Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
I'm sure there will be several submissions on this. The associated press story on it contains the following "... Avid Modjtabai, head of technology for the nation's fifth largest bank, said today that problems with the company's online banking services lasted less than two hours, and customers never lost the ability to make basic ATM transactions, including withdrawing cash and making deposits at Wells Fargo-branded ATMs." While I haven't been able to verify that is the reason, on Sunday I had my Wells Fargo credit ("check") card refused by a merchant's POS terminal with the code "card blocked." My account has plenty of money in it and there are no untoward transactions in it. (That I was able to check. Go figure). I tried calling calling WF off and on all day yesterday to see if they knew why the card was blocked and they couldn't find out — because their computers were down. Today I can't get through, presumably because of heavy call volume.
The Windows Genuine Disadvantage servers all went down. Result: All attempted OS installations were labeled as counterfeit. THAT means you get 'limp home' mode for the box.. <http://forums.microsoft.com/Genuine/ShowPost.aspx?PostID=2053834&SiteID=25> <http://www.boingboing.net/2007/08/25/microsoft_wga_server.html> The recovery procedure, once you know their server is again working, involves deleting some special files, and revisiting the WGA server. {Sigh; haven't we had this conversation before?} RISKS: Creating an artificial single-point-of-failure. Not making that single point robust/redundant enough to defend again all enemies, foreign and domestic [i.e. outsiders vs the more likely "we have met the enemy, and he is us..." errors.] Not having good recovery procedure when the Can't Happen Does Happen... [Can your mother find her data.dat file?] I wonder if the server farm has both geographic and network diversity. (There was a Jan 2001 failure of all Microsoft nameservice; then, they were in one place, on one segment.) I also worry about what happens if somehow, sometime, the MS database gets trashed, and it decides ALL copies of XP/VISTA/Win2009/whatever are pirated. So when every machine does its obligatory check-in, and gets castrated... [Will Debian be VERY popular overnight?]
[This looks like a RISKS story — not to mention being a reminder of how quaintly peaceful a place Tokyo is that allows them to treat this as news.] Subway train passes station after line switched to wrong track A subway train was forced to pass a station it was supposed to stop at on Monday evening because the line was switched to a track exclusively for trains passing the station, the subway operator said. At about 6:40 p.m., the driver of a local train on the Tokyo Metro Tozai Line slowed down his train to stop at Baraki-Nakayama Station in Funabashi, Chiba Prefecture, but noticed the train had gone onto the passing track, Tokyo Metro officials said. The train was forced to continue on to the following Nishi-Funabashi Station. About 840 passengers were aboard the train but the incident did not cause major confusion. Tokyo Metro officials pointed to the possibility that a computerized system controlling the line's railway switches had developed trouble. (Mainichi) 21 Aug 2007 http://mdn.mainichi-msn.co.jp/national/news/20070821p2a00m0na003000c.html
When the Boston Massachusetts Bay Transportation Authority updated its software to shut off about 13,000 lost, stolen, or expired cards, it also detected and disabled an unknown number of monthly passes that had been automatically reloaded without payment for up to the past seven months. [Source: Ryan Haggerty, Glitch allowed free rides with T passes; Audit to check scope of flaw; firm blamed, *The Boston Globe*, 23 Aug 2007; PGN-ed] http://www.boston.com/news/local/articles/2007/08/23/glitch_allowed_free_rides_with_t_passes/
For two days beginning on 16 Aug 2007, Skype's peer-to-peer network was critically unstable. This evidently resulted after Skype users all around the world rebooted their systems subsequent to getting a set of Microsoft patches via Windows Update. The flood of attempted Skype logins together with a lack of adequate Skype network resources at that time prompted a chain reaction. Although this had never happened before, it revealed a flaw in Skype's self-healing mechanism — which has now been fixed through retuning of the algorithms. This apparently had nothing to do with any particular MS patches. (Skype has something like 200 million users in total, although only 5 or 6 million are generally online at once. The peak usage reported was 9 million in January 2007.) [Thanks to Lauren Weinstein for pointing out the Skype source with commentary by Villu Arak, 20 Aug 2007 and clarification on 21 Aug: http://heartbeat.skype.com, The site also includes current Skype status along with a note yesterday on a presumably temporary problem that involves payments using either of two banks in Estonia. PGN-ed]
It is funny to see all the articles in Telecom magazines and blogs about how Skype is unreliable as proven by last week's outage. These people seem to forget that the vaunted PSTN has had many such outages. I posted here in RISKS back in 1993 about a Pacific Bell DACS software upgrade that went bad and knocked out most of Orange County, California for a day. How often has the PSTN been killed by radio contests and natural disasters? Any large scale system can and will suffered from such problems as it is growing. This is nothing new to most RISKS readers.
In the Welsh country borough known as Vale of Glamorgan, there have been several instances of foreign truck drivers following routings given by satellite navigation and apparently unable to understand signs reading "Unsuitable for heavy goods vehicles - Anaddas i gerbydau nwyddau trwm". They are now experimenting with a pictographic sign instead — showing a truck with a red slash through it, and a satellite overhead. To me this sign looks if heavy trucks whose drivers don't use satnav are now welcome... http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/08/28/nsatnav128.xml http://icwales.icnetwork.co.uk/0100news/0200wales/tm_headline=signs-to-warn-of-satnav-dangers&method=full&objectid=19695744&siteid=50082-name_page.html Mark Brader, Toronto, msb@vex.net
The Saskatchewan Party is outraged that as the words Privatization of the Crowns fades out in one part of the ad, the letters P,O, R, and N stay up a split second longer than the rest. http://www.ctv.ca/servlet/ArticleNews/print/CTVNews/20070828/sask_ad_070828/20070828/?hub=Politics&subhub=PrintStory
Thousands of names, phone numbers, and e-mail addresses stored by the Internet job-search site Monster.com have been stolen as part of a complex online fraud scheme. Symantec Corp., a security company, disclosed the breach over the weekend after one of its researchers found that a server computer in Ukraine held 1.6 million records stolen from Monster, a New York company whose US operations are based in Maynard. [Source: Hiawatha Bray, *The Boston Globe*, 22 Aug 2007: PGN-ed] http://www.boston.com/business/globe/articles/2007/08/22/data_thieves_hit_monstercom_site/
http://lauren.vortex.com/archive/000279.html I frequently make the assertion that it's impossible to successfully censor the Internet by trying to remove materials that have already been posted publicly after they've attracted attention. What's published is published, what's done is done. The genie won't just refuse to go back into the bottle, he'll stick his tongue out at you as well — or worse. You may recall the international brouhaha a couple of weeks ago over the Navy pulling from YouTube all copies of an (originally relatively obscure -- now infamous) amateur music video posted by a user named "PUMPIT01" and produced on the aircraft carrier Ronald Reagan (CVN76), as described in http://tinyurl.com/2tuzdz and many other stories. The video in question ("Women of CVN76") has been variously described as being removed due to security violations (brief shots of utterly innocuous reactor-related areas), "inappropriate use of safety equipment," and other explanations. The real reason for the Navy's "reaction" is clearly just plain old ordinary embarrassment, especially since the ship's CO has a cameo role in the amusing production. But my point here isn't to post a video review, but rather to emphasize that for all the noise about deleting the video, it of course remains easily available with but a minimum amount of effort. You may feel that the inability to effectively "recall" posted materials is a blow for freedom, or to the contrary an information control disaster. But either way, it's a fact — a reality that we can't escape. And perhaps the sooner we come to terms with this truth, the less time we'll be wasting at shadow boxing with useless Internet censorship attempts. There are far better ways that we can be spending our time. Excuse me? Oh, where's the video? Like I said, finding a copy is actually quite simple. Example: For the sake of the argument, let's say that you did a Google Search right now for the straightforward query of: cvn-76 women pumpit01 "click here" No magic words. No secret codes. Just pretty obvious stuff from the news stories about the video, plus a little common search sense. And while any given search results are often fairly ephemeral, and any particular copy of material found at any given time may still be removed, well, the Internet is a big place, and the Lords of Censorship remain essentially impotent, for better or worse, indeed. Lauren Weinstein +1 (818) 225-2800 http://www.pfir.org/lauren lauren@vortex.com
The 50 residents of the Chinese village Tianmeidong decided to change its name to one that would bring it better luck: Tianwei plus a third character that is rare enough that computers could not represent it. Even the Nanguo newspaper was forced to describe that character in its article because its computer could not write it. As a result, anything that involves the government is blocked, such as registering a marriage or the sale of property. [AP item, 21 Aug 2007, PGN-ed] http://www.guardian.co.uk/worldlatest/story/0,,-6865184,00.html Good luck with that character set!
A 17-year-old New Jersey resident has published instructions on how to unlock Apple's iPhone so it will work on some competing cellular networks. [Source: Brad Stone, *The New York Times*, 25 Aug 2007] http://www.nytimes.com/2007/08/25/technology/25iphone.html?th&emc=th
An explosion in calls from cellular phones has overwhelmed critical parts of California's 911 system, resulting in hundreds of thousands of lost calls and lengthy waits to reach dispatchers even as crimes or potentially deadly emergencies unfold. Wireless 911 calls statewide have jumped roughly tenfold since 1990, to more than 8 million last year. Cell calls now make up the majority of all 911 calls, and key emergency agencies are struggling to adapt. The problems are aggravated by call surges — such as when multiple motorists call in about the same accident — staffing shortages at 911 dispatch centers, and technological hurdles. Cell calls are more easily interrupted or lost and take longer to handle, officials say, reducing the number of calls each dispatcher can field. [Source: Robert J. Lopez and Rich Connell, Users are experiencing lost calls and lengthy waits; Officials say it's better to summon help on a land line. *Los Angeles Times*, 20 Aug 2007; PGN-ed] http://www.latimes.com/news/local/la-me-911cell26aug26,0,3741158.story?page=1&coll=la-home-center rich.connell@latimes.com and robert.lopez@latimes.com
Lauren Weinstein's Blog Update: Cable Industry Responds Regarding HD TiVo Incompatibilities August 25, 2007 http://lauren.vortex.com/archive/000275.html [...] a few days ago I reviewed the situation concerning incompatibilities between the new High Definition TiVo ("TiVo HD") and the Switched Digital Video (SDV) systems being rapidly deployed by cable systems. http://lauren.vortex.com/archive/000273.html That was last Wednesday. The following day, that blog item appeared on Slashdot http://www.slashdot.org and was as a result very widely referenced and discussed. So much for Thursday. Now comes word that the next day (yesterday), the cable industry trade association (NCTA - National Cable & Telecommunications Association) http://ibc.broadcastnewsroom.com/articles/viewarticle.jsp?id=175784 made a filing with the FCC offering to develop a workaround for the problem. As might be expected, NCTA is continuing to push the "OpenCable Application Platform" (OCAP) system that the Consumer Electronics Association has found to be unacceptable. However, NCTA reportedly says in their new FCC filing that they are now willing to develop a "tuning resolver" to work around the problem for existing devices like the new TiVo. This device would be a USB "dongle" to handle SDV tuning (the second of the probable options that I mentioned in my original blog item, as it happens). While this is obviously a welcome development, two obvious questions are "When?" and "How much will it cost?" Obviously cost is important. And if the device takes too long to appear, the associated host devices might already be obsolete! Still, a busy three days, and no doubt the timing of the NCTA filing vs. all of the Slashdot attention to the issue was just an amusing coincidence.
Ohio's method of conducting elections with ES&S electronic voting machines appears to have created a true privacy nightmare for state residents: revealing who voted for which candidates. Time-stamped paper trails permit the reconstruction of an election's results — allowing voter names to be matched to their actual votes. [Source: Declan McCullagh, CNET News.com, 20 Aug 2007; PGN-ed from an interesting long article.] http://news.com.com/E-voting+predicament+Not-so-secret+ballots/2100-1014_3-6203323.html
The IEEE has a blog called "The Risk Factor" with the by-line "Software failures and successes dissected daily". Don't remember seeing it mentioned in RISKS, so I thought people might be interested: http://blogs.spectrum.ieee.org/riskfactor/
When two similar protocols interoperate, the results can be drastic and at other times humorous; fortunately, this falls into the latter category: http://support.microsoft.com/kb/276304 Looks like the response from the Kerberos server got mis-parsed by AD: If you log on to an MIT realm, press CTRL+ALT+DELETE, click Change Password, type your existing MIT password, and then type a new, simple password that does not pass the dictionary check in Kadmind, you may receive the following error message: Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes. Note that the number of required characters changes from 17,145 to 18,770 with the installation of SP1. NOTE: This is not a common case; it occurs only when you configure Windows 2000 to authenticate against an MIT Kerberos domain.
Lauren Weinstein's Blog Update: More Wikipedia "Gotcha" Silliness August 18, 2007 http://lauren.vortex.com/archive/000270.html My concerns regarding the Wikipedia operational model are fairly well known, e.g., "Wikipedia and Responsibility" http://lauren.vortex.com/archive/000257.html So it was with considerable interest that I've noted the controversy regarding a 24-year-old self-described "disruptive technologist," and his tool to more easily track the origin of Wikipedia changes (*The New York Times*, "Lifting Corporate Fingerprints From the Editing of Wikipedia"). http://www.nytimes.com/2007/08/19/technology/19wikipedia.html But even the title of that article tends to belie the underlying nature of a real problem — the lack of accountability for most of what's written or edited in Wikipedia. The "Corporate Fingerprints" bit is cute — but what about all of the other fingerprints smeared through virtually every byte of the Wikipedia database? Apparently it's one thing to snicker about corporate folks who want to correct what they perceive as errors (or, indeed, put their own positive spin on "the facts.") But there seems to be little interest in figuring out who purposely defaces pages, plants false or defaming information in the first place, or for that matter is responsible for the more mundane, probably factual minutiae, even just for the sake of establishing authenticity or expertise. Wikipedia seems to be turning into a gigantic "gotcha" machine -- increasingly contaminated like a chunk of "Silly Putty" that's been used once too often to pick up comic strip images. The single best thing that Wikipedia could do to lend itself genuine credibility would be to require that contributers identify themselves — by name, not by handles or childish aliases. Or, as an alternative, at the very least clearly indicate "in-line" when unauthenticated text dominates an entry. Ironically, our disruptive technologist's tracing mechanism will probably have ever less value moving forward from today. While it will continue to be useful for retrospective analysis up to this point in time, we can be sure that more and more of the primarily targeted corporate Wikipedia editors will learn their lesson. That lesson being, if you're going to edit your entry on Wikipedia, be sure to do it through a proxy or generic ISP account, not through your corporate network. So moving forward, we'll probably have even less meaningful transparency concerning Wikipedia changes, and that Silly Putty Syndrome will likely continue to escalate. Given what Wikipedia could aspire to be, that's really a shame.
[Source: Ross Kerber, *The Boston Globe*, 21 Aug 2007; PGN-ed] Authorities have arrested Maksym Yastremskiy, a Ukrainian man, whom they suspect played a key role in the sale of many credit card numbers stolen from TJX Cos., in what is considered the biggest corporate data breach to date. "Prices ranged from $20 to $100 per stolen card, and the cards were sold in batches of up to 10,000, depending on factors like the credit limits of the consumer accounts being traded." http://www.boston.com/business/personalfinance/articles/2007/08/21/suspect_named_in_tjx_credit_card_probe/
One of the risks of replacing frequent leap-seconds and thus the frequent need to handle them with infrequent leap-hours is that handling them becomes an unusual task. We're never as good with unusual tasks as we are with the usual tasks. Practice makes perfect! With the requirement to add a leap second every few years systems have to be designed to handle them as part of their normal operation. If we have to add a leap hour every 100 years or so, we'll have Y2K date problems every time. The same old excuses will be rolled out : We never expected this system to have to handle leap hours when we built it. Since leap seconds come around every few years any system that is to keep accurate time has to deal with them head on as part of the basic design. Guy Dawson, I.T. Manager, Crossflight Ltd guy@crossflight.co.uk
This story is hilarious: The opening paragraph: "A Linux user who was jailed for uploading a film onto a peer-to-peer service has been told he will have to switch to Windows if he wants to use a computer again." It seems that the monitoring software he is now required to have does not run under Linux. Also amusing is the closing remark about being *given* two felonies. http://news.com.com/Linux+felon+forced+to+install+Windows/2100-1030_3-6204348.html?tag=nefd.pulse
But wasn't the only issue the *display* of the underlying data? From the linked post, "copying and pasting what looks to be '0123456989' into a text editor will still give '0123456789'". [Typo in original linked post corrected. PGN] From that I'd assume that internal calculations would still be correct and that only the displaying of results would be corrupt. It is still a problem, no doubt, but at least it wasn't as bad as it could have been. Mike Hogsett
BKSECMTR.RVW 20070612 "Security Metrics", Andrew Jaquith, 2007, 0-321-34998-9, U$49.99/C$61.99 %A Andrew Jaquith %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2007 %G 0-321-34998-9 978-0-321-34998-9 %I Addison-Wesley Publishing Co. %O U$49.99/C$61.99 fax: 416-443-0948 800-822-6339 bkexpress@aw.com %O http://www.amazon.com/exec/obidos/ASIN/0321349989/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0321349989/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0321349989/robsladesin03-20 %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation) %P 306 p. %T "Security Metrics: Replacing Fear, Uncertainty, and Doubt" In the Foreword, Dan Geer states that the book is not about selling the idea of metrics. Which makes the initial chapters a bit problematic: if they aren't about selling the idea of metrics, what are they about? Chapter one is supposed to be an introduction, but seems primarily focused on the idea that metrics are not about risk management. (There is also an assertion that proper metrics are "well understood across industries, and consistently measured," which is interesting because much of what follows appears to contradict this statement.) The definition of security metrics, in chapter two, addresses metrics from fields other than security, and emphasizes the position that metrics are important (and that the current "metrics," such as checklist frameworks and annualized loss expectancy, are inadequate). Chapter three divides metrics into four general areas, dealing with perimeter security, control, availability, and applications development. Brief examples of collections of metrics related to these fields are given in the text, although the lists can't be expected to be comprehensive, due to the huge scope of security as a whole. The second of these topics, control, is probably the subject of chapter four, although it is entitled "Measuring Program Effectiveness." Basic concepts from statistics, such as the difference between mean (average) and median (midpoint of a set of elements), are presented in chapter five. Chapter six talks about demonstrating data in a visual manner. Most of the material consists of suggestions for graphics and examples are given "redrawing" the displays of commercial programs. Aspects of automating the calculations of security metrics are outlined in chapter seven. In chapter eight, Jaquith recommends the use of a security scorecard based on the Balanced Scorecard management assessment model. Security can be difficult to define, let alone measure, and, in general, too little attention is paid to numeric assessments that can assist in determining how well we are performing at the task. This book does go somewhat beyond a mere exhortation to create and use metrics for security, but it still leaves an awful lot of work for the practitioner or manager. copyright Robert M. Slade, 2007 BKSECMTR.RVW 20070612 rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org http://victoria.tc.ca/techrev/rms.htm [The need for incisive security metrics has been with us for a long time. On the other hand, the metrics that have emerged tend to be local rather than system-wide, and these local metrics are not easily composed into system-wide metrics. Even the metrics for algorithmic crypto strength are relatively unsatisfying when the crypto is poorly implemented or embedded in systems that are easily compromised — whether by insiders or outsiders. Thus, the quest for meaningful system-level security metrics that can be derived from lower-layer metrics remains an enormously difficult challenge. PGN]
Please report problems with the web pages to the maintainer