Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Anyone who has received an itinerary from a travel agent knows that airlines tend to publish their schedules with departure and arrival times expressed in local time. While this is little more than an inconvenience for travelers who want to figure out flight durations, it can become a more serious problem when the airlines use local times in their internal computer systems (and inflict these files on third-party software developers!). A case in point involves an airline who had a flight out of Athens at 0205 on 25sep94 (local time). Unfortunately, according to the airline's timezone information, Athens switches from daylight savings (UTC+0300) to standard time (UTC+0200) at exactly 0300 on 25sep94. In other words, 25sep94 0205 occurs twice, so when converting this time to UTC you have a 50/50 chance of being out by an hour. In our particular case the only risk was that the system would report the cabin crew working hours as being one hour less than reality, but the results could potentially be more serious, especially if the computers at the airport get confused. mkwan
I bought a used 1994 Geo Prizm with a factory-installed Delco radio that claims to have a "theft deterrent." The owner's manual says "the theft deterrent feature ... can be used or ignored. If ignored, the system plays normally. If it is used, your system won't be usable if it's ever stolen. The instructions below tell you how to enter a security code into the system. If your vehicle loses battery power for any reason, you must enter the security code again before the system will turn on." I was tempted to ignore it, but decided, what the heck, I suppose I'd better use it. Well, of course, I discovered that the previous owner had entered a security code, and had not removed it when the car was sold. So if anyone were to leave the car headlights on overnight and drain the battery (why, no, _I_ certainly couldn't be so stupid as to do that :-) ) the radio would become unusable. The used-car dealer had no idea what to do, but suggested I call a Chevy dealer. The Chevy dealer hadn't ever heard of the situation and wasn't aware the radio had such a feature, and suggested I call a Chevy 800 number. The Chevy 800 number know nothing, and suggested I call a Delco 800 number. At every stage, of course, I had to explain the security feature, which apparently was new to the 1994 model. And at every stage I had to endure further misunderstandings, because at each stage, they were initially unable to understand why there was any problem given that the radio worked. Delco said, "sure, no problem, we'll fax the dealer the directions, a lot of them don't know about it." I asked how long the fix took and was told, "it depends how good they are at following directions. If the radio isn't inoperative yet it's easy, otherwise it gets pretty involved." I took the car to the dealer. I had a chance to glance at the faxed instructions but not read them carefully. I have the impression that if the radio isn't inoperative, removing the security code just requires entering a complicated, but fixed series of digits and button-pushes. (A savvy radio thief would have to remember to do this BEFORE stealing the radio). After it has had power removed and decided to become inoperative, there is a much longer procedure, involving calling Delco to get a dealer code, leaving the radio unpowered for a long time, etc. Later that morning the dealer called me and said, "We think your ignition lock security system must be interfering with your radio because we tried your radio and everything works fine, including the cassette player." So I explained the problem once again. I came by at noon as agreed to pick it up and was told it would take a little longer, "because we are waiting for Delco to call us back with a dealer code." When I picked it up, they HAD removed the old security code (and installed a new one, but they told me what it was). It had forgotten all the station settings. I suspect that they either did the complicated procedure when they only needed to do the simple one, or someone disconnected the radio as part of their troubleshooting, or someone couldn't resist disconnecting it to see what would really happen... What's the RISK? Well, given that people do sell used cars, and that many people may not even bother to read that part of the manual-- especially if the radio is working--what has been achieved overall is to take a highly reliable car radio and reduce its life expectancy to the same as that of a car battery. Daniel P. B. Smith dpbsmith@world.std.com
Does any one know anything about reported bugs in the Digital RAID Storage System ? One tends to hear so much of this bug.. nothing about it ?
The following article appeared in the 8 Jan 1995 Washington Post:
Maryland Delays New Auto Tests
A computer glitch has forced the delay of Maryland's tough new
auto emissions testing program.
The state Motor Vehicle Administration announced Friday
that the start-up of the program would be delayed for several
weeks to fix the problems in the software used to measure
emissions. The MVA had planned to start mailing notices Friday
to about 25,000 ddrivers to get their cars and trucks tested.
