Our local newspaper reports in print (but not on line) that Exelon Power's Cromby generator in Phoenixville, PA exceeded pollution limits for seven months in 2004 after an unidentified "vendor" programmed an emissions monitor for the wrong standards, and that the company will pay 600 grand. Websites for the company and the PA Dept of Environmental Protection confirm the story. Exelon is the parent company of PECO Energy, formerly Philadelphia Electric Co., which supplies power to the area. Cromby has two generators, one coal-fired and one switchable between oil and natural gas. The vendor ("a big company" says Exelon) set the monitor for the coal-fired unit to standards for the other unit. (I would guess that the SO2 limits for oil might be higher.) Exelon discovered the problem while aggregating data "for a large use," stopped it and turned itself in. DEP assesses a fine for each day of violation. Risks for a company: trusting the dials and trusting the vendor when you're on the hook. Risks for the rest of us: breathing in. Exelon report: http://www.exeloncorp.com/NR/rdonlyres/DDDBE22B-94E3-4EE1-9F3C-ED4266DB0093/977/environ_rpt_2004.pdf (see page 16, numbered 12) PA DEP: http://www.depesf.state.pa.us/news/cwp/view.asp?a=3&q=465363 Daily Local News (West Chester, PA): www.dailylocal.com (The article appeared 2005-07-05; who knows, it might yet show up on the site.)
E P I C A l e r t Volume 12.13 June 30, 2005 Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org/alert/EPIC_Alert_12.13.html EPIC Keeps Watchful Eye on US-VISIT Foreign visitors to the United States are experiencing a new kind of jet lag: delays and secondary security screenings prompted by technological glitches in the border security program known as the United States Visitor and Immigrant Status Indicator Technology (US-VISIT). Documents obtained by EPIC under the Freedom of Information Act from the Department of Homeland Security show that US-VISIT has resulted in many cases of mistaken identity. Commercial aircrew members, vacationers, and businesspersons have all been delayed by the gaffes. The problems caused unnecessary delays in the visitors' travels and resulted in the improper flagging of crewmembers by government watch lists. US-VISIT was launched at 115 airports and 14 seaports in January 2004. By the end of 2005, the program will be operational at all of the nations more than 400 ports of entry. US-VISIT requires foreign nationals entering or exiting the country to submit biometric and biographical information. This data collection often begins before a visitor buys her plane ticket, as U.S. consular offices abroad may, before issuing a U.S. visa, collect fingerscans from potential visitors and compare them against those in a criminal database. Fingerscans are again collected upon the visitor's arrival in the U.S. for verification and then stored in a government database, as are travelers' arrival and departure records. Failure to be processed through this departure confirmation system could jeopardize a visitor's re-admittance to the U.S., as the government compares the manifest information provided by air and cruise lines to ascertain that visitors have not overstayed their visas. Last September, US-VISIT expanded to include visitors from the 27 nations who are members of the Visa Waiver Program, thus requiring the screening of an additional 33,000 persons per day. Except for visiting diplomats and officials and persons under 14 or over 79 years old, US-VISIT now applies to virtually all foreign nationals holding nonimmigrant visas, regardless of country of origin. The documents obtained by EPIC show that some travelers are aware that the US-VISIT database contains erroneous information well before DHS realizes its own mistake and fear that their next visit to the U.S. will result in misidentification. Visitors reported missing their connecting flights due to errors in the database system, and airline crewmembers reported being delayed up to ninety minutes after a long international flight. Some travelers reported that the operator collecting fingerscans at a port had erroneously reversed their left and right index fingerprints, labeled a husband's fingerprints as his wife's, failed to collect the data required under US-VISIT, or collected data from travelers exempt from the program, such as holders of a G-4 visa. Passengers' numerous requests to the DHS for correction of erroneous personal information suggest that the rush to implement US-VISIT has come at the expense of data accuracy and passenger privacy. IDENT, the government database containing US-VISIT fingerscans, is based on technology that even the DHS considers outdated, even though the government has already invested about $1 billion in the program. The current fingerscan technology does not meet the government's biometric standard, which mandates imaging of all ten fingerprints. Last fall, Stanford University professor Lawrence M. Wein testified before Congress that the chance of identifying a terrorist by matching two index fingerscans poorly imaged by IDENT against the government's biometric watch list is no more than 53%. Privacy concerns are increasing as the government turns to the private sector for full implementation of US-VISIT; global consultant Accenture received a $10 billion contract last year for full-scale implementation over the next decade. Freedom of Information Act documents obtained by EPIC on US-VISIT: http://www.epic.org/foia_notes/note7.html EPIC's US-VISIT Page: http://www.epic.org/privacy/us-visit/ More information on the US-VISIT technology and cost is available at: http://www.epic.org/redirect/wpvisit605.html
[Noted by Keith Rhodes. This is another database full of unreliable information that will inadvertently released?] The Defense Department has begun working with BeNow Inc, a private marketing firm, to create a database of high school students ages 16 to 18 and all college students to help the military identify potential recruits in a time of dwindling enlistment in some branches. The program is provoking a furor among privacy advocates. The new database will include personal information including birth dates, Social Security numbers, e-mail addresses, grade-point averages, ethnicity and what subjects the students are studying. Chris Jay Hoofnagle, West Coast director of the Electronic Privacy Information Center, called the system "an audacious plan to target-market kids, as young as 16, for military solicitation." He added that collecting Social Security numbers was not only unnecessary but posed a needless risk of identity fraud. Theft of Social Security numbers and other personal information from data brokers, government agencies, financial institutions and other companies is rampant. "What's ironic is that the private sector has ways of uniquely identifying individuals without using Social Security numbers for marketing." The Pentagon statements said the military is "acutely aware of the substantial security required to protect personal data," and that Social Security numbers will be used only to "provide a higher degree of accuracy in matching duplicate data records." [Source: Recruiting Tool For Military Raises Privacy Concerns, Jonathan Krim, *The Washington Post*, 23 Jun 2005; PGN-ed]
A programming error in the University of Southern California's online system for accepting applications from prospective students left the personal information of ``hundreds of thousands of records'' publicly accessible. The flaw was discovered by a student in the process of applying. [Source: Robert Lemos, SecurityFocus; PGN-ed] http://www.theregister.co.uk/2005/07/06/usc_site_cracked/ [We hope that the student's application was not rejected because he had discovered the flaw! PGN]
Information passed on could have been used to clone credit cards Police are investigating reports an Indian call centre worker sold the bank account details of 1,000 UK customers to an undercover reporter. The Risks? Obvious really - overseas call centres in poverty stricken third world countries, the staff of whom have unlimited access to personal and private information of the more wealthy, are the worst security risks ever devised by financial organisations. See: http://news.bbc.co.uk/1/hi/uk/4121934.stm
http://www.pacificepoch.com/newsstories?id=33425_0_5_0_M Game Accounts Take Center Stage In Divorce Legend of Mir 2, Online Game, SNDA, Shanda Posted by: <http://www.PacificEpoch.com/members/profile_view_ind.php?id=164 Zhou Zhengqian on Jul 01 | 17:07 A divorce in Chongqing has turned ugly when both parties want their joint online game accounts, Chongqing Business Post reports. Mr. Wang from Chongqing and Ms. Ye from Huibei met last September on Shanda's (Nasdaq: SNDA) online game Legend of Mir 2. Wang saved Ye's character from being killed by another player. The couple married at the end of October but decided to get a divorce in June. During their marriage, the couple jointly played over ten Mir 2 accounts, attaining level 40 to 50 status for all of them. The characters and virtual items are estimated to be worth 40,000 to 50,000 Yuan. Wang said that he wants to keep the accounts and virtual items and is willing to give their joint apartment to Ye. However, Ye wants to split the apartment and game items equally. Esther Dyson Always make new mistakes! Editor, Release 1.0 CNET Networks - www.cnet.com 104 Fifth Avenue (at 16th Street) New York, NY 10011 USA +1 (212) 924-8800 www.release1-0.com PC FORUM: http://www.edventure.com/pcforum/ FLIGHT SCHOOL: http://www.edventure.com/pcforum/flight.cfm current status (with pictures!) at http://www.flickr.com/photos/edyson/
Dawn S. Onley, GAO: Army's FCS initiative faces uncertain future, Government Computer News, 8 Jul 2005 The major communications programs that will support the Army's transformational Future Combat Systems initiative are in jeopardy of failing to meet technical challenges and an accelerated schedule, according to the Government Accountability Office. GAO found that each of the communications pillars of the Army's Future Combat Systems (FCS) program - two Joint Tactical Radio System (JTRS) clusters, the Warfighter Information Network-Tactical (WIN-T) program and the System of Systems Common Operating Environment (SOSCOE) - would likely fail to meet aggressive schedules due to immature technologies. "As currently structured, the JTRS, WIN-T and SOSCOE programs are at risk of not delivering intended capabilities when needed, particularly for the first spiral of FCS," according to GAO. "They continue to struggle to meet an ambitious set of user requirements, steep technical challenges and stringent time frames." FCS is designed to link 18 manned and unmanned weapons systems via a common computer network known as WIN-T and the System of Systems Common Operating Environment. The Army restructured its FCS program last year into spirals, with officials announcing the first spiral would happen in fiscal 2008. But GAO said the first spiral may not demonstrate key networking capabilities. GAO found the FCS program faces network, developmental and financial challenges that continue to slow progress. FCS' information network is dependent on the success of JTRS, WIN-T and SOSCOE - programs that are not included in FCS costs. "Because JTRS, WIN-T and SOSCOE all rely on significant advances in current technologies and capabilities and must be fully integrated to realize FCS, there are substantial risks to this effort," wrote Paul L. Francis, GAO's director of acquisition and sourcing management, in the report. For the full article, with a link to the original GAO report, see: http://www.gcn.com/vol1_no1/daily-updates/36302-1.html Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB +44 (0)20 7040 8422
So I ordered some parts on-line. They arrived. Then 45 days later, my credit card bill listed a PayPal charge. Whoa... I don't engage in such foolishness; certified letter to CC Co, asking "huh?"... Two weeks later, PayPal starts sending ME email about fraudulent use of MY account...to the email address that I use for on-line buying. Doh! The *merchant* uses PayPal to do their processing. OK. But I try to write to PayPal to explain. No Joy. Only option to contact them is to FIRST log into my PayPal account; and use the webform.... and I don't HAVE an account.. Write CC Co, dropping protest. Now, 4 months later, PayPal writes again. My account is locked.... (Need I continue?) Paypal assumes only account holders have a reason to reach them. They can't grok that that merchants and/or buyers may be involved. Further, they wrote ME about the holder's account. [They did NOT, at least give me his account ID just a incident number.] Risks: Identity theft is sometimes TOO easy....
Folks, get a grip. The opinion doesn't say anything about encryption being illegal. Quoting from the opinion, the justices were trying to determine: Did the district court err in admitting evidence concerning appellant's internet usage and encryption capability for his computer? They wrote: ... Appellant first argues that he is entitled to a new trial because the district court erred in admitting irrelevant evidence of his internet usage and the existence of an encryption program on his computer. Rulings involving the relevancy of evidence are generally left to the sound discretion of the district court. State v. Swain, 269 N.W.2d 707, 714 (Minn. 1978). And rulings on relevancy will only be reversed when that discretion has been clearly abused. Johnson v. Washington County, 518 N.W.2d 594, 601 (Minn. 1994). "The party claiming error has the burden of showing both the error and the prejudice." State v. Horning, 535 N.W.2d 296, 298 (Minn. 1995). Appellant argues that his "internet use had nothing to do with the issues in this case;" "there was no evidence that there was anything encrypted on the computer;" and that he "was prejudiced because the court specifically used this evidence in its findings of fact and in reaching its verdict." We are not persuaded by appellant's arguments. The record shows that appellant took a large number of pictures of S.M. with a digital camera, and that he would upload those pictures onto his computer soon after taking them. We find that evidence of appellant's internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state's case against him. See Minn. R. Evid. 401. ... Think of it this way: (child pornography, (digital pictures, digital camera, computer, crypto software, photo sharing)) is like (check fraud, (computer, blank check stock, list of account numbers, MICR printer, ink removing solvent)) or (assault, (baseball bat, bloody towel, footprint)) or (burglary, (lock picks, bolt cutters, black cap, gloves)).
WWW2006 Refereed Track: Security, privacy & Ethics Viruses, spyware, and identity theft are turning the World Wide Web into a dangerous place. By undermining consumer trust, these problems are hampering e-commerce and the growth of online communities. A basic lesson is coming home to researchers, operators, and ordinary users alike: Security and privacy are not frills or features, but vital and enabling building blocks. As Web-based systems take on a physical dimension through wireless devices and sensors, and as they absorb varied media -- from books to online games to home movies -- digital security is ramifying in its economic and social reach. This track promotes the view that security, privacy, and sound guiding ethics must be part of the texture of a successful World Wide Web. In addition to devising practical tools and techniques, it is the duty of the research community to promote and guide business adoption of security technology for the Web and to help inform related legislation. The organizers seek novel research in security, privacy, and ethics as they relate to the Web, including but not limited to the following areas: * Biometrics and secure template management * Digital Rights Management from its technical, ethical, and legal perspectives * Economic / business analysis of Web security and privacy * Electronic commerce, particularly security mechanisms for e-cash, auctions, payment, and fraud detection * Intrusion detection, insider threats, auditing, and honeypots * Legal and legislative approaches to issues of Web security and privacy * Location-based services * Knowledge-based authentication, such as security questions for password recovery * Privacy-enhancing technologies, including anonymity, pseudonymity and identity management * Public-key infrastructure and supporting concepts like digital signatures and certification * Secure and robust management of server farms * User interfaces as they relate to digital signing, encryption, passwords, and online scams like phishing * Wireless devices that interface with the Web, including RFID, sensors, and mobile phones * Web-services and supporting standards like XML Chairs * Ari Juels (RSA Laboratories) (Vice Chair) * Angelos Keromytis (Columbia University) (Deputy Vice Chair) PC Members [see website] For more details, see http://www2006.org/tracks/security.php The World's WWW Conference WWW2006 will bring together the international communities of researchers, developers and business that drive the Web forward, shaping and developing its potential for new areas of communication, research, business and public administration. Since the first international WWW Conference in 1994, this prestigious event, organized by the International World Wide Web Conference Committee (IW3C2), has provided the annual public forum for communicating research and development of the Web infrastructure and applications, as well as W3C initiatives. The fifteenth conference in the series comes to the UK for the first time, and to one of the great historical centres of science and technology. Edinburgh is Scotland's capital city, home to one of the UK's oldest universities, an epicentre of the IT business sector and one of the world's great festival cities. The WWW2006 programme addresses topics in media, e-government, e-commerce, education and e-science. The technical programme will draw on global research and industrial strengths to provide a strategic forum for the dissemination of new techniques and applications throughout the research community, the business and company sector and government agencies.
BKSLNOWR.RVW 20050603 "Silence on the Wire", Michal Zalewski, 2005, 1-59327-046-1, U$39.95/C$53.95 %A Michal Zalewski email@example.com lcamtuf.coredump.cx/silence/ %C 555 De Haro Street, Suite 250, San Francisco, CA 94107 %D 2005 %G 1-59327-046-1 %I No Starch Press %O U$39.95/C$53.95 415-863-9900 fax 415-863-9950 firstname.lastname@example.org %O http://www.amazon.com/exec/obidos/ASIN/1593270461/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1593270461/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1593270461/robsladesin03-20 %O Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation) %P 281 p. %T "Silence on the Wire" I don't know why, exactly, the phrase "self-taught information security researcher" (in "About the Author") should give me such a sense of foreboding. (The phrase could apply to me, and to many colleagues, although we tend not to use it.) And even before I read it, a number of people had warned me I wouldn't like it. Well, I did like it, once I figured out what it was. I think a lot of people don't understand it. It is not a security text, by any means, but rather a series of explorations that take our "professional paranoid" mentality and examine some issues we seldom consider. The subtitle states that the book is about passive and "indirect" attacks. Although passive attacks are well defined, indirect does not have a formal distinction, and the introduction does not help in explaining what the author intends. Part one covers activities that occur at the origin of data and processing. Chapter one is titularly about typing, but spends a lot of time dealing with the problems of pseudo-random number generation, and seed data acquisition, and finally outlines an unlikely and very complex attack, heavily dependent upon specific functions and data availability, and seemingly directed at finding out if someone is typing at the computer. (The attack is also active, not passive.) A discussion of digital electronics, boolean algebra, and processor architecture, in chapter two, eventually leads to a brief discussion of the timing and power attacks that are well known in cryptology circles. (There are also odd and careless errors: readers are asked to contrast figure 2-4 with figure 2-4. There is a difference, it just isn't explained.) Chapter three reviews a few random and unrelated vulnerabilities. It is very difficult to determine what the point of chapter four might be, but it seems to be a screed against the use of Web crawling bots. Part two appears to address local communications links. Chapter five provides a brief review of data communications 101, and then notes the "flickering modem LED" vulnerability. The ethernet frame padding problem is described in chapter six, while chapter seven lists some other networking difficulties, and eight briefly mentions miscellaneous topics such as identification by keystroke analysis and war driving. (It should be noted that chapter length varies widely: chapters one, two, and five average twenty-five pages each, while the rest are closer to five.) Part three moves out to the Internet. Chapter nine reviews most of the TCP/IP protocol, and then discusses how the ways that different systems populate fields of the IP header can be used to identify operating systems without a direct connection. The discussion in chapter ten starts with passive mapping of an inaccessible network, but the attack described seems to be intended for sequence number guessing (and session hijacking). Chapter eleven addresses weaknesses in various types of firewalls. Dissection of an odd packet is in chapter twelve, a method of third party scanning in thirteen, some possible metrics for identifying software in fourteen, and some ways of recognizing attacker machines in chapter fifteen. Part four supposedly attempts to relate these disparate elements, apparently without much success. Chapter sixteen describes a storage method using packets bouncing around the net, seventeen looks at different methods of mapping the net and some possible uses, and eighteen considers the discovery of worms and other malware via the capturing of unusual packets. The material in the book is fascinating in places. However, the work is not structured in a way that makes the security implications obvious (the writing is not very direct, and the narrative or topical thread tends to wind around subjects), and, in fact, the security implications aren't very powerful at all. Yes, in the end, the author has written mostly about passive and indirect attacks, but the methods covered are unusual, and probably not very useful. Most of the material concentrates on rather weak covert channels. In this regard it can have some uses in a minor way: covert channel examples are not abundant in the general security literature. The attacks suggested are interesting thought experiments, but have limited uses either in attack or defence. As "Trivial Pursuit" (meaning the game of oddball facts) for the tech crowd it's great, but the author never intended the text to be a vulnerability warning. copyright Robert M. Slade, 2005 BKSLNOWR.RVW 20050603 email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer