The Cyber Security Industry Alliance is calling on the Bush administration to beef up its cybersecurity operations, starting with elevating the position of national cybersecurity director to assistant secretary level. "There is not enough attention on cybersecurity within the administration. The executive branch must exert more leadership," says Alliance director Paul B. Kurtz, who's a former senior cybersecurity official in the Bush administration. Kurtz was joined by Amit Yoran, the former director of Homeland Security's National Cyber Security Division who resigned in September. Meanwhile, a provision in the recently passed intelligence overhaul bill that would have raised cybersecurity's profile in the Homeland Security Department was stripped out before passage. The Alliance's recommendations mirror those outlined in a report issued Monday by the House subcommittee on cybersecurity, which also calls for the administration to consider tax breaks and other incentives for businesses that make computer security a top priority. In addition, both groups are urging the Homeland Security Department to take the lead in creating a disaster recovery and response plan, should the U.S. suffer debilitating digital sabotage. [*The Washington Post*, 8 Dec 2004; NewsScan Daily, 8 Dec 2004] http://www.washingtonpost.com/wp-dyn/articles/A45622-2004Dec7.html
This is from the United Kingdom, and I really have to wonder how anyone can download an 'incompatible system' to 80,000 computers in this day and age. It boggles the mind! Recovery in a day is not shabby, either, if true. The Department of Work and Pensions (DWP) has suffered what has been described as the biggest computer crash in government history after a software upgrade that is believed to have downloaded an incompatible system throughout the entire DWP network. The government department lost 80 per cent of its roughly 100,000 PCs following a "routine software upgrade", a DWP spokeswoman confirmed today. The problem lasted all of yesterday but the "majority of our system is up and running now", she said. Microsoft and EDS run the DWP's network as part of a 2-billion pound IT contract. The situation had apparently been largely rectified by the next day. [Source: Government department wiped out by IT upgrade disaster; Another massive computer cock-up, this time at Work and Pensions. http://www.techworld.com/opsys/news/index.cfm?NewsID=2695&Page=1&pagePos=2 By Laura Rohde, IDG News Service, 26 Nov 2004; PGN-ed] R.S.(Bob) Heuman, Toronto, ON, Canada Independent Computer Security Consulting Web Site Auditing for Compliance with Standards email@example.com
The German-based Web portal Lycos Europe is offering a screensaver program that chokes spam servers by flooding them with junk traffic. The company argues that what it's doing is perfectly legal, but former FCC chief technologist David Farber comments: "You don't stop a bad thing by being bad yourself. The idea of somebody coming and hitting you and you hitting back, you both end up very hurt. It just aggravates an already serious problem." And noted computer security expert Dorothy Denning, a professor of defense analysis at the Navy Postgraduate School, points out that cyberspace activism of the kind offered by Lycos Europe is likely to have only minimal impact on spam because "the cost of adding extra bandwidth may be worth the reward" that spammers get from their activities. She adds: "The interesting question is whether or not that company [an anti-spam activist company] might be liable under some law, and would probably be liable, certainly, at least under a lawsuit by the spammers." [AP 30 Nov 2004; NewsScan Daily, 1 Dec 2004] http://www.usatoday.com/tech/products/2004-11-30-lycos-attack-spam_x.htm?csp=34
Errors by screeners--not random computer glitches that the federal government previously blamed--were responsible for false alarms over weapons that sparked the recent evacuation of Midway Airport and two other U.S. airports, according to the Transportation Security Administration. The confusion that led to the terminal evacuation on 15 Nov was prompted by a hand grenade appearing on an X-ray scanner. The image of the grenade, part of an exercise used to test screeners, should have been stored in a computer file by a security agency staff member as part of standard procedure before an employee shift change at the screening checkpoint, said Amy von Walter, spokeswoman for the security agency. Federal security officials initially said a malfunction in a software program used to test screener performance prompted a computer-generated image of the grenade to appear randomly on the X-ray screen. A screener operating the X-ray scanner thought the grenade, artificially projected inside a carry-on bag, was real. If the screener were being tested, the grenade image would have disappeared when the screener tapped a button on the device's console to acknowledge seeing the item. In this case, the grenade did not vanish. But the passenger was able to leave the security checkpoint with the suspect bag before screeners could search its contents, leading to the evacuation order. [DMcK submitted two items, a week apart. This is PGN-ed from the more recent and more accurate. Source: Jon Hilkevitch, Screeners blamed for bomb scare, *Chicago Tribune*, 23 Nov 2004] http://www.chicagotribune.com/news/local/chi-0411230350nov23,1,4870091.story?coll=chi-newslocal-hed
A manufacturer of Automated External Defibrillators (AED) recently announced a recall due to failure modes in which AEDs failed to deliver a shock when needed, or "turned themselves on" and subsequently failed to function (presumably due to drained batteries?). The maker claimed a failure rate of less than one percent, although it is not clear how that figure was obtained (many of these units are deployed in public buildings or other settings where few of them will actually be called upon to operate). Aside from the risk of shipping an inadequately tested product, the article below raises some other interesting points: The manufacturer says that no patient has died because of either failure mode - which should be obvious, since an AED is only to be applied to a patient who is already technically dead (pulseless). A fire chief cites the obvious concern of carrying a piece of equipment that may not work when needed. An EMS director notes that, where units cannot be immediately replaced, their removal turns a 1% probability of not defibrillating into a 100% probability. The AP article is at http://cms.firehouse.com/content/article/article.jsp?sectionId=17&id=36601
Exploding Cell Phones a Growing Problem; Injuries From Exploding Cell Phones Prompt Recalls; Bad Batteries or Chargers Often the Culprit (ABC News, AP item, 24 Nov 2004) Safety officials have received 83 reports of cell phones exploding or catching fire in the past two years, usually because of bad batteries or chargers. Burns to the face, neck, leg and hip are among the dozens of injury reports the Consumer Product Safety Commission has received. The agency is providing tips for cell phone users to avoid such accidents and has stepped up oversight of the wireless industry. There have been three voluntary battery recalls, and the CPSC is working with companies to create better battery standards. U.S. phone makers and carriers say most fires and explosions are caused by counterfeit batteries and note that in a country with some 170 million cell phone users, the number of accidents is extremely low. [PGN-abst]
Some local wildlife decided to get warm and intimate with power lines, blowing a transformer, and causing a cascade shutdown of substations across much of the city of Winnipeg, Canada. http://winnipeg.cbc.ca/regionalnews/caches/mb_hydro20041118.html This left every plane in central Canada (Saskatchewan, Manitoba, NW Ontario) flying blind for some eight minutes as YWG Center went down. Although power was restored after one minute -- backup power also failed -- the radar and communication systems took seven more minutes to restart. http://winnipeg.cbc.ca/regionalnews/caches/mb_powerout20041118.html D. Joseph Creighton [ESTP] | Info. Technologist, Database Technologies, IST Joe_Creighton@UManitoba.CA | University of Manitoba Winnipeg, MB, Canada, eh?
Software engineers at Hewlett-Packard are developing "virus-throttling" software to slow the spread of viruses and worms on the Internet by identifying suspicious behavior. HP chief technology officer Tony Redmond says, "Any worm or virus that depends on its ability to spread itself will be hurt by this technology." Alan Paller, director of research at the SANS Institute, says the overall idea "makes sense," and adds, "It's an arms race, not a simple war. I've been hearing people talk about the notion of throttling for a long time, and it's a spectacular idea if HP can get it to work." [*The Washington Post*, 30 Nov 2004; NewsScan Daily, 1 Dec 2004] http://www.washingtonpost.com/wp-dyn/articles/A23527-2004Nov30.html
I recently received e-mail from Southwest airlines informing me of an e-ticket. The only problem is that I didn't make the reservation, and it's not for me. While there's a Reply-To: header in the message, with the same address as the From: header, there's a note at the bottom saying please don't reply to this address, and the message provides no way to reach Southwest's customer service department. I suppose I can dig around their website, or call their general toll-free number to try and remedy this, but why on earth don't they include a customer service contact in their e-mail? [To Southwest's credit, they did NOT include a credit card number in the e-mail.] Drew Dean, Computer Science Laboratory, SRI International
I was recently looking to purchase some items from an online grocer in Germany, www.lila-se.de , which offers service in both English and German. Everything seemed relatively straightforward until I examined the section labelled "Shipping Cost Informations". Zone 1 countries and regions were listed as follows:

