Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The federal government, vastly extending the reach of an 11-year-old law, is requiring hundreds of universities, online communications companies and cities to overhaul their Internet computer networks to make it easier for law enforcement authorities to monitor e-mail and other online communications. The action, which the government says is intended to help catch terrorists and other criminals, has unleashed protests and the threat of lawsuits from universities, which argue that it will cost them at least $7 billion while doing little to apprehend lawbreakers. Because the government would have to win court orders before undertaking surveillance, the universities are not raising civil liberties issues. The order, issued by the Federal Communications Commission in August and first published in the Federal Register last week, extends the provisions of a 1994 wiretap law not only to universities, but also to libraries, airports providing wireless service and commercial Internet access providers. It also applies to municipalities that provide Internet access to residents, be they rural towns or cities like Philadelphia and San Francisco, which have plans to build their own Net access networks. So far, however, universities have been most vocal in their opposition. The 1994 law, the Communications Assistance for Law Enforcement Act, requires telephone carriers to engineer their switching systems at their own cost so that federal agents can obtain easy surveillance access. ... [Source: Sam Dillon and Stephen Labaton, *The New York Times*, 23 Oct 2005; PGN-ed] http://www.nytimes.com/2005/10/23/technology/23college.html?ex=1287720000&en=36556cd12f8fc287&ei=5090
Many color printers (Xerox, HP, etc.) add barely visible yellow dots that encode printer serial numbers and time stamps (down to the minute). Intended primarily to combat counterfeiters, the purportedly "secret" steganographic code in color printer copies has now been decoded by four people at the Electronic Frontier Foundation. (The encoding is straightforward, and includes no encryption.) There are of course various slippery-slope privacy issues. [Source: Mike Musgrove, Sleuths Crack Tracking Code Discovered in Color Printers, *The Washington Post*, 19 Oct 2005, D01; PGN-ed] http://www.washingtonpost.com/wp-dyn/content/article/2005/10/18/AR2005101801663.html [Also noted by Amos Shapir, who suggests you look at the eff site, which nicely documents the encoding: http://www.eff.org/Privacy/printers/docucolor/ PGN]
The Berlin daily newspaper "Tagesspiegel" has reported on the newest software chaos in town [we actually have a number to contend with at the moment... — dww]: http://archiv.tagesspiegel.de/archiv/13.10.2005/2112250.asp http://archiv.tagesspiegel.de/archiv/15.10.2005/2117152.asp It seems the registration offices bought themselves some brand-spanking-new software. All people living in Germany must register their address and the names of people who live with them with this office (which is part of the police jurisdiction) inside of a week of moving into town. The police use the data for all sorts of purposes. They cut over to the new system October 4, and the police suddenly discovered that they were offline - their systems did not work anymore, probably because the API was different. The police had to set up emergency computers directly linked to the official system and have police officers in the field *call in* their requests. Result: the line is always busy. But of course, there is no threat to the general public, just nasty waiting for the police [so maybe they don't need it at all? --dww]. The registration office was pointing the finger at the police, saying they had known for a year that this was coming. Then people called the papers complaining that waiting times at the office - which also issues passports and ID cards and the like - had gone from an hour to FOUR hours. The official excuse is that clerks were not sufficiently trained in the use of the 23 million Euro software called "Meso". And they insist that the waiting time is "only" doubled, not more. They request the good taxpayers who paid for the software to just stay home and not bother them until they get the kinks worked out - really, one office gave out a press release to just leave them alone! An added problem is that many people are trying to apply for new passports because from December on people have to pay more for them because they have to have RFID chips with biometric data stored in them so that the US government is appeased and will still let Germans in without visas..... Prof. Dr. Debora Weber-Wulff, FHTW Berlin, Internationale Medieninformatik 10313 Berlin http://www.f4.fhtw-berlin.de/people/weberwu/ +49-30-5019-2320
An item in an Information Week article (http://www.informationweek.com/story/showArticle.jhtml?articleID=170702055 : "Car Smarts") brings new meaning to the admonition to keep your eyes on the road: Toyota is testing technology meant to keep a driver's eyes on the road, according to The Associated Press. The technology employs a camera attached near the car's steering wheel and image-processing software that recognizes when the driver isn't facing forward. The system flashes a light on the dashboard and beeps when the driver looks away, according to the AP. If the driver doesn't respond, *the brakes are applied automatically*. The feature will be in Lexus luxury models to be sold in Japan next spring. (my emphasis). Well, *that* sounds reliable... I feel safer already. I hope they paint them a distinctive color so I can recognize them on the road and stay well away...
Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit. Bank Web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week. [...] [Source: Feds Want Banks to Strengthen Web Log-Ons, AP item, 18 Oct 2005; PGN-ed] http://finance.lycos.com/home/news/story.asp?story=52442651
Excerpt from http://www.boston.com/news/local/articles/2005/10/16/state_rejects_somerville_i_93_lane_shift/ We finally have an answer about how those new state mileage signs got so terribly messed up. And the blame is being placed on Bill Gates. MassHighway admitted that the state had found 19 legends on the new signs with significant errors in mileage. That's 12 percent of the 164 new signs in the $1.05 million contract. According to the contractor, some of the distances were calculated using Microsoft's Streets & Trips software. According to Microsoft, the software without a GPS hookup costs $39.95. This contractor was paid $130,000 by the state. Apparently the contractor had tried to use Mapquest, but found it unreliable. - - - - Excerpt from http://www.boston.com/news/local/articles/2005/09/25/in_chelsea_pedalers_celebrate_the_bus/ One sign on Interstate 93 north, near Exit 45 in Andover, reported that Manchester, N.H. was 42 miles away, although the actual distance is just a bit more than 28 miles. Another sign on Route 128/95 in Needham reported that Wellesley is 7 miles away. The actual distance is slightly less than 3 miles. A sign on Route 3 north in Braintree listed the distance to I-93 as 5 miles when the distance by odometer was 3 miles. [Also reported by Mark Lutton. PGN]
San Francisco administrators of OARS, Online Assessment Reporting System, issued a generic password (same for all teachers) that left the system wide open to anyone who knew a teacher's user name, because many teachers had not gotten around to changing the password. [Source: Nanette Asimov, *San Francisco Chronicle*, 21 Oct 2005, B2; PGN-ed] Cingular moved its voicemail system over to an AT&T wireless service over the past two weeks. Anyone initializing the account before the legitimate owner can then gain total access to the account. Approximately 26 million Cingular subscribers of the old system are potentially affected. [Source: Ryan Kim, *San Francisco Chronicle*, 21 Oct 2005, C1; PGN-ed]
http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,105386,00.html?source=NLT_PM&nid=105386 Interex membership list for sale to highest bidder; The bankrupt user group's member database is being sold to satisfy creditor demands A California bankruptcy court will sell Interex's membership database to the highest bidder to help satisfy creditor demands of the bankrupt user group, according to recently filed court papers. The Hewlett-Packard Co. user group claimed about 100,000 members before filing in August for bankruptcy in U.S. Bankruptcy Court for the Northern District of California after incurring more than $4 million in debt. The court filing is dated Oct. 5, but notices of the sale apparently reached some Interex members this week.
Repetitive motion injuries are now entering the mobile handheld world, with doctors reporting a spate of complaints about BlackBerry Thumb. [AP item seen in the (Palo Alto) *Daily News*, 21 Oct 2005; PGN-ed]
A woman is being summoned to court, and faces a 1000-pound fine if found guilty, over non-payment of a 1.20-pound London bus fare. Most of London's transport system is moving over to the Oyster card system, where quasi-smartcards are touched against readers at tube station barriers or doors to buses. A card can contain season tickets, top-up funds for pay-as-you-go travel, or both. According to the television news coverage today, Jo Cahill believed that she had paid on entering the bus, but the reader did not register her card in order to deduct the fare from the top-up funds. An inspector has treated her as a fare-dodger, even though she explained the situation and offered to pay. This seems to set the precedent that users are required to confirm that the reader has indeed registered their card, even though the visual and audible signals are not always clear. Transport for London claims that its Oyster card readers rarely fail, although they do not specify whether or not users will always be taken to court when they do fail. (I frequently get onto buses where the reader has a post-it note saying "reader broken" stuck to it.) More at: http://news.bbc.co.uk/1/hi/england/london/4361286.stm nick rothwell — composition, systems, performance — http://www.cassiel.com
Effective 26 Oct 2005, Cingular is switching to a new voicemail system for all its customers. One of the "features" is "Skip Password"--apparently, one will no longer need to enter a password if one has physical access to a handset. The option to continue to use a password will still be available, but "skip password" appears to be the default. >From their website (<http://cingular.com/voicemail_west>): > Skip Password > Save time accessing Voice Mail from your wireless handset. Just a one-time > password setupthat's it. Press and hold 1 from your wireless handset to go > straight to your voice mail. When accessing your voice mail from another > phone, your password will be required. > > To require a password for all calls from the Main Menu, > 1) Press 4 for Personal Options 2) Press 2 for Administrative Options 3) > Press 1 for Password and follow instructions to turn on your password The risks are obvious--to everyone except decision-makers at Cingular.
