http://www.cnn.com/2002/US/Midwest/09/27/offbeat.teacher.paid.ap/index.html The only overpaid teacher, AP item, 27 Sep 2002 A Detroit public school teacher's pay was enough to make Bill Gates or Donald Trump envious. Thanks to a computer glitch, the teacher was paid $7.9 million before taxes for 18 minutes of work. The teacher, who wasn't identified, received $4,015,624.80 after taxes. Someone alerted the school district earlier this month, and the money was returned after six days, chief financial officer Ken Forrest said in Thursday's Detroit News. The error occurred when a clerk entered an employee number in the hourly wage field for the teacher's wage adjustment check. The district's payroll software didn't catch the mistake. "One of the things that came with (the software) is a fail-safe that prevents that. It doesn't work," Forrest said. The district has since installed a program to flag any paycheck exceeding $10,000, he said. [Gee, did they test the fix?] Jon Lasser email@example.com http://www.tux.org/~lasser/ http://www.cluestickconsulting.com
> Bear Stearns placed an erroneous order to sell $4 billion worth of stock > late Wednesday at the New York Stock Exchange, but most of the order was > canceled before it was executed. The NYSE said a clerical error caused > the brokerage house to enter the order to sell $4 billion worth of > Standard & Poor's securities at about 3:40 p.m. — 20 minutes before the > stock market closed. The order should have been for $4 million. All but > $622 million of the $4 billion transaction was canceled prior to > execution, the NYSE said in a statement. The NYSE had no further > comment. Officials at Bear Stearns were not immediately available for > comment. [AP item] We have talked about sanity checking time after time. You'd think that a major move would require MULTIPLE management approvals.....but.. We have met the enemy and he is us...
A friend is being admitted to a respected eating-disorders clinic in Southern California, which I was interested to learn more about. They have a fantastic supportive Web site at http://www.raderprograms.com/, mostly directed at individuals who have plucked up the courage to investigate treatment options. However, a small slip of the keyboard can destroy that courage. Drop the "s", and http://www.raderprogram.com/ redirects you to the Web site of Nutri/System --- ``your online weight loss solution'' asking ``how much weight you would like to lose? 10-20 pounds? more than 40?''. Changing `rader' to the more intuitive spelling `radar' gives the same results... The Nutri/System site seems quite legitimate, and of utility to a large percentage of the population (pun intended). But to litter the `typo space' in this way is of potentially life-threatening consequence to the individuals seeking the Rader Programs site, and thoroughly immoral. [Weight! Wait! Don't Spell Me! PGN]
A colleague recently sent me an e-mail containing material that was clearly not supposed to reach me. Apparently the sender had copied some text from another e-mail, with the intention to sanitize out the unsuitable bits, but had accidentally hit "send" before having completed the edits. While this certainly happens all the time and should be no news to any RISKS readers, it did stop me to think about e-mail client UI design. In our e-mail software, the keyboard shortcut for sending the message out is CTRL-Enter. In our word processing software (from the same manufacturer) the command to delete the last word is CTRL-backspace. The same word deletion method also works in our e-mail client, and seems to get frequent use by many people. The two keys are rather close together on most keyboards. Composing e-mail, I sometimes accidentally hit CTRL-Enter instead of CTRL-backspace. The e-mail client then happily sends out the uncompleted e-mail. Acknowledging my bad keyboard technique, I have chosen to leave my e-mail client in an offline mode, so I will have time to go back to my Outbox to rescue any stray e-mail before synchronizing with our IMAP server. I have therefore had to change my working mode due to the design of keyboard shortcuts. The RISKS? Bad shortcut design coupled with too fast fingers can cause embarrassing situations, possibly exposure of improper material, and increased global demand for an UNDO feature in sendmail.
Here's Boucher talking about this bill as far back as July 2001: http://www.politechbot.com/p-02308.html I've put the text of the Boucher bill here: http://www.politechbot.com/docs/boucher.dmca.amend.100302.pdf A similar bill, though not as widely supported, introduced by Rep. Lofgren is here: http://www.house.gov/lofgren/press/107press/021002_act.htm News article on Lofgren bill: http://news.com.com/2100-1023-960531.html -Declan By Declan McCullagh, Staff Writer, CNET News.com, 3 Oct 2002 A proposal to defang a controversial copyright law became public on Thursday, after more than a year of anticipation and months of closed-door negotiations with potential supporters. Formally titled the Digital Media Consumers' Rights Act, the new bill represents the boldest counterattack yet on recent expansions of copyright law that have been driven by entertainment industry firms worried about Internet piracy. The bill, introduced by Reps. Rick Boucher, D-Va., and John Doolittle, R-Calif., would repeal key sections of the 1998 Digital Millennium Copyright Act (DMCA). It would also require anyone selling copy-protected CDs to include a "prominent and plainly legible" notice that the discs include anti-piracy technology that could render them unreadable on some players. [...] http://news.com.com/2100-1023-960731.html POLITECH — Declan McCullagh's politics and technology mailing list. You may redistribute this message freely if you include this notice. To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ Declan McCullagh's photographs are at http://www.mccullagh.org/
Faulty access controls open DISA's technology requisition system to snoops. An improperly secured database operated by the U.S. Defense Information System Agency (DISA) allowed Internet surfers to view and place orders for computers, networks, cell phones, software, and other technology used by the military. Before it was locked down over the weekend, visitors to the Web site of DISA's Requirements Identification and Tracking System (RITS) were able to peruse hundreds of requisition documents, such as a $310,000 order for "new generation STE crypto devices" in support of the Global Command and Control System. http://online.securityfocus.com/news/911
British researchers have been able to use quantum cryptography keys encoded in photons of light to communicate through air for 23 kilometers, and the expectation is that by March of next year this capability will be extended to 1000 kilometers — far enough to reach all LEO satellites. Because any measure of a photon will alter its quantum properties, quantum cryptography guarantees that any attempt to intercept a message will be evident. (*New Scientist*, 2 Oct 2002; NewsScan Daily, 4 Oct 2002) http://www.newscientist.com/news/news.jsp?id=ns99992875
A 32-year-old restaurant busboy pleaded guilty on Thursday to pilfering personal and financial data belonging to America's rich and famous, including billionaire Warren Buffett. Abraham Abdallah, a high-school dropout, entered his guilty plea in response to a 12-count indictment charging him with wire, mail, and credit-card fraud, identity theft, and conspiracy — in what authorities believe is the largest identity theft in Internet history. The federal case accuses Abdallah of using the information as part of a scheme to steal more than $80 million from individuals, corporations and financial institutions. Although he pleaded guilty, Abdallah told U.S. District Judge Loretta Preska he was not driven by greed. ... Reuters, 3 Oct 2002 http://news.com.com/2100-1023-960754.html [This case was reported originally in RISKS-21.29. PGN]
Per an announcement from Stealth MediaLabs, Inc., http://biz.yahoo.com/bw/021003/32166_1.html, quote: "How many unpaid copies of music would you circulate if each contained your own credit-card number?... Built upon a new MS Windows Media-compatible technology... The StealthChannel is capable of stealthily embedding up to 20 kb/s of data into almost any digital audio signal. Embedded data can be anything from images to text to credit-card numbers... In most cases, data hidden in the StealthChannel can be embedded without increasing filesize..." They go on to mention that this is intended to be used as a "carrot" for those that do authorized copying of music by providing "goodies" such as discounted tickets or a couple of chapters of books yet to be published... It doesn't take much imagination to see the risks of this technology... Music companies "releasing" singles that when executed, check for other "unauthorized" music files and then delete them or at least send a list back to the music company for legal prosecution, Songs released to Kazaa or Gnutella that have viruses embedded in them, etc. The only limitation (currently, wait till future releases of MS Media players) is that you need the Stealth MediaLab plug-in to execute these "goodies". Ah, to go back to the good old days of having to worry only about subliminal messages and what the music said when played backwards... M@ Anderson, Enterprise Architect, American Financial Group 580 Walnut Street, Cincinnati, OH firstname.lastname@example.org (513) 412-4457
Tell it to the judge - or better yet, e-mail it to the judge. County officials are setting up a program under which people who get traffic tickets can e-mail their excuses and explanations to a judge. Until now, they'd have to sit for hours in court, waiting for a hearing. So far this year in the county, there have been more than 1,200 people who want to explain to a judge the circumstances surrounding their traffic tickets. After reading the e-mails, the judges will send their reply - either by e-mail, or an old-fashioned postcard. http://www.nandotimes.com/technology/story/555311p-4377123c.html [Mike Hogsett asked, "How long until someone writes the automated excuse generator? And starts collecting stats for them so that only the successful ones are used?"]
Looking at Dewie the Turtle (RISKS-22.27), I can't help but be reminded of Bert the Turtle from "Duck and Cover" (available at http://www.archive.org/movies/details-db.php?collection=prelinger&collectionid=19069 ). As a matter of fact, looking at the "totality of security measures" taken since September 11th, I can't help but be reminded of "Duck and Cover"; "what has changed" since that fateful day is of no more importance to the "security" of this nation or its people than the bombproof school desks of yesteryear. In re Dewie, I notice the essential difference between cyber security and civil defense in light of the atomic bomb — since there was nothing a young child could reasonably do to mitigate the risk of atomic attack, it is reasonable to "at least calm their nerves", at the very least it does no harm. In the case of cyber security, from the perspective of someone who sees so much of IT as _fundamentally_ insecure, providing such a "false sense" of the same seems ill-advised, as it encourages us to deny the causes of our problems rather than to fix them (standard practice in the computer industry, but practice that will have to change if we're going to _materially_ improve IT security) — in other words, to "cure the symptoms" while leaving the disease untouched. The same could of course be said about US "antiterrorism" policy in general, but RISKS is of course not the place for such a discussion. Jason T. Miller, One View Engineering 317-915-9039 ext. 302 [URL also noted by Richard Akerman. PGN]
Canada Post recently changed my home mailing address. Previously my address involved a rural route number and mail was addressed to the town in which the post office was situated. The new address has the same street and number, but omits the rural route designation and has a different town and postal code. This change was first announced over a year ago, but the new postal codes were only announced a few weeks ago, and are "official" on Oct. 21, 2002. BC (before computers) I would simply have mailed change-of-address cards that take only minutes to fill out. Now I have a choice. I can spend minutes online trying to find an actual mailing address, or minutes filling out an online form, only to find that the new address fails the online entry validation when I submit the form. Many of the companies I deal with, including well-known online retailers, allow customers to update their personal information online. In one case, when I clicked "submit", the result was an error page stating that my postal code was not valid for my street address. After contacting customer support, I was told that I could bypass the checks by submitting the form a second time. The risks here are from data validation systems which assume that there is a unique mapping (e.g., between street address and postal code) and can only be updated at a single point in time, so users will be making updated entries before the database has been updated, or will fail to make the update so their records become "invalid" when the mapping is updated. During a transaction, a mailing address is required when the order is placed. Credit card companies may check the shipping address when the charge is applied, hopefully not long before when the item is ready to ship. My new postal code is interesting, as it consists entirely of pairs of easily confused letters and numbers: "2Z", "3B", and "6G". 
Was this error-prone code rejected when postal codes were first issued, and then pressed into service when a new code was required? It will be interesting to observe how often errors are made by people manually transcribing the values I entered in WWW address forms into their mailing databases. George N. White III <email@example.com> Head of St. Margarets Bay, Nova Scotia, Canada
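The changeover problem described in the post above, as an added example that is not part of the original submission: a validator that keeps dated street-to-code records instead of one fixed mapping, so the old and the newly announced code are both accepted during the transition and a well-formed but unknown code is queued for review rather than refused. It also uses the alternating letter/digit layout of Canadian postal codes to repair the confusable pairs the post names. The street, the codes, the dates and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Confusable pairs named in the post. Canadian postal codes alternate
# letter/digit (A1A 1A1), so each position tells us which reading is meant.
TO_LETTER = {"2": "Z", "3": "B", "6": "G"}
TO_DIGIT = {letter: digit for digit, letter in TO_LETTER.items()}
FORMAT = re.compile(r"[A-Z][0-9][A-Z][0-9][A-Z][0-9]")


def normalize(raw: str) -> Optional[str]:
    """Return the code as 'A1A 1A1', repairing confusables by position."""
    chars = [c for c in raw.upper() if c.isalnum()]
    if len(chars) != 6:
        return None
    fixed = "".join(
        (TO_LETTER if i % 2 == 0 else TO_DIGIT).get(c, c)
        for i, c in enumerate(chars)
    )
    return f"{fixed[:3]} {fixed[3:]}" if FORMAT.fullmatch(fixed) else None


@dataclass(frozen=True)
class CodeRecord:
    street: str
    code: str
    announced: date           # first day customers may start using the code
    retired: Optional[date]   # last day it is accepted; None = still current


def check(street: str, raw: str, today: date, table: List[CodeRecord]) -> str:
    """Classify a submitted address as 'accept', 'review' or 'reject'."""
    code = normalize(raw)
    if code is None:
        return "reject"       # malformed: not a postal code at all
    for rec in table:
        if rec.street == street and rec.code == code:
            in_window = rec.announced <= today and (
                rec.retired is None or today <= rec.retired)
            return "accept" if in_window else "review"
    # Well-formed but unknown: the table may simply be stale, so queue the
    # entry for a human instead of blocking the customer.
    return "review"


# Constructed sample data: street, codes and dates are illustrative only.
TABLE = [
    CodeRecord("100 Example Rd", "B0J 1A0", date(1990, 1, 1), date(2003, 10, 21)),
    CodeRecord("100 Example Rd", "B3G 2Z6", date(2002, 9, 30), None),
]

if __name__ == "__main__":
    for raw, day in [("b3g2z6", date(2002, 10, 5)), ("B0J 1A0", date(2002, 11, 1)),
                     ("B36 226", date(2002, 11, 1)), ("B3G 2Z7", date(2002, 11, 1))]:
        print(raw, day, check("100 Example Rd", raw, day, TABLE))
```

Only a malformed entry is rejected outright; a code that is known but outside its date window, or not yet in the table, goes to review so the customer is never forced to resubmit to get past the check.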
Office evacuated when box of batteries explodes A box of recycled nickel-cadmium batteries used in voting machines exploded at a county building Monday afternoon. No one was injured, but about 30 employees were evacuated from the Elections Office at 40 Tower Road. Around 3:30 p.m., the box of about 1,100 button-shaped batteries blew up, scattering small metal pieces 10 to 15 feet in all directions of the warehouse where they were stored, according to Capt. Gary So of the California Department of Forestry. So theorized that some of the used batteries had charges left and when their negative terminals touched, heat built up and they exploded. http://www.bayarea.com/mld/mercurynews/news/local/4187348.htm
Re: Paper ballots, no panacea (Neff, RISKS-22.27) Andy Neff states in RISKS-22.27 "Paper ballots ... still have to be counted by machines in an election of any reasonable size." Not so. British elections still [mostly] consist of voters manually entering 'X' in a box adjoining the candidate's name on a sheet of paper. For each constituency [ranging from 1,000,000 eligible voters in a European election to 1,000 in town elections] these sheets of paper are then brought together and counted manually. Candidates (or their agents) are allowed to observe the process. [Also noted in the UK by T Panton, in provincial and federal elections in Canada by Charles Cazabon, and David Skoll (next). PGN] Being a human process, mistakes will of course be made. If the final totals are close, the losing candidate may request a recount. Manual recounts will continue until everyone is satisfied. In extreme cases where candidates are separated by 1 or 2 votes, there will be several recounts. It's old technology and not very flashy, but it's demonstrably accurate and foolproof. However the government is now going down the road of making voting sexier by trying out new-fangled (even online) voting methods. I fear the worst ...

RE: Elections In America - Assume Crooks Are In Control (Landis, RISKS-22.25) Lynn Landis stated in RISKS-22.25 "As far as we know, some guy from Russia could be controlling the outcome of computerized elections in the United States." She is partially correct. I say "As far as I know, some guy from the United States could be controlling the outcome of computerized elections in the United States." For many of us in Europe, the US voting system lost all credibility in the last presidential election.
"Paper ballots, be they optical scan or punch card, still have to be counted by machines in an election of any reasonable size." This is manifestly not so. Paper ballots can easily be counted by hand, providing enough people do the counting. The proper way to count ballots is to have officers and witnesses count the ballots for each polling station, and then send their totals to regional tallying centers. These regional centers add up the votes and send their totals to national centers. By having a tree of counters, and officials from all interested parties at each stage, truly huge numbers of votes can easily be counted by humans. If the election is close or results are contested, then the paper ballots are available for recounting. A human recount of all ballots may be slow, but it wouldn't be needed most of the time. Paper-based solutions can be badly designed, as Neff points out, but a well-designed paper solution is about the best we have, in spite of modern technology.
> 1) As most who witnessed the 2000 US Presidential Election agree, paper > ballots created problems. Paper ballots, be they optical scan or punch card, > still have to be counted by machines in an election of any reasonable > size. There was a general election in Germany a little more than a week ago. From 61 million eligible voters out of a population of a little over 80 million, 79% or about 48 million actually voted, each having two votes. I think this qualifies as "reasonable size". The ballot is one piece of paper, on which one has to make a mark in each of two columns. Thus, about 48 million sheets of paper were counted entirely by hand, although I'm sure the tallying above the level of the voting locale is done electronically (this is logarithmic in the number of votes counted in any case). Usually, it takes about six to seven hours to arrive at the "vorläufige amtliche Endergebnis" - roughly, the "provisional official final result". This time, due to some of the election officials leaving their job when it was half done, it took almost ten hours to get to that point. Cost: about one Euro (approx. one US dollar) per eligible voter. I see no reason to believe that this isn't applicable to almost all types of election. Even the most complicated of elections in Bavaria, where the voter has a large number of votes he can distribute, or not, according to certain rules to those wanting to be elected, take at most two days to get to the final result - the main effect is that the number of invalid ballots is much larger than the usual ~1%, and here a computerized system would surely be able to help in filling out the form according to the rules. Jan Vorbrüggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen +49 201 437 52 52 http://www.mediasec.com firstname.lastname@example.org
> Re: Paper ballots, no panacea > Remember the butterfly ballot in Palm Beach County, Florida ... I think what the butterfly ballot problem indicates is that ballot papers should be designed for humans, not machines. I have voted in both the UK and Germany, and I think I am not alone among Europeans in finding the current American debate surreal. We all have systems where ballot papers have two columns, with the candidates' names and/or parties listed in the first column, and boxes next to these names in which you put a cross or (for STV systems) a number. All votes are counted at least once, by humans, and (at least in the UK) the candidates are entitled to send along representatives to watch every stage of the process. Where there is a problem which might affect the result of an election it ends up in the courts; for example a few years ago a local election turned on whether someone who had put a gigantic cross over the entire ballot paper intended to vote for the candidate whose box contained the centre of the cross, or just intended to spoil the paper. But this is so rare it hardly ever happens. The system is so obvious and so simple it is embarrassing to have to spell it in comp.risks, but I can't understand why American states instead seem addicted to mechanical solutions which will invariably go wrong somehow. Furthermore I just don't see the point of letting machines do the counting, but keeping backup paper ballots for humans to count just in case the machines go wrong or one of the candidates smells a rat. Why keep paper ballots unless you have trained and experienced humans in place to count them? And if you have that, why not just get the humans to count the papers in the first place? In the UK if the candidates dispute the result of a close-run election they can call for a recount. This is I think much quicker than the original count, since the ballot papers are already sorted, and it is only a question of checking that they are all correctly distributed. 
I'd have to check the Guinness Book of Records for this, but I think the record number of counts in a British General Election is something like 7, and it took about 20 hours from when the polls closed. A far cry from Florida in 2000, where it wasn't possible to count every vote even once in several months. I suppose American states choose to do counting by machines because it's cheaper. But you'd think that given that we only vote once every few years, it might be worth spending a dollar or two per voter (I doubt if it costs anything nearly as much as that in the UK) to see that you get every vote counted properly. I don't want to pretend the British system is perfect; you have other issues like the security problems allocating postal votes in the 2001 General Election, and the risk that, because there is no British identity card, it is very easy to vote pretending to be somebody else. But these are orthogonal to the question of how you actually vote and count the votes. I'm not an expert at all. I feel incredibly naive. But at least would someone be good enough to explain in baby-talk why it is necessary to have complex mechanical systems at all, when the simple paper one seems to work so well. [Incidentally, the butterfly ballot is apparently technically illegal in Florida, but was approved anyway. PGN]