I had to dig around to find the source of the latest news that tries to answer this question. Many sites are echoing that some study somewhere has evidence but none of them provide a cite. Yes, I just used site and cite in the same sentence. Grammar alert. Carefully read this sentence in an article on The Huffington Post by Christine Negroni:

The IATA report is not public, someone slipped it to me after my Times story ran to much controversy in January.

Ouch. My reading instruments just threw an error message and blew up. She must have meant too much controversy, instead of “to”. Good thing a grammar error does not really crash our brains — we may now continue reading her article.

Her point is that she has some super secret hidden file that proves to her that we all should be turning off personal electronic devices because they might interfere with aircraft safety.

I have in my possession a new confidential report from the International Air Transport Association’s safety data sharing program (STEADS) that shows over the past seven years, airlines around the world reported seventy five events in which portable electronic devices (let’s just call them PEDs, okay?) are suspected of interfering with flight deck equipment. While phones were the source of interference in 40% of the reports, iPods, other MP3 players, laptops and portable games were also implicated.

Might as well throw pacemakers on that list. That is probably why it is confidential. They do not want to upset the pacemaker lobby. Or maybe the distraction from the portable electronics is related to pilots watching movies instead of the instruments?

All joking aside, however, this is not a good reason to tell people to turn off their portable electronics. Why? Because even if you tell everyone to turn off their device they will forget or fall asleep or not understand what to do. The devices also will malfunction. That is why placing bets for a safe flight on the passengers correctly following directions is foolish. Likewise, placing bets for a safe flight on the correct functioning of passenger-owned electronics is foolish. Neither are reliable enough, at present, to ensure safety of a flight — they are far from compliant.

That is why resilience is meant to have been built into aircraft, which she admits.

The use of PEDs on board will not – I repeat – will not cause a plane to go tumbling through the sky like something in a made-for-TV-disaster movie.

Fine, nothing causing worry. And then she turns around and subtly contradicts herself.

What PEDs can and in fact have already done, is create a distraction for the flight crew. When that distraction comes at the wrong time it can lead to pants-wetting episodes and maybe even disaster. And that is why boys and girls, devices are supposed to be turned off as in OFF, below 10 thousand feet. The concept is that with sufficient altitude below us there is time to address any pesky error messages that might wind up being transmitted to the cockpit. Only now we know that those messages are pretty darn common

Fear. Panic. I thought nothing causing worry?

It seems now to say: Above 10,000 feet there is time to recover but below 10,000 feet, well, a plane may tumble into the ground like something in a made-for-PED-disaster-movie.

At the end of the story comes the real kicker. Negroni is digging for reasons to regulate the behavior of her fellow passengers.

Regulators, schmegulators, they could take forever to act. In the meantime, is it unreasonable for a woman who spends a heck of a lot of time in airplanes to ask her fellow travelers, please, Please, PLEASE, cool it with the electronics below ten-thousand feet?

Perhaps the airlines should deputize her and others officially so when they stick a nose into your seat you can laugh at the shiny star that says “PED Police” as you reply “of course I want this plane to crash”. Maybe a deputy program could actually help convince a passenger or two to take the time and trouble to guarantee their device is disabled (“the Captain says you may now put your batteries back in”, but it really does not address the core problem. Regulators would be wise to put pressure to fix a system affected by interference rather than hope passengers will suddenly and reliably (heroically?) overcome the shortcomings of their own inexpensive portable electronics.

So what would you think if you were the B777 pilot who’s radio communication with air traffic control was interrupted by a passenger’s cell phone call?

I would think it’s time to get Boeing on the horn and rip them a new exhaust hole and/or invest in an Airbus.

Funny that she mentions a B777. I have seen speculation that a B777-236 ER, G-YMMM crashed in 2008 because of cell phone interference. The actual Air Accidents Investigation report, which is not confidential, points only to a problem in the fuel system.

Restrictions in the fuel system between the aircraft fuel tanks and each of the engine HP pumps, resulting in reduced fuel flows, is suspected.

I searched all the other AAIB reports and found no mention of portable electronics as a cause of interference. Hopefully the IATA report will be released or at least discussed more transparently. While we can assume some older fleets with lack of maintenance in deprecated electronics could have interference issues, the solution is a rapid patch/upgrade to those systems.

Regulate the lack of resilience to interference to force airline behavior changes and don’t expect passengers to be perfect, especially if fear is based on secret memos seen by airlines that can’t be discussed in public.

Apparently Google wanted to help earthquake victims but gave them a tool that lacked even the most basic protection against abuse. It quickly attracted mischievous and hurtful anonymous comments. It then came under harsh criticism. Japan Probe, for example, issued this warning:

If you are using Google’s Person Finder App to search for information about people who were in Japan during the 2011 Tohoku Earthquake, please be warned: the site has fallen victim to dozens of trolls. Legitimate inquiries by family members are being met with untruthful death notice responses from mean-spirited jerks.

The comments are too awful to repeat here — racist and graphic — but can be found on the Japan Probe site.

I am not surprised that some people in the world are cruel and will try to attack or take advantage of those who are most vulnerable. That is a sad reality.

I am surprised, however, that Google developers would post an application for victims that exposes them and makes them targets of obvious/known threats and abuse. It did not filter on harmful language, it did not require any confirmation. Did Google allow a product to launch without even the most basic security review?

Google provides a disclaimer on the data entry page:

PLEASE NOTE: All data entered will be available to the public and viewable and usable by anyone. Google does not review or verify the accuracy of this data.

Obviously, however, they have responded after criticism. Japan Probe has posted an update: the fake death reports and fraud messages (asking for contact and personal information) they reported have been removed.

Note the URL, designed for easy abuse automation:

http://japan.person-finder.appspot.com/create?add_note=&age=&author_email=&author_name=&author_phone=&clone=&confirm=&content_id=&date_of_birth=&description=&dupe_notes=&email_of_found_person=&error=&first_name=&flush_cache=&found=&home_city=&home_country=&home_neighborhood=&home_postal_code=&home_state=&home_street=&id=&id1=&id2=&id3=&key=&lang=&last_known_location=&last_name=&max_results=&omit_notes=&operation=&person_record_id=&phone_of_found_person=&photo=&photo_url=&query=&role=provide&sex=&signature=&skip=&small=&source_date=&source_name=&source_url=&status=&style=&subdomain_new=&target=&text=&utcnow=&version=

An interesting Blogger exploit has just been highlighted by Nir Goldshlager, in his first blog post on his new blog. It already has been fixed.

Along with gushing compliments for Google’s security team is an example of HTTP Parameter Pollution (HPP), a growing class of web application problems. HPP is when an attacker injects a parameter with a value inside an application-generated URL. The impact of pollution depends on the application and so the best known way to test and find HPP is fuzzing for possible injections in links and forms.

Nir’s example shows, in three phases, how an Author can be added to any Blogger site and then elevated to Administrator privilege:

1. The attacker Use the invite author options in blogger (add authors):

Vulnerability location:

POST /add-authors.do HTTP/1.1

Request:

security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite

As you can see I added two blogid value in my post request (blogID=attackerblogidvalue&blogID=victimblogidvalue)

The server checks the first blogid value and executes the second blogid value of the attacker

2. After that the attacker receives a mail to confirm him as a author (author invitation link), After that, the attacker will be added as an author on the victim account.
3. At this step it becomes possible to modify the attacker permission from an author to an administrator,

Vulnerability Location:

POST /team-member-modify.do HTTP/1.1

Request:

security_token=attackertoken&blogID=attackerownblogid&blogID=victimblogidvalue&memberID=attackermemberid&isAdmin=true&ok=Grant+admin+privileges

as you can see there is Another field in this request called memberID, Any users in blogger have a memberID value, so the attacker also need to provide his memberId value in this post request, In Blogger service, any Administrator, Author have a memberid value, So to make a successful attack (become administrator), an attacker must add himself first as a author on the victim account, To perform the next step that will add himself as an administrator on the victim account.

Video of an attack:

Plastic hotel “key cards” with a mag-stripe are notoriously unreliable (at least 5% failure rate). They can easily be demagnetized and stop working, even by proximity to cell-phones and small fashion magnets (unlike payment cards, which are more resilient). I run mag-stripe payment card security tests and the hotel cards that sometimes use to calibrate and test my card reader (they usually have a 3 track .500″ stripe with the data stored on a very small spot on track 2) always have been the most prone to failure.

With that in mind I recently stayed at a chain hotel that issued me a generic key card. After a day or two the key stopped working. Maybe I was expecting it to stop working; but when it failed the first time I went straight to the front desk and asked that it be reprogrammed. To my surprise the hotel clerk, who I had not seen before, just asked me what room number I was in.

I said “I think it’s #305”

She ran the card hit a couple buttons and handed it back to me.

Then I said “Oh, sorry, it’s actually #302.”

She smiled, took the card back, ran the same procedure and handed it back to me.

At this point I was outraged and found my mind racing through a checklist of security controls. Laptop hard drive encrypted. Check. USB drives encrypted. Check. Laptop physically cabled to desk. Check…

I was amazed by this giant gaping hole in security procedure. Anyone, and I mean anyone, can get an old hotel key from any of their world-wide locations (they do not collect them — no revocation procedure) and just have it programmed by the front desk to get into my room.

I sent a formal complaint to the hotel management and then I heard nothing more about it…until I read a sad and shocking story in StlToday.

Hughes tried to enter a room on the same floor as his room at the Sheraton, and then went to the front desk to tell a clerk his key didn’t work. The clerk issued him a key for the room number he provided but failed to check to make sure it was the right room, Byrne said. The clerk has since resigned.

Hughes “really had it all screwed up on what his room number was,” Byrne said.

Thus, at least one hotel chain in America has security so lax you can walk in with an old key and they — no questions asked, no verification required — will program it for a free room for the night. You only have to give them a room number, which obviously is trivial to figure out, even if you’re “highly intoxicated”.

I would like to take this moment to point out that the problem is not with a clerk. Their resignation does not fix the vulnerability.

The St. Louis molestation case above has now publicly disclosed the danger of the exact vulnerability I reported to the hotel. A hotel’s key management policy and procedures may let anyone, and I mean anyone, else into your room.

The obvious, free and easy solution is for a key to be programmed for a door only after the front desk is able to perform a simple authentication check before authorization. There is no excuse for such poor key management. Firing a clerk is not a solution; this example casts a dark shadow over encryption as a solution for payment card security in the hospitality industry.

The cards fail often enough that hotels and their staff are probably under some pressure to reduce the cost of reprogramming them. Reasons for card error include the following:

• User — key used incorrectly
• Admin — wrong room number or check-out date
• Magnet — fields affected by static, cell phones, card cases, bags with magnets, metal clips
• Card material — sub-standard (non-compliant) keys, re-use of failed keys
• Lock mechanism not maintained
• Lock environment — dirty/humid
• Lock battery not maintained
• Software not maintained — encoders and locks out of sync
• Encoders not maintained

The entire list of reasons together is still not enough reason to remove validation from key management. Hotels should not be allowed to abandon the security of their rooms and guests just because the keys system often fails, especially given that the reasons for key failure are well known and the repairs are easy and inexpensive.