Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Original story in "Dagbladet ... nettet" in Oslo (In Norwegian:
http://www.dagbladet.no/nyheter/2000/12/31/235007.html)
Abstracted:
In the morning of 31 Dec 2000, departures of the Airport Express train and
six "Signatur" departures were hit by a date handling problem. The airport
trains were quickly back in action, the 07:28 Signatur departure from
Kristiansand was canceled, and the five other departures were serviced by
older trains.
Preben Colstrup, a spokesperson for NSB, verifies that the trains appears to
not handle the date 31 Dec 2000 at all, he has no idea why. He promises
that all trains will be on schedule on 01 Jan 2001. NSB adds that the
trains still have not passed acceptance and belongs to the contractor,
Adtranz.
Ronny Solberg in Adtranz says that the problem was solved by setting the
date on the trains back a month. It only takes a few minutes, but it took
time to get service people around to all the trains. He stresses that all
trains were Y2K tested, but that no-one thought of testing 31 Dec 2000. He
promises that the problem will be found and fixed permanently.
Dictionary:
- NSB: Norges StatsBaner, the publicly owned train company in Norway
- Signatur and Airport trains: New high speed trains made for NSB by
Adtranz. Presumably carrying the same computer systems. Signatur is
used for long inter city routes.
Addendum: Later in the day, on national radio news a technical person in NSB
speculated that the problem might have been that Y2K was a leap year and the
number of days at the end of the year baffled the computers which *did*
handle 29 Feb 2000 well. There were no reports of non-starters on 01 Jan
2001.
[Quite a few readers noted an AP story in various US sources, including
http://www.nytimes.com/aponline/technology/AP-Norway-Y2K-Bug.html
which roughly mirrors the dagbladet item. PGN]
The Denver Post reported today
(http://www.denverpost.com/business/biz0103e.htm) that 7-Eleven stores have
not been able to process credit-card transactions since January 1, 2001.
The problem appears to be a faulty date-window fix for Y2K, reading the two
digit current year of "01" as "1901". A programmatic check in the system
rejects credit cards with expiration dates 100+ years in the future. One
wonders if they rushed to implement their new information system in order to
be Y2K compliant, deciding to skip low-priority system testing to make the
deadline. Relevant excerpt from the end of the article:
7-Eleven's retail information system, which handles almost all of the
store's operations, from payroll to purchases, was implemented into all of
its U.S. stores by late 1999. It was deemed Y2K-compliant. The home of
the Big Gulp didn't spend any money to ensure its systems would roll over
correctly from 2000 to 2001. [...]
[Also http://www.washingtonpost.com/wp-dyn/articles/A16320-2001Jan3.html]
[More likely a special-case fix that worked *only* in 2000, to
avoid Y2K, as suggested by Jeremy Epstein. PGN]
I turned my Sharp YO-550 Electronic Organizer on today for the fist time since last year. It displayed an error message that all data was corrupted and will be erased. About 4 years of notes and phone numbers lost (yes you can back it up to a computer - The backup kit cost about the same as the organizer). After my initial reaction I turned the unit off and on and it came up seemingly working correctly although it thought it was 1997. I reloaded the current time and date. Upon turning the unit off and on the same error condition resulted (Lost all data including current time and date). Several times I set the date to 2001 with the same error resulting. I then (for some strange reason) tried setting the date to 1/1/2000. The unit worked correctly. In fact with several dates prior to 2001 the error condition never occurred. If I set the date to 2001 or greater it goes into error and loses all memory. I write to RISKS to find out if other owners of Sharp Organizers have experienced this problem. I have been unable to reach anyone at Sharp (Customer Service Phone is always busy) to comment on the problem. Philip Berman <philip.berman@itt.com>
On 2 Jan 2001, the electrical grid for the entire northern region of India collapsed, affecting 226 million people. The outage began at a substation in Uttar Pradesh, and spread to neighboring states (Punjab, Kashmir, Rajasthan, Haryana and Himachal Pradesh) and to the capital, New Delhi. Trains, signalling systems, and the New Delhi airport were affected. Demand is often greater than supply, but such widespread outages are apparently unusual. [PGN-ed; see also http://www.cnn.com/2001/ASIANOW/south/01/02/india.blackout/index.html]
As reported in various Swedish news media, The Swedish bank Nordbanken has suffered repeated computer outages during late December and early January. The outages, each with a duration of several hours, shut down ATMs, Internet bank services, debit card purchases and office teller services for Nordbanken's 3.5 million customers. In an article on the Swedish CNN Web site (cnn.passagen.se) 4 Jan 2001, Nordbanken CEO Magnus Falk says that the bank still does not know what caused the outages, but that they are now able to restart their system faster the next time it crashes... Ulf Lindqvist, System Design Lab, SRI International, 333 Ravenswood Ave, Menlo Park CA 94025-3493, USA +1 650 859-2351 http://www.sdl.sri.com/
On Thursday, 28 November 2000, 17 of the 21 telephone exchanges in the City of Schenectady NY were taken out of service by a water-main break (for those not familiar with the North American phone system, exchanges uniformly contain a range of 10,000 phone numbers). The Central Office serving downtown Schenectady is located on the block between Franklin and State Streets and Jay and Clinton Streets. The water main break was on Clinton St, and caused the closure of Clinton and State Streets. The break occurred at 3 AM, and the phones went out around 9 AM. The cellular telephone networks appear to be unable to cope with the additional traffic. I received a frantic call from my wife, who called me at work from her cell phone to tell me the house phone was out. The signal quality was extraordinarily bad, as is the nature of CDMA digital when the cell is overloaded. One is left to assume that users of FDMA and TDMA-based phones may have been cut off completely, especially analog phone users, where the cells have a hard limit of 20 simultaneous calls. Meanwhile, my Internet service, provided by TV cable, continues unabated. So, where do we begin on this one? Well, here are the RISKS: 1. Placement of mission-critical equipment below ground level leaves it susceptible to flooding. One might assume that an unusually heavy downpour might also have caused problems here. 2. This is a good example of network stress, looking at the behaviour of the cellular networks. 3. This is also a classic demonstration of a single point of failure. A problem in one location has cut off a critical service to an entire (although small) city. It does not matter if your service is through the IBOC (Verizon, in this area) or a CLEC (Sprint, AT&T, Met Tel, to name a few), all fo the equipment is owned and maintained by the IBOC and housed at the corner of Franklin and Clinton. 4. It is also a classic demonstration of diverse paths, as my Internet service continues to run. It does not pass through that same building, but is rather located a mile away on Eastern Parkway (or at least I believe that is the location). glasher@nycap.rr.com [As an addendum on 29 Dec 2000, the majority of the phone service in the city was restored as of this morning, 29 Dec. During the outage, the city was being patrolled by police, DPW trucks, Amateur (HAM) radio operators, GMRS radio operators, and telco vehicles. A command post was set up at the city police station to serve as a center of all of these diverse communications. It is further worth noting that the telco vehicles were equipped only with cellular phones for communications. As mentioned before, the cellular networks were next to useless due to traffic overload. For this reason, the ad-hoc radio network that was established became the primary means of emergency communication. This information was gathered by listening on two of the frequencies used: 147.06 MHz (the local HAM repeater) and 462.550 (the GMRS channel that was in local use). Other frequencies could have been monitored as well, but since my monitoring was being sent back out through an MP3 broadcaster, the content needed to be constrained. GCL]
The Ukrainian space rocket design bureau blamed "computer faults" for the failure of a Ukrainian Tsiklon-3 light booster rocket that carried 6 small satellites for the Russian Defense Ministry and space agency Rosaviakosmos. The rocket engines were shut down 367 seconds after lift-off (presumably automatically). [Source: CNN, 1 Jan 2001 (a.k.a. as 1/1/01!!!!); PGN-ed; http://www.cnn.com/2001/TECH/space/01/01/space.russia.crash.reut/index.html]
The risk of allowing techno mumbo jumbo to get in the way of the truth: Whenever I read about the Chinook crash on the Mull of Kintyre, I observe that a number of important facts are conveniently ignored. These particular facts are not in dispute and they give incontrovertible proof that the pilots were acting negligently. Instead, the spectre of some mysterious fault is raised as an argument that the pilots should be absolved of blame. A few minutes before the accident, the helicopter was traveling at low level across the open sea. It was flying under Visual Flight Rules. VFR involves looking out of the window to see where you are going, which way up you are and to make sure that you do not hit anything. To operate under VFR, requires good visibility. (The actual requirements in terms of how many miles you must be able to see and how far you must be from cloud varies with aircraft type, pilot qualifications and where you are flying.) The Mull itself was covered in fog and low cloud and, as the flight neared the Mull, it entered this area of reduced visibility. Now, at this point, the crew were in full command of their aircraft and had no technical problems. There has been no dispute over this. As soon as they encountered the cloud, the crew must have switched to Instrument Flight Rules. That means referring to instruments to see which way is up and to find out where you are and it also means operating at or above the Minimum Safety Altitude. The MSA is defined as being one thousand five hundred feet above the highest obstacle on your flight path or within ten miles either side. The purpose of these figures is, in part, to give a margin for error but also to give pilots enough room to get out of trouble. For example, an aircraft flying inside cloud might suddenly find that it is picking up ice sufficient to mean that it cannot maintain altitude. By operating at the MSA, the pilot will have enough room to either side to turn back and fly out of the icing zone and shed the ice before being forced to the ground. Now, when the pilots of the accident aircraft encountered the cloud and fog around the Mull, they were not only below the MSA, they were actually below the high ground which they were approaching. Given this, the crew were required to make a 180 degree turn and fly out of the cloud. That is what they were trained to do. That is what the law required them to do and that is what the RAF rules required them to do. Instead, they opted to fly on towards the high ground and attempt to climb over it. Doing so was inarguably an act of negligence or recklessness that endangered the aircraft. The case that is made, that the aircraft may have suffered from some form of systems glitch that made it incapable of out climbing the rising ground, has no bearing on this. If the pilots had not made the decision to fly, in cloud, towards high ground at an altitude lower than the tops of the hills, the accident would not have happened. The decision that they made went against both their training and the law. Suppose that I decided to try to drive through the centre of my town as fast as I could and that I found that my brakes failed and I crashed and caused many deaths. Can I say that it was not my fault and that the accident would have not happened if my brakes had not failed? Of course not. Whether or not there is a problem with the Chinook is an important matter but it does not absolve the crew of the helicopter from blame for entering cloud at such a low altitude. Had they not decided to do that, the accident would not have happened. John O'Connor: http://www.jpoc.net [In some cases, but not this case, one could ask for a Mull-again (mulligan, or do-over, in golf parlance). PGN]
A national poll of 1,400 CIOs reveals that 90% have confidence in their network security, despite estimates that billions of dollars are lost every year to cybercrime. The survey, conducted by RHI Consulting, has raised eyebrows among security experts who point out that it's generally in a CIO's best interest to keep quiet when security breaches occur. A recent survey conducted by the Computer Security Institute indicated that more than half of the respondents said they did not report the intrusions to law enforcement out of fear of negative publicity or that rival companies would use the information to competitive advantage. In addition, many CIOs may feel that they must live with a "buffer of acceptable risk." "Just as credit card companies accept some level of loss as a cost of doing business, so some CIOs are saying, 'if I do a really solid job of protecting my systems, then I can live with the low-level pain that some break-ins cause,'" says one expert. Meanwhile, a 1999 survey found that Fortune 1000 companies lost more than $45 billion in thefts of proprietary information that year. [*InfoWorld*, 3 Jan 2001; NewsScan Daily, 4 Jan 2001]
Consumer DVD (video) players are also adopting this "load firmware from a data source" approach. My Phillips-Magnavox DVD850 will slurp up a new firmware load from a DVD. Video DVDs include a good deal of active content, and the industry seems to expand the programming environment on a regular basis. The DVD of the popular movie "The Matrix" wouldn't work at all on half of the installed players when it shipped in 1999 because it used up-to-the-minute constructs. When the authoritarian software forbids me to skip past a twenty-second copyright notice, it makes me nostalgic for the old 12-inch laser disks. Andrew Klossner (andrew@cesa.opbu.xerox.com)
Two 8th-grade honor students in Tampa, Hillsborough County, Florida, hacked into the school computer and copied the final exam for one of their courses. They have been suspended. [PGN-ed] We've wired up the country's schools, put the kids on the Internet, and only a small handful of teachers have any clue as to what goes on behind the mouse button. The teachers are not technically trained, they are underpaid and underappreciated. Is it any wonder? And I doubt the kids have been taught the first thing about CyberEthics by their schools or their parents. Winn Schwartau
The first response to intrusion news stories by most organizations is almost formulaic: deny the attack, make (often false) allegations that this could never happen HERE, attack the credibility of the source of the news, and lastly take a stand against such heinous activity. The response by the UWMC to the intrusion into their network generally follows the formula. They started back-pedaling the next day: "We have received the first tangible evidence from news-gathering organizations that someone did, in fact, gain criminal access to a limited number of administrative databases that contain some confidential information on at least 5,000 cardiology and rehabilitation medicine patients treated at our hospital," said Tom Martin, director and chief information officer for University of Washington Medical Centers Information Systems. >From MSNBC: "Hospital Confirms Hacking Incident" 2000-12-8 For more complete coverage, I recommend going to where the story broke: www.SecurityFocus.com and search on "University of Washington Medical Center" The original UWMC announcement, however, is still true. Read it carefully, they worded it so that they never actually denied the attack. Dan Theunissen, dan.theunissen.no.spam@ieee.org
[Received via Dave Farber, whom Patrick had requested to post a correction.] Content protection technology misinformation generates negative web-press coverage: An article on *The Register* website "Stealth plan puts copy protection into every hard drive" contains false information that the 4C's (Intel, IBM, MEI, Toshiba) Content Protection for Recordable Media (CPRM) is to be applied to all PC hard drives. It is misinterpreting a specification for use of CPRM with the Compact Flash media format (which supports either semiconductor flash memory or IBM microdrives) probably because Compact Flash uses the same command protocol interface as standard PC harddrives. The technology is neither intended nor licensed for use with PC harddrives and is optional even for the supported media types (flash memory and microdrives). John Gilmore, a noted privacy and consumer advocate, has picked up the article and further propagated the erroneous information and mentioned Intel "IBM&Intel push copy protection into ordinary disk drives". I have alerted public relations at Intel and are disseminating accurate information within Intel and among our industry contacts. Pat
There is another implicit risk in these stories which I am always
quick to bring to the attention of my would-be B2C e-commerce clients.
Suppose you have 500,000 VISA/MC numbers in your computer, and suppose
you have strong cryptographic SSL connections and all that certificate
jazz to ensure the customer and the e-store are who they say they are.
Let's also say that I am an organized crime boss who knows you have
those charge card numbers and have the means and desire to rack up just
$20 worth of purchase from each of them for a cool fast million dollar
profit ... now (and here's the kicker) what is to stop me from offering
your system administrator some tidy sum (even 10%!) to just slip in
a floppy disk and grab me a copy of the data?
Related to this, I asked a leading e-commerce Web site architect if the DLL
that contained the personal information access username and password might
be used by _any_ program that ran on the server (in java, a class can be
made accessible _only_ to a restricted set of applications). The answer was
that they hadn't thought of that.
