[RISKS] Risks Digest 26.56

From: RISKS List Owner <risko_at_nospam>
Date: Thu Sep 15 2011 - 04:43:02 GMT
To: risks-resend@csl.sri.com

RISKS-LIST: Risks-Forum Digest Weds 14 September 2011 Volume 26 : Issue 56

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****

  <http://catless.ncl.ac.uk/Risks/26.56.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Air France 447: Smart planes still vulnerable to human error (Don Norman)
Re: United Airlines uses 11,000 iPads to take planes paperless
  (Geoff Kuenning)
Automation in the air dulls pilot skill (AP item)
Many US schools adding iPads, trimming textbooks (Stephanie Reitz via
  Monty Solomon)
Benefits of IT on Education? (NYTimes)
DigiNotar SSL Security Cert Breach (Gregg Keizer via Gene Wirchenko)
Risks in Google, specifically Gmail (Paul Robinson)
Microsoft posts security bulletins 4 days early, scrambles to fix
  mistake (Jon Brodkin via Monty Solomon)
$100 Bill: The Fed Has a $110 Billion Problem with New Benjamins
  (Leonard Finegold)
Re: Bitcoin + Cloud Computing = Approx. USD$231K Up In Smoke (Arno Wagner)
Dutch Government Websites No Longer Secure (Danny Burstein)
Forged Google crypto certificate found in the wild (Lauren Weinstein)
Google+ Security/Privacy Risks? (Tony Bradley via Gene Wirchenko)
The Internet's Secret Back Door (Lauren Weinstein)
Closed, Says Google, but Shops' Signs Say Open (David Segal via
  Monty Solomon)
Re: Researchers crack APCO P25 public safety encryption ... (Jeremy Ardley)
Re: Visa to adopt chip & pin in the US (David Alexander)
Re: T-Mobile JavaScript comment stripper breaks websites (Amos Shapir)
Re: Yet another incident of over-reliance on GPS navigation (Geoff Kuenning,
  Amos Shapir)
Man unable to open car from the inside and dies of dehydration (Clive Page)
Patient Data Posted Online in Major Breach of Privacy (Kevin Sack via
  Monty Solomon)
Cash for iPhones -- spam, scam, or phishing (DoN. Nichols)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 28 Aug 2011 03:12:54 -0700
From: Don Norman <norman@nngroup.com>
Subject: Air France 447: Smart planes still vulnerable to human error

> On flight 447, the handoff from computer to pilots proved fatal for the
> 228 aboard.

I really get annoyed when people quickly and without evidence claim "human
error." With regard to the Air France accident, it is far too soon to come
to a final judgment. As for the notion that when automation fails, it just
gives up and turns control over to the pilots, well, that problem has been
discussed and studied for decades. Many knowledgeable experts in aviation
safety have studied and written about this problem. I've written
about it in my books and journals. The aviation safety people at NASA Ames
have studied it over and over again and made many recommendations, a number
of which have been followed.

Readers of RISKS should be sophisticated enough not to jump on the "human
error" bandwagon every time it seems convenient.

  [Don, Thanks for rubbing this one in again. In RISKS, we have repeatedly
  emphasized that blame is usually widely distributable, and that many
  so-called human errors are the result of inadequacies in requirements,
  specifications, system designs, implementation inconsistencies and bugs,
  and so on, but human beings are still always a potential weak link. And
  yet the poor humans get fingered, because they have fewer champions such
  as you. PLEASE keep up the good work. Cheers! PGN]

Don Norman, Nielsen Norman Group. KAIST (Daejeon, S. Korea), IDEO Fellow
norman_at_nngroup.com www.jnd.org http://www.core77.com/blog/columns/
 Latest book: "Living with Complexity <http://www.jnd.org/books.html#608>"

------------------------------

Date: Tue, 30 Aug 2011 21:45:50 -0700
From: Geoff Kuenning <geoff@cs.hmc.edu>
Subject: Re: United Airlines uses 11,000 iPads to take planes paperless

But of course passengers will still be prohibited from using those same
devices while the pilots have them turned on...

Geoff Kuenning geoff_at_cs.hmc.edu http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Tue, 30 Aug 2011 02:24:34 -0700
From: Lauren Weinstein <lauren4321@gmail.com>
Subject: Automation in the air dulls pilot skill

WASHINGTON (AP) -- Are airline pilots forgetting how to fly? As planes
become ever more reliant on automation to navigate crowded skies, safety
officials worry there will be more deadly accidents traced to pilots who
have lost their hands-on instincts in the air....
http://hosted.ap.org/dynamic/stories/U/US_AIRLINE_PILOTS_AUTOMATION?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT

------------------------------

Date: Mon, 5 Sep 2011 02:00:28 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Many US schools adding iPads, trimming textbooks (Stephanie Reitz)

Stephanie Reitz, Associated Press, 3 Sep 2011

HARTFORD, Conn. - For incoming freshmen at western Connecticut's suburban
Brookfield High School, hefting a backpack weighed down with textbooks is
about to give way to tapping out notes and flipping electronic pages on a
glossy iPad tablet computer.

A few hours away, every student at Burlington High School near Boston will
also start the year with new school-issued iPads, each loaded with
electronic textbooks and other online resources in place of traditional
bulky texts.

While iPads have rocketed to popularity on many college campuses since Apple
Inc. introduced the device in spring 2010, many public secondary schools
this fall will move away from textbooks in favor of the lightweight tablet
computers.

Apple officials say they know of more than 600 districts that have launched
what are called "one-to-one" programs, in which at least one classroom of
students is getting iPads for each student to use throughout the school day.

Nearly two-thirds of them have begun since July, according to Apple. ...

http://www.boston.com/news/local/massachusetts/articles/2011/09/03/many_us_schools_adding_ipads_trimming_textbooks/

------------------------------

Date: Sun, 4 Sep 2011 8:57:14 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Benefits of IT on Education?

  [From D Kross]

As schools embrace digital learning, evidence is scarce that expensive
technology is improving education.
http://www.nytimes.com/2011/09/04/technology/technology-in-schools-faces-questions-on-value.html?hp

------------------------------

Date: Tue, 06 Sep 2011 09:40:35 -0700
From: Gene Wirchenko <genew@ocis.net>
Subject: DigiNotar SSL Security Cert Breach (Gregg Keizer)

Gregg Keizer: Hackers gain ability to impersonate CIA, MI6, Mossad, 6 Sep 2011
http://www.itbusiness.ca/it/client/en/home/News.asp?id=63989

Dutch firm DigiNotar has admitted its network was hacked and SSL security
certificates were stolen. The certificates can be used for "man in the
middle" attacks.

The tally of digital certificates stolen from a Dutch company in July has
exploded to more than 500, including ones for intelligence services like the
CIA, the U.K.'s MI6 and Israel's Mossad, a Mozilla developer said Sunday.

The confirmed count of fraudulently-issued SSL (secure socket layer)
certificates now stands at 531, said Gervase Markham, a Mozilla developer
who is part of the team that has been working to modify Firefox to block
all sites signed with the purloined certificates.

Among the affected domains, said Markham, are those for the CIA, MI6,
Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft's Windows
Update service.

"Now that someone (presumably from Iran) has obtained a legit HTTPS cert for
CIA.gov, I wonder if the US gov will pay attention to this mess,"
Christopher Soghoian, a Washington D.C.-based researcher noted for his work
on online privacy, said in a tweet Saturday.

------------------------------

Date: Sun, 11 Sep 2011 10:02:55 -0700 (PDT)
From: Paul Robinson <paul@paul-robinson.us>
Subject: Risks in Google, specifically Gmail

Having heard about the problem of the guy whose account with Google was
suspended because he was suspected of storing child pornography, I'd like to
mention a problem with Google's Gmail that I discovered.

I use Yahoo for web mail. My DNS provider for paul-robinson.us forwards all
mail addressed to any address ending in @paul-robinson.us to my mailbox on
Yahoo. And Yahoo provides a drop-down selector on its composition option so
when I send mail, I can select whether to send it from Yahoo under
paul@paul-robinson.us or from my Yahoo account number.

It works flawlessly, whether someone sends me a message from Yahoo or from
any other domain, I get any mail they address to my domain.

The same is not true with Gmail. There is a weird technical problem with
Gmail: if a Gmail client sends mail to a domain that redirects its mail -
like mine - and the terminating address that the redirection goes to is a
Gmail account, Gmail discards the message. I found this out because my
sister has her own domain name, the way I do, and I have mail sent to her
domain to redirect to her account, same as I do. She even has the same DNS
provider as I do. The difference is, she gets her mail from Gmail, and if a
Gmail customer mails something to her domain name, she does not get the mail
in her Gmail box.

------------------------------

Date: Sat, 10 Sep 2011 18:55:59 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Microsoft posts security bulletins 4 days early, scrambles to fix
 mistake (Jon Brodkin)

Jon Brodkin, ArsTechnica

Each month, there is a clearly defined process Microsoft uses to release
security patches to fix flaws in Windows and its other products. On a
Thursday, Microsoft releases an advance notification, listing the software
affected by the upcoming patches and the type of threat fixed, such as
"elevation of privilege" or "remote code execution." But no specific details
are released until the following Tuesday, the second Tuesday of each month,
when the full security bulletins and accompanying patches are made public.

But this month, the process went awry. The vague advance notification went
out as scheduled yesterday. But today, the full security bulletins went
live, four days before their scheduled release.

We were able to view two of the five security bulletins before Microsoft
unpublished them. Given that the security bulletins were unpublished within
an hour of their release, give or take, and that they were dated "Tuesday,
September 13, 2011" during the brief time they were live, it seems pretty
clear someone at Redmond screwed up. ...

http://arstechnica.com/microsoft/news/2011/09/microsoft-posts-security-bulletins-four-days-early-scrambles-to-fix-mistake.ars

------------------------------

Date: Tue, 6 Sep 2011 21:08:10 -0400
From: Leonard Finegold <L@drexel.edu>
Subject: $100 Bill: The Fed Has a $110 Billion Problem with New Benjamins

http://www.cnbc.com/id/40521684/

  [The total face value of the printed but totally unusable new high-tech
  $100 bills represents more than 10% of the entire supply of U.S. currency
  on the planet, according to this article. PGN]

------------------------------

Date: Sun, 28 Aug 2011 14:29:05 +0200
From: Arno Wagner <arno@wagner.name>
Subject: Re: Bitcoin + Cloud Computing = Approx. USD$231K Up In Smoke

This strikes me as a strong indication that Bitcoin cannot be taken
seriously, except maybe as an elaborate and well-camouflaged Ponzi-scheme.

The last time I checked, processing credit card information on Amazon EC2
was still not allowed. Forget about any real money transactions. Not only
processing Bitcoin transactions there, but in addition doing so without
adequate backup, shows a level of unprofessionalism that is staggering. I do
not even want to know what serious security problems they had.

On the other hand, this kind of blind enthusiasm and lack of understanding
is typical for Ponzi-schemes. Sometimes even the scheme instigators seem to
suffer from it and do not see what they are doing. This may be the case
here.

Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name

------------------------------

Date: Sat, 3 Sep 2011 18:18:50 -0400 (EDT)
From: danny burstein <dannyb@panix.com>
Subject: Dutch Government Websites No Longer Secure

[Source: dutch daily news]

The Dutch government can no longer guarantee the security of its
websites. This means, for instance, that the Internet identification site
DigiD, which Dutch residents use for government services, is no longer
reliable.

The Dutch Interior Minister Piet Hein Donner has given a press conference in
the early hours of Saturday morning to indicate the urgency of the problem.

There is doubt about the reliability of Government sites because the Dutch
Internet security company DigiNotar appears to have been hacked on July 19,
compromising its security guarantees for "a number of domains, including
Dutch Government Websites." ...

http://www.dutchdailynews.com/dutch-government-websites-no-longer-secure/

------------------------------

Date: Mon, 29 Aug 2011 22:12:11 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Forged Google crypto certificate found in the wild (NNSquad)

  "Security researchers have discovered a counterfeit web certificate for
  Google.com circulating on the internet that gives attackers the encryption
  keys needed to impersonate Gmail and virtually every other digitally
  signed Google property." http://j.mp/oPlzjQ (UK Register)

A couple of notes on this. First, a widely syndicated story on this topic
was titled "Hackers acquire Google certificate ..." -- which isn't exactly
true, what they acquired was strictly speaking a *forged* Google
certificate, an important distinction when certificate revocation is
considered. Secondly, as bad as this is (and regular readers know how
critical I've been of both existing PKI certificates and DNS environments),
the forged cert alone doesn't provide the ability to perform a
man-in-the-middle attack without the added factor of *access* -- either
through poisoned DNS diversions, or direct tapping of traffic (e.g. by
ISPs/governments), and so on.

------------------------------

Date: Thu, 01 Sep 2011 11:21:24 -0700
From: Gene Wirchenko <genew@ocis.net>
Subject: Google+ Security/Privacy Risks? (Tony Bradley)

http://blogs.itbusiness.ca/2011/09/privacy-concerns-with-google/
Tony Bradley, Privacy concerns with Google+ [Long item truncated for RISKS]

My issue with Google+ Games is that when I try to play a game I have to
first agree to grant the game and its developer various permissions to
access and use information from my Google+ Profile -- including my Circles.
[...]

------------------------------

Date: Thu, 1 Sep 2011 11:22:15 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: The Internet's Secret Back Door (NNSquad)

  "But years before the RIM battle boiled over, other Western companies
  handed the country a far greater power: the capability to infiltrate the
  secure system used by most banking, mail, and financing sites, making the
  most protected data on the Web available to the prying eyes of the
  emirates' government-connected telecommunications giant."
  http://j.mp/rrZIGC (Slate)

------------------------------

Date: Tue, 6 Sep 2011 08:46:36 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Closed, Says Google, but Shops' Signs Say Open (David Segal)

David Segal, *The New York Times*, 5 Sep 2011

In mid-August, Jason Rule learned some surprising news about the coffee shop
that he owns and operates in Hays, Kan.: the place had closed for good.

Not in the real world, where it is thriving. Coffee Rules Lounge was listed
for a few days as "permanently closed" on Google Maps. During that time,
anyone searching for a latte on a smartphone, for instance, would have
assumed the store was a goner.

"We're not far from Interstate 70," said Mr. Rule, "and I have no doubt that
a lot of people running up and down that highway just skipped us."

In recent months, plenty of perfectly healthy businesses across the country
have expired - sometimes for hours, other times for weeks - though only in
the online realm cataloged and curated by Google. The reason is that it is
surprisingly easy to report a business as closed in Google Places, the
search giant's version of the local Yellow Pages. ...

http://www.nytimes.com/2011/09/06/technology/closed-in-error-on-google-places-merchants-seek-fixes.html

------------------------------

Date: Wed, 14 Sep 2011 19:18:08 +0800
From: Jeremy Ardley <jeremy.ardley@gmail.com>
Subject: Re: Researchers crack APCO P25 public safety encryption ...

I presently work in the Emergency Services communications sector and am
appalled at the desire to encrypt Emergency Services communications in the
same way as Police Communications are.

There is a fundamental difference between Police usage and Emergency Service
usage.

In the Police case there is a possibly understandable desire to keep
communications private. In the Emergency Services case, the more information
that is disseminated the better.

Most of the disasters I have seen unfold are fundamentally hampered by lack
of effective communication. The systems just get overloaded and public
information release gets severely choked. Having news agencies or others
monitoring emergency communications may - on the balance of probabilities -
just save a few lives. I'm thinking especially about bush fires where prior
warning may assist. The usual Emergency Services communications model
results in a big lag between operational orders and information being
released to public. Command and Control take the major part of the system's
attention. Public communications are pretty low on the rankings.

I realise that simply listening to the communications chat may cause undue
worry or even result in misjudged actions resulting in death. I argue that
having some information will - in general - give a better result than having
no information at all.

The recent Victorian bush fires are a classic example of lack of information
flow to the public. The result was hundreds of deaths.

As an aside, one of the major problems in the Victorian bush fires was lack
of a common communications network between Emergency Services and Police.
Basically the Police couldn't use their radios to talk to Emergency Services
units and vice versa. One solution proposed is to move all radio systems to
an encrypted Police standard. In contrast to this, in Western Australia,
there is a current program to deploy thousands of radios into the Western
Australian Emergency Radio Network (WAERN). These are analogue unencrypted
radios designed to allow Emergency Services communications across an area
about 2.5 times the total area of Western Europe. Quite how the encrypted
Police systems will integrate with this is an as-yet unexplained mystery.

------------------------------

Date: Mon, 29 Aug 2011 22:10:45 +0100 (BST)
From: David Alexander <davidalexander440@btinternet.com>
Subject: Re: Visa to adopt chip & pin in the US

I have studied the technology and security mechanisms behind Chip & PIN in
depth through the specialist smart card centre at Royal Holloway College,
University of London as part of the studies for my InfoSec MSc. I won't deny
that there are means by which they can be improved, but they are a lot less
broken than the current mag stripe cards and liability system still in use
in the USA and that used to be in effect in Europe. The banks wouldn't
change the system voluntarily because of the implementation costs, so they
were forced to by legal and regulatory means - the liability was transferred
to them from the customer, which forced their hands. Statistics show
that losses from card fraud dropped dramatically when C&P was introduced,
and criminals were forced to move a lot of their activities to other
areas. It's not perfect but it is much better. Fact.

The terminals do need better anti-tamper protection/detection, and the
additional verification system for online purchases (e.g. "Verified by
Visa") has definite flaws, especially around the initial enrollment
process. Murdoch et al. at Cambridge have done excellent work in
highlighting the issues, but a lot of the defences can be implemented in the
design of the cards and the terminals, and these are being improved all the
time. I don't know for certain, but I expect that the US system will contain
extra security features to reduce the vulnerabilities in the system. For
obvious reasons the banks refuse to discuss the details and future
plans. They still believe in security by obscurity, even if most of us do
not. As for the reports in other publications, I'm not impressed with the
standard of much of their analysis and reporting.

As for the cost of card replacement, they are normally replaced on a 3 year
cycle anyway, so the cost of replacement with new cards is nowhere near as
high as it first appears. The C&P cards also allow the introduction of the
Chip Authentication Program (google Barclays 'PINSentry') handheld device
that can authenticate a cardholder and digitally sign transactions. It
improves the security of online banking. Banks in the UK now use them to
verify the identity of people at the counter by using them to get the user
to prove they know the PIN for the card presented.

In summary, I don't agree that the US banks shouldn't do this. The EU
economy now runs on the use of EMV and debit card payments outstrip the use
of cash and cheques by a very significant percentage. The size of the EU
economy is as big as the US economy and interoperability is essential for
travellers and e-commerce. I would also be interested to hear of viable
alternatives; I'm not aware of any at the moment.

------------------------------

Date: Wed, 14 Sep 2011 16:05:31 +0200
From: Amos Shapir <amos083@hotmail.com>
Subject: Re: T-Mobile JavaScript comment stripper breaks websites (RISKS-26.55)

Earlier versions of enscript, a pretty-printing utility on UNIX, had a bug
which caused it to mis-identify comments within strings and strings within
comments, so such constructs would be printed in the wrong font format.

The funny thing was that among the examples which were included with the
program, was a pretty-printed listing of the enscript source code itself;
the bug had caused the very code which was supposed to deal with these
constructs -- which naturally contained strings like "/*" -- to be formatted
badly, thus pointing clearly to where the bug was lurking!

------------------------------

Date: Tue, 13 Sep 2011 17:24:39 -0700
From: Geoff Kuenning <geoff@cs.hmc.edu>
Subject: Re: Yet another incident of over-reliance on GPS navigation
  (Smith, RISKS-26.55)

> Police say 25-year-old Sarah Ho of Boston was driving on the Dover Road in
> South Newfane late Saturday afternoon when she came upon a road closed
> sign. She told police she drove around the sign after seeing other vehicles
> drive around the sign.

