The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 84

Tuesday 4 August 2015

Contents

Lottery chief resigns in scandal
Wikipedia
Doctors Still In the Dark After Electronics Records Hack Exposes Data on 4 Million
Security Ledger
Google Cloud Platform to Let Customers Control Encryption Keys
DataCenterKnowledge
Counterterrorism expert says it's time to give companies offensive cybercapabilities
IT World
Nice item on Going Dark
Nick Weaver via PGN
Struggling to Disconnect From Our Digital Lives
NYTimes
Steep Discounts a Boon for Customers, but a Gamble for Start-Ups
NYTimes
Mark Karpeles, Chief of Mt. Gox Bitcoin Exchange, Arrested in Tokyo
NYTimes
UK peer calls for universal Internet delete button, may also want unicorns
Ars Technica
Why Consumers Should Tread Carefully with Samsung Galaxy's Price Cut?
NYTimes
Siri's new voice, new name: Comey
James Cook via Henry Baker
CISA could 'sweep away' Internet users' privacy
Sam Thielman
'Hack Back' NACK
Grant Gross
Stolen Consumer Data Is a Smaller Problem Than It Seems
NYTimes
Vehicular connectivity system vulnerabilities may be far more widespread than Fiat Chrysler Jeep
Reuters
Re: Space Ship Two crash investigation results
Peter Bernard Ladkin
Re: Why you shouldn't trust your Intel/AMD/ARM chips
Bob Eager
Re: GW 9525 EASA crash report
Dick Mills
Re: Windows 10 and Wifi Sense
David Damerell
Re: Windows XP: Embedded systems, what fun...
Geoff Kuenning
Re: Don't bring your drones to New Zealand
Richard A. O'Keefe
Info on RISKS (comp.risks)

Lottery chief resigns in scandal

Henry Baker <hbaker1@pipeline.com>
Mon, 03 Aug 2015 08:08:46 -0700
https://en.wikipedia.org/wiki/Dual_EC_DRBG

"one of the numbers in the winning combination appeared on TV screens before
it was actually drawn"

Quantum entanglement may be implicated...

https://en.wikipedia.org/wiki/Alain_Aspect
http://bigstory.ap.org/article/4b23b095df6345dfaaa993192ce8ab93/serbia-lottery-chief-resigns-live-ticket-draw-scandal

Serbia lottery chief resigns in live ticket draw scandal
Jul. 30, 2015 12:27 PM EDT

BELGRADE, Serbia (AP) The head of Serbia's state lottery resigned on
Thursday following allegations of fraud during a live ticket draw this week.

In a live broadcast Tuesday evening, one of the numbers in the winning
combination appeared on TV screens before it was actually drawn.  That
sparked accusations that the numbers had been chosen in advance.

The State Lottery has denied fraud and blamed the incident on a "technical
mistake."  The company head, Aleksandar Vulovic, said Thursday that he was
stepping down out of "moral obligation."

"The draw was completely in accordance with the rules and the company abides
by the law," the state lottery said in a statement.

Police said lottery employees who worked during the draw will undergo a lie
detector test, while computers and other equipment have been impounded.
Police said they have questioned six people in the scandal.

The lottery is very popular in Serbia, a Balkan country with a poor economy
and widespread corruption.


Doctors Still In the Dark After Electronics Records Hack Exposes Data on 4 Million

Lauren Weinstein <lauren@vortex.com>
Sat, 1 Aug 2015 18:25:17 -0700
Security Ledger via NNSquad
https://securityledger.com/2015/07/doctors-still-in-the-dark-after-electronics-records-hack-exposes-data-on-4-million/

  Four million patients of more than 230 hospitals, doctors offices and
  clinics had patient data exposed in a May hack of Fort Wayne, Indiana firm
  Medical Informatics Engineering (MIE) and its NoMoreClipBoard electronic
  health records system, according to the Indiana Attorney General.  The
  breach affected 3.9 million people in total, 1.5 million in Indiana alone,
  almost a quarter of the state's population, according to a statement by
  the Indiana Attorney General's Office. The breach affects healthcare
  organizations from across the country.  Healthcare providers ranging from
  prominent hospitals to individual physicians' offices and clinics are
  among 195 customers of the NoMoreClipBoard product that had patient
  information exposed in the breach.  However, more than a month after the
  breach was discovered, some healthcare organizations whose patients were
  affected are still waiting for data from EMI on how many and which
  patients had information exposed, the Security Ledger has learned.  "We
  have received no information from MIE regarding that," said a spokeswoman
  for Fort Wayne Radiology Association, one of hundreds of healthcare
  organizations whose information was compromised in the attack on MIE.
  Calls and e-mail messages seeking comment from EMI were not returned.


