RISKS-LIST: Risks-Forum Digest  Thursday 24 December 2015  Volume 29 : Issue 18

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can be found at

Contents: [Seasons' Greetings and best wishes for a less riskful new year]
Power failure and equipment damage causing continuing major shutdowns at
  U.S. Patent and Trademark Office (USPTO)
The Strangest, Most Spectacular Bridge Collapse -- and How We Got It Wrong
  (Motherboard)
Driverless Cars (Analog)
Driverless cars: too safe at any speed? (Keith Naughton)
How difficult it is to do crypto properly (Steve Bellovin)
Juniper backdoor (PGN)
Apple Pushes Against British Talk of Softening Encryption (NYTimes)
Meet the woman in charge of the FBI's most controversial high-tech tools
  (WashPost)
MIT's Vuvuzela Messaging System Uses 'Noise' to Ensure Privacy (Tim Greene)
Believe it -- or don't: InterApp: The Gadget That Can Spy on Any Smartphone
  (Softpedia)
Vulnerability in popular bootloader puts locked-down Linux computers at risk
  (Lucian Constantin)
The Mystery of India's Deadly Exam Scam (TheGuardian via Ashish Gehani)
Cisco shocker: Some network switches may ELECTROCUTE you (The Register)
European Space Agency records leaked (Clive Page)
Database leak exposes 3.3-million Hello Kitty fans (CSO)
Idiot naughty word filter strikes again (Gabe Goldberg)
New cybercrime thread, forging deeds using online records
  (nasdaq item via Robert Schaefer)
Super-literate software reads and comprehends better than humans
  (New Scientist)
Hotmail and how not to block spam (Turgut Kalfaoglu)
President of China calls for the world to cooperate with China to censor
  the entire Internet (USNews)
Wish list app from Target springs a major personal data leak (Ars Technica)
Comcast Users Beware (Malwarebytes & Help Net)
US Politics: redirecting URLs (Politico)
Re: British government admits selling Internet addresses to Saudi Arabia
  (Amos Shapir)
Re: The Moral Failure of Computer Scientists (Karl Auerbach)
Re: Philips Locks Purchasers ... (Chris Drewe)
Re: Lie-detecting Software uses Machine Learning to Achieve 75% ...
  (Stephen Doig)
Re: Lie-detecting Software uses Machine Learning to Achieve 75 Percent
  Accuracy (Gene Wirchenko)
Re: A looming anniversary, and an offer (David Gillett)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 23 Dec 2015 14:28:35 -0800
From: Lauren Weinstein
Subject: Power failure and equipment damage causing continuing major
  shutdowns at U.S. Patent and Trademark Office

http://www.uspto.gov/blog/ebiz/

  A major power outage at USPTO headquarters occurred last night resulting
  in damaged equipment that required the subsequent shutdown of many of our
  online and IT systems. This includes our filing, searching, and payment
  systems, as well as the systems our examiners across the country use. We
  are working diligently to assess the operational impact on all our systems
  and to determine how soon they can be safely brought back into service in
  the coming days. We understand how critical these systems are for our
  customers, and our teams will continue to work around the clock to restore
  them as quickly as possible, though the impacts may be felt through the
  Christmas holiday. We know many people have questions regarding filing and
  payment deadlines. We are reviewing this topic and will provide an update
  when we have further information.
------------------------------

Date: Tue, 15 Dec 2015 16:11:20 -0800
From: Lauren Weinstein
Subject: The Strangest, Most Spectacular Bridge Collapse -- and How We Got
  It Wrong

http://motherboard.vice.com/read/the-myth-of-galloping-gertie

  For physics teachers, the footage of Gertie has proved irresistible as a
  lesson in wave motion--and, specifically, a textbook example of the power
  of forced resonance. The image of the undulating bridge left its mark on
  scores of students (including me) as a demonstration of what one canonical
  version of the film calls `resonance vibrations'. Since then, scores of
  books and articles, from Encyclopedia Britannica to a Harvard course
  website, have reported that the Tacoma Narrows was destroyed by resonance.
  But it turns out it wasn't.

A long and fascinating article about a bridge collapse, and the filmed
footage that we've all likely seen many times in our lives.

  [This illustrated article is a fabulous item for RISKS. It is beautifully
  put together, and clearly illustrated. The `flutter' explanation seems to
  win out quite clearly, even after so many years of belief in `resonance'.
  But the explanation is quite elaborate and multifaceted. PGN]

------------------------------

Date: Tue, 15 Dec 2015 22:04:08 -0600
From: Alister Wm Macintyre
Subject: Driverless Cars (Analog)

The Jan/Feb 2016 (double) issue of Analog Science Fiction and Fact magazine
has an article on challenges of implementing driverless cars. Check out
`Home James' article starting page 88. For info about Analog, if it is not
sold at your local news stand: www.analogsf.com

Robot cars, of today, know the rules of the road, but not the psychology of
other participants on the highways. One approach being taken is to try to
mimic behavior of the most expert drivers, such as those who drive 150 mph
in major auto races.

This reminds me of the early days of computers playing Chess, which did not
get really good, until programmers consulted Chess Masters, in other words
international champions, so then the computers playing chess became as good
as those guys.

If bugs are found, the software can be patched overnight. If it were only
that simple for Volkswagen anti-pollution and anti-theft.

Stanford is experimenting with a driverless shuttle bus, traveling around
campus @ 12 mph. If the OS does not know what to do, it stops.

Have you ever watched bicycle races on sports channels? Those riders seem
dangerously close to each other, that way to save energy. Driverless trucks
can do the same thing, if linked electronically, so if anything bad happens
with the one in front, they all slow down in unison, especially if the one
with the best brakes is in the rear. This saves them significant fuel.
Human reaction times can't handle that, and following less than a car
length behind at 65 mph is illegal.

Not addressed are the human self-confident drivers who might see that &
think ``If they can do that, so can I,'' not knowing `they' are computers.

------------------------------

Date: Fri, 18 Dec 2015 07:18:52 -0800
From: spl@tirebiter.org (Steve Lamont)
Subject: Driverless cars: too safe at any speed?

Keith Naughton, 18 Dec 2015
  [Not new to RISKS, but more. PGN]

Accident rates are twice as high for driverless cars as for regular cars,
but the driverless cars have never been at fault.

https://www.autonews.com/article/20151218/OEM11/151219874/humans-are-slamming-into-driverless-cars-and-exposing-a-key-flaw

  DETROIT (Bloomberg) -- The self-driving car, that cutting-edge creation
  that's supposed to lead to a world without accidents, is achieving the
  exact opposite right now: The vehicles have racked up a crash rate double
  that of those with human drivers.

  The glitch? They obey the law all the time, as in, without exception.
  This may sound like the right way to program a robot to drive a car, but
  good luck trying to merge onto a chaotic, jam-packed highway with traffic
  flying along well above the speed limit. It tends not to work out well.

  As the accidents have piled up -- all minor scrape-ups for now -- the
  arguments among programmers at places like Google Inc. and Carnegie Mellon
  University are heating up: Should they teach the cars how to commit
  infractions from time to time to stay out of trouble? [...]

------------------------------

Date: Tue, 22 Dec 2015 9:39:16 PST
From: "Peter G. Neumann"
Subject: How difficult it is to do crypto properly (Steve Bellovin)

https://www.cs.columbia.edu/~smb/blog/2015-12/2015-12-22.html
is an attempt to demonstrate to policy types just how hard crypto is.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

------------------------------

Date: Sun, 20 Dec 2015 9:50:13 PST
From: "Peter G. Neumann"
Subject: Juniper backdoor

This is an amazingly intricate situation that is still unfolding. Here are a
few relevant URLs, more or less in REVERSE chronological order.

https://www.imperialviolet.org/2015/12/19/juniper.html
http://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/
http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
https://news.ycombinator.com/item?id=10764274

------------------------------

Date: Mon, 21 Dec 2015 18:28:19 -0800
From: Lauren Weinstein
Subject: Apple Pushes Against British Talk of Softening Encryption

http://www.nytimes.com/2015/12/22/world/europe/apple-pushes-against-british-talk-of-softening-encryption.html?partner=rss&emc=rss

  "The best minds in the world cannot rewrite the laws of mathematics," the
  company told the British Parliament, submitting formal comments on a
  proposed law that would require the company to supply a way to break into
  the iChat and FaceTime conversations of iPhone users.
------------------------------

Date: Wed, 16 Dec 2015 15:53:36 -0500
From: Gabe Goldberg
Subject: Meet the woman in charge of the FBI's most controversial high-tech
  tools (WashPost)

https://www.washingtonpost.com/world/national-security/meet-the-woman-in-charge-of-the-fbis-most-contentious-high-tech-tools/2015/12/08/15adb35e-9860-11e5-8917-653b65c809eb_story.html

  The advent of strong encryption, however, is presenting Hess with a huge,
  perhaps insurmountable, challenge. In the past few years, tech firms and
  app developers have increasingly built platforms that employ a form of
  encryption that only the user, not the company, can unlock.

  The bureau's encryption dilemma is exacerbated by a chill that settled
  over the relationship between the FBI and Silicon Valley in the wake of
  leaks in 2013 about government surveillance by former National Security
  Agency contractor Edward Snowden. Firms that feared being tagged as tools
  of a privacy-invading government became less willing to assist in
  surveillance ``because it was perceived as not a good business model to be
  seen as cooperating with the government,'' Hess said.

  It used to be, she said, that companies meeting a legal requirement to
  provide `technical assistance' generally would try to comply with wiretap
  orders. ``Now all of a sudden we get hung up on the question of what,
  exactly, does that mean I have to provide to you?'' she said.

  In recent months, the FBI's conversations with companies have become more
  productive, she said, ``but it's not to the level we were pre-Snowden.''

  ...

  More than any other FBI executive, Hess must navigate the tension between
  privacy and security. While she might be seen as a kind of female Q, head
  of the fictional spy agency Skunkworks in the James Bond movies,
  Christopher Soghoian, principal technologist at the American Civil
  Liberties Union, sees her as ``the queen of domestic surveillance''.

  Said Soghoian: ``All of the most interesting and troubling stuff that the
  FBI does happens under Amy Hess.'' Whether it's turning on the taps to
  collect data from tech companies to pass to the NSA (under court order),
  or covertly entering people's houses to install bugs (with a warrant), he
  said, ``if it's high-tech and creepy, it's happening in the Operational
  Technology Division.''

  ...

  Privacy advocates also worry that to carry out its hacks, the FBI is using
  `zero-day' exploits that take advantage of software flaws that have not
  been disclosed to the software maker. That practice makes consumers who
  use the software vulnerable, they argue.

  Hess acknowledged that the bureau uses zero-days -- the first time an
  official has done so. She said the trade-off is one the bureau wrestles
  with. ``What is the greater good -- to be able to identify a person who is
  threatening public safety?'' Or to alert software makers to bugs that, if
  unpatched, could leave consumers vulnerable? ``How do we balance that?
  That is a constant challenge for us.''

  She added that hacking computers is not a favored FBI technique. ``It's
  frail.'' As soon as a tech firm updates its software, the tool vanishes.
  ``It clearly is not reliable'' in the way a traditional wiretap is, she
  said.

[What could go wrong?]

------------------------------

Date: Fri, 18 Dec 2015 12:13:23 -0500 (EST)
From: "ACM TechNews"
Subject: MIT's Vuvuzela Messaging System Uses 'Noise' to Ensure Privacy

Tim Greene, Network World, 17 Dec 2015 (via ACM TechNews, 18 Dec 2015)

Massachusetts Institute of Technology (MIT) researchers' experimental
Vuvuzela messaging system offers more privacy than The Onion Router (Tor) by
rendering text messages sent through it untraceable. MIT Ph.D. student David
Lazar says Vuvuzela resists traffic analysis attacks, while Tor cannot. The
researchers say the system functions no matter how many parties are using it
to communicate, and it employs encryption and a set of servers to conceal
whether or not parties are participating in text-based dialogues. "Vuvuzela
prevents an adversary from learning which pairs of users are communicating,
as long as just one out of [the] servers is not compromised, even for users
who continue to use Vuvuzela for years," they note. Vuvuzela can support
millions of users hosted on commodity servers deployed by a single group of
users. Instead of anonymizing users, Vuvuzela prevents outside observers
from differentiating between people sending messages, receiving messages, or
neither, according to Lazar. The system imposes noise on the client-server
traffic which cannot be distinguished from actual messages, and all
communications are triple-wrapped in encryption by three servers. "Vuvuzela
guarantees privacy as long as one of the servers is uncompromised, so using
more servers increases security at the cost of increased message latency,"
Lazar notes.

http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e70bx2d991x066779&

------------------------------

Date: December 20, 2015 at 4:31:57 PM EST
From: Lauren Weinstein
Subject: Believe it -- or don't: InterApp: The Gadget That Can Spy on Any
  Smartphone

http://news.softpedia.com/news/interapp-the-gadget-that-can-spy-on-any-smartphone-497864.shtml

  Tel Aviv-based Rayzone Group is selling a nifty little gadget called
  InterApp that [they claim - Lauren] can leverage outdated mobile devices
  and intercept and extract information from nearby smartphones.
------------------------------

Date: Wed, 16 Dec 2015 13:16:52 -0800
From: Gene Wirchenko
Subject: Vulnerability in popular bootloader puts locked-down Linux
  computers at risk (Lucian Constantin)

Lucian Constantin, InfoWorld, 16 Dec 2015
The flaw can allow attackers to modify password-protected boot entries and
deploy malware

http://www.infoworld.com/article/3016098/security/vulnerability-in-popular-bootloader-puts-locked-down-linux-computers-at-risk.html

opening text:

  Pressing the backspace key 28 times can bypass the Grub2 bootloader's
  password protection and allow a hacker to install malware on a locked-down
  Linux system.

  [These are presumably breaking backspaces. GW]

  [Definitely backbreaking. The breakback is mountin'. PGN]

------------------------------

Date: Sat, 19 Dec 2015 11:09:03 -0800
From: Ashish Gehani
Subject: The Mystery of India's Deadly Exam Scam

This is a disturbing article, a portion of which is of particular relevance
to RISKS:

  ``Mohindra hooked all of Vyapam's computers to a common office network and
  retained all administrator privileges,'' said Tarun Pithode, an energetic
  young civil servant who was appointed Vyapam's new director to set things
  straight after the scam broke. After the multiple-choice exam sheets were
  scanned, Mohindra could access the computer that stored the results, and
  alter the answers as he wished. Once the results had been altered on the
  computer, Mohindra would approach the exam observers and ask for the
  original answer sheet, claiming that the student had requested a copy
  under India's Right to Information Act. He would then sit in Trivedi's
  office and fill out the originals so that they tallied with the altered
  version saved on the computer.

  [...]

  In our review, we found almost every system had been subverted, Pithode
  said. For example, every question paper set has an `answer key' that is
  put into a self-sealing envelope before the exam and opened only at the
  time of tabulating results. Trivedi would seal the envelope in the
  presence of observers, but later would simply tear open the envelope, make
  copies of the key, and put the original document into a new envelope.

  [...]

  And while the investigation drags on, it has been further muddied by an
  elaborate and increasingly impenetrable series of allegations and
  counter-allegations between the ruling BJP and the opposition Congress
  over the veracity of the evidence seized from Mohindra's computer.

http://www.theguardian.com/world/2015/dec/17/the-mystery-of-indias-deadly-exam-scam

------------------------------

Date: Wed, 16 Dec 2015 09:36:59 -0500
From: Monty Solomon
Subject: Cisco shocker: Some network switches may ELECTROCUTE you

*The Register*, 22 Sep 2015

  Oh dear: Cisco is warning that screws in a couple of its compact Catalyst
  switches may be poking into wires carrying live voltages.

  In this field note, the Borg says the problem occurs when WS-C3560CX or
  WS-C2960CX switches are installed without a mounting tray -- for example,
  screwed to a desk, shelf, or wall.

  Screws not installed to the correct depth, ``coupled with appreciable
  force in order to mount the switch, might cause the insulator to be
  punctured, which exposes a voltage circuit,'' the note states.

http://www.theregister.co.uk/2015/09/22/cisco_switch_screw_problem/

------------------------------

Date: Wed, 16 Dec 2015 11:25:28 +0000
From: Clive Page
Subject: European Space Agency records leaked

A colleague alerted me to this a few days ago and I had an anxious few
moments before finding that my own email address was not among those
leaked. I was worried because I have been an ESA consultant in the past and
am still involved in some ESA projects. My experience is that ESA take
network security very seriously where they need to. For example in order to
provide them with a new version of my software I have to log in to an FTP
server with not just a simple password but with a rather long pass-phrase.

The emails and passwords exposed here are, I think, from people who needed
to post a message on a bulletin board, wiki, or similar. Such systems very
often force you to open an account before you can post, but my guess is that
most people don't take this very seriously, hence the prevalence of very
short and simple passwords like `esa'. With luck, few users will have used
the same password on anything that matters, so this may not be a very
serious leak, although unfortunate all the same.

The lesson, if there is one, is that operators of bulletin boards etc. ought
to think carefully before forcing their users to choose a password, as they
will choose a simple one if they can, or will be annoyed if they are forced
to choose a strong password for some trivial purpose. Forcing them to use a
real email address rather than a made up identifier is also unfortunate, as
no doubt some of the addresses exposed here will get more spam as a result
of this leak.

------------------------------

Date: Sun, 20 Dec 2015 17:47:49 -0800
From: Lauren Weinstein
Subject: Database leak exposes 3.3-million Hello Kitty fans

http://www.csoonline.com/article/3017171/security/database-leak-exposes-3-3-million-hello-kitty-fans.html

  A database for sanriotown.com, the official online community for Hello
  Kitty and other Sanrio characters, has been discovered online by
  researcher Chris Vickery. The database houses 3.3 million accounts and has
  ties to a number of other Hello Kitty portals. Vickery contacted Salted
  Hash and Databreaches.net about the leaked data Saturday evening.

  The records exposed include first and last names, birthday (encoded, but
  easily reversible Vickery said), gender, country of origin, email
  addresses, unsalted SHA-1 password hashes, password hint questions, their
  corresponding answers, and other data points that appear to be website
  related.

Will "My Little Pony" be next?
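The Hello Kitty item above mentions that the leaked records held unsalted SHA-1 password hashes. The following is an added illustration, not code from the digest or from sanriotown.com, of why that storage choice matters to the people in the dump: with an unsalted fast hash, every account sharing a password shares a stored value, and a single precomputed table covers the whole database, whereas a per-user random salt and an iterated KDF (here the standard library's PBKDF2-HMAC-SHA256; the user names, passwords and iteration count are constructed sample values) give each record an independent, slow-to-check value and a constant-time verifier.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample data: two users who happen to share the same password.
USERS: Dict[str, str] = {"alice": "kitty123", "bob": "kitty123"}


def unsalted_sha1(password: str) -> str:
    """The weak scheme described in the leak: one fast hash, no salt.
    Equal passwords always map to equal stored values."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> dict:
    """Store a password as salt + iterated PBKDF2-HMAC-SHA256.
    A random 16-byte salt per user means identical passwords produce
    unrelated hashes and precomputed tables do not transfer between users.
    (A memory-hard KDF such as Argon2 is preferable in production but needs
    a third-party package; PBKDF2 is what the standard library offers.)"""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations,
            "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def shared_password_visible(hash_fn: Callable[[str], str],
                            users: Dict[str, str]) -> bool:
    """True if the stored values alone reveal that two users share a
    password, i.e. the scheme leaks password reuse across the dump."""
    stored = [hash_fn(p) for p in users.values()]
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    print("unsalted SHA-1 exposes shared password:",
          shared_password_visible(unsalted_sha1, USERS))
    print("salted PBKDF2 exposes shared password:",
          shared_password_visible(lambda p: make_record(p)["hash"], USERS))
    rec = make_record(USERS["alice"])
    print("verify correct password:", verify(rec, "kitty123"))
    print("verify wrong password:", verify(rec, "kitty124"))
```

The salted scheme does not make a password like `esa` strong; it only stops one crack from unlocking every account that used it and forces each guess to be paid for per user. Length and reuse policy remain a separate problem.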
------------------------------

Date: Thu, 17 Dec 2015 16:16:04 -0500
From: Gabe Goldberg
Subject: Idiot naughty word filter strikes again

"Macy's Makes It Difficult For Someone To Give Them Money Because His Last
Name Is Slutsky"

http://consumerist.com/2015/12/11/macys-makes-it-really-difficult-for-me-to-give-them-my-money-because-my-last-name-is-slutsky/

------------------------------

Date: Wed, 16 Dec 2015 11:30:11 -0500
From: Robert Schaefer
Subject: New cybercrime thread, forging deeds using online records

http://www.nasdaq.com/article/latest-cyberthreat-stealing-your-house-20151208-01179

  ``The clues were there for months, but property investor Sybil Patrick
  didn't put them together. The locks to a vacant Harlem brownstone she owns
  were changed...The case was one of about 30 related incidents in Manhattan
  in which a group of people allegedly forged or attempted to forge new
  deeds using easily available online records, to sell the homes and collect
  the proceeds...''

  [*The New York Times* had articles on this happening particularly in
  Brooklyn a week or so ago. Definitely not *new*, even then. PGN]

------------------------------

Date: Wed, 16 Dec 2015 09:31:14 -0500
From: Monty Solomon
Subject: Super-literate software reads and comprehends better than humans
  (New Scientist)

  In a lab next to the river on New York's Upper West Side a computer will
  soon start reading. It is part of a cadre of computers that are learning
  to read more like humans, helping us digest and understand society's huge
  volumes of text on a large scale.

  Called the Declassification Engine, it will comb through 4.5 million US
  State Department cables from the 1930s to the 1980s -- everything the
  department has declassified so far. It's more than any human could read,
  but the software will analyze the lot, mapping social connections and
  looking for new narratives about the behavior of US diplomats and
  officials abroad in the 20th century, says Owen Rambow, a computer
  scientist at Columbia University, which runs the Declassification Engine.

https://www.newscientist.com/article/mg22830512-600-super-literate-software-reads-and-comprehends-better-than-humans/

------------------------------

Date: Thu, 17 Dec 2015 10:23:42 +0200
From: "turgut_kalfaoglu"
Subject: Hotmail and how not to block spam

Hotmail, and its aliases like Live.com, Outlook.com, etc, have devised a
special way to prevent spam. If a user decides they no longer want a
particular newsletter, they can click the "unwanted mail" button, and flag
it as spam. This cascades into events that lead to the blocking of multiple
IP addresses belonging to the company that's sending the particular
newsletter. Apparently it makes no difference that the customer subscribed
to the newsletter him or herself in the first place.

Therefore, if you wish to take down a competitor, simply sign up to a
newsletter mailing that they offer using your hotmail address, and then flag
it as spam when it arrives. Then watch them squirm for weeks trying to get
their IP addresses unblocked. It makes no difference if the sender score of
the company is very high, nor that their DNS entries are correct.

I think all users should refrain from using hotmail services for
mission-critical applications.
------------------------------

Date: Tue, 15 Dec 2015 23:50:27 -0800
From: Lauren Weinstein
Subject: President of China calls for the world to cooperate with China to
  censor the entire Internet

China's Xi calls for cooperation on Internet regulation; activists warn of
threat to speech

http://www.usnews.com/news/business/articles/2015-12-16/chinas-xi-calls-for-cooperation-on-internet-regulation

  Chinese President Xi Jinping called Wednesday for governments to cooperate
  in regulating Internet use, stepping up efforts to promote controls that
  activists complain stifle free expression.

  Xi's government operates extensive Internet monitoring and censorship and
  has tightened controls since he came to power in 2013.

------------------------------

Date: Tue, 15 Dec 2015 15:57:10 -0800
From: Lauren Weinstein
Subject: Wish list app from Target springs a major personal data leak

http://arstechnica.com/security/2015/12/wish-list-app-from-target-springs-a-major-personal-data-leak/

  To our surprise, we discovered that the Target app's Application Program
  Interface (API) is easily accessible over the Internet. An API is a set of
  conditions where if you ask a question it sends the answer. Also, the
  Target API does not require any authentication. The only thing you need in
  order to parse all of the data automatically is to figure out how the user
  ID is generated. Once you have that figured out, all the data is served to
  you on a silver platter in a JSON file.

------------------------------

Date: Wed, 16 Dec 2015 03:22:17 -0600
From: Alister Wm Macintyre
Subject: Comcast Users Beware (Malwarebytes & Help Net)

If you need to get tech support from your ISP, check their literature, such
as monthly billing, to get the correct phone #, or url, because if some site
supplies that to you, just maybe you are going to a scammer instead of your
ISP.

Try not to have all your security in one vendor basket. Ask yourself what
will be your situation if the place to supply your security, is itself
compromised. Will you also be sucked in, or do you have layered security,
using more than one vendor, to reduce probability of all your security being
compromised at the same time?

Comcast is currently the largest home ISP in USA. Comcast uses Xfinity
search. Some Xfinity search pages get a Google AdWords advertisement for a
review site called SatTvPro. When people click on the ad, they get to the
review site, running an outdated version of Joomla CMS, and silently loading
a series of redirects, to try to deliver a ransomware malware to the user's
computer. Then it redirects the users to a phishing site which looks just
like Comcast Xfinity portal, displaying a warning that Comcast security has
detected that they may have malware, and supplies a 1-800 # to get Comcast
tech support to fix their PC. The 1-800 # is really to the scammers, who
want money from the victim, to get their computer clean again.

There is speculation how the crooks got all their pieces, such as the
possibility that SatTvPro was compromised by the recently discovered and
patched flaw (CVE-2015-8562) present in Joomla versions 1.5.0 through 3.4.5,
and is so severe that even though some older versions of the software have
reached end of life and are no longer being developed or supported by the
Joomla project, a patch has been provided for them.

http://www.net-security.org/malware_news.php?id=3179
http://www.net-security.org/secworld.php?id=19233

------------------------------

Date: Tue, 15 Dec 2015 22:57:57 -0600
From: Alister Wm Macintyre
Subject: US Politics: redirecting URLs (Politico)

  In a sign of our modern times, users who visit JebBush.com are redirected
  to DonaldJTrump.com, the official campaign site for the billionaire
  business mogul, though it's not clear who created the redirect.
  JebBush.com is unaffiliated with Bush's campaign ...
I suspect this is aimed at people who use a search engine to find info about
candidates, not knowing their official sites.

http://www.politico.com/story/2015/12/jeb-bush-website-donald-trump-redirect-216501

------------------------------

Date: Wed, 23 Dec 2015 18:33:30 +0200
From: Amos Shapir
Subject: Re: British government admits selling Internet addresses to Saudi
  Arabia (RISKS-29.17)

I truly hope that IT managers in these departments were informed of the
sale, and had updated their firewalls!!

------------------------------

Date: December 14, 2015 at 7:00:30 PM EST
From: Karl Auerbach
Subject: Re: The Moral Failure of Computer Scientists

In this discussion of ethics and morality I think that the following adds a
twist:

http://www.mercurynews.com/news/ci_29245938/university-of-california-pressured-to-count-computer-science-toward-high-school-math-requirement

Apparently the University of California is being pushed to count high school
computer science courses taken by applying students as if those were
mathematics or science courses.

This disturbs me for several reasons.

First is that I have only on occasion found computer science to be a
substitute for the kind of intellectual discipline of any of the hard
sciences.

Second is that what is being called `computer science' at the high school
level is typically simple programming.

There is no doubt that it would be useful if everyone coming out of high
school had at least a thin knowledge of what programming is.

However, writing code is an aspect of a much larger social issue: As a
society we in the US and much of the rest of the world are not particularly
skilled at solving problems.

I would rather see coding/programming cast as one tool among several tools
that can be used to solve problems.

When cast in that light, i.e., that programming is a tool, then I would
argue that our university educational focus should not be on the tool - that
merely turns universities into trade schools - but rather on the broader
context in which such tools may be applied.

In other words, I am disturbed by those who advocate ever increasing our
educational focus on mechanical trade skills rather than on teaching
students the social, legal, cultural, and scientific understandings that
they are going to need when they are called upon to be good engineers, good
citizens, and good people.

------------------------------

Date: Wed, 16 Dec 2015 21:55:00 +0000
From: Chris Drewe
Subject: Re: Philips Locks Purchasers ... (RISKS-29.17)

When I was a kid, people looked forward to life in the 21st century with
such delights as a manned colony on the Moon, land transport by
nuclear-powered hovercraft, etc.; I don't recall anybody forecasting
software-controlled light bulbs with security features... :o)

  [or even light bulbs with features without security ... PGN]

------------------------------

Date: Wed, 16 Dec 2015 01:27:39 +0000
From: Stephen Doig
Subject: Re: Lie-detecting Software uses Machine Learning to Achieve 75% ...

http://app.scientificcomputing.com/news/2015/12/lie-detecting-software-uses-machine-learning-achieve-75-percent-accuracy

PGN: Actually, it's much worse. Imagine this software is 75% accurate in
detecting true liars and exonerating actual truth-tellers -- but that only
1% of a population of 10,000 that is being tested actually are liars. So
there are 100 liars among the 10,000, and the software correctly fingers 75
of them. Among the other 9,900, the software exonerates 75% of them, or
7,425. But now we have the remaining 2,575 labeled as liars (100 true liars
plus 2,475 falsely accused) which means that 96% of those accused actually
are falsely accused.

Stephen K. Doig, Knight Chair in Journalism, Cronkite School of Journalism,
Arizona State Univ., Phoenix, AZ, http://cronkite.asu.edu/faculty/doigbio.php

------------------------------

Date: Tue, 15 Dec 2015 19:47:10 -0800
From: Gene Wirchenko
Subject: Re: Lie-detecting Software uses Machine Learning to Achieve 75
  Percent Accuracy (RISKS-29.17)

How did they determine that 75%? According to the article:

  ``To determine who was telling the truth, the researchers compared their
  testimony with trial verdicts.''

Who decided the verdicts? I believe it was some of those pesky humans. You
know, some of those mentioned in ``... compared with humans' scores of just
more than 50 percent.''

http://app.scientificcomputing.com/news/2015/12/lie-detecting-software-uses-machine-learning-achieve-75-percent-accuracy

------------------------------

Date: Tue, 15 Dec 2015 23:42:55 +0000
From: David Gillett
Subject: Re: A looming anniversary, and an offer (Spafford, RISKS-29.17)

In his offer of autographed copies of Practical Unix and Internet Security,
Gene Spafford mentions that he had recently worked on some construction
projects before coining the term `firewall' for a network traffic filter.

I derive a little personal satisfaction from this, as I have for some time
been reminding colleagues that a firewall was once a common architectural
feature to inhibit the spread of conflagration to adjoining structures, long
predating the use of the term in automotive technology (for the barrier
between the passenger and engine compartments) which I see cited as the
origin of the term by modern folk etymologists.

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.
 The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@csl.sri.com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact .
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r .
 ==> PGN's historical Illustrative Risks summary of one liners:
   for browsing, or .ps for printing
   is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try
 browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 29.18
************************
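Stephen Doig's base-rate arithmetic in the lie-detector item above, worked through as an added example that is not part of the digest: the same counts apply to any detector, whether a polygraph replacement or an intrusion alert, and the functions below (names and the 0.5 target precision are the author's own choices) compute the outcome for arbitrary prevalence, sensitivity and specificity, and the specificity a detector would need before half of what it flags is real.

```python
from typing import Dict


def screening_outcomes(population: int, prevalence: float,
                       sensitivity: float, specificity: float) -> Dict[str, float]:
    """Confusion-matrix counts for one pass of a detector over a population.
    sensitivity = fraction of true positives the detector flags;
    specificity = fraction of true negatives it correctly clears."""
    positives = population * prevalence
    negatives = population - positives
    tp = positives * sensitivity          # guilty and flagged
    fn = positives - tp                   # guilty but cleared
    tn = negatives * specificity          # innocent and cleared
    fp = negatives - tn                   # innocent but flagged
    flagged = tp + fp
    precision = tp / flagged if flagged else 0.0
    return {
        "true_positives": tp,
        "false_negatives": fn,
        "true_negatives": tn,
        "false_positives": fp,
        "flagged": flagged,
        "precision": precision,                 # share of flagged who are guilty
        "false_accusation_rate": 1.0 - precision,
    }


def required_specificity(prevalence: float, sensitivity: float,
                         target_precision: float) -> float:
    """Specificity needed for precision to reach target_precision.
    Derived from precision = p*s / (p*s + (1-p)*(1-spec)) and solved for spec."""
    p, s = prevalence, sensitivity
    return 1.0 - p * s * (1.0 / target_precision - 1.0) / (1.0 - p)


def doig_example() -> Dict[str, float]:
    """The numbers from the item: 10,000 people, 1% liars, 75% on both classes."""
    return screening_outcomes(10_000, 0.01, 0.75, 0.75)


if __name__ == "__main__":
    r = doig_example()
    print(f"flagged: {r['flagged']:.0f}  (true {r['true_positives']:.0f}, "
          f"false {r['false_positives']:.0f})")
    print(f"share of accusations that are false: {r['false_accusation_rate']:.1%}")
    print(f"specificity needed for 50% precision at 1% prevalence: "
          f"{required_specificity(0.01, 0.75, 0.5):.4f}")
```

With Doig's inputs the flagged set works out to 2,550 (the 75 detected liars plus 2,475 false positives), and about 97% of those flagged are innocent, the same conclusion as in the item. The second function shows the other side of the coin: at 1% prevalence the detector would need roughly 99.2% specificity before even half of its accusations were correct, which is the same arithmetic that makes a noisy intrusion-detection rule unusable against a mostly benign event stream.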