Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Anyone who has received an itinerary from a travel agent knows that airlines tend to publish their schedules with departure and arrival times expressed in local time. While this is little more than an inconvenience for travelers who want to figure out flight durations, it can become a more serious problem when the airlines use local times in their internal computer systems (and inflict these files on third-party software developers!). A case in point involves an airline who had a flight out of Athens at 0205 on 25sep94 (local time). Unfortunately, according to the airline's timezone information, Athens switches from daylight savings (UTC+0300) to standard time (UTC+0200) at exactly 0300 on 25sep94. In other words, 25sep94 0205 occurs twice, so when converting this time to UTC you have a 50/50 chance of being out by an hour. In our particular case the only risk was that the system would report the cabin crew working hours as being one hour less than reality, but the results could potentially be more serious, especially if the computers at the airport get confused. mkwan
I bought a used 1994 Geo Prizm with a factory-installed Delco radio that claims to have a "theft deterrent." The owner's manual says "the theft deterrent feature ... can be used or ignored. If ignored, the system plays normally. If it is used, your system won't be usable if it's ever stolen. The instructions below tell you how to enter a security code into the system. If your vehicle loses battery power for any reason, you must enter the security code again before the system will turn on." I was tempted to ignore it, but decided, what the heck, I suppose I'd better use it. Well, of course, I discovered that the previous owner had entered a security code, and had not removed it when the car was sold. So if anyone were to leave the car headlights on overnight and drain the battery (why, no, _I_ certainly couldn't be so stupid as to do that :-) ) the radio would become unusable. The used-car dealer had no idea what to do, but suggested I call a Chevy dealer. The Chevy dealer hadn't ever heard of the situation and wasn't aware the radio had such a feature, and suggested I call a Chevy 800 number. The Chevy 800 number know nothing, and suggested I call a Delco 800 number. At every stage, of course, I had to explain the security feature, which apparently was new to the 1994 model. And at every stage I had to endure further misunderstandings, because at each stage, they were initially unable to understand why there was any problem given that the radio worked. Delco said, "sure, no problem, we'll fax the dealer the directions, a lot of them don't know about it." I asked how long the fix took and was told, "it depends how good they are at following directions. If the radio isn't inoperative yet it's easy, otherwise it gets pretty involved." I took the car to the dealer. I had a chance to glance at the faxed instructions but not read them carefully. I have the impression that if the radio isn't inoperative, removing the security code just requires entering a complicated, but fixed series of digits and button-pushes. (A savvy radio thief would have to remember to do this BEFORE stealing the radio). After it has had power removed and decided to become inoperative, there is a much longer procedure, involving calling Delco to get a dealer code, leaving the radio unpowered for a long time, etc. Later that morning the dealer called me and said, "We think your ignition lock security system must be interfering with your radio because we tried your radio and everything works fine, including the cassette player." So I explained the problem once again. I came by at noon as agreed to pick it up and was told it would take a little longer, "because we are waiting for Delco to call us back with a dealer code." When I picked it up, they HAD removed the old security code (and installed a new one, but they told me what it was). It had forgotten all the station settings. I suspect that they either did the complicated procedure when they only needed to do the simple one, or someone disconnected the radio as part of their troubleshooting, or someone couldn't resist disconnecting it to see what would really happen... What's the RISK? Well, given that people do sell used cars, and that many people may not even bother to read that part of the manual-- especially if the radio is working--what has been achieved overall is to take a highly reliable car radio and reduce its life expectancy to the same as that of a car battery. Daniel P. B. Smith email@example.com
Does any one know anything about reported bugs in the Digital RAID Storage System ? One tends to hear so much of this bug.. nothing about it ?
The following article appeared in the 8 Jan 1995 Washington Post: Maryland Delays New Auto Tests A computer glitch has forced the delay of Maryland's tough new auto emissions testing program. The state Motor Vehicle Administration announced Friday that the start-up of the program would be delayed for several weeks to fix the problems in the software used to measure emissions. The MVA had planned to start mailing notices Friday to about 25,000 ddrivers to get their cars and trucks tested. "it's not going to start until we're satisfied we can give a quick and accurate test." MVA Administrator W. Marshall Rickert Jr. said. The General Assembly passed the tougher testing program after the federal government ordered the state to reduce smog. Comments heard on this topic include the opinion that it might be an excuse to delay this testing which includes having a state driver test your car at 55 mph on a dynamometer. The test will be more costly that the present test and is expected to result in a high failure rate.
I read this in comp.os.vms this morning and it made me wonder just how well this plant in Georgia is managed. Jonathan Welch VAX Systems Manager Umass/Amherst JHWELCH@ecs.umass.edu - - - - - Newsgroups: comp.os.vms Subject: VAX 4000 Upkeep/Maintenance From: firstname.lastname@example.org (WBwhaley) Date: 9 Jan 1995 06:33:26 -0500 At work recently we just installed a Vax 4000 with 2 model 100's as our hosts and numerous model 60's, VLC's, and a few model 90's as our basic system workstations. Approx 20 workstations total along with an assortment of LAN Bridge 150's / 200's, local segment repeaters all tied together on thick wire ethernet and fiber optic cable. Its primary use is being our plant computer for the nuclear power plant I work at, so it is in constant use. A vast majority of the extra network equipment is for redundancy being that we hate to loose any plant info/data in case of a failure. Anyway, I was curious to see what other system users performed on their systems as regular preventive maintenance and the such being that we are new to the system. Defrag HD, cleaning bridges/repeaters/servers, host cpu's, etc. Right now, we are tied to using built in VMS utilities and I would like your suggestions. I have gotten a good bit of info from the system managers manual, but wasn't sure if there were any other tricks I may have missed. VMS is totally new to me, so pardon my simple description. <G> Any help would be appreciated. Bill Whaley Augusta, Ga
Excerpts from the July, 4, 1994 Aviation Week and Space Technology follow: "Telesat Canada engineers have succeeded in a five-month rescue effort by reestablishing pointing control over the Anik E2 satellite without the use of its failed momentum wheel systems, thus salvaging a $203-million asset." This is the first time that a rescue of a geosynchronous, 3-axis stabilized satellite without a serviceable momentum wheel on board has been successful (other satellites with this type of problem have been abandoned, in the past). No one is certain why the integrated circuits in the control systems failed, but it is believed that electrostatic discharge during an intense solar storm is to blame. "...during the five months that the satellite was out of action, Telesat Canada lost about $15 million. Engineers devised an alternative pointing system...and installed two entirely separate ground-based systems for redundancy. A software program developed by Telesat Canada engineers...keeps track of the satellite in three axes and calculates adjustments in pointing." Anik E2 service life will be shortened by one year because of the extra fuel used in re-positioning the satellite during it life.
In the Jan. 12 LA Times, Pacific Bell, the US Geological Service, and CalTech, announced an 18 month trial of a new system for measuring the effects of earthquakes. The system uses sensors placed around Southern California that relay data to CalTech's computers during a 5+ magnitude earthquake. The data is reduced to give emergency crews the location of large ground accelerations so that they can tailor their responses. (Large ground motion can occur far away from the epicenter, e.g. Filmore is about 20 miles from Northridge yet it was severely damaged in the 6.8 quake.) One interesting issue is testing the system: a 5+ quake is required. A Pacific Bell official said they would extend the test period if an appropriate quake doesn't occur. Talk about waiting a long time for test runs... Mark Stalzer, email@example.com
Not so many years ago, I needed a certified check from my large Boston-area bank. I arrived at my branch office at 9:05am, gave a teller appropriate paperwork to transfer funds from savings to checking, and then had the necessary incantations performed to transform my normal everyday check into a certified check. Among other things, this caused the check amount to be immediately debited from my checking account; but since I'd just requested a transfer of the necessary amount into checking, the teller did not complain about the apparent overdraft. So far so good. Within a week I received an overdraft penalty notice, because my transaction at the teller window to do the transfer was not processed until after midnight thus leaving my checking account short that day. I had to show my transfer receipt, with its 9:05am timestamp, to an actual human before the bank would clear the penalty. The incident taught me to avoid teller transactions whenever possible, though, because the nice human who cleared the penalty told me that all the ATM transactions were cleared first, before teller transactions, each evening. A RISK of avoiding new technology?? Paul T. Robinson firstname.lastname@example.org (NOT the Paul Robinson of email@example.com)
At the end of January middle of February this year Microsoft will be introducing Internet Assistant. A HTML creater and WEB browser for Word for Windows 6.0. The WEB browser will read Word 6.0 documents directly and therefore the risk. Word documents can come with programming that will activate on opening. While this has always been a problem document distribution hasn't generally been widespread until soon from now. Three types of things I can see happening. 1. Viral type documents. These are documents that will change your normal.dot and copy itself from document to document. 2. Trojan Horse type 1 documents. These are documents that do something on opening, like delete files etc....And possible even harmless things. 3. Trojan Horse type 2 documents. Really scary documents that communicate BACK to the web-server without your knowing it and sending additional information gleaned from your machine and or network. There are some truly scary things that could be done with a creative VBA/CGI programmer. It is unfortunate that these risks exist, because otherwise the ability to have "programmable" documents on the web is a really cool concept. But nonetheless risks like these have to be dealt with John
You can now read the complete RISKS archives on the World Wide Web (apart from the very earliest issues which will appear as soon as I have hand converted them...) Individual issues have a file name of the form volume.issue.html where issues is always a two digit number: http://catless.ncl.ac.uk/Risks/16.01.html is the first issue of volume 16. The URL http://catless.ncl.ac.uk/Risks gives you an introduction page and leads you to the indices for previous issues. The latest issue can always be found via the URL http://catless.ncl.ac.uk/Risks/latest The translation from RISKS to html is automatic so there may be errors. Please report any that you find to me so that I can fix them. Currently the text of messages is left as pre-formatted text. I have hand converted issues 16.74 to use the html formatting commands. Any feed back on what people would like to see and any improvements that I could make will be most welcome. Lindsay MAIL : Lindsay.Marshall@newcastle.ac.uk URL : http://catless.ncl.ac.uk/Lindsay.html POST : Dept. of Comp. Science, U of Newcastle, Newcastle upon Tyne, UK NE1 7RU VOICE: +44-191-222-8267 (FAX: -8232)
According to a Canadian Press reported printed in _The Globe and Mail_ (955.01.07, p. A4), Police crack illegal access to Internet WINNIPEG — Police have made what they believe is one of Canada's first arrests for breaking into the Internet.... a 31-year-old man was arrested...after an eight-month police investigation into illegal access to the Internet computing system at the University of Manitoba.... ...[T]he man will be charged with two counts of unauthorized use of a computer service.... The article states that the Crackerjack program "was used to decrypt the access codes of legitimate users" and that the accused is alleged to have stored stolen software and porn online. M.E.Kabay,Ph.D. DirEd/Natl Computer Security Assn (Carlisle, PA) Mgmt Consultant/LGS Group Inc. (Montreal, QC)
HarperCollins has just released MASTERS OF DECEPTION: The Gang That Ruled Cyberspace, a new book by New York Newsday journalists Michelle Slatalla and Joshua Quittner. You might recall the book from a cover story in the December issue of WIRED. Slatalla and Quittner unravel the story of gang warfare between the Legion of Doom (LOD) and the Masters of Deception (MOD), a turf battle fought through the phone system that led to one of the most high-profile hacker prosecutions ever. Slatalla and Quittner followed the Masters of Deception story for five years at Newsday. When the WIRED excerpt appeared, their phone service was hacked and their e-mail attacked by a group calling themselves the Internet Liberation Front, or ILF. A police investigation is still in progress. The authors begin an 8-city tour in New York today. They are planning to kick off a "cybertour" in February. The book is available for purchase on Delphi (Online Bookstore) and CompuServe (Go HAR), or at your local bookstore.The WIRED excerpt is on HotWIRED at the following URL: http://www.hotwired.com/Lib/Wired/2.12/features/hacker.html For more information about the book — including a tour schedule — please send e-mail requesting a "digital flyer" to <firstname.lastname@example.org> STEVE O'KEEFE Electronic News & Reviews
Call for Participation (Deadline: March 15, 1995) INTERNATIONAL CRYPTOGRAPHY INSTITUTE 1995: GLOBAL CHALLENGES September 21-22, 1995 Washington, DC Presented by The National Intellectual Property Law Institute The International Cryptography Institute will focus on the cryptography challenges associated with meeting the information protection needs of users and the law enforcement and national security needs of nations. The Institute will address such topics as: - national encryption policies and regulations - meeting user needs for information security and data recovery - meeting law enforcement and national security needs - national and global encryption markets and product availability - international approaches and standards - creating an international cryptography infrastructure - the use of encryption technologies in different countries - cryptography in the financial industry and other industries - legal and policy issues of digital signatures and digital cash - new developments in encryption policies and technologies Persons interested in speaking at the conference are invited to submit a proposal to the Institute Chair: Prof. Dorothy E. Denning, Chair ICI '95 Georgetown University Computer Science Department 225 Reiss Building Washington DC 20057-0997 ph: 202-687-5703, fax: 202-687-6067 e-mail: email@example.com Proposals must be received by MARCH 15, 1995, and should include the following: - Name, title, organization, address, phone, fax, and e-mail address - Brief biography - Title of presentation - Abstract of presentation or paper - Amount of time requested for presentation and discussion Notification of acceptance will be made by April 15, 1995. Papers and materials for the proceedings will be due on August 15, 1995. Inquiries about registration or the proceedings should be addressed to: The National Intellectual Property Law Institute P.O. Box 27913, Washington, DC 20038-7913 ph: 800-301-MIND or 202-962-9494 , fax: 800-304-MIND or 202-962-9495
Information Systems Security Association (ISSA) is pleased to announce LEARNING From EACH OTHER, the 12th Annual Conference & Exposition to be held April 2-5 1995 at Sheraton Hotel and Towers Toronto, Ontario, Canada The cost is $795 (ISSA Member), $895 (nonmember); Full Day electives $295. Canadians may pay in Canadian Dollars (same rates!) Brochure and registration form are available from: ISSA Headquarters, 4350 DiPaolo Center, Suite C, Glenview, IL, 60025 Phone: (708) 699-6441; fax (708) 699-6369; or by sending E-Mail to: ISSA @ MCS.COM The event begins with Pre-Conference Specialty Seminars on Saturday and Sunday A Welcome Reception and Vendor Exhibition opening will be held Sunday evening - an excellent opportunity for networking! Each Day then begins with Registration at 7:30 and continental breakfast and Vendor Exhibition at 8:00. April 1 - Saturday (Pre-conference Activities) Four elective Full Day Seminars to choose among April 2 - Sunday The First CISSP Examination sponsored by (ISC)2 Two elective Half Day Seminars to choose 7pm Welcome Reception and Vendor Exhibition April 3 - Monday's Highlights: Welcome and General Session will include "How to Handle Internal Investigation and Establish Successful Compliance Programs" by Terry F. Lenzner, a former member of the Board of Overseers of Harvard University with a broad range of experiences in public and private legal investigations. AM Track Choices: 10:30-noon A1: Gale Warshawsky of LLNL will explore the merits and processes of Making Computer Security Information Available Electronically B1: Charles Blauner of Bellcore will Introduce the security issues involved in the use of Distributed Systems. C1: Francis Labayen and Kimberly Clair of Andersen Consulting will discuss LAN Security issues by component, and their corresponding solutions. D1: Vendor panel: Viruses: an opportunity to see a virus contained and neutralized, as well as learn from leaders in the field how to avoid the beasties! E1: Lessons Learned: Richard Heffernan and William Haywood increase the participant's awareness of threats to intellectual property from industrial espionage. Lunch in the Exhibit Hall After Lunch Track Choices 1:30-3:00 pm A2: Rebecca Duncan of DataPro gives a blueprint for effective network security strategy. B2: Charles Blauner of Bellcore leads a discussion of OSF Distributed Computing Environment (DCE) and its security capabilities. C2: Robert Kane of Intrusion Detections describe Best Practices for Securing Novell Netware LANs. D2: Vendor Panel: PC Security Solutions, and the extent of their effectiveness. E2: Lessons Learned: Jamie Trainer examines a real world example of securing a multinational 1400 heterogeneous node network of workstations and PCs. Late PM Track Choices: 3:30-5:00 pm A3: Peter Davis' Manager's Guide to Internet Security B3: Tsvi Gal, Bank of America; discusses protecting "the network is the computer." C3: Ed Blackwell presents "Primer for PBX and Voice Mail Fraud" D3: Vendor Panel: Disaster Recovery - Business Resumption E3: Lessons Learned: L. Dain Gary, CMU SEI, Internet Security and CERTSM Late-Late Birds of a Feather and Committee meetings April 4 - Tuesday Highlights: Plenary: Crossroads, by Steven J. Green, University of Houston; application and development of computer and communications security responsibility with in the work setting. AM Track choices: 10:30-noon A4: Teresa Donatelli and Ann McHoes present a detailed discussion of Developing a Security Awareness Program B4: Will Ozier moderates a panel discussion of the activities of the ISSA GSSP committee in establishing Generally Accepted System Security Principles. C4: John Clark, Andersen Consulting discusses risks introduced by Frame Relay technology. D4: Vendor Panel; Pros and Cons of Encryption; determining your need for it. E4: Sadie Pitcher Department of Commerce Disaster Plans. Lunch in the Exhibit Hall After Lunch Track Choices: 1:30-3:00 pm A5: Charlotte Greig, Wells Fargo Bank; How to get (management's) Attention for Information Security Awareness Part I. B5: Allan Cobb, York University; The Architecture of Audit Facility for a Distributed Application: using OSF DCE in university student application processing. C5: Douglas Conorich, RAXCO, Strengths and weaknesses of TCP/IP Network Security. D5: Vendor Panel: What a network manager should consider in Distributed Informations Systems Security Management. E5: James P. Litchko; Internet Threats and Countermeasures. Late PM Track Choices: 3:30-5:00 pm A6: How to Get Attention for Information Security Awareness - Part II B6: Gary Baker, Ernst & Young; "Distributed Computing and Client Server - An Auditor's Perspective" C6: Ed Blackwell, "Value Added Networks Security Pitfalls" Using the security features provided by VANs. D6: Vendor Panel: Discuss the security ramifications of network components (routers, bridges, etc.) E6: Fred Sanborn, Booz, Allen and Hamilton; Securing the Enterprisewide Network. Late-Late Birds of a Feather and Committee meetings 5:00-6:30 pm Special ISSA Social Event 7-9 pm April 5 - Wednesday Highlights: Annual Meeting of The Information Systems Security Association AM Track choices: 10:30-noon A7: Alex Woda, "How to Secure, Audit and Control EDI"- a practical approach. An EDI audit program will available for participants B7: Colin Rous, Cerberus, "Distributed Computing and Client/Server Security: What it means for the Security Administrator." C7: Robert Clyde, RAXCO, "Multi-Platform Enterprise Security Management" C8: Panel: Security Issues for Electronic Commerce", Loreto Remorca and David Lyons, moderators. D7: Vendor Panel: Awareness and Training; ideas and solutions you can incorporate into your program. E7: Bart Burron, Auditor General Canada, "A Top Down Computer Security Assessment for Senior Management." After Lunch Committee Meetings 1 - 3 pm April 6 - Thursday: (Elective) CISSP Preparation Course. This session will assist in preparation for the CISSP exam and explain test contents as well as the tools and methods for preparation. Make your room Reservations with the Sheraton, and tell them you will be attending the 12th Annual ISSA Conference and the rate will be $127 (plus 15%) For more information call ISSA headquarters (708) 699-6441.
Please report problems with the web pages to the maintainer