"it's not going to start until we're satisfied we can
give a quick and accurate test." MVA Administrator W. Marshall
Rickert Jr. said.
The General Assembly passed the tougher testing program after the
federal government ordered the state to reduce smog.
Comments heard on this topic include the opinion that it might be an
excuse to delay this testing which includes having a state driver test
your car at 55 mph on a dynamometer. The test will be more costly that
the present test and is expected to result in a high failure rate.
I read this in comp.os.vms this morning and it made me wonder just how well this plant in Georgia is managed. Jonathan Welch VAX Systems Manager Umass/Amherst JHWELCH@ecs.umass.edu - - - - - Newsgroups: comp.os.vms Subject: VAX 4000 Upkeep/Maintenance From: wbwhaley@aol.com (WBwhaley) Date: 9 Jan 1995 06:33:26 -0500 At work recently we just installed a Vax 4000 with 2 model 100's as our hosts and numerous model 60's, VLC's, and a few model 90's as our basic system workstations. Approx 20 workstations total along with an assortment of LAN Bridge 150's / 200's, local segment repeaters all tied together on thick wire ethernet and fiber optic cable. Its primary use is being our plant computer for the nuclear power plant I work at, so it is in constant use. A vast majority of the extra network equipment is for redundancy being that we hate to loose any plant info/data in case of a failure. Anyway, I was curious to see what other system users performed on their systems as regular preventive maintenance and the such being that we are new to the system. Defrag HD, cleaning bridges/repeaters/servers, host cpu's, etc. Right now, we are tied to using built in VMS utilities and I would like your suggestions. I have gotten a good bit of info from the system managers manual, but wasn't sure if there were any other tricks I may have missed. VMS is totally new to me, so pardon my simple description. <G> Any help would be appreciated. Bill Whaley Augusta, Ga
Excerpts from the July, 4, 1994 Aviation Week and Space Technology follow:
"Telesat Canada engineers have succeeded in a five-month rescue
effort by reestablishing pointing control over the Anik E2
satellite without the use of its failed momentum wheel systems,
thus salvaging a $203-million asset."
This is the first time that a rescue of a geosynchronous, 3-axis
stabilized satellite without a serviceable momentum wheel on board has
been successful (other satellites with this type of problem have been
abandoned, in the past). No one is certain why the integrated
circuits in the control systems failed, but it is believed that
electrostatic discharge during an intense solar storm is to blame.
"...during the five months that the satellite was out of action,
Telesat Canada lost about $15 million. Engineers devised an
alternative pointing system...and installed two entirely separate
ground-based systems for redundancy. A software program developed
by Telesat Canada engineers...keeps track of the satellite in
three axes and calculates adjustments in pointing."
Anik E2 service life will be shortened by one year because of the
extra fuel used in re-positioning the satellite during it life.
In the Jan. 12 LA Times, Pacific Bell, the US Geological Service, and CalTech, announced an 18 month trial of a new system for measuring the effects of earthquakes. The system uses sensors placed around Southern California that relay data to CalTech's computers during a 5+ magnitude earthquake. The data is reduced to give emergency crews the location of large ground accelerations so that they can tailor their responses. (Large ground motion can occur far away from the epicenter, e.g. Filmore is about 20 miles from Northridge yet it was severely damaged in the 6.8 quake.) One interesting issue is testing the system: a 5+ quake is required. A Pacific Bell official said they would extend the test period if an appropriate quake doesn't occur. Talk about waiting a long time for test runs... Mark Stalzer, mas@acm.org
