Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Brian Krebs, *The Washington Post*, 5 Jun 2008 <http://www.washingtonpost.com/wp-dyn/content/article/2008/06/05/AR2008060501958_pf.html> A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer. The incident occurred on March 7 at Unit 2 of the Hatch nuclear power plant near Baxley, Georgia. The trouble started after an engineer from Southern Company, which manages the technology operations for the plant, installed a software update on a computer operating on the plant's business network. The computer in question was used to monitor chemical and diagnostic data from one of the facility's primary control systems, and the software update was designed to synchronize data on both systems. According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant's radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown. ...
[ouch! Reminds me of an early error with the Airbus fly-by-wire system that ended up with a controlled flight into terrain bec of a computer problem. -p] Forgotten Lesson Caused B-2 Crash, 6 Jun 2008 David A. Fulghum/Aerospace Daily & Defense Report Crews and maintainers never formally recorded information on a vulnerability involving the B-2's air pressure sensors and the simple workaround crews came up with to mitigate it, a crucial omission that set the stage for a Feb. 23 B-2 crash in Guam. Aircrews and maintenance teams learned about the sensors' susceptibility to moisture during a Guam deployment in 2006. They also discovered that turning on the 500-degree pitot heat would quickly evaporate the water and the flight computer would receive normal readings. But the information was not formally 'captured' in maintenance or lessons-learned publications, said Maj. Gen. Floyd Carpenter, president of the accident investigation board and vice commander of 8th Air Force. The result was that by the 2008 deployment, the information was passed on by word of mouth so that “some people knew about it and some people did not,'' he said during a Pentagon briefing June 5. Crews never encountered the problem at the bomber's home base of Whiteman Air Force Base, Mo. Earlier incident Earlier in the 2008 deployment, another B-2 had reached 70 knots in its takeoff roll when abnormal indications caused the pilot to abort. The aircraft taxied back to maintenance, the moisture was evaporated with pitot heat and the mission continued without incident. But on Feb. 23, calibration of the sensors was done without turning the sensor heaters on. The skewed information from three of the 24 air pressure sensors on the Spirit of Kansas fed distorted information into the flight control computer. When the aircraft reached 130 knots, the computer thought it was at the 140-knot takeoff speed and rotated for takeoff. The sensors also indicated the bomber was in a nose-down attitude so it commanded a rapid pitch up that reached 30-31 degrees before the pilots could correct and stop the climb at an altitude of about 80 feet. The effects of the low takeoff speed and high angle of attack caused the B-2's speed to deteriorate until the aircraft stalled and began a roll to the left, when its left wing tip struck the ground. At that point the pilots ejected (Aerospace DAILY, March 28). The aircraft's remains were boxed and will be sent to the U.S., where the cockpit, seats and hatches will be used for training. Additional information, including the crash investigators report and video, is posted on Air Combat Command's Web site at http://www.acc.af.mil/aibreports/ . http://www.aviationweek.com/aw/generic/story.jsp?id=3Dnews/B-2060608.xml&headline=3DForgotten%20Lesson%20Caused%20B-2%20Crash&channel=3Ddefense [Also noted by Gabe Goldberg. PGN]
The system in use by building societies* for some older types of account involves a "pass book" to record transactions. With computer systems universally in use, the counter clerk no longer writes each transaction into the book by hand, but inserts the book into a printer. The system keeps track of which line on the page the previous transaction was printed on and prints the next transaction immediately below it. Over the last 6 months or so I have found that the transactions in my pass book are frequently overprinted on top of the previous transaction (or transactions, if I made more than one on the previous visit). When this happened again today (6th June) I asked the clerk why. My building society (the Abbey: now a bank) merged last September with a Spanish financial institution which forced a new computer system onto it. I noticed that there was frequent chaos at the time with the system being down or running slowly. According to the clerk, the overprinting is a related problem, and is due to there being effectively two systems working in parallel, since the roll-out of the new system is not yet complete (or the merger of the two computer systems is not complete). Which system you get depends on which branch you visit, so the system at the Stevenage branch "remembers" the last transaction I made _in Stevenage_ and prints over any more recent transactions that I made at one of the branches in London, and vice versa! * I won't go into details about what a "building society" is, for non-UK readers. Suffice it to say that they are rather like banks, and over the past few years, most of them have actually turned themselves into banks. Peter Mellor <MellorPeter@aol.com> +44 (0)20 8459 7669
The US has a visa waiver scheme for visitors from a number of countries (including NZ). Citizens of those countries do not need to apply for a visa to visit the US up to 90 days. They currently complete an I94 form on the plane and are admitted (after screening) with appropriate visitor stamp in their passports. A new scheme has been announced that will require prospective visitors to register online. The website will be online from August and the system will be compulsory from January. There is a fuss in the media here (http://www.nzherald.co.nz/section/1/story.cfm?c_id=1&objectid=10514241) over the requirement to register 72 hours before travel, a problem for people making urgent business or family visits. A spokesperson on the radio today said that there will be mechanisms to address those situations, which is fine. Only one commentator has so far expressed anxiety about the greater risk which is that of security around personal information submitted to such a site. The spokesperson also said that people will be able to update their travel details online, only increasing my concerns about security. Bear in mind that the current I94 includes DOB, passport number etc. Risks self evident.
Addressing the Challenges of Identification and Authentication in American Society By Peter Swire, Cassandra Q. Butts, Center for American Progress, 2 Jun 2008 How individuals identify themselves in our country grows more complex by the year. Just last month, 12 nuns were turned away from voting booths during the Indiana presidential primary because they lacked state identification (none of them drives), a stark reminder that the recent Supreme Court ruling that upheld Indiana's voter ID law poses lasting consequences to our democracy. And two years ago last month the personal identification data of 26.5 million veterans were lost from a government laptop, the latest in a series of data breaches that threaten the integrity of everyone's identification. Those 12 nuns are among 20 million other voting age citizens without driver's licenses, and they join those 26.5 million veterans and many millions of other Americans who suddenly find themselves on the wrong side of what we call the ID Divide-Americans who lack official identification, suffer from identity theft, are improperly placed on watch lists, or otherwise face burdens when asked for identification. The problems of these uncredentialed people are largely invisible to credentialed Americans, many of whom have a wallet full of proofs of identity. Yet those on the wrong side of the ID Divide are finding themselves squeezed out of many parts of daily life, including finding a job, opening a bank account, flying on an airplane, and even exercising the right to vote. ... http://www.americanprogress.org/issues/2008/06/id_divide.html Full report (pdf) http://www.americanprogress.org/issues/2008/06/pdf/id_divide.pdf Identification and Authentication Resources page http://www.americanprogress.org/issues/2008/06/id_resources.html
The following is a link to document NIM39140 - National Insurance Numbers (NINOs): Format and Security: What to do if you suspect or discover fraud. (For non-UK readers, the NI number is the UK equivalent of the US Social Security number.) I am sure that we all appreciate this sound advice from HMRC! :-) http://www.hmrc.gov.uk/manuals/nimmanual/NIM39140.htm
Stanford University has notified tens of thousands of past and present employees that their personal information was on a university laptop that was stolen for people hired before 28 Sep 2007—possibly as many as 72,000. [Someday encrypting such data sets will become the default. PGN]
Here's a case where social engineering defeated an apparently correctly working automated security system and allowed a burglary: "An experienced jewelry thief may have hoodwinked the University of British Columbia's campus security by telling them to ignore security alarms on the night of last month's multi-million dollar heist at the Museum of Anthropology... Four hours before the break-in on May 23, two or three key surveillance cameras at the Museum of Anthropology mysteriously went off-line. Around the same time, a caller claiming to be from the alarm company phoned campus security, telling them there was a problem with the system and to ignore any alarms that might go off. Campus security fell for the ruse and ignored an automated computer alert sent to them, police sources told CBC News." Full article: http://www.cbc.ca/arts/story/2008/06/04/bc-ubc-security-ruse.html
Posted by Jeff Rosen, 3 Jun 2008, http://www.subchat.com/read.asp?Id=627920 Correction: Due to incorrect information received from the Clerk of Courts Office, Diane K Merchant was incorrectly listed as being fined for prostitution in Wednesday's paper. The charge should have been failure to stop at a railroad crossing. The Public Opinion apologies for the error. I don't know what happened here, but it's got to involve a computer, hasn't it? [Well, it could have been a typo in the officer entering the description code. Or the officer could have been on the wrong track himself. PGN]
Experts Revive Debate Over Cellphones and Cancer; What do brain surgeons know about cellphone safety that the rest of us don't? Tara Parker-Pope, *The New York Times*, 3 June 2008 Last week, three prominent neurosurgeons told the CNN interviewer Larry King that they did not hold cellphones next to their ears. "I think the safe practice," said Dr. Keith Black, a surgeon at Cedars-Sinai Medical Center in Los Angeles, "is to use an earpiece so you keep the microwave antenna away from your brain." Dr. Vini Khurana, an associate professor of neurosurgery at the Australian National University who is an outspoken critic of cellphones, said: "I use it on the speaker-phone mode. I do not hold it to my ear." And CNN's chief medical correspondent, Dr. Sanjay Gupta, a neurosurgeon at Emory University Hospital, said that like Dr. Black he used an earpiece. Along with Senator Edward M. Kennedy's recent diagnosis of a glioma, a type of tumor that critics have long associated with cellphone use, the doctors' remarks have helped reignite a long-simmering debate about cellphones and cancer. ... http://www.nytimes.com/2008/06/03/health/03well.html?partner=rssuserland&emc=rss&pagewanted=all
