A previously-unknown software flaw in a widely-deployed General Electric energy management system contributed to the devastating scope of the 14 Aug 2003 northeastern U.S. blackout. The bug in GE Energy's XA/21 system was discovered in an intensive code audit conducted by GE and a contractor in the weeks following the blackout, according to FirstEnergy Corp., the Ohio utility where investigators say the blackout began. "It had never evidenced itself until that day," said spokesman Ralph DiNicola. "This fault was so deeply embedded, it took them weeks of poring through millions of lines of code and data to find it." On Tuesday, the North American Electric Reliability Council (NERC), the industry group responsible for preventing blackouts in the U.S. and Canada, approved a raft of directives to utility companies aimed at preventing a recurrence of the outage. One of them gives FirstEnergy a June 30th deadline to install any known patches for its XA/21 system, though the company says it's already installed the fix. A NERC spokesperson said all electric companies using GE's XA/21 system would likely be instructed to install the patch in a final report due next month. http://www.securityfocus.com/news/8016 [Also reported to RISKS by Chuck Weinstock. PGN]
*The New York Times*, 6 Feb 2004, reported (and not *too* smugly) that newsgathering at its rival *The Washington Post* was disrupted when registration lapsed for washpost.com, which the newsroom uses for e-mail. The renewal notice from Network Solutions was delivered unnoticed to a "dropbox" (whether e-mail or the old-fashioned kind was not clear). However, the registration was renewed soon after the disruption started, before any squatters could jump on it. (Don't dwell on that image.)
General Motors will recall certain Chevrolet Corvettes to correct a condition in which the vehicle can operate when the electronic steering column lock fails to unlock. The vehicles included in this recall are 1997-2000 Corvettes with automatic transmissions in the United States, Canada, and Mexico; 1997-2004 Corvettes with automatic transmissions in Europe and export countries; 1997-2004 Corvettes with manual transmissions in North American, European, and export countries. GM is still working to determine the recall population and the breakdowns by countries; however, the estimate is a total of about 127,000. For manual transmissions, the dealers will reprogram the Powertrain Control Module software, at no cost. GM has not confirmed any occurrences of this condition in the field. There are no confirmed crashes, injuries, or fatalities related to the condition. [Source: 10 Feb 2004, PR Newswire; PGN-ed] http://finance.lycos.com/home/news/story.asp?story=40508961
Australian Police in Victoria are facing an embarrassing new privacy scandal after an internal audit found fresh evidence of improper access to confidential computer files. The audit has found up to 35 police have used the police Law Enforcement Assistance Program (LEAP) computer to check information on a security guard charged with manslaughter over the death of former Test cricketer David Hookes. All police who have accessed the files, other than homicide squad police investigating the death, are expected to be asked by ethical standards department police to justify their actions. Police who cannot give legitimate reasons face the sack. This incident comes in the wake of an investigation in 2003 into allegations that the files of 32 current and former Victorian Members of Parliament have been accessed without legitimate reason. [*TheAge*, 11 Feb 2004; NewsScan Daily, 12 Feb 2004] http://www.theage.com.au/articles/2004/02/11/1076388435627.html
According to Bob Sullivan, MSNBC, 8 Feb 2004 http://www.msnbc.msn.com/id/4186130/ A programmer hired by a community college to manage a database for a child care center posted the entire database onto an Internet site in order to obtain help doing the database work. The database contained sensitive information like names, addresses, children's schedules, etc. At one point the fellow was warned that he shouldn't be posting confidential information, but apparently he had a bit of trouble with the concept: On Jan. 26, another programmer — who requested anonymity — sent a message to Dennis, warning him of the possible privacy problems. He replied: "Thank you for the note. That was my mistake and I will be more careful in the future," according to the programmer. The next day, Dennis posted the same database in a different question. The person who ended up doing the work (recruited via rentacoder.com) is three outsourcing steps away from the county agency that maintained the data in question. It's fairly common for social service agencies to outsource most of their work to non-profits, but it appears that neither the first outsourcing level (the community college) nor the second (the alleged "programmer", Dennis, who posted the databases) had the ability to actually do the work. At least no one seems to have sent this job to India...
[The previous item] exemplifies some of the risks of allowing private corporations to manage sensitive data without adequate government oversight. The current administration's efforts at increasing data collection against its own citizens, along with its promotion of privatization, bodes for similar future events on a national scale.
Ben Charny, CNET News.com, 5 Feb 2004 Janet Jackson's Super Bowl flash dance was shocking in more ways than one: Some TiVo users say the event brought home the realization that their beloved digital video recorders are watching them, too. [On 9 Feb 2004,] TiVo said the exposure of Jackson's breast during her halftime performance was the most-watched moment to date on its device, which, when combined with the TiVo subscription service, lets viewers pause and "rewind" live television broadcasts, among other features. TiVo said users had watched the skin-baring incident nearly three times more than any other moment during the Super Bowl broadcast, sparking headlines that dramatically publicized the power of the company's longstanding data-gathering practices. http://news.com.com/2100-1041-5154219.html [Evidently, it pays to keep abreast of TiVo's capabilities. PGN]
Kevin Poulsen, SecurityFocus, 5 Feb 2004 A small and diverse band of hobbyists steeped in the obscure languages of embedded systems has released its own custom firmware for a popular brand of cable modem, along with a technique for loading it — a development that's already made life easier for uncappers and service squatters, and threatens to topple long-held assumptions about the privacy of cable modem communications. The program, called Sigma, was released in its final version last month, and has reportedly been downloaded 350 to 400 times a day ever since. It's designed to be flashed into the non-volatile memory of certain models of Motorola's Surfboard line, where it runs in parallel with the device's normal functionality. It gives users almost complete control of their cable modem — a privilege previously reserved for the service provider. The project is the work of a gang of coders called TCNiSO. With about ten active members worldwide, the group is supported by contributions from the uncapping community — speed-hungry Internet users who rely on TCNiSO's research and free hackware to surmount the bandwidth caps imposed by service providers, usually in violation of their service agreement, if not the law. To them, Sigma is a delight, because it makes it simple to change the modem's configuration file — the key to uncapping, and, on some systems, to getting free anonymous service using "unregistered" modems. "I've known TCNiSO for two years now and I've done a lot of things with their techniques," wrote a Canadian uncapper in an e-mail interview. "Sigma is the greatest one I've seen." ... [http://www.securityfocus.com/news/7977]
In 1997, I wrote a piece for rec.humor.funny based on an idea by Steve Lancaster, in which the Mars Pathfinder landing was reported from the Martian point of view, a la Roswell. http://groups.google.com/groups?selm=Sb43.21d1%40clarinet.com http://www.netfunny.com/rhf/jokes/97/Jul/marspress.html It was well-received, and I'm rather proud of that piece. In early January, some anonymous nitwit took my original piece, changed about four words to make it fit Spirit instead of Pathfinder, tacked on a couple of brand new paragraphs, and sent it circulating again, anonymously. This modified version has now shown up in various monthly astronomy publications, always without attribution. As moderator of RHF, I understand the difficulties of identifying the original source of a piece, and the ease with which people remove attributions. I'm disturbed by the casual way so many publications blindly printed the piece without making a serious attempt to identify the source or the original version. Granted, that source isn't immediately obvious, but a reasonable Google search or a date-sorted Google Groups search would have definitively identified both the author and the original wording. In effect, Google Groups is now my primary hope for preserving my original copyright (although I did have the foresight to encode in the piece an in-joke that only I know — and the plagiarized versions preserve that in-joke). Had I originally distributed the piece via e-mail, I'd now have no hope of ever claiming credit or preserving the original version. I'm mainly disturbed by the ease with which the original piece was corrupted, and that that corruption was blindly accepted and propagated. It is now the case that the corrupted version is more prevalent than the original. This is disappointing, given that an advantage of electronic communications is supposed to be the way it preserves information.
I wonder if we'll find that in a hundred years, the most popular Internet version of "Romeo and Juliet" is one with a new, happier ending?
Andrew Rose <firstname.lastname@example.org> writes: > The technical work on SPF is now complete and adoption has started. I strongly disagree that technical work on SPF is complete: * The current specification is absolutely terrible, when one looks at the details. (As an experienced developer of networking software including a DNS resolver and an SMTP mail rejection agent, and participant in standards processes, I should know.) * SPF proponents haven't taken the proper route through the IETF for their `standard' — where the details of the spec might have been fixed. Instead, they're going for a publicity campaign to `bounce' people into adoption. * Many people I respect (myself not included) think that the principle of operation of SPF is broken for technical reasons. I'm sure those people can explain that themselves. For a personal perspective from a member of the IESG, see http://www.interesting-people.org/archives/interesting-people/200401/msg00037.html
Re: Defeating phishing scams, Andrew Rose, RISKS 23.16 > The technical work on SPF is now complete and adoption has started. > Several thousand domains have published SPF records including some very > large domains such as aol.com. The SPF scheme requires all e-mail forwarders to rewrite the sender's e-mail envelope and return-path addresses. For example, each posting to a mailing list must be rewritten to a local domain of the list host before redistribution. To enable (administrative) e-mail bounce notifications, each forwarding host is also more or less required to generate specially encoded one-time "sender" addresses for each forwarded e-mail, and keep a corresponding database of "reverse mappings" for an unspecified period of time. [http://spf.pobox.com/srs.html] The SPF website calls this an "unfortunate" problem — extremely unfortunate because every pre-existing mail transport agent in the world is incompatible with the SPF scheme and will lead to silent discarding of lots of legitimate (forwarded) e-mail (which would be considered forged by SPF-gnostic receiver sites). Worst of all, SPF will not stop spammers and viruses/worms from spreading - spammers will just start to set up their own SPF infrastructures (with throw-away domain names), and worms will just use legitimate e-mail addresses of compromised host PCs. (In fact, spammers nowadays are increasingly using compromised third-party PCs for their mass mailings as well, preferably badly secured ones with high-bandwidth connectivity to the Internet such as through cable modems OR xDSL lines.) In addition, the backwards-mapping database of SPF-aware mail forwarders must itself be secured against abuse of the e-mail bouncing mechanism by spammers and worms - by introducing even more stateful data keeping to their forwarding databases. The SPF site even proposes adding time-limited cookies to secure against this "open (back-)relay" problem — what an awful hack!  The RISKS?
Several e-mail providers are adopting a half-baked non-solution with obvious deficiencies and a potential for silently sinking lots of legitimate e-mail into a black hole. And a proprietary three-letter ISP is trying to force their (centralized!) single-server world-view of communication protocols onto the Internet.
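To make the sender rewriting, the "reverse mapping" and the time-limited cookie concrete, here is an added example (not from the post above and not code from spf.pobox.com) of an SRS0-style rewrite: the forwarder replaces the envelope sender with an address carrying a truncated HMAC and a two-character day stamp, and a returning bounce is mapped back to the original sender only if the HMAC verifies and the stamp has not expired, so a forged or stale bounce address is dropped rather than relayed. The forwarder domain, secret, and day numbers are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed forwarder identity; a real forwarder keeps its own secret.
FORWARDER_DOMAIN = "lists.example.org"
FORWARDER_SECRET = b"constructed-secret-for-illustration-only"
MAX_AGE_DAYS = 21  # bounces to addresses older than this are rejected

_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _day_stamp(day: int) -> str:
    """Two base32 characters encoding the day number modulo 1024 (SRS0 layout)."""
    day %= 1024
    return _B32[day >> 5] + _B32[day & 31]


def _decode_day_stamp(stamp: str):
    """Inverse of _day_stamp; None if the stamp is malformed."""
    stamp = stamp.upper()
    if len(stamp) != 2 or any(c not in _B32 for c in stamp):
        return None
    return (_B32.index(stamp[0]) << 5) | _B32.index(stamp[1])


def _cookie(stamp: str, domain: str, local: str) -> str:
    """Truncated HMAC binding the stamp to the original sender (the 'time-limited cookie')."""
    msg = f"{stamp}{domain}{local}".lower().encode()
    mac = hmac.new(FORWARDER_SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac)[:4].decode()


def rewrite_sender(orig_sender: str, today: int) -> str:
    """Rewrite user@orig.example into SRS0=HHHH=TT=orig.example=user@forwarder."""
    local, domain = orig_sender.rsplit("@", 1)
    stamp = _day_stamp(today)
    return f"SRS0={_cookie(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER_DOMAIN}"


def reverse_sender(srs_addr: str, today: int):
    """Map a bounce address back to the original sender, or None if it is forged,
    malformed, not ours, or older than MAX_AGE_DAYS (no per-message database needed)."""
    local, domain = srs_addr.rsplit("@", 1)
    if domain.lower() != FORWARDER_DOMAIN:
        return None
    parts = local.split("=", 4)  # original local part may itself contain '='
    if len(parts) != 5 or parts[0] != "SRS0":
        return None
    _, cookie, stamp, orig_domain, orig_local = parts
    if not hmac.compare_digest(cookie, _cookie(stamp, orig_domain, orig_local)):
        return None
    issued = _decode_day_stamp(stamp)
    if issued is None or (today - issued) % 1024 > MAX_AGE_DAYS:
        return None
    return f"{orig_local}@{orig_domain}"


if __name__ == "__main__":
    day = 19765  # constructed day number
    rewritten = rewrite_sender("alice@orig.example", day)
    print(rewritten)
    print(reverse_sender(rewritten, day), reverse_sender(rewritten, day + 30))
```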
> What are the odds of having not only a matching door/ignition key, but > also the keyless entry remote? Apparently pretty good odds :) I heard 2nd- or 3rd-hand of an inventive software security person (name omitted because I want them to still talk to me :) who wanted to investigate precisely this problem when keyless entry first came out. Apparently the initial key space for keyless entry was only 16 bits, and so my friend built a device to brute-force the keyspace with a fairly powerful radio broadcaster attached. Friend then took the device to a large parking lot, turned it on, and watched with amusement as dozens of cars around the parking lot started honking and unlocking. I *think* the keyspace has improved since then, but I would bet it has not improved enough. Crispin Cowan http://immunix.com/~crispin/ CTO, Immunix http://immunix.com Immunix 7.3 http://www.immunix.com/shop/ [Things have improved enormously since the early garage-door openers, many of which opened and closed each time the orbiting Russian Sputnik went overhead. I have not noted that marvelous case here since RISKS-8.38, which appropriately was issued on the Ides of March 1989, so it is worth recalling for newer readers. Don't forget, all the RISKS archives are searchable at Lindsay Marshall's Web site (www.risks.org). PGN]
Microsoft has a message for Windows users: Patch your computers quickly. Robert Lemos, CNET News.com, 10 Feb On Tuesday, the software giant released a fix for a networking flaw that affects every computer running Windows NT, Windows 2000, Windows XP or Windows Server 2003. If left unpatched, the security hole could allow a worm to spread quickly throughout the Internet, causing an incident similar to the MSBlast attack last summer. ... [http://news.com.com/2100-7355-5156647.html] What You Should Know About the Windows Security Updates for February 2004 http://www.microsoft.com/security/security_bulletins/20040210_windows.asp Microsoft Security Bulletin MS04-007 ASN.1 Vulnerability Could Allow Code Execution (828028) http://www.microsoft.com/technet/security/bulletin/MS04-007.asp Microsoft Security Bulletin MS04-006 Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (830352) http://www.microsoft.com/technet/security/bulletin/MS04-006.asp Microsoft Security Bulletin MS04-004 Cumulative Security Update for Internet Explorer (832894) http://www.microsoft.com/technet/security/bulletin/MS04-004.asp
Finnish computer security experts warned Tuesday of a new worm, known as "Doomjuice," that is expected to attack computers infected by "Mydoom," despite the fact it's programmed to stop spreading later this week. The virus, first detected by F-Secure on Monday night, has so far infected at least 30,000 computers worldwide since it was activated Sunday, said the company's director of antivirus research, Mikko Hypponen. Like Mydoom.A and Mydoom.B, the new worm is designed to strike Microsoft Corp.'s Windows operating systems and is programmed to launch a worldwide attack on the web site of SCO, one of the largest UNIX vendors in the world. [Source: Matti Huuhtanen, Associated Press, 10 Feb 2004, AP Online] http://finance.lycos.com/home/news/story.asp?story=40507941
> Writing on Feb. 2, it's very hard to assess what the real impact of the > MyDoom-generated denial of service was on SCO. I find it curious that with about a week's notice of the actions of the MyDoom.A payload, SCO found it impossible to prepare an effective strategy in advance of the attack. I also find it somewhat curious (but anecdotal) that all of the MyDoom infected e-mail messages received on my personal POP account ~appeared~ to be sourced from the allwest.com domain, with admin contacts listed as physically located in Utah. As a result of the nature of the MyDoom.A payload and of the consequent reward offered by SCO, Darl McBride and his misbegotten (IMO) anti-Linux campaign have received a great deal of publicity and a reprieve from what appeared to be an imminent slip from the public consciousness. A cynical person (not I, heaven forfend) might be tempted to speculate whether SCO could have been involved in the release of the worm, or at best, played willing victim.
Terry Ward in RISKS-23.17 reports that to cancel another person's insurance, credit, etc., "I simply presented a plausible sounding story, knew his social security number ***" And yet lots of professionals and private citizens still think that the key to preventing identity theft is MORE reliance on Social Security numbers. The reality is that SSNs are no longer private bits of information, if they ever were, and no longer serve to authenticate an individual's identity. So each of us has to cease going along with this deceit. Robert Ellis Smith, Privacy Journal
Mark Brader states (RISKS-23.15): > It's for failing to get the criminal tried and convicted back then. And > even this is only true if the earlier alleged offenses were genuine. Errrmm... and even if "genuine" (=true?), how would they achieve that, precisely? If there was insufficient evidence to pass the first (evidential) test by which Branch Crown Prosecutors decide whether or not to prosecute, presumably the recommendation here is to manufacture more...? :-) > For police, it *is* reasonable to consider that someone previously > suspected should be suspected again: this is all right precisely because a > police suspect is not, ipso facto, a criminal. But that is at the heart of the argument: to know about the previous suspicion, the data about the (unsubstantiated) allegation would need to be retained for that purpose, which is precisely what is not *explicitly* provided for in the Act. My understanding is that the Information Commissioner was already pressing two other forces to delete data for that very reason, i.e. some non-conviction information was being retained by them for "longer than necessary", but there is nothing to explain what "necessary" actually means — in fact, the only explicit guidance is that it was, and is, for forces themselves to make that decision! In any event, any evidence supporting the allegation(s) not proceeded with is completely inadmissible in proceedings for any new allegation. That's the way society has made the rules, that's the way they are followed. Damned if you do, and damned if you don't...
I'm a member of a mailing list in which one of the members has chosen to sign up for one of those "identity verification" services for preventing spam. Every time anybody sends to the list, we get an autoresponse from "email@example.com", who asks us to go out of our way to prove that we're humans. The RISKs of this approach are well known, and most list maintainers (PGN included) refuse to allow subscribers to use these services. The problem in the current case is that nobody can figure out which of our 950+ subscribers is the culprit! That has led one member to propose that a group of volunteers divide up the subscriber list and send test e-mails to people until we discover one that produces the annoying bounce. Geoff Kuenning firstname.lastname@example.org http://www.cs.hmc.edu/~geoff/
This message is to inform you that a new NSF funding opportunity called SCIENCE OF DESIGN [Solicitation NSF 04-552] has been posted by the CISE Directorate. The CISE web page (http://www.cise.nsf.gov) has a link to the program page under "CISE FY04 Emphases" and there is additional information under "Hot Topics" on the CISE web page. [See the Program URL: http://www.cise.nsf.gov/funding/pgm_display.cfm?pub_id=13078] The goal of this solicitation is to stimulate research and education projects that build the Science of Design. This solicitation focuses on the scientific study of the design of software-intensive systems that perform computing, communications and information processing. Complex interdependencies strain our ability to create, maintain, comprehend and control these systems. The Science of Design seeks to rectify this situation by building a foundation for the systematic creation of software-intensive systems. This foundation will consist of a body of theoretical and empirical knowledge on design, computational methods and tools for design, and new design curriculum for the next generation of designers. Sol J. Greenspan, Ph.D., Chair, Science of Design Coordinating Group Directorate for Computer and Information Science and Engineering [PGN-ed] [If you have learned anything from reading RISKS, it might be quite relevant here! PGN]