Reuters, 19 Nov 2003: Sony Corp said on Wednesday it would recall about 550,000 external battery packs for its CD Walkman worldwide because of a defect in the connector cord that could cause the pack to heat up and partially melt. A Sony spokeswoman said there had been one reported instance of the battery pack damaging the CD player's nylon carrying case. http://finance.lycos.com/home/news/story.asp?story=36534151
The latest in the spam wars — Amber Alert! This one promises to clog your email box with photos of children who may or may not have vanished, probably for years even after they've (hopefully) been found. It's so much more convincing than those "estate of Nigerian millionaire deposit account" messages. Makes you nearly want to cry. Hey, if it was my kid, I'd spam the universe. But it's still spam. So when you reply to the sender (who is inevitably going to be some kindhearted soul that you know who received this from a long chain of other friends whose email addresses they've included to prove it's "authentic") with a "this is spam" message you're just going to appear to be heartless. There's no good way out of this one other than to immediately redirect all messages with the subject phrase "Amber Alert" into your trashbin, pray you never need to do this for your own kid or someone you really do know FIRSTHAND, and don't look back.
[PGN-ed from an AP item] http://www.cnn.com/2003/US/South/11/16/southern.drawl.ap/ Southern drawls ("lazy mouth") have thwarted voice recognition equipment used by the Shreveport, Louisiana, Police Department to route non-emergency calls to persons or departments. Switching to a more conventional voice menu touch-tone response system is planned.
According to the Associated Press, California's Secretary of State Kevin Shelley has ordered that by 2006, all electronic voting machines in the state must provide a "voter verified paper audit trail". He also introduced stricter requirements for testing and auditing the software used for both recording and tabulating votes. Steve Bellovin, http://www.research.att.com/~smb [See also Kim Zetter, wired.com, 21 Nov 2003. PGN] http://www.wired.com/news/evote/0,2645,61334,00.html
CA SoS Shelley has apparently taken the recommendations of some of the members of his review panel seriously, in light of recent strange events previously recorded here. As RISKS readers are aware, this is in essence an approach recommended by Rebecca Mercuri, in which voters verify that the paper record is identical to what is on the touch-screen. The machine- and human-readable audit trail would remain within the voting system. In the pure Mercuri Method, the machine-readable audit trail would be the official ballot, although the California wording seems to suggest that the electronic version would be the official version unless irregularities had to be resolved by comparing the electronic and paper versions. Clearly, any discrepancies detected during the voting process should result in the machine being taken out of service.
Astonishingly, several Diebold Automatic Teller machines were infected by the "Nachi" worm last August, and the company has confirmed this. These were an "advanced line of Diebold ATMs built atop Windows XP Embedded", and were therefore vulnerable. They weren't on the public Internet, but of course many recent worms have displayed remarkable potency in their ability to hop over firewalls and infect private intranets. Full story at http://www.theregister.co.uk/content/55/34175.html . To me, this incident reinforces a worrisome trend. On the one hand, everyone knows that critical functions shouldn't be implemented using less-than-rugged components such as "consumer grade" operating systems. But the ubiquity of the market leader's products and the resulting convenience of using them means that the temptation to do so, even when it's formally inadvisable, is quite often irresistible. Such decisions are always papered over with superficially plausible rationalizations such as "this component performs a non-critical function of the otherwise critical system" (e.g. "these computers are involved with nonessential railway communication functions, not signalling") or "these computers are not connected to the public Internet in any way" (as in the present incident), but as we know all too well, in complex, interconnected systems, those convenient assumptions have a way of breaking down.
Reading RISKS, there are endless stories of badly designed and implemented electronic voting machines. The authors are passionately committed to the democratic process, and hate to see even a chance of voter disenfranchisement. The authors elicit dismay at the "authorities" callous disregard for due process and good engineering. The authors care. A comparison comes to mind: Much of modern art is, frankly, rubbish. The artists will say that its purpose isn't to be beautiful, its purpose is to make us think. Question. Have an opinion. Care. Maybe, just maybe, "they" are doing the same thing with the voting machines? Putting bad products in the field to make "us" care, to think, to act... even, as a last resort, vote. Voter apathy and low voter turnout is well known. Begging people to vote hasn't worked. Perhaps there is no better way to make people cherish their vote, and use it, than to make them think it is being taken away. Nothing like an even bigger conspiracy theory, is there? John Bechtel, Maidenhead, UK
> It's interesting to wonder what might have happened if the initial > inaccurate result had not been so glaringly obvious ... [PGN] Perhaps I am too paranoid, but it looks as though "someone" is testing to see just how big a "glitch" they can get away with, while at the same time getting the punters accustomed to regular "glitches" in e-voting software (just as MS has got people accustomed to desktops which regularly crash, freeze or scramble documents). How many other results were there that were *not* so glaringly obvious? How do you know that the results of this "test" were not: "Just keep the total number of votes less than the total number of voters, and people won't notice a thing"? Martin.Ward@durham.ac.uk http://www.cse.dmu.ac.uk/~mward/
I went to run a whois inquiry on a domain at www.tucows.com. I get a screen which asks me to validate a number which appears on a graphic. And it doesn't take the entered number. It displays another number in graphical format. Which it also doesn't take. Repeat until frustrated. I later reread the screen and decided to check my browser's cookie settings -- which I manually set for each Web site I visit. If I see anything suspicious in the cookie site I tell IE to not save that Web site cookies. Turns out that was the problem. 1) I complained a week ago and have not received a response. 2) A sentence along the lines of "If the system doesn't accept the number you enter double check your cookie settings." would've saved a lot of frustration on my part. Tony Toews, Microsoft Access MVP Microsoft Access Links, Hints, Tips & Accounting Systems at http://www.granite.ab.ca/accsmstr.htm
In Toronto, Canada, this week: After pulling the man over, Sgt. Don Woods discovered the man was naked from the waist down as he downloaded images on a laptop computer of a young girl involved in a sex act with an adult. Investigation showed the man had hooked into a wireless computer network at a nearby house to gain access to a resident's Internet connection and download images from child pornography Web sites. http://www.canoe.ca/NewsStand/LondonFreePress/News/2003/11/22/264890.html
[For those of you who wonder why you keep getting variants of the confidential scam spams asking you to help launder millions of dollars, here is one of the reasons why: There are still suckers falling for them. PGN] The *Daytona Beach News Journal* (13 Nov 2003) reported that a local man had fallen for the Nigerian 419 e-mail scam to the tune of $400,000. Even after being informed it was a scam, he continued to send money. He had mortgaged his house and used up his life savings. [PGN-ed] http://www.news-journalonline.com/NewsJournalOnline/ News/Headlines/03NewsHEAD01111303.htm The Risk? With no spam regulations and no cooperation between national governments con-men are getting away with many people's hard earned money. Some folks think that the greedy get what they deserve, but falling for this type of scam, may also be a sign of mental illness. [Gambling is addictive behavior. Perhaps so are Nigerian-type scams. PGN]
I am in the process of getting a DoD security clearance in connection with my job. My contact in my employer's security office claimed to have sent me the information I needed to apply for the clearance by e-mail, but I never got it. When I talked to this person by phone she said that she had sent me "the program" several times. The following exchange ensued: Me: The program? You mean, you sent me an executable attachment? She: That's right. Me: Well, no wonder I didn't get it! It was deleted by my virus protection program, which deletes all e-mails with executable attachments. She: No problem, I'll just send you a URL where you can download it. Me: OK. Er, isn't there any other way for me to submit my application, like on paper for example? She: No. The URL she sent me was: http://www.dss.mil/epsq/index.htm Note it's http, not https. It is quite a challenge to find the right link on that page, but when you do you eventually get lead to: https://sclient.dss.mil/download/ Thankfully a secure page, but one whose certificate is not signed. From there you are lead to a page where you "certify" (by clicking on a button that says, "I certify that the above answers are true") that you are in the U.S. and promise not to export the program outside the U.S. (because it contains encryption technology). Finally, you get to the download page, where you have the following choices of operating systems: 1. Windows 95, 98, NT or 2000 2. Windows 3.x Mac and Linux users like me are out of luck. Fortunately, I have a dual-boot Linux/Win2000 machine at home, so I tried running the program on that machine. The executable I got from the site turned out to be an installer, which installed 212 different files (that I could find) on my disk. The punch line, of course, is that when I tried to run it, it didn't work. The cursor changed into an hourglass, then back to an arrow, and nothing else happened. God only knows what it did. I'll probably have to wipe the disk and reinstall the OS before I can trust this machine again. The degree of cluelessness on the part of the people who are responsible for guarding our country's military secrets that this episode reveals is truly scary. Think about it: the only way to get a security clearance is to agree to 1) run a program whose pedigree you have no way of verifying 2) on an operating system that is notoriously insecure and 3) (presumably — I never got a chance to find out) give that program sensitive personal information. To my mind, anyone who agrees to this ought to be summarily denied a clearance, but of course, that fate is probably reserved for troublemakers like me who raise these kinds of issues.
After seeing a rush of spam, and brainstorming possible remedies, AT&T sent out a mass e-mailing to business partners and customers asking for the IP addresses of all outbound SMTP servers (to be used for a white list), threatening to cut off e-mail access of nonresponders. Subsequently, they sent a follow-up apology, with a request to disregard the first e-mail, claiming that the original notices went out as a result of "human error". [Source: Ryan Naraine, 22 Oct 2003, Jupitermedia Corporation; PGN-ed] http://boston.internet.com/news/article.php/3097171
I thought RISKS readers might be interested in two books I came across recently. The first is "The End of the World: The Science and Ethics of Human Extinction" by John Leslie. It's focus is the so-called Doomsday Argument, first described by cosmologist Brandon Carter. The argument assumes that human population growth will continue to be exponential up to the point where some unspecified disaster wipes out the species. Therefore, most of the humans who will have ever lived will live in the one or two generations before Doomsday. If you take yourself as a random human, you must conclude that you are most likely to be in the last couple of generations. In other words, Doom is more likely to come sooner rather than later. About half the book defends the argument. Apparently mathematicians and philosophers have been trying to find an error in the reasoning for about twenty years, without success. Mr. Leslie goes on to discuss some of the ways in which we might become extinct, from nuclear war to plague to technology run amok to asteroid impact. He discusses whether we should, from an ethical perspective, try to preserve ourselves if we can't eliminate human misery. Some of these philosophical discussions are pretty tough reading. Ultimately, Mr. Leslie's point is that not only are the risks obvious, but they are also higher than we might otherwise think. The second book is "The Human Factor" by Kim Vicente. This very readable book is about why we need to consider the "human factor" in designing socio-technological systems. Without considering the way people use technology, we run the risk of our technological systems moving outside their "safety envelopes" and causing disasters. He uses a wide array of case studies, from the Reach toothbrush to the Aviation Safety Reporting System, to show how human factor engineering and systems approaches to design benefit everyone. Mr. Vicente also gives many examples of poor system design that led to disaster, including preventable accidental hospital deaths (which outnumber traffic accident deaths in the U.S.) and the Walkerton, Ontario, contaminated water tragedy. Mike Smith, Senior IT Security Engineer, AEPOS Technologies Corporation 819-772-8522 ext. 230 www.aepos.com
BKPRCCRP.RVW 20030918 "Practical Cryptography", Bruce Schneier/Niels Ferguson, 2003, 0-471-22357-3, U$50.00/C$76.95/UK#34.95 %A Bruce Schneier firstname.lastname@example.org %A Niels Ferguson email@example.com %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2003 %G 0-471-22357-3 %I John Wiley & Sons, Inc. %O U$50.00/C$76.95/UK#34.95 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0471223573/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0471223573/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0471223573/robsladesin03-20 %P 410 p. %T "Practical Cryptography" The preface points out that cryptography has done more harm than good in terms of securing information systems, not because cryptography fails in and of itself, but, rather, due to the improper use or implementation of the technology. This book is intended to provide concrete advice to those designing and implementing cryptographic systems. As such, it is not the usual introduction to cryptography, and is aimed at a fairly limited group. Chapter one asserts that we should be engineering for security, rather than speed or bells and whistles. Security is only as strong as the weakest link, we are told in chapter two, and (following from the idea of defence in depth) we need to have engineering in depth (and probably breadth, as well). The issues are important, but there is some lack of clarity to the organization and flow of the text and arguments: the reader may start to wonder what the essence of the message is. (I see that I should have trademarked "professional paranoia" when I started using it years ago, but it is nice to note that the point is being taken.) Chapter three is a rather unusual "Introduction to Cryptography" (and the mathematical format of the text doesn't make it easier for the math-phobic to concentrate on the meaning), but focussing on the applications and problems, the cryptanalytic attacks, and repeating the injunctions against complexity and the sacrifice of security for performance is a reasonable position. Having come this far, it is interesting to note that we are only starting part one, reviewing message security. Chapter four compares and reviews various existing block ciphers. The modes, and attacks against specific modes, of block algorithms are described in chapter five. (This material appears to be what would, in a more traditional book, be the introduction to cryptography.) Hash functions are explained, compared, and assessed in chapter six, while seven extends the concept to message authentication codes, which ensure not only detection of accidental alteration, but are also resistant to outsider modification attacks on the data or transmission. We therefore have the basic tools that we need to consider a channel that is secure from eavesdropping and manipulation by anyone not party to the communications, in chapter eight. Implementation, and the engineering or software development considerations, are examined in chapter nine. Part two deals with key negotiation, partly by introducing the concept of asymmetric (more commonly, if less accurately, referred to as "public key") cryptography, the major strength of which involves the handling of keys. Chapter ten raises the issue of randomness, which is vital in the choice of keys, and also talks about the components of the Fortuna system for generating pseudo-random numbers. Prime numbers are explained in chapter eleven, due to their importance in asymmetric cryptography. The venerable Diffie-Hellman algorithm is reviewed, along with the math that makes it work, in chapter twelve. (If you want to follow the material all the way, you'll have to be good at mathematics, but the discussion, while interesting, is not vital to the use of the system.) A similar job is done on RSA in chapter thirteen. Chapter fourteen is entitled an "Introduction to Cryptographic Protocols" but really talks about trust, risk, and more requirements for the secure channel. The high level design of a key negotiation protocol is incrementally developed in chapter fifteen. Implementation issues specific to asymmetric systems are reviewed in chapter sixteen. Part three looks at key management, and various approaches to the problem. Chapter seventeen discusses the use, and risks of using, clocks and time in cryptosystems. The idea of the key server is illustrated by Kerberos in chapter eighteen, but almost no detail is included. A quick introduction to PKI (Public Key Infrastructure) is given in chapter nineteen, followed by a philosophical review of other considerations in twenty, and additional practical concerns in twenty one. (While the division is not unreasonable, these three could, without seriously distorting the book, have been one big chapter.) Storing secrets, important for key and password reliability, is contemplated in chapter twenty two. Part four contains miscellaneous topics, including the futility of standards (twenty three), the questionable utility of patents (twenty four), and the need for involving real experts (twenty five). As noted, this book is not simply another introduction to cryptography. The content is for those involved in the guts of a cryptosystem, and the material provides significant guidance for the concerns of people in that position. copyright Robert M. Slade, 2003 BKPRCCRP.RVW 20030918 firstname.lastname@example.org email@example.com firstname.lastname@example.org victoria.tc.ca/techrev/mnbksc.htm sun.soci.niu.edu/~rslade/secgloss.htm
BKWLSCES.RVW 20031018 "Wireless Security Essentials", Russell Dean Vines, 2002, 0-471-20936-8, U$40.00/C$62.50 %A Russell Dean Vines %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2002 %G 0-471-20936-8 %I John Wiley & Sons, Inc. %O U$40.00/C$62.50 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0471209368/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0471209368/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0471209368/robsladesin03-20 %P 345 p. %T "Wireless Security Essentials" The introduction asserts, as a statement on the rapid pace of technological innovation, that wireless security may have changed between the writing and the publication of the book. It may be an interesting comment on security that the book is still relevant and that wireless security is unchanged in the two years since the book's completion. It may also be a measure of the good job that Vines did on his subject. Part one deals with the foundational aspects of the technology. Chapter one covers computing technology, with a basic but brief look at computer architecture and some network architecture (but mostly protocols). Both wireless LAN and cellular telephone are discussed, but the LAN material predominates. Wireless theory, including radio communication and transmission protocols, is examined in chapter two. The explanations are good: Direct Sequence Spread Spectrum (DSSS) and Frequency Hopping Spread Spectrum (FHSS) are much better than in other related works, although the text could still use some improvement on details such as DSSS chipping and the mapping of bits to the frequency signals. Wireless reality, in chapter three, is an odd mix of the security portions of wireless LAN protocols (except for Bluetooth, which has a number of functions explained in detail), the Infrared Data Association (IrDA), wireless operating systems and devices, and wireless services. Part two covers security essentials. Chapter four outlines security concepts and methodologies in a well-chosen (with the signal exception of cryptography) but not well-structured list. (Given Vines' participation in "The CISSP Prep Guide" [cf. BKCISPPG.RVW] this is not surprising.) According to chapter five, security technology primarily encompasses cryptographic aspects of wireless LAN protocols. There is a very comprehensive examination of a broad range of attacks against wireless devices (Personal Digital Assistant [PDA] viruses, for example) and transmissions (there is an extremely detailed analysis of WEP weaknesses, backed up by even more details in appendices B and C), as well as recommended countermeasures, in chapter six. Although not perfect, this book is an extremely useful guide to the security issues surrounding the use of wireless devices. Of the various books reviewed on the topic of wireless LANs and security, it is the best work seen to date. copyright Robert M. Slade, 2003 BKWLSCES.RVW 20031018 email@example.com firstname.lastname@example.org email@example.com victoria.tc.ca/techrev/mnbksc.htm sun.soci.niu.edu/~rslade/secgloss.htm
In my recent review of "The GSEC Prep Guide" by Mike Chapple, I probably did not sufficiently stress the point that the faults of the book are not necessarily to be imputed to the GSEC program itself. I have been asked by Stephen Northcutt to note that Chapple has no association with SANS, and that Northcutt has (in a review under the book's listing on Amazon.com) noted that the material in Chapple's book does not adequately reflect the breadth of the material tested for in the GSEC exam. firstname.lastname@example.org email@example.com firstname.lastname@example.org victoria.tc.ca/techrev/mnbksc.htm sun.soci.niu.edu/~rslade/secgloss.htm
Please report problems with the web pages to the maintainer