Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
This past year the Internet proved a lucrative haven for phishers, online auction scammers and Nigerians proffering cash-sharing partnerships, according to statistics from the Internet Fraud Complaint Center, which reports it received more than 120,000 online fraud complaints in 2003. That translates to an increase of 60% since 2002, when 75,000 complaints were processed. The Center provides cybercrime victims with a convenient process for filing complaints, which it then analyzes and routes to the appropriate FBI field office or local law enforcement agency for further action. [*The Register*, 29 Dec 2003; NewsScan Daily, 29 Dec 2003] http://www.theregister.co.uk/content/55/34667.html
Both home computer users and corporations use outside testing services to do port scans and vulnerability scans. This testing is performed to verify that expected safeguards are in place, and that configuration changes haven't left the network more open than anticipated. Some are free port scans, like the http://www.grc.com service ShieldsUp, and some port/vulnerability scans cost tens to hundreds of dollars per IP address. The testing is based on the assumptions that, subject to network congestion, packets sent to any port on a network perimeter device will arrive, and that open ports are equally visible from the Internet and from a computer in the building next door. Both of these assumptions are incorrect for some ISPs. What is increasingly occurring is that some ISPs are blocking certain ports from the Internet. Worse, when you inquire, they are incorrectly stating that they are not blocking any ports, and they are making changes without any notification to customers. The same ports are not always blocked between two addresses on the same ISP network. This raises the possibility that a vulnerability test from the Internet will fail to disclose an actual vulnerability, which can be exploited from any address inside the ISP network. I had exactly this situation occur when testing a vulnerability scanning service. Some ISPs have been blocking NetBIOS ports for home networks, such as on cable modems, but could quit blocking ports if asked, on an individual connection basis. This was to assist home users with Microsoft operating systems who had no other security. I have been told by two ISPs that blocking is implemented in their routers or "core router" and cannot be changed for business connections. A search on Google indicates that some ISPs are blocking a number of ports, not just NetBIOS, primarily in response to recent network worms. In order to use a vulnerability scanning service, companies will be forced to check for ISP port blocking just at the outside of their firewalls, with the further problem that the results are subject to unannounced change at any time. This will lower the benefit of frequent periodic testing. Charles Preston, Information Integrity
The biometrics industry — spurred on by heightened terrorist concerns -- has rolled out a variety of new ways to identify people, ranging from retina and iris scans to mapping voice patterns or walking styles, but there's a clear winner among the competing technologies — the old-fashioned fingerprint. "They are looking for proven technology that's stable and familiar," says Joseph J. Atick, CEO of biometric firm Identix. "It's not about technology. It's about lowering your deployment risk." But these aren't your father's fingerprints — today's equipment does away with messy ink in favor of digital records, created by software when fingers are pressed against an electronic pad or sensitive photoplate. And often as not, the fingerprints are then combined with some other form of biometric ID, such as facial recognition. Meanwhile, growing use of passports, drivers' licenses and employment ID cards embedded with ID-data microchips is spawning a new business for data processing giants such as IBM, Unisys and Siemens. "The technology (to integrate ID data with public records) is advancing rapidly. The big growth will be in 2005 and 2006," says a Unisys official. [*The New York Times*, 29 Dec 2003; NewsScan Daily, 29 Dec 2003] http://partners.nytimes.com/2003/12/29/business/media/29face.html
I live in the UK and my parents live in the USA. Every year, at Christmas, I send them a parcel containing food items that are hard or impossible to get in the USA, or are prohibitively expensive there. (Apologies if any of this takes on the attributes of a rant. I find it difficult to talk about this rationally.) I find that as of 12th Dec 2004, any food items mailed to the US have to be pre-registered with the FDA. From the Web site http://www.cfsan.fda.gov/~dms/fsbtact.html: "Nearly 20% of all imports into the U.S. are food and food products. In 2002 Congress passed the Bioterrorism Act as a part of its ongoing effort to combat terrorism - in this instance, by reducing the ability for international terrorists to carry out terrorist attacks in the U.S. by contaminating imported foods." Now for the rant bit. I can appreciate that the US Government wants to protect the food supply against bio-terrorism, but what in the name of Ghod do they think this is going to achieve? Were I a bio-terrorist, about to ship a boxful of Ebola contaminated sausage to the USA, would I register it on the FDA site? Or would I write "Books" on the Customs form and send it anyway? And that brings me to the registration process itself, in order that I might legally send Christmas Cake, Christmas Pudding and Marmite (*) to my poor deprived parents. At least I can do it online (see http://www.cfsan.fda.gov/~pn/pnoview.html). But do I have to register at all? "Private residences of individuals" are excluded. Why? My box of Ebola could just as easily come from my kitchen as from the local sausage plant. And if I'm a terrorist (which I'm not), again I ask, why would I register at all? And if I do register (which I haven't), why threaten me with US law (which the site repeatedly does.) I know the US Government struggles with the concept of extra-terratoriality In short, what is the point of this? Other than make-work for Government employees. Still, at least the website works with Mozilla. I guess I should be thankful for small mercies. "Something must be done. This is something. Therefore we will do it." (* Yes, I know Americans regard Marmite as a bioweapon, but it isn't. Honestly.)
