[Thanks to Marcus H. Sachs for this one.] August 11, 2006 President George W. Bush The Western White House Crawford, TX 76638 Mr. President, I write with deep concern over the lack of attention your Administration continues to demonstrate for computer and cyber security in the federal government. Repeated failures at numerous government agencies have caused the disclosure of the personal or medical information of government employees, members of the military, veterans, and ordinary Americans. Your Administration has not seen fit to respond, however, and for the last year the position of Assistant Secretary of Homeland Security for Cyber Security has remained vacant. In fact, the previous official in charge of cyber security resigned in protest due to your Administration's persistent failure to attend to this critical security issue. Shockingly, the acting Assistant Secretary has been a lawyer with no background in computer security who has questionable business ties to institutions that do business with the office he is supposed to manage. Yesterday, the Department of Transportation reported that a laptop containing the personal information of approximately 133,000 drivers and pilots has gone missing. Three days ago, the Department of Veterans Affairs reported that it had lost a computer with the personal information of as many as 38,000 veterans. These disclosures come on the heels of previous failures at the VA that put the information of 26.5 million active duty, reserve, and retired military at risk. Over the course of your Administration, similarly grievous cyber security failures have occurred at the State Department, the FBI, the Energy Department, the Agriculture Department, the Federal Trade Commission, the Department of Health and Human Services, the Department of Defense, with our military in Afghanistan, and in the United States Navy. This level of insecurity is unacceptable, and your Administration's repeated failure to correct the problem must cease. To that end: * 1. Why has the position of assistant secretary of homeland security for cyber security not been filled, and what steps are you taking to ensure that it will be appropriately staffed at the soonest possible time? * 2. What administration-wide reviews are you undertaking and administration-wide guidelines are you instituting to ensure these repeated failures do not continue? * 3. What studies have you directed your administration to undertake to ensure that all previous data disclosures and security breaches are accounted for, and that the damage caused by each is minimized? As we approach the fifth anniversary of September 11th, 2001, it is critical that the American people trust that their government is taking every possible step to protect them. Given the continued threat of al Qaeda and international terrorism and the volume of important personal and other information held by the federal government, your administration's cavalier attitude toward cyber security cannot continue. The security of the American people demands a new direction. I hope you will direct your administration to answer these questions quickly and thoroughly, and will give the security of American people the attention it deserves. Sincerely, Harry Reid Senate Democratic Leader [This really *should* be a nonpartisan issue. Perhaps there is a similar message from a Republican? PGN]
[ Please distribute widely, as considered appropriate ] I'm conducting a little unscientific survey on whether or not airline passengers are willing to place their expensive or important electronic equipment in airline checked baggage (whether "locked" or not, but on most flights unlocked will be required), and how this would affect their flying patterns. With the above as preface, there are three questions: 1) Are you willing to place all of your significant electronic equipment (including laptop or other computers, cellphones, DVD players, iPods, etc.) in checked baggage for airline flights? 2) If you are required to place such electronic equipment in checked baggage, would it have a significant negative impact on your willingness to fly? 3) Do you mainly fly for business or pleasure? I will only publish aggregated statistics from this survey, unless individual persons specifically note that their responses may be released publicly. To participate in the survey, please e-mail a note (or simply forward this message) with your responses to: email@example.com Only a one word reply is necessary to each of the questions unless you wish to add comments, which are invited. Thanks very much. Lauren Weinstein firstname.lastname@example.org or email@example.com Tel: +1 (818) 225-2800 http://www.pfir.org/lauren Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org Co-Founder, IOIC - International Open Internet Coalition - http://www.ioic.net Moderator, PRIVACY Forum - http://www.vortex.com Member, ACM Committee on Computers and Public Policy Lauren's Blog: http://lauren.vortex.com DayThink: http://daythink.vortex.com
A major study lists confusion over names and wrong doses among the mistakes, and urges more use of computers in prescribing drugs. At least 1.5 million Americans are injured or killed every year by medication errors at a direct cost of billions of dollars, according to a report issued Thursday by the prestigious Institute of Medicine in Washington, D.C. For hospitalized patients, the report said that on average, one medication error per day was caused by confusion in drug names, wrong doses, failure to deliver drugs or a host of other problems. The study is a follow-up to a 1999 report from the institute, which is part of the National Academies, that outlined all medical errors and claimed that as many as 98,000 people were killed each year as a result of medical errors -- 7,000 of them as a result of medication errors. The study lays out a detailed series of recommendations for new procedures and research to minimize the risk of future medication errors, emphasizing computerization of prescribing and administering drugs and data acquisition. [Source: Medication Errors Hazardous to Your Health, Thomas H. Maugh II, *Los Angeles Times*, 21 Jul 2006; PGN-ed, tnx to Lauren Weinstein] http://www.latimes.com/features/health/la-sci-drugs21jul21,0,5771929.story?coll=la-home-health
