The RISKS Digest
Volume 20 Issue 85

Friday, 24th March 2000

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Northwest grounded for 3.5 hours after cable cut
Tim Dixon
Patriot fails again
Lord Wodehouse
Iridium insidium
PGN
Leap-day banking ALERT!
Harlan Rosenthal
Weather.com leaves visitors in the cold
Jay D. Dyson
Cybercrime losses double to $10 billion
NewsScan
Massive credit-card theft exposed
NewsScan
Hacking credit cards is preposterously easy
Martin Minow
Laptop Security
Steve Loughran
Risks of Microsoft Passport
Avi Rubin
Actor sues eBay for causing identity theft
Jim Griffith
Re: MIT grade spreadsheet problem
Wm. Randolph Franklin
There *still* ain't no such thing as a free lunch
Malcolm Pack
Re: Hackers sued by software-filtering company
Bear Giles
Re: Internet voting
Adam Shostack
Report raises online privacy concerns
NewsScan
TWA includes others' e-mail addresses in bulk mailing
RA Downes
Re: Overdue Railtrack calls in the Army
Mark Nelson
Info on RISKS (comp.risks)

Northwest grounded for 3.5 hours after cable cut

Tim Dixon <tdixon.no@spam.fwi.com>
Wed, 22 Mar 2000 19:14:26 GMT
When will people learn?  Computerworld reports that Northwest Airlines had
to cancel about 130 flights during a 3.5-hour outage at their Twin Cities
hub.  It seems a contractor accidentally bored into the cable cluster
containing both main and redundant fibre lines.
  [http://www.computerworld.com/home/print.nsf/CWFlash/000322CBDE]

When will people learn they need to know where their redundancy lies?
Cables run through the same conduit are only partially redundant, as events
like this will happily take out all the cables in a conduit, making the
conduit itself a single point of failure.

  [It sure is a common thread in RISKS!  Thanks to the others of you
  who noted this case also.  PGN]


Patriot fails again

Lord Wodehouse <w0400@ggr.co.uk>
Fri, 24 Mar 2000 16:38:04 +0000
From the BBC:
http://news.bbc.co.uk/hi/english/world/americas/newsid_689000/689329.stm

Yet again the Patriot missile has hit the news.  Again units on high alert
status for long periods have developed problems.

  Tests have shown that missiles kept constantly on high
  alert have developed problems in receiving a radio
  frequency downlink, which guides the missiles in flight.

  General Kern said the Patriot's manufacturer,
  Raytheon Co., had guaranteed that the missiles would
  work properly if on high alert for a maximum of six
  months.

The full article provides more details.  However, the risks are 1) the missile
fails when required to work (seen before in the Gulf War) and 2) people
believe that the missile works, when it may not. The former means it is a
less reliable form of defence and the latter means people might assume they
are safe.

  [Of course checking the Raytheon web site shows nothing about this on the
  top page.  A search of their site does not seem to feature the story
  either.  Another risk here: absence of information.  John]

Global Research Information Systems, Glaxo Wellcome, Gunnels Wood Road,
Stevenage SG1 2NY UK  +44 1438 76 3222 http://ds.dial.pipex.com/lordjohn/


Iridium insidium

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 23 Mar 2000 7:55:01 PST
Jo Le Guen, the Frenchman who is rowing solo across the Pacific, is six weeks
into a four-month trip from NZ to Cape Horn in Chile, in hopes of raising
awareness of the plight of our oceans.
  [http://www.wired.com/news/print/0,1294,35077,00.html]

Rune Gjeldnes and Torry Larsen, two Norwegians, are attempting to be the
first known to ski from Russia to Canada over the North Pole.
  [http://dailynews.yahoo.com/h/nm/20000320/tc/iridium_norway_1.html]

What do they have in common?  Both efforts may lose their communications
lifelines when the plug is pulled on the Iridium satellite network at
midnight on 24 Mar 2000, after Iridium LLC failed to be rescued from
bankruptcy.  However, Motorola will attempt to keep the network running in
remote areas "for a limited period of time."  Le Guen gets his weather
forecasts from France, and talks with his doctor.  (He has some alternative
modes of communication, but with practical restrictions.)

  [Thanks to Mark Brader and George Mannes for the source material.]


Leap-day banking ALERT!

Harlan Rosenthal <H.Rosenthal@Dialogic.com>
Wed, 22 Mar 2000 09:37:17 -0500
This came from one of my staff. - harlan

> Check the bank statements carefully this month!!!
> My bank missed a posting made 29 Feb 2000.
>
> I was about to panic when I checked with the company to be paid - they did
> have the payment, received 29 Feb.  My bank account statement went from 28
> Feb to 1 Mar, the payment wasn't shown, and it looks like the amount was
> not accounted for.


Weather.com leaves visitors in the cold

"Jay D. Dyson" <jdyson@techreports.jpl.nasa.gov>
Mon, 20 Mar 2000 08:09:52 -0800 (PST)
The risk here?  Total reliance on a website.  Fortunately, my reality check
(an open window) gave me the 0day info on the genuine weather conditions.

This morning, I was told by my sweetie to go look at http://www.weather.com/
to see what the daily forecast is.  You can only imagine my surprise when I
saw this week's forecast for ZIP code 91109!

    http://www.weather.com/weather/us/zips/91109.html

    TODAY   Windy       hi 18F
                lo 7F
    TUE Partly cloudy   hi 19F
                lo 9F
    WED Partly Cloudy   hi 21F
                lo 9F
    THU Partly Cloudy   hi 22F
                lo 9F
    FRI Mostly Cloudy   hi 22F
                lo 9F
    SAT Showers     hi 19F  *
                lo 8F
    SUN Partly Cloudy   hi 22F
                lo 46F

    * I'd like to know how we're going to have "showers" when it's
      19 degrees F, too.

Now either I'm re-acclimated to Iowa-like weather very darn quick, or the
database is mixed up between Celsius and Fahrenheit.  This parka of mine is
just too darn warm, I tell ya!

Thanks go to my sweetie for mentioning this to me this morning, otherwise
I'd have froze to death!  ;)


Cybercrime losses double to $10 billion

"NewsScan" <newsscan@newsscan.com>
Wed, 22 Mar 2000 08:25:15 -0700
Financial losses attributed to malicious hacking, online corporate espionage
and other computer crimes probably doubled last year, according to a survey
by the Computer Security Institute.  The survey covered 643 major
corporations and public agencies that estimated their computer crime losses
at $266 million in 1999.  Based on that number, CSI estimates that total
losses attributable to computer crime are around $10 billion annually,
mostly from financial fraud and proprietary information theft.  However,
only one company in four surveyed reported the crimes in 1999, down 32% from
1998.  Suspected reasons for the decline are fear of bad publicity and
distrust of the FBI.  Based on the survey responses, 59% of the companies
said the computer attacks initiated from the Internet, while 38% said they
initiated from internal company computers.  [*Los Angeles Times*, 22 Mar
2000, http://www.latimes.com/business/20000322/t000027053.html, NewsScan
Daily, 22 Mar 2000]


Massive credit-card theft exposed

"NewsScan" <newsscan@newsscan.com>
Fri, 17 Mar 2000 09:43:17 -0700
In Jan 1999, a computer vandal stole information on 485,000 credit cards
from an e-commerce site and then secretly stored them in a database on a
U.S. government agency's Web site.  Although the theft was discovered in
March 1999 when a government administrator noticed that "a lot of the memory
(on the Web site) was chewed up for no reason, so he checked and found the
file (containing the stolen data)," many of the credit cards remain in use
today because credit-card companies and card-issuing credit unions decided
that it would be too much trouble to shut down the accounts and issue new
numbers, according to an unnamed source.  There is no evidence that any
of the cards have been used to commit fraud, and Secret Service spokesman
Jim Macken says investigations point to an Eastern European perpetrator.
It's unclear why the data was deposited on a government Web site, although
Macken suggests that it may be the online equivalent of thumbing one's nose
at U.S. authorities. [MSNBC 17 Mar 2000 http://www.msnbc.com/news/382561.asp
NewsScan Daily, 17 Mar 2000]


Hacking credit cards is preposterously easy

"Minow, Martin" <martin.minow@thinklinkinc.com>
Fri, 24 Mar 2000 08:39:16 -0800
The Register <http://www.theregister.co.uk/000324-000017.html> reports that
it is "preposterously easy" to hack many sites that collect credit card
information.

  One computer enthusiast well known to The Register, who goes by the alias
  'Ksoze' (as in Kayser [Kaiser?] Soze), shows particular contempt for the
  security of the popular CGI log-in forms which enable consumers to enter
  their credit details when making a purchase on line. These Perl scripts
  are ripe for exploitation — the real low-hanging fruit of the IP jungle.

  ... It's all too easy: "Just hit 'update account' and you get
  the form as filled in by customers," he says.

  ``**** are thieves, OK, but they're morons too. They supply a CGI to their
  customers named ccbill-local.cgi by default. Site administrators need that
  CGI to add users, update accounts, and so on; but **** supplies the CGI
  chmod-ed as world-readable, in a world-readable directory! Aren't they
  totally lame?''

Transcribed (with the CGI vendor name removed) by
Martin Minow, minow@pobox.com

  [Credit-card fraud worldwide is reportedly just under $1 billion a year,
  at about .7 percent of gross, but that represents only about 2% of banking
  losses.  Private communication.  PGN]


Laptop Security

"Steve Loughran" <slo2@iseran.com>
Fri, 24 Mar 2000 14:03:25 -0000
The BBC on line news, 24/March/00 covers an embarrassing laptop theft
     http://news.bbc.co.uk/hi/english/uk/newsid_688000/688814.stm

  MI5 laptop snatched
  Special Branch detectives are searching for a computer containing
  sensitive information on Northern Ireland after it was stolen from an MI5
  agent.  The 2,000-pound laptop was snatched as the agent stopped to help a
  passer-by at Paddington Underground station in central London.  Its data
  was encrypted and security officials are thought to be confident it could
  not be accessed.

The article continues with some opinions on how there is no such thing as a
``completely safe encryption system'', and the implications of the loss.

One must hope that the ``hibernate'' partition and swap file of the notebook
are also suitably encrypted, and that in the unlikely event that they are
using Windows 2000's encrypting file system, that all the files have
innocuous names.

As a recent Microsoft knowledge base article describes:
http://support.microsoft.com/support/kb/articles/Q248/7/23.ASP , their
encrypting file system only encrypts the contents of files, not the file
names.  Whereas an encrypted file ``secret plan to subvert the
government.html'' would not be readable, the fact that you had a secret plan
would be widely known...

    -Steve


Risks of Microsoft Passport

Avi Rubin <rubin@research.att.com>
Tue, 21 Mar 2000 14:33:05 GMT
Dave Kormann and I took a look at Microsoft's Passport protocol and
examined the risks. Our full paper is available at

  http://cs.nyu.edu/rubin/passport.html

Here is the abstract:

Passport is a protocol that enables users to sign onto many different
merchants' web pages by authenticating themselves only once to a common
server. This is important because users tend to pick poor (guessable) user
names and passwords and to repeat them at different sites.  Passport is
notable as it is being very widely deployed by Microsoft.  At the time of
this writing, Passport boasts 40 million consumers and more than 400
authentications per second on average. We examine the Passport single signon
protocol, and identify several risks and attacks.  We discuss a flaw that we
discovered in the interaction of Passport and Netscape browsers that leaves
a user logged in while informing him that he has successfully logged
out. Finally, we suggest several areas of improvement.

Avi


Actor sues eBay for causing identity theft

Jim Griffith <griffith@netcom.com>
Tue, 21 Mar 2000 14:17:58 -0800 (PST)
Jerry Orbach ("Law and Order", _DIRTY DANCING_, _FX_, and many others) is
suing eBay for allegedly allowing a user to auction two of his old acting
contracts.  Reportedly, the scanned images of the contracts showed his
Social Security number, which allegedly resulted in credit card fraud.

http://www.cnn.com/2000/SHOWBIZ/News/03/21/showbuzz/#story2


Re: MIT grade spreadsheet problem (Lutton, RISKS-20.84)

Wm. Randolph Franklin <wrf+risk@mab.ecse.rpi.edu>
Tue, 21 Mar 2000 17:38:49 -0500
That sort of problem is a constant worry to large-course coordinators, who
have to assemble grades submitted by various graders into one database,
while adding and deleting students from the classlist.  As students are
added, formulae must be copied, relatively, and summation ranges must be
extended.  One wrong mouse click can invisibly drag a cell somewhere else.

One obvious check, which was not made, is to sample a few students, and
check for reasonableness.  An after-the-fact check is to give the students
complete info about the inputs and outputs for their individual grades.
However, that's not so easy.  At times, I've used nested shell scripts to
e-mail each student.  At other times, I've created a separate AFS directory
for each student, permitted to only that person.

One deep reason for the problem is as follows.  It's hard to destroy or
mutilate info on paper.  It's easy to delete info from a computer file.
This sort of user interface and metaphor problem is one of the areas in
which Computer Science has not advanced in decades.

Does anyone remember the Florida contractor who used Lotus to prepare a bid,
which was too small since his summation range was too small?  He won the
bid, then sued Lotus, leading to a cover story in (I think) Business Week.

Wm. Randolph Franklin       wrf+risk@mab.ecse.rpi.edu (PGP available)
http://www.ecse.rpi.edu/Homepages/wrf/

  [WRF is undoubtedly referring to the SYMPHONY case:
    Lawsuit vs Lotus' Symphony dropped (omitted General Costs
    proposal section)(ACM Softw.Eng.Notes 11, 5, RISKS section,
    pp.11-12, October 1986, and SEN 12 1, January 1987).  PGN]


There *still* ain't no such thing as a free lunch

Malcolm Pack <mpack@email.com>
Sun, 19 Mar 2000 08:05:19 +0000
On 14 Mar 2000, Stephen King's latest Novella, published only as an
Electronic Book, was made available "free of charge" by Barnes and Noble on
the company's web site.  Thanks to recent upheavals in the UK Telco/ISP
marketplace, for once this truly was a "free" offer, since I would be able
to download the book without incurring metered telephone call charges.

The book was available in three formats:

o RocketBook
  Only for owners of a NuvoMedia's physical Rocket Book device.
  Those of us in possession of the eBook software were SOL.

o GlassBook
  A new (to me) format that required the download of a
  free-of-charge reader that includes Adobe PDF technology,

o Adobe PDF
  To be sent by e-mail.

Having discovered that the Rocket edition was not available to me, I
requested an e-mail copy (for which I am still waiting) and decided to
download the free GlassBook version with its free viewer.

I won't go into the length of time it took to connect to clearly-overloaded
servers at bn.com and glassbook.com.  Needless to say, I was not permitted
to get the book until I had finished downloading the 7MB reader, which I
eventually managed to do, and installing it.

The reader installed, and asked me to reboot my Windoze NT4 SP6a PC to
enable it, which I did.  The PC restarted, got to the "blue startup screen",
restarted itself, got to the "blue startup screen", restarted itself, got to
the "blue startup screen", restarted itself, got to the "blue startup
screen", restarted itself...

Two hours, and much detective work later (thanks to my being able to
dual-boot into SuSE Linux and see my NT partition outside its crippled OS
host), the culprits turned out to be a SYS and a VXD (tpkd.*) that the
software had installed.  Both were "InterLok(R)" files created by "PACE
Anti-piracy, Inc".  My PC had been crippled by anti-piracy measures applied
to a "free" software product I'd installed to read a "free" book.  It is
entirely feasible that others were locked out of their systems for good by
this software.

Epilogue

Fortunately, some things in life *are* free (if one owns the right
Advertisement-blocking software ^-^), so I was able to use dialpad.com to
telephone the US-based support desk for Glassbook using my PC as a
telephone. After a 30 minute hold, I was put through to a technician, and
explained the problem.  While sympathetic, the response boiled down to "This
is Beta software.  I'll log the report for action."

I've heard nothing since, and I still haven't got a copy of the book.

Malcolm Pack <mpack@email.com>


Re: Hackers sued by software-filtering company (RISKS-20.84)

Bear Giles <bear@coyotesong.com>
Mon, 20 Mar 2000 09:25:32 -0700 (MST)
There is *far* more going on here than meets the eyes.  Those programmers
are involved in the Peacefire anti-censorship group
(http://www.peacefire.org).  The site has had detailed instructions for
getting around censorware software for months, without any legal action from
the companies.

But for some odd reason Symantec (I-Gear) threatened legal action only after
Peacefire cracked their encrypted blacklist and determined that 76% of the
sites in a quick sample (the first 50 .edu sites) were erroneously blocked.

Likewise Mattel (CyberPatrol) sued only after Peacefire cracked their
encrypted blacklist and published the results.

To a critical mind, several questions scream out:

 - why are the blacklists encrypted?  Is this to block access by
   competitors, or is it really to prevent parents and libraries from
   performing their own quality checks?  (If it's an anticompetitive
   measure, why are the companies treating it as a "hackers, kids and
   porn" case?)

 - how would knowing that a site is on the blacklist permit a kid
   to access the blocked site?  How many kids have the technical
   knowledge to edit the blacklist... and how hard would it be to
   check an MD5 checksum every so often?  (Since the blocking software
   only works when the computer is on the 'net, it is trivial to
   automatically download the checksum every Nth request.  If they
   don't match, download a new copy of the blacklist.)

 - why would the legitimately blocked sites have a problem with this?
   AFAIK most legitimate porn sites are more than willing to cooperate
   with censorware companies because it reduces their legal exposure -
   they can demonstrate a good-faith effort to prevent access by minors.
   The only sites that have a beef with this issue are ones that are
   blocked due to judgement calls, e.g., the pro-censorware Christian
   group that was shocked to discover itself on a blacklist because
   of its firm, principled stand against homosexuals and heathens.

Further complicating the issue is the apparent attempts to invoke the DMCA
(essentially criminalizing political debate if one party uses even trivial
encryption of key evidence; it brings to mind the 80's fad of putting a
lawyer into every meeting so the company could claim lawyer-client
confidentiality) and the pending UCITA legislation (which would explicitly
criminalize badmouthing software).  And we must never forget the absurdity
of a U.S. judge telling a Swedish ISP that it can't host material for two
Canadian residents - do all courts have worldwide jurisdiction in the
prenatal millennium?

I strongly recommend anyone interested in this topic review the Censorware
Project's report on an analysis of the logs of all Utah schools and
libraries. (http://censorware.org/reports/utah/) This report has been widely
misquoted as proving that censorware works.  The 0.0006% (or "1-in-6
million," as was allegedly misquoted at one point in the Bush-McCain
slugfest) error rate is a total fiction; any sane analysis shows that about
1-in-20 blocked sites are blocked in error in practice.

*** Late update: according to Slashdot
(http://slashdot.org/article.pl?sid=00/03/20/0845236) Mattel (CyberPatrol)
has not only sent mass mailings to all mirrors of the critical webpages,
they have allegedly added these mirror sites (and the author's homepages) to
their blacklist *under all categories.* Slashdot also reports that Declan
McCullagh, respected journalist for _Wired_ who has never hosted the essay
in question has also received legal threats.

This means there is an excellent chance that this issue of comp.risks will
be unavailable to school children nationwide due to its shocking content of
nudity, explicit sexual depictions, violence, drug use, satanic acts,
gambling activities, etc.

The RISKS created by an "informed public debate" on the merits of
censorware, where the library patrons are quietly "protected" from
legitimate criticisms of one side of the debate should be obvious to
everyone.  This is *not* an example pulled out of thin air — another recent
Slashdot discussion covered the Holland, Mich. debate on whether to mandate
this type of censorware in their libraries.  One can only shudder in
anticipation of the glorious day when nobody is even aware of this problem
as DMCA and UCITA ensure that no software, anywhere, ever has any
publishable defects of any kind.

On the bright side, this one petulant act may be enough to raise serious
constitutional issues of whether it will *ever* be legal for a government to
mandate the use of censorware on publicly accessible systems.  If this nonsense
is allowed to stand, we might as well appoint the CEO of Mattel Lord High
Emperor because he(?) will have demonstrated the ability to stifle the free
political debate that lies at the heart of our democracy.

(The preceding political screed was brought to you by the Drug-Running Child
Pornography Terrorists of America.)

Bear Giles <bgiles@coyotesong.com>

P.S., some people are already calling for a Barbie-Q to protest this.  I am
seriously torn between the attraction of torching a little Mattel
CEO-in-drag effigy on the steps of the state capitol (and passing out flyers
explaining the situation to passing legislators) and the horrid fact that
that means Mattel would get even one thin dime from me.

  [Does Barbie have a Mattelephone?  PGN]
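Bear Giles's second question above proposes a concrete control: check a digest of
the local blacklist every Nth request and re-download the list when it does not
match.  What follows is an added example, not code from Peacefire, from any
censorware vendor or from the poster, showing that check in Python.  The list
contents are constructed, the "network" calls are injected callables so the
example runs offline, and the default digest is MD5 because that is what the
post names; the algorithm is a parameter.

```python
"""Every-Nth-request integrity check of a local blocklist (added example)."""
import hashlib
from typing import Callable, Dict, Set

# Constructed sample blocklist, one hostname per line; not a real vendor list.
VENDOR_LIST = b"blocked-one.test\nblocked-two.test\nblocked-three.test\n"


def list_digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of the raw list bytes (MD5 as in the post; algo is pluggable)."""
    return hashlib.new(algo, data).hexdigest()


def parse_hosts(data: bytes) -> Set[str]:
    return {line.strip().lower() for line in data.decode().splitlines() if line.strip()}


class CheckedBlocklist:
    """Local blocklist that re-verifies itself against the vendor's published
    digest every `every_n` lookups and re-downloads the list on a mismatch.

    fetch_digest / fetch_list stand in for the two network requests
    (assumption: injected callables so the example runs offline)."""

    def __init__(self, local: bytes, fetch_digest: Callable[[], str],
                 fetch_list: Callable[[], bytes], every_n: int = 10,
                 algo: str = "md5") -> None:
        self.data = local
        self.hosts = parse_hosts(local)
        self.fetch_digest = fetch_digest
        self.fetch_list = fetch_list
        self.every_n = every_n
        self.algo = algo
        self.lookups = 0
        self.refreshes = 0

    def verify(self) -> bool:
        """Compare the local digest with the published one; refresh on mismatch."""
        if list_digest(self.data, self.algo) == self.fetch_digest():
            return True
        self.data = self.fetch_list()
        self.hosts = parse_hosts(self.data)
        self.refreshes += 1
        return False

    def is_blocked(self, host: str) -> bool:
        self.lookups += 1
        if self.lookups % self.every_n == 0:      # "every Nth request"
            self.verify()
        return host.lower() in self.hosts


def tampered_locally() -> Dict[str, object]:
    """Scenario 1: someone edits the local copy to unblock a host, but the
    vendor still publishes the digest of the genuine list, so the check
    catches the edit on the Nth lookup and restores the list."""
    edited = VENDOR_LIST.replace(b"blocked-two.test\n", b"")
    bl = CheckedBlocklist(edited, lambda: list_digest(VENDOR_LIST),
                          lambda: VENDOR_LIST, every_n=5)
    results = [bl.is_blocked("blocked-two.test") for _ in range(5)]
    return {"results": results, "refreshes": bl.refreshes}


def digest_spoofed() -> Dict[str, object]:
    """Scenario 2: the same party controls the digest answer as well (list and
    digest travel over one unauthenticated channel). The check passes and the
    hole stays open: a bare digest detects local edits, not a network attacker."""
    edited = VENDOR_LIST.replace(b"blocked-two.test\n", b"")
    bl = CheckedBlocklist(edited, lambda: list_digest(edited),
                          lambda: edited, every_n=5)
    results = [bl.is_blocked("blocked-two.test") for _ in range(5)]
    return {"results": results, "refreshes": bl.refreshes}
```

The two scenarios are the design point: the check answers the poster's question
(a kid who edits the file is undone within N requests) at very little cost, but
since the digest comes from the same place as the list, anything that can feed
the client a modified list can feed it a matching digest.  A signature over the
list with a key the client already holds closes that gap; an MD5 alone does not.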


Re: Internet voting (RISKS-20.83-84)

Adam Shostack <adam@zeroknowledge.com>
Sun, 19 Mar 2000 12:53:10 -0500
Regarding the question Steve Wildstrom poses in Risks 20.84, "Once you are
authenticated on line, how do you cast a secret ballot?"

One answer lies in a set of technologies called minimal disclosure
credentials.  These were invented by David Chaum, and substantially enhanced
by Stefan Brands.  The core of it is, you authenticate to some server, and
are granted a single-use credential which can not be linked to your
authentication.  The inability to link back to the authentication is
provided by a technique called blinding, where the client takes a set of
actions to prevent the server from knowing what it is signing.  This
technique forms the basis for anonymous electronic cash, and can be used to
create a 'coin' whose value is 'one vote.'  The state can allow each voter
to withdraw one coin, and ensure that each vote is 'paid for' with one valid
coin, thus assuring one person, one ballot, per election.  (This proposal
has a number of flaws, but is useful as a straw man if you understand
electronic cash.)

Schneier's Applied Cryptography, chapter 6, has a long list of electronic
voting protocols and systems which are intended to address these types of
questions.

Adam

  [Wait until you see Bruce's next book, forthcoming, which takes a less
  sanguine view of good crypto protocols in the presence of flawed
  implementations or weak system embeddings.

  Incidentally, Lauren Weinstein called to my attention an article on
  Arizona's experience with Internet voting that is of interest here:
      http://www.washingtonpost.com/wp-dyn/politics/A37369-2000Mar18.html
  PGN]
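Adam Shostack's post above describes the blinding step in words: the voter
authenticates, hands the authority a blinded value, gets it signed, and unblinds
the result into a 'one vote' coin the authority cannot tie back to the signing
session.  The following is an added example of that flow, not code from the
poster, from Chaum or Brands, or from any voting system.  It uses textbook RSA
blind signatures with two fixed Mersenne primes and a bare hash in place of
padding, which is enough to show the unlinkability, the one-coin-per-voter
rule and double-spend detection, and is a toy: the key size, the absence of
padding and the voter/authority classes are all assumptions for illustration.

```python
"""Chaum-style blind signature issuing one unlinkable 'one vote' coin per
voter (added example). Toy textbook RSA with fixed Mersenne primes and no
padding: it shows the protocol flow and is not a deployable scheme."""
import hashlib
import secrets
from math import gcd
from typing import Dict, List, Set

P = (1 << 61) - 1                   # 2^61 - 1, prime
Q = (1 << 89) - 1                   # 2^89 - 1, prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # gcd(E, phi) = 1 for these primes


def token_to_int(token: bytes) -> int:
    """Map a ballot serial to an element of Z_N (toy: bare hash, no padding)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class Voter:
    def __init__(self) -> None:
        self.token = secrets.token_bytes(16)    # secret serial, shown to no one yet
        self.m = token_to_int(self.token)
        self.r = secrets.randbelow(N - 2) + 2   # blinding factor coprime to N
        while gcd(self.r, N) != 1:
            self.r = secrets.randbelow(N - 2) + 2

    def blind(self) -> int:
        """What the authority sees: m * r^e mod N, which reveals nothing about m."""
        return (self.m * pow(self.r, E, N)) % N

    def unblind(self, blinded_sig: int) -> int:
        """s = s' * r^-1 = (m * r^e)^d * r^-1 = m^d mod N."""
        return (blinded_sig * pow(self.r, -1, N)) % N


class Authority:
    """Signs one blinded value per authenticated voter; later accepts each
    signed coin exactly once, so one person yields one ballot."""

    def __init__(self) -> None:
        self.issued_to: Set[str] = set()
        self.seen_blinded: List[int] = []       # everything the issuer ever sees
        self.spent: Set[int] = set()
        self.ballots: List[str] = []

    def issue(self, voter_id: str, blinded: int) -> int:
        if voter_id in self.issued_to:
            raise PermissionError("one coin per voter")
        self.issued_to.add(voter_id)
        self.seen_blinded.append(blinded)
        return pow(blinded, D, N)               # blind signature s'

    def verify(self, m: int, sig: int) -> bool:
        return pow(sig, E, N) == m

    def cast(self, token: bytes, sig: int, choice: str) -> bool:
        """Accept a ballot iff the coin is validly signed and not yet spent."""
        m = token_to_int(token)
        if m in self.spent or not self.verify(m, sig):
            return False
        self.spent.add(m)
        self.ballots.append(choice)
        return True


def run_election() -> Dict[str, object]:
    auth, alice = Authority(), Voter()
    sig = alice.unblind(auth.issue("alice", alice.blind()))
    first = auth.cast(alice.token, sig, "yes")
    replay = auth.cast(alice.token, sig, "no")               # same coin twice
    try:
        auth.issue("alice", alice.blind())
        reissued = True
    except PermissionError:
        reissued = False
    forged = auth.cast(secrets.token_bytes(16), sig, "yes")  # sig on other serial
    return {
        "valid": auth.verify(alice.m, sig),
        "first": first, "replay": replay, "reissued": reissued, "forged": forged,
        # the issuer's log holds only blinded values, so it cannot match the
        # serial that later turns up in the ballot box
        "linkable": alice.m in auth.seen_blinded,
        "ballots": list(auth.ballots),
    }
```

Two cautions a practitioner would add to the straw man.  A signer that applies
raw RSA to whatever it is handed is a decryption oracle for anything else ever
encrypted under the same key, so the coin-signing key must be used for nothing
else and a real scheme adds padding or a hash-to-group step.  And unlinkability
holds only for what the authority records; the network connection used at
casting time can still identify the voter unless it is anonymised separately.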


Report raises online privacy concerns

"NewsScan" <newsscan@newsscan.com>
Thu, 09 Mar 2000 09:57:08 -0700
A new Justice Department report, titled "The Electronic Frontier: The
Challenge of Unlawful Conduct on the Internet," has put privacy activists on
alert: "What the report amounts to is a law enforcement Internet wish list
of ways in which they can strip away privacy and free-speech protections in
order to get at what they claim is this criminal element online," says an
ACLU spokeswoman. The most controversial part of the report is a passage
that terms anonymous e-mail a "thorny issue": "Given the complexity of this
issue, balancing the need for accountability with the need for anonymity may
be one of the greatest policy challenges in the years ahead." A White House
deputy press secretary attempted to reassure ACLU officials, saying the
administration understands the importance of privacy, including the positive
role anonymity can play in reporting crimes and war atrocities.  [*The
Washington Post*, 9 Mar 2000,
http://www.washingtonpost.com/wp-srv/business/feed/a39970-2000mar9.htm;
NewsScan Daily, 9 Mar 2000]


TWA includes others' e-mail addresses in bulk mailing

<main@radsoft.net>
Wed, 22 Mar 2000 05:37:51 +0000
  [TWA accidentally disclosed e-mail addresses of 80% of their customers,
  albeit in alphabetically ordered batches.  Spammers' delight?
  Advertiser's boon?  Violation of their privacy policy?  PGN]

Again, mice prove to be erratic creatures:

http://news.cnet.com/news/0-1007-200-1580221.html?tag=st.ne.ron.lthd.1007-200-1580221

It would seem a standard "Are you really really sure?" would be in order
here so that the mice don't take the day.

-R

Radsoft Laboratories  http://www.radsoft.net


Re: Overdue Railtrack calls in the Army (Martin, RISKS-20.84)

"Mark Nelson" <mnelson@fnx.com>
Wed, 22 Mar 2000 11:58:35 -0500
> An earlier article explains that the cost overrun from 2.2 billion to 5.8
> billion (that's UK pounds and UK billions)

  [We have been around this one before in RISKS.  For quite a few years,
  UK billions and US billions have been unofficially the same,
  irrespective of whether OFFICIALLY the UK billion might still be
  a million million.  I had intended to take out Ursula's unofficially
  gratuitous parenthetical.  PGN]
