It is with deep sadness that we note here the sudden passing of Martin Minow last Thursday. He was a long-standing, noble, insightful contributor to RISKS, dating back to Volume 1, number 33, on 1 Jan 1986. A quick search shows that he had 172 messages in RISKS over the past 15 years, including translations of some otherwise inaccessible news items that appeared in Swedish sources. He was a delightful person, and will be sorely missed by many of us. Thanks to all of you who forwarded the e-mail message from his brother, Robtminow@aol.com. Greg Marriott <greg@spies.com> added URLs for Martin's Web pages: http://www.vmeng.com/minow/ http://homepage.mac.com/k6mam/ http://www.ag.ohio-state.edu/~natres/faculty/homepage.html PGN
On 23 Dec 2000, Ansett Airlines, Australia's second national airline, grounded six of its fleet of seven B767-200 aircraft (its largest domestic aircraft) when "it realised that important maintenance inspections had not been carried out". (The seventh aircraft was already out of service for maintenance.) See http://www.abc.net.au/news/2000/12/item20001224050838_1.htm and http://www.smh.com.au/news/0012/24/national/national1.html. This, at perhaps the busiest travel weekend of the year, and when Ansett has been steadily losing market share to Qantas. Oddly enough, while this inconvenienced thousands of passengers, it was reported that only 18 flights were cancelled (what do these aircraft do all day then?). It appears that a mandatory 25,000-cycle maintenance check was completely overlooked, but the good news (if true) is that an Ansett spokesperson was reported by the Australian ABC network as saying that "the decision to take the aircraft out of service was entirely [Ansett's] own". So, if there were risks introduced by cost cutting or other measures by management of Ansett, owners Air New Zealand, or part shareholder Singapore Airlines, the system corrected itself. Albeit, likely with huge commercial pain. One Ansett customer was quoted by the *Sun Herald* Sunday newspaper as saying, "I haven't flown Ansett for 20 years and it's only now that I remember why." http://www.smh.com.au/news/0012/24/national/national2.html While there is no reason to consider that Australian airline travel is more risky than it used to be, the landing of a Qantas B747 in a Bangkok golf course last year http://www.theage.com.au/news/20000430/A31680-2000Apr29.html was the first of a number of breakdowns of types we have not heard about before. Earlier this year, the new Sydney Airport control tower was blacked out by electrical supply failures twice within a few days. The result was short term chaos. Last week the control tower was evacuated due to smoke from burning computer equipment.
However, backup procedures cut in quickly and the old control tower took over. Conclusion? Positive... I think. It seems that maybe organisations are becoming more transparent about risks, and improving measures to deal with them. While passengers inconvenienced by the Ansett grounding might have a different view, it was, from the information publicly available, a brave decision. Even so, the threads at www.pprune.org abound with contrary suspicions. Neither the regulator, Civil Aviation Safety Authority Australia, nor the Australian Transport Safety Board has yet posted any comment on the event on their web sites. We shall see. Mike Martin, Sydney mike_martin@altavista.net
RAF to abandon faulty landing system, by Mark Henderson, science correspondent excerpted from http://www.thetimes.co.uk/article/0,,2-58265,00.html ROYAL AIR FORCE pilots will stop using a bad-weather navigation system from January 1 because new commercial radio frequencies have made it unreliable, the Ministry of Defence said yesterday. Pilots of military planes and helicopters fitted with the Instrument Landing System (ILS) will not be allowed to use it to land in poor weather in the new year. Instead they will have to ask air traffic controllers to talk down their flights. o Commercial FM growth cited as cause. o Commercial ILS on different frequencies has not been affected. o Affected aircraft are Nimrod reconnaissance and search and rescue helicopters. RAF transport a/c have already been upgraded and tactical aircraft do not use ILS. "There is no operational impact whatsoever," a ministry of Defense spokeswoman said. "It is a worldwide problem which affects all countries." "New landing assistance systems use more reliable technology, such as global positioning satellites, which are not affected by radio frequencies. ILS can also be disrupted by signals from mobile telephones." Dave Kennedy CISSP Director of Research Services TruSecure Corp. http://www.trusecure.com
In 1992 (RISKS-14.06), David Honig reported that a "certain very-popular-workstation-tape-storage-device will reload its firmware upon finding a firmware-reconfiguration tape within its maw upon power-cycling." Funny how history keeps repeating.. seems the same technique is now used for upgrading the firmware of dolby digital sound processors. Those are used in movie theaters for processing the stream of digital data which is read optically from the 35mm film. Citing http://www.dolby.com/cinema/cp500bro.html: [..] Moreover, updates to the audio coding used for Dolby Digital soundtracks, which are included from time to time right on Dolby Digital release prints, download automatically into the CP500 the first time such a print is played in the cinema. [..] In a German discussion forum dedicated to the projection of cinema movies (http://www.filmvorfuehrer.de/forum/) on 9 Nov 2000, the following was posted by Stefan Mueller: (translated from German) The trailer of "Billy Elliott" has got some nasty bug: If the trailer is being cut right behind start mark three, the CP500 will do a software reset with data upload as the trailer runs through the machine. Either Dolby Digital crashes completely or the Cat 673 is set to factory default, which means setting the digital soundhead delay to 500 perforations, i.e. the digital sound lags 5.5 seconds behind the picture. [..] Nice, isn't it? Concerning David Honig's report: I own a streamer which seems to have been built in 1995 (same company? maybe same streamer?), and according to the manual it has this "feature", too. Though no power-cycling is necessary, the firmware upgrade will happen right after inserting the "Firmware Upgrade Tape" into the drive. I guess this barrier (the need to power-cycle the device) was removed for better user friendliness.. (or it is some different kind of streamer and it never had this barrier, which is just as bad). 
I won't go into the evil details of what to do to a streamer's firmware in order to maximize the devastating effect as I am sure you all can make up some nice ideas yourself. It seems this "auto-firmware-upgrade" feature is making its way in more and more products. I just can't wait for cars to be firmware upgraded by refueling them at the gas station. *irony*
[From cryptography@c2.net; Source: Stealth plan puts copy protection into every hard drive http://www.theregister.co.uk/content/2/15620.html] *The Register* has broken a story of the latest tragedy of copyright mania in the computer industry. Intel and IBM have invented and are pushing a change to the standard spec for PC hard drives that would make each one enforce "copy protection" on the data stored on the hard drive. You wouldn't be able to copy data from your own hard drive to another drive, or back it up, without permission from some third party. Every drive would have a unique ID and unique keys, and would encrypt the data it stores -- not to protect YOU, the drive's owner, but to protect unnamed third parties AGAINST you. The same guy who leads the DVD Copy Control Association is heading the organization that licenses this new technology — John Hoy. He's a front-man for the movie and record companies, and a leading figure in the California DVD lawsuit. These people are lunatics, who would destroy the future of free expression and technological development, so they could sit in easy chairs at the top of the smoking ruins and light their cigars off 'em. The folks at Intel and IBM who are letting themselves be led by the nose are even crazier. They've piled fortunes on fortunes by building machines that are better and better at copying and communicating WHATEVER collections of raw bits their customers desire to copy. Now for some completely unfathomable reason, they're actively destroying that working business model. Instead they're building in circuitry that gives third parties enforceable veto power over which bits their customers can send where. (This disk drive stuff is just the tip of the iceberg; they're doing the same thing with LCD monitors, flash memory, digital cable interfaces, BIOSes, and the OS. Next week we'll probably hear of some new industry-wide copy protection spec, perhaps for network interface cards or DRAMs.) 
I don't know whether the movie moguls are holding compromising photos of Intel and IBM executives over their heads, or whether they have simply lost their minds. The only way they can succeed in imposing this on the buyers in the computer market is if those buyers have no honest vendors to turn to. Or if those buyers honestly don't know what they are being sold. So spread the word. No copy protection should exist ANYWHERE in generic computer hardware! It's up to the BUYER to determine what to use their product for. It's not up to the vendors of generic hardware, and certainly not up to a record company that's shadily influencing those vendors in back-room meetings. Demand a policy declaration from your vendor that they will build only open hardware, not covertly controlled hardware. Use your purchasing dollars to enforce that policy. Our business should go to the honest vendors, who'll sell you a drive and an OS and a motherboard and a CPU and a monitor that YOU, the buyer, can determine what is a valid use of. Don't send your money to Intel or IBM or Sony. Give your money to the vendors who'll sell you a product that YOU control. John
This past summer, CERT sponsored a two-day workshop on security issues with ActiveX controls. The final report was just released today and is available as a PDF file at the CERT Web site: http://www.cert.org/reports/activeX_report.pdf There is a lot of good information in the report about how individuals and organizations can reduce security risks in Internet Explorer when using ActiveX controls. In addition, there is a section aimed at software developers on how to create safer controls. A good bit of the technical information in the report has not been made public before. Richard
I'm a pretty trusting fellow, and a very early adopter of new technology, but the disclaimer in Quicken 2001's Online Billing agreement gave even me pause: "....USER ACKNOWLEDGES THAT HE OR SHE BEARS THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE ONLINE BILLING SERVICE" I'm currently a 'wage slave', but have done my share of consulting - I sure wish I could get this blatant a disclaimer in MY contracts. To add possible injury to the insult, the NEXT page (when I clicked 'Accept' on this) asked me for my SSN, birthdate, place of birth and mother's maiden name, with NO indication as to where and how this information might be used, or even if the transmission would be 'secure' or encrypted in any way. Needless to say, I cancelled out of THAT agreement. Clay Jackson <clayj@nwlink.com>
Having recently decided to clear up any erroneous black marks on my credit rating, I ordered reports from both Trans Union and Equifax. Both informed me that they could not send my credit report because they could not verify my current address (where I have resided for over a year). To my surprise, I did receive a copy of my credit report, from a company called CSC Credit Services. The report gives no clues as to whether this company is affiliated with Trans Union, Equifax, or neither. At the top, I see why they had such trouble believing that I live where I do - all three of the addresses they have listed for me (one current, two previous) are completely unfamiliar to me. Since they also have my name listed incorrectly as my married name, I can only assume that they had surmised I was still living with my ex-husband, and that any address applying to his last name also applied to me. We have been willfully ignoring each other since the divorce, but it could be dangerous if I were a stalking or vindictive type. This would be an easy way for me to find out where he is, regardless of any measures he might have taken to safeguard his privacy. Alternatively, if I were seeking child support from him, it might come in handy for me. We had no children, so this doesn't apply. I am not sure whether the same type of mistake is possible in the reverse direction - that is, listing an ex-wife's post-divorce addresses in an ex-husband's credit report. This privacy problem may only occur when there is confusion as to the ex-wife's last name, so it may only potentially reveal the ex-husband. For me, it's just yet another piece of data I have to get them to correct, in addition to the three (out of ten) incorrect credit history entries that still show a balance due, even though I paid them off. Beth Roberts <beth@bethroberts.com>
I work for a large corporation that has recently outsourced "employment verification" (for use in credit applications and such) to a Web-based service, http://www.theworknumber.com . This system works as follows: You log into the system with a company code, a Social Security number, and a PIN. You then can generate single-use keys to distribute to those who need your credit or employment verification; then they log onto the same web site with that key and have access to your salary and I believe duration of employment. To make the system easy-to-use, you can look up a company code given a company name so that this tiny security barrier is useless. The default PIN is the last 4 digits of your Social Security number. Strike two for Security. My company has the unfortunate habit of using Social Security numbers, even though each employee has a unique employee number, for identification. Over the years, I have been exposed to many other employees' Social Security numbers, and I can only assume the reverse is true. Strike three. While we are given the opportunity to change our PIN, the timing of this situation while many people are off on vacation, coupled with human nature, barely lessens this RISK. I called their customer support number, and there is no way to "opt out" of their system. Whereas they DO use SSL to protect the web transactions, the real risks lie elsewhere. John Haselsberger <jhasels@fast.net>
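An added example, not part of the original post or of the service it describes: a sketch of the check the post implies is missing, refusing PINs that follow from the Social Security number and auditing stored verifiers for accounts still on such a PIN. It generalises the post's "last 4 digits" default to any four consecutive SSN digits and their reversal; the record layout, function names, PBKDF2 storage and sample data are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # assumed PBKDF2 work factor, kept low so the sketch runs quickly


def pin_verifier(pin: str, salt: bytes) -> bytes:
    """Salted, stretched verifier that a service could store instead of the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


def derivable_pins(ssn: str) -> set[str]:
    """Every 4-digit PIN that follows directly from the SSN (windows and reversals)."""
    digits = "".join(c for c in ssn if c.isdigit())
    windows = {digits[i:i + 4] for i in range(len(digits) - 3)}
    return windows | {w[::-1] for w in windows}


def pin_allowed(ssn: str, pin: str) -> bool:
    """Enrolment-time check: the PIN must be 4 digits and not come from the SSN."""
    return len(pin) == 4 and pin.isdigit() and pin not in derivable_pins(ssn)


def audit(records: list[dict]) -> list[str]:
    """Return the employee ids whose stored verifier matches an SSN-derived PIN."""
    flagged = []
    for rec in records:
        for guess in derivable_pins(rec["ssn"]):
            candidate = pin_verifier(guess, rec["salt"])
            if hmac.compare_digest(candidate, rec["verifier"]):
                flagged.append(rec["employee_id"])
                break
    return flagged


def make_record(employee_id: str, ssn: str, pin: str) -> dict:
    """Build one hypothetical account record with a fresh random salt."""
    salt = os.urandom(16)
    return {"employee_id": employee_id, "ssn": ssn, "salt": salt,
            "verifier": pin_verifier(pin, salt)}


# Constructed sample data: SSNs in the never-issued 000 area, invented PINs.
SAMPLE = [
    make_record("E1001", "000-12-3456", "3456"),  # still on the default PIN
    make_record("E1002", "000-98-7654", "8130"),  # changed to an unrelated PIN
    make_record("E1003", "000-55-0199", "9910"),  # "changed" to the default reversed
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An operator would run `audit` to force a PIN change on flagged accounts and call `pin_allowed` when a new PIN is chosen.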
Interestingly, Verizon has failed to come up, at least in public, with any evidence that this was in fact an attack. Given the company's dubious service record, a lot of folks suspect this may be a pretty lame attempt to blame a popular bogeyman for an inability to handle traffic. Sometimes, I feel that I personally get millions of spam messages a day, but our system generally handles it. An attack would almost certainly have involved a large number of messages from a small number of sources and at least the mail relays that the messages were sent through would have been identifiable, if not the ultimate source. Steve Wildstrom, Technology & You Editor, *Business Week*, 1200 G St. NW #1100 Washington DC 20005 1-202-383-2203 steve_wildstrom@businessweek.com
It seems our favorite planet - Earth - barely missed yet another pyrotechnic run-in with a city-killer sized asteroid. It was early Xmas Eve 2000. Nobody saw it till it had already gone past. Range: 800,000 km. That's barely double the distance of earth to the moon. When you figure that we've got some serious gravity constantly inviting passing space rocks to pay us a visit, I'd say that it's awful dang close. Although the collision probabilities for us and all known space rocks are officially listed as < 1e-9, I really don't trust that math. The risk is in insufficient funding for early warning systems and sub-zero funding for deploying solutions. If we are REALLY lucky a smallish rock like this one will touch down in a sparsely populated corn field, creating an instant tourist mecca and a kick in the pants for policy wonks.... not to mention a big ratings week for CNN. news.com.au has the first story of which I am aware @ http://news.com.au/common/story_page/0,4057,1550084%255E1702,00.html For fresh info on what we claim to know about the sky falling, click to the JPL news page: http://neo.jpl.nasa.gov/news.html [Somewhat off your normal news beat, but I'd bet it is something with high interest for your audience. SR] [Certainly has risks to computers and related systems, as well as to people. TNX. PGN]