According to http://www.bof.nl/nieuwsbrief/nieuwsbrief_2006_16.html (in Dutch) Vrije Universiteit in Amsterdam, The Netherlands, has developed a prototype of a device capable to: - Detect all RFID chips and scanners in its neighbourhood; - Keep an inventory of all RFID chips you carry on your person, and alert you to new additions to the "inventory"; - Block the reading of any RFID you carry; - Spoof a given RFID. More details at http://www.rfidguardian.org/ (in English)
Ladies and Gentlemen, Boys and Girls: Web site privacy issues in general, and search engine privacy concerns in particular, are turning into a three-ring circus of ironies. I discuss these issues until I'm figuratively blue in the face and yet it's deja vu over and over again. The article referenced below in fact failed to mention the key aspect of the search engine data situation that makes this all so bizarre. We have Rep. Markey, et al., pushing data destruction laws in the wake of DOJ's push (in support of their Child Online Protection Act case) to get Google's query data — which Google wisely resisted, though ultimately they had to turn some of that data over to DOJ. I do agree with some observers who feel that Markey's proposal is so encompassing that it remains unlikely to ever become law — I'd much prefer to see more highly targeted and focused legislation. But meanwhile, as some of us had been predicting for ages, DOJ/Gonzales are out there pushing for broad Web site data *retention* laws — ostensibly (do we see a pattern emerging?) using child abuse investigations as the hook. Gang, we can't have it both ways in any kind of simplistic scenario. The simple choices are (1) Burn the data to prevent abuse — and also prevent any other non-abusive uses of that data, or (2) Retain the data, along with major internal and external abuse potentials. The simplistic scenarios are each highly problematic. We need to advance these issues in more sophisticated directions. The only research and policy paths I see that could possibly lead toward better outcomes in this area are being largely ignored by the major players, so we have this repeating cycle of events and reactions banging back and forth. A few months ago, in: "An Open Letter to Google: Concepts for a Google Privacy Initiative" ( http://www.vortex.com/google-privacy-initiative ) I set forth a proposal urging Google, as the global search leader, to apply its formidable resources toward advancing these issues — both for Google's own benefit and ultimately for the benefit of the entire global community. In light of the whole series of recent events relating to the Web site data retention/destruction sphere, I assert that such efforts are needed now, on a priority basis. As I've noted previously, we must demand that our data be protected. Accomplishing this properly requires serious thinking, hard work, and in the real world more than a little compromise. We need to develop effective and reasonable technology and policy paths toward management of the vast amounts of personally-related data that Web sites are collecting. AOL's search query data screw-up is bad enough, but it's only a drop in the bucket compared with the sorts of abuses and problems that could take place if we don't move forward appropriately. We can be enriched by data, or we can be enslaved by it. The choice remains ours. Lauren Weinstein +1 (818) 225-2800 http://www.pfir.org/lauren Lauren's Blog: http://lauren.vortex.com DayThink: http://daythink.vortex.com
[My web provider has reassured me that the LA power outages are no risk:] World class first tier facility, two redundant grid hookups, backup battery array with two separate sets of diesel generators. Trucks full of diesel are on standby and the datacenter is run on each for 12 hours each month to make sure everything is working as it should. There's more: 24/7 armed security on premises, perimeter badge required + biometric hand scanners at the steel doors to each suite, locked cages in each suite and video cameras recording throughout with video archived for 30 days. You can't even get into the front door of the building without clearance and ID which is logged. Very early smoke detection systems as well as privately lit fiber directly into the meet me room at One Wilshire (over 200 of the worlds first tier providers connect to each other in that room). This is *very* expensive space... even the power comes at a pretty penny since it is fully backed up power not just plain municipal. This is something I rail about constantly because there is no shortgage of competition out there on municipal power with a single homed local loop into an office somewhere who can obviously beat me on price because they don't have any of this. And explaining all of this to people is seemingly impossible sometimes. In short: at least for now, we're good. :-) You're right though the AC units are wreaking havoc here right now - it got up to 90 degrees Fahrenheit!! Us Southern Californians can't handle that any more than we can handle half an inch of rain! The AC units are flying off the shelves. It's a feeding frenzy! ;-)" Dan Jacobson wrote: > News has it that there are LA power outages. > Certainly you have prepared bicycle and rodent wheel generators? > "Global warming kills information age."
Last night at around 2:15am (yup, everyone's just leaving the bars) my area had a widespread power failure when someone wrapped themselves around a main distribution line power pole (this is a Friday and Saturday night tradition of course). While LADWP started on it pretty quickly, power was not restored for around seven hours. That long an outage is enough to expose one of the serious weak points in our telecom networks — remotely situated batteries. They don't last very long without external charging power, and we already know that microcell sites tend to go down quickly for this reason when power fails. Early this morning when I started walking the area to see the effects, I quickly found an unmarked white bucket truck with engine running, parked at a nearby corner, with an orange extension cord running from its open hood to the open cable backup power box on the nearby pole, containing what looked like about three gel cells. When I went over and talked to the friendly cable guy splicing wires on the back of his truck, he told me that he wasn't even trying to charge the batteries, all he could do was try to keep the system running from his truck until power was restored. Cable modems? Cable VoIP? Our whole world of modern cable telecom, dependent on a guy with an extension cord and an old bucket truck. I found it rather amusing, in a "sad commentary" sort of way. +1 (818) 225-2800 http://www.pfir.org/lauren Lauren's Blog: http://lauren.vortex.com DayThink: http://daythink.vortex.com
http://daily.stanford.edu/article/2006/8/10/thievesPhishForStudents A CompUSA survey of US college students * 88% keep on their computer desk tops and laptops the kind of info that could get their identity stolen if that computer was stolen or broken into * 41% ignorant of the concept of phishing * 21% had been tempted to give personal private info to web sites where they unsure of the security or of the source of the request for their personal data * 9% had already responded to phishing e-mails There was an incident with Stanford's Axess system, where a student's account was cracked, then someone else opened credit in the student's name, intercepting that student's money. That case has been solved. > Increased cases of identity theft have led the Office of the Inspector > General at the U.S. Department of Education to establish a Web site, > www.ed.gov/misused, dedicated to informing students and parents about > identity theft. Victims of identity theft can contact the Office of the > Inspector General's Identity Theft hotline at 1-800-MIS-USED. > Additionally, the Stanford Residential Computing Security Web site is > available at http://rescomp.stanford.edu/info/security Should students have billing sent home, rather than to a school address whose mail system may be less secure? Are cell phones locked up when not being used? How often do you change passwords, PIN#s? Do you know how your financial institutions contact you, so you can recognize a fraudulent contact? Do you know which institutions are brain dead on security, so you should avoid doing business with them at all? http://daily.stanford.edu/article/2006/8/10/thievesPhishForStudents
http://www.thisismoney.co.uk/news/article.html?in_article_id=411576&in_page_id=2 Millions of customers, with one of Britain's biggest banks, exposed to on-line attack. The bank says the loophole can only be exploited by sophisticated attackers, while critics talk about how easy it is for troublemakers to get at the tools to do so. This incident also illustrates a problem in ethics for computer security researchers. If you find a flaw, who should you report it to? * The institution with the flaw * Law enforcement * Only those who subscribe to your service * Publish some research document * The general news media If you report it to the institution and to law enforcement, and they do not seem to take you seriously, you also have a responsibility to the potential victims NOT to be telling the news media, who in turn also guide cyber criminals to exploit the flaw. If this is not easy for people to understand, put it in terrorist terms ... you observe a flaw at an airport, in other transportation, that a terrorist could exploit to kill a staggering number of people. You tell the authorities and they ignore you. If you tell the news media, you may be giving ideas to criminals that they might not otherwise have figured out on their own.
With regards to the IBM 1620 - Loughbourough University (UK) had one in the late 1960s / early 1970s - and it was my very first introduction to a real computer - a step up from the electrical mechanical adding up machines we had to use in the Numerical Analysis course. For my fourth year final computer project I had written a sophisticated program in Fortran 2D on hundreds of punched cards that plotted the contours of 3D graphs of complex mathematical functions. An early fractal program I guess. The IBM line printer used was exactly that with 200+ metal disks with the printing characters on 'teeth' around the edges. They all spun round to print an entire line at once - the whirring and clunking noise was horrendous. Anyway in on graduation day my parents, assorted relatives and my younger brother (then aged 11) attended my degree ceremony. Afterwards, during a tour of the campus, I tried to demonstrate my 'fractal' program that I'd spent many weeks preparing. It didn't work. It wouldn't even compile. It misread almost every card with a syntax error - which was labouriously output on the operator's old-fashioned typewriter a character at a time. It was only a few years ago that my uncle told me that whilst my back was turned my dear brother had shuffled some of the cards to see what would happen. Of course the cards weren't numbered so re-ordering them wasn't an option at the time. The risk: never let anyone near your stack of punched cards - especially inquisitive brothers. P.S. My brother is now a famous computer graphics visualiser / illustrator for clients designing new buildings and landscapes. Now he has more laptops than I have.
BKFRSPLI.RVW 20060710 "Frauds, Spies, and Lies", Fred Cohen, 2005, 1-878109-36-7, U$29.95/C$33.45 %A Fred Cohen Fred.Cohen@all.net %C 572 Leona Dr, Livermore, CA 94550 %D 2005 %G 1-878109-36-7 %I Fred Cohen and Associates %O U$29.95/C$33.45 925-454-0171 %O http://www.amazon.com/exec/obidos/ASIN/1878109367/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1878109367/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1878109367/robsladesin03-20 %O Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation) %P 234 p. %T "Frauds, Spies, and Lies: and How to Defeat Them" Over the years, lots of books have promised to teach us how to deal with social engineering, fraudulent practices, con jobs, deceit, and just plain old lies. There are the pedestrian warnings that it is dangerous out there, such as Barrett's "Bandits on the Information Superhighway" (cf. BKBOTISH.RVW). Or Mintz' listing of nasty Websites in "Web of Deception" (cf. BKWBDCPT.RVW). Or the repetitive recounting of confidence games in Mitnick and Simon's "The Art of Deception" (cf. BKARTDCP.RVW). Generally these works retail similar stories, with little variation and even less analysis. Cohen's slim volume is a bit different. Chapter one is a brief introduction to the structure of the book. Chapter two defines frauds, and then lists a huge series of variations on the theme. Many books that deal with the topic provide examples, but this exhausting (and nearly exhaustive) catalogue, even with minimal analysis, allows the reader to begin to see patterns and thus furnishes a useful alert for awareness of the issues, regardless of the student's background. (Fred, I wonder if you are entirely correct about 419 frauds.) The topic of deception, in chapter three, deals first with how we think, and what analytical mistakes we are likely to make. This preparation is augmented by examples of how fraudsters and confidence tricksters can use these errors. (An interesting addition is a section dealing with self-deception, in regard to the justifications scammers use.) Cohen's wit and humour are used to good effect in pointing out the absurdities of some of our thinking patterns. Most "spying" is not James Bond derring-do, and chapter four outlines the means that "HUMINT" (human intelligence) specialists use to obtain information, mostly in normal conversation. This material would be very useful in creating security awareness courses dealing with social engineering. Defence and counterintelligence is covered in chapter five. Chapter six leans more towards the countering of various types of frauds. This is not your normal security book, but then typical security works have had remarkably little success in addressing this particular topic. Security professionals will find little new in these pages, but the aggregation of the variant frauds is, itself, useful. Certainly no specialized background is needed to approach the text: anyone can pick it up and get a good deal of useful security awareness from a perusal of chapter two alone. The size of the work should not be daunting for anyone, and the content is quite readable. (I must note that the typography and formatting creates a bit of a problem: the lack of "white space" can sometimes make section changes a bit hard to follow, despite the careful and clear numbering of sections and subsections.) I'd recommend this book, particularly as bedtime reading for any security professional, and for those involved with security awareness programs. However, it should have a broader readership: any reasonably intelligent person will find something useful and helpful for building a safer and enlightened attitude to the dangers of this complex world. copyright Robert M. Slade, 2006 BKFRSPLI.RVW 20060710 firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev/rms.htm
Please report problems with the web pages to the maintainer