RISKS-LIST: RISKS-FORUM Digest  Volume 25 : Issue 00 ()
Subject: Risks Digest 25.00 (), Volume 25 summary
REPLY-TO: risks@csl.sri.com

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.
  SUMMARY OF RISKS VOLUME 25 (Jan 2008 - ongoing)

(NOTE: This summary is archived in ftp file risks-25.00 at ftp.sri.com,
cd risks, and is also at http://catless.ncl.ac.uk/Risks/25.00.html.)

----------------------------------------------------------------------

Date: 17 Oct 2007 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman web interface can be used
directly to subscribe and unsubscribe:
  http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM:
address, send a message to risks-request@csl.sri.com containing only the
one-word text subscribe or unsubscribe. You may also specify a different
receiving address: subscribe address= ... . You may short-circuit that process
by sending directly to either risks-subscribe@csl.sri.com or
risks-unsubscribe@csl.sri.com depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions are
included in the confirmation message. Each issue of RISKS that you receive
contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online. The full info file may appear now and then
in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact .

=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the
most recent RISKS issue and a WAP version that works for many but not all
telephones: http://catless.ncl.ac.uk/w/r .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
for browsing, or .ps for printing

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

RISKS 25.00
Subject: SUMMARY OF RISKS VOLUME 25 (ongoing) (archived in ftp file risks-25.00)

RISKS 25.01 Monday 7 January 2008
  Fire! Works! oops, too slow (Mark Brader)
  Boeing 787 networking issues (Martyn Thomas)
  Feds Release Pass Card details (Brock N. Meeks via David Farber)
  Has chip-and-pin failed to foil fraudsters? (Pere Camps)
  Sears exposes customers' information via its web site (Rich Kulawiec via IP)
  User Data Stolen From Pornographic Web Sites (David Lesher)
  Election Computers Stolen in Tennessee (David Lesher)
  Er, Airline Captains Do What, Again? (Rick Moen)
  Risks of embedded javascript (Paul Wallich)
  Mercedes console display with conflicting information (Henry Baker)
  Mac Quickbooks update deletes user desktop (Bonnie Packert)
  No more loose lithium batteries in checked luggage (Peter Gregory)
  Risks of believing what you see on the WayBack Machine (Fred Cohen)
  Re: Computer Failure Causes Closure of Seattle Downtown Transit Tunnel
    (Stanislav Meduna)
  Re: Satnav: Nope, you can't get there from here. (Craig DeForest)
  Re: Satnav (Martyn Thomas)
  Re: Drunk a better guide than sat nav (Ross Younger)
  Passing of Computing and Information Security Pioneer: Jim Anderson
    (Gene Spafford)

RISKS 25.02 Monday 14 January 2008
  Coffee Grounds Qantas (Charles Wood)
  Computer problem suspected in erratic Airbus flight (Antonomasia)
  Metal structure beneath runway affects aircraft instruments (David Dixon)
  Polish teenager uses city trams as train set (Peter Houppermans)
  Novel approach to reducing electoral fraud (Peter Mellor)
  Risks of believing a GPS system (Paul Karger)
  GPS in a tea shop anecdote (Mark Brader)
  More GPS mishaps (Paul Saffo)
  Nightmare on VoIP Street (Ed Ravin)
  A risk of static analysis tools -- and refereeing (Peter Gutmann)
  Bank gives money to fraudster posing as its chairman (David Dixon)
  REVIEW: "Managing Knowledge Security", Kevin C. Desouza (Rob Slade)

RISKS 25.03 Tuesday 29 January 2008
  Data entry error leads to incompatible transplant (Mark Brader)
  London Heathrow plane crash (Colin Stamp)
  "Butterfly Award": French Bank Says Trader Hacked Computers (Henry Baker)
  Henhouses, guarding of, by foxes: Kerviel Kerfuffle (Steve Summit)
  Problems with the German tax software "Magpie" (Debora Weber-Wulff)
  Florida computer problems halt early voting (PGN)
  The risks of upgrading software (Clive D. W. Feather)
  Charter Cable deletes 14,000 e-mail accounts. No backups. (Danny Burstein)
  IRS: Kansas City lost our tapes. Lots of personal info.... (Danny Burstein)
  Automated parking garage reopens (Rich Mintz)
  Blue Screened Asphalt Jungle... (David Lesher)
  Windows virus protection on NASA Linux machines (David Lesher)
  Authors, pseudonyms, and software (Steven M. Bellovin)
  Re: Metal structure beneath runway affects aircraft instruments
    (Roderick A Rees)
  Re: Boeing 787 networking issues (Mark Siegel)
  Re: Coffee Grounds Qantas (Brian Hayes)
  Re: More GPS mishaps (Joel Maslak, Dag-Erling Smørgrav, Paul Saffo)
  REVIEW: "Fuzzing", Michael Sutton/Adam Greene/Pedram Amini (Rob Slade)

RISKS 25.04 Saturday 2 February 2008
  Transplant patient has NEW kidney removed after NHS computer blunder
    (Richard I. Cook)
  Tachometer error caused 2005 runway overrun (Mark Brader)
  Mideast submarine cable disruptions (David Lesher)
  Empire State Building car e-interference mystery (David Chessler)
  Technology Review: Stopping cars with microwaves (David Chessler)
  Manufacturer Blames Bankruptcy on Failed ERP Implementation (Ken Dunham)
  2008 meltdown margin player blames s/w for failure to complete trades
    (George Michaelson)
  Fifth Amendment: Passphrase cannot be forced (David Lesher)
  British software pirate sells GBP 12K package at 1/1000 (Peter Mellor)
  DTV vs USPS (Peter Zilahy Ingerman)
  Voting Machine Usability Testing (Ken Dunham)
  Impersonating armored car personnel (Craig Partridge)
  Another public data loss in the UK (Robert Klemme)
  Automated calling system glitch locks down school (Steve Eddins)
  Re: Air Canada A319 upset (Peter Ladkin)
  Re: Coffee Grounds Qantas (Preston de Guise)
  Re: Metal structure beneath runway ... (Neil Youngman)
  Hoist by one's own petard: data security: UK Child Benefits (Adrian Cherry)
  REVIEW: "Software Testing Practice: Test Management", Spillner et al.
    (Rob Slade)

RISKS 25.05 Monday 18 February 2008
  L.A. School payroll system's spectacular failure (Richard I. Cook)
  FBI mistakenly receives supposedly protected e-mail (Steven M. Bellovin)
  Canadian Government Mails Out Confidential Data (Ken Dunham)
  JAL cabin crews sue over personal info (PGN)
  JAL near miss on attempted takeoff (PGN)
  Future of e-voting in doubt in Japan (PGN)
  Computer Error Strands Tanker off Massachusetts (Lee Rudolph)
  Bell Canada Data on 3.4 Million Customers Stolen (Ken Dunham)
  Royal Canadian Mounted Police Censured for Privacy Violations (Ken Dunham)
  Re: Lost Kansas City IRS tapes with personal info. (Danny Burstein)
  Critics chuck MS 'friendly worm' plan on the compost heap (Chris Leeson)
  Another BlackBerry Outage Caused by System Upgrade? (Ken Dunham)
  Vulnerability info suppressed by criminals paying to hide it (Ken Dunham)
  New GAO Report on IRS Information Security Pervasive Vulnerabilities
    (Diego Latella)
  The GPS miracle (Rich Mintz)
  'Woman Says Being Declared Dead Ruins Life' (PGN)
  A reminder: Eric Sevareid's Law (Ken Knowlton)
  Ah yes, just what you need!!! (David Lesher)

RISKS 25.06 Monday 25 February 2008
  Securing The Wrong Spaces: A Lesson (Paul Ferguson via Gregory Hicks)
  Software problem at London Heathrow Terminal 4 affects baggage (Peter Mellor)
  YouTube outage blamed on Pakistan (Amos Shapir)
  One way not to conduct Internet voting (Peter Kaiser)
  Being declared dead ruins life (Andrew Koenig)
  New RFID ticketless bus system in Brisbane goes live... with glitches
    (George Michaelson)
  US Treasury "TreasuryDirect" Web site security enhancements (Jonathan Kamens)
  EU money for 4 small businesses IT risk mgmt pilot (Patrick O'Beirne)
  Cold Boot Attacks on Disk Encryption (Jacob Appelbaum, Declan McCullagh)
  Illegal drag race kills eight (John Curran)
  Free-to-download password cracker (Peter Mellor)
  Re: the GPS miracle (Steven M. Bellovin)

RISKS 25.07 Saturday 1 March 2008
  Risks of Leap Years and Dumb Digital Watches (Mark Brader)
  Risks of Leap Years and Dumb Airline Software (PGN)
  $1.2 billion up in smoke (Paul Saffo)
  Southeast Florida Massive Power Outage (Steven J. Greenwald)
  FL power failure triggered by human error (Lauren Weinstein)
  Competent? We can't even archive our own e-mail reliably! (Jim Horning)
  DreamHost Accidentally Bills Customers $7,500,000 (Dan Jacobson)
  IT Project Failure Blog (Ken Dunham)
  Is the "law of unintended consequences" biting W3C DTD reference?
    (George Michaelson)
  Pakistan, YouTube, Google, and No Simple Answers (Lauren Weinstein)
  Re: YouTube outage blamed on Pakistan (R A Lichtensteiger, Richard Grady,
    Jay R. Ashworth)
  Cold Boot Attacks: Vulnerable While Sleeping (Ed Felten via Monty Solomon)
  Citibank needs a clue (Rich B. Astaird)
  Re: Hoist by one's own petard: data security: UK Child Benefits (Merlyn Kline)
  REVIEW: "Better Ethics Now", Christopher Bauer (Rob Slade)

RISKS 25.08 Friday 14 March 2008
  Wind Power Risks (Charles Wood)
  FBI Found to Misuse Security Letters (lynn via Dave Farber's IP)
  RFID hack could crack open 2 billion smart cards (Sharon Gaudin)
  Nasty scanner attack: AccuBasic malware (PGN)
  Hacking a pacemaker (Gadi Evron)
  More on pacemaker risks (PGN)
  Stopping cars with microwaves (Matthew D. Healy)
  It's too easy to access the "off" switch (Robert P Schaefer)
  UK ISPs to sell users' private browsing information (Mike Scott)
  TSA can't believe MacBook Air is a real laptop; owner misses flight
    (Paul Saffo)
  Deja Vu all over again (Andrew Koenig)
  CAPTCHA attacks (Monty Solomon)
  Safari "beachball" black on black (Richard A. O'Keefe)
  Risks of Leap Years and Dumb Digital Watches (Clive D. W. Feather, Amos Shapir)
  USENIX Announces Open Access to Conference Proceedings (Lionel Garth Jones)

RISKS 25.09 Thursday 27 March 2008
  Billion-dollar IT failure at Census Bureau (eekid via David Farber)
  A Heart Device Is Found Vulnerable to Hacker Attacks
    (Barnaby Feder via Monty Solomon)
  FL power outage NERC updates (Catherine M Horiuchi)
  Vandals halt some hybrid buses using external 'off' switch (Rick Damiani)
  Flight Service Software Crashes; Pilot Briefings Delayed (Gabe Goldberg)
  Substantial supermarket breach affects millions (Robert Heuman)
  Man arrested by mistake over phone system bug (Rick Damiani)
  Hoax on Craigslist causes duped victims to steal property (Mark Brader)
  Payment by fingerprint disappears (Jon Van and Becky Yerak via Paul Saffo)
  Cute e-mail leak (Steve Summit)
  Search engine bait? (Steve Schafer)

RISKS 25.10 Tuesday 1 April 2008
  A modest proposal for the improvement of Daylight Saving (Tony Finch)
  A Current Affair: Lauren Weinstein, Inside Risks, CACM April 2008 (PGN)
  Chaos Computer Club publishes Minister's fingerprint - and more
    (Peter Houppermans)
  DST transition time mismatches (Tony Finch)
  Mini-Y2K fears over Aussie daylight saving change (Max Power)
  NYPD erases crime statistics for February 29 (Ed Ravin)
  More flights canceled as Heathrow remains in chaos
    (Alan Cowell via David Farber's IP)
  Heathrow: The risks of hubris (Diomidis Spinellis)
  GPS Errors are riskier than you may imagine: consider Liability-Critical
    Applications (Bern Grush)
  Re: Securing The Wrong Spaces: A Lesson (Rick Damiani)
  Re: Arrest over phone system bug: Trailing zeroes (Graham Reed)
  Re: Thieves become victims? (stanley)

RISKS 25.11 Wednesday 9 April 2008
  Crossed wires cited in recent UAL skidding incidents (Monty Solomon)
  Unanticipated GPS risk: foreign translations (Paul Schreiber)
  Census to scrap handheld computers for 2010 count (Bob Schaefer)
  Boston city complaint line lags (Donovan Slack via Monty Solomon)
  Indiana school district wipes out high school grades (Danny Burstein)
  Re: Search engine bait? (Martin Ward)
  Another genuine mail that looks like a phish (Andy Piper)
  Nissan GT-R sports car recognizes racetrack coordinates and aftermarket parts
    (Clark Family)
  REVIEW: "Security Data Visualization", Greg Conti (Rob Slade)