Peter G. Neumann* (RISKS-25.18) has missed the point of Arrow's Theorem by expressing it as identifying a problem with ranked preference systems. Arrow presumes that voters have a ranking of candidates; indeed the underlying assumption of Arrow is that voters' preference as between candidates is ordinal, not cardinal. [* Not really. The discussion of Arrow's Theorem should actually have been more clearly attributed to the review article by Peter Baker. PGN] Arrow's proof - that no election system can be simultaneously monotonic, deterministic, universal, unrestricted in domain and independent of irrelevant alternatives without being a dictatorship - applies not only to ranked preference systems, but to all elections without exception. Only by rejecting the assumption of ordinality of preference, or by rejecting one of criteria, can any voting system be established. Most real election systems - including simple plurality, instant runoff and conventional runoff - fail on the criterion of independence of irrelevant alternatives (IIA); that is, a (losing) candidate or candidates can be introduced into an election or removed from an election and that will change the winner. In many real-world elections, there is a "Condorcet" winner, ie someone who is preferred by a majority of the electorate to every other candidate (it may be a different majority in each case). If there is such a winner, then electing them fulfills Arrow's theorem. The problem is that in some elections, preferences are circular (ie A>B, B>C and C>A, where > represents 'is preferred to' rather than the usual 'is greater than'). Where this occurs, no system can fulfill Arrow's criteria - either the system will elect someone who would lose in a simple majority two candidate election (which fails Arrow's dictatorship criterion) or IIA will be breached, as any proposed winner can be defeated by the withdrawal of one of his opponents. A key corollary of Arrow's theorem is that voters always have an incentive to be insincere in how they cast their votes. For example, in the 2000 US Presidential election, voters whose true preference was Nader>Gore>Bush had a strong incentive to insincerely vote for Gore. Similar arguments can be applied to all electoral systems - even ones that elect a Condorcet winner, as they must have a (by definition manipulable) tie-breaker when there are circular preferences, and voters could vote insincerely to create a circularity and then manipulate the tie-breaker.
< [Power was restored on 2 Jun. PGN] Actually, things didn't go that smoothly and, in fact, it appears that some users (those whose hard drives were damaged by the initial power failure) are *still* having problems. The Planet forum (http://forums.theplanet.com/index.php?showtopic=90185) contains about 80 messages from the Planet, sent over the past week, on the status of their outage. It includes such highlights of the sort "now all the remaining servers are up on generators". "oops, the generator tripped its circut breakers, so those 3000 servers are down again." "We fixed the generator." "Oops, the fix to the generator didn't work and ...." you get the idea. I have no reason to doubt the competence of the Planet staff; it's not an easy problem to recover from.
Bashing Microsoft is fun-I've done it often enough myself-but in this case, EFF is barking up the wrong tree. Assuming, arguendo, that this wasn't just a dumb mistake, the party at fault is NBC. As the Microsoft spokesperson said, the Media Center code merely implements what was, at the time the code was written, an FCC requirement. The later court rejection of the broadcast flag rules didn't require changing the code, it prohibited broadcasters from implementing the flag. NBC broadcast a program with the flag set, which it should not have done, and the Media Center responded exactly the way it was supposed to, and, for the record, exactly the way Microsoft has always said it would. Steve Wildstrom, BusinessWeek, 1200 G St NW, Suite 1100, Washington, DC 20005 Technology & You <http://www.businessweek.com/technology/wildstrom.htm>
This scam sounded vaguely familiar, and I found this article, The Failure of Two-Factor Authentication, which was written by Bruce "Nostradamus" Schneier three years ago. http://www.schneier.com/blog/archives/2005/03/the_failure_of.html Besides the bank scam, Bruce discusses the inherent flaws in two-factor authentication, generally.
Alistair, This iTunes file retention bug happens to me all the time. When audio podcasts are deleted in iTunes, the underlying file is deleted. However, when video podcasts are deleted in iTunes, the underlying file isn't deleted—there's no error message or anything. I've gotten to playing video podcasts directly from the underlying file system & deleting the files behind iTunes's back, just to make sure that the file really gets deleted. Since video files are typically much larger than audio files, the inadvertent retention of video files can quickly fill up your disk. I haven't tried this on Mac iTunes, but I suspect that the same thing happens there, so I don't think this is an OS-specific bug. I've given up reporting bugs to large corporations, because they don't even bother to acknowledge the email. They're too busy putting in additional misfeatures to have time to fix the ones they already have.
I ASSURE YOU THAT THE iTunes 'disk usage' bug IS REAL. NOTE * iTunes (across all OSes it runs on) offers [or has access to] a built in update program [offers: Win; access: OSX] * Most people use that update program most of the time. Most people have the current version of iTunes * Apple has no obvious way to submit bugs for the software it writes. There may be ways, but I don't know what they are. * I am a telecommunications consultant: if I can't find a way to submit iTunes bugs to Apple, it is probable no one can. * UNLESS there is an outstanding telecommunications issue that makes updating Apple software more difficult or impossible [like the user living on Pitcairn, with a 56kbs link] it would reason that 90% of iTunes users are up to date. * It is impossible [or not highly likely] for this disk usage problem to affect older versions of iTunes. * I don't know where this bug originated in the iTunes version tree. Known or Suspected 'problem areas' Operating systems affected: ALL (Windows family 100%, OSX assumed 100% pending proof) TCP / IP version issues: NONE that I know of, this is a File System issue (?) not an IP issue User Interfaces affected: ALL CURRENT iTunes Versions affected [addendum] * It is probable that all versions since the introduction of Podcasts and Vodcasts are affected by this FS or UI problem. * I don't know where to find an adequately detailed Apple iTunes version tree, iTunes is not Winamp. * This lack of traceability makes it extremely difficult to track down where this disk space issue started, much less submit a bug report. Will Apple ever fix the problem? Since the transmission of my original "Comp.Risks" submission I have not received a single e-mail or postal letter from Apple [asking me for clarifications of the iTunes disk usage problem]. My suspecting that Apple may never fix this is based on a total lack of contact from Apple. It would be nice if Apple would toss one of their mini PCs my way for my BOINC distributed computing project [for uncovering such a fundamental software design flaw] ... but Apple is an American corporation so I don't see this ever happening. As corrupt as Microsoft is [as a corporation] and as vast as its' labyrinthine bureaucracy is ... Microsoft is more responsive to bug reports. Where is the program problem finding itself? Is this a User Interface (UI) bug and not a File System (FS) usage tracking bug? I don't know. I believe it is clearly a UI problem, but it may be a side effect of the way that iTunes interacts with the host OS file systems. Further use at my end implies it is a Vodcast problem, at least on my hardware and software platform. Podcasts seem to delete cleanly and their existence seems to be reported correctly, but I have not experimented with 20 gb+ of MP3 podcasts with this software to see if the same phenomena is at work. MORAL: No matter what * You should not be able to "delete all Vodcasts" (when disk use = 99%) and not have the podcasts continue to reside on your HD eating up space. * There should only be mechanisms for moving or deleting podcasts on a PC's file system for programs like iTunes. * RSS feed displays (be they Podcasts or Vodcasts) need to have a 1 to 1 correspondence with the files represented on the drive. * Programs that use [and manage] a lot of disk space need to be truthful about how the disk space is being used to the user. * All high profile programs need to have a clearing house for submitting bugs. I am still working on figuring out the extent of the bug, but I don't expect it to be fixed before 2009 or 2010. Max Power, CEO, Power Broadcasting http://HireMe.geek.nz/ Adelade / Wellington / Vancouver / Seattle
Please report problems with the web pages to the maintainer