New Product Release: SnackGuard WireX Communications, Inc., 1 Apr 2002 [This arrived too late for the April Fool's Issue, but better late than never? (Or better never than later?) PGN] WireX is pleased to announce the latest addition to the Immunix family of security tools: SnackGuard. SnackGuard effectively guards your favorite snacks in the break room from "snack smashing" attacks: the predations of other hungry engineers. This protection is especially vital in these trying times of unemployment, when nomadic tribes of hunter/gatherer geeks roam the halls of once mighty dot.com's in search of food and caffeine. Following on StackGuard's "canary" defense, SnackGuard employs WireX's patent-pending "turkey" defense: when SnackGuard detects the "gobbling" noise of some turkey scarfing down your favorite pop tarts and heavily caffeinated beverages, it issues a pink slip, halting the gobbler. While SnackGuard is effective in defending your snacks, it is not without costs. SnackGuard increases run time when you are running to catch the bus or the elevator, in that successful defense of your snacks tends to increase "programmer's butt". Excessive consumption of caffeinated beverages without intervening bathroom breaks may also induce personal "buffer overflows". While SnackGuard is "free speech", it is not "free beer": you may modify and distribute this gag as you wish, but go buy your own brewskis. Crispin Cowan, Ph.D., Chief Scientist, WireX Communications, Inc. http://wirex.com Security Hardened Linux Distribution http://immunix.org
In this year's April Fool edition, RISKS-22.01, our fearless moderator reprinted that old item that purports to be from the auto industry: if we made cars like computers, we'd always be crashing, rebooting, upgrading, ... In particular, item 10 stated: 10. You'd have to press the "Start" button to turn the engine off. Just because it's funny doesn't mean it's not real. The automobile industry is copying all the worst features of the computer industry, ignoring all the advances in user-interface design, and all the lessons about safety. I fear that someone in the industry a few years ago missed the significance of the date "April 1" in the United states. They took it seriously. I point your attention to the new BMW Series 7 automobile. The key is simply a personal identifier that instructs the car to adjust the seat, mirrors, steering column, etc. to the key owner's preferences. To start the engine, push the "Start" button. To turn the engine off? Push the same "Start" button. That takes care of Pont number 10 in the "joke." (To be fair, the button is actually labeled START STOP, but then again, so too should the MS Windows button.) But it gets worse. The New 7 series BMW no longer has all those knobs and buttons that clutter up the dashboard - you know, where each knob does one thing that you can count on. Instead, it has a single controller located on the center console that "functions similarly to a computer mouse." It drives a display in the center of the dashboard. It is called the iDrive: i for "intuitive") (Don't get me started on intuitive. You know what's intuitive? Fear of heights. Everything else we call intuitive, such as walking or using a pencil took years of practice. Is that what we want? A control that takes years of practice?) The iDrive plus display, says the sales brochure, is a "user-friendly interface (that) offers quick access to over 700 settings, plus navigations system maps, phone book listings, and more" One control, one display -- 700 settings? What were they thinking? As USA Today put it: "it manages to complicate simple functions beyond belief." Auto review said "iDrive is not simple, no matter how clean it looks to the naked eye. ... Our advice ... Is to ... retain basic manual controls for functions that are used every day.") I work in the field of usability and safely. I am appalled. I do, however, have to keep an open mind. After all, I have not tested it. I did sit in the front seat in a showroom, but with everything turned off. I should drive it down the highway -- or better, a crowded city street - and test the iDrive. Set a new radio station, check the directions to my destination, see how much fuel I have left, adjust the temperature of the interior -- things I might actually do while driving. Only then can I pass judgment. Until then, I'm simply delighted that I am not planning to buy one. Alas, BMW promises that the features will migrate downward to all their autos. Beware of April Fool jokes: they may come back to haunt you. Don Norman, Computer Science, Northwestern University Nielsen Norman Group firstname.lastname@example.org http://www.jnd.org
>6. The oil, water temperature, and alternator warning lights would all be >replaced by a single "General Protection Fault" warning light. It's labeled "Check Engine". But opening the engine compartment and checking ("Yup, still there.") accomplishes little; instead you need to read some diagnostic code by plugging in a debugger that was not furnished when you bought the car.
Quite a few people have apparently gone to Amazon.com to order "Hacking For Dummies" -- a bogus (i.e., nonexistent) book reviewed by Rob Slade in RISKS-22.01. Perhaps, not surprisingly, the ISBN bears a strange resemblance to the ISBN for "S*x for Dummies". We have to call a Slade a Slade. Perhaps his review was too subtle? Perhaps your fearless moderator needs to be more obvious in highlighting April Fools' items, besides putting it up front in the issue rather than buried in its usual end-of-the-issue position? Aw, come on! April Fool's Day is seemingly a worldwide tradition, and that's part of the fun.
As reported on 1 Apr 2002, http://news.com.com/2100-1023-873181.html Brilliant Digital has been distributing 2 programs with KaZaA , one of which allows 3D, animated banner adds (ala Flash for 3D), and the second being the framework for what can only be described as a "leech" peer to peer network: using unused bandwidth, storage, and processor cycles on client machines to do tasks like banner advertisement serving, distributed computation, and distributed storage. The second program is not complete, but is basically a Trojan which can be woken up to create this network. Being on April 1st, it smelled like an April Fool's prank, just far enough out to be believable, but not quite right. Unfortunately, this isn't a hoax, but is 100% true. Firstly, an e-mail with the reporter confirms that this was based on an interview with the CEO (possibly a point of fraud) and the SEC filings (annual report, form 10KSB). One could believe that the reporter was hoaxed by the CEO, but the SEC filings are presumed to be accurate in such matters. Reading the SEC filings http://biz.yahoo.com/e/020401/bde.html confirms that this is what they are doing and HAVE been doing: the Trojan has been and continues to be distributed as part of KaZaA "third party" software, and they plan on creating a distributed, secure, network for distributed storage, bandwidth, and computation using this Trojan. And by installing the 3rd party software, KaZaA users have already agreed to these terms and conditions. What are the RISKS, let me count the ways: 1) Serious news being released on 1 Apr. This is actually a pretty BIG deal: this story should have real legs, the implications are pretty astounding. But apart from being posted on slashdot (and being largely dismissed as April 1st), and being mirrored on MSN, it doesn't seem to have spread beyond that. 2) Trojans being "legitimately" installed as part of various applications. And if this forms a distributed network upon activation, this is another huge security risk.  3) That some company thinks it can do "secure" content delivery using untrusted clients (not just untrusted, but rater hostilly acquired). Secure storage is reasonable (encrypt everything, distributed copies) but still hard. Secure distributed computation is very hard (an open research area, outside some very select problems), and secure distribution of bandwidth (say, for add serving) is a total crack-pipe dream. 4) The unwavering acceptance of license agreements on the part of users (who are so conditioned to click "OK").  KaZaA's business model is "we give the program free, but charge people to bundle mandatory/voluntary programs with our download".  Peer To Peer networks are hideously vulnerable to both active worms (which can spread quickly using the inherent topology) and contagion worms (which masquerade as "normal" traffic). Be Afraid. Be Very Afraid. Nicholas C. Weaver <email@example.com>
Subject: IRS Form W-9095" -- that is NOT ISSUED by the Gov't Given the source of who sent this to me this is almost certainly legit. Just be aware. Adam. - --------- Forwarded message ---------- Date: Thu, 28 Mar 2002 17:52:30 -0500 Subject: "IRS Form W-9095" - that is NOT ISSUED by the Gov't FYI.... I personally know the person who posted this information and she does work for the USSS. I have not seen the document yet so if you have any questions direct them to Jean Dugger directly. -----Original Message----- Sent: Thursday, March 28, 2002 3:57 PM To: METROTECH-L@LISTSERV.CC.EMORY.EDU Subject: "IRS Form W-9095" - that is NOT ISSUED by the Gov't To - ALL METRO TECH MEMBERS (PARTICULAR INTEREST - BANK SECURITY) Fm - Jean Dugger, U S Secret Service SUBJ - IRS Form - not from the Government.... Just when you think you've heard it all....you find out you haven't!! Today, we were notified by a bank security good friend of the USSS that a form "W-9095" is circulating - which was accompanied by a letter, looking much like an official letterhead of the bank, requesting their customer to complete the form and fax it back to phone #914-470-9245. I'm sure you'll be surprised to learn that the form requested all kinds of personal identifier information - ie, name, DOB, SSN, address, phone, parents' names and mother's maiden name - just about everything you would need to set up shop doing identity fraud!! Luckily, a customer of the bank brought the form into a branch, to turn it in, and bank security was alerted. The form, called an "Application Form For Certificate Status/Ownership For Withholding Tax", is quite a work of art - and I feel sure that it has been widely distributed - my concern is that it could be VERY widespread - perhaps by some former employee(s) who could gain access to bank customer records base - and send out such a thing! The form, official looking as it is, claims to be a "Department of the Treasury Internal Revenue Service" form - which it is NOT. I have forwarded this info to IRS Internal investigations to see if they would take a look at it. I will bring copies to share at MetroPol Fraud next week! My thought is that someone worked way too hard on this form to limit it's distribution to even one bank's customers! BE AWARE! The bank letter is signed "Monique Meeuws" - and smells a lot like a "419" letter scam!! Please notify the U S Secret Service - me or Chad Laub, 404-331-6111, if you identify these forms circulating to your customers!! For the info of credit union organizations - please feel free to post this message on your systems as well. We are looking into this and trying to develop more information. Please call me if you have info. More details to follow! Jean, USSS
Authorities are trying to restore order at a maximum security jail after an electrical storm led to the failure of cell locks. <http://news.bbc.co.uk/go/em/-/hi/english/uk/scotland/newsid_1910000/1910131.stm> A lightning strike destroyed an electricity sub-station supplying power to Shotts prison in Central Scotland, and the cell locks defaulted to what should be the fail-safe for electronic door locks - open. However should that be the case in a prison? Luckily for us who live close by the main prison security is still mechanical. The risks - fail-safe modes must be carefully designed for the system application: don't rely on the component default fail-safe mode.
Barclays BACS payment system failed last week, and a large number of people did not get their pay check in their bank account. Normally this would not be a huge problem, but because it is Easter and so has two bank holidays leading up to the last day of the month it is a huge disaster. I don't know the details of the software problem at all, but arrangements were made with banks to extend credit and Barclay's said they would pay any bank charges that anyone incurred because of not being paid. I am astonished that Pete Mellor hasn't sent you details. If you have a look on any of the UK newspapre sites for last week you will find something about it.
Razor burn: Runaway popularity of Gillette's Mach3 creates a sales bonanza for thieves Gillette is taking steps to stem the flow of stolen Mach3 products. Perhaps the most important, Szynal said, is a pioneering antitheft technology consortium at the Massachusetts Institute of Technology sponsored by Gillette, Procter and Gamble, and other large consumer-products companies. The MIT scientists are developing a microchip that, once embedded in the packaging of the Mach3 and other products, would allow the product to be tracked from factory to warehouse to retailer and everywhere in between. The chip, which began a one-year field test in Oklahoma in October, will allow Gillette security officials to scan products for sale at a flea market and determine where they came from. [Excerpt] http://www.boston.com/dailyglobe2/089/business/Razor_burn+.shtml
Yahoo has apparently made a sneaky change to the "Marketing Preferences" of all subscribers to mailing lists on yahoogroups.com, changing all their "No's" to "Yes". The result will be not only a load of spam, but also junk mail and even junk phone calls if your address or phone number are on file with Yahoo. To change them back: Go to Yahoo Groups (http://groups.yahoo.com) and sign in. Go to My Groups and click on Account Info, verify your password if it asks you to, and your Yahoo ID card comes up. Click on 'Edit your Marketing Preferences' and change all those Yes's back to No's. Click Save Changes.
Yahoo users fume over "spam" switch, By Jim Hu, CNET News.com, 29 Mar 2002 Some Yahoo members on Friday reacted angrily to changes in the Web portal's e-mail marketing practices, comparing the company's revised policy to an open invitation to spam. "I never received any notification about this from Yahoo," one annoyed reader wrote in an e-mail to CNET News.com. "I was merely lucky enough to have a friend warn me about it." The ire stems from changes in Yahoo's "marketing preferences" page, which the company uses to secure permission to send service promotions. Along with other changes to the page, Yahoo said it had reset the default preferences for all members in a way that would require them to manually request that the company block the messages in the future--even if they had declined to accept such e-mail in the past. ... http://news.com.com/2100-1023-871730.html
> ... this computer was not connected with the computers at... Swanwick ATC > ["connected with" is of course ambiguous in this context. PGN-ed] The failing system was the National Airspace System, NAS, according to press reports. This provides Flight Data Processing for Swanwick. "Connected to", rather than "connected with"? Martyn Thomas, Holly Lawn, Prospect Place, Bath BA2 4QP 01225 335649
(Mellor, RISKS-21.98) And since then they have announced that they weren't calculating it correctly (an algorithm error, as opposed to a software glitch) and that it is in fact salmon. I think its safe to say that these guys really have no idea what color the universe is. Looks mostly black to me, maybe I'm looking in the wrong direction :) Douglas Siebert firstname.lastname@example.org
The current discussion on Spelling/Grammar prompts me to add some comments from my personal, first-hand perspective on the issue. I was the original developer of one of the first successful commercial grammar checkers - Grammatik. The major development of grammar checkers was at its peak in the late 1980's and early 1990's. One of the most distressing things to me is the fact that the quality of both spelling and grammar checking software available today is no better than it was almost 10 years ago. How did this happen? It may be hard to remember, but as recently as 1993 or 1994, you still had a real choice of what word processor you used. Today, Microsoft has a virtual monopoly with Word. In 1992, Microsoft decided that the state of grammar checking had gotten both good and essential enough that one should be integrated with Word. This decision has had many effects on the state of grammar checking. In 1992, there were at least four grammar checkers available that could be considered state of the art, or nearly so. Microsoft chose one, and WordPerfect followed their lead by acquiring my company. The other companies faded into oblivion, with the ultimate result that, after a couple of years, there was no major new R&D going on with English grammar checking (to the best of my knowledge). Because of this chain of events, the grammar checker you get today in Word is not significantly better than the grammar checker you might have used almost 10 years ago. This is really sad because we were making great improvements in the quality and accuracy of the software, and had the development continued, there is little doubt that many of deficiencies of grammar checking would have been overcome. Unfortunately, as long as Microsoft considers the current grammar checking good enough, and as long as Word remains the dominant word processor, there will be little or no incentive for anyone to independently develop better grammar checkers. The RISK in this? Monopoly and complacency. (This note has been spell checked, but not grammar checked. No grammar checking available for my e-mail software...) Bruce E. Wampler, Ph.D., Author of the V C++ GUI Framework email@example.com http://www.objectcentral.com
> Does this not have direct precedence with snail mail? I am imagining CD > clubs here. You can't be legally obligated by anything that you receive in > the mail and just throw away. However, at least in the US it took legislation to establish the principle that receipt of unsolicited merchandise incurs no obligation on the recipient. I think this occurred roughly 40 years ago, but I don't have a reference and a quick search on "unsolicited merchandise" makes it apparent that there are now many relevant laws. Before such legislation was enacted, some merchants sent merchandise unsolicited and then dunned the unwilling recipients for payment unless they paid for return shipping. I don't know whether such merchants could actually collect in the face of determined opposition, but in most cases the individual recipient simply didn't have the resources to contest the bill. If there's a lesson to be learned from the parallel between snail mail and e-mail, it's that individuals often need to be empowered by legislation to effectively resist commercial abuse.
BKCMPFRN.RVW 20020221 "Computer Forensics", Warren G. Kruse II/Jay G. Heiser, 2001, 0-201-70719-5, U$39.99/C$59.95 %A Warren G. Kruse II firstname.lastname@example.org %A Jay G. Heiser %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2002 %G 0-201-70719-5 %I Addison-Wesley Publishing Co. %O U$39.99/C$59.95 416-447-5101 fax: 416-443-0948 email@example.com %P 392 p. %T "Computer Forensics: Incident Response Essentials" I'm still disappointed that authors seem to think computer forensics is limited to data recovery, but this work at least has utility value going for it. Chapter one is a rough outline of data recovery, with an emphasis on documentation and the chain of evidence. Basic information about IP addressing, for the purpose of tracing intruders, is given in chapter two: it is useful and does not drown the reader in inconsequential details. (There is an oddly vitriolic dismissal of the story of the origin of the term for Packet INternet Groper.) A valuable discussion of e-mail headers, and a very terse outline of intrusion detection systems (IDS) are also included. Hard drive basics and concepts are given in chapter three. The material is generally good, but some points on imaging and connecting are passed over rather quickly. Chapter four has a reasonable high-level overview of encryption abstractions, but it is difficult to see the immediate relevance of the material to forensics. "Data Hiding," chapter five, contains some meandering topics that range from password cracking to NTFS (NT File System) streams to steganography. A few tools for dealing with these problems are listed. The description of hostile code, in chapter six, matches that of weeds in gardening: anything you don't want. It is, therefore, unsurprising to find that the content, while basically sound, is not particularly structured or helpful. A list of software (and some hardware) tools are described in chapter seven. Chapter eight explains a number of points about the Windows operating system that might affect data recovery and forensics. (The material discussed is not, unfortunately, exhaustive, although it is very useful as far as it goes.) The introduction to UNIX, in chapter nine, is more structured and detailed, although it examines fewer specific tools. Chapter ten's general overview of an attack on a UNIX system is fairly standard, although there is a useful table of commonly compromised system utilities. A wide variety of tools and commands for collecting information from and about UNIX systems is given briefly in chapter eleven. Chapter twelve is a short introduction to general concepts in the (US) law enforcement system. The last chapter is a rather abrupt finish to the book. There are seven appendices, the most useful of which is a handy point form overview of incident response activities. Computer forensics books are starting to come out of the woodwork, and most offer such sage advice as "gather evidence" and "don't mess up the chain of custody." This book does tend to follow the same style and tone, but also has very valuable tips for practical work. It won't help you much in analysis, but it will help you become better at collecting data that will stand up in court. copyright Robert M. Slade, 2002 BKCMPFRN.RVW 20020221 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Papers and presentations are now being accepted for the Black Hat Briefings 2002 conference. The conference is held from July 31-August 1, 2002 at the Caesars Palace Hotel and Resort in Las Vegas, NV, USA. Papers and requests to speak will be received and reviewed until May 1, 2002. Please read the full announcement at: http://www.blackhat.com/html/bh-usa-02/bh-usa-02-cfp.html
Please report problems with the web pages to the maintainer