The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 83

Saturday 12 May 2012

Contents

6 Disasters Caused by Poorly Designed User Interfaces
John Hillabin via Brian Westley
Never Trust a Robot
Earl Boebert
Robot Soldiers Will Be a Reality—and a Threat
Jonathan D. Moreno via John F. McMullen
Automatic cars? Not so fast..
Peter Houppermans
"Fire risk: Lenovo expands recall of ThinkCentre all-in-ones"
Agam Shah via Gene Wirchenko
Disruptions: Indiscreet Photos, Glimpsed Then Gone
Nick Bilton via Monty Solomon
USPS curtailing international lithium battery shipments... no iPads, laptops, cameras...
Danny Burstein
Man jailed for accepting call in court
Gene Wirchenko
FBI issues warning on hotel Internet connections
Michael Cooney via Monty Solomon
".secure" TLD proposed
Lauren Weinstein
More details on the .secure TLD proposal—and why I believe it is fundamentally flawed
Lauren Weinstein
Re: The Campus Tsunami
David Alexander
Re: The Power of Individual Voters to Transform Their Government
Roderick A Rees
Andrew Douglass
Info on RISKS (comp.risks)

6 Disasters Caused by Poorly Designed User Interfaces: John Hillabin

"Brian Westley" <westley@visi.com>
Sat, 12 May 2012 01:37:10 -0500

  [John Hillabin has chosen 6 incidents at least partially blamed on bad
  UIs.  As we have noted many times before, blame can usually be more widely
  distributed.  Most of these should be familiar to long-time RISKS readers.
  PGN-ed from a detailed illustrated item by John Hillabin, cracked.com, 17
  Apr 2012]

6. The Vincennes shootdown of an Iranian commercial airliner—inability
   to distinguish between a fighter and the airliner
5. Three Mile Island—light on a console
4. Air Inter flight 148 crash—display screen too small
3. Herald of Free Enterprise capsized—because of an open door
2. Kegworth air disaster—a digital dial
1. Space Shuttle Columbia burned up—because of PowerPoint

http://www.cracked.com/article_19776_6-disasters-caused-by-poorly-designed-user-interfaces.html


Never Trust a Robot

Earl Boebert <boebert@swcp.com>
Fri, 11 May 2012 12:52:25 -0600

  [From Steve Greenwald's distribution]

Each year an ocean race for sailboats is run from Newport, CA to Ensenada,
Mexico. Owing to diminishing entries, the organizers some years ago allowed
cruising sailboats to enter. These are generally largish, slowish motor
sailors intended for comfortable recreational sailing. Since the race occurs
in a time and place known for light winds, the rules permit the cruising
sailboats to proceed under motor during nighttime, so that they may reach
the finish in time for the party.

This year, dawn broke after the first night to reveal a debris field and
three bodies near a set of rocky islets known as Coronado Island. The
remains were identified as those of an entered boat and three of her four-man
crew. The body of the fourth crew member was discovered a week later. These
were the first fatalities in the 60-year history of the race.

The boat was equipped with every possible electronic aid, and the captain
(the fourth crewmember) was an electronics executive and highly experienced
sailor. One of the aids was a commercial tracking system called SPOT, which
permits shoreside viewing on the Web of the track of the vessel carrying
it. When the SPOT track surfaced it showed a dead straight line headed into
the northernmost of the Coronados. The point of intersection was a sheer
rocky cliff.

The most plausible inference (which may be invalidated by later evidence) is
that the crew started the motor, set a waypoint at the entrance to Ensenada
harbor, and turned on the autopilot. A further inference is
that in doing so they had the electronic chart zoomed out to a point where
the Coronado Islands no longer showed up, and so had no warning that their
track would take them straight into a rock. It then seems likely that the
three crew members went below to sleep and sometime later the captain fell
overboard. The robot then motored the boat and the sleeping crew straight
into the cliff. Given the sea state and the speed shown on the track it is
estimated that impact velocity was in the order of 11 kt, sufficient to
split the hull and flood the boat, which was then pounded to pieces by the
surf beating against the sheer cliff. Even if the crew had survived the
impact, survival that close to the rocks in that sea state was impossible.

