have been programmed to a number different than 911
(or not initialized at all), which is where the phone was redirected to when
the actual 911 code was pressed.


Re: Risks of Touring the White House (RISKS-26.29)

Steve Wildstrom <steve@wildstrom.com>
Fri, 14 Jan 2011 09:48:27 -0500

The White House has long required SSNs from visitors, presumably to
facilitate background checks. The problem, of course, is society's penchant
for using the SSN both for identification (OK, though a number with some
sort of checksum would be better) and authentication (bad.)  The best way to
end the latter would be to follow Marcus Ranum's suggestion of some years ago
and make all SSNs public.

Check out my new blog at swildstrom.wordpress.com

Steve Wildstrom steve@wildstrom.com Twitter: www.twitter.com/swildstrom
Swildstrom on Facebook & LinkedIn www.wildstrom.com/steve
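Steve's aside that an identifier "with some sort of checksum would be better" can be made concrete. The following is an added example, not Steve's code or anything from the digest: a Luhn (mod 10) check digit computed over a made-up nine-digit payload, plus a small simulation that counts which single-digit substitutions and adjacent-digit swaps the check digit catches. What it shows is that a check digit detects transcription errors, including the one classic swap it cannot detect; it says nothing about who is presenting the number, which is Steve's real point.

```python
def luhn_check_digit(payload: str) -> str:
    """Check digit (Luhn, mod 10) to append to a string of decimal digits.
    With the check digit in place, every second digit from the right is
    doubled, so here the rightmost payload digit is the first one doubled."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2   # 'double and subtract 9' step
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if number = payload + check digit is self-consistent."""
    return (number.isdigit() and len(number) >= 2
            and luhn_check_digit(number[:-1]) == number[-1])


def detection_rates(number: str):
    """Simulate the two commonest transcription errors on a valid number and
    count how many the check digit catches.  Returns
    {'substitutions': (caught, total), 'transpositions': (caught, total)}."""
    subs = trans = 0
    subs_caught = trans_caught = 0
    for i, ch in enumerate(number):
        for new in "0123456789":
            if new == ch:
                continue
            subs += 1
            subs_caught += not luhn_valid(number[:i] + new + number[i + 1:])
    for i in range(len(number) - 1):
        if number[i] == number[i + 1]:
            continue  # swapping equal digits changes nothing
        trans += 1
        swapped = number[:i] + number[i + 1] + number[i] + number[i + 2:]
        trans_caught += not luhn_valid(swapped)
    return {"substitutions": (subs_caught, subs),
            "transpositions": (trans_caught, trans)}


if __name__ == "__main__":
    # Made-up nine-digit identifier (not an SSN) with its check digit appended.
    ident = "123456789" + luhn_check_digit("123456789")
    print(ident, detection_rates(ident))
    # A payload containing the digits 9,0 next to each other: the one
    # adjacent swap (90 <-> 09) that Luhn provably cannot detect.
    weak = "1190" + luhn_check_digit("1190")
    print(weak, detection_rates(weak))
```

Every single-digit substitution is caught because the "double and subtract 9" step is a bijection on the digits 0 to 9, so any change moves the sum mod 10. Adjacent swaps are all caught except 09 versus 90, which is why the second run reports one undetected transposition; a mod-11 scheme (as used in ISBN-10) closes that gap at the cost of an "X" check character.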


Re: Risks of panic about SSNs

John Levine <johnl@iecc.com>
14 Jan 2011 18:18:57 -0000

A sensible approach is to consider first, the likelihood of disclosure, and
second, the costs if data are disclosed.

For the first, the chances of some random bad guy reading e-mail in transit
are very low. This concern seems to be left over from the era when coax
Ethernet cables snaked through the utility closets of college dormitories.
How often do you hear about a bunch of e-mail in transit getting published
by mistake?

For the second, SSNs are about the least confidential pieces of data around.
Every bank, credit card, employer, and landlord has your SSN.  In crimeware
carder forums, you can buy data dumps with SSN for a dollar or so apiece.
The real risk is the fiction that someone who presents your SSN has
established that he is you. From a security viewpoint, we'd all be better
off if our SSNs were tattooed on our foreheads so nobody thought they were
secret.

You can certainly argue that the SSN is a lousy identifier, but it's silly to
niggle about how it might be transmitted from one place to another.

John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

PS: Yeah, but what if the GOVERNMENT is spying on the White House?


Re: Health information technology risks (Wears, RISKS-26.25)

Ken <kenzolist@counterfolk.com>
Sun, 26 Dec 2010 11:06:41 -0500

>[...] the social element of the sociotechnical system that is a
>hospital was able to quickly reorganize in multiple ways and
>keep essential services operating in at least some fashion for
>the duration.  Many of these adaptations were made "on the fly" [...]

I consider this an example of one of the primary technology (esp. computers)
risks to society: When an organization needs to spontaneously reorganize (on
the fly or otherwise), and its operations are closely tied into its computer
systems, changing the behavior of the organization becomes difficult and
sluggish, as it requires the involvement and full cooperation of the
relatively few people in the world who know how to change the computer
systems, and the skill to do so without breaking them.  A relatively large
number of people in any given organization know how to reorganize people and
systems on the fly.  But it's not usually many at all who have the skills to
reshape the computer systems behind them.

In this story, some computer systems had failed, and one reason the medical
center could manage its disaster was because it was temporarily no longer
tied to those systems, and it could thusly experience the fluid changes its
staff could envision.  In a normal course of operations, bypassing the
computer systems isn't an option, which makes change that could otherwise be
performed by many people expensive and error prone.  This is a large
societal problem, created by the widespread shift to computer dependency in
an era when it's still the case that relatively few people are able to
program computers.


I am stupid, and it has cost me: Hard Drive woes, Pass 2

Paul Robinson <paul@paul-robinson.us>
Thu, 13 Jan 2011 21:50:54 -0800 (PST)

In RISKS-26.28, I told how I stupidly knocked over an external USB drive,
and it won't work.  A reader here made a suggestion: buy a duplicate, try
disassembling the old drive, then put the components into a replacement long
enough to recover the files to a third unit.  Not a bad idea since the files
are effectively lost anyway and I can't afford $1100 to have the drive
recovered.

As I said I'm stupid.  I also realized I ran a duplicate file finder a month
ago on this drive and it had deleted some 12,000 duplicates, and I didn't
even notice anything gone.  Therefore my collection of just my lost music
files, not counting anything else on the drive, probably isn't a mere 4,000
files, it's probably more like 14,000.

It's a Buffalo HB250U2, an external powered USB 2.0 drive and it's so
"small" at 250GB they stopped selling them in 2007!  So I used a screwdriver
and opened it.  It's effectively a USB hard drive adapter, and it contains a
Western Digital WD250BB standard 3.5" hard drive with a 40-pin ATA (or SATA,
I don't know which) adapter and 4-pin power cable.  When it's powered up
Windows "pings" to indicate it does see a good USB connection but the drive
itself just makes a lot of clicks.

It could also be that the USB -> ATA conversion circuits are damaged.  If
another drive would work here, then that's not the case.  I really do
suspect the drive is damaged rather than the converter circuit but it's
worth a try.

If the platters are not broken and if it's merely the head unable to move
and not platter/spindle damage, then a move to a drive with an undamaged
head might work. If I can figure a way to disassemble the drive, then move
the old platters into a duplicate drive, I might be able to read the old
drive contents onto a new drive. I don't even need a jury-rigged contraption
like that to work for a long time; I only have to get it to work long enough
to read the old platters.

These drives can still be bought now for about $65.

So I might be able to solve my problem if two things are true: the old
platters themselves are undamaged and I can move them to a duplicate of this
drive.  Worst case scenario is I waste $65 and find out I can't.  So it will
still hurt but at least there is a chance.

Also, I could try hooking this drive directly to an ATA cable and see if a
utility program like Spinrite (that talks to the drive directly) can read it
then I don't even have to open it. So I have options.

We shall see.


Re: I am stupid, and it has cost me (Robinson, RISKS-26.28)

"George Adomavicius, Lanzena CCS" <lanzena@earthlink.net>
Fri, 14 Jan 2011 05:36:22 -0500

I just recently wrote an article that Paul's submission completely supports.
http://www.garnercitizen.com/2011/01/11/technology-corner-this-year-back-up-your-pc/

"This is by far the greatest computer-ownership failing I encounter, namely
that PC owners do not back up their machines or critical data. It's almost
like not changing the oil in your car - you can only get away with that for
so long."

"When I am called on a more catastrophic service call ("Cannot boot up," "So
virus-infected, I cannot get to the Internet at all"), I always ask, "Do you
have any critical data on the machine, and do you have a backup of it?"

The answers for those two questions range from yes/no to yes/sort-of to
yes/I've-always-meant-to. If they have a backup, I ask if they have ever
tested it or tried to restore from it. Invariably the answer is negative."

Paul's experience was my third category of catastrophic failure.  The other
two were Fire and Theft.

George Adomavicius, Cary NC

Lanzena Computer & Consulting Services, lanzena@earthlink.net 919-413-1922
http://www.lanzenaccs.com
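George's follow-up question, whether the backup has ever actually been restored from, is the step most people skip. As an added example (not from George's article or Paul's post), the following Python backs up a constructed directory into a tar archive, restores it into scratch space, and compares SHA-256 hashes of every file against the live data; it then repeats the check after the data has changed, to show what a backup that exists but has gone stale looks like. Directory layout, file names and contents are made up for the demonstration.

```python
import hashlib
import os
import tarfile
import tempfile
from typing import Dict, List, Tuple


def hash_tree(root: str) -> Dict[str, str]:
    """SHA-256 of every regular file under root, keyed by POSIX-style relative path."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            hashes[rel] = h.hexdigest()
    return hashes


def make_backup(src: str, archive: str) -> None:
    """Back up the directory src into a gzip-compressed tar archive."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")


def verify_restore(archive: str, expected: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Restore the archive into a scratch directory and compare it with the
    hashes of the data it is supposed to protect.  Returns (missing, mismatched):
    files absent from the restore, and files whose contents differ.  A corrupt
    or unreadable archive raises tarfile.ReadError, which is exactly the surprise
    this check exists to surface before the original disk dies."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):   # Python 3.12+ safe-extraction filter
                tar.extractall(dest, filter="data")
            else:
                tar.extractall(dest)
        restored = hash_tree(dest)
    missing = sorted(p for p in expected if p not in restored)
    mismatched = sorted(p for p in expected
                        if p in restored and restored[p] != expected[p])
    return missing, mismatched


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> Dict[str, Tuple[List[str], List[str]]]:
    """Constructed scenario: back up a small tree, prove the backup restores
    cleanly, then keep working and show what the same check reports once the
    backup has gone stale.  Returns both verification results."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "documents")
        _write(src, "notes.txt", b"shopping list, tax notes\n")
        _write(src, "music/track01.mp3", bytes(range(256)) * 512)  # 128 KiB of filler
        archive = os.path.join(work, "documents-backup.tgz")

        make_backup(src, archive)
        fresh = verify_restore(archive, hash_tree(src))   # nothing missing, nothing changed

        # Life goes on: one file edited, one added, and the backup never re-run.
        _write(src, "notes.txt", b"shopping list, tax notes, passport renewal\n")
        _write(src, "music/track02.mp3", bytes(range(255, -1, -1)) * 512)
        stale = verify_restore(archive, hash_tree(src))   # one missing, one mismatched

    return {"fresh": fresh, "stale": stale}


if __name__ == "__main__":
    for label, (missing, mismatched) in demo().items():
        print(f"{label}: missing={missing} mismatched={mismatched}")
```

The restore goes to a scratch directory, never back over the live data, so the check is safe to run on a schedule; comparing hashes rather than file sizes or timestamps is what catches a silently corrupted or truncated copy.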


Re: "Risk of coffee in the cockpit", maybe, maybe not

Mark Brader
Fri, 14 Jan 2011 04:29:13 -0500 (EST)

>    [Also noted by Charlie Shub. citing the author of the 1961 movie
>    Ernest K. Gann, and the Glenn Ford movie (1964).  PGN]

Ernest K. Gann wrote the 1961 *book* "Fate is the Hunter".
Harold Medford wrote the movie starring Glenn Ford.  By all
accounts it has little to do with the book; as far as I know,
the coffee incident was invented for the movie.
