http://cbc.ca/cgi-bin/view?/news/2001/01/25/sobeys010125 Sobeys (Canada's second largest grocery mega chain) had a computer systems outage that lasted over a five day period. The result of the outage is that they will miss their projected profits. [CBC reported that Sobeys will take an after-tax charge of Canadian $49.9 million because it had to scrap its SAP software system. Dan Haggerty also noted this item. PGN]
Last week's Finnish papers were full of the continuing story of how a Russian Aeroflot plane leaving Helsinki Vantaa airport came within 450 feet of a Finnair charter flight returning from Malaga. (This happened in November 2000, but was just reported.) Apparently the Russian plane kept disappearing (and coming back) from the radar screen in the tower. In the following days the plot thickened. * Helsinki Vantaa has since March 2000 a new modern French radar system. * Aeroflot planes have (since then) often displayed this fault. * Conclusion (Finnish spokesperson - day one) the problem is with the Russian planes. * Day two Aeroflot came back with the comment that their planes were flying to many other Western European destinations and Helsinki/Finland was the only airport that had reported this problem. * Day three the Finnish reply was that the old planes that Aeroflot were using on the Helsinki run were old, Russian (undertone - rubbish) whereas they were using better planes in the rest of Western Europe. Somewhere in the midst of this we had statements from the Finnish side that passengers were not at risk. Oh yes? Given the Finnish/Russian history, we're not likely to have this thing cleared up any day soon. I tend to **wildly guess** that as the only thing that has changed is the (French) radar system (we've had old rubbishy Russian planes on this route for years), someone should be looking at that a bit more closely. It maybe assumes newer planes than those Aeroflot use. Anyway, the Risk: Should I choose my Finnair charter flight on the basis of whether a Russian plane is due to land or take off at roughly the same time, and how do I cater for the inevitable delayed flights on either side? Mike Walsh, Helsinki <email@example.com> [I suppose if there had been an Irish controller in the tower, the blame would have fallen on a Mickey Finn. PGN]
From the Guardian, Saturday Jan 20, an update on the proposal for GPS speed control of vehicles, where the car determines its maximum speed from an in vehicle database of speeds of roads. http://www.guardianunlimited.co.uk/uk_news/story/0,3604,425344,00.html The government has commissioned a trial of speed limiters in cars, which could lead to computer-controlled overrides as a standard fitting within five years. Twenty trial vehicles will be fitted with a system which has won praise on a prototype Ford Escort driven over thousands of rigidly monitored miles in the past three years. The tests, which prevented the car from topping 30mph, 40mph and other limits, were "highly reliable" according to the Institute of Transport Studies at Leeds University, which has won funding for the expanded trials from the Department of Transport, Environment and the Regions." "We've had two dozen people driving along a 40 mile route, including the A1M motorway," said Oliver Carsten, head of the project, which has also been demonstrated on the north circular road in London. The system uses a computerised navigator linked to the car's electronic controls and a positioning satellite. Areas with speed restrictions are fed into the system to trigger action as soon as a limit is breached. Just think how much fun you'll be able to have by a UK motorway in five years time from jamming the GPS signals. Or how much a 'chipped' database or speed limiter will be worth. A more rigorous trial would be to place the speed limited vehicles in the hands of well known violators of the speed laws to see how much effort it takes to disable — the UK home secretary himself, for example. Steve Loughran [Home, Secretary, and don't spare the tires. PGN]
A laptop computer with sensitive files on high-level drug investigations was stolen from an RCMP officer's house on New Year's Eve. Apparently, the officer's van was first stolen while he was attending a hockey game. The thieves discovered his address from the vehicle registration and drove to his home where they made off with thousands of dollars in personal property and the computer. [Source: *Winnipeg Free Press*, 11 Jan 2001] The risks in keeping such sensitive information at home, presumably not protected with any sort of encryption, are obvious. But I never realized that home address information on registration papers was a risk until now. D. Joseph Creighton [ESTP] | Programmer Analyst, Database Technologies, IST Joe_Creighton@UManitoba.CA | University of Manitoba Winnipeg, MB, Canada,
Together with his loot, a Vancouver bank robber jumped into a taxi that was equipped with satellite tracking technology. At the request of the police, the taxi company was able to track the cab by GPS, and the police apprehended the robber a few blocks away. [PGN-ed from a Reuters item <http://news.excite.com/news/r/010116/10/odd-taxi-dc>] Roger H. Goun, Senior Staff Kennel Boy, Brentwood Country Animal Hospital, P.C. Exeter, New Hampshire, USA
