risks-info August 2011 archive
Main Archive Page > Month Archives  > risks-info archives
risks-info: [RISKS] Risks Digest 26.52

[RISKS] Risks Digest 26.52

From: RISKS List Owner <risko_at_nospam>
Date: Tue Aug 02 2011 - 22:25:24 GMT
To: risks-resend@csl.sri.com

RISKS-LIST: Risks-Forum Digest Tuesday 2 August 2011 Volume 26 : Issue 52

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.52.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Catching up. PGN]
Motorcycle 'smart key' can disable steering (Steven J Klein)
Internet Addiction (Sharon Gaudin via Gene Wirchenko)
Researchers Expose Cunning Online Tracking Service That Can't Be Dodged
  (Lauren Weinstein)
House Committee sweepingly hypocritical Internet data retention bill
  (Lauren Weinstein)
Bot-Bashed by Google (Robert X. Cringely via Gene Wirchenko)
Re: Study Faults Approval Process for Medical Devices (Kevin Fu)
Re: Patient alleges Tufts breached privacy (Steve Loughran)
Re: FB & facial recognition software (Peter Houppermans)
Re: Risks of verbose automated e-mail (Eriks Ziemelis)
Re: Don't throw away Grandma's wind-up desk clock (Kurt Fredriksson,
  Mark Kramer)
Taking over a stranger's phone number (Geoff Kuenning)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 26 Jul 2011 19:59:28 -0400
From: Steven J Klein <steven@yourmacexpert.com>
Subject: Motorcycle 'smart key' can disable steering

Motorcycle maker Ducati rolled out a new `smart key' that lets riders leave
the key in their pocket. When they sit down on the bike, a sensor detects
the key, allows the engine to be started, and unlocks the steering.

At least that's how it's supposed to work. *The Wall Street Journal* reported:

  Ducati says that while testing the new bikes it found that -- under very
  specific conditions -- the electronic steering lock could fail to
  disengage: a rider could potentially start the bike and begin riding while
  the steering is still locked -- a situation that could result in a
  tip-over or collision.

Maybe they should call it a stupid key?

Source: <http://blogs.wsj.com/drivers-seat/2011/04/30/smart-keys-not-so-smart-for-motorcycles/>

Steven Klein * http://yourmacexpert.com/

------------------------------

Date: Wed, 27 Jul 2011 10:05:31 -0700
From: Gene Wirchenko <genew@ocis.net>
Subject: Internet Addiction (Sharon Gaudin)

http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=63479
Sharon Gaudin: Internet as hard to give up as cigarettes, liquor, study says;
Losing 'Net access even for a day described as 'nightmare', *ITBusiness*,
27 Jul 2011

How would you handle giving up your Internet connection -- your Facebook
friends, Twitter, online news and shopping -- for just a single day?

If you think being disconnected for even a day might drive you nuts, you're
not alone. A survey of 1,000 people between the ages of 18 and 65 in the
U.K. showed that many Britons are as emotionally connected to the Internet
and all of their devices as smokers are to their cigarettes.

However, not everyone reported being so tied to their digital lives. The
survey showed that 23 per cent of respondents said they would feel "free" if
they were disconnected from online activities.

------------------------------

Date: Fri, 29 Jul 2011 17:05:09 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Researchers Expose Cunning Online Tracking Service That Can't Be Dodged

  "Researchers at U.C. Berkeley have discovered that some of the net's most
  popular sites are using a tracking service that can't be evaded - even
  when users block cookies, turn off storage in Flash, or use browsers'
  "incognito" functions. The service, called KISSmetrics, is used by sites
  to track the number of visitors, what the visitors do on the site, and
  where they come to the site from - and the company says it does a more
  comprehensive job than its competitors such as Google Analytics. But the
  researchers say the site is using sneaky techniques to prevent users from
  opting out of being tracked on popular sites, including the TV streaming
  site Hulu.com." http://j.mp/ndoBts (Wired)

------------------------------

Date: Fri, 29 Jul 2011 09:50:53 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: House Committee sweepingly hypocritical Internet data retention bill

  [From Network Neutrality Squad. PGN]

  Rep. John Conyers of Michigan believes the bill is mislabeled. "This is
  not protecting children from Internet pornography. It's creating a
  database for everybody in this country for a lot of other purposes," he
  says. Rep. Lofgren of California, a leading Democrat in opposition to the
  bill said was a "stalking horse for a massive expansion of federal power."
  http://j.mp/plNgUu (Digital Trends)

In the usual Congressional demonstration of hypocrisy, the bill is entitled
"Protecting Children from Internet Pornographers Act of 2011" but actually
allows the collected data to be used for any purpose, including government
tracking down of whistleblowers, file sharers, peace activists, or anyone
else for virtually any reason.

  [PGN adds: Lauren later noted on 2 Aug 2011 an item from CNET:
  How The New 'Protecting Children' Bill Puts You At Risk:
  Last Thursday the U.S. House of Representatives passed a bill that
  makes the online activity of every American available to police and
  attorneys upon request under the guise of protecting children from
  pornography. http://j.mp/o2eVhO (CNET)]

------------------------------

Date: Wed, 27 Jul 2011 13:42:43 -0700
From: Gene Wirchenko <genew@ocis.net>
Subject: Bot-Bashed by Google (Robert X. Cringely)

Robert X. Cringely: When Google bots go wrong -- one user's story; Dylan
Marcheschi felt the full brunt of a faulty Google algorithm; now he's urging
the company to offer real customer support
http://www.infoworld.com/t/cringely/when-google-bots-go-wrong-one-users-story-168212

Dylan Marcheschi found out the hard way what happens when you get on
Google's bad side. Worse, he didn't do anything to deserve it, and he was
victimized not by a human but by a bot.

About two weeks ago, the artist from Brooklyn was having an e-mail
conversation with a friend in Thailand when he received a message telling
him his Google account had been disabled. Everything he'd built up over the
past seven years had just gone poof.

Worse, there was no one to talk to about it. There is no customer support
line for Google -- no e-mail support, no live chat. All you can do is post a
message on a forum and hope that somebody -- anybody -- weighs in with an
answer. But for Dylan, nobody did.

So Marcheschi went public. [and all hell broke loose. PGN]

------------------------------

Date: Mon, 1 Aug 2011 23:17:51 -0400
From: Kevin Fu <kevinfu@cs.umass.edu>
Subject: Re: Study Faults Approval Process for Medical Devices (Meier, R-26.51)

> [Can we learn anything from this relating to computer systems being
> trustworthy and effective? PGN]

As one of the writers commissioned by this Institute of Medicine (IOM) panel
and a regular attendee of related workshops and Senate/House hearings over
the last few years, I would say yes. But it's complicated at so many
levels.

The IOM released multiple publications on this topic. The earlier
publication includes my commissioned report on "Trustworthy Medical Device
Software" along with several other fascinating topics that relate to medical
device safety and effectiveness (think epidemiology). Download the chapter
via the no-paywall and watch the webcast respectively on:

http://www.nap.edu/catalog.php?record_id=13020
http://www.tvworldwide.com/events/iom/100728/default.cfm

Caveat lector: the intended audience is primarily that of physicians and
healthcare professionals. There was only one computer scientist on the IOM
panel. If you consider yourself a computer scientist, put on your HCP cap
before reading.

You can download the panel's 246-page final recommendations (cited in last
week's NYT) from http://www.nap.edu/catalog.php?record_id=13150

Safety and effectiveness share many themes with trustworthiness, but it's
not a bijection. Security is a part of trustworthiness. I believe that
Nancy Leveson briefly compares and contrasts safety with security in her
1995 book, "Safeware: System Safety and Computers." Both safety and
security are negative goals, for instance.

Kevin Fu, Assoc. Professor, Computer Science Department http://spqr.cs.umass.edu/
University of Massachusetts Amherst Ph: 616-594-0385 Fax: 413-545-1249

------------------------------

Date: Tue, 2 Aug 2011 10:56:53 +0100
From: Steve Loughran <steve.loughran@gmail.com>
Subject: Re: Patient alleges Tufts breached privacy (Chris D., RISKS-26.49)

Chris D. raises the issues of the NHS still using faxes to communicate.

I can reassure him that my local GP has a special defence against spoof
faxes: namely they lose them and deny they were ever received.

Unfortunately, this security system can be bypassed by turning up with a
printout of an e-mail from the hospital saying "we faxed it" and a phone
number which they will then dial to get the prescription repeated, rather
than dialing the hospital's exchange:

http://www.1060.org/blogxter/entry?publicid=2AF115A1F11CA5CAC3791BBF7673E80B

To get a fake prescription all you have to do bring a fake e-mail printout
and have an accomplice at the end of the line who appears to not know who
you are, be uninterested in the problem but eventually able to find your
paperwork and read out what the prescription is.

