http://www.azstarnet.com/star/Tue/30520SIERRAVISTACHARGES.html A grainy picture from an ATM surveillance camera aired by TV's "America's Most Wanted" connected three Sierra Vista residents to a June 2002 strangulation murder of a woman in Maryland. The mom, daughter and friend, authorities had said, were believed to have been trying to use the murder victim's bank card. The problem with that link, investigators now concede, is that the time recorded by the camera was three minutes off the time recorded by the ATM. The risks should be obvious; critical logs should be reliably synchronized either to each other or an independent source. [For non-ATM users, here ATM means Automated Teller Machine, although this bank transaction seems to have created a new form of Asynchronous Transfer Mode. Perhaps another use of the acronym might be Awfully Terrible Monitoring. PGN]
The Justice Department has charged more than 130 people with perpetrating a variety of Internet scams, as well as identity theft and failure to deliver goods purchased online. The crackdown, dubbed Operation E-Con, involved more than 90 investigations involving 89,000 victims whose losses totaled at least $176 million. In one case, the suspects used a Web site to sell more than $2 million worth of pharmaceutical drugs without any prescriptions or physician involvement with the purchasers. In another scam, about 400 men lost about $3,000 each when they sent money off in the hope of winning the hand a Russian bride. Other scams promoted fraudulent investment opportunities, Ponzi-type pyramid schemes and the illegal sale of copyright-protected software, games and movies. Officials say they've managed to recover about $17 million from alleged perpetrators. [AP/Siliconvalley.com, 16 May 2003; NewsScan Daily, 16 May 2003] http://www.siliconvalley.com/mld/siliconvalley/news/editorial/5876738.htm
Intel Corp. said that a flaw in some of its Itanium 2 microprocessors could cause systems running the high-end chip to shut down or crash under certain conditions. [Source: Matthew Fordahl, AP, 12 May 2003] http://finance.lycos.com/home/news/story.asp?story=34164664
Crashed Computer Traps Thai Politician, 14 May 2003 http://aardvark.co.nz/daily/2003/n051301.shtml Thailand's Finance Minister Suchart Jaovisidha had to be rescued today from inside his expensive BMW limousine after the onboard computer crashed, leaving the vehicle immobilized. Once the computer failed, neither the door locks, power windows nor air conditioning systems would function, leaving the Minister and his driver trapped inside the rapidly heating vehicle. Despite the pair's best efforts, it took a full ten minutes before they were able to summon the attention of a nearby guard who freed the two men by smashing one of the vehicle's windows with a sledgehammer. A report (http://www.bangkokpost.com/Business/13May2003_biz12.html) published in the *Bangkok Post* indicates that the vehicle was Mr Jaovisidha's own BMW 520 which was being used while his state-supplied Mercedes, was being repaired. BMW's more up-market 7-series range uses a computer system called i-drive which has Microsoft's WindowsCE at its core. http://www.microsoft.com/presspass/press/2002/Mar02/03-04BMWpr.asp Did Mr Jaovisidha narrowly miss being killed by the blue windscreen of death? Robert J. Berger - Internet Bandwidth Development, LLC. Voice: 408-882-4755 eFax: +1-408-490-2868 http://www.ibd.com IP Archives at: http://www.interesting-people.org/archives/interesting-people/ [At least 33 readers have noted this one thus far. TNX! PGN]
A new computer worm that disguises itself as an e-mail from Microsoft Corp. is spreading, computer security firms warned on Monday. The e-mail containing the worm, dubbed Palyh or Mankx, appears to come from email@example.com, but is not from the software company. When the attachment is opened, the worm copies itself to the Windows folder, scoops up e-mail addresses from the hard disk and starts sending itself out, said U.K-based Sophos. The malicious program can spread itself to other Windows machines on a local area network. [Source: Reuters, 19 May 2003] http://finance.lycos.com/home/news/story.asp?story=34253416
Microsoft and its public relations firm are now saying that what they themselves thought was a hoax (the development of the iLoo, a portable toilet complete with wireless keyboard and Internet access) actually was a real project of the company's MSN group in the UK. The original press release indicated that the iLoo would offer its users "a unique experience." An MSN product manager now says: " "We jumped the gun basically yesterday in confirming that it was a hoax and in fact it was not," said Lisa Gurry, MSN group product manager. "Definitely we're going to be taking a good look at our communication processes internally. It's definitely not how we like to do PR at Microsoft." In any event, whether really a hoax or really real, the project is now dead -- flushed, as it were. [AP/*USA Today*, 14 May 2003; NewsScan Daily, 14 May 2003] http://www.usatoday.com/tech/news/2003-05-14-iloo-hoax-retract_x.htm
Bug-ridden programs are savagely costly. Microsoft engineer Amitabh Srivastava may have just what we need--a software insecticide. A strange thing happened last spring to the Board of Directors Web page of furniture maker Herman Miller, Inc. Instead of seeing the company's quarterly numbers, staffers saw a Star of David and a sad face. The chief executive thought someone was mocking his Protestant faith. Computer security chief Dennis Peasley thought, "This has to be a hack." But it was no hack, just a software glitch in how Microsoft's PowerPoint program recognized Herman Miller's custom fonts. Amitabh Srivastava, a computer scientist deep inside Microsoft Research, is the guy Microsoft is counting on to automate and accelerate the process of purging mistakes. "The impression is that we don't write very good software," says Srivastava. "Every time my computer crashes, it is a reminder of my failure." Computer bugs have been around since malfunctions in a 1945 [Harvard] Mark II were blamed (facetiously) on a moth trapped in a relay. Nowadays the term refers to programming flaws--commands that don't accomplish the desired result because computers have a habit of following the letter rather than the spirit of the instructions handed to them. The cost to customers of these flaws is necessarily a nebulous figure, but for what it's worth a National Institute of Standards & Technology report puts it at $38 billion a year. Evaluating only the cost of intrusions by hackers, who exploit flaws in computer security, Gartner Group comes up with $5.4 billion a year. Srivastava's fix is an arsenal of tools that help code testers fumigate buggy code. He has a big fan in Microsoft Chairman Bill Gates. "Software quality is about removing or preventing defects. The sooner any defect is caught, the better--ideally, they are simply never coded," says Gates. Building clean code is getting more daunting, especially for Microsoft . The Windows operating system has 50 million lines of code (a line averages 60 characters) and grows 20% with every release. It's put together by 7,200 people, comes in 34 languages and has to support 190,000 devices--different models of digital cameras, printers, handhelds and so on. ... [Source: Lycos.com, 26 May 2003] http://finance.lycos.com/home/news/story.asp?story=34131541
Reuters reports that pilots approaching Luton airport were hearing a baby's cries instead of instructions from the controllers. It turned out that a baby monitor, in a house in the approach path, was being picked up by their radios. Replacing the monitor fixed the problem, so seemingly it was transmitting on the wrong frequency. The article says that no one was endangered because the pilots could switch to another frequency. My question: exactly how powerful a transmitter is in this baby monitor if a plane moving at hundreds of kilometers per hour would stay in its "radius of interference" long enough to have to switch frequencies? http://news.excite.com/odd/article/id/327280|oddlyenough|05-20-2003%3A%3A10%3A44|reuters.html Carl Fink http://www.jabootu.com firstname.lastname@example.org
In RISKS-19.13, Mich Kabay quoted the *EE Times* on "The Great Capacitor Scare Of 1997". People were building motherboards without enough power supply filter caps, it seems, and machines were locking up. Oh, to have problems that minor again... The Great Capacitor Scare of 2003 is going to be *much* worse. It seems, according to several news stories (linked at the end) that a materials chemist who worked for a Japanese company, Rubycon Corporation -- which manufactured electrolyte for electrolytic (! :-) capacitors -- left his employ, and ended up working for a Chinese capacitor maker, Luminous Town Electric. (These names tend to sound quaintly amusing to USAdian ears, which might not be accidental...) Apparently, in a fairly clear case of corporate espionage, the fellow's cow-orkers then "defected with the formula" (PCN says, in a confusing bit; defected to where he was?), and began to sell the electrolyte to many Taiwanese capacitor makers. Alas, there was one small problem. The formula wasn't *complete*. The capacitors, which ought to have been good (in some cases) for up to 4000 hours, were failing in half that -- or, if you believe Intel, in as little as 250 hours. The electrolyte apparently outgasses hydrogen, and pops the seals on the cap, leaking electrolyte onto the board. The missing ingredient was the one which prevented this. I'd speculate that this might not be a point-catastrophic failure... these caps might pop and leak out slowly, shorting out circuits. But it's even worse. The Inquirer may put it best: It is not currently known how many market segments may have been affected by these poor parts, which can be found in motherboards, switchmode power supplies, modems and other PC boards. The failures of the aluminum capacitors might just be the 'tip of the iceberg,' says Zogbi. "Other component failures from low-cost Asian suppliers might be forthcoming," he warns. Around 30 per cent of the world's supply of aluminum capacitors is manufactured in Taiwan, according to the Paumanok Group. Confusion over which manufacturers may have used the faulty electrolyte is sending buyers back to Japan to source their capacitors. The extent of the problem in product that has already shipped won't become clear until components start failing, which may not happen until halfway through the products' life expectancy. But even *that* may understate the problem... How many electronic products do *you* know of that use electrolytic capacitors? The RISKS are so obvious that I don't even have to say "The RISKS are obvious". [But you did anyway! PGN] *The Inquirer* coverage is at http://www.theinquirer.net/?article=6085 *Passive Component News* is at http://www.niccomp.com/taiwanlowesr.htm Check out the tenor of the editorial footnote; it's as classic as it is uncommon. TTI, who bill themselves as "The world's leading distributor of Passive, Interconnect, and Electromechanical components" have put up an entire page tracking press coverage of the issue: http://www.ttiinc.com/MarketEye/Aluminum_Cap_Issue.asp Jay R. Ashworth, The Suncoast Freenet, Tampa Bay, Florida http://baylink.pitas.com email@example.com +1 727 647 1274
The Los Altos Vault & Safe Deposit Company has been running an ad in local newspapers (here from the May 14, 2003, Los Altos Town Crier, p. 12) with the following: "It is impossible for hackers to penetrate our computer system. Reason - We have no computers. We do business the old fashioned way." Now that's a convincing assurance argument! I find it quite interesting that this is being advertised to the general public, or at least that portion living in Silicon Valley. On the other hand, the old fashioned way has its own risks, but those aren't mentioned. Again, interesting from a marketing viewpoint. Drew Dean, Computer Science Laboratory, SRI International
I recently downloaded a copy of an MSDS document for a particular chemical used frequently in water treatment. While scanning through the pages I noticed the following: "US Patent No. ................ 5E + 06" I can only assume (bad policy?) that this is related to the document being automatically generated from a database of chemical information. A quick look at the rest of the document showed no obvious errors, but in something as potentially important to health and safety as an MSDS, one would expect better proofreading by the distributor. That's not to mention any legal problems they may run into regarding disclosure of product hazards. David W. Brunberg, Engineering Supervisor - Field Process The F.B. Leopold Company, Inc.
A federal judge awarded Earthlink $16.4 million in damages and instituted a permanent injunction against a Buffalo, NY, man identified as the ringleader of a group that used Earthlink's network to send 825 million spam messages over the past year. Earthlink said Howard Carmack and his cronies used Internet accounts opened with stolen identities and credit cards to send junk e-mail. The ruling is the latest in a series of legal actions taken by ISPs against bulk spammers. Last year Earthlink won $25 million in damages in a suit against another bulk e-mailer, Kahn C. Smith of Tennessee, but it hasn't collected the award. The company also has several other lawsuits pending. Meanwhile, last December, America Online won a $6.9 million judgment against a now-defunct Illinois company that specialized in p*rnographic spam. Over the last few years, AOL has won 25 spam-related lawsuits against more than 100 companies and individuals, says a company spokesman. [AP 7 May 2003; NewsScan Daily, 8 May 2003] http://apnews.excite.com/article/20030507/D7QSJOQ80.html
This morning, I noticed that in the IEEE copyright form (which authors must sign when they publish papers with the IEEE), the signer must warrant that "publication or dissemination of the work" will not violate the DMCA. Sean W. Smith, Ph.D. firstname.lastname@example.org http://www.cs.dartmouth.edu/~sws/ Department of Computer Science, Dartmouth College, Hanover NH USA
> [Ardley: over 30 years ago ... reinvented in software...] WELL OVER 30 years ago, considering that the machine described in the "First Draft" paper on EDVAC (leaked by John von Neumann) was "tagged", in a sense. Every word of memory was meant to be designated as "Instruction" or "Data" during the program-loading process. It was not exactly the way we think of such things today. An attempt to "execute data" produced not an exception but effectively a "load immediate", while an attempt to "store to an instruction" altered only the address-part of the word. Yes, chilluns, this was before B-Boxes :-) > Memory that was tagged as data could not be executed. The result > was that no stack overflow attack was possible. This ignores the prevalence of interpreted "data", the basis of numerous email and web malware. There is still plenty of mischief that can be done without the ability to "execute the stack", and some utility in being able to convert from data to executable, vis. work by David Keppel, et al. (http://citeseer.nj.nec.com/78783.html) "They may make it illegal, but they'll never make it unpopular" (as noted in another context, in RISKS-10.27). [The Harvard Mark I went even further. There were programs in program store and there were data words in data store. And ne'er the twain could meet. PGN]
For three minutes, an AP story posted on *The New York Times* Web site about Justice Clarence Thomas referred to his predecessor as "Turgid Marshall." After checking that MS Word indeed deemed "Thurgood" a misspelling and suggested "turgid" as a replacement, I discovered that the story had been updated to use the correct name of the distinguished jurist.
A long long time ago, on a Microsoft Mail version far far obsolete by now, I forwarded a copy of my department's org chart to somebody. Unfortunately, MS.Mail decided to spell-check the message and change anything it didn't like without checking with me first. So, it not only changed any of the names it didn't recognize to words it did, including my department head's name, it also changed her Org Chart to an Orgy Chart. Fortunately, either nobody read it carefully, or they ignored it, so there weren't embarrassing explanations to be made, but my attitude did change from "Lousy unreliable mail client" to "Bill Gates Must ... ." [Verb deleted by moderator for RISKS-obvious reasons. PGN] MS.Outlook is much better than its earlier versions, though it's still fundamentally flawed in a few areas.
BK8021SC.RVW 20030404 "802.11 Security", Bruce Potter/Bob Fleck, 2003, 0-596-00290-4, U$34.95/C$54.95 %A Bruce Potter %A Bob Fleck %C 103 Morris Street, Suite A, Sebastopol, CA 95472 %D 2003 %G 0-596-00290-4 %I O'Reilly & Associates, Inc. %O U$34.95/C$54.95 800-998-9938 fax: 707-829-0104 email@example.com %O http://www.amazon.com/exec/obidos/ASIN/0596002904/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0596002904/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0596002904/robsladesin03-20 %P 176 p. %T "802.11 Security" The preface states that this book is aimed at the network engineer, and the security engineer, or the hobbyist, but it is not an introductory work. The reader will need to know Linux to the kernel configuration level, and TCP/IP networking to the ARP (Address Resolution Protocol) level. Part one addresses the basics of 802.11 security. Chapter one provides a background, and looks at issues, in wireless communications, although primarily from a communications, rather than security, perspective. There is a review of attacks and risks, in chapter two, and for once there is a comparison of wired versus wireless hazards, ranging from the common (interference from portable phones) to the sophisticated (signal strength attacks related to diversity antennae). Part two deals with station, or remote device, security. Chapter three examines attacks against machines and networks, and suggests the use of SSL (Secure Sockets Layer) and SSH (Secure SHell). Configuration recommendations for the kernel, startup, firewall, and other aspects of FreeBSD are covered in chapter four. Chapters five, six, and seven do the same for Linux, OpenBSD, and Mac OS X, respectively (with a concentration on the AirPort utilities for the Mac). Windows, in chapter eight, reviews basic workstation items only, with limited advice and direction. Part three looks at access port security, and the setup of access points under Linux, FreeBSD, and OpenBSD are all contained in chapter nine. Gateway security is the topic of part four, with chapter ten looking at gateways and firewalls, while the use of the three UNIX variants as gateways is discussed in chapters eleven, twelve, and thirteen. Authentication and encryption, mostly with IPSec, is reviewed in chapter fourteen. A rather vague closing is given in fifteen. As noted, this is not a book for beginners. Presumably readers should already know the most common dangers of wireless LANs, such as allowing default access passwords to remain active, and broadcasting the station set identifier. WEP (Wired Equivalent Privacy) is dismissed as irrelevant: since it is deeply flawed, one can assume that the concentration on technologies such as IPSec and station security is of greater use than suggesting minor improvements in the use of WEP keys and initialization vectors. However, it is a bit of a pity that the authors took this route. With the addition of possibly an extra fifty pages this could have been an excellent reference for all wireless LAN administrators. copyright Robert M. Slade, 2003 BK8021SC.RVW 20030404 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com
BKMBLVPN.RVW 20030401 "Mobile VPN", Alex Shneyderman/Alessio Casati, 2003, 0-471-21901-0, U$45.00/C$69.95/UK#33.50 %A Alex Shneyderman %A Alessio Casati %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2003 %G 0-471-21901-0 %I John Wiley & Sons, Inc. %O U$45.00/C$69.95/UK#33.50 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0471219010/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0471219010/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0471219010/robsladesin03-20 %P 330 p. %T "Mobile VPN" Part one presents wireless data fundamentals. Chapter one gives an introduction to mobile virtual private networks (MVPN), and the emphasis on cellular technology points out that the authors are familiar with the telecommunications, rather than security, field of work. The material contains a weak suggestion that MVPNs may be useful, lots of alphabet soup, and very little in the way of conceptual background. The data networking technologies in chapter two are not explained very clearly: basic ideas get bogged down with details. Cellular radio interfaces are listed in chapter three, with data services that can be provided over cellular networks in chapter four. Part two looks at MVPN and advanced wireless data services. MVPN fundamentals, in chapter five, basically reiterates the text from chapter two, with a little extra emphasis on virtual private networks. Chapter six describes various GSM (Global System for Mobile communications)/GPRS (General Packet Radio Service) and UMTS (Universal Mobile Telecommunication System) offerings. Options for CDMA2000 (Code Division Multiple Access) are listed in chapter seven. Chapter eight explains MVPN equipment components and requirements. Possible developments in mobile VPN are advanced in chapter nine. This book once again emphasizes the divide not only between the cellular and wireless LAN camps, but also between communications and security. It fails to bring all the related technologies together between two covers. At the same time, for those in the LAN or security fields who need to know about cellular service offerings, this work does not provide a consistent level of explanation and depth of background for those issues. Possible utilities are tabulated, but these could be obtained from almost any cell company sales office. copyright Robert M. Slade, 2003 BKMBLVPN.RVW 20030401 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com
Please report problems with the web pages to the maintainer