My lead message in RISKS-22.08 announcing the use of a filter resulted in those of us using that filter having the issue designated as s-p-a-m! If you did not receive that issue because YOUR filtering is configured to pipe the message off to somewhere else or to delete it altogether, then you may pick RISKS-22.08 up at www.risks.org. But the effect of installing that filter was very dramatic, having taken the RISKS spam rate instantly from 98% to close to 0%. The false positive on RISKS-22.08 resulted largely from one trigger:

Hit! (4.4 points) BODY: O-n-e h-u-n-d-r-e-d p-e-r-c-e-n-t g-u-a-r-a-n-t-e-e-d

which had to do not with s*p*a*m, but with fraud detection. [Hyphens inserted to minimize further false positives? PGN] Incidentally, because of the new regime, I will be able to look at more messages from you all, in the same amount of my limited screen time.
Also install Vipul's Razor if you can, from razor.sourceforge.net. My own experience is that SpamAssassin is the best spam trapper I've ever used, and I've tried a lot of them over the last several years. But make sure you have auto-whitelisting turned on. You also might want to salt your config file(s) with whitelist and blacklist information based on your history, which SpamAssassin won't know about yet. Once I did that salting, my false negatives and false positives dropped to zero per month, but I only process 10Meg of mail in that time.
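As an added illustration (not SpamAssassin's own code, and not from either contributor above), here is a small Python reimplementation of the three mechanisms the two notes describe: threshold scoring, manually salted whitelist/blacklist entries, and the auto-whitelist, which moves a score halfway toward the sender's historical average. The 4.4-point body rule mirrors the quoted hit; every other rule, score and address is constructed.

```python
"""Threshold scoring with manual lists and an auto-whitelist (AWL),
as a small reimplementation of the SpamAssassin behaviour discussed above."""
import re
from collections import defaultdict

THRESHOLD = 5.0      # SpamAssassin's default required_score
LIST_SCORE = 100.0   # magnitude of the USER_IN_WHITELIST / USER_IN_BLACKLIST rules

# Constructed rule table: the first entry models the 4.4-point BODY hit quoted
# in the digest; the others are invented for illustration.
RULES = [
    ("HUNDRED_PERCENT_GUARANTEED", "body", re.compile(r"one hundred percent guaranteed", re.I), 4.4),
    ("SUBJ_ALL_CAPS", "subject", re.compile(r"^[A-Z0-9 .!-]{12,}$"), 1.0),
    ("FREE_MONEY", "body", re.compile(r"\bfree money\b", re.I), 2.5),
]

def rule_hits(subject, body):
    """Return [(rule_name, points)] for every rule that matches."""
    parts = {"subject": subject, "body": body}
    return [(name, pts) for name, part, rx, pts in RULES if rx.search(parts[part])]

class Filter:
    def __init__(self, whitelist=(), blacklist=()):
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.awl = defaultdict(lambda: [0.0, 0])   # sender -> [sum of raw scores, count]

    def score(self, sender, subject, body, use_awl=True):
        hits = rule_hits(subject, body)
        if sender in self.whitelist:
            hits.append(("USER_IN_WHITELIST", -LIST_SCORE))
        if sender in self.blacklist:
            hits.append(("USER_IN_BLACKLIST", LIST_SCORE))
        raw = sum(pts for _, pts in hits)
        final = raw
        if use_awl:
            total, n = self.awl[sender]
            if n:
                # AWL moves the score halfway toward the sender's historical mean
                final = (raw + total / n) / 2
                hits.append(("AWL", final - raw))
            self.awl[sender] = [total + raw, n + 1]   # history keeps the pre-AWL score
        return final, hits

def is_spam(final):
    return final >= THRESHOLD

def run_scenario():
    """Score a constructed RISKS-22.08 whose fraud item trips the body rule."""
    digest = "digest@example.org"                      # constructed sender
    subj = "RISKS DIGEST 22.08"                        # trips SUBJ_ALL_CAPS as well
    body = "Fraud detection: the ad promised results One hundred percent guaranteed."
    quiet = "Forum on risks to the public in computers and related systems."
    cold = Filter()                                    # first message ever seen
    cold_final, cold_hits = cold.score(digest, subj, body)
    warm = Filter()                                    # three clean issues already scored
    for n in (5, 6, 7):
        warm.score(digest, f"RISKS Digest 22.0{n}", quiet)
    warm_final, _ = warm.score(digest, subj, body)
    listed = Filter(whitelist=[digest])                # manually salted whitelist
    listed_final, _ = listed.score(digest, subj, body, use_awl=False)
    return {"cold": cold_final, "cold_hits": cold_hits,
            "warm": warm_final, "whitelisted": listed_final}

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The cold filter flags the issue (5.4 points over a 5.0 threshold); three clean prior issues are enough for the AWL to pull it to 2.7, and a salted whitelist entry makes the score strongly negative.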
Yet again the new multi-million-pound air-traffic computer system at Swanwick near Heathrow crashed last Friday (May 17, 2002) shortly after 6.30 am. This is a time of maximum inbound flights from the Middle and Far East -- with full 747s arriving at one a minute. It is also just when the morning rush hour for domestic and European departures and arrivals begins to build up. The crash was the result of a 'routine upgrade' which made half the air traffic controllers' computer screens inoperable. This meant that only half the normal flights could be handled, so airlines had to cancel most of their flights into and out of Heathrow - a situation which lasted for most of the day. Imagine one flight being canceled and all the disruption that can cause, then multiply that by many hundreds. And the knock-on effect of the wrong planes and crews in the wrong places at the wrong times lasted for most of the following weekend. The consequent loss of revenue to the struggling airline industry is inestimable, to say nothing of the increased loss of confidence in the safety of flying amongst the traveling public. The risks are obvious. The new computer system at Swanwick is a disaster waiting to happen. A 'routine upgrade' should not result in a major loss of service. The upgrade was obviously made to the primary system before testing on any backup system (is there one?), and if a routine upgrade can cause such a system loss then what would happen to a major upgrade? Confidence in the safety of the ATC system at Heathrow is not increased by the U.K. Government's refusal to financially bail out - yet again - to the tune of millions of pounds - the owners of the new system, the privatised NATS (National Air Traffic Services).
Confusing screens at Swanwick's new air-traffic control centre near Heathrow have resulted in aircraft being directed towards the wrong airports. Controllers have also misread the altitude of aircraft because letters and numbers are difficult to distinguish on the screens, according to the *Daily Mail*, 23 May 2002. For example, the numbers 0, 8 and 6 are confused, leading to mistakes of thousands of feet in the height of flightpaths (noted in a report in *Computer Weekly* magazine). Controllers and their supervisors at the privatised NATS (National Air Traffic Services) centre at Swanwick have detailed the errors in a health and safety report, which revealed that one controller has repeatedly misread requested flight levels, and mixed up FL360 (36,000 ft) with FL300 (30,000 ft). Others reported difficulties in seeing some letters clearly, particularly the Glasgow code EGPF and the Cardiff code EGFF. NATS and the CAA (Civil Aviation Authority, U.K.) have said that difficulties in reading screens have been experienced only by a small number of controllers, and that it is not a safety matter. NATS also said that an improved display had been developed and a prototype was shortly to undergo testing. The risks are many and unfortunately obvious. But what happened to the principles of good HCI (human-computer interface) design and user acceptance testing? Obviously no-one thought to ask the controllers if they could actually read the screens clearly as they play three-dimensional chess with the aircraft and passengers flying into, out of, and past one of the busiest airports in the world.
Stuart Staniford, Vern Paxson, and I have completed our paper, "How to Own the Internet in Your Spare Time" http://www.cs.berkeley.edu/~nweaver/cdc.web/ to appear in the 11th Usenix Security Symposium (Usenix Security '02). We've combined an analysis of Code Red I (which is still endemic on the net, with ~2000+ hosts still infected), the effects of Code Red II and Nimda, with the possibility of some new threats we have discussed before (Warhol strategies, Flash worms), and some we haven't (contagion worms, which are highly resistant to traffic analysis and similar detection strategies, and programmatic updates which represent a natural evolution in utility for worm writers). We then use this to make a case for a CDC-like institution to proactively develop defenses for such threats. Nicholas C. Weaver email@example.com
On May 1, MSNBC ran a story, "Best Buy closes wireless registers; Hackers say credit-card data vulnerable; other retailers at risk." It's still there at http://www.msnbc.com/news/746380.asp. But the story also says "An anonymous security researcher announced on a computer security research mailing list Wednesday that several U.S. retailers have made the mistake of installing wireless cash registers and transmitting the traffic in clear text, without encryption." So what's that other mailing list? Jim Laurenson, ICF Consulting, JLaurenson@ICFConsulting.com * http://www.ICFConsulting.com
Apparently, someone was able to steal credit reports from Experian by masquerading as Ford Motor Credit. They don't know how, but it won't happen again. Very confidence-inspiring... No further comment, just some excerpts: "Officials still aren't sure who, or how, someone snatched 13,000 credit reports through Ford Motor Credit Co.'s Grand Rapids office." What they are sure about, however, is that no more credit reports will be stolen -- at least from this group. "We're not sure how this happened, to be honest," said Melinda Wilson, spokeswoman for Ford Motor Credit. "We thought we had a tight system. We're going to have an even tighter system now." The reports provided the intruders with a wealth of information, such as Social Security numbers, credit ratings, account numbers for bank accounts and credit cards, and creditors' names and payment histories, Experian said. Full story at http://www.mlive.com/business/grpress/index.ssf?/xml/story.ssf/html_standard.xsl?/base/business-0/102199233690053.xml (watch URL wrap).
Oh, vending machines are the most defective thing I have ever seen in public service. Check around for a vending machine with a green/blue LCD screen, and a numeric pad using a telephone-style grid. Press 8. Then press 2. Then quickly press 8 and 2 at the same time. It will crash, and reboot. Any money in the slot is 'forgotten.' An obvious sign of a buffer overflow bug, or a sad case of a slow processor trying to keep up with a user's fast fingertips, as programmers tend to have. :) Unfortunately, I did not remember to check for any identifying signs to distinguish that model from any other models. Also equally unfortunate, I did not find any bugs that somehow reward the user instead of the vendors, implying that the developers were at least careful enough to prevent users from grabbing free grub.
At one time or another, I signed up for Passport--I believe because it was required to get the 90 days of free technical support with some software product or another. Recently, Microsoft decided to opt in every Passport user for information sharing. I went to my Passport account to attempt to change this preference, but found that I could not, because between the time when I first enrolled in Passport and now they have added a number of new personal information items--and (for some reason) it will not allow you to change ANY of the items unless you've entered ALL of them. Naturally, I did what anyone would do--filled in all the blanks with bogus information. And while I was at it, I decided to change my first name to "Mickey," my last name to "Mouse," and my date of birth to 04/01/2001. I unchecked the "Share Information" box and clicked the confirmation button. To my horror, a screen came up saying that because I was under thirteen I would need my parents' consent! I then received the following e-mail: "Dear Parent or Guardian: Your child, Mickey Mouse, has registered for a Microsoft .NET Passport and needs your consent to sign in to a Kids Passport-participating Web site or service. Your child indicated that he or she is under 13, and according to U.S. law, Web sites and services that collect, use, or share visitors' personal information must obtain a parent or guardian's consent to allow children under 13 to sign in.... If you do not have a .NET Passport: You need to have a .NET Passport in order to give or deny consent. .NET Passport is a free service from Microsoft that allows you to use a single e-mail address and password to sign in to a growing number of participating Web sites. NOTE: To register as a parent or guardian, you will need to verify that you are at least 18. You can use a credit card to do this. Your credit card account will not be charged, and .NET Passport will not retain or share the information."
A scam e-mail message now circulating the Internet purports to be from a "Special Forces Commando" in Afghanistan who's found $36 million in drug money while on patrol, and who wants your help in moving the cash. Sure he does. "We will thus send you the shipment waybill, so that you can help claim this luggage on behalf of me and my colleagues. Needless to say the trust in you at this juncture is enormous. We are willing to offer you an agreeable percentage of funds." Stop laughing, and grab onto your wallet. [AP/San Jose Mercury News 23 May 2002; NewsScan Daily, 23 May 2002] http://www.siliconvalley.com/mld/siliconvalley/3319360.htm [The Nigerian scams have been spawning numerous copycats, but this one is a new variant. PGN]
He tried eleven commercially available fingerprint systems and spoofed *all* of them (100%). The average single attempt had an 80% chance of success. The reputable German magazine c't ran a cover story just now with similar claims. They tested 11 iris, face, and fingerprint recognition systems and spoofed *all* of them. Some of their techniques were hilariously simple... it'll be a long time until this reader can take biometrics seriously. [Quite a few readers noted my mistake in RISKS-22.08. It has been corrected in the archives. Thanks to all of you. PGN]
> How did her mobile phone make a call by itself at 5am?

I don't know Samsung phones, but does it have a quick-dial feature using a longer press of a key? I can well imagine some conductive piece of dirt or moisture "making" the call - these keypads are not very robust. It stopped before being answered because the calls get dropped by the switches if not answered in 1 minute or so (pretty normal at this time). As to why at 5 am I have another story: Plain old alkaline batteries in one of my devices have the nasty habit of going empty early in the morning (the device tells it quite loudly). They seem to nearly always wait with their last breath until I sleep the best. My theory is that it is simply colder at this time and as the voltage correlates with the temperature, most of the daily voltage drop occurs when the temperature also falls and so it is more probable that the warning is triggered at night. If the quick-dial theory is right, a change in temperature could well be the triggering factor. Sometimes there are connections where nobody expects them - this is often a risk.

> Here's the weird bit: A call at a very similar time was made on
> my HOME phone to the same number (which I don't recognise at all).

There are some obscure possibilities involving callback requests (possible in some networks) or redirecting calls, but this really smells like a problem of the phone company (either billing software, or worse - phreaking). I heard of people finding missed calls from themselves on a mobile phone - and without an entry in the outgoing calls list.
Gremlins in the mobile firmware? Unlikely - since caller-id typically doesn't pick up a telephone number until the _second_ ring I suspect mum was awakened by a wrong number or a crank caller, and the mobile phone & caller id were simply showing a call completed earlier in the day (or perhaps the preceding day, given the time!)
For one thing, they aren't copy protected, and for another, they aren't CDs. We should be careful about allowing Sony to call the disks "CDs", because that is making their stunt legitimate. We should also be careful about allowing Sony to call the scheme "copy protection", because it does not protect against copying, but rather against (presumably legitimate) use. Call it "usage prevention", "usage limitation" or other such.

> But it would seem that the folks that created the format in direct
> violation of published standards should share some of the blame and
> resulting liability.

If we choose to follow the line of thinking I mentioned above, we should also take the consequences when the disks are marketed without clearly specifying that they aren't CDs, or that they may possibly break your CD players if you do so; just labelling them with "Does not play on PC or Mac" is hardly sufficient. Return the disk to the vendor, asking for your money back. If it has damaged your equipment, require an adequate replacement or financial compensation for the damage. And if you're a US citizen, consider the possibility of a class action lawsuit.
I agree that it can be considered unfair to PC manufacturers that CDs are being deliberately 'corrupted' in the name of Copy Protection. However, I am not convinced that liability should be considered to be anywhere other than with the PC hardware/software manufacturers when the PC crashes/freezes. Why shouldn't either the hardware or OS handle the error when the CD is corrupted? After all, corruption could happen for other reasons. Even though it is extremely unlikely that a dirty/scratched/faulty CD will contain the stream of bits that cause the current problems, there should never be a case that can't be handled by the combination of PC hardware and operating system. The good news for consumers: Surely it can't be long before PCs simply ignore the 'error' and carry on...
I think in this case the liability is ENTIRELY in the hands of those making the discs. Anyone with a modicum of smarts will know that ONLY gas should go into the gas tank. And even though we call it toilet "paper", most know that only "real" paper goes into a printer. But who would suspect that a CD shouldn't go into a CD drive? It's worse than someone trying to throw in a Playstation disc or a DVD. Even BY NAME it's the same thing. Unless there's a warning on the disc, and in big print, the people making the discs are simply inviting trouble and encouraging consumer problems. That ain't right. And I'm sitting here facing the old Mac that IS my CD player; haven't ripped a single song with it, or my newer Mac, which would probably be my new CD player if the built-in speakers were better. So if one of these discs messes up my computer, when I had no intention of violating copyright law, you'd better believe that I'm not going to be happy at all. How can you tell the regular CDs from these killer CDs?

Russ Perry Jr, 2175 S Tonne Dr #114, Arlington Hts IL 60005, 847-952-9729, firstname.lastname@example.org
Whose fault is it if a service station starts selling petrol (gas) containing a significant percentage of sugar solution? Especially if said garage does not give any indication that their product is any different from that which is for sale at every other station? Note that these copy-protected CDs are deliberately designed *not* to work in a PC. If the PC manufacturer "fixes" their machines so that the CDs *will* work, then they will be in violation of the DMCA.

Martin.Ward@durham.ac.uk http://www.cse.dmu.ac.uk/~mward/ Erdos number: 4
> To my experience, the Return-Path header generally contains the infected
> person's address, or enough of a clue that you can narrow down the
> listmember who _might_ be infected.

I have yet to see a single case where the Return-Path (that is, the SMTP "mail from:") is the real sender. On the contrary, we are rejecting 400,000 relay attempts a day pretending to be our users sending mail. When we detect campus hosts sending Klez, the logged "mail from:" has never been the address of the owner of the PC. The biggest fallout problem is anti-virus programs smart enough to recognize Klez but not smart enough to know the sender is always faked. For Klez, sending a "helpful" notice to the apparent sender is a really bad idea. It adds to the problem, not to the solution. The only useful notice would be to postmaster or abuse at the host that sent the message. We can filter Klez; it is almost impossible to filter the varying notices that anti-virus programs send, so they ironically are now the biggest headache for support staff.

Joseph Brennan, Postmaster, Academic Information Systems, Columbia University in the City of New York, email@example.com
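An added example, not part of Joseph Brennan's posting: Python that ignores the forged Return-Path and instead walks the Received: chain from the newest stamp downward, stopping at the first hop that a server we administer recorded from a host we do not control. That host (or its domain's abuse mailbox) is the one worth notifying. The sample message, host names and addresses are all constructed.

```python
"""Find the host that actually injected a Klez-style message whose envelope
sender (Return-Path) is forged, by trusting only Received: stamps we wrote."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: Return-Path names an innocent list member, but the
# message entered via a campus PC, relayed by our own MX to the list host.
SAMPLE = """\
Return-Path: <innocent@example.edu>
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
        by lists.example.org (Postfix) with ESMTP id 4F2A1C
        for <risks@example.org>; Thu, 23 May 2002 10:00:00 -0400
Received: from pc-lab-42.dorm.example.edu (pc-lab-42.dorm.example.edu [198.51.100.42])
        by mx.example.edu (8.12.3/8.12.3) with SMTP id g4NE0aBc
        for <risks@example.org>; Thu, 23 May 2002 09:59:58 -0400
From: innocent@example.edu
To: risks@example.org
Subject: W32.Klez removal tool

(worm body omitted)
"""

# Received: stamps written by hosts we administer are the only trustworthy
# ones; anything the sending machine placed below them is attacker-controlled.
TRUSTED_HOSTS = {"lists.example.org", "mx.example.edu"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)

def parse_received(value):
    """Unfold one Received: header and pull out helo/rdns/ip/by, or None."""
    m = RECEIVED_RE.search(" ".join(str(value).split()))
    return m.groupdict() if m else None

def find_injecting_hop(msg, trusted=TRUSTED_HOSTS):
    """Walk stamps newest-first; stop at the first hop a trusted host
    recorded from a host we do not control."""
    for raw in msg.get_all("Received", []):
        hop = parse_received(raw)
        if hop and hop["by"].lower() in trusted \
                and (hop["rdns"] or "").lower() not in trusted:
            return hop
    return None

def analyse(raw_text):
    """Contrast the claimed sender with the host that should get the notice."""
    msg = email.message_from_string(raw_text, policy=policy.default)
    hop = find_injecting_hop(msg)
    result = {"claimed_sender": parseaddr(msg.get("Return-Path", ""))[1],
              "injecting_ip": None, "injecting_host": None, "notify": None}
    if hop:
        result["injecting_ip"] = hop["ip"]
        result["injecting_host"] = hop["rdns"]
        if hop["rdns"] and "." in hop["rdns"]:
            # use the reverse-DNS name our MX recorded, never the forged From:
            result["notify"] = "abuse@" + hop["rdns"].split(".", 1)[1]
    return result

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A stamp whose "by" host is not one of ours proves nothing, since the worm's own SMTP engine can write any Received: lines it likes before handing the message over.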
BKCYBFOR.RVW 20020319

"Cyber Forensics", Albert J. Marcella/Robert S. Greenfield, 2002, 0-8493-0955-7, U$49.95
%E Albert J. Marcella
%E Robert S. Greenfield
%C 823 Debra St, Livermore, CA 94550
%D 2002
%G 0-8493-0955-7
%I Auerbach Publications
%O U$49.95 +1-800-950-1216 firstname.lastname@example.org email@example.com
%P 443 p.
%T "Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes"

The introduction to this book emphasizes the fact that this is a field manual, designed for quick reference, and not a textbook for study. Unfortunately, the authors seem to have taken this as licence to throw in all manner of random text and documents, without much structure or thought for the user. Section one outlines the various aspects of cyber forensics, according to the book's definition. Chapter one is entitled "The Goal of the Forensic Investigation," but the actual contents offer both more and less than that. The chapter starts with a few possible specific investigations, and provides directions on initial questions to ask. When the material moves to more general discussion of investigations, it becomes vague, and loses utility. Non-liturgical investigation (one that is not expected to end up in court) is examined in chapter three, even though the text admits that the procedure should be the same whether you expect to end in court or not: just collect everything you can. The content is limited to Windows, and specifically to the use of Internet Explorer. Much the same, with a little additional material on the Registry and event log, is done with liturgical investigations in chapter three. A repetition of the same information about Internet Explorer cache and cookies is found in chapter four. Chapter five describes nmap, and its author, in some detail, and then lists a number of other UNIX utilities.
The broadest possible interpretation of intrusion investigation is discussed in chapter six, and, again, the advice boils down to the importance of careful collection of all possible information. Chapter seven outlines rules of and considerations for evidence in US courts of law. Section two expands on this last chapter, looking at US (and supposedly international) statutes. Chapter eight examines US law regarding the admissibility of evidence intercepted from communications or recovered from seized computers. Changes to the US National Information Infrastructure Protection Act, and an editorial stating that cybercrime is bad, are given in chapter nine. The preamble to, and some questions about, a draft of the Council of Europe Convention on Cybercrime, are reproduced in chapter ten. Chapter eleven contains random comments on privacy. US Presidential Decision Directive 63, calling for a plan for protection of information infrastructure, and a speech justifying the use of Carnivore are reprinted in chapter twelve. Chapter thirteen replicates an overview of US Public Law 106-229 on electronic signatures (E-SIGN) as well as a number of other pieces relating to electronic commerce. Legal considerations in providing the electronic systems mandated by the US government paperwork reduction act are discussed in chapter fourteen. Speeches and comments on the US government's attitude towards encryption are given in chapter fifteen. Chapter sixteen looks at various pieces of US legislation related to copyright. Section three concerns tools for forensic investigation. Chapter seventeen discusses such tools in a very generic way, and then briefly lists a number of specific programs. There is a two page list of FBI office phone numbers in chapter eighteen, which is supposed to guide you in reporting Internet-related crime. Chapter nineteen is a simplistic four page list of questions to ask when conducting a computer audit. This is definitely not a field manual.
It offers almost no practical advice on collecting evidence from computers: if the material in this book is helpful to you, you have too little knowledge of the technology to have any business being engaged in computer forensics. The most valuable part of the book involves the collection of documents regarding US computer related legislation, but that would be of interest only to American lawyers. It would be difficult to recommend this work to anyone else. Even security personnel wanting a background on US federal legislation might be advised to look elsewhere, since the lack of structure and analysis in the book makes it very hard to read.

copyright Robert M. Slade, 2002 BKCYBFOR.RVW 20020319
firstname.lastname@example.org email@example.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade