Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Network vandals have infiltrated supercomputers at as many as 20 colleges, universities and research institutions in recent weeks, disrupting the TeraGrid, a network of computers funded by the National Science Foundation and used in support of such scientific projects as weather forecasting and genome sequencing. The vandals have not been identified. None of the systems was permanently damaged, but the intruders gained the ability to control the various networks for short periods of time, prompting TruSecure security expert Russ Cooper to warn, "This could be a wake-up call to what should be very, very secure computing environments, because these machines should never have been compromised." The attacks were made against Unix machines. Stanford University computer security officer Tina Bird comments: "This incident is definitely giving us an opportunity to reevaluate the maintenance and protection we provide to our Unix systems. When you're completely focused on widespread attacks on Windows systems, it's certainly startling." [*The Washington Post*, 13 Apr 2004; NewsScan Daily, 14 Apr 2004] <http://www.washingtonpost.com/wp-dyn/articles/A8995-2004Apr13.html>
At a recent workshop one of the authors presented his latest insights in seasonal predictability using his laptop connected to the beamer - not unusual. However, he was not aware that his computer also surreptitiously connected itself to the wireless network of the university, and worse, that it had determined that it was vulnerable to attack! So, suddenly a notice propped up, informing him that the latest Windows update had been installed successfully, that a reboot was necessary, and and asking him whether he would like to reboot now. The only option available was [Yes], and a timer announced it would reboot anyway within three minutes. Rushing through his conclusions he just finished his presentation before this unexpected deadline. Geert Jan van Oldenborgh <http://www.knmi.nl/~oldenbor>
Source: Sarah Huntley, *Rocky Mountain News*, 2 Feb 2004, starkly PGN-ed] Angel Eck, driving a 1997 Pontiac Sunfire found her car racing at high speed and accelerating on Interstate 70 for 45 minutes, heading toward Denver -- with no effect from trying the brakes, shifting to neutral, and shutting off the ignition. To make a long story short, she eventually gained cell-phone coverage and called a co-worker airliner mechanic, whose suggestions failed but who then had another colleague call 911. Recalling a 1980s CHiPs TV show, police then cleared the highway into Denver, and while she was going 80 mph, a cruiser was positioned just in front of her and — after a light initial impact — eventually brought her car to a halt. The car was awaiting review by a GM rep to see what caused the malfunction.
I recently received a typical phishing scam. I'm reproducing the poorly done (NB: by SRI's MTA) Received: headers below. Received: from localhost (HELO mailgate-external1.SRI.COM) (127.0.0.1) by mailgate-external1.sri.com with SMTP; 11 Apr 2004 14:31:00 -0000 Received: from ibank.barclays.co.uk ([126.96.36.199]) by mailgate-external1.SRI.COM (SAVSMTP 188.8.131.52) with SMTP id M2004041107305827172 for <DDean@CSL.sri.com>; Sun, 11 Apr 2004 07:30:59 -0700 As I'm not a Barclays customer (how many Americans are?), I wasn't fooled for a minute. But note the last Received: header. Ibank.barclays.co.uk has 2 IP addresses: 184.108.40.206 and 220.127.116.11. An inverse lookup on 18.104.22.168 yields catv-50623f6e.catv.broadband.hu. I included the 2nd header so you can see what things should look like. Why it didn't note the mismatch between claimed domain and and inverse IP mapping is beyond me. RISK: If someone was trying to determine the legitimacy of this message and looked at the Received: headers, nothing appears to be wrong. (Anyone sophisticated enough to look at headers hopefully won't fall for a phishing scam, but that's another story.) Drew Dean, Computer Science Laboratory, SRI International
I used an ATM the other day which had been upgraded with a new touchscreen system. Judging by the UI and the design of its overlaid peripatetic mouse pointer, the underlying OS is an elderly MS-Windows variant. It was very slow to repaint the screen, and made no acknowledgement of touchscreen input whatsoever, leading to me stabbing at the touchscreen repeatedly with my finger. There was no fallback to choose options from the keypad instead of the touchscreen. I noticed that the alignment between where I touched and where the mouse pointer would gravitiate to on the screen was quite a bit off. When I finally got to the screen for choosing the amount of money to withdraw, I stabbed 7 or 8 times at the $100 button. After some delay, and still no on-screen acknowledgement, the machine dispensed $70 - just as I was about to explode, there followed a receipt for the same amount, proving at least that it could count. I looked up, and suddenly I understood why the UI was so horrible - there before me was a little badge that said "Diebold ix". The issues had it been a voting machine I leave to the reader. David Crooke, Chief Technology Officer, Convio Inc. 11921 N Mopac Expy, Austin TX 78759 1-512-652 2600
The latest "Reality Reset" satire column explores the potential for manipulation of hi-tech voting systems (touch-screen voting, Internet voting, etc.). It's in the form of a "progress report" titled: "Global Domination Via Voting Manipulation" and resides at: <http://www.vortex.com/reality/2004-04-16> Unfortunately, the technological scenario it postulates is far from impossible. Lauren Weinstein firstname.lastname@example.org email@example.com Tel: +1 (818) 225-2800 http://www.pfir.org/lauren http://www.pfir.org http://www.factsquad.org
Former anti-piracy 'bag man' turns on DirecTV By Kevin Poulsen, SecurityFocus, 16 Apr 2004 A one-time enforcer in DirecTV's anti-piracy campaign is suing his ex-employer for wrongful discharge, after he allegedly resigned rather than continue to prosecute the company's controversial war against buyers of hacker-friendly smart card equipment. John Fisher, a former police officer, alleges in a complaint filed in Los Angeles County Court late last month that he joined DirecTV as a senior investigator in July, 2002, expecting to serve a legitimate investigative role tracking signal pirates. He wound up instead "as little better than a 'bag man for the mob,'" the lawsuit claims. He's seeking unspecified damages, and an end to DirecTV's tactics. At issue is DirecTV's end-user campaign, aimed at shutting down and collecting money from TV watchers who use smart card programmers and other equipment to get free or expanded satellite TV service. Because there's no way to trace people who are passively receiving DirecTV's signal, the company turned to a strategy of physically raiding equipment sellers that cater to pirates, using the authority of the Digital Millennium Copyright Act. The company then sends out threatening letters to everyone on the seized customer lists. ... <http://www.securityfocus.com/news/8472>
I have access to the press-only section of the website for a particular company. As one would expect, it requires a login and password assigned by the manufacturer and given only to people with appropriate press credentials or equivalents. The login combination I received from them was pretty cryptic and hard to guess. They have recently added a new feature to update your profile online. One of the fields on the form — inside a colored box marked Admin Only — is a drop-down selector for the login. Naturally, some programmer foolishly populated it with their entire database of authorized logins. The supposed protection to keep one authorized user from selecting the login of another is implemented with client-side JAVA Script that pops up a message and resets the field to its original value. The RISKS are pretty obvious. By merely selecting View/Source in your browser, you have access to a list of all their authorized logins. But even worse, since the 'security' on this field is implemented in client-side code, all one has to do is turn JAVA Script off in the browser and then there are likely no restrictions to overwriting the profile of any other authorized user. Oh, and one of their authorized logins is 'x' — I wonder if the password to that one would be hard to guess?
I work at the UW business school and we have been recording, editing and producing video for instructional use for over two years. Recently all of our video equipment failed connecting thru our firewire/1394 cables. We found only one explanation for this failure, one cable was connected in reverse to our dell workstation(with front 1394 connectors). From this evidence, we surmised that switching the cable at one end would put power to data lines and data to power lines. This affected all our equipment like a virus, we had a few key components that failed and put our video production to an abrupt halt. Consulting with our IT group and other video production areas as the UW brought no help. We've sent our minidv/vhs vcr to the shop for repair, they estimate a 600 dollar repair bill with new motherboard etc.. Our cameras (2) are now reduced to s-video or composite use. Last year our vcr also broke and required a 600 dollar repair in california. Our dell computer 1394 interface card still has weak protection against installing this cable backwards. Why is the firewire technology so fragile? This technology needs solid re-engineering. Ron Erwin, Business School, University of Washington Ethnic Cultural Center 543-4635 Business School Technology Center 616-9049
I'm British and I live in England. I've had the extreme misfortune of recently having to fill in my income tax declaration. There is a Government web-site, www.inland-revenue.gov.uk, which does it's best to hide contact information from you, but nevertheless from which I finally managed to find a page where I can search for local tax offices, from whom I can obtain advice filling in aforementioned tax form from hell. To find your local tax offices, there is a form into which you can enter your post code (zip code to you American types). Now things get interesting. This form returns a page which contains a map centered on your postcode and a table containing the details (address, phone, distance to, etc) of your nearest few tax offices. This page, with the map and table, actually comes from www.multimap.com, who have a custom interface for the Inland Revenue. Now, the problem is this; when you view the page in IE, it looks fine. When you view the page in Mozilla, the font for the table contents is *minute*. One or two pixels per character. Now, there's no reason for this at all. Table contents are *not* hard to get right and there's no reason for this to be browser dependent. So, I felt annoyed about this, so I contacted Inland Revenue and told them about the problem. This was six months ago. I had to look at the page again recently, still the same problem. I contacted Inland Revenue again. This time I received a response; to wit, the site is IE only, and that this is a browser issue, so nothing is going to be done. I was not happy about this, because given the nature of the fault, I felt it was a case of bad or lazy programming rather than and genuine browser dependency. So I examined the page closely and found the bug. The DOCTYPE for the page is; <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.1 Transitional//EN"> This is interesting, because this *is* no HTML 4.1. The final HTML version was 4.01, release in 1998. The consequence of this is that Mozilla renders the page in Mozilla-mode, rather than in IE-compatability-mode. When the DOCTYPE is corrected, to; <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> Mozilla renders the page correctly. There are a number of issues here. 1. Developer mind-set; thinking "IE-only" and attributing, without investigation, all bugs in other browsers to the fact they are not IE. In fact, making a site multi-browser is an excellent way of achieving robustness, since different browsers will highlight different errors in your code. 2. Browsers providing minimal feedback for page errors and very generously rendering broken HTML. If a browser supports broken HTML, given the quality of the mass of page writers, broken HTML will become the norm. 3. DOCTYPE syntax being sensitive, high-impact and both silent and non-obvious as the cause, in failure.
Radioactive prostate sets off security alert Margaret Munro, CanWest News Service, 13 Apr 2004 In an unexpected and embarrassing complication from prostate cancer therapy, a Canadian was recently pulled aside by guards at a major airport and interrogated after radioactive "seeds" near his private parts set off security alarms. The man, who frequently travels to the U.S., was passing through customs at an international airport late last year when he was approached by a guard, according to a report on the incident in the Canadian Medical Association Journal today. "He was taken into a separate room where he was asked to stand against the wall and refrain from speaking while workers examined his luggage," says the report by Hamilton doctors involved in his treatment. "Eventually, he was asked why he kept setting off the radiation detector." The man explained it might have something to do with the radioactive iodine "seeds" implanted in his prostate gland, which is tucked inside the body under the penis. The seeds emit radiation and are implanted to kill cancerous cells. "The agents had not heard of such a procedure and called for their superior. Fortunately, the superior's brother-in-law had recently undergone an implantation procedure, and our patient was immediately released," report doctors Ian Dayes, Jink Sathya and Ian Davis at the Hamilton Health Sciences Centre. The amount of radiation leaking from the seeds is "minute," say the doctors, who have never heard of a patient setting off security alarms at an airport before. They believe the episode "probably occurred because of the use of increasingly sensitive radiation detection devices, especially in relation to the recent Code Orange security status invoked in the United States." Hamilton doctors now provide a letter to patients undergoing the radioactive seed implantation which they can show to security agents. The Edmonton Journal 2004 firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Andrew Watkins' article on the Greenwich Time Signal reminds me of another technology-induced risk with the pips. The digital broadcasts of the time signal on DAB (Digital Audio Broadcasting) and Freeview are no longer accurate, due to the delays introduced by compression at the BBC and decompression at the receiver. So you might be setting your clocks about one second slow using the latest technology. The BBC confirm this on http://news.bbc.co.uk/1/hi/magazine/3462079.stm
> Date: Sat, 10 Apr 2004 09:15:04 -0400 > From: Adam Shostack <email@example.com> > Subject: Radar guns, again > > [Suppose they had put a bounds check that was somewhat greater than > maximum that any vehicle was capable of attaining, thus preventing the > system from issuing tickets for such obviously ridiculous speeds. But the even scarier possibility is that they 'fix' it by merely capping the maximum, so an obviously false data reading of 3000 MPH gets translated into a 'reasonable' maximum of 120MPH — for which the automated ticket is written. Then it becomes phenomenally harder for the driver to prove he wasn't driving that speed. In effect, the system would be masking clearly erroneous data by translating it into seemingly valid data.
On Apr 15, 2004, at 06:39 PM, Adam Shostack wrote: > A Belgian motorist received a speeding ticket for traveling in his > Mini at three times the speed of sound. A few months ago, I was pulled over when I was driving home from a motorsports event. The vehicle I was driving was a fully-prepared Subaru Impreza rally car, complete with SCCA ClubRally graphics, roll cage, composite seats, 6-point harnesses, and coilover suspension that's worth more than the chassis. What was I pulled over for? 137 MPH in a 65 MPH zone while traveling in a pack of traffic. Riiight. I fully admit that I (along with everyone else) was going a little faster than I should have but, after giving me the third degree because I should "know better", the officer insisted that his radar was correct and he would be citing me for reckless endangerment. As calmly as I could, I informed him that the ECU of my vehicle hard limited me to around 115 MPH, and that I'd be more than happy to fight the ticket with the assistance of my factory service manual that listed the exact full cutoff speed. He stuck to his guns. I stuck to my guns. Eventually, logic got the better of him as he admitted that it was highly unlikely that the two or three cars in front of and behind me were also traveling at 137 MPH. Especially since it took him less than a mile to catch up to me from a dead stop on the side of the road. I got away with a warning. ;) The kicker? Seconds after letting me go and pulling around me into traffic, he painted someone else and pulled them over...knowing full well that his radar gun was throwing less than accurate readings.
RISKS-23.32 mentioned the mini that was clocked by radar at mach 3. Someone once said something like, "The thirteenth strike of a clock is not only obviously wrong, but it throws great doubt upon the previous 12." How many of the tickets generated were for believable speeds, but were bogus nonetheless? The risk of NOT sending out a mach 3 speeding ticket is that the general public would not have proof that the radars could be wildly mistaken.
I extract briefly from a 1996 paper as it seems that business AND Educational institutions and State Government units are ignoring the laws/policies that cover accessibility to their web sites. They are therefore are risking their Federal Funding or are risking being sued for their 'violation' of the rights of the disabled. The US Federal Government has Section 508 requirements, and the W3C has its accessibility standards. [Note: Australia's Federal Government has legislated the W3C standards into its own requirements re Web Site accessibility, and Canada has a similar set of requirements. I believe EVERY US State has these requirements on their books as well, but there MAY be some that have ignored the issue. 1996 paper and extract http://www.icdri.org/CynthiaW/applying_the_ada_to_the_internet.htm United States Department of Justice Policy Ruling, 9/9/96: ADA Accessibility Requirements Apply to Internet Web Pages: "The policy ruling states that ADA Titles II and III require State and local governments and the business sector to provide effective communication whenever they communicate through the Internet. The effective communication rule applies to covered entities using the Internet for communications regarding their programs, goods or services since they must be prepared to offer those communications via an accessible medium... Applying the ADA to the Internet: A Web Accessibility Standard Therefore, as government and businesses increasingly depend on the convenience of the Internet as a vehicle for programs, goods or services, the more it is important that accessible web design be addressed. Accessible web design enables effective communication and saves government resources since documents can be readily available, requests for ADA Alternate Document Formats can be satisfied, and Internet/Intranet access for employees with disabilities can be provided." [End of Extract] I have found that these requirements are ignored far more than they are met. While the business sector is specifically named in the policy from 1996 above, business seems NOT to know that. Instead they seem to feel the rules only apply to Federal Government web sites. In addition, there are rules clearly applying to ALL universities receiving Federal Funding in the United States, but not all schools of higher learning meet them. They apply to the State Government agencies, but I have found them not being met by one US state's Office of the CIO, Governor's Office web site. This office is now aware that they fail, and I will not name the state. I tested the web page for Peter G. Neumann at SRI and it failed at W3C Priority 2, when I used Cynthia to do a quick test. Verified File Name: http://www.csl.sri.com/users/neumann/neumann.html Date and Time: 4/15/2004 11:14:25 PM Failed Automated Verification I tested the entry page for the University of Southern California, and it too failed at W3C Priority 2 Verified File Name: http://www.usc.edu/ Date and Time: 4/15/2004 11:19:57 PM Failed Automated Verification I tested Firstgov.gov and IT passed: Verified File Name: http://firstgov.gov/ Date and Time: 4/15/2004 11:57:34 PM Passed Automated Verification BUT the National Transportation Safety Bureau failed! Verified File Name: http://www.ntsb.gov/ Date and Time: 4/16/2004 12:00:51 AM Failed Automated Verification http://www.cde.ca.gov/webstandards/access/ specifically discusses the requirements from the California Department of Education and require USC to meet all W3C priority 1, 2 and 3 accessibility rules. To sum up, the vast majority of web page I have tested in the United States have failed to meet US requirements for accessibility. There are both legal and societal risks in failing to accommodate the visually disabled. I leave it to those responsible for web sites to address the issue, and to PAY for fixing their problems. There is a risk that few in the US even know of these requirements. http://www.access-board.gov/sec508/508standards.htm is clearly limited to the Federal Government itself. However, some US States have legislated so that it applies at the state level as well. Various states have legislated W3C into their own accessibility requirements in addition to 508 or instead of 508. This has been done at different levels of W3C priority application and the coverage varies widely re the state's business and businesses. Therefore one needs to find out the laws that specifically apply to their own web site and web pages. Even if NO law applies, it likely is a good idea to meet the needs of the disabled. Over 20% of the population in the US and in Canada is suffering from some from of visual disability, from simply being near or far sighted to being color blind to being totally blind, or having macular degeneration, etc. Check with your own lawyer, but keep in mind that (s)he may not have any idea of the issue or the laws that apply, and may have a web site that also violates the rules. Tests can be run at http://www.cynthiasays.com/ or other sites if anyone is interested. My signature below shows I have a vested interest in the subject. I also admit that it is NOT a popular topic with webmasters. A reminder: if anyone suspects their site does NOT meet the requirements, have an INDEPENDENT auditor or expert do the testing. The web site maintainers and designers do NOT make good checkers of the web site they designed or work on.
Please report problems with the web pages to the maintainer