info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Risks Digest 28.61
74 views
Skip to first unread message
RISKS List Owner
May 1, 2015, 5:34:17 PM5/1/15
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Friday 1 May 2015 Volume 28 : Issue 61
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.61.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
An iPad glitch grounded several dozen American Airlines planes (Adam Pasick
via Jim Reisert)
At least one American Airlines plane is grounded because the pilots' iPads
crashed (Ben Moore)
FAA Orders Fix for Possible Power Loss in Boeing 787 (Jad Mouawad via
Jan Wolitzky)
Re: Software Overflow Could Cause Complete Power Loss in 787 (Richard Karash)
Congressman with computer science degree: Encryption back doors are
``technologically stupid'' (Andrea Peterson via Lauren Weinstein)
Cybersecurity mandated by those who don't use it (*The Guardian via
Devon McCormick)
Public wifi & man-in-the-middle (Henry Baker)
Preparing for Warfare in Cyberspace (*The New York Times* via Monty Solomon)
All cars must have tracking devices to cut road deaths, says EU
(Chris Drewe)
Doctors don't like EHRs? (DKross)
Now you can embed classic MS-DOS games in tweets (Ian Paul via Jim Reisert)
Re: Iowa casino doesn't have to pay $41M jackpot error (Craig Burton)
Re: Starbucks Outage (Clay Jackson)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Wed, 29 Apr 2015 07:42:38 -0600
From: Jim Reisert AD1C <jjre...@alum.mit.edu>
Subject: : An iPad glitch grounded several dozen American Airlines planes
(Adam Pasick)
American Airlines flights experienced significant delays this evening after
pilots' iPads--which the airline uses to distribute flight plans and other
information to the crew--abruptly crashed. "Several dozen" flights were
affected by the outage, according to a spokesperson for the airline.
"The pilot told us when they were getting ready to take off, the iPad
screens went blank, both for the captain and copilot, so they didn't have
the flight plan," Toni Jacaruso, a passenger on American flight #1654 from
Dallas to Austin, told Quartz.
"The pilot came on and said that his first mate's iPad powered down
unexpectedly, and his had too, and that the entire 737 fleet on American had
experienced the same behavior," said passenger Philip McRell, who was also
on flight #1654. "It seemed unprecedented and very unfamiliar to the
pilots."
Other passengers in New York and Chicago also said they were being
affected by the outage.
http://qz.com/393909/american-airlines-planes-are-grounded-because-their-pilots-ipads-have-crashed/
------------------------------
Date: Tue, 28 Apr 2015 22:03:36 -0500
From: Ben Moore <ben....@juno.com>
Subject: At least one American Airlines plane is grounded because the
pilots' iPads crashed
Where's the backup system?
------------------------------
Date: Thu, 30 Apr 2015 21:08:16 -0400
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: FAA Orders Fix for Possible Power Loss in Boeing 787 (Jad Mouawad)
Jad Mouawad, *The New York Times*, 30 Apr 2015
Federal regulators will order operators of Boeing 787 Dreamliners to shut
down the plane's electrical power periodically after Boeing discovered a
software error that could result in a total loss of power.
The Federal Aviation Administration said on Thursday that Boeing found
during laboratory testing that the plane's power control units could shut
down power generators if they were powered without interruption for 248
days, or about eight months. The findings were published in an airworthiness
directive.
Boeing said the problem had occurred only in lab simulation and no airplane
had experienced it. Boeing said that powering the airplane down would
eliminate the risk that all power generators would shut down at the same
time.
The company said it was working on a software update that should be ready by
the fourth quarter this year.
The plane maker said that power was shut down in all airplanes in service in
the course of the regular maintenance schedule, and that it would be rare
for a plane to remain with power on without interruption for eight months.
[... Truncated for RISKS. PGN]
------------------------------
Date: Fri, 1 May 2015 09:41:01 -0400
From: Richard Karash <ric...@karash.com>
Subject: Re: Software Overflow Could Cause Complete Power Loss in 787
It's not clear how likely it is that generator could be left on for eight
months. Do they run between flights and over-night? Only powered down at
maintenance checks? Or go off when parked, like your car? Nice to see this
was discovered in a lab simulation, not in mid-air.