Google Cloud Platform to Let Customers Control Encryption Keys

Lauren Weinstein <lauren@vortex.com>
Tue, 28 Jul 2015 15:40:52 -0700
DataCenterKnowledge via NNSquad

http://www.datacenterknowledge.com/archives/2015/07/28/google-cloud-platform-to-let-customers-control-encryption-keys/

  Now, the "Customer-Supplied Encryption Keys" feature allows customers to
  use their own encryption keys as a free beta feature, providing customers
  more control around their data security, as long as they are able to
  securely store the encryption key.  "With Customer-Supplied Encryption
  Keys, we are giving you control over how your data is encrypted with
  Google Compute Engine," Leonard Law, product manager forGoogle Cloud
  Platform for Enterprise, wrote in a blog post. "Keep in mind, though, if
  you lose your encryption keys, we won't be able to help you recover your
  keys or your data - with great power comes great responsibility!"


Counterterrorism expert says it's time to give companies offensive cybercapabilities

Lauren Weinstein <lauren@vortex.com>
Mon, 3 Aug 2015 16:44:36 -0700
IT World via NNSquad
http://www.itworld.com/article/2956115/counterterrorism-expert-says-its-time-to-give-companies-offensive-cybercapabilities.html

  The U.S. government should deputize private companies to strike back
  against cyberattackers as a way to discourage widespread threats against
  the nation's businesses, a former government official says.

Not just an idiot, but an incredibly dangerous idiot.


Nice item on Going Dark (Nick Weaver)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 4 Aug 2015 9:41:15 PDT
http://www.lawfareblog.com/iphones-fbi-and-going-dark


Struggling to Disconnect From Our Digital Lives

Monty Solomon <monty@roscom.com>
Sun, 2 Aug 2015 19:16:34 -0400
The more time we spend swimming in digital waters, the shallower our
cognitive capacity becomes and the less control we have of our attention.

http://www.nytimes.com/2015/08/01/business/dealbook/struggling-to-disconnect-from-our-digital-lives.html


Steep Discounts a Boon for Customers, but a Gamble for Start-Ups

Monty Solomon <monty@roscom.com>
Sat, 1 Aug 2015 17:55:16 -0400
As new tech companies spend huge amounts to lure customers with deals, it's
a great time to be a consumer.  But can these companies ever turn a profit?

http://www.nytimes.com/2015/07/30/technology/personaltech/steep-discounts-a-boon-for-customers-but-a-gamble-for-start-ups.html


Mark Karpeles, Chief of Mt. Gox Bitcoin Exchange, Arrested in Tokyo

Monty Solomon <monty@roscom.com>
Sun, 2 Aug 2015 19:15:24 -0400
The police said they believed Mr. Karpeles had manipulated transaction
records on a computer system that Mt. Gox used to swap Bitcoins for dollars.

http://www.nytimes.com/2015/08/02/business/dealbook/mark-karpeles-mt-gox-bitcoin-arrested.html


UK peer calls for universal Internet delete button, may also want unicorns

Lauren Weinstein <lauren@vortex.com>
Mon, 3 Aug 2015 09:11:43 -0700
http://arstechnica.com/tech-policy/2015/08/uk-peer-calls-for-universal-internet-delete-button-may-also-want-unicorns/

  In an interview with the Irish Examiner, Baroness Kidron was tackled this
  point. "The question of how they know you are a child is a torturous
  question," she told the paper. "There are plenty of companies that work on
  anonymous verification and there are ways websites can know that a kid is
  a kid without knowing who they are." Essentially, then, the good Baroness
  believes in techno-magic: those clever geeks will come up with some
  unspecified system that can work out a young person's age to the nearest
  day--or month, or year, depending on your gullibility--without even
  knowing who they are.  That's merely one technical reason why the system
  will be impossible to implement. Another is because of legal issues. Last
  week, Google politely but firmly refused to extend the so-called "right to
  be forgotten" from Europe to the whole world. As it wrote on its blog, "We
  believe that no one country should have the authority to control what
  content someone in a second country can access."  Other Internet companies
  are likely to agree with that viewpoint, which means that at best they
  might block access to a young person's post for visitors from the UK, or
  possibly in Europe, but it would still exist for users in other countries
  (and for those who connect via VPNs, of course).

Dangerous pandering politicos.


Why Consumers Should Tread Carefully with Samsung Galaxy's Price Cut?

Monty Solomon <monty@roscom.com>
Sat, 1 Aug 2015 17:52:26 -0400
Samsung is reducing the price of its Galaxy S6 mobile phone. That doesn't
necessarily mean that buyers should rush in.

http://bits.blogs.nytimes.com/2015/07/30/why-consumers-should-tread-carefully-with-samsung-galaxys-price-cut/


Siri's new voice, new name: Comey (James Cook)

Henry Baker <hbaker1@pipeline.com>
Mon, 03 Aug 2015 16:46:31 -0700
Comey voice: "You have reached the telephone of John Doe.  Please leave a
detailed message so that we may get track to you."

[No iWarrants necessary.]

Although the NSA politely refused comment on the Apple announcement,
Adm. Michael Rogers was seen to be giving a high five to Mr. Comey.

http://www.businessinsider.com/apple-siri-voicemail-transcription-service-2015-8

Apple is preparing to launch a voicemail service that will use Siri to
transcribe your messages

James Cook  Aug. 3, 2015, 5:51 AM

Apple employees are testing a voicemail service that uses Siri to answer
your calls and transcribe voicemail messages.  Apple's iCloud service will
then send you the text of the transcribed voicemail—meaning you will
never need to listen to your voicemails again, sources tell Business
Insider.  The new service is being prepared for launch in 2016, we hear.

Apple's proposed solution is both incredibly simple and incredibly clever:
People like to leave voicemails (it's often quicker to orally deliver your
information than it is to type it in a text message).  But they don't like
to receive voicemails (it's a lot quicker to read a text than it is to
listen to the person talking to you).  The new product will also bridge a
generation gap: Older users like voicemails.  Young people do not.

We first heard about Apple employees using a new kind of voicemail service
several weeks ago.

Here is how it works: When someone using iCloud Voicemail is unable to take
a call, Siri will answer instead of letting the call go to a standard
digital audio recorder.

iCloud Voicemail can relay information about where you are and why you can't
pick up the phone to certain people.  But the coolest feature of the service
is that Siri will transcribe any incoming voicemails, just as it does with
anything else you say to it.

Here's what it looks like at the moment when Siri transcribes something you
say into text:

http://static3.businessinsider.com/image/55bf3a6add0895fa668b4682-800-250/fullsizerender.jpg

Apple sends voice data to company servers, where Siri converts the words
spoken into text.  iCloud Voicemail will presumably function in the same
way, sending the raw voicemails to Apple, and Siri will then transcribe them
and make them available on your iPhone.

Siri is already going to be upgraded in iOS 9, Apple's coming mobile
operating system.  It will be able to search within applications and predict
what you want to do.  Clearly, Apple is focusing on its virtual assistant,
and iCloud Voicemail will be another part of what it can do.

Multiple Apple employees are testing iCloud Voicemail.  Business Insider
understands that the service is scheduled to be released in 2016 if it works
reliably enough, presumably with the iOS 10 mobile operating system.

Apple has already launched products that stray into the domain of mobile
phone network and wireless service providers.  It quietly launched Apple SIM
in 2014, which lets customers switch between networks easily, all through
the device.  There has been continued speculation that Apple may want to
become its own mobile virtual network operator.  (An MVNO rents bandwidth
from traditional wireless service suppliers and bills customers who go
through it.)  iCloud Voicemail would replicate something that carriers
already do.  Another incentive for Apple to launch its own carrier network
would be to compete with Google. Google is operating its own service, but
only through its Nexus 6 smartphone.


CISA could 'sweep away' Internet users' privacy

Henry Baker <hbaker1@pipeline.com>
Tue, 04 Aug 2015 07:50:19 -0700
"the bill that would give participants in the proposed information-sharing
program immunity not just from prosecution, but from regulatory action"

Sam Thielman, *The Guardian*, 3 Aug 2015
Homeland Security admits Cybersecurity Information Sharing Act raises
concerns while corporations and data brokers lobby for bill as it returns to
Senate
http://www.theguardian.com/world/2015/aug/03/cisa-homeland-security-privacy-data-internet

The Department of Homeland Security (DHS) on Monday said a controversial new
surveillance bill could sweep away `important privacy protections', a move
that bodes ill for the measure's return to the floor of the Senate this
week.

The latest in a series of failed attempts to reform cybersecurity, the
Cybersecurity Information Sharing Act (Cisa) grants broad latitude to tech
companies, data brokers and anyone with a web-based data collection to mine
user information and then share it with `appropriate Federal entities',
which themselves then have permission to share it throughout the government.

Minnesota senator Al Franken queried the DHS in July; deputy secretary of
the department Alejandro Mayorkas responded today that some provisions of
the bill `could sweep away important privacy protections' and that the
proposed legislation `raises privacy and civil liberties concerns'.

Much of the attention on Cisa has been directed at companies such as Google,
Facebook and Comcast, which have large hoards of Internet user behavior.
But arguably more important are data brokers.  Among the groups lobbying for
the passage of Cisa are Experian, which tracks consumer trends using
information from loyalty cards and other sources and licenses the
information to help target advertising; Oracle, whose Data Cloud product
works similarly; and Hitrust, which aggregates healthcare information.

The paragraph generating the most concern can be found in section 4 of the
bill: [a] private entity may, for cybersecurity purposes, monitor A) the
information systems of such a private entity; B) the information systems of
another entity, upon written consent of such other entity and D) information
that is stored on, processed by, or transiting the information systems
monitored by the private entity under this paragraph.

Debate on the bill could start on Wednesday with a vote on Thursday.

Privacy concerns are already significant in the private sector, where the
use of personal data at scale is largely unregulated.  “With respect to
data brokers that sell marketing products, the Commission recommends that
Congress consider legislation requiring data brokers to provide consumers
access to their data, including sensitive data held about them, at a
reasonable level of detail, and the ability to opt out of having it shared
for marketing purposes,'' wrote the FTC in a whitepaper titled Data Brokers:
A Call for Transparency and Accountability last May.  Such legislation has
been introduced, but is repeatedly referred to committee.

https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf

Data brokers are anxious to avoid losing the ability to aggregate vast
quantities of personal data - the sale and licensing of consumer databases
is a lucrative practice, as web advertising booms and TV advertising becomes
more sophisticated.

It's also a practice that prefers not to disclose exactly what information
it is holding.  Mike Seay, an Illinois man whose child died the year
previous, received in 2014 a junk mail flier from OfficeMax addressed to
“Mike Seay, Daughter Killed in Car Crash'' (this was indeed how his
17-year-old daughter had died).

Cisa's mandate would seem to cover the publicly used interfaces of the
health insurers and banks—including SunTrust, Prudential, American
Express, Aflac and Bank of America—that lobbied on the bill.

Drew Mitnick of digital advocacy organization Access Now pointed to language
in the bill that would give participants in the proposed information-sharing
program immunity not just from prosecution, but from regulatory action.
“The transparency requirement is so narrow that, if you met the
requirements within the bill to get protection, it would give [participating
companies] broad range to collect data and then send it to the government.''

Lobby group the Financial Services Roundtable (FSR) on Monday launched an
advertising campaign, stopcyberthreats.com, aimed at tackling an online
campaign by privacy activists who have dubbed Cisa `the Darth Vader bill'
and are worried by the sweeping legal immunity corporations will receive
under Cisa.

If the bill were to pass and enough of those companies were to cooperate
with any given agency, the amount of information floating free within the
federal government could easily extend to credit card histories (collected
by data miners at Argus), lists of goods purchased (aggregated from customer
loyalty cards by companies including Acxiom and Experian), and healthcare
records (tracked by insurers).

Credit check giant Experian said that the company would like to see the
legislation pass.  “Experian supports legislation that would facilitate
greater sharing of cyberthreat information among appropriate private and
government entities,'' said a company spokeswoman in a statement to the
Guardian.  “Such sharing arrangements, under parameters set by law, could
improve our mutual efforts to better detect and respond to emerging cyber
threats.''

The company also laid the duty to walk the knife's edge between citizens'
information security and their personal safety at the feet of their elected
officials.  “Congress has the responsibility to balance the need for
facilitating greater information sharing, and thereby enhancing cyber
security, with important consumer privacy concerns. We encourage and support
Congress' effort in striking this balance.''


'Hack Back' NACK (Grant Gross)

Henry Baker <hbaker1@pipeline.com>
Tue, 04 Aug 2015 08:05:45 -0700
http://www.kattenstoet.be/en/page/497-510/cat-torturing-in-the-middle-ages.html

Once again, people who live in glass houses shouldn't be throwing anything,
much less rocks.  Focusing on fixing vulnerabilities is like building a
“10-foot wall at the price of $1 million around your complex,'' he added.
Then, [the criminals] “go out and purchase a 15-foot ladder for $30.''

And when you can't find the criminals, the alternative is?

“When you decide you're going to breach territorial jurisdiction and go
after someone, you have opened up a can of worms which is well beyond the
scope of your threat,'' Rogers added.

I never thought I would agree with Mike Rogers on anything!

Grant Gross, IT World, 3 Aug 2015
Counterterrorism expert says it's time to give companies offensive
cybercapabilities
http://www.itworld.com/article/2956115/business/counterterrorism-expert-says-its-time-to-give-companies-offensive-cybercapabilities.html

The U.S. government should deputize private companies to strike back against
cyberattackers as a way to discourage widespread threats against the
nation's businesses, a former government official says.

Many U.S. businesses have limited options for defending their IP networks,
and the nation needs to develop more `aggressive' capabilities to discourage
cyberattacks, said Juan Zarate, the former deputy national security advisor
for counterterrorism during President George W. Bush's administration.  The
U.S. government should consider allowing businesses to develop “tailored
hack-back capabilities,'' Zarate said Monday at a forum on economic and
cyberespionage hosted by think tank the Hudson Institute.  The U.S.
government could issue cyberwarrants, giving a private company license “to
protect its system, to go and destroy data that's been stolen or maybe even
something more aggressive,'' he added.  Zarate, now a senior counselor
focused on sanctions at antiterrorism think tank the Foundation for Defense
of Democracies, called for better cybersecurity tools as well, but suggested
a new way of thinking about the tools “that not only puts us on the
defensive, but also on the offensive.''

Also:
http://hudson.org/research/11408-cyber-enabled-economic-warfare-an-evolving-challenge
https://s3.amazonaws.com/media.hudson.org/files/publications/2015.08CyberEnabledEconomicWarfareAnEvolvingChallenge.pdf


Stolen Consumer Data Is a Smaller Problem Than It Seems

Monty Solomon <monty@roscom.com>
Sun, 2 Aug 2015 19:15:06 -0400
It can easily feel as if no one's bank account or credit card is safe. But
for consumers, the effect is quite different from what the headlines suggest.

http://www.nytimes.com/2015/08/02/business/stolen-consumer-data-is-a-smaller-problem-than-it-seems.html


Vehicular connectivity system vulnerabilities may be far more widespread than Fiat Chrysler Jeep