I think it's worth noting that this is only partially a GPS-trust issue.
Some years ago, my elderly mother was following written directions to my
brother's apartment when she discovered that the exit ramp she needed had
been closed for construction work. Undeterred, she drove around the
barriers and might have caused serious harm had a cop not intervened. (It
was shortly thereafter that we banned her from driving in Los Angeles.)

While it's true that people place too much trust in GPS navigation, it's
also true that drivers are notorious for ignoring obvious warnings.

Geoff Kuenning geoff_at_cs.hmc.edu http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Wed, 14 Sep 2011 16:08:52 +0200
From: Amos Shapir <amos083@hotmail.com>
Subject: Re: Yet another incident of over-reliance on GPS navigation
  (Smith, RISKS-26.55)

The article quotes the driver "She told police she drove around the sign
after seeing other vehicles drive around the sign." This seems to be a case
of over-reliance on herd mentality, rather than a problem with using GPS.

------------------------------

Date: Sun, 28 Aug 2011 10:46:39 +0100
From: Clive Page <cgp@star.le.ac.uk>
Subject: Man unable to open car from the inside and dies of dehydration

We have a Subaru Legacy with a similar locking system. If the car is locked
using the button on the key-fob the doors cannot be opened from the inside:
this is supposedly an anti-theft feature. In addition if you unlock the
doors using this button but fail to open at least one door within a minute,
the doors are re-locked. These features made me worried that an electronic
fault could trap us inside. For this reason I bought a hammer designed to
break toughened glass windows and installed it in a handy position by the
driving seat. Perhaps all cars with anti-theft locking systems should have
one fitted as standard. Sometimes a mechanical over-ride is good to have.

------------------------------

Date: Thu, 8 Sep 2011 18:56:31 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Patient Data Posted Online in Major Breach of Privacy (Kevin Sack)

Kevin Sack, *The New York Times*, 8 Sep 2011
http://www.nytimes.com/2011/09/09/us/09breach.html

A medical privacy breach involving Stanford Hospital in Palo Alto, Calif.,
led to the public posting of data for 20,000 emergency room patients,
including names and diagnosis codes, on a commercial Web site for nearly a
year, the hospital has confirmed.

Since discovering the breach last month, the hospital has been investigating
how a detailed spreadsheet made its way from one of its vendors, a billing
contractor identified as Multi-Specialty Collection Services, to a Web site
called Student of Fortune, which allows students to solicit paid assistance
with their schoolwork. Gary Migdol, a spokesman for Stanford Hospital and
Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010,
as an attachment to a question about how to convert the data into a bar
graph.

Although medical security breaches are not uncommon, the Stanford breach was
notable for the length of time that the data remained publicly available
without detection. ...

------------------------------

Date: Tue, 13 Sep 2011 20:02:57 -0400
From: "DoN. Nichols" <dnichols@d-and-d.com>
Subject: Cash for iPhones -- spam, scam, or phishing

Today, in processing the spam which managed to sneak past my filters I found
one (personally addressed to me, not BCC'd) offering cash for old iPhones --
regardless of condition.

Now -- my first thought (other than noting that I have never owned an
iPhone, so what makes them think that I have used ones) was "How difficult
is it to totally remove all personal information from an iPhone --
especially a non-jailbroken one."

A bit of searching seems to find similar places buying laptops and cell
phones, offering a high initial price, and then discovering all kinds of
reasons to drop their price to practically nothing. So, it appears that
they do pay at least something for them -- but as little as possible.

I, personally, would drill through any chips which might store information
rather than sell a used iPhone (if I had one) to such a place. (Or more
likely, try to turn it into a portable device running Linux or similar to
play with, but not to use for phone communication.)

But how many blindly turn over their used devices with no thought to what
information they may be releasing?

(703) 938-4564 http://www.d-and-d.com/dnichols/DoN.html

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@csl.sri.com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.56
************************