Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Beginning at 5:30am on Sunday morning 18 Jul 2004, the *Chicago Tribune* began a planned upgrade of their server systems and their Newsdesk software (developed by Denmark-based CCI Europe A/S). By noon, everything tested out OK. However, around 4pm, proofing pages for the Monday morning paper could not be generated. At 7pm, pages sent to the off-site Freedom Center printing facility would not produce plates. A third-party trouble-shooter (CCI in Denmark) was called in. At 9:45pm, the disaster-recovery backup system was considered, but CCI thought that would not be necessary. At 1:30am Monday sending scanned pages to Freedom Center was abandoned as taking too long, and preparations were made to switch back to the backup plan. However, by 2am some pages were correctly processed, and a hybrid plan was cobbled together. Finally, at 3am, the paper was abbreviated to 24 pages and printed — except for four pages that would not print, and which were replaced by advertisements. Production of the paper was finally begun at 5:30am, well beyond the normal time. It was reportedly the first time since the Great Chicago Fire of 1871 that the *Tribune* failed to print as planned. Source: Computer glitch nearly stops Tribune presses; A story we never thought we'd print, James Coates, *Chicago Tribune*, 20 Jul 2004; starkly PGN-ed; also noted by Rich Harrington; PGN-ed]
A tourist balloon tethered over downtown Baltimore stalled during a wind squall on 17 Jul 2004, with 17 occupants stranded 200 feet in the air for two hours, amid strong wind gusts that swung the balloon around the tether, resulting in the computer control system losing track of the balloon's position — which apparently automatically shut down the winch engine. Because the program cannot restart the engine unless the balloon is on the ground, a smaller backup engine was invoked — although an added complication was involving releasing the brakes that had automatically clamped on the winch. (This was supposed to be a 20-minute excursion.) Four people were hospitalized. [*The Baltimore Sun*, 18 Jul 2004; PGN-ed] http://www.baltimoresun.com/news/local/bal-te.md.balloon18jul18,0,4500292.story?coll=bal-home-headlines http://www.baltimoresun.com/news/local/ bal-te.md.balloon18jul18,0,4500292.story?coll=bal-home-headlines
John Kelly, NASA begins repairing station glitches, 29 Jul 2004 NASA and the Russians are beaming a series of software-upgrade files from Earth to several International Space Station computers with the goal of eliminating hundreds of potentially dangerous glitches before year's end. The carefully scheduled updates are meant to fix about 500 of the more than 1,000 errors in the computer code that operates everything from the space station's robot arm to critical life-support systems. Most notably, the repairs are expected to fix 35 of 39 software bugs that were deemed "safety critical" in a review done by the space station program in the wake of the shuttle Columbia disaster. Source: http://www.floridatoday.com/news/space/stories/2004b/spacestoryN0729STATIONBUG.htm http://www.floridatoday.com/news/space/stories/2004b/spacestoryN0729STATIONBUG.htm Earlier items: http://www.floridatoday.com/news/space/stories/ISS2004/spacestoryONSOFTWARE06.htm http://www.floridatoday.com/news/space/stories/ISS2004/spacestoryONSOFTWARE06.htm
Hiawatha Bray, *The Boston Globe*, 22 Jul 2004 The Democratic National Convention will attract thousands of visitors armed with laptop computers that feature wireless Internet access. And that could be a formula for disaster, according to Michael Maggio, whose Newbury Networks Inc. recently ran a vulnerability test in the area around the FleetCenter: Unless proper precautions are taken, computer vandals will be able to tap into these laptops by using wireless transmitters located outside of the FleetCenter. The attackers could then use the compromised laptops to gain access to the computer network used to run the convention. http://www.boston.com/business/technology/articles/2004/07/22/laptops_at_the_fleetcenter_at_risk_of_breaches_attack/ http://www.boston.com/business/technology/articles/2004/07/22/ laptops_at_the_fleetcenter_at_risk_of_breaches_attack/
Censorware installed either at the LinuxElectrons or IBM press release site has inadvertently deleted part of the name of a Japanese city in a press release from IBM: http://www.linuxelectrons.com/article.php/20040714101727502 relevant excerpt: The trial is expected to be completed by early August and then, if successful, onsite testing will take place at Kureha Environmental Engineering's waste processing site. When the effectiveness of RFID tagging is confirmed the company plans to equip Kureha General Hospital, in *censored*ushima, Japan, with the RFID technology to track their discarded medical waste. John Karabaic, 3545 Zumstein Ave, Cincinnati OH 45208-1309 513.295.6365
Good news for the spammers!! As most of us are aware that Google provides various options/operators for writing effective queries. One of the operator is the "site:" option, which restricts the search to the website specified with this tag. Just tried googling for some gmail accounts with site:gmail.google.com and the results were a list of urls with the title "Link Already Used". The area of concern is that all these pages are actually error pages with a valid gmail user accounts.... so with a small script its very easy for some one to glean a list of _valid_ gmail accounts. Do you have a gmail account? ....check if your name is already harvested ;-)
It's a groundbreaking court decision that legal experts say will affect everyone: Police officers in Louisiana no longer need a search or arrest warrant to conduct a brief search of your home or business. Leaders in law enforcement say it will keep officers safe, but others argue it's a privilege that could be abused. The decision in United States v. Kelly Gould, No. 0230629cr0, was made March 24 by the New Orleans-based 5th Circuit Court of Appeals. ... [29 Mar 2004] http://www.theneworleanschannel.com/news/2953483/detail.html http://caselaw.findlaw.com/data2/circs/5th/0230629cr0p.pdf http://caselaw.findlaw.com/data2/circs/5th/0230629cv0p.pdf http://caselaw.lp.findlaw.com/data2/circs/5th/0230629cv0p.pdf
Yesterday, I was annoyed yet again--by Mac OS X, as it happens, but OS X and WinNT/2K/XP are equal-opportunity annoyers in this regard. I was about to hit "return" to accept the default in a dialog box, and another application that was running at the same time popped up its own dialog box just as I was pressing the key. I couldn't stop in time. I intended to OK one dialog box, and I ended up OK-ing a completely different one. No harm done this time. But this sort of thing happens to me several times a week. Frequently I will type two or three keystrokes into an window that has unexpectedly popped up before I can stop myself. Occasionally I will actually mouse-click on a button in a window that popped up just as I was starting to press the mouse. It seems astonishing to me that nobody complains about this, and that in twenty-odd years of GUI use there isn't a well-established solution to this problem. It appears that when it comes to computer usability, any problem that persists for more than a few years is apparently no longer perceived as a problem. Or am I the only person this happens to? The RISKS when a user who intends to confirm one dialog box accidentally confirms another are obvious. Serious consequences in ordinary daily use are admittedly unlikely; contriving a suitably example will be left as an exercise for the reader.
Some choice bits from this site: http://www.crn.com/sections/breakingnews/breakingnews.jhtml;?articleId=23905071 "CRN Test Center engineers evaluated a release candidate two (RC2) version of SP2, and upon completion of the install on three out of five systems, the machines blue-screened." "[Microsoft] provided instructions on how to work around the blue screen and uninstall SP2. After that process finished, some interesting events occurred. The rollback process uninstalled every device that existed in the PC. Network cards, video cards and all system resources were uninstalled. The rollback also removed SP1; absolutely no remnants of SP1 existed anywhere in the system. " If they can't get the installation process right, I highly doubt they got the security fixes right either.
Here's one from the absurd department... (As reported on http://www.netfunny.com/rhf/jokes/04/Jul/cia.html) Did they really say that ? bruce.sinclair@NOSPAMagresearch.NOTco.NOTnz (Bruce Sinclair) TelstraClear Found recently on a web site as part of a privacy policy statement ... [http://www.odci.gov/cia/notices.html#priv] Privacy Notice: The Central Intelligence Agency is committed to protecting your privacy and will collect no personal information about you unless you choose to provide that information to us.
http://news.ft.com/servlet/ContentServer?pagename=FT.com/StoryFT/FullStory&c=StoryFT&cid=1087373456479 http://news.ft.com/servlet/ContentServer ?pagename=FT.com/StoryFT/FullStory&c=StoryFT&cid=1087373456479 Customers of Citibank, the world's largest bank, are suffering a wave of current account service problems that has forced the company to post a seven-page "service update" explanation on its website. The bank admitted receiving complaints from customers over direct debit payments which mistakenly defaulted to 999,999.99 pounds and personal identification numbers for automatic teller machines, internet and telephone banking that did not work. Other problems included current accounts being debited twice, incorrect reference and cheque numbers, changes to statements, canceled cheques and replacement cheque books and cards being sent to old or wrong addresses. Citibank said that it was "very sorry" about the problems, which were caused by a large systems upgrade in late March that triggered a big increase in the volume of calls from customers. Patrick O'Beirne, Systems Modelling Ltd. +353 55 22294 www.sysmod.com/blog
Today an a phishing scam e-mail got past the spam filters. It had the usual wording about clicking on the link to update my e-mail address with CityBank, which "required" my ATM card and PIN. The strange thing about the URL was it wasn't the expected "this site @ that site", instead, it began with: http://www.citi.com/domain/redirect ... YIPES! Sure enough, replacing the scammer's URL with Google's took me to Google ... which didn't like the Citibank-specific query string. Being curious, I clicked on the original URL, and was taken to what appeared to be the Citibank site, after bouncing around a while. Needless to say, I exited Mozilla after doing this.
John Miller, Dow Jones Newswires (07/26/04); seen via ACM Tech News:
http://www.acm.org/technews/articles/2004-6/0728w.html#item1
"European citizens and governments generally prefer traditional
paper-based voting because of unresolved reliability and security issues
surrounding electronic voting. ...
[DF comment: what a fair summary, and in the UK issues are also being
raised by the extension of postal paper voting]
... Fueling the arguments of paper ballot supporters are incidents such as
a 2003 Belgian election in which almost 4,100 extra votes for Maria
Vindevoghel's Communist Party were recorded in a precinct of Brussels due
to a malfunction triggered by a cosmic ray. ..."
I found this jaw-dropping — not the possibility of a cosmic ray causing a
computer malfunction, which is an obvious threat for space-borne systems,
but how such an apparently unrepeatable external event could be accepted as
the cause of a terrestrial computer malfunction. The lack of any
confirmation through Google seems to support my astonishment. Can the select
RISKS readership confirm whether this actually occurred, or is it an urban
legend?
If people are prepared to accept this as an explanation for computer
malfunctions, maybe we're wasting our time testing software?
Alan Elsner, Reuters, 15 Jul 2004 http://story.news.yahoo.com/news?tmpl=story&cid=584&e=3&u=/nm/20040715/pl_nm/campaign_florida_dc http://story.news.yahoo.com/news ?tmpl=story&cid=584&e=3&u=/nm/20040715/pl_nm/campaign_florida_dc Florida faces another debacle in the upcoming presidential election on Nov. 2, with the possibility that thousands of people will be unjustly denied the right to vote, the U.S. Commission on Civil Rights heard on Thursday.
Almost all the electronic records from the first widespread use of touch-screen voting in Miami-Dade County have been lost. [Abby Goodnough, *The New York Times*, 28 Jul 2004] http://www.nytimes.com/2004/07/28/politics/campaign/28vote.final.html?ex=1092033819&ei=1&en=5808587bdbefd3a6 http://www.nytimes.com/2004/07/28/politics/campaign/28vote.final.html ?ex=1092033819&ei=1&en=5808587bdbefd3a6
Big Brother evictee returns after SMS error http://www.abc.net.au/news/newsitems/200407/s1147056.htm The most recent evictee from the Big Brother reality television household, Bree, will return to the show tonight after the company which tallies telephone and SMS votes for the show admitted it made an mistake. Bree was voted out of the show last night but Channel Ten, which airs the show, and Endemol Southern Star, its producers, have released a statement admitting the vote count was wrong. Apparently this was detected by the phone/SMS company by an internal audit so at one level, 'the system worked' but there are so many questions about HOW they counted SMS votes wrong.. I'm guessing this is not a very integrated process, and somebody either slipped up doing spreadsheet column/field edits, or in parsing data. With $AU 1,000,000 up for grabs in a winner-takes-all outcome, I think both the phone company and the TV station felt it was better to head off litigation. Else, why does anybody care? its not like this is a 'real' vote is it... (obvious comparisons to 'beauty contest' electronic election methods invited) George Michaelson, APNIC, PO Box 2131 Milton, QLD 4064 Australia +61 7 3858 3150 | ggm@apnic.net | http://www.apnic.net
Excerpt from
Piper Rudnick E-Commerce & Privacy Group @lert, 25 Jun 2004, Vol. 4, No. 5
http://www.piperrudnick.com/db30/cgi-bin/pubs/E-Commerce%20Alert062504.pdf
CALIFORNIA LAW REQUIRING WEB SITES AND ONLINE SERVICES TO POST A PRIVACY
POLICY GOES INTO EFFECT JULY 1, 2004
Overview and Summary of Requirements
On 1 Jul 2004, the first online privacy law in the country that applies to
the collection of information from consumers over the age of 13 will take
effect.
The California Online Privacy Protection Act of 2003, CAL. BUS. & PROF. CODE
22575 et seq., ("Section 22575") is a privacy notice requirement law. It
contains a generous safe harbor that gives companies 30 days to come into
compliance if notified of failure to post a policy. The law also prohibits
"negligently and materially" or "knowingly and willfully" failing to follow
promises in a posted privacy policy.
The California law will require operators of a commercial Web site or online
service that collect through their Web site or online service personally
identifiable information(1) from consumers(2) residing in California to
conspicuously post their privacy policy on their Web site (or, in the case
of an online service, to use any other "reasonably accessible means of
making the privacy policy available to consumers"). The law exempts Internet
service providers and similar entities that transmit or store personally
identifiable information at the request of third parties. Because many Web
sites and online services do not collect physical address information, and
for that reason may be unaware that they are collecting personally
identifiable information from California consumers, sites and services may
be well advised to conform their privacy policies to the requirements of
this new law. ...
http://www.piperrudnick.com/db30/cgi-bin/pubs/E-Commerce%20Alert062504.pdf
It appears that it has occurred to folks that the iPod is a security risk http://www.cnn.com/2004/TECH/internet/07/13/britain.mod.reut/index.html If someone who had access to that dangerous USB port were going to down/upload some data, wouldn't a thumb drive be easier and smaller? If someone was serious, how hard would it be for a real baddie to give a CD player or Walkman (r) write capability. Gee, why not just plug a WI-FI device into some obscure RJ45 and get the stuff in the parking lot? or a Zip disk, or a floppy, or a laptop, or one of those non-spec 10Xpower bluetooth thingies Isn't it much more likely that this poor soul with the iPod is just trying to listen to music? Paul Wexelblat, Dept. of Computer Science, University of Massachusetts Lowell One University Ave, Lowell, MA 01854
I read with interest Craig DeForest's recent message about legislating for privacy. His argument - which is far from new - is that because legally protecting email privacy wouldn't be 100% effective, legal protection is foolish. You could equally well say that because legislating to outlaw burglary is not 100% effective, you may as well not legislate against burglary. A foolish notion! Laws won't stop determined evil-doers from doing bad things. However, they can be used to punish them after the fact, and do have a deterrent effect on evil-doers who are less brave. Just look at the effort companies go to to make sure they don't break (many) laws. Add privacy to that list of laws that they at least try not to break, and I for one will be a little happier.
This isn't news and isn't sudden to those of us in San Francisco who shop at Tower Market. Keyless remotes to cars have never functioned in much of Twin Peaks area. The seven television stations and numerous FM radio stations that broadcast from Sutro Tower appear to overwhelm the low-power keyless systems used in nearby cars.
I won't comment on the risks of accepting the novlang, but wondering why all these people don't use free software instead, what are the risks they take in using non-free software, in their countries? Assuming there's no legal risk for them, given the political and technical risks of using non-free software, why don't they switch to free software?
Metro has now reversed their decision and declared they will continue to sell SmarTrip cards until the current inventory runs out, by which point they hope new shipments will have come in: http://www.wtopnews.com/index.php?nid=25&sid=234093 "Taubenkibel says the agency decided to reverse course because it hopes to receive a new shipment of about 10,000 SmarTrip cards by the end of the month, and another 62,000 cards sometime in August."
BKSNDRNG.RVW 20040629 "The Sundering", Walter Jon Williams, 2004, 0-380-82021-8 %A Walter Jon Williams %C 10 East 53rd Street, New York, NY 10022-5299 %D 2004 %G 0-380-82021-8 %I HarperCollins/Basic Books/Torch %O 800-242-7737 fax: 212-207-7433 information@harpercollins.com %O http://www.amazon.com/exec/obidos/ASIN/0380820218/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0380820218/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0380820218/robsladesin03-20 %P 436 p. %T "The Sundering" Once upon a time, a long, long time from now (and far away) there was a great space war. Given that it's a long time from now, it's rather bemusing that technology hasn't advanced very far, aside from discovering traversable wormholes and producing antimatter in commercial quantities. This isn't entirely the fault of human beings, since a mysterious and powerful race has come along and generally interfered with social and technological development, although they now seem to have stepped out for an extinction. But you can forgive a lot to a book that understands that space battles, even those confined to a mere solar system, take place over days, and that the ability to withstand crushing accelerations for long periods of time is what makes the difference. Faster than light communications would certainly help, but that may be too much to ask from the universe. Smarter computers would *definitely* help, and should have been possible. The use and operation of computers in this brave new world is not clearly spelled out, but they seem to run on scripts, rather than machine code. The mysterious and powerful race have ensured that all computers are registered and known, thus fulfilling Microsoft's dreams for Palladium. (Apparently no Linux hackers, or other amateur computer enthusiasts, have survived.) Serious cryptography seems to have been forgotten: there is one reference to the fact that nobody can use cryptography since everyone has powerful computers and can therefore break any ciphers. This indicates that everyone has forgotten that, when computer power increases, you can just increase the key length. The fact that computers are known and registered is used to prove the need for low-tech communications solutions when the bad guys move in and take over the seats of power. However, a few pages later, our merry band of counter-revolutionaries is happily using communications devices that seem to have a lot of computer-related functions (even real-time broadcasts seem to be "store and forward"). Our underground heroine manages to become a fully-fledged intruder in the space of twenty-four hours. Along the way she does learn something that I wish every security professional knew: when you have functional security, you'd better have an assurance activity as well. (Of course, if anyone had put "defence in depth" in place, she'd have been sunk.) copyright Robert M. Slade, 2004 BKSNDRNG.RVW 20040629 rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade [Rob, It's typically Weakness in Depth rather than Defense in Depth. But I suppose things will not have changed much by then anyway. PGN]
Please report problems with the web pages to the maintainer