Gary Lawrence Murphy <garym@teledyn.com> TeleDynamics Communications Inc
Business Innovations Through Open Source Systems: http://www.teledyn.com
[Simson Garfinkel commented:
I simply do not understand why companies insist on keeping the old
VISA/MC numbers in their computers.]
This is not new. Spammers have been using these tactics (both @ in the domain name, and decimal and octal IP numbers in place of DNS names) to obscure the actual site hosting their spam content for at least a year. It's annoying, because it takes extra effort to parse out the true host of the web site being spammed. Conversely, its convenient, because it provides incontrovertable evidence that the post in question is a spam, because there is no valid reason to obscure an URL in this way other than to hide the guilty. Crispin Cowan, Ph.D., Chief Research Scientist, WireX Communications, Inc. http://wirex.com Free Hardened Linux Distribution: http://immunix.org
It's the end of the year and time for everyone's top 10 list. The Privacy Foundation just released today its top ten list of privacy stories for the year 2000. Our press release is online at: http://www.privacyfoundation.org/release/top10.html Richard
Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy Stefan A. Brands ISBN 0-262-02491-8 For more information, please visit http://mitpress.mit.edu/promotions/books/BRAUHF00 [from which this is taken. PGN] As paper-based communication and transaction mechanisms are replaced by automated ones, traditional forms of security such as photographs and handwritten signatures are becoming outdated. Most security experts believe that digital certificates offer the best technology for safeguarding electronic communications. They are already widely used for authenticating and encrypting e-mail and software, and eventually will be built into any device or piece of software that must be able to communicate securely. There is a serious problem, however, with this unavoidable trend: unless drastic measures are taken, everyone will be forced to communicate via what will be the most pervasive electronic surveillance tool ever built. There will also be abundant opportunity for misuse of digital certificates by hackers, unscrupulous employees, government agencies, financial institutions, insurance companies, and so on. In this book Stefan Brands proposes cryptographic building blocks for the design of digital certificates that preserve privacy without sacrificing security. Such certificates function in much the same way as cinema tickets or subway tokens: anyone can establish their validity and the data they specify, but no more than that. Furthermore, different actions by the same person cannot be linked. Certificate holders have control over what information is disclosed, and to whom. Subsets of the proposed cryptographic building blocks can be used in combination, allowing a cookbook approach to the design of public key infrastructures. Potential applications include electronic cash, electronic postage, digital rights management, pseudonyms for online chat rooms, health care information storage, electronic voting, and even electronic gambling. Stefan A. Brands is Distinguished Scientist at Zero-Knowledge Systems, Inc., Montreal, Canada.
10th USENIX Security Symposium 2001 Conference 13-17 August 2001, Washington, D.C., USA Conference URL: http://www.usenix.org/events/sec2001 Sponsored by USENIX, the Advanced Computing Systems Association Paper submissions due: 1 February 2001 Program Chair Dan S. Wallach, Rice University Invited Talks Coordinator Greg Rose, Qualcomm For more details on the submission process, authors are encouraged to consult the detailed author guidelines on the symposium website at: http://www.usenix.org/events/sec01/cfp/guidelines.html USENIX Security Symposium 2000 is sponsored by USENIX, the Advanced Computing Systems Association, USENIX is an international membership society.
Fourth International Symposium on Recent Advances in Intrusion Detection 10-12 October 2001, University of California, Davis, CA, USA [Abridged for RISKS. See http://www.raid-symposium.org/Raid2001 for complete notice — and by 31 Jul 2001, the preliminary program. PGN] RAID executive committee chair: Marc Dacier (IBM Research, Switzerland) Program co-chair: Wenke Lee (NC State University, USA) Program co-chair: Ludovic Me (Supelec, France) Full and short papers submitted [by 30 Mar 2001] to RAID must be original contributions, not published or submitted to other conferences. Full papers are limited to 6000 words, short papers to 2000, full page figures being counted as 300 words. [...]
Please report problems with the web pages to the maintainer