The U.S. Coast Guard launched a massive search and rescue effort earlier this week after picking up an emergency distress beacon signal. They finally pinpointed the cause - a turtle had become tangled in a rope tied to a discarded beacon. The original owner was located, and he said he'd lost it some time ago. http://www.cnn.com/2003/WORLD/americas/04/18/bermuda.turtle.search.ap/index.html
In an emergency, the hospital can't tell anyone except family that you're a patient. But it's free to use intimate medical details to forward marketing pitches to you from drug companies, insurers, and other "business associates". U.S. Representative Edward J. Markey, Massachusetts Democrat, has filed a bill that would require patient consent. ... [Source: Diane E. Lewis, subtitled Campaign afoot to give patients right to block release of files, *The Boston Globe*, 19 Apr 2003; PGN-ed] http://www.boston.com/dailyglobe2/109/business/ Rules_let_marketers_see_patient_data+.shtml
On a recent USAir flight, two people were both assigned to the seat in front of me. It turns out that they both had the exact same name. One was female and the other male, but their full names were spelled identically. Both were issued boarding passes for the same seat. This suggests that the algorithm the airline uses to issue boarding passes is based on the flight number and passenger name, and not based on a unique identifier such as ticket number or passenger id number. Besides being a potential security risk, I would not be surprised if it costs the airline some lost revenue. [Perhaps. But it also might be thought of as saving a little in programming complexity and maintenance? On the other hand, you would think there was a flag for "boarding pass already issued". PGN] Mark Kantrowitz PO Box 81620, Pittsburgh, PA 15217 1-412-422-6190 www.fastweb.com www.finaid.org www.edupass.org www.monster.com
A glitch on the CNN.com Web site accidentally made available draft obituaries written in advance for Dick Cheney, Ronald Reagan, Fidel Castro, Pope John Paul II and Nelson Mandela. "The design mockups were on a development site intended for internal review only," says a CNN spokeswoman. "The development site was temporarily publicly available because of human error." The pages were yanked about 20 minutes after being exposed. [CNet News.com 17 Apr 2003; NewsScan Daily, 18 Apr 2003] http://news.com.com/2100-1025-997367.html?tag=fd_top [As I recall, a similar situation happened previously, to *The New York Times*, but I cannot find the entry in RISKS. PGN]
A NASCAR fan faces up to a year in prison for flooding Fox Entertainment Group in Los Angeles with more than a half-million e-mails because he was angry the network aired a Boston Red Sox game instead of an auto race in early April and May 2001. Michael Melo of Billerica agreed to plead guilty to a federal misdemeanor charge of damage to a protected computer system, (Fearing a cyberattack, Fox shut down part of its Web site, and claims it cost them $36,000.) [Source: Mark Pratt, Associated Press, 16 Apr 2003. PGN-ed] http://www.boston.com/dailynews/106/region/ NASCAR_fan_faces_prison_time_f:.shtml
Most people who use Google routinely will have noticed that many of the "sponsored links" seem to be built from templates; this works reasonably well in most cases, but sometimes fails badly. While conducting a terrorism-related search, I was confronted with the following advert: Terrorism - Huge Range, Low Prices, Great Service - CLICK HERE! www.amazon.co.uk Free Super Saver Delivery on orders over #39 (see conditions) While in this case the only risk was one of unintended humour, it is clear that unforeseen consequences can ensue from allowing too wide a range of terms to be inserted into such a template. Imagine, for example, the possible reactions if "Terrorism" were replaced by "Child Pornography".
The small liberal-arts college where my wife teaches has an campus-wide alert system. One component of that system is the ability to make an announcement over a PA system. It is used very rarely and has dubious sound quality. In fact, previous to this week the only two times anyone can remember it being used were for a severe ice storm when the university was about to be closed; and 9/11. Yesterday, a moderately severe ice storm struck the region (we are in Western New York). There was also a recruiting event for potential new students that evening for which the publicity flyers had the wrong venue. As a consequence, high-school seniors and their parents were going from building to building looking for the event. You guessed it, they used the campus emergency PA system to make an announcement that those "All those looking for the recruiting event should gather in <name of building omitted> for directions." The dorms emptied, both because the message was poorly understood and because if it came over the campus PA, it must be critical. So a few hundred college students left their dorms and wandered out on a cold night, some in pajamas, only to find out there was no need to be out. The RISK is obvious, if it was meant for emergencies, only use it for an emergency. Kevin Stevens, Department of Computer Science, University of Buffalo, SUNY
Cyberstalking — stalking people over the Net — is increasing across the U.S., according to a new study by Wired Safety. And while women remain the most likely targets, they're getting into the act as perpetrators, too. In addition, growing numbers of children are cyberstalking children. "We didn't find much good news," said Wired Safety executive director Parry Aftab. "Identity theft is increasing. And because more people are cyber dating they become victims of cyberstalking when things don't work out." Aftab expressed concern over a recent court ruling that compelled Verizon to turn over the name of an ISP subscriber under the subpoena power of the Digital Millennium Copyright Act. "This is an outrageous and dangerous ruling. It was supposedly about music piracy, but the result of the case is that anyone can obtain personal information about any Internet user by simply filling out a one-page form and submitting it to a court clerk. There is absolutely nothing you can do to protect yourself, even if you are a police officer doing undercover work against s*xual predators. The future safety and privacy of all Americans engaged in online communications now rests with Verizon winning this case on appeal." [Asterisk inserted so that NewsScan Daily doesn't get caught in the software filters meant to ward off pornography.] [Internet News 18 Apr 2003; NewsScan Daily, 18 Apr 2003] http://dc.internet.com/news/article.php/2193131
Arab-American activist Nawar Shora checked his e-mail one day and found scores of angry messages asking why he hated Americans and Jews. The messages were responding to e-mail messages with his spoofed From: address. However, he had never sent the hate mail; the From: address had been forged [which is easy to do]. [Source: New online harassment involves provocative messages sent under guise of activists, Anick Jesdanun, Associated Press, 18 Apr 2003; PGN-ed] http://www.boston.com/dailynews/108/economy/ New_online_harassment_involves:.shtml
The technique of Bcc'ing all the recipients is often used to send e-mail messages where the nature of the subject matter is controversial with the intent of not disclosing who is interested in the message. However qmail discloses some or the recipients by listing the first of the bcc'd recipients in a Received by header. What seems to happen is that the MTA adds a header like this: Received: from 18.104.22.168 (HELO some.domain) ([22.214.171.124]) by some-other.domain (qmail-ldap-1.03) with SMTP for <firstname.lastname@example.org>; This happens even when there are no To: or Cc: recipients listed. A trivial search of my mail archive finds many cases where a "for" clause in a received header was neither my address or the address of any of the publicly listed recipients. So far I've only found this behavior in qmail-ldap and it's not clear if the problem exists beyond the first hop in the delivery chain or in other MTA's. (My tests on postfix suggest it's not a problem.)
Consumer electronics giant Sony Corporation said on 18 Apr 2003 that it would recall 20,000 Vaio desktop personal computers sold in Japan between Sep 2002 and Jan 2003, to replace defective power supply parts. This is in addition to 20,000 Vaio PCs recalled in the United States and Canada in Dec 2003 due to a similar problem, a Sony spokesman said. [Source: Reuters, 18 Apr 2003; PGN-ed] http://finance.lycos.com/home/news/story.asp?story=33881151
Last week my elder daughter had her 7th birthday. The party was held at a local Macdonalds. (NOT my choice.) One of the things they provided was a cake. On the box, there was a use-by date. It was a day in July 1903. Makes me wonder how many Y2K bugs are still lurking in dark corners. [This one really takes the cake! PGN]
> SSN's are hopelessly easy to obtain Well, there is a good opportunity to turn a bug into a feature: The U.S. social security administration could simply make their entire database of social security numbers and associated names and dates of birth openly available to the general public for download, and of course publicise this step prominently. As a result, the SSN would instantly lose any usefulness whatsoever as an authenticator and become even more harmless and fear-free than telephone numbers or ZIP+4 codes. Problem solved. [I can literally hear a few thousand US RISKS readers breathing in sharply at this idea as they feel cold shivers running down their back, so deeply is the cultural fear of anyone else knowing a few digits associated with you engraved in a nation's collective psyche ... ;-] Such a step would of course require [listed in order of increasing difficulty] (a) some warning time for organizations who currently use the SSN as part of an authentication procedure to give them time to adjust their practices, (b) the introduction of a proper authentication mechanism as an alternative, (c) a population that can mentally make that step and overcome deeply embedded phobias about the entire idea of other people being able to look up *YOUR* number, no matter how little (ab)usefulness knowledge of that number has in practice > It is tempting to propose something prescriptive, specifying how > organizations should authenticate people. ... Many countries have done that long ago. They run reasonably carefully administered population registers and residents are entitled to get a tamper-resistant copy of their entry of that register, to show it to other people whenever establishing identity is desired in a transaction. These tamper-resistant copies are usually "called ID" cards, or, where the form factor is a somewhat larger booklet with sufficient space for travel visas, they are called "passports". In those few (typically anglophone) countries where the term "ID card" causes shivers running down the back of too many scared people for cultural reasons, the same thing is now called "entitlement card" or "driver's licence". Passports and ID cards are widely considered the only accepted serious form of authentication in continental Europe. At first sight, they seem to be only useful for card-holder present transactions, e.g., were you physically walk into a bank, school, administration, etc. However, that does not mean that they are useless for using online services from home. It is not too difficult to build remotely usable proper authentication mechanisms on top of ID cards. For example, on top of a well-run ID card infrastructure, it becomes immediately feasible for the national postal service to offer authenticated personal delivery. For a small additional fee, a package or letter sent to you will only be handed over to you if you show up personally in the nearest post office and authenticate yourself with your ID card, which contains all the information that allows the postal office clerk to verify that your biometrics belong to the person named as the recipient of the letter. Once you have authenticated postal delivery, companies can easily send all sorts of authentication tools to you, such as lists of transaction numbers, floppy disks or chips with certified crypto keys, etc. Banks and delivery services might find it an attractive business opportunity to offer similar authenticated delivery services. By using two independent routes to deliver electronic authenticators to you (two shares of a secret key arrive via postal authenticated delivery and via pickup from your local bank branch), abuse of the system by malicious employees in the delivery chain can be made unattractive enough for potential fraudsters to look elsewhere for work. Governments setting up the underlying ID infrastructure remains a prerequisite for all these more convenient and safer forms of authentication to become available. Markus Kuhn, University of Cambridge, GB http://www.cl.cam.ac.uk/~mgk25/
The interference caused by the Millennium trains may simply be trashing the signal completely, possibly across a wide range of frequencies. In which case, as noted, the fail-safe for all listening devices would surely be "go to red". Indeed, if it were an analogue system, you'd expect the quote to be "turning lights red, green or orange for all following and leading trains" :-) (BTW, I suspect the original quote meant "interfering *on* the frequency of the ... signalling system", rather than *with* the frequency. :-)
In Risks 22.69, Gervase Markham described a ATM-like deposit machine booting Windows NT and allowing a little control with the provided keypad and buttons before displaying a "not in use" message. He summarised [various risks,] but I don't think these really capture the nature of the problem. Essentially, the interface presented to the end-user is wider than intended, exposing implementation details and associated risks. When engineering systems a key method of improving reliability and security is to reduce complexity. Providing the software with a normal keyboard interface for the keypad makes a lot of sense for reduced complexity. Similarly, keeping some of the debugging tools around is often helpful for diagnosing faults. As such, it would be better if the system restricted the built-in keys and display to the actual application, and have internal connections for attaching a second keyboard and display which act as normal for use when debugging. However, this does require that the operating system support using multiple keyboards and displays separately.
I'm reminded of the way that many people writing about the Titanic disaster tend to assert that about 1,520 *passengers* were killed. Actually it was 820 passengers and 700 crew, out of 1320 and 900 respectively, all this in round numbers. Note that the crew death rate was significantly higher.
Im my fratricide note in RISKS-22.68, I gave figures from FM 100-14 via Chris Johnson that the fratricide figure for Desert Storm/Shield was 1% according to FM 100-14. Well, FM 100-14 in fact says 5% for Desert Storm/Shield fratricide (I found an on-line copy). All the other figures in the table in my note are correctly transcribed from FM 100-14. [Annotated correction is being made in the official archives. PGN] In my new note, I give on-line source for FM 100-14, and also quote a UK National Audit Office report that says that US research has shown that historically the figure lies around 10-15%, not the 1-5% that FM 100-14 says. Peter B. Ladkin, Professor of Computer Networks and Distributed Systems, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
For those of us who ride bicycles, we've been dealing with this problem ever since the technology was introduced. Sometimes lying your bicycle on the ground over the sensor is enough to trigger it. Other options are to look for a button meant for use by pedestrians, to wait for a motor vehicle to show up and trigger the sensor, and finally, the most popular option in my observation, merge with traffic as best one can regardless of the state of the traffic signal. I'm told most of these devices can be tuned to sense bicycles, but traffic engineers in the U.S. are notorious for taking the "windshield view" - that is, they see everything on the road from the perspective of a driver in a motor vehicle. It's a classic case of building a system for 99% of the users and making life miserable for the other 1%. > You have no choice but to attempt to join a potentially busy road by going > through a red light or ride on the pavement to a safe spot to rejoin > traffic. To clarify for our American readers, I believe what Ryan calls "riding on the pavement" would be "driving on the sidewalk" in Americanese, or "operating a motor vehicle on the pedestrian right-of-way" in bureaucratese.
It appears that OnlineNIC, a discount bulk domain registrar that caters to domain squatters, has been attacked and their Web servers are unavailable. We had to deal with them about a year ago to transfer a domain name away from a squatter in Korea and found their customer support extremely lacking. On top of that, even after successfully transferring the domain name away from them, they seem to think that we're still a customer so we keep receiving promotional and maintenance e-mail from them. I received the following maintenance e-mail from them this morning informing me that their servers are under attack. It is unclear whether the attack is simply a denial of service attack or if their Web servers were actually compromised. Regardless, the request that OnlineNIC has made in the following e-mail is absolutely outrageous. After informing me that their Web servers are under attack (I didn't trust them before and I sure don't trust them now that I know they may have been compromised), they want me to change my proxies to one of theirs. To quote many RISKS posters that came before me, the RISKS here are obvious. If this request is legitimate due to a denial of service attack then I would assume that they are filtering out all traffic to their Web servers and only allowing traffic to their Web server from their proxies. In theory, I'm sure this idea made sense to someone somewhere in the OnlineNIC chain of command. Regardless, setting my proxy to one of theirs would send all my Web traffic through it...not just traffic to OnlineNIC. I really don't think I trust OnlineNIC with logs and caching of every Web site I visit. Since I'm a paranoid freak, I'm assuming that OnlineNIC's Web servers were completely compromised (my theory, no way to confirm), their customer base was leaked, the attacker sent this e-mail to all customers and the below proxies are hostile and designed specifically to log all Web traffic for OnlineNIC's customers. I only come to this conclusion because the headers of this e-mail are very sparse and seem forged (Received from: YOURNAME localhost.localdomain), there are typos in the e-mail and the e-mail asks me for my username/password. Oh well...even if the request was legitimate, how many naive users who actually switch their proxies are going to remember to switch them back after OnlineNIC comes back online? If the proxies are no longer required, how long with OnlineNIC keep those proxies online for the "convenience" of their customers? And, are these proxies wide open for anyone to use for semi-anonymous surfing? If the request is legitimate, OnlineNIC is opening themselves up to abuse by making these proxies available. /Sean/ Begin forwarded message: > From: "email@example.com"<firstname.lastname@example.org> > Date: Mon Mar 31, 2003 5:42:49 AM US/Eastern > To: email@example.com > Subject: About the problem of Onlinenic > > Dear Customer, > > We are sorry to inform you that our WEB server has been attacked by > somebody. Our technicicans are taking great effort in getting it > solved now. Please rest assured that the problem will be solved soon. > > To visit Onlinenic, would you please try it at > https://www.onlinenic.com, if it still fails, please try to use the > proxy server: 126.96.36.199:80 in the following way: > > Go to 'Tools' in IE, choose 'Internet' , it will lead you to an > interface, then choose 'Connect', click 'LAN setup', then you may set > up the proxy 188.8.131.52 with the port 80. > > If this proxy server doesn't work, you may try the following ones: > > 184.108.40.206:80 > 220.127.116.11:80 > 18.104.22.168:80 > 22.214.171.124:80 > 126.96.36.199:80 > 188.8.131.52:80 > 184.108.40.206:80 > 220.127.116.11:80 > 18.104.22.168:80 > > > Plus, Some of the e-mail sent to firstname.lastname@example.org may have lost. > If you haven't got any reply from us, please write to > email@example.com. Please rest assured that we will never ingore > any e-mail reaching us. > > If you have domains which are supposed to be registered urgently, > please kindly offer us your id, password and the detailed whois > information of your domains, we will try to help you register them > here. > > Please rest assured that you may feel free to change your account > password after the domains have been registered successfully here for > you. > > Your kind understanding and cooperation will be highly appreciated. > > Should you have further questions, please feel free to contact us. > > Sincerely, > > OnlineNIC Customer Care > > E-mail: firstname.lastname@example.org > https://www.OnlineNIC.com
Call for Papers Workshop on Wireless Security (WiSe) in conjunction with ACM MobiCom 2003 Sponsored by SIGMOBILE 19 Sep 2003, San Diego, CA http://www.ece.cmu.edu/~adrian/wise2003 [PGN-excerpted for RISKS. See full call for papers:] http://www.ece.cmu.edu/~adrian/wise2003/cfp.txt The workshop on Wireless Security will be held in conjunction with ACM MobiCom 2003. The objective of this workshop is to bring together researchers from research communities in wireless networking, security, applied cryptography, and dependability; with the goal of fostering interaction. With the proliferation of wireless networks, issues related to secure and dependable operation of such networks are gaining importance. Topics of interest include, but are not limited to: * Key management in wireless/mobile environments * Trust establishment * Intrusion detection, detection of malicious behaviour * Revocation of malicious parties * Secure PHY/MAC/routing protocols * Secure location determination * Denial of service * User privacy * Anonymity, prevention of traffic analysis * Dependable wireless networking * Monitoring and surveillance Instructions for electronic submission of papers will be posted at http://www.ece.cmu.edu/~adrian/wise2003/submission.html Paper submissions due: May 27, 2003 Workshop Co-Chairs: * Douglas Maughan, DARPA (email@example.com) * Adrian Perrig, Carnegie Mellon University (firstname.lastname@example.org)
Please report problems with the web pages to the maintainer