Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Alexander Stepanov and Paul McJones Elements of Programming Addison-Wesley 2009 ISBN 978-0-321-63537-2 What could be one of the most important books for developers of low-risk systems has come to my attention, and deserves your consideration if you are serious about understanding the mathematical foundations of programming and applying them sensibly to your practice. It is not an easy read, but it is a very compelling approach. To support its mathematically oriented crispness, the book includes the definition of a small but elegant C++ subset that has been crafted by Sean Parent and Bjarne Stroustrup for illustrative use in the book. I believe this material should be taught within all computer science curricula. A long quote and a short one on the back jacket give an idea of what is involved: Ask a mechanical, structural, or electrical engineer how far they would get without a heavy reliance on a firm mathematical foundation, and they will tell you, `not far.' Yet so-called software engineers often practice their art with little or no idea of the mathematical underpinnings of what they are doing. And then we wonder why software is notorious for being delivered late and full of bugs, while other engineers routinely deliver finished bridges, automobiles, electrical appliances, etc., on time and with only minor defects. This book sets out to redress this imbalance. Members of my advanced development team at Adobe who took the course based on the same material all benefited greatly from the time invested. It may appear as a highly technical text intended only for computer scientists, but it should be required reading for all practicing software engineers. — Martin Newell, Adobe Fellow The book contains some of the most beautiful code I have ever seen. — Bjarne Stroustrup The bottom of the inside cover suggests that through this book you will come to understand that mathematics is good for programming, and theory is good for practice. I applaud that sentiment.
IDG News Service: By some estimates there are 15 to 20 of these secret wiretapping rooms across the country. You're the only AT&T employee who has come forward and talked about them in detail. Why? Mark Klein: Fear. First of all it was a scary time. It still is a scary time, but during the Bush years it was sort of a witch hunt atmosphere and people were afraid. People are afraid of losing their jobs, and it's a rule of thumb that if you become a whistleblower you'll probably lose your job. And if you have a security clearance, you not only lose your job, but you probably will be prosecuted by the government. The Bush administration made that very clear in statements they made over and over again: 'Anybody who reveals anything about our secret programs will be prosecuted and we are running investigations to find out who leaked this to the New York Times.' Well that puts a fear in people. http://www.computerworld.com/s/article/9135645/The_NSA_wiretapping_story_nobody_wanted While campaigning against President George W. Bush, Barack Obama had pledged that there would be "no more wiretapping of American citizens," but President Obama's administration has continued to use many of his predecessor's arguments when it comes to warrantless wiretapping. http://www.computerworld.com/s/article/9135575/Obama_administration_defends_Bush_wiretapping
In George Orwell's "1984," government censors erase all traces of news articles embarrassing to Big Brother by sending them down an incineration chute called the "memory hole." On Friday, it was "1984" and another Orwell book, "Animal Farm," that were dropped down the memory hole - by Amazon.com. In a move that angered customers and generated waves of online pique, Amazon remotely deleted some digital editions of the books from the Kindle devices of readers who had bought them. An Amazon spokesman, Drew Herdener, said in an e-mail message that the books were added to the Kindle store by a company that did not have rights to them, using a self-service function. "When we were notified of this by the rights holder, we removed the illegal copies from our systems and from customers' devices, and refunded customers," he said. Amazon effectively acknowledged that the deletions were a bad idea. "We are changing our systems so that in the future we will not remove books from customers' devices in these circumstances," Mr. Herdener said. [...] [Source: Brad Stone, *The New York Times*, 18 Jul 2009] http://www.nytimes.com/2009/07/18/technology/companies/18amazon.html [Lots of media coverage on this one, especially the 1984 connection. See also an item from David Pogue's Posts: Some E-Books Are More Equal Than Others, 17 Jul 2009. PGN] http://pogue.blogs.nytimes.com/2009/07/17/some-e-books-are-more-equal-than-others/
I see two RISKS-related issues. One is that it undermines the whole e-book industry. The other is a good reminder of what can happen with closed ecosystems. It's been slashdotted and is in many online news sources and blogs. http://news.cnet.com/8301-13860_3-10289983-56.html
The July 7th, 2009 edition of "Ask Amy" (an advice columnist) tells the tale of an interesting RISK of using net filtering and online systems to control your children. Briefly, a high-school student's father was using the school's "check up on your kids" Web site to an excessive degree. The fed-up student used the family's parental control software to find out how often the dad was visiting the site (answer: three times daily) and in the process learned some unsavory details about Dad's browsing habits. http://www.chicagotribune.com/features/columnists/advice/chi-0707-ask-amyjul07,0,2095115.column I suppose the RISK lies in assuming you're smarter than your kids...and forgetting that most tools can be used in multiple ways. Geoff Kuenning email@example.com http://www.cs.hmc.edu/~geoff/ In any large population, there are some people who aren't very bright. That's not their fault, it's just in their genes. As an engineer, I have a responsibility to design things that won't kill off the slower ones, just as I have a responsibility to design things that won't harm my neighbor's dog.
[I read this over breakfast on paper. Thanks to Lauren Weinstein for the URL.] Jonathan Zittrain, Lost in the Cloud, *The New York Times*, 20 Jul 2009 Earlier this month Google announced a new operating system called Chrome. It's meant to transform personal computers and handheld devices into single-purpose windows to the Web. This is part of a larger trend: Chrome moves us further away from running code and storing our information on our own PCs toward doing everything online - also known as in "the cloud" - using whatever device is at hand. Many people consider this development to be as sensible and inevitable as the move from answering machines to voicemail. With your stuff in the cloud, it's not a catastrophe to lose your laptop, any more than losing your glasses would permanently destroy your vision. In addition, as more and more of our information is gathered from and shared with others - through Facebook, MySpace or Twitter - having it all online can make a lot of sense. The cloud, however, comes with real dangers. [...] http://www.nytimes.com/2009/07/20/opinion/20zittrain.html
Cloud Computing certainly exposes one to the consequence of other people's actions, but law enforcement's lack of selectivity is nothing new. Consider the Secret Service raid on Steve Jackson Games years ago. http://www.sjgames.com/SS/
<http://www.sundayherald.com/news/heraldnews/display.var.2174801.0.scientists_crack_security_system_of_millions_of_cars.php> Ruhr University scientists say it is now relatively straightforward to clone the remote control devices that act as the electronic keys. They have overcome the KeeLoq security system, which is made by US-based Microchip Technology and is used by Honda, Toyota, Volvo, Volkswagen and other manufacturers to transmit access codes using radio frequency identification technology. The KeeLoq's security relies on poor key management, in which every key is derived from a master that's stored in the reading device. Moreover, it uses a proprietary algorithm that had already been shown to generate cryptographically-weak output.
Meanwhile, although experts say that some RFID technologies are quite secure, a University of Virginia security researcher's analysis of the NXP Mifare Classic (see Hack, November/December 2008), an RFID chip used in fare cards for the public-transit systems of Boston, London, and other cities, has shown that the security of smart cards can't be taken for granted. "I think we are in the growing-pains phase," says Johns Hopkins University computer science professor Avi Rubin, a security and privacy researcher. "This happens with a lot of technologies when they are first developed." ... [Source: Erica Naone, RFID's Security Problem: Are U.S. passport cards and new state driver's licenses with RFID truly secure? Technology Review, Jan/Feb 2009; PGN-ed] http://www.technologyreview.com/computing/21842/
(Todd Lewan) To protect against skimming and eavesdropping attacks, federal and state officials recommend that Americans keep their e-passports tightly shut and store their RFID-tagged passport cards and enhanced driver's licenses in "radio-opaque" sleeves. That's because experiments have shown that the e-passport begins transmitting some data when opened even a half inch, and chipped passport cards and EDLs can be read from varying distances depending on reader technology. [Source: Todd Lewan, The Associated Press, 12 Jul 2009; PGN-ed] http://www.washingtonpost.com/wp-dyn/content/article/2009/07/11/AR2009071101929.html
Now I've seen everything... Apparently, a leading South African bank has fitted 11 ATMs around the Cape Peninsula with pepper spray cans in an effort to prevent card skimming and ATM bombing. I guess the person who thought of this wasn't a reader of Risks Digest. According to the following Guardian article http://www.guardian.co.uk/world/2009/jul/12/south-africa-cash-machine-pepper-spray ...the mechanism backfired in one incident last week when pepper spray was inadvertently inhaled by three technicians who required treatment from paramedics. Patrick Wadula, spokesman for the Absa bank, which is piloting the scheme, told the Mail & Guardian Online: "During a routine maintenance check at an Absa ATM in Fish Hoek, the pepper spray device was accidentally activated. "At the time there were no customers using the ATM. However, the spray spread into the shopping centre where the ATMs are situated." What's next? PCs that pepper spray their users when they download a virus or malware? Hmmmm... perhaps not a bad idea :-) Thomas Dzubin, Calgary, Saskatoon, or Vancouver CANADA
This is IMHO a rather promising new development in security, mainly because it appears to promise more security without too much usability impact. And it may ruin Powerpoint presentations, another point in its favour :-). It neatly uses the fact that most modern laptops have a camera built in. Source: http://www.siliconvalley.com/ci_12743292 ======== Anderson calls it his "aha" moment — a flash of insight from which he drew a career-altering connection between decades-old research and his job as a computer security expert. Nearly two years ago, Anderson had a comfortable job as vice president at an established computer security company. But while reading "Consciousness Explained," a book by philosopher Daniel Dennett, Anderson learned about one scientist's research into variations in the way the human eye reads and processes text and images. "This obscure characteristic ... suddenly struck me as (a solution to) a security problem," said Anderson, 42, who has a doctorate in cryptology. "I said, 'Holy cow. No one has thought of using this to protect the contents of a screen.' It was just some obscure research." Anderson quit his job at SafeNet, raised $1.2 million in seed money from friends and family and plunged full time into developing his idea — a software program that allows only an authorized user to read text on the screen, while everyone else sees gibberish. [..] The private version of the product can already be bought from the company at http://oculislabs.com, at a price well below your average privacy screen. From their website it appears the "look, your mother is watching" Pro version is not yet released.
In 2003, researchers at a federal agency proposed a long-term study of 10,000 drivers to assess the safety risk posed by cellphone use behind the wheel. They sought the study based on evidence that such multitasking was a serious and growing threat on America's roadways. But such an ambitious study never happened. And the researchers' agency, the National Highway Traffic Safety Administration, decided not to make public hundreds of pages of research and warnings about the use of phones by drivers - in part, officials say, because of concerns about angering Congress. ... [Source: Matt Richtel, *The New York Times*, 21 Jul 2009; PGN-ed] http://www.nytimes.com/2009/07/21/technology/21distracted.html
Hello: Would you like to report a bug in an Adobe product? Here is the URL: https://www.adobe.com/cfusion/mmform/index.cfm?name=wishform They do have rather stringent terms. You have to affirm lots of things about interest in your bug report, oops, Idea. My favourite bit is "You represent and affirm that you are 18 years of age or older." Oh, to be 17 again. How many people take one look at that page and decide not to bother? Does this affect the quality of Adobe software?
Taiwan President Ma Ying-jeou was criticized after prerecorded Internet messages leaked out. Experienced Internet surfers found the messages due to be broadcast the next two weeks had already been recorded. The surfers only had to change the dates on the presidential website to see the new messages. Presidential Office Spokesman Wang Yu-chi said Ma had prerecorded the videos, which were supposed to address current affairs, adding that Ma would remake the videos, and asked the person who first discovered the messages to come forward and receive a "small prize" from the Presidential Office. http://www.taipeitimes.com/News/taiwan/archives/2009/07/20/2003449078 http://www.etaiwannews.com/etn/news_content.php?id07831
http://www.cbc.ca/canada/ottawa/story/2009/06/29/ottawa-mint-gold-missing.html Money is missing, and all they're saying is, "we'll look into it - we have one of the most secure facilities in the world". I can't believe how little uproar there has been. -Darryl Dueck, Winnipeg, MB CANADA The Royal Canadian Mint said Monday that $15.3 million worth of gold missing from its vaults could have been stolen. The gold was reported missing last fall, but officials at the mint said they had hoped they would find that an accounting error was responsible. A review conducted by auditors Deloitte and Touche, however, recently concluded that the gold wasn't simply forgotten during inventory. "The unaccounted for difference in gold does not appear to relate to an accounting error in the reconciliation process, an accounting error in the physical stock count schedules or an accounting error in the record keeping of transactions during the year," the company concluded in a report released Monday. Christine Aquino, director of communications with the mint, said that many possible scenarios are being considered. "We're not going to speculate on the cause just yet. We're not giving up on this. We're going to pursue this rather vigorously." Aquino said the mint asked the RCMP to look into the matter two weeks ago. She said in the meantime, the mint is prepared to follow three of Deloitte and Touche's recommendations concerning its accounting procedures and building security. "They've also asked that we go through our security measures for review. But it's just one of the avenues we're pursuing. We have one of the most secure facilities in Canada, if not the world." [Source: CBC News, 29 Jun 2009] http://www.cbc.ca/news/credit.html
The attacks on web sites from Korea made the news, but there was at least one attack on email, at columbia.edu. More than 26,000 hosts in Korea connected to the columbia.edu mx pool, collectively 160,000 times an hour, and then just sat there. Our network monitoring showed that they sent some bytes that may have been a HELO string, but they did not send MAIL. Our system responds by forking a sendmail process for each connection, and even though they were mostly doing nothing waiting for data, the system load went up. However, it is summer at an edu, and we are pretty well provisioned anyway, so the effect was "hm, that's funny, wonder why the load is that high" rather than "OMG the sky is falling". We shortened the timeout waiting for MAIL, and rate-limited the worst-offending IP blocks, and got the load back to normal. The attack was not continuous throughout the weekend. Maybe the botnet had other missions part of the time. Like the http attacks, it stopped during the following week. Possibly the goal was that we would be forced to blackhole South Korean IP space in order to function. Columbia University has a significant number of people with personal and academic contacts in South Korea. Joseph Brennan, Lead E-mail Systems Engineer Columbia University Information Technology
The other day, for no good reason, I got misplaced on some local dirt roads. "No problem," I thought, because my car had a GPS and a map database that actually knew about all those dirt roads. But when I zoomed the display out far enough to see where the nearest paved road back to exurbia might be, all the dirt roads disappeared, and I was apparently driving through a void. So I couldn't figure out which road would take me back to pavement, because I couldn't display both the roads I was on and the one I wanted to get to at the same time. Obviously, I could have pulled over and used pan as well as zoom controls, or asked for directions to some known point (and hoped none of the dirt roads on the route was closed or washed out). But that would have required both presence of mind and a place to park where I could be sure of getting back on the road after figuring out location and route. I wonder whether such hierarchical displays contribute to some of the GPS-aided navigation debacles that sometimes grace this publication — a driver may have some idea that they're going the wrong way, but their display doesn't offer enough information to plan a new route easily, and the psychological pressure to keep moving forward can increase as conditions get worse.
There's a board game company called GMT Games (www.gmtgames.com). They have a "pre-order" system in place that lets you order a game before it is published (they call it the P500 system), and in order to participate you need to provide them with a credit card number. Recently, I and other customers received this e-mail from them: "Please Update Your Online Credit Card Information Ugh! Microsoft strikes again! As you probably know, we encrypt your credit card data, several times, to make sure that your data is always safe online. Well, a recent Windows update done by our service provider apparently modified the encryption key used to decrypt the data for us to read and use for charging. Please don't worry about your cc info. *There was absolutely no security issue here. In fact, it's quite the opposite. For any card that you entered into our system before July 4, neither we nor anyone else can read the card # (as the encryption key was changed).* There is no problem with cc #s entered after July 4. So we're asking you guys to please go into your online account in the next day or two and update the credit card # that is listed there (for many of you it will now look like a long string of alphanumerics) with your correct # so that we can charge the games slated to begin charging on Monday, July 13th. If you guys have any questions about this, or would prefer to do this by phone or online chat, please don't hesitate to contact our office ladies either on our website or at our toll-free number. They'll be happy to help you get the data re-entered if you'd like some help. We apologize for any inconvenience this may cause." It was nice that for a change no personal information was leaked, but I think this highlights the problems of applying OS updates without the ability to do a rollback or for that matter, having a backup of the original (suitably encrypted of course) data.
Every time I turn around, a bank website presents me with glaringly obvious RISKS about which one can only say "what _were_ they thinking? 1) When I click on "View My Account" at http://www.ingdirect.com , I am taken to a login screen headed by a bold blue notice: "Our site will be getting a minor facelift soon. So if you notice anything different after you sign in, don't freak out. You're in the right place." *That* should train customers to be vigilant. 2) I opened a bank account at a local bank, and went through all the silly rigamarole about picking a picture and so forth, and got to the idiotic "security questions." This site is one of the kind that forces you to select from a limited list of bad options, which usually manage to be both insecure yet difficult to remember (Let me think, did I enter the answer as "Main Street," "main street," or "Main st."?) But one made my jaw drop: one of the available choices was "How many children do you have?" What are the chances that a stranger could successfully guess *that* one? By comparison, my birthday is as strong as Fort Knox.
Please report problems with the web pages to the maintainer