Not so many years ago, I needed a certified check from my large Boston-area bank. I arrived at my branch office at 9:05am, gave a teller appropriate paperwork to transfer funds from savings to checking, and then had the necessary incantations performed to transform my normal everyday check into a certified check. Among other things, this caused the check amount to be immediately debited from my checking account; but since I'd just requested a transfer of the necessary amount into checking, the teller did not complain about the apparent overdraft. So far so good. Within a week I received an overdraft penalty notice, because my transaction at the teller window to do the transfer was not processed until after midnight thus leaving my checking account short that day. I had to show my transfer receipt, with its 9:05am timestamp, to an actual human before the bank would clear the penalty. The incident taught me to avoid teller transactions whenever possible, though, because the nice human who cleared the penalty told me that all the ATM transactions were cleared first, before teller transactions, each evening. A RISK of avoiding new technology?? Paul T. Robinson robinson_paul@tandem.com (NOT the Paul Robinson of paul@tdr.com)
At the end of January middle of February this year Microsoft will be introducing Internet Assistant. A HTML creater and WEB browser for Word for Windows 6.0. The WEB browser will read Word 6.0 documents directly and therefore the risk. Word documents can come with programming that will activate on opening. While this has always been a problem document distribution hasn't generally been widespread until soon from now. Three types of things I can see happening. 1. Viral type documents. These are documents that will change your normal.dot and copy itself from document to document. 2. Trojan Horse type 1 documents. These are documents that do something on opening, like delete files etc....And possible even harmless things. 3. Trojan Horse type 2 documents. Really scary documents that communicate BACK to the web-server without your knowing it and sending additional information gleaned from your machine and or network. There are some truly scary things that could be done with a creative VBA/CGI programmer. It is unfortunate that these risks exist, because otherwise the ability to have "programmable" documents on the web is a really cool concept. But nonetheless risks like these have to be dealt with John
You can now read the complete RISKS archives on the World Wide Web (apart
from the very earliest issues which will appear as soon as I have hand
converted them...) Individual issues have a file name of the form
volume.issue.html where issues is always a two digit number:
http://catless.ncl.ac.uk/Risks/16.01.html
is the first issue of volume 16. The URL http://catless.ncl.ac.uk/Risks
gives you an introduction page and leads you to the indices for previous
issues. The latest issue can always be found via the URL
http://catless.ncl.ac.uk/Risks/latest
The translation from RISKS to html is automatic so there may be errors.
Please report any that you find to me so that I can fix them. Currently the
text of messages is left as pre-formatted text. I have hand converted issues
16.74 to use the html formatting commands. Any feed back on what people
would like to see and any improvements that I could make will be most
welcome.
Lindsay
MAIL : Lindsay.Marshall@newcastle.ac.uk
URL : http://catless.ncl.ac.uk/Lindsay.html
POST : Dept. of Comp. Science, U of Newcastle, Newcastle upon Tyne, UK NE1 7RU
VOICE: +44-191-222-8267 (FAX: -8232)
According to a Canadian Press reported printed in _The Globe and Mail_
(955.01.07, p. A4),
Police crack illegal access to Internet
WINNIPEG — Police have made what they believe is one of
Canada's first arrests for breaking into the Internet....
a 31-year-old man was arrested...after an eight-month police
investigation into illegal access to the Internet computing
system at the University of Manitoba....
...[T]he man will be charged with two counts of unauthorized
use of a computer service....
The article states that the Crackerjack program "was used to decrypt the
access codes of legitimate users" and that the accused is alleged to have
stored stolen software and porn online.
M.E.Kabay,Ph.D.
DirEd/Natl Computer Security Assn (Carlisle, PA)
Mgmt Consultant/LGS Group Inc. (Montreal, QC)
HarperCollins has just released MASTERS OF DECEPTION: The Gang That Ruled
Cyberspace, a new book by New York Newsday journalists Michelle Slatalla
and Joshua Quittner. You might recall the book from a cover story in the
December issue of WIRED. Slatalla and Quittner unravel the story of gang
warfare between the Legion of Doom (LOD) and the Masters of Deception
(MOD), a turf battle fought through the phone system that led to one of
the most high-profile hacker prosecutions ever.
Slatalla and Quittner followed the Masters of Deception story for five
years at Newsday. When the WIRED excerpt appeared, their phone service was
hacked and their e-mail attacked by a group calling themselves the
Internet Liberation Front, or ILF. A police investigation is still in
progress.
The authors begin an 8-city tour in New York today. They are planning to
kick off a "cybertour" in February. The book is available for purchase on
Delphi (Online Bookstore) and CompuServe (Go HAR), or at your local
bookstore.The WIRED excerpt is on HotWIRED at the following URL:
http://www.hotwired.com/Lib/Wired/2.12/features/hacker.html
For more information about the book — including a tour schedule — please
send e-mail requesting a "digital flyer" to <okeefe@olympus.net>
STEVE O'KEEFE
Electronic News & Reviews
Call for Participation (Deadline: March 15, 1995)
INTERNATIONAL CRYPTOGRAPHY INSTITUTE 1995: GLOBAL CHALLENGES
September 21-22, 1995
Washington, DC
Presented by
The National Intellectual Property Law Institute
The International Cryptography Institute will focus on the cryptography
challenges associated with meeting the information protection needs of
users and the law enforcement and national security needs of nations.
The Institute will address such topics as:
- national encryption policies and regulations
- meeting user needs for information security and data recovery
- meeting law enforcement and national security needs
- national and global encryption markets and product availability
- international approaches and standards
- creating an international cryptography infrastructure
- the use of encryption technologies in different countries
- cryptography in the financial industry and other industries
- legal and policy issues of digital signatures and digital cash
- new developments in encryption policies and technologies
Persons interested in speaking at the conference are invited to submit
a proposal to the Institute Chair:
Prof. Dorothy E. Denning, Chair ICI '95
Georgetown University
Computer Science Department
225 Reiss Building
Washington DC 20057-0997
ph: 202-687-5703, fax: 202-687-6067
e-mail: denning@cs.georgetown.edu
Proposals must be received by MARCH 15, 1995, and should include the
following:
- Name, title, organization, address, phone, fax, and e-mail address
- Brief biography
- Title of presentation
- Abstract of presentation or paper
- Amount of time requested for presentation and discussion
Notification of acceptance will be made by April 15, 1995. Papers and
materials for the proceedings will be due on August 15, 1995.
Inquiries about registration or the proceedings should be addressed to:
The National Intellectual Property Law Institute
P.O. Box 27913, Washington, DC 20038-7913
ph: 800-301-MIND or 202-962-9494
, fax: 800-304-MIND or 202-962-9495
Information Systems Security Association (ISSA) is pleased to announce
LEARNING From EACH OTHER,
the 12th Annual Conference & Exposition
to be held
April 2-5 1995 at Sheraton Hotel and Towers
Toronto, Ontario, Canada
The cost is $795 (ISSA Member), $895 (nonmember); Full Day electives $295.
Canadians may pay in Canadian Dollars (same rates!)
Brochure and registration form are available from:
ISSA Headquarters, 4350 DiPaolo Center, Suite C, Glenview, IL, 60025
Phone: (708) 699-6441; fax (708) 699-6369;
or by sending E-Mail to: ISSA @ MCS.COM
The event begins with Pre-Conference Specialty Seminars on Saturday and Sunday
A Welcome Reception and Vendor Exhibition opening will be held Sunday evening
- an excellent opportunity for networking! Each Day then begins with
Registration at 7:30 and continental breakfast and Vendor Exhibition at 8:00.
April 1 - Saturday (Pre-conference Activities)
Four elective Full Day Seminars to choose among
April 2 - Sunday
The First CISSP Examination sponsored by (ISC)2
Two elective Half Day Seminars to choose
7pm Welcome Reception and Vendor Exhibition
April 3 - Monday's Highlights:
Welcome and General Session will include "How to Handle Internal Investigation
and Establish Successful Compliance Programs" by Terry F. Lenzner, a former
member of the Board of Overseers of Harvard University with a broad range of
experiences in public and private legal investigations.
AM Track Choices: 10:30-noon
A1: Gale Warshawsky of LLNL will explore the merits and processes of
Making Computer Security Information Available Electronically
B1: Charles Blauner of Bellcore will Introduce the security issues
involved in the use of Distributed Systems.
C1: Francis Labayen and Kimberly Clair of Andersen Consulting will discuss
LAN Security issues by component, and their corresponding solutions.
D1: Vendor panel: Viruses: an opportunity to see a virus contained and
neutralized, as well as learn from leaders in the field how to avoid
the beasties!
E1: Lessons Learned: Richard Heffernan and William Haywood increase the
participant's awareness of threats to intellectual property from
industrial espionage.
Lunch in the Exhibit Hall
After Lunch Track Choices 1:30-3:00 pm
A2: Rebecca Duncan of DataPro gives a blueprint for effective network
security strategy.
