Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
After a shutdown of 6 months during which the LEP vacuum system was opened at many locations, the accelerator was started up on 14 June 1996. After 5 days of machine studies it became clear that there was an obstacle inside the LEP vacuum chamber close to Point 1. On the morning of 19 June the vacuum system was opened and 2 empty beer bottles, some 5 metres apart, were found inside the beam pipe. This incident has caused a 5 day delay in the setting up of the accelerator and will result in a reduction of about 10% of the time available for running LEP2 at the W pair production threshold (161 GeV) in 1996.
According to the 24-30 June issue of *Space News* the 4 June 1996 explosion of the Ariane 5 rocket was caused by software in the inertial guidance system. Apparently an inertial platform from the Ariane 4 was used aboard the Ariane 5 without proper testing. When subjected to the higher accelerations produced by the Ariane 5 booster, the software (calibrated for an Ariane 4) ordered an "abrupt turn 30 seconds after liftoff", causing the airframe to fail. The article notes that a request to test the inertial platform under conditions similar to those produced by the Ariane 5 was "vetoed by CNES for budgetary reasons." Sextant Avionique, the builder of the inertial platform, has since performed these tests and confirmed that it would fail in an Ariane 5 launch. We are again reminded that crashing a simulator is lots cheaper than crashing a vehicle. Andrew C. Fuller Raytheon E-Systems | Box 12248 | St. Petersburg, FL 33733 email@example.com (813)381-2000 x3194 | Fax:(813)381-3329
[Via Bruce_Walter@ccmail.orl.mmc.com and Bob Schaefer <firstname.lastname@example.org> ] "tom briggum" <email@example.com> Don't know the validity of the following, but it sounds authentic to me. Talk about your major C4I problem! ... Tom Briggum >From: gwinn[SMTP:firstname.lastname@example.org] Sent: Wednesday, June 26, 1996 11:48 AM To: osswgx Subject: The Millennium comes early to GPS I have good news and I have bad news. The good news is that GPS will not have a "Year 2000" problem. The bad news is that GPS System Time will roll over at midnight 21-22 August 1999, 132 days before the turn of the millennium. On 22 August 1999, unless repaired, many or all GPS receivers will claim that it is 6 January 1980, 23 August will become 7 January, and so on. I would expect that some manufacturers have already solved the problem, but many have not. The details: Section 3.3.4(b) (page 33) of the ICD-GPS-200 rev B (30 November 1987 issue) states that the GPS Week count starts at midnight 5-6 January 1980 UTC (Julian Date 2,444,244.500), and that the GPS Week field is modulo 1024. This means that the week count will roll over 1024/52= 19.69 years from then, or in 1980+19.7= 1999, only a few years from now. Specifically, first rollover will occur at Julian Date (2,444,244.5 + 7*1024)= 2,451,412.500, which is midnight 21-22 August 1999 UTC. I could find no mention of any field in any GPS message that would tell you which 1024-week cycle you were in. In the July 1993 update of ICD-GPS-200, a note has been added (also on page 33) saying that the week number *will* roll over, and that users must account for this, but no way to accomplish this is mentioned. I take this note as further evidence that there is no way to tell, given only the signal-in-space definition as of July 1993. I have gotten some e-mail traffic indicating that, just as I had suspected, some manufacturers did realize that GPS would soon roll over, and were keeping it to themselves in the hope that the others would fall upon their swords. Not pretty. Our supplier was dumbfounded when I raised the issue, couldn't stop thanking me for pointing it out years before rollover. They clearly feel that it could have been a life-threatening disaster for them. Every GPS-related product they had ever made would have come back for repair, under warrantee, all at once. Too close for comfort. And, discovered by luck. The firmware in all older units will have to be replaced. This would involve replacement of PROMs; some are socketed, some are soldered. New units presumably will know better than to claim dates from before they were manufactured, and/or will allow the user to directly or indirectly tell the firmware which 1024-week cycle to assume, without requiring replacement of that firmware at the second rollover, in 1980+(2*1024/52)= 2019 AD. Some of this equipment will still be in use then, long after the manufacturer has forgotten the product. However, in spite of everything, not everybody will get the message, so system software will forever have to have an independent idea of what year it is, to know when to disbelieve a receiver or receivers (they could all be wrong), and to handle arguments between various GPS receivers (if only some are wrong). Without a GPS Simulator, there is no way for users to test a GPS receiver for this problem. All most users can do is to ask their manufacturer for a solution, and also to imbue the system software with a suitable degree of skepticism about GPS receivers' sense of time. My intent in posting this note is to alert the entire industry to the problem, allowing it to be solved with minimal disruption to all. As a technical matter, the solution is quite simple. It's the logistics that will take some years. Joe Gwinn
Courtesy of PA News via CompuServe's Executive News Service: POLICE COMPUTER SNATCHED FROM DETECTIVE'S CAR PA News 30 Jun 1996 Police Computer Stolen By Tim Moynihan, PA News <> A police computer has been stolen from a senior officer's <>car, it was confirmed today. <> Two youths snatched the laptop from a car being driven by <>Detective Superintendent Brian Edwards, who investigates major <>crimes in central London. <> Scotland Yard declined to comment on whether there was <>sensitive material on the computer though they stressed it was <>"security protected". o Taken by two youths when the car was stopped in traffic at about 1740 hrs Thursday June 27, 1996. o Police dismissed a report that the laptop contained information about two current, notorious cases, the Lawrence stabbing and the death of Member of Parliament Stephen Milligan, who was found naked except for suspenders and stockings with a plastic bag over his head and a noose of electrical cord around his---neck. <> Police advice to the public is not to put valuable items on <>the back seat, but to keep them in the boot. [DMK: Article makes no mention to the state of consciousness of the driver of a police car stopped in traffic. TBFTGOGGI (there but for....)] Dave Kennedy [CISSP] InfoSec Recon Team Chief, National Computer Security Assoc.
The online Sydney Morning Herald (*) of June 28, 1996 contains the following phrases: "arjpgicial turf" and "The stereotypes Glover idenjpgied go like this" Someone has obviously done a search-and-replace to convert "tif" to "jpg" on the HTML source with the rather cryptic results above; I suspect the culprit is a single missing backslash - they've searched for '.tif' not '\.tif' The risk? Looking foolish by publishing nonsense. (*) To be found at <http://www.smh.com.au/> Tom McDermott : email@example.com
I still treasure the following response by MS Word's grammar checker. When it came to the following fragment: The School reviews applications by students . . . The checker highlighted *School reviews*, and asked: Is this a misspelling? Is it the expression *Rigor mortis*? [It may know better than us how effective the reviews were] John Colville, School of Computing Sciences, University of Technology, Sydney P O Box 123 Broadway, NSW, Australia, 2007 +61 2 514 1854
In RISKS-18.20, "Richard S. MacDonald" <firstname.lastname@example.org> describes how he had trouble buying some ZIP disks because "the computer is always right", even though it was wrong. In the UK, we have a sales tax called VAT, which is levied on most things at 17.5% (It's a lot more complicated than that, but that's outside the scope of this posting.) One of the things that it's not levied on are books, which are zero-rated. Recently, I went into my local Ford dealer to buy a workshop manual for my car. They wanted the price listed, plus VAT, since car parts are liable to the tax. I pointed out that the workshop manual was a book, and therefore zero rated, but they said that the computer had no provision for selling zero rated items. Presumably, this is because car dealers are unlikely to sell the most common zero rated items (food, children's clothing, er, books). In the end, they manually calculated what the price had to be such that the price including VAT (which the computer insisted on adding) was the price excluding VAT, and they charged me that. Of course, this makes their VAT accounts wrong, which the Customs & Excise (who administer VAT) take very seriously. Afterwards, I called the Customs & Excise to confirm my stance, and they said that it sounded like this dealer could do with an audit ... Hugh
Taking Metro line 6 in Paris from Etoile yesterday at around 9 am I arrived at Kleber and stood and watched while the station initiated departure signal sounded several times while the train didn't move. The train initiated departure/door-closure signal sounded as well but we still didn't move. Two other trains arrived on the parallel track and then departed, ahead of us, although we were on the 'primary' track. They had been diverted to the 'secondary'. I some fit of desperation I looked out from the first carriage and saw the machiniste (driver/motorman) appear from this small cabin at the head of the train with a cup of coffee (I presume). He then entered his compartment and the train departed. I can only assume that he was counting on the automatic re-routing of the subsequent trains. Or perhaps he signaled some sort of problem, while he made his coffee. Trains leave Etoile about every minute or less and then can be re-routed back to Etoile from Kleber to alleviate congestion on the platform. As I got off at Passy I remembered the story, reported in RISKS, about the Victoria line Tube train that departed without its driver. If only I'd been so lucky.
The HERF-against-banks-story from the Sunday Times 3 weeks ago was somewhat overhyped and has a lack of facts.. I have collected some facts on real blackmail attempts performed in Germany on a much lower, but maybe comparable level. Since February 1996 until last week a person named Markus S=F6hnke Ungerb=FChler was calling German banks and corporations, claiming he was a member of the Chaos Computer Club and has hacked the corporate computer system. He claimed, that he has his hands on data that proves tax manipulations and other illegal activities of this company. He also claimed the hacking of several systems in main German press magazines like stern and Spiegel. Ungerb=FChler asked the banks and companies for paying him some 1000 Deutschmarks for giving them the data "back". Another scheme was to ask for payment for removing allegedly planted negative-stories from the press computers. As known by now all of some dozen companies and banks paid in panic reaction for avoiding any press coverage. Only a very, very small minority of victims asked the police for help - after paying. In several cases Ungerb=FChler handed out some disks with the "data" in exchange for the money. These disks were empty. Mr. Ungerb=FChler has escaped in February from an psychiatric hospital, where he was arrested cause of being an proven schizophrenic and blackmailer. He started his activities two days after his getaway. He based in London and operated via some Fax- and Voicemail boxes. The investigation of the case was difficult, cause none of the victims was willing to prove the identity of the blackmailer for the police etc. (Ungerb=FChler used to show money couriers from the banks his authentic passport to prove he is the right person to receive the money) He is definitely not a member of the Chaos Computer Club and is, as far as known by now, unable to hack into computer systems. He is simply a confidence trickster. The case shows, how fast and easy big companies pay, if they fear press coverage of real or alleged problems. They pay to everyone who believable claims to be _able_ to perform hacking or electronic attacks. In the light of this case, I could imagine, that around 40 banks in London City have paid for being not attacked by HERF - without the real prove, that the blackmailers own such weapons. There is a real huge amount of irrationality in computer security issues, especially in the financial sector. It seems like no one trusts his security measures. As I have learned in this case, these security-guys are thinking all the time in a worst-case manner and if the worst case occurs they are unable to react rational. You did not need Schwartau-style doomsday-weapons for getting lots of money - ou only have to be eloquent and know the right buzzwords. Finally the Ungerb=FChler-case was mainly fixed cause of massive activities of an well-known international security company paid by one of the victims, not cause of so good cooperation between police and the victims. Frank (source: partly from Der Spiegel 24.6.1996, http://eunet.bda.de/bda/int/spon/magazin/gesel02.html)
Richard L. Wexelblat writes: >Special note: I work for the IRS and have a work-related vested interest >============ in _not_ having the Department of Defense involved in > contracting for IRS software and systems. Therefore, > despite any claims of non-bias below, I am clearly > "interested" in the classical sense of the word. My special note: I work for the Army as a civilian. >That part out of the way, I'd like to say (as a private citizen, a >tax-and-spend liberal, and an almost-always defender of free speech and the >right of the citizen to privacy) that the present initiative by Congress to >have DoD become the contracting agent for IRS system and software >development is a clear and present danger to privacy in the Republic in >which we stand. I think it is funny that somebody from the IRS has the GALL to write about privacy worries about the DoD. This from a representative from an agency that wants access to all financial data from all its citizens. They want to know under criminal penalty about accounts outside the US borders. I don't even have to talk about the Social Security Number. >The initiative referred to above is in the "Subcommittee Mark" of the >proposed next year's budget. It's just a House Subcommittee so it's not >law, but it's a bad idea in my mind, even to consider it seriously. Is the >Department of Star Wars and the $700 toilet seat really so excellent a >contracting agency that they are the clear choice to handle IRS business? Typical attack based upon ignorance. First it is the Department of Defense. Second, he mentions the $700 toilet seat when in fact it was in the $600 range. For those who know about the $600 toilet seat, the cost is defensible. It was fabricated by an aircraft company at the request of the Air Force (not DoD). It was not mass produced and was made to AF specs. The company did not even want to make it. They produced it at cost. When a company produces a small amount of items they are expensive. I don't know the full details of the proposal. Is it the DoD, AF, or what agency that will procure the system? They do have separate procurement departments. They all operate under the FAR and Dod regulations but the AF and Army also have additional procurement regulations. >Well, that's my biased opinion, and I'd like very much to hear from >others who may have a more valid claim to disinterest! Well essentially there are no facts in this post. The IRS has already shown their incompetence in procuring ADP systems. If it is not the DoD, it might go to NASA or some other agency. Dennis
Where is the RISK? The term "Department of Star Wars" shows a political objection, not a technical one. The "$700 toilet seat" outrages usually turn out to be (a) priced the same as comparable civilian items; eg. aircraft coffee makers, emergency flashlights, or (b) priced according to procurement regulations imposed by Congress; $15 for the toilet seat, $685 for overhead and in any case do not tell us much about software development. True, the history of software development in the DOD is not a happy one, but then the IRS hasn't done very well in the past, either. In terms of privacy concerns, the IRS is *much* more threatening than the DOD. That threat is not changed if DOD contractors start writing IRS software. Having DOD develop software for the IRS does not especially strike me as one of the best ideas of the 1990s — but where's the RISK? Dr. Scott A. Renner The MITRE Corporation P.O. Box 716 Langley AFB, VA 23665 USA +1 804 766-4592 email@example.com
As an ex-liberal and small-l libertarian, I submit that the true danger to privacy in the Republic is the practice of gathering detailed financial information from all (law-abiding) Americans under threat of asset confiscation and jail terms, and then giving tens of thousands of government employees access to this information in the course of their employment. I further submit that passing a few wimpy privacy laws and expecting them to prevent this information from being used for personal and political purposes is magical thinking. It doesn't take a genius to surmise that IRS data is used regularly for illegal purposes by everyone from the sitting President (of either party) down to grudge-bearing neighbors and ex-spouses. I believe the IRS attempted to assess the depth of the problem in their Southeastern Region (where my mother worked) at one time, and stopped at well over 300 violations. You or I would have ended up at Leavenworth, but all but a few of the most egregious violators were simply warned not to do it again. You can take voluntary action to keep yourself out of the TRW/ Equifax/TransUnion food chain and off junk mail lists...but Federal law requires you to remain in the IRS's gunsights for your entire productive lifespan. Neither party supports privacy when it means privacy from the government; it is a Democratic president who is enthusiastically supporting the FBI and NSA in their efforts to prevent American citizens from using encryption that they can't break, and to require that every phone, fax, and modem in the United States contain a chip that would allow government agencies to tap in at will. Do I need to add here that the very concept of economic privacy is anathema to those who believe that a portion of everything you earn, keep, spend, or invest belongs to them, and that not handing over the fraction they demand is stealing from them? > Is the Department of Star Wars and the $700 toilet seat > really so excellent a contracting agency that they are the > clear choice to handle IRS business? I don't expect the IRS to be abolished anytime soon...but letting the DoD design its computer systems would be an acceptable second choice. The DoD may be expensive, but they're not very good. My fondest hope is that with a spanking new Government Issue computer system, the IRS that the GSA says can't figure out where 60% of its own budget goes won't be able to find 60% of mine. I don't like paying for $700 toilet seats (or $320,000 spotted owls) any more than you do. The solution which provides the smallest RISK to privacy is not to gather the data in the first place. If tax compliance is truly voluntary, then the IRS should trust that we are reading 21,000 pages of IRS rules and case law and sending in the correct amount. Long Pig
In Germany a new book has been published by Markus Gaulke that describes and illustrates (by citing hundreds of precise and real computer mishaps) the risks and dangers connected to the increasing use of information technology in all parts of human life. The book is very interesting reading, easy to understand and gives valuable insights. Unfortunately the book (344 pages) is published only in German so far (original titel: "Digitale Abgruende - Was die Computerbranche ihren Kunden verschweigt"; verlag moderne industrie, ISBN: 3-478-91510-4), but the author offers a Web Page in English about the contents of his book (http://members.aol.com/Secuinfo/welcome.html). Kirsten Raach, computer consultant
Please report problems with the web pages to the maintainer