Anyone surfing the New Brunswick government website on 1 Nov 2007 might have wondered if the province's former Conservative government had staged a coup. A computer glitch posted the week's agenda for Premier Bernard Lord and a news conference on pandemic planning with Health Minister Elvy Robichaud. However, neither man is still in office. It turns out a faulty computer server spit out information for January 2006 -- well before the Tories were defeated in the last provincial election and replaced by Premier Shawn Graham and his Liberal government. Technicians are trying to trace the problem. [Source: Canadian Press item, 1 Nov 2007] http://ca.news.yahoo.com/s/capress/071101/technology/technology_oddity_computer_glitch
This is what happens when there is NO full OFF-SITE back-up available! Bob

As a result of two disks failing on 21 Oct 2007, thousands of hours' work over many years on the part of 690 staff members at the Waikato District Health Board has vanished after a major computer error at Waikato Hospital. The lost data — which includes countless e-mails and personal work files, reports, letters, communications, teaching material, guidelines — was information that was backed-up in the hospital's storage area network. The hospital is spending at least $60,000 trying to retrieve the information and has hired experts in the US. [Source: Natalie Akoorie, Error blitzes health records, *Waikato Times* 3 Nov 2007; PGN-ed] http://www.stuff.co.nz/4260645a11.html [Also noted by Andrew King in the NZ Herald. PGN]
"Thousands at risk after data loss" http://news.bbc.co.uk/2/hi/programmes/moneybox/7076106.stm A CD-ROM containing personal details about some 15000 people was lost by a courier. I remember a time when such stuff was moved on magtapes in huge aluminum boxes, not as easy to mislay, I guess. Risks of miniaturization? One really intriguing thing here (for me): The Revenue refused to say "on security grounds" whether the information was encrypted. Does anybody have a plausible idea what kind of security grounds that might be? Bonus: "Dog starts car after eating chip" http://news.bbc.co.uk/2/hi/uk_news/england/southern_counties/5382878.stm This one shows that new technology can cause not only unintended new failure modes, but also new modes of recovery from failures. [Perhaps the dog thought it was a BONE-US. PGN]
"Network Neutrality Squad": Users Protecting an Open and Fair Internet http://lauren.vortex.com/archive/000327.html

Greetings. I'm very pleased to announce a new project from PFIR - People For Internet Responsibility: "Network Neutrality Squad" - NNSquad http://www.nnsquad.org

PFIR Co-Founders Peter G. Neumann and I are joined in this announcement by Keith Dawson (Slashdot.org), David J. Farber (Carnegie Mellon University), Bob Frankston, Phil Karn (Qualcomm), David P. Reed, Paul Saffo, and Bruce Schneier (BT Counterpane).

Recent events such as Comcast's lack of candor regarding their secretive disruption of BitTorrent protocols, and Verizon's altering of domain name lookup results to favor their own advertising pages, are but tip-of-the-iceberg examples of how easily Internet operations can be altered in ways that may not be immediately obvious, but that still can have dramatic, distorting, and in some cases far-reaching negative consequences for the Internet's users.

The Network Neutrality Squad ("NNSquad") is an open-membership, open-source effort, enlisting the Internet's users to help keep the Internet's operations fair and unhindered from unreasonable restrictions. The project's focus includes detection, analysis, and incident reporting of any anticompetitive, discriminatory, or other restrictive actions on the part of Internet Service Providers (ISPs) or affiliated entities, such as the blocking or disruptive manipulation of applications, protocols, transmissions, or bandwidth; or other similar behaviors not specifically requested by their customers.

Other key aspects of the project are discussions, technology development and deployment, and associated activities — fostering cooperation and mutually agreeable methodologies whenever possible — aimed at keeping the Internet a maximally unhindered, useful, competitive, fair, and open environment for the broadest possible range of applications and services.
We invite individual, commercial, nonprofit, government, and all other Internet users and stakeholders (including ISPs) to participate in the Network Neutrality Squad. Please join the moderated mailing list (choice of immediate distribution or digest) for project announcements and discussions, by sending a message (any subject or text) to: email@example.com or by signing up at the mailing list Web page: http://lists.nnsquad.org/mailman/listinfo/nnsquad A moderated, interactive discussion and incident reporting forum is also available for more real-time communications on related topics: http://forums.pfir.org/main/messages/714/714.html Questions and comments are welcome at firstname.lastname@example.org, or feel free to contact me directly for details. Working together, we can help to keep the Internet an incredibly useful resource for everyone around the globe, unhampered by any efforts to skew its enormous capabilities in ways that could hinder the many while benefiting the relative few. We hope that you'll join this cause. Thank you for your consideration. (Affiliations shown for identification purposes only.) Lauren Weinstein http://www.pfir.org/lauren email@example.com Tel: +1 (818) 225-2800 Lauren's Blog: http://lauren.vortex.com People For Internet Responsibility - http://www.pfir.org Founder, PRIVACY Forum - http://www.vortex.com
After stealing $7,000 from a PNC Bank in Evendale, Ohio, Kenneth Maples climbed into a white Ford pickup driven by his wife, Jewell, according to a police report. ... But the suspects never had a chance. A Global Positioning System tracking device had been tucked inside the stolen cash, according to the report, allowing a small army of local police officers and F.B.I. agents to follow the signal from on-ramps and overpasses as it moved south into downtown Cincinnati. [Source: Christopher Maag, Tracking Thieves, or Teens: Technology, the Stealthy Tattletale, *The New York Times*, 27 Oct 2007; PGN-ed] http://www.nytimes.com/2007/10/27/technology/27tracking.html?ex=1351137600&en=8d6b9fafbd080801&ei=5090
The most advanced attempt at dynamic content is currently being made by Dash Navigation, whose portable GPS device not only receives positioning signals from satellites, but also collects driving speed and road data from cars that use it and anonymously report this information to a database. That data would let Dash know the actual speed at which traffic travels at different times of the day, so that it could route cars more effectively than current systems can. But for the Dash to build the database, it needs many drivers to buy the things and use them. [Source: Roy Furchgott, *The New York Times*, 24 Oct 2007; PGN-ed] http://www.nytimes.com/2007/10/24/automobiles/autospecial/24gps.html
This may be old news to some, but it was rather surprising to me, so I thought I'd pass it on...

At around 3:21pm US/Eastern on November 4, 2007, a zombie botnet began a dictionary spam attack against one of the domains I host.

*zombie botnet* --- a group of PCs that have been broken into by a hacker and turned into "zombies," i.e., PCs over which the hacker now has control, so that he can tell them to do things like send out spam on his behalf.

*dictionary spam attack* --- an attempt to deliver spam to legitimate users at a particular domain by attempting to send email to many different addresses within the domain in the hope that some of them will be valid.

I knew this was happening because the log monitor I run on my mail server began reporting many "User unknown" mail delivery failures for this domain every minute. If this had been a typical dictionary spam attack coming from a single host, it would have been quickly blocked by my fail2ban <http://www.fail2ban.org/> configuration, which temporarily bans any host which attempts a few failed SMTP deliveries within a short period of time. However, since the delivery attempts were coming from many different IP addresses all over the world, fail2ban was powerless to stop them.

When I realized what was going on, I wrote a script to block all the IP addresses from which invalid deliveries to the domain had been attempted, and I set up the script to run frequently to block any new IP addresses that turned up.

The attack continued until around midnight, i.e., for over eight hours. During that time, I saw failed delivery attempts from 3,025 different IP addresses, along with 815 delivery attempts from IP addresses that I had already blocked.

At this point, I have two outstanding questions about this attack:

1. Was it really a dictionary spam attack, or was it actually a denial-of-service attack of some sort? I consider the latter a possibility because the email addresses to which delivery was attempted during the attack simply do not look like email addresses that someone would guess if they were seriously trying to get email through to a domain. Here are some examples of the addresses that were attempted: Lundberghrpor, Lanhamypxg, zsgohuwrhykr, CLIFFORDforonda, Lange, ThreeRiojas, Witold-Johannesen, birtlesioiis, Djurkovicnyqz, NevenHeinritz.

2. Is there anything productive I can do with the list I now have of the IP addresses of over 3,000 compromised PCs? Is there a site somewhere to which I can submit the list that will notify the appropriate network service providers about compromised PCs on their networks? Is there any point in doing that? I suppose I could write a script to run "whois" on each of the IP addresses, try to parse out the contact email addresses, and send a form letter to those addresses, but (a) I don't really have the time, and (b) I believe that multiple whois queries from a single host are throttled, so it would take me an awful long time to get through them all.
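[Added example, not part of the original post and not the contributor's script: a sketch of why a per-host failure threshold misses the distributed pattern described above while a per-domain sliding window catches it. The log format, thresholds, function names and sample lines are assumptions constructed for illustration; the addresses are documentation ranges.]

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified, made-up log format (not a real MTA's output).
SAMPLE_LOG = """\
2007-11-04T15:21:07 reject from=192.0.2.10 to=<Lundberghrpor@example.org> reason="User unknown"
2007-11-04T15:21:19 reject from=198.51.100.23 to=<Lanhamypxg@example.org> reason="User unknown"
2007-11-04T15:21:40 reject from=203.0.113.5 to=<zsgohuwrhykr@example.org> reason="User unknown"
2007-11-04T15:22:02 reject from=192.0.2.77 to=<Lange@example.org> reason="User unknown"
2007-11-04T15:22:30 reject from=203.0.113.91 to=<ThreeRiojas@example.org> reason="User unknown"
2007-11-04T15:23:11 reject from=192.0.2.10 to=<birtlesioiis@example.org> reason="User unknown"
2007-11-04T15:30:00 reject from=198.51.100.200 to=<aaa@example.net> reason="User unknown"
2007-11-04T15:30:05 reject from=198.51.100.200 to=<aab@example.net> reason="User unknown"
2007-11-04T15:30:09 reject from=198.51.100.200 to=<aac@example.net> reason="User unknown"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) reject from=(?P<ip>\S+) '
    r'to=<[^@>]+@(?P<domain>[^>]+)> reason="User unknown"$'
)

def parse(lines):
    """Yield (timestamp, source_ip, recipient_domain) for unknown-user rejections."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["domain"].lower()

def analyze(lines, window=timedelta(minutes=10), per_host_limit=3,
            domain_limit=5, min_sources=4):
    """Apply a per-host ban rule and a per-domain sliding-window rule to the same log."""
    host_events = defaultdict(deque)    # ip -> timestamps still inside the window
    domain_events = defaultdict(deque)  # domain -> (timestamp, ip) inside the window
    per_host_bans, domain_alerts = set(), set()
    sources = defaultdict(set)          # domain -> every IP seen failing against it

    for ts, ip, domain in sorted(parse(lines)):
        sources[domain].add(ip)

        # Per-host rule: ban a host after per_host_limit failures inside the window.
        hq = host_events[ip]
        hq.append(ts)
        while ts - hq[0] > window:
            hq.popleft()
        if len(hq) >= per_host_limit:
            per_host_bans.add(ip)

        # Per-domain rule: many failures for one domain spread over many sources.
        dq = domain_events[domain]
        dq.append((ts, ip))
        while ts - dq[0][0] > window:
            dq.popleft()
        if len(dq) >= domain_limit and len({i for _, i in dq}) >= min_sources:
            domain_alerts.add(domain)

    return {"per_host_bans": per_host_bans, "domain_alerts": domain_alerts,
            "sources": dict(sources)}

def block_candidates(result):
    """IPs seen failing against any alerted domain, as input for a firewall script."""
    return sorted({ip for d in result["domain_alerts"] for ip in result["sources"][d]})

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG.splitlines())
    print("per-host bans:", sorted(r["per_host_bans"]))
    print("domain alerts:", sorted(r["domain_alerts"]))
    print("block candidates:", block_candidates(r))
```

[One mistyped address from a legitimate sender also lands in the candidate list, so a blocklist built this way should expire its entries.]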
Over the last few months, I've noticed an increase in unfiltered spam within my GoogleMail inbox. The spam - usually for online pharmacies - falls into two characteristics.

1) A sales pitch pointing to a Google Pages website e.g. http://12312.googlepages.com

2) A sales pitch pointing to a Google Search e.g. http://www.google.co.uk/search?q=somestring

The string that is passed to Google is usually the name of the pharmacy, ensuring that the spammer is in the top of the returned rankings. However, many spammers are using a "Googlewhack" - a unique string - to ensure that their page is the *only* one that is returned.

The risks are twofold. Google's spam filter seems to trust "Google" content disproportionately. Users may trust their search engine to provide clear and unbiased results; they may not expect that a search engine can be so easily bamboozled. http://www.google.co.uk/search?q=terence+Novarra+betavine
"Pakistan city virtually shut down after strike call. The opposition blames the government and the pro-government Muttonhead Quail Movement (MQM), which runs Karachi, for the violence." [Someone noted that MQM actually stands for "Muttahida Quami Movement".] ["This is possibly the most unfortunate spell-check blunder I've ever seen. We corrected it: GBU Editor"] [From Reuters blogs, filed by The Good, the Bad, & the Ugly Editor (GBU), 14 May 2007; PGN-ed; thanks to Charles C. Mann for spotting it.] http://blogs.reuters.com/blog/2007/05/14/muttonhead-quail/
His cellphone charger was broken, so 17-year-old Christoffer connected his phone, a Sony Ericsson k800i, via USB to his parents' computer and left it to charge overnight. A month later, he got a bill of SEK 6911 (about USD $1100). It turns out that the phone became the "default broadband" when plugged in via USB, and his long-running downloads were done over the phone instead of his broadband connection. The common price per Mbyte GPRS/UMTS data traffic is SEK 10 to 15 (about USD $1.5 to $2.3), which would correspond to about 500 Mbyte downloaded data. Christoffer claims "there was no warning to allow the phone to take over the connection. I did not even know it was possible". According to the operator Tele2, he must pay the bill even if it was a mistake. They concluded that the phone modem had been used, but could not tell how it happened. The operator was not aware of previous incidents, but claims that "there is software to link the phone to the computer and start the phone Internet function, but it's not possible for the computer to do this on its own". Original article in Swedish: http://www.aftonbladet.se/goteborg/article1141706.ab
We see reports like this twice a year, with some variation in timing because of different cut-over days in different countries. This time, Alltel — a mobile phone company — reported that some of its customers saw the time on their phones move forward an hour instead of back. http://ap.google.com/article/ALeqM5idDfj-VyOMd0rsD0UlwoSxGaIMLwD8SN4B001 Steve Bellovin, http://www.cs.columbia.edu/~smb
After reading RISKS for more than a decade, it takes *a lot* to shock me. Here's "a lot" (lightly edited for name-hiding):

Date: Sun, 04 Nov 2007 17:24:49 -0500
From: Modest Needs Technical Support <firstname.lastname@example.org>
To: Someone <email@example.com>
Subject: Re: Modest Needs - Technical

Dear Someone,

Since we only allow one account per household, we've merged everything under your partner's (Aahz) account. Please ask him/her for the login information.

I hope this helps. Please write back if you still need technical support.

Sincerely, Thierry Mellon, Chief Information Officer

Modest Needs is a charitable foundation that supplies short-term loans to people in sudden need. I've been donating to them for several years now, but given their unwillingness to use a sane security system, I shan't in the future. (We have received additional messages that communicate quite clearly that they have no intention of fixing this.)

Aside from the obvious RISKS about sharing passwords and financial information even for people who are partnered, what if Someone was just my roommate? Under what sane account-management regime do you simply merge accounts without asking permission?
The Conservative government introduced a bill on Friday aimed at fixing a glitch in the Elections Act that could have prevented up to a million rural residents from voting... The bill introduced Friday clarifies that addresses do not need to contain a street name and number. CBC News, 2 Nov 2007
Ken Knowlton's musings on real-world stress testing of in-service systems reminded me of a missed opportunity some years ago. On Sunday, May 24, 1987, in celebration of its 50th anniversary, the Golden Gate Bridge District closed down the bridge and allowed pedestrians to roam freely on the span. The District estimates that nearly 300,000 people "surged" onto the roadway. Clearly, the weight of shoulder-to-shoulder people is much more than bumper-to-bumper traffic, and on this day, the slight upward arch on the bridge's roadway actually flattened under the weight. However, engineers did not anticipate this scenario, and the bridge had not been instrumented to record the stresses encountered on this day. The Center for Design Informatics at the Harvard Design School wrote a paper evaluating the stresses, but this effort would have been surely helped by empirical data.
This argument and the similar argument regarding wifi encryption come up fairly often, which worries me because they're founded on an implicit assumption that network-specific security policies are a good idea. We have a mountain of evidence demonstrating that trusting any network is a bad idea because of rogue/unmanaged clients, malware and the difficulty of ensuring that the actual network setup faithfully conforms to policy. Things like the TJX disaster demonstrate just how costly it can be assuming that it's ever safe to use applications which depend on network-level security rather than incorporating security into the application itself. In contrast, refusing to use applications which are insecure by design is not only better from a security standpoint but also tends to be easier to use because the users don't have to learn different, network-dependent ways to work. I've been advocating the untrusted network approach for a while but I can't claim the idea is particularly novel - of particular interest might be Abe Singer's 2003 report describing the San Diego Supercomputing Center's firewall-less network: http://www.usenix.org/publications/login/2003-12/pdfs/singer.pdf
Look, I don't want to be an apologist for Mac OS X security, which I do not think is invulnerable. But this statement is kind of ridiculous. The idea that some networks are trustworthy and some aren't has been disproven time and time again over the past years. It's perfectly possible for a virus to be carried inside of a network and disseminate there, and it's happened and made news several times that I've noticed in the past couple of years. Imagine how many times it *didn't* make news, or was mentioned in passing in a story about botnets attacking from inside corporate networks, where the focus of the story, unbelievably, was not even *on* the idea that such a network had been penetrated by a virus infestation. The problem here is not that Leopard trusts all networks equally — that is appropriate, because no network is "trustworthy." The problem is that Vista lulls people into a false sense of security by suggesting that it is only when they are sitting in Starbucks that they are at risk of attack. Nothing could be further from the truth. If you examine all the machines in all the botnets in the world, the ones that were infected in Starbucks don't amount to a hill of beans...
I am a college teacher and user of Turnitin.com. I've used it for several years for term papers, and occasionally for shorter papers. I am very familiar with what teachers see when they use this product or its competitors.

> There are several problems with products of this sort:
> (1) False positives...

Turnitin.com and its various competitors do not detect plagiarism; they detect similarity of text in the student's paper to text found elsewhere: on the Web, in certain publications, and in previously-submitted papers. The teacher must then read the paper, checking for proper citation, and where appropriate, proper quotation. A teacher who does not do this is both lazy and intellectually dishonest.

It is perhaps unfortunate that Turnitin produces a "similarity score" that's expressed as a percentage of text that is similar to text found elsewhere because it can facilitate lazy and intellectually dishonest behavior by teachers. However, it does help teachers in detecting something that's bad, but not plagiarism: the cut-and-paste paper. In such a paper, everything is cited and quoted properly, it's just that none of it, with the possible exception of some glue sentences, was written by the student. The material went through the Windows clipboard and not through the student's mind; no learning took place. I tell my students that the cut-and-paste paper is not plagiarism, but neither is it evidence of learning, and the *best* grade such a paper can earn is a D-minus. (I also help them to write good papers by talking and writing about the process.)

> (2) Copyright infringement...

Bogus argument. Does the student who solves a series of math problems assigned by the teacher hold copyright in the answers? Of course not! I assign short ethics cases and the students write answers. That's more complicated because there is both a right answer and the expression of it. I'd argue that the student who gets the right answer has exhibited evidence of learning, but has not done creative work. In the case of a term paper or creative writing assignment, the student has (we hope) done some creative work, but it is generally work that would never have been done but for the assignment. It is a work made for hire, and the payment is evaluation by the teacher and a grade.

Further, Turnitin.com never "publishes" the papers that are uploaded, and publication is of the essence of copyright infringement. Teacher and student get to see the analysis, but no one else does. The only way to get to see what's in such a paper is to submit later a paper that is, at least in part, substantially identical. Those parts that are identical are called out, but what is highlighted is material in the *newly submitted* paper, not material in the stored paper. Turnitin.com does provide contact information for the teacher whose student submitted the original paper, and that teacher may then possibly release a copy if allowed by the school's policies and procedures.

I have not yet had a student object to using Turnitin.com on intellectual property grounds. If ever I do, I will ask how much money the student expects to make from the sale of the paper and whether the student would want a third party to earn a good grade by submitting a copy of the student's paper as his own. (I am aware of the court cases. A Pennsylvania court decided that caller ID was an illegal wiretap, too. This issue is not yet decided, at least in the United States.)

The real value of a service like Turnitin is not in detecting plagiarism. I can do that better than any computer system I've seen so far because I know my students' intellectual capacities and writing styles. I have, in fact, detected plagiarism not detected by Turnitin.com. The real value is in plagiarism prevention. Students do not believe that I can detect writing that's not their own. They do, however, believe that "the computer" can detect similarity with text on the Web, and the student who is tempted, but knows the paper will be submitted to Turnitin.com, is more likely to make a good decision than a bad one. While I have not done a controlled study, I have observed fewer instances of plagiarism when Turnitin.com is used in a class than when it is not, and *that* is what's valuable.
I received a similar e-mail from my wife's credit card company. In that case the links didn't match the URLs because they went through the CC's 3rd-party marketing firm. I called the CC company and said they either had lousy security or incompetent marketing, and that I would cancel the CC if I received a similar e-mail. The CC has now been canceled for that reason.
Tony Finch opines: The obvious answer is to leave UTC alone, even when it is an hour or more away from GMT. If the discrepancy becomes inconvenient for civil purposes then local time offsets can be adjusted. Local time changes do not need to be agreed globally and they do not need to be applied simultaneously around the world. Therefore no new mechanism or policy is needed to cope with a continuous UTC. Rob Seaman responds: A brief (negative) response is to consider that computer scientists have raised all this ruckus over the need to track a single list of historical leap-second events. However, leaving the question to local officials replaces that single list with hundreds, or potentially thousands, of such lists that our software systems would need to consult. Further discussion ensued and has been redirected to LEAPSECS: http://six.pairlist.net/mailman/listinfo/leapsecs Seaman also notes: Also see http://www.physorg.com/news113282110.html. The disruptions caused by unexpected Daylight Saving Time style jumps may not be the best model for establishing safe civil timekeeping practices.