Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
http://news.yahoo.com/news?tmpl=story&cid=509&u=/ap/20040501/ap_on_bi_ge/delta_computers&printer=1 A computer glitch kept Atlanta-bound Delta Air Lines flights on the ground for about two hours Saturday, but the company was gradually restoring service to its main hub. http://news.yahoo.com/news?tmpl=story&cid=562&u=/ap/20040502/ap_on_hi_te/delta_computers&printer=1 Delta told the Federal Aviation Administration it had a problem with dispatch computers, which calculate weight and balance and handle information related to preparation for flight, plus gate information, FAA spokeswoman Kathleen Bergen said. Sounds reassuring.
For taxpayers who do not owe Alternative Minimum Tax (AMT), but may have sufficient items on their tax returns to require the preparation of Form 6251, TurboTax when using the electronic filing option does not send the Form 6251. This has prompted refund delays and letters from the IRS requesting the Form 6251 to be faxed or mailed. The number of taxpayers that have this problem is not known, but may be significant. Richard Mason, Assistant Professor, MAcc Program Director, University of Nevada, Reno, College of Business Administration Reno, NV 89557 1-775-784-6886
[Source: Kim Zetter, wired.com, 30 Apr 2004] California Secretary of State Kevin Shelley ended five months of speculation and announced on 30 Apr 2004 that he was decertifying all electronic touch-screen voting machines in the state due to security concerns and lack of voter confidence. He also said that he was passing along evidence to the state's attorney general to bring criminal and civil charges against voting-machine-maker Diebold Election Systems for fraud. "We will not tolerate deceitful tactics as engaged in by Diebold and we must send a clear and compelling message to the rest of the industry: Don't try to pull a fast one on the voters of California because there will be consequences if you do," he said. Shelley said the ban on touch-screen machines would stay in effect unless and until specific security measures could be put in place to safeguard the November vote. http://www.wired.com/news/evote/0,2645,63298,00.html
The Government has been forced to make an embarrassing U-turn on its electronic voting plans. Environment Minister Martin Cullen issued a statement saying that plans to introduce electronic voting in all constituencies for the local and European elections this June were being scrapped, after the independent Electronic Voting Commission said the system was open to potential interference and its accuracy could not be guaranteed, and said it could not recommend the introduction of such a system. [Source: PGN-ed from 30 Apr 2004 item] http://212.2.162.45/news/story.asp?j=125409434&p=yz54yxz97&n=125410377
[Source: CityRail gremlin could strike any day, Joseph Kerr, Transport Reporter, *Sydney Morning Herald*, 3 May 2004: PGN-ed] http://www.smh.com.au/articles/2004/05/02/1083436476114.html A mysterious computer software glitch halted half of Sydney's rail fleet on 2 May 2004. Rail officials admit they do not know what caused the breakdown in the system that keeps train drivers connected through a radio network, but it left as many as 50,000 of the usual 300,000 Sunday train travellers stranded for up to two hours. While the computer network was fixed by 1.50pm, the gremlin wasn't found, leaving open the possibility of a repeat performance on any given weekday — when up to 950,000 commuters could be thrown into chaos. The Glenbrook rail disaster inquiry recommended that all trains needed radio communication. According to a CityRail spokeswoman, Jane Lavender, the radios on most suburban trains are connected to a central computer so rail control and other workers can be constantly aware of the location of every train. Red-eyed technicians had worked through Saturday night and much of yesterday to repair the computer fault. But CityRail train drivers arriving at work in the morning found their radios would not communicate properly with central control. Realising this, RailCorp officials decided about 5am to switch to alternative communications: the mobile phones and pagers carried by every train guard. RailCorp's chief executive officer, Vince Graham, admitted it took some time to switch over and this caused train delays, and that the impact would have been much more grave on a weekday. CityRail called in 109 buses to replace the cancelled trains yesterday. It made announcements through the morning calling on passengers to avoid trains if they could, delay their journey or "make their own arrangements". John Colville, Dept of Computer Systems, University of Technology, Sydney, PO Box 123, Broadway NSW Australia 2007 +61-2-9514-1854 colville@it.uts.edu.au
The American Civil Liberties Union disclosed on 28 Apr 2004 that it filed a lawsuit on 6 Apr 2004 challenging the FBI's methods of obtaining many business records, but the group was barred from revealing even the existence of the case until now, to avoid violating secrecy rules contained in the USA Patriot Act. The ACLU was allowed to release a redacted version of the lawsuit only after weeks of negotiations with the government. The ACLU alleges that a section of the act is unconstitutional because it allows the FBI to request financial records and other documents from businesses without a warrant or judicial approval. The group also says such requests are being used much more broadly than they were before the Patriot Act. [Source: Patriot Act Suppresses News Of Challenge to Patriot Act Dan Eggen, *The Washington Post*, 29 Apr 2004 (Page A17); PGN-ed] http://www.washingtonpost.com/wp-dyn/articles/A51423-2004Apr28.html
Given the attention this story has been commanding in Australia, I was surprised to find no record in RISKS. The country is proud of its strictness in enforcing speed rules, sometimes fining motorists for driving one kilometer above the posted limit (however absurd that sounds). The state of Victoria has numerous speed cameras. Last year their accuracy was questioned after reports that a truck with a maximum speed of 140 km/h was caught traveling at 164 km/h, and other similar incidents. After the first such report the Assistant Commissioner said (Melbourne Age, 11 Nov 2003): "There's no evidence to support that any of the other cameras are malfunctioning [...] in any other way," but he later had to change to: "It's embarrassing for everybody... Technology is technology and I think we have had indications where it doesn't say the right thing." The state government then ordered tests of all the cameras in the system, and had to suspend fines from all fixed cameras. According to the Age of 29 April 2004, the problems were supposed to "take six weeks to fix" but: almost six months after the State Government suspended the issuing of fines from Victoria's fixed speed cameras, problems with the cameras are still unresolved [...] A State Government spokesman confirmed yesterday that the 47 fixed cameras were still under review. He was unable to say when the issue would be resolved. More than 40,000 fines notified to motorists have been suspended until the results are in. This represents a total sum of over six million Australian dollars. For details: http://theage.com.au/articles/2004/04/29/1083224516563.html (30 Apr 2004) http://theage.com.au/articles/2004/04/28/1083103551024.html (29 Apr 2004) http://www.theage.com.au/articles/2003/11/10/1068329487082.html?from=storyrhs (11 Nov 2003) Bertrand Meyer ETH Zurich / Eiffel Software http://www.se.inf.ethz.ch — http: //www.eiffel.com
A fast spreading worm known as "Sasser" surfaced over the weekend and is making its way around the globe, warn computer security experts at Finland's F-Secure. The worm shares many characteristics with the Blaster worm that infected hundreds of thousands of PCs last year, says F-Secure antivirus research director Mikko Hypponen, who notes that both worms exploit relatively new holes in the Windows operating system and frequently cause computers to repeatedly reboot. However, this time more companies appear to be ready to take preventive action, which may mitigate Sasser's damage potential. "With Sasser it seems that companies are (using software) patches better and more quickly than last year (with Blaster), but for those that are hit, they are hit hard," says Hypponen, who adds that he believes Sasser originated in Russia. The worm does not need to be activated by double-clicking on an attachment and can strike even if no one is using the PC at the time. [Reuters/*The Washington Post*, 3 May 2004; NewsScan Daily, 3 May 2004] http://www.washingtonpost.com/wp-dyn/articles/A62063-2004May3.html
I was reading up on the Sasser worm this afternoon and came across the following rather interesting recommendation on Symantec's Web site: 2. To disable System Restore (Windows XP) If you are running Windows XP, we recommend that you temporarily turn off System Restore. Windows XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer. Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations. Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat. For instructions on how to turn off System Restore, read your Windows documentation, or "How to turn off or turn on Windows XP System Restore" Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents. Clearly, the "System Restore" feature has not been carefully thought out! Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/
In Australia, RailCorp has dispatched software engineers to find the source of the outage that left up to 300,000 commuters stranded yesterday, saying the new Sasser worm, which has already spawned two variants, is being evaluated as a possible cause. A RailCorp spokesman confirmed that software engineers were investigating the problem, which prevented drivers from talking to signal boxes. A virus attack was one possibility being investigated. RailCorp was unable to confirm when the investigation would be complete. RailCorp chief executive Vince Graham raised the possibility of a virus attack at a press briefing yesterday: "There is no evidence that hacking is an issue here, the viral infection could have been introduced by one of our own people not taking sufficient care." [*The Australian*, 3 May 2004 (Received from John Lamp, Deakin Univ.); NewsScan Daily, 4 May 2004] http://australianit.news.com.au/articles/0,7204,9455677%5E15306%5E%5Enbv%5E,00.html
Our campus just received word of a sophisticated new identity-theft scam: > The other night, a woman was outside Collins Hall offering pre-paid phone > cards and T-shirts to students who filled out and signed a form and let her > take a digital picture of their drivers' licenses. Apparently, when Campus > Safety arrived, she told them she was from the Alumni Association. One > student later pressed her about it and she left, but he believed she had > gotten information (including photos of licenses) from several students by > that point. Wow. Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/
Both the Disaster Recovery Guide and the ISO 17799 Newsletter report a story of a major banking group getting major business continuity issues right, but the small details badly wrong. There's an irony to it somewhere. They had been diligent in spending time and money on their disaster recovery planning operation. Indeed, it went swimmingly well when a gas explosion occurred in their offices on a Sunday afternoon. Recovery from the actual damage was swift, but not from the fall out from, of all things, staff leaving papers and documents on desks! These, which included confidential information on customer accounts, where scattered throughout the streets for days afterwards. The risks of not locking away sensitive materials manifested themselves in a most unexpected and spectacular way. References: http://www.disaster-recovery-guide.com/stories.htm http://www.iso17799-web.com/issue5.htm
As reported by CNN from AP, hybrid vehicles pose special concerns for
accident responders:
http://www.cnn.com/2004/TECH/05/04/hybrid.rescues.ap/index.html
"Chris Peterson, a service training instructor for Toyota, said the Prius'
electric system should shut down if anything goes wrong. 'There should not
be high voltage in those cables, but I'm not going to stand up and say there
isn't,' he said."
Apparently various hybrids run high-voltage power cables through places
rescuers normally use to disassemble vehicles in emergencies, like doors.
Also, there appears to have been no or little thought given to the necessity
to quickly cut power for such purposes — the standard advice noted in the
article is to turn off the key and disconnect the battery, but if you can't
do that, no one seems to have any good ideas besides "watch where you put
that thing."
Can anyone in the audience with auto-engineering experience give an idea of
the extent to which making things easy for rescuers is incorporated into
vehicle design? — Joe
[Joe added a note just as this issue was going out:]
Slashdot picked up the story later this afternoon and in all the discussion,
the following points emerged:
* Many people, some Prius owners and some not, assert that the high-voltage
does not actually run through the doors, but along the frame rails.
* Many people point out that the biggest hazard in hybrid cars is the risk
of delayed airbag detonation while rescuers are cutting apart the car.
This risk exists for modern non-hybrids just as much as hybrids.
The question I ended with, though, still seems relevant in light of that
last point: when designing vehicles, how much, if any, thought is given to
the safety of everyone involved *after* an accident? — Joe
References:
http://slashdot.org/article.pl?sid=04/05/04/1923240&mode=thread&tid=126
http://www.toyota.com/web/vehicles/prius/safety/prius_erg_2.pdf
http://www.gizmodo.com/archives/hybrid-cars-may-send-gods-electrical-wrath-to-punish-oilhating-pinkos-015878.php
[last url split:
http://www.gizmodo.com/archives/hybrid-cars-may-send-gods-
electrical-wrath-to-punish-oilhating-pinkos-015878.php]
The sky is falling! We're all going to die! No, it's not. No, we're not The latest "death of the net" rumour has to do with a recent paper that discusses the fact that something called "session hijacking" can be used to force an end to a specific connection (connected sessions over the Internet use an arrangement called TCP). If the session is ended or disconnected, you will be effectively denied the service you were attempting to obtain. Connected sessions are used for everything from transferring files to connecting to the Internet in special ways to virtual private networks. Sometimes they are used to transfer information between the machines that decide where Internet traffic goes (called routers). If the routers can't keep up to date, the Internet will not be as effective as it should be. So you will have heard that there is a new threat to the Internet, that it is a denial of service attack, that it can disconnect you from the net, that it can kill your sessions, that it affects the routers (and a router protocol called BGP), and that sessions can be hijacked. None of this is new. What is new is a paper that was originally presented in England, caught the attention of the media there, and has spread, kinda like a hoax virus warning, from media outlets to bandwagon jumpers in the security field and back to the media, around the world. Denial of service attacks are not new. Session hijacking is not new. Using TCP resets and session hijacking in combination has not been used in specific attacks before, but all the parts of this attack are well known to people who deal with such things. There are even ways to protect against this attack, and some institutions use them. So, rather than talking about the death of the net, and "The Man Who Saved the Internet": Net not dead, but was coughing up blood last night. Phlegm at 11. rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Florida Attorney General Charlie Christ is suing AT&T, accusing the giant of overcharging for long distance service and billing people who are not even AT&T customers. A week ago Christ issued a consumer alert urging all telephone customers to check their bills carefully for possible billing errors by AT&T. Since the alert was issued, more than 600 Florida residents have contacted Christ's office. Christ is seeking up to $10,000 restitution for each allegation of wrong billing. He also said the company violated the state's unfair and deceptive business law. Company officials have acknowledged that a computer problem erroneously assessed long distance charges on the bills of one million people nationwide. [Source: Associated Press, *Florida Today*, 1 May 2004, p. 10B]
> shouldn't there be a failsafe that wouldn't allow two greens no matter what? And the answer, of course, is yes. When I was growing up, my dad was a traffic and parking coordination officer for the City of Boston, Massachusetts. Among his duties was interacting with contractors who did sign and signal work for the city, which, in addition to resulting in some pretty cool tchotchkes for a 10 year old, gave me the opportunity to feed the Elephant's Child, and that was one of the questions I asked. At least in that (late 70's) generation of controllers, yes, there was a physical interlock: the clocked drum on those motor-driven controllers switched the light heads through relays, as opposed to directly, and the wiring of the relays was such that it was not physically possible to cause the controller to display opposing greens, unless you managed to have *two* stuck relays — it might even have been three. Jay R. Ashworth, Member of the Technical Staff Baylink The Suncoast Freenet Tampa Bay, Florida http://baylink.pitas.com +1 727 647 1274 jra@baylink.com
Freedom 2.0: Distributed Democracy, Dialogue for a Connected World The Washington Club in Washington, DC, 20-22 May 2004 Information: http://www.epic04.org Registration: http://regmaster.com/epic04.html (Early registration deadline deadline 5 May.) Schedule: http://www.epic04.org/schedule/index.htm Special conference events include SWIPE http://www.we-swipe.us/about.html and Spy Museum http://www.spymuseum.org/index.asp Confirmed speakers include: Anita L. Allen, David Banisar, Ann Bartow, Francesca Bignami, James Boyle, David Burnham, Vinton G. Cerf, Enrique Chaparro, David Chaum, Julie E. Cohen, Lillie Coney, Amitai Etzioni, David J. Farber, David H. Flaherty, Oscar H. Gandy, Deborah Hurley, Jerry Kang, Ian R. Kerr, Judith F. Krug, Elizabeth Longworth, Gary Marx, Pedro Mendizábal, Mary Minow, Peter G. Neumann, Stephanie Perrin, Katitza Rodriguez, Pamela Samuelson, Paul M. Schwartz, Bruce Schneier, Barbara Simons, Brooke Singer and Jamie Schulte (SWIPE), Robert Ellis Smith, Daniel J. Solove, Edward G. Viltz, Paul Wolfson.
BKNNRPDT.RVW 20031205 "Non-Repudiation in Electronic Commerce", Jianying Zhou, 2001, 1-58053-247-0, U$89.00/C$131.95 %A Jianying Zhou %C 685 Canton St., Norwood, MA 02062 %D 2001 %G 1-58053-247-0 %I Artech House/Horizon %O U$89.00/C$131.95 617-769-9750 800-225-9977 fax: +1-617-769-6334 %O http://www.amazon.com/exec/obidos/ASIN/1580532470/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1580532470/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1580532470/robsladesin03-20 %P 200 p. %T "Non-Repudiation in Electronic Commerce" The preface outlines non-repudiation as a security service in its own right, with supporting requirements, rather than an effect of another security mechanism. This position is in rather interesting contrast to most works that tag non-repudiation onto the list of functions that can be accomplished by asymmetric (public key) cryptography: a benefit, but a bit of an afterthought. Chapter one gives us an introduction to the basics of non-repudiation, in both electronic mail and electronic commerce. Various parties to a transaction, the means, requirements, and forms of evidence all make up the fundamentals of non-repudiation in chapter two. Digital signatures are the traditional, but not the only way to prevent repudiation of a transaction or message, and chapter three examines four approaches for maintaining their validity. Chapter four investigates the concept of fairness in a non-repudiation system, ensuring that where the transaction is not completed neither side is able to obtain an advantage over the other. In general, fairness requires either gradual disclosure (in an ad hoc situation) or the involvement of a trusted third party. Specific "Fair" protocols are reviewed in chapter five. Chapter six looks at the ISO's (International Standards Organization) non-repudiation mechanisms. Case studies of the detailed requirements and proposed protocols for an online lottery (which also involves anonymity) and mobile (wireless) billing are in chapter seven. Chapter eight has a summary of the main points in the book, and appendix A deals with formal verification of non-repudiation. A detailed and interesting account of a rather neglected but important topic. copyright Robert M. Slade, 2003 BKNNRPDT.RVW 20031205 rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer