At 1:49pm on 24 Jul 2007, 365 Main's San Francisco data center experienced a power surge when transformer breakers opened unexpectedly. Three of the ten backup generators failed to start, resulting in the loss of 40% of the customers. Attempts to close the breakers caused voltage fluctuations in PG&E's Martin Substation in Daly City. That resulted in a transformer failing in a manhole under 560 Mission Street. Between 30- and 50-thousand customers were out, in some cases up to two hours. The final incident FAQ, with an introduction by Christopher M. Dolan, President and CEO, 365 Main Inc., is online, and worth reading. http://www.365main.com/status_update.html There is also an article in the San Francisco Chronicle that appeared online that evening. (Valleywag renamed the datacenter "364.98 Main".)
US-VISIT (allocated $1.7 billion since 2002), the U.S. government's main border control system, is plagued by computer security weaknesses, increasing the risk of computer attacks, data thefts, and manipulation of millions of identity records including passport, visa and Social Security numbers and the world's largest fingerprint database. A GAO report said "Weaknesses existed in all control areas and computing device types reviewed." US-VISIT has compiled digital facial images and fingerprints of 90 million individuals and is used to vet 54 million border crossings each year. But Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the government has not taken adequate steps to safeguard the privacy of millions of people whose citizenship, immigration, law enforcement and national security records are used in the customs checks. [Border Computers Vulnerable to Attack: GAO Report Details Problems in System, Spencer S. Hsu, *The Washington Post*, 3 Aug 2007, A02; PGN-ed] http://www.washingtonpost.com/wp-dyn/content/article/2007/08/02/AR2007080202260.html
So there was I thinking "Tsk. Can't even build bridges properly!" and recalling Tacoma Narrows, the Hyatt Regency walkway, etc. Then I recalled a few UK disasters: Aberfan: Although the Coal Board (R.I.P.) had understood for years that spoil tips from coal mines could slip downwards and outwards catastrophically when wetted by rain, it took the deaths of around 70 Welsh schoolchildren to force action. Ronan Point: No tie-bars in a tower block. A relatively small gas explosion in one flat blew out the walls and one whole corner of the block collapsed like a stack of cards. Box Girder Bridges: Major problem for years with a cheap prefabricated method of constructing motorway bridges. The "wobbly" Millennium Bridge: Well, I belong to a small but irritating minority that thinks it was more fun when it wobbled. No doubt UK readers will be able to provide details of these and think of many more. BTW (slightly related to PGN's mixed metaphor): Does anyone recall a demonstration by the Animal Liberation Front at which one of the banners read: "Free Schroedinger's Cat"? BTW (even less related, but a variation on proverbs and metaphors): Dorothy Parker, when asked to demonstrate the use of the word "horticulture", came up with: "You can take a horticulture, but you can't make her think". Peter Mellor; Mobile: 07914 045072; email: MellorPeter@aol.com Telephone and Fax: +44 (0)20 8459 7669
I decided to look up some numbers to see how close the I-35W bridge disaster is to the 1:16 ratio in the adage about ounces and pounds. For good measure, I did some unit conversions to bring numbers in the millions and billions down to small ones that people find easy to visualize. This is all approximate to get the right order of magnitudes, based on news reports that you can find through Google, so I'm not including links. Congress allocated $250 million to Minnesota for emergency repairs of the bridge. Other news reports quote an estimate of what would be needed to repair failing bridge infrastructure in the US of over $9 billion per year for 20 years, based on a figure of $188 billion total required to repair the estimated 73,533 "structurally deficient" bridges in the country. That comes out to an average of about $2.5 million per bridge in repair costs. Currently only $2 billion per year is being spent on such repairs. On a separate topic, the Congressional Budget Office said that the Iraq war has cost about $500 billion so far, or about $10 billion/month or $4000/second. So it would have cost a little over 10 minutes of Iraq war expenditures to have repaired the I-35W bridge before it collapsed, and now it will cost about 100 bridges worth of preventative maintenance to repair this one bridge after the fact. That doesn't add in the cost of loss of life, injuries and their aftermaths, destroyed cars, and the economic effect of the disruption to traffic with a major urban bridge down.
Quoting from Department of Homeland Security, SECURITY IN THE SOFTWARE LIFECYCLE: Making Software Development Processes — and Software Produced by Them — More Secure, DRAFT Version 1.2 - August 2006, which in turn quotes from Dr. Nancy Leveson, A Systems-Theoretic Approach to Safety in Software-Intensive Systems, *IEEE Transactions on Dependable and Secure Computing*, Vol. 1 No. 1, January-March 2004.

The assumption for almost all causal analysis for engineered systems today is a model of accidents (the safety corollary of security compromises) that assumes they result from a chain of failures and human errors. From an observed error, the analysis backward through the chain eventually stops at an event that is designated as the cause. A root cause selected from the chain of events usually has one or more of the following characteristics:
1. It represents a type of event that is familiar and thus easily acceptable as an explanation for the accident.
2. It is a deviation from a standard.
3. It is the first event in the backward chain for which a *cure* is known.
4. It is politically acceptable as the identified cause.
http://blogs.technet.com/neilcar/archive/2007/06/28/arp-cache-poisoning-incident.aspx Neil Carpenter, a Microsoft Escalation engineer on the PSS Security Support team, has a retrospective on his blog on an ARP-cache poisoning incident he was involved in analyzing. In this case, the attacker used an ARP-cache-poisoning transparent HTTP proxy to intercept all HTTP requests and inject a piece of malicious attack code in a 0-size iframe. Any vulnerable browser on the local network would quickly find itself infected with the malicious code. The interesting thing was the automation: the automated tool, once installed on a victim, served to attack all the other systems. Also, the trick of looking at the MAC string to find the vendor tag seems a useful one to remember.
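Two checks a network defender would want after reading that retrospective, as an added example (this is not code from Neil Carpenter's post or from Microsoft): spotting the poisoning itself from ARP traffic, and spotting the injected zero-size iframe in HTTP bodies. The ARP sample lines are constructed in tcpdump's summary format, the HTML body is constructed, the gateway address and the three-IP threshold are assumptions, and the OUI-to-vendor table is a small illustrative one standing in for the IEEE OUI registry a real tool would load.

```python
"""Detect ARP-cache poisoning and the zero-size iframe it was used to inject.

Two ARP signals are checked:
  1. an IP address, the default gateway above all, announced by more than one
     hardware address: a poisoner racing the real host for victims' caches;
  2. one hardware address that claims to be many IPs at once, which is what a
     transparent-proxy poisoner does when it sits between every host and the
     gateway.
The vendor tag comes from the OUI (first three octets) of each suspect MAC,
the trick the post recommends.
"""
import re
from collections import defaultdict

# Constructed sample, not a real capture.
SAMPLE_ARP_LOG = """\
ARP, Reply 192.168.1.1 is-at 00:1b:2c:3d:4e:5f
ARP, Reply 192.168.1.20 is-at 00:1f:3a:aa:bb:cc
ARP, Request who-has 192.168.1.1 tell 192.168.1.23
ARP, Reply 192.168.1.1 is-at 00:0c:29:de:ad:01
ARP, Reply 192.168.1.20 is-at 00:0c:29:de:ad:01
ARP, Reply 192.168.1.21 is-at 00:0c:29:de:ad:01
ARP, Reply 192.168.1.22 is-at 00:0c:29:de:ad:01
ARP, Reply 192.168.1.1 is-at 00:0c:29:de:ad:01
"""

ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})")

# Illustrative OUI table (assumption); a real tool loads the IEEE registry.
OUI_VENDOR = {
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Microsoft Hyper-V",
}

def vendor_of(mac):
    """Vendor name for the OUI of `mac`, or 'unknown'."""
    return OUI_VENDOR.get(mac[:8].lower(), "unknown")

def parse_replies(text):
    """(ip, mac) for every ARP reply line; requests and other lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def detect_poisoning(replies, gateway_ip, max_ips_per_mac=3):
    """Return a list of (severity, message) alerts, in the order raised."""
    ip_to_macs = defaultdict(list)   # ordered, so index 0 is the first binding seen
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac_to_ips[mac].add(ip)
        if mac in ip_to_macs[ip]:
            continue                   # same binding as before, nothing new
        ip_to_macs[ip].append(mac)
        if len(ip_to_macs[ip]) > 1:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((severity,
                           f"{ip} now claimed by {mac} [{vendor_of(mac)}], "
                           f"first seen as {ip_to_macs[ip][0]}"))
    for mac, ips in mac_to_ips.items():
        if len(ips) > max_ips_per_mac:
            alerts.append(("HIGH",
                           f"{mac} [{vendor_of(mac)}] claims {len(ips)} addresses: "
                           f"{', '.join(sorted(ips))}"))
    return alerts

# The injected payload shape from the incident: an iframe with zero width or
# height renders nothing visible while still loading the attack page.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
ZERO_DIM = re.compile(r"\b(width|height)\s*=\s*[\"']?0(px)?[\"']?(?![0-9])", re.I)

def find_hidden_iframes(html):
    """iframe tags whose width or height is 0."""
    return [tag for tag in IFRAME_TAG.findall(html) if ZERO_DIM.search(tag)]

# Constructed response body with one benign and one zero-size iframe.
SAMPLE_HTML = ('<html><body><p>Hello</p>'
               '<iframe src="http://video.example/player" width="640" height="360"></iframe>'
               '<iframe src="http://evil.example/x" width=0 height=0></iframe>'
               '</body></html>')

if __name__ == "__main__":
    for sev, msg in detect_poisoning(parse_replies(SAMPLE_ARP_LOG), "192.168.1.1"):
        print(sev, msg)
    for tag in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe:", tag)
```

On the sample the gateway conflict is raised as HIGH the moment the second MAC claims 192.168.1.1, and the same MAC is reported again once it has claimed four hosts. Static ARP entries for the gateway on critical hosts, or dynamic ARP inspection on the switch, stop the attack rather than merely detect it.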
One significant risk to those who spend lots of money on intrusion detection systems to monitor incoming network traffic is that they may grow to assume that outbound communications are not of high interest. In recent months a small group of researchers and I have been spending a significant amount of time developing a dialog-tracking engine to focus on the analysis of outbound traffic. In particular we've been interested in understanding the kinds of dialog interactions malware-infected local systems have with external systems. Last week we made our dialog-correlation engine freely available on the Internet at http://www.cyber-ta.org/BotHunter/. BotHunter should be of interest particularly to security researchers and system administrators. To illustrate the effectiveness of BotHunter, the website includes a link to our live malware analysis pages — where we've been able to test BotHunter against roughly 9000 successful malware infections over the last 90 days. The website includes the details of our system, including our most recent paper, which is being presented at this year's Usenix Security Conference on 8 Aug 2007: Guofei Gu, Phillip Porras, Vinod Yegneswaran, and Martin Fong, BotHunter: Detecting Malware Infection through IDS-Driven Dialog Correlation If you have doubts whether all the machines inside your network perimeter are infection-free, BotHunter may help you assess the "risks from the inside." Phillip A. Porras (email@example.com), Program Director, SRI International 333 Ravenswood Ave, Menlo Park CA 94025 USA (650) 859-3232 [BotHunter seems to be attracting considerable interest. As of this week, it reached its first 1000 downloads. PGN]
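What "dialog correlation" buys over per-alert judgement, as an added example (not SRI's BotHunter code): sensor alerts are attributed to the internal host they concern, bucketed into infection-dialog stages, kept for a time window, and a host is declared infected only when enough distinct stages line up, with outbound evidence (egg download, C&C traffic, outbound scanning) weighing as much as the inbound exploit. The stage labels follow the usual life-cycle of an infection dialog; the alert classes, the 10.0.0.0/8 "internal" range, the 600-second window and the decision rule are this example's own assumptions, not the published model, and the alert lines are constructed.

```python
"""Toy dialog-correlation engine for outbound-traffic evidence.

No single alert convicts a host.  Evidence is attributed to the internal host
it concerns and kept for a window; only when enough distinct dialog stages
line up is the host declared infected.
"""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the monitored LAN
WINDOW = 600                                    # seconds; assumption

STAGE_OF = {                 # alert class -> dialog stage (this example's mapping)
    "INBOUND_SCAN": "E1",
    "INBOUND_EXPLOIT": "E2",
    "EGG_DOWNLOAD": "E3",
    "CNC_COMMUNICATION": "E4",
    "OUTBOUND_SCAN": "E5",
}
INBOUND_STAGES = {"E1", "E2"}
OUTBOUND_STAGES = {"E3", "E4", "E5"}

# Constructed sensor alerts, "<epoch> <class> <src> -> <dst>"; not real traffic.
SAMPLE_ALERTS = """\
1000 INBOUND_SCAN 203.0.113.9 -> 10.1.1.5
1030 INBOUND_EXPLOIT 203.0.113.9 -> 10.1.1.5
1100 EGG_DOWNLOAD 10.1.1.5 -> 198.51.100.7
1200 INBOUND_SCAN 203.0.113.9 -> 10.1.1.6
1400 CNC_COMMUNICATION 10.1.1.5 -> 198.51.100.8
5000 OUTBOUND_SCAN 10.1.1.7 -> 10.1.2.0
"""

def parse_alerts(text):
    """(timestamp, class, src, dst) tuples in time order."""
    events = []
    for line in text.splitlines():
        ts, cls, src, _arrow, dst = line.split()
        events.append((int(ts), cls, src, dst))
    return sorted(events)

def local_host(cls, src, dst):
    """The internal host an alert is about: the target for inbound stages, the
    source for outbound ones; None when that address is not on our network."""
    addr = dst if STAGE_OF.get(cls) in INBOUND_STAGES else src
    return addr if ipaddress.ip_address(addr) in INTERNAL else None

def infected(stages):
    """Decision rule (assumption): inbound evidence corroborated by any outbound
    stage, or two independent outbound stages, declares an infection."""
    inbound = stages & INBOUND_STAGES
    outbound = stages & OUTBOUND_STAGES
    return (bool(inbound) and bool(outbound)) or len(outbound) >= 2

def correlate(events, window=WINDOW):
    """{host: sorted stages} for hosts whose stages, all seen within `window`
    seconds of the latest one, satisfy the decision rule."""
    history = defaultdict(list)      # host -> [(ts, stage)]
    verdicts = {}
    for ts, cls, src, dst in events:
        if cls not in STAGE_OF:
            continue
        host = local_host(cls, src, dst)
        if host is None:
            continue
        history[host] = [(t, s) for t, s in history[host] if ts - t <= window]
        history[host].append((ts, STAGE_OF[cls]))
        stages = {s for _, s in history[host]}
        if infected(stages):
            verdicts[host] = sorted(stages)
    return verdicts

if __name__ == "__main__":
    for host, stages in correlate(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{host}: infected, dialog stages {' '.join(stages)}")
```

On the sample, 10.1.1.5 is convicted once its outbound egg download follows the inbound exploit; 10.1.1.6 (scanned only) and 10.1.1.7 (a lone outbound scan) are not, which is the false-positive discipline that makes outbound monitoring usable on a busy network.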
Dan Ring <firstname.lastname@example.org>, 4 Aug 2007 Massachusetts Governor Deval L. Patrick yesterday signed a bill designed to protect people against identity theft. The new law, which takes effect in 90 days, allows consumers to pay a $5 fee to block access to their credit reports, forces companies and government agencies to notify people if personal information is lost or stolen and mandates disposal of certain personal information on consumers. The law was approved following some highly-publicized thefts, including one reported in January by TJX Cos. in Framingham and another in May 2006 involving birth dates and Social Security numbers kept by the federal government of 26.5 million military veterans. ... http://www.masslive.com/hampfrank/republican/index.ssf?/base/news-10/1186212257204950.xml&coll=1 An Act Relative To Security Freezes And Notification Of Data Breaches http://www.mass.gov/legis/laws/seslaw07/sl070082.htm An Act Relative to the Protection of Personal Information http://www.mass.gov/legis/bills/house/185/ht04pdf/ht04144.pdf
President Bush signed into law on Sunday legislation that broadly expanded the government's authority to eavesdrop on the international telephone calls and e-mail messages of American citizens without warrants. [Source: James Risen, *The New York Times*, 6 Aug 2007; PGN-ed] Congressional aides and others familiar with the details of the law said that its impact went far beyond the small fixes that administration officials had said were needed to gather information about foreign terrorists. They said seemingly subtle changes in legislative language would sharply alter the legal limits on the government's ability to monitor millions of phone calls and e-mail messages going in and out of the United States. They also said that the new law for the first time provided a legal framework for much of the surveillance without warrants that was being conducted in secret by the National Security Agency and outside the Foreign Intelligence Surveillance Act, the 1978 law that is supposed to regulate the way the government can listen to the private communications of American citizens. ... http://www.nytimes.com/2007/08/06/washington/06nsa.html?ex=1344052800&en=5e759f53fc811cd7&ei=5090
I have had a problem involving use of someone else's credit card over the Internet. I want to post this because I want to advise people of a potential problem and/or risk and perhaps ask if someone else noticed this, or, in the alternative, make it known what happened so that people can be aware of it. Or maybe someone can tell me how this happened. Another roommate who stays at the house I rent a room in uses my computer to handle his business, basically for surfing the net and such. If I'm at the computer I'm willing to help him find things or enter details. On occasion, typically for his customers he will book airline tickets, and he uses one specific credit card for that purpose. On occasion he's had me enter his information into the computer. I do not know, and have never saved or captured his credit card information (I have my own cards). Well, what is weird is, there were two things I ordered which were charged to his card number. I haven't the slightest idea how. The last 4 digits of both cards are different, the issuers are not the same (the one I use belongs to a family member and is a major East-Coast bank, his has his name and is some small bank in the Midwest), and as I don't even know his number there's no way I could have used it intentionally. My ATM card is on the Visa network, and if I hit a website that refused debit cards, I have a regular credit card which is issued to a family member, so I did not need to use someone else's card. And if I did need a credit card and did not have one around, I would have asked him first if I didn't have a credit card available. I use Netscape version 7.2 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)" on a Windows XP machine with Service Pack 2 for browsing because I do not trust Internet Explorer and its security holes. 
I have a hardware firewall between this computer and the Internet, so I can't argue some hacker broke in and switched one of my charges to his credit card. (Which is ridiculous to say the least.) The only possible answer I can think of is that on one of the form fields used by one of the airline websites, is using the same field name as the two companies I ordered things from, and somehow they are capturing the same values from each other. (One was Vista Print, where I ordered two rubber stamps, and the other was AAA where I ordered a membership. I think the tickets he ordered were from Southwest Airlines.) When I placed his legitimate order on Southwest, I typed in his number as he read it to me. I did not copy the number into the clipboard or otherwise save the number. Later when he saw his bill for two items he did not recognize and asked me about it, I discovered that the purchases he has on his bill exactly match the two I made, but should have gone on my credit card number. And I haven't the slightest idea how. I went to Vistaprint's website, and tried a fake transaction. When I got to the payment page, where it asks for credit card number, the field is blank. I double-clicked on the credit card number field, and the previous value came up, with the correct card number (the one I would have used). I don't know his number, didn't save it and did not attempt to use it. I couldn't have used his card number by mistake by typing it in off of it if I had, say, found it on the desk because he left it behind and I mistook it for one of the credit cards someone in my family has (first, the name would have been wrong and even if I didn't notice that, I would have spotted the credit cards as being wrong because I do not and have never used his bank.) But somehow I did use his card number and I haven't the slightest idea how. 
The only possible explanation I have is that somehow form fields used on three different web sites are somehow cross-collecting information by pre-populating them, or something. The two transactions together come to less than $90, so it wasn't a huge issue, but it frightens me because I haven't the slightest idea how it happened or how I could have prevented it. The solution I am going to use is that if I ever do anything for him that involves ordering something, I will use Internet Explorer (for accessing a specific known and trusted website, it is okay), and I will not use Netscape for anything he's using, as I only use Netscape for anything I order. The only possible answer I can come up with is some form of cross-website contamination, which I do not believe could happen if I'm not using the same browser for any of his transactions, so I think this will solve the problem. I've also suggested he get his bank to issue him a new card with a different number. This kind of thing scares me; if it wasn't for the fact he was understanding about it, I could technically have been looking at charges for credit card fraud! The thing that bothers me most is that I'll be damned if I can figure out how the hell this happened.
Call For Search Engine Issues, Complaints, Concerns http://lauren.vortex.com/archive/000266.html Greetings. As part of my continuing research and an upcoming white paper focusing on policy and related technical issues associated with search engines and their impacts, I'd very much appreciate any examples of relevant specific situations, concerns, and any other positive or negative experiences with search engine operations and support personnel, with a particular emphasis on (but not limited to) the following categories:
— Attempts to remove or deemphasize from search engine listings any data perceived to promote Web sites containing seriously incorrect, defamatory, misleading, privacy-invasive, or otherwise highly damaging or problematic materials
— Search engine issues or problems related to "public record" (e.g. government) data, particularly with negative impacts on privacy or individuals' personal lives
— Issues of "obsolete" or superseded data being promoted by search engine listings, without any indication that such data is no longer current and/or correct
— Any problems related to search engine caches exacerbating the sorts of issues listed above or other related problems
— And so on ...
I am particularly interested in any experiences you may have had while attempting to contact search engine personnel (either through provided Web forms or other means) with concerns or problems, and the dispositions of those communications. For this round, I am specifically *not* soliciting issues related to "Search Engine Optimization" (SEO) concerns (e.g., "How come my Web site always ranks lower than that other Web site on Google?") For any sagas you relate to me, please be as specific as possible (within whatever bounds that you feel comfortable) — but at the very least please identify the particular search engine of concern and the approximate time period of the issue. 
Unless you specify otherwise, I will assume that I may note the issue (on an anonymous basis) in my reports on this subject. If you'd prefer that I don't reference your issue in any form, or if you don't mind being quoted non-anonymously for attribution, please let me know. Please send any information that you can provide as soon as possible to: email@example.com For some recent background on the issues of concern, please see: Search Engine Dispute Notifications: Request For Comments http://lauren.vortex.com/archive/000253.html Extending Google Blacklists for Dispute Resolutions http://lauren.vortex.com/archive/000254.html A Most Remarkable Google Page: Toward Search Dispute Resolutions http://lauren.vortex.com/archive/000255.html Benefits and Risks in Google's Public Records Access Project http://lauren.vortex.com/archive/000228.html Thanks very much! Lauren Weinstein firstname.lastname@example.org or email@example.com +1 (818) 225-2800 http://www.pfir.org/lauren Blog: http://lauren.vortex.com
The official Hawkeye website is a bit coy about details, but from http://jtsang.blogspot.com/2006/07/technology-in-tennis-hawk-eye.html it looks as though 6 cameras are used - plus a /lot/ of processing power and no doubt many unpublished assumptions about ball dynamics (and some errorless code? :-) ). It's a very high-tech solution, and vulnerable to all sorts of problems (calibration comes to mind; the claimed accuracy may be quoted as 3mm - but one wonders what the error distribution looks like). I've been racking my brains since my original submission to RISKS, and still can't see what would be wrong with a simple set of video cameras (about 10 needed?) monitoring the various lines along with some simple recording gear with action replay, re-showing the real thing if needed. The simulation is very nice for TV to show details of players' contact with the ball - but why is it necessary for line-call judgment? Technology for profit's sake, perhaps, plus the "king's new clothes" syndrome? Mike Scott (unet <at> scottsonline.org.uk) Harlow Essex England
I suspect that we have misunderstood the process involved. On serves, Hawkeye is used exclusively and to override it would be quite unusual. You do not generally see challenges on serves. On other shots, by default, a human judge makes the call. If the player challenges that call, Hawkeye is used to adjudicate. No information about the accuracy of Hawkeye can be determined from the situation. In fact, the process assumes Hawkeye is 100% accurate and makes no attempt to verify it. (Exactly how any verification might be conducted is not immediately obvious.)
BKCOSERM.RVW 20070506 "COSO Enterprise Risk Management", Robert R. Moeller, 2007, 0-471-74115-9 %A Robert R. Moeller %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2007 %G 0-471-74115-9 978-0-471-74115-2 %I John Wiley & Sons, Inc. %O 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0471741159/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0471741159/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0471741159/robsladesin03-20 %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation) %P 367 p. %T "COSO Enterprise Risk Management" The inclusion of "COSO" (the Committee Of Sponsoring Organizations of the Treadway Commission) in the title indicates that this work takes a corporate, and particularly financial, perspective with respect to risk management. The fact that the first paragraph of the preface makes reference to the key (if rather vague) phrase "internal controls" reinforces this idea. It is, therefore, somewhat ironic that the introduction complains that risk management is poorly defined and understood. The concept of internal control is similarly nebulous, and a badly understood abstraction can hardly be expected to result in advice likely to lead to solid implementations by the readers of the book. Chapter one is a general introduction to the perceived need for COSO and internal controls. With yet more unintentional incongruity there is heavy emphasis on ethics and philosophy within the organization. (An ethical enterprise would presumably have no need for internal controls.) A traditional risk management process is outlined in chapter two. (There is a great deal of consideration given to surveys, but little to either hard facts or statistics.) Chapter three's review of "enterprise" risk management reiterates a good deal of the previous material. The COSO risk management components are noted, mostly in regard to the highest corporate levels. 
The additional COSO dimensions of objectives and entity levels are covered in chapter four. Chapter five repeats content on roles, responsibilities, and process aspects of risk management. The history of the initial (1992 version) COSO structure is given in chapter six. Chapter seven provides background on the Sarbanes-Oxley law, and some relations to the COSO framework. Audit is discussed in both chapters eight and nine, first with respect to the board, and then in regard to internal audit activities. The project management cycle is reviewed in chapter ten: unlike most similar pieces in risk management books, this one at least addresses specific functions regarding risk management. Chapter eleven purportedly ties enterprise risk management to information technology, but the topics are limited to application development, business continuity, and malware. Chapter twelve's suggestions on building a risk culture follow the usual advice on creating a security awareness program. Various national financial standards and regulations are noted in chapter thirteen. In chapter fourteen the author ruminates on what should happen with risk management in the future. This book is almost identical in content and style to numerous others on similar topics, such as Marchetti's "Beyond Sarbanes-Oxley Compliance" (cf. BKBYNSOX.RVW), "Security Controls for Sarbanes-Oxley Section 404 IT Compliance" by Brewer (cf. BKSCSOXC.RVW), Lahti and Peterson's "Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools" (cf. BKSOITCU.RVW), and the rather better "Beyond COSO", by Steven J. Root (cf. BKBECOSO.RVW). The writing and material may provide some assistance with a risk management process, but the central points could have been provided in a clearer and more concise form. copyright Robert M. Slade, 2007 BKCOSERM.RVW 20070506 firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev/rms.htm