In support of Don Norman's posting Proper understanding of "The Human Factor", I would recommend a 1999 Institute of Medicine report which makes pretty much the same argument about medical errors. It points out that one consequence of taking an approach which blames the person, rather than the system, is that the information needed to fix the system is suppressed! To quote from the report: "One of the report's main conclusions is that the majority of medical errors do not result from individual recklessness or the actions of a particular group--this is not a "bad apple" problem. More commonly, errors are caused by faulty systems, processes, and conditions that lead people to make mistakes or fail to prevent them. For example, stocking patient-care units in hospitals with certain full-strength drugs, even though they are toxic unless diluted, has resulted in deadly mistakes." The report is at: http://www.iom.edu/includes/DBFile.asp?id=4117
E-voting firm reports computer break-in Federal authorities investigating VoteHere intrusion MSNBC.COM EXCLUSIVE By Alan Boyle, Science editor http://www.msnbc.msn.com/id/3825143 A company developing encryption-based software for secure electronic voting has itself become the victim of a computer break-in, the company's top executive told MSNBC.com. Federal authorities have confirmed that the incident is under investigation. The intrusion into Bellevue-based VoteHere's corporate network occurred in October, said Jim Adler, VoteHere's founder, president and chief executive officer. No suspects have yet been named, but Adler said his company, in cooperation with investigators, had developed substantial information about the source of the intrusion over the past two months. "We feel that it may have been politically motivated," Adler said. Adler's revelation came amid a deepening debate over e-voting and its vulnerability to election fraud — and a controversy over surreptitious methods to get information about how e-voting software works. [Another report indicates they know who the culprit is. PGN]
> .. I feel that privacy concerns should not eliminate the public > availability of what have traditionally been public records. Sounds very similar to the "shut up and get used to it" response I got from a Provincial Legislative Committee (chaired by Barry Jones) in my province. Rather than giving it up as hopeless, I continued to lobby and to make various interest groups (such as Doctor's professional associations, battered women's shelters, rape relief centers, police associations, etc.) aware of the issues and the evidence of voter list abuse. During the election which got Mr. Jones into office, one campaign office reported that the only thing stolen during a break-in was the CD copy of the voter list. The computers and all the office equipment were left. I also provided them with copies of documents I obtained after suing "Datex Services", a Vancouver-based junk-mailing-for hire outfit. Those invoices showed Datex purchasing a copy of the "geographic alpha sort" fiche copy of the voter list, 2 days before provincial legislation declaring such uses illegal was proclaimed. While I had him in front of a Judge, Mr. Vandersteldt of Datex stated that if he was denied access to voter lists for junk mailing purposes, he would simply create a fringe party to obtain a "free" copy. That seemed to get some attention. Next thing I knew, both the provincial election act and the municipal act had been amended to allow voters to have their addresses suppresed, even from routine access by elections branch staff. The amended legislation authorizes seeding voter lists with fake names to allow abuse of the personal information to be detected. My wife and I chose to opt out of the "motor voter" program which uses driver licence and vehicle registration changes of address to update the voter list. I got a bit of a hassle from a young poll clerk the last time I showed up to vote, but an older clerk she consulted informed her that it is now quite common to be on a voter list without an address. Election staff have wide discretion to suppress addresses. Shortly after the legislative change the Municipal Clerk for Squamish suppressed the address of every voter when a man with a history of violence ran, apparently seeking non-published addresses of people he was stalking. The severance was upheld by the Office of the Information and Privacy Commissioner. http://www.oipc.bc.ca/orders/Order69.html