Richard Karash Ric...@Karash.com +1 617-308-4750 -- http://Karash.com
[Also noted by Jeremy Epstein... PGN]
------------------------------
Date: Thu, 30 Apr 2015 17:03:40 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Congressman with computer science degree: Encryption back doors
are ``technologically stupid''
*The Washington Post*, 30 Apr 2015, via NNSquad
http://www.washingtonpost.com/blogs/the-switch/wp/2015/04/30/congressman-with-computer-science-degree-encryption-back-doors-are-technologically-stupid/
The debate over whether companies should be forced to build in ways for
law enforcement to access communications protected by encryption took a
tense turn this week in a congressional hearing. On one side were law
enforcement officials, including a high-ranking FBI official. On the
other were tech-savvy members of the House Government Oversight and Reform
Committee's Information Technology subcommittee -- two with computer
science degrees. "It is clear to me that creating a pathway for
decryption only for good guys is technologically stupid," said Rep. Ted
Lieu (D-Calif.), who has a bachelor's in computer science from Stanford
University. "You just can't do that."
------------------------------
Date: Tue, 28 Apr 2015 09:46:15 -0400
From: Devon McCormick <devo...@gmail.com>
Subject: Cybersecurity mandated by those who don't use it
There's a good article in *The Guardian* pointing out that the members of
the U.S. Congress, who would legislate cybersecurity for all Americans, do
not themselves take the slightest security precautions - none of them
encourage (or, for the most part, use) encrypted communication and none of
their websites use https.
http://www.theguardian.com/commentisfree/2015/apr/18/congress-cannot-be-taken-seriously-on-cybersecurity
------------------------------
Date: Tue, 28 Apr 2015 08:40:13 +0200 (GMT+02:00)
From: hbaker1 <hba...@pipeline.com>
Subject: Public wifi & man-in-the-middle
Public wifi networks in airports & hotels often utilize man-in-the-middle
techniques to require some sort of login -- e.g., Ruckus Wireless.
With "HTTPS Everywhere" & other new browser techniques to stop MITM
techniques, it becomes almost impossible to use these networks.
I now have to use a "throwaway" Chrome browser on my laptop that I use
*only* for initial login to these networks with an HTTP throwaway home page.
Once logged in, I can then fire up a real, *locked-down* browser that uses
HTTPS Everywhere, NoScript, Tor, etc.
Since public wifi networks place computers *most* at risk, these public wifi
networks are going to have to find a better -- i.e., more secure -- way to
login, as MITM'ing an http request is perhaps the world's worst (i.e., most
insecure) idea ever invented.
------------------------------
Date: Tue, 28 Apr 2015 16:41:23 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Preparing for Warfare in Cyberspace
http://www.nytimes.com/2015/04/28/opinion/preparing-for-warfare-in-cyberspace.html
A new strategy begins to lay out the conditions under which America would
use cyberweapons.
------------------------------
Date: Wed, 29 Apr 2015 15:38:40 +0100
From: Chris Drewe <e76...@yahoo.co.uk>
Subject: All cars must have tracking devices to cut road deaths, says EU.
This idea has been around for a while, but the title says it all.
All new cars will within three years contain tracking devices that alert
the emergency services in the event of an accident.
Under EU laws passed on Tuesday the technology will be compulsory from
2018 and fitted as standard in every model of car and small van.
A serious crash will prompt an automatic call to the nearest emergency
centre. Even if nobody in the vehicle is able to speak, the device will
still relay the exact location, time, direction of travel, the scale of
the impact and whether airbags have been deployed.
<http://ec.europa.eu/digital-agenda/en/news/ecall-all-new-cars-april-2018>
Apart from the privacy concerns mentioned, a couple of queries occur to me,
assuming that this feature will use the regular public mobile telephone
(cellphone) network:
- If there's a multi-vehicle pile-up, could the cellphone network in the
vicinity of the crash be overloaded by these automatically-generated
calls, possibly blocking other urgent communications (as happened in the
Boston Marathon bombing)?
- Presumably this will increase the call-handling load for the cellphone
network, so who pays? Do car owners have to take out a cellphone
subscription, or will cellphone companies get some sort of Gov't funding,
or will their other customers effectively subsidise the service?
http://www.telegraph.co.uk/news/uknews/road-and-rail-transport/11569453/All-cars-must-have-tracking-devices-to-cut-road-deaths-says-EU.html
------------------------------
Date: Wed, 29 Apr 2015 18:50:07 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Doctors don't like EHRs?
[I think that they may be thinking about closing the gate (after the horses
ran away) by putting in a few pieces of bamboo :-) DKross]
http://www.c-span.org/video/?325544-1/health-human-services-secretary-testimony-fiscal-year-2016-budget
Sen Lamar Alexander to HHS Secretary Burwell "... half of doctors don't like
their EHRs to the point that they'll accept Medicare penalties rather than
deal with workflow disruption..."
And added that the "...AMA found that 70 percent of doctors say their EHRs
weren't worth the cost and that EHRs are the leading cause of physician
dissatisfaction..."
------------------------------
Date: Thu, 30 Apr 2015 09:30:27 -0600
From: Jim Reisert AD1C <jjre...@alum.mit.edu>
Subject: : Now you can embed classic MS-DOS games in tweets (Ian Paul)
Ian Paul, PCWorld, 30 Apr 2015
Twitter Cards are cool for watching videos or listening to tunes without
leaving Twitter. But now the Internet Archive has the best use for Twitter's
rich media feature yet: old-school MS-DOS games that can be played right
inside a tweet.
http://www.pcworld.com/article/2916528/now-you-can-embed-classic-ms-dos-games-in-tweets.html
I guess this is one way to find/fix security exploits, but probably not the
best way...
------------------------------
Date: Tue, 28 Apr 2015 10:17:10 +1000
From: Craig Burton <craig.alexa...@gmail.com>
Subject: Re: Iowa casino doesn't have to pay $41M jackpot error (RISKS-28.60)
A case came up in Australia in 2011 of scratch-off gambling cards showing a
winning match, and the winner got AUD100,000. However, company sue and won
due to the code on the bottom of the card not being a "winning code". I was
surprised the lotteries law allowed for this kind of opacity which could
presumably be abused.
http://www.abc.net.au/news/2011-08-25/scratchie-case-loss-a-picture-of-pain/2855046
------------------------------
Date: Wed, 29 Apr 2015 08:58:10 -0700
From: "Clay Jackson" <cl...@nwlink.com>
Subject: Re: Starbucks Outage (RISKS-28.60)
I worked in IT for Starbucks the 1990s (1996-1999) and we had a VERY similar
(at least from what I can glean from the press reports of this one) failure
in 1998 (might have been '97).
Jeremy Epstein comments, "I don't know anything about running global IT
infrastructures, so perhaps I'm naive, but I would think that rollouts would
be done in a rolling fashion to avoid shutting down the entire company" - I
do know a bit about this, and I don't think I'd be violating any
non-disclosures by saying that even in the earlier failure, the updates
"pushed" to the stores were staggered (and I assume still are). I'm sure
the "failure mode" was much more complex. And, yeah, there probably is some
naiviety there, preventing ALL possible failure modes like this costs money
(at the very least, having onsite or rapidly available backups at every
store AND having at least 2 partners trained in how to perform the restore),
AND, even if that WAS a possibility, I can see how the "fog of the moment"
could make it difficult to implement ("Before we strike out on our own,
let's give corporate a chance to fix this", or "They told us they'd be back
up in 1 hour, and the recovery will take at least 2"). I also worked for
WaMu (another whole set of Risks:)); and I know the steps we took to ensure
"branch Independence" were pretty amazing and also VERY costly.
This is interesting from a number of standpoints - we now have 2 datapoints
from the same company; I would assume that the various systems have
changed/grown over the years (it would be REALLY interesting to have a
current or more recent Starbucks partner comment). IMHO, 2 failures in 17
or 18 years is really not too bad.
------------------------------
Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-...@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-s...@csl.sri.com or risks-un...@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay....@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 28.61
************************
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.61.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
An iPad glitch grounded several dozen American Airlines planes (Adam Pasick
via Jim Reisert)
At least one American Airlines plane is grounded because the pilots' iPads
crashed (Ben Moore)
FAA Orders Fix for Possible Power Loss in Boeing 787 (Jad Mouawad via
Jan Wolitzky)
Re: Software Overflow Could Cause Complete Power Loss in 787 (Richard Karash)
Congressman with computer science degree: Encryption back doors are
``technologically stupid'' (Andrea Peterson via Lauren Weinstein)
Cybersecurity mandated by those who don't use it (*The Guardian via
Devon McCormick)
Public wifi & man-in-the-middle (Henry Baker)
Preparing for Warfare in Cyberspace (*The New York Times* via Monty Solomon)
All cars must have tracking devices to cut road deaths, says EU
(Chris Drewe)
Doctors don't like EHRs? (DKross)
Now you can embed classic MS-DOS games in tweets (Ian Paul via Jim Reisert)
Re: Iowa casino doesn't have to pay $41M jackpot error (Craig Burton)
Re: Starbucks Outage (Clay Jackson)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Wed, 29 Apr 2015 07:42:38 -0600
From: Jim Reisert AD1C <jjre...@alum.mit.edu>
Subject: : An iPad glitch grounded several dozen American Airlines planes
(Adam Pasick)
American Airlines flights experienced significant delays this evening after
pilots' iPads--which the airline uses to distribute flight plans and other
information to the crew--abruptly crashed. "Several dozen" flights were
affected by the outage, according to a spokesperson for the airline.
"The pilot told us when they were getting ready to take off, the iPad
screens went blank, both for the captain and copilot, so they didn't have
the flight plan," Toni Jacaruso, a passenger on American flight #1654 from
Dallas to Austin, told Quartz.
"The pilot came on and said that his first mate's iPad powered down
unexpectedly, and his had too, and that the entire 737 fleet on American had
experienced the same behavior," said passenger Philip McRell, who was also
on flight #1654. "It seemed unprecedented and very unfamiliar to the
pilots."
Other passengers in New York and Chicago also said they were being
affected by the outage.
http://qz.com/393909/american-airlines-planes-are-grounded-because-their-pilots-ipads-have-crashed/
------------------------------
Date: Tue, 28 Apr 2015 22:03:36 -0500
From: Ben Moore <ben....@juno.com>
Subject: At least one American Airlines plane is grounded because the
pilots' iPads crashed
Where's the backup system?
------------------------------
Date: Thu, 30 Apr 2015 21:08:16 -0400
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: FAA Orders Fix for Possible Power Loss in Boeing 787 (Jad Mouawad)
Jad Mouawad, *The New York Times*, 30 Apr 2015
Federal regulators will order operators of Boeing 787 Dreamliners to shut
down the plane's electrical power periodically after Boeing discovered a
software error that could result in a total loss of power.
The Federal Aviation Administration said on Thursday that Boeing found
during laboratory testing that the plane's power control units could shut
down power generators if they were powered without interruption for 248
days, or about eight months. The findings were published in an airworthiness
directive.
Boeing said the problem had occurred only in lab simulation and no airplane
had experienced it. Boeing said that powering the airplane down would
eliminate the risk that all power generators would shut down at the same
time.
The company said it was working on a software update that should be ready by
the fourth quarter this year.
The plane maker said that power was shut down in all airplanes in service in
the course of the regular maintenance schedule, and that it would be rare
for a plane to remain with power on without interruption for eight months.
[... Truncated for RISKS. PGN]
------------------------------
Date: Fri, 1 May 2015 09:41:01 -0400
From: Richard Karash <ric...@karash.com>
Subject: Re: Software Overflow Could Cause Complete Power Loss in 787
It's not clear how likely it is that generator could be left on for eight
months. Do they run between flights and over-night? Only powered down at
maintenance checks? Or go off when parked, like your car? Nice to see this
was discovered in a lab simulation, not in mid-air.