And yes, certificate based signed/encrypted e-mail with a requirement that
all e-mails are in the domain nhs.gov.uk and mail servers dropping out of
network e-mails from that domain would work better. In fact, they'd be better
of fixing the e-mail infrastructure than trying to do a national patient
record system, as at least moving the health service to e-mail may actually
be possible -and if it isn't, there's no point trying anything more
ambitious.

------------------------------

Date: Tue, 02 Aug 2011 06:59:16 +0200
From: Peter Houppermans <peter@houppermans.com>
Subject: Re: FB & facial recognition software (Klein, RISKS-26.51)

I've been aware of the potential for facial recognition code to be applied
to public pictures for a while. Facebook and Google are working along the
same path, although FB would at least link tagging to existing accounts
(allowing you to undo the tagging), whereas Google's Picasa did not.

Although images are not always taken to the exacting standards that a
passport biometric requires, it seems to me quite possible that someone will
develop a way to create a usable average from a collection of pictures.

Some experimenting with software called Portrait Professional yielded an
interesting discovery: it also subtly adjusts facial geometry, which gave me
an idea.

I wonder if it would not be possible to craft an application that creates a
sufficiently subtle deviation in facial characteristics to throw off facial
recognition code. We humans tend to have a far greater tolerance level for
variation than most facial recognition code so it would not create *human*
recognition issues. It would only throw a spanner into the works of
unauthorised automated online identity data collection.

Having said that, if you're going as far as digitally adjusting images of
yourself you could consider a simpler approach: not posting them at all :-).

------------------------------

Date: Tue, 2 Aug 2011 10:22:33 -0700 (PDT)
From: Eriks Ziemelis <eriks.ziemelis@yahoo.com>
Subject: Re: Risks of verbose automated e-mail

Seems like there are two risks here, and one not being Jet Blue's fault.

As Paul pointed out, SMS is wide-spread, and that Jet Blue's notification
system does not have an SMS option seems to be a bit of a poor design, what
with just about every notification system of the ilk I've used has SMS
capabilities.

The real risk is trying to force a feature/system to work in a manner that
it was not designed for (and the vast majority of "Average Joes/Janes" do
not know or care about) and expect success.

------------------------------

Date: Tue, 02 Aug 2011 20:47:42 +0200
From: Kurt F <kurt.fredriksson@ieee.org>
Subject: Re: Don't throw away Grandma's wind-up desk clock

I am bit surprised that no-one has mentioned that the frequency is the
main factor in the control of an electricity grid.
If the load increases, the frequency will drop and more electricity must
be generated until the frequency is back to normal again.
If the load decreases, the frequency will go up, and less electricity
must be generated.
It is thus the amount of electricity generated and consumed in real time
that will result in small variations in frequency. And a very small
variation indeed.

------------------------------

Date: Tue, 2 Aug 2011 13:23:40 -0400
From: Mark Kramer <c28f62@theworld.com>
Subject: Re: Don't throw away Grandma's wind-up desk clock (Lee, RISKS-26.49)

Ted Lee asks "how much is 'just over'" when a clock gains 14 seconds a day?

86400 seconds in a day. To see 86414 in a day, the reference frequency must
be 86414/86400 too high. E.g., 60*86414/86400 = 60.009722 Hz.

Not very far over at all.

  [Also noted by Anthony DeRobertis. PGN]

------------------------------

Date: Sat, 30 Jul 2011 03:29:59 -0700
From: Geoff Kuenning <geoff@cs.hmc.edu>
Subject: Taking over a stranger's phone number

A year ago I went on sabbatical and rented out my house. I asked my tenants
to take over my phone number so that I would be able to recover it when I
returned, and I called Verizon and authorized that action. However, the
tenants misunderstood and got an entirely new number, so from Verizon's
point of view I had canceled my account and my number went back into the
pool.

When I returned a few weeks ago, I set up new phone service with a different
company. Thinking that my tenants had only recently closed their Verizon
account, I asked that my number be ported to the new company. You can guess
what's coming: it worked. No sooner had my phone been connected than it
rang; it was the old number's new owner, trying to reach his house.

Once I figured out what had happened, I arranged to give the number back to
the innocent stranger. But that took over a week. What saddens me is that
if you call up Verizon and try to do something simple to your account, such
as enable voicemail, they will take you through a painful ID verification
process. So why did they let a third party grab a phone number without any
attempt to ensure that the request was valid?

Geoff Kuenning geoff_at_cs.hmc.edu http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@csl.sri.com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.52
************************