One comment in a long forum thread about this incident claimed that the UK
maritime safety organizations have now adopted an acronym called "SNIG,"
which stands for "Sat-Nav Induced Grounding." A half-smart robot (smart
enough to steer a straight line, but not smart enough to know the line goes
through a rock) is a dangerous thing.


Robot Soldiers Will Be a Reality—and a Threat: Jonathan D. Moreno

"John F. McMullen" <johnmac13@gmail.com>
May 12, 2012 1:35 PM

Given the obvious dangers, fully autonomous offensive lethal weapons should
never be permitted.  Jonathan D. Moreno, *The Wall Street Journal* [PGN-ed]
http://online.wsj.com/article/SB10001424052702304203604577396282717616136.html?mod=WSJ_Opinion_LEFTTopOpinion

Much controversy has surrounded the use of remote-controlled drone aircraft
or "unmanned aerial vehicles" in the war on terror. But another, still more
awe-inducing possibility has emerged: taking human beings out of the
decision loop altogether. Emerging brain science could take us there. ...

[J.D. Moreno is a professor of medical ethics and health policy at the
University of Pennsylvania and a senior fellow of the Center for American
Progress. He is the author of "Mind Wars: Brain Research and the Military
in the 21st Century" (Bellevue, 2012).]

For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml

http://johnmacrants.blogspot.com http://johnmac13.pulsememe.com/
Editor - Web2.0 The Magazine—www.web2themag.com  http://bit.ly/johnmac


Automatic cars? Not so fast..

Peter Houppermans <peter@houppermans.com>
Sat, 12 May 2012 16:50:08 +0200

I have read with amusement a lot of pieces such as the BBC article linked
below that predict a rosy future now that Google is on its way (sorry) to
test its driverless car in Nevada:

http://www.bbc.co.uk/news/magazine-18012812

I even came across a piece that predicted a brutal drop in insurance rates
somewhere.

Not so fast, if you'll pardon the pun: all of this is based on the assumption
that (a) it will all work wonderfully and (b) third parties will not find a
way to get creative with it.

Point (a) really needs no elaboration - the development of such software is
several million dollars of manhours and innovation behind the telematics
that keeps planes in the air, and we're aware of enough bugs in that
environment to make a RISK-aware professional nervous.  Furthermore, Google
may be a hothouse of innovation according to some, but if their code
controls are so shoddy that an engineer "accidentally" can throw a Wifi
snooping application into the Streetview data gathering process (including
the required data storage back end) I would hazard a guess that there is
room for improvement.  It would put a whole new spin on their "I feel lucky"
slogan..

I assume point (b) to be an almost instinctive focus for faithful readers of
RISKS.  I would be rather concerned about ANY data exchange from such a
vehicle - not just from the privacy angle (not to harp on about Google), but
also from the kind of mischief that could be had from messing with the car.
It should no longer be news that present embedded systems in cars can be
hacked to the point of disabling the brakes remotely (www.autosec.org) - I
dare say that that ought to inspire some better focus on shielding such
systems first.  For the James Bond fans, this could otherwise work out
neater than shipping a dessert portion of polonium abroad..

On the plus side, it does open the perspective of a new era of car tuneups,
and I personally would not want a Jetsons style flying car above me without
automation (because of the driving styles I encounter daily in the present
2D environment) - there certainly is room for progress.

I would simply like to repeat the theme of a Swiss speed awareness campaign:
  Slow down - take it easy.


"Fire risk: Lenovo expands recall of ThinkCentre all-in-ones": Agam Shah

Gene Wirchenko <genew@ocis.net>
Thu, 10 May 2012 09:03:36 -0700

http://www.itbusiness.ca/IT/client/en/CDN/News.asp?idg413
Agam Shah, Fire risk: Lenovo expands recall of ThinkCentre all-in-ones
Some of Lenovo's ThinkCentre M70z and M90z models could catch fire
due to a faulty power supply, *IT Business* 9 May 2012


Disruptions: Indiscreet Photos, Glimpsed Then Gone: Nick Bilton

Monty Solomon <monty@roscom.com>
Wed, 9 May 2012 10:49:53 -0400

Nick Bilton, 6 May 2012

People once took photographs so they could capture a moment for themselves
and keep it forever. Then digital cameras and cellphones turned photos into
something more ephemeral and more easily shared.  But as the case of Anthony
Weiner demonstrated, photos that are shared but are not meant to last,
sometimes stick around.

Mr. Weiner's downfall does not seem to have discouraged people from sharing
risque photos. According to a study by the Pew Research Center's Internet
and American Life Project that is due out later this year, 6 percent of
adult Americans admit to having sent a "sexually suggestive nude or nearly
nude photo or video" using a cellphone. Another 15 percent have received
such material. Three percent of teenagers admit to sending sexually explicit
content.

All of this sexting, as the practice is known, creates an opening for
technology that might make the photos less likely to end up in wide
circulation.

This is where a free and increasingly popular iPhone app called Snapchat
comes in. Snapchat allows a person to take and send a picture and control
how long it is visible by the person who receives it, up to 10 seconds.
After that, the picture disappears and can't be seen again. If the person
viewing the picture tries to use an iPhone feature that captures an image of
whatever is on the screen, the sender is notified.

http://bits.blogs.nytimes.com/2012/05/06/disruptions-indiscreet-photos-glimpsed-then-gone/


USPS curtailing international lithium battery shipments... no iPads, laptops, cameras...

Danny Burstein
Sat, 12 May 2012 18:27:39 -0400 (EDT)

If you're a servicemember overseas planning to order the latest smartphone
or laptop from the United States, take a second look at your options.
Effective 16 May 2012, new U.S. Postal Service restrictions will ban air
shipping of any electronics containing lithium batteries - such as iPads,
smart phones and digital cameras - between the United States and overseas
locations.  [stripes.com]

rest:
http://www.stripes.com/gadgets-using-lithium-to-be-barred-from-overseas-shipments-1.176965

the USPS info sheet clarifies that you can't send lithium batteries, even if
in their own box:
  http://about.usps.com/postal-bulletin/2012/pb22336/html/updt_010.htm

"Primary lithium metal or lithium alloy (non-rechargeable) cells and
batteries, or secondary lithium-ion cells and batteries (rechargeable),
regardless of quantity, size, or watt hours, and regardless of whether the
cells or batteries are packed in the equipment they are intended to operate,
with the equipment they are intended to operate, or without equipment
(individual batteries). This standard applies to all APO, FPO, or DPO
locations."

* and looks like this also applies to Canada/Mexico.  Don't know about
  Hawaii. (The service rep at my local Post Office just got the notice Fri.,
  May 11th, and it left the question of Hawaii up in the air, so to speak).

* There are *plenty* of consumer items that have these batteries, sometimes
  obviously (such as a laptop), but frequently hidden away and/or built in.

hmm, wonder what's in my ultrasonic tapeless tape measure?


Net Neutrality and Economic Equality Are Intertwined

Lauren Weinstein <lauren@vortex.com>
Wed, 9 May 2012 10:49:31 -0700

  [*The New York Times* via NNSquad]

http://j.mp/Jyv0xe  (New York Times)

  "If I watch last night's 'S.N.L.' episode on my Xbox through the Hulu app,
  it eats up about one gigabyte of my cap, but if I watch that same episode
  through the Xfinity Xbox app, it doesn't use up my cap at all,"
  Mr. Hastings wrote on his Facebook page. "In what way is this neutral?"
  Comcast argues that its Xfinity move is not subject to the Federal
  Communications Commission's neutrality rules because the video travels
  exclusively on its network and not on the public Internet.

I will note that Comcast's excuse is—in my opinion—specious, since
they alone determine how much of their total cable bandwidth they devote to
"outside" Internet access services, how much those cost, where arbitrary
bandwidth caps are set, and so on. All without any effective regulatory
oversight whatsoever. This is *exactly* the anticompetitive scenario that
many of us have been warning about for years.


Neurosurgeon pulled off cruise after fake bioterrorism tweet

Monty Solomon <monty@roscom.com>
Thu, 10 May 2012 23:48:43 -0400

Posted by Erin Mulvaney, 9 May 2012

A Nashville neurosurgeon was pulled off a Carnival cruise suspected of
planning to commit a bio-terrorist attack, after a tweet from an impostor
account claimed the doctor had a vial of harmful bacteria on board. ...

http://blog.chron.com/newswatch/2012/05/neurosurgeon-pulled-off-cruise-after-fake-bioterrorism-tweet/


Humorous Doctor Office Interaction?

James Nettesheim <james.nettesheim@gmail.com>
Fri, 11 May 2012 13:10:17 -0400

My Doctor's Office Asked Me to Lie -- Richard Stallman
  [From Steve Greenwald's distribution]

I saw a doctor this week. Before the appointment, I was asked to sign a
privacy policy consent form which started out this way:

   1. The Practice's privacy Notice has been provided to me prior to my
   signing this consent...
   2. The Practice reserves the right to change its privacy practices that
   are described in its Privacy Notice, in accordance with applicable law.

Since I was unwilling to sign a false statement, I asked to see the privacy
notice. The receptionist offered me another copy of the consent form. I
said I already had that, but that it referred to a "privacy notice" and
that's what I didn't have a copy of. The receptionist said, "The rest of
this page gives a summary of the privacy notice." It was a very brief
summary and treated few points. I said, "This clearly refers to some other
Privacy Notice, and it asks me to sign a statement that I have seen it. I
cannot sign that if it is not true."

She said it was a binder 3,000 pages long. I said that I would not ask for
a copy, but I did want to take a look at it. She went to look for it, then
came back and said she could not find it, but asked me to sign anyway.

I said, "Are you asking me to lie?" She said, "No, I am asking you to sign
a piece of paper." I said, "I cannot sign a statement that is not true."
She said, "You can reschedule your appointment for some other time." I
suggested, "How about if I add 'not' to make it a true statement?" She
accepted this. So I had my appointment.

The substance of the issue probably doesn't matter much. There is no real
confidentiality of medical records in the US, since the police can get them
under very easy conditions. Nonetheless, it is a dishonest proceeding,
systematically asking patients to accept policies they have not seen and
then make false statements.

Copyright 2011 Richard Stallman, released under Creative Commons
Attribution-NoDerivs 3.0 Unported  http://www.stallman.org/articles/asked_to_lie.html


"Facebook file-sharing could be security, piracy nightmare"

Gene Wirchenko <genew@ocis.net>
Fri, 11 May 2012 12:19:50 -0700

http://www.infoworld.com/t/social-networking/facebook-file-sharing-could-be-security-piracy-nightmare-192959
InfoWorld Home / InfoWorld Tech Watch
May 11, 2012
Facebook file-sharing could be security, piracy nightmare
Users won't be able to pass along music or .exe files—but infected
PDFs and other forms of pirated content are permissible
By Ted Samson | InfoWorld


USPS curtailing international lithium battery shipments... no iPads, etc...

danny burstein <dannyb@panix.com>
Fri, 11 May 2012 15:44:45 -0400 (EDT)

[stripes.com]

If you're a servicemember overseas planning to order the latest smartphone
or laptop from the United States, take a second look at your options.

Effective May 16, new U.S. Postal Service restrictions will ban air shipping
of any electronics containing lithium batteries - such as iPads, smart
phones and digital cameras - between the United States and overseas
locations.

    ------
rest:
http://www.stripes.com/gadgets-using-lithium-to-be-barred-from-overseas-shipments-1.176965

- the USPS website doesn't seem to have any "press releases"
   or other "recent announcements" menu choice


Man jailed for accepting call in court

Gene Wirchenko <genew@ocis.net>
Thu, 10 May 2012 21:14:23 -0700

  I like this risk!  I would like to see it happen more often.

