In a demonstration of how a distributed denial of service attack can affect an entire nation, Estonian governmental computer systems have been under sporadic attacks this month, which later extended to newspapers, TV stations, schools, and banks in Estonia. Although many zombie systems appeared to have (presumably unsuspectingly) contributed to the attacks, Russian servers were involved, leading the Estonian government to suspect Russian complicity. The attacks intensified on 3 May (which coincided with protests in Moscow against the Estonian removal of a Soviet-era war monument) and again on 8-9 May (when Europe commemorates the end of World War II). Russia denies complicity. [Source: Steven Lee Myers, Estonia Computers Blitzed, Possibly by the Russians, *The New York Times*, 19 May 2007; PGN-ed. The *NYTimes* article notes that Estonia is "a wired country that touts its paperless government and likes to call itself E-stonia."] [Various comments I have seen suggest that this may have been intended as an exploratory effort to see how effective such attacks could be, or perhaps a warning shot across the bow, rather than as an attack per se. The lack of ability for any definitive traceback on the Internet of course complicates analysis. The entire incident of course is illustrative of the potential for widespread disruption, and is therefore a case deserving serious study.]
After spending six years in development and $8 million dollars of state taxpayers' money, the new CSTARS registration system for Colorado's Department of Motor Vehicles apparently doesn't work. And it's just one of five major state computer projects worth $325 million that have failed to meet expectations. CSTARS was contracted at $10.3M. There was ample warning. State and DMV staff said that their efforts were basically ignored by state officials and the contractor, Avanade. The state fired the subcontractor in charge of seeking their advice. Code was written before any detailed specifications. The state even suspended the development contract for a while in 2004. [Source: Ann Imse, Doesn't compute: 'It's like you were having a baby, and it turned out ugly' New system to register motor vehicles just the latest to misfire for state, *Rocky Mountain News*, 16 May 2007; Long article starkly PGN-ed, but the full text should be no surprise to RISKS readers.]
http://www.rockymountainnews.com/drmn/local/article/0,1299,DRMN_15_5538977,00.html
AP reports that Alcatel-Lucent has lost a disk containing names, addresses, SSN's, birthdates and salary data of thousands (on TV I heard 200,000) of employees, retirees and dependents [presumably including PGN and myself*]. http://www.physorg.com/news98775487.html [And numerous other RISKS readers as well! PGN]
A JUDGE stunned a court yesterday by admitting he did not know what a WEBSITE was. Judge Peter Openshaw brought a shuddering halt to the trial of three men accused of internet terror offences as a witness was being quizzed about an extremist web forum. He told shocked prosecutors at Woolwich Crown Court, South East London: ``The trouble is I don't understand the language. I don't really understand what a website is.'' [Source: Tom Wells, *The Sun*, 17 May 2007] http://www.thesun.co.uk/article/0,,2-2007220614,00.html
2900 Virginia students will have to re-take standardized tests because the computer systems failed during the testing process. There are two descriptions of what went wrong: the testing vendor "reported that there was a problem with a connection between two servers" and students' "computer screens suddenly turned blue and displayed an error message" (i.e., a BSoD). Whether this is one problem or two is unclear - but the RISKS of relying on systems that may not have been fully tested are pretty obvious. And in addition to the stress for the kids (and the time taken away from instruction when they redo the tests), there's another factor - presumably, the retest date will have to use a different test, since the students have already seen some of the questions on the first shot. "State officials said there was an unrelated computer problem with online testing last week [where] 1,300 tests were interrupted and that the students will have to be retested." The Standards of Learning (SOL) tests are how Virginia meets No Child Left Behind (NCLB). When it comes to actual learning, a more common usage for the acronym "SOL" is more appropriate, IMHO.
http://www.washingtonpost.com/wp-dyn/content/article/2007/05/15/AR2007051502060.html (free registration required)
A thread was posted to Slashdot this week, about a proposal that's been floated to leverage the magstripe on some state driver licenses to make them into a debit/credit card as well. I'm sure you can come up with some good reasons why that's RISKy, but you might be surprised to find out that quite a lot of the postings on the thread are well thought-out and quite cogent, by RISKS standards. My two favorites: 1) It's illegal to give your driver license to anyone in many states, but you might want to lend your wife or child your debit card. and 2) It used to be obvious to a robber that you had nothing worth taking, if all you were carrying was a DL. Now, though, that DL *might* be a debit card... and they'll have to take *you*, too, to have the PIN at an ATM. That latter one, to me, is enough to *outlaw* this practice, whether the vendor who's implementing it likes that or not. But what do I know...?
http://yro.slashdot.org/article.pl?sid=07/05/17/2345231

Jay R. Ashworth, Designer, Ashworth & Associates, St Petersburg FL USA +1 727 647 1274 http://baylink.pitas.com email@example.com
A friend is getting married. As many of you have, I went to the web site of the store where they registered and selected some gifts. When I checked out, I got the following (identifying and unimportant details elided.)

    SHIP TO
    ***** her ***** and ********* him ********
    YES! We have their shipping address on file.
    (... items, prices, shipping, taxes, and total ...)
    CARRIER : UPS
    TRACKING NUMBER : 1Z1V0*************

Although once upon a time, stores did list shipping address, they don't now, probably for privacy. However, when I later looked up the tracking number, UPS provided quite a few details about where the package went. I got a chuckle to think I could "buy" addresses for only a two dollar butter knife, plus shipping and handling.
With regard to Jim Horning's issues with Internet Explorer 7, may I point out that Opera and Firefox have had tabbed browsing for quite some time, seem to have worked most of the kinks out, and do at least allow typing at more than 10words/min.
The last time I encountered this problem was about 25 years ago with an accounts package running on a Commodore PET where you had to type the account code fairly slowly in order for the CPU to keep up. The CPU in question was a 1MHz eight bit processor, the 6502, with 96 KB of RAM: so your Pentium is around 3,400 times faster, with over 10,000 times as much memory ... and four times as many bits! "The most amazing achievement of the computer software industry is its continuing cancellation of the steady and staggering gains made by the computer hardware industry..."-- Henry Petroski firstname.lastname@example.org http://www.cse.dmu.ac.uk/~mward/ G.K.Chesterton web site: http://www.cse.dmu.ac.uk/~mward/gkc/
Just recently, as a passenger, I was introduced to the wonders of a satellite navigation system. I was quite delighted with the delicacy and precision of its micro-management as we exited a residential neighborhood, and eventually got out into the bustling world. I could so easily have been lulled into "leaving the driving" to that gentle but assertive guardian angel. But ...

"stay in the left lane" (just do it)
"turn left in 500 yards" (slow down a bit now)
"turn left in 200 yards" (really slow down now)
"turn left" (this is it, TURN LEFT!)

Whoops! It's heavy traffic both ways, and NO-TURNS here except by a jug handle. No, we didn't turn and, perhaps fortunately, hadn't even slowed down. The disembodied voice immediately noticed, forgave our disobedience and, thinking aloud but clearly unperturbed, intoned "course re-computation" ... I cannot begin to enumerate the RISKS.
This has nothing to do with sat-navs, and everything to do with driver stupidity.

*The Western Telegraph* has an article on the incident, with a high resolution photograph showing all the road signs on the approach to the crossing:
http://www.westerntelegraph.co.uk/display.var.1224413.0.0.php
http://www.westerntelegraph.co.uk/_images/db/42/91/LEVELCROSSING1.429125.full.jpg

Not quite fully visible in the photograph is a sign that reads:
* Check that green light shows
* Open *both* gates
* Check that green light *still* shows
* Cross *quickly*
* Close both gates
http://www.rail-reg.gov.uk/upload/pdf/rspg-2e-levxngs.pdf (Page 66)

Here is the section of the Highway Code dealing with level crossings:
http://www.highwaycode.gov.uk/26.htm#265
Some crossings have 'Stop' signs and small red and green lights. You MUST NOT cross when the red light is showing, only cross if the green light is on. If crossing with a vehicle, you should
* open the gates or barriers on both sides of the crossing
* check that the green light is still on and cross quickly
* close the gates or barriers when you are clear of the crossing.
Note the explicit mention of "both sides of the crossing".

Here is the sign for a level crossing, clearly visible in the picture in the Western Telegraph report.
http://www.highwaycode.gov.uk/signs05.htm
http://www.highwaycode.gov.uk/sign117.htm
The upper sign is "risk of grounding":
http://www.highwaycode.gov.uk/sign115.htm

Knowledge of the highway code is required of all drivers, and a written examination on it is part of the UK driving test.

Alan J. Wylie http://www.wylie.me.uk/

* * * *

Note added Wed, 16 May 2007 18:23:40 +0100

A discussion in the newsgroup uk.railway has revealed further interesting information. See the thread following on from the posting Message-ID: <SOETzQo61GSGFAAb@perry.co.uk>
<http://groups.google.co.uk/group/uk.railway/msg/ec4b544a942994a0>

1) The picture in the Western Telegraph is not the view that the driver saw - she was heading north. Images of this are at http://www.wjm.clara.net/ffynnongain/ The separation between the level crossing sign and the crossing itself is much more than it appears in the long focal length shot in the Western Telegraph.

2) The official UK government document <http://www.rail-reg.gov.uk/upload/pdf/rspg-2e-levxngs.pdf> describes this type of crossing as a "User Worked Crossing" and states "129. This type of crossing is only applicable where the railway crosses a private road". The crossing is at the centre of this map:
<http://getamap.ordnancesurvey.co.uk/getamap/frames.htm?mapAction=gaz&gazName=g&gazString=SN264175>
On the map the road does not appear to be private, and posters to the newsgroup who have visited the area state that they think it is a normal public highway.

3) Heading west along the A40, and then at St. Clears turning off it to head north-west to Hebron, there is a complicated limited access junction, which requires a driver to go almost 360 degrees round a roundabout and head back the way they had come to join the "B" road which is the obvious route, rather than the unclassified road on which the incident occurred.
<http://getamap.ordnancesurvey.co.uk/getamap/frames.htm?mapAction=gaz&gazName=g&gazString=SN274160>
This may have confused the Sat-Nav system.
There have been two recent letters to Risks (http://catless.ncl.ac.uk/Risks/24.66.html#subj16.1 being the most recent) complaining about how Microsoft implements DST and saying, as if it is obvious, that Microsoft is wrong ("fundamentally broken" was one quote). They don't, however, waste any time exploring the alternatives and their problems.

As Nick Bender says, when you change to daylight savings time then Windows displays all of your file timestamps using daylight savings time, even those that were created outside of daylight savings time. This is a good thing, for many reasons:

If you create a file, and then an hour later create another file then Windows will show their time stamps as being an hour apart, always. If the 'current wall clock time when they were created' is used instead then these two files might have times that are an hour apart, or they might have times that are two hours apart (in the spring) or they might both have the same time stamp (in the fall)!

In order to display these times unambiguously you would need to display the time-zone, so that instead of:

    readme.txt 5:00 pm

you would need:

    readme.txt 5:00 pm EDT

Even if Windows did this, all is not happy and consistent. If I am in Seattle and I create a file at 5:00 pm then it will show a timestamp of 8:00 pm when I am in New York. According to the ambitious 'show creation time' strategy this file should show 5:00 pm PST (or PDT) as its creation time. That sounds nice, but not very likely, and without that the proposed 'solution' seems incomplete.

Another problem is that daylight savings time rules vary by year and by location. The UK started daylight savings time two weeks after the US. Some states within the US don't use daylight savings time. Some countries (crazy Australians) use daylight savings time during what we call winter! So how, I want to know, is Windows supposed to know whether daylight savings time was in effect when a file was created? Unless it records that fact at creation time then it cannot display the 'local creation time'. Recording the local time zone at creation time is not possible for a host of compatibility reasons.

The Win32 rules are not perfect for all cases, but they make perfect sense in many contexts. Changing this behavior, in addition to the backwards compatibility implications, would just trade one set of problems for another. Raymond Chen covered this in his blog in October 2003, where he also points out that .NET does it differently.
http://blogs.msdn.com/oldnewthing/archive/2003/10/24/55413.aspx
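The two display strategies the post contrasts, worked through on stored UTC timestamps, as an added example that is not part of the original post. It assumes US Eastern time under the 2007 DST rule and models only that zone; the sample timestamps are constructed.

```python
from datetime import datetime, timedelta

# Assumed example zone: US Eastern under the post-2007 DST rule
# (DST from the second Sunday of March, 02:00 local, to the first
# Sunday of November, 02:00 local). Only this zone is modelled.
STANDARD_OFFSET = timedelta(hours=-5)  # EST
DAYLIGHT_OFFSET = timedelta(hours=-4)  # EDT

def _nth_sunday(year, month, n):
    first = datetime(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(days=7 * (n - 1))

def dst_in_effect(utc):
    """True if Eastern DST applied at this (naive) UTC instant."""
    start = _nth_sunday(utc.year, 3, 2).replace(hour=2) - STANDARD_OFFSET  # 07:00 UTC
    end = _nth_sunday(utc.year, 11, 1).replace(hour=2) - DAYLIGHT_OFFSET   # 06:00 UTC
    return start <= utc < end

def historical_local(utc):
    """'Local time when the file was created': use the offset that applied then."""
    return utc + (DAYLIGHT_OFFSET if dst_in_effect(utc) else STANDARD_OFFSET)

def win32_style_local(utc, now_utc):
    """The Win32 behaviour the post describes: apply today's offset to every stamp."""
    return utc + (DAYLIGHT_OFFSET if dst_in_effect(now_utc) else STANDARD_OFFSET)

def shown(utc_tuple, now_tuple):
    """Wall-clock strings (historical, win32) for one stored UTC timestamp."""
    utc, now = datetime(*utc_tuple), datetime(*now_tuple)
    return (historical_local(utc).strftime("%H:%M"),
            win32_style_local(utc, now).strftime("%H:%M"))

def gap_hours(a_tuple, b_tuple, now_tuple):
    """Hours between two displayed timestamps under each strategy."""
    a, b, now = (datetime(*t) for t in (a_tuple, b_tuple, now_tuple))
    hist = (historical_local(b) - historical_local(a)).total_seconds() / 3600
    win = (win32_style_local(b, now) - win32_style_local(a, now)).total_seconds() / 3600
    return {"historical": hist, "win32": win}

if __name__ == "__main__":
    # Constructed stored (UTC) timestamps: two files written one real hour apart
    # across the 2007 spring-forward, then two across the fall-back.
    print(gap_hours((2007, 3, 11, 6, 30), (2007, 3, 11, 7, 30), (2007, 6, 1, 12, 0)))
    print(gap_hours((2007, 11, 4, 5, 30), (2007, 11, 4, 6, 30), (2007, 12, 1, 12, 0)))
    # readme.txt written at 5:00 pm EST in January, viewed in June vs. in January
    print(shown((2007, 1, 15, 22, 0), (2007, 6, 1, 12, 0)))
    print(shown((2007, 1, 15, 22, 0), (2007, 1, 16, 12, 0)))
```

The win32 strategy keeps the two files one hour apart in both seasons, while the historical strategy shows them two hours apart in spring and identical in the fall; the January file shifts from 17:00 to 18:00 once DST is in effect.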
Nick Bender <email@example.com> wrote:
>
> I cannot say for certain not having looked at the code but I can only assume
> that products such as Outlook/Exchange which do calendaring which must be
> correct across time changes have entire libraries of code to deal with this
> issue outside of the standard Windows system libraries. Maybe someone who
> knows can enlighten the rest of us....

The process that sysadmins managing Exchange servers had to go through to deal with the US DST rule change was astonishing. It revealed a catastrophically wrong-headed database design. All the data in the Exchange database had to be scanned and re-written to fix incorrect timezone offsets stored in appointments that were to happen in the period between the new and old offset changes. Utterly brain-damaged.
http://support.microsoft.com/?kbid=930879
(Spyker, RISKS-24.66)
> ... as no doubt it would break a few thousand apps.

It would break absolutely nothing, since apps get their time from the operating system, not from the BIOS RTC (which they cannot access anyway; attempting to do so would trigger a general protection fault). The only issue would be having to set your clock when upgrading from a Windows version that uses local time to one that uses UTC.
> Remember last week's kerfuffle over whether the movie industry could own
> random 128-bit numbers? (If not, here's some background: 1, 2, 3)

Yes, that certainly is some useful background there. Just think, only 340,282,366,920,938,463,463,374,607,431,768,211,453 more terms in the series, and we start getting to 128-bit numbers! But what I really want to know is, which one is now claiming ownership of 1, 2, and 3 -- Ed Felten or Monty Solomon?

Mark Brader, Toronto, firstname.lastname@example.org

[Oh yeah: ROTFL! Risks of copying from a web browser, I suppose. Those were actually supposed to be links, of course -- to these pages by the same author:
http://www.freedom-to-tinker.com/?p=1152
http://www.freedom-to-tinker.com/?p=1153
http://www.freedom-to-tinker.com/?p=1154
MB]
Top 5 Reasons to Attend the 2007 USENIX Annual Technical Conference
June 17-22, 2007, Santa Clara, CA
http://www.usenix.org/usenix07/progb

USENIX '07 offers a cost-effective, one-stop shop for the latest in IT training, break-throughs, and systems research. Check out the top 5 reasons to join us in Santa Clara, CA, June 17-22, 2007:

1. Top-notch training: Highly respected experts provide you with new information and skills you can take back to work tomorrow. Topics include:
-- Richard Bejtlich on TCP/IP Weapons School, Layers 2-3
-- Peter Baer Galvin on Solaris 10 Security Features
-- AEleen Frisch on Administering Linux in Production Environments
-- Steve VanDevender on High-Capacity Email System Design
To view the entire training program, see: http://www.usenix.org/events/usenix07/training

2. Invited Talks that feature industry luminaries discussing timely and important topics, such as:
-- Keynote Address by Mendel Rosenblum of Stanford University, "The Impact of Virtualization on Computing Systems,"
-- Plenary Closing by Mary Lou Jepsen, One Laptop per Child, "Crossing the Digital Divide: The Latest Efforts from One Laptop per Child"
-- Rob Lanphier, Linden Lab, "Second Life"
http://www.usenix.org/usenix07/ITs

3. You'll see it here first:
-- The latest developments in cutting-edge systems research in the Refereed Papers track. http://www.usenix.org/events/usenix07/tech
-- An introduction to interesting new or ongoing work at the Poster Session. http://www.usenix.org/events/usenix07/activities.html#poster

4. Answers to your toughest questions:
-- Guru Is In sessions feature experts who come prepared to respond to your most burning technical questions on hot topics. The full list of topics will be announced soon! http://www.usenix.org/events/usenix07/tech

5. The chance to mingle with industry leaders:
-- Evening events such as the Birds-of-a-Feather (BoF) sessions offer additional opportunities to network with peers to gain that all-important "insider" IT knowledge. http://www.usenix.org/events/usenix07/bofs.html

And that's just the beginning. Visit http://www.usenix.org/usenix06/progb to see the full list of offerings.

Don't forget:
-- Register at the headquarters hotel by May 29, 2007, to receive the discounted hotel room rate: http://www.usenix.org/events/usenix07/hotel.html
-- Register by June 1 and save up to $300! http://www.usenix.org/events/usenix07/registration
-- Take advantage of the multiple employee discount for groups sending 5 or more: http://www.usenix.org/events/usenix07/registration/#multi

2007 USENIX Annual Technical Conference
June 17-22, 2007, Santa Clara, CA
http://www.usenix.org/usenix07/progb
Early Bird Registration Deadline: June 1, 2007