Posted on *The Register* http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/ with some background at http://www.cl.cam.ac.uk/~mkb23/phantom/ Interesting stuff on risks and responsibilities.
The organizations that should know better just don't seem to be learning. Today I received a request to participate in a survey, titled "New ACM Products/Services Survey" (I am a member of ACM). There were a number of things wrong with it: 1) The "From" address was not an acm.org address. 2) The link to the survey pointed to a site also not in acm.org 3) The survey link included an opaque token 4) The message was not digitally signed The fact that the from address and link don't point back to acm.org is a classic hallmark of phishing. The fact that the link contained an opaque token marks it as possible e-mail address harvesting. The lack of a signature means it's not possible to validate the message's authenticity. Actually, come to think of it, items 1 & 2 may ironically point to the message's authenticity. A real phisher would have made sure the reply-to address and displayed link were in acm.org. So this is either genuine or a very incompetent phisher :-) Unfortunately, this is the third such e-mail I've received from the ACM in the past couple of years. Each time I point out the obvious problems, and get a polite, if miffed-sounding reply. And nothing changes. How hard is it to buy a copy of PGP (or install GPG) and publish a key for this purpose on the ACM's website? Of all organizations in the world, I would hope that ACM would be leading the battle against e-mail fraud by example, not lagging far behind. Yes, I know key management isn't simple, but you'd think it would be worth the effort for the ACM. James Garrison, Athens Group, Inc. 5608 Parkcrest Dr Austin, TX 78731 http://www.athensgroup.com 1-512-345-0600 x150 email@example.com
It is that time of the year in the UK when then annual canvass of electors is done. My form came through the post yesterday. Originally the form had to be completed and returned in the post. A couple of years ago they started allowing you to register by phone, and this year you can now do it via the Internet. To register by phone or Internet there is a 10-digit reference number on the form. This is that is needed to update the register details by phone (usual automated answering service with 'press key n' to navigate responses). For registering via the Internet there is a 8-letter password. The reference number and password looks reasonably unguessable - no obvious patterns in the number and the password, although all lower csae letters, contains no words. On the down side, all the information is on a single sheet, which as I said was sent through the post. What extra security does the password provide? The real problem is that the envelope in which the form is sent is the one that is used to return the form in if it is to be returned, I suppose to try and save some money. Since the envelope is one you have to lick to seal, the registration form was delivered in an envelope that was open!
Last month while going over the statement for the one of our interest paying checking accounts from a major bank (one named for a western state that promotes its customer service in ads) I noticed a small discrepancy. The statement (which has recently been redesigned) has an entry for "Interest Earned" and a second one for "Interest Paid." The logical assumption is that you would be paid what you earned. But, this is not the case. Often (at least from recent experience) these differ by $0.01. In the first instance, the interest earned was $0.01 more than the interest paid. After noticing this, I had an interesting visit at the near-by branch, which occupied the branch manager for about 45 minutes while he discussed the issue with the people who should know what is happening ("the back office"). He was unable to relay a satisfactory explanation, other than that the 2 numbers come from 2 different systems, that over time it will even out, and that the operations people do not consider this an open problem (there was a strong indication that they had never heard of this problem). The next month the situation for this account was reversed, i.e. interest earned was $0.01 less than interest paid, so, at least so far, it has evened out. How common is this? We have a total of 3 checking accounts at this bank and in the past 2 months have seen this discrepancy 3 times (the 2 times on one account described above, and in the second month on another account). The first occurrence caused me to look through old statements more carefully, but I found no earlier cases. The risks: Inconsistent treatment of rounding and providing the customer inconsistent information.
Telephone customers have some protections from the negative consequences of Caller ID precisely because privacy advocates expended a lot of energy to assure the availability of number-ID blocking and to create a culture of privacy protection within the new technology. We succeeded. We weren't mistaken! Geoff Kuenning's numbered arguments conflict with each other. Many of us still lead lives in which protecting the identity of our phone numbers from strangers - not to mention marketers - is vital. I believe that automatic rejection of incoming ID-blocked calls is irresponsible to one's family and self. We can't possibly anticipate when a loved one will be in distress, calling us from a stranger's telephone. Automatic blocking disallows such a call from reaching us. Geoff says that a parent with a teenager on the loose at night would be sure to disengage the automatic blocking feature. Maybe so. But how about the next night, when the kid is safely in bed and an aunt or a cousin or a business associate is trying to reach us from a strange phone? The call will not get through. Geoff's commentary is comparable to saying that Martin Luther King Jr., was wasting his time because African-Americans now have some degree of equal opportunity. How do we think that came about, by magic? The efforts of privacy advocates when Caller ID was first introduced make it possible for Geoff to blithely proclaim, there's no privacy problem in 2005, the battling back in the 1980s wasn't important. Robert Ellis Smith, Publisher, Privacy Journal www.privacyjournal.net, firstname.lastname@example.org.
Windows may also delete the wrong file. I had two files on a network drive, hosted via Samba on a UNIX server, whose names differed only by capitalization of some letters. Windows Explorer faithfully displayed both names, with the proper capitalization. But when asked to delete one file, it deleted the other one. No warning about a potential conflict was given. I think this goes back to the half-hearted use by Windows of lower and upper case letters in file names. In some contexts, they are taken to be equivalent, in other cases they are considered different. I don't know whether this specific problem was due to Windows or Samba. But the end result was rather scary. Luckily, in this particular case, I noticed the problem right away, and was able to re-create the lost file by re-running the application that created it.
Organized by The European Institute of Cognitive Sciences and Engineering In cooperation with ACM's Special Interest Group for Computer-Human Interaction (SIGCHI) Call for Papers The international aviation community is advocating goals that compel radical innovation in approach to the fundamentals of aeronautical operations. The role of Human-Computer Integration professionals is to contribute and participate in an active manner to the success of innovation. HCI-Aero 2006 seeks to gather experts and novices from industry, government and academia in the field of human factors in aerospace computing systems. We invite researchers and practitioners to present innovative methods, techniques, tools, and technology. These include air and ground operations, training, design, certification and support both in civil and military applications with a focus on safety challenges, cost effectiveness, performance and comfort. The theme of HCI-Aero 2006 is "Innovation of Aeronautical Operations". This innovation vision finds expression in international air traffic management, coordinated via a satellite-based information exchange, based on coordinated air-ground operations, 4-D trajectory control and reduced constraint in control of aircraft movement. Innovation asserts new modes of operation and technological requirements. These technologies fundamentally change aviation work processes. These advancements impact information redistribution, interactions among agents, decision-making and various optimization processes. The changes in the work of air transportation operations require an approach to research and analysis that includes concern for the changes in the cognitive processes that supports the work in context. =20 Florence Reuzeau and Kevin Corker, General Co-Chairs of HCI-Aero'06 Dea =20 Submission Deadlines: 15th March 2006 - Full Research Papers 15 April 2006 - Industry Papers and Early Stage Research Papers=20 15 April 2006 - Panels, Workshops, Posters and Demos For more information see the attached call for details or access the conference web site on: http://www.eurisco.org/hci-aero2006
Mark Stamp Information Security: Principles and Practice John Wiley (Wiley Interscience), Hoboken NJ 2006 xxi+390 In his preface, Mark Stamp says that he hates black boxes and that the book is intended to illuminate some of the currently popular black boxes. This book seems quite useful as a textbook, with four main thrusts: cryptography, access control, protocols, and software. It includes some challenging problems at the end of each chapter, some of which are quite specific while others are open-ended and thought provoking. Security is of course a huge problem area and difficult to circumscribe. Although this book does not attempt to delve into all of the primary historical paths taken thus far (for example, understanding the bad ones can be very useful), it does a good job of analyzing where we are today in the areas that it carves out.
Please report problems with the web pages to the maintainer