Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
According to security sources cited by *The Sunday Business*, intruders have seized control of one of Britain's four military communication satellites -- over two weeks ago — and demanded blackmail for them to stop interfering with the satellite. [Source: Reuters item 28 Feb 1999, PGN-ed. (*)] [Several respondents remarked on this item, suggesting either that it was a hoax, or a very serious event that has been largely covered up. PGN] [* For those of you who might ask, "PGN-ed" is a new verbal noun form (or, if you prefer, a nounal verb pun) implying that the item has been abstracted, summarized, or otherwise adapted for RISKS without violating any copyrights, that is, ``PGN-ed'', which is intended to be pronounced either as ``pee-gee-en'd'' or ``pee-gee-en-ed'', according to your verbal and nounal linguistic preferences, respectively.]
The U.S. Department of Defense is still studying the software glitch that caused DOD's $184 million Global Transportation Network (GTN) to have up to eight-hour delays in the availability of updated worldwide logistics information during the December 1999 Desert Fox bombing operations, despite GTN having being designed to provide updates worldwide within 30 seconds. GTN has 23 interfaces with other systems. [Source: Article by Daniel Verton (dan_verton@fcw.com), Federal Computer Week, week of 22 Feb 1999.] [Reference added in archive copy. PGN]
Charles Schwab & Co's electronic brokerage Website and Street Smart computer system were off the air for an hour and one-half, beginning 5 minutes after trading opened on the NYSE on 24 Feb 1999. The outage was the result of a software upgrade to hook in a new mainframe system in Phoenix, which failed to take flight. This follows failures of other on-line brokerage systems (E-Trade, Waterhouse, Ameritrade, and Datek) in recent weeks. I guess the market pressures are too great for anyone to take the time to do it right. [Source: *San Francisco Chronicle*, 25 Feb 1999, B1. PGN-ed. However, the fledgling Phoenix system eventually rose from its ashes. Pigeon pennies, anyone?]
A police computer in Fort Worth TX made 1,300 phone calls to invite residents to a police community forum — beginning at 3 a.m. Sunday morning, instead of during the day. [Source: Reuters item 25 Feb 1999, PGN-ed. At least 400 people answered, and heard the programmed caller identified as "reverse 911" — which sounds like "YOU ARE IN TROUBLE" rather than "I AM IN TROUBLE".)
<http://www.theregister.co.uk/990301-000021.html> Today's [London] *Daily Mail* reports that mobile phones cause memory loss. This link was demonstrated by a hospital in Bristol, which attached transmitters to the heads of volunteers, some with microwaves, others with none. On subsequent tests of mental acuity, the radiated patients did significantly worse than the rest. [Presumably relative to their previous behavior. The report is rather vague. PGN-ed]
The $500M Abilene Network is planned as a 2.4 gigabit/sec link among a few dozen research universities. To demonstrate this, a doctor in Washington DC's Union Station will work with a surgical team at Ohio State performing laparoscopic surgery on a volunteer patient suffering from a gastrointestinal disorder [an Internaut? seeking gut reactions?]. [Source: Article by Ted Bridis, Associated Press, 23 Feb 1999, PGN Abstracting] [Plans for live surgery rather than just remote advice are in the offing. <Pun NOT INTENDED.> Hopefully, by then the reliability, security, and general availability of networked systems will have improved sufficiently that would avoid risks of computer and network outages during open-brain surgery. PGN] (Stephen Wolff of Cisco Systems Inc. was quoted as asking one of the RISKS-related questions that comes to mind: "Can a surgery and multiplayer Doom coexist on a network?" [Cisco supplied about $5 million worth of high-tech network equipment for Abilene.] [NOTE: They never discuss the stability of the network, do they? Why does this article remind me of the Star Trek episode where Dr. McCoy is rewiring Mr. Spock's brain? About half-way through the surgery — which McCoy had described as "child's play" just prior to the commercial break — McCoy starts to realize that he doesn't know what he's doing because the helmet he's wearing with all the knowledge in it is starting to fail? Anyone should be able to figure out when to launch the denial-of-service attack against the remote connection. Aren't there plenty of critical moments in just routine surgery? In this case, there's a world-class specialist helping out a not-so-world-class specialist, because the surgery is important for some reason. A bunch of untraceable broken packets have no place in delicate vascular surgery. KAR] [Archive copy corrected to Abilene. PGN]
[Source: ABC News Australia, http://www.abc.net.au/news/state/vic/metvic-26feb1999-15.htm] > Cardiac monitoring equipment in a number of Australian hospitals is at > risk of malfunctioning due to digital broadcasting interference. > Melbourne's Epworth Hospital claims heart patients were put at risk > recently because a television station was given the same digital channel > it uses to monitor heart patients. The hospital was unaware Channel Seven > had been sold a licence to use part of the spectrum for tests ahead of > digital broadcasting. The risk is obvious:
Computer system results in errors in patient medical records
"Edelson, Doneel" <doneeledelson@aciins.com> Fri, 26 Feb 1999 12:26:31 -0500Vancouver Hospital installed a new computer system in mid 1997 that sends pathology reports on-line to the attending physicians. However, the software did not automatically update the patients' charts (unless staff members used a special code, which apparently they usually did not), significantly delaying treatments and discharges, and increasing costs. [From Leonard Lee's Glitches of the week, Newsbytes News Network <http://www.newsbytes.com/>, 24 Feb 1999, PGN-ed] ["Leonard Lee is a nationally recognized consultant and frequent speaker on computer errors. Readers are encouraged to e-mail news clippings of interesting computer glitches at www.homestead.com/doctorglitch <http://www.homestead.com/doctorglitch>."]
Pentium III serial number is soft-switchable after all
"Peter G. Neumann" <neumann@csl.sri.com> Mon, 1 Mar 99 15:17:47 PSTAfter all the fuss about the risks of the Pentium III unique serial number, and Intel's claim that it can be permanently masked, a report from the German C't News says that despite Intel's claims, the ability to read the serial number can be turned on and off remotely under software control, without the user's knowledge. The trick uses only documented features. [Source: Christian Persson, *Computer Technology*, c't news, translated by Juergen Kuri, dated 24 Feb 1999, also noted by Leander Kahney in Wired News, 23 Feb 1999 [note the time difference; c't article preceded Wired], http://www.wired.com/news/news/technology/story/18078.html . PGN
Limiting liability for Y2K breakdowns
Edupage Editors <edupage@franklin.oit.unc.edu> Thu, 25 Feb 1999 13:35:16 -0500 (EST)A bipartisan group in the U.S. House of Representatives has introduced legislation that would limit litigation, lawyers' fees, and damages caused by Y2K-related computer breakdowns. Supporters of the bill claim that it would help avert Year 2000 problems, since the legislation would protect only those businesses and individuals who take reasonable actions to prevent them from occurring. (*The New York Times*, 24 Feb 1999, Edupage, 25 February 1999) [CA, FL, GA, HA, NV, and VA have already passed such laws. 31 other states are considering such legislation. There are of course also risks of this making the situation worse as well. PGN]
CIA predicts serious Y2K problems around the globe
"Keith A Rhodes" <rhodesk.aimd@gao.gov> Thu, 25 Feb 1999 09:12:16 -0500Amidst all the discussion of possible Y2K effects is the issue of foreign government preparedness. Air Force Gen. John Gordon, deputy director of the CIA, appeared at a hearing of the Senate Armed Services Committee and testified that other countries (including Russia) are far behind in preparing for possible crises, noting in particular breakdowns in nuclear reactors and strategic missile systems, midwinter power outages and disruptions in world trade and oil shipments. However, he discounted the possibility of accidentally missile launches due to Y2K. But he did add that malfunctions in temperature and humidity monitors could lead to incorrect information. He said that China will probably experience failures in key sectors such as telecommunications, electric power and banking. [Source: AP item by Jim Abrams, 25 Feb 1999, PGN Abstracting]
Y2K Test Fine Test Data Causes Problem (via Dave Farber)
Barry Frankel <bfrankel@ix.netcom.com> Sat, 27 Feb 1999 09:19:42 -0500Last October, PSE&G sent incorrect bills to 61,000 of their customers as a result of an operator error. Subsequent to testing their billing system for Y2K compliance, the residues from the test data were not properly removed, resulting in erroneous statements of past payments and amount owed. However, this error was announced only recently. [Source: New Jersey Online, *The Times* (Mercer County, NJ); this item has been PGN-ed from http://www.nj.com/mercer/times/stories/02-27-Q2BBFUMB.html .]
Self-inflicted single point of failure
Malcolm Pack <m.pack@cableinet.co.uk> Mon, 22 Feb 1999 06:51:30 GMTAt approximately 04:10 on Sunday 21 Feb 1999, a transatlantic communications link belonging to Teleglobe developed a fault. By 19:30 that evening the fault (whatever it was) was repaired. In the interim period, almost all Internet connectivity, both within and outside the UK, was lost to customers of Teleglobe, of one of its major partners (and my main ISP) Cable Internet, and other ISPs taking their feeds from these two companies, including many of the UK's new "free" services such as Telinco and Aardvaak. The situation was compounded by a mail server upgrade which Cable Internet started at 4am, as part of which *all* routes and DNS caching were reset. With no easy path to other countries, routers failed to discover new routes and DNS lookups failed consistently. I have access to another free ISP apparently unaffected by the cable outage; but found it too slow to be of any use. That this was caused by increased traffic as new routes were found, and increased logging-in by users abandoning their primary ISPs, is mere speculation; but my son had to do without a better translation than the one I could offer of a key passage in "Le Roman de la Rose" because of timeouts on many search engines and their results. All this is normal fare for the Internet. It is a non-guaranteed service, after all. That there were no backup routes in place even 12 hours after the failure is annoying, but I await an explanation of this from Cable Internet. I was more bemused by the number of people posting messages on Cable Internet's support newsgroup complaining that they were unable to run their Internet-reliant businesses because of Cable Internet's failure to provide a backup service. Naturally, not one of them had made his or her own provision for a backup by using another ISP. What this all says about single points of failure is self-evident. Malcolm Pack <m.pack@cableinet.co.uk>
Rhode Islander sentenced for hacking
"Peter G. Neumann" <neumann@csl.sri.com> Tue, 23 Feb 99 18:14:24 ESTSean Trifero was sentenced to one year in prison by a U.S. District Judge for intentionally damaging computer systems (Harvard, Amherst, a Florida ISP, and Alliant Technologies, including planting sniffers and denial-of- service attacks) and unauthorizedly accessing others (Arctic Slope Regional Corp. and Barrows Cable, Alaska), three years subsequent probation, 150 hours of community service, and $31,650 restitution. [Source: PRNewswire, 23 Feb 1999]
Profiling
Andrew Koenig <ark@research.att.com> Fri, 26 Feb 1999 11:08:01 -0500 (EST)Recently, my wife and I ordered a bunch of tableware from a local jewelry-and-china-and-crystal store. Because of our slightly unusual taste, we had the honor of being the first customers ever to order some of those items, which meant that the store had no entries in their database for them. They therefore separated our order into two orders, one for the items that their database knew about, and the other for the new ones. Because there were two orders, there were two charge tickets. Four days later, after we had finished dinner in a restaurant, and half an hour before curtain time for the play we were about to see, our waiter informed us that he had put our credit card through the machine twice, that it had been declined twice, and that he could call them and talk to them if we liked. The ensuing confusion, which took long enough to clear up that we came within eight minutes of missing our play, involved not only our waiter but the restaurant manager, who said that the credit card people had eventually approved the purchase, but that we were to call them at our earliest convenience. The problem, of course, was that two purchases in rapid succession at a jewelry store had tripped the credit card company's fraud detectors, so they wanted to be sure that we were still in possession of the card and that we had actually made those purchases. They had been meaning to call us, but hadn't gotten around to it yet. The risk? Expert-system profilers are adding all kinds of unwritten rules to our lives, with various kinds of inconvenience and harassment as the penalty for violating them. Andrew Koenig, ark@research.att.com, http://www.research.att.com/info/ark
Re: Store Baelt Bridge not Y2K safe (Weber-Wulff, Risks-20.22)
Mark Brader <msbrader@interlog.com> Sun, 28 Feb 1999 22:48:55 -0500 (EST)Not quite right. The west half of the Storebaelt crossing consists of a side-by-side road and rail bridge, but the east half has a separate road bridge while the railway uses a tunnel. It's the east bridge that opened last year; the railway (which is presumably the part with a Y2K problem) opened in April 1997 to freight and June 1997 to passenger trains. See <http://www.railway-technology.com/projects/denmark/> for a description of the crossing in English. (However, it never had the world's longest main span, as claimed; the Akashi-Kaikyo Bridge in Japan is longer and opened a month or two earlier.) Mark Brader, Toronto, msbrader@interlog.com
Re: Store Baelt Bridge not Y2K-safe (Weber-Wulff, RISKS-20.22)
Chris Bagge <CBB@delta.dk> Mon, 22 Feb 1999 11:14:14 +0100The problem is mainly not with the bridge, but with the double train-tunnel running in parallel. This tunnel was heavily delayed during construction, due to 'the-fault-that-cannot occur', as both tunnel were flooded! The only limit on the road bridge would be the toll-gates, and there is a fast (and cheap :-)) solution to that problem. Regards Chris Bagge
Computers, Freedom, and Privacy, 6-8 April 1999, Washington, DC
Dave Banisar <banisar@epic.org> Sat, 20 Feb 1999 15:01:54 -0500Register now for the cyber event of the year (cfp99.org) COMPUTERS, FREEDOM, AND PRIVACY: THE GLOBAL INTERNET WASHINGTON, DC Omni Shoreham Hotel April 6-8, 1999 For almost a decade, the conference on Computers, Freedom and Privacy has shaped the public debate on the future of privacy and freedom in the online world. Register now for the number one Internet policy conference. Join a diverse audience from government, industry, academics, the non-profit sector, the hacker community and the media. Enjoy the U.S. Capital in the Spring at one of Washington's premier hotels. * Keynote speakers include Tim Berners-Lee (Director, World Wide Web Consortium), Vint Cerf (President, Internet Society), Congressman Ed Markey (sponsor of "The Electronic Bill of Rights Act"), Congressman Ron Paul (sponsor of the Freedom and Privacy Restoration Act), Henrikas Yushkiavitshus (Associate Director, UNESCO) * Lively and thought-provoking panels on — "the Creation of a Global Surveillance Network," "Access and Equity on the Global Internet," "Anonymity and Identity in Cyberspace," "Free Speech and Cyber Censorship," "Is Escrow Dead? And what is Wassenaar?", "Self-Regulation Reconsidered" and more * Tutorials — "The Electronic Communications Privacy Act" (Mark Eckenwiler); "Cryptography: Basic Overview & Nontraditional Uses" (Matt Blaze and Phil Zimmermann), "Free Speech, The Constitution and Privacy in Cyberspace" (Mike Godwin), "Techniques for Circumventing Internet Censorship" (Bennett Haselton and Brian Ristuccia) Early Registration Deadline - March 15, 1999 Register on-line at http://www.regmaster.com/cfp99.html or call +1 407 628 3602. Registration inquiries may also be sent to mann@regmaster.com. For more information about CFP99, visit http://www.cfp99.org/ or call +1 401 628 3186 Sponsored by the Association for Computing Machinery David Banisar (Banisar@epic.org), Electronic Privacy Information Center, 666 Pennsylvania Ave, SE, Suite 301 Washington, DC 20003 http://www.epic.org
IEEE Security and Privacy Symposium, 9-12 May 1999
Jon Millen <millen@csl.sri.com> Mon, 01 Mar 1999 09:54:36 -08001999 IEEE Symposium on Security and Privacy Special 20th Anniversary Program 9-12 May 1999 The Claremont Resort Berkeley, California Sponsored by the IEEE Technical Committee on Security and Privacy In cooperation with the International Association of Cryptologic Research Symposium Committee: John McLean, General Chair Jonathan Millen, Vice Chair Li Gong, Program Co-Chair Michael Reiter, Program Co-Chair Advance registration deadline 5 Apr 1999. Abridged for RISKS. Full registration info: http://www.csl.sri.com/~millen/sp99prog.txt PRELIMINARY PROGRAM Monday, May 10, 1999 8:45am-9:00am Welcome: Chairs 9:00am-10:30am Systems, Session Chair: Roger Needham, Microsoft Research Hardening COTS software with generic software wrappers Timothy Fraser, Lee Badger, Mark Feldman TIS Labs at Network Associates, Inc. Firmato: A novel firewall management toolkit Yair Bartal, Alain Mayer, Kobbi Nissim, Avishai Wool, Lucent Bell Labs Flexible policy-directed code safety, David Evans, Andrew Twyman, MIT 11:00am-12:00pm Policy, Session Chair: Ravi Sandhu, George Mason University Local reconfiguration policies Jonathan K. Millen, SRI International A modular, user-centered authorization service built on an RBAC foundation Mary Ellen Zurko, Richard T. Simon, Tom Sanfilippo, Iris Associates 12:00pm-12:30pm Surprise 2:00pm-3:00pm Verification, Session Chair: John Mitchell, Stanford University Secure communications processing for distributed languages Martin Abadi, Cedric Fournet, Georges Gonthier Compaq Systems Research Center, Microsoft Research, and INRIA Verification of control flow based security policies T. Jensen, D. Le Metayer, T. Thorn IRISA 3:30pm-5:00pm Panel Discussion Brief History of Twenty Years of Computer Security Research Panel Chair: Teresa Lunt, Xerox PARC Panelists: G.R. Blakley, Texas A&M University 20 years of cryptography Virgil Gligor, U Maryland 20 years of operating system security (Unix as one focus) Steve Lipner, MITRETEK 20 years of criteria development/commercial technology Jonathan K. Millen, SRI International 20 years of covert channel modeling and analysis John McLean, NRL 20 years of formal methods Steve Kent BBN/GTE 20 years of network security Tuesday, May 11, 1999 9:00am-10:30am Intrusion Detection Session Chair: Cynthia Irvine, Naval Postgraduate School A data mining framework for building intrusion detection models Wenke Lee, Sal Stolfo, Kui Mok, Columbia University Detecting intrusions using system calls: Alternative data models Christina Warrender, Stephanie Forrest, Barak Pearlmutter University of New Mexico Detecting computer and network misuse through the production-based expert system toolset (P-BEST) Ulf Lindqvist, Phillip A. Porras, SRI International 11:00am-12:30pm Panel 2 Near Misses and Hidden Treasures in Early Computer Security Research Panel Chair: Stan Ames, MITRE Panelists: Tom Berson, Anagram Labs and Xerox PARC Marv Schaefer, Arca Dick Kemmerer, UC Santa Barbara 2:00pm-3:30pm Information Flow Session Chair: John McHugh, Portland State University A multi-threading architecture for multilevel secure transaction processing Haruna Isa, William R. Shockley, Cynthia E. Irvine U.S. Navy, Cyberscape Computer Services, and Naval Postgraduate School Specification and enforcement of classification and inference constraints Steven Dawson, Sabrina De Capitani di Vimercati, Pierangela Samarati SRI International and University of Milan A test for non-disclosure in security level translations David Rosenthal, Francis Fung Odyssey Research Associates 4:00-5:30pm Work-In-Progress (5-minute Presentations) Session Chair: Heather Hinton, Ryerson Polytechnic University Wednesday, May 12, 1999 9:00am-10:00am Authentication and Key Exchange Session Chair: Dieter Gollmann, Microsoft Research Software smart cards via cryptographic camouflage D. Hoover, B. N. Kausik, Arcot Systems Analysis of the internet key exchange protocol using the NRL protocol analyzer Catherine Meadows, Naval Research Laboratory 10:30am-12:00pm. Panel Discussion Time Capsule — Twenty Years From Now Panel Chair: Michael Reiter, Lucent Bell Labs Panelists: Mark Weiser, Xerox PARC, Future of computing Roger Needham, Microsoft Research, Cambridge Future of hardware technology Howard Shrobe, MIT AI Lab, Future of software technology Hilarie Orman, DARPA, Future of networking Brian Snow, National Security Agency, Future of Security
USENIX Workshop on Smartcard Technology, 10-11 May 1999
Jennifer Radtke <jennifer@usenix.ORG> Sat, 27 Feb 1999 00:14:52 GMT10-11 May 1999, McCormick Place South, Chicago, Illinois, USA For Researchers, Product Developers and Smart Card Deployers Review the full program and register online at http://www.usenix.org/events/smartcard99/ Save when registering before Friday, April 16, 1999
'99 USENIX Technical Conference, 6-11 June, Monterey CA
Jennifer Radtke <jennifer@usenix.ORG> Mon, 1 Mar 1999 23:40:46 GMTA conference by and for programmers, developers, and system administrators working in advanced systems and software. 1999 USENIX ANNUAL TECHNICAL CONFERENCE June 6-11, 1999, Monterey, California http://www.usenix.org/events/usenix99 TUTORIALS, 23 REFEREED PAPERS, FREENIX TRACK--Quality Technical Forum Devoted To Open Source Software. John Ousterhout, creator of Tcl/Tk, will focus his keynote on a fundamental shift in software development to integration applications.
FastAbstracts at FTCS29, 15-18 Jun 1999
Chuck Weinstock <weinstock@sei.cmu.edu> Tue, 23 Feb 1999 16:52:11 -0500The Fault-Tolerant Computing Symposium is being held in Madison Wisconsin, 15-18 Jun 1999. Continuing a new tradition at FTCS, we are pleased to announce the FastAbstracts session. FastAbstracts are intended as a mechanism to: - report on current work that may or may not be complete - introduce new ideas to the community - state positions on controversial issues ("Outrageous Opinions") Participants in this session will present a short talk (5 to 8 minutes including 1 minute for questions), and publish a concise and succinct (two pages) abstract in a printed proceedings. A web version of the abstract will also be available on the FTCS website. Full details regarding FTCS and the FastAbstracts submisson process are available at <http://www.ftcs.org>. Chuck Weinstock, FastAbstracts Chair, FTCS-29Please report problems with the web pages to the maintainer
xTop