Internet registrar VeriSign has launched a new service, Site Finder, that offers users who mistype a URL a list of alternative Web sites that they might be trying to reach. Several ISPs do the same thing — most notably AOL and MSN — but critics say that because VeriSign controls the directory computers for ".com" and ".net" names, they could easily reroute all queries to Site Finder. "We put so much of our research into developing this AOL search result page," says an AOL spokesman. "We are reviewing our potential options. We are strongly opposed to them interjecting themselves into our members' search experience." Site Finder's suggestions include both standard search results and pay-for-placement advertisements, which are identified as such. But while VeriSign VP Ben Turner says the new service is designed to "improve overall usability of the Internet," Danny Sullivan, editor of Search Engine Watch, warns that Site Finder's capabilities could also be abused — by directing users only to pay-for-placement sites, for instance. Meanwhile, the new service provides a much-needed new revenue stream for the Internet registrar. "Right now, VeriSign's business is not a growing business, and anything that they do to add the slightest amount of growth is going to be positive," says an analyst with U.S. Bancorp Piper Jaffray.

[AP 15 Sep 2003; NewsScan Daily, 16 September 2003]
http://apnews.excite.com/article/20030915/D7TJ2U5O0.html

[This move by VS has caused huge reactions within the Internet community. We include just a few items here from among what is available on the Net, as a sample. The list of reasons why this is a very foolish move by VS is enormous. Apparently, the folks who really should have known that this was going to happen did not, and were blindsided. DNS disablers are being developed to circumvent the VS strategy, but the net results are ugly. See the People For Internet Responsibility (PFIR) statement by Lauren Weinstein, PGN, and Dave Farber: http://www.pfir.org/statements/vs-domain-abuse PGN]
[http://www.merit.edu/mail.archives/nanog/msg13603.html] Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now. We have prepared a white paper describing VeriSign's wildcard implementation, which is available here: http://www.verisign.com/resources/gd/sitefinder/implementation.pdf By way of background, over the course of last year, VeriSign has been engaged in various aspects of Web navigation work and study. These activities were prompted by analysis of the IAB's recommendations regarding IDN navigation and discussions within the Council of European National Top-Level Domain Registries (CENTR) prompted by DNS wildcard testing in the .biz and .us top-level domains. Understanding that some registries have already implemented wildcards and that others may in the future, we believe that it would be helpful to have a set of guidelines for registries and would like to make them publicly available for that purpose. Accordingly, we drafted a white paper describing guidelines for the use of DNS wildcards in top-level domain zones. This document, which may be of interest to the NANOG community, is available here: http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf Matt Larson <firstname.lastname@example.org> VeriSign Naming and Directory Services
http://www.theregister.co.uk/content/6/32872.html
VeriSign DNS change broke my HP printer, By John Leyden, *The Register*, 17 Sep 2003

Letters

Reg readers have plenty of say about VeriSign's controversial move to direct surfers who get lost on the Web to a search site run by the company. Our coverage provoked a large number of letters, almost all hostile, about VeriSign's audacious typo-squatting land grab: "All your Web typos belong to us"

Martin Ward is the first to fire brickbats at the company, which Reg readers have rechristened as "VeriSlime".

VeriSign are essentially "squatting" on every unregistered domain name, and using them for profit. How many trademarked names does that include? What are the fines for squatting on just *one* trademark for commercial exploitation?

Roger Thomas worries about the implications if other DNS providers adopt VeriSign's tactics.

That's a worrying article, and just thinking about the issues raised I can see the following:

1) If it's good enough for VeriSign to mess about with the root servers I can see other DNS providers doing the same, by redirecting users to their own systems.

2) This will poison DNS servers across the world as they will end up caching the SOA records created by VeriSign for these 'dynamic' DNS entries. While the time to live on these records is short, real entries will be dropped as the junk entries are added to the database. There is now a new DNS attack where nodes on the Internet create vast numbers of random DNS look-up requests, so clearing the DNS caches of all the DNS servers they access.

[...]
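The resolver-side filtering that the "DNS disablers" mentioned in the editorial note aim at, as an added example (not code from VeriSign, NANOG or The Register): it probes a TLD with random labels, records the address that every unregistered name now resolves to under the wildcard A record, and turns answers pointing at that address back into NXDOMAIN. The upstream resolver, the sink address and the host addresses below are constructed placeholders for the example, not VeriSign's actual addresses.

```python
import ipaddress
import secrets
import string
from typing import Callable, Dict, Optional

# Upstream resolver callback: given a name, returns the A record answered by
# the TLD servers as a string, or None when the name really does not exist.
Resolver = Callable[[str], Optional[str]]


def random_label(length: int = 24) -> str:
    """A label nobody has registered, used to probe a TLD for a wildcard."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def probe_wildcard(resolve: Resolver, tld: str, probes: int = 3) -> Optional[str]:
    """Query several random labels under tld. If every one of them resolves to
    the same address, that address is the zone's synthetic wildcard sink."""
    seen = set()
    for _ in range(probes):
        answer = resolve(f"{random_label()}.{tld}")
        if answer is None:
            return None          # genuine NXDOMAIN: no wildcard in this zone
        seen.add(answer)
    return seen.pop() if len(seen) == 1 else None


class WildcardFilteringResolver:
    """Wraps an upstream resolver and restores NXDOMAIN semantics for names
    whose only answer is the wildcard sink discovered by probing."""

    def __init__(self, resolve: Resolver, tlds=("com", "net")):
        self.upstream = resolve
        self.sinks: Dict[str, ipaddress.IPv4Address] = {}
        for tld in tlds:
            sink = probe_wildcard(resolve, tld)
            if sink is not None:
                self.sinks[tld] = ipaddress.ip_address(sink)

    def lookup(self, name: str) -> Optional[str]:
        answer = self.upstream(name)
        if answer is None:
            return None
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        sink = self.sinks.get(tld)
        if sink is not None and ipaddress.ip_address(answer) == sink:
            return None          # synthesized wildcard answer -> nonexistent
        return answer


# Constructed stand-in for the .com/.net servers after the wildcard was added.
# All addresses are RFC 5737 documentation ranges, chosen for the example.
WILDCARD_SINK = "192.0.2.1"
REGISTERED = {"example.com": "198.51.100.10", "example.org": "203.0.113.5"}


def fake_tld_servers(name: str) -> Optional[str]:
    name = name.rstrip(".")
    if name in REGISTERED:
        return REGISTERED[name]
    if name.endswith(".com") or name.endswith(".net"):
        return WILDCARD_SINK     # wildcard answer for any unregistered name
    return None                  # .org in this stand-in has no wildcard


if __name__ == "__main__":
    resolver = WildcardFilteringResolver(fake_tld_servers)
    print(resolver.sinks)
    print(resolver.lookup("example.com"), resolver.lookup("exmaple.com"))
```

The filter cannot tell a registered host that legitimately points at the sink address from a synthesized answer, so it is a mitigation for the specific wildcard, not a general fix.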
Britain's biggest blackout for 25 years, which plunged large parts of London into darkness, was the result of a one-amp fuse being fitted in place of a five-amp fuse at a substation. *The Guardian*, 11 Sep 2003: http://www.guardian.co.uk/transport/Story/0,2763,1039722,00.html The full report is available at: http://image.guardian.co.uk/sys-files/Guardian/documents/2003/09/10/ London28082003.pdf [An off-er they could not re-fuse! PGN]
Goddard Space Flight Center: Earth Science Missions Anomaly Report: GOES/POES Program/POES Project: 6 Sep 2003 http://www.spaceref.com/news/viewsr.html?pid=10299 As the NOAA-N Prime spacecraft was being repositioned from vertical to horizontal on the "turn over cart" at approximately 7:15 PDT on 6 Sep 2003, it slipped off the fixture, causing severe damage. The 18' long spacecraft was about 3' off the ground when it fell. The mishap was caused because 24 bolts were missing from a fixture in the "turn over cart". Two errors occurred. First, technicians from another satellite program that uses the same type of "turn over cart" removed the 24 bolts from the NOAA cart on September 4 without proper documentation. Second, the NOAA team working today failed to follow the procedure to verify the configuration of the NOAA "turn over cart" since they had used it a few days earlier. IMPACT ON PROGRAM/PROJECT AND SCHEDULE: The shock and vibration of the fall undoubtedly caused tremendous damage. Significant rework and retest will be required. NOAA-N Prime is planned for launch in 2008. CORRECTIVE ACTION: Lockheed Martin formed an Accident Review Team in which GSFC is participating. The immediate actions concern safety (preventing the spacecraft from rolling, discharging the batteries, and depressurizing the propulsion system). NOAA-N Prime is under guard, all records have been impounded, and the personnel interviewed. After the safety issues are addressed, attention will focus on assessing the damage to NOAA-N Prime.
So, Lockheed Martin dropped my satellite! [I say "my" because I reckon that my U.S. tax dollars are paying for NOAA equipment.] Under-construction satellite drops to floor in mishap: http://www.sfgate.com/cgi-bin/article.cgi ?file=/news/archive/2003/09/09/state1637EDT0153.DTL Risks: Never move anything worth $239M (regardless of its technological complexity, or overall robustness) without first making sure that you can do so without utterly dropping it! I imagine that it would be relatively easy to check for the presence or absence of a few load-bearing bolts beforehand. Also, because the poor thing was energized, they can't even go examine it to see how bad the damage is. It may be a number of days before we truly know the effects of dribbling satellites. Somebody is going to get a bad performance review this year. There is a purportedly exclusive photograph on Effed Company (most of you know the site I mean). I would include the link; but, I know that this would merely be filter-bait. =-) The photo can be easily found on the front page. Just how many companies are there building satellites these days? Could a relative lack of competition have anything to do with it; or, is the market healthy? This can't be good for business (even if the customer just awarded you some extra rocket launches that were surrendered by your misbehaving competitor).
By Kim Zetter, Wired.com, 18 Sep 2003 A security audit ordered by Maryland Gov. Robert Ehrlich on Diebold Election Systems' touch-screen voting machines is complete, and a version of it is ready for public consumption. Shareese DeLeaver of the governor's office said the 200-page report has been shown to Diebold officials and is now being reviewed by the state's Department of Budget and Management and the State Board of Elections. The report was commissioned by the governor after researchers at Johns Hopkins University and Rice University discovered serious security flaws (PDF) in code for the AccuVote-TS voting terminals. A redacted version of the report, with information useful to malicious crackers taken out, will be available on the state's Web site Friday or early next week. The severity of Hurricane Isabel and the amount of energy the governor's office must devote to recovery from the storm will determine the timing of the report's posting. Last month Gov. Ehrlich charged Science Applications International, or SAIC, in San Diego with conducting the audit before the state would proceed with a $55.6 million purchase and servicing contract for Diebold's electronic voting machines. Ehrlich said it was imperative the government ensure the integrity of the election process by conducting "a thorough, fully independent review of the Diebold system." Diebold has maintained that its system has no security vulnerabilities. ... http://www.wired.com/news/technology/0,1282,60486,00.html
The investigation of a Wall Street trading scandal (in which a former Bank of America broker has been charged with grand larceny and securities fraud) is the first case that has used a chain of evidence derived from the instant messaging records of licensed brokers and dealers. Instant messaging (IM) systems are now widely used on Wall Street and to a large extent have replaced traditional e-mail. One attorney who consults on electronic communications said a New York Stock Exchange executive's question about instant messaging was: "Wait a minute, is that what my 13-year-old daughter uses at home?" The answer: "I said yes — and your traders." [*USA Today*, 18 Sep 2003; NewsScan Daily, 18 Sep 2003] http://www.usatoday.com/tech/techinvestor/techcorporatenews/ 2003-09-18-ims_x.htm
There's a scam e-mail going round purporting to come from Yahoo. It is a bulk e-mail stating that anyone with a Premium Account (that is, one where you pay by credit card for extra e-mail storage) needs to update their account details or else the account will be closed. The e-mail links to the following page: http://yahoo-wallet.com/ When you click on the link you get a form requesting your: Yahoo E-mail address, Password, First Name, Last Name, ZIP code, Debit or Credit Card no., Expiration Date AND - Debit / ATM PIN no. <==== NOTE THIS !! The form has the Yahoo logo and appears innocuous, but .... why do they want passwords and PIN nos.? The risks are obvious - but this e-mail is either the stupidest yet, and if it comes from Yahoo then they have learned nothing about such scams in the years that they have been in the Internet business. And if it is a scam then it is the most blatant fraud on the Internet yet. Of course e-mail to email@example.com remains ignored.
I've recently received 2 spams from the same people. In one message, they offer: (1) heroin, (2) "Tomohawk" [sic] rockets, (3) cocaine, (4) (sex) slaves, (5) counterfeit currency, and (6) child pornography, among other commodities. Their "special offers" are rather beyond belief, too. The mail itself appears to have been sent from Japan, based on Received: headers added by SRI's mailservers. (Or they're perfect forgeries, which is extremely unlikely for reasons I won't go into here.) The URL in the message goes to a Web site for which the whois database gives contact info in Thailand, but the server itself physically appears to be in Florida (at least according to traceroute). (Why I am not surprised that these people are downstream from Global Crossing?) Tracking down contact e-mail info takes a detour via Latin America, but would seem to eventually end up in Missouri, although with Arizona contact information. There's a US toll-free number to call the spam-list manager, and a mailing address in Florida. Now, I can't imagine anyone actually responding to this: (1) it could be a sting operation, although that's kind of hard to imagine. "Your Honor, I didn't really expect a missile, but I wanted to see what they'd send me instead...." (2) As you'd be committing a felony, you can't go to law enforcement if the deal goes wrong, hence the prevalence of violent crime among criminals. However, this requires that you be able to find the other party.... It's also worth noting that the price of illegal narcotics depends greatly on where you are in the world: smugglers demand risk pay. It's not at all clear where these people are offering delivery. Meta-RISK: How many e-mail filters will this message trip? Drew Dean, Computer Science Laboratory, SRI International
[excerpt from an article by Robert X. Cringely, PGN] Recently my mail was stolen. It wasn't supposed to be stolen, which is a given, but it also wasn't supposed to be able to be stolen because I was out of town for two weeks and had the Post Office hold my mail. Only it turns out that in Santa Rosa, California at least, holding mail means different things to different mail carriers. Someone — a substitute carrier I'm told — saw that big old pile of mail down at the post office (the pile with the big "vacation hold" sign above it) and thought what the heck I'll just deliver that mail anyway. And so they did. That big old pile of mail sat in my big old mail box on my little old country road under a walnut tree and across from a pond and sometime in the next few days it was stolen. The only reason I know any of this is because a neighbor eventually found some of my mail and some of a lot of other people's mail strewn along the road like errant unmarked bills after a bank heist. Here is something you probably didn't know. If you have the Post Office hold your mail and they do something stupid like NOT hold it for some reason, as happened to me, you have no recourse. [...] <http://www.pbs.org/cringely/pulpit/../index.html>
Dave Barry column gives telemarketers headaches, 11 Sep 2003 http://www.thekcrachannel.com/news/2474750/detail.html Now it's the telemarketers who are refusing to answer their phones, thanks to a weekend column by *Miami Herald* columnist Dave Barry. The American Teleservices Association was targeted by Barry in his 31 Aug 2003 column. Barry urged readers to call the ATA and "tell them what you think" about telemarketers. Thousands have done so, forcing the association to stop answering its phones. Callers now hear a recording, which says that because of "overwhelming positive response to recent media events, we are unable to take your call at this time." ATA director Tim Searcy said the added calls will be costly to his group because of toll charges and staffing issues. Barry's only response is to sarcastically say he feels "just terrible, especially if they were eating or anything." [American Teleservices Association: (877) 779-3974]
Cehck tihs out. Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a total mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe. Amzanig huh? [This has been circulating around the Net. I'm not sure wehre it orginitaed. Apogolies to nonEgnilsh sepakres. PGN]
Call for Papers, Second IEEE International Information Assurance Workshop 8-9 April 2004 — University of North Carolina at Charlotte, NC, USA Sponsored by the IEEE Computer Society Task Force on Information Assurance in cooperation with the ACM Special Interest Group on Security, Audit, and Control Full paper submissions due: October 10th, 2003 Full CfP as well as PostScript and PDF versions of the call: http://www.iwia.org/2004/ Accepted papers will be published by IEEE Press in a proceedings volume. Program Chair, Stephen D. Wolthusen, Fraunhofer-IGD, Fraunhoferstr. 5, 64283 Darmstadt GERMANY Tel +49 (0) 6151 155 539 | Fax: +49 (0) 6151 155 499
BKDSKWTN.RVW 20030819

"Desktop Witness", Michael A. Caloyannides, 2002, 0-471-48657-4
%A Michael A. Caloyannides
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2002
%G 0-471-48657-4
%I John Wiley & Sons, Inc.
%O 416-236-4433 fax: 416-236-4448
%P 366 p.
%T "Desktop Witness: The Do's and Don'ts of Personal Computer Security"

The title and the subtitle of this book are somewhat at odds. Is this text about the evidence that can be extracted from desktop machines? Or is it about protecting yourself and your personal computer or information? Caloyannides would seem to be making the point that the answer is both: that there is an overwhelming need to ensure that your computer isn't finking on you, and that you must make every effort to ensure that the government cannot obtain the information on your desktop. While he is clearly on the personal side of the privacy versus national security debate, even those who agree with him may find the arguments shrill and extreme. The subtitle of chapter one, indicating that the material is the author's opinion, should warn the reader that the discussion is editorial rather than closely reasoned. Caloyannides may, however, have hurt his own case by taking an anarchistic and almost paranoid position in stating the need for privacy against government encroachment. He does make a number of valid points, but misses other grounds that might have been convincing to a much wider audience, such as the point that the responsibility of protecting your own information is recognized in such legal areas as the difference between patent and trade secret. (A patent offers control over a device for a limited time as long as the technology is disclosed, whereas a trade secret offers protection for unlimited time as long as reasonable efforts are made to protect the information from disclosure.)
The major point of chapter two appears to be that the use of encryption could, in and of itself, land you in trouble, and you should prepare to either hide the fact that encryption is taking place, or have a diversionary explanation ready for the authorities. (The recommended use of one-time-pad technology and variant keys is technically interesting, but is unlikely to survive beyond a first use. Ironically, it seems to support a point that the author made earlier: "clever" tricks that rely on obscurity provide very poor protection.) The types of information that might be available from your computer, or Internet connection, are discussed in chapter three. The material ranges over a number of topics and has a difficult structure: some points are raised more than once and there are a number of related issues that are not mentioned at all. Means of recovering some of the data, and of getting rid of it, are reported, but not consistently. Chapter four lists a vast array of protective measures. Most are very useful. Depending upon your situation, many will be considered overkill. Some are questionable: Caloyannides makes a blanket recommendation to install all operating system patches, but notes that doing so for some versions of Windows requires you to give away a lot of information. He does not, though, detail the times that official patches have made the situation worse rather than better, nor the complexity of some patches: by mid-2002 one expert noted that an effective installation of the Windows NT operating system required twenty-nine steps, including no less than three separate installations of the latest service pack at different points. Oddly, while this section is supposed to review measures for computers not connected to networks, some of the points relate to activities on the Internet. Protection for connected machines is discussed in chapter five, with a heavy emphasis on the usage of the PGP encryption system.
There is also an interesting insistence that steganography *is* an effective means of hiding communications: while Caloyannides points out a number of pitfalls in the use of the technology he does not mention detection measures, such as the ease of determining excessive entropy in the low-order bits of graphic images used to hide files. Secure telephony is discussed in chapter six. The legal issues reviewed in chapter seven are mostly related to recent legislation providing for additional search authority. The author does include material and actions from outside the United States. The editorial finish in chapter eight warns against a society where everything must be homogenized in order to be safe. In many places the book suffers from very poor copy editing. There are a great many instances of improper punctuation, sentence fragments, and words or phrases dropped into apparently unrelated text. Generally speaking one can discern the meaning, but deciphering the organization and intention of a section can be difficult. (Given the thrust of the book, is the author embedding hidden messages?) While there are issues of general security in the book, it is, first and last, about privacy, and primarily personal privacy. The material could have been structured more usefully, and written less stridently, but a great deal of helpful content is included. Those interested in privacy will find it interesting, and computer forensic specialists may also find it to be a handy reference. copyright Robert M. Slade, 2002 BKDSKWTN.RVW 20030819 firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade