Eek! I'll bet there are a whole bunch of mad customers. All Flights Grounded at LAX Due to `Computer Issues' http://ktla.com/2014/04/30/all-flights-grounded-at-lax-due-to-computer-issues/#eGHVB3vHULCcuYSY.99 All flights were grounded at Los Angeles International Airport [on 30 Apr] 2014 afternoon due to `computer issues', the airport announced on Twitter. The `ground stop' was announced by LAX on Twitter at 2:13 p.m., and it referred questions to the Federal Aviation Administration, the agency that issued the order. The FAA did not immediately return a request for more information. The airport was accepting arrivals but flights could not depart from LAX, according to Amanda Parsons of the airport. She said the ground stop began about 2 p.m. When a ground stop is issued, flights bound for the affected airport are held at their departing airport, according to the FAA website. https://twitter.com/flyLAXairport/status/461614376311853059
This computer glitch is the latest humiliation for the Home Office's beleaguered UK Border Force—and the biggest disaster since the widespread queue chaos before the 2012 Olympics. Apparently it was the scanning of passports that 'glitched.' The plan B was to enter details of passengers into the computer system(s) by hand. So, what went wrong? http://www.bbc.co.uk/news/uk-27225649 http://www.dailymail.co.uk/news/article-2617136/Chaos-airports-Britain-IT-glitch-brings-immigration-passport-control-standstill.html
We are very familiar with the privacy risks of using social networks. What is getting less attention is that the careless use of social networks may have deadly consequences. I would classify these risks into two categories: the first is a direct consequence of the user's own actions, while the second is of an indirect nature. Social networks have promoted "selfies" (pictures of oneself). At least three people have died lately while taking selfies. One person made and uploaded a selfie while driving. The lack of attention to traffic killed the driver. For more details see e.g.: http://www.independent.co.uk/news/world/americas/selfie-crash-death-woman-dies-in-headon-collision-seconds-after-uploading-pictures-of-herself-and-happy-status-to-facebook-9293694.html An attempt to take a selfie with an elephant in Kenya had deadly consequences too, see: http://www.tambaa.co.ke/news/292-selfie-moment-gone-tragic-elephant-tramples-on-two-teenagers-at-kiptagich-forest-nakuru-county Although the last accident may have occurred prior to the invention of social networks, the same comment does not apply to the first incident. Users of social networks may also endanger themselves indirectly. Instead of putting themselves in a dangerous position in order to take a selfie, or to use a social network, their careless postings may infuriate others. The unfortunate consequence might be that the careless user is murdered, see e.g.: http://www.nydailynews.com/news/crime/mexican-teen-stabbed-friend-65-times-posted-naked-selfies-cops-article-1.1741314 Two questions are worth addressing by psychologists and pedagogists. First, why are humans endangering their lives with their social networking activities? When raising children one can caution them about the potential dangers of current technologies (such as cars). The question is how one can educate the next generation to reduce the risks that will be caused by a future, currently unknown, technology.
Department of Computer Science, EC31, The University of Texas at Dallas Richardson TX 75080-3021 http://www.utdallas.edu/~Yvo.Desmedt/ +1(972)883-4536
According to the article, two-factor authorization was provided recently "after a large number of its customers had already been compromised by fraudsters who were plundering W-2 data to file fraudulent tax refunds." Jody Kaminsky, senior vice president of marketing at Ultipro, was quoted as saying, "We strongly encourage [customers] to use it," but apparently did not require them to do so. http://krebsonsecurity.com/2014/04/tax-fraud-gang-targeted-healthcare-firms/
I got a better-than-average phish/virus/spam message, claiming to be a UPS delivery exception notice. The tracking # cited was even valid, but in the UK. The usual clues tipped me off: a delivery exception does not need an attached zip, the Received headers did not list ups.com, etc. I found a link to reach UPS, and alerted them. I got a reply quickly, saying "not us" & "we know" etc. EXCEPT the message back from UPS Fraud Mitigation Corporate Security was: A) Not in text; it was in HTML only. B) The headers show it is not from UPS, but rightnowtech.com, an Oracle business group, I gather:
...
Received: from mailgwmw04.rightnowtech.com (mailgwmw04.rightnowtech.com [18.104.22.168]) by ZZZ.WW.XXX (Postfix) with ESMTP id AB397D1816A for <XXXXXX@YYYY.COM>; Wed, 30 Apr 2014 15:38:40 -0400 (EDT)
Received: from [10.70.0.131] ([10.70.0.131:6575] helo=access-mw.rightnowtech.com) by rntmw123.rnmk.com (envelope-from <firstname.lastname@example.org>) (ecelerity 22.214.171.124 r(34222M)) with ESMTP id 4A/C6-04808-04151635; Wed, 30 Apr 2014 14:38:40 -0500
Received: from utilmw04.int.rightnowtech.com (localhost.localdomain [127.0.0.1]) by access-mw.rightnowtech.com ("Mail Server") with SMTP id 30177903912 for <XXXXXX@YYYY.COM>; Wed, 30 Apr 2014 14:38:40 -0500 (CDT)
At least there was no attached zip file. But jeeze, hasn't anyone there got a clue yet?
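The check the poster applied by eye, walking the Received chain to see whether any relay belongs to the claimed sender's domain, as an added example written for this digest rather than code from the post. The message is a constructed sample modelled on the quoted headers: the rightnowtech.com host names are from the post, while the IPs, mailboxes and the receiving MTA are placeholders.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post; IPs, mailbox
# names and the receiving MTA are placeholders (RFC 5737 space, example domains).
SAMPLE_MESSAGE = """\
Received: from mailgwmw04.rightnowtech.com (mailgwmw04.rightnowtech.com [192.0.2.10])
    by mx.example.com (Postfix) with ESMTP id AB397D1816A
    for <user@example.com>; Wed, 30 Apr 2014 15:38:40 -0400 (EDT)
Received: from [10.70.0.131] ([10.70.0.131:6575] helo=access-mw.rightnowtech.com)
    by rntmw123.rnmk.com (envelope-from <noreply@example.org>)
    with ESMTP id 4A/C6-04808-04151635; Wed, 30 Apr 2014 14:38:40 -0500
Received: from utilmw04.int.rightnowtech.com (localhost.localdomain [127.0.0.1])
    by access-mw.rightnowtech.com ("Mail Server") with SMTP id 30177903912
    for <user@example.com>; Wed, 30 Apr 2014 14:38:40 -0500 (CDT)
From: "UPS Fraud Mitigation" <fraud@ups.com>
"""

# Only the "from <host> ... by <host>" part of a Received line is needed here.
HOP_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)")

def received_hops(raw):
    """[(from_host, by_host), ...], most recent hop first. Only the top line,
    stamped by your own MTA, is trustworthy; the rest arrived with the mail."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(value).split()))   # unfold whitespace
        if m:
            hops.append((m.group(1).strip("[]"), m.group(2)))
    return hops

def in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def claimed_sender_domain(raw):
    msg = message_from_string(raw, policy=default)
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()

def path_matches_claim(raw):
    """True if any relay in the chain belongs to the From: domain. A mismatch
    is a cue to look closer, not proof: much legitimate mail goes via vendors."""
    domain = claimed_sender_domain(raw)
    return any(in_domain(f, domain) or in_domain(b, domain)
               for f, b in received_hops(raw))
```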
Re: heartbleed (Maziuk, RISKS-27.86) Irrespective of whether GC can be deterministic or not, large-scale systems are written in GC'd languages; everything built in Java and .NET is GC'd. As an example, Apache Hadoop implements its HDFS distributed filesystem in Java, so it does not directly have to worry about buffer overflows, though whenever it delegates to native code that risk does exist. Where garbage collection is an issue is that it can introduce delays, and the larger the process's memory space, the longer the GC time can be. The standard HDFS clients are written to support blocking with backoff policies, including the ability to fail over to another server if the client determines that the original server has failed. Which raises the hard question: how can a remote network client distinguish "hung process" from "process undergoing very large GC pauses"? They tend to exhibit the same behaviour (TCP connections accepted in the kernel, but all communications blocked); heartbeat events do not get published, so a process's membership of any Paxos-style distributed group may lapse. The only solution today is to have long enough timeouts that network-side failover and server-side (STONITH-style) fencing don't misinterpret a GC pause as a hung process, and so overreact. Yet the Java runtime is aware that GC is going on; this information just isn't published externally, or propagated to routines in the process itself that can be used to alert the rest of the distributed system that "it is not dead, just pining for the fjords". This would seem a feature worth developing, as now that the heap size of a process can be measured in over a hundred gigabytes, delays can only increase. Rather than continuing to hope that GC will become deterministic, we can just accept reality and design our systems around it.
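The post argues that the runtime already knows a pause is a GC pause and should say so before it stops the world. As an added illustration of that design (not code from the post, from Hadoop or from the JVM), here is a CPython sketch using the standard gc.callbacks hook: the process publishes "in_gc" to a status file before the collector runs, and an external watchdog classifies a silent node from its last published state. The status file path, the JSON format and the timeouts are assumptions.

```python
import gc
import json
import os
import tempfile
import time

# Assumed location of the status file; a real deployment would use shared
# memory or a local socket that the watchdog/fencing agent can read.
STATUS_PATH = os.path.join(tempfile.gettempdir(), "node-status.json")
GC_EVENTS = []          # in-process record of (phase, generation), for inspection

def write_status(state, path=STATUS_PATH):
    """Publish the node's state atomically so a reader never sees a torn file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"state": state, "ts": time.time()}, f)
    os.replace(tmp, path)

def read_status(path=STATUS_PATH):
    with open(path) as f:
        return json.load(f)

def gc_status_hook(phase, info):
    # CPython calls this with phase "start" just before a collection and
    # "stop" right after it. The "start" write happens while the process can
    # still run, which is the only moment the announcement can be made.
    GC_EVENTS.append((phase, info["generation"]))
    write_status("in_gc" if phase == "start" else "running")

def install_gc_hook():
    if gc_status_hook not in gc.callbacks:
        gc.callbacks.append(gc_status_hook)

def run_collection():
    """Force a full collection and return the state left in the status file."""
    gc.collect()
    return read_status()["state"]

# --- watchdog side (a separate process): classify a node by its last word ---
def classify(status, now, heartbeat_timeout, gc_timeout):
    """'healthy', 'in_gc' or 'hung'. A node whose last word was 'in_gc' gets
    the longer gc_timeout before fencing; one that went silent without
    announcing a collection gets only the normal heartbeat_timeout."""
    age = now - status["ts"]
    if status["state"] == "in_gc":
        return "in_gc" if age <= gc_timeout else "hung"
    return "healthy" if age <= heartbeat_timeout else "hung"
```

The same two-level timeout is what the post describes having to apply blindly today; with the published state, only nodes that actually announced a collection get the long grace period.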
Regarding my previous submission on this subject, I have discovered myself labouring under a misapprehension. I had understood that the purpose of this limit was to prevent accounts being emptied by an attacker, and so (mis)understood it to be *per day*. In fact, it is *per transfer*. An account can be emptied immediately. This measure is not therefore addressing this issue. At least initially it would seem that the sole effect of this "security measure" is the repeated as opposed to one-off application of the transfer fee (3 USD inside the US, 25 USD outside). However, there may yet be a kinder explanation. It may be a (rather blunt) effort to increase the adoption rate of the two-factor authentication scheme, which increases the transfer limit to 10k USD.
> When Scott Erven was given free rein to roam through all of the medical
> equipment used at a large chain of Midwest health care facilities, he knew
> he would find security problems—but he wasn't prepared for just how bad
> it would be.

This is an old problem—years ago at Creighton, the hospital wanted us to filter off traffic to heart monitors (but couldn't at a point that would have made a difference). According to them at the time, the FDA would not allow them to protect the Windows 95-based stuff.

Idiots on offer. Free for collection. h/t Dagelijkse Standaard
Mark Thorson links to a Myce report by Sean Byrne. Byrne reports that Microsoft's cloud service OneDrive for Business modifies many of the files stored in it, adding identification numbers or conditional code. Byrne's verdict: "So what this means is that people who use OneDrive for Business or SharePoint need to be very careful with what they sync with it ... " Thorson remarks that "doing this without notification seems like an enormous breach of trust." I regard it as a fraud. If Microsoft is changing its customers' files without permission, it is not providing true cloud service. Today they inject identification numbers. Tomorrow they may inject spyware, worms, or steganopornography. So users of Microsoft cloud services do not "need to be very careful." They need to stop using Microsoft cloud services.
I receive mail which has an enumerated list. I reply inline, following the > quoting norms. Because of whitespace and the > <CRLF> pagination, each 1. 2. 3. instance is detected as a 'fresh' list and the numbering is automatically reset to 1 each time... I can imagine a lawyer having fun: "you said no to item 1" when in fact it's "item 3".
Lawfare, 21 Apr 2014 http://www.lawfareblog.com/2014/04/heartbleed-as-metaphor
Registration is now open for an ACM Webinar featuring what may be an unusual interactive session with Peter G. Neumann, moderated by Will Tracz (head of ACM SIGSOFT).

Title: Lessons from the ACM Risks Forum
Event: Webinar with Peter G. Neumann
Date: Thursday 22 May 2014
Time: 9am PDT, 10am MDT, 11am CDT, 12noon EDT, 4pm GMT, 5pm UK daylight, [or whenever, wherever else you are!]

This webinar will be a free-wheeling discussion of what we might have learned from almost thirty years of the ACM Risks Forum. No talk-specific slides are planned; after initial remarks from the speaker, the topics will hopefully be influenced somewhat interactively by questions and comments you might pose, as interpreted by our moderator, Will Tracz. We hope many regular RISKS readers—and many others—will join us. Various background information is online, in case you have not been a long-time RISKS reader. PGN

* The ACM Risks Forum: http://www.risks.org with a nice searchable reader interface (courtesy of Lindsay Marshall at Newcastle)
* The CACM Inside RISKS series (the 233rd article in the series will appear online on 22 May 2014, for the June 2014 CACM): http://www.csl.sri.com/neumann/insiderisks.html
* The Illustrative Risks annotated index to early ACM SIGSOFT Software Engineering Notes and RISKS issues: http://www.csl.sri.com/neumann/illustrative.pdf or http://www.csl.sri.com/neumann/illustrative.html for browsing
* Website: http://www.csl.sri.com/neumann
* Bio: http://www.csl.sri.com/neumann/short.bio

REGISTRATION: http://w.on24.com/r.htm?ex7463&s=1&kIF794B0466F24FA9C540F5A5C6AE131

Yan Timanovsky <email@example.com>, ACM Education Manager, ACM, 2 Penn Plaza, 7th Floor, New York NY 10121, 1-212-626-0515
Call for Papers
2014 LASER Workshop - Learning from Authoritative Security Experiment Results
http://www.laser-workshop.org
Arlington, Virginia - October 15-16, 2014
Paper submissions due June 30, 2014

The LASER workshop invites papers that strive to exemplify the practice of science in cyber security. The goal of this series of workshops, now in its third year, is to address the practice of good science. We encourage participants who want to help others improve their practice and participants who want to improve their own practice. LASER welcomes papers that are:
- Exemplars of the practice of science in cyber security.
- Promising works-in-progress that would benefit from expert feedback.

LASER seeks to foster a dramatic change in the paradigm of cyber security research and experimentation. Participants will find LASER to be a constructive and highly interactive venue featuring informal paper presentations and extended discussions. To promote a high level of interaction, attendance is anticipated to be limited to about 40 people. However, to support a high level of student participation, this limit may be increased. Please send all questions to firstname.lastname@example.org.

(Hitchens' razor) What can be asserted without evidence can be dismissed without evidence. —Christopher Hitchens

[More information, motivation, committees, etc at www.laser-workshop.org]
[Sean Peisert sent me the entire CfP (much too long for RISKS). Jeremy saved me the effort to prune it down... PGN]