Traffic greatly disturbed between Europe and Asia/Near East zone

> From: France Telecom / Press <email@example.com>
> To: France Telecom / Press <firstname.lastname@example.org>
> Subject: Three undersea cables cut: traffic greatly disturbed between Europe and Asia/Near East zone
> Date: Fri, 19 Dec 2008 17:09:03 +0100 (CET)

http://www.orange.com/en_EN/press/press_releases/cp081219en.html

Paris, 19 Dec 2008 (France Telecom Marine cable ship about to depart)

France Telecom observed today that 3 major underwater cables were cut: Sea Me We 4 at 7:28am, Sea Me We3 at 7:33am and FLAG at 8:06am. The causes of the cut, which is located in the Mediterranean between Sicily and Tunisia, on sections linking Sicily to Egypt, remain unclear.

Most of the B to B traffic between Europe and Asia is rerouted through the USA. Traffic from Europe to Algeria and Tunisia is not affected, but traffic from Europe to the Near East and Asia is interrupted to a greater or lesser extent (see country list below). Part of the internet traffic towards Reunion is affected as well as 50% towards Jordan.

A first appraisal at 7:44 am UTC gave an estimate of the following impact on the voice traffic (in percentage of out-of-service capacity):

- Saudi Arabia: 55%
- Djibouti: 71%
- Egypt: 52%
- United Arab Emirates: 68%
- India: 82%
- Lebanon: 16%
- Malaysia: 42%
- Maldives: 100%
- Pakistan: 51%
- Qatar: 73%
- Syria: 36%
- Taiwan: 39%
- Yemen: 38%
- Zambia: 62%

France Telecom immediately alerted one of the two maintenance boats based in the Mediterranean area, the Raymond Croze. This France Telecom Marine cable ship based at Seyne-sur-Mer received its mobilization order early this afternoon and will cast off tonight at 3:00 am with 20 kilometers of spare cable on board. It should be on location on Monday morning for a relief mission. Priority will be given to the recovery of the Sea Me We4 cable, then to the Sea Me We3. By December 25th, Sea Me We4 could be operating. By December 31st, the situation should be back to normal.
The Homesick UAV, 29 Dec 2008, http://www.strategypage.com: In 2007, Ireland bought two Israeli Orbiter UAV systems, for $550,000 each. They had lost two of their six UAVs in Chad, where a battalion of Irish peacekeepers is operating. The second UAV casualty apparently tried to fly back to Ireland, after it lost its communications link with the operator. The Orbiter is programmed to head back to the operator if it loses its comm link. But this Orbiter apparently still had a GPS location back in Ireland in its memory, and headed there. Since Ireland is 5,000 kilometers from Chad, the Orbiter ran out of juice and landed about 4,800 kilometers short of its goal. The designers were trying to provide some appropriate default behavior in case the UAV lost contact with its operator. This is good, and may not have been a big deal in Israel, because most of its UAVs are operated near its borders. No one thought about the possibility of using the UAV far outside a country's borders. It should have recorded the original operator's location in order to fly back to that location. John O Long * Process Architect - IBM Tivoli Unified Process 919-224-1446 t/l 687-1446 * email@example.com [Erin go blagh? Erin call home. PGN]
A British Government report, funded by money taken through tax, argues for speed limiting devices on cars. It argues this will reduce car accidents with injuries by 29%. http://news.bbc.co.uk/1/hi/uk/7803997.stm

First questions: 29% of what? What's the period which is being used to compare against? Is it representative? Does it just include cars, or lorries? Does it include all roads, everywhere, or just (say) cities? What about accidents with fatalities? What about the additional accidents which will happen now, where people previously managed to escape by accelerating out of danger? How do they figure that accidents would be reduced anyway? I'm kinda wondering if they just took existing car accident statistics (how accurate are they? on what basis are they calculated?), looked at those accidents which happened where speeding was involved, and applied some sort of reducing factor they constructed. What about accidents which would have happened anyway, even if the cars had been doing the local speed limit? Presumably this was accounted for in their reducing factor? If so, by how much? How do you decide what reduction to use?

It works like this: each car has a GPS unit. Each car has a speed-limiting unit, which contains a map of the roads in the UK and their speed limits and, since GPS is there, knows where the car is, and prevents the car going faster than the speed limit.

First thoughts: you know as well as I do that the unit will record your journeys and that data will be available, by law, to the State, and that your car, sooner or later, will be legally obliged to carry that unit. Just because powers are granted to a State by a democratic process does not mean the State will use them democratically. What about our right of privacy? Of simply being left alone?

Here's another thought: what if there's an emergency and you need to break the local speed limit? Will there be an over-ride switch? If so, what's to stop it being permanently turned on? Will it have a time-out? What if the time-out is too short or too long? And if your unit notices that you are persistently breaking the local speed limit, what's it going to do? Will it report you to the police? Will, next time your car is serviced, the record of all your journeys be checked for breaking the speed limit and then you'll be charged?
According to one news article, students are printing up fake license plates specifically in order to speed past speedcams. The person whose plate was printed then gets a bill for the fine. There's no reason it wouldn't work, as long as the speedcams don't also get pictures of the driver (as they do in England). However, the one story on it that I saw is not convincing. All of the reports of its occurrences seem to come from one unnamed source. One of the quotes may be correct regardless, though: "It will cause potential problems for the Speed Camera Program in terms of the confidence in it." *Montgomery [Maryland] County Sentinel*, 11 Dec 2008 http://www.thesentinel.com/302730670790449.php
Students Use Speed Cameras to Frame Innocent Drivers, Prank Teachers http://www.dailytech.com/Students+Use+Speed+Cameras+to+Frame+Innocent+Drivers+Prank+Teachers/article13749.htm "I've objected to the robotic menaces primarily on the grounds that they were fallible revenue machines for the state rather than legitimate means of protecting life and limb," said Examiner.com's J.D. Tucille. "It never occurred to me that the [speed cameras] were also handy tools for wreaking revenge on enemies and authority figures. That was clearly a lapse of imagination on my part." Aside from the pranking itself, a secondary effect may be to diminish trust in the legitimacy of valid tickets (particularly since it was reported some perpetrators used similar-looking cars to the victim's). Good quality and access to the data collected would help to address this (e.g., are the photos provided with the ticket? High or low res? Color or B&W? etc...) as better data should make it easier to prove there was fraud. But on whom does the burden of proof lie?
Maryland Students Use Speed Cameras for Revenge (via Dave Farber's IP) http://www.thenewspaper.com/news/26/2632.asp

Students in Montgomery County, Maryland use fake license plates to send speed camera tickets to enemies.

High school students in Maryland are using speed cameras as a tool to fine innocent drivers in a game, according to the Montgomery County Sentinel newspaper. Because photo enforcement devices will automatically mail out a ticket to any registered vehicle owner based solely on a photograph of a license plate, any driver could receive a ticket if someone else creates a duplicate of his license plate and drives quickly past a speed camera. The private companies that mail out the tickets often do not bother to verify whether vehicle registration information for the accused vehicle matches the photographed vehicle.

In the UK, this is known as number plate cloning, where thieves will find the license information of a vehicle similar in appearance to the one they wish to drive. They will use that information to purchase a real license plate from a private vendor using the other vehicle's numbers. This allows the "cloned" vehicle to avoid all automated punishment systems.

According to the Sentinel, two Rockville, Maryland high schools call their version of cloning the "speed camera pimping game." A speed camera is located out in front of Wootton High School, providing a convenient location for generating the false tickets. Instead of purchasing license plates, students have ready access to laser printers that can create duplicate license plates on glossy paper using readily available fonts. For example, the state name of "Maryland" appears on plates in a font similar to Garamond Number 5 Swash Italic. Once the camera flashes, the driver can quickly pull over and remove the fake paper plate. The victim will receive a $40 ticket in the mail weeks later.

According to the Sentinel, students at Richard Montgomery High School have also participated, although Montgomery County officials deny having seen any evidence of faked speed camera tickets. [Source: Local teens claim pranks on county's Speed Cams, *Montgomery County Sentinel* (MD), 11 Dec 2008] Archives: https://www.listbox.com/member/archive/247/=now
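The gap the article points at is that a citation is issued on the plate photo alone, with no check against the registration record. The following is an added illustration (not code from the article or any enforcement vendor) of the two checks a ticket-review step could run before mailing: an attribute cross-check between the photographed vehicle and the registration record, and an impossible-travel check across cameras, which is the usual heuristic for cloned plates and goes beyond the article's single-camera case. All camera ids, coordinates, plates and records below are constructed sample data.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def registration_mismatch(photo, record):
    """Fields on which the photographed vehicle disagrees with the registration record.

    An absent record is itself a reason to hold: the plate may not exist.
    """
    if record is None:
        return ["no registration record"]
    return [
        f for f in ("make", "color", "body")
        if photo.get(f) and record.get(f) and photo[f].lower() != record[f].lower()
    ]


def impossible_travel(sightings, max_kmh=200):
    """Flag consecutive sightings of one plate that would need more than max_kmh.

    sightings: list of {"camera", "time", "loc"} dicts, sorted by time.
    Two cameras seeing the same plate at a speed no car reaches is the classic
    sign that more than one vehicle is carrying that plate.
    """
    flags = []
    for prev, cur in zip(sightings, sightings[1:]):
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600
        km = haversine_km(prev["loc"], cur["loc"])
        if km > 0 and (hours <= 0 or km / hours > max_kmh):
            flags.append((prev["camera"], cur["camera"]))
    return flags


def review_citation(photo, registry, history):
    """Return ("issue", []) or ("hold_for_review", reasons) for one camera event.

    registry maps (state, plate) -> registration record; history is the list of
    recent sightings of the same plate (hypothetical data sources).
    """
    record = registry.get((photo["state"], photo["plate"]))
    reasons = registration_mismatch(photo, record)
    for a, b in impossible_travel(sorted(history, key=lambda s: s["time"])):
        reasons.append(f"impossible travel between {a} and {b}")
    return ("hold_for_review" if reasons else "issue", reasons)


# Constructed sample: registry says blue Toyota, camera saw a red Honda.
REGISTRY = {("MD", "ABC1234"): {"make": "Toyota", "color": "blue", "body": "sedan"}}
PHOTO = {"state": "MD", "plate": "ABC1234", "make": "Honda", "color": "red", "body": "sedan"}
T0 = datetime(2008, 12, 11, 8, 0)
# Constructed sightings roughly 86 km apart (same latitude, one degree of longitude).
CLONE_HISTORY = [
    {"camera": "CAM-A", "time": T0, "loc": (39.0, -77.0)},
    {"camera": "CAM-B", "time": T0 + timedelta(minutes=10), "loc": (39.0, -76.0)},
]

if __name__ == "__main__":
    print(review_citation(PHOTO, REGISTRY, CLONE_HISTORY))
```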
<http://www.win.tue.nl/hashclash/rogue-ca/> We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.
I dare say that many of us have a love/hate relationship with Fry's Electronics, and their massive, themed stores. There are several of them here in the L.A. area, and my favorite is the SciFi themed (the UFO crashed into the building!) site in Burbank (http://lauren.vortex.com/archive/000071.html — apologies for the horrid cell phone camera photo from more than four years ago). The store out here in the West San Fernando Valley is themed to "Alice in Wonderland" throughout. [Lauren's comment suggests he is a rabbit admirer? PGN] Fry's has always seemed to have a highly disciplined, very much top-down management style — to say the least. If you've been there, you know what I mean. Fry's has become the "go to" place for immediate access electronics parts for many years. Now comes word that the single individual reported to be ultimately responsible for all merchandise stocking at all Fry's has been arrested in a $65M embezzlement case, complete with gambling debts and jets to Vegas. http://www.latimes.com/business/la-fi-frys24-2008dec24,0,7762946.story And that's no white rabbit. firstname.lastname@example.org +1 (818) 225-2800 email@example.com http://lauren.vortex.com http://www.pfir.org/lauren Network Neutrality Squad - http://www.nnsquad.org [Do you want Fry's with that order instead of Fries? PGN]
Fired Fry's executive: 'Caught up in the game' in Vegas, Silicon Valley Lisa Fernandez and Julia Prodis Sulek, *San Jose Mercury News*, 28 Dec 2008 Abbi Vakil was hoping to strike a deal with Fry's Electronics to sell his company's iPhone battery when he first met Omar Siddiqui on the second floor of the company's headquarters on Brokaw Road. Siddiqui, Fry's vice president of merchandising, wasn't tall, but he looked like he stepped out of the pages of a men's fashion magazine with his sharp tailored suit - the gold chains around his neck notwithstanding. Just as Vakil began his sales pitch, Siddiqui grabbed the $15 battery and flung it "like a Frisbee" into the credenza. What happened next gives an indication of just how this high-level executive, the son of a Pakistani diplomat who was crazy about fast cars and blackjack tables, bullied his way over three years into $65 million in kickbacks from vendors for space on Fry's shelves to try to pay off his gargantuan gambling debts, according to federal authorities. It's an allegation the 42-year-old bachelor now faces in San Jose federal court. If Vakil's company wanted to do business with Fry's, Siddiqui glowered at him, Vakil would have to pay him $20,000. "It just didn't make any sense," Vakil, now vice president at FastMac.com, told the Mercury News of the 2006 encounter. "How many products would we have to sell to make a profit? We could have been selling horse manure. All he cared about was, 'What's in it for me?'" ... http://www.mercurynews.com/ci_11322297 [Fired? Fried or Fryed! PGN]
Eric A. Taub, *The New York Times*, 22 Dec 2008 The Federal Communications Commission sponsored a Nascar race car as part of its effort to inform Americans that on Feb. 18, television signals transmitted over the air will be transmitted solely in digital format. Old TV sets will no longer work. It paid $350,000 to emblazon "The Digital TV Transition" and other phrases on a Ford driven by David Gilliland. So how's that going? In November, the car crashed during a Nascar race in Phoenix. It was the second crash in as many months. And how is the digital TV transition going? According to critics, about as well, despite a major marketing campaign that includes nightly ads on TV. According to surveys conducted by the Consumers Union, a consumer advocacy group that also publishes Consumer Reports magazine, while 90 percent of the nation is aware of the transition, 25 percent mistakenly believe that one must subscribe to cable or satellite after February, and 41 percent think that every TV in a house must have a new converter box, even those that are already connected to cable or satellite. ... http://www.nytimes.com/2008/12/22/technology/22digital.html
Geoff Duncan, VHS Rides Off Into The Sunset, 23 Dec 2008 http://news.digitaltrends.com/news-article/18730/vhs-rides-off-into-the-sunset The venerable VHS tape is finally vanishing in the rear-view mirror as the last major supplier stops distribution. VHS tape, the format that, for better and worse, brought video into untold millions of households around the world, is finally going the way of the dinosaur — at least in the United States. After the 2008 holiday season, Distribution Audio Video, the last major distributor of VHS tapes in the United States, is finally calling it quits, and will stop distributing VHS tapes. Although Hollywood hasn't released a movie in VHS format since 2006, a number of bargain retailers were still stocking the format, and it's also lived on in a number of isolated markets like cruise ships, public libraries, military bases, and care facilities. "It's dead, this is it, this is the last Christmas, without a doubt," said Distribution Video Audio president Ryan J. Kugler, to the L.A. Times. "I was the last one buying VHS and the last one selling it, and I'm done. Anything left in the warehouse we'll just give away or throw away." Consumers have long since indicated their preference for DVD over VHS tapes, and Distribution Audio Video is now in the DVD distribution business, although it predicts DVDs are also on their way out, to be replaced by Blu-ray. Nonetheless, the shutdown of the last major VHS distributor in the United States doesn't mean the world has finally embraced digital video. Countless titles and content that have been available on VHS have yet to be released on DVD, whether it be classic films from pre-war Hollywood or simply performances by under-appreciated bands and artists; the amount of material available on DVD has yet to encompass everything that was available on VHS. And, of course, VHS will continue to live for some time in developing markets around the world.
So with various estimates for the 20 Jan Inauguration turnout running from 1.5 to 5 million people, the cellular industry has been releasing PR about what they are doing to prepare. The usual approach is to add small portable cell-sites, often "COWs" [Cell On Wheels] with some kind of backhaul to the region's Mobile Telephone Switching Office [MTSO]. They are also pleading with customers to abstain from talking and sending pictures; instead please use SMS/texting. [Texting queues, unlike voice.] And they have more quietly mentioned pecking order control that gives precedence to specific phones, presumably the police chief, various coordinators, etc. But I have a different concern. Well before the talking stage, each carrier's MTSO must first recognize and register every phone it finds. I wonder how large the available registration tables are in the various CDMA/GSM/iDEN MTSOs — can they even poll and hold all that respond?
A *Philadelphia Inquirer* article, when rendered for their website, has an interesting artifact of (I suspect) a simple-minded automatic URL recognition algorithm. Is it okay to assume that three consecutive w's won't occur in English, and need not be lexically distinct to start a URL? "Awwww," said the RISKs community. http://www.philly.com/inquirer/weekend/classical_music/20081211_Young_conductor__old_soul__eh_.html The concert, despite short rehearsal, was fabulous. [I presume they did not play anything by WaczslawWWieniawsky? PGN]
I'm a Big User of Gmail. I generally don't notice the targeted ads that appear alongside messages, but this one caught my eye:

    E-Mail Lists - Free Quotes
    Free Quotes from Multiple Brokers
    Compare & Save - 5000+ names only
    www.(domain-removed).com/email_lists

Is Google trying to use up spare bandwidth & server resources? Google does have very big feet, though.
Yesterday, my wife tried to do some transactions on an ATM. Everything looked fine and so she fed her credit card into the appropriate slot. The machine pulled the card inside, the screen turned black and the machine stood still. Very annoyed, she pushed her finger against the dark touchscreen repeatedly. The screen remained dark, but an acoustic signal told her that the computer still was alive. As she had some idea about where the Eject "button" should be on the screen, she repeatedly pushed that position with her finger and after some 10 or 20 tries suddenly her credit card came out of the beast. One more victory of men over machines... But what would the system have done, if she had given up after some tries less? Worst: push out the card after a timeout. Best: dump the card to the safe after a timeout. Probably: hold the internal state, waiting for the next visitor (who would find the card slot full and then try - what?). Handling failures of signaling devices is not new to many technical domains, but in the case of a touchscreen the control device also becomes (nearly) useless and so does the idea of emergency action via the input device. The solution: a good old emergency pushbutton beneath the touchscreen?
UPX was a type of (obviously) lossless compression used on executable files, with the idea that on slow media like hard drives, it would be faster to load a program which was compressed, then uncompress it into memory. The UPX header in the front of the executable, I believe, decompresses itself as it's being loaded. It could also be used as a type of anti-reverse-engineering tool, since the actual program would not be on disk, only a compressed version would be, and if the compressed version were encrypted with an internal password (I don't know if UPX did this, but it is possible) then you'd need to use something like the software equivalent of a logic probe to watch where the executable was loaded in order to be able to figure out what it was doing. In the case of a piece of Malware, it would be a great idea because it would make it much, much harder to get a virus signature since you'd have to allow the header to load the program (in order to decompress it) but somehow stop it from fully loading before the payload was executed. Machines have gotten so much faster that compressing executables to save time loading off of disk is basically a deprecated practice. Also some of the software has gotten smarter, e.g. Borland's compilers would discard code that is never used when its linker built the program, so the executable might not even have extra unused code.
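The anti-analysis point above is what makes packer detection worthwhile on the defender's side: a scanner that cannot see through the compression can at least recognise that a binary is packed and route it to dynamic analysis. As an added example (not UPX's own code or the page's), the Python below parses the PE section table and reports the two indicators analysts usually look at: the UPX section names (UPX0, UPX1, ...) and a section whose raw bytes have near-maximal Shannon entropy, which is what compressed or encrypted data looks like. The minimal PE image it is tested on is constructed in the block and is not a runnable executable.

```python
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob):
    """Yield (name, raw_offset, raw_size) for each section of a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]   # offset of "PE\0\0"
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF header
    n_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table start
    for i in range(n_sections):
        off = table + 40 * i                              # 40 bytes per entry
        name = blob[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        yield name, raw_ptr, raw_size


def upx_indicators(blob, entropy_threshold=7.0):
    """Report UPX-named sections and high-entropy sections; flag likely packing."""
    named, dense = [], []
    for name, raw_ptr, raw_size in pe_sections(blob):
        if name in UPX_SECTION_NAMES:
            named.append(name.decode())
        # UPX0 normally has no raw data (it is the decompression target), so
        # skip empty sections rather than scoring them.
        if raw_size and shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]) >= entropy_threshold:
            dense.append(name.decode())
    return {"upx_sections": named, "high_entropy": dense,
            "likely_packed": bool(named) or bool(dense)}


def build_sample_pe(sections):
    """Assemble a minimal constructed PE image (headers + sections) for testing."""
    e_lfanew = 0x40
    header = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    data_off = e_lfanew + 4 + 20 + 40 * len(sections)     # no optional header
    table, payload = bytearray(), bytearray()
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data),
                             data_off + len(payload), 0, 0, 0, 0, 0x60000020)
        payload += data
    return bytes(header) + b"PE\0\0" + coff + bytes(table) + bytes(payload)


# Constructed layout mimicking a UPX-packed file: empty UPX0, dense UPX1.
PACKED_SAMPLE = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 2),
                                 (b".rsrc", b"\0" * 512)])
PLAIN_SAMPLE = build_sample_pe([(b".text", b"\x90" * 256), (b".data", b"\0" * 64)])
```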
The incident may be exactly as described, but my paranoia level tends to rise when something that seems to perfectly match my stereotypical view of some group or individual crops up. If it sounds too perfect an incident to be true, then perhaps it isn't true and someone is hoping to have fun seeing what reaction they can generate. I hope that the HeliOS project member who responded to "Karen" checked the e-mail headers and applied other e-mail authentication strategies before responding. In addition to Joe-job spam, "jokes" mean that even non-bulk e-mail is not always what it purports to be. This might turn out to be an example of a different sort of computer related risk, assuming that e-mail came from the source shown in the visible From: line and that it was composed by them.
California Sciences Institute will be hosting a short course on "How to Become a Digital Forensic Evidence Expert" on Jan 19, 2009 in the Bay Area near San Francisco, CA. There will be a $40 charge for attendees, and the program will run from 6-9 PM. If you are interested in additional details, please look for them at: http://calsci.org/2008/2009-01-HowTo-Become-DFE-Expert.pdf