Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
This is rather amusing, but not particularly surprising: A Windows XP/Vista-style Blue Screen of Death projected onto an overhead display at the opening ceremonies to the 2008 Olympics in Beijing, courtesy of River Cool Forums. http://macenstein.com/default/archives/1562
Given the number of times RISKS has noted problems with automatic correction and translation systems, I thought you'd find this cute: http://adweek.blogs.com/adfreak/2008/07/then-well-grab.html [The sign says something in Chinese that would correctly translate to "... Restaurant". The supposed translation that appears on the sign says "Translate server error." The humorous caption on the photo is "Then we'll grab a bite at 404 Not Found." PGN-ed] firstname.lastname@example.org email@example.com victoria.tc.ca/techrev/rms.htm firstname.lastname@example.org blogs.securiteam.com/index.php/archives/author/p1/
From an Ohio (USA) Secretary of State press release www.sos.state.oh.us/PressReleases/2008%20Press%20Releases/2008-0806.aspx "These malfunctions resulted in dropped votes when memory cards were uploaded to the server. " "The office is also continuing to test Premier's undocumented contention that the sharing violation is because of virus protection software that had been certified by the Board of Voting Machine Examiners as part of the Premier system at the time it was introduced in Ohio." The xkcd web comic has a summary: http://xkcd.com/463/ [I find the contention that failures of a voting machine could be attributed to interactions with anti-virus software to be really outrageous. Premier (formerly Diebold) has developed an inherently untrustworthy application on top of an inadequately trustworthy and relatively huge operating system that anyone with access could compromise the application software or merely accidentally disrupt elections. Blaming the anti-virus software (which exists primarily because of the weaknesses of the operating system) seems totally fatuous. There should be no need for anti-virus software in a well-designed voting system. PGN]
Election Assistance Commission officials say they will not be able to certify that flawed machines are actually repaired in time for the November election — because of the backlog at testing labs. [Source: Ian Urbina, *The New York Times*, 16 Aug 2008; PGNed]
Apparently due to a programming error, ticket vending machines on the Long Island Railroad and Metro-North Railroad have been giving out free tickets whenever debit cards with inadequate balances were used, since 2001. The problem was discovered only recently, when an audit by the LIRR showed 990 such transactions. Although many people have gotten free travel without even realizing it, three people have been charged with acquiring about $800,000 worth of tickets — which they then sold. [Source: William Neuman, *The New York Times* 13 Aug 2008; PGN-ed] [I read the article over breakfast. George Mannes noted it online. http://www.nytimes.com/2008/08/13/nyregion/13scam.html?ref=nyregion PGN]
As a reader of comp.risks digest for at least 13 years I could now for the first time contribute a nice story, happened in my home town Stade, Lower Saxony, 35 miles west from Hamburg. Since the beginning of August 2008, the "Bundeszentralamt für Steuern" (Federal Central Tax Office) sends out letters to all 82 millions inhabitants of Germany, from newborns to old men, with information regarding their new Tax Identification Code, a mathematically spoken, eleven-digit hash value dereferencing information like title, surname, given names, birth name, sex, address, birthday, place of bird, country of birth. Whereas in other places there were no or only minor problems, in Stade near 100% of the information for the roundabout 46000 inhabitants contained errors with birth name, and country of birth. E.g. in my own family (14 year old boy, 11 year old girl, my wife, and me, all native german-born Germans) three of us have as country of birth "Kazakhstan", my daughter has "Italy", and all but my wife have false, entirely fictitious birth names. The registration office of Stade is overwhelmed with complaints, and no one has until now found out, where the errors do come from. As a Stade official said, the raw data of the registration office are correct, and the transport of the data to the Federal Central Tax Office was not done via Internet, but there was sent a CD containing the data (See (1)). Until now, nobody from the Federal Central Tax Office phoned back to enlighten the situation. They said, that a 1000 of errors in 80 Millions of data is not bad, either, and blamed Stade for the error. Against this speaks the fact, that Bremerhaven, and two other towns in Lower Saxony, suffered from the same problem. And furthermore, a quick consistency check of the New Tax ID numbers with tax consultant standard transmission protocol software showed, that 70% of the IDs failed the consistency check (see also (1)). Until now it is unknown, who or what was responsible for the mess-up. The story made up to the tabloids (see (2)). The town of Stade recommends the inhabitants to do nothing and wait until the situation has cleared up. (see (3)). Appendix: Cited website information, unfortunately in German :-( (1) http://www.heise.de/newsticker/Kommunen-melden-grobe-Fehler-bei-Ausgabe-der-neuen-Steuernummer--/meldung/114161 (2) http://www.bild.de/BILD/hamburg/aktuell/2008/08/12/steuerdaten-chaos/behoerde-verschickt-bescheide-mit-falschen-namen.html (3) http://www.kreis-stade.de/default.cfm?DID=1207942 Dr. Ralf Fritzsch, Bundesanstalt fuer Wasserbau Federal Waterways Engineering and Research Dienststelle Kueste Tel. +49-40-81908-324 [Added by RF 19 Aug 2008:] The latest news, to be found (auf deutsch) under http://www.stadt-stade.info/default.cfm?did=1207884 "... Fest steht bisher nur, dass offenbar bei der Datenübermittlung vorhandene Leerfelder im Datensatz durch die EDV falsch interpretiert worden sind. Die technischen Gründe hierfür sind derzeit noch nicht geklärt." That is, "It seems definite, that obviously white spaces in the original data were misinterpreted during data transfer. Technical reasons remain until now unknown."
Study: State AGs Fail to Adequately Protect Online Consumers State attorneys general received thousands of complaints about online fraud and abuse in 2006 and 2007. Yet, with the exception of several notable standouts, few states brought significant cases in response to those complaints, according to a report released today from the Center for American Progress and the Center for Democracy and Technology. The study finds online fraud and abuse aren't given a high priority by most attorneys general. The report recommends several steps state attorneys general can take to protect online consumers, such as: assess the applicability and adequacy of state laws; develop computer forensic capabilities; train investigators and prosecutors to identify Internet fraud; and devote greater resources to enforcement efforts. Online Consumers at Risk and the Role of State Attorneys General By Reece Rushing, Ari Schwartz, Alissa Cooper | August 12, 2008 Center for American Progress, Center for Democracy and Technology http://www.americanprogress.org/issues/2008/08/online_consumers_report.html http://www.americanprogress.org/issues/2008/07/pdf/consumer_protection.pdf http://cdt.org/press/20080812press.php http://www.cdt.org/privacy/20080812_ag_consumer_risk.pdf
A ring of people spread across the globe hacked into nine major US companies and stole and sold more than 41 million credit and debit card numbers from 2003 to 2008, costing the companies and individuals hundreds of millions of dollars, federal law enforcement officials said yesterday. "So far as we know, this is the single largest and most complex identity theft case ever charged in this country," US Attorney General Michael Mukasey said at a news conference at the John Joseph Moakley US Courthouse in Boston. A grand jury indictment released yesterday charged that Albert "Segvec" Gonzalez of Miami and his 10 conspirators (one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin) cruised around with a laptop computer and tapped into accessible wireless networks, allegedly concealed the data in encrypted computer servers they controlled. They then hacked into the networks of TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Dave & Buster's, Sports Authority, Forever 21, and DSW. After gaining access to the systems, they installed programs that captured card numbers, passwords, and account information, officials said. [Source: David Abel and Jenn Abelson, *The Boston Globe*, 6 Aug 2008; PGN-ed] http://www.boston.com/business/articles/2008/08/06/11_charged_with_massive_id_theft/
I read a rather worrying criticism of Firefox 3.0 on RISKS the other day, which made me realize that perhaps there isn't a common agreement amongst the infosec industry about the threatscape and how we should prioritize our response to them. Specifically, the complaint against Firefox 3.0 is that the user experience has been deliberately crafted to make it hard to accept self-signed certificates. The argument is that there are times when simply establishing an encrypted tunnel (i.e. an SSL session) is all that's needed. I certainly wouldn't argue that encryption is unnecessary, just that the threat has changed. While our old "friend" Mallory isn't particularly busy these days, it's pretty clear that he'd be having a field day if he could easily penetrate communications across the Internet. The attacker however is no longer limited to passive eavesdropping. Modern attacks use active DNS spoofing, active MITM attacks and the like, on public networks. The main threats these days are against the weakest link in the chain - the end user. That's why phishing is such a popular method of e-crime - it's simple and it works. It relies completely on the gullibility of users in clicking on links in e-mails apparently from organizations with whom they have a relationship. However, it's equally clear that almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only be described as nominal. My company is a major target of phishing, and as such we've spent quite a bit of time researching what anti-phishing approaches work We published a whitepaper on this topic (which can be found on the company blog at www.thepaypalblog.com), which explains this in detail. However, a couple of relevant conclusions are that: 1) the vast majority of users simply want to be protected, 2) there's no single "silver bullet", and 3) that what we describe as "safer browsers" such as IE 7, and Firefox 3.0 are a significant part of the solution based on their improvements in user visible security indicators and secure-by-default behaviors. I conflated two or three separate ideas in that last sentence, and I should explain them. The general logic is that most users should never be presented with a security dialog that gives them a choice - if they are, there's typically at least a 50:50 chance that the wrong decision will be made. Instead, the browser should make the decision for them. However, in the case of self-signed certificates it's almost impossible to see how any technology can disambiguate between legitimate uses and criminal ones. When viewed through this lens, the changes to the Firefox user experience for self-signed certificates makes perfect sense. It's not that self-signed certificates are impossible to use - but for most users, the experience will be such that they won't accept them. In the unsafe world in which we live, that will be the right choice. For organizations which wish to use self-signed certs internally, it is still technically possible - but it will require either explicit user training, or deployment of pre-installed certificates on PCs. I should also add that the major security features which have been added into the most recent browser versions (and which we believe are necessary in order to be considered 'safer') are exactly those which impact this area. That is: support for Extended Validation certificates, which make it clear to end users whose web site they're on; and support for spoof-site black lists, so that users can't easily reach spoof-sites. While I'm personally a great supporter of RISKS, I think it's important that the Infosec industry speaks with good consensus about risks. In this case, I believe that the criticism of Firefox 3.0 was simply misguided and ill-informed. This is not helpful. This post is also at: http://www.thesecuritypractice.com/
> I know that I am not so smart that I have figured out something that all the > experts have overlooked, so I must be missing something critical. What have > I overlooked? Lets see... After a quick think you've missed... 1. Authentication... How does the issuing agency authenticate the border agent requesting the information? Passwords? Secure Certs? One time tokens? Each have their own down sides... 2. Assuming someone solves the problem of how to get all the border agencies to agree on a method of authentication, how do you keep it secure? Passwords get written down... The issuing agency has no control over the remote access devices so can't guarantee the security of any client certs... 3. Comms... Long time readers will be well aware of the risks of depending on long comms links to be up at inopportune times. 4. How much info would be required? I think this would bring in various privacy laws... Witness the debacle between the EU and the U.S. over passenger data... 5. What's to stop a border agency from just browsing someone else's database by just brute forcing all those passport ID's? Again, what faith can we have that the ID's used won't be easily guessable... And a myriad of others... Basically they boil down to Connectivity, Authentication of border agents and privacy... Count me out.
I do have a few comments about this one: * The handhelds should be simple and cheap. They should be able to download their information to a computer via a common interface (e.g. wireless). How long they survive is dependent upon use and care. If using 10 year old computers seems strange to you, I know of many production plants that are still using 30 year old hardware. The key factor is whether it does what needs doing. If a device is damaged, it may be replaced with a new device (that is, in 12 years the Census Bureau may have another one designed, presumably for a lot less, and enough replacements built to last another 3 censuses). * I fail to see how anyone could spend $11B on such things. I mean, that's, what, $300 per capita? Engineering a small device should be in the single digit millions of dollars, shouldn't it (anyone know how much the Blackberry cost to design)? The device should use standard tech and interface easily with PCs. It should be cheap. Let's say $100 each for 1 million census workers =3D $100M. Where do they get $11B from?! * If there is significant waste and mismanagement, perhaps someone should consider decapitating the Census Bureau: a simple revocation of all posts pending review. * One thing I would note is that there should be a law requiring executives of public companies and their subsidiaries to be bondable. That is, in order to work as an executive for a company that is publicly held, or one in which the majority of the ownership is public, you must be trustable. * Ever notice how managers spend so much time trying to find ways to measure and improve output while there really is no solid criteria by which management itself can be measured? That is, why is executive X paid $8M/yr rather than $5M/yr or $2M/yr? Is said executive really more effective than having the business managed by a potted plant? If so, by how much? Note: end profit and/or share price, by which a lot of managers are measured, is too dependent upon market fluctuations and simple year-to-year sales. I'm sure that if we replaced the executive of any conglomerate by potted plants that the company would still continue to run for decades due to sheer inertia. Michael J. Lewchuk, Software Engineer (M.Sc., M.Eng. P.Eng.(Alberta Canada)) MatrikonOPC Technical Lead, Software Development 1-780-448-1010 x.4512
[From Dave Farber's IP distribution.] Year after year, I am incredibly surprised at the amount and types of companies and organizations that have a knee-jerk reaction to a vulnerability or security hole being presented at either the Black Hat or DEFCON security events. Do PR professionals, crisis response managers, or corporate image specialists do their homework? Why isn't there an industry case study that says the fastest way to HELP a vulnerability in your software or product get absolute full and fast disclosure before you have time to fix it, is to try and stop it being discussed at one of these two events? In the MBTA's case, they hit the absolute pinnacle by filing a lawsuit in Federal court setting off a trigger to both the cadre of journalists, security researchers, civil libertarian activists, and hackers to begin doing everything in their power to make sure the story gets heard and (in some of their minds), the vulnerability gets exposed. The Public Relations Society of America should send out a brief every year in mid-July to remind them of the forthcoming security conferences and how extremely public attempts to quash research that may appear to be harmful to an organization's image will backfire horribly. In some cases, even quiet attempts to stop it could be detrimental as well. It should serve to all companies and organizations across the country (and world) that maybe in the long run cooperation with these researchers very early on (or at least as soon as the talks are announced every year) is the best way to ensure proper lead time to put together patches while allowing for full disclosure of the vulnerabilities that may effect a product's userbase. Why does no one seem to be getting the hint until after it happens to them?
Like everybody else, I was determined to keep my date and place of birth a secret to prevent identity theft — until one day I discovered someone had written a Wikipedia entry on me, http://zh.wikipedia.org/wiki/%E7%A9%8D%E4%B8%B9%E5%B0%BC Mom will be proud! — but only if I untwisted one fact first. Everything on Wikipedia is a battle, for me at least. To establish that I was BORN in Philadelphia, but GREW UP in Chicago, just saying "I was there, I ought to know", is not enough. They need reliable references. Something they can quote. I.e., it all spelled out on my personal website, which I then did. And of course all proper famous people have a date of birth listed (which I dare not cheat on as you never know what database they'll be using at Heaven's Gate on Judgment Day :-) By the way, one's Taiwan temporary Tax ID is date of birth + first two letters of surname: 19601216JA. Good thing I don't have a twin. So I'm now "living in a glass house". Well, plastic: http://jidanni.org/me/home/images/
Actually, there's a third question that can be asked: if you randomly choose a particular person at your party, what is the probability that that person shares your birthday? Obviously, it's one in 365.25, or about 0.3%, and the probability is independent of the number of people at the party. The problem is that during criminal investigations, investigators can ask either question 2 or question 3, but evidence presented to the jury quite consistently gives the probabilities from question 3, and in a number of cases judges have prevented defense attorneys from pointing out that the wrong calculation has been used. (Question 3 gets asked when the police have identified a suspect through other means, and the DNA match is used to confirm or reject the hypothesis. Question 2 gets asked when there is no suspect, and a statewide DNA database is searched. If you have a big enough database--and some states do--you're almost guaranteed to get a hit.) Geoff Kuenning email@example.com http://www.cs.hmc.edu/~geoff/
I mostly agree with this interpretation but the asterisk note at the end is more a hope a truth. In a number of investigations an entire community is asked to provide DNA "to exclude them" and there is also a lot of "nothing to hide, nothing to fear" innuendo. The DNA evidence in such cases is tainted with the birthday paradox, family relationships (and in many communities secret relationships). An alternative view, from Medical research, is that a multi-variate study needs to adjust its correlation significance threshold downward to take account of the number of variables. For example, the significance of finding a correlation between behaviour A and disease D in a study of the available evidence is much stronger than that of finding a correlation between one of A, B, C, and one of the diseases D, E, F.
Michael Black's analysis of DNA forensics likens a genetic fingerprint to a binary numeral of nine to thirteen digits. In effect, Black assumes that each genetic locus has just two possible forms, or alleles, which occur with equal probability. In fact, the markers commonly used in DNA forensics have dozens of alleles. Thus the number of possible 13-locus matches is not 2^13 but N^13 where N has a value somewhere in the neighborhood of 10 or 15 or even 25. The number is reduced somewhat (and the calculation is made more complicated) by the fact that not all the alleles are equally likely, but the number of variants is well above 8,192. There's a good explanation of all this in a 1992 report from the National Research Council, The Evaluation of Forensic DNA Evidence (see especially pp. 14-15). The report is available on Google Books at http://books.google.com/books?id=SnHYMZXAkQEC There's plenty of reason to be skeptical of overwrought claims that DNA never lies, but the numerical counter-evidence isn't quite as stark as Black suggests.
Steve's analogy to the Birthday Problem/Paradox can be extended further in considering the DNA question. The birthday problem probabilities contain a number of assumptions: - We know the number of days in the year - Births are evenly distributed across the year - Party invites are random If we find at my party there are lots of people with a common birthday or more than two with my birthday we have to ask whether: - This is perfectly normal and likely event based on the probabilities - It is a rare, but still normal 'fluke' - The interpretation of the probabilities was incorrect. - The calculation of the probabilities was incorrect - There is a flaw in the underlying assumptions. I am neither a genetics or statistical expert but it seems that Troyer found a result that didn't match the expected results for the first part of the birthday problem. You can't tell much from a single sample but if you get similar results from multiple samples you have a better basis for questioning the underlying assumptions and by modifying them provide a far better estimate of the true probability of an actual genetic match from a profile. With DNA I am not even sure we are confident with knowing the number of day in a year It seems to me that the FBI in their attempts to prevent lawyers using/misusing statistical data to induce confusion in mathematically naive juries by casting doubt on Troyer's work and blocking attempts to conduct further analysis are actually preventing legitimate research which could ultimately provide a proper basis for the uniqueness statistics.
Please report problems with the web pages to the maintainer