Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
I am collecting endorsements for a statement I have written (with a lot of help) opposing electronic voting machines that do not produce paper ballots (or, in the future, some other independent voter-verifiable audit mechanism). A lot of communities (and whole states, in some cases) are buying these machines because of pressure resulting from the 2000 election. The problem is that if errors or fraud are detected in an election using these machines, there is no way to recover, other than a revote. Worse, and more likely, errors or fraud may remain be undetected. I have already collected endorsements from over 100 computer scientists, many of them leading experts in elections, computer security, and software engineering. I have a Web page with background material, the statement, and the current list of endorsements. It would be great if you could join us in endorsing this statement. It would also be great if you could bring the issue to the attention of others who might be interested. http://verify.stanford.edu/evote.html If you are especially enthusiastic, other offers of help would be appreciated. This has turned out to be a bit more difficult than I thought it would be! Thanks a lot, David Dill Stanford University
On mission STS-107, the space shuttle Columbia (OV-102) suffered physical damage to its left wing during ascent. It is possible that this damage contributed to the subsequent breakup and loss of the orbiter during descent. During the entire flight, despite being aware that damage had occurred, NASA remained unaware of the extent of the damage, making inadequate efforts to determine the nature of the damage. This error is ascribed to three aspects of NASA's management of manned spaceflights: excessive reliance on checklists, cumbersome EVA procedures, and a lack of autonomy for astronauts in flight. http://www.fysh.org/~zefram/nasa/sts107_culture.txt [NASA is now backing off on the tile-damage theory. PGN]
When the Columbia shuttle stopped transmitting voice signals at 9 a.m, and debris began raining down over a 200-mile-long swath of Texas and Louisiana, some data apparently continued to flow for another 32 seconds after contact was lost. However, computers on the ground rejected the data because it was "corrupted". NASA is trying to reconstruct this data. [Source: John M. Broder, NASA Now Doubts Tank Debris Doomed Columbia, PGN-ed] *The New York Times*, 5 Feb 2003; PGN-ed] http://www.nytimes.com/2003/02/06/national/nationalspecial/06XSHU.html One obvious solution would be to have at least one process save all data, corrupt or not. Eric De Mund <ead@ixian.com> Ixian Systems, Inc., Mountain View, CA http://www.ixian.com/ead/
*Washington Monthly* has reposted its April 1980 critique of the space shuttle design. It's worth reading as a reminder that there have long been serious criticisms of the space shuttle for safety and economic reasons. http://www.washingtonmonthly.com/features/2001/8004.easterbrook-fulltext.html
In an extreme example of computing risk, the December 1996 issue of Fast Company profiled the software developers for NASA's space shuttle program and tremendous rigour they apply to their jobs. Bill Pate, one of the senior programmers, is quoted: "If the software isn't perfect, some of the people we go to meetings with might die." http://www.fastcompany.com/online/06/writestuff.html The truth is, as we have been reminded, that might happen even if the software _is_ perfect. After the space shuttle Columbia broke up on re-entry last weekend, I wondered whether astronauts have the most dangerous job in (or around) the world. While I'm not a statistician, my quick calculations indicate that they do. Fatality statistics are usually listed in numbers per 100,000, because for most activities they are pretty small: the risk of death is 2 per 100,000 scuba divers; 22 per 100,000 vehicle drivers; and 122 per 100,000 loggers (apparently the most dangerous of "normal" jobs). We should be careful about making comparisons using astronauts and other occupations with very small numbers of participants, where we can only really calculate historical averages rather than yearly rates (which is how most fatality rates are reported). With that in mind, however, I did a quick Google search and figured out that the death rate for astronauts and cosmonauts over the past 40+ years is (as of this week) about 7.5%, or 7,500 per 100,000 — something like sixty times the rate for loggers. It is also nearly twice the 4.3% rate calculated for high-altitude mountaineering (often called the world's most dangerous job). That is especially notable since mountaineers often die from their own decisions, sometimes alone, while astronauts are supported by thousands of people and billions of dollars in technology, but still die more frequently. Other jobs have been more hazardous in the past. Sixty-three percent of German U-boat crew members were lost during World War II, nearly ten times the death rate of astronauts. But being a frontline soldier actively hunted in the open ocean during wartime is a different sort of "job," I would say. I provide a bit more detail and links to my sources at: http://www.penmachine.com/journal/2003_02_01_news_archive.html#90270862 with a followup here: http://www.penmachine.com/journal/2003_02_01_news_archive.html#90276578 Again, these numbers are quick and off-the-cuff. But it seems pretty clear that being an astronaut has always been and will remain a very risky endeavour for the foreseeable future. Astronauts and cosmonauts have always known that very well, even if the rest of us sometimes forget. Derek K. Miller, Vancouver, Canada dkmiller@pobox.com Penmachine Media Company | http://www.penmachine.com
I was on a flight back from Chicago to San Diego yesterday afternoon. We were scheduled to leave a bit after 5, but we instead took off around 6. The pilot said that all American Airlines flights were unable to take off because "a big supercomputer in ... (I forget where; in the south, I believe) crashed." It seems, according to him, that all flight plans, weight allowances, and fuel amounts are computed at this one machine and distributed out to the flights. I had not known of this single point of failure. Does anyone know more? How large of a region does this cover? Are crashes really rare enough to not have a hot standby? (Okay, AA is on the verge of bankruptcy).
