Content protection features in Windows Vista are preventing customers from playing high-quality video and audio and harming system performance, even as Microsoft neglects security programs that could protect users, computer researcher Peter Gutmann argued at the USENIX Security Symposium in Boston [on 8 Aug 2007]. [Source: Content protection rules said to harm system performance, detract from security, Jon Brodkin, NetworkWorld.com, 9 Aug 2007] http://www.networkworld.com/news/2007/080907-vista-high-def.html
[Source: Wolfgang Gruener, *TGDaily* 20 Aug 2007] http://www.tgdaily.com/content/view/33452/103/ Skype today provided a few more pieces of information about the reasons behind its massive network outage last week. According to the company, the network outage was initially caused by a "massive restart of [its] user's computers across the globe within a very short timeframe as they rebooted after receiving a routine software update." That high number of reboots was followed by an equally high number of log-in requests, which resulted in what Skype calls a "chain reaction." On the Skype blog, a company representative wrote that this event revealed a "previously unseen software bug within the network resource allocation algorithm" which prevented Skype's "self-healing function from working quickly. ... Skype has now identified and already introduced a number of improvements to its software to ensure that our users will not be similarly affected in the unlikely possibility of this combination of events recurring." The company said that there were no malicious activities that impacted Skype. [Also noted by Danny Burstein. PGN]
The Black Hat Conference Hacking The iPhone Andy Greenberg, 08.04.07, 2:02 PM ET Don't say you weren't warned, iPhone fans. Even when the prerelease fervor surrounding Mac's mobile messiah-phone was at its highest, security researchers were warning that it would be vulnerable to exploitations like data theft and hijacking. Last Thursday, Charlie Miller proved them right. In a presentation at the Black Hat conference in Las Vegas, a gathering of cyber-security researchers, Miller detailed how he had hacked and hijacked the iPhone by exploiting a vulnerability in its Web browser. For iPhone owners, the talk wasn't as foreboding as it might have been. Apple had released a patch for Miller's exploit just days before. But Miller, a researcher at Independent Security Evaluators, says Apple's patch was only possible because he had informed the company of the vulnerability weeks before he presented it to Black Hat's hacker audience. And, he says, it would only be a matter of time and effort to find an equally powerful backdoor into the phone. Though there has yet to be any documented criminal hijacking of the iPhone outside of a lab, Miller says his research shows the relative ease of hacking smart phones, as well as Macs in general. He spoke with Forbes.com about the iPhone's vulnerabilities, Apple's short-lived patch and the company's undeserved reputation for building secure computers. ... http://www.forbes.com/security/2007/08/04/iphone-apple-mac-tech-cx_ag_0804miller.html
Robert McMillan, IDG News Service, 08/08/07 Readers of Google's Custom Search Blog were handed a bit of a surprise Tuesday when the Web site was temporarily removed from the blogosphere and hijacked by someone unaffiliated with the company. The problem? Google had mistakenly identified its own blog as a spammer's site and handed it over to another person. ... http://www.networkworld.com/news/2007/080807-google-mistakes-own-blog-for.html
Broad new surveillance powers approved by Congress this month could allow the Bush administration to conduct spy operations that go well beyond wiretapping to include — without court approval — certain types of physical searches of American citizens and the collection of their business records. This offers a case study in how changing a few words in a complex piece of legislation has the potential to fundamentally alter the Foreign Intelligence Surveillance Act. [Source: James Risen and Eric Lichtblau, *The New York Times*, 19 Aug 2007; PGN-ed] http://www.nytimes.com/2007/08/19/washington/19fisa.html?ex=1345176000&en=2e7a7948ff52f9fe&ei=5090
Jim Weirich, a prominent developer, noticed that on his machine numbers were coming out incorrectly: http://onestepback.org/index.cgi/Tech/Mac/MyMacCantCount.red It seems that a corrupted "font cache" was causing all the "7" glyphs in a single font (in all apps) to display as "9". Jim was doing web development. What would have happened if he were doing financial or life-critical systems work? [It's a real glyph-hanger! PGN]
Almost seven months after TJX Cos. revealed that at least 45.7 million credit and debit card numbers were compromised, some banks such as Citibank are still reissuing cards for customers whose information may have been exposed. ... [Source: Se Young Lee, *The Boston Globe*, 9 Aug 2007; PGN-ed] http://www.boston.com/business/personalfinance/articles/2007/08/09/credit_card_headaches_from_tjx_breach_remain/
The figure is more than 10 times the roughly $25 million TJX estimated just three months ago, though at the time it cautioned it didn't know the full extent of its exposure from the breach. The costs include fixing the company's computer system and dealing with lawsuits, investigations, and other claims stemming from the breach, which lasted more than a year before the company discovered the problem in December 2006. [Source: Ross Kerber, *The Boston Globe*, 15 Aug 2007; PGN-ed] http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/
This is a classic NIC fault. Without being in the know about LAX's specific failure, I suspect that all terminals are connected to large switches which simply act as relays to the backbone. On numerous occasions I have found NICs failing simply by either repeating any received packets, thus flooding the network, or worse still, not recognising potential collisions and therefore transmitting whilst other computers are transmitting at the same time. This results in a collision on each attempt. I've seen 100Mbit/s networks grind to a halt (0.1Mbit/s). As opposed to expensive backbone telecom equipment, computer NICs are often cheap and nasty $5 electronics. The solution? Don't put all your eggs in one basket. Don't put all your computers on one sub-network. Olivier Crepin-Leblond, PhD / Global Information Highway Ltd
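The fault Crepin-Leblond describes leaves a recognisable fingerprint when frames are captured on a switch mirror port: the same frame arrives a second time on a port other than the one its source MAC lives on, the source MAC therefore appears on two ports (the "MAC flapping" a switch logs), and one port's frame rate dwarfs the others. The following is an added example, not code from his post or from any LAX report, that runs those checks over a constructed capture; the hosts, MAC addresses, port numbers and traffic pattern are all invented.

```python
from collections import defaultdict

# Constructed sample, not a capture from the LAX incident: three hosts on switch
# ports 1-3 exchange ten frames a second, and the host on port 3 has a NIC that
# re-emits every frame addressed to it, unchanged, ten times (the "repeating any
# received packets" failure mode).  MAC addresses and port numbers are invented.
HOSTS = {1: "02:00:00:00:00:01", 2: "02:00:00:00:00:02", 3: "02:00:00:00:00:03"}
FAULTY_PORT = 3
ECHOES_PER_FRAME = 10


def build_sample_capture(faulty_port=FAULTY_PORT):
    """Frames as (time_s, ingress_port, src_mac, dst_mac, payload), as a mirror port
    on the access switch would see them.  faulty_port=None gives a clean network."""
    frames = []
    ports = sorted(HOSTS)
    for i in range(100):
        t = i * 0.1
        src_port, dst_port = ports[i % 3], ports[(i + 1) % 3]
        src, dst, payload = HOSTS[src_port], HOSTS[dst_port], f"seq-{i}"
        frames.append((t, src_port, src, dst, payload))
        if dst_port == faulty_port:
            # the echoes keep the original source MAC but enter on the faulty port
            for k in range(1, ECHOES_PER_FRAME + 1):
                frames.append((t + 0.001 * k, faulty_port, src, dst, payload))
    frames.sort(key=lambda f: f[0])
    return frames


def analyse(frames, echo_window_s=1.0):
    """Per-port frame count, peak frames in any one-second bucket, and count of
    echoed frames (an identical src/dst/payload already seen on another port within
    echo_window_s).  Also reports source MACs seen on more than one port (the MAC
    flapping a switch logs) and names the port injecting the most echoes."""
    per_port = defaultdict(lambda: {"frames": 0, "echoes": 0, "peak_rate": 0})
    buckets = defaultdict(int)       # (port, whole second) -> frames in that second
    first_seen = {}                  # (src, dst, payload) -> (time, port) of original
    mac_ports = defaultdict(set)
    for t, port, src, dst, payload in frames:
        per_port[port]["frames"] += 1
        buckets[(port, int(t))] += 1
        mac_ports[src].add(port)
        key = (src, dst, payload)
        seen = first_seen.get(key)
        if seen is None or t - seen[0] > echo_window_s:
            first_seen[key] = (t, port)        # a new frame (or a stale key)
        elif seen[1] != port:
            per_port[port]["echoes"] += 1      # same frame, different ingress port
    for (port, _), n in buckets.items():
        per_port[port]["peak_rate"] = max(per_port[port]["peak_rate"], n)
    flapping = {mac: ports for mac, ports in mac_ports.items() if len(ports) > 1}
    suspect = max(per_port, key=lambda p: per_port[p]["echoes"], default=None)
    if suspect is not None and per_port[suspect]["echoes"] == 0:
        suspect = None
    return {"ports": dict(per_port), "flapping_macs": flapping, "suspect_port": suspect}


if __name__ == "__main__":
    report = analyse(build_sample_capture())
    for port, stats in sorted(report["ports"].items()):
        print(f"port {port}: {stats}")
    print("MACs seen on several ports:", report["flapping_macs"])
    print("suspect port:", report["suspect_port"])
```

On the constructed capture the faulty port carries ten times the traffic of the others and is the only one injecting echoes; on a real switch the same evidence shows up as a port with an anomalous frame counter and a MAC learned on two ports, which is what to look for before blaming the backbone.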
What's happening at my place of employ is that the business is starting to query why we have duplicate systems "sat around doing nothing", so they start running production work on the DR kit. Then, when one site fails, the other can no longer cope with the workload.
The Minnesota case relies on a rather narrow foundation: the RFP to which CMI responded gave title to at least some of the code to the state, and required CMI's co-operation with defense attorney requests. In other words, the Minnesota Supreme Court's ruling is not based on a recognition of a fundamental right as opposed to the factual basis of this particular case. I wonder, in fact, if the prosecutors could secure a court order for the code under contract law, and enforce it with large civil damages. More details on this in my blog entry on the case: http://www.cs.columbia.edu/~smb/blog/2007-08/2007-08-10.html
> Seven of the 12 E-ZPass states in the U.S. Northeast and Midwest provide
> toll records to court orders in criminal and civil cases. Four of those
> states (including NJ and PA) allow release only in criminal cases.

A) Do they require a court order? [Or just a request?]
B) How do those states that do block civil demands accomplish same? [i.e. Do they have tested support in state law?]
C) What does this portend for other tracking records: NYC's new access charge scheme, DC Metro {and others, inc NYC..} permanent fare cards, video recordings, and cell phone tracking records? Does the alleged protection mentioned extend to them?

The obvious Risk: Mission Creep abounds. Will folks be required to archive all data just in case... How will the demand alter system design? Staffing?
The elimination of leap-seconds is being promoted by those who are too lazy or too incompetent to code time conversions correctly. This situation arose because the long-term slowing of the earth's rotation (which creates the need for leap-seconds) failed to occur for several years, eliminating the need for leap-seconds for 7 years. Previously, a leap-second had been required every year or two. From 1 January 1961 until 1 January 1972, UTC seconds varied in length relative to TAI seconds, leap-seconds were fractions of a second, and UTC clocks thus did not tick on the same instant as TAI clocks. I was a software test engineer on a project that handled this correctly. UTC was redefined starting 1 January 1972 to have a second exactly the same as the TAI second, to have leap-seconds exactly whole seconds, and thus UTC clocks thereafter indeed did tick on the exact same instant as TAI clocks. The old software did not need revision; it still handled this correctly. This was for a large software system for the command and control of military space satellites. Internal time was kept in TAI minutes from some base time because the mathematics required all minutes to be uniform in duration. External time, however, was reported in UTC (day, month, year, hour, minute, and seconds — to the nearest millisecond). UTC was also used as an intermediate step to getting actual solar time (not mean solar time) for determining the orientation of the surface of the earth relative to a fixed coordinate system based on the stars. When the software system was replaced in the mid-1980s, the developer (who had not worked on the previous system) did not really understand the difference between UTC and TAI. I repeatedly — and unsuccessfully — warned both the developer and the US Air Force (the customer) that there would be problems for not doing time conversions correctly.
In the end, the Air Force was required to suspend mission operations a minute before a leap-second and resume operations a minute after. This suspension was considered to be a cost-effective response to the lack of proper design because correcting the design would impact both software and hardware with a cost of several millions of dollars (partially a consequence of poor modularization of the software). A capability that existed in 1970 no longer existed in 1992. A historical tabulation of leap-seconds: http://hpiers.obspm.fr/eoppc/bul/bulc/UTC-TAI.history A history of the proposal to eliminate leap-seconds oriented against the proposal: http://www.ucolick.org/~sla/leapsecs/nc1985wp7a.html David E. Ross <http://www.rossde.com/>
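Ross's design rule, keep internal time on the uniform TAI scale and convert to UTC only at the boundary, is short to implement once leap seconds are whole seconds. The following is an added example, not Ross's system or the Air Force software, covering the post-1972 regime only: the offset table is transcribed from the IERS UTC-TAI.history file he links (entries after this digest's date are included; the table must be refreshed from IERS Bulletin C whenever a new leap second is announced), a Python datetime stands in for a TAI reading because it does uniform-seconds arithmetic, and the naive wall-clock subtraction is shown beside the correct one to make the failure visible.

```python
from datetime import datetime, timedelta
import re

# TAI-UTC since 1972, when leap seconds became whole seconds: each entry is the UTC
# date on which the new offset took effect.  Transcribed from the IERS UTC-TAI.history
# file linked above; the table runs to the 2017-01-01 leap second, the last announced,
# and must be extended from IERS Bulletin C when another is scheduled.
LEAP_TABLE = [
    (datetime(1972, 1, 1), 10), (datetime(1972, 7, 1), 11), (datetime(1973, 1, 1), 12),
    (datetime(1974, 1, 1), 13), (datetime(1975, 1, 1), 14), (datetime(1976, 1, 1), 15),
    (datetime(1977, 1, 1), 16), (datetime(1978, 1, 1), 17), (datetime(1979, 1, 1), 18),
    (datetime(1980, 1, 1), 19), (datetime(1981, 7, 1), 20), (datetime(1982, 7, 1), 21),
    (datetime(1983, 7, 1), 22), (datetime(1985, 7, 1), 23), (datetime(1988, 1, 1), 24),
    (datetime(1990, 1, 1), 25), (datetime(1991, 1, 1), 26), (datetime(1992, 7, 1), 27),
    (datetime(1993, 7, 1), 28), (datetime(1994, 7, 1), 29), (datetime(1996, 1, 1), 30),
    (datetime(1997, 7, 1), 31), (datetime(1999, 1, 1), 32), (datetime(2006, 1, 1), 33),
    (datetime(2009, 1, 1), 34), (datetime(2012, 7, 1), 35), (datetime(2015, 7, 1), 36),
    (datetime(2017, 1, 1), 37),
]
_ONE_SECOND = timedelta(seconds=1)
_UTC_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})$")


def _offset_at_utc(utc):
    """TAI-UTC (whole seconds) in force at a UTC instant that is not itself a leap second."""
    if utc < LEAP_TABLE[0][0]:
        raise ValueError("before 1972 UTC seconds were not SI seconds; not handled here")
    offset = LEAP_TABLE[0][1]
    for boundary, new_offset in LEAP_TABLE:
        if utc >= boundary:
            offset = new_offset
    return offset


def utc_to_tai(text):
    """Convert 'YYYY-MM-DDTHH:MM:SS' UTC (SS may be 60 on a leap-second day) to a TAI
    datetime; the datetime is used only as a uniform-seconds counter."""
    m = _UTC_RE.match(text)
    if not m:
        raise ValueError(f"not a UTC timestamp: {text!r}")
    y, mo, d, hh, mm, ss = map(int, m.groups())
    if ss == 60:
        # 23:59:60 exists only on the day before a table entry (all leap seconds so far
        # have been positive; a negative one would remove 23:59:59 instead)
        next_day = datetime(y, mo, d) + timedelta(days=1)
        if (hh, mm) != (23, 59) or next_day not in [b for b, _ in LEAP_TABLE[1:]]:
            raise ValueError(f"no leap second at {text}")
        last_regular = datetime(y, mo, d, 23, 59, 59)
        # the inserted second follows 23:59:59 and still carries the old offset
        return last_regular + _ONE_SECOND + timedelta(seconds=_offset_at_utc(last_regular))
    utc = datetime(y, mo, d, hh, mm, ss)
    return utc + timedelta(seconds=_offset_at_utc(utc))


def tai_to_utc(tai):
    """Inverse of utc_to_tai; returns the ISO string, including '23:59:60' for an
    instant that falls inside an inserted leap second."""
    first_tai = LEAP_TABLE[0][0] + timedelta(seconds=LEAP_TABLE[0][1])
    if tai < first_tai:
        raise ValueError("before 1972-01-01 TAI; not handled here")
    offset = LEAP_TABLE[0][1]
    for boundary_utc, new_offset in LEAP_TABLE[1:]:
        boundary_tai = boundary_utc + timedelta(seconds=new_offset)
        if tai >= boundary_tai:
            offset = new_offset
            continue
        if tai >= boundary_tai - _ONE_SECOND:
            # inside the inserted second: UTC reads 23:59:60 on the previous day
            return (boundary_utc - timedelta(days=1)).strftime("%Y-%m-%dT23:59:60")
        break
    return (tai - timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%S")


def elapsed_seconds(utc_start, utc_end):
    """SI seconds between two UTC readings, computed on the TAI scale."""
    return int((utc_to_tai(utc_end) - utc_to_tai(utc_start)).total_seconds())


def naive_elapsed_seconds(utc_start, utc_end):
    """Wall-clock subtraction of UTC readings: the conversion error Ross warns about.
    It is short by one second per leap and cannot parse a :60 second at all."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    return int((datetime.strptime(utc_end, fmt) - datetime.strptime(utc_start, fmt)).total_seconds())


if __name__ == "__main__":
    start, end = "2016-12-31T23:59:00", "2017-01-01T00:00:00"
    print("TAI at 2016-12-31T23:59:60 UTC:", utc_to_tai("2016-12-31T23:59:60"))
    print("uniform seconds across the leap:", elapsed_seconds(start, end))       # 61
    print("naive wall-clock difference:    ", naive_elapsed_seconds(start, end))  # 60
```

The one-second discrepancy is exactly what forced the Air Force to suspend operations around each leap second: a system that subtracts UTC wall-clock readings, or that hard-codes the TAI-UTC offset current at delivery, is wrong by one second per leap from then on, whereas a system that stores TAI and converts at the edge needs only a table update.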
We need to check our math here. We're adding leap-seconds at a rate of less than one second per year. With 86400 seconds in a day, turning day to night takes more than 43,200 years. That's not a few to me, that's five times recorded human history. Perhaps the time community will decide to add a leap-minute every 100 years or so. That's the sort of Y2K planning even Congress should be able to manage, and it only impacts folks who need to be within a minute of solar time. It would become the sort of once-in-a-lifetime event that century changes have been in the past. For a minute, about the time it took to read this "sky is falling" post. Randy Saunders, JHU Applied Physics Lab +1.240.228.3861 R.Saunders@IEEE.org
"Day into night" was poetic license to grab people's attention - apparently it worked. Your calculation assumes a linear effect. The first leap hour is estimated to occur in about 600 years. They accelerate quadratically after that - remember, we have leap seconds due to the tidal slowing that has already occurred. Future slowing will make leap seconds occur more frequently. There have been the equivalent of about 4 leap hours since Aristotle's time: http://www.ucolick.org/~sla/leapsecs/ancient.png As I said, the expected cost to the astronomical community is large. One independent estimate was $3M to remediate a single midsize telescope. The cost to other communities, as with Y2K, is unknown until an inventory is performed. This legislation guarantees, however, that researchers, government, and industry need to pay attention to UTC - now the law of the land. For instance, the impact of climate on our economy is ever more critically appreciated. Weather and tides, ocean currents and glaciers all respond to diurnal effects. The question isn't whether a static offset of a minute matters - the question is whether a residual secular slope of that magnitude matters. For many purposes, no. But is it prudent to assume that no risks possibly pertain? We're all the "time community", of course. Interested parties will find detailed, often entertaining, and sometimes repetitive discussion of these issues on the LEAPSECS mailing list: http://six.pairlist.net/mailman/listinfo/leapsecs Rob Seaman, National Optical Astronomy Observatory
Imagine paper ballots, with a separate slip for each office that is up for election. Voters coming into the polling place would be handed a set of slips. They could be color coded, but also marked by number. The voters would first check that they have a complete set of slips. The voters would then mark their choice of candidates on each slip, or write in any name wanted. They would put the slips into boxes for each color/number. (If a slip happens to go into the wrong box, that can be easily sorted out later by the poll counters.) At the close of voting hours, poll counters would take each box in turn and sort the slips into piles for each candidate. In many cases the winner will be immediately apparent when one pile is obviously larger than the others. But of course exact counts would be made and reported. Poll watchers would watch the counting to be sure no one removes or adds slips. After counting, the slips would be put into boxes and sealed. If a recount is called for later, the slips can simply be recounted. Would an electronic system offer less opportunity for fraud, or more reliable detection of fraud? Would an electronic system be cheaper to implement? If no, why do we want electronic systems? [This is of course a very old idea (used in many places more or less as proposed), but it keeps looking better and better when observing the mad feeding frenzy for all-electronic machines that have rushed in where even fools might fear to tread. PGN]
Go low tech on the counting side of the equation. By manually counting paper ballots, integrity and trust are restored. The time savings and convenience don't outweigh the costs when you factor in the distrust a closed, unverifiable system creates. For almost 200 years, most elections in the U.S. were handled this way. No, this doesn't alleviate fraud. It does potentially save billions of dollars to the taxpayer by eliminating unnecessary technology purchases while restoring accountability in the electoral system. Without accountability and transparency in our electoral system, technology additions do not provide any value no matter how persuasive their advocates are. http://www.lewrockwell.com/fisk/fisk9.html Even the political philosophy types understand that there's no confidence in any technology-based solution. So why should we technology types keep pounding our collective heads against the walls? Maybe the low tech solutions are really "the best" since they can be verified by the great unwashed ... ... and I include myself in that. Since the "kamikaze 1000", Dye boldly, or whatever isn't "my" platform of expertise, then I too am part of the great unwashed that doesn't understand its particular version of "voo doo". Sometimes one can be too smart for one's own good. There's no doubt that smart people can figure out a technological solution. And, there is equally also no doubt that the people, who seek to rule over others, are just as smart and cunning as well. Humans can always find a hole that they can exploit. The old programming canard is so true, "you never find the last bug". At least, the manual "one - two - three" doesn't require detailed examination. Just a counter and two or three watchers. Ferdinand J. Reinke, Kendall Park, NJ 08824 http://www.reinke.cc/ blog => http://www.reinkefaceslife.com/
> attempting to contact search engine personnel Why aren't search engine companies responsive to little old you and me? Simple. Take why I dare not get hooked on their "gmail" product: How can one expect personal assistance when there are just too many users for the company to provide personal assistance to?
Between us, my wife and I have four credit cards, which you might think of as "hers," "mine," "ours," and "business expenses." All four of those cards are with Citibank, three in the guise of AT&T Universal Cards, and the fourth directly. The fourth card has significantly different properties from the other three, despite being with the same bank. For one thing, it gives rebates on various kinds of purchases, which can be spent (only) on buying or maintaining an automobile. For another, the due date for payments is a week before the statement date; on the other three cards, the two dates are the same. Every month, a few days after statements become available, I go online and schedule electronic payments for all four cards. Although I am nervous about the possibility that a payment might wind up being credited for much more than I had requested, that is a possibility with paper checks also, and now that we don't get original checks back anyway, all such transactions come down to "he said, they said" anyway. So... In the middle of last month, I scheduled payments for three credit cards (the fourth had a zero balance). A few days ago, I went back to check that the payments were in the queue as requested. To my surprise, (1) One of them had vanished, and (2) Even though the next statements had not yet been prepared, it was already past the due date. I immediately scheduled another payment, which went through that day. Nevertheless, when the next statement came out, it included both a $39 late fee and finance charges for all outstanding charges--even those that were too recent to appear on the statement. I was able to get them to reverse those charges, based on their observation that I had paid the other cards at the same time. I still don't know what happened to this payment. Did I really forget one of the cards? Did I enter the transaction only to have it go awry somehow? I doubt I will ever know.
But I do know that this would not have happened if, after seeing the final confirmation screen, I had simply saved the date and confirmation number. Yes, it is always possible for them to deny that the confirmation number exists, just as it is possible to deny that a canceled check exists. But it is much harder to do so, especially if they do not offer any alternative means of proof.
Here is the text from a confirmation E-mail that I got from Wendy's Restaurant: You are receiving this email because you (or someone pretending to be you) has entered the WENDY'S KICK FOR A MILLION CONTEST. If you did not enter this contest, please ignore this email. This email confirms we have received your WENDY'S KICK FOR A MILLION CONTEST entry information. For your records, here is the password you used to register: XXXXXXXXX [I changed the password in paragraph three. (sigh)]
> I use Netscape version 7.2 "Mozilla/5.0 (Windows; U; Windows NT 5.1;
> en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)" on a Windows XP machine
> with Service Pack 2 for browsing because I do not trust Internet Explorer
> and its security holes.

You could actually claim that Internet Explorer 7.x (IE7) is better than Netscape 7.x (N7) for security. Like anything with statistics, it is possible to interpret the numbers several ways. For checking browser security I would recommend http://secunia.com/ So N7 has 31 security issues against 15 with IE7. So N7 actually has more security holes than IE7; however, on the bright side, they are better at patching the security holes than Microsoft: N7 only has 4 outstanding security issues against IE7 with 9 still to fix, one of which is considered highly critical. In fact if you want the most secure browsing then the latest version of Opera, www.opera.com, is my recommendation; all 8 security issues have been patched by the vendor. From the website: "There are no unpatched Secunia advisories affecting this product".

IE7 : http://secunia.com/product/12366 Unpatched 60% (9 of 15 Secunia advisories)
N7 : http://secunia.com/product/85 Unpatched 13% (4 of 31 Secunia advisories)
Opera 9 : http://secunia.com/product/10615 Unpatched 0% (0 of 8 Secunia advisories)
(Re: Horning, RISKS-24.68) The abstract of the report titled in the above Subject line was included in RISKS-24.68, http://catless.ncl.ac.uk/Risks/24.68.html#subj15. This report is now available from the National Academies Press, in hardcover or pdf download: http://books.nap.edu/catalog.php?record_id=11896 [This report was in the works for about five years. Jim's blog entry on it is online: http://horning.blogspot.com/2007/08/privacy-is-not-simple.html PGN]