The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 13

Saturday 12 January 2013


Oscar's E-Voting Problems Worse Than Feared
Hollywood Reporter
Abelson/Creswell: EHRs may add to, not reduce, the cost of health care
David Lesher
Lauren Weinstein
Cox cable e-mail storage failure
James Paul
Browser's brake pedal changes into gas pedal once fully stopped
Tech Problems Plague Exchanges
Nathan Popper via Dave Farber
IBM's Watson Gets a Swear Filter
Robert Schaefer
Newspaper on Cape Cod Apologizes for a Veteran Reporter's Fabrications
Katharine Q. Seelye via Monty Solomon
Hoax article detailing fake war stayed up on Wikipedia for five years
Lauren Weinstein
Why I never use a non-gas credit card at gas stations...
Paul Saffo
"Instagram debacle shows the user agreement process needs fixing"
Gene Wirchenko
A Chinese Web censor snaps, goes on public rant
Lauren Weinstein
You better brush up on airport security
Peter Houppermans
Online Banking Attacks Were Work of Iran, U.S. Officials Say
David J. Farber
"U.S. bank cyber attacks reflect 'frightening' new era"
Antone Gonsalves via Gene Wirchenko
"Microsoft kicks off 2013 with clutch of critical Windows updates"
Gregg Keizer via Gene Wirchenko
"Ruby on Rails patches more critical vulnerabilities"
Jeremy Kirk via Gene Wirchenko
Hackable office phones
Disney to roll out RFID-enabled 'MagicBand' to guests
Jim Reisert
Info on RISKS (comp.risks)

Oscar's E-Voting Problems Worse Than Feared

Lauren Weinstein <>
Tue, 1 Jan 2013 08:09:30 -0800
  Voting to determine the next set of Oscar nominees began Dec. 17 and will
  extend through Jan. 3. On Dec. 26, I reached out to a wide cross-section
  of the Academy to see if they tried to vote online (an Academy
  spokesperson tells me that "a great majority" of members have registered
  to do so) and, if so, to characterize their experience.  Roughly half of
  the members reached said they experienced problems navigating the site;
  more than one described it as a "disaster." They also worried that hackers
  could compromise the Oscar vote.  (*Hollywood Reporter* via NNSquad)

    [This voting system appears to be one from Everyone Counts, which has
    known vulnerabilities relating to Safari improperly displaying pdf,
    among other problems.  The Hollywood Reporter claims the problems arose
    from an attempt that actually oversimplified in order to make the system
    usable for the Academy voters!  Apparently dumbing down security for
    usability strikes again.  PGN]

EHRs may add to, not reduce, the cost of health care

David Lesher <>
Fri, 11 Jan 2013 03:48:07 -0500
In 2nd Look, Few Savings From Digital Health Records
Reed Abelson and Julie Creswell, *The New York Times*, 11 Jan 2013

The conversion to electronic health records has failed so far to produce the
hoped-for savings in health care costs and has had mixed results, at best,
in improving efficiency and patient care, according to a new analysis by the
influential RAND Corporation.

Optimistic predictions by RAND in 2005 helped drive explosive growth in the
electronic records industry and encouraged the federal government to give
billions of dollars in financial incentives to hospitals and doctors that
put the systems in place.

"We've not achieved the productivity and quality benefits that are
unquestionably there for the taking," said Dr. Arthur L. Kellermann, one of
the authors of a reassessment by RAND that was published in this month's
edition of Health Affairs, an academic journal.

RAND's 2005 report was paid for by a group of companies, including General
Electric and Cerner Corporation, that have profited by developing and
selling electronic records systems to hospitals and physician practices.
Cerner's revenue has nearly tripled since the report was released, to a
projected $3 billion in 2013, from $1 billion in 2005. ...


Gee, just like HAVA and voting. If you take a hard problem, and throw enough
raw meat into the shark pool.... you have a bigger problem.

[PGN adds: See also *The Boston Globe*]

EHRs may add to, not reduce, the cost of health care

Lauren Weinstein <>
Thu, 10 Jan 2013 20:25:58 -0800
  The report predicted that widespread use of electronic records could save
  the United States health care system at least $81 billion a year, a figure
  RAND now says was overstated. The study was widely praised within the
  technology industry and helped persuade Congress and the Obama
  administration to authorize billions of dollars in federal stimulus money
  in 2009 to help hospitals and doctors pay for the installation of
  electronic records systems. "RAND got a lot of attention and a lot of buzz
  with the original analysis," said Dr. Kellermann, who was not involved in
  the 2005 study. "The industry quickly embraced it." But evidence of
  significant savings is scant, and there is increasing concern that
  electronic records have actually added to costs by making it easier to
  bill more for some services. (*The New York Times* via
  NNSquad; see the previous item.  PGN)

Cox cable e-mail storage failure

"James Paul" <>
Tue, 25 Dec 2012 20:40:31 -0500
Back on 14 Dec 2012, my e-mail disappeared.  It came back on 17 Dec.  What
surprised me is that Cox Communications crashed a good part of its network
(users in Arkansas, Connecticut, Georgia, Florida, Idaho, Iowa, Kansas,
Louisiana, Massachusetts, Nebraska, Ohio, Oklahoma, Rhode Island and
Virginia (that's me) were affected) and it didn't set off a media storm.

Cox Customer Service was not helpful, not that I bothered to call.  The
support forum was carrying the usual flood of messages complaining about the
lack of an explanation and the service restoration estimates that kept
receding into the distance.  In the end, Cox simply gave up and the message
became (paraphrasing) "it will return when it returns."  It didn't help when
some users were told "email is a free service so why are you expecting
support?"  As time went on, Cox added that it was not experiencing a
cyberattack, hadn't suffered a security breach and that incoming messages
were being captured.  On Monday, my backlog started arriving.  I received a
message on December 21st that all of my messages had been delivered.

I also received the following explanation:

  Dear Cox email user,

  We owe you an apology for your recent experience with our residential
  email service.  We pride ourselves on delivering your most important
  connections, and candidly, we recognize that did not happen.  We are
  focused on how we can improve your trust in our service and with our
  company.  Our hope is that we have begun to do that with this apology and

  On Friday, we experienced a storage platform failure in our production
  environment.  Both our primary and back-up storage devices that support
  email service were affected.  Dozens of engineers worked with our storage
  vendor and have isolated what caused the platform in our Midwest and East
  Coast regions to go down.  Every resource was made available to restore
  services to all affected customers as soon as possible.  The multiple
  components and processes that make up our email system required time to
  bring back online, and care to ensure that no messages were lost.  This
  week, we began to replace the storage platform as part of our efforts to
  ensure this issue does not happen again.

  We understand that email is an important component of your Cox High Speed
  Internet service, and we deeply regret the impact this outage had,
  especially at a time when you are busy preparing for holiday celebrations
  with your family and friends.  On behalf of the 20,000 Cox employees who
  proudly serve our customers, I hope you'll accept our most sincere

  Sincerely, Paul Cronin, Senior Vice President, Customer Experience
  Cox Communications"

Readers on this forum with better technical chops than mine can read volumes
into that message.  There might even be a few readers with first-hand
knowledge of the details.  I wondered for a while if Cox was having the same
problem AT&T went through back in 1990 where its ESS7 switches kept knocking
each other off the network with spurious error/reset messages.  That there
was apparently a flaw common to the primary and backup storage network is
also eye-opening.

In checking Google during the outage, I only saw links to some local
television outlets in the affected area.  I didn't see any reference to the
problems in the Washington Post, my local paper.  I've stopped watching my
local TV news or the national news programs, so I cannot assert that the
word was not getting out.  However, in other major net outages I usually run
across some references pretty quickly and it becomes difficult to avoid
information about such problems fairly quickly.  That Cox avoided that fate
here is what I find the most interesting aspect here.

As far as I can tell, this was in the end a hiccup; things seem to be
working as they were before (well, except that Cox doesn't seem to be able
to determine which of their regional services I'm using when I log in to the
webmail interface but that may be an artifact of my particular
computer/browser setup).  My messages go out and come in.  I thought I'd
bring it to the attention of this particular list, both to memorialize the
event and to spur the deeper post-mortem I can't perform.

Browser's brake pedal changes into gas pedal once fully stopped

Fri, 28 Dec 2012 15:44:45 +0800
The Midori browser includes a revolutionary (for me at least) space saving
design feature: the Stop button changes into the Refresh button after a
web page is fully loaded. I.e., if you click on "stop" just as a web page
fully loads, you will in fact end up clicking on the Refresh button... not
only not stopping anything, but forcing even more of the transmission you
intended to stop.

It's like a one-pedal car where the brake pedal changes into the gas pedal
once the car is fully stopped... to keep you old folks on your toes.

Tech Problems Plague Exchanges (Nathan Popper)

"David J. Farber" <>
Fri, 11 Jan 2013 11:01:05 -0500
Nathan Popper, *The New York Times*, 11 Jan 2012
Confidence-shaking technology mishaps have been an almost daily occurrence
at the nation's stock exchanges in the new year

The latest example came Wednesday night when the nation's third-largest
stock exchange operator, BATS Global Markets, alerted its customers that a
programming mistake had caused about 435,000 trades to be executed at the
wrong price over the last four years, costing traders $420,000.

A day earlier, the trading software used by the National Stock Exchange
stopped functioning properly for nearly an hour, forcing other exchanges to
divert trades around it. The New York Stock Exchange, the nation's largest
exchange, has had two similar, though shorter-lived, breakdowns since
Christmas and two separate problems with its data reporting system. And
traders were left in the dark on Jan. 3 after the reporting system for
stocks listed on the Nasdaq exchange, the second-biggest exchange, broke
down for nearly 15 minutes.

The stream of errors has occurred despite the spotlight on the exchanges
since a programming mishap nearly derailed Facebook's initial public
offering on Nasdaq last May and BATS's fumbling of its own I.P.O. two
months earlier. At the end of 2012, a number of exchange executives said
they were increasing efforts to reduce the problems. But market data expert
Eric Hunsader said that the technology problems have become, if anything,
more frequent in recent weeks. ...

IBM's Watson Gets a Swear Filter

Robert Schaefer <>
Fri, 11 Jan 2013 07:56:17 -0500
There are implications that the smarter we humans can make our AI the less
we may like the results.

IBM's Watson Gets A 'Swear Filter' After Learning The Urban Dictionary
"In the end, Brown and his team were forced to remove the Urban Dictionary
from Watson's vocabulary, and additionally developed a smart filter to keep
Watson from swearing in the future."

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford MA 01886 781-981-5767

Newspaper on Cape Cod Apologizes for a Veteran Reporter's Fabrications (Katharine Q. Seelye)

Monty Solomon <>
Sat, 29 Dec 2012 23:20:45 -0500
Katharine Q. Seelye, *The New York Times*, 28 Dec 2012

HYANNIS, Mass. - When an editor at The Cape Cod Times was reading the
newspaper last month, she thought an article about the Veterans Day parade
from the day before seemed slightly off.  The article, written by Karen
Jeffrey, a longtime reporter, told of a Ronald Chipman, 46, and his family
from Boston. The Chipmans apparently were oblivious to Veterans Day until
they saw the parade.  Ms. Jeffrey described the family in detail, including
a scene in which the parents used their smartphones to find information
about the holiday, creating a "teachable moment" for themselves and their

Maybe it was the tidiness of the tale. Or the notion that adults were
unfamiliar with Veterans Day. But the article did not ring true to the
editor and she set out to find the Chipmans. She searched several databases
but turned up nothing. She reported her finding to the editor in chief, Paul
Pronovost.  Mr. Pronovost asked the editor - whom he would not name to
protect her privacy - to check other recent articles by Ms. Jeffrey. After
more people in the articles could not be found, he then asked Ms.  Jeffrey
for help in locating the Chipmans. Ms. Jeffrey said she had thrown out her
notes.  "That's when the alarm bells went off," Mr. Pronovost said. He
ordered a full review of her work. For three days, three editors pored over
a public-records database called Accurint. They examined voter rolls and
town assessor records. They checked Facebook profiles and made phone
calls. And they concluded that, over the years, Ms.  Jeffrey had written
dozens of articles that included people who did not exist.

The next day, Dec. 5, Mr. Pronovost and the publisher, Peter Meyer, wrote a
front-page apology to their readers. ...

Hoax article detailing fake war stayed up on Wikipedia for five years

Lauren Weinstein <>
Tue, 8 Jan 2013 18:55:38 -0800  (*The Daily Caller* via NNSquad)

  For the last five years, those who spend their time procrastinating on
  Wikipedia could read up on a 17th century war between colonial Portugal
  and India's Maratham Empire known as the "Bicholim Conflict."  The problem
  is that Bicholim Conflict never happened, and that the entire 4,500-word
  article on the war was nothing more than an elaborate joke ... It was
  voted a "good article" by Wikipedia's readers, and at one point was even
  nominated to be a "featured article" that would be prominently displayed
  on the site's homepage.

Actually, in addition to totally faked stories that likely are scattered
throughout the totality of the Wikipedia corpus, what's of even more concern
is the errors and purposeful misstatements seeded in otherwise factual
articles that don't receive enormous day to day attention.  But hell, who
would ever have expected such problems with a reference source edited by
anonymous persons of unknown credentials or expertise, sporting screen names
like blowboy17?

Why I never use a non-gas credit card at gas stations...

Paul Saffo <>
Sun, 30 Dec 2012 15:28:23 -0800
Why I only use vendor-specific gas cards at gas stations, and pay inside
when things seem amiss.  Paul

Vicky Nguyen, Julie Putnam and Jeremy Carroll,
One Gas Pump Key Lets Thieves Steal Your ID, NBC Bay Area, 9 Nov 2012

The NBC Bay Area Investigative Unit has found a single master key grants
access to gas pumps across the state and it's giving easy access to thieves
looking to compromise Bay Area drivers' credit card information.  Vicky
Nguyen first aired this story 8 Nov at 11 p.m.

Call it the key to the kingdom. In the world of gas pumps, there is a
universal key unlocking a lucrative business for identity thieves.

The NBC Bay Area Investigative Unit has learned a single key opens the
majority of gas station pumps across the country, making it easy for crooks
to install high-tech skimming devices and resulting in hundreds of victims
of credit card fraud in the South Bay.  The single key was initially created
to make it easier for pump inspections and maintenance, but now, copies are
circulating amongst thieves.

The Rapid Enforcement Allied Computer Team, a high tech task force of
investigators in Silicon Valley, which partners with the Santa Clara County
District Attorney's Office, is looking into hundreds of these cases across
the state.  The REACT Task Force has uncovered nine skimming devices in the
past two months from Bay Area gas stations. Three hundred victims have been
identified so far and that number continues to grow.  "We are just touching
the tip of the iceberg," REACT Task Force Director Mike Sterner told NBC
Bay Area.  [Long item truncated for RISKS.  PGN]

If you have a tip for the Investigative Unit, email us:

"Instagram debacle shows the user agreement process needs fixing"

Gene Wirchenko <>
Thu, 10 Jan 2013 14:42:02 -0800
opening text:
At the end of 2012 Instagram, the online image-sharing company recently
acquired by Facebook, announced new changes to their Privacy and Terms of
Service policies that caused tremendous backlash from the public and from
their users.

A Chinese Web censor snaps, goes on public rant

Lauren Weinstein <>
Wed, 9 Jan 2013 16:08:12 -0800  (*The Washington Post* via NNSquad)

  "Spare a moment for the Chinese censor, stuck between a Communist Party
  that demands strict control and a few million Web users who increasingly
  expect the ability to speak their minds online.  As controversy over a
  censored newspaper grows into one of China's biggest and potentially most
  significant free-speech fights in years, party officials are likely
  seeking greater control at exactly the moment that outraged Web users are
  making that task most difficult. At least one censor on Weibo, the popular
  Twitter-like service that often serves as the closest China has to a
  public national conversation, seems to have snapped."

You better brush up on airport security

Peter Houppermans <>
Sat, 05 Jan 2013 14:51:28 +0100
  "A portion of Atlanta's airport, including MARTA rail service, was
  interrupted for more than half an hour Friday morning because of a
  toothbrush. Airport officials told Channel 2 Action News that an electric
  toothbrush began vibrating inside a bag checked onto an AirTran flight,
  causing workers to alert airport officials to the strange noise."

There are many electric devices carried in luggage that can make weird

[IP] Online Banking Attacks Were Work of Iran, U.S. Officials Say

"David J. Farber" <>
Wed, 9 Jan 2013 09:40:12 -0500
The attackers hit one American bank after the next. As in so many previous
attacks, dozens of online banking sites slowed, hiccupped, or ground to a
halt before recovering several minutes later.

But there was something disturbingly different about the wave of online
attacks on American banks in recent weeks. Security researchers say that
instead of exploiting individual computers, the attackers engineered
networks of computers in data centers, transforming the online equivalent of
a few yapping Chihuahuas into a pack of fire-breathing Godzillas.

The skill required to carry out attacks on this scale has convinced United
States government officials and security researchers that they are the work
of Iran, most likely in retaliation for economic sanctions and online
attacks by the United States.

"There is no doubt within the U.S. government that Iran is behind these
attacks," said James A. Lewis, a former official in the State and Commerce
Departments and a computer security expert at the Center for Strategic and
International Studies in Washington. [...]

"U.S. bank cyber attacks reflect 'frightening' new era" (Antone Gonsalves)

Gene Wirchenko <>
Thu, 10 Jan 2013 13:14:39 -0800
Antone Gonsalves, *InfoWorld*
Experts and government officials believe the attacks are in retaliation for
sanctions, and for U.S. cyber attacks on Iranian computer systems

"Microsoft kicks off 2013 with clutch of critical Windows updates" (Gregg Keizer)

Gene Wirchenko <>
Thu, 10 Jan 2013 13:59:16 -0800
Gregg Keizer, Computerworld, InfoWorld, 8 Jan 2013
Microsoft kicks off 2013 with clutch of critical Windows updates
Others, including Adobe, Google, and Mozilla, ride Patch Tuesday's coat tails

selected text:

Microsoft today patched 12 vulnerabilities in Windows, Office and several
server and development products, but as it hinted last week, did not come up
with a fix for the IE (Internet Explorer) bug that cyber criminals have been
exploiting for at least a month.

Among the torrent of patches, one not offered today was for the IE6, IE7 and
IE8 zero-day bug that hackers have been exploiting since at least Dec. 7.

IE9 and IE10 do not contain the bug, which according to Symantec, was used
by the Elderwood group for cyber espionage. But because IE9 won't run on
Windows XP, those customers are stuck with a vulnerable browser. Data from
Web analytics company Net Applications puts XP's online usage share at 39
percent in December, meaning nearly four out of every 10 personal computer
users runs the aged OS.

"Ruby on Rails patches more critical vulnerabilities" (Jeremy Kirk)

Gene Wirchenko <>
Thu, 10 Jan 2013 13:54:04 -0800
Jeremy Kirk, *InfoWorld Home*, 9 Jan 2012
It's the second time this month that Ruby on Rails has released updated
versions for serious software flaws

Hackable office phones

"Peter G. Neumann" <>
Fri, 4 Jan 2013 13:58:19 PST
This is some very interesting work being done at Columbia University.
The URL gives you a clue

Disney to roll out RFID-enabled 'MagicBand' to guests

Jim Reisert AD1C <>
Thu, 10 Jan 2013 08:19:57 -0700
"Linking the entire MyMagic+ experience together is an innovative piece of
technology we developed called the MagicBand. Worn on the wrist, it will
serve as a guest's room key, theme park ticket, access to FastPass+
selections, PhotoPass card and optional payment account all rolled into

As has been said here many times before, what could possibly go wrong
(privacy issues aside)?

Jim Reisert AD1C, <>,
