Risks Vol 27 Issue 3

Several interesting items from the current issue:

The Risks Digest
Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 27: Issue 3
Saturday 29 September 2012


Fake sign causes real outage
John Carr jfc@mit.edu
Tue, 18 Sep 2012 08:46:55 -0400

"High voltage" signs next to Verizon cable conduits were a bluff to
keep homeless people away. They did not work. Instead they kept
firefighters from extinguishing a mattress fire. Regional phone and
Internet service went out as the cables melted.

http://www.eagletribune.com/latestnews/x550073983/Something-that-valuable-has-to-be-secured


New Jersey bans smiling
Mark Thorson eee@sonic.net
Mon, 24 Sep 2012 08:55:28 -0700

Since January, New Jersey banned smiling for driver's license
photographs because it can't be handled by new facial recognition
software.

http://articles.philly.com/2012-09-21/news/33978387_1_smile-motor-vehicle-commission-facial-expressions

What good is facial recognition software that can be defeated
by a smile? If I see someone with a forced smile at an airport,
does that mean they're likely to be a terrorist?


20% of new PCs in China come with malware pre-installed
Jim Reisert AD1C jjreisert@alum.mit.edu
Mon, 24 Sep 2012 14:41:32 -0600

Wolfgang Gruener, 24 Sep 2012 (source: Microsoft)

"In China, there is not much you have to do to contract a virus on your
PC. Plus, you have a one in five chance that you will get that first virus
on your brand new PC right out of the box."
[Excerpted, follow link for entire text ... jc]

Holy cats! I used to read that all the time. Can't think, now, why I would've stopped. And then I forgot all about it.

Thanks for bringing that back to mind.

My pleasure. It's been around for quite a while, hasn't it? Always some good stuff, makes a person think.

Yeah, lots of food for thought. That and Schneier's Crypt-O-Gram. I was just scanning the archives. Here's a gem:

Hi-tech toilet swallows woman

And I'm reminded of what I read earlier today about the Android remote-wipe being not limited to Samsung phones.

The problem appears to be the Android dialer itself. Websites are able to link characters with a special prefix in order to pass digits to the dialer in a phone — the same functionality that allows you to initiate a phone call from a site, for example. However, the dialers in phones also support specialized strings of characters that can do anything from displaying a phone's IMEI code to wiping the device itself. In devices vulnerable to the attack, the dialer treats these special codes the same as any other phone number, allowing a website to initiate a reset without the user authorizing it to do so.

Remote wipe attack not limited to Samsung phones, Android dialer may be to blame - The Verge

Again, the common theme, of convenience taking precedence over security. And, apparently, the web browser can dial the phone without any user interaction at all? Nah ... that couldn't be risky, could it?
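As an added illustration of the dialer behaviour quoted above (not part of the thread, the quoted article or any Android code), the sketch below classifies `tel:` URIs, the standard URI scheme for phone links, and flags any that decode to a service code instead of a plain number. The function names, the rule that any `*` or `#` marks a service code, and the sample markup are assumptions made for this example.

```javascript
// Added example: decide whether a tel: URI may be passed to a dialer.
// Assumption: any '*' or '#' after decoding marks a service (MMI/USSD) code
// that must never run without explicit user confirmation.
function classifyTelUri(uri) {
  const m = /^\s*tel:(.*)$/i.exec(uri);
  if (!m) return "not-tel";
  let decoded;
  try {
    // '#' must be percent-encoded inside a URI, so decode before checking.
    decoded = decodeURIComponent(m[1]);
  } catch (e) {
    return "malformed"; // invalid escape sequence: fail closed
  }
  if (/[*#]/.test(decoded)) return "service-code";
  // Drop RFC 3966 parameters (";ext=...") and visual separators.
  const digits = decoded.split(";")[0].replace(/[\s().-]/g, "");
  // Anything left that is not a plain number (for example a double-encoded
  // "%2523") is rejected instead of being guessed at.
  return /^\+?\d+$/.test(digits) ? "dialable" : "malformed";
}

// Report every quoted attribute value in a page that is a tel: URI.
// A regex scan is enough for this sketch; a real filter would use an HTML parser.
function findTelTargets(html) {
  const attr = /=\s*(?:"([^"]*)"|'([^']*)')/g;
  const hits = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const value = m[1] !== undefined ? m[1] : m[2];
    const verdict = classifyTelUri(value);
    if (verdict !== "not-tel") hits.push({ uri: value, verdict });
  }
  return hits;
}

// Constructed sample markup; *#06# is the IMEI display code mentioned above.
const SAMPLE_HTML = `
<a href="tel:+1-555-0100">Call support</a>
<a href="tel:*%2306%23">Check device</a>
<a href='tel:%ZZ'>broken</a>
<a href="https://example.com/">site</a>`;

for (const hit of findTelTargets(SAMPLE_HTML)) {
  console.log(hit.verdict.padEnd(12), hit.uri);
}
```

A dialer or browser applying this rule would place only `dialable` results in the dial pad and require confirmation, or refuse, for everything else.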