Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
[Source: James Oberg, Space Station: Internal NASA Reports Explain Origins of June Computer Crisis; Faulty computer design and corrosion of leads on the ISS. This is a useful article on lessons that need to be learned, even though the crisis was resolved. Read the article. PGN] http://www.spectrum.ieee.org/print/5598
I wondered why the station staff were directing the commuters through
the gates without showing their tickets or passes on Friday. The
reason is given here:
All of the automated gates were down due to programming fault in the system
that reads the RFID cards commonly used by commuters.
If the guard wanted to see my train pass I would have had to open up the
Java applet on my phone which handles the renewal of the pass. It's
possible that it would also have failed due to the ongoing problem. Also if
the phone's battery is dead there is no way to see details about the
commuter pass, so the only sensible thing to do was to let everyone ride for
free that morning.
http://search.japantimes.co.jp/cgi-bin/nn20071013a4.html
stuart@stuartwoodward.com jp mobile: 090-6166-7976 phone: jp 050-5534-5450
http://www.stuartwoodward.com/map IM: stuartcw on skype, yahoo, googletalk
[Stuart seems to support the MAX of five sentences for all e-mail:
http://five.sentenc.es
It would certainly not work for RISKS, even if we resorted to James
Joycean sentences. But it would certainly be a relief otherwise. PGN]
In order to keep customer satisfaction at the highest level possible, the Nederlandse Spoorwegen (dutch railway) have enabled several online profiling features for their subscription holders. Through this website customers can change their full personal details, look at their (payment) history, change bank account numbers, order new products, or ask for a refund. The registration process for this website uses a failed authentication scheme. The "register me as a new customer" process works as "I have lost my password". For registration the only thing the customer has to do is enter it's customer number, name and e-mail address, after which a confirmation e-mail will be sent to the address given. But there is no check if there has been a previous registration, and if so, if the e-mail addresses are the same. To make matters worse the customer number and name are clearly visible printed on letters, magazines and cards that the company sends to it's customers. Thousands of people every year lose their card, and with it the full credentials to their personal profile. In a reaction the dutch railway representative said they thought it was "a good service to their customers" and "we have no reports of any incidents." How this service relates to the strict dutch privacy laws the representative couldn't tell. In the meantime the registration process is offline and changed, so more details, like birthdate, are asked before access to a profile is granted. Noothoven van Goorstraat 14, 2806 RA, GOUDA http://leon.kuunders.info W: +31 641 164 995 P: +31 620 624 702
An article in the 9 Oct 2007 issue of the *Austin American Statesman* reports on drivers getting double billed on the relatively new toll roads in the Austin area. (I believe none have been in use for more then a year.) "The problem has occurred one of every 600 times a car passed one of the roads' tolling points. Agency officials say that they have made a number of equipment and software changes in the past few weeks to virtually eliminate the problem — the frequency would now be more like one in every 2,000 toll transactions ..." http://www.statesman.com/search/content/news/stories/local/10/09/1009tollglitch.html I was going to insert a funny comment about virtually eliminating the problem, but I can not come up with one that is funnier then the original wording above. The problem has to do with the "antennae on the overhead gantries" picking up the toll tag more then once as it pass through. I do not understand how this would be hard to fix in software. If the same toll tag is picked up more then once in a span of say 30-60 seconds, this be labeled as an error of some kind (as it would be impossible to drive through in that span of time).
(This press release is brief and direct, so rather than summarize I'll quote it in full. — SK) KeeLoq is a cipher used in several car anti-theft mechanisms distributed by Microchip Technology Inc. It may protect your car if you own a Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota, Volvo, Volkswagen, or Jaguar. The cipher is included in the remote control device that opens and locks your car and that activates the anti-theft mechanism. Each device has a unique key that takes 18 billion billion values. With 100 computers, it would take several decades to find such a key. Therefore Keeloq was widely believed to be secure. In our research we have found a method to identify the key in less than a day. The attack requires access for about 1 hour to the remove control device (for example, while it is stored in your pocket). Once we have found the key, we can disactivate [sic] the alarm and drive away with your car. The attack has been extensively tested using software simulations. This research is the joint work between 3 research groups: the computer science department of the Technion, Israel, the research group COSIC of the Katholieke Universiteit Leuven (Belgium) and the Hebrew University, Israel. http://www.cs.technion.ac.il/news/2007/222/
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/10/13/MNJFSO1NM.DTL The *San Francisco Chronicle* just published an article about license plate scanners in police cars and traffic enforcement vehicles, systems which can scan "50 plates a second" and "do make mistakes". The system was used to apprehend an attempted child abduction suspect, and is used for a variety of parking enforcement measures related to increasing revenue. The enthusiasm for the systems in this article is tangible, and it contains a modicum of privacy-related concerns. There is a small discussion of the risks of thieves and others changing their behavior given that they know this system is in use, and claims that police officers tried to keep it secret for that reason. The opportunities for privacy violations as well as harassment are pretty easy to imagine, as are the unexpected side effects that its error rate may cause. The article briefly mentions that such systems are common in London and in casinos, with little discussion of any problems that may have come up.
Earlier this year the New Zealand government decided to extend the period of daylight saving by three weeks. http://www.nzherald.co.nz/section/1/story.cfm?c_id=1&objectid=10436995 This involved bringing the spring clock change forward by a week. There was some concern in the IT community prior to the change about the ability of systems to respond to the change. http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10465119 http://computerworld.co.nz/news.nsf/news/B7358C622F0F2D76CC25733A00056C73 http://www.geekzone.co.nz/content.asp?contentid=7254 http://www.microsoft.com/nz/msdn/timezone/default.mspx The clocks changed last Sunday. Unsurprisingly the fixes have been incomplete - though not entirely devastating. My own organisation uses Outlook and many of us have synchronised calendars on a mix of iMates, Blackberries and other phones (ie at least three downstream OSs). Most appointments on desktops were, thanks to the work Microsoft did, correct after the clock change. I only had one which was an hour out - the person who set this up has been on leave for a few weeks and I suspect their desktop hasn't been turned on in that time - thus not getting any fixing updates. The portable device calendars have been a different matter with most (but irritatingly not all) appointments at the wrong time. Efforts to fix the issue on individual portables seemed to add to the confusion. Events entered by the individual behaved differently to those made by someone else. The low point was a meeting yesterday that attendees came to at 1300, 1400 & 1500. It is hoped that things will come back to normal next week, the clock change would previously have happened next Sunday, the 1st Sunday in October. We'll see. Don Mackie, Auckland, New Zealand
A woman has had a double mastectomy, after seeking a second opinion confirming that she had cancer. She didn't — the second diagnosing doctor relied on the same mislabeled tissue sample. (For readers of RISKS, there must be a subtle lesson or two in this.) http://wcbstv.com/topstories/breast.cancer.mastectomy.2.312736.html http://www.msnbc.msn.com/id/21127917/
There is an implied *social risk* when technology is used to *block* access to the full range of Internet resources, i.e., ''censorship''. Ron Deibert is a Professor of Political Science and Director of the Citizen Lab at the University of Toronto. He just published a paper on ''By-Passing Internet Censorship''...: Everyone's Guide to By-Passing Internet Censorship for Citizens Worldwide http://deibert.citizenlab.org/Circ_guide.pdf His BIO:: http://deibert.citizenlab.org/blog/Info Some of techniques described in the text (or in the included URLs) were new to me. It is likely that many RISKS readers will find this paper interesting and informative, too.
http://online.wsj.com/public/article/SB119074882854738970.html?mod=blog When Satomi Nakamura uses her cellphone, she has to be extra careful to take frequent breaks. That's because she isn't just chatting. The 22-year-old homemaker has recently finished writing a 200-page novel titled "To Love You Again" entirely on her tiny cellphone screen, using her right thumb to tap the keys and her pinkie to hold the phone steady. She got so carried away last month that she broke a blood vessel on her right little finger. ... [Source: Yukari Iwatani Kane, Ring! Ring! Ring! In Japan, Novelists Find a New Medium; Budding Scribes Peck Their Tales on Cellphones; Ms. Nakamura's Hurt Pinkie, *Wall Street Journal*, 26 Sep 2007; thanks to Charles C. Mann]
"A foolish consistency is the hobgoblin of little minds." Ralph Waldo Emerson Whether intended or not, one consequence of the widespread implementation of IEEE-754 floating point arithmetic is that almost every computer now gets _exactly_ the same answer, down to the last little bit. This "answer" may be far from the "correct" answer, but at least all of the computers will be consistent. In the "old" (pre-754) days, running the same Fortran program on several different computers could uncover potential sources of error. No longer. (This generic phenomenon of foolish consistency even has a technical name: "informational cascade" — if everyone agrees, then everyone must be correct. See http://en.wikipedia.org/wiki/Informational_cascade ) I realize that using multiple types of arithmetic to uncover bugs in floating point code may not be particularly efficient, but it sometimes works. IEEE-754 also provided for rounding modes that would allow for "range" arithmetic in order to achieve the same ends with much greater efficiency. Unfortunately, no one seems to implement or utilize those rounding modes anymore.
The problem of fake blogs is significant for me in two ways. I operate a blog on nuclear energy and nonproliferation topics. First, my content is being ripped off without attribution to attract ad clicks on other web sites and fake blogs. Aggregators of all kinds are taking blog content and using it to generate their own ad revenue. Good luck on that because in the past year I haven't made so much as lunch money from the ads on my blog served up by Google. Second, and the more relevant issue for this list, is my content is being used on fake web sites to drive clicks on links in search engine results sending unsuspecting users to fake blogs and via redirect to websites with NSFW content and malware. The fake blogs often have redirects embedded in them so that the fake blogspot site is never really seen. The user is taken directly to the malicious website. More than two-thirds of my blog visitors per month come in via unique search terms for one-time retrieval of archived material. People who search on the topics covered by my blog usually have industry or government expertise and know what they are looking for. It is pretty hard to confuse a search for a pop tart singer with one for spent nuclear fuel. I've seen that visitors don't get to my blog on the first try. It annoys them that a serious, work-related search has been diverted into a fake blog or website. There are additional problems for users who's employers have zero tolerance for hitting URLs with NSFW content. This phenomenon is due to the fact that fake blog sites contain the same search terms as mine because they copied the original. Search engines deliver their results indiscriminately and do not always help users separate the fake blogs from the real ones. For instance, a recent post on an planned environmental review by the Nuclear Regulatory Commission on uranium mining in Wyoming was picked up by another legitimate blog. My post and theirs both appeared subsequently in bogus blogs with redirects to NSFW content. I am not posting the fake blog URL here because it is unsafe. I have a niche subject blog which isn't a big site, but with traffic approaching 5,000 visitors a month this is getting to be a problem. I've assembled a few tips to avoid trouble, which may be obvious to readers, but here they are anyway. Fake blogs often have numbers in the web site name preceding 'blogspot.com. Also, fake blogs tend to show up further down in the search results, due in part to a smaller number of links to them, but not always. Another way around is to search blogs on Technorati and check the "authority" of a blog containing content of interest. The more links from other blogs with similar topics, the more likely it is legitimate, but that could change. Some search engines include a snippet from the content, and if the words are gibberish, that's a dead giveaway. Finally, search on the blog name itself and see how it shows up in search engine results and what kind of content is in the snippets. I have no way as an individual to stop the current problem. I'm certainly open to ideas for constructive group action. Also, please feel free to share with me authentication measures you use before clicking on a blog link in a set of search results. If there are enough of them that are useful, I'll assemble a blog post on it based on your contributions, with or without attribution as you wish, and post a link to it in a future message to this list. Dan Yurman djysrv@gmail.com, http://djysrv.blogspot.com 1-208-521-5726
It used to be that everyone wanted a Florida voting machine. {...} But now
that Florida is purging its precincts of 25,000 touch-screen voting machines
bought after the recount for up to $5,000 each, hailed as the way of the
future but deemed failures after five or six years, no one is biting. {...}
[Source: Abby Goodnough, Voting Machines Giving Florida New Headache, *The
New York Times*, 13 Oct 2007]
http://www.nytimes.com/2007/10/13/us/politics/13voting.html
Pre-RISKS-able story [i.e: one any regular RISK reader could see was coming
from $10E6 away...]:
Florida is now stuck with $millions of worthless DRE voting machines. Like
too many used car and overpriced condo owners; they still owe money on them.
The risks are old ones:
1. If you throw enough money at a bad problem; you can make it a REALLY bad
problem...that will need more money.
2. Legislators alas, never learned "primum non nocere" as MD's do.
3. Spending money first, then studying the problem & spec'ing the solution
later; is almost always a bad idea. While the failures are more
spectacular in building bridges than buying computing appliances; the
results are often similar.
The Election Law Program, a joint venture of the College of William and Mary School of Law and the National Center for State Courts has put some course material in the form of online video lectures on election issues online: http://icmeducation.org/electionlaw/ Here is a listing of the lectures available from their web site. The last 3 are lectures that I gave there. Segment 1: Why Election Law Cases Are Different Professor Richard Hasen Segment 2: Pre-Election Issues: An Overview Professor Richard Hasen Procedural Concerns Related to Pre-Election Litigation Professor Richard Hasen Substantive Concerns Related to Pre-Election Litigation Professor Richard Hasen Segment 3: Election Day issues Professor Ned Foley Segment 4: Post-Election Issues Professor Ned Foley Segment 5: Electronic Voting: Global Election Systems Professor Aviel Rubin Why Electronic Voting is Different Professor Aviel Rubin Electronic Voting Technologies: Strengths and Weaknesses Professor Aviel Rubin Avi Rubin, JOHNS HOPKINS UNIVERSITY, Computer Science; Technical Director, Information Security Institute 410-516-8177 http://www.cs.jhu.edu/~rubin/
CALL FOR PAPERS — SOUPS 2008 [Pruned for RISKS. PGN] Symposium On Usable Privacy and Security July 23-25, 2008 Carnegie Mellon University, Pittsburgh, PA USA http://cups.cs.cmu.edu/SOUPS/ The 2008 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature technical papers, a poster session, panels and invited talks, discussion sessions, and in-depth sessions (workshops and tutorials). Detailed information about technical paper submissions appears below. For information about other submissions please see the SOUPS web site http://cups.cs.cmu.edu/soups/2008/cfp.html. TECHNICAL PAPERS We invite authors to submit original papers describing research or experience in all areas of usable privacy and security. Topics include, but are not limited to: * innovative security or privacy functionality and design, * new applications of existing models or technology, * field studies of security or privacy technology, * usability evaluations of security or privacy features or security testing of usability features, and * lessons learned from deploying and using usable privacy and security features. Papers need to describe the purpose and goals of the work completed to date, cite related work, show how the work effectively integrates usability and security or privacy, and clearly indicate the innovative aspects of the work or lessons learned as well as the contribution of the work to the field. Submitted papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. Accepted papers will appear in the ACM Digital Library as part of the ACM International Conference Proceedings Series. The technical papers committee will select an accepted paper to receive the SOUPS 2008 best paper award. Papers may be up to 12 pages in length including bibliography, appendices, and figures, using the SOUPS proceedings template on the SOUPS web site. All submissions must be in PDF format and should not be blinded. In addition, you must cut and paste an abstract of no more than 300 words onto the submission form. Submit your paper using the electronic submissions page for the SOUPS 2008 conference (http://cups.cs.cmu.edu/soups/2008/submit.html). A successful submission will display a web page confirming it, and a confirmation email is sent to the corresponding author. Please make sure you receive that confirmation email when you submit, and follow the directions in that email if you require any follow up. Technical paper submissions will close at midnight, US East Coast time, the evening of Friday, 29 Feb 2007. General Chair: Lorrie Cranor, Carnegie Mellon University Interactive and In-Depth Session Chairs: Andrew Patrick, National Research Council Canada Konstantin Beznosov, University of British Columbia Posters Co-Chairs: Rob Miller, MIT and Jaime Montemayor, The Johns Hopkins University Applied Physics Laboratory Technical Papers Co-chairs: Jason Hong, Carnegie Mellon University and Simson L. Garfinkel, Naval Postgraduate School
BKAFDRFC.RVW 20070814 "The Complete April Fools' Day RFCs", Thomas A. Limoncelli/Peter H. Salus, 2007, 978-1-57398-042-5 %A Thomas A. Limoncelli funnybook@rfc-humor.com %A Peter H. Salus http://www.rfc-humor.com peter@usenix.org %C P.O. Box 640218, San Jose, CA 95164-0218 %D 2007 %G 978-1-57398-042-5 %I Peer-to-Peer Communications, Inc. %O U$19.95 800-420-2677 fax: 408-435-0895 info@peer-to-peer.com %O http://www.amazon.com/exec/obidos/ASIN/1573980420/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1573980420/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1573980420/robsladesin03-20 %O Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation) %P 390 p. %T "The Complete April Fools' Day RFCs" For those in the know, the designation "RFC" is a bit of a joke in itself. As a "Request For Comment," there is an implication of a proposal, as opposed to a standard. In fact, the RFCs are the "official" documents of the Internet protocols, and are part of a formal process. Given the nature of the Internet, and the people involved, it should come as no surprise that embedded in this library are jokes, making fun of the process as much as anything else. (Just to make things clear, this is far from a compendium of all of the jokes flying around the net, or even all of the jokes about network standards. The April Fools' RFCs are a specific class of net jokes, and are the material of this volume.) The RFCs themselves present a kind of technical history of the Internet. In a similar way, the April Fools' RFCs are a history of aspects of the Internet. Some of them document technical concerns and emphasis, such as the 1990s attempts to implement the Internet on any base physical transport (RFC 1149, dealing with avian carriers) or 2002's efforts to run all utilities over the Internet (RFC 3251, for providing electricity over Internet Protocol). Others reflect more general social concerns. The RFCs are all freely available. This book collects all the April Fools' documents, and the authors have even made the collection available on the Internet. However, the print version contains additional commentary, structure, and supplementary background information about the RFC authors. And it's handy to have the dead trees edition for those times when the avian carriers aren't flying to your particular hotspot. copyright Robert M. Slade, 2007 BKAFDRFC.RVW 20070814 rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org http://victoria.tc.ca/techrev/rms.htm [Steve Bellovin's Evil Bit (and Drew Dean's Angelic Bit), both of which appeared in RISKS-22.66 are both worthy, although only the first one was a "real" RFC. The "IP over Avian Carriers" is a real classic. The material is highly recommended for humor-loving RISKS readers. Limoncelli and Salus deserve many thanks for making this material so easily accessible. Of course many other non-RFC April Fools' spoofs are also worthy, such as Chernenko@MOSKVAX (Piet Beertema, 1 April 1984, pre-RISKS, but reproduced in my book, Computer-Related Risks, pp. 146-148) and the April Fools' warning message attributed to Gene Spafford (RISKS-6.52) come immediately to mind, even though the day of wreckoning is still half a year away. PGN]
Please report problems with the web pages to the maintainer