Noted deep in the White House's proposed FY2004 budget, the administration is proposing to exempt the Pentagon's controversial national missile defense system from operational testing legally required of every new weapons system in order to deploy it by 2004. The requirements are of course intended to prevent the production and fielding of weapons systems that don't work [many of which have been the subject of discussion in RISKS in the past]. Last year, the Missile Defense Agency was already given managerial autonomy and removed procurement procedures that were intended to ensure new weapons programs remain on track and within budget. [From the RISKS perspective of having observed systems that do not work properly even with extensive oversight and testing, this seems like a very unwise approach.]

[Source: Missile Defense Waiver Sought; White House wants to exempt the Pentagon's controversial weapons system from operational testing rules, a first for a major program, by Esther Schrader, *Los Angeles Times*, 24 Feb 2003; PGN-ed]
http://www.latimes.com/news/nationworld/nation/la-na-missile24feb24,1,5024689.story?coll=la%2Dhome%2Dheadlines
[Best code name since "carnivore." DPBS] US military planners hope to reduce the potential for civilian casualties in war by using a new computer program called Bugsplat. Instead of drawing concentric circles representing blast effects, Bugsplat generates blob-like images ("resembling squashed insects") that supposedly more precisely model expected damage. The hopes are that this program will help reduce collateral damage. QUOTE: "Because the program hasn't been used for actual targeting, this will be 'learn as you go.'" [Source: 'Bugsplat' program gives planners hope, By Bradley Graham, *The Washington Post*, 22 Feb 2003; PGN-ed]
A prominent French critic of Scientology has been fined 901 euros for maintaining a Web site that contained the name of a Scientologist in quotations from two published articles. The Scientologist sued, claiming his religious rights had been violated. A 1978 French law intended to protect privacy requires computer files containing names of people (even one name) to be declared with the National Commission of Computers and Liberties (CNIL). On 18 Feb 2003, Roger Gonnet became the first person disciplined under this law for his Web site, http://www.antisectes.net, which has been operating since March 1997. The judgment against Gonnet was 450 euros for violating the law, 450 euros for plaintiff's legal costs, and 1 euro for damages to plaintiff. (Plaintiff had been asking for 15,000 euros.) Gonnet says, "At least 20 million French people are guilty of the same 'crime': they have individual names in their organizers, electronic agendas, computers, laptops, CD Roms, DVD roms, hard disks, memory cards, and even in their cell-phone memories, WAPs, texts, and Web sites, as well as the employers and commercial employees or sellers have lists of their employees, clients, associates, etc." ["What's In A Name?" Oui! "What Name is In?" Non!!! PGN]
The Canadian Broadcasting Corp. reported that balloting at the 25 Jan 2003 NDP leadership convention in Toronto was disrupted by the SQL Slammer DDoS attack. The system that was being used was one provided by election.com -- one of the vendors also vying for Internet voting contracts in the USA. Apparently election.com's Earl Hurd thought it was a laughing matter when he told the CBC: "Unless he died in the last few minutes because of the evil thoughts in my brain, he or she is still out there." http://www.cbc.ca/cgi-bin/templates/print.cgi?/2003/01/25/ndp_delay030125
Bev Harris, Black Box Voting <http://www.blackboxvoting.com>, 21 Feb 2003

Dan Spillane, a voting machine test engineer, filed a lawsuit against his former employer, DRE touch-screen voting machine manufacturer VoteHere. Georgia recently approved VoteHere's machines, and the military is considering them for overseas voting. The company also does business in Sweden and England, and appears to be manufacturing, or planning to manufacture, components for other voting machine companies.

Spillane alleges in his lawsuit that he reported over 250 errors in the system, including critical errors of "severity 1", which include errors that may prevent the machines from correctly registering the votes. He sought meetings with company officials to express concerns about system integrity flaws, and created logs and reports of such flaws. His complaint indicates that VoteHere did not address the flaws, and that the VoteHere system was certified by independent testing labs despite known flaws. Just when the testing lab began its examination of system integrity, VoteHere fired Spillane.

VoteHere's board of directors includes former CIA director Robert Gates. VoteHere's Chairman is Admiral Bill Owens, who was senior military assistant to Secretaries of Defense Frank Carlucci and Dick Cheney. Carlucci, of course, now heads the Carlyle Group and Cheney is Vice President.

I will retrieve a copy of the lawsuit early next week, case # 03-2-18779-85SEA, filed in King County, Washington. If possible we will post it later in the week.

Bev Harris
I just received the following:

  From: firstname.lastname@example.org (Former NetGaming Programmer)
  Subject: Please help me

  Hello dear friend,
  I'm the developer who made the software for the NetGaming Casino. But since they still did not paid me for last six month of work I decided to reveal the backdoor in that casino I made for myself. This backdoor allow easily win the roulette.
  So: What do you need to win? Read below:
  1. Go to the following secret link:
     http://www.[deleted]/?affiliate_id=230083&campaign_id=20016
  2. Open an account (click "Join Now").
  3. Play roulette until "13" turn out. That's it! The next turn will be "27"!
  I'll be happy if you ruin them by winning lots of money.

Either it's legitimate, in which case the Web site is totally screwed, or (far more likely) it's the most recent devious way to attract unsuspecting suckers.
Nigeria's consul in the Czech Republic, Michael Lekara Wayid, was shot and killed by a Czech citizen at the Nigerian Embassy in Prague on 19 Feb 2003. The suspect had been victimized by a now-classical Nigerian scam, which resulted in the contents of his bank account vanishing. [Source: Michelle Delio, Wired News; PGN-ed] http://www.wired.com/news/culture/0,1284,57760,00.html?tw=wn_ascii [This type of scam still seems to sucker in enough people to make it worth the effort to keep the e-mail solicitations flowing. In the past week alone, SpamAssassin has picked out 150 Nigerian scam spams in my mailbox, out of 2400 redirected spams; in the past two weeks, it has trapped over 300 such scam spams addressed to RISKS, out of almost 1500 spams in all. So it is definitely a booming industry. PGN]
FYI — 'Causative Maintenance' ? Vodafone Spain's network virtually collapsed for almost 7 hours on 21 Feb 2003, following what was thought to be basic maintenance work. The company has 8.7 million customers. No substantial explanation has been given.
A friend of mine who is a postgraduate student at the University of New South Wales recently logged on to the university Web site to check the fees due for Semester 1, 2003. He was rather surprised to be told that his debt was slightly in excess of three million Australian dollars - by a strange coincidence, the sum owed was exactly equal to his student number. Perhaps a little range-checking is in order?
Patients who need transplants are entered into the national transplant waiting list maintained by United Network for Organ Sharing (UNOS, Richmond VA) through a federal contract. The list includes many items including blood type, height and weight, how sick they are, and the hospital where they are waiting. Nationally, more than 80,000 people are waiting for hearts, lungs, kidneys, livers and pancreases. When donor organs become available, information about blood type, size and location of the donor are entered into the computer generating a "match run" -- a list of all patients who are a medical match for that donor. They are listed in order of priority, determined by a complex calculation including components of illness and how near they are to the donor. A completed match run can range from tens of thousands to fewer than 10. Some organs are placed on the first call; others take hours.

According to news reports, in Jesica's case, Duke officials say transplant coordinators called to offer the heart to two of their patients. The heart was the wrong size for one, and the other was not medically ready for a transplant. Jesica's doctor then asked about giving the heart and lungs to Jesica. Although she was not listed on the match run, the transplant coordinator said OK. Neither the coordinator nor the doctor realized that she was not the right blood type - the reason she was not on the computer's list of possible patients.

The UNOS systems didn't make the mistake. Humans intervened and ultimately caused the mistake. It's sad that Jesica died as a result. But we will never know who else died because they didn't get the organs they should have in the first place.

[Dan Graifer noted that lengthy articles appeared in *The Washington Post*. PGN]
http://www.washingtonpost.com/wp-dyn/articles/A56656-2003Feb24.html
http://www.washingtonpost.com/wp-dyn/articles/A2700-2003Feb25.html
[Although the original item was only marginally computer-related, we include this item to correct the archival record. PGN]

Some corrections and clarifications:

* It was four teenagers in the rowboat, not two.
* The phone call from the distressed teenagers lasted about 12 seconds -- the 911 operator only heard that they were in a boat on Long Island Sound and were taking in water before the call was cut off.
* The correct thing for the 911 operator to have done was to have assigned the call to the police harbor unit. The operator did not know this information, so he or she went to the supervisor for guidance.
* All supervisors had previously received a notice clarifying what to do with marine distress calls -- but this supervisor apparently had forgotten about that and also didn't know what to do with the call.
* The supervisor is getting departmental charges, and could be demoted or dismissed. The operator received a "letter of instruction" but was not otherwise disciplined.
* The cops claim that even if the harbor unit had been notified in time, with the scant amount of information available it was unlikely they would have found the boys in time.

More details at:
http://www.nynewsday.com/news/local/wire/ny-bc-ny--missingteens0218feb18.story
And no doubt in other NYC-area daily newspapers.

Despite what the cops say, things might have been different if they had properly logged the call - for example, the calling number for the cell phone should have been recorded, and had the police looked for the owner of the cell phone they might have been able to find one of the boys' parents and gotten a better idea of what was going on. However, given that the call was received on a frigid January evening, there probably wasn't much else that could be done until the next morning.
BKBSWNW8.RVW   20030208

"Building Secure Wireless Networks with 802.11", Jahanzeb Khan/Anis Khwaja, 2003, 0-471-23715-9, U$40.00/C$62.95/UK#29.95
%A   Jahanzeb Khan
%A   Anis Khwaja
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-23715-9
%I   John Wiley & Sons, Inc.
%O   U$40.00/C$62.95/UK#29.95 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0471237159/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0471237159/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471237159/robsladesin03-20
%P   330 p.
%T   "Building Secure Wireless Networks with 802.11"

As with any hot topic, there are lots of people willing (eager!) to tell you about the security of wireless local area networks, without first making sure that they really know the subject.

Part one is an introduction to wireless LANs. Chapter one is a history of networks, an outline of topologies (concentrating on cabling, interestingly enough), and a review of the TCP/IP (actually OSI [Open Systems Interconnection]) protocol stack. The last page gives too little information for an exercise in setting up a home LAN. Terms in regard to wireless technology are listed in chapter two, but the material is verbose without being informative. The explanations given for spectrum multiplexing are unclear, and seem to be delivered by rote without any understanding. The discussion does not build on that from chapter one to, for example, point out that ad hoc wireless networks are similar to bus topologies, while infrastructure networks are more akin to stars. The various IEEE (Institute of Electrical and Electronics Engineers) 802.11 standards are listed in chapter three. However, there is a great deal of material repeated from prior text (the discussion of spectrum is reprised almost word for word), and, other than some frequency and maximum bandwidth information, there is little additional detail.

(Repetition and duplication are rife throughout the book, as well as a good deal of space wasted with pointless figures and graphics. On page 125 we are told that "The 40-bit shared key is concatenated with a 24-bit long initialization vector" and referred to figure 6.1. Figure 6.1 tells us "Concatenated-Key = Shared-Key + IV." Not very helpful.)

Chapter four is supposed to help you decide whether a wireless LAN is right for you, but only has some vague opining, a little content on wireless ISPs (Internet Service Providers: hardly suitable for LAN discussions), and almost no analysis or details.

Part two purports to emphasize secure wireless LANs. Chapter five has random topics regarding network security. Most of it is irrelevant to the specific needs of wireless situations or is not discussed in terms of the particular needs of wireless networks. (Physically securing the components of a wireless LAN has some importance in overall security, but may be pointless if someone driving by can take over the network). Securing the IEEE 802.11 wireless LAN is not reviewed well in chapter six. There is more duplication of content, few details about WEP (Wired Equivalent Privacy), and some clear evidence of misunderstanding of the base technologies. (If you are going to talk about 40 bit keys at the low level, higher level security should be 104, rather than 128, bit. And a 128 bit key is *not* equivalent to 64 characters, in anybody's representation.) When security aspects are discussed, often they relate to issues that are beyond the control of the user, such as moderation of signal strength.

Part three collects topics related to the building of secure wireless LANs. Chapter seven is a simplistic overview of generic LAN planning. Shopping for the right equipment is important, but the list of product specifications in chapter eight fails to address vital areas, such as driver availability, default key length, and the existence of default accounts. More space is devoted to where you can buy equipment than how to evaluate it. The installation instructions, in chapter nine, pretty much ignore security considerations. Chapter ten supposedly deals with advanced wireless LANs, including security, but has little new material aside from screenshots of Microsoft Windows utilities with some relationship to VPNs (Virtual Private Networks).

Part four covers troubleshooting and maintenance. Chapter eleven touches on a number of possible wireless connectivity problems. A collection of text repeated from prior chapters is in chapter twelve.

There is a glossary included with the book. It is quite limited, and, in particular, does not deal well with acronyms. In fact, the book is full of TLAs (Three Letter Acronyms) and other abbreviations that get used before they are defined, and do not appear in either the glossary or the index. This can be quite aggravating, particularly in cases where the acronyms aren't standard. (The authors use "PHY" to refer to the physical layer of the OSI model, which is not commonly so represented in either communications or security literature.)

The text of the book is excessively padded with useless verbiage and irrelevant material. The actual content pertinent to the security of wireless LANs is barely enough to fill a decent magazine article. Overall, the book is poorly structured, limited in detail, and bloated with meaningless or repetitious content.

copyright, Robert M. Slade, 2003   BKBSWNW8.RVW   20030208
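The WEP key arithmetic that the review faults the book for getting wrong (40-bit secret + 24-bit IV = "64-bit", 104 + 24 = "128-bit", and hex digits versus ASCII characters) is small enough to show in working code. The block below is an added example written for this digest; it is not code from the book under review or from the reviewer. It builds the per-frame RC4 seed as IV || shared key, exactly the "Concatenated-Key" the quoted figure names, and then goes one step past the review's point to show why that construction matters: two frames sent under the same IV and the same shared key get the same keystream, so XORing the two ciphertexts yields the XOR of the two plaintexts without any key. Function names, the sample keys, IV and frame bodies are all constructed for the example; the real WEP CRC-32 ICV and the cleartext IV/key-index header are deliberately omitted.

```python
# Added example: WEP per-frame key construction and the key-size arithmetic
# discussed in the review. Not from the book or the reviewer. Standard
# library only; all keys, IVs and frame bodies below are constructed.

IV_BYTES = 3                                 # 24-bit IV, sent in the clear
KEY_NAMES = {5: "WEP-40 (sold as 64-bit)",   # 40-bit secret + 24-bit IV
             13: "WEP-104 (sold as 128-bit)"}  # 104-bit secret + 24-bit IV


def rc4_keystream(seed: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream for `seed` (KSA followed by PRGA)."""
    if not seed:
        raise ValueError("empty seed")
    S = list(range(256))
    j = 0
    for i in range(256):                     # key-scheduling algorithm
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                       # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_seed(iv: bytes, shared_key: bytes) -> bytes:
    """IV || shared key: the 'Concatenated-Key = Shared-Key + IV' of figure 6.1."""
    if len(iv) != IV_BYTES:
        raise ValueError("WEP IV must be 24 bits (3 bytes)")
    if len(shared_key) not in KEY_NAMES:
        raise ValueError("WEP shared key must be 40 or 104 bits (5 or 13 bytes)")
    return iv + shared_key


def key_sizes(shared_key: bytes) -> dict:
    """Marketed vs. real sizes, plus how many characters the *secret* part is
    when typed as hex (2 digits per byte) or as ASCII (1 char per byte)."""
    secret_bits = len(shared_key) * 8
    return {
        "name": KEY_NAMES[len(shared_key)],
        "secret_bits": secret_bits,
        "seed_bits": secret_bits + IV_BYTES * 8,
        "hex_chars": secret_bits // 4,
        "ascii_chars": secret_bits // 8,
    }


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt_body(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """Ciphertext body of a WEP frame: plaintext XOR RC4(IV || key).
    Real WEP appends a CRC-32 ICV before encrypting; omitted here."""
    return xor_bytes(plaintext,
                     rc4_keystream(wep_seed(iv, shared_key), len(plaintext)))


def iv_reuse_leak(iv: bytes, shared_key: bytes, p1: bytes, p2: bytes):
    """Why the concatenation matters: two frames under one IV and one key share
    a keystream, so c1 XOR c2 == p1 XOR p2 with no key needed by the observer.
    Returns (leaked_xor, matches_plaintext_xor)."""
    c1 = wep_encrypt_body(iv, shared_key, p1)
    c2 = wep_encrypt_body(iv, shared_key, p2)
    n = min(len(p1), len(p2))
    leaked = xor_bytes(c1[:n], c2[:n])
    return leaked, leaked == xor_bytes(p1[:n], p2[:n])


if __name__ == "__main__":
    key40 = bytes.fromhex("0123456789")      # constructed 40-bit secret
    key104 = b"thirteenchars"                # constructed 104-bit secret
    print(key_sizes(key40))
    print(key_sizes(key104))
    iv = bytes.fromhex("a1b2c3")             # constructed IV
    leaked, same = iv_reuse_leak(iv, key104, b"GET /index.html", b"GET /login.html")
    print(same, leaked.hex())
```

Run stand-alone it prints the two size tables (a 104-bit secret is 26 hex digits or 13 ASCII characters, never 64 of anything) and confirms that the XOR of two same-IV ciphertexts equals the XOR of the plaintexts. With only 2^24 IVs and a shared key that never changes, a busy access point repeats IVs within hours, which is the design consequence a chapter on WEP should be explaining.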