I always find these discussions about voting systems fascinating, mainly because my experience is so utterly different to what gets discussed. Here in Australia, elections are managed by the AEC, an independent federal statutory body with no links to any political party. (Their website at http://www.aec.gov.au/ covers the whole process in great detail). We don't use mechanical or electronic voting machines. The same standard applies in all electorates across the country. We vote by ranking candidates in order of preference, by writing numbers in pencil in boxes on paper ballots, which are later counted by hand. Voting in elections at all levels of government (local, state, federal) is mandatory for every citizen over the age of 18. If you don't vote, you get fined about $20, unless you have a very good reason. We have almost 13 million voters who vote in over 8000 polling places spread across a country roughly the size of the continental United States, and we still usually get most results reported within a few hours of the polls closing at 6pm on election Saturday. As a computer engineer, I'm astounded at the idea that relying on a private company using proprietary software running on consumer-grade operating systems without a paper trail could even be considered as a reasonable way to run an election. To my mind, if you're going to have a computerised voting system, it 1) must have specifications, source code, test procedures & results publicly available & open to rigourous scrutiny, 2) must use secured, tamper-resistant machines with stable operating systems in known & authorised configurations (I'm thinking some minimalist variety of BSD or Linux so that the underlying operating system source code can also be publicly available for inspection), 3) must give voters tangible evidence that their vote has been cast as they intended (a printed human & machine readable "vote card" which gets checked by the voter then placed in a ballot box), 4) must link these "vote cards" back to the electronic vote (via an anonymous ID such as a serial number) so that they can be routinely cross-checked during counting to confirm that the electronic votes match the printed votes exactly, and 5) must provide extensive audit trails & logging to ensure that any necessary post-vote inspections & verifications can be confidently carried out. Without at least that (and probably a whole lot more I haven't thought through yet), there's no way you can honestly be comfortable that your votes are reasonably safe from fraud, election rigging, or simply incompetence in counting.
I've recently posted an essay on electronic voting online, looking at some of the social and cultural aspects of the issue, and examining the implementation in Ireland. In short, the rush to prove how 'cutting edge' the Irish economy is has led to the unnecessary adoption of a system that has serious flaws (no independent audit trail) and that may be of more harm than benefit to Irish democracy. It may be of interest to some readers. http://funferal.org/mt-archive/000455.html Andrew o' Baoill PhD student, Institute of Communications Research, University of Illinois andrew@funferal.org / +1-217-332-3263 / http://funferal.org
Ironically, the best antidote to PowerPoint may be a guide to technical
writing that was published by NASA many years ago, and can still be
downloaded from NASA's own servers:
http://techreports.larc.nasa.gov/ltrs/1964-cit.html
That page is a link to this file:
http://techreports.larc.nasa.gov/ltrs/PDF/NASA-64-sp7010.pdf
"Clarity in Technical Reporting" by S. Katzoff was written in 1955 and
circulated informally at NASA's Langley Research Center. Popular demand led
NASA to publish it officially in 1964. The PDF file on the web is a scan of
a copy that was printed in 1973.
The first 16 pages are about written reports, the last 9 pages are about
verbal presentations. The author assumes that the slides will be charts and
graphs, not bullet points.
Of course this doesn't solve the real problem at NASA, which is that people
didn't want to talk about the bad news. Tufte's anti-PowerPoint document
calls the NASA presentation "an exercise in misdirection", which implies
that it was done that way on purpose.
[A response by Lauren Weinstein to this subject on Dave Farber's IP had
this message, added here by PGN:
An interesting point is that the 1-inch recorder and the related sensor
array was installed ONLY on Columbia. As the first operational shuttle,
it had been outfitted with masses of sensors (and the tape system) that
later shuttles didn't have. Luckily, they kept running the system
instead of pulling it out or shutting it down, even 20+ years later...
otherwise much of that data would have been unavailable.
It staggers the mind to think that that data tape (and the camcorder
tape that apparently was loose from its case) survived at all.]
>... Specifically, WYSIWYG systems lead to a focus by the user on >appearance, not on structure or content. To say nothing of management who emphasize appearance, not content.
I worked for a time in an engineering department of a power company. The vice president in charge of engineering forbade the use of any PowerPoint presentation in any meeting he headed. His argument was economic: he didn't want his engineers wasting time and the company's money making pretty presentations when they should be engineering.
