RISKS-LIST: RISKS-FORUM Digest  Volume 25 : Issue 00 ()

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.
SUMMARY OF RISKS VOLUME 25 (Jan 2008 - ongoing)
(NOTE: This summary is archived in ftp file risks-25.00 at ftp.sri.com,
cd risks, and is also at http://catless.ncl.ac.uk/Risks/25.00.html.)

----------------------------------------------------------------------

Date: 17 Oct 2007 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman web interface can be used
 directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman from your
 FROM: address, send a message to risks-request@csl.sri.com containing only
 the one-word text subscribe or unsubscribe. You may also specify a
 different receiving address: subscribe address= ... . You may short-circuit
 that process by sending directly to either risks-subscribe@csl.sri.com or
 risks-unsubscribe@csl.sri.com depending on which action is to be taken.
 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact .
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many
 but not all telephones: http://catless.ncl.ac.uk/w/r .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 for browsing, or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

RISKS 25.00
Subject: SUMMARY OF RISKS VOLUME 25 (ongoing) (archived in ftp file risks-25.00)

RISKS 25.01 Monday 7 January 2008
Fire! Works! oops, too slow (Mark Brader)
Boeing 787 networking issues (Martyn Thomas)
Feds Release Pass Card details (Brock N. Meeks via David Farber)
Has chip-and-pin failed to foil fraudsters? (Pere Camps)
Sears exposes customers' information via its web site (Rich Kulawiec via IP)
User Data Stolen From Pornographic Web Sites (David Lesher)
Election Computers Stolen in Tennessee (David Lesher)
Er, Airline Captains Do What, Again? (Rick Moen)
Risks of embedded javascript (Paul Wallich)
Mercedes console display with conflicting information (Henry Baker)
Mac Quickbooks update deletes user desktop (Bonnie Packert)
No more loose lithium batteries in checked luggage (Peter Gregory)
Risks of believing what you see on the WayBack Machine (Fred Cohen)
Re: Computer Failure Causes Closure of Seattle Downtown Transit Tunnel (Stanislav Meduna)
Re: Satnav: Nope, you can't get there from here. (Craig DeForest)
Re: Satnav (Martyn Thomas)
Re: Drunk a better guide than sat nav (Ross Younger)
Passing of Computing and Information Security Pioneer: Jim Anderson (Gene Spafford)

RISKS 25.02 Monday 14 January 2008
Coffee Grounds Qantas (Charles Wood)
Computer problem suspected in erratic Airbus flight (Antonomasia)
Metal structure beneath runway affects aircraft instruments (David Dixon)
Polish teenager uses city trams as train set (Peter Houppermans)
Novel approach to reducing electoral fraud (Peter Mellor)
Risks of believing a GPS system (Paul Karger)
GPS in a tea shop anecdote (Mark Brader)
More GPS mishaps (Paul Saffo)
Nightmare on VoIP Street (Ed Ravin)
A risk of static analysis tools -- and refereeing (Peter Gutmann)
Bank gives money to fraudster posing as its chairman (David Dixon)
REVIEW: "Managing Knowledge Security", Kevin C. Desouza (Rob Slade)

RISKS 25.03 Tuesday 29 January 2008
Data entry error leads to incompatible transplant (Mark Brader)
London Heathrow plane crash (Colin Stamp)
"Butterfly Award": French Bank Says Trader Hacked Computers (Henry Baker)
Henhouses, guarding of, by foxes: Kerviel Kerfuffle (Steve Summit)
Problems with the German tax software "Magpie" (Debora Weber-Wulff)
Florida computer problems halt early voting (PGN)
The risks of upgrading software (Clive D. W. Feather)
Charter Cable deletes 14,000 e-mail accounts. No backups. (Danny Burstein)
IRS: Kansas City lost our tapes. Lots of personal info.... (Danny Burstein)
Automated parking garage reopens (Rich Mintz)
Blue Screened Asphalt Jungle... (David Lesher)
Windows virus protection on NASA Linux machines (David Lesher)
Authors, pseudonyms, and software (Steven M. Bellovin)
Re: Metal structure beneath runway affects aircraft instruments (Roderick A Rees)
Re: Boeing 787 networking issues (Mark Siegel)
Re: Coffee Grounds Qantas (Brian Hayes)
Re: More GPS mishaps (Joel Maslak, Dag-Erling Smørgrav, Paul Saffo)
REVIEW: "Fuzzing", Michael Sutton/Adam Greene/Pedram Amini (Rob Slade)

RISKS 25.04 Saturday 2 February 2008
Transplant patient has NEW kidney removed after NHS computer blunder (Richard I. Cook)
Tachometer error caused 2005 runway overrun (Mark Brader)
Mideast submarine cable disruptions (David Lesher)
Empire State Building car e-interference mystery (David Chessler)
Technology Review: Stopping cars with microwaves (David Chessler)
Manufacturer Blames Bankruptcy on Failed ERP Implementation (Ken Dunham)
2008 meltdown margin player blames s/w for failure to complete trades (George Michaelson)
Fifth Amendment: Passphrase cannot be forced (David Lesher)
British software pirate sells GBP 12K package at 1/1000 (Peter Mellor)
DTV vs USPS (Peter Zilahy Ingerman)
Voting Machine Usability Testing (Ken Dunham)
Impersonating armored car personnel (Craig Partridge)
Another public data loss in the UK (Robert Klemme)
Automated calling system glitch locks down school (Steve Eddins)
Re: Air Canada A319 upset (Peter Ladkin)
Re: Coffee Grounds Qantas (Preston de Guise)
Re: Metal structure beneath runway ... (Neil Youngman)
Hoist by one's own petard: data security: UK Child Benefits (Adrian Cherry)
REVIEW: "Software Testing Practice: Test Management", Spillner et al. (Rob Slade)