"Bob Gezelter" <gezelter@rlgsc.com>
Sun, 02 Aug 2015 21:33:15 -0700
Reuters is reporting that the mobile interfaces found to be vulnerable to
recently reported remote control exploits in Fiat Chrysler Jeep vehicles may
also be present in other manufacturers' vehicles. Apparently, the vendor who
produced the systems has other automotive customers.  This incident
highlights the need for integral firewalls when constructing remote access
mechanisms for network connected devices. This is not a problem limited to
vehicular electronics, it is present a large number of devices that are
network-enabled (e.g., IoT).  The complete Reuters article is at:
http://www.reuters.com/article/2015/07/31/us-fiat-chrysler-hacking-regulator-idUSKCN0Q525U20150731
- Bob Gezelter, http://www.rlgsc.com


Re: Space Ship Two crash investigation results (Macintyre, R-28.83)

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Mon, 3 Aug 2015 14:47:10 +0200
In Risks 28.82, Alister Macintyre writes about the NTSB public hearings on
the accident to SpaceShipTwo (SS2). The NTSB customarily presents the
provisional findings, statement of probable cause, and any safety
recommendations they have made or will make. Presentations are made by
investigators and comments are received. Little to no written reasoning is
given, but matters may be verbally discussed. The final report appears
typically months later.

The NTSB's summary of what happened is succinct. There are twin tail booms
on SpaceShip2 with aerodynamic surfaces ("feathers"). Booms with feathers
are actuated during reentry to maintain the craft in the design position for
aerodynamic braking and heat dispersion. Normal position of both booms is
nominally 0° and when activated they rise to 60°. After
release from the carrier aircraft, the rocket is fired up and SS2
accelerates nearly vertically. The booms are locked until the difficult
transsonic flight regime is passed, and they are unlocked at about Mach 1.4,
to ensure they remain ready for deployment when needed somewhat later. But
the pilot flying unlocked them while still transsonic, below Mach 1. The
actuators aren't able alone to hold the booms in place against the
aerodynamic forces during this flight phase and the booms deployed. And the
spacecraft broke. That is, as techies say, its structural integrity was
compromised.

The NSTB largely fingered - or aims to finger - weaknesses in the hazard
analysis (HazAn) involving human factors (HF). The point being that there
was a event with catastrophic effect (technical term) subject to a single
point of failure, namely the human error involved in unlocking too
early. Shouldn't be so, they suggest rightly, and say what weaknesses there
are in the HazAn process and the assessment process of release to flight
which might have allowed this feature to escape sufficient attention.

But Macintyre speaks of "cut corners" and various other deprecations. I
strongly disagree with any such suggestions. Getting a HazAn right is very
tricky, especially on novel equipment such as this. I don't see evidence for
anything like that at this stage. To the contrary, I see people doing a very
hard and novel job, largely succeeding, and finding out in the hardest way
possible where they need to do better.

I say more at http://www.abnormaldistribution.org/2015/08/03/the-accident-to-spaceship-two/

Prof. Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
www.rvs.uni-bielefeld.de www.causalis.com


Re: Why you shouldn't trust your Intel/AMD/ARM chips (RISKS-28.83)

Bob Eager <news0005@eager.cx>
3 Aug 2015 09:41:09 GMT
Hagelin was around in about 1924, and tried to sell his ealy machine to the
US and the UK. They weren't interested so he sold it to the Germans.

BTW...that early machine was replicated in software for the original UNIX
'crypt'. There are arrays called wheel1, wheel2 (or similar).


Re: GW 9525 EASA crash report

Dick Mills <dickandlibbymills@gmail.com>
Mon, 3 Aug 2015 10:52:01 -0400
"... so there is an apparent need for a better balance between privacy of
the individual, and ..."

I've heard some variant of the above statement almost every day of my adult
life.  Erosion is the appropriate word when applied to privacy.  Each
"balance" chips away at it.  Thus, are mighty mountains eroded to mere dust.

After 50 years of struggle, I'm ready to throw in the towel.  Defense of
individual privacy is utterly pointless.


Re: Windows 10 and Wifi Sense

David Damerell <damerell@chiark.greenend.org.uk>
Mon, 03 Aug 2015 16:51:58 +0100
> What could possible go wrong?

A great deal, but one thing could possibly go right. This will, at a stroke,
ensure essentially every domestic user has plausible deniability for use
made of their Internet connection.

