The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 93

Thursday 19 July 2012


Washington State wants to register voters via Facebook
Peter Houppermans
Facebook security 'checkpoint' hits user roadblock
Antone Gonsalves via Gene Wirchenko
Passwords leaked from Yahoo: Boozy, preachy, angry—and easy
Stephen Lawson via Gene Wirchenko
Bitcoinica exchange funds hacked, again
Mark Thorson
Accidents due to confusion of units of measurement
Mom accessed school system 110 times to change kids' grades
Emil Protalinski via Monty Solomon
Online identity theft up 200% since 2010
Emil Protalinski via Monty Solomon
Warning: Scams surrounding 2012 Olympics have already begun
Emil Protalinski via Monty Solomon
"GPS watch to keep tabs on kids, seniors could hit Canada by autumn"
Christine Wong via Gene Wirchenko
Re: FDA spied on its own people - and then the evidence leaked
Steven J Klein
Ken Knowlton
Re: In the UK, encryption implies potential guilt?
David Alexandero
Re: Major Snafu in New Zealand Election was 'Human Error'
Gregor Ronald
Re: Taxing old browsers out of existence
Dimitri Maziuk
Henry Baker
Jonathan Kamens
Arthur T.
Re: Privacy trumps cybersecurity!
Dick Mills
"Apple wins patent for transparent scroll bar"
Gene Wirchenko
Re: Announcement of civil timekeeping meeting
J R Stockton
Monty Solomon
Info on RISKS (comp.risks)

Washington State wants to register voters via Facebook

Peter Houppermans <>
Wed, 18 Jul 2012 13:46:09 +0200

  "Facebook users in Washington state will have something else to brag about
  to their online friends: that they registered to vote on Facebook.  The
  secretary of state's office said Tuesday it will have an application on
  its Facebook page that allows residents to register to vote and then
  "like" the application and recommend it to their friends. It's expected to
  launch as early as next week."

Pay particular attention to the bright idea to get users used to trusting
page overlays on Facebook.  With "friends" like that..

  [... presumably with multiple aliases and personas, as well.  An obvious
  next step might be legislation requiring would-be voters to cast their
  votes on Facebook or other social networking media.  That would clearly
  solve all our concerns for security, integrity, equal access, and privacy?

Facebook security 'checkpoint' hits user roadblock (Antone Gonsalves)

Gene Wirchenko <>
Tue, 17 Jul 2012 13:09:44 -0700

Antone Gonsalves, *InfoWorld*, 13 Jul 2012
Facebook security 'checkpoint' hits user roadblock;
Some Facebook users say their accounts were locked when they tried to
use the new Malware Checkpoint service

Passwords leaked from Yahoo: Boozy, preachy, angry—and easy

Gene Wirchenko <>
Tue, 17 Jul 2012 13:13:17 -0700
  (Stephen Lawson)

Stephen Lawson, *InfoWorld*, 13 Jul 2012
Passwords leaked from Yahoo: Boozy, preachy, angry—and easy;
The account passwords taken from a Yahoo database reveal much about
users, good and bad

Bitcoinica exchange funds hacked, again

Mark Thorson <>
Tue, 17 Jul 2012 16:14:24 -0700

After the Bitcoinica exchange for the Bitcoin cryptocybercurrency was hacked
in May, they changed all their passwords but they did not change an
uncompromised password they used on another system.  Unfortunately that
password was the same as one of the compromised passwords.  Oops.  About
USD$350,000 gone.

Accidents due to confusion of units of measurement

Thu, 19 Jul 2012 09:41:12 +0800

Don't forget your units, programmer dudes.

... ran out of fuel in mid-flight. The incident was caused, in a large part,
by the confusion over the conversion among litres, kilograms, and pounds,
resulting in the aircraft receiving 22,300 pounds of fuel instead of the
required 22,300 kg.

... approximately 10 - 12% of bridge strikes involved foreign lorries.  This
is disproportionately high in terms of the number of foreign lorries on the
road network.

Mom accessed school system 110 times to change kids' grades

Monty Solomon <>
Thu, 19 Jul 2012 13:01:51 -0400

Summary: A former secretary successfully changed her daughter's grade from
an F to an M and her son's grade from a 98 to a 99. She used the school
district's superintendent's password to pull off the deeds.

45-year-old Catherine Venusto allegedly changed her children's grades by
using passwords she obtained while working for their school district. She
was charged with three counts each of unlawful use of a computer and
computer trespass. The former secretary was arraigned Wednesday on a
half-dozen felony counts and released on $30,000 unsecured bail, court
records show. State police say she admitted changing the grades, and while
she agreed her actions were unethical, she didn't think they were
illegal. ...  [Source: Emil Protalinski, ZDNet, 19 Jul 2012]

Online identity theft up 200% since 2010

Monty Solomon <>
Thu, 19 Jul 2012 13:01:51 -0400

Summary: Following the recent slew of attacks against various websites that
resulted in millions of user accounts being compromised, comes this little
statistic: fraudsters traded 12 million pieces of personal information
online in just Q1 2012.

In Q1 2012, fraudsters traded 12 million pieces of personal information
online, or a 200 percent increase over 2010. Most people were unaware their
identity had been stolen until they were denied access to
something. Identity theft victims commonly experience refusal of loans or
credit cards (14 percent), debts being run up in their name (9 percent),
refusal of mobile phone contracts (7 percent), and being chased by debt
collectors for money they do not owe (7 percent). ...
  [Source: Emil Protalinski, ZDNet, 19 Jul 2012]

Warning: Scams surrounding 2012 Olympics have already begun

Monty Solomon <>
Thu, 19 Jul 2012 13:01:51 -0400
  (Emil Protalinski)

Summary: This year's Summer Olympics are less than two weeks away.  That
means you should already be wary of scams and spam heading your way. Be sure
to remind family and friends to avoid e-mails and websites claiming you've
won something related to the Games.

Source: Emil Protalinski, ZDNet, 18 Jul 2012

"GPS watch to keep tabs on kids, seniors could hit Canada by autumn"

Gene Wirchenko <>
Wed, 18 Jul 2012 09:39:53 -0700
  (Christine Wong)

Christine Wong, *IT Business*, 17 Jul 2012
GPS watch to keep tabs on kids, seniors could hit Canada by autumn
A U.S. startup is marketing the watches as back-to-school items. It's
also keeping a close eye on Canadian Eric Migicovsky's Pebble watch story.7

What kid is going to want to be tracked 24-7?  "Oh, I left it in my locker."
Or aesthetics.  "Suzie's was a nicer colour, so we traded."

Re: FDA spied on its own people - and then the evidence leaked

Steven J Klein <>
Tue, 17 Jul 2012 19:32:10 -0400

In RISKS-26.92, Peter Houppermans linked to a *New York Times* article about
the FDA tracking email sent by its scientists. Mr Houppermans submission
included this:

  Note that the FDA has come up with a new "crime": people are guilty of
  RECEIVING confidential information.

The article does not say the FDA considered it a crime, and the phrase he
puts in quotes does not appear anywhere in the article.

The article mentioned some people were "were suspected of receiving
confidential information,'' which is very different from what Mr
Houppermans implied.

Re: FDA spied on its own people - and then the evidence leaked

Ken Knowlton <>
Tue, 17 Jul 2012 17:32:56 -0400 (EDT)

  Crime of receiving confidential Info?

Re: Peter Houppermans, RISKS-26.92, noting that the FDA has come up with a
new `crime' - that of being “guilty of RECEIVING confidential
information'', an obvious thought: Couldn't Julian Assange and WikiLeaks
have fun with that!  For that matter, is there anyone in the country who is
not already guilty?

Re: In the UK, encryption implies potential guilt? (RISKS-26.92)

David Alexandero <>
Wed, 18 Jul 2012 08:24:54 +0100 (BST)

  [I received several complaints about the cited item in the previous issue.
  Actually, it was not submitted to RISKS, but when I saw it elsewhere, I
  thought it was worth including as a heads-up either for a bad policy, or a
  very bad / perhaps inaccurate / misguided piece of so-called journalism.
  The SUBJECT line was mine, including the question mark.  PGN]

I have just read the item in the link about encryption law in the UK. Oh
dear. I'm sorry but this is scaremongering and sloppy journalism of the very
worst sort.  The Regulation of Investigatory Powers Act 2000 (RIPA) has been
in effect for over 10 years, and to my knowledge there hasn't been a single
instance in which an miscarriage of justice of this sort has occurred.
Contrary to popular belief the Criminal Justice Organizations in the UK do
have access to expert and competent advisors in this field. We have a
National Technical Authority that does know about these matters and isn't
afraid to consult external experts if appropriate.  I can tell you that,
before this law came into effect, there was a case of a suspected paedophile
who had his data seized, under correct forensic procedures, and the CJOs
couldn't break the encryption used to protect it. The person in question
refused to divulge the key and had to be released.  There is no doubt that
RIPA has contributed materially to the safety of the citizen and state in
the UK from terrorist and organized criminal activity. As far as I am
concerned there is a wholly justifiable case to be made for this legislation
and no sane, responsible individual can possibly argue otherwise. The phrase
"You can have security or privacy. Pick one." is very emotive and requires
qualification about the people who have control and oversight, but it's a
good debating point. My choice is "Security, with as much privacy as
possible."  Let's keep this in proportion, more than 99.999% of the
population will never have their data examined by the UK authorities. I
can't vouch for other nation states, and can understand why Americans are so
touchy when abuses of power of this nature (e.g the FDA spying item in
Volume 26 issue 92 of the Risks List) are identified on a regular basis but
please judge us in the UK by your standards.

In the interest of fairness and objectivity, I should say that other areas
of the RIPA do appear to have been abused by local authorities in the
UK. Some surveillance powers appear to have been used for the purposes other
than that for which they were originally intended. Debate is going on about
how to fix that right now.

Re: Major Snafu in New Zealand Election was 'Human Error' (R-26.92)

Gregor Ronald <>
Wed, 18 Jul 2012 14:51:34 +1200

A minor clarification: this election wasn't for any national or regional
political unit. It was an election for members of a community-owned trust
which in turn owns half of the local power utility.

TECT is the Tauranga Energy Consumer Trust, which is a part owner of energy
utility TrustPower.

It's still an unforgivable, and easily prevented, snafu, all the same - but
our NZ government is not at stake here, just the board of a local power

Gregor Ronald, Christchurch, New Zealand

Re: Taxing old browsers out of existence (Baker, RISKS-26.92)

Dimitri Maziuk <>
Tue, 17 Jul 2012 16:19:42 -0500

On the gripping hand, many of the webpages I consider actually useful will
still work in lynx or mosaic. Whereas search for "software updates" in RISKS
yields "zombieware", "distributes malware", and "a menace and a problem", to
pick a few.

Thank you Microsoft for Windows 7, specifically for intercepting all 3rd
party auto-updaters and letting me click "No" whenever firefox wants to wrap
itself in yet another layer of bloat. I hope they'll add "remember my answer
and do this automagically from now on" check box in Windows 8, then I will
upgrade my PC to stop it from automatically upgrading (at least some parts
of) itself.

Dimitri Maziuk  Programmer/sysadmin
BioMagResBank, UW-Madison—

Re: Taxing old browsers out of existence (Kamens, RISKS-26.90)

Henry Baker <>
Tue, 17 Jul 2012 14:22:48 -0700

Normally, I might agree with Jonathan, but this isn't just a browser issue.
He is blithely assuming that newer browsers are better browsers, and that
all progress is "forward" progress.

I've noticed that with every browser "update", the browser gets noticeably
slower & bigger, and noticeably more vulnerable to unpleasant hacking:
there's usually a flurry of 5-10 fixes for each new update to fix all the
new security flaws that the "update" introduced.

Many of the browser "updates" also appear to enhance the ability of
websites to spy on their visitors with new capabilities.

Also, the browsers on many older machines are no longer updated—e.g.,
older Macs, phones, etc., so this is effectively a disenfranchisement of
those with older machines.

I've been forced to use "NoScript" to run with Javascript _normally
disabled_, and only selectively enable Javascript on the smallest subset
of sites that enables minimal functionality.  In particular, Google's
Javascript cleverness is so annoying that I have had to block Javascript
on all of Google's sites.

All of Adobe's & Semantec's bloatware have been removed from my machines,
as 95% of their code does nothing for me but open up huge security holes.

I have to manually disable "automatic updates" (aka "automatic virus
installers") on each and every program; among other things, these "updates"
appear to be for the sole purpose of turning their stupid & often dangerous
default settings back on (e.g., Apple iTunes).

I have to disable the camera & microphone at the operating system level
to deter some spyware; I suppose on the next generation of Windows, I'll
have to physically destroy the camera & microphone with my power drill
before starting to use the machine.

Virtually every "improvement" has its downside: look at the swath of damage
caused by the "autorun" feature of Windows that begs for the opportunity to
install a new virus every time you plug something into your machine.

Re: Taxing old browsers out of existence (Baker, RISKS-26.90)

Jonathan Kamens <>
Tue, 17 Jul 2012 17:55:17 -0400 (EDT)

Henry, You cannot defeat the inexorable tide of progress in computer
hardware and software. You may not view it as progress, but in that view you
are in a small minority, and that is not likely to change.

The vast majority of users who are using very old browsers are not doing so
because of carefully considered concerns about security. They are doing so
because they haven't bothered to update for whatever reason. Because they
have not taken the precautions you have taken to make their old browsers
secure, they are vulnerable. There are a lot more of them than there are of
people like you. Therefore, in terms of measuring the greatest good for the
greatest number of people, forcing people to upgrade their browsers is
clearly a net positive.

As for your point about "disenfranchising" users of old computers, I don't
hear anybody complaining that it's unfair that you can't get any decent
software for the Apple ][+ nowadays. Hardware becomes obsolete, and as the
pace of advances in hardware has increased, the pace of its obsolescence has
as well. As I started with, you can't fight progress and expect to win.

Re: Taxing old browsers out of existence (RISKS-26.90)

"Arthur T." <>
Tue, 17 Jul 2012 20:03:40 -0400

 From an economic point of view, the evolution and roll-out of new browsers
is a bane on the existence of web developers. It costs companies real money
in terms of rewriting perfectly good code to take advantage of the latest
bells and whistles that *someone* in the company thinks the web site should
have or support. The old site will support the new browsers fine with no

 From a progress point of view, the resources spent taking advantage of new
features for no other reason than that those features exist raises the
question, "Is this progress, or is this just change?"

All of the new browsers support everything the old browsers do. If you want
to save money, add content, not bling. The economic problem is not
supporting old browsers, but trying to take advantage of every new feature
of every new browser that comes along.

I use an old browser. I know all of the keyboard shortcuts.  I know what
click does, what shift-click does, what shift-ctrl-click does, etc. I'd be
wasting a lot of my own time constantly learning how to use new browsers,
and, more importantly, trying to forget years worth of old habits.

You are free to write your site in a way that requires new browsers. I am
free to go elsewhere. If you have a site, you probably want people to use
it. Why drive people to your competitors?

Re: Privacy trumps cybersecurity! (RISKS-26.92)

Dick Mills <>
Wed, 18 Jul 2012 09:41:17 -0400

The cited article misses the point.  To many American people, privacy is not
the main issue.  Rather they perceive our own government and big business as
the primary risks.

In the name of cybersecurity, the fox is asking for the keys to the hen

It sounds less controversial to say that we are concerned about privacy,
than to say that government is the problem, not the solution.

"Apple wins patent for transparent scroll bar"

Gene Wirchenko <>
Thu, 19 Jul 2012 09:54:41 -0700

  This is patentable?

Mark Hattersley, Apple wins patent for transparent scroll bar:
Apple has secured a patent to a major interface design motif in the
ongoing patent wars, *IT Business*, 18 Jul 2012

Re: Announcement of civil timekeeping meeting (Seaman, RISKS-26.92)

Dr J R Stockton <>
Wed, 18 Jul 2012 19:52:12 +0100

The ordinary people, who are the democratic majority, want local civil time
- LCT - to be 24 hours of 60 minutes of 60 seconds per mean solar day.  They
can tolerate seasonal clock changes, and time zone changes when traveling.
They can have no rational objection to the occasional sub-ppm-scale change
in the length of a civil second.

Scientists - physicists and astronomers in particular - need a numbered
scale of exact SI seconds, without separation into minutes, hours, days,

The answer, then, is to disseminate, in principle from BIPM/BIH, both the SI
seconds scale and, every few months, the duration to be used, in integer SI
nanoseconds, for the civil second.  That announced figure will be used for
an integer number of GMT months, changing at GMT month turnover.  Let us say
at the beginning of each quarter- or half- GMT year.  Effectively, leap
seconds are issued in tiny pieces, once per civil second.

Engineers of all sorts can use one or the other of those scales, or if
essential generate whatever variety their profession needs - they are clever
enough to do it.

The electronics needed to lock GMT to SI in that fashion should be within
the capability of any National time lab, any major observatory, any GMT
disseminator - and could be provided commercially.  Those who disseminate
LCT would include time zone and summer time contributions for the locality.
Dates - miscdate.htm estrdate.htm js-dates.htm pas-time.htm critdate.htm etc.


Monty Solomon <>
Wed, 18 Jul 2012 07:38:24 -0400

  Excerpted from
Teaching After The Test: An argument for a national school schedule

 From another teacher at a different school I heard a horror story about a
bunch of students who, part way through the two day long state test, pressed
the wrong button and are now locked out of finishing the rest of it having
only done half. (One of those "Are you done, click continue to end test OK
to continue test?: OK, Continue, Cancel" dialogs where "OK" means you are
done and "Continue" you are—no wait, I have that backwards.)

Please report problems with the web pages to the maintainer