The RISKS Digest
Volume 27 Issue 27

Saturday, 4th May 2013

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

US election fraud
Gary Hinson
Computer Problems in Three States Hamper Student Proficiency Tests
AP item via Monty Solomon
"McAfee spots Adobe Reader PDF-tracking flaw"
Jeremy Kirk via Gene Wirchenko
Cellphone Thefts Grow, but the Industry Looks the Other Way
Monty Solomon
News on LulzSec hackers
PGN
Dutch cyberattack suspect arrested in Spain
Lauren Weinstein
This Powerful Spy Software Is Being Abused By Governments Around The World
Geoff Goodfellow
What happens when pirates play a game development simulator and then go bankrupt because of piracy?
Patrick via Richard Berlin via Dave Farber
"Malware hijacks Twitter accounts to send dangerous links"
Jeremy Kirk via Gene Wirchenko
"The taxman cometh for cloud services"
Caroline Craig via Gene Wirchenko
"Cloud computing gets CIA endorsement"
CDN Staff via Gene Wirchenko
Anyone can send private messages to the deceased person
jidanni
UK Gov passes Instagram Act: All your pics belong to everyone now
LW
U.S. Lawmaker Proposes New Criteria for Choosing NSF Grants
ScienceInsider via Dave Farber
Fake Post Erasing $136 Billion Shows Markets Need Humans
Monty Solomon
More on That Spreadsheet Error
James Madison via Richard S. Russell
Microsoft re-releases botched patch as KB 2840149, but problems remain
Woody Leonhard via Gene Wirchenko
Shame on Verizon:: Some Customers in Manhattan, NYC Out Since Sandy—186 Days and Counting
Bruce Kushnick via Dewayne Hendricks via DF
"EFF reports reveals tech's loosest lips, tightest grips"
RXC via Gene Wirchenko
LAX sign story just gets better and better...
Brian Sumers via Paul Saffo
"The Delete Squad: Google, Twitter, Facebook and the new global battle over the future of free speech"
TNR via LW
Re: The Shame of Boston's Wireless Woes
Chris Drewe
Re: Economic policy decisions may be affected by spreadsheet errors
Michael Kohne
Amos Shapir
Re: Risks of ASCII-formatting mathematics
Steven Bellovin
Re: Taiwan issues duplicate license plate numbers
Bob Frankston
Two items on Internet use, etc. vs. distracted driving
Bob Frankston
Re: Laptop goes up in flames
David Tarabar
Re: New lithium ion battery design
Anthony Thorn
Call for Full Papers and Structured Abstracts - 2013 LASER Workshop: Learning from Authoritative Security Experiment Results
Edward Talbot
Info on RISKS (comp.risks)

US election fraud

"Gary Hinson" <Gary@isect.com>
Sat, 27 Apr 2013 13:47:47 +1200
I'm sure the final paragraph will cause long-time RISKS-listers to raise an
eyebrow, perhaps both: "Nees previously told Fox News that the fraud was
clearly evident, "because page after page of signatures are all in the same
handwriting," and that nobody raised any red flags "because election workers
in charge of verifying their validity were the same people faking the
signatures."
http://www.foxnews.com/politics/2013/04/26/officials-found-guilty-in-obama-clinton-ballot-petition-fraud/

  We don' need no steenkin' divisions of responsibility.

Gary Hinson, CEO IsecT Ltd, NZ, www.SecurityMetametrics.com, PRAGMATIC
metrics www.NoticeBored.com; non-stop awareness www.ISO27001security.com ...


Computer Problems in Three States Hamper Student Proficiency Tests

Monty Solomon <monty@roscom.com>
Thu, 2 May 2013 08:37:54 -0400
http://www.nytimes.com/2013/05/02/education/computer-problems-in-three-states-hamper-student-proficiency-tests.html


"McAfee spots Adobe Reader PDF-tracking flaw" (Jeremy Kirk)

Gene Wirchenko <genew@telus.net>
Wed, 01 May 2013 10:10:28 -0700
Jeremy Kirk, InfoWorld, 29 Apr 2013
The flaw in Adobe Reader could allow an attacker to see when and where a PDF
is opened.
http://www.infoworld.com/d/security/mcafee-spots-adobe-reader-pdf-tracking-flaw-217461


Cellphone Thefts Grow, but the Industry Looks the Other Way

Monty Solomon <monty@roscom.com>
Thu, 2 May 2013 08:32:32 -0400
When a teenage boy snatched the iPhone out of Rose Cha's hand at a bus stop
in the Bronx in March, she reported the theft to her carrier and to the
police - just as she had done two other times when she was the victim of
cellphone theft. Again, the police said they could not help her.

Ms. Cha's phone was entered in a new nationwide database for stolen
cellphones, which tracks a phone's unique identifying number to prevent it
from being activated, theoretically discouraging thefts.  But police
officials say the database has not helped stanch the ever-rising numbers of
phone thefts, in part because many stolen phones end up overseas, out of the
database's reach, and in part because the identifiers are easily modified.

Some law enforcement authorities, though, say there is a bigger issue - that
carriers and handset makers have little incentive to fix the problem. ...

http://www.nytimes.com/2013/05/02/technology/cellphone-thefts-grow-but-the-industry-looks-the-other-way.html


News on LulzSec hackers

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 27 Apr 2013 9:59:58 PDT
LulzSec arrest in Australia
Federal police charge IT worker, 24, with attacking government website and
say he has claimed to be a leader of hacker group

LulzSec hacking suspect arrested in Sydney
http://www.guardian.co.uk/technology/video/2013/apr/24/lulzsec-hacking-arrested-sydney-video

Australian police have arrested a man they say is affiliated with the
international hacking collective LulzSec on a charge of attacking and
defacing a government website.
http://www.guardian.co.uk/technology/lulzsec

The 24-year-old senior IT worker, whose name was not released, was arrested
on Tuesday night at his Sydney office, the Australian Federal Police
said. The man, who police say has claimed to be a high-level member of the
hacking group, was charged with two counts of unauthorised modification of
data to cause impairment, and one count of unauthorised access to, or
modification of, restricted data. If convicted he could face up to 12 years
in jail.

http://www.guardian.co.uk/technology/2013/apr/24/lulzsec-arrest-australia

  [Thanks to Don Hutson for noting this item.  PGN]


Dutch cyberattack suspect arrested in Spain

Lauren Weinstein <lauren@vortex.com>
Fri, 26 Apr 2013 11:13:41 -0700
  "Prosecutors say a Dutch citizen has been arrested in Spain in connection
  with what experts described as the biggest cyberattack in the history of
  the Internet, launched against an anti-spam watchdog group last month.
  The Netherlands National Prosecution Office said a 35-year-old suspect it
  identified only by his initials, S.K., was arrested Thursday at his home
  in Barcelona. Authorities also seized computers and mobile phones."
  http://j.mp/14WmE1m  (New Tribune / AP, via NNSquad)


This Powerful Spy Software Is Being Abused By Governments Around The World

Geoff Goodfellow <geoff@iconia.com>
May 2, 2013 7:19:58 PM EDT
A new report presents overwhelming evidence that sophisticated spying
software is being abused by governments around the world.  The findings by
The Citizen Lab, a digital research laboratory at the University of Toronto,
detail how the software marketed to track criminals is being used against
dissidents and human rights activists.

Titled "For Their Eyes Only: The Commercialization of Digital Spying," the
report focuses on a type of surveillance software called FinSpy that can
remotely monitor webmail and social networks in real time as well as collect
encrypted data and communications of unsuspecting targets...

http://www.businessinsider.com/countries-with-finfisher-spying-software-2013-5


What happens when pirates play a game development simulator and then go bankrupt because of piracy? (Patrick via Dave Farber)

Richard Berlin <richard.berlin@stanfordalumni.org>
May 3, 2013 2:14:34 PM EDT
http://www.greenheartgames.com/2013/04/29/what-happens-when-pirates-play-a-game-development-simulator-and-then-go-bankrupt-because-of-piracy/

Patrick, April 29, 2013

When we released our very first game, Game Dev Tycoon (for Mac, Windows and
Linux) yesterday, we did something unusual and as far as I know unique. We
released a cracked version of the game ourselves, minutes after opening our
Store. ...


"Malware hijacks Twitter accounts to send dangerous links" (J.Kirk)

Gene Wirchenko <genew@telus.net>
Wed, 24 Apr 2013 11:10:54 -0700
Jeremy Kirk, InfoWorld Home, 23 Apr 2013
Trusteer has found malicious software that leverages Twitter to infect more
computers
http://www.infoworld.com/d/security/malware-hijacks-twitter-accounts-send-dangerous-links-217054


"The taxman cometh for cloud services" (Caroline Craig)

Gene Wirchenko <genew@telus.net>
Fri, 03 May 2013 10:22:22 -0700
Caroline Craig, InfoWorld, 03 May 2013
Cash-strapped states are enacting new taxes on computing and cloud-based
services, opening a possible Pandora's box of confusion and lost cost
savings
http://www.infoworld.com/t/cloud-computing/the-taxman-cometh-cloud-services-217814


"Cloud computing gets CIA endorsement" (CDN Staff)

Gene Wirchenko <genew@telus.net>
Wed, 24 Apr 2013 11:21:32 -0700
http://www.computerdealernews.com/news/cloud-computing-gets-cia-endorsement/24774
Cloud Services Infrastructure, 23 Apr 2013
Cloud computing gets CIA endorsement

"Say what you will about the Central Intelligence Agency (CIA), but the
American spy shop is usually pretty concerned about security. So their
endorsement of cloud computing is certainly of note.  According to a report
from FCW, the CIA has inked a cloud computing contract with Amazon Web
Services (AWS) worth as much as $600 million over 10 years."

      [But what sort of note is it?]


Anyone can send private messages to the deceased person

<jidanni@jidanni.org>
Wed, 24 Apr 2013 19:01:02 +0800
http://www.facebook.com/help/103897939701143/


UK Gov passes Instagram Act: All your pics belong to everyone now

Lauren Weinstein <lauren@vortex.com>
Mon, 29 Apr 2013 07:44:51 -0700
http://j.mp/ZYYP0a (The Register via NNSquad)

  "How so? Previously, and in most of the world today, ownership of your
  creation is automatic, and legally considered to be an individual's
  property. That's enshrined in the Berne Convention and other international
  treaties, where it's considered to be a basic human right. What this means
  in practice is that you can go after somebody who exploits it without your
  permission - even if pursuing them is cumbersome and expensive.  The UK
  coalition government's new law reverses this human right. When last year
  Instagram attempted to do something similar, it met a furious
  backlash. But the Enterprise and Regulatory Reform Act has sailed through
  without most amateurs or semi-professionals even realising the
  consequences."


U.S. Lawmaker Proposes New Criteria for Choosing NSF Grants (ScienceInsider)

"David J. Farber" <farber@gmail.com>
Mon, 29 Apr 2013 11:48:06 -0400
http://news.sciencemag.org/scienceinsider/2013/04/us-lawmaker-proposes-new-criteri-1.html?ref=hp#.UX6Vp6SF8zk.email

The new chair of the House of Representatives science committee has drafted
a bill that, in effect, would replace peer review at the National Science
Foundation (NSF) with a set of funding criteria chosen by Congress. For good
measure, it would also set in motion a process to determine whether the same
criteria should be adopted by every other federal science agency.

The legislation, being worked up by Representative Lamar Smith (R-TX),
represents the latest—and bluntest—attack on NSF by congressional
Republicans seeking to halt what they believe is frivolous and wasteful
research being funded in the social sciences. Last month, Senator Tom Coburn
(R-OK) successfully attached language to a 2013 spending bill that prohibits
NSF from funding any political science research for the rest of the fiscal
year unless its director certifies that it pertains to economic development
or national security. Smith's draft bill, called the "High Quality Research
Act," would apply similar language to NSF's entire research portfolio across
all the disciplines that it supports.

ScienceInsider has obtained a copy of the legislation, labeled "Discussion
Draft" and dated 18 April, which has begun to circulate among members of
Congress and science lobbyists. In effect, the proposed bill would force NSF
to adopt three criteria in judging every grant. Specifically, the draft
would require the NSF director to post on NSF's Web site, prior to any
award, a declaration that certifies the research is:

1) "... in the interests of the United States to advance the national
   health, prosperity, or welfare, and to secure the national defense by
   promoting the progress of science;

2) "... the finest quality, is groundbreaking, and answers questions or
   solves problems that are of utmost importance to society at large; and

3) "... not duplicative of other research projects being funded by the
   Foundation or other Federal science agencies."

NSF's current guidelines ask reviewers to consider the "intellectual merit"
of a proposed research project as well as its "broader impacts" on the
scientific community and society.

Two weeks ago, Republicans on the science committee took to task both John
Holdren, the president's science adviser, and Cora Marrett, the acting NSF
director, during hearings on President Barack Obama's proposed 2014 science
budget. They read the titles of several grants, questioned the value of the
research, and asked both administration officials to defend NSF's decision
to fund the work.

On Thursday, Smith sent a letter to Marrett asking for more information on
five recent NSF grants. In particular, he requested copies of the comments
from each reviewer, as well as the notes of the NSF program officer managing
the awards.

In his letter, a copy of which ScienceInsider obtained, Smith wrote: "I have
concerns regarding some grants approved by the Foundation and how closely
they adhere to NSF's 'intellectual merit' guideline." Today, Smith told
ScienceInsider in a statement that "the proposals about which I have
requested further information do not seem to meet the high standards of most
NSF funded projects."

Smith's request to NSF didn't sit well with the top Democrat on the science
committee, Representative Eddie Bernice Johnson (D-TX). On Friday, she sent
a blistering missive to Smith questioning his judgment and his motives.

"In the history of this committee, no chairman has ever put themselves
forward as an expert in the science that underlies specific grant proposals
funded by NSF," Johnson wrote in a letter obtained by ScienceInsider. "I
have never seen a chairman decide to go after specific grants simply because
the chairman does not believe them to be of high value."

In her letter, Johnson warns Smith that "the moment you compromise both the
merit review process and the basic research mission of NSF is the moment you
undo everything that has enabled NSF to contribute so profoundly to our
national health, prosperity, and welfare." She asks him to "withdraw" his
letter and offers to work with him "to identify a less destructive, but more
effective, effort" to make sure NSF is meeting that mission.

Smith's bill would require NSF's oversight body, the National Science Board,
to monitor the director's actions and issue a report in a year. It also asks
Holdren's office to tell Congress how the principles laid down in the
legislation "may be implemented in other Federal science agencies."


Fake Post Erasing $136 Billion Shows Markets Need Humans

Monty Solomon <monty@roscom.com>
Thu, 25 Apr 2013 10:25:40 -0400
http://www.bloomberg.com/news/2013-04-23/fake-report-erasing-136-billion-shows-market-s-fragility.html


More on That Spreadsheet Error

"Richard S. Russell" <richardsrussell@tds.net>
Wed, 24 Apr 2013 12:59:21 -0500
Of all the enemies of true liberty, war is, perhaps, the most to be dreaded,
because it comprises and develops the germ of every other.

War is the parent of armies; from these proceed debts and taxes; and armies,
and debts, and taxes are the known instruments for bringing the many under
the domination of the few.

In war, too, the discretionary power of the executive is extended; its
influence in dealing out offices, honors and emoluments is multiplied; and
all the means of seducing the minds are added to those of subduing the
force, of the people.

The same malignant aspect in republicanism may be traced in the inequality
of fortunes, and the opportunities of fraud, growing out of a state of war,
and in the degeneracy of manner and of morals, engendered in both.

No nation can preserve its freedom in the midst of continual warfare.

James Madison (1809-1817), 4th US president, "father" of the Constitution
 and Bill of Rights

Richard S. Russell, 2642 Kendall Av. #2, Madison  WI  53705-3736
608+233-5640  RichardSRussell@tds.net http://richardsrussell.livejournal.com/


Microsoft re-releases botched patch as KB 2840149, but problems remain (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Fri, 26 Apr 2013 10:54:47 -0700
Woody Leonhard, InfoWorld, 24 Apr 2013
The saga of botched patch MS13-036 takes new twists and turns --
including a problem with Multiple Master fonts
http://www.infoworld.com/t/microsoft-windows/microsoft-re-releases-botched-patch-kb-2840149-problems-remain-217213

According to this article, not only are there continuing problems, but the
details were not properly disseminated and details are lacking:

In an obscure Microsoft Security Response Center post on Thursday, Microsoft
recommended that "all customers who have installed security update 2823324
should follow the guidance that we have provided in KB2839011 to uninstall
it." Just about every Vista and Win7 customer who had Windows Automatic
Update turned on got the patch, but I'd guess that only about one in 100,000
customers saw the notice to uninstall the patch—and of those, maybe one
in 10 actually did it.

But wait, that's only part of the story. MS13-036 had two different
patches. This botched patch fixed the system file ntfs.sys ...
eventually. The other patch—known as KB 2808735—replaced the file
win32k.sys on all versions of Windows and Server since Windows XP, up to and
including Windows 8, Windows RT, and Windows Server 2012. (There's a full
list at the end of Security Bulletin MS13-036.)  The KB article says that
"[a]fter you install this security update, certain Multiple Master fonts
cannot be installed." Unfortunately, Microsoft doesn't mention which
Multiple Master fonts can't be installed, whether installed MM fonts would
get zapped, or if there are modified versions of the MM fonts that might
work. The KB article also doesn't say why the MM fonts can't be installed,
so it begs the question of whether this is a highly isolated incident, or if
symptoms might manifest with other installers or other fonts.


[Dewayne-Net] Shame on Verizon:: Some Customers in Manhattan, NYC Out Since Sandy—186 Days and Counting (via Dave Farber's IP)

Dewayne Hendricks <dewayne@warpspeed.com>
May 3, 2013 8:47:22 AM EDT
[Note:  This item comes from friend Bruce Kushnick.  DLH]

Date: May 2, 2013 9:56:08 PM PDT
From: Bruce Kushnick <bruce@newnetworks.com>
Subject: Shame on Verizon:: Some Customers in Manhattan, NYC Out Since Sandy—186 Days and Counting.

New Networks

Shame on Verizon: There Are Customers in Manhattan, New York City Who Still
Don't Have Service After Sandy—186 Days and Counting.

Read the article <http://www.newnetworks.com/VerizonNYC.htm>
Download the article. <http://www.newnetworks.com/VerizonNYCSandy.pdf>

This is a foreboding glimpse into your future communications services if you
live in the USA.

I'm sitting in a high ceiling parlor in an aged brownstone at the E.9th
Street Block Association meeting.  People are telling me, somewhat muting
their anger, that some have had no phone service since Sandy, October 28th
2012 ---- 186 days ago, almost 6 months, almost half a year.  Some had their
service restored over the last month, only being out for about 5 months.

I'm in a roomful of people in the middle of Manhattan, New York City, and I
can't believe my ears. I've been a telecom analyst for 31 years and thought
I'd heard everything before - but this?

Mayor Bloomberg, with claims that New York City is a world center for
technology, announced his new campaign, "We Are Made in NY" in 2013,
stating we're "strengthening the city as a global hub for innovation."

Being out of service is only one of the Manhattanites' problems. Almost all
of those without Verizon service have continued to be billed for services
that THEY DO NOT RECEIVE.

What's the problem?  How could this be happening in America?

To read the rest of this article: <http://www.newnetworks.com/VerizonNYC.htm>
Download the article: <http://www.newnetworks.com/VerizonNYCSandy.pdf>

Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>


"EFF reports reveals tech's loosest lips, tightest grips" (RXC)

Gene Wirchenko <genew@telus.net>
Thu, 02 May 2013 11:37:37 -0700
Robert X. Cringely, InfoWorld, 01 May 2013
EFF rates how Apple, AT&T, Google, Twitter, and more share data with
Uncle Sam—see which tech leaders come out on top
http://www.infoworld.com/t/cringely/eff-reports-reveals-techs-loosest-lips-tightest-grips-217710


LAX sign story just gets better and better...

Paul Saffo <paul@saffo.com>
Tue, 23 Apr 2013 21:20:14 -0700
It was an accident...

LAX worker accidentally puts up order to evacuate terminals on monitors
Brian Sumers, Daily Breeze

Monitors at Los Angeles International Airport's international terminal
briefly told passengers there was an emergency and asked them to leave the
facility Monday night because of an error made by a contracted airline
employee.

At a little before 9:47 p.m., the message read: "An emergency has been
declared in the terminal. Please evacuate." An airport police source said
officers responded to the scene at the Tom Bradley International Terminal,
believing the system had been hacked. But an airport spokeswoman said it was
an honest mistake.

"After investigating what caused the erroneous posting, LAX Airport Ops and
Information Technology staffers reported that an airline contract employee,
who is authorized to access the display system, was programming airline
check-in information into a set of monitors for a particular flight when he
accidentally activated the preprogrammed emergency message," airport
spokeswoman Nancy Castles said in a statement.

Castles said there were no reports of passengers evacuating the terminal and
the problem was fixed within about 10 minutes.

She said airport officials are looking into ways to ensure a similar problem
does not occur again.

Brian Sumers


"The Delete Squad: Google, Twitter, Facebook and the new global battle over the future of free speech"

Lauren Weinstein <lauren@vortex.com>
Mon, 29 Apr 2013 14:39:12 -0700
http://j.mp/ZwjUDS  (*New Republic* via NNSquad)

  "As online communication proliferates - and the ethical and financial costs
  of misjudgments rise - the Internet giants are grappling with the challenge
  of enforcing their community guidelines for free speech.  Some Deciders
  see a solution in limiting the nuance involved in their protocols, so that
  only truly dangerous content is removed from circulation. But other
  parties have very different ideas about what's best for the
  Web. Increasingly, some of the Deciders have become convinced that the
  greatest threats to free speech during the next decade will come not just
  from authoritarian countries like China, Russia, and Iran, who practice
  political censorship and have been pushing the United Nations to empower
  more of it, but also from a less obvious place: European democracies
  contemplating broad new laws that would require Internet companies to
  remove posts that offend the dignity of an individual, group, or
  religion."


Re: The Shame of Boston's Wireless Woes (RISKS-27.25)

"Chris Drewe" <e767pmk@yahoo.co.uk>
Sat, 27 Apr 2013 21:51:51 +0100
> Bob Frankston (RISKS-26.25):
> There is a real risk in confusing technical and economic problems.

Well... when I worked in telecoms, lore indeed was that if you didn't have
some congestion in busy times, you had too much capacity, and it's obviously
a matter of commercial judgement as to balancing the cost of losing
revenue-earning traffic in the peaks against having expensive equipment
lying idle much of the time.  I don't know how cellphone or Wi-Fi networks
'scale', but presumably having enough capacity always available to work
normally during Boston-type once-in-a-lifetime (we hope!) events would be
mighty costly, which has to be paid for somehow, either by telecoms
companies' customers, or taxpayers if run by a Government department as a
public service (like transit).  Looks like the problem here is managing
people's expectations; yes you can have a service that stands up to sudden
spikes in demand better, but how much more are you willing to pay?  And do
you want to cope with the once-in-5-years event, or once-in-15, or
once-in-50..?  After all, when emergencies happened years ago, everyone knew
that it would be difficult to find what happened or trace loved ones, now
they get angry if they can't do this immediately.  It's a bit like readers'
letters in the travel section of the newspaper, complaining about the high
price and limited availability of the Internet on cruise ships at sea;
there are no land-lines in the middle of the ocean, and those satellites are
expensive...


Re: Economic policy decisions may be affected by spreadsheet errors (Shapir, RISKS-27.26)

Michael Kohne <mhkohne@kohne.org>
Tue, 23 Apr 2013 21:13:42 -0400
First off, MS (for all that I dislike many things about them) isn't forcing
anything on this one. They provide a tool that does what it claims to do
(give a grid to put stuff in, add, subtract, fold, spindle and mutilate as
directed). The fact that it's a bad one for sophisticated economic modeling
isn't really their fault.

No one is forcing companies to buy this tool, or forcing them to create
their simulations and economic models in it. They do it because it seems
EASY, and it's the tool they've got handy (it came with their word
processor, after all). Dump the numbers in, put a couple formulas in and
BANG - there's the answer!

And that's the root of the problem - it's easy to do, and no one has to show
you how.  So no one ever mentions that you should find some way to test the
thing.  No one ever explains all the subtleties that happen when you insert
cells mid-row.  No one ever looks over your shoulder to see if anything
coming out of your model makes any sense at all.  No one ever lets on that
you are in fact PROGRAMMING. And that perhaps some care should be taken.

As to alternatives - there's more than one package out there that lets you
manipulate numbers. But they aren't 'grid of numbers' simple, and a single
license can in some cases cost more than the entire MS Office suite! If it's
something that has to go through the budget committee, then it's not going
to get bought at many companies.

So yes, there's a problem, but blaming MS will not fix it, and detracts from
any real thinking on the problem.


Re: Economic policy decisions may be affected by spreadsheet errors (Kohne, RISKS-27.27)

Amos Shapir <amos083@gmail.com>
Wed, 24 Apr 2013 16:43:09 +0300
Michael, my point is this: since MS Office is what the system is
designed to work with, it is de facto bundled.  Surely anyone can use any
utility, but the fact is, a vast majority of Windows users who need a
spreadsheet, end up using Excel.  In principle, the basic utilities of the
system—those which are in common use by laypersons—should be made as
simple, robust and intuitive as possible.  NotePad is a good example, Word
used to be, Excel is not.

As you say, casual users may not even be aware they are programming.  Well,
they should, and should be given the tools to do the job; symbolic names for
variables are the most basic of these, and have been around since the 1950's.
Leaving Excel in this primitive state is certainly MS's fault.


Re: Risks of ASCII-formatting mathematics (Stewart, RISKS-27.24)

Steven Bellovin <smb@cs.columbia.edu>
Sat, 27 Apr 2013 22:27:46 -0400
>  What's new is that someone has managed to turn the weaknesses into a real
>  exploit, albeit one that needs at least 224 and preferably 230 encryptions
>  of the same plaintext to work.
>
> Except he almost certainly didn't write that; the numbers were presumably
> 2**24 and 2**30, expressed in some notation that didn't survive some
> reformatting process somewhere.

Yup.  If you click on the link to the original post, you'll see that I
wrote it correctly—using the <sup>...</sup> HTML tags.  It's perfectly
valid HTML 4 (http://www.w3.org/TR/REC-html40/struct/text.html#edef-SUP)
-- but copy/paste to ASCII turns 2<sup>24</sup> into 224.  (It will be
amusing to see how this paragraph gets translated to HTML.)

It's possible to handle copy/paste correctly.  On a Mac, I did a copy/paste
of some footnoted text from a Word document into an ASCII email message.
It rendered the footnote references as [1] and [2].  I was impressed.

Steve Bellovin, https://www.cs.columbia.edu/~smb
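The loss Bellovin describes is a property of how the HTML is flattened, not of HTML itself. As an added illustration (not code from the original post or from any of the tools it mentions), the following Python converter keeps the structure: `<sup>`/`<sub>` become `^`/`_` notation and a footnote link inside `<sup>` becomes `[n]`, beside the naive tag-strip that turns `2<sup>24</sup>` into `224`. The sample HTML is constructed to mirror the quoted sentence.

```python
"""Structure-aware HTML-to-ASCII conversion that preserves <sup>/<sub> meaning.

Added example: not the original post's code. The sample below is constructed
to mirror the quoted sentence as it would look in HTML 4 with <sup> tags.
"""
import re
from html.parser import HTMLParser

SAMPLE_HTML = (
    "<p>What's new is that someone has managed to turn the weaknesses into a "
    "real exploit, albeit one that needs at least 2<sup>24</sup> and "
    "preferably 2<sup>30</sup> encryptions of the same plaintext to work."
    "<sup><a href=\"#fn1\">1</a></sup></p>"
)


def naive_strip_tags(html: str) -> str:
    """The lossy path: delete every tag, keep the text. 2<sup>24</sup> -> 224."""
    return re.sub(r"<[^>]+>", "", html)


class AsciiMathParser(HTMLParser):
    """Render <sup>/<sub> as ^/_ notation and footnote anchors as [n]."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output chunks (handle_data may deliver text in pieces)
        self.mode = None       # "sup" or "sub" while inside such an element, else None
        self.buf = []          # text gathered inside the current sup/sub
        self.footnote = False  # True when the <sup> wraps an <a href="#..."> reference

    def handle_starttag(self, tag, attrs):
        if tag in ("sup", "sub") and self.mode is None:
            self.mode, self.buf, self.footnote = tag, [], False
        elif tag == "a" and self.mode == "sup":
            # A same-page link inside <sup> is a footnote marker, not an exponent.
            self.footnote = dict(attrs).get("href", "").startswith("#")
        elif tag in ("p", "br", "div", "li") and self.out:
            self.out.append("\n")

    def handle_endtag(self, tag):
        if tag != self.mode:
            return
        inner = "".join(self.buf).strip()
        if self.footnote:
            self.out.append(f"[{inner}]")
        else:
            sym = "^" if tag == "sup" else "_"
            # A single alphanumeric token needs no braces (2^24, x_i);
            # anything longer is braced so the grouping survives (a^{n+1}).
            self.out.append(f"{sym}{inner}" if inner.isalnum() else f"{sym}{{{inner}}}")
        self.mode = None

    def handle_data(self, data):
        (self.buf if self.mode else self.out).append(data)

    def text(self) -> str:
        return "".join(self.out).strip()


def html_to_ascii(html: str) -> str:
    """Flatten HTML to ASCII without discarding superscript/subscript structure."""
    parser = AsciiMathParser()
    parser.feed(html)
    parser.close()
    return parser.text()


if __name__ == "__main__":
    print("naive:", naive_strip_tags(SAMPLE_HTML))
    print("aware:", html_to_ascii(SAMPLE_HTML))
```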


Re: Taiwan issues duplicate license plate numbers (Jidanni, R-27.26)

"Bob Frankston" <bob2-39@bobf.frankston.com>
Tue, 23 Apr 2013 21:22:08 -0400
I had a very similar color confusion after asking my office manager to order
numbered labels for equipment with one color for borrowed (red) and another
for the equipment we owned. It never occurred to me I'd get labels with the
same number in each series. But then why should someone not versed in
databases and computer technology realize that color was not normally stored
with other information in the database?

For that matter, before the advent of xerography, fax, Mylar typewriter
ribbons and computer printers typewriters had two color ribbons so that
negative numbers could be typed in red.


Two items on Internet use, etc. vs. distracted driving (RISKS-27.26)

"Bob Frankston" <bob2-39@bobf.frankston.com>
Tue, 23 Apr 2013 21:36:50 -0400
There are multiple risks in building technology policy such as "don't text"
into devices. Such policies put implicit assumptions about context and usage
in between us and the technologies we use. In the case of texting in
particular do we ban apps that might semi-automatically text on our behalf?
That's aside from the practical implementation issues such as determining
whether the user is a passenger or a driver. Today would Motorola have been
able to introduce the distractions of car radios?

Of course basing policies on studies is something that should be done very
cautiously as this note appeared in the same issue of Risks as reports of
flawed economic studies that served as the basis for major public policy
decisions. We also need to remember that bans on using devices in airplanes
seem as much if not more due to the social concerns about people talking on
a cell phone than real issues with the technology.

The larger issue is more subtle and part of the problem of tying technology
to specific purposes. When we do so we are throwing sand into the engine of
"innovation" - the opportunity to reimagine our technologies in the same way
IP allowed us to repurpose the telecom infrastructure. In the 1970s
computers became much more valuable to society when IBM was forced to sell
its hardware without limiting their applications.


Re: Laptop goes up in flames (RISKS-27.25)

David Tarabar <dtarabar@acm.org>
Wed, 24 Apr 2013 09:14:57 -0400
This item is slightly misleading. The laptop was left on a bed with the
power on. The heat from the laptop caused the bedding to catch fire ... and
then the laptop went up in flames.

http://www.metrowestdailynews.com/news/x2082727297/Fire-at-Framingham-State-caused-by-overheated-laptop


Re: New lithium ion battery design (PGN, RISKS-27.26)

Anthony Thorn <anthony.thorn@atss.ch>
Wed, 24 Apr 2013 15:04:58 +0200
> [Lots of new risks as well, much faster and with lower power?  PGN]

"2,000 times more powerful" is LOWER power?

That is not a risk - that's dangerous!

   [PGN is either silly or preoccupied, or else he meant something like this:
     "[Lots of new risks as well, much faster and even with lower power?]"?
   PGN]


Call for Full Papers and Structured Abstracts - 2013 LASER Workshop: Learning from Authoritative Security Experiment Results

Edward Talbot <edward.talbot@gmail.com>
Wed, 24 Apr 2013 18:17:05 -0700
The Organizing Committee for LASER 2013 would like to invite you to submit
a paper for this year's workshop.

The goal of this workshop is to help the security community quickly
identify and learn from both success and failure.  The workshop focuses on
research that has a valid hypothesis and reproducible experimental
methodology, but where the results were unexpected or did not validate the
hypotheses, where the methodology addressed difficult and/or unexpected
issues, or where unsuspected confounding issues were found in prior work.

Topics include, but are not limited to:

   - Unsuccessful research in experimental security
   - Methods and designs for security experiments
   - Experimental confounds, mistakes, and mitigations
   - Successes and failures reproducing experimental techniques and/or
     results
   - Hypothesis and methods development (e.g., realism, fidelity, scale)

The specific security results of experiments are of secondary interest for
this workshop.

*June 27, 2013* is the submission deadline for LASER 2013.

You can find out more about the workshop at http://www.laser-workshop.org.
The website has a link to the CFP but I've copied the CFP along with
Submission Guidelines below for your convenience.

Remember that the purpose of this workshop is to quickly identify and learn
from both success and failure, so unexpected results are welcome.