If a company's business model is to sue a small subset of the people who've
infringed copyright in some trivial fashion for wildly disproportionate
sums, this ought to nicely cut them off at the knees; and any idea of
legislating equally draconian penalties for third-party use of one's
wireless will, I hope, also become unfeasible when that turns out to include
basically everyone.

It also might, I hope, reduce the utility of ubiquitous snooping by the
security services - not just from plausible deniability but because it
really won't be that easy to tie an IP address to a person or household.  --
David Damerell <damerell@chiark.greenend.org.uk> Kill the tomato!  Today is
Tuesday, July.  Tomorrow will be Wednesday, July.


Re: Windows XP: Embedded systems, what fun...

Geoff Kuenning <geoff@cs.hmc.edu>
Sun, 02 Aug 2015 23:53:30 -0700
I still run XP (admittedly, it's in a virtual machine that doesn't respond
to the Internet and is relatively little used).  Why?  Well, Vista didn't
offer that much of an improvement.  Then everybody said Windows 7 sucked, so
no sense in upgrading to that.  I tried installing Windows 8 in a fresh VM
and found its UI changes so annoying that I shut the thing down and haven't
rebooted it.  Windows 9 was so bad that Microsoft didn't even release it.
And this very issue of RISKS lists severe (to be mild) privacy problems with
10.

I suspect a lot of consumers are of the same mind: XP works well enough for
them, and what they hear from their friends who have bought new computers
with Vista/8/10 is scary.  As for enterprises, those significant UI and
other changes make the cost of upgrading extremely high.

In my experience, software developers--especially young ones--rarely grasp
the cost of discarding backwards compatibility.  They're so focused on "new"
and "shiny" and "fancier" that they forget to consider whether it "works".


Re: Don't bring your drones to New Zealand (Risks 28.82)

"Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Mon, 3 Aug 2015 17:17:08 +1200
It is said that hard cases make bad laws.  The New Zealand
"Civil Aviation Rules, part 102" can be found at
www.caa.govt.nz/rules/Rule_Consolidations/Part_102_Consolidation.pdf

There's certainly a "hard cases" issue here.  According to
http://www.stuff.co.nz/technology/gadgets/70493842/drone-operators-may-need-flying-permits-under-new-rules.html
the number of reported drone incidents was
2012: 3, 2013: 9, 2014: 27, 2015 (FIRST HALF): 53.

Combine that with the fact that the present government is strongly
pro-business, and they want to *allow* more businesses to use more drones
for more things, and the fact that previously drones were governed by part
101, which can be found at
https://www.caa.govt.nz/rules/Rule.../Part_101_Consolidation.pdf, and covers
things like model aircraft and kites, and the badness of the new regulations
is a little less clear-cut than might at first appear.

For example, under the old regulations, it was forbidden to
operate a "remotely piloted aircraft"
- within 4km of an aerodrome
- above people who have not given consent
- above property without prior consent
- any higher than 400 feet (feet? we went metric a long time ago;
  what are *feet* doing in NZ law?) except with detailed prior notice
- if your view is obstructed
- at night
- that weights more than 25kg
- or that might drop anything that could do damage.

The really important thing is that the new rules DO NOT TAKE ANY OLD
PERMISSIONS AWAY.  Part 102 only applies to "a person who operates an
unmanned aircraft OTHER THAN in accordance with Part 101" or who wants an
operator certificate anyway.  Any way that you were previously allowed to
operate a drone, you still are.

The point of Part 102 is to *free things up* so that businesses can operate
bigger drones, make deliveries, fly higher, fly in the dark &c.  The
requirement for a pretty detailed "exposition" covering hazards, risks, and
mitigation schemes, would be far more onerous for hobbyists than the
certificate fee, but seem fair enough for a business.

I am not a lawyer.  (My father was, but my Ouija board blew a fuse when I
tried to install Windows 10.)  So my reading of these regulations is
definitely subject to correction by people with real knowledge in this area.
But just this once, it seems that when a government minister talked about
new rules being intended to *increase flexibility*, he may have been telling
the truth.

Oh, you may feel that requiring consent before operating above people and
property is a hard burden for hobbyists.  It may be so, but it is not a
burden introduced in Part 102.

Please report problems with the web pages to the maintainer

Top