The RISKS Digest
Volume 19 Issue 96

Tuesday, 15th September 1998

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

NY Times Web site attacked (Epstein Family, Dave Farber)
5th SRI squirrelcide causes 18.5-hour outage (PGN)
Starr galactic dispersion avoided black holes except for USGovt (PGN)
Sexy risks of searching for MP3 (Sidney Markowitz)
'Whois' blocks abusers domain database (Doneel Edelson)
Y2K legal settlement (Keith Rhodes)
Problem of signs — signs of problem (Mich Kabay)
An inverse story (G. Roussos)
Re: "Windows NT Security" (Mike Perry)
Re: Rocket blows 12 Globalstar satellites (Eugene)
Privacy Digests (PGN)
Info on RISKS (comp.risks)

NY Times Web site attacked

Epstein Family <jepstein@mail.mnsinc.com>
Tue, 15 Sep 1998 08:08:27 -0400
According to *The Washington Post*, 14 September 1998, *The New York Times*
web site was repeatedly hacked over the weekend by attackers who replaced
the home page with one "containing images of bare-breasted women", and also
"attacked the newspaper and two reports, using vague threats and creative
spelling".  The attackers claimed to be defenders of Kevin Mitnick, who is
currently in jail over a number of hacking episodes of his own.

The article explains that the NYT staff removed the attackers' web page and
replaced it with their own, only to be hacked again.  The tug of war between
the two versions went on for two hours, before the NY Times took their site
off the air for several hours to prevent further attacks.  The FBI is
investigating, and claims to be familiar with the attacker group
[Hacking for Girlies].  [Total time reportedly 9 hours]

http://www.washingtonpost.com/wp-srv/WPlate/1998-09/14/138l-091498-idx.html

[As the NY Times and Washington Post are fierce competitors for title of
"best newspaper", I wonder how much glee the WP got from reporting this
story :-) ]

  [In their 14 Sep 1998 article, *The NYT* quoted George Washington
  University professor Lance Hoffman: "The material posted by the hackers is
  offensive, childish, threatening and chilling.  It's a good example of why
  we have to bring accountability to the Internet."

  In the 15 Sep 1998 *San Francisco Chronicle*, Jon Schwarz quoted Ira
  Winkler as saying ``Any Web site — no matter how secure — can be
  hacked.''  Although we often cite *The NYT* writers in RISKS, I guess
  *The NYT* management is not *reading* RISKS.  No surprises here.  PGN]


NY Times Web site attacked

Dave Farber <farber@cis.upenn.edu>
Mon, 14 Sep 1998 22:06:33 -0400
While *The Times* hacking was illegal, it should teach us a lesson.

I would like to propose a more sinister event ... . Suppose someone who was
more clever hacked *The New York Times* Web page not to destroy it but to
modify a piece of news. Say, for example, the person, better yet a group, at
9am inserted into the business page a news item with a very downbeat news
item on a company — preferably a widely traded company with a good short
showing. It would, no doubt, drive down the price and enable the short
sellers to make a lot of money while The Times/users recognized the breakin
and fixed it. A well organized version of this might be very hard to solve.

What would happen if there was an announcement of a, for example, coup in
Russia....

Times for places we trust to protect their windows to the public a lot
better than The Times seemed to have.

Dave


5th SRI squirrelcide causes 18.5-hour outage

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 15 Sep 98 08:13:05 PDT
Yesterday was one of those days when there was no power at work all day,
beginning just after 8am and continuing until 2:30 this morning.  ANOTHER
squirrel attack took down the main transformer, and prevented use of both
the cogeneration plant and public power.  As usual, some computer systems
were hosed and took further hours of work to restore.

See RISKS-8.75 for SQ#3, RISKS-16.46 for SQ#4, and RISKS-16.47 for a
protective measure that seems not to have been adopted by SRI.  To quote
from Where Have All the Flowers Gone, ``When will they ever learn?''
[For related items, see RISKS-17.91, RISKS-18.52 and 53.]

  [If your contributions and risks-requests bounced, please resubmit.]


Starr galactic dispersion avoided black holes except for USGovt

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 15 Sep 98 17:18:31 PDT
We noted in RISKS-19.95 that many sites mirrored the Starr report soon after
it was released.  As a consequence, although Net traffic was very high,
individual sites were not affected too dramatically — except for the three
government sites (loc.gov, house.gov, and gpo.gov), which were so saturated
that they were effectively nonexistent.  Once again, there was a beneficial
effect from not putting all of the eggs in one basket.

Various folks have noted that if the Communications Decency Act
(subsequently declared unconstitutional) were in effect, the Starr Report
(subsequently declared indecent) might have resulted in fines of $250,000
and 5 years in prison to those posting it on the Internet.  An Associated
Press item on 15 Sep 1998 estimated that almost 6 million people had read
the Starr report via the Internet.  (... well, maybe browsed.)


Sexy risks of searching for MP3

"Sidney Markowitz" <sidney@sidney.com>
Fri, 11 Sep 1998 13:53:43 -0700
Related to PGN's parenthetical comments in RISKS-19.95 (which you can find
in that issue by searching for the words "sex" and "MP3"), I was searching
for Grateful Dead bootleg recordings (not pirated!) in MPEG3 format and was
surprised that many of the links that came up were porn sites that had no
mention of MP3 nor Grateful Dead. Investigation revealed that the HTML
source for the porn sites contained META tags with repetitions of the words
"MP3" and a long list of rock bands, designed to fool the search engines.
Add in to the mix the practice of many of these porn sites to spawn new
browser windows when you try to back out of them (there has to be a pun
there, somewhere) and I'm sure there are a number of risks for the unwary
surfer.

sidney markowitz <sidney@sidney.com>


'Whois' blocks abusers domain database

"Edelson, Doneel" <doneeledelson@aciins.com>
Mon, 14 Sep 1998 14:57:05 -0500
From Yahoo News -

Monday September 14 2:17 PM ET
'Whois' blocks abusers domain database
By Randy Barrett, ZDNet

Network Solutions Inc. is blocking certain companies from using its public
database of domain name holders.  NSI's Whois database contains detailed
information on 2.3 million Internet domain name recipients who have
registered through NSI's InterNIC service.  The listings, which include
name, postal address, telephone numbers and e-mail addresses, were designed
primarily to help network operators communicate with domain holders. But
Whois has become increasingly popular with companies that mine the list for
direct mail marketing campaigns and subsequently burden its servers.  "You
don't have to tie up all the bandwidth [to mine the list]," said David
Holtzman, NSI's senior vice president of engineering.

Hits soaring

NSI allows mining of the Whois database, but in the past two months, the
number of hits to the site has doubled every 20 days, Holtzman said. In
June, the site received 12.2 million hits. In July, that number jumped to 21
million. The August statistic was not available.  Holtzman found that 32
percent of the Whois traffic - more than generated by all of Europe - was
initiated by a single company. He won't name names but said two companies in
particular badly abused the database and are now locked out. The culprits
initiated parallel sessions via HyperText Transfer Protocol with multiple
computers and slowed down by 50 percent access to Whois for the rest of the
Net.  "I interpret it as a denial-of-service attack," Holtzman said.  But,
in this case, the companies' motives appeared more impatient than
nefarious. Holtzman at first tried to meet the demand by adding new hardware
but finally gave up and filtered the two companies instead. Whois access
speeds are now improving, he said.

Can identify source

Numerous domain name holders said they regularly receive direct mail
marketing solicitations from such companies as American Express Co. and
Verio Inc. and can tell by the addressing that the source is Whois.  "Every
time I register a domain, I get paper junk mail from Verio telling me what a
swell idea it would be to use their service. It's quite clear what they're
doing, since it always comes to the contact listed for the new domain, which
I always list care of my company," said John Levine, author of the book
Internet for Dummies.

NSI even uses the database for its own marketing. Last month, the company
sent out e-mail messages to domain holders advertising digital
identification services from VeriSign Inc.


Y2K legal settlement

<rhodesk.aimd@gao.gov>
Mon, 14 Sep 1998 10:45:06 -0500
Produce Palace International, a grocer in Warren, Mich., has accepted
$250,000 from Tec America Inc. of Atlanta (a subsidiary of the Tec
Corporation, an affiliate of Toshiba of Japan), which makes its cash
registers and credit-card verification systems.  (The plaintiff's attorney
claimed this is the first reported Y2K settlement.)  Produce Palace said the
entire system routinely crashed when a single register was presented with
credit cards with 00, for the Year 2000, in the expiration date, with
crashes one-fifth of the days over a 500-day span.  The case was filed in
1997.  David Nadler (a Washington lawyer) was quoted saying, "It's a
lemon-law case dressed up in year 2000 clothing."  [Source: *The New York
Times*, 14 Sep 1998]


Problem of signs — signs of problem

Mich Kabay <mkabay@compuserve.com>
Tue, 15 Sep 1998 08:23:12 -0400
At Logan Intl Airport in Boston on 14 Sep 1998, there was a lot of milling
about and frustration as people entered the lineup for a Business Express
commuter flight to Philadelphia.  The flight that was boarding was actually
for Halifax, Nova Scotia, and Philadelphia passengers were being turned
away.  They would then go to the harried flight attendant at the counter for
an explanation, causing yet more delays as they interfered with newcomers
trying to register for later flights.

The problems were caused by the electronic announcement board, which clearly
showed that the Philadelphia flight was boarding even though it wasn't.

A few minutes later, while the Philadelphia flight, now 10 minutes late, was
_really_ boarding, the board entry winked out, giving the impression that
the Philadelphia flight had left.  Late-coming Philadelphia passengers now
besieged the desk in panic demanding to know what they would do having
supposedly missed their flight.

I asked the agents why the board was inaccurate; could they not adjust the
flight information?  No, said the agent, it was all computer-controlled and
there was nothing she could do about it.

The flight attendant on the little commuter plane to Philly was apparently
better-informed.  The flight status is controlled by a human being in
operations (via a computer program, of course).  In the absence of feedback,
the signs are causing more trouble than if they were turned off.

The fundamental problem is that no one is integrating information about late
flights or allowing for real-time information from the gate.  An information
system based on theory isolated from reality is bound to fail.

I will send a copy of this message to the president of Business Express so
he will see to a simple improvement: allowing for feedback from the gate.

M. E. Kabay, PhD, CISSP / Director of Education
ICSA, Inc. <http://www.icsainc.net>


An inverse story

<g.roussos@ic.ac.uk>
Sun, 13 Sep 98 22:54:40 BST
RISKS frequently reports problems caused by cut cables to voice or data
communications, as a result of work of the [insert your favourite public
utility here]. Especially those of you who suffered such fortune may be
interested to know that on Friday night a worker of Cable and Wireless, UK,
damaged a British Gas pipe while repairing phone lines in Chiswick, West
London. As a result approximately 1,400 people had to be evacuated and had
to spend the night away from their homes. [ITN News, Sat 12/9/98]


Re: "Windows NT Security" (Frankston, RISKS-19.95)

<Mike_Perry@DGE.ceo.dg.com>
Fri, 11 Sep 1998 22:02:36 edt
All of Bob's concerns about what access is really needed, different roles,
the problems of "super" users, and the basic requirement of always being
able to just trust the system are addressed by B2 operating systems.

Mike

  [Well, not all, but many.  But then, there are very few B2 systems,
  and system developers are not very eager to develop any more.  PGN]


Re: Rocket blows 12 Globalstar satellites

"Eugene" <eugene@stcu.kiev.ua>
Mon, 14 Sep 1998 08:57:42 +0300
Yuzhnoye is not in Russia.  It is in the Ukraine.  Eugene

  [Spasi'ba!  PGN]


Privacy Digests

<RISKS moderator>
17 Apr 1997
Periodically I will remind you of TWO useful digests related to privacy,
both of which are siphoning off some of the material that would otherwise
appear in RISKS, but which should be read by those of you vitally interested
in privacy problems.  RISKS will continue to carry general discussions in
which risks to privacy are a concern.

* The PRIVACY Forum is run by Lauren Weinstein.  It includes a digest (which
  he moderates quite selectively), archive, and other features, such as
  PRIVACY Forum Radio interviews.  It is somewhat akin to RISKS; it spans
  the full range of both technological and nontechnological privacy-related
  issues (with an emphasis on the former).  For information regarding the
  PRIVACY Forum, please send the exact line:
     information privacy
  as the BODY of a message to "privacy-request@vortex.com"; you will receive
  a response from an automated listserv system.  To submit contributions,
  send to "privacy@vortex.com".

  PRIVACY Forum materials, including archive access/searching, additional
  information, and all other facets, are available on the Web via:
     http://www.vortex.com

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
  run by Leonard P. Levine.  It is gatewayed to the USENET newsgroup
  comp.society.privacy.  It is a relatively open (i.e., less tightly moderated)
  forum, and was established to provide a forum for discussion on the
  effect of technology on privacy.  All too often technology is way ahead of
  the law and society as it presents us with new devices and applications.
  Technology can enhance and detract from privacy.  Submissions should go to
  comp-privacy@uwm.edu and administrative requests to
  comp-privacy-request@uwm.edu.

There is clearly much potential for overlap between the two digests,
although contributions tend not to appear in both places.  If you are very
short of time and can scan only one, you might want to try the former.  If
you are interested in ongoing discussions, try the latter.  Otherwise, it
may well be appropriate for you to read both, depending on the strength of
your interests and time available.
                                                  PGN
