
[RISKS] Risks Digest 26.49

From: RISKS List Owner <risko_at_nospam>
Date: Tue Jul 26 2011 - 00:49:15 GMT
To: risks-resend@csl.sri.com

RISKS-LIST: Risks-Forum Digest Monday 25 July 2011 Volume 26 : Issue 49

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

  Contents: [Way backlogged. I've been very busy. Catching up. PGN]
Planes collide in midair, land safely (Monty Solomon)
Aviation Experts Worry About Aircraft Mishaps on the Ground (Monty Solomon)
Pilots to use iPads instead of manuals (Peter Houppermans)
Safety on China's Railroads (Chuck Weinstock)
Toyota to recall 82,200 vehicles in the US (Monty Solomon)
Don't throw away Grandma's wind-up desk clock (Danny Burstein)
Electronic vote stealing in Ohio's 2004 Presidential Election (PGN)
Bruce Schneier's CRYPTOGRAM item on Dropbox and clouds (PGN)
A Mouse Ate Your Network? (Ted Samson via Gene Wirchenko)
Apple Laptops Vulnerable To Hack That Kills Or Corrupts Batteries
  (Andy Greenberg via Monty Solomon)
Patient alleges Tufts breached privacy (Chelsea Conaboy via Monty Solomon)
Beth Israel reports potential data breach (Hiawatha Bray via Monty Solomon)
Most cellphone voice mail is vulnerable to hackers (Hiawatha Bray via
  Monty Solomon)
Staples resold devices holding consumer data (Jenn Abelson via Monty Solomon)
Somebody is using my e-mail address, but I can't figure out why
  (Jonathan Kamens)
Empowering Evil Through Search and Surveillance: Why Corporate Ethics Matter
  (Lauren Weinstein)
Book review: Surveillance or Security?: The Risks Posed by New Wiretapping
  Technologies (Ben Rothke)
Abridged info on RISKS (comp.risks)


Date: Fri, 15 Jul 2011 22:12:41 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Planes collide in midair, land safely



Date: Fri, 15 Jul 2011 22:12:41 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Aviation Experts Worry About Aircraft Mishaps on the Ground

Aviation Experts Worry About Aircraft Mishaps on the Ground

Delta 767 winglet sheared off in Boston collision


Date: Wed, 06 Jul 2011 09:05:45 +0200
From: Peter Houppermans <peter@houppermans.com>
Subject: Pilots to use iPads instead of manuals

    Flaps up - check
    iPad charged - check


  The Federal Aviation Administration has approved the use of iPads in the
  cockpits of commercial and charter aircrafts - in the US, at
  least. Traditionally, each plane would house a collection of bulky flight
  manuals, weighing up to 40-pounds. Now though, a pilot is allowed to store
  digital versions of the books on a tablet device.

I hope they still have to keep the tree version as a non-battery dependent
backup for redundancy. I also hope pilots are made to look up things in the
original manuals as a regular exercise (just on the basis of observing what
has happened to the map reading skills of the average car driver as a result
of GPS use).

There are upsides in terms of better referencing and easier information
updates, but I'd be interested to see how they approached updates and

  [What about in-flight real-time manual updating? PGN]


Date: Sun, 24 Jul 2011 14:23:04 -0400
From: Chuck Weinstock <weinstock@conjelco.com>
Subject: Safety on China's Railroads


The article in today's paper was somewhat different with more of an emphasis
on the lack of a safety culture in China. The apparent cause was the train
being struck by lightning causing it to stop. That combined with
malfunctioning signaling caused the following train to rear end the first


Date: Sat, 2 Jul 2011 18:38:13 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Toyota to recall 82,200 vehicles in the US

Toyota Motor Corp. said it will recall about 82,200 hybrid SUVs in the
U.S. due to computer boards with possible faulty wiring. The car giant said
the recall will involve Highlander and Lexus brand hybrid SUVs from its 2006
and 2007 lines. The action covers just the vehicles sold in the U.S., with
no other models affected. ... *The Boston Globe*, June 29, 2011



Date: Sat, 25 Jun 2011 15:03:11 -0400 (EDT)
From: Danny Burstein <dannyb@panix.com>
Subject: Don't throw away Grandma's wind-up desk clock

Power-grid experiment could confuse electric clocks [AP story via msnbc]
Traffic lights, security systems and computers may be affected by frequency
change as well.

A yearlong experiment with America's electric grid could mess up traffic
lights, security systems and some computers - and make plug-in clocks and
appliances like programmable coffeemakers run up to 20 minutes fast.
"A lot of people are going to have things break and they're not going to know
why," said Demetrios Matsakis, head of the time service department at the U.S.
Naval Observatory, one of two official timekeeping agencies in the federal

Since 1930, electric clocks have kept time based on the rate of the
electrical current that powers them. If the current slips off its usual
rate, clocks run a little fast or slow. Power companies now take steps to
correct it and keep the frequency of the current - and the time - as precise
as possible.

The group that oversees the U.S. power grid is proposing an experiment that
would allow more frequency variation than it does now without corrections,
according to a company presentation obtained by The Associated Press. ...
The North American Electric Reliability Corp. runs the nation's interlocking
web of transmission lines and power plants. A June 14 company presentation
spelled out the potential effects of the change: East Coast clocks may run
as much as 20 minutes fast over a year, but West Coast clocks are only
likely to be off by 8 minutes. In Texas, it's only an expected speedup of 2


Date: Fri, 22 Jul 2011 4:49:07 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Electronic vote stealing in Ohio's 2004 Presidential Election

Freepress.org: New court filing reveals how the 2004 Ohio presidential
election was hacked

See also


Date: Wed, 29 Jun 2011 17:33:34 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Bruce Schneier's CRYPTOGRAM item on Dropbox and clouds

Bruce Schneier, CRYPTOGRAM:
I haven't written about Dropbox's security problems; too busy with the
book. But here's an excellent summary article from The Economist.
The meta-issue is pretty simple. If you expect a cloud provider to do
anything more interesting than simply store your files for you and give
them back to you at a later date, they are going to have to have access
to the plaintext. For most people -- Gmail users, Google Docs users,
Flickr users, and so on -- that's fine. For some people, it isn't.
Those people should probably encrypt their files themselves before
sending them into the cloud.
Another security issue with Dropbox:


Date: Tue, 05 Jul 2011 09:52:57 -0700
From: Gene Wirchenko <genew@ocis.net>
Subject: A Mouse Ate Your Network?


Ted Samson, InfoWorld Tech Watch, June 28, 2011
Security company infects client's network with 'Trojan mouse'
By loading a USB mouse with malware and exploiting end-user blabbing,
NetraGard succeeds in infecting a client's network

Security consulting company NetraGard has demonstrated that something as
seemingly innocuous as a USB mouse, along with tidbits of information freely
available on the Internet, can provide a hacker quick and easy access to a
seemingly secure IT environment. ...


Date: Sun, 24 Jul 2011 01:01:13 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Apple Laptops Vulnerable To Hack That Kills Or Corrupts Batteries

Andy Greenberg, Apple Laptops Vulnerable To Hack That Kills Or Corrupts
Batteries, *Forbes*, 22 Jul 2011

A pile of dead Apple laptop batteries, victims of Charlie Miller's research.
Your laptop's battery is smarter than it looks. And if a hacker like
security researcher Charlie Miller gets his digital hands on it, it could
become more evil than it appears, too.

At the Black Hat security conference in August, Miller plans to expose and
provide a fix for a new breed of attack on Apple laptops that takes
advantage of a little-studied weak point in their security: the chips that
control their batteries. ...


  [Gene Wirchenko noted an item by Christina DesMarais:


Date: Fri, 15 Jul 2011 22:41:31 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Patient alleges Tufts breached privacy

Patient alleges Tufts breached privacy
Sues after medical history was faxed to job

Chelsea Conaboy, *The Boston Globe*, 15 Jul 2011

A patient has sued Tufts Medical Center and a primary care doctor
there, alleging that documents including her medical history were
sent to a fax machine at her workplace without her consent.

Kimberly White of Middleborough, 44, said in an interview that at
least two co-workers read the records, causing her embarrassment. She
filed a complaint in Plymouth County Superior Court alleging that her
privacy rights were violated and seeking punitive damages. The
hospital has denied wrongdoing.

While recovering from a hysterectomy in December, White asked Dr.
Kimberly Schelling to fax a required form related to a disability
claim to White's employer. Instead, according to the court filing,
four pages of White's medical records were sent to a shared fax
machine in the office. ...



Date: Mon, 18 Jul 2011 22:54:04 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Beth Israel reports potential data breach

Beth Israel reports potential data breach

Hiawatha Bray, *The Boston Globe*, 18 Jul 2011

Beth Israel Deaconess Medical Center is notifying more than 2,000 of
its patients that some of their personal information may have been
stolen from a hospital computer.

The hospital said today that an unnamed computer service vendor had
failed to restore proper security settings on the computer after
performing maintenance on it. The machine was later found to be
infected with a computer virus, which transmitted data files to an
unknown location.

The computer contained medical record numbers, names, genders, and
birth dates of 2,021 patients, as well as the names and dates of
radiology procedures they'd undergone. But the computer didn't
contain the patients' financial data or their Social Security
numbers, which can be used to steal identities and defraud banks. ...



Date: Wed, 13 Jul 2011 08:34:15 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Most cellphone voice mail is vulnerable to hackers

Hiawatha Bray, *The Boston Globe*, 13 Jul 2011

Breaking into someone's voice mailbox - in the style of the hackers at the
British tabloid News of the World - can be as easy in the United States as
it is on the other side of the Atlantic. It is done using a readily
available online service known as "caller ID spoofing," which can make a
call appear to be coming from any phone number. Hackers can use it to access
someone else's voice mail messages by fooling the system into thinking the
call is coming from the owner's cellphone. If the mailbox is not protected
by a password, as is often the case, the attacker can hear and even delete
messages in the target's voice mailbox.

There are numerous spoofing services in the United States; all you need to
do is Google them. Although these services are used by hackers to commit
crimes, they're also used legitimately by, for example, battered women who
do not want their calls traced, or law enforcement agents operating
undercover. ...


Date: Sat, 2 Jul 2011 16:52:55 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Staples resold devices holding consumer data

Jenn Abelson, Canada audit rips Mass.-based chain, *The Boston Globe*,
22 Jun 2011

Staples Inc. has repeatedly put consumers' data at risk in Canada by failing
to wipe clean returned storage devices that contain sensitive information
and are then resold. Those findings were reported yesterday following an
audit by the Office of the Privacy Commissioner of Canada. The audit
included tests of storage devices, including computers, USB hard drives, and
memory cards that had undergone a `wipe and restore' process and were
destined for resale. Of the 149 devices tested, 54 contained customer data,
including "highly sensitive personal information" such as health card and
passport numbers, academic transcripts, banking information, and tax

``Our findings are particularly disappointing given we had already
investigated two complaints against Staples involving returned data
storage devices and the company had committed to taking corrective
action,'' Canada's privacy commissioner, Jennifer Stoddart, said in a
statement. ``While Staples did improve procedures and control
mechanisms after our investigations, the audit showed those
procedures and controls were not consistently applied, nor were they
always effective - leaving customers' personal information at serious
risk.'' ...


Date: Thu, 23 Jun 2011 12:40:18 -0400
From: Jonathan Kamens <jik@kamens.us>
Subject: Somebody is using my e-mail address, but I can't figure out why

A few days ago, I got e-mail from the Starwood hotel chain, thanking me
for contacting them. Except I hadn't. I figured it was just a spammer
using my e-mail address, so I ignored it.

I got e-mail from Starwood asking me to clarify my service request
because it made no sense. They included the original request in their
e-mail, so I was able to see the text (which was, indeed, nonsense) as
well as the full name of whoever contacted them using my e-mail address.
I wrote back to them and told them to ignore it.

Today, however, things got crazy. I got an e-mail address from Google
congratulating me on the creation of my new Gmail account. Except I
hadn't created a new account; someone else had, and specified my e-mail
address as the password recovery address.

Thinking fast, I took advantage of that fact to take over the account
(the spammers and phishers aren't the only people who can play that
game!), so that whatever this individual was planning on doing with it,
they won't be able to. After doing so, I was able to confirm that the
full name they gave to Google when creating the Gmail account matches
the name they gave to Starwood, so it seems likely that either the same
person or two people working together did both things.

The thing is, I can't figure out what this person or persons hope to
gain with what they are doing, and that concerns me. I can't imagine
they'd be doing it if there weren't something to gain, and I can't help
but worry that if it helps them, it'll hurt me.

... more details about this on my blog at http://blog.kamens.us/?p=2258. If
anybody has any ideas about what's going on here, I'd sure love to hear them
(sent to me or RISKS via email or posted as comments on my blog).


Date: Tue, 5 Jul 2011 14:23:34 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Empowering Evil Through Search and Surveillance: Why Corporate
  Ethics Matter

Empowering Evil Through Search and Surveillance: Why Corporate Ethics Matter

Here in the U.S., we've just celebrated our Fourth of July holiday --
Independence Day. It's actually rather complex in nature, a celebration not
only of revolution and independence, but also of our foundational documents,
the Constitution and the first ten amendments to the Constitution, the Bill
of Rights.

These are remarkable written works from many standpoints. We have not
always been true to their ideals. But the men who wrote them were able to
create proclamations that have remained relevant for almost two and a half
centuries, through our evolution from agrarian society to a technological
nation beyond the wildest imaginations of virtually anyone living at the
time (except, perhaps, my personal hero, Benjamin Franklin!)

The Bill of Rights and Constitution together suggest an ethical path for
this country, but no documents, no laws, can successfully legislate ethics
or morality. We can ban government interference in free speech, as does the
First Amendment, but we cannot assure that freedoms will be wisely used.
This is in the nature of laws, men, and women throughout history.

Still, it's difficult not to feel disappointed when our ideals are subverted
for commercial gain, and during this past holiday two examples of this were
thrust into the media.

As I criticized yesterday, Microsoft has now formally partnered with Chinese
search giant Baidu to provide Chinese government-censored English language
search results in China ( http://j.mp/kYyGO2 [Lauren's Blog] ).

And now comes word that Cisco will be providing the networking gear for a
massive Chinese surveillance system, that will almost certainly be used
primarily to target political dissent. Perhaps most alarming in this case
is the reaction of Cisco to questions about the ethics of the contract.
"It's not my job to really understand what they're going to use it for," was
the reaction of Cisco's executive VP in charge of their China strategy.

I know I'm not the only observer invoking the lyrics of the great satirist
Tom Lehrer regarding Wernher von Braun in this context: "'Once the rockets
are up, who cares where they come down? That's not my department', says
Wernher von Braun." Nor am I the only one who remembers the dark history of
IBM's involvement with Nazi Germany in the name of technology sales bottom
lines ( http://j.mp/j3JX7O [CNET] ).

A common meme is that corporations are amoral, unconcerned with ethics,
uninterested in anything but maximizing profits. This is sadly often true,
but certainly is not always the case.

Yes, questions of ethics and business are complex, and different situations
may be easily confused.

For example, if a company chooses to do business in a particular country,
they must obey that country's laws. They can challenge what they don't feel
is appropriate, but ultimately if they don't obey the laws they will very
likely be subjected to sanctions of some sort, civil and/or even criminal in
nature. And they may be denied access to those countries entirely.

Yet companies can also choose not to extend their products and services into
countries where laws and government actions are obviously in conflict with
our own ethical considerations. Firms can choose ethics over profits, if
they care enough about the former, not just the latter.

And so we saw Google's decision to stop censoring its search results in
China -- censorship demanded by the Chinese government -- after a period of
compliance during which Google hoped Chinese sensibilities about access to
knowledge -- and freedom of speech -- would improve, a test that China
unfortunately failed.

Google initially and understandably gave China the benefit of the doubt.
Yet China -- and I'm speaking of the Chinese government, not the people
themselves -- then chose to be even more belligerent on these issues, not
less. Google rightly made the decision that in light of these developments,
participation in China's censorship regime was not good for the Chinese
people or for Google, and ceased participation. Google made the ethically
correct choice, one that should be roundly congratulated.

In light of this, it's difficult to accept Microsoft's new move to not only
provide censored search services in China, but to go one giant step farther
and actually partner with the Chinese search giant Baidu within the Chinese
censorship regime. By this action, Microsoft allies itself directly with
the Chinese government's information oppression, and becomes not just a bit
player in that regime, but a full-fledged comrade in censorship.

Microsoft can't claim ignorance of China's modus operandi in these regards.
Not only the Google experience dealing with China and search, but other
recent Chinese activities, have provided concrete examples. So without a
doubt, money has won out over ethics for Microsoft when it comes to China.
No excuses, no mitigating circumstances.

And similarly for Cisco. Like IBM and their dealings with German National
Socialism in the WWII era, Cisco appears to be purposely, directly, and
explicitly "averting its eyes" from knowledge of how its technologies will
certainly be abused.

It can indeed be argued that our actions as a nation have not always been in
keeping with the ideals and hopes of our Founding Fathers. Our government
and businesses -- and we the people -- are not perfect. Nobody is.

But the fulfillment of our ideals is ultimately a tapestry of individual
actions at all levels, and past mistakes do not justify present or future
unethical behaviors.

This applies not only to each of us, but also to our governments, to
Microsoft, to Cisco, and to every other corporation and organization.

While Microsoft's and Cisco's couplings with China may reap benefits for
their shareholders, these specific dealings are still a fundamental betrayal
of ethics, and of our fundamental values -- especially given what we know
today about Chinese government behaviors and reactions in these realms at
this time.

The Chinese people are not our enemies. And in the long run, a closer
relationship between China and the U.S. would be of immense value to both
countries. But an ethical path to that goal cannot be reasonably paved with
direct U.S. entanglements with the most oppressive aspects of China's
government today. An unethical path merely serves to help perpetuate those
very abuses that most slow any progress toward our best and finest

Lauren Weinstein (lauren_at_vortex.com): http://www.vortex.com/lauren [PGN-ed]
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org
PRIVACY Forum: http://www.vortex.com +1 (818) 225-2800 / Skype: vortex.com


Date: Thu, 14 Jul 2011 08:31:10 -0400
From: Ben Rothke <brothke@gmail.com>
Subject: Book review: Surveillance or Security?: The Risks Posed by New
 Wiretapping Technologies

Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
is a hard book to categorize. It is not about security, but it deals
extensively with it. It is not a law book, but legal topics are pervasive
throughout the book. It is not a telecommunications book, but extensively
details telco issues. Ultimately, the book is a most important overview of
security and privacy and the nature of surveillance in current times.

My full review of this excellent book is at:



Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 26.49