A new $5.5M military two-way radio system being tested at Eglin Air Force Base in Florida is preventing garage doors from opening in the neighboring communities of Niceville, Valparaiso and the Crestview area. Motorola said it will try to minimize the problem, altering the frequencies for the next tests. However, a news report suggests that homeowners "may have to change the frequencies" on their remote controllers because the FCC indicates the Air Force is operating within its licensed frequencies. The problem is also likely to propagate further: a similar system has been requested for the Pensacola Naval Air Station and other bases. [Source: AP item, *South Florida Sun-Sentinel*, 19 May 2004; PGN-ed] Gee, if the avionics are jamming the garage door mechanisms, ya gotta wonder what the garage door openers are jamming. PW
A boa constrictor triggered a 15-minute nationwide blackout when it slithered into a generator at a major hydroelectric plant that supplies 60% of Honduras' electricity. Power outages are common in Honduras; a failure at the same dam left the nation without power for three hours in Sep 2003. [Source: AP item from Tegucigalpa, 19 May 2004; PGN-ed. Yes, the boa was electrocuted, but earns the RISKS-archives size prize for animal-inspired outages -- beating out the raccoons, rats, and 6 SRI squirrels.] http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2004/05/19/international1934EDT0786.DTL
On 6 May 2004, the online satire magazine *The Daily Farce* ran a tongue-in-cheek story saying that US Secretary of Defense Donald Rumsfeld had banned the use of digital cameras in Iraq:

"Donald Rumsfeld told reporters in a press conference "those found guilty of following my orders, I mean, of performing these acts will be tried and prosecuted by a jury as effective as the one that prosecuted O.J. Simpson." He continued "Further, to protect the Iraqi prisoners from any future abuses; any digital cameras, camcorders, or cell phones with cameras are strictly prohibited anywhere in any military compound in Iraq."

http://www.thedailyfarce.com/world.cfm?story=2004/05/world_moreabusepictures_05200400006

A few weeks later, someone picked this up and ran with it, rather than recognizing it as a satire piece. It reproduced and began appearing in news media all over the world, especially overseas, as an established fact. A search of Google News found it on at least 40 news sites, and a web search found it on more than 4,000 sites.

Risks:
1. News organizations assuming that everything they read online must be true
2. Reporters using questionable sources for facts
3. (perhaps) Non-native English speakers not recognizing satire
4. Humans assuming that everything reported by a newspaper -- especially an online newspaper -- is fact.

Jean Palmer, Northrop Grumman firstname.lastname@example.org 1-410-993-2627

[5. Some folks might think it true, and are happy to pass it on as such. 6. Some folks, knowing it is bogus, want to poke at the underlying situation. 7. Some folks get fooled even on April Fools' Day. and lots more. PGN]
*Reason Magazine* (http://reason.com) got some coverage in both slashdot and the New York Times for their May cover, which was tailored individually to feature an aerial photo of the residence of and the name of each subscriber. Alas, it looks like someone screwed up the columns in one of their SQL queries. The article on the inside of the cover was intended to give some more entertaining facts about the subscriber, but for me it said "...the same information networks that tell me that 1.82% of your neighbors have college degrees or that Rep Denise percent of the kids in your ZIP code are cared for by their grandparents...". I cannot tell whether the 1.82% number is accurate, but I have my doubts. Denise Majette is my representative, but I think they really wanted a number there. They also mixed up the column headings on the table of demographic data printed at the bottom of the inside cover, although the nature of the data there makes it possible to sort out what number goes where. I'm most curious to know how general these problems were in the print run, which featured close to 40,000 different covers. This illustrates one of the many ways that you can screw up while using a database to characterize your customers, clients or suspects. In this case the consequences are minor, but a supermarket which guesses too wrong will lose a lot of money, and a government could victimize exactly the wrong people.
A new report on "data mining", which is being released today by the General Accounting Office, reveals that the practice is widespread in the Federal government and that there are, at least, four programs that may be accessing and analyzing private-sector databases in ways that are reminiscent of the Pentagon's Total Information Awareness Program. The report was prepared at the request of Senator Daniel Akaka of Hawaii. The GAO's investigation uncovered 199 government uses of the statistical analysis techniques known as data mining, 54 of which use private-sector data. Such information could include any data held in corporate or other private hands, including credit-card records and Internet logs. In an appendix to its report, the investigators listed those programs, providing a brief description of each and indicating its purpose and whether it contained personal information, or made use of private-sector data and data from other government agencies. The 4 programs of special concern are:

