Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Central London was brought to a standstill in the rush hour today when 800 sets of traffic lights failed at the same time — in effect locking signals on red. http://www.thisislondon.com/dynamic/news/top_story.html?in_review_id=649242&in_review_text_id=620267 http://www.thisislondon.com/dynamic/news/top_story.html ?in_review_id=649242&in_review_text_id=620267 Oops. I liked this bit: "The worst gridlock the capital has seen for years was caused by a computer which crashed as engineers installed software designed to give pedestrians longer to cross the roads." So, in essence, that worked perfectly. Testing complete. [Are you longing to cross the road on red? PGN]
Six days before it is set to launch a new trading platform, the Nasdaq Stock Market experienced a glitch as its systems accidentally rebroadcast the day's data for stocks beginning with the letters 'M' and 'N'. That resulted in daily volumes figures appearing much higher than they actually were for the affected stocks [with Microsoft, Nextel, and Novellus being listed among the top 10 movers]. [PGN-ed from Reuters item, 23 Jul 2002] http://news.moneycentral.msn.com/ticker/article.asp?Feed=RTR&Date=20020723&ID=1802531&Symbol=US:MSFT http://news.moneycentral.msn.com/ticker/article.asp ?Feed=RTR&Date=20020723&ID=1802531&Symbol=US:MSFT
The 26 Jul 2002 issue of the *Wall Street Journal* carried an article by Charles Forelle detailing how the Princeton admissions office was caught "accessing confidential Internet records to see whether its rival had admitted or rejected students who had applied to both schools." Princeton suspended, with pay, associate dean and director of admissions Stephen LeMenager, pending an investigation of the incident. "Princeton was able to use the publicly available Yale.edu1 Web site to get the confidential admissions data because it had the students' passwords — the names, Social Security numbers and dates of birth they had provided on their Princeton applications." After hearing rumors about Princeton accessing their site, Yale officials reviewed access logs for the site and discovered that computers using IP addresses belonging to Princeton had accessed the site. Yale contacted the students to ask if they had used computers near Princeton to check their accounts. No one said yes. The IP addresses were traced to the Princeton admissions office. "Lauren Weinstein, the founder of the Privacy Forum, an electronic-rights group, said Princeton's actions were clearly wrong, but Yale's site should not have relied on Social Security numbers and birth dates, which can sometimes be retrieved from public records, to secure the data." Excerpted and paraphrased from the Wall Street Journal article found here: <http://online.wsj.com/article/0,,SB1027628736531063280.djm,00.html> (subscription required) Steve Klein 1-248-YOUR-MAC-EXPERT (248-968-7622)
The 26 Jul 2002 *Metro* notes the appearance of strange chalk patterns on the streets of London. These consist of two semicircles, a circle, or a circumscribed W, with some numbers added. "Far from being the work of aliens, they have been created by something even more sinister - computer geeks." The symbols are the creation of one Matt Jones (a "British Internet expert"), and denote places where wireless connections to the Internet can be accessed. From what I can make out from the article the two semi-circles indicate an unsecured network, the circle indicates a closed network and the circumscribed W indicates secured network. The recording of this information is called "Warchalking". Businesses claim that this is a major risk to security. That may be so - it is certainly not a good advertisement for the Business in question (the real threat to security is the Business that has not taken care to secure it's wireless network). OK, not a new risk (Wireless LANs go back at least as far as Risks 10.83), but a more visible incarnation of an existing one.
Customers received two surprises from Handspring this week: an e-mail announcing the delay of the Treo handheld Treo 90 and Treo 270 (because of faulty screen parts), and customer names, e-mail addresses and phone numbers of other Treo customers. Handspring confirmed that its customer service department inadvertently attached a spreadsheet with customer information to an e-mail sent to about 250 people who placed Treo orders in recent days. [Source: Richard Shim, CNET News.com, 26 Jul 2002, retitled and PGN-ed] http://news.com.com/2100-1040-946624.html
Cybersecurity experts are busy lobbying Congress for protections from liability lawsuits but some analysts say the media may be over-stating the risks from terrorist cyber attacks. Marc Maiffret of eEye Digital Security says, "Terrorists are only recently starting to realize the benefits of having people within their organizations that have real hacking skills," and University of South California professor of communications Douglas Thomas adds: "Cyber-terrorism is a lot more difficult than many people assume." Even so, security expert Stanley Jarocki warns that terrorists could do a lot of damage by cracking U.S. corporate systems: "Today, some say it would be easier for a terrorist to attack a dam by hacking into its command-and-control computer network than it would be to obtain and deliver the tons of explosives needed to blow it up. Even more frightening, such destruction can be launched remotely, either from the safety of the terrorist's living room, or their hideout cave." [AP/USA Today 24 Jul 2002; NewsScan Daily, 25 July 2002] http://www.usatoday.com/tech/news/computersecurity/2002-07-24-cybersecurity-protection_x.htm http://www.usatoday.com/tech/news/computersecurity/ 2002-07-24-cybersecurity-protection_x.htm
According to CNET News.com, US Reps. Howard Berman, D-Calif., and Howard Coble, R-N.C., are planning to introduce a bill "that would permit copyright holders to perform nearly unchecked electronic hacking if they have a 'reasonable basis' to believe that piracy is taking place." http://news.com.com/2104-1023-945923.html I had already gotten a feeling of indigestion after researching the "palladium" issue, and now words are failing me - so may I ask the experts in this forum to share some of their insights about the proposed cyber warfare legislation and associated risks?
The ISO standards body will take the unprecedented step of withdrawing the JPEG image format as a formal standard if Forgent Networks, a small Texan company, continues to demand royalties on a seventeen-year old patent. According to Richard Clark, JPEG committee member and JPEG.org webmaster, Forgent's royalty grab — coming after two decades of royalty-free use -- means that ISO is obliged to withdraw the specification. [Source: Andrew Orlowski, *The Register*, 23 Jul 2002] http://theregister.co.uk/content/4/26339.html
In the days when disk drives were expensive and the size of washing machines, they usually had a "read only" physical switch. Flip the switch, and no matter what the software did, it couldn't write to the disk, because the write circuitry was disabled. Fast forward twenty years, where Scarabs Corp just introduced a disk drive with two heads and two cables. One cable is connected to a head (or more likely, a set of heads) that can read the disk and the other cable to an administrative computer that can both read and write the disk. Even if a hacker is successful at breaking into a system, they can't deface the web site. Too bad we don't have those old fashioned switches.... with the exception that you couldn't simultaneously have one machine updating and another in read-only mode, it's pretty much the same deal. Of course, none of these solutions are any good for web sites that need to update information on the fly (e.g., to put an order into a database). Details at http://computerworld.com/securitytopics/security/story/0,10801,72943,00.html
Algorithms for determining the day-of-week from year-month-day - whether or not truly Zeller's - can, for certain dates, compute a negative number mod 7, which does not yield the desired result. Zeller himself dealt with this. Tests using "current" dates in the later 1900's would not have seen this problem. A good test date is 2001-03-01 (1st March 2001); the algorithm can easily be run manually. The problem has been seen, for example, in C code in an Internet draft. Those whose systems do suitable run-time checking may already have discovered the problem. John Stockton, Surrey, UK. http://www.merlyn.demon.co.uk/programs/ Dates: miscdate.htm moredate.htm js-dates.htm pas-time.htm critdate.htm etc.
[Note the return of an old favourite: "People who have nothing to hide - why would they worry?" PH] Row over finger-printing in schools Source: http://news.bbc.co.uk/hi/english/education/newsid_2144000/2144188.stm Tens of thousands of children are being finger-printed in school — often without the consent of their parents, a human rights group has complained. Prints are taken for a library lending system which the makers say makes lending more efficient and less vulnerable to abuse. But the pressure group Privacy International says the practice is illegal and breaches the human right to privacy. [Dangerous] One of the makers of the technology, Micro Librarian Systems (MLS), say they have sold about 1,000 systems to schools in the UK and abroad. Simon Davies, of the campaign group Privacy International says the practice is "dangerous, illegal and unnecessary". He says the use of the technology should be banned in schools. "It dehumanizes our children and degrades their human rights," he said. "Such a process has the effect of softening children up for such initiatives as ID cards and DNA testing. It's clearly a case of 'get them while they're young'. They are seen as a soft target for this technology". [Encrypted] The group says it has been contacted by parents who are angry that they have not been asked for to give their consent for the finger-printing. Manufacturers MLS say it would be very difficult for a third party to access the prints and make use of them. The company's technology director Stephen Phillips said: "The system does not store the actual finger-print, but a map of it which takes in the print's key features. "The image is then compressed and encrypted, so it would take a lot of effort to use it. "People who have nothing to hide - why would they worry?" Mr Phillips said the company advised schools to consult or inform parents before they used the technology. He said only two parents had complained about the use of the technology to the company. Privacy International says it expects there to be legal challenges to the use of the technology in schools. [Also commented on by Gary Barnes. PGN]
(From Bugtraq, submitted to RISKS by Monty Solomon) (http://online.securityfocus.com/archive/1/284087) The password for an Apple iDisk is sent via HTTPS/WebDAV. However, if you configure OSX with an iDisk password, the same password is copied to the Mail.app configuration (which might not have been previously configured). Clicking on a "mailto" link fires up Mail.app, which then connects to mac.com which *does not* support any method of encrypted password transmission. Net effect: your iDisk password is transmitted in the clear without your awareness, albeit as a mail password. Problems: - mac.com SMTP doesn't support encrypted passwords - mac.com's mail password is *always* identical to iDisk password - OSX's "do what I mean" friendliness saves passwords without knowledge
RISKS has for many years now provided us with commentary and insight into the problems that result from trusting computers too much. I think more comment is due on the collision of a cargo plane and a Russian airliner, which could have been prevented if the Russian Pilot had trusted the computerized collision avoidance system (TCAS) rather than the human air controller. Marty Solomon noted the event in RISKS-22.15. There are several reported aspects of this event that deserve some thought. Every non pilot (and several private aircraft pilots who do not use TCAS) that I have spoken to, without exception, say they would have trusted the human air controller rather than the computer, this despite the fact that the human was miles away, using a remote sensing device and managing other problems. The TCAS, on the other hand, was right on the scene, directly communicating with the other plane's TCAS. The Hollywood portrayal of 'infallible' machines, and perhaps daily experience with modern PC's clearly has downgraded the public trust in automated devices. Western pilots, it was reported (NPR I believe), are trained to trust the TCAS over the human controller, Russian aviators the reverse, so it appears that the pilot was following his training, rather than deciding on the spur of the moment who to believe. Russian trainers are no doubt rethinking this policy. It would be interesting to learn the historical source for this difference in training. As with almost all major aviation disasters, multiple mistakes led to this crash. The decision to ignore the TCAS was the last in a series, and if the reports on the Russian training are correct, was not, technically speaking, a mistake on the pilot's part, however horrific the results. The RISK of blind, unthinking MIStrust of computers, we now see, can be as great as the risk of blind trust. An educated understanding of the computerized systems that we use is essential. Public perception is, in my opinion, too monolithic. TCAS is a highly tested system with a flawless record; it cannot be compared to the computer program that calculates my power bill. Bob Morrell, Cancer Center, http://home.triad.rr.com/bmorrell/
As I understand it, the main purposes of the filters is to control the amount of unsolicited (usually commercial) bulk e-mail a.k.a. spam. I've seen reports that UBE is a significant contributor to network infrastructure costs, which accrue to the recipient, not the sender. The filters do seem to be having some positive (from the recipients point of view) impact on the spam problem. Something else to watch out for is legality ... Certainly in the UK I do not know of any ISP that filters incoming mail. There may be some, but none of the big boys (BT, Demon, Freeserve that I know of) do. To do so without the explicit knowledge of their customers would almost certainly lay them open to charges of censorship, of unlawfully tapping and tampering with communications, etc etc. Many ISPs do filter outgoing mail though. I know Pipex scan everything going out via their servers, as does (I believe) Freeserve. Freeserve go even further, forcing all outgoing SMTP through their mail proxies, which have sophisticated anti-spam checks. They can get away with scanning outgoing mail because of AUPs and customer contracts, but scanning incoming mail would be legally very dangerous. Cheers, Wol
IMHO, the problem stems (as usual!) from bad management, and to a lesser degree, to incompetent sysadmins (hired by the same bad managers). What typically happens is that a bunch of users (say, not-very-computer-literate bosses - think Dilbert's pointy-haired boss) receive spam which they deem offensive (say, females receiving invitations to p*rn sites, or males insulted by the suggestion that they need V*agra or other below-the-waist "enhancements"), and demand that "something must be done". Now in a 33.6K modem environment, spam is a waste of download time, but on a corporate LAN when mails are brought to your desk in real time, it really isn't much effort to click "delete", and after a few dozen, one can recognise 99% of spam from the title... if one cares to make the effort (not always a hallmark of the "PHB"). So, the PHB storms off to the IS department with cries of "stop this cr*p from getting through". Now, either the IS people are clued up - in which case they might or might not try to dissuade the PHB, depending on whether their previous experiences in the corporate culture lead them to believe that this is likely to be fruitful - or, in many cases, they aren't. Either way, it's likely that they will implement e-mail filtering with "a product", usually "the market leader", which in turn got to be that way by making the biggest and most far-fetched claims, while spending the minimum on R&D to actually get that way. Many of us have already been down exactly the same road with Web content filtering. Most RISKs readers will, of course, be horrified by the idea that a spam filter could unintentionally block even a tiny percentage of non-spam mail. But I suspect that for the average PHB, not getting quite as many [genuine] e-mails as s/he currently does, might not be a bad thing. Less time spent typing (ugh!) and working out how blind copy works, etc. If they do get shouted at for not answering an important mail, well, they can blame IS !
> * Just PGP signing an e-mail is enough to ensure that the e-mail content is > not altered without notice. This is true. However, if it is altered, recovering the content of the original message may be difficult if you don't know what the filter did. One can argue this is a feature, as the recipient cannot misunderstand what he cannot decode or decrypt. >> * Just PGP encrypting is enough to ensure that the e-mail content >> cannot be filtered. This is not true, and ignores the point of Bill Gunshannon's original post. It is nearly guaranteed that PGP's base64 encoding will contain words which may cause the e-mail to be modified or dropped. Your dirty jokes may get through, but your lunch plans with your mother may not. Of course, the presence of such words in the encoded ciphertext is completely uncorrelated to the presence of such words in the plaintext, but explaining this to your PHB is up to you.
>* Just PGP encrypting is enough to ensure that the e-mail content cannot be > filtered. Unfortunately, one of the most common and useful anti-spam heuristics is "e-mail contains none of the most commmon english words". This catches a lot of non-English spam and pure-html crud. As the maintainer of a database of anti-spam heuristics (and previously, an anti-virus program author), the fact is that perfect spam detection is impossible, it's yet another variant of the halting problem. I personally find that the most effective approach is spam-labelling; in other words, adding headers to suspect e-mail saying "I think this is spam, and this is why". Then let the user's e-mail app apply filtering rules using the additional context. For example, I filter all e-mail marked as spam to the bottom of my inbox (lowest priority), then use other filtering rules to whitelist e-mail from known sources. I get over 300 spams a day but it takes only a few seconds to quickly scan them for false positives. Robert Woodhead, Webslave & Mad Overlord http://selfpromotion.com/
Re: rejecting a horse named "Dr. Fager", I started to see other possible rejection problems. Proper names: Would the name of the current USA President being interpreted as a vulgar term deserving filtering? The possible derogatory term rejected by the DW filter Danny Lawrence encountered is also a British reference for a cigarette. (I guess some proponents of DW filters would consider cigarettes and smoking worth filtering out. But then how can one do an anti-smoking... oops,,, anti-[filtered]... education on the Web?) Speaking of British terms, a recipes for some traditional British food dishes would run afoul of the filters: "[filtered]ers and Mash" "Spotted [filtered]" "[filtered] in Gravy" But "Bubble and Squeak" should be be safe. <g> [Not entirely. PGN]
Actually horse's names are still limited to 18 letters and all names must be submitted to the Jockey Club for approval. There is an overview of allowable names here: http://home.jockeyclub.com/rules/rules.html#rule6 (see, there is a "Rule 6"!). Also note the last rule "B. In addition to the provisions of this Rule, the Registrar of The Jockey Club reserves the right of approval on all name claiming requests." One owner, after having several names rejected by Buddy Bishop, the registrar, decided to call his horse "Buddy Named Me".
The second quarter 2002 issue of news@sei interactive is now available. The articles in this issue are "Preventing Security-Related Defects" "TIDE: Promoting Technology Adoption Through Technology Collaboration" "First International Conference on COTS-Based Software Systems a Success" "CERT/CC and Secret Service Collaborate on Security" Our columns in this issue are Watts New: "Surviving Failure" The Architect: "Aligning Business Models, Business Architectures, and IT Architectures" The COTS Spot: "Risk/Misfit Redux" Security Matters: "Is There an Intruder in My Computer?" news@sei interactive (http://interactive.sei.cmu.edu/) is a Web-based publication of the Software Engineering Institute (SEI). The news@sei interactive team is interested in your comments, questions, and suggestions for improvement. Contact us at interactive@sei.cmu.edu. CERT, Capability Maturity Model, and CMM are registered in the U.S. Patent and Trademark Office. CMM Integration, CMMI, Personal Software Process, and Team Software Process are service marks of Carnegie Mellon University.
Please report problems with the web pages to the maintainer