(from the English-language part of the site)

Generally Shipping Costs for Delivery Zone 1 (EU)
Zone 1 - EU(European union)
Andorra, the Azores, Belgium, Denmark, Faeroeer (DK), Finland, France, Greece, Greenland, Great Britain (inclusive Isle OF one), Guernsey, Ireland, Italy, jersey, Korsika, Liechtenstein, Luxembourg, larva Irish Republican Army, Monaco, the Netherlands (Holland), Northern Ireland, Austria, Poland, Portugal, San Marino, Sweden, Switzerland, Slowakei, Spain (inclusive Balearen), Tschechien, Vatikanstadt.

vs. the German version (listed under "Versandkosten")

Zone 1 - EU (Europäische Union)
Andorra, Azoren, Belgien, Dänemark, Färöer (DK), Finnland, Frankreich, Griechenland, Grönland, Großbritannien (inklusive Isle of Man), Guernsey, Irland, Italien, Jersey, Korsika, Liechtenstein, Luxemburg, Madeira, Monaco, Niederlande (Holland), Nordirland, Österreich, Polen, Portugal, San Marino, Schweden, Schweiz, Slowakei, Spanien (inklusive Balearen), Tschechien, Vatikanstadt.

Note the entry in the English-language page: "larva Irish Republican Army", between Luxembourg and Monaco. This is definitely a puzzle until one looks at the corresponding entry on the German page: Madeira. What presumably has happened is that the word "Madeira" has been split in two for some reason, becoming "Made" and "ira". Then "Made" was translated, becoming "larva", whereas "ira" was not translated but expanded to become "Irish Republican Army". (Why other place names were not subjected to this treatment remains a mystery).
Three risks (at least): 1) The usual hazards of doing a literal, contextless translation, magnified by an unexplained parse-split-translate procedure, leading to a result that, in this case, can be described without exaggeration as "weird" (not to mention inaccurate). 2) That a potential customer will see these idiosyncratic translations and assume that they're just the tip of the iceberg in terms of sloppiness, and take his or her business elsewhere. 3) While no reasonable person will see this site as "terrorist-related" there's a real risk that blocking software could spot the phrase "Irish Republican Army", and categorize this site as "Political Extremism-related", for no evident reason. The RISKS to even cautious web-surfers living under authoritarian regimes, of accidentally viewing "Political Extremism" sites need no further explanation.
While perusing some job posting web sites I found an interesting commentary. I suspect the comments are intended for either in-house or external recruiters who just posted it using select-all copy & paste resulting in text that probably was not intended for public view. Particularly the set of competitors to raid. Required: C Plus Plus; Perl; Network Protocols; Linux; TCP/IP; Yes I will notify you guys in the case that anything else even gets warm. Right now I don't even have any other recruiters working on this but that may change by the end of the week. Companies to Pinpoint Recruit from include: <List of competing companies> (my former boss at <one of the competitors> is now the VP of Engineering here)
> 7. Accurate and transparent voting roll purges.

or doing away with purges... if convicted felons are allowed to write the proprietary software that the machines run and manage the company that manufactures the machines <http://www.blackboxvoting.com/modules.php?name=News&file=article&sid=132>, then convicted felons should be allowed to use the machines.

> 11. An end to minority vote suppression, disenfranchisement, harassment,
> dirty tricks.

to a large extent, it can be argued that purging voters *is* a form of suppression, disenfranchisement, harassment, and dirty tricks. purging felons from voting rolls was devised as a "jim crow" law, and it can be argued that jim crow is still proud of it. this article <http://www.heraldtribune.com/apps/pbcs.dll/article?AID=/20040708/COLUMNIST36/407080376> points out how the purge can be used as a precision weapon in the war against democracy.
Regarding the summary of the NYT editorial, I do not see any requirement that voters be citizens of the U.S. or any identification requirement. [Citizens, yes. That is understood. Identification? It varies from place to place, and is seriously abused in some, one way or the other. PGN] Appalled as I am at the allegations regarding the 2004 elections, I do not think that these .orgs address all the anomalies. For example: Laying the Groundwork: A Study Of Voter Registration In Missouri http://cf.townhall.com/linkurl.cfm?http://www.centerforethics.org/VoterRegistrationStudy.htm Moreover, a more fundamental threat was not addressed in the editorial at all. Both parties are at fault here, recalling the Bush amnesty: Carrying out the Mandate: Get Borders and Illegal Immigration Under Control http://cf.townhall.com/linkurl.cfm?http://www.humaneventsonline.com/article.php?id=5718 As PGN stated in an earlier issue of RISKS: [including] the actual casting of ballots and the creation, evaluation, certification, testing, and maintenance of voting equipment. But it also includes the _registration of voters; identification, authentication, and challenging of voters_; creation of the actual appearance of ballots and setting up the voting machines; distribution and handling of ballot and polling-place information, absentee ballots, and especially provisional ballots; processing of ballots; tabulation and collection of results; and proper assurance that voters' ballots are treated with adequate respect for privacy -- along with oversight of each of the steps in the entire process. comp.risks 23.58, November 4, 2004, (emphasis added) Many of these are not matters of technology (rushing a polling place in the last minutes) but surely fall within the ambit of comp.risks. But if either major party has consistently addressed any of these, I've missed it. I find the Democratic inattention to the deficiencies of the 2004 technologies before election very perplexing. 
Appalling as the allegations which have appeared in sources quoted on this list are (some of which find corroboration in the RISKS archives), I am afraid that the proposals, laudable as many of them are, in the NYT editorial are insufficient.
Here's another longstanding anomaly: Nearly 50,00 duplicate registrations: Florida Redux? http://www.eagleforum.org/column/2004/oct04/04-10-27.html