RISKS 25.05 Monday 18 February 2008
L.A. School payroll system's spectacular failure (Richard I. Cook)
FBI mistakenly receives supposedly protected e-mail (Steven M. Bellovin)
Canadian Government Mails Out Confidential Data (Ken Dunham)
JAL cabin crews sue over personal info (PGN)
JAL near miss on attempted takeoff (PGN)
Future of e-voting in doubt in Japan (PGN)
Computer Error Strands Tanker off Massachusetts (Lee Rudolph)
Bell Canada Data on 3.4 Million Customers Stolen (Ken Dunham)
Royal Canadian Mounted Police Censured for Privacy Violations (Ken Dunham)
Re: Lost Kansas City IRS tapes with personal info. (Danny Burstein)
Critics chuck MS 'friendly worm' plan on the compost heap (Chris Leeson)
Another BlackBerry Outage Caused by System Upgrade? (Ken Dunham)
Vulnerability info suppressed by criminals paying to hide it (Ken Dunham)
New GAO Report on IRS Information Security Pervasive Vulnerabilities (Diego Latella)
The GPS miracle (Rich Mintz)
'Woman Says Being Declared Dead Ruins Life' (PGN)
A reminder: Eric Sevareid's Law (Ken Knowlton)
Ah yes, just what you need!!! (David Lesher)

RISKS 25.06 Monday 25 February 2008
Securing The Wrong Spaces: A Lesson (Paul Ferguson via Gregory Hicks)
Software problem at London Heathrow Terminal 4 affects baggage (Peter Mellor)
YouTube outage blamed on Pakistan (Amos Shapir)
One way not to conduct Internet voting (Peter Kaiser)
Being declared dead ruins life (Andrew Koenig)
New RFID ticketless bus system in Brisbane goes live... with glitches (George Michaelson)
US Treasury "TreasuryDirect" Web site security enhancements (Jonathan Kamens)
EU money for 4 small businesses IT risk mgmt pilot (Patrick O'Beirne)
Cold Boot Attacks on Disk Encryption (Jacob Appelbaum, Declan McCullagh)
Illegal drag race kills eight (John Curran)
Free-to-download password cracker (Peter Mellor)
Re: the GPS miracle (Steven M. Bellovin)

RISKS 25.07 Saturday 1 March 2008
Risks of Leap Years and Dumb Digital Watches (Mark Brader)
Risks of Leap Years and Dumb Airline Software (PGN)
$1.2 billion up in smoke (Paul Saffo)
Southeast Florida Massive Power Outage (Steven J. Greenwald)
FL power failure triggered by human error (Lauren Weinstein)
Competent? We can't even archive our own e-mail reliably! (Jim Horning)
DreamHost Accidentally Bills Customers $7,500,000 (Dan Jacobson)
IT Project Failure Blog (Ken Dunham)
Is the "law of unintended consequences" biting W3C DTD reference? (George Michaelson)
Pakistan, YouTube, Google, and No Simple Answers (Lauren Weinstein)
Re: YouTube outage blamed on Pakistan (R A Lichtensteiger, Richard Grady, Jay R. Ashworth)
Cold Boot Attacks: Vulnerable While Sleeping (Ed Felten via Monty Solomon)
Citibank needs a clue (Rich B. Astaird)
Re: Hoist by one's own petard: data security: UK Child Benefits (Merlyn Kline)
REVIEW: "Better Ethics Now", Christopher Bauer (Rob Slade)

RISKS 25.08 Friday 14 March 2008
Wind Power Risks (Charles Wood)
FBI Found to Misuse Security Letters (lynn via Dave Farber's IP)
RFID hack could crack open 2 billion smart cards (Sharon Gaudin)
Nasty scanner attack: AccuBasic malware (PGN)
Hacking a pacemaker (Gadi Evron)
More on pacemaker risks (PGN)
Stopping cars with microwaves (Matthew D. Healy)
It's too easy to access the "off" switch (Robert P Schaefer)
UK ISPs to sell users' private browsing information (Mike Scott)
TSA can't believe MacBook Air is a real laptop; owner misses flight (Paul Saffo)
Deja Vu all over again (Andrew Koenig)
CAPTCHA attacks (Monty Solomon)
Safari "beachball" black on black (Richard A. O'Keefe)
Risks of Leap Years and Dumb Digital Watches (Clive D. W. Feather, Amos Shapir)
USENIX Announces Open Access to Conference Proceedings (Lionel Garth Jones)

RISKS 25.09 Thursday 27 March 2008
Billion-dollar IT failure at Census Bureau (eekid via David Farber)
A Heart Device Is Found Vulnerable to Hacker Attacks (Barnaby Feder via Monty Solomon)
FL power outage NERC updates (Catherine M Horiuchi)
Vandals halt some hybrid buses using external 'off' switch (Rick Damiani)
Flight Service Software Crashes; Pilot Briefings Delayed (Gabe Goldberg)
Substantial supermarket breach affects millions (Robert Heuman)
Man arrested by mistake over phone system bug (Rick Damiani)
Hoax on Craigslist causes duped victims to steal property (Mark Brader)
Payment by fingerprint disappears (Jon Van and Becky Yerak via Paul Saffo)
Cute e-mail leak (Steve Summit)
Search engine bait? (Steve Schafer)

RISKS 25.10 Tuesday 1 April 2008
A modest proposal for the improvement of Daylight Saving (Tony Finch)
A Current Affair: Lauren Weinstein, Inside Risks, CACM April 2008 (PGN)
Chaos Computer Club publishes Minister's fingerprint - and more (Peter Houppermans)
DST transition time mismatches (Tony Finch)
Mini-Y2K fears over Aussie daylight saving change (Max Power)
NYPD erases crime statistics for February 29 (Ed Ravin)
More flights canceled as Heathrow remains in chaos (Alan Cowell via David Farber's IP)
Heathrow: The risks of hubris (Diomidis Spinellis)
GPS Errors are riskier than you may imagine: consider Liability-Critical Applications (Bern Grush)
Re: Securing The Wrong Spaces: A Lesson (Rick Damiani)
Re: Arrest over phone system bug: Trailing zeroes (Graham Reed)
Re: Thieves become victims? (stanley)

RISKS 25.11 Wednesday 9 April 2008
Crossed wires cited in recent UAL skidding incidents (Monty Solomon)
Unanticipated GPS risk: foreign translations (Paul Schreiber)
Census to scrap handheld computers for 2010 count (Bob Schaefer)
Boston city complaint line lags (Donovan Slack via Monty Solomon)
Indiana school district wipes out high school grades (Danny Burstein)
Re: Search engine bait? (Martin Ward)
Another genuine mail that looks like a phish (Andy Piper)
Nissan GT-R sports car recognizes racetrack coordinates and aftermarket parts (Clark Family)
REVIEW: "Security Data Visualization", Greg Conti (Rob Slade)

RISKS 25.12 Tuesday 22 April 2008
Industrial Control Systems Killed Once, Will Kill Again (Ryan Singel)
GPS leads a bus astray (David Caley)
Neighbor's data shows up in my browser (borborugmus)
Oklahoma Dept of Corrections Website URLs contain raw SQL (Jim Garrison)
Real-time spying on credit card holders (Nick Brown)
Larger Prey Are Targets of Phishing (John Markoff via Monty Solomon)
Aer Lingus economy 5-euro flights to the US after test data leaked to web (Patrick O'Beirne)
Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA (Emil Protalinski via Monty Solomon)
Bouncing Merrily Along (Peter B. Ladkin)
The 10,000 web sites infection mystery solved (Bojan Zdrnja via Monty Solomon)
Re: Census to scrap handheld computers for 2010 count (Derek P Schatz)
Re: Search engine bait? (Randall Roberts)
Re: Another genuine mail that looks like a phish (Gregory Hicks)
Re: Nissan GT-R sports car and GPS (Peter Houppermans, JTaylor)
2008 IEEE Symposium on Security and Privacy (Yong Guan)
REVIEW: "Computer Security: Principles and Practice" (Rob Slade)

RISKS 25.13 Sunday 27 Apr 2008
Hack into Obama campaign site exploited a coding flaw (Jordan Robertson via Joseph Lorenzo Hall)
Hacking a rival smart card? (Robert P Schaefer)
Face scans for air passengers to begin in UK this summer (Brian Randell)
30th Spamiversary (Brad Templeton via Mike Hogsett)
Re: Bouncing Merrily Along (Paul Karger)
Re: Real-time spying on credit card holders (Ron Garret)
Re: Neighbor's data shows up in my browser (Paul D. Smith, Erik Mooney)
Re: GPS leads a bus astray (Roger Scrafford)
Re: Nissan GT-R sports car and GPS (Chris Kantarjiev, Dag-Erling Smørgrav, Dag-Erling Smørgrav, Peter Houppermans, Dag-Erling Smørgrav)

RISKS 25.14 Friday 2 May 2008
U.S. Customs computer system fails nationwide (PGN)
Protecting Yourself From Suspicionless Searches While Traveling (Jennifer Granick via Monty Solomon)
Air marshals' names tagged on 'no-fly' list (Audrey Hudson via Monty Solomon)
Italy posts salary details on web (Amos Shapir)
Tot dies after Internet 911 call fails to reach dispatchers (Tony Toews)
Canadian Human Rights Commission investigator hijacks woman's Internet connection (Kelly Bert Manning)
Microsoft anti-encryption toolkit (David Lesher)
"Default Password" exploits still work (William Nico)
Protecting credit card holders (Kearton Rees)
Police officer uses real witness statement as template document (Identity withheld by request)
False alarm guaranteed after 7 years (Daniel P.B. Smith)
Facial recognition in airports... please say it's April 1st. (Fred Cohen)
Re: Face scans for UK air passengers (Peter Houppermans)
Re: 30th Spamiversary (Amos Shapir)
Re: Real-time spying on credit card holders (Nick Brown)
Blown to Bits, Abelson/Ledeen/Lewis (PGN)

RISKS 25.15 Friday 16 May 2008
No-flies on you? (PGN)
Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA (Emil Protalinski via Monty Solomon)
Hacker leaks 6 million Chileans' records (Amos Shapir)
Dilbert site wants to install a widget (William Ehrich)
Used hardware containing sensitive data (Tony Harminc)
88,000 hospital patient records stolen in NYC (Danny Burstein)
UK CCTV used to create a music video (Forest Mars)
QWERTYUIOOPS (Charles C. Mann)
Post Office changes 100 SF addresses (Rob McCool)
PO-boy (Peter Zilahy Ingerman)
Debian OpenSSL Predictable PRNG Toys (H D Moore via Monty Solomon)
Debian OpenSSL Vulnerability (Monty Solomon)
How not to use SSL (Nickee Sanders)
A risk for those that own Digital photo frames (Identity withheld)
'Peel and Stick' Tasers Electrify Riot Control (Paul Saffo)
Risks of Be-clowning Yourself at Computerized Speeds, Internationally (R.G. Newbury)
REVIEW: "Geekonomics: The Real Cost of Insecure Software", David Rice (Rob Slade)

RISKS 25.16 Thursday 22 May 2008
Betting glitch spurs calls for reform (Will Oremus via PGN)
Animal tricks, take n+1 (Jeremy Epstein)
Ants and Computers (Gene Wirchenko)
F.B.I. Says the Military Had Bogus Computer Gear (John Markoff via Monty Solomon)
Another undeleted/deleted Document - "Krolls Associates" (Danny Burstein)
Don't phlash that dwarf - hand me the pliers! (John Leyden via Randall)
Geolocation software risks (Mickey Coggins)
Shopping centers tracking cell phones (PGN)
China's All-Seeing Eye (EEkid via Dave Farber)
Re: Real-time spying on credit card holders (Curt Sampson)
Microsoft security advice for sale (Peter Houppermans)
Old-Style Pumps Balk At $4-a-Gallon Gas, Too (Nick Miroff via Monty Solomon)
Clueless in France (Pete Kaiser)
PayPal XSS Vulnerability Undermines EV SSL Security (Paul Mutton via Monty Solomon)
More GPS Mishaps (Gene Wirchenko)
Re: UK CCTV used to create a music video (Chris Drewe)
Re: Dilbert wants a widget (Bill Bumgarner)
Re: Debian OpenSSL Predictable PRNG Toys (Jim Horning)
Re: Securing The Wrong Spaces: A Lesson (David E. Price)

RISKS 25.17 Friday 30 May 2008
Wrong patient gets appendix removed, software to blame (Rex Sanders)
E-Voting Banned by Dutch Government (Udo de Haes)
Don't phlash that dwarf -- hand me the pliers! (John Leyden)
Firmware-based phone vulnerabilities (David Magda)
A Low-cost Attack on a Microsoft CAPTCHA (Jeff Yan and Ahmad Salah El Ahmad via Monty Solomon)
SYN attack from RIAA contractor (David Lesher)
Random and haphazard are not synonyms (Andrew Koenig)
An iTunes file database problem Apple will never fix (Max Power)
Microsoft's Masters: Whose Rules Does Your Media Center Play By? (Greg Sandoval)
Fundraising that is too Excel-lent to report (Mark Brader)
On-line registration for College Reunion 2008 (F John Reinke)
Why not set the pump to half price and post a sign? (Daniel P. B. Smith)
Re: Securing The Wrong Spaces: A Lesson (John Sullivan, Bill Hopkins)
An account of the Estonian Internet War (Gadi Evron)

RISKS 25.18 Tuesday 3 June 2008
Fire at The Planet takes down thousands of websites (Gene Wirchenko)
UK power rationing causes fires and false fire alarms (Alistair McDonald)
Beware of Error Messages At Bank Sites (Brian Krebs via George Sherwood)
Still even more lost data (Gene Wirchenko)
Mass exploitation with Adobe Flash (Monty Solomon)
Risks in Instant Runoff Voting (PGN)
Arkansas Election Officials Baffled by Machines that Flipped Race (PGN)
Spelling checker runs amok in Pennsylvania high-school yearbook (Al Stangenberger)
Full Disclosure and why Vendors Hate it (Jonathan A. Zdziarski via Monty Solomon)
Re: An iTunes file database problem Apple will never fix (Alistair McDonald)
Re: Wrong patient gets appendix removed, software to blame (PGN)
REVIEW: "Secure Programming with Static Analysis", Chess/West (Rob Slade)

RISKS 25.19 Sunday 8 June 2008
Control-Alt-SCRAM; update reboots nuke plant (Brian Krebs via David Lesher)
Sensor error caused $1.4 bill B2 crash! (David A. Fulghum via Paul Saffo)
UK bank takes 9 months to combine computer systems (Peter Mellor)
Online registration for US visa waiver scheme from August 2008 (Donald Mackie)
The ID Divide: Peter Swire and Cassandra Q Butts (Monty Solomon)
ISP Secretly Added Spy Code To Web Sessions: Ryan Singel (Monty Solomon)
Advice from HM Revenue & Customs on NI number fraud (Peter Mellor)
Stanford employees' data on stolen laptop (PGN)
Sometimes the computer is right... (David Hollman)
"She'll never fail to stop at a railroad crossing ever again" (Jeff Rosen via Mark Brader)
Experts Revive Debate Over Cellphones and Cancer (Tara Parker-Pope via Monty Solomon)
Re: Risks in Instant Runoff Voting (Richard Gadsden)
Re: Fire at The Planet takes down thousands of websites (Paul Czyzewski)
Re: Whose Rules Does Your Media Center Play By? (Steve Wildstrom)
Re: Beware of Error Messages At Bank Sites (Paul Czyzewski)
Re: An iTunes ... problem Apple will never fix (Henry Baker, Max Power)

RISKS 25.20 Sunday 15 June 2008
Security hole exposes utilities to Internet attack (PGN)
Representative Frank Wolf's computer owned by China (PGN)
Hidden Code Costs Poker Players Thousands (Chuck Weinstock)
Wikipedia for medical students? (Steven M. Bellovin)
Wartime global temperature anomaly kicks the bucket (Mark Brader)
Colleges With Federal Contracts Will Have to Use New E-Verify (PGN)
Google "safebrowsing" diagnostic page (Rob Slade)
ID cards by the back door (Peter Mellor)
Spuds and system security (Rob Slade)
Clothing firm "Cotton Traders" customer database breached (Peter Mellor)
Update on ISP Actions Regarding C-Porn and Usenet (Lauren Weinstein)
Re: Risks in Instant Runoff Voting (Stewart Fist, Andrew Koenig)
Re: Stanford employees' data on stolen laptop (Hal Murray)
Re: Advice from HM Revenue and Customs (Edward Rice)
Re: She'll never fail to stop at a railroad crossing (Leonard Finegold)
Re: An iTunes ... problem Apple will never fix (Andrew M. Langmead)
Tracking the Trackers: Piatek et al. (Monty Solomon)

RISKS 25.21 Sunday 29 June 2008
Federal Agency Grounds Light Jet Used as Air Taxi (Matthew Wald)
Spyware bill cloaks a mini-UCITA (Ed Foster via Monty Solomon)
Wireless systems called disruptive (Robert P Schaefer)
More on election system integrity (Gene Wirchenko)
Re: Risks in Instant Runoff Voting (Scot Drysdale)
Chrysler announces the rolling WiFi hotspot automobile (Drew Lentz)
X-rated SMS case gives employees some privacy guarantees (John Timmer via Monty Solomon)
Attorney-client calls from jail recorded (Joel Garry)
HTML comments reveal corporate weakness (jidanni)
Photos and laptop crypto (Rob Slade)
Michael Fiola fired (Gene Wirchenko)
REVIEW: "Challenges to Digital Forensic Evidence", Fred Cohen (Rob Slade)

RISKS 25.22 Tuesday 8 July 2008
InciWeb map coordinate errors for California fire (Henry Baker)
Oyster and Mifare cracked: NXP sues to silence Oyster researchers (PGN)
Free Berlin subway rides (Debora Weber-Wulff)
Citibank ATM breach reveals PIN security problems (Jordan Robertson)
Web-based SSH key generation with escrow (Tina Bird)
ComCast in Concrete? (Robert P Schaefer)
State Dept: Celebrity passport files viewed repeatedly - CNN.com (PGN)
California's Super-Stupid Anti-Science Cell Phone Law Takes Effect (Lauren Weinstein)
Re: HTML comments reveal corporate weakness (Ivor Hewitt)
Re: Approval voting and sincerity (Andrew Koenig, Dag-Erling Smørgrav)
REVIEW: "The dotCrime Manifesto", Phillip Hallam-Baker (Rob Slade)

RISKS 25.23 Friday 18 July 2008
E-mail response to wrong address, intended recipient arrested (Danny Burstein)
San Francisco admin hijacks city net (David Lesher)
Risks of wrong preprogrammed emergency message system being sent (C.Y./J.E. Cripps)
P2P Data Breach affects SCOTUS (Jay R. Ashworth)
"Plug and Play" Hospitals (Terrence Enger)
Gmail Reveals the Names of All Users (Gene Wirchenko)
Google Desktop, Word may expose encrypted data (Gene Wirchenko)
UPS "Virus Warning" virtually indistinguishable from phishing attack (Jonathan Kamens)
DR/BCM lessons from the Vancouver fire (Daniel Wesemann in SANS via Brent J. Nordquist)
Re: Map coordinate errors for California fire (Henry Baker, Al Stangenberger)
California's Super-Stupid Anti-Science Cell Phone Law Takes Effect (Kurt Thams)
Handheld mobile safety (Paul D.Smith)
The toll for terrorism is too high (David Lesher)
Firefox 3's Step Backwards For Self-Signed Certificates (Lauren Weinstein)
A not-so-obvious hyperinflation risk (B. Elijah Griffin)
Re: Approval voting and sincerity (Anthony W. Youngman)
Re: ComCast in Concrete? (Greg Fife, Paul Wallich)
US FTC seeks comments on privacy in contactless payments (Kevin Fu)

RISKS 25.24 Wednesday 23 July 2008
Washington Metro farecard fraud (David Lesher)
The $100,000 Keying Error (Patrick O'Beirne)
What happened to handcuffing the briefcase to James Bond's wrist? (Randall Webmail)
Taking a grab at what's the real system error (Jared)
What's in a name? (Peter Houppermans)
Yet more GPS risks: Angry Mob Stones Lost Tourist (Steven J Klein)
Shocking idea for air passenger security (Robin Stevens)
Re: Oyster card hack to be published (Amos Shapir)
Re: San Francisco admin hijacks city net: Paul Venezia (David Lesher)
Re: ComCast in Concrete? MAC addresses (R A Lichtensteiger)
Re: P2P Data Breach affects SCOTUS (Pete Klammer, Jay R. Ashworth)
Re: Approval voting and sincerity (Geoffrey Brent, Richard Gadsden)
NC State Voter site exposes voter addresses (John O Long)

RISKS 25.25 Sunday 3 August 2008
"Software bug" downs AA baggage handling at JFK (PGN)
Intermittent network card causes air traffic control problems (Steven M. Bellovin)
Crypto box failure causes MTA credit card processing failure (Steven M. Bellovin)
200,000 medical records sent to wrong patients, some with SSNs (George Mannes)
DNA Database Searches (jared)
Another GPS error story (Gene Spafford)
Electronic voting: Indications of Sanity? (Geoff Newbury)
Risks of Inflation: new Zimbabwe bank notes (Jim Reisert)
Bruce Schneier: Inside the Twisted Mind of the Security Professional (jidanni)
Details of DNS Flaw Leaked (Kim Zetter via Monty Solomon)
Apple Fails to Patch Critical Exploited DNS Flaw (Rich Mogull via Monty Solomon)
Fascinating phishing attack: valid links, dangerous toll-free number (Jonathan Kamens)
Re: San Francisco FiberWAN and Terry Childs (Jeff Williams)
Re: ComCast in Concrete? MAC addresses (Tanner Andrews)
REVIEW: "Internet Denial of Service", Jelena Mirkovic et al. (Rob Slade)
REVIEW: "AVIEN Malware Defense Guide for the Enterprise", David Harley et al. (Rob Slade)

RISKS 25.26 Wednesday 6 August 2008
'Fakeproof' microchipped British e-passport is cloned in minutes (Martyn Thomas)
On Metro Fraud and NXP (David Lesher)
11 charged in largest ID theft in U.S. history (Paul Saffo)
Theft perils 150,000 on Busch laptop (PGN)
Verified Identity Pass: CLEAR Suspended Following Laptop Theft (PGN)
Unsuspected travelers' laptops may be detained at border (Ellen Nakashima via Monty Solomon)
Neglecting to logout from Skype means sharing your Instant Messages (Michael Weiner)
Another small interface risk (Peter Zilahy Ingerman)
E-Z Pass Maryland training customers to visit random sites? (Mike Porter)
Prescription Data Used To Assess Consumers (Ellen Nakashima via Monty Solomon)
Re: What's in a name? (Dag-Erling Smørgrav)
Re: UPS ... indistinguishable from phishing (G.M.Sigut)
Re: Fascinating phishing attack: valid links, dangerous ... number (Al Macintyre)
Re: Apple Fails to Patch Critical Exploited DNS Flaw (Robin Stevens)
Re: Another GPS error story (J R Stockton)
Survey: Perception of security in online environments (Gene Spafford)
REVIEW: "The Innocent Man", John Grisham (Rob Slade)

RISKS 25.27 Friday 8 August 2008
Strange Yahoo! vote count (PGN)
Trust TSA? Maybe... Trust Akamai...? (David Lesher)
"How reliable is DNA in identifying suspects?" (Robert P Schaefer)
GPS causes nightmare vacation (PGN)
Re: Another small interface risk (Thomas Wicklund)
Re: Unsuspected travelers' laptops may be detained at border (Thomas Hamann)
Re: Neglecting to logout from Skype (Dimitri Maziuk)
Pizza delivery and postal addresses (Mark Brader)

RISKS 25.28 Tuesday 12 August 2008
Internet attacks against Georgian web sites (Gadi Evron, Gadi Evron)
Russia/Georgia: Tanks, Bombers, Keyboards (Edward Rice)
Patch for Web Security Hole Has Some Leaks of Its Own (John Markoff via PGN)
MIT Students Gagged by Federal Court Judge (EFF via David Farber)
CloudAV (Rob Slade)
Two on-line travel booking risks (Chris Drewe)
'Fakeproof' microchipped British e-passport ... (Lars Poulsen)
Re: Unsuspected travelers' laptops may be detained ... (Steven M. Bellovin, R. G. Newbury)
Re: GPS causes nightmare vacation (Fernando Pereira)
Re: How reliable is DNA ...? (Michael Black, Steve Schafer)
Re: Neglecting to logout from Skype ... (Al Macintyre)

RISKS 25.29 Tuesday 19 August 2008
Olympics Windows crash (PGN)
Translate of device mech auto-reproduce (Rob Slade)
Electronic voting and antivirus software (jared)
Officials Say Flaws at Polls Will Remain in November (Ian Urbina via PGN)
Glitch let hundreds get free transit rail tickets (William Neuman via PGN)
Big trouble with Germany's New Unified Tax Identification Codes (Ralf Fritzsch)
Online Consumers at Risk and the Role of State Attorneys General (CAP/CDT item via Monty Solomon)
11 charged with massive ID theft (Monty Solomon)
Re: Firefox 3's Step Backwards For Self-Signed Certificates (Michael Barrett)
Re: 'Fakeproof' microchipped British e-passport (Hamish Marson)
Billion dollar IT failure at Census Bureau (Michael Lewchuk)
Attempt to muzzle MIT subway research backfires (B.K. DeLong)
My date and place of birth are public (jidanni)
Re: How reliable is DNA ...? (Geoff Kuenning, Rob Searle, Brian Hayes, Bob Buxton)

RISKS 25.30 Thursday 28 August 2008
Bruce Schneier on Airport Photo ID Checks (PGN)
Flight-plan FAAilure (PGN)
Aug 26 FAA flight plan fiasco (Ken Knowlton)
Commuter Flights Grounded Thanks To Bumbling TSA Inspector (PGN)
Computer viruses make it to orbit (Gabe Goldberg)
Ohio Voting Machines Contained Programming Error That Dropped Votes (PGN)
States throw out costly electronic voting machines (vim)
Risks of going on Internet record (Spamcop)
And here we go off the rails: "spam hunter" (Identity withheld by request)
Educational "testing firm" flunks Internet Security 101 (Danny Burstein)
A cellphone bill roams to the stratosphere (Gabe Goldberg)
Weird Clock Issue (Steven J. Greenwald)
Risks of omitting off-site backups? (C.Y./J.E. Cripps)
Telephone banking password /in/security (Tim Bradshaw)
Boston judge tosses MIT students' gag order (Richard Forno)
Re: DNA Database Searches (Hal Murray, Ken Knowlton)
Re: Couple of On-Line Travel Booking Risks (Chris Drewe)
Re: Germany's New Unified Tax Identification Codes (Ralf Fritzsch)
Re: P2P Data Breach affects SCOTUS (Hal Murray)

RISKS 25.31 Wednesday 10 September 2008
FAA redundancy -- or the lack thereof (Tessler and Robertson via PGN)
Corrupt File Brought Down Flight Planning System (Gabe Goldberg)
UK software upgrade issues (John Sawyer)
JPMorgan Chase: The Bank Account That Sprang a Leak (Monty Solomon)
Software problems affect the bottom line at J. Crew (Steven M. Bellovin)
Google ads and language (Erling Kristiansen)
Worditudinality (Rob Slade)
Control-C vs. Bourne-Again SHell (jidanni)
Control-C Control-C vs. gnus (jidanni)
Risks of better security and "smarter" users (Ron Garret)
BNY Mellon Data Breach Potentially Massive (George Hulme via Monty Solomon)
Student hacker exposes Carleton U cash, ID card security holes (Sergei Patchkovski)
Whit Diffie and Susan Landau: Internet Eavesdropping (Randall Webmail)
US .gov website asks for personal info without https protection (Jonathan Thornburg)
Re: Germany's New Unified Tax Identification Codes (Kevin Pfeiffer)
Re: Firefox 3's Step Backwards ... (Dimitri Maziuk)

RISKS 25.32 Thursday 11 September 2008
Google revives 6-year-old news story, sends United shares down 75% (Steven J Klein, Drew Dean, Scott Nicol)
How Steve Jobs' obit got published (Philip Elmer-DeWitt via Monty Solomon)
Internet Traffic Begins to Bypass the U.S. (John Markoff via Monty Solomon)
Global Trail of an Online Crime Ring (Brad Stone via Monty Solomon)
Automated Bill Payments Are a Cinch: Not So Fast (Ron Lieber via Monty Solomon)
Hackers prepare supermarket sweep (Gabe Goldberg)
Antivirus software in critical systems? (Erling Kristiansen)
Re: States throw out costly electronic voting machines (Peter Houppermans, Jim Haynes)
Risks of GPS Devices that we had Not Previously Heard Of (Mark Brader)
Over-reliance on automated real estate valuation (Jeremy Epstein)
Re: Control-Z vs. Bourne-Again SHell (David Chau)
Re: Weird Clock Issue - a single bit error (Chris Smith, Mark Lutton, Amos Shapir)
Re: Bruce Schneier on Airport Photo ID Checks (Andy Piper, Amos Shapir)
Re: Risks of better security and "smarter" users (Dag-Erling Smørgrav, Ron Garret)

RISKS 25.33 Monday 15 September 2008
Antivirus software in critical systems? (Rob Diamond, Robert P Schaefer, PGN)
Re: States throw out costly electronic voting machines (Patrick J Kobly)
Re: FAA redundancy -- or lack thereof (Mike Martin)
Misleading headline: 'Big bang' experiment is hacked (Gabe Goldberg)
Change name, get off no-fly list (David Magda)
Re: Amos Shapir on Airport Photo ID Checks (Danny Lawrence)
iPhone Takes Screenshots of Everything You Do (Brian X. Chen via Monty Solomon)
Re: UAL, Automated trading gets spoofed! (Howard Israel)
San Francisco officials looking for hidden network device (Gabe Goldberg)
PayPal phishes their own customers (Andrew Pam)
Re: Risks of better security ... (Chris Adams, Ron Garret on David Bliss)
Re: Control-Z vs. Bourne-Again SHell (Philippe Pouliquen)
Re: Weird Clock Issue -- a single bit error (David Magda)
Re: Risks of GPS Devices ... (Sergei Patchkovski)
Re: Automated Bill Payments Are a Cinch: Not So Fast (CBFalconer, Sten Carlsen, Erling Kristiansen)

RISKS 25.34 Sunday 21 September 2008
SciAm article on Smart Grid (William P.N. Smith)
Wall Street; where nothing can go worng wrogn wrgno.... (David Lesher)
Mortgage loan crisis due to wishful thinking, Garbage In Garbage Out (Geo Swan)
BNY Mellon data breach now at 200K in Mass, 12M in U.S. (Monty Solomon)
Risks of financial systems too complex to understand (Daniel P. B. Smith)
Risks of not using check digits in bank account numbers (Toby Douglass)
Risks of banking in Holland (Toby Douglass)
Re: PayPal phishes their own customers (Sidney Markowitz)
Re: Automated Bill Payments Are a Cinch: Not So Fast (Huge)
Capability creep strikes again (Jay R. Ashworth)
Expiration of cryptographic certificate killed airline ticket (Kenji Rikitake)
Antivirus software in critical systems? (Martyn Thomas)
Re: Antivirus software in critical systems? Aurora! (Al Mac Wheel)
Re: Control-Z vs. Bourne-Again SHell (jidanni)
Re: Risks of GPS Devices ... (Richard Grady)
USENIX Annual Tech '09 Call For Papers (Lionel Garth Jones)

RISKS 25.35 Monday 22 September 2008
Sydney road tunnel closed by computer 'glitch' (John Colville)
DC Primary votes don't add up... even with a fudge factor (David Lesher)
Hurricane Ike (Les Denham)
Hacker claims Palin e-mail hacked via password reset (Rob McCool)
Re: Wall Street; where nothing can go worng wrogn wrgno.... (Martin Ward)
Re: Risks of financial systems too complex ... (Jim Horning)
Re: Risks of not using check digits (Erling Kristiansen, Paul van Keep)
Re: capability creep on red-light cameras (Paul Wallich)

RISKS 25.36 Tuesday 30 September 2008
Mersenne-aries receive benevolence (PGN)
Wall Street's Collapse May Be Computer Science's Gain (ACM technews)
BBV: Two-Minute warning on voting machines (Steve Kelem)
Online flight bargains not as good as they seemed (Donald Mackie)
Risks of all-encompassing backups (Peter Gutmann)
ATM reprogramming scam; Two arrested (Kevin Poulsen via PGN)
Default passwords and gasoline thefts (Jim Haynes)
ATM bug (Phil Smith III)
Re: Sydney tunnel: When is a backup not a backup? (Martin Ward)
Sydney Australia or Sydney Nova Scotia? (Rick Gee)
Too big to fail = single point of failure? (Bill Hopkins)
Flooded computers disposed of?
(Marty Brenneis) Burning wheelchair almost destroys airplane (Andrew Koenig) Re: Risks of financial systems too complex ,,, (Robert P Schaefer) Re: Hacker claims Palin e-mail hacked via password reset (Scott Miller) Re: Risks of not using check digits (Toby Douglass) Risks in Networked Computer Systems, Andre' N. Klingsheim (PGN) Study on InSecurity of Social Networks (LinkedIn et al. via Klaus Brunnstein) Estonian Cyber Security Strategy document (Gadi Evron) RISKS 25.37 Thursday 2 October 2008 NASDAQ's Google surprise (PGN) Computer Failure Hobbles Hubble, Derails Shuttle Mission (Sharon Gaudin) Amazon multiple account weirdness (Graham Bennett) Alarm sounded on second-hand kit (Gabe Goldberg) Seeking tales of IT gone wrong (Andrew Brandt) Re: Risks of financial systems too complex ,,, (Robert P Schaefer) Re: When is a backup not a backup? (Mark F) The folly of retaining default settings (Ken Knowlton) Weak password reset procedures (identity withheld) New castle rules in chess? (Andy Walker) Re: Hacker claims Palin e-mail hacked ... (Rob McCool, Scott Miller, Allen Hainer) RISKS 25.38 Tuesday 14 October 2008 Investigator: Computer likely caused Qantas plunge (Paul Saffo) Qantas A330 accident (Martyn Thomas) B-2 crash on takeoff (Ken Knowlton) Illinois high-speed trains (Jon Hilkevitch via David Lawver) D10T: National Debt Clock is out of digits (Mark Brader) Passport RFID attack: missing validation (Aaron Emigh via PGN) Missing hard drive "not encrypted" because it was "secure" (John Carlyle-Clarke) Russian researchers achieve 100-fold increase in WPA2 cracking speed (Monty Solomon) Defective news submission website (Steven M. Bellovin) Risks of a new laptop (Nick Brown) Researcher Liuba Belkin: Workers more prone to lie in e-mail (Monty Solomon) Thomas Crown escape, revisited (Peter Houppermans) Re: Sydney NS vs. 
Sydney NSW (Steve Schafer) Oyster card hack details revealed (Gabe Goldberg) Re: Remarkable -- United Airlines Stock (Russ Nelson) RISKS 25.39 Friday 17 October 2008 NSA posts secrets to writing secure code (Joab Jackson via Jim Innes) Excel error leaves Barclays with extra Lehman assets (Gabe Goldberg) LAPD blames fingerprint errors for false arrests (PGN) Maryland Police Put Activists' Names On Terror Lists (David Hollman) Airport baggage screener charged with stealing passengers' stuff (Peter Houppermans) Credit card readers compromised (Peter Houppermans) More Smart Card Cracking (Gene Wirchenko) Stolen Votes and Stolen Elections (Mark E. Smith, PGN) Online health records (David Magda) New Data Privacy Laws Set For Firms (Ben Worthen via Monty Solomon) New Massachusetts Regulation Requires Encryption of Portable Devices ... (Monty Solomon) Amazon e-mail accounts (Steve Loughran) Security questions with unacceptable answers (Earl Truss) Worrisome money transfer (Martin Cohen) Stallman vs. Cloud Computing (jidanni) A comment on "outliers" (Ken Knowlton) The Risks of "Something you know" (Steve Taylor) Re: D10T: National Debt Clock is out of digits (Andrew Raybould) "Sydney NS vs. Sydney NSW" and popup adds! 
(Paul D.Smith) RISKS 25.40 Tuesday 21 October 2008 Treasury Office Faults IRS Computer Security (AP via PGN) Springer: Open for all to see (Debora Weber-Wulff) TBS leaves baseball championship game viewers in the dark (Jim Reisert) Drunk, and Dangerous, at the Keyboard (Alex Williams via Monty Solomon) Thousands Face Mix-Ups in Voter Registrations (Mary Pat Flaherty) Ohio Secretary of State's Web Site Hacked; voter suppression tactics (Steve Kelem) From BBV: Two-Minute warning on voting machines (Steve Kelem) Unbelievable security violation (Identity withheld) Re: More Password Reset Procedures (Identity withheld) Risks: Unlock your house via the Internet (Gabe Goldberg) Re: Remarkable -- United Airlines Stock (Martin Gregorie) Re: Outliers (Jurek Kirakowski) Re: Investigator: Computer likely caused Qantas plunge (Peter Rieden, Ron Garret) Re: Sydney NS vs. Sydney NSW (Chuck Charlton) Re: Illinois high-speed trains (Joseph Brennan) Re: Risks of a new laptop (Scott Miller) Correction/disclaimer re unistable polyhedron (Ken Knowlton) Re: The folly of retaining default settings (Mark Thorson) Re: D10T: National Debt Clock is out of digits (Mark Hull-Richter) RISKS 25.41 Thursday 23 October 2008 Re: Computer likely caused Qantas plunge (Peter Bernard Ladkin, Dag-Erling Smørgrav, Guy Dawson, Chris Kuan) U.S. Government to Take Over Airline Passenger Vetting (PGN) IEEE Spectrum review process upgrade curiosity (PGN) Dan Wallach's report on a vote-flipping examination (PGN) Deceptive practices in elections (PGN) Straight Party Voting Issues (Leonard Finegold) GAO report on Social Security Numbers (PGN) Re: More Password Reset Procedures (Ralph Jacobs) Re: Amazon e-mail accounts (Dimitri Maziuk, Klaus Johannes Rusch) 2 of 3 navigational devices functioning (Daniel P. B. 
Smith) RISKS 25.42 Friday 24 October 2008 Greenspan says computer input did it (CWmike via timothy via Wendell Cochran) Vint Cerf: Big Changes Ahead for the Internet (TechNews) UW researchers uncover gap in border security (Peter Gregory) Re: Computer likely caused Qantas plunge (Dag-Erling Smørgrav, Cameron Simpson, Adrian Edmonds) Re: Straight Party Voting Issues (David Phillips, Arthur Flatau) Re: Remarkable -- United Airlines Stock (John Levine) RISKS 25.43 Wednesday 29 October 2008 Driver hits NIPSCO pole; surge fries sewage treatment plant (Shawn Merdinger) Risks of escalating complexity: AA757 electrical power loss (David Lesher) Schlage BrightBlue wireless lock controllers (Shawn Merdinger) Computer screens out distress call from kidnap victim (David Tombs) Finnish E-Voting System Loses 2% of Votes (Pertti Huuskonen) Article on voting through American history (*The New Yorker* via Harlan Rosenthal) Poison-pill auto-disclosure for security vulnerabilities (Paul Robinson) They got us coming and going: tire monitoring (Paul Wexelblat) Holistic Systems (Pierre-Jacques Courtois) Twitter Jitters (Zachary Tumin) RISKS 25.44 Saturday 8 November 2008 U.K. NHS computer system "grinds to a halt" (Richard Cook) Risk of repairing Hubble too soon (Ted Blank) New GPS satellite may crash some receivers (William P.N. Smith) Risks of unilingual vacation-reply messages (Mark Brader) US court throws out most software patents (John Oram via Monty Solomon) Beware: T-Mobile's Voicemail Paging Trap (Lauren Weinstein) Re: BBC Domesday Project (Mike Tibbetts) Re: Treasury Office Faults IRS Computer Security (Paul Robinson) Computers Freedom & Privacy Conference 2009 - Request For Proposals (Bruce R Koball) REVIEW: "Handbook of Research on Technoethics", Luppicini/Adell (Rob Slade) RISKS 25.45 Monday 17 November 2008 Chinese hackers breach white house computer systems (PGN) Hacker Tool Targeting MS08-067 Vulnerability (Websense via Monty Solomon) Lose the BlackBerry? 
Yes He Can, Maybe: President-Elect Obama (Jeff Zeleny via Monty Solomon) Texas Suspends Massive Outsourcing Contract (Keith Price) Driver Blames GPS System For Car-Train Collision (Paul Saffo) Stop! Buses only! --What do you mean, you ARE a bus? (Mark Brader) Martian deep freeze: NASA's Mars Lander dies in the dark (Sharon Gaudin via PGN) The "Two Focaccia Buttons Defense" (Robert Hall) Risks of assuming constant hours in a day (Toby Gottfried) Excel auto-formatting (David Magda) Texting bug hits the Google phone (Amos Shapir) Vintage IBM tape drive in Apollo moon dust rescue (Chris Leeson) gnus-mime-print-part vs. Mom's room (jidanni) False security from privacy screens (David Alan Gilbert) Re: BBC Domesday Project (Martin Ward, Theo Bucher) Re: Poison pill auto-disclosure (Terje Mathisen, Al Macintyre, Richard O'Keefe)