> all railroad cars should be required to have reflectors (or reflective > paint) on the sides. They already do here in the US. All freight cars have reporting marks, which are read via optical readers. These are painted in highly visible reflective white on black for machine reading. Taggers in the 'hood have figured out that if you don't paint over those marks, the RR doesn't have to repaint the car, and the artwork lasts till the next scheduled paint job. Selling ad space on the sides of cars is of limited use, none to the rail car leasing companies, or the rail road, and you sure wouldn't want a railcar advertising your competition sitting on your rail spur. [A sampling of other responses follows. PGN]
"A friend once told me that in the Great Plains there are many accidents of this sort each year. Most crossings are completely unguarded, and at night a train on an unlit level crossing is almost completely invisible." Ah, statistics and word of mouth. I work on a couple of preserved steam locomotives, so maybe I can give a slightly different perspective. I'll call this "John's Ten Steps to Enlightenment", and will let the reader determine whether the reasoning is sound or not. 1) In Canada, and I presume in the USA, it is my understanding that at a crossing without gates, a car driver must stop, look, listen, then proceed. 2) Which, if my understanding is correct, leads me to wonder about the type of people who do not follow these rules; so: 3) A quick web search brings to light this *very* interesting web page: http://www.rrc.state.tx.us/divisions/rail/vtstats.html 4) and looking at the "By Gender" column shows that, in this survey, by far, males are the ones that are getting killed driving through crossings. Which brings up: 5) a recent unprotected crossing accident in Southern Ontario where the police have indicated that impact was at 180km/h, and brakes were applied by the car driver when the car was doing 240 km/h. (references can be found again, I have not bothered, because this is an example reference, not a specific one) 6) maximum speed on roads in North America is, what, 65mph in some states? 100km/h in Canada? 7) young male drivers have very, very high insurance premiums, as inferred from talking to colleagues with male teens in their house. 8) all recent automobiles have computer controlled engines, 9) leading me to wonder if it is not the lack of paint on trains that is killing males at grade crossings, but the speed that cars travel at; 10) bringing me to the conclusions that: 1) paint is not going to make much difference, at all; and 2) cars have the technology to restrict speed, it should be mandated so.
Don't they have signs that say "RR Crossing"? [...] Railroad crossings are a good example of the "adverse operator" environment discussed earlier in RISKS postings. Even crossings with full gates have collisions from time to time, because of motorists deliberately "sneaking around" the gate when it is down. Every intercity bus I've ever been on always stops before going through a grade-level railroad crossing. This is because the bus drivers have been properly trained and understand the consequences of making even the slightest mistake when crossing railroad tracks (especially if they're caught, they could lose both their bus driver's license and therefore their livelihood). I don't know how often buses collide with railroad trains, but I suspect it is very, very, infrequently.
Then simply place the reflective markers on the far side of the crossing, facing across the tracks and *through* the train. Or place them at track level, beside or between the rails. In either case, the view of the reflectors will be regularly interrupted either by the body of the rail car or by the wheels. The overall effect will be that of a flashing light in the driver's view; this should be more likely to attract attention than the dark train. This has a couple of other advantages. The solution is easily scalable, in that it can be deployed almost instantly at the most problematic crossovers. Furthermore, the rail owner of a crossing is not on the move across the country, and may be more amenable to local pressure to take action to make their crossings safer when presented with an easy and low-cst solution.
I would have thought that a better solution would be for drivers to look where they are going. Certainly when I am driving, I can see walls and hedges and trees when they leap out in front of me. I am quite sure that I would be able to see large moving metal objects in front of me. Lord Protector David Cantrell | http://www.cantrell.org.uk/david
Regarding Geoff Kuenning's suggestion of attaching reflective markings to the sides of trains to prevent collisions... I wonder if the railroads who are against any such regulation have ever considered the cost of the damage from the vehicles that hit the trains. Perhaps they did make sure that regulation was in place that completely absolved them of all liability in those types of accidents, so their cost is zero?
This is an old issue, and does not apply just to "illegally modified transceivers". I used to own a car whose engine management crashed when an entirely legal amateur radio 70cms handheld was operated inside the vehicle. And with the pressure from governments to exploit bandwidth, the continuing rush to 'wireless everything' and the lack of analogue skills among todays electronic engineers, I can only see the problem getting worse.
Please report problems with the web pages to the maintainer