Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
*The Washington Post Magazine* Cover Story: Identity Crisis, by Robert O'Harrow Jr. http://www.washingtonpost.com/wp-dyn/articles/A25358-2003Aug6.html Caption on pair of photos: LEFT: Meet Michael Berry: political activist, cancer survivor, creditor's dream. RIGHT: Meet Michael Berry: scam artist, killer, the real Michael Berry's worst nightmare ... [This is an extraordinary article. MUST READING for all of us victims-in-waiting. PLEASE dig it out while it is still on-line. PGN]
In the U.K., a man has been acquitted in Exeter Crown Court after successfully arguing that child pornography found on his personal computer had been placed there without his knowledge by network vandals who had used a "Trojan horse" program to infect his machine. The case creates two worries: one, that actual child pornographers now have a new alibi that would be difficult to disprove; two, that innocent Web surfers might find themselves charged with possessing illegal material planted on their computers by malicious invaders. Former U.S. federal computer crime prosecutor Mark Rasch says, "The scary thing is not that the defense might work. The scary thing is that the defense might be right. The nightmare scenario is somebody might go to jail for something he didn't do because he was set up." [*The New York Times*, 11 Aug 2003; NewsScan Daily, 11 Aug 2003] http://partners.nytimes.com/2003/08/11/technology/11PORN.html
The Dutch Central Bureau of Statistics (CBS) published an incorrect price index due to "an error in a computer program", according to the newspaper Trouw (7 August). The published index was too high by "a few tenths of a percent". No further explanation is given as to the nature of the error, why it was not discovered before publication, or how it was discovered later. This may have an impact on salary adjustments as well as pensions and various social benefits that are linked to the inflation rate. This is yet another example of how dependent we have become on "the computer says so, so it must be right". A few tenths of a percent on a country-wide basis, even in a small country, adds up to a lot of money.
A Nova Scotia [Canada] government employee has been fired for deleting her own speeding ticket from a computer database. ... The unidentified woman will not face criminal charges. Now the kicker is she was found by an audit conducted after another employee had also altered entries in the database of driver's records. Why can people delete records from such a database? Shouldn't it operate like the accountant's double-entry ledger? Where mistakes are not deleted, but a correction entry is appended. http://novascotia.cbc.ca/regional/servlet/View?filename=ns_firedwork20030806 M Taylor http://www.mctaylor.com/
Key backers of the Uniform Computer Information Transactions Act (UCITA) have bowed to pressure from opposition groups and will stop lobbying for the bill's passage. The bill was intended to protect software developers from intellectual property theft by bringing into conformity conflicting software licensing laws in various states, but critics, including the American Bar Association and the American Library Association, said the legislation would grant software makers too much power over their products at the expense of consumers. So far, UCITA has been enacted in only two states, Maryland and Virginia, and now that the effort has lost the support of the National Conference of Commissioners on Uniform State Laws (NCCUSL), UCITA is unlikely to gain further consideration from other states, says an NCCUSL spokeswoman. Opponents of the bill commended NCCUSL for its decision: "It is heartening to see NCCUSL backing away from a very flawed statute, but it will never be able to write sound law for the information economy until it takes to heart the criticisms of the user sector," said Jean Braucher, a law professor at the University of Arizona and a member of AFFECT — Americans For Fair Electronic Commerce Transactions. [CNet News.com 7 Aug 2003; NewsScan Daily, 8 August 2003] http://news.com.com/2100-1028_3-5061061.html?tag=fd_top
A federal judge in Boston has rejected subpoenas filed by the Recording Industry Association of America last month as part of its nationwide crackdown on digital music file-sharing. The subpoenas targeted students at Boston College and the Massachusetts Institute of Technology who used various screen names to share songs online. In his ruling, Judge Joseph L. Tauro said that under federal rules, subpoenas issued in Washington cannot be served in Massachusetts. The RIAA called the ruling "a minor procedural issue" but declined to say whether it would refile in Boston. pAP 8 Aug 2003; NewsScan Daily, 11 Aug 2003] http://apnews.excite.com/article/20030809/D7SQ5LC80.html
Many companies with names you know are benefiting Bob Sullivan, MSNBC, 8 Aug 2003 There wouldn't be spam if there wasn't money in spam. So to understand what primes the spam economy, MSNBC.com answered a single unsolicited commercial e-mail. Following this one spam trail led us from Alabama to Argentina, from a tiny Birmingham-based firm and someone named "Erp" past a notorious spammer named Super-Zonda - and right through big-name companies like Ameriquest, Quicken, and LoanWeb. And that's just the beginning. The truth about spam is this: While the dirty work is done by secretive, faceless computer jockeys who are constantly evading authorities, lots of companies with names you know profit, at least tangentially, from their efforts. ... http://www.msnbc.com/news/940490.asp
By Caryn Rousseau, Associated Press, 7 Aug 2003 A computer hacker gained access to private files at Acxiom Corp., one of the world's largest consumer database companies, and was able to download sensitive information about some customers of the company's clients, the company said Thursday. "The data on the servers was a wide variety of information, some of which was personal, some of which was not," Jennifer Barrett, the company's chief privacy officer, said in an interview with The Associated Press on Thursday. The AP was notified of the intrusion by an anonymous caller who would not identify himself or his connection with the company. Barrett said the company did not know about the breach until a law enforcement agency from Ohio contacted it last week. Barrett said both the hacker and the stolen information are in police custody. She said about 10 percent of the company's customers were affected and that, "it would include some of our larger customers." ... http://finance.lycos.com/home/news/story.asp?story=35190673
"... The breach involved one external FTP server outside Acxiom's firewall that is used to transfer files back and forth between Acxiom and its clients. The company said no internal databases were accessed and no breach penetrated its firewall. Additionally, the firm said only a small percentage of its clients' data was involved in the incident. Acxiom's client list includes a number of Fortune 500 companies, like Microsoft, IBM, AT&T, and Blockbuster. The company says it services 14 of the top 15 credit card companies, 7 of the top 10 auto makers, 7 of the top 10 media entertainment companies, 6 of the top 10 magazine publishing companies, 4 of the top 5 telecom companies, 5 of the top 6 retail banks and 3 of the top 5 retailers. ..." <http://www.internetnews.com/article.php/2246461>
By William Jackson, GCN Staff Whenever the Defense Department's Computer Emergency Response Team Coordination Center sends out a vulnerability alert, each DoD systems administrator must acknowledge it and respond with a plan for closing the hole. The notification and response is becoming more automated, said a security manager at a DoD software development shop, who contacted GCN and asked that neither he nor his agency be named in print. The problem is that the remediation is manual. When you get two or three alerts an hour, it gets out of control. The DoD security manager said he uses the Hercules automated remediation tool from Citadel Security Software Inc. of Dallas to cut the time for fixing flaws in multiple machines from weeks to days or hours. [...] [And when it is *fully* automated, think of how wonderful it will be to have new Trojan horses and security flaws installed instantaneously, without having to require human intervention. Perhaps someday we might have systems that do not require continual patching, but I'm not holding my breath. PGN]
Magic Number: 30 Billion By John C. Dvorak, 4 Aug 2003 So what actually happens when your Windows XP machine crashes and asks if you want to send a report? The reports obviously accumulate in some database, and I can only assume that when one bin piles up with similar crash memos, the coders get to work. Exactly how many notifications does Microsoft get? Nobody knows for sure, but based on comments Bill Gates made at a recent meeting for analysts, the number must be astronomical. Gates said that 5 percent of Windows machines crash, on average, twice daily. Put another way, this means that 10 percent of Windows machines crash every day, or any given machine will crash about three times a month. Since Bill is a math junkie, I have to assume this number is real and based on something other than a phone survey. Those reports seem like the obvious source. Now according to StatMarket.com, as of March 2003, Windows XP had 33.41 percent global market share among operating systems. Let's give Microsoft the benefit of the doubt and make Windows XP's share an even 35 percent at this point. How many computers are in use? According to the Computer Industry Almanac, there were 603 million worldwide in 2001, and the growth rate seems to be around 10 to 15 percent per year. Let's be relatively conservative, and add just under 100 million to get a round number of 700 million PCs. With 10 percent of them crashing daily, we have 70 million crashes every 24 hours. And since only 35 percent are XP machines, 24.5 million reports a day accumulate in Redmond-nearly 9 billion per year. I doubt this number will go down anytime soon. ... http://www.pcmag.com/article2/0,4149,1210067,00.asp [Wonderful article. John goes on to estimate that this works out to a minimum of 30 billion Windows system crashes per year. He points out that this magic number is also the number of gallons of fresh water California wastes because of mismanagement, the dollar total for the Enron scam, and a few other nice examples. But he concludes that he is partial to the number ZERO, and thinks maybe that should be the target for Microsoft. PGN]
Associated Press, 6 Aug 2003 Some unsuspecting Verizon customers trying to pick a new long-distance plan were offered ''sexy introductions'' and a chance to ''continue the fun'' on an adult phone line. A letter sent to thousands of Verizon long-distance customers across the country last week listed a number for ''Intimate Connections'' as a Verizon customer service number, Verizon officials said Tuesday. ... http://www.boston.com/dailynews/218/region/Company_s_error_sends_customer:.shtml
GenCon is a large, annual game convention and trade show held at the end of July or early August. Although it was held in Milwaukee, Wisconsin for many years, this was its first year in Indianapolis, Indiana, with a record attendance figure of 28,000 people over the four days of the convention. The wait in line to register has always been a point of complaint, but this year that wait was particularly excessive, peaking at four hours on the Saturday. In an open letter to various message boards and newsgroups, GenCon CEO/owner Peter Adkison blamed most of the problem on the convention's computer network. A copy of the open letter can be found here: http://www.gamingreport.com/article.php?sid=9515 In summary: - The computers used for registration were on the same network as the computers that allowed convention attendees to freely access the Internet. Apparently there were no restrictions on the use of these public access computers. - By the first day of the convention 216 computers on the network were infected by a worm. The source of the infection was one of the public access computers, which also contained downloaded p*rn files. - The network wasn't sufficient to handle the traffic even without the worm problem. The worm amplified the problem. - Each attendee received a badge with their name printed on it. Badges were printed at a limited number of printers, 6 badges to a sheet. At times, the printers would time out due to the excessive network traffic. Sometimes the printed sheets would get lost. The badge printers were a major bottleneck in the system. The RISKS here should be obvious. This isn't the first time GenCon has had public access terminals on their network. The registration process doesn't appear to be much different from when I last attended (August 2000). Either the convention organizers were unusually lucky in previous years, or the problems weren't deemed sufficiently bad to warrant (in the minds of the organizers) stronger security and procedural changes. Adkison doesn't state whether or not the change in venue this year was a contributing factor.
Photoshop may not be to blame and the RISK may be broader than a single software product being the Microsoft Word of photography. According to Sue Chastain at http://graphicssoft.about.com/b/a/2003_07_26.htm the revealing thumbnails mentioned in RISKS-22.83 were not likely to be placed by Photoshop. Thumbnail previews, part of the EXIF metadata standard used by all digital cameras, may be created automatically when the picture is taken. She says "EXIF information and metadata is increasingly becoming a concern for professional photographers working in digital because it can potentially expose information [...]". Photoshop, rather than being the culprit, has a "Save for Web" command that strips out metadata including thumbnail previews.
Having just re-read John Brunner's 1975 novel "The Shockwave Rider", I was, umm, shocked to open RISKS 22.83 and find "New online futures market bets on next White House scandal" and "Pentagon's online trading market plan draws fire". In Brunner's future world (circa 200x), citizens gamble on the "Delphi" odds that such-and-so (everything from war and famine to soap opera events) will come to pass, in exactly the same fashion. Both schemes mentioned in RISKS could have been taken directly from the novel. Life imitating art?
About 25 years ago, someone had a computer hooked up to a Telex line and programmed it to trade commodities futures, sending telex orders to his broker. But it wasn't programmed to take into account the size of the various markets, some of which aren't all that big, and one day he got a phone call from the CFTC and they were not at all pleased that he had cornered the market in a thinly traded commodity, potatoes or something like that. He unwound his position and adjusted the program so it never traded that particular commodity again. I know this sounds like an urban legend, but I personally know the guy. > For companies, the RISKs are less clear. It's not clear whether > they had any way of finding out who was actually buying their stock, ... Not really. Stock held in accounts at brokers or banks (most of it these days), is nominally owned by one of a handful of specialist companies such as Cede & Co. There is a way that the broker can tell the company who the beneficial owner is so they can send out annual reports and proxy statements, but that takes a while, so that companies have only a vague idea of who owns their stock on any given day. That's one of the reasons you have to file notices with the SEC if you plan to buy a substantial amount of a company's stock. John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 330 5711 Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Please report problems with the web pages to the maintainer