United Airlines has decided to stop using its controversial automated baggage-handling system at Denver International Airport, reverting to a conventional manual system by the end of 2005. The automated system (which began operation in 1995) never lived up to original expectations. It had enormous difficulties in its early days, including construction delays, cost overruns, lost bags, damaged luggage, derailed cars, traffic jams, upgrade problems, political battles, and so on. (For example, see RISKS-17.61 and 18.66). United is apparently obligated to pay $60 million a year for another 25 years under its lease contract with the city of Denver (which owns the airport). However, United expects to save $1 million a month in operating costs by NOT using the automated system. The airport cost $250 million to build (BAE Automated Systems of Dallas, no longer in existence), and the city reportedly put up another $100 million for construction and $341 million to get it to work. [Source: AP item, 7 Jun 2005; PGN-ed] http://msnbc.msn.com/id/8135924/ [The system will soon be carrion! Carry on with carry-on. PGN]
A recent report for the House Appropriations Committee has once again put the FBI's Virtual Case File (VCF, see RISKS-23.66) development effort under scrutiny. (The $170 million project was scuttled earlier this year.) An FBI report in 2004 had identified 400 problems with early versions, but the contractor was never informed. $17 million was spent on a testing program in December 2004 even after it seemed evident that the project would have to be scrapped. The new report documents many "errors and misjudgments that were made during the software project's troubled history." [Source: an article by Dan Eggen, FBI Pushed Ahead With Troubled Software, *The Washington Post*, 6 June 2005; PGN-ed] http://www.washingtonpost.com/wp-dyn/content/article/2005/06/05/AR2005060501213.html
The following story: http://news.bbc.co.uk/go/rss/-/1/hi/uk/4607657.stm tells of a U.S.-bound aircraft diverted to Canada (with fighter escort) after accidentally transmitting a hijack warning. The thing that strikes me most about the article is the following sentence: ...the false alarm was caused by a malfunction which meant that when the transponder began transmitting the 4-digit hijack code, the crew were unable to shut it off. Huh? It seems to me that "unable to shut off the alarm" is the proper behavior for such a system. You don't want a hijacker to hold a gun to the pilot's head, saying "Either shut off the hijack code or I'll kill you and crash the whole plane." Much better to make the switch one-way and spend the extra money and inconvenience to escort the plane to a safe landing spot while you investigate whether there really was a hijacking or it was a false alarm. Sometimes the proper fail-safe response is to insist on a human decision. Geoff Kuenning firstname.lastname@example.org http://www.cs.hmc.edu/~geoff/
*The Boston Globe* 9 Jun 2005 carries an Associated Press story about a man in New Hampshire who had taken some risque' digital photos of his granddaughter. He printed them out at a Kodak self-service print kiosk at a CVS pharmacy. Maybe he'd attracted the attention of the clerk -- or maybe it's normal practice - the store manager looked at the photos *that had been retained by the innards of the printer* and notified police. There must have been some more modest pictures as well, and these were shown on national TV, leading to the girl's parents calling in and identifying the perpetrator, who was then arrested. Want privacy and anonymity? Buy a printer.
"We have allowed concepts from information technology to enter the cognitive consciousness of physicians without critical analysis of their impact." Steven Merahn, MD, identifies Search Engine Dependence Syndrome as a neuropsychological disorder: 1. The assumption/perception that computers are "smart" 2. The task interference associated with competing problem-solving paradigms 3. The loss or lack of development of critical thinking skills that comes with prolonged reliance on IT infrastructure http://www.cliniscience.com/objects/Cliniscience%20TEPR.pdf [Thanks to Lindsay Marshall for finding the 25-slide presentation from which this item is PGN-ed.]
