Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
A new data system named Pegasos has forced doctors in Helsinki to ask patients to remember their case history and to take hand notes. The fact that doctors cannot get any historical data forces them to spend m= ore time writing (*sigh*) the data and reviewing the past treatments. As a conclusion, computers can, instead of speeding up the process, slow it down. [Source: http://www.helsinki-hs.net/news.asp?id=3D20030206IE8] Jesus Climent | Unix SysAdm | Helsinki, Finland | pumuki.hispalinux.es
http://www.baselinemag.com/article2/0,3959,880881,00.asp Eighty-five hundred people at St. Mary's Mercy [in Grand Rapids, Michigan] thought they were still alive. But the hospital's computers were telling them they were not. ... It turns out St. Mary's Mercy had recently completed an upgrade of its patient-management software system... A "mapping error" in the conversion process resulted in the hospital assigning a disposition code of "20"--which meant expired--instead of "01," which meant the patient had been discharged. Worse, that errant data wasn't sent just to the shocked patients but to their insurance companies as well as the local Social Security office, which helps determine whether elderly or disabled patients are eligible for Medicare. Obviously, once a patient is dead, Medicare--assuming its electronic-records system is accurate--isn't going to make any payments on bills for future medical services or medication.
One remarkable aspect of techno-enthusiasm is the willingness to recast failure as a form of success. A long piece in CIO Magazine, "Off the Charts" describes a failure of the electronic medical record system as evidence of the value of the system itself. The piece describes a chip failure (burned out Alpha processor) that went on to generate a 20-minute delays in viewing medical records in the system at the University of Illinois medical center. According to the Christopher Koch, the author, the fact that "angry calls streamed into IS" from physicians (who had conveniently forgotten that there was a "read-only database that had been built for such emergencies") serves as prima facie evidence that the system is valuable. No mention is made of whether patient care was impeded or if missing information contributed to accidents during the interval. [http://www.cio.com/archive/020103/eva_charts_content.html] If a small failure marks a favorable climate, perhaps a full fledged catastrophe marks real success? Richard I. Cook, MD, Associate Professor Clinical Anesthesia and Critical Care Univ. Chicago, 5841 S. Maryland Ave MC4028, Chicago, IL 60637 www.ctlab.org
A state auditor found that at least one computer used by staffers counseling clients with AIDS or HIV was ready to be offered for sale to the public even though it still contained files of thousands of people. Auditor Ed Hatchett said: "This is significant data. It's a lot of information lots of names and things like sexual partners of those who are diagnosed with AIDS. It's a terrible security breach." Health Services Secretary Marcia Morgan, who has ordered an internal investigation of that breach, says the files were thought to have been deleted last year. [AP/*USA Today* 7 Feb 2003; NewsScan Daily, 10 February 2003] http://www.usatoday.com/tech/news/2003-02-07-surplus-computer_x.htm
The new TETRA two-way radio system is being widely adopted by emergency services. Because it is pulsed more slowly than GSM (17.6 Hz rather than 217 Hz) the signal is harder to filter and causes a greater level of RFI. For comparative tests on hospital equipment, see http://www.medical-devices.gov.uk/mda/mdawebsitev2.nsf/ webvwSearchResults/37CE5B0D2F6E45C900256A99005B8734?OPEN
In the spring of 1997, David Beck of Bechtel/Parsons Brinckerhoff (the Big Dig's contracted managers) discovered that the entire 19,600-seat Fleet Center arena (whose own dig had begun in April 1993) was missing from the 1994 design drawings for what was then only a $10.8-billion project. Instead, there was an obstacle-free area through which contractors were expected to lay utility lines. Bechtel apparently failed to fix the problem before signing off on the final design drawings three years later, which (according to the headline) cost over $1 billion extra. [PGN-ed from Raphael Lewis & Sean P. Murphy, *The Boston Globe*, 9 Feb 2003, First of 3 articles.] http://www.boston.com/dailyglobe2/040/nation/Artery_errors_cost_over_1b+.shtml
Apart from all the user uproar over TurboTax's activation scheme, the program has additional security problems. TurboTax's online registration and update facility will work only if Windows' Internet security parameters are reduced to their lowest setting (when you do this Windows itself tells you this setting is NOT recommended). Access to online update is *required* because the distribution CDs are pressed before all tax forms are available and you MUST update the product in order to have the current forms for filing. My Win2K system is on an internal LAN behind a Linux firewall, and Intuit tech support initially blamed the problems on this configuration. When I connected the Win2K system directly to the cable modem and reproduced the problem, they were forced to find the correct solution. There are several RISKS here: 1) Telling people firewalls are a problem 2) Extremely poor error handling — Both registration and online update just hang forever, displaying an "in progress" dialog box. 3) Writing code that requires the user to reduce Operating System security protections in order to use it.
PRIVACY INTERNATIONAL, MEDIA RELEASE PRIVACY WATCHDOG LAUNCHES QUEST TO FIND THE WORLD'S MOST STUPID SECURITY MEASURE Global competition will identify absurd and pointless security requirements The human rights watchdog Privacy International today launched a competition to discover the world's most pointless, intrusive, annoying and self-serving security measures. The "Stupid Security" award aims to highlight the absurdities of the security industry. Privacy International's director, Simon Davies, said his group had taken the initiative because of "innumerable" security initiatives around the world that had absolutely no genuine security benefit. "The situation has become ridiculous" said Mr Davies. "Security has become the smokescreen for incompetent and robotic managers the world over. I have stood for ages in a security line at an inconsequential office building and grilled relentlessly only to be given a security pass that a high school student could have faked. And I resent being forced to take off my shoes at an airport that can't even screen its luggage" he said. Even before 9/11, a whole army of bumbling amateurs has taken it upon themselves to figure out pointless, annoying, intrusive, illusory and just plain stupid measures to "protect" our security. It has become a global menace. From the nightclub in Berlin that demands the home address of its patrons, to the phone company in Britain that won't let anyone pay more than twenty pounds a month from a bank account, the world has become infested with bumptious administrators competing to hinder or harass us. And often for no good reason whatever. Unworkable security laws and illusory security measures do nothing to help issues of real public concern. They only hinder the public and intrude unnecessary into our private lives. Until 15 Mar 2003, Privacy International is calling for nominations to name and shame the worst offenders. The competition will be judged by a panel of well-known security experts, public policy specialists, privacy advocates and journalists. The competition is open to anyone. Nominations can be sent to email@example.com Winners will be announced on 3 Apr 2003 at the 13th Computers, Freedom & Privacy conference in New York.
Because the newest cell phones are essentially mini-PCs, with full operating systems, heavy-duty processor power, and high-resolution color screens, they are becoming better suited to remote gambling. "Certainly wireless is the next generation of e-gaming that is looking to take hold," says Nancy Chan-Palmateer of CryptoLogic, a Toronto-based Internet gambling software company. The Internet gambling market is expected to bring in $5 billion this year for casinos and game operators. [Source: Chana R. Schoenberger, *Forbes*, 10 Feb 2003; PGN-ed] http://www.forbes.com/2003/02/10/cz_cs_0210gaming.html [Not surprisingly, this prompts your Moderator to note that today's all-electronic voting machines (without any voter-verified nonelectronic record of each vote) are essentially equivalent to Internet gambling on an unknown off-shore Web site. "Trust us. We're completely honest." PGN]
Republican Senator Hagel was the CEO of the company that produced the voting machines that tallied his "upset" victory in Nebraska. Go figure. http://www.thehill.com/news/012903/hagel.aspx http://www.theregister.co.uk/content/55/29247.html Steven Hauser http://www.tc.umn.edu/~hause011/ [The machines used at the time were apparently a version of the AIS DataMark mark-sense card system (now owned by ES&S) rather than all-electronic systems. PGN]
AP Online, 11 Feb 2003 Washington state regulations to protect the privacy of telephone customer account information, some of the toughest in the country, have been suspended by a federal judge. State regulations that were adopted in November  and took effect in January  required phone companies to obtain customer approval before selling calling records or using them to market anything but telecommunications services. But Verizon Communications Inc. of New York, which has about 1 million customers in Washington, sued the state, saying its Utilities and Transportation Commission overstepped its authority and infringed on the company's ability to speak to and serve customers. U.S. District Judge Barbara J. Rothstein ruled Monday that Verizon had raised "serious questions" about the constitutionality of Washington's privacy rules, and granted a preliminary injunction blocking their enforcement while the case is pending. ... http://finance.lycos.com/home/news/story.asp?story=31474529
Like many colleges, Boston College has a multipurpose magstripe ID card which is used for identification, access, purchases at dining halls and the campus bookstore, and even local restaurants. A BC student managed to reprogram his ID card with the ID numbers of other students, meaning that he could purchase meals, textbooks, etc. with his charges showing up on the bills of others. Evidently he had (among other things) broken into the student center after hours and installed sniffing software on computers there so that he could obtain the information to reprogram his own card with. A spokesman reassures us that the BC system has been "upgraded to prevent future breaches". http://digitalmass.boston.com/news/2003/02/07/bc_student.html . The RISKS of these multi-use cards have been known for some time; see for example Andre DeHon's 1995 paper at <http://www.ai.mit.edu/ people/andre/mit_card/security_assessment/security_assessment.html>. It's reasonably interesting to see those fears being realized.
Yesterday I received a letter which read, in part: "Dear Valued Client, "I am writing to inform you that on January 29, 2003, ISM Canada, a subsidiary of IBM Canada Limited that provides client statement services to Investors Group, notified us that a significant proportion of our clients' 2002 third-quarter statement data was contained on a computer hard drive that went missing from their Regina, Saskatchewan offices. Some of our information was determined to be on the missing drive. "I understand the concern this may cause for you. Investors Group wishes to assure you that there is no ability for anyone to access your Investors Group accounts with this information. "The missing data is the same information that you see on your quarterly client statement, being your name and address, your Investors Group Consultant, the details of your Investors Group Plans and Accounts ... and any beneficiary designations you may have made. The missing data *does not include any of the confidential personal information typically involved in the misuse of personal data,* such as social insurance numbers, dates of birth, or banking information. "IBM Canada and ISM Canada have expressed their regret to you and to Investors Group, and have been working with us to ensure this matter is handled quickly and properly. ISM had previously notified Investors Group of a hard drive that was missing at the Regina facility, believed to contain a small amount of securely protected Investors Group data. They indicated that they were investigating the incident. Subsequently, on January 29th, ISM Canada advised Investors Group of the full extent of the missing data and that the local authorities were treating the incident as a theft." I checked my statement, and it's true that my SSN, DOB, etc., are not there. I don't know what the author means by "banking information" since the statement includes my name, account numbers, balances and previous quarter's balances. This makes it much easier to do social engineering, e.g. "I notice that my account #12345 is down 15%, so I'd like you to wire the remaining balance to ..." The double reassurance that the data is "securely protected" and that it's also not confidential is worrisome: if it truly were secure, we wouldn't care whether it was confidential. I asked how the data was protected, and haven't heard back yet. I *was* told that police have recovered the drive, and the thief's apparent intention was to get the drive, rather than the data on it. I'm curious about how somebody steals a disk drive from a presumably running system, but I'll be pesky about one question at a time. firstname.lastname@example.org Tel: +1 650 485 2818 Fax: +1 650 485 4917 Agilent Technologies MS 24M-A, 3500 Deer Creek Road, Palo Alto CA 94303
Seventeen people allegedly involved in the theft of satellite TV signals were arrested after a year-long undercover FBI investigation, as part of the FBI's nationwide "Operation Decrypt". Six of them were accused of violating the Digital Millennium Copyright Act, marking only the second grand jury indictment under that statute. Losses for satellite broadcasters reportedly involved millions of dollars. Source: Reuters, 11 Feb 2003; PGN-ed] http://finance.lycos.com/home/news/story.asp?story=31494999
Twice in the past two weeks, online vandals broke into the Web server of former hacker Kevin Mitnick's security start-up, Defensive Thinking. [Source: Robert Lemos, Special to ZDNet News, 11 Feb 2003] http://zdnet.com.com/2100-1105-984084.html [As one correspondent noted this item, ``As the credit card commercial says, 'Priceless.' ''
My laptop shares a messy desktop with the usually assortment of papers and pencils. Yesterday I opened the CD tray, then shuffled around the desktop looking for the CD. I found it and was just about to close the drawer when I noticed that a staple had fallen into the CD tray. Delicate electronics and paper do mix, sometimes not happily.
Suppose you have an 8-digit decimal password. This means there are 100 million possible combinations. You will on average need to try on average 50 million times to find the right password by trial-and-error. Or, if you have the customary 3 tries before being forbidden access, the probability that you will get in by trial and error is 3/100 000 000. Suppose instead that you first have to pass one barrier with a 4-digit decimal password, and then pass a second barrier with a new 4-digit decimal password. You will then have to try on average 5 000 times on the first password, and then an average 5 000 time on the second password, or a total of on average 10 000 times. Or, if you have the customary 3 tries before being forbidden access in each step, you will have a probability of passing the first barrier of 3/10 000 and then a probability of passing the second barrier of 3/10 000. The probability of passing both barriers is then 9/100 000 000. In summary: The 8-digit barrier requires 5000 times more trials than the two 4-digit barriers to find the password, and the probability of success with the customary 3 allowed trials is three times higher with the two 4-digit passwords than with the single 8-digit password. I gave this example as a comment on the debate of whether one strong security measure is better than several weaker, or the reverse. Jacob Palme <email@example.com> (Stockholm University and KTH) for more info see URL: http://www.dsv.su.se/jpalme/
BKPCFRFC.RVW 20021219 "PC Fear Factor", Alan Luber, 2003, 0-7897-2825-7, U$24.99/C$38.99/UK#17.99 %A Alan Luber www.alanluber.com %C 201 W. 103rd Street, Indianapolis, IN 46290 %D 2003 %G 0-7897-2825-7 %I Macmillan Computer Publishing (MCP) %O U$24.99/C$38.99/UK#17.99 800-858-7674 firstname.lastname@example.org %O http://www.amazon.com/exec/obidos/ASIN/0789728257/robsladesinterne %P 362 p. %T "PC Fear Factor: The Ultimate PC Disaster Prevention Guide" The introduction states that the book is aimed at non-technical users, but doesn't further refine the purpose beyond saying that bad things happen to computers. We are also told that a system administrator is really a risk manager (which may come as a surprise to a number of sysadmins), and that if you read this book you will never have to worry about computer disasters again. Even after reading chapter one I am not sure what the "root of all computer disasters" is, although I suppose that there is a fair chance that he means hard drives. There is a lot of irrelevant detail about the physical operations of drives, and Luber also is obviously confused between old hard drive crashes (caused when the heads physically contacted the platter, which was spinning at high speed) and modern "crashes," generally caused by bad pointers or other data errors. In chapter two, Luber recommends, with opinions, but not much in the way of proof or backup, a bunch of software. Chapter three offers us more opinions, this time about buying a PC. Setting up a new PC is covered in chapter four. Most of chapter five prints documentation for a couple of antivirus programs and a firewall. A decent discussion of backup strategy, and more documentation of a backup program, is in chapter six. A manual for another backup program is in chapter seven. Restoring a backup comes in chapter eight. Chapter nine advises on maintenance. Some hoary old myths about risky activities (using shareware, for example) are recycled in chapter ten. In one sense, Luber is right. If you keep your data backed up, you will be able to recover from pretty much any kind of disaster. On the other hand, I have said that in one sentence, and the book is over 300 pages long. copyright Robert M. Slade, 2002 BKPCFRFC.RVW 20021219 email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKMSNTSC.RVW 20021220 "Mastering Network Security", Chris Brenton/Cameron Hunt, 2003, 0-7821-4142-0, U$49.99/C$79.95/UK#37.99 %A Chris Brenton email@example.com %A Cameron Hunt firstname.lastname@example.org %C 1151 Marina Village Parkway, Alameda, CA 94501 %D 2003 %G 0-7821-4142-0 %I Sybex Computer Books %O U$49.99/C$79.95/UK#37.99 800-227-2346 email@example.com %O http://www.amazon.com/exec/obidos/ASIN/0782141420/robsladesinterne %P 490 p. %T "Mastering Network Security, Second Edition" The introduction states that this book is aimed at systems administrators who are not security experts, but have some responsibility for ensuring the integrity of their systems. That would seem to cover most sysadmins. However, whether the material in this work is at a suitable level for most sysadmins is open to question. Now, to be fair to the authors, it seems that this second edition is a reissue, only marginally revised, of a book that was originally published seven years ago. (Under most standard contracts, publishers have the right to do this, and authors can't do much about it.) At that point, the material might have been pretty reasonable. Currently, it isn't. Chapter one discusses systems theory. While the application of the text to network and security management is reasonably obvious in hypothetical terms, it is not at all clear in regard to direct operation in the real world. (This is particularly true for those who are not security professionals.) The systems development life cycle (SDLC) is covered in chapter two and, again, while it is an important topic, the relation to security is not made manifest. The introduction to networking itself covers the OSI (Open Systems Interconnection) model, routing, and bits of TCP/IP, in chapter three. One would have thought that this would have been old news to sysadmins. The same is true of the material on transmission and network topology, in chapter four. There is some mention of security issues, but the discussion is minimal. Chapter five has a reasonable overview of firewalls, although the terminology is not always standard. Chapter six is documentation for the Cisco PIX firewall. The information about intrusion detection systems, in chapter seven, provides good material on points often neglected by other works, and adds a guide to Snort. The coverage of cryptography, in chapter eight, has a confusing structure. Most of the material on virtual private networks consists of screen shots of Microsoft's RRAS (Routing and Remote Access Server), in chapter nine. Chapter ten relies on old concepts and technologies to discuss viruses and other malware. Disaster prevention and recovery, in chapter eleven, concentrates on building redundancy and the VERITAS server based backup system. A good deal of information about Windows, most of which may have some relevance to security, is in chapter twelve. Some introductory, and some network, data about UNIX is available in chapter thirteen. Chapter fourteen describes how information can be obtained about your system in order to mount an intrusion attack. Some resources for security are mentioned in chapter fifteen. Overall, the book does provide a fair amount of information that would likely be of help to most network administrators in securing their systems and networks. However, there is also a lot of detail that is not directly relevant to the task, some erroneous content, and not a few gaps. While the original authors may have mastered their topic, the volume currently on offer does not reflect that. copyright Robert M. Slade, 2002 BKMSNTSC.RVW 20021220 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer