This is an excerpt from a monthly newsletter that sends out interesting news items. I don't believe this is an April Fools' item, but then who knows? Mark Batten-Carew

HEARTBREAKING

A Japanese woman's automatic rice cooker changed the settings on her pacemaker. Doctors doing a routine check up were baffled to find that the hi tech pumping device they had implanted in the woman, 60, had been remotely adjusted. They contacted the manufacturer, who visited her home and found that a rogue rice cooker had somehow beamed signals to the device.

[Source: A&A Economic Digest - April 2003 Edition, http://www.aacb.com/edigest/, 1 April 2003]

[Quite plausible, in light of previous reported cases of electromagnetic interference on pacemakers --- from ACM Software Engineering Notes back issues:
* Arthritis-therapy microwaves set pacemaker to 214, killed patient (S 5 1)
* Retail-store anti-theft device reset pacemaker, man died (S 10 2, 11 1)
* Pacemaker locked up when being adjusted by doctor (S 11 1)
* Electrocauterizer disrupts pacemaker (S 20 1:20)
--- and from RISKS:
* Stores' shoplifting gates can set off pacemakers, defibrillator (RISKS-20.05)
* Heart pacemaker and implantable cardioverter defibrillator recalls and alerts involve 520,000 devices (S 26 6:8, RISKS-21.60)
PGN]
Federal prosecutors in Maryland have accused PayPal, the Internet payments company acquired by eBay, of violating the Patriot Act by facilitating illegal gambling. The company disclosed the accusation in its annual report filed with the Securities and Exchange Commission; it says that prosecutors have offered a complete settlement of all possible claims and notes that the amount of its earnings from online gambling was less than what prosecutors asserted. [AP/*San Jose Mercury News*, 31 Mar 2003; NewsScan Daily, 1 Apr 2003] http://www.siliconvalley.com/mld/siliconvalley/5525363.htm
Mike Fisher, Pennsylvania's attorney general, is citing laws against distributing child pornography in refusing to identify any of hundreds of Web sites his office has forced Internet providers to block under a unique state law that the Center for Democracy and Technology asserts is blocking Web surfers from accessing legitimate sites, but cannot prove without access to the list of blocked sites. Fisher's office said disclosing the list of blocked Web sites would itself be disseminating such pornography, which is illegal. [Source: Ted Bridis, AP Online, 3 Apr 2003; PGN-ed] http://finance.lycos.com/home/news/story.asp?story=33704697
Taken from Slashdot [1]: "The Register talks about how a term ("Second Superpower") coined by the anti-war culture suddenly got radically neutered and altered by a weblog that a lot of people link to. Searching for the term on Google now brings up his blog and other people talking about his blog for the first several entries. Can Google's power to give information to the people be misused and perverted? This only took 42 days."

First the widespread usage of "googling" to mean web searching, and now this. The Register article [2] has the details and how powerful google can be. [3] is the weblog that managed to saturate Google's PageRank. I had a quick peek on AltaVista and voila, numerous other usages of the term "Second Superpower" [4].

The Risk? Blindly trusting Google and its proprietary PageRank algorithm. Worse yet, as Google gains users' trust, it is very easy to trust Google alone.

[1] http://slashdot.org/article.pl?sid=03/04/03/2327239&mode=nested&tid=95
[2] http://www.theregister.co.uk/content/6/30087.html
[3] http://cyber.law.harvard.edu/people/jmoore/secondsuperpower.html
[4] http://www.altavista.com/web/results?q=Second+Superpower&kgs=0&kls=1&avkw=xytx
Could the federal government find out what you're watching on TV? Even if you're not the subject of a criminal investigation? If you're a satellite TV or TiVo owner, the answer is yes, according to legal experts and industry officials. Under the USA Patriot Act, passed a month after the 9/11 terrorist attack, the feds can force a noncable TV operator to disclose every show you have watched. The government just has to say that the request is related to a terrorism investigation, said Jay Stanley, a technology expert for the American Civil Liberties Union. Under Section 215 of the Act, you don't even have to be the target of the investigation. Plus, your TV provider is prohibited from informing you that the feds have requested your personal information. ... Source: Phillip Swann, TVWeek.com http://www.tvweek.com/technology/030303isyourtv.html
[Source: Tan Ee Lyn, Reuters, 1 Apr 2003; PGN-ed] A teenager's Web Site hoax about the killer virus sweeping Hong Kong sparked panic food buying and hit financial markets on Tuesday, and the government said it was placing more than 200 people into isolation camps. Indonesia, the world's fourth most populous nation, reported its first three suspected cases. One official said one of the patients had died but this could not be confirmed. Severe Acute Respiratory Syndrome (SARS) has now affected almost 1,900 people in at least 12 countries, and 63 are known to have died. In Hong Kong, where 685 people have been infected and 16 have died from the virus, the Web Site hoax forced authorities to deny it would isolate the entire territory. ... http://news.lycos.com/news/story.asp?section=Breaking&storyId=691262
Oracle founder and CEO Larry Ellison says the high-tech industry is poised for another sweeping consolidation that will eliminate many of his rivals. "We think there's at least 1,000 Silicon Valley companies that need to go bankrupt," says Ellison, who predicted Oracle would be one of the survivors, along with Microsoft and IBM. He noted that nearly all software profits are generated by five companies (including Oracle), out of hundreds in the sector. Ellison says companies in Silicon Valley haven't come to grips with the realities of a maturing industry and have resisted the changes necessary to improve efficiency: "The whole model doesn't make sense. There's a bizarre belief that we'll be young forever." [*Wall Street Journal*, 1 Apr 2003; NewsScan Daily, 2 April 2003] http://online.wsj.com/article/0,,SB104923666370767900.djm,00.html (subscription required)
The Recording Industry Association of America (RIAA) has filed lawsuits against four students it says misappropriated academic computing resources to "illegally distribute millions of copyrighted works over the Internet." Two of the accused students are enrolled at Rensselaer Polytechnic Institute, one student is enrolled at Princeton, and the fourth is at Michigan Technological University. If they are convicted, they could be fined as much as $150,000 for each song they illegally traded. Digital media analyst Phil Leigh says of the RIAA's action: "This is just another step in the direction of demonstrating to the public that there will be penalties for what they consider to be copyright violations. I think they're attempting to take a carrot-and-stick approach here. They're whacking a few people with a stick now. And the carrot is the more liberal rules relating to label-backed subscription online services." [*San Jose Mercury News*, 4 Apr 2003; NewsScan Daily, 4 Apr 2003] http://www.siliconvalley.com/mld/siliconvalley/5558442.htm
Acacia Research says it owns five U.S. and 17 international patents covering the transmission and receipt of digital audio and digital video content, otherwise known as streaming media. But before attempting to enforce its patents with big outfits such as Yahoo! and The Walt Disney Co., Acacia instead chose to go after the smallish adult Internet sites that peddle videos of women (and men) doffing their clothes--and much more. They sent letters to 700 racy Web sites with offers to arrange royalty deals, typically consisting of 1% to 2% of gross revenue. Do the deal or we'll see you in court, warned Acacia. Eight firms agreed to Acacia's terms. But 40 didn't, and Acacia promptly slapped them with lawsuits. Rather than buckling, though, several of the porno sites joined together and stood their ground. Now Acacia is in the fight of its life and may even face a shareholder revolt as a result. ... [Source: Seth Lubove, Forbes.com, 2 Apr 2003; PGN-ed] http://www.forbes.com/2003/04/02/cz_sl_0402porn.html
[See items by Ed Felten (Use a Firewall, Go to Jail), Steve Bellovin and William Allen Simpson in RISKS-22.66. PGN]

[Some of this legislation] could have bizarre consequences for E-voting advocates, as well as for the entire Internet community. I quote from Section 750.540c of the Michigan Penal Code, Full text online at:
http://www.michiganlegislature.org/mileg.asp?page=getObject&objName=mcl-750-540c-amended

This goes into effect today (March 31, 2003):

(1) A person shall not assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise an unlawful telecommunications access device or assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise a telecommunications device intending to use those devices or to allow the devices to be used to do any of the following or knowing or having reason to know that the devices are intended to be used to do any of the following:

(b) Conceal the existence or place of origin or destination of any telecommunications service.

(c) To receive, disrupt, decrypt, transmit, retransmit, acquire, intercept, or facilitate the receipt, disruption, decryption, transmission, retransmission, acquisition, or interception of any telecommunications service without the express authority or actual consent of the telecommunications service provider.

In effect, item 1b makes it illegal to create any anonymous communication service, and all of the interesting protocols for ballot deposit appear to rely on anonymization schemes of one kind or another.

Item 1c is really hard to make out. It appears to be intended as an anti-wiretapping rule, but the plain wording appears to require the express authority or actual consent of every ISP for any use of that ISP's facilities; does this mean that if I was in Michigan, I'd have to ask permission before I hit the send key to E-mail this message? I checked their definition of telecommunications service provider and it is broad. The owner of the wire, the owner of the switching systems, they're all involved and each must give permission.

According to slashdot, a goodly number of states are now considering this kind of law. See:
http://yro.slashdot.org/article.pl?sid=03/03/28/1541230&tid=103

It's pretty obvious that they haven't thought these bills through.
As I read the Texas bill, it starts out by saying:
http://www.capitol.state.tx.us/data/docmodel/78r/billtext/pdf/HB02121I.PDF

"A person commits an offense if, with the intent to defraud a communications service..."

The Michigan bill starts out saying:
http://www.michiganlegislature.org/printDocument.asp?objName=mcl-750-219a-amended&version=txt
http://www.michiganlegislature.org/printDocument.asp?objName=mcl-750-540c-amended&version=txt

"(1) A person shall not knowingly obtain or attempt to obtain telecommunications service with intent to avoid, attempt to avoid, or cause another person to avoid or attempt to avoid any lawful charge for that telecommunications service by using any of the following:"

> The Bill analysis basically quotes the MPAA website!
> http://michiganlegislature.org/documents/2001-2002/billanalysis/house/htm/2001-HLA-6079-b.htm

This analysis agrees with mine. That these bills increase penalties only for already illegal actions and possibly criminalize what would currently be some civil matters. If you are paying for one class of service (e.g., home use of the Internet for one computer) and using it for another class of services (e.g., selling access to your neighborhood by putting up a NAT firewall), you are already violating the law and you will also be violating these laws.

I know that this was the April 1 issue, but the rumors on these bills are spreading faster than most computer viruses, and they have been spreading for several days with increasing intensity and are being taken seriously.

Nothing in these bills in any way prevents firewalling, encryption, etc. UNLESS it is being used to defraud.

Fred Cohen - http://all.net/ - email@example.com - firstname.lastname@example.org - tel/fax 925-454-0171
Fred Cohen & Associates - University of New Haven - Security Posture

[defraud ... in the eyes of the accuser! PGN]
I suspect at least the Michigan state legislature may reconsider — after their tech industries pick up and *leave*. The first to go will be the ones actually working on the criminalized tools etc. These will be followed by those whose lawyers were paying attention. The third wave will be triggered as both government and private actors start (ab)using the new laws for arbitrary "takedowns" of their enemies.

Of course, quickly repealing or nullifying the laws *may* stop the exodus, but I expect the state will still be regretting this bonehead move for some time, as will any other states who follow suit.

I do, however, doubt Massachusetts will actually *pass* any such law, given the assured and powerful opposition of MIT and their *many* friends. I would hope that whoever introduced it gets stomped at their next election, but that may be too much to ask. On the other hand, some of the other states in question may not have techies with enough pull to make their voice heard.

Of course, a fair number of the companies and persons involved will decide to leave the country altogether, leaving us with fewer national resources for defense *or* productivity. Steve Kirsch was right:

> The terrorists have won. They have successfully convinced America to
> attack itself.

(from: http://www.skirsch.com/politics/iraq/Lessons911.htm )

Dave H.

PS: The basic pattern I'm seeing here is that private self-defense "in cyberspace" is being methodically outlawed. Has anyone *else* noticed that "we" are slowly dismantling the various obstacles to a _Handmaid's_ _Tale_ style techno-coup?
Cheating on income taxes or neglecting to pay sales taxes on online purchases could get you five extra years in prison if the government succeeds in restricting data-scrambling technology, and could discourage human rights workers from protecting sensitive data. Draft legislation circulating in the Justice Department would extend prison sentences for using encryption in the commission of a crime, something encryption advocates fear would achieve little in catching terrorists and hurt only legitimate uses of cryptography. The new proposal is part of the proposed Patriot II legislation. [Source: Anick Jesdanun, *The Washington Post*, 31 Mar 2003; PGN-ed via Dave Farber] [The full item is available on Dave's IP Archives: http://www.interesting-people.org/archives/interesting-people/ PGN]
If they declare that encryptions are arms, perhaps we should point out the Second Amendment (favorite of the National Rifle Association) guarantees the right to keep and bear arms. [via Dave Farber's IP]
The two Patriot "failures" in have different -- and understandable -- modalities. Whether these incidents were indicative of a problem with the system has to be determined.

The first thing you have to understand is that once a missile has been fired, if an aircraft flies between the target and the Patriot radar on the ground, the missile can acquire the closer aircraft. The Patriot operator can tell the radar not to track the closer aircraft when that plane is showing friendly IFF. If this happens, the missile should reacquire the original target. Of course, if the missile is close to the aircraft, the wrong target may be attacked anyway. This seems to be what happened in the incident where the British aircraft was shot down. It is not clear whether there really was an enemy missile -- or if the incoming was really a mortar shell.

The decision to put IFF recognition in the Patriot ground systems but not in the missiles is both a practical design decision and a military one. If the enemy starts broadcasting "your" IFF code do you want the Patriot system to be able to override IFF recognition?

In the second incident, the operators were again under attack and apparently "unassed" the control trailer. My guess is that the radar was in TWS (track while scan) mode, and the F-15 countermeasures read it as a lock-on -- which of course it was. If the Patriot battery had been manned they could have either told the radar not to lock on to the F-15, or turned off the radar so that the HARM would have lost lock.

In both cases, note that the situation was a typical one for "friendly fire" incidents -- multi-mode attacks that haven't been considered by the rules of engagement.
Actually, having it be higher in the first Gulf War is not really that astounding, given the general circumstances. In that war, the overwhelming majority of all casualties were inflicted by the Coalition Forces. Given that tremendous disparity, even a very small error rate applied to the casualty causation numbers would end up being a very large part of the overall casualties. While good figures for the Iraqis are hard to come by, CNN's web site lists the following. Coalition 213 combat fatalities (plus another 145 nonbattle deaths). Iraqi military fatalities estimated at 100,000. If the latter is true, then having just a 0.1% error rate would explain about 100 friendly casualties or about half of all of them... (CNN did not break down US casualties by cause, although British losses were listed as 24, 9 by U.S. fire). Thomas A. Russ, USC/Information Sciences Institute email@example.com
In the first Gulf War, our (the British) "friendly fire" casualties were about FIFTY percent of total casualties. Nearly all of them were caused by a single American "hunter air patrol" which, while OUT of its patrol area, and OUT of radio touch (accidental or deliberate?) with its controllers, mis-identified two Warrior APCs as Iraqi and destroyed them. It caused considerable bad press over here, and the impression left was that the pilots were fed up with not finding targets, wanted to attack something/anything, and had pretty much disobeyed orders in order to find something to shoot at. Shame it was a bunch of soldiers on the same side ...
The latest "Fact Squad Radio" short audio segment may be of interest. It concerns the issue of data accuracy in the FBI's NCIC system. It's called: "The FBI NCIC: Death by Oops?" and is available via: http://www.factsquad.org/radio +1 (818) 225-2800 firstname.lastname@example.org PFIR: People For Internet Responsibility - http://www.pfir.org
The current war in Iraq has highlighted a risky practice the Pentagon has been following for many years: using the Social Security number as a military member's "service number". Americans taken POW have been seen and heard on television identifying themselves as required by the Geneva Convention. Naturally this included reciting their SSNs. In every case I've seen (all on American TV), the interview was edited so only the first few digits were revealed. I'm not sure who did this; I hope it occurred at the source (presumably Iraqi state television). The use of SSNs as service numbers was an issue even before the war. In one incident, some senior officers suffered identity theft when their SSNs were published in the Congressional Record: http://www.washingtonpost.com/ac2/wp-dyn/A35194-2000Apr7?language=printer Foreign readers should understand the SSN is practically an American's national identity number, heavily used by the government, employers, banks, even schools. Broadcasting a POW's name and SSN worldwide creates a severe risk of identity theft and invasion of privacy. Perhaps when the change to SSNs occurred (in the Vietnam era, according to the newspaper article) the danger seemed minimal. But times have changed. The Pentagon should revert to service numbers which have no meaning or usefulness outside the military. Paul Hirose <email@example.com>
*The Washington Post* reports on a number of cases where calling 911 from a cell phone was routed to the wrong jurisdiction, so "response to a life-threatening — and ultimately fatal — emergency was delayed because a cell phone call to 911 didn't work the way it was supposed to". The examples given were a caller in Chillum MD routed to 911 in Washington DC (an immediately adjacent jurisdiction) and the recent case [RISKS-22.58] where teenagers in Long Island Sound drowned because 911 wasn't able to determine where the call was coming from. They note that in the Chillum case, the problem occurred because "a wireless signal can get picked up by the wrong cell phone tower". In this case, though, the technology isn't at fault, despite what *The Post* says. Radio waves don't respect human boundaries; the cell phone goes to the nearest/strongest signal (not sure exactly how this works). If I stand on one side of a street, I can be in a different jurisdiction from the other side of the street. There's no way for the cell tower to know which side of the street I'm on, and route the call to the correct 911 location. The RISK is that 911 dispatchers aren't trained to recognize calls from adjacent jurisdictions and route them appropriately. http://www.washingtonpost.com/wp-dyn/articles/A54802-2003Mar30.html
I have domain names with short names where all e-mail to anyone at that domain comes past me. One thing I find is that people from organisations that have a similar domain name to one of mine send their inter-office stuff to me as they mistype their own organisation's domain name in the intended recipients' addresses. I wonder if they would be more careful with internal documents if they realised it is actually not all that improbable that e-mail to Some.Odd.Name@wrong-short.domain that doesn't look like spam will be read by at least somebody instead of being bounced automatically.