* Verity K2 Enterprise - Defense Intelligence Agency (DIA). Mines data "to identify foreign terrorists or U.S. citizens connected to foreign terrorism activities." (Page 30 of GAO report)
* Analyst Notebook I2 - Department of Homeland Security. "Correlates events and people to specific information." (p. 44)
* PATHFINDER - DIA. "Can compare and search multiple large databases quickly" and "analyze government and private sector databases." (p. 30)
* Case Management Data Mart - DHS. "Assists in managing law enforcement cases" Using private-sector data. (p. 44)

According to the GAO descriptions, all four programs draw on private-sector databases, contain personally identifiable information, and appear to constitute dragnets on the general population.
Of course, many of the other programs listed by the GAO raise questions about how they are using information, including private-sector information -- and the GAO's list did not include programs run by the Central Intelligence Agency and the National Security Agency, which did not respond to its requests for information. The ACLU, together with the Electronic Privacy Information Center and the Center for Democracy and Technology, today sent a joint letter to Senator Akaka praising his efforts and the report. The joint letter to Sen. Akaka is online at http://www.aclu.org/Privacy/Privacy.cfm?ID=15858&c=130 The GAO [report] should be on their Web site shortly at http://www.gao.gov/. Barry Steinhardt, Director Technology and Liberty, American Civil Liberties Union (ACLU), 125 Broad Street, NYC 10004 www.aclu.org IP Archives: http://www.interesting-people.org/archives/interesting-people/
Privacy advocates fear consumers will face a flood of unwanted calls and junk e-mail, Jube Shiver Jr., *Los Angeles Times*, 20 May 2004: After years of anonymity, the numbers of most of the nation's mobile phones will be compiled later this year in the first wireless directory. The database being assembled by the Cellular Telecommunications and Internet Assn. is expected to include about 75% of the 163 million mobile phones in the United States, making looking up a wireless number as easy as dialing 411. ... http://www.latimes.com/la-fi-cellphones20may20,1,3236420.story [NO OPT OUT??? Beware! PGN]
[Source: Andy Sullivan, Reuters, 26 May 2004; PGN-ed] Internet "spam" purveyors who hide behind false e-mail addresses could face up to 10 years in jail and fines of $25,000 per day under The Maryland Spam Deterrence Act signed on 26 May 2004 by Maryland Governor Robert Ehrlich. The law allows state officials to arrest and fine those who engage in a variety of deceptive tactics to send junk e-mail. But one anti-spam activist said it would do little to stop the unsolicited bulk messages that now account for up to 83 percent of all e-mail, because most of those already violate anti-fraud laws. ... http://finance.lycos.com/home/news/story.asp?story=41660480
The Fight Against Spam, Part 3, by Francois Joseph de Kermadec, 21 May 2004 Editor's note: In part one, F.J. focused on laying the foundation for an anti-spam strategy and he covered how to block most of your unwanted mail. Then in part two, he fine-tuned this strategy, plus he took a closer look at the technologies inside of Mail.app. Now in part three, the conclusion of this series, F.J. covers rules and additional tools and techniques you can use to avoid becoming buried in spam. ... http://www.macdevcenter.com/pub/a/mac/2004/05/21/spam_pt3.html
According to MessageLabs Inc., in its monitoring of e-mail traffic for 8500 customers in April 2004, spam accounted for two-thirds of all e-mail traffic, and 80% of e-mail in the United States. The first figure was 50% a year ago, and MessageLabs predicts 90% in another year. [Source: Bob Sullivan, MSNBC, 21 May 2004; PGN-ed] http://msnbc.msn.com/id/5032714/
I pay my bills through Paytrust.com. They have a "feature" called "SmartBalance", which attempts to infer the balance in your checking account including allowances for outstanding checks. Of course, this is possible only if you never use an ATM, write a check outside their system, incur bank service charges, etc., but that doesn't seem to bother them. The SmartBalance system requires that you provide them with the password to your online banking account so that they can fetch current information. A recently added misfeature tries to warn users if they are writing a check that would overdraw their account. So far, so good, despite the glaringly unavoidable inaccuracies. But if you haven't given them a password for your bank account, they assume it's zero -- and then make you walk through a "Please click OK" screen to "protect" you from the consequences of an overdraft. The RISKS are numerous:

* Assuming that you can make a valid calculation with partial information.
* Continuing with a calculation when some data is unavailable.
* Warning the user of an error condition when it is impossible to avoid false positives.
* Teaching the user to depend on an error warning when it is impossible to avoid false negatives.

They would almost have been better off to hook the whole system up to a random number generator; the accuracy would have been roughly the same, and they would have saved an immense amount of programming time.

Geoff Kuenning email@example.com http://www.cs.hmc.edu/~geoff/
There is an interesting additional twist to this story: The voting machines purchased by the Irish authorities are produced by the Dutch company Nedap. Essentially the same machines have been used in The Netherlands for several years, and did not attract much attention, at least not in the general press, until the Irish rejection. When questioned in the Dutch parliament, the responsible minister De Graaf declared that "he found the machines reliable". This statement seemed to suffice to avoid debating the matter further. It has also transpired from the discussion that the machines have been tested by an independent test lab, TNO. The reports were, however, kept secret. Until the problems started in Ireland. The Dutch TNO reports have now been released in Ireland! It turns out that "The reports by KEMA Quality BV and TNO were not concerned with either the accuracy or the security of the machines". The tests seem to have mainly addressed robustness of the machines, not the voting or counting itself. The whole affair has gotten very little media coverage in The Netherlands so far, most of the available information comes from newsletters of privacy groups like Bits of Freedom (in Dutch) (http://www.bof.nl/) and EDRI (in English) (http://www.edri.org/). So it looks like what was rejected in Ireland is happily being accepted in The Netherlands, without attracting much attention, neither by the government nor by the media.
Declan McCullagh, Staff Writer, CNET News.com, 26 May 2004 File swappers concerned about getting in trouble with record labels over illegal downloads may soon have a major new worry: the U.S. Department of Justice. A proposal that the Senate may vote on as early as next week would let federal prosecutors file civil lawsuits against suspected copyright infringers, with fines reaching tens or even hundreds of thousands of dollars. The so-called Pirate Act is raising alarms among copyright lawyers and lobbyists for peer-to-peer firms, who have been eyeing the recording industry's lawsuits against thousands of peer-to-peer users with trepidation. The Justice Department, they say, could be far more ambitious. One influential proponent of the Pirate Act is urging precisely that. "Tens of thousands of continuing civil enforcement actions might be needed to generate the necessary deterrence," Sen. Orrin Hatch, R-Utah, said when announcing his support for the bill. "I doubt that any nongovernmental organization has the resources or moral authority to pursue such a campaign." The Pirate Act represents the latest legislative priority for the Recording Industry Association of America (RIAA) and its allies, who collectively argue that dramatic action is necessary to prevent file-swapping networks from continuing to blossom in popularity. ... http://news.com.com/2100-1027-5220480.html
Chris Malme in RISKS-23.38 noted that the UK Post Office offers the option of checking your documents for you, and indeed they do, unless you are exchanging a driver's license from a foreign country. In this case you have no option but to post your Passport and the foreign driver's license to the DVLA. Your Passport is then returned to you via normal postage, even if you include a postage-paid recorded-delivery self-addressed envelope. This Risk of having to include all your identification documents in the same envelope should be evident to all, and to require it on someone's arrival in the country seems somewhat dangerous. The only truly safe option seems to be to go down to Swansea to submit your documents in person, but even then you cannot collect them in person. (Swansea isn't exactly central to most of the UK population either, as nice a part of the country as it surely is.) For a government so intent on introducing ID cards to prevent immigration fraud to have an agency acting in this manner is to my mind amazing.
I recently watched a repeat of a consumer show called Market Place. This one was on crash data recorders in cars and how they are being used more and more by police and insurance companies. The transcript of the show can be found here: http://www.cbc.ca/consumers/market/files/cars/blackboxes/index.html Apparently they are installed in over 25 million North American vehicles. My concern is the accuracy of these devices (odds are there are going to be a few duds) and the likelihood that they will win out in court over the drivers' word. Honest I wasn't speeding, black box says otherwise. Claimant refused insurance claim and probably has their insurance canceled.
[... In Mayfield's case, certain Muslim associations seem to have added circumstantial credibility to the confidence associated with the presumed match. Once again, some caution is needed in believing in digital evidence -- especially with only partial prints. PGN] My read on the "circumstantial credibility" is that it was flimsy in the extreme. He married a Muslim and once defended someone accused of a terrorism-related crime. Not to mention that apparently the Spanish authorities almost immediately informed the FBI the fingerprint was definitely not Mayfield's, but the FBI did not act until a positive match was found (by Spain). I also must wonder if what you cited is the true extent of the risk? The reliability of fingerprint and DNA evidence seems to go pretty much uncontested in criminal trials, and the examples of which I am aware are largely those in which the defendant can afford an adequate defense. I wonder how many persons could possibly be incarcerated on evidence no stronger than that on which Brandon Mayfield was detained? Particularly in cases where the defendant was represented by a public defender or other hired gun of less than top caliber? Combine this possibility with the sort of prosecutorial misconduct that seems to be all too common, and the imagination can conjure up some scary scenarios. I think that this might be worthy of further investigation...
What jumped out at me from the first page of the GAO report referenced in RISKS-23.38 was ...

> As the amount of code on weapons systems increases, it becomes more
> difficult and costly to test every line of code.

Can it possibly be that the GAO (and DOD procurement people) have not yet noticed that testing every line of code is a completely inadequate way to demonstrate the correctness of a software system, and that testing can demonstrate the presence of errors, but never the absence? How long ago was Edsger Dijkstra railing against the folks who didn't realize that a program can contain errors even though each line of code has passed a test? I think that was in the 1970s, yet many people still haven't heard the message.
I work for an ISP and, for a while, we had a Web mail system running on our servers; and we used to get all sorts of what we could only assume were AOL and Hotmail logins and passwords being entered. Given the human tendency to re-use passwords across services -- or at least, to use minimal munging between uses -- I suspect that anyone putting up a form with the appropriate fields could get a lot of passwords, as long as they got listed on the search engines. As the original poster says, the promise of MP3s, porn, pictures of pop stars &c. is a powerful motivating factor. I'm sure I remember something similar to this, dating back to the BBS days of the early '90s; it may even have cropped up in RISKS.
In RISKS-23.37, Samuel Liddicott reported that "Banks don't understand phishing social risks". I reported a similar instance in Risks 21:59 in regard to another UK bank, but without comment on the "phishing" aspects. The banks are making a rod for their own backs by their approach to authentication, and their systems designers appear ignorant of the basic security that needs to be applied. Of course, many of their customers are still trusting of the bank ... but sadly these contain a number who "trust" the phishers and scammers. The bank in question in my original posting has recently changed the log-in process for their e-banking Web site. Previously, in addition to other identification, one had to type in two randomly requested letters from a "password". These were entered in a form box with the usual asterisks being displayed instead of the letters. A redesign (in the interests of improving security) now forces the user to select the letters from two drop-down boxes, and the actual letters remain displayed on the screen. Yet another example of Hutber's Law: "Improvement means deterioration". The RISKS are inherent.
BKTTHTGR.RVW 20040306

"The Teeth of the Tiger", Tom Clancy, 2003, 0-399-15079-X, U$27.95/C$40.00
%A Tom Clancy
%C 10 Alcorn Ave, Suite 300, Toronto, Ontario, M4V 3B2
%D 2003
%G 0-399-15079-X
%I Penguin Putnam
%O U$27.95/C$40.00 416-925-2249 Fax: 416-925-0068 firstname.lastname@example.org
%O http://www.amazon.com/exec/obidos/ASIN/039915079X/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/039915079X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/039915079X/robsladesin03-20
%P 431 p.
%T "The Teeth of the Tiger"

It is interesting to note, reading the reviews on Amazon, that even die-hard Clancy fans are starting to lose faith. Clancy has moved from curmudgeon to outright maverick in this work. The plot doesn't just depend on bending the rules, but by going completely outside them and playing God. (In which regard, I'm fairly sure that quite a few Catholics would take issue with the assertion that as long as you *think* you are doing the right thing, God can't say anything about it.) The "good guys" luck out a lot, but are extremely sloppy, and any group that did operate in this manner would tend to kill a lot of innocent people. Despite crises of conscience (very brief ones), none of the characters in this tale are attractive or sympathetic: they all seem to be pretty thin. But that isn't what we are here to talk about.

Clancy demonstrated in "The Bear and the Dragon" (cf. BKBRDRGN.RVW) that he didn't understand cryptography, and he proves his lack of comprehension again here. Sun makes good workstations, but they aren't supercomputers. Single pass DES (Data Encryption Standard) has fallen to brute force attacks, but serious users have plenty of algorithms to choose from that haven't. Clancy has moved the myth of the NSA providing encryption standards with backdoors built into it slightly out of the house, but it's still a myth.
(Yes, the NSA does have smart people, but the one time they did really try it, with the Clipper/SKIPJACK key escrow system, it failed. Ironically, the failure didn't lie in their ability not to get caught, since they were completely open about it, but in a weakness that meant the escrowing system could be broken.) As far as getting everyone to buy into a proprietary, unreviewed encryption system and use it pretty much universally for several years without anybody twigging as to what was going on, forget it. There are a number of players in the crypto market, everybody serious enough to study the field knows not to buy snake oil, and anyone following the security field at all knows that backdoors get found every day. Just because you use the same accounting system as someone else doesn't mean that you can read all their files. (In fact, if you are breaking in to someone's system, it is often easier to grab the data files themselves and process them with your own tools.) There is no discussion about getting access to files on remote systems at all: Clancy just seems to assume that it can be done. Admittedly, he is assuming a backdoor into Echelon, and assuming that Echelon can, in fact, collect all the transmission of voice and data anywhere in the world. (We'll leave that tall order for the moment, since it isn't inherently impossible, however unlikely.) The data under investigation, however, isn't in transit: it resides on a bank computer. This book has annoying errors in technology, flat characters, a shaky premise, and very little of the old Clancy flair. copyright Robert M. Slade, 2004 BKTTHTGR.RVW 20040306 email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade