Christmas Day was rough on people in the Northeastern U.S., with snow and nasty weather conditions. One very tired National Weather Service forecaster had worked 24 hours straight, into the following day, because relief could not make it to the Albany NY work site, with up to three feet of snow on the ground. He accidentally clicked on an icon that triggered a high-alert general site emergency to neighbors of the Vermont Yankee nuclear power station, just one level below the evacuation order. That alert went via special tone-alert radios only to people who cannot hear the urban-centered emergency sirens. The alert was canceled shortly thereafter, after the VT Emergency Management Office checked with the power plant. There is a five-minute delay on such alerts going out to the general radio audiences, so this particular alert never made it more widely than the special alert system. Reportedly, the software will be modified to make this type of erroneous message less likely. [Source: Susan Smallheer, *Rutland Herald* (Vermont), 27 Dec 2002; email@example.com; PGN-ed] http://timesargus.nybor.com/Story/58206.html
"A distant Pioneer whispers to Earth": Like the Energizer Bunny, Pioneer 10 is still going after 30 years — sort of. Silent since March 2002, now 7.5 billion miles away, or 11 hours at the speed of light, faint signals were received but could not be locked on, and no scientific information could be obtained. http://www.cnn.com/2002/TECH/space/12/18/pioneer.contact/index.html [or http://reuters.com/newsArticle.jhtml?type=topNews&storyID=1921184 ?] [typo corrected in archive copy, alternative URL suggested as well. PGN]
The UK National Air Traffic Control Centre at Swanwick (RISKS-21.98, 22.02,03,09,12,13) is still having "potentially catastrophic" problems, including erratic communications breakdowns between controllers and pilots, unclear screen images, etc. http://news.bbc.co.uk/2/hi/uk_news/2589247.stm
ElcomSoft Co. Ltd., based in Moscow, has been found *not guilty* of criminal charges that it violated the 1998 U.S. Digital Millennium Copyright Act by selling a software program designed to circumvent the digital locks used to enforce copyright protections on Adobe Systems e-book software. The two-week trial was the first criminal prosecution under the controversial DMCA, which prohibits the sale of technology that can be used to break the code that "locks" digitally formatted movies, music and other software. The case hinged on whether ElcomSoft had "willfully" violated U.S. law, an intent the defendants denied. "They never intended to violate the law," said defense attorney Joseph Burton. ElcomSoft president Alexander Katalov pointed out that the program was legal in Russia and was not meant to be used for electronic books that had not been legally purchased. He said he didn't know that the software was illegal under U.S. law. [Reuters, 17 Dec 2002; NewsScan Daily, 18 December 2002] http://shorl.com/degreryliprujy
Emilio Calatayud, who worked for the U.S. Drug Enforcement Administration (DEA) for 14 years, has now been sentenced to 27 months in prison and a $5,000 fine for selling information on claimants in more than 1000 workers' compensation cases to Triple Check Investigative Services. He used his authorized access to the FBI's National Crime Information Center (NCIC), the California Law Enforcement Telecommunications System (CLETS), and the DEA Narcotics and Dangerous Drug Information System (NADDIS). He was paid at least $22,500 from 1993 to 1999 for these extracurricular services. On the first day of his trial in February 2002, he fled to Mexico, but was later caught. [Source: Kevin Poulsen, SecurityFocus Online, 18 Dec 2002; firstname.lastname@example.org; http://www.securityfocus.com/; PGN-ed; Courtesy of Richard M. Smith http://www.theregister.co.uk/content/55/28621.html]
A former UBS PaineWebber computer expert was indicted on federal charges of trying to manipulate the stock price of the brokerage's parent company last spring by disseminating a computer virus among over 1,000 systems used by PW brokers. He had reportedly been hoping to gain from the resulting stock price drop. [Source: article by Robert Hanley, *The New York Times*, 18 Dec 2002; PGN-ed] http://www.nytimes.com/2002/12/18/technology/18SABO.html
In order to monitor the U.S. civilian population in its effort to detect terrorists, the government's Total Information Awareness program will rely almost completely on data collection systems that are already in place -- e-mail, online shopping and travel booking, ATM systems, cell phone networks, electronic toll-collection systems and credit card payment terminals. Technologists say that what the government plans to do in data sifting and pattern matching in order to flag aberrant behavior is not very different from programs already in use by private companies. For instance, credit card companies use such systems to spot unusual spending activities that might signal a stolen card. The early version of Total Information Awareness uses a commercial software collaboration program called Groove, which was developed in 2000 by Ray Ozzie, inventor of Lotus Notes. Groove enables analysts at various government agencies to share intelligence data instantly, and links programs that are designed to detect suspicious patterns of behavior. However, some computer scientists question whether such a system can really work. "This wouldn't have been possible without the modern Internet, and even now it's a daunting task," says cryptology expert Dorothy Denning, a professor in the Department of Defense Analysis at the Naval Postgraduate School. Part of the challenge, she says, is knowing what to look for. "Do we really know enough about the precursors to terrorist activity? I don't think we're there yet." [*The New York Times*, 23 Dec 2002; NewsScan Daily, 23 December 2002] http://partners.nytimes.com/2002/12/23/technology/23PEEK.html
In *The New York Times* for 23 Dec 2002, John Markoff and John Schwartz find that "Many tools of Big Brother are up and running." In this article, they describe how the Total Information Awareness or TIA program hopes to use the eXtended Markup "Language" (XML) as a form of Krazy Glue to create the mathematical union of existing and wildly disparate data sets. Quite apart from genuine concerns about privacy, the real problem may be correctness. This is because the "end user's" vision of a data base, as opposed to a large program, is relatively optimistic. Intelligent end users know in some way the Turing pessimism: that there is no automated procedure, and often no practical procedure, for determining whether a large software artifact "halts" or more generally arrives at a desirable state. But what they may not know is that modern data bases including Oracle and SQL Server include meta-data that in effect transforms the non-Turing-complete (and therefore controllable) data base into a very large Turing machine. This meta-data traditionally consisted of format declarations, which do not in themselves present the Turing problem, but also consists of "stored procedures." These are modally small but sometimes large programs written in a Turing-complete programming language that have the ability to form part of the semantics of the data base. For example, a yes/no flag (indicating "probable terrorist involvement") may be accessed via an automated trigger that returns not its raw value, but its value, ANDed with another flag that overrides the raw flag. The latter flag may indicate an explanatory condition such as association with organizations already known to be neutral (such as the Red Crescent), which association lowers the probability of the original condition. 
And, although traditional meta-data (such as the use of Long or 32-bit representation for an integer value) does not make a data base Turing incomplete it may (or may not) represent a statement about the data. The selection of 32 bits may represent a decision that the value in question ranges between -2**31 and -2**31-1, or it may represent ONLY the absence, at the time the data base was created, of a 64 bit architecture. The problem is that eXtended Markup Language CAN represent all these subtleties in principle but WILL NOT in practice owing to time pressures. Already in the literature one finds a split. Managerial articles on XML promise complete control, while in the same journal, programmers and system administrators are assured that XML is permissive and will allow the representation of values as ASCII strings...without type constraints. XML is no Pascal but is instead in the tradition of C, which allows the developer to make forensic decisions on his own without oversight. The manager believes that everything is under control, while in the server room it is decided, modally in an undocumented way, that a citizen who posts long articles on the Internet is a potential troublemaker. The problem is that the artifact resulting will be an uncontrollable, because Turing complete, PROGRAM that will form its own documentation. As a form of de facto electronic law, it will result in even more Constitutional mischief than we've seen enough of already in the war against terrorism.
We've got a curious case in White Plains, NY (about 20 miles north of NYC) in which one of the older mechanical voting machines broke down - leading to a great deal of messiness as to who won the election. The allegation is that the lever for one candidate jammed, so people couldn't readily vote for him. The good thing here is that there was feedback to the voters that they weren't getting through and that these concerns were, indeed, taken seriously. (We all know far too well the problems with more "modern" systems). For various legal reasons the losing candidate doesn't have direct standing, but has to defer to the Attorney General. Mr. Spitzer's office investigated, and has now filed the court paperwork. To quote from the AG's press release:

"In March, Delgado requested that the Attorney General consider bringing a *quo warranto* action. Following long-standing office policy, the Attorney General's Office convened a panel of three seasoned assistant attorneys general to investigate the White Plains Common Council election. During its six-month investigation, the panel interviewed Delgado and Hockley, as well as officials from the Westchester Board of Elections and poll workers.

"Information uncovered in the investigation showed that the voting machine in the 18th Election District had, in fact, jammed only on the line with Delgado's name, preventing votes for him from being recorded. In the investigation, the panel received 103 sworn affidavits from White Plains voters who said they voted for Delgado on the voting machine in the 18th Election District. The investigation also determined that those voters had signed in and voted at the 18th Election District. Those 103 votes would have been more than needed to overcome the 47-vote differential between the candidates." [...]

So while it's taking much longer than I'm sure anyone would like, the process is clear-cut and making its way through. Further details at: http://www.oag.state.ny.us/press/2002/dec/dec03c_02.html
In the last couple of elections/referenda here we've had a few pilot schemes for electronic voting. The plan is to introduce electronic voting countrywide in the next couple of years. The system is one that does not have a paper audit trail etc. Despite commissioning a report on the integrity/security of the systems used, the government department responsible seems set on ignoring the results of the report and will continue to roll out the process.

From the 'Irish Independent' 9 Dec 2002:

Electronic vote machines open to tampering - report

A PRIVATE report for the Department of the Environment has cast doubt on the security of the ballot in new electronic voting machines. The "powervote" machines, deployed in seven constituencies at the last general election and due to be used countrywide for the local and European elections in 2004, are vulnerable to tampering, the report claimed. Consultants Zerflow told the department that it would be easy to paste a dummy ballot paper over the face of the machine, rearranging the list of candidates, in a bid to attract votes away from someone perceived as likely to be the most popular candidate. The examination team also successfully obtained a key to operate one of the machines and copied it at a local shopping centre - raising the scenario of tamperers armed with many keys reactivating the machines after close of voting to engage in the electronic equivalent of ballot-stuffing. The Department of the Environment has rejected many of the concerns, pointing out that the machines' integrity is protected by a scrutineer who remains by each machine during voting. Fine Gael spokesman Bernard Allen said last night that the Minister for the Environment, Martin Cullen, must now publish the full facts relating to the Zerflow report. He said he would be asking the Chairman of the Oireachtas Environment Committee to convene a meeting to examine the situation in detail.
The report's authors and the minister would be invited to discuss the matter. "There should be no further consideration given to extending electronic voting until such time as the system can be guaranteed to be secure," he said. The report identified several "high level" risks to the integrity of the vote, and suggested that results obtained under the current system could be open to legal challenge. Powervote said its machines have been operating in Germany and the Netherlands for over a decade without problems.
Wired has an article on a new Nigerian scam http://www.wired.com/news/culture/0,1284,56829,00.html The con can be abstracted into these steps:

1. Con artist sends you a cashier's check as payment for something.
2. Some reason you find plausible is given for you to send back a portion of the money once you are sure that the check has cleared.
3. You deposit the check, wait until the bank says it has cleared, and send some part of the money to the con artist.
4. Bank informs you some days or weeks later that the check was a counterfeit and you owe them the full amount they paid you.

There seems to be a really big RISK here, aside from the Nigerian scam: It is common for check transactions to be held until the check clears, to ensure that the check is good. Now we see that the time it takes for a check to clear is determined by US law that sets a limit on how long a bank can delay paying for a deposited check. But that limit does not make it any faster for the bank to really determine if the check is good. The unintended consequence of the law is that a cleared check may not be a cleared check, with the depositor being the one who is liable if something goes wrong.
Yesterday, I stopped by an ATM to pick up a bit of cash and experienced a truly stupid bit of interaction with the ATM. I inserted and retrieved my card, typed my PIN, typed the amount of money I wanted, agreed to pay the vig, and hit enter to receive my cash. Nothing. No warning, no beeping, no error message, no cash. No feedback whatsoever. Then I noticed that the machine had the previous customer's receipt sticking out of the printer slot. Assuming it wouldn't help, I removed the receipt. Lo and behold, the machine coughed up my cash, coughed up a receipt (that I didn't ask for), and the transaction was concluded. The risks should be obvious:

- Machine enters a 'locked' state after concluding the transaction internally, but before cash is delivered to user
- Zero feedback of what is holding up transaction completion
- Spitting out a receipt when the user explicitly asks NOT to receive a receipt

I would assume that the system completes the transaction with the user's account immediately prior to dispensing cash. As such, the cash to be dispensed is "in the queue" and no longer in the account? The potential scam is much more nefarious. It would be trivially easy to use a razor to cut off the receipt in the printer slot after a transaction is completed. Once done, the thief merely has to wait for someone who tries to obtain cash, but isn't aware that the machine will lock up in the fashion described above. The user will eventually walk away-- maybe pressing cancel, more likely not (I didn't test that the 'cancel' would really 'cancel' the transaction). Given that the ATM is on the side of the bank that owns the ATM, it is quite likely the user will step into the bank for assistance. As soon as the user steps away, the thief merely has to extract the old receipt to cause the machine to spit cash. It would be hard to even prove that the thief was actually a thief and not someone who just lucked into completing the transaction.
I'm certainly going to check twice that the printer slot is clear before using any ATM, but I can think of a number of situations where a blockage wouldn't be visible. [Correction inserted in archive copy. PGN]
Regarding the break-in where crackers stole the password file from the University of Oslo [RISKS 22.39], the mere fact that they managed this isn't half as interesting as the reason they could pull it off. Apparently, the crackers got in via a computer used for testing a new administrative system for the telephone exchange. As it turns out, this system is based on the MS SQL server, a fact unknown to the people installing the software. Now they had installed the latest security patches for the whole system, except for the SQL server - since they were not aware that it was running. And that provided the crackers' opportunity.
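The failure described here is a patch process driven by what the installers believed was on the box rather than by what was actually listening on it. The following is an added example, not part of the RISKS item and not the University of Oslo's procedure: it parses a constructed `netstat -an`-style listing, names each listening socket through a constructed port-to-component table, and reports any listening component that the patch inventory has no record of, plus any socket the table cannot name at all. The sample listing, the inventory and the port map are all assumptions made up for the example.

```python
"""Added example (not from the RISKS item): reconcile what is actually
listening on a host with what the patch process believes is installed."""
import re

# Constructed sample: a `netstat -an`-style listing from a test box.
NETSTAT_SAMPLE = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
TCP    192.0.2.10:3389        0.0.0.0:0              LISTENING
UDP    0.0.0.0:1434           *:*
TCP    192.0.2.10:49152       198.51.100.7:443       ESTABLISHED
"""

# Constructed: the components the installers knew about and had patched.
# The SQL Server engine and browser are absent, as in the incident.
PATCH_INVENTORY = {"rpc-endpoint-mapper", "smb", "rdp"}

# Constructed port-to-component map (assumption for this example).
KNOWN_PORTS = {
    ("TCP", 135): "rpc-endpoint-mapper",
    ("TCP", 445): "smb",
    ("TCP", 1433): "mssql-engine",
    ("UDP", 1434): "mssql-browser",
    ("TCP", 3389): "rdp",
}

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


def listening_sockets(netstat_text):
    """Return a sorted list of (proto, port) for listening sockets.
    TCP lines must be in LISTENING state; UDP sockets carry no state."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparseable line
        proto, port, state = m.group(1), int(m.group(3)), m.group(4)
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connection, not a service
        found.add((proto, port))
    return sorted(found)


def patch_gaps(netstat_text, inventory, port_map):
    """Return {'unpatched': [...], 'unidentified': [...]}.
    'unpatched' lists listening components with no entry in the patch
    inventory; 'unidentified' lists listening sockets the port map cannot
    name, which need a person to establish what is behind them."""
    unpatched, unidentified = set(), []
    for proto, port in listening_sockets(netstat_text):
        component = port_map.get((proto, port))
        if component is None:
            unidentified.append(f"{proto}/{port}")
        elif component not in inventory:
            unpatched.add(component)
    return {"unpatched": sorted(unpatched), "unidentified": unidentified}


if __name__ == "__main__":
    print(patch_gaps(NETSTAT_SAMPLE, PATCH_INVENTORY, KNOWN_PORTS))
```

Run against the sample this reports the SQL Server engine and browser as listening but unpatched; the check is only as good as the port map, which is why anything it cannot name is reported separately rather than silently skipped.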
In an apparent coincidence, in RISKS 22.43, in the article that followed my recommendation that RISK readers read the new book by Mitnick & Simon, Rob Slade did his standard "this book has no merit" review of the book. Slade is wrong: you should read this book. Slade criticizes each individual tree, and thereby misses the forest. His critique of the individual trees is correct. Are the stories repetitive? Yes. (you know, each tree looks just like the other, and after a while, it gets boring.) Is the book self-serving? Yes. Is Mitnick reformed or still a scoundrel (guess). Is the advice he gives rather pedestrian or even worthless? Yes. Are there any new, profound insights, well, no, not if you keep your head down and only focus on the trees. But individual trees add up to a forest, and there is value in studying forests. I'm a student of human psychology. That's what I do for a living. Technology and people. Among other things, I read books by ex-criminals: Thieves, bank robbers, con-artists. I learn a lot. This is not the first such book I have read. And it won't be the last. I learned a lot from Mitnick. I was impressed by his approaches. They are not as simple and easy to do as a quick reading would make them appear. After the fact, everything always looks obvious. But I, for example, would find it difficult to even think of the schemes, let alone carry them out successfully. As with all great confidence operators, he knows a lot about practical, human psychology. He knows how to set up the mark. How to make multiple phone calls or visits, each to a different person, each asking for help, and each time picking up one little piece of information that, by itself, does not seem important. How to win confidence. And then, put the little bits together, and you sound like a legitimate employee, supplier, or customer in an unfortunate situation, where just a little help would be useful. It's classic con-artist, and he does it very well.
I believe that many readers of RISKS would learn a lot — and be very bothered by what was learned; it would be very easy to fall for some of those ruses. (As Mitnick points out, even good con artists will sometimes fall for other people's cons.) This is a really good antidote to all those technical approaches to security. Slade also can't decide how to treat Mitnick: as a weak technologist (hey, most of his cons don't involve technology, so what's the big deal) or as too good a technologist (to do one fraud, you need to reprogram a DMS-100 switch). That last fraud, by the way, is quite interesting: Go out and buy a used switch — or just get access to someone else's — and you can make the telephone caller ID say anything you want it to. So don't trust caller ID to show that the caller is someone you know, or from your own company. Is this news to professionals? No. Is it good to know? Yes. Would a serious person trying to steal company secrets, or money, use the trick? Gee, I would — wouldn't you? Of course they would. Can I program the switch? No, but I could learn, or more easily, just hire someone to do it for me. Slade complains that this is not a technology book, "this is a book about how to fool people." Well, yeah, duh, that's the point. Put up all the technology you want, it isn't that secure because I'll break in from inside, or fool people into giving me the information I seek. So, if you are a security professional, you can ignore the book. Maybe. You already know all this stuff. You could probably write a better book yourself. If you aren't such an expert, read the book. It's an easy read. Big print. Lots of stories. No big words or deep thoughts. Very repetitive. But I found it revealing — and frightening. On one thing Slade and I agree: "Chapter four tells you to distrust everyone--which would probably be more damaging to society than social engineering." Yup, this was precisely the point of my posting in RISKS 22.43.
It is already becoming more damaging. Read Mitnick & Simon. Don't take their recommendations seriously — they are lightweight, sometimes wrong or irrelevant, and probably there for legal reasons — to impress the court that this is a prevention book, not a "how-to" book. It's a great how-to book, and if you read it, you will become better at prevention. Maybe. Don Norman, Computer Science, Northwestern University http://www.jnd.org Nielsen Norman Group http://www.nngroup.com email@example.com
An airport metal detector was triggered by a Canadian woman, although no metal was evident. Noting that she had been suffering from persistent stomach pains ever since abdominal surgery, she went for an x-ray the next day. A four-inch surgical retractor was discovered in her abdomen. [CNN.com, PGN-ed] [BROKEN URL: http://www.cnn.com/2002/WORLD/americas/12/16/canada.woman.stomach.reut/index.html TRY http://www.hon.ch/News/HSN/510912.html which says it was a 33-centimeter retractor. NOTE ADDED in archive copy. PGN]