On Saturday morning, 25 Aug 2007, the nationwide Amtrak ticketing system failed. It wasn't restored to service until early Sunday afternoon. During that time, passengers couldn't buy tickets except (sometimes) at a ticket window, query or change reservations, or retrieve previously-purchased tickets. Some other web functions were also unavailable. The cause of the problem is unclear. More precisely, there have been two different, contradictory, explanations in the press. One version has it that they upgraded their software; the new version didn't work, and it took a long time to diagnose the problem and back out the changes. The other story is that a circuit breaker panel failed, and it took a day to obtain a replacement. There were good and bad aspects to how Amtrak handled. The most glaring failure was one of communications. Apart from the different stories about the cause, there was *no* mention on their web site about the problem. If you tried to buy tickets, you just received a "come back later" message. The bright side is that Amtrak did have a contingency plan for this situation, even though it had never happened before. Passengers with reservations were supposed to board the train the conductor came around collecting reservation numbers. (It remains to be seen if I will encounter any residual billing or accounting difficulties from this happening to me. ... When I got to the station for my return trip, the automated kiosks were unable to handle the situation (and gave a poor error messages); the clerk, though, had no trouble when I explained the situation.) On the other hand, because this was such a rare situation, passengers at some stations were told they had to purchase new, hand-written tickets. Presumably, they'll receive refunds. More details and press links in my blog entries: http://www.cs.columbia.edu/~smb/blog/2007-08/2007-08-26.html http://www.cs.columbia.edu/~smb/blog/2007-08/2007-08-28.html Steve Bellovin, http://www.cs.columbia.edu/~smb
FYI — You've heard of the demise of analogue TV's; now New Zealand is getting rid of analogue telephones. Aside from the issues of emergency access when electrical power is down, note the fact that the old dial-up "analog" modems will no longer work. While no one uses them much these days due to low bandwidth, they often provide the cheapest bit transmission around for email, and may be the last refuge of bit transmission still "net neutral". Hundreds of thousands of conventional telephones that do not require mains power and are instead powered off the phone network will not work once Telecom switches to its Next-Generation Network, Telecom has confirmed. Dial-up Internet access will also be withdrawn and analogue modems in personal computers may not work, Telecom says. The switch-over from the Public Switched Telephone Network (PSTN) to the NGN has been planned for several years and is scheduled to be finished by 2012, though there is growing speculation the completion date will be pushed back to 2015. From then, customers will require a "residential gateway" device in their home that will need mains power. ... [http://www.stuff.co.nz/4178345a28.html] [Backup? We don't need no steenking backup when power is out -- especially in areas where cell phones don't work. PGN]
After a shaky and expensive start, it seems as if the automatic toll-collection system for trucks on the German Autobahn (freeway or turnpike, depending on if you are a car or a truck) is more or less working. Unless you happen to be the Ferdinand Münnich Waste Disposal company in Lippstadt. Our local newspaper, the Neue Westfalische Zeitung, reported on the 10 July 2007 that their truck fleet was immobilised, pretty much from one second to the next, as the newspaper put it, at about 10 am on 19 March. At that point, the company received phone calls from six of its drivers who were somewhere in Germany on the Autobahn. Their on-board toll machines were turned off, because the company's credit limit was exceeded. The company performs its toll transactions using the "Log-Pay-System", as do many companies which are continuously underway. This system extends credit for tolls automatically through a bank called the DVD-Bank until specific payment dates. DVD-Bank works with a collection agency, Creditreform, to protect itself from insolvent companies. Apparently at Creditreform there was suddenly an "arrears advisory" concerning the firm. That was automatically forwarded to DVB-Bank, which shut off credit immediately and that in turn led Toll Collect to shut off the on-board systems so that the trucks could not roll further. It took a day to clear up the problem; meanwhile the truckers had to wait in Autobahn rest areas. Apparently it was a mistake. However, Creditreform apparently doesn't (want to) take responsibility for the information it distributes. The bank is apparently saying that credit is a privilege, not a right, and trust in the customer (Münnich) was temporarily lost through the information from Creditreform until the problem was sorted out. The company Münnich is trying to recover costs. As the paper put it in its subtitle "the involved (organisations) are washing their hands in their innocence". Peter B. Ladkin Causalis Limited and the University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de
I have been reading "*Worst Case Reliability Prediction Based on a Prior Estimate of Residual Defects" by *P.G. Bishop and R.E. Bloomfield from the *Thirteenth International Symposium on Software Reliability Engineering (ISSRE '02)*, November 12-15, Annapolis, Maryland, USA, 2002(c) IEEE http://www.adelard.com/papers/issre02_34_bishop.pdf This paper and earlier work suggest that a software system failure rate can be bounded by N/et where N is the number of (residual) faults at T=0, e is e and t is the total usage time. The theory predicts (If I read it correctly) reliability growth where a system can be assumed to have a finite number of faults each with a constant failure rate. I then happened upon this report from Boeing regarding air craft accidents. http://www.boeing.com/news/techissues/pdf/statsum.pdf It contains a graph of accidents from 1959 to 2006. The graph looked similar to what would be predicted from a software system according to the theory. I wonder... The aircraft industry (any industry that is focused on safety) produces complex, multi-functional systems. The industry is based on standards, engineering methods, maintenance procedures, failure investigation and corrective action. This seems very like the software industry: requirements, coding standards, fault analysis and rectification. Software is, after all, a set of procedures - ordered instructions to perform some function. Could it be that industry failure rates are like software bugs? The industry has faulty standards, faulty engineering methods, faulty maintenance procedures, imperfect root cause analysis and incomplete corrective action. Over time these faults are exposed, identified and changes made to standards, designs or maintenance processes to eliminate or reduce the failure rate? The paper goes on to note that failure rates level out but can never be zero. Is this the situation the aircraft industry is presently in? Where failures are now so unbelievable that the number of possibilities are too large to predict or manage? An example is the El Al cargo crash on 4/10/1992 where one engine broke loose from the wing, accelerated ahead of the aircraft, turned and collided with another engine knocking it off the wing.
I read with interest at http://news.bbc.co.uk/1/hi/business/6970031.stm that a company in Davis, California called Moller International is planning to sell, very soon, a personal flying machine, capable of hovering 10 feet off the ground, for about US$90,000. On visiting their site at http://www.moller.com/ can discover Moller's attitude to safety at http://www.moller.com/safe.htm. I didn't spend much time on this page; I'm sure that the safety of the pilot has been well thought-out. There's lots of redundant engine power, it can "land almost anywhere", the software is presumably highly reliable (!), and anyway, there's only 10 feet to fall, at least with the M200X model. I found the most interesting aspect of the safety page to be the complete absence of any consideration of the 6-billion plus people who do not own or operate a "Skycar". Given that a large number of the initial owners will be rich people with bored teenagers in search of thrills and who may, on occasion, have access to mind-altering substances, I'll leave that as an exercise for the readers of RISKs. To get the ball rolling: how many commercial premises currently consider that an eight-foot high chain link fence topped with a foot of razor wire, provides them with adequate security against intrusion? Nick Brown, Strasbourg, France.
Many have commented that the Internet is like a shared long-term memory. For practical purposes, it is impossible to retrieve or suppress anything once it has been posted on a webpage or in a news group. Individuals have been cautioned to assume that anything they post will be reviewed by future employers. Enterprises should be aware that anything they post on a webpage can appear as evidence against them in court, and that measures they take to block archival of their webpages may fail and may not prevent use of the webpages as evidence. This may seem obvious, but at least 1 USA enterprise went to some lengths to attack a legal firm which used printouts of archived copies of enterprise public webpages as evidence in court. It seems bizarre that an enterprise could imagine that publicly accessible webpages could not be used as evidence in court cases, but Groklaw recently reported a decision where "Healthcare Advocates" did exactly that, claiming that accessing a webpage archive was "hacking" under the USA Digital Millennium Copyright Act, and that failing to preserve the content of a browser cache was "spoliating evidence". The judge quoted their own expert witness as saying that automatic purging of expired cache data was normal browser behaviour, and was not evidence of any deliberate act by the defendant law firm.
http://www.boston.com/news/nation/articles/2007/09/02/e_zpass_records_make_way_into_criminal_and_civil_trials/ E-ZPass records make way into criminal and civil trials; They show where a vehicle traveled at a specific time [Source: Madison Park, *Baltimore Sun*, 2 Sep 2007] A woman accused of killing her husband was convicted after New Jersey prosecutors reconstructed her movements. Examining E-ZPass records, investigators pieced together the driving route of a missing Baltimore federal prosecutor who later turned up dead. Prosecutors in a New York City murder trial discredited a suspect's alibi. [See also RISKS-24.79.]
While engaged recently in a discussion with a parent at our children's school whom I felt was being overly paranoid about sharing her home address with other parents, I googled her name, suspecting that I would be able to illustrate to her that the information she was trying to protect was already available on-line. I succeeded far more than I'd expected to. One of the first matches returned by google was her home's property listing in the on-line property assessment database for the town of Arlington, Massachusetts, where she lives. Her name, her husband's name, their address, a picture of the house, a floor-plan sketch, the date they bought the house, their purchase price, and all of the information used by the town to calculate the assessed value of the house were instantly available. Arlington's webmaster is guilty of two offenses: (1) providing an interface for searching the assessment database by name (i.e., if you go to <http://arlserver.town.arlington.ma.us/Property/>, you can search not only by address, but also by the owner's name); and (2) allowing its assessment database to be fully indexed by public search engines. This is not a small thing. Consider a domestic abuse victim who moves to a new house in a new town to get away from her abuser. She takes precautions to avoid being tracked down, e.g., ordering telephone service in a fake name and paying the telephone company extra for an unlisted number. Unfortunately, however, the town she has moved to is Arlington, which proceeds to publish her name and address on its Web site for the world to see and search. The discovery of Arlington's carelessness with its residents' privacy prompted me to check on Boston, where I live. Boston, too, allows its assessment database to be searched by name, but at least its database isn't indexed in Google. Someone with nefarious intent trying to locate a Boston resident must already know that s/he owns a house in Boston. That's bad, but not as bad as Arlington. I decided to check some other towns and cities in Massachusetts to see how they stack up. I checked 61 towns and cities, of which only 9 had their data sufficiently secured (i.e., not easy to view the entire assessment database, not searchable by name, not searchable in Google). I found one town besides Arlington, Ashburnham, whose records were searchable in Google, and four towns (including Ashburnham) where it was easy to view the entire assessment database without needing to perform individual searches. In addition, I discovered that independent of town and city records, the registries of deeds of most Massachusetts counties allow their land records to be searched by name, most of them from a single, convenient Web site. See below for the details. When assessment and land records were kept only on paper, they were organized by street name and number, not by owner name. When Massachusetts communities began to put these records on-line for public access, did they stop to think of the privacy, security and safety implications of allowing them to be searched by name? Apparently, only 9 of the 62 communities I looked at did, and most of them are probably in counties which didn't. Is Massachusetts typical? Jonathan Kamens For those who are curious, here are the details of what I found: * *Cambridge* - not searchable by name, not searchable in Google (PASS) * *Abington* -* searchable by name,* *entire database can be viewed by sending an empty search,* not searchable in Google (FAIL) * *Adams* - *spreadsheet containing town's entire assessment database (last updated FY03) available on Web site, *not searchable in Google (FAIL) * *Amesbury* - * searchable by name with free registration,* *entire database can be viewed by sending an empty search,* not searchable in Google (FAIL) * *Amherst* - not searchable by name ("Owner Names are purposely not a part of the search interface"), not searchable in Google (PASS) * *Andover* - owner names don't appear in database (PASS) * *Ashburnham* - database available as PDFs on Web site, *searchable in Google* (FAIL) * *Ashby* - *searchable by name,* not searchable in Google (FAIL) * *Avon* - no on-line assessment database on-line, but links to* Norfolk County Registry of Deeds whose database is searchable by name for free, via "BROWNtech Document Management Systems"* (FAIL) * *Acton, Acushnet, Agawam, Aquinnah, Ashfield, Auburn* - assessment database doesn't appear to be on-line (PASS) The discovery of the link to the Norfolk County Registry of Deeds on Avon's Web site prompted me to check whether other counties' registries are also searchable by name. * *Barnstable *- yes, via BROWNtech (FAIL) * *Bristol-Fall River, Dukes, Franklin, Hampden, Hampshire, Middle Berkshire, Nantucket, North Berkshire, North Essex, North Middlesex, North Worcester, South Berkshire, South Essex, South Middlesex, South Worcester, Suffolk *- yes, via www.masslandrecords.com (FAIL) Note that Abington and Amesbury both appear to use a third-party service called Vision Appraisal Technology (http://www.visionappraisal.com/) to host their on-line assessment databases. Ashby uses software hosted by the Community Software Consortium (http://csc-ma.us/). This software also appears to be used by Alford, Ashland, Ayer, Bedford, Berkley, Bernardston, Bolton, Brookfield, Charlemont, Chester, Duxbury, East Brookfield, Egremont, Framingham, Gill, Grafton, Great Barrington, Hardwick, Heath, Hingham, Holliston, Lancaster, Lee, Lunenburg, Mattapoisett, Maynard, Monroe, Needham, New Braintree, North Andover, North Brookfield, Northborough, North Reading, Oakham, Richmond, Royalston, Saugus, Seekonk, Sheffield, Somerset, Southborough, Swansea, Tolland, Uxbridge, West Brookfield, and Windsor, all of which therefore FAIL, and furthermore, there's a single convenient interface that one could use to easily search for a particular person by name in all of these communities.
The German radio and television station SWR reports on September 7, 2007 http://www.swr.de/nachrichten/bw/-/id=1622/nid=1622/did=2561310/1x2s3xt/index.html that police in Friedrichshafen (near Lake Constance) mistakenly sent secret information about their investigations of "terrorists" to their press mailing list by email. The article says that they "recalled the mail" [no way of that happening, in my universe at least -dww]. The information included assessments of the current situation, lists of investigations and a list of endangered facilities. [just what your local terrorist needs -dww] There will, of course, be a thorough investigation, someone will be fired or sent to do hard labor down in the cellars of the archives, or whatever it is that one is sentenced to if you are found to be the person guilty of making your superiors look like idiots. The head of the police department apologized, but did note that perhaps this is just human error. [I think it is more likely a "helpful" email program, doing email-address completion. I've managed to send an email intended for my husband to a colleague (who discreetly destroyed it, thank goodness!) - dww]. Prof. Dr. Debora Weber-Wulff, FHTW Berlin, FB 4, Treskowallee 8, 10313 Berlin GERMANY +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/
With Bluetooth & WiFi enabled on your laptop, go to an airport (or other public place) & open up iTunes. In many cases, you will see the sharable collections of tunes from a number of other people. It appears that this mechanism is completely outside the usual mechanisms of file sharing. Even if you don't see any tunes, you still get to see various computer names. Since a number of people tend to name their laptops after themselves ("Emily's PC", etc.), you can even find out their names. Between the phones you see on Bluetooth, and the laptops you see on WiFi, you get a pretty good idea of who is around you, what kinds of music/podcasts that they like, what kind of phone they use, etc. I assume that this is intended to be some sort of ad hoc social networking scheme, but one that many people joined unconsciously.
http://www.apdip.net/projects/igov/ICT4DSeries-iGov-Ch5.pdf The interlocking nature of technology and policy issues related to security are illustrated by the example of Pakistan. In 2000 the monopoly service provider had one point of entry and the international bandwidth was brought in via one undersea fibre with no redundancy. The ambition of the government to deploy pornographic content blocking on the core gateway router by putting up access control lists added to the vulnerability. The total bandwidth coming into Pakistan was less then 250 Mbps. Finally, the total lack of any security awareness and training in the staff manning the Internet Exchange set the stage for trouble. A childish exercise by Pakistan-based hackers to deface Indian sites was met by an equally immature response by the Indian hackers in devising the yaha virus. This was originally a Denial of Service (DoS) attack on all .gov sites. This rapidly escalated to a Distributed Denial of Service (DDoS) attack in different strains of the virus. This attack was accompanied by different varieties of attacks (fragmented packets, etc.) which coupled with the overloaded core router handling the pornographic access lists brought the complete network down. The attacks collapsed web servers, choked the domestic bandwidth, overloaded the router and consequently flooded the international bandwidth. These attacks continued intermittently for several months as the Pakistanis tried desperately to address the multiple threats. The national network went down for hours and days at a time.
The Monster hybrid attack (Infostealer.Monstres) has been discussed adequately [see RISKS-24.81]. What I haven't seen covered is that it apparently also affects anyone who applied for a US government job as well, according to an email my wife received from USAJOBS. According to that letter, "Monster Worldwide is the technology provider for the USAJOBS website and regrettably, some of the contact information captured came from USAJOBS job seekers. The information captured included name, address, telephone number, and email address. Monster Worldwide has assured the U.S. Office of Personnel Management that Social Security Numbers were NOT compromised because of IT security shields USAJOBS has in place." I wonder how many other organizations "private label" Monster.com, and hence their customers are also at risk.
My bank (Wells Fargo) in its infinite wisdom has decided to change the way it attempts to redact account numbers. In looking over the transactions for an infrequently used account (I only have it because my ex-wife is a signer, and who knows when I'll need to cash a check with her name on it!) I noticed that the method had changed from the July to August automatic transfers I have to keep the account active. In July, the account number is listed with THE LAST 3 digits as 'X'. In August, the method is now all 'X' EXCEPT FOR THE LAST 4 digits. I just looked and said to myself "what is wrong with this picture?". The risk: when you change methods of redacting, change ALL occurrences, not just the new ones. You may just totally unredact what you were attempting to hide. Fortunately in my case, I know the account number anyway, so TO ME it is no big deal (unless I print out something), but I'm aware, which is the the thing to be. I sent the bank a note as well. I don't hold out much hope for anything constructive in return, but we will see. [It seems pretty stupid to make such a change that completely exposes the account number to anyone with records before and after sanitization. PGN]
Andrew Koenig's story of a bank transaction he couldn't prove it occurred illustrates the need for keeping logs (including voting records) in a human-accessible format. I always print the transaction's final screen when I perform an electronic payment. I never analyzed why I needed to do that, it just seemed right to me. Banks, which have lot of experience in keeping track of money, keep a paper trail for all their transactions: they have me sign paper slips in duplicate at the teller, and even the ATM has a second printer in its housing logging all transactions on a paper roll. Reports regarding the demise of paper are greatly exaggerated. Diomidis Spinellis - http://www.dmst.aueb.gr/dds
If the Wikipedia entry (Tianweiban) on this story is correct, the character isn't even particularly obscure - it's just not in the PRC simplified set. It is, however, in the standard Hong-Kong set (Big5), and used in Cantonese rather than Mandarin. There are vastly more obscure characters!
Please report problems with the web pages to the maintainer