Here's a Republican warning about technological deficiencies, in May: Don't Let Judges Jimmy Elections http://www.eagleforum.org/column/2004/may04/04-05-12.html

The most serious risk: The Scam of Voting by Noncitizens and Felons http://www.eagleforum.org/column/2004/aug04/04-08-18.html If this isn't fixed, the system will be broken.

More predictions of the current debacle, from someone with first-hand experience as a local office candidate: http://www.NewsWithViews/Devvy/kidd72.htm

Mark my words: We will never know the true vote count next month no matter how many times the ballots are run through a machine or how many lawsuits the Democrats file against the Republicans and vice versa. ... As someone who has run for public office, put their whole heart into the effort, along with all the volunteers and the financial generosity of so many, I would rather have waited four or five days for a real vote count than be cheated. I don't want election results at the speed of a button, I want a true vote count. ... A must is to get rid of the insidious Motor Voter Law of 1993. All states of the Union must purge their voting rolls and start over from scratch. There is a two year period between elections. That's more than enough time for anyone who has a real desire to vote, to obtain a certified birth certificate and personally get down to the county clerk's office to register. If someone can't find those few minutes over a two year period, then fine, keep them out of the voting booth.
As I write this, the extremely close vote for mayor of San Diego is still up in the air. From http://www.signonsandiego.com/uniontrib/20041107/news_1m7frye.html : "But she clearly benefited from the unusual technical aspects of this election. Because of problems in the March primary with a touch-screen voting system, the county shifted to optical-scan ballots, which required voters to fill in bubbles next to their choices. That meant all voters were handed a pen when they got their ballot, a remarkable turn of luck for Frye." This highlights a risk of computerized voting: More difficult to write in a candidate, and conversely, if a fallback system is used, that can stimulate a change in vote. Also, the web page that shows the results http://www.sdcounty.ca.gov/voters/Eng/Eindex.html is a bit difficult to figure out the vote tally, whoever wrote it didn't seem to consider the possibility of a write-in - so there is a separate link to see the slowly increasing Frye vote, as opposed to the regular candidates and "write in."
> Apple is missing out on a huge market here by not allowing their OS to run
> on other vendors' hardware. Nobody's going to buy a Mac to run an ATM or a
> cash register, but they might buy the OS if they thought it would work
> better.

Apple being wrong about not letting their OS run on non-Apple hardware is an age-old argument. The age-old counter argument is that part of the quality of Apple's OS is the fact that Apple controls the hardware. That gives them an enormous advantage when it comes to guaranteeing some level of quality to customers. Without it, when Mac OS X would have to run on any (and *cheap*) third-party hardware, Apple cannot guarantee the hardware quality, customers with crappy hardware will blame Apple for problems, Apple loses its name of offering quality products. If you want quality, you need to be willing to pay for it. It's that simple. It seems Apple understands that.

Of course that doesn't mean some enterprising bank could not try to get Apple interested in working together on building ATM hardware running Mac OS X. Steve Jobs might like the challenge. But it seems to me that something like Mac OS X is way overkill for an ATM machine... Possibly Darwin. But then there's other BSDs too to choose from.

Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>
I thought RISKS folks might be interested in a paper I've written which is just now available on SSRN. In part it's a response to the periodic calls for "liability" (notably from Bruce Schneier) as a mechanism for solving computer problems. The upshot is that I think Bruce is right that there is a need for a regulatory response, but that extending, say, tort liability to software would be a disaster. In addition to my more complicated law & economics argument for why this is, I point out in passing that ordinary tort liability could crush open source software, which has the potential to act as a positive force in addressing the underlying market failure. Douglas Barnes http://www.salguod.com Abstract: Both law enforcement and markets for software standards have failed to solve the problem of software that is vulnerable to infection by network-transmitted worms. Consequently, regulatory attention should turn to the publishers of worm-vulnerable software. Although ordinary tort liability for software publishers may seem attractive, it would interact in unpredictable ways with the winner-take-all nature of competition among publishers of mass-market, internet-connected software. More tailored solutions are called for, including mandatory "bug bounties" for those who find potential vulnerabilities in software, minimum quality standards for software, and, once the underlying market failure is remedied, liability for end users who persist in using worm-vulnerable software. http://papers.ssrn.com/abstract=622364