The RISKS Digest
Volume 27 Issue 20

Monday, 18th March 2013

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Election screw-ups in Kenyan election
Hacking the Papal Election
Bruce Schneier
Replacing car keys with smartphone apps
Arthur T.
Hyundai car controller failure?
When being a "self starter" isn't a good thing
Jeremy Epstein
Hiding Secret Messages in E-mail Jokes
Lauren Weinstein
Fake silicone fingers strike again
Charles C. Mann
The Internet is a surveillance state
Bruce Schneier
More bad news for RC4 crypto
Lauren Weinstein
"Researchers resurrect and improve CRIME attack against SSL"
Gene Wirchenko
Warning About the Thrift Savings Plan iPhone App
Gabe Goldberg
"Attorney General's testimony on Aaron Swartz raises more questions than answers"
Ted Samson via Gene Wirchenko
Defense Companies Cash in on Gov't Hyped 'Cyber-Security' Threat
Lauren Weinstein
Microsoft: Botched firmware update set off outage
Tim Greene via Jim Reisert
Bloomberg: Hacker Attacks Top Latest U.S. List of Global Threats
Gabe Goldberg
"Mobile to the rescue when an airplane trip goes awry"
Galen Gruman via Gene Wirchenko
The end of Google Reader: Have I got news for you
G.F. via Dewayne Hendricks
Google offers help to attacked ("hacked") sites
Lauren Weinstein
Re: Boeing 787s to create half a terabyte of data per flight
Bob Frankston
Steve Loughran
Re: How SSD power faults scramble your data
Dimitri Maziuk
Harvard apologizes after secret e-mail search
Lauren Weinstein
Info on RISKS (comp.risks)

Election screw-ups in Kenyan election

"Peter G. Neumann" <>
Tue, 12 Mar 2013 11:19:50 PDT
  [Gathered from a collection of sources.  PGN]

Electronic voting is failing the developing world while the US and
Europe abandon it.

It was supposed to be the most modern election in Africa.  Kenyan
authorities, hoping to avoid the chaos of the 2007 election, decided that
this time the country would use a tamper-proof, state-of-the-art electronic
voting system where voter IDs would be checked on hand-held devices and
results transmitted to Nairobi through text messages.

But everything that could go wrong did.
The biometric identification kits to scan people's thumbs broke down; a
server meant to take in results from 33,400 voting centers sent via SMS
became overloaded; and some election operators forgot the passwords and PIN
numbers for the software. Polling centers went back to hand counting ballots
and results were delayed almost a week, until March 9 when Uhuru Kenyatta's
win was announced. And every day before that people feared a repeat of 2007
when results were delayed and violence erupted, killing 1,200 people.

... Vote information was being uploaded to a central server, which didn't
have enough disk space allocated (to the appropriate filesystem partition).
This meant that attempts to upload vote information failed, and many poll
sites were unable to upload vote data electronically.

  [This failure mode seems particularly outrageous if it was a lack of
  anticipating the number of voters, although perhaps the operational
  interface was misleading or defaulted improperly.  In any event, this
  should easily have been avoidable.  PGN]

See also

Hacking the Papal Election

Bruce Schneier <schneier@SCHNEIER.COM>
Fri, 15 Mar 2013 01:45:15 -0500
Bruce Schneier, Chief Security Technology Officer BT, CRYPTO-GRAM, 15 Mar 2013

Hacking the Papal Election

As the College of Cardinals prepares to elect a new pope, security people
like me wonder about the process. How does it work, and just how hard would
it be to hack the vote?

The rules for papal elections are steeped in tradition. John Paul II last
codified them in 1996, and Benedict XVI left the rules largely
untouched. The "Universi Dominici Gregis on the Vacancy of the Apostolic See
and the Election of the Roman Pontiff" is surprisingly detailed.

Every cardinal younger than 80 is eligible to vote. We expect 117 to be
voting. The election takes place in the Sistine Chapel, directed by the
church chamberlain. The ballot is entirely paper-based, and all ballot
counting is done by hand. Votes are secret, but everything else is open.

First, there's the "pre-scrutiny" phase.

"At least two or three" paper ballots are given to each cardinal, presumably
so that a cardinal has extras in case he makes a mistake.  Then nine
election officials are randomly selected from the cardinals: three
"scrutineers" who count the votes; three "revisers" who verify the results
of the scrutineers; and three "infirmarii" who collect the votes from those
too sick to be in the chapel. Different sets of officials are chosen
randomly for each ballot.

Each cardinal, including the nine officials, writes his selection for pope
on a rectangular ballot paper "as far as possible in handwriting that cannot
be identified as his." He then folds the paper lengthwise and holds it aloft
for everyone to see.

When everyone has written his vote, the "scrutiny" phase of the election
begins. The cardinals proceed to the altar one by one. On the altar is a
large chalice with a paten—the shallow metal plate used to hold communion
wafers during Mass—resting on top of it. Each cardinal places his folded
ballot on the paten. Then he picks up the paten and slides his ballot into
the chalice.

If a cardinal cannot walk to the altar, one of the scrutineers—in full
view of everyone—does this for him.

If any cardinals are too sick to be in the chapel, the scrutineers give the
infirmarii a locked empty box with a slot, and the three infirmarii together
collect those votes. If a cardinal is too sick to write, he asks one of the
infirmarii to do it for him. The box is opened, and the ballots are placed
onto the paten and into the chalice, one at a time.

When all the ballots are in the chalice, the first scrutineer shakes it
several times to mix them. Then the third scrutineer transfers the ballots,
one by one, from one chalice to another, counting them in the process. If
the total number of ballots is not correct, the ballots are burned and
everyone votes again.

To count the votes, each ballot is opened, and the vote is read by each
scrutineer in turn, the third one aloud. Each scrutineer writes the vote on
a tally sheet. This is all done in full view of the cardinals.

The total number of votes cast for each person is written on a separate
sheet of paper. Ballots with more than one name (overvotes) are void, and I
assume the same is true for ballots with no name written on them
(undervotes). Illegible or ambiguous ballots are much more likely, and I
presume they are discarded as well.

Then there's the "post-scrutiny" phase. The scrutineers tally the votes and
determine whether there's a winner. We're not done yet, though.

The revisers verify the entire process: ballots, tallies, everything.  And
then the ballots are burned. That's where the smoke comes from: white if a
pope has been elected, black if not—the black smoke is created by adding
water or a special chemical to the ballots.

Being elected pope requires a two-thirds plus one vote majority. This is
where Pope Benedict made a change. Traditionally a two-thirds majority had
been required for election. Pope John Paul II changed the rules so that
after roughly 12 days of fruitless votes, a simple majority was enough to
elect a pope. Benedict reversed this rule.

How hard would this be to hack?

First, the system is entirely manual, making it immune to the sorts of
technological attacks that make modern voting systems so risky.

Second, the small group of voters—all of whom know each other—makes it
impossible for an outsider to affect the voting in any way. The chapel is
cleared and locked before voting. No one is going to dress up as a cardinal
and sneak into the Sistine Chapel. In short, the voter verification process
is about as good as you're ever going to find.

A cardinal can't stuff ballots when he votes. The complicated
paten-and-chalice ritual ensures that each cardinal votes once—his ballot
is visible—and also keeps his hand out of the chalice holding the other
votes. Not that they haven't thought about this: The cardinals are in "choir
dress" during the voting, which has translucent lace sleeves under a short
red cape, making sleight-of-hand tricks much harder. Additionally, the total
would be wrong.

The rules anticipate this in another way: "If during the opening of the
ballots the scrutineers should discover two ballots folded in such a way
that they appear to have been completed by one elector, if these ballots
bear the same name, they are counted as one vote; if however they bear two
different names, neither vote will be valid; however, in neither of the two
cases is the voting session annulled." This surprises me, as it seems
more likely to happen by accident and result in two cardinals' votes not
being counted.

Ballots from previous votes are burned, which makes it harder to use one to
stuff the ballot box. But there's one wrinkle: "If however a second vote is
to take place immediately, the ballots from the first vote will be burned
only at the end, together with those from the second vote." I assume that's
done so there's only one plume of smoke for the two elections, but it would
be more secure to burn each set of ballots before the next round of voting.

The scrutineers are in the best position to modify votes, but it's
difficult. The counting is conducted in public, and there are multiple
people checking every step. It'd be possible for the first scrutineer, if he
were good at sleight of hand, to swap one ballot paper for another before
recording it. Or for the third scrutineer to swap ballots during the
counting process. Making the ballots large would make these attacks
harder. So would controlling the blank ballots better, and only distributing
one to each cardinal per vote. Presumably cardinals change their mind more
often during the voting process, so distributing extra blank ballots makes

There's so much checking and rechecking that it's just not possible for a
scrutineer to misrecord the votes. And since they're chosen randomly for
each ballot, the probability of a cabal being selected is extremely
low. More interesting would be to try to attack the system of selecting
scrutineers, which isn't well-defined in the document. Influencing the
selection of scrutineers and revisers seems a necessary first step toward
influencing the election.

If there's a weak step, it's the counting of the ballots.

There's no real reason to do a precount, and it gives the scrutineer doing
the transfer a chance to swap legitimate ballots with others he previously
stuffed up his sleeve. Shaking the chalice to randomize the ballots is
smart, but putting the ballots in a wire cage and spinning it around would
be more secure—albeit less reverent.

I would also add some kind of white-glove treatment to prevent a scrutineer
from hiding a pencil lead or pen tip under his fingernails.  Although the
requirement to write out the candidate's name in full provides some
resistance against this sort of attack.

Probably the biggest risk is complacency. What might seem beautiful in its
tradition and ritual during the first ballot could easily become cumbersome
and annoying after the twentieth ballot, and there will be a temptation to
cut corners to save time. If the Cardinals do that, the election process
becomes more vulnerable.

A 1996 change in the process lets the cardinals go back and forth from the
chapel to their dorm rooms, instead of being locked in the chapel the whole
time, as was done previously. This makes the process slightly less secure
but a lot more comfortable.

Of course, one of the infirmarii could do what he wanted when transcribing
the vote of an infirm cardinal. There's no way to prevent that. If the
infirm cardinal were concerned about that but not privacy, he could ask all
three infirmarii to witness the ballot.

There are also enormous social—religious, actually—disincentives to
hacking the vote. The election takes place in a chapel and at an altar. The
cardinals swear an oath as they are casting their ballot—further
discouragement. The chalice and paten are the implements used to celebrate
the Eucharist, the holiest act of the Catholic Church. And the scrutineers
are explicitly exhorted not to form any sort of cabal or make any plans to
sway the election, under pain of excommunication.

The other major security risk in the process is eavesdropping from the
outside world. The election is supposed to be a completely closed process,
with nothing communicated to the world except a winner. In today's high-tech
world, this is very difficult. The rules explicitly state that the chapel is
to be checked for recording and transmission devices "with the help of
trustworthy individuals of proven technical ability." That was a lot easier
in 2005 than it will be in 2013.

What are the lessons here?

First, open systems conducted within a known group make voting fraud much
harder. Every step of the election process is observed by everyone, and
everyone knows everyone, which makes it harder for someone to get away with

Second, small and simple elections are easier to secure. This kind of
process works to elect a pope or a club president, but quickly becomes
unwieldy for a large-scale election. The only way manual systems could work
for a larger group would be through a pyramid-like mechanism, with small
groups reporting their manually obtained results up the chain to more
central tabulating authorities.

And third: When an election process is left to develop over the course of a
couple of thousand years, you end up with something surprisingly good.

This essay previously appeared on, and is an update of an essay I
wrote for the previous papal election in 2005.

My previous essay:

John Paul II's rules:

Benedict XVI's rules:

Rule changes:

Replacing car keys with smartphone apps

"Arthur T." <>
Tue, 12 Mar 2013 17:59:30 -0500
"Traditional car keys will likely become obsolete and be replaced by
technologies offering even greater security and convenience," John Nielsen,
AAA director of automotive engineering and repair told the *L.A. Times*.
"Motorists will need to adapt with the technology to avoid the hassle and
expense of smart key replacements."

Does he really believe that software gives greater security than hardware?
As for convenience, are you going to have to give your smartphone to the
parking lot valet? Or, will you instead give him a (probably permanent) app
to use your car?

Hyundai car controller failure?

"Peter G. Neumann" <>
Fri, 15 Mar 2013 16:12:47 PDT
  [Thanks to Kent Peterson.  PGN]

... allegedly causes high speed chase/crash:

When being a "self starter" isn't a good thing

Jeremy Epstein <>
Wed, 13 Mar 2013 09:33:34 -0400
In management 101, I learned that being a "self starter" is a good thing.
But when it comes to cars, that's not so.

Subaru is recalling 50,000 cars; there's a problem with the remote-control
self starter—if you drop the keys in the wrong way, they can start the car
without the owner noticing.  Obviously if the car is inside a closed garage
and the owner doesn't notice it, that would be a Bad Thing.

Not really a software problem as far as I can tell from the brief
description.  And there's no indication that (by itself) this indicates the
ability for an attacker to remotely start a car.  It more points to the core
point of the RISKS forum: computerized technology can be a risk in its own
right, even when everything works as intended (i.e., only an authorized key
fob can be used to remotely start a car).

Hiding Secret Messages in E-mail Jokes

Lauren Weinstein <>
Tue, 12 Mar 2013 11:19:43 -0700  (*Science Daily* via NNSquad)

  "Desoky suggests that instead of using a humdrum text document and
  modifying it in a codified way to embed a secret message, correspondents
  could use a joke to hide their true meaning. As such, he has developed an
  Automatic Joke Generation Based Steganography Methodology (Jokestega) that
  takes advantage of recent software that can automatically write pun-type
  jokes using large dictionary databases."

[Obviously true.  Why did the chicken traverse the road?  LW]

  [Because he wasn't *cross*?  Because he saw a steganosaurus?  Because he
  wanted to be victimized by a hidden-run driver?  Because he believed in
  o-pun-source soft-air?  This reminds me of a banquet talk I gave many
  years ago on parameterized polymorphic jokes suitable (or not suitable)
  for diverse occasions.  Unfortunately, the ultimate PUNchline was
  recursively parameterized and perhaps lost forever.  PGN]

Fake silicone fingers strike again

"Charles C. Mann" <>
Wed, 13 Mar 2013 20:19:25 +0000 (UTC)
I love the picture that illustrates this story:


Here's hoping none of you, dear readers, has spent much money recently on
finger-scanning biometric security technology lately. Because it turns out
it's pretty easy to hack.

A news report from the BBC reveals that a 29-year-old Brazilian doctor,
Thaune Nunes Ferreira, working in a small town outside Sao Paulo was
arrested over the weekend for allegedly using prosthetic silicone fingers to
fake the presence of six of her colleagues.

That's right. If you can find a decent fingerprint and a way to manufacture
silicone objects (as some 3D printers can), you probably have what it takes
to break into anything that requires a finger scan.

Charles C. Mann, P.O. Box 66, Amherst, MA, 01004-0066

  [Danny Burstein noted that an item on this in Al Jazeera quoted the doctor
  saying this was part of a scam to fool hospital bosses into thinking her
  colleagues had worked more overnight shifts than they actually had.  PGN]

The Internet is a surveillance state (CNN)

Bruce Schneier <>
Sun, 17 Mar 2013 07:46:12 -0500
March 16 2013

I'm going to start with three data points.

One: Some of the Chinese military hackers who were implicated in a broad set
of attacks against the U.S. government and corporations were identified
because they accessed Facebook from the same network infrastructure they
used to carry out their attacks.

Two: Hector Monsegur, one of the leaders of the LulzSec hacker movement, was
identified and arrested last year by the FBI. Although he practiced good
computer security and used an anonymous relay service to protect his
identity, he slipped up.

And three: Paula Broadwell, who had an affair with CIA director David
Petraeus, similarly took extensive precautions to hide her identity. She
never logged in to her anonymous e-mail service from her home network.
Instead, she used hotel and other public networks when she e-mailed him.
The FBI correlated hotel registration data from several different hotels --
and hers was the common name.

The Internet is a surveillance state. Whether we admit it to ourselves or
not, and whether we like it or not, we're being tracked all the time.
Google tracks us, both on its pages and on other pages it has access to.
Facebook does the same; it even tracks non-Facebook users. Apple tracks us
on our iPhones and iPads. One reporter used a tool called Collusion to track
who was tracking him; 105 companies tracked his Internet use during one
36-hour period.

Increasingly, what we do on the Internet is being combined with other data
about us. Unmasking Broadwell's identity involved correlating her Internet
activity with her hotel stays. Everything we do now involves computers, and
computers produce data as a natural by-product. Everything is now being
saved and correlated, and many big-data companies make money by building up
intimate profiles of our lives from a variety of sources.

Facebook, for example, correlates your online behavior with your purchasing
habits offline. And there's more. There's location data from your cell
phone, there's a record of your movements from closed-circuit TVs. ...

More bad news for RC4 crypto

Lauren Weinstein <>
Thu, 14 Mar 2013 12:52:45 -0700  (Forbes via NNSquad)

  "A bunch of us have been sitting in the background scratching our heads,
  knowing that RC4 is weak in all kinds of ways," says Kenny Paterson, a
  professor at Royal Holloway, University of London who worked with
  Bernstein along with three other researchers to develop the new
  techniques. "But no one has been able to put it all together to break TLS
  in this kind of setting. Our work shows one way to do that."

Of course, if someone really wants your stuff that badly, they're probably
gonna try get you to download a keylogger.  But still, let's face it, RC4 is
way, way past its prime.

"Researchers resurrect and improve CRIME attack against SSL"

Gene Wirchenko <>
Fri, 15 Mar 2013 10:30:01 -0700
InfoWorld Home / Security / News
March 14, 2013
Researchers resurrect and improve CRIME attack against SSL
New techniques bypass existing mitigations and allow attackers to
extract sensitive information from users' encrypted Web traffic
By Lucian Constantin | IDG News Service

Warning About the Thrift Savings Plan iPhone App

Gabe Goldberg <>
Tue, 12 Mar 2013 16:24:07 -0400
> Date: Tue, 12 Mar 2013 14:26:05 -0500
> From: Team <>
> Subject: Warning About the Thrift Savings Plan (TSP) iPhone App

  [I have removed some of the ugliest URLs I have ever seen from Gabe's
  posting. I think the stripped version conveys the message adequately.  PGN]

A free iPhone app called TSP Funds is currently being offered through the
Apple store. It asks Thrift Savings Plan (TSP) participants for their
account log in information.

This is not an official TSP app and the TSP does not recommend using this
app to access your TSP account. *Providing your information could result in
a security risk to your account.*

If you would like to access your TSP account, please log in directly at [...]

"Attorney General's testimony on Aaron Swartz raises more questions than answers" (Ted Samson)

Gene Wirchenko <>
Tue, 12 Mar 2013 09:46:19 -0700
Ted Samson, InfoWorld, 8 Mar 2013
U.S. Attorney General Eric Holder and Sen. John Cornyn butt heads
over whether prosecutors 'bullied' hacktivist (Reuters/Noah Berger)

selected text:

Cyber criminals seem to face disproportionately aggressive prosecution and
sentencing—while major financial institutions that had a role in creating
the financial crisis remain, by the attorney general's own admission,

Holder's testimony prompted Cornyn to ask one of the key questions of the
entire case: "Does it strike you as odd that the government would indict
someone for crimes that would carry penalties of up to 35 years in prison
and million dollar fines and then offer him a three- or four-month prison

Why the ton of bricks?

Defense Companies Cash in on Gov't Hyped 'Cyber-Security' Threat

Lauren Weinstein <>
Fri, 15 Mar 2013 08:48:24 -0700
  Bloomberg News reports that within the past two weeks security contractors
  Lockheed Martin and Raytheon have signed an agreement under the Department
  of Homeland Security's Enhanced Cybersecurity Services program providing
  new revenue streams and, more notably, unparalleled access to personal
  information classified as "U.S.  government data."  (Common Dreams via

Microsoft: Botched firmware update set off outage (Tim Greene)

Jim Reisert AD1C <>
Thu, 14 Mar 2013 12:51:15 -0400
Tim Greene, Network World, 14 Mar 2013
Series of events forced a manual recovery, slowing the recovery, Microsoft says

The partial outage lasting 16 hours on Tuesday and Wednesday
morning was caused by a firmware update gone awry that triggered a
temperature spike in a Microsoft data center, resulting in automatic
safeguards that made a large number of servers inaccessible.

Because of the unspecified safeguards, downed servers couldn't fail over on
their own so restoration work had to be done manually, slowing down the
process, according to a blog post by Microsoft Vice President
Arthur de Haan.

Bloomberg: Hacker Attacks Top Latest U.S. List of Global Threats

Gabe Goldberg <>
Tue, 12 Mar 2013 10:48:49 -0400
Hostile hackers or an `isolated state' may succeed in breaching U.S.
computer networks and disrupting power grids and other vital services in the
next two years, the top U.S. intelligence official told Congress today.
[Source: Bloomberg, 12 Mar 2013: .  PGN]

"Mobile to the rescue when an airplane trip goes awry"

Gene Wirchenko <>
Tue, 12 Mar 2013 10:32:49 -0700
Galen Gruman, InfoWorld, 12 Mar 2013
An iPhone and iPad help our intrepid traveler survive flight delays,
flight cancelations, and unexpected overnight stays

The article also mentions problems with systems because his flight had not
been officially canceled.  This made dealing with his problem that much more

The end of Google Reader: Have I got news for you (G.F.)

<Dewayne Hendricks>
Sunday, March 17, 2013
G.F., Seattle, 17 Mar 2013

Spring cleaning has a lot to commend it. But when Google announced that it
is binning its Reader, which aggregates information from websites' news
feeds, tech types around the world erupted in righteous fury. Many websites
which have come to depend on the service to power their news feeds now fret
that Google's decision will cost them millions of readers—and with that
lots of advertising revenue. Users, meanwhile, worry about impending

Google launched Reader in 2005. By offering it to users for free, it
undercut, and ultimately eliminated, all substantial competitors in the
news-aggregation business. The few that remained began requiring a Google
Reader account and used the search giant's service to handle synchronisation
of feeds among a user's mobile and desktop devices. At the time, the servers
and storage required might have cost millions of dollars a year, posing a
high barrier to entry.

Google Reader relies on news-syndication technology collectively called
"RSS", even though there are in fact four rival formats (three types of RSS
and one called Atom). In the late 1990s "push" news services used dedicated
servers to collect information from news websites and push updates to
specialised software on users' computers. This overtaxed the early Internet,
as hundreds or thousands of people on a single network or Internet service
provider would each receive a separate hunk of data with every update. Push
was quickly banned and more or less died in 1999.

RSS gets round this problem by letting users pick what news they want to
get. A user subscribes to an RSS feed by adding it to a list in so-called
newsreader software, which includes mobile and desktop programs and web apps
like Google Reader. Publishers automatically update syndication files (often
in all four popular formats) on their websites whenever they create or
update an item of content. Software on a user's computer "polls" to see if
changes were made, pulls the RSS file, compares it against the previously
retrieved copy, and highlights any changes. (Since the feeding website has
no information about the subscriber, unsubscribing too is hassle-free; when
a user removes the feed from his list, the website can no longer pester

Google (and other aggregators of the day) made the process more efficient
for publishers by reducing the number of requests for the RSS file. If a
million Reader users subscribed to *The New York Times* main feed, Google
only had to make a single query to retrieve the file. Google Reader users
would receive the changed *Times* stories the next time they logged into
Google's site or refreshed stories in software that relied on Reader for
updates. This shifted the burden of a million queries from *The Times* to
Google, and made Google the nexus for updates. (Google also solved a host of
technical problems ensuring that Reader offered a smooth experience.) ...

Google offers help to attacked ("hacked") sites

Lauren Weinstein <>
Tue, 12 Mar 2013 11:12:34 -0700  (Google Webmaster Central via NNSquad)

  "We certainly hope you never have to use our new Help for hacked sites
  informational series. It's a dozen articles and over an hour of videos
  dedicated to helping webmasters in the unfortunate event that their site
  is compromised."

Re: Boeing 787s to create half a terabyte of data per flight (RISKS-27.19)

"Bob Frankston" <>
Mon, 11 Mar 2013 20:39:38 -0400
I'm not sure what the worry is since we are collecting much of this already.

The more interesting point is that this is no longer a large amount of data
so why does the IT guy think it is a lot? It costs under $20 retail and a
small fraction of that wholesale to store forever.

For society it does raise the risk of never forgetting but that's a separate

Re: Boeing 787s to create half a terabyte of data per flight

Steve Loughran <>
Tue, 12 Mar 2013 09:23:05 +0000
In Risks 27.19, Dag-Erling Smorgrav considers the fact that the Boeing 787s
will generate 0.5TB of data per flight, and asks "what could possibly go

First: what could be gained? That data can record subtle details in engine
operation that has never been created before, help correlate degradation in
behaviour with past part history. If one part fails, the data of all similar
parts can be examined to identify which other parts have a similar history,
and may be susceptible.

For example, the "NASA-ONERA Collaboration on Human Factors in Aviation
Accidents and Incidents" work is combining datasets from the aircraft,
external datasources—including the recent history of pilot workloads --
to determine correlating factors in Go-Arounds during landing.
Maybe this could even go some way to avoiding the default "blame the pilots"
policy that surfaces in crashes today.

The data, then, could be invaluable. What is needed is keeping that data
secure and with effective provenance. You don't need an Internet connection
to keep the data; at 0.5 TB/flight you don't want to be uploading it off the
airplane anyway, not unless "your flight is delayed until the upload
completes" is to become the new cause of delays (which becomes another
factor for NASA-ONERA to worry about). Swapping out an SSD disk is far
simpler—though that adds tracking and provenance of the SSDs to the

Re: How SSD power faults scramble your data (Kuenning, RISKS-27.19)

Dimitri Maziuk <>
Tue, 12 Mar 2013 09:28:18 -0500
My impression, catchy titles aside, is that they fail just like HDDs with
huge write caches—if those caches cached more or less random chunks of
random files, and not necessarily the files that were written to
recently. The unpleasant thought is having that kind of failure in a
journaling setup that stores the journal on SSD for performance. Chunks of
data you'd lose from HDD's write cache won't match the chunks of the journal
lost on the SSD. The result is a filesystem scrambled beyond repair.

It is largely theoretical, yes, but unfortunately Murphy's Law is not.

Harvard apologizes after secret e-mail search

Lauren Weinstein <>
Tue, 12 Mar 2013 09:32:40 -0700  (CNN via NNSquad)

  "On Monday, the school apologized for the way it handled a secret search
  of the e-mail accounts of resident deans. It conducted the search in an
  effort to find who leaked information about the scandal to the media last
