There's a fairly scary history of past near-miss events on US offshore oil drilling facilities: http://www.theoildrum.com/node/6543 One of the points here is that the "Blow Out Preventer", the thing that apparently failed in April on the Deep Horizon drilling facility, is the absolute last line of defence - things should not get that bad. Yet on a number of previous occasions they did, implying that what happened this year was just statistics catching up: if you spend too much time living on the edge, eventually you fall off. Common causes which should be familiar to us all:
* Inadequate training of staff for them to properly understand the risks of their actions
* Failure of warning systems (lights, etc), failures that you don't notice while things are working normally, but which bite you when something does actually go wrong.
There was also one incident triggered by corrupted data transfer between "terminals", causing the drilling rig to get invalid information about where it should be, causing it to move. That is something where the blame can be laid directly at the door of us software developers. Checksums: they are there for a reason. Even basic CRC32 checks catch most problems, and while MD5 and SHA-1 checksums are starting to look cryptographically weak, they certainly catch data corruption.
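As an added illustration of the checksum point in the item above (example code, not part of the original submission): a constructed rig-position record is framed with a CRC32 trailer, and the receiver rejects any frame whose CRC does not match rather than acting on it. It also shows why a plain additive byte-sum checksum is weaker: transposing two bytes leaves the sum unchanged, while CRC32 still catches it. The record layout, field names and sample values are assumptions.

```python
import struct
import zlib

# Assumed wire format (constructed for this example): a 20-byte position
# record followed by a 4-byte big-endian CRC32 of the record.
RECORD = struct.Struct(">I d d")   # rig id, easting (m), northing (m)
TRAILER = struct.Struct(">I")      # CRC32 of the 20-byte record
FRAME_LEN = RECORD.size + TRAILER.size


def frame_position(rig_id, easting, northing):
    """Sender side: pack the record and append its CRC32."""
    payload = RECORD.pack(rig_id, easting, northing)
    return payload + TRAILER.pack(zlib.crc32(payload) & 0xFFFFFFFF)


def parse_position(frame):
    """Receiver side: return (rig_id, easting, northing), or None if the
    frame is truncated or its CRC32 does not match the payload."""
    if len(frame) != FRAME_LEN:
        return None
    payload, trailer = frame[:RECORD.size], frame[RECORD.size:]
    if zlib.crc32(payload) & 0xFFFFFFFF != TRAILER.unpack(trailer)[0]:
        return None   # corrupted in transit: do not move the rig on this data
    return RECORD.unpack(payload)


def additive_checksum(data):
    """A naive byte-sum checksum, shown only to contrast with CRC32."""
    return sum(data) & 0xFFFFFFFF


def flip_bit(frame, byte_index, bit):
    """Simulate a single-bit transmission error."""
    b = bytearray(frame)
    b[byte_index] ^= 1 << bit
    return bytes(b)


def swap_bytes(frame, i, j):
    """Simulate a byte transposition error."""
    b = bytearray(frame)
    b[i], b[j] = b[j], b[i]
    return bytes(b)


if __name__ == "__main__":
    good = frame_position(7, 512345.5, 6812345.25)   # constructed values
    print("intact   :", parse_position(good))
    print("bit flip :", parse_position(flip_bit(good, 6, 0)))
    swapped = swap_bytes(good, 0, 3)   # transposes bytes of the rig id
    print("byte swap:", parse_position(swapped))
    print("byte-sum unchanged by swap:",
          additive_checksum(swapped[:RECORD.size])
          == additive_checksum(good[:RECORD.size]))
```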
An interesting suite of articles is in *The New York Times*, 7 Jun 2010. http://www.nytimes.com/2010/06/07/technology/07brain.html?hp The articles' basic question is whether the wide abundance of electronic devices, particularly those requiring some degree—however small—of interaction, has led to fleeting attention spans and high degrees of ineffective multitasking. Studies are cited in the article that indicate that those who are addicted to computers, iPads, iPhones, iPod Touches, electronic games, &c are not only spending 10 or more hours per day hooked into devices, but are easily distracted, not at all efficient in changing from one task to another (despite their feeling that they are effective at multitasking) and prone to letting big things fall through the cracks. Their lead example in the main article is a hooked-up entrepreneur who missed an e-mail that offered to buy out his business, finding it only after the passage of several days. There's an online 'test' feature in the sidebar to 'test your focus' and ability to juggle tasks. Not a pretty result, that, but it is motivated by the growing number of people whose home computers have multiple CRTs, some of which are dedicated to e-mail, instant messaging, and social media, another to newsfeeds and such, and a third that could be dedicated to work -- in the case of the entrepreneur it's his programming environment. Beside him, he has his headphones, iPhone and iPad. His wife, also addicted, can't even make it through preparing a meal without having something burn and, in one case, failing several times to prepare and cook a pastry.
> Is the article anywhere near being accurate in representing a growing problem? How significant is the threat posed by electronic media addiction?
We've all seen multiple people at the same table in restaurants—or in joint sessions of Congress—with their thumbs flying on Blackberries and even generic cellphones.
Fatal accidents caused by texting and other electronic diversions (e.g., resetting GPS on the fly) are on the increase. We drove past a motorcyclist on the Interstate a couple of days ago, who was typing into a device with a monitor (I think it was a laptop) while he was 'driving' his bike (he was in the middle lane).
<http://www.firehouse.com/news/top-headlines/software-failure-linked-minn-womans-death> Software Failure Linked to Minn. Woman's Death; The woman died aboard a Red Wing, Minnesota, Fire Department ambulance on 22 Apr 2010, 3 Jun 2010 An ongoing investigation has revealed that a software glitch likely led to a woman's death aboard a fire department ambulance on 22 Apr 2010, according to *The Pierce County Herald*. Janice Hall was being transported to Minneapolis when the ambulance's onboard oxygen system unexpectedly quit, killing her, a Dakota County Medical Examiner's report states. Red Wing Fire Chief Tom Schneider told the newspaper that the system "spontaneously shut itself off." The friend who sent this was a paramedic in decades past, and wondered why O2 flow would ever be run by anything more complex. I had no answer for that. [O2 = Medical oxygen; by mask or nasal cannula, but these would have been masks.]
The June 2010 issue of "The Railway Magazine" includes an article about the systems used to keep track of locomotives and train cars in Great Britain. In 1973, British Rail adopted a system called TOPS (Total Operations Processing System), which had been originated by the Southern Pacific Railroad in the US and allowed the location of every car to be tracked. But when they got this going, they found that "phantom" freight cars would keep appearing and disappearing in the system. Investigation revealed that the cars involved were always ones with wooden sides, and when the wood had to be repaired, sometimes the repairmen would take a plank from one car and reuse it on another -- not realizing that they should not do this *if the plank was the one with the car number painted on it*! As it was, some cars had no number at all and others had different numbers in different places.
I have a topper for all those GPS stupidity stories. [Source: Sarah Jacobsson, 3 Jun 2010] http://www.itbusiness.ca/it/client/en/home/news.asp?id=57836 Woman who 'didn't know how to look both ways before crossing street' sues Google for bad directions. She said it was dark, she had never been to the area before, and didn't know how to look both ways before crossing the street. And now Lauren Rosenberg has gone to court, blaming Google Maps for bad directions.
[From Dave Farber's IP distribution. PGN] Malware embedded into legitimate-looking games designed for Windows Mobile has appeared, automatically dialing up foreign telephone services to ring up hundreds of dollars in illicit charges for users behind their backs. ... ... Critics have chafed at Apple's secure software signing model and have praised Google's alternative Android model, which enables users to download software from any source, without any security model in place, at their own risk. The appearance of malware on Windows Mobile is particularly interesting because the motivation of this assault was entirely financial. That being the case, the fact that the malicious developers targeted Windows Mobile, which is almost entirely limited to the US and now trails Symbian (42%), RIM (21%), and Apple's iPhone OS (15%) in market share (9% over the last year), throws decades of Windows-based punditry on its head because "malicious hackers" supposedly only target the largest platform.
iPhone security features deter malware
Just the fact that Apple has a real security policy in place for iPhone mobile software in its iTunes App Store serves as a strong deterrent for rogue developers from even attempting to distribute malicious iPhone OS software like the tainted games discovered for Windows Mobile. Jim Finkle, writing for Reuters, claimed that "hackers are increasingly targeting smartphone users as sales of the sophisticated mobile devices have soared with the success of Apple Inc's iPhone and Google Inc's Android operating system," but in reality, any attacks aimed at iPhone users are not software based expressly because of Apple's strict security policy, and must be limited to social engineering exploits that prey upon people directly, rather than infecting their devices with malware.
Android users (just like Mac and Windows users) have no similar security protection in place, and should be very careful about downloading software, even from legitimate-appearing websites. Unlike desktop malware, which is somewhat limited in the scope of damage it can cause, mobile malware has the ability to rapidly run up very expensive mobile bills for weeks before the user is likely to even notice a problem. http://www.appleinsider.com/articles/10/06/04/expensive_malware_appears_for_microsofts_windows_mobile.html http://www.reuters.com/article/idUSTRE6535TS20100604
[From Dave Farber's IP distribution. PGN] http://news.bbc.co.uk/2/hi/uk_news/politics/8707355.stm ID card scheme 'axed in 100 days' The National Identity Card scheme will be abolished within 100 days with all cards becoming invalid, Home Secretary Theresa May has said. Legislation to axe the scheme will be the first put before parliament by the new government - with a target of it becoming law by August. The 15,000 people who voluntarily paid 30 pounds for a card since the 2009 roll out in Manchester will not get a refund. Ms May said ID card holders would at least have a "souvenir" of the scheme.
TIMELINE
# July 2002: Plans unveiled
# November 2004: ID cards bill
# March 2006: Act becomes law
# November 2009: Cards available
# May 2010: Scheme scrapped
The Labour scheme was aimed at tackling fraud, illegal immigration and identity theft - but it was criticised for being too expensive and an infringement of civil liberties. The cards were designed to hold personal biometric data on an encrypted chip, including name, a photograph and fingerprints. The supporting National Identity Register was designed to hold up to 50 pieces of information. The cards already in circulation will remain legal until Parliament has passed the legislation to abolish them and the register. The short abolition bill will be pushed through Parliament as quickly as possible with the aim of cards being invalid by 3 Sep. Anyone who has a card or has to deal with them, such as airport security officials, will be told the termination date in writing. Once the cards are illegal, the National Identity Register will be "physically destroyed", say ministers. Some 60 people who were working on the scheme for the Identity and Passport Service in Durham have lost their jobs. Ms May said: "This bill is a first step of many that this government is taking to reduce the control of the state over decent, law-abiding people and hand power back to them.
With swift Parliamentary approval, we aim to consign identity cards and the intrusive ID card scheme to history within 100 days." Officials are renegotiating two contracts worth 650M pounds with companies who had agreed to deliver parts of the scheme. It's not clear how much the government will need to pay compensation, but officials say there is no "poisoned pill" in the deals and they expect to save 86M pounds once all exit costs are met. [...]
[An official Chinese government document. TNX to Paul Saffo; PGN-ed] http://www.chinadaily.com.cn/china/2010-06/08/content_9950198_7.htm Internet security is a prerequisite for the sound development and effective utilization of the Internet. Internet security problems are pressing nowadays, and this has become a problem of common concern in all countries. China also faces severe Internet security threats. Effectively protecting Internet security is an important part of China's Internet administration, and an indispensable requirement for protecting state security and the public interest. The Chinese government believes that the Internet is an important infrastructure facility for the nation. Within Chinese territory the Internet is under the jurisdiction of Chinese sovereignty. The Internet sovereignty of China should be respected and protected. Citizens of the People's Republic of China and foreign citizens, legal persons and other organizations within Chinese territory have the right and freedom to use the Internet; at the same time, they must obey the laws and regulations of China and conscientiously protect Internet security. The remaining sections are
* Protecting Internet security in accordance with the law
* Secure information flow
* Combating computer crime in accordance with the law
* Opposing all forms of computer hacking
According to incomplete statistics, more than one million IP addresses in China were controlled from overseas in 2009, 42,000 websites were distorted by hackers, 18 million Chinese computers are infected by the Conficker virus every month, about 30% of the computers infected globally. ... [18M computers Re-Confickered? I wonder how many of those are pirated systems that were never updated. PGN]
[From NNSquad.org] The Chinese government has just released a white paper covering a wide range of topics related to their view of the Internet. It is *very* much recommended reading. Since this paper apparently was only released officially as a number of separate HTML pages, I have converted and combined them into a single PDF document for ease of handling, and am hosting the file locally. "The Internet in China" (Single PDF file): http://bit.ly/bGsTBK (Lauren's Blog) Original HTML version: http://bit.ly/cDglKq (China.org.cn)
[Nice testimony on the ineffectuality of govt IDs and Internet identity verification. PS] [Source: Yoo Jee-ho, Lee Young-jong, Joongan Daily, 2 Jun 2010; PGN-ed] http://joongangdaily.joins.com/article/view.asp?aid=2921288p North Korean defectors yesterday rallied at the Chinese Embassy in Seoul to criticize China's shielding of the North in the Cheonan case. North Korean hackers are using identity information purloined from South Koreans -- including their resident registration numbers - to post diatribes on local message boards accusing the government of fabricating the probe results into the sinking of the warship Cheonan. An intelligence source said yesterday North Korean hackers recently bombarded a message board at a South Korean online community site with posts claiming the government had made up the accusation against Pyongyang. The source said the hackers have obtained personal information through various channels and their servers were likely based in Beijing. In order to write messages on Web portals in South Korea, one must be a registered user, and the 13-digit resident registration numbers are required for membership. The hackers have tracked down those numbers and corresponding names, and used them to open accounts on Web sites, the source said. Authorities have been trying to crack down on rumors that the results of the probe into the Cheonan sinking were fabricated and used by Seoul to disgrace North Korea. Several netizens and left-leaning activists have been detained for questioning for allegedly spreading such rumors. On May 20, a multinational team of experts concluded North Korea attacked the Cheonan with a torpedo on March 26, killing 46 sailors on board. ... Last July, North Korea was accused of launching distributed denial of service, or DDoS, attacks that paralyzed key government and private Web sites in Seoul. Police in South Korea were busy yesterday trying to track down the origins of more rumors about the Cheonan sinking. 
Seoul police said yesterday about 300 postcard-sized printouts were distributed in Seongdong and Nowon districts in northeastern Seoul claiming the Cheonan probe was bogus and that the Grand National Party was ready to launch war.
Fairfax County (Virginia) police are writing 28% fewer tickets because their new computerized system takes so long to enter tickets. No surprise, but interesting that they're quantifying it and talking about it. It goes back to the old question: yes you CAN computerize it, but SHOULD you computerize it? http://www.washingtonpost.com/wp-dyn/content/article/2010/06/06/AR2010060603219.html
Yelp and other online sites and their cadre of amateurs have sent nervous ripples through the restaurant world [Source: Ike DeLorenzo, *The Boston Globe*, 2 Jun 2010; PGN-ed] Restaurant dining has new bookends. The experience often begins and ends with the Web. Before you go out, you find a good place to eat; after you dine, you post a review. Millions of diners are now civilian critics, letting Chowhound, Yelp, Citysearch, and others in on their recent meals. The domain of criticism was once the preserve of magazines and newspapers. This year has seen a flurry of activity for restaurant review sites, and for some new approaches to public critiques. Two big players - the biggest actually - want in on the action. Last week, Facebook began mailing door stickers to restaurants asking diners to "like'' (there's no "dislike'') and comment about restaurants with Facebook pages. Google recently launched Google Place Pages, also with door stickers, which allow diners with smartphones to point the camera at a bar code and instantly display a comments page. All of this is enough to make restaurateurs worry about every single diner. In the same way that travelers use various websites to find evaluations of hotels, diners are now turning to online food sites for advice on where to eat. As staggeringly fast as participation in food and restaurant websites has grown, so has the attention being paid to amateur critics. Comments and ratings from any one diner may, of course, be biased or even false. Many Internet pundits believe in something called "the wisdom of the crowd.'' The theory is that with many people commenting, you eventually get to the truth about a restaurant. As the public posts about the food, the service, the ambience, the bearnaise, the baguettes, a fuller and more accurate picture is supposed to evolve. The amateurs are not going away, which restaurateurs once might have hoped, and they are making chefs nervous.
Yelp, a social networking site where users post their own reviews, in March had 31 million unique visitors, up from 20 million a month last year. Since Yelp launched in 2004, 10 million reviews, mostly for restaurants, have been written. Similar sites also show strong growth. But because they hope to profit from what is submitted, these sites have goals that may be at odds with the restaurants, and even with the commenters. Yelp and its aspirants are in the business of making money by brokering information. But there are suggestions - well, allegations even - that the natural ratings that should result are being manipulated. Kathleen Richards, a reporter for *The East Bay Express* in Oakland, Calif., wrote a widely circulated story last year about Yelp's advertising and editorial practices. According to Richards, Yelp sales representatives would routinely cold-call Bay Area restaurants asking that they agree to a yearly contract to advertise on Yelp ($299 per month and up). Part of the pitch involved promises to remove bad Yelp reviews or move them off the main page. Richards also presented evidence that, in some cases, bad reviews had been written by the Yelp sales representatives themselves to force a sale. Failing to agree meant prominent bad reviews. ... http://www.boston.com/lifestyle/food/articles/2010/06/02/websites_such_as_yelp_and_citysearch_are_adding_to_the_pressure_put_on_restaurants_and_their_chefs_by_amateur_critics/
[Since] the article [appeared,] almost half of the back-log has been reviewed without finding anything. The tone of the article is shock-horror-outrage, but was anyone at risk of *suddenly* having a problem actually at risk—I assume that this test is part of a set and that it would rarely be the case that *only* this test found a *life-threatening* anomaly. It certainly seems that the hospital should make some changes to ensure that
a) Every test undertaken is analysed
b) Unnecessary tests aren't made.
Caveat: I assume that some tests are more cost-effective if they are made at the same time and that some of the tests do not need to be analysed if the other tests are negative. These tests lead to exceptions to rules a) and b) above (and I assume are lurking somewhere at the root of this case).
> The correct prize for an apparent $42.9 million slot machine jackpot
> that a Thornton woman hit at a Central City casino should have been
> $20.18, Colorado gaming regulators said ...
Well, that's $20.18 better than the last time this happened to someone. See my item "You have won $[2^32-1]/100, no wait, we mean nothing" in Risks-25.61.
The article about University of Reading scientist Mark Gasson infecting himself (or rather, his implanted RFID chip) with a computer virus pegs my bogometer. I've not been able to find any more details, though I did turn up the University's press release at the link below. I want to give Dr. Gasson the benefit of a doubt here. He's a senior research fellow at the University's Cybernetic Intelligence Research Group, so he *should* know better than this. However, the press release reads like a bad movie plot. "Once infected, the chip corrupted the main system used to communicate with it. Should other devices have been connected to the system, the virus would have been passed on." I'd think that for this to be at all possible, it would have to be a very specific attack against a particular vendor's hardware or RFID communication stack. The idea of an RFID chip infecting arbitrary equipment is about as believable as the virus Jeff Goldblum used to bring down the alien mothership in Independence Day. Press Release: http://www.reading.ac.uk/sse/about/news/sse-newsarticle-2010-05-26.aspx
In RISKS-26.07, Jeremy Epstein discusses the much-reported Lower Merion School District "spying via laptop" case. While I agree with most of what he says, he does say: "Cameras that give no reliable indication of when they're on". The "camera live" light on all Mac laptops - the machines involved here - appears to be hardware controlled. (If there's a way to override that control through software, it hasn't made it into any of the literature.) In fact, in the Lower Merion case, students noticed that the "camera live" light would turn on at random times. When they complained, they were told "it's just a glitch, ignore it". A student who wouldn't accept that response ultimately discovered the facts. I don't know whether *other* cameras have hardware-controlled activity lights, or any activity lights at all. I suspect that even if they do now, cost-cutting will inevitably lead to their disappearance over time. The first desktop with an embedded microphone was introduced by Sun back in the '80s, as best I can recall. There was a great deal of concern at the time about the risks involved - especially when it was found that a configuration error granted open network access to the microphone. However, the machines *did* include a hardware-controlled "microphone activated" light, "so it's OK". In the years since, built-in microphones have become the standard - and it's been many years since I last saw a "microphone active" light of any sort. Of course, we're surrounded by microphones - in cell phones, game consoles, even pens. There have been cases of government tapping through "unexpected" microphones (the ones in "inactive" OnStar units of cars). I'm not aware of any *reports* of private clandestine listening - but I can't imagine that it isn't taking place.