*The Daily News* (Kamloops, British Columbia, Canada); Thursday, May 10,
2012; p. A2:

"ODDITIES

Man jailed for accepting call in court

DUBLIN, Ireland, via the Associated Press": Letting your cellphone ring in a
courtroom is rarely a good idea.  Taking the call is worse.  A Northern
Ireland man received a brief jail sentence Wednesday after his phone rang.
The judge told him to turn it off, but instead he took the call and had a
brief chat.

The judge ordered 36-year-old Paddy Sweeney behind bars for two hours, then
fined him $322 for willfully interrupting the court in Londonderry, Northern
Ireland's second-largest city.  Sweeney had been watching a civil trial at
the time.


FBI issues warning on hotel Internet connections: Michael Cooney

Monty Solomon <monty@roscom.com>
Thu, 10 May 2012 11:18:56 -0400

Michael Cooney, FBI says malware lurking in hotel room connections,
particularly overseas, *Network World*, 9 May 2012

The FBI today warned travelers there has been an uptick in malicious
software infecting laptops and other devices linked to hotel Internet
connections.

The FBI wasn't specific about any particular hotel chain, nor the software
involved but stated: "Recent analysis from the FBI and other government
agencies demonstrates that malicious actors are targeting travelers abroad
through pop-up windows while they are establishing an Internet connection in
their hotel rooms.

The FBI recommends that all government, private industry, and academic
personnel who travel abroad take extra caution before updating software
products through their hotel Internet connection.  Checking the author or
digital certificate of any prompted update to see if it corresponds to the
software vendor may reveal an attempted attack. The FBI also recommends that
travelers perform software updates on laptops immediately before traveling,
and that they download software updates directly from the software vendor's
website if updates are necessary while abroad."

The FBI said typically travelers attempting to set up a hotel room Internet
connection were presented with a pop-up window notifying the user to update
a widely used software product. If the user clicked to accept and install
the update, malicious software was installed on the laptop. The pop-up
window appeared to be offering a routine update to a legitimate software
product for which updates are frequently available.  ...

http://www.networkworld.com/news/2012/050912-fbi-internet-259125.html


".secure" TLD proposed

Lauren Weinstein <lauren@vortex.com>
Fri, 11 May 2012 11:06:16 -0700

http://j.mp/Ku8Cau  (Wired via NNSquad)

  "A security researcher has won investments of more than $9 million to
  incorporate a tightly policed section of the Internet reserved for banks,
  healthcare providers, and other groups that are regularly targeted in
  malware, phishing, and similar online attacks."

Describing the many reasons why this idea is fundamentally flawed will
be left as an exercise for the reader—for now.


More details on the .secure TLD proposal—and why I believe it is fundamentally flawed

Lauren Weinstein <lauren@vortex.com>
Sat, 12 May 2012 09:20:42 -0700

More details on the .secure TLD proposal (and why I believe it is
fundamentally flawed)
http://j.mp/JlSaLU  (This message on Google+)

You may recall my posting yesterday ( http://j.mp/Ku8pEd [Google+] )
where I suggested that the .secure TLD proposal is fundamentally
flawed for many reasons. The CTO of the company involved contacted me
this morning, pointing at their blog with more details:

http://j.mp/JlRXZ2  (Unhandled)

After reviewing this information, which includes their proposals for a
broader "domain policy framework," I'm forced to stand by my earlier
characterization.  I won't get into the technical analysis now, but just
point out a few facts.

First, the business model for .secure is obvious enough. I mean, hell, if
you're not using .secure, you don't care about your users, right?  How can
you possibly be "secure" if you're not in ... dot-secure? I'm reminded more
than a bit of the model used by the dot-xxx slimeballs to try to coerce firms
into that TLD.

Not to say that the .secure folks are slimeballs. Nor that they're not
genuinely concerned about security. But their model is not realistic --
except as a profit center for them. There are no obvious benefits to be
derived from their model for the Internet community at large, and the most
likely outcome is yet another replay of the protective registrations rush.

The most common reaction I received yesterday regarding .secure was "LOL" --
but many respondents immediately caught on to one of the most glaring
problems with .secure—that it would present an irresistible target for
hackers, denial of service attacks, and all manner of other mischief.

The concept of .secure is essentially 180 degrees away from the model I
believe we should be working towards. Rather than centralizing security, we
need to be distributing it, and doing this effectively means more
fundamental changes than new policy frameworks can provide, and certainly
cannot take place if we buy into the .secure sort of model.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org +1 (818) 225-2800
PRIVACY Forum: http://www.vortex.com  Lauren's Blog: http://lauren.vortex.com


Re: The Campus Tsunami (David Brooks, RISKS-26.82)

David Alexander <davidalexander440@btinternet.com>
Thu, 10 May 2012 18:31:43 +0100 (BST)

I feel well-placed to comment on the article by David Brooks, having
recently completed an MSc in Information Security through Royal Holloway,
University of London (RHUL) entirely by Distance Learning (DL). I should at
this point declare that I am now one of the RHUL DL tutors for the MSc
Network Security module, so they do now employ me in a part-time capacity,
but it also means that I have seen both sides of the fence - a student and
academic staff, in quick succession.

The online program opens up qualifications to people who couldn't afford to
go to university full-time, and to mature students like me (pulling 40 with
a very long rope :) ) who have a mortgage and bills, families, etc. and
couldn't afford time off the corporate treadmill to study full-time. I'm now
considering doing a PhD by DL; yes, I am a glutton for punishment :)

There is no question that it is possible to study successfully for a higher
level academic qualification by distance learning and remote
lecturing/tutoring. All of my learning materials were provided as hard copy
books, material on CD and access to the lecture material and a discussion
area through a 'Virtual Learning Environment' (VLE) based on Moodle. Four
online seminars (three on course material and one exam question revision)
were held regularly with distance learning tutors to provide advice and
help, and to review answers by students to questions set for them.

I think that the biggest risk/challenge is actually ensuring that DL
students are studying effectively and understand the material to a high
enough standard. I noticed all the way through my student days, and now as a
tutor, that less than half the students participate in the seminars and some
don't even log in to the VLE, or do so very rarely. I have no statistics for
the drop-out rate or pass rate for those DL students who do sit the exams,
or pass rates for those who participate on the VLE against those who don't.
I can say that I was an active participant all the way through and it helped
me a great deal.

David Alexander, Towcester, England.


Re: The Power of Individual Voters to Transform Their Government (Mark E Smith, RISKS-26.81)

"Rees, Roderick A" <roderick.a.rees@boeing.com>
Thu, 10 May 2012 06:57:58 -0700

Those who control the processes control the declared result.  The blank
votes, or refusal to vote, can be overcome just like the elections that
declare 99% support for dictators.

Roderick Rees, Reliability, Maintainability and Testability B-Q26 425-342-5729


Re: The Power of Individual Voters to Transform Their Government (Mark E Smith, RISKS-26.81)

Andrew Douglass <douglass@me.com>
Thu, 10 May 2012 10:40:53 -0400

> The only way to get honest elections is to refuse to vote until we do. If
> you're willing to vote in elections where your vote doesn't have to be
> counted and isn't verifiable, you have no leverage with which to demand
> honest elections. Boycott 2012!

Isn't boycotting to protest exclusion ironic? Not unlike suicide to ease the
executioner's burden.

Besides litigation, the way to honest elections is to elect or persuade
concerned representatives to enact legislation and enforce existing law such
as the Voting Rights Act. Such people most certainly do exist, as in the
legislative success of the Verifiable Voting Coalition of Virginia [my
state] to ban DREs.  It's not hard to judge who most resists enfranchisement
and least supports accurate vote counts (granted the contrast is nowhere
near as much as it should be!). If you don't vote or influence others to
vote, you might as well not exist.