The *London Evening Standard* is reporting that the "world's biggest computer hacker" has been arrested in London, giving us more evidence once again that intelligence and common sense do not necessarily go hand in hand: The unemployed former computer engineer is accused of causing the US government $1 billion of damage by breaking into its most secure computers at the Pentagon and NASA. He is likely to be extradited to America to face eight counts of computer crime in 14 states and could be jailed for 70 years... Friends said that he broke into the networks from his home computer to try to prove his theory that the US was covering up the existence of UFOs. The mind simply boggles. Full story: http://www.thisislondon.co.uk/news/articles/19164714?source=Evening%20Standard&ct=5 Commentary: http://it.slashdot.org/article.pl?sid=05/06/08/137249&tid=172 [Biggest hacker? He would perhaps have to exceed 450 pounds in weight to justify that claim. Pentagon's and NASA's most secure computers? Wow! Are we impressed? PGN]
I received e-mail from B&H Photo video about my order. I don't use an HTML-capable e-mail reader, and they don't send a text version. <td> <p><br> Dear WILLIAM D. COLBURN ,<br> <br> We are pleased to inform you that the following order has been shipped.</p> <!-- Comment out by YYW per bug #29992--> <!-- <p>PLEASE NOTE:</p>--> <!-- <p>You should be receiving your order shortly. </p>--> <!-- <p>Please review the information and verify that everything is correct.</p>--> Since I hate waiting, I had ordered prompt delivery of my new possession. Unfortunately, due to bug 29992 I will not be receiving my order shortly, and I should not review my order to make sure that it is correct. I hate bug 29992. B&H could be slowly shipping me the wrong thing, and I won't know it until it arrives. I'm also pretty baffled by what bug could possibly be fixed by commenting out a textual note that my order will arrive soon and I should check what I ordered to make sure it is correct.
Avishai Wool and Yaniv Shaked of Tel Aviv University in Israel have demonstrated a method of cracking Bluetooth security. Every Bluetooth device broadcasts its ID code to everything in the vicinity. The method is to pick up an ID code, then send a message to another device, spoofing the ID code, and telling it that the 'link key' used for encrypting communication has been 'forgotten'. This forces the two devices to go through a 'pairing' exercise to establish another link key. (Normally this is done only on the first occasion on which two devices communicate with each other.) The attacker can then eavesdrop on the messages exchanged in the pairing session, and analyse these using software which implements the Bluetooth algorithm. The four-digit PIN (set on each device by the legitimate user) can be cracked by 'brute force'. The link key can then be derived, and the attacker can then communicate with either device by pretending to be the other. Shaked and Wool will present their findings at the MobiSys conference next Monday in Seattle. For a more detailed description, see the on-line news item from New Scientist magazine: http://www.newscientist.com/article.ns?id=dn7461 Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB +44 (0)20 7040 8422
Local and remote device wipe. The ability to remove all information, over the air, and reset a device to its original state enables IT administrators to better manage sensitive information on a misplaced Windows Mobile-based device. In addition, the administrator can choose to have the local memory on a device erased if the correct password is not entered after a designated number of attempts. http://www.microsoft.com/presspass/press/2005/jun05/06-06SFPWindowsMobilePR.mspx Oh sure, just wipe the device. Encryption is not an option, is it? :)
I recently received an e-mail challenge to a message claiming to be "From" me. if i choose to click the link provided, my e-mail address would be added to the recipients white-list. if i don't click the link then the message would be deleted... or filed in a folder where no one looks... i'm not sure...? this allows two distinct failure modes: 1) I ignore the challenge and a legitimate message is not delivered 2) I acknowledge the challenge and spam is delivered, "From" me regarding the first failure mode: when i post to a mailing list and receive a challenge, i will always ignore it. if the recipient wants to receive mail from the list, the list should be white-listed (not necessarily with an obvious header, such as "To: email@example.com"). regarding the second failure mode: this particular challenge (from earthlink) that i recently received only identified the message by the recipient and subject line, making it difficult to determine if i sent the message or not. i did not recognize the recipient or subject, so i had no reason to respond to the challenge. but, if one were to acknowledge the challenge without first determining the legitimacy of the message, 1) the recipient will receive the spam and 2) the person who acknowledged the challenge may ultimately be blacklisted for "sending" spam. it is assumed that a challenge/response system such as this works because spammers usually use invalid "From" addresses, and people would take the time to scrutinize any challenge they receive before responding to it. i know plenty of e-mail users who will be more than happy to click on any link in their e-mail to ensure that someone gets "their" mail. should the challenge include the original message? this introduces the risk of using "From" addresses of the intended recipient and "bouncing" the spam off of an account that generates challenges. the "sender" (as identified in a forged From address) would then receive the spam. this is in addition to the other flaw of challenge/response filter systems, which is that viruses may attack an address book and/or saved messages. this will facilitate spam that uses addresses that are likely white-listed. more than once i have received spam "From" my wife... we live and work in a m$ft-free home in NC, the messages originated from a cable modem in NYC. the simplest explanation is that our names and e-mail addresses were both participants in a message or address-book that was harvested by a virus. had i been white-listing her name and/or e-mail address those spams would have landed in my inbox; instead they were properly filtered and sent to my spam folder. another flaw that may be exploited in these automated challenge/response systems is if mail is sent "From" firstname.lastname@example.org and that mailbox is read by a program that clicks every link that comes in. variations on this (better mousetraps, better mice, etc) would further destroy the utility of such filtering systems (while consuming about three times the bandwidth of normal spam). my conclusion is that challenge/response systems, although at first seem like a Good Idea (tm), are no match for a good spam filter (CRM114, DSPAM, SpamAssassin, etc). i've been enjoying >99.95% accuracy with CRM-114, and now that i've trained it to recognize e-mail challenges as spam i'm not bothered by them so often.
Apparently, a Trojan horse was developed for three major private investigators' companies in Israel, and later used for industrial espionage with some of the biggest corporations in Israel. Apart from the technical side of this attack and the extreme wide-scale of it, another interesting aspect is the use of social engineering. In one description, I heard that a woman called a certain individual at one of the companies with a business offer, and later sent him a presentation via e-mail. When that presentation did not work, she proceeded to send him a CD, which did not work either. You can find an article in English detailing some of the events here: http://www.haaretz.com/hasen/spages/581718.html This is not the first time this happened, and not the first time we've seen industrial espionage in IL, or private investigator companies developing their technological and operational capabilities. I've personally been approached about such a job twice in the past 2 years. Interesting tidbit of data: The perps paid 17K UK pounds per COMPUTER per MONTH. Gadi Evron, Infosec Manager, Israeli Government Internet Security.
http://www.reuters.com/newsArticle.jhtml=3Ftype=3DoddlyEnoughNews&storyID=3D8412873&src=3Drss/oddlyEnoughNews Audacious thieves in Romania have constructed a complete automated teller machine (ATM), minus the cash box, to steal the details of account holders. Fake ATMs have appeared at apartment buildings or in areas of the capital where there are no banks. Usually criminals only place a fake panel over an existing ATM, and do not construct a complete machine. Romania's biggest bank, Banca Comerciala Romana (BCR), said customers should only use ATMs situated around bank branches. "Banks do not install ATMs in blocks of flats," BCR spokesman Cornel Cojocaru said. Jim Bauman S-K Lotus Notes Group 847-468-3014 email@example.com
I expect that many of you have received spam messages containing "Your existing loan situation makes you eligible..." and "If your decision is not to make use of this final offer going here...". The URL for Request Form and opt-out look respectable, but they are not. They are in the form of http://rds.yahoo.com/a=b/*-http://www.google.com_cr3am.net/del.asp where "a=b" is about 100 characters and the "_" is another period. Yahoo must be running some sort of redirection service on their RDS server. It ignores everything between rds.yahoo.com/ and "*-", then issues a redirect to what's left. The end result is a URL pointing to a server that was registered in China on 2005-06-02. It's using a subdomain of www.google.com to trap the unwary.
I had occasion to contact my ISP to reset the password on an account (which I had misremembered). But instead of resetting the password to a whatever value and giving it to me, so that I could change the password to what I wanted, the ISP told me what the password had been! We went through a little back-and-forth about how they shouldn't be storing clear-text passwords ("but the login screen is secure!") without any impact.
I have to wonder if the individual controlling the message board is one of the people living in Windsor who commute to Detroit to work, and who is more familiar with kph, as used to the east and north of Michigan :-) Or, as an alternative, it really said 100 kph and someone expecting the mph misread the board. After all, when we cross the border at Sarnia/Port Huron or Windor/Detroit or Sault Ste. Marie/Sault Ste. Marie perhaps they are telling us the Michigan speed limit in terms that match our speedometers [KPH] :-) If either or those were the case, 100 kph is 62.5 mph and the 'error' makes more sense or was not an error but a misread of one letter. I wonder if we will ever know...
At http://writ.news.findlaw.com/ramasastry/20050512.html it is written, amongst other things: > True, much information was available publicly before. But now it can be > collected together, online, at the press of a button. One scholar, > Professor Daniel Solove, calls such collections of data "digital > dossiers". > > And there's no reason these dossiers must be limited to addresses, > phone numbers, birth years, and property information. Digital > footprints can be tracked - so that digital dossiers could include > Internet activity. In theory, they could also be connected to security > camera footage from private stores, identification photos, and much > more. > > Such dossiers can be permanent, and may be instantaneously disseminated > around the world. > > They can also be stolen: Collecting information on an individual, and > making the dossier publicly accessible, risks making identity theft > virtually undetectable. The thief who steals your wallet may not know > your mother's maiden name, or the name of your pet - common security > questions. But what if that information ends up in your digital > dossier? And, of course, the answer is "then maybe companies will stop using such puerile choices of authenticators and get serious about security"... but that's politically incorrect to say aloud. So I'll say it here, instead. While Zabasearch may have problems, that's not one of them. The world is changing, and while there may be some risks involved in that, we would be well served to think long and hard about what those risks are, and where they *really* come from... instead of killing the messenger. Peter Brin's *TheTransparent Society* and Simson Garfinkel's *Database Nation* have interesting, if opposing, takes on this issue. Jay R. Ashworth, Ashworth & Associates, St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274 firstname.lastname@example.org
In RISKS-23.88, Aaron Emigh includes a valuable summary of the operation of MarketScore. However, recent changes have made this description badly out of date. A different concern, however, is whether this is an "exploit" and an "attack". Although MarketScore does not tell their users precisely how the technology works, they are quite clear about what they are doing. Their End User Licence Agreement (EULA) specifically states that the examined data includes secure sessions. It's not at all clear that it is still a man-in-the-middle *attack* if one end of the connection has agreed to the process. Like many technologies, this one can be used for bad things. But just because this technology is used is not sufficient to make what is done with it a bad thing. MarketScore appears to now use a different technology, effectively summarized in this analysis from Cornell: http://www.cit.cornell.edu/computer/security/marketscore/technical.html Simply put: the proxy has been moved from MarketScore servers to the users' own machines, and MarketScore now simply records a datastream from the proxy. Where destination sites could formerly detect that proxied traffic arrived from marketscore servers, now the proxied traffic arrives from the users' regular IP address. Furthermore, the use of a LSP (Layered Service Provider) appears to allow the proxy to examine the contents of secured sessions without having to re-encrypt traffic under the special trusted certificate. If you check a site's credentials, it will show as secured by the site's own certificate, not by Marketscore's.
They're not the only ones. Microsoft ISA (Internet Security and Acceleration) Server 2004 does the same thing: it allows clients to establish a secure connection with it, and then it establishes a secure connection with the remote site. It does not log the content of the session (though future versions of ISA Server may allow this). But it does log the full URL, and HTTP headers (such as user agent) that you would normally expect to be invisible over an https connection. It can perform these tricks invisibly from the client's perspective because it is integrated with the rest of the LAN's infrastructure. It similarly needs a root certificate, but since this is automatically installed on the client when it is joined to a Windows domain with a certificate server, the added certificate is inconspicuous. The risk here, I guess, is trusting that the people who wrote the software have your best interests at heart. This is not the case for MarketScore, and is evidently not the case for end users of IE, Windows client, and ISA proxy. Doug Burbidge http://www.dougburbidge.com/ email@example.com
> As I've mentioned above, there will be some people who are philosophically > opposed to the notion of restricting Internet traffic so as to limit abuse... Yes, I am very opposed to such a notion. I'm sorry, but the Internet is not your private playground. If you have a spam problem, deal with it or buy your own intranet. Such "idealism" is what lets people use the Internet to communicate. The US FCC rules about devices which use radio frequency transmissions having to accept any "interference" come to mind. If some specific agent is disrupting your operations illegally, track down their activities, record them, and turn it over to law enforcement. Otherwise, just deal with the fact that the Internet is no longer a closed society, and you may have to deal with the same sorts of mischief you would in any other public arena, as well as a large number of people who just need to tell grandma about junior's first bowel movement with photos attached. I don't like the fact that the USPS promotes the delivery of junk mail to my home, but I don't demand that we require senders of postage to pass some sort of security interrogation. I just recycle or dispose of the junk. The fact is that the fees paid to mail this junk subsidize my ability to receive mail at my home, so I accept it as a cost of doing business or a cost of living. Much spam is identifiable and can be blocked by well established means. What can't is the cost of doing business in any public venue. Your convenience and avoidance of risk does not constitute an entitlement to restrict the expression or actions of others any more than you have the right to restrict the use of public highways to yourself and your assigned agents, or, within reason, to dictate what sorts of vehicles they may operate, who may occupy them or where and when they may travel. Furthermore, the argument you raise about bandwidth is largely absurd. One of the reasons for the collapse of WorldCom was overcapacity. If I have a dialup feed, I likely won't appreciate someone e-mailing me a five megabyte graphic file, but I have little right to demand that nobody do so unless there is obvious malicious intent. There are also workarounds such as IMAP.
Please report problems with the web pages to the maintainer