The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 27 Issue 26

Tuesday 23 April 2013

Contents

LAX terminal signs hacked
Paul Saffo
AP fooled by phishing attack
Lauren Weinstein
Taiwan issues duplicate license plate numbers
jidanni
EU Car Type-Approval Awkwardness
Chris Drewe
FAA Approves Boeing 787 Battery Fix Allowing Flight Resumptions
Bloomberg
New lithium ion battery design
PGN
Two items on Internet use, etc. vs. distracted driving
Lauren Weinstein
More in New York City Qualify as Gifted After Error Is Fixed
Al Baker via Jim Reisert
Neil Richards on the Dangers of Surveillance
Lauren Weinstein
Crowdsourcing a lynch mob
Mark Thorson
Re: The Shame of Boston's Wireless Woes
Bob Frankston
Re: Economic policy decisions may be affected by spreadsheet errors
John Levine
Amos Shapir
Re: American Express Australia Mail Merge Stuff-up
John Levine
Churnalism: Discover When News Copies from Other Sources
Lauren Weinstein
Info on RISKS (comp.risks)

LAX terminal signs hacked

Paul Saffo <psaffo@discern.com>
Mon, 22 Apr 2013 23:04:20 -0700
http://www.latimes.com/local/lanow/la-me-ln-hacker-lax-flight-boards-20130422,0,6739919.story

LAX flight status boards hacked, telling passengers to exit terminal
Andrew Blankstein and Robert J. Lopez, latimes.com, 22 Apr 2013

Authorities were searching the Tom Bradley International Terminal at Los
Angeles International Airport on Monday night for someone who hacked into
multiple flight status boards to write: "Emergency Leave the Terminal," law
enforcement authorities told *The Times*.

The rogue message was changed about five minutes after it was noticed about
10 p.m., authorities said. It was unclear whether any passengers had left
the terminal.

Multiple travelers reported the message to airport police. The status boards
are located in the B aisle area of the terminal.

Additional officers were dispatched to the terminal while LAX officials
investigated who was responsible for the hacking.

Earlier this month, an electronic sign near USC was apparently hacked to
display inappropriate messages about the Los Angeles Police Department.

  [That should be known as REALLY LAX security! PGN]


AP fooled by phishing attack

Lauren Weinstein <lauren@vortex.com>
Tue, 23 Apr 2013 13:45:20 -0700
http://j.mp/13XGzfH  (Techcrunch via NNSquad)

  The AP Twitter hack which sent the stock market briefly crashing was
  caused by a phishing attack, according to the AP. The news organization
  now says the attack on Twitter was "preceded by a phishing attempt on AP's
  corporate network."

    [Lots to choose from: lame passwords, cross-site scripting, compromised
    insider access routes, whatever. CNN suggests “social
    engineering''. PGN]


Taiwan issues duplicate license plate numbers

<jidanni@jidanni.org>
Wed, 24 Apr 2013 07:16:40 +0800
The legislator held out two license plates—one in green and one in red --
that were both labeled "AB-123," and asked the premier if he could tell the
difference between them. When the premier said he could not, lawmaker Yeh
noted that they were from two different types of vehicles yet have the same
number.
http://www.chinapost.com.tw/taiwan/national/national-news/2013/04/10/375627/Govt-made.htm


EU Car Type-Approval Awkwardness

"Chris Drewe" <e767pmk@yahoo.co.uk>
Tue, 23 Apr 2013 20:55:53 +0100
In the cars section of last Saturday's newspaper (April 20th), there was a
letter from a reader with a new Audi R8 V8 with manual transmission.
Complaint was very sluggish acceleration from 30mph (50km/hr) in 3rd gear;
interrogating the OBD-II port showed a temporary throttle part-closure,
which turned out to be programmed in to get good figures in the drive- by
noise test required for EU Type Approval.  It's good to have cars that
aren't too loud, but awkward to discover this in the middle of a tricky
passing manoeuvre...


FAA Approves Boeing 787 Battery Fix Allowing Flight Resumptions

"David J. Farber" <farber@gmail.com>
Fri, 19 Apr 2013 15:32:19 -0400
http://www.bloomberg.com/news/2013-04-19/faa-approves-boeing-787-battery-fix-allowing-flight-resumptions.html

Boeing' 787 Dreamliner won U.S. approval to return to service with a
redesigned lithium-ion battery, more than three months into the government's
longest grounding of a commercial model in the jet age.

Restoring the 787 to flight status will allow the eight current operators to
end the use of temporary replacements and start routes that had been put on
hold with the Dreamliners unavailable. Chicago-based Boeing will be able to
resume deliveries, a pivotal step because it gets bulk payments when
aircraft are handed over.

