Attackers could gain control of water-treatment plants, natural-gas pipelines and other critical utilities because of a vulnerability in the software that runs some of those facilities. The bug has now been patched, but the vulnerability could have counterparts in other so-called supervisory control and data acquisition (SCADA) systems. http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2008/06/11/financial/f015433D06.DTL&type=printable
[Congress Daily, 11 Jun 1008, courtesy of Marcus H. Sachs] SPYWARE? SPY WHERE? Rep. Frank Wolf, R-Va., today said the FBI determined four of his government computers have been hacked by someone in China. Wolf, a longtime critic of the Chinese government's record on human rights, said computers in the offices of other lawmakers and at least one House committee have also been hacked and he is calling for hearings to investigate. Wolf said it seemed logical that Senate computers would also be compromised. [*USA Today* on 13 Jun 2008 warned about leaving any digital devices unattended for even a few minutes while in China for the Olympics.]
On May 29, UltimateBet.com, an online poker room, announced that it had discovered "unfair play" on its site. The press release at <http://www.ultimatebet.com/poker-news/2008/may/NioNio-Findings> discusses how they investigated the alleged cheating (a word they don't use) by certain players who worked for the previous ownership of UltimateBet and who exploited "unauthorized software". The paragraph of interest to Risks readers is: "The fraudulent activity was enabled by unauthorized software code that allowed the perpetrators to obtain hole card information during live play. The existence of this vulnerability was unknown to Tokwiro until February 2008 and existed prior to UltimateBet's acquisition by Tokwiro in October 2006. Our investigation has confirmed that the code was part of a legacy auditing system that was manipulated by the perpetrators. Gaming Associates, independent auditors hired by the KGC, have confirmed that the software code that provided the unfair advantage has been permanently removed." The individuals involved targeted the highest limit games and it is my understanding that some players were hit for 6 figures. UltimateBet is or is in the process of repaying those who were cheated.
A Washington Post story (http://www.washingtonpost.com/wp-dyn/content/article/2008/06/09/AR2008060901043.html?hpid=topnews) on new iPhone applications had this: Modality: An anatomy app for medical students. The app is filled with anatomy drawings and images linked to Google and Wikipedia for more detailed information. Would you trust a doctor whose knowledge of anatomy came from Wikipedia? Steve Bellovin, http://www.cs.columbia.edu/~smb [Of course, it depends on who provided the wikinformation—and who kept it up to date as knowledge changes. PGN]
This item in *New Scientist* reports on a letter in Nature by one David Thompson and three colleagues. (Long URL: you may have to join parts.) http://environment.newscientist.com/article/dn14006-buckets-to-blame-for-wartime-temperature-blip.html?DCMP=ILC-hmts&nsref=news7_head_dn14006 Fee-paying readers can access the Nature letter here: http://www.nature.com/nature/journal/v453/n7195/full/nature06982.html Thompson's group analyzed the data set of world temperatures commonly used in climate studies and found an unrecognized flaw in it, which could affect those studies' conclusions. What they realized was that after filtering out effects like El Nino years and volcanic eruptions, the record showed a marked dip of 0.3 degrees Celsius in 1945—but *not* if only temperatures taken on land were counted. Which suggested a measurement error, and they figured out what it was. What happened in 1945 was that as Britain's Royal Navy returned to peacetime duties, they had more time to report sea temperatures! So suddenly there were *more* of their measurements in comparison to those taken by the US Navy. And why did that matter? Because the seawater that the Americans actually measured was drawn from engine cooling-system intakes, while the British dipped a bucket into the sea. One method reads high, the other low.
[Source: The Chronicle of Higher Learning, 13 Jun 2008] http://chronicle.com/news/index.php?id=4674&utm_source=pm&utm_medium=en All colleges and universities entering into federal-government contracts will be required to use the Department of Homeland Security's E-Verify system to establish the immigration status of newly hired employees and all employees working on such contracts, under an executive order signed this week by President Bush. E-Verify is the federal governments automated system for allowing employers to verify job applicants eligibility to work as U.S. citizens, legal permanent residents, or authorized immigrants. When an employer submits an applicants name and personal information for eligibility verification, E-Verify checks that information against Social Security Administration and Homeland Security Department databases. [See the USACM website for testimony by PGN, Annie Anton, and most recently Gene Spafford (on EEVS, the Employee Eligibility Verification System, precursor of E-Verify). It is evident that the warnings of these testimonies were not heeded.
Google has a set of tools for Webmasters at http://www.google.ca/webmasters/tour/tour1.html You have to sign up to use them, but you can, seemingly, get at some of the tools individually if you know the URL. One that is making the rounds is a diagnostic page for the safety of a URL, at: http://www.google.com/safebrowsing/diagnostic?site= (Actually, if you just put that in your browser you get a "Bed Request" page: you have to fill in a URL on the end.) I tried it out on an advertising site that has been used a lot, recently, for referrals/redirections to malware, and it got a clean bill of health. I've tried it with a site that has been serving a version of Nuwar for at least a week, and confirmed that the site was still serving the malware directly. (This is not a referral situation.) Google gave it a clean bill of health. I'd say the Google page was unreliable at the very best. firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev/rms.htm
The gist of this report is that the "National Entitlement Card" contains a concealed chip with lots of personal information, and may be part of a scheme by the British Government to introduce identity cards by stealth. The author, Stuart Hill, who lives in the Shetland Isles, has done his research, and this should not be dismissed as just another paranoid conspiracy theory. http://www.idcardsexposed.com/ —Excerpt from start of report -- In Shetland a vulnerable section of the community is being used to pilot a scheme that threatens our fundamental freedoms. It is quite clear that the new 'National Entitlement Card' that provides access to free travel for the elderly and disabled, in fact marks the introduction of ID Cards by the back door. My research shows that: This is an EU scheme being carried out by the UK government and the Scottish Executive. The government is planning a stealth programme for ID cards, the steps for which are: - introduction, the current stage where we are offered the bribe of free travel - full coverage, everybody is required to have one - full compulsion sounds good in a free country - and finally - full identity services availability - in other words you can get no access to services without the card. [...] Recently I was denied free travel on the bus because I refused to submit my new 'smart' card to the card reader on the bus. Before the machines were fitted it was sufficient to show the card to the driver. This time it was apparently not enough that I could show my card—it had to go on the machine for data to be recorded. As far as I know, I have not given permission for my personal details to be collected in this way. —End of excerpt -- Peter Mellor <MellorPeter@aol.com> +44 (0)20 8459 7669
Recently, there has been a great deal of concern over the rise is prices of common staple food grains. A frequently cited cause for this price jump is international speculation in commodity markets, and the disproportionate aspect this can have on the price of the commodities themselves, quite apart from the usual cycles of supply and demand. What fewer people may know is that the UN declared 2008 as the international year of the potato. (They did this, of course, some time ago, so the contrast in notions becomes even more intriguing.) There is some irony in that, but it gets better. (Both from the perspective of irony, and from the point of view of useful analogies for infosec.) The potato (the "humble" potato, as it is frequently described) is suitable to a great many climatic conditions, and is generally more productive than grain crops (and *much* more productive than meats, etc.) It is also surprisingly nutritious. (Ah! I hear you cry, what about the Potato Famine? Well, in that case the potato was, oddly, a victim of its own success. We know, or should know, the dangers of the monoculture, which was what led to the famine. [And that topic has relevance to infosec as well, but it has been amply discussed elsewhere.] However, what is less well known is that the introduction of the potato, 250 years prior to the famine, led to a 5-8 fold increase in the population of Ireland over those twenty- five decades, due to an increase in both food source and in nutrition.) So, what about world food crops, commodities, and skyrocketing prices? If we convinced people to grow potatoes, wouldn't we just become dependent upon potatoes, and then there would be speculation in potato futures? Well, oddly, it seems not. Grain, when harvested, is fairly dry, and can easily be dried even more for storage and shipment. And, to pretty much anyone except a pasta maker, wheat flour is wheat flour. You can make any product you want out of basically any flour you can get. Potatoes are wet. They get used fresh, for the most part. (The technical advances in producing dried mashed potatoes seems to parallel that or artificial intelligence: there is a lot of interest, and a lot of work, but those who have tried the results can tell you that there is work yet to be done.) Also, people who use and eat potatoes tend to have preferences. (And there are a great many varieties of potatoes. Remember that monoculture bit?) It seems that potatoes are one of the few staple crops that are resistant to commodity markets (however susceptible it may be to the blight). So, what's the point for infosec? Remember the lessons of security architecture. Build your architecture based on resilient and resistant technologies, not on the most popular. It's not a new lesson: it rests on the foundation of risk management which should be foundational to all security. email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev/rms.htm
The size of the breach (number of records compromised) has not been confirmed, but is said to be "up to 38,000. Attackers gained access to customers' addresses and (worryingly) data used in "card not present" transactions. The report states: "Apacs, the trade association for the payment industry, said a specialist police force was investigating the case." There is a rumour (not mentioned in the report) that, although the breach occurred "earlier in the year", Apacs only informed the banks a few weeks ago and they are still dealing with it. For details, see http://news.bbc.co.uk/1/hi/technology/7446871.stm Peter Mellor <MellorPeter@aol.com> +44 (0)20 8459 7669
[From Network Neutrality Squad. PGN] Update on ISP Actions Regarding C-Porn and Usenet http://lauren.vortex.com/archive/000390.html Greetings. The related ISPs have been working to clarify aspects of the New York Times story that I discussed earlier today (http://lauren.vortex.com/archive/000389.html). The upshot is interesting. In contrast to the implications of the Times piece, it appears that U.S. ISPs (unlike a newly penned deal in France involving French ISPs) will not for the moment be actively blocking any "class" of Web content, but rather will work to remove c-porn sites from their servers (something most people apparently assumed they'd been doing anyway ... ). So the big to-do from the politicos about this aspect seems to best be filed under grandstanding. But there is a very disturbing additional element to this story. Time Warner Cable says that they are cutting off subscriber access to all Usenet newsgroups (child porn was found in 88 of the vast number of total newsgroups). Sprint is cutting off 10's of 1000's of alt.* newsgroups (and what a war it was back when those were created long, long ago!) Verizon plans "broad" newsgroup cutoffs. While Usenet newsgroups are certainly not the draw that they were many years ago, they still have an important role to play in the free exchange of legal information on the Internet today. Using the presence of illicit materials in some portion of a content stream as an excuse to abolish or decimate the legal content is inexcusable. In fact, that sort of "guilt by association" and "we can get away with this because most people don't know about it" action is the very essence of a particularly insidious form of censorship. Of course, the ISPs could argue that they're under no legal obligation to carry Usenet newsgroups in any form. This is true. But then, most ISPs aren't under a legal mandate to provide connectivity to any given Web sites, either. So one might wonder, given these ISPs' eagerness to hoist much or all of the completely legal content of Usenet on the petard of fettering out c-porn, which aspects of the Internet will be next to fall into the line-of-sight of their big red cutoff switch? Lauren Weinstein firstname.lastname@example.org +1 818 225-2800 http://www.pfir.org/lauren PFIR http://www.pfir.org Network Neutrality Squad - http://www.nnsquad.org PRIVACY Forum - http://www.vortex.com Lauren's Blog: http://lauren.vortex.com
Your correspondents on preferential voting systems rightly point out that no preferential or proportional voting system can ever faithfully reproduce the will of the people, because no such perfect measure of group-will exists. At best, an electoral system can only generally reproduce the expressed intentions of the voting public, and the preferential system probably does this best. While people vote for a candidate, they also vote against other candidates. So Richard Gladsen's statement: > For example, in the 2000 US Presidential election, voters whose true > preference was Nader>Gore>Bush had a strong incentive to insincerely vote > for Gore. can equally translate to ".... had a strong incentive to sincerely vote against Bush". A preferential system would have permitted the Nader voters to sincerely vote for Nader>Gore and against Bush, if that was their intention ... or, indeed, to vote for Nader>Bush and against Gore, if that was equally their intention. So the claim that "voters always have an incentive to be insincere in how they cast their votes" is not really valid. Behind this discussion is also the assumption that the only concern when choosing a voting system is that it closely reflects this idealistic expression of group-will. Of equal importance is that the system leads to a stable system of government, and that this stable government does not become entrenched. The electoral system should tend to err on the side of "overreflecting" the will of the people—and thereby giving the governing party a reasonable majority so that it is strong and stable enough to make some (possibly unpopular) changes to tax and other laws—yet allow for quick and clean changes of government when a swing in public attitudes against the governing party occurs. In other words, it needs to be a "toggle"—where a small change in public position, should on a regular basis, reflect a larger proportional change in political representation, and possibly a change of government. You often need this to overcome the advantage of incumbency. Proportional representation systems tend to create unstable governments for this reason. Lastly, stable political systems appear to depend on the country having two, or possibly three (at most) major parties—not dozens. This means that the parties will go into an election with clearly established and reasonably-defined policies on display. Alternative systems, like that of Italy, produce a multiplicity of small parties which then must form unstable coalitions through backroom deals in order to govern. So priorities and policies are largely set after the election, and governments can be blackmailed by a small party in the coalition. Preferential systems tend to encourage voters to select a major party as their favourite, while also allowing them to give support and encouragement to individuals/small parties like Nader in America, and the Green/Democratic parties elsewhere. These individuals can then sometimes challenge the majors for the swinging vote—and, in effect, create the "toggle"—which has the effect of "keeping the bastards honest" (the slogan of Australia's small third party). Stewart Fist, 70 Middle Harbour Rd, LINDFIELD, NSW 2070 Australia Ph +61 2 9416 7458 email@example.com
Richard Gladsen claims that Arrow's Theorem proves that every election system gives voters a reason to vote insincerely. I remember reading an article many years ago, probably by Martin Gardner, that claims that under approval voting, there is never a reason to vote insincerely. Approval voting is very simple: Each voter can cast zero or one votes for each candidate; all votes counts equally. The candidate with the largest number of votes wins. Note that voting for every candidate is equivalent to not voting at all, and that approval voting degenerates to traditional voting if there are only two candidates. It should be clear that approval voting will elect the candidate that the largest number of voters find acceptable (as defined by their willingness to vote for that candidate), and that this candidate might not be the favorite of the largest number of voters. We can argue separately about that property of approval voting. But I think my recollection is correct that under approval voting, there is never any reason to vote insincerely.
> [Someday encrypting such data sets will become the default. PGN] Then we'll just have a different set of RISKs, and Murphy says they will be harder to understand and explain. Do you think people will use good passwords? Do you think they will write them down? I'll bet companies would try to wiggle out of notifying victims when a laptop is stolen: Your data is safely encrypted. Why should we worry everybody? I was going to suggest that sensitive data shouldn't be stored on laptops. I'll bet the alternatives are worse, or at least more complicated to analyze and explain.
I queried HMRC for further information and received the following explanation of that web page. At 10:50 AM +0100 6/11/08, Storey, Michael (CustCon Online Services) wrote: >Thank you for your e-mail. The text on this page has been withheld from >the general public due to exemptions in the Freedom of Information Act >2000. >The manuals used by Her Majesty's Revenue & Customs (HMRC) are written for >internal instructional purposes and because of that we have to withhold >certain information when these manuals are published to the website as it's >not intended for public consumption. These manuals are published in line >with the Code of Practice on Access to Government Information. >Michael Storey, HMRC Web Team
My physician was trying to enter a diagnosis into his computer, during an office visit. The computer insisted on entering Prostitute for me; he was trying to put in Prost ate. He did an end-run. PS. I'm no prostitute, although some people think that most faculty members are (intellectually).
Max Power seems to have overlooked the selection "Provide iTunes Feedback" from the "Help" menu" or his search seemed to have not included anything as obvious as entering "itunes bug report" into a search engine like Google. I guess the risk here software defects can exist by users failing to tell the software publisher when the software fails to meet their needs, and that users will choose inappropriate avenues to vent their frustration. [This and related comments were received from many readers. For example, try http://bugreport.apple.com/. PGN]
Michael Piatek, Tadayoshi Kohno, Arvind Krishnamurthy University of Washington, Department of Computer Science & Engineering Overview As people increasingly rely on the Internet to deliver downloadable music, movies, and television, content producers are faced with the problem of increasing Internet piracy. To protect their content, copyright holders police the Internet, searching for unauthorized distribution of their work on websites like YouTube or peer-to-peer networks such as BitTorrent. When infringement is (allegedly) discovered, formal complaints are issued to network operators that may result in websites being taken down or home Internet connections being disabled. Although the implications of being accused of copyright infringement are significant, very little is known about the methods used by enforcement agencies to detect it, particularly in P2P networks. We have conducted the first scientific, experimental study of monitoring and copyright enforcement on P2P networks and have made several discoveries which we find surprising. ... http://dmca.cs.washington.edu/ FAQ http://dmca.cs.washington.edu/faq.html
Please report problems with the web pages to the maintainer