[Thanks to Phil Porras for spotting this one.] As part of the Great Internet Mersenne Prime Search (GIMPS), UCLA mathematicians led by Edson Smith discovered (on 23 Aug 2008) the first verified Mersenne prime number with more than 10 million digits — indeed, 13-million digits long: p = 2^(43,112,609) - 1. The Electronic Frontier Foundation prize is $100,000. This is the eighth Mersenne prime "discovered" at UCLA, using spare cycles of many machines (as is also done with the SETI project — the search for extraterrestrial intelligence). [Source: Thomas H. Maugh II, *Los Angeles Times*, 27 Sep 2008; PGN-ed] http://www.latimes.com/news/science/la-sci-prime27-2008sep27,0,2746766.story [Note that this discovery does not greatly advance the quest for rapid factoring