I had Visa card through Bank of America which I canceled last January (2000). Imagine my surprise when a bill arrived in the mail yesterday! Fortunately, it was for $0.00, but I was concerned that B of A might have somehow reactivated my account. When I called their customer service number, the rep was not at all surprised by my situation. "It's a computer error. Just ignore it," she said. Sadly, I don't have any firm proof, but I suspect this was a slow-acting Y2K glitch. If they're still using two-digit years, they might have set up the system to read "00" as "100." Noting that it's the year 01 and my card isn't going to be cancelled until 100, the computer decided to send me a bill. Ethan McKinney, 1750 E. Appleton St. #4, Long Beach, CA 90802
You know how bank ATMs have those little buttons down the side of the screen to select from an on-screen menu? Mostly, they're useful: they allow only the valid options to be presented to the user, and keep the number of different buttons required down to a minimum. But ATMs also have a variety of other buttons on the keypad (usually including "OK" and "Cancel") and this split screen/keypad user interface can lead to problems. For example, today I met young lady who was quite distressed because she thought the ATM had "eaten" her card. The problem was that the on-screen menu was laid out as follows: Push here for other services --> [::] Press Cancel if finished [::] The poor lady was pushing the bottom (non-active) screen button, rather than reading the instructions to press a separate key. The screen layout here is not terribly helpful, since it suggests that the bottom button might do something. But the real risk is that if you provide shortcuts to perform common tasks, then users won't learn how to do things that aren't available from a shortcut. Austin
[sent to journalists on Peacefire's press contacts list; RISKS saw it in a forwarding of a message from Monty Solomon] We recently discovered that for the last five months, HotMail has been blocking their users from sending e-mail to peacefire.org addresses. If you tried to send mail to a peacefire.org address from HotMail, you'd get a fake error message a day later saying that there was a problem on the recipient's end — when it was really HotMail blocking the message from being delivered. HotMail is part of the same boycott that AboveNet was part of, when AboveNet was blocking their downstream users from accessing our Web site. After our ISP owner complained, HotMail stopped blocking their users from e-mailing us and other Media3 customers. HotMail is still, however, blocking their users from e-mailing other sites on their "boycott list". I've talked to several of our members who are using HotMail, and most of them are furious that HotMail would be censoring their outgoing mail without telling them. Again, the irony is that HotMail didn't single us out for anything, we just happened to be in the same IP address block as other sites that were the original target of the boycott (e.g. ListSorcerer.com). When our ISP, Media3, didn't kick them off, the boycott organizers expanded the "boycott list" to include hundreds of unrelated sites also hosted by Media3. Several HotMail members that I talked to, have said they would be willing to talk to the press about HotMail blocking their outgoing mail. Many of them said they never would have signed up with HotMail if they knew their mail would be blocked, and some have even said that they're going to switch to another mail service. (Especially since HotMail is *still* blocking outgoing mail — it was just our IP address block that they exempted from the list.) -Bennett firstname.lastname@example.org http://www.peacefire.org (425) 649 9024 - - -- The Telecom Digest is currently mostly robomoderated. Please mail messages to email@example.com. [Incidentally, for the mailing of RISKS-21.21, bigfoot.com blocked the mailing to every subscriber there, because of the number of subscribers exceeding some spam limit. Too bad. Perhaps they won't get this message either, letting them know what happened, although we are trying a different mail configuration for this issue! PGN]
Just a day after Microsoft's Web sites were down for an extended period of time because of the "human error" of a technician, they were victimized by the "human malice" of a network vandal who subjected them to a "denial of service" attack that flooded them with bogus communications, causing them to gridlock and reject legitimate communications from their customers. The company has called in the FBI for assistance. Computer security expert Abe Singer of the San Diego Supercomputer Center said that part of Microsoft's vulnerability to attack was due to the fact that its four domain-name servers are linked in a single network. "They had all their eggs in one basket and basically someone knocked down the basket." (*The Washington Post*, 26 Jan 2001; NewsScan Daily, 26 Jan 2001 http://washingtonpost.com/wp-dyn/articles/A47581-2001Jan25.html)
Twenty-one-year-old Jerome Heckenkamp has been indicted by federal prosecutors for allegedly hacking into computers at eBay, Exodus, Juniper, eTrade, Lycos, and Cygnus and causing a total of more than $900,000 in damage, in events that took place in 1999 while he was a student at the University of Wisconsin. He has pleaded innocent of all charges and says the break-ins were done by someone else using his computer. (AP/*San Jose Mercury News*, 25 Jan 2001; NewsScan Daily, 26 Jan 2001 http://www.mercurycenter.com/svtech/news/breaking/ap/docs/786396l.htm)
Nine state online sex-offender registries have had inadequate computer security and easily could have been hacked, an MSNBC.com investigation has found. And in two states, more general criminal records databases also were found to be insecure. The flaws put Web site data at risk and raised the possibility that a computer intruder could add or remove people from the online versions of the databases. http://www.msnbc.com/news/514284.asp
DirecTV has the capability to remotely reprogram the smart cards used to access their service, and also to reprogram the settop box. To make a long story short, they were able to trick hackers into accepting updates to the smart cards a few bytes at a time. Once a complete update was installed on the smart cards, they sent out a command that caused all counterfeit cards to go into an infinite loop, thus rendering them useless. A commercial use of information warfare? Very interesting article at http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D143 (sorry for the long URL). Jeremy [Reminder: As usual, no guarantee as to the future validity of URLs. PGN]
Macys.com was victimized by its own 50% discount coupon code that was inadvertently posted at FatWallet.com. The extent of the resulting spending spree was not divulged. "Although mistakes of this kind do happen in the offline world, the speed at which e-commerce moves can make a small glitch turn into a thousand-dollar error." (Note earlier problems involving staples.com and amazon.com.) [Source: Greg Sandoval, CNET News.com, 22 Jan 2001 URL: http://news.cnet.com/news/0-1007-200-4564219.html; PGN-ed]
PDAs considered insecure... now there's a surprise. Date: Thu, 25 Jan 2001 15:37:10 -0800 >From: Mitch James <mitchj@AVANADE.COM> Subject: Re: Palm Pilot Security To: PEN-TEST@SECURITYFOCUS.COM The headline is "@stake, a US-based security consultant, has written a piece of software code that can zap passwords off targeted Palm Pilots through taking advantage of the PDA's hotsync function. Hotsync is used to transfer data between the user's PC and a Palm Pilot." The link to the article is here http://www.vnunet.com/News/1116644 Mitch James
I have cell service with AT&T Wireless Services in the Bay Area, and I recently purchased a new phone from them. Along with the phone, I received a 1-800 number to activate my new phone. When I called it, I reached an automated service, which asked me for: 1. My phone number 2. My 5-digit zip code 3. The ESN (equipment serial number) of my new phone. After this, the friendly recording informed me that my account information had been updated, and the new phone should be active in half an hour. It then offered me the chance to change the ESN for any other phones. Not being in the cloning business, I declined. My new phone started working, just as they promised. The RISKS? Given the small number of possible zip codes in, say, the 415 area code, it shouldn't take long trying zip codes and phone numbers within the AT&TWS exchanges at random before you get one right. Or surprise your friends or business partners by taking over their cell phone service and answering their incoming phone calls! - Nikita [Note added later in response to a comment from PGN:] I actually received some further information from AT&T. In response to my concerns, they stated: 1) They have detection software that looks for sudden geographic migration (their example was a shift from Berkeley to Sunnyvale within a span of 10 minutes). 2) They promise that I won't be billed for an illegally changed ESN. 3) The incidence of such fraud is small enough for them not to take additional precautions. I'm still a little worried about the possibility of a directed attack, i.e., someone who knows me stealing my cell phone # to find out who calls me. But there are probably other ways to do this, if you're resourceful enough... - Nikita
> ... putting all your eggs in one basket - flying such a concentration of > critical expertise in a single aircraft was reckless The UK electrical engineering establishment (that is, regular Institution of Electrical Engineer magazine articles, local talks, and sundry university lecturers in their dotage) will tell you in detail about the tragic life of Alan Dower Blumlein, an electronics wizard, audio engineer par excellence, and all-round Good Egg, who sadly died with most of his almost-as-talented-yet-seemingly-nameless colleagues when a research plane jolly they were all taking together over England for a bit of a lark came something of a cropper during The Big One (World War II). Oh, the loss to electrical engineering! Oh, the loss to the war effort! Oh, the many retrospective articles on Blumlein's short and tragic life! Oh, the generations of bored undergraduates! Oh, what might have been! Half a century on, nothing has changed. <L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>
Mike Beims suggests that "Data for whether or not there was a FADEC failure should have been available in the non-volatile memory built into the FADEC." This assumes that the FADEC memory survived the crash essentially intact. From my experience, NVMs in flight systems of this type are not crash-rated to the extent of a "real" crash recorder, and can fail in a crash.
(Note that I've replaced all entries that had a USA dollar sign with the word "usads". The reason will be obvious in a bit.) [discussion of how the legend of 2,400 dollar phone calls came about] > If you ever see a spam claiming (usads) 242,425/minute, just remember > you saw it here first." Note that last line, with the "242,245/minute" comment. The original postings in comp.dcom.telecom, as well as the repost in comp.risks, used the graphical representation of a USA dollar sign. Which, naturally, would get misread by some software so as to prepend yet another "24" to the figure.
RISKS of technical terms with multiple meanings... Asante, http://www.asante.com/product/index.html, says proudly that their routers feature "security holes." This is their term for physical holes in the housing of their device, which facilitate the attachment of a steel cable so that the device can be physically secured against theft. Daniel P. B. Smith <firstname.lastname@example.org> "Lifetime forwarding" address: email@example.com
In RISKS-21.16, Dan Birchall writes about the exposure of possibly-sensitive data - where someone works, when they'll be away, who else works with them - in e-mail automatic responses. The more things change, the more they stay the same. Seven or eight years ago, when some variant of the old "vacation" program - which implemented such messages on Unix systems - became widely used, there were a bunch of flames on the old Unix-Haters mailing list about the deluge of junk "vacation" messages sent mailing lists. I humorously suggested at the time that the appropriate way to get across the message that this wasn't the kind of thing everyone in the world wanted to - much less *should* - see would be to create a new Usenet group, alt.houses.nobody-home, to which such messages could be gatewayed. For even greater effect, any readily available information (from phone books and such) could be added. These days, of course, the Internet is *much* larger, and it's *much* easier to go from a name to an address and from an address to such information as how likely there are to be valuables in homes in the area. It continues to astound me that people blindly let thousands of absolute strangers know not only that they will be away, but often for exactly how long - and often even where they will be. These same people probably are careful to have their mail picked up, their newspaper deliveries stopped, and lights on timers going off and on around their houses, all so that they don't look empty! Jerry
For example, if your name is Billingsley, you get an error message when you try to sign up. The objectionable word seems to be "Billing". Removing one 'l' lets you sign up.
ACM examines the future of information technology (IT) and the potential impact of IT on science and society at "ACM1: Beyond Cyberspace," a special Conference (March 12-14, 2001) and Exposition (March 10-13), held at the San Jose Convention Center. Register at: http://www.acm.org/acm1. Speakers include: Steve Ballmer (Microsoft), David Baltimore (California Institute of Technology); Rodney A. Brooks (MIT AI Lab); Bill Buxton (Alias/Wavefront); Vint Cerf (WorldCom); Rita Colwell (NSF); Sylvia Earle (National Geographic Society); Shirley Ann Jackson (RPI); Dean Kamen (DEKA and FIRST); Alan Kay (Disney Imagineering); Ray Kurzweil (Kurzweil Technologies, Inc.); Marcia McNutt (Monterey Bay Aquarium Research Inst.); Martin Schuurmans (Philips Center for Industrial Technology); and Neil de Grasse Tyson (Hayden Planetarium), with Bob Metcalfe as Master of Ceremonies. The FREE "hands-on" Exposition, a "field day for the mind," geared for families and kids, will showcase the latest R&D software & hardware from 70+ companies, universities, and research/educational institutions. ACM1 also features a FREE Educators Day (March 10th) that will address broad educational initiatives and provide educators with proven strategies for engaging girls and minorities in technology-based education. For ACM1 educational offerings: http://www.acm.org/acm1/educators.
Please report problems with the web pages to the maintainer