A virus apparently attacked an AC Jazz flight-planning computer that provides essential information on fueling, weather, and other variables. Without the computer's flight information releases, aircraft cannot take off. The problem affected only Air Canada's regional operations. About 200 flights were affected, some canceled, some delayed. [Source: *National Post*, 6 Feb 2003] http://www.nationalpost.com/national/story.html ?id=%7B04638B16-6927-49FB-A548-1E8DC2D6E430%7D
Federal prosecutors in Manhattan have charged 19 people with being part of an identity-theft ring in the Bronx that received at least $7 million in federal tax refunds by filing thousands of fraudulent income tax returns, using stolen Social Security numbers for people who were deceased or otherwise not filing returns. Having been implicated, one corrupt tax preparer in the Bronx then decided to cooperate with federal authorities, recording conversations and gathering evidence, and enabling the other culprits to be apprehended. (They used the IRS's electronic filing system!) The returns yielded an average of $2500 each. [Source: Benjamin Weiser, *The New York Times*, 5 Feb 2003; PGN-ed] http://www.nytimes.com/2003/02/05/nyregion/05TAX.html
Handling bills, claims sends costs climbing When President Bush took aim last week at bloated medical bills, he blamed lawyers, bureaucrats, and insurance companies for driving up costs. But there is a hidden culprit he did not mention: woefully outdated back-office technology. The medical system has invested heavily in new ways to heal patients, but it has neglected the nuts-and-bolts business of managing bills and records. Of all the intractable challenges in health care, updating bill collecting and claims processing might seem the simplest to address. But the $1.4 trillion health industry for years has lagged the rest of the economy in high-tech spending. Only agriculture and education spend less. Even in Boston, where world-class hospitals spare no expense to treat cancer or deliver babies, and software gurus thrive on solving complex problems, health care was left behind in the drive for efficiency that changed the face of American business in the 1990s. Dr. Harris A. Berman, chief executive of Tufts Health Plan, said the medical sector's failure to harness new systems is wasting a fortune: one-third of every health-care dollar is spent on administration. The piles of paperwork and thickets of mismatched databases make life more difficult for consumers and affect the care they receive. Bankers, car dealers, and tax collectors have all raced past health-care providers in basic technology, he said. ... [Source: Beth Healy, *The Boston Daily Globe*, 4 Feb 2003] http://www.boston.com/dailyglobe2/035/nation/Old_data_systems_a_health_care_burden+.shtml
By Declan McCullagh
Staff Writer, CNET News.com
February 5, 2003, 4:00 AM PT
In a move that raises questions about the security of governmental domains,
the Bush administration has pulled the plug on a .gov Web site pending an
investigation into the authenticity of the organization that controlled it.
Until recently, visitors to the AONN.gov Web site were treated to a
smorgasbord of information about an agency calling itself the Access One
Network Northwest (AONN), a self-described cyberwarfare unit claiming to
employ more than 2,000 people and had the support of the U.S. Department of
Defense. [HOWEVER,] no federal agency called AONN appears to exist, and no
agency with that name is on the official list of organizations maintained by
the U.S. National Institute of Standards and Technology. The General
Services Administration (GSA), which runs the .gov registry, pulled the
domain on Jan. 24, after a query from CNET News.com. ...
http://news.com.com/2100-1023-983384.html
[The entire message from Declan is at
http://www.politechbot.com/p-04413.html
A mirror of AONN.gov before it was taken down is at
http://www.politechbot.com/docs/aonn/
A subsequent message from Declan is at
http://www.politechbot.com/
as is information on how to subscribe. Wonderful stuff. PGN]
Rather ironically, Members of Parliament have installed an offensive-e-mail filtering system that overzealously blocked distribution of a Sexual Offences Bill as well as a Liberal Democrat consultation paper on censorship, among other things. [PGN-ed. No surprises there.] http://www.vnunet.com/News/1138508
A colleague of mine just received this response from Microsoft, in response to a request to be REMOVED from an MS spam list. He/she remarked that "Not only is their SQL software buggy, it is slow too..." Date: Wed, 5 Feb 2003 12:48:26 -0800 (PST) From: Microsoft <TechEd2003@email.microsoft.com> Subject: Don't miss TechEd 2003: The definitive Microsoft technology event ... ... Please note that it can take up to eight weeks to update customer information in our database; therefore, you may receive e-mail from us within that time period.
While searching the Hewlett-Packard site for information about a particular model of Presario 63xx computer (which, incidentally, appears unfindable through their usual mechanisms) I happened on http://wwss1pro.compaq.com/support/reference_library/viewdocument.asp?source =DO020926_CW01.xml&dt=3 Customer Advisory: DO020926_CW01 - Various Issues May Occur After Installing Windows XP Service Pack 1 On Presario 6300 Series Computers After installing Windows XP Service Pack 1 on Presario 6300 Series computers and then performing a non-destructive restore, the system stops responding and will not boot into Windows.... The user must perform a destructive recovery to restore the system. All personal data that is not backed up will be lost.... HP recommends that customers refrain from downloading and installing SP1 on Presario 6300 Series computers at this time. "Various issues"! HP advises customers to "check back frequently", but the notice has been up for 4 months. According to Microsoft, SP1 is an important upgrade: Windows XP Service Pack 1 (SP1) provides the latest security and reliability updates to the Windows XP family of operating systems, and includes Internet Explorer 6 SP1. Windows XP SP1 is designed to ensure Windows XP platform compatibility with newly released software and hardware, and includes updates that resolve issues discovered by customers or by Microsoft's internal testing team. The RISK to the normal user seems clear enough: the user may perform the upgrade without ever knowing about the "advisory" on HP's site. My brother, for whom I was doing the research, bought his computer after the date of the advisory, but had never heard about it; luckily I was able to warn him before he did anything foolish, like attempting to install this recommended upgrade.
We have completed our preliminary analysis of the spread of the Sapphire/Slammer SQL worm. This worm required roughly 10 minutes to spread worldwide making it by far the fastest worm to date. In the early stages the worm was doubling in size every 8.5 seconds. At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more. This remarkable speed, nearly two orders of magnitude faster than Code Red, was the result of a bandwidth-limited scanner. Since Sapphire didn't need to wait for responses, each copy could scan at the maximum rate that the processor and network bandwidth could support. There were also two noteworthy bugs in the pseudo-random number generator that complicated our analysis and limited our ability to estimate the total infection but that did not slow the spread of the worm. The full analysis is available at http://www.caida.org/analysis/security/sapphire/ (click on tech report) http://www.silicondefense.com/sapphire/ http://www.cs.berkeley.edu/~nweaver/sapphire/ The animation (made by Ryan Koga and Jeffery Brown) is available at http://www.caida.org/analysis/security/sapphire/sapphire-2f-30m-2003-01-25.gif David Moore, CAIDA & UCSD CSE Vern Paxson, ICIR & LBNL Stefan Savage, UCSD CSE Colleen Shannon, CAIDA Stuart Staniford, Silicon Defense Nicholas Weaver, Silicon Defense and UC Berkeley EECS Caida mailing list <Caida@caida.org> http://login.caida.org/mailman/listinfo/caida
Bill Bumgarner's message in Risks 22.52 clarifying the purposes of the CSS encryption used on DVDs is a clear, well-written statement of why CSS is used. However, there is one point on which I think he is mistaken. He said, "CSS is intended to prevent unlawful access to the content in three ways." The problem here is the word "unlawful". These activities are not in themselves unlawful, although the MPAA would like everyone, including the legal system, to think that they are. These are activities the DVD publishers don't want you to be able to do, but with the exception of laws like the DMCA, they can only enforce their wishes by making it difficult. But to allow them to claim that they invented CSS to prevent "unlawful" activity makes a lot of otherwise fair uses of DVD appear illegal. I was watching a movie the other day (Goldmember) that deactivated the fast forward, rewind, and pause buttons on my DVD player. The only way to watch it is from the beginning, without stopping. If the phone rings, or something else distracts you, too bad. You'll have to start the movie over to see what you missed. Are the movie studios really wanting to claim it's unlawful to watch this movie any other way? Bob Langford, Silicon Masters Consulting, Inc.
BKCYBCRM.RVW 20030121 "Cybercrime: Vandalizing the Information Society", Steven Furnell, 2002, 0-201-72159-7, U$29.99/C$44.95 %A Steven Furnell %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2002 %G 0-201-72159-7 %I Addison-Wesley Publishing Co. %O U$29.99/C$44.95 416-447-5101 fax: 416-443-0948 bkexpress@aw.com %O http://www.amazon.com/exec/obidos/ASIN/0201721597/robsladesinterne %P 316 p. %T "Cybercrime: Vandalizing the Information Society" The preface states that this book is a general introduction to cybercrime, directed at any audience, and requiring no specific technical background. With certain provisos, those objectives are met. Chapter one is a historical look at information and the rise of the net, dealing particularly with basic concepts and security. Computer related crime is said to be happening, in chapter two, and some anecdotal examples are given. Blackhat "celebrities" and groups are examined in chapter three. While the jargon that Furnell uses tends to come from the media, his research is obviously superior to that of many similar books on the topic. Chapter four lists some exploits and attack approaches. Malware, in chapter five, also shows better than normal investigation, although some of the terminology is dated. Societal aspects of cybercrime, in chapter six, seems to rely primarily on opinion surveys, but there is some interesting material on laws and the public perception of cybercriminals. Recent developments, such as ethical hacking, hacktivism, information warfare, and cyberterrorism, are collected in chapter seven. Chapter eight lists some recommended security practices. The book does fall into the all-too-usual trap of concentrating on the sensational side of information and network related crime (that of the outside, and targeted, intruder), and therefore fails to provide a complete picture. However, within its limits, the work does present a reasonable and balanced view. copyright, Robert M. Slade, 2003 BKCYBCRM.RVW 20030121 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKCBRLAW.RVW 20021126 "Cyberlaw: National and International Perspectives", Roy J. Girasa, 2002, 0-13-065564-3 %A Roy J. Girasa rgirasa@pace.edu www.prenhall.com/girasa %C One Lake St., Upper Saddle River, NJ 07458 %D 2002 %G 0-13-065564-3 %I Prentice Hall %O +1-201-236-7139 fax: +1-201-236-7131 %O http://www.amazon.com/exec/obidos/ASIN/0130655643/robsladesinterne %P 433 p. %T "Cyberlaw: National and International Perspectives" The back cover states that this is the "most comprehensive Internet law text for students of any discipline." The preface doesn't really contradict that statement, but then, it doesn't really specify a particular audience. The text itself, on the other hand, does not appear to be a reference, but rather a textbook for law students, and law students only. (American law students, at that.) While one cannot fault the author for the presumption of the publisher (who ultimately gets to decide on jacket copy), the overly broad attempt at marketing is going to be frustrating for some readers. Part one provides an introduction and examines jurisdiction. Chapter one is an introduction and overview of both the technology and law. This demonstrates a number of limitations (the technology is limited to the Internet), and, of course, the sort of bias one would expect to see in a legal text. (The definition of the Internet is taken from a "Finding of Fact" in the case that struck down the Communications Decency Act and contains a number of errors in terminology and, well, fact. The legal system is described only in terms of the various levels of US courts.) A number of cases regarding jurisdiction, first between US states and then between states and foreign States, is presented in chapter two. While this will undoubtedly be of value to US lawyers engaged in such battles, for the layman the best that can be determined is that a) the situation is indeterminate, and b) the material is confusing. Part two deals with contracts, torts, and criminal law aspects of cyberspace. Chapter three looks at US case law regarding contracts and torts, including related topics such as commercial codes like UCITA. (Many implications of the legislation are poorly expressed: there are several paragraphs describing the implied warranties under UCITA, and a brief mention of the fact that using the words "as is" voids them all.) The construction of chapter four is very odd, since it begins with a review of international statutes dealing with commercial online transactions, and then moves on to torts, and back to US cases. Although the first presentation of criminal cases is from Germany, all of the remaining material in chapter five, primarily on censorship, obscenity, and a little fraud, comes from the US. Part three looks at intellectual property rights. Most of the copyright cases in chapter six, all from the US, deal with general issues unrelated to technology, at least not directly, while the cases presented in chapter seven are more directly related to technology. Chapter eight deals with trademarks, and the relation to technology is primarily made in terms of cybersquatting (the practice of registering a domain name using a famous name or trademark, so that the owner must buy it from you). Patents and trade secrets are covered in chapter nine, and the relation to network technology is rather slim. Part four addresses privacy and security issues. Except that there is only chapter ten, on privacy. Part five talks about antitrust, securities regulation, and relaxation. Antitrust, in chapter eleven, covers Microsoft, IBM, and a number of others. Chapter twelve's review of securities regulation cases primarily deals with fraud, and the technical links are basically irrelevant. The taxation of net businesses is in chapter thirteen. As a textbook for law school students, this is undoubtedly useful. The cases are collected, and questions are asked to encourage students to think about various aspects of cases, and related precedents that might be applicable. While US structures and law predominate, there is not only acknowledgement of foreign legislation, but some detailed case examination as well. In fact, practicing lawyers would also find this volume extremely valuable, for the direction in terms of case research on precedent if nothing else. For non-lawyers, such as security professionals, the content is extremely frustrating: all questions and no answers. Still, given the extremely murky state of US law in regard to the net and technology, this tome certainly could be worthwhile, even for those outside the US legal system. copyright Robert M. Slade, 2002 BKCBRLAW.RVW 20021126 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
Please report problems with the web pages to the maintainer