Richard Karash Ric...@Karash.com +1 617-308-4750 -- http://Karash.com
[Also noted by Jeremy Epstein... PGN]
------------------------------
Date: Thu, 30 Apr 2015 17:03:40 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Congressman with computer science degree: Encryption back doors
are ``technologically stupid''
*The Washington Post*, 30 Apr 2015, via NNSquad
http://www.washingtonpost.com/blogs/the-switch/wp/2015/04/30/congressman-with-computer-science-degree-encryption-back-doors-are-technologically-stupid/
The debate over whether companies should be forced to build in ways for
law enforcement to access communications protected by encryption took a
tense turn this week in a congressional hearing. On one side were law
enforcement officials, including a high-ranking FBI official. On the
other were tech-savvy members of the House Government Oversight and Reform
Committee's Information Technology subcommittee -- two with computer
science degrees. "It is clear to me that creating a pathway for
decryption only for good guys is technologically stupid," said Rep. Ted
Lieu (D-Calif.), who has a bachelor's in computer science from Stanford
University. "You just can't do that."
------------------------------
Date: Tue, 28 Apr 2015 09:46:15 -0400
From: Devon McCormick <devo...@gmail.com>
Subject: Cybersecurity mandated by those who don't use it
There's a good article in *The Guardian* pointing out that the members of
the U.S. Congress, who would legislate cybersecurity for all Americans, do
not themselves take the slightest security precautions - none of them
encourage (or, for the most part, use) encrypted communication and none of
their websites use https.
http://www.theguardian.com/commentisfree/2015/apr/18/congress-cannot-be-taken-seriously-on-cybersecurity
------------------------------
Date: Tue, 28 Apr 2015 08:40:13 +0200 (GMT+02:00)
From: hbaker1 <hba...@pipeline.com>
Subject: Public wifi & man-in-the-middle
Public wifi networks in airports & hotels often utilize man-in-the-middle
techniques to require some sort of login -- e.g., Ruckus Wireless.
With "HTTPS Everywhere" & other new browser techniques to stop MITM
techniques, it becomes almost impossible to use these networks.
I now have to use a "throwaway" Chrome browser on my laptop that I use
*only* for initial login to these networks with an HTTP throwaway home page.
Once logged in, I can then fire up a real, *locked-down* browser that uses
HTTPS Everywhere, NoScript, Tor, etc.
Since public wifi networks place computers *most* at risk, these public wifi
networks are going to have to find a better -- i.e., more secure -- way to
login, as MITM'ing an http request is perhaps the world's worst (i.e., most
insecure) idea ever invented.
------------------------------
Date: Tue, 28 Apr 2015 16:41:23 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Preparing for Warfare in Cyberspace
http://www.nytimes.com/2015/04/28/opinion/preparing-for-warfare-in-cyberspace.html
A new strategy begins to lay out the conditions under which America would
use cyberweapons.
------------------------------
Date: Wed, 29 Apr 2015 15:38:40 +0100
From: Chris Drewe <e76...@yahoo.co.uk>
Subject: All cars must have tracking devices to cut road deaths, says EU.
This idea has been around for a while, but the title says it all.
All new cars will within three years contain tracking devices that alert
the emergency services in the event of an accident.
Under EU laws passed on Tuesday the technology will be compulsory from
2018 and fitted as standard in every model of car and small van.
A serious crash will prompt an automatic call to the nearest emergency
centre. Even if nobody in the vehicle is able to speak, the device will
still relay the exact location, time, direction of travel, the scale of
the impact and whether airbags have been deployed.
<http://ec.europa.eu/digital-agenda/en/news/ecall-all-new-cars-april-2018>
Apart from the privacy concerns mentioned, a couple of queries occur to me,
assuming that this feature will use the regular public mobile telephone
(cellphone) network:
- If there's a multi-vehicle pile-up, could the cellphone network in the
vicinity of the crash be overloaded by these automatically-generated
calls, possibly blocking other urgent communications (as happened in the
Boston Marathon bombing)?
- Presumably this will increase the call-handling load for the cellphone
network, so who pays? Do car owners have to take out a cellphone
subscription, or will cellphone companies get some sort of Gov't funding,
or will their other customers effectively subsidise the service?
http://www.telegraph.co.uk/news/uknews/road-and-rail-transport/11569453/All-cars-must-have-tracking-devices-to-cut-road-deaths-says-EU.html
------------------------------
Date: Wed, 29 Apr 2015 18:50:07 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Doctors don't like EHRs?
[I think that they may be thinking about closing the gate (after the horses
ran away) by putting in a few pieces of bamboo :-) DKross]
http://www.c-span.org/video/?325544-1/health-human-services-secretary-testimony-fiscal-year-2016-budget
Sen Lamar Alexander to HHS Secretary Burwell "... half of doctors don't like
their EHRs to the point that they'll accept Medicare penalties rather than
deal with workflow disruption..."
And added that the "...AMA found that 70 percent of doctors say their EHRs
weren't worth the cost and that EHRs are the leading cause of physician
dissatisfaction..."
------------------------------
Date: Thu, 30 Apr 2015 09:30:27 -0600
From: Jim Reisert AD1C <jjre...@alum.mit.edu>
Subject: : Now you can embed classic MS-DOS games in tweets (Ian Paul)
Ian Paul, PCWorld, 30 Apr 2015
Twitter Cards are cool for watching videos or listening to tunes without
leaving Twitter. But now the Internet Archive has the best use for Twitter's
rich media feature yet: old-school MS-DOS games that can be played right
inside a tweet.
http://www.pcworld.com/article/2916528/now-you-can-embed-classic-ms-dos-games-in-tweets.html
I guess this is one way to find/fix security exploits, but probably not the
best way...
------------------------------
Date: Tue, 28 Apr 2015 10:17:10 +1000
From: Craig Burton <craig.alexa...@gmail.com>
Subject: Re: Iowa casino doesn't have to pay $41M jackpot error (RISKS-28.60)
A case came up in Australia in 2011 of scratch-off gambling cards showing a
winning match, and the winner got AUD100,000. However, company sue and won
due to the code on the bottom of the card not being a "winning code". I was
surprised the lotteries law allowed for this kind of opacity which could
presumably be abused.
http://www.abc.net.au/news/2011-08-25/scratchie-case-loss-a-picture-of-pain/2855046
------------------------------
Date: Wed, 29 Apr 2015 08:58:10 -0700
From: "Clay Jackson" <cl...@nwlink.com>
Subject: Re: Starbucks Outage (RISKS-28.60)
I worked in IT for Starbucks the 1990s (1996-1999) and we had a VERY similar
(at least from what I can glean from the press reports of this one) failure
in 1998 (might have been '97).
Jeremy Epstein comments, "I don't know anything about running global IT
infrastructures, so perhaps I'm naive, but I would think that rollouts would
be done in a rolling fashion to avoid shutting down the entire company" - I
do know a bit about this, and I don't think I'd be violating any
non-disclosures by saying that even in the earlier failure, the updates
"pushed" to the stores were staggered (and I assume still are). I'm sure
the "failure mode" was much more complex. And, yeah, there probably is some
naiviety there, preventing ALL possible failure modes like this costs money
(at the very least, having onsite or rapidly available backups at every
store AND having at least 2 partners trained in how to perform the restore),
AND, even if that WAS a possibility, I can see how the "fog of the moment"
could make it difficult to implement ("Before we strike out on our own,
let's give corporate a chance to fix this", or "They told us they'd be back
up in 1 hour, and the recovery will take at least 2"). I also worked for
WaMu (another whole set of Risks:)); and I know the steps we took to ensure
"branch Independence" were pretty amazing and also VERY costly.
This is interesting from a number of standpoints - we now have 2 datapoints
from the same company; I would assume that the various systems have
changed/grown over the years (it would be REALLY interesting to have a
current or more recent Starbucks partner comment). IMHO, 2 failures in 17
or 18 years is really not too bad.
------------------------------
Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-...@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-s...@csl.sri.com or risks-un...@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay....@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 28.61
************************
0 new messages