The plane will continue to have permission to fly as far as 180 minutes from
an airport, FAA spokeswoman Laura Brown said in response to questions. That
is the same as the plane was originally certified to fly. That allows it to
fly across oceans, mountain ranges or the poles.

“A team of FAA certification specialists observed rigorous tests we
required Boeing to perform and devoted weeks to reviewing detailed analysis
of the design changes to reach this decision,'' FAA Administrator Michael
Huerta said in a statement.

Next week the FAA will publish regulations on how to alter the batteries in
the U.S. Federal Register, allowing Boeing and airlines to proceed with the
fixes.

Boeing has sent teams around the world to help fit new battery kits into the
49 Dreamliners in airline fleets. Each installation will take four to five
days, Boeing has said. Once those jets are fixed, work will turn to dozens
of 787s stored around Boeing factories.

To contact the reporter on this story: Alan Levin in Washington --
alevin24@bloomberg.net


New lithium ion battery design

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 22 Apr 2013 18:51:45 PDT
http://bit.ly/11gIo1S, noted by Marv Schaefer

New lithium-ion battery design that's 2,000 times more powerful, recharges
1,000 times faster

Researchers at the University of Illinois at Urbana-Champaign have developed
a new lithium-ion battery technology that is 2,000 times more powerful than
comparable batteries. According to the researchers, this is not simply an
evolutionary step in battery tech, “It's a new enabling technology: it
breaks the normal paradigms of energy sources. It's allowing us to do
different, new things.''

  [Lots of new risks as well, much faster and with lower power?  PGN]


Two items on Internet use, etc. vs. distracted driving

Lauren Weinstein <lauren@vortex.com>
Tue, 23 Apr 2013 15:35:43 -0700
Two items on Internet use, etc. vs. distracted driving

How Federal Distracted-Driving Guidelines Will Shape Your Next Phone
http://j.mp/15F5EMF  (Wired via NNSquad)

Study: Voice-activated texting while driving no safer than typing

http://j.mp/15F5tRA  (Washington Post via NNSquad)

It seems clear that regulators are focusing not only on built-in but also
portable devices.  It seems inevitable that they will also direct attention
to "wearable" devices as well at some stage.


More in New York City Qualify as Gifted After Error Is Fixed

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Sat, 20 Apr 2013 07:56:03 -0600
Al Baker, *The New York Times, 19 Apr 2013

Nearly 2,700 New York City students were wrongly told in recent weeks they
were not eligible for seats in public school gifted and talented programs
because of errors in scoring the tests used for admission, the Education
Department said on Friday. ...  According to Pearson, three mistakes were
made. Students' ages, which are used to calculate their percentile ranking
against students of similar age, were recorded in years and months, but
should also have counted days to be precise. Incorrect scoring tables were
used. And the formula used to combine the two test parts into one percentile
ranking contained an error.

https://www.nytimes.com/2013/04/20/education/score-corrections-qualify-nearly-2700-more-pupils-for-gifted-programs.html


Neil Richards on the Dangers of Surveillance

Lauren Weinstein <lauren@vortex.com>
Tue, 23 Apr 2013 14:12:05 -0700
Law professor makes a case for legally recognizing the Dangers of Surveillance
http://j.mp/ZNfh3H  (Network World via NNSquad)

  The Dangers of Surveillance, written by Neil M. Richards, Professor of Law
  at Washington University in St. Louis, was recently published on the
  Social Science Research Network. In it, Richards proposed "four principles
  that should guide the future development of surveillance law." Yet he said
  we must first recognize that: "Surveillance transcends the public-private
  divide;" that "secret surveillance is illegitimate;" that "total
  surveillance is illegitimate" and that "surveillance is harmful." The
  courts may understand that surveillance could be potentially harmful, but
  "have struggled to clearly understand why."


Crowdsourcing a lynch mob (More on RISKS-27.25)

Mark Thorson <eee@sonic.net>
Sat, 20 Apr 2013 13:51:55 -0700
In the confusion surrounding the Boston Marathon bombings, some users of the
popular Reddit site misidentified a missing Brown University student as the
bomber.

http://usnews.nbcnews.com/_news/2013/04/19/17826915-missing-brown-university-students-family-dragged-into-virally-fueled-false-accusation-in-boston

This event seems to be first demonstration of the collision between mass
data available over the Internet and the echo chamber of blogs, comments,
and social media for spawning and amplifying spurious identifications of the
perpetrators of high-profile criminal acts.  If we stay on the current
trajectory (as we most certainly will) the data will become ever more prompt
and detailed.  "The bomber is Mark Thorson and Google says he's at his
mother's house at 1505 Spruce St. right now!  Let's go get him!"


Re: The Shame of Boston's Wireless Woes (RISKS-27.25)

"Bob Frankston" <bob2-39@bobf.frankston.com>
Sun, 21 Apr 2013 11:16:06 -0400
There is a real risk in confusing technical and economic problems.

Focusing on problem of "congestion" as cited in the Atlantic City cities
misses the point because that congestion is a necessary consequence of the
economic architecture of today's telecommunications system. The alternative
is simple—don't do that. As a common infrastructure we could use Wi-Fi
(for starters) to make the vast existing capacity of the common
infrastructure immediately available.

The idea of trying to make our ability to communicate a profit center is
foolish at best—it's akin to shutting down public transportation systems
if they are not profitable in themselves. Doing so would cause severe harm
to society. The business of providing telecommunications at a profit
requires limiting capacity and funneling traveling through billing points
(AKA cell towers).

Until we understand the interplay of technology and economics we are likely
to work at cross-purposes with ourselves. I'm not an expert on the story of
the closing of the Los Angeles trolley system but when the New York subways
failed to turn a profit the system took responsibility for them rather than
shutting it down.


Re: Economic policy decisions may be affected by spreadsheet errors (Epstein, RISKS-27.25)

"John Levine" <johnl@iecc.com>
19 Apr 2013 21:07:10 -0000
>Perhaps we need methods for spreadsheet assurance, just as we need methods
>for assuring the security and reliability of our operating systems and
>applications?

Back in the 1980s I was one of the authors of a program called Javelin, a
time series modeling package that you could use to do a lot of the same
stuff that people do with spreadsheets.

One of our selling points was that Javelin models were a lot more reliable
than 1-2-3 or Excel models.  Data were stored in named variables each of
which could be a time series, which largely prevented the kind of error that
R+R made, since if you said A=SUM(B), it automatically summed up all of B.
We had spreadsheet-like editing, but you were editing a view of the
underlying model, not anonymous cells.

In marketing focus groups, we learned two things: a) any spreadsheet large
enough to be interesting had bugs, and b) nobody cared.  One telling comment
was "it's my manager's job to check that my spreadsheet is correct."


Re: Economic policy decisions may be affected by spreadsheet errors

Amos Shapir <amos083@gmail.com>
Tue, 23 Apr 2013 17:16:24 +0300
They used cell L44 instead of L49??  Come on, meaningful symbolic names for
variables have been around at least since IBM's RPG language (introduced in
1959)!  No wonder almost all Excel spreadsheets contain errors; this sort of
programming simply guarantees that.
http://www.marketwatch.com/story/88-of-spreadsheets-have-errors-2013-04-17)

I'm not surprised that Microsoft would force such antediluvian practices
upon all of us; but I am surprised that there is still no prevalent
alternative.


Re: American Express Australia Mail Merge Stuff-up (Gingrich, RISKS-27.25)

"John Levine" <johnl@iecc.com>
19 Apr 2013 21:20:53 -0000
>I just received an e-mail on 11 April from AMEX touting a few current
>offers, but the name in the message was not mine—luckily the final digits
>*were* from my card, though it could also have been his ...

I have two Amex cards.  Both have the same last five digits, which is a pain
in the patoot when I'm trying to figure out which account I used for a
charge slip or online purchase.  How likely is it that?  1/100,000?  Not by
a long shot.

Credit card numbers from a particular issuer all have the same structure.
In Amex's case, the first two digits are always 37, the next two are the
currency (with many different digit pairs for common currencies like US
dollars), then there's the account number, a three digit card number, and a
check digit.

The card number for the primary cardholder on each account is card number
100, which only changes if the card is lost or stolen and reissued.  So in
fact, nearly all account numbers end with X100Y where X is the last digit of
the account number, and Y is the check digit.  The check digit is computed
from the rest of the number using the Luhn "mod 10" algorithm which is
intended to detect digit transpositions and to be easy to compute, not to be
cryptographically secure.  Since the other digits in the number are not very
random, the check digit isn't either.  If the X and Y were random, the
chances of those five digits being the same would be a little under 1%, but
since the check digit isn't random, it's a little more than that.

So anyway, partial credit card numbers are only arguably adequate for
showing that a message is from your bank and not a phish, and useless for
anything stronger.


Churnalism: Discover When News Copies from Other Sources

Lauren Weinstein <lauren@vortex.com>
Tue, 23 Apr 2013 14:13:32 -0700
Churnalism: Discover When News Copies from Other Sources

http://j.mp/ZNeRdy  (Sunlight Foundation via NNSquad)

  "Churnalism US is a new web tool and browser extension that allows anyone
  to compare the news you read against existing content to uncover possible
  instances of plagiarism. It is a joint project with the Media Standards
  Trust."

Please report problems with the web pages to the maintainer

Top