B2: Charles Blauner of Bellcore leads a discussion of OSF Distributed
Computing Environment (DCE) and its security capabilities.
C2: Robert Kane of Intrusion Detections describe Best Practices for
Securing Novell Netware LANs.
D2: Vendor Panel: PC Security Solutions, and the extent of their
effectiveness.
E2: Lessons Learned: Jamie Trainer examines a real world example of
securing a multinational 1400 heterogeneous node network of
workstations and PCs.
Late PM Track Choices: 3:30-5:00 pm
A3: Peter Davis' Manager's Guide to Internet Security
B3: Tsvi Gal, Bank of America; discusses protecting "the network is the
computer."
C3: Ed Blackwell presents "Primer for PBX and Voice Mail Fraud"
D3: Vendor Panel: Disaster Recovery - Business Resumption
E3: Lessons Learned: L. Dain Gary, CMU SEI, Internet Security and CERTSM
Late-Late Birds of a Feather and Committee meetings
April 4 - Tuesday Highlights:
Plenary: Crossroads, by Steven J. Green, University of Houston; application
and development of computer and communications security responsibility with
in the work setting.
AM Track choices: 10:30-noon
A4: Teresa Donatelli and Ann McHoes present a detailed discussion of
Developing a Security Awareness Program
B4: Will Ozier moderates a panel discussion of the activities of the
ISSA GSSP committee in establishing Generally Accepted System Security
Principles.
C4: John Clark, Andersen Consulting discusses risks introduced by Frame
Relay technology.
D4: Vendor Panel; Pros and Cons of Encryption; determining your need for
it.
E4: Sadie Pitcher Department of Commerce Disaster Plans.
Lunch in the Exhibit Hall
After Lunch Track Choices: 1:30-3:00 pm
A5: Charlotte Greig, Wells Fargo Bank; How to get (management's) Attention
for Information Security Awareness Part I.
B5: Allan Cobb, York University; The Architecture of Audit Facility for a
Distributed Application: using OSF DCE in university student
application processing.
C5: Douglas Conorich, RAXCO, Strengths and weaknesses of TCP/IP Network
Security.
D5: Vendor Panel: What a network manager should consider in Distributed
Informations Systems Security Management.
E5: James P. Litchko; Internet Threats and Countermeasures.
Late PM Track Choices: 3:30-5:00 pm
A6: How to Get Attention for Information Security Awareness - Part II
B6: Gary Baker, Ernst & Young; "Distributed Computing and Client Server -
An Auditor's Perspective"
C6: Ed Blackwell, "Value Added Networks Security Pitfalls" Using the
security features provided by VANs.
D6: Vendor Panel: Discuss the security ramifications of network components
(routers, bridges, etc.)
E6: Fred Sanborn, Booz, Allen and Hamilton; Securing the Enterprisewide
Network.
Late-Late Birds of a Feather and Committee meetings 5:00-6:30 pm
Special ISSA Social Event 7-9 pm
April 5 - Wednesday Highlights:
Annual Meeting of The Information Systems Security Association
AM Track choices: 10:30-noon
A7: Alex Woda, "How to Secure, Audit and Control EDI"- a practical
approach. An EDI audit program will available for participants
B7: Colin Rous, Cerberus, "Distributed Computing and Client/Server
Security: What it means for the Security Administrator."
C7: Robert Clyde, RAXCO, "Multi-Platform Enterprise Security Management"
C8: Panel: Security Issues for Electronic Commerce", Loreto Remorca and
David Lyons, moderators.
D7: Vendor Panel: Awareness and Training; ideas and solutions you can
incorporate into your program.
E7: Bart Burron, Auditor General Canada, "A Top Down Computer Security
Assessment for Senior Management."
After Lunch Committee Meetings 1 - 3 pm
April 6 - Thursday: (Elective) CISSP Preparation Course. This session will
assist in preparation for the CISSP exam and explain test contents as well
as the tools and methods for preparation.
Make your room Reservations with the Sheraton, and tell them you will be
attending the 12th Annual ISSA Conference and the rate will be $127 (plus
15%)
For more information call ISSA headquarters (708) 699-6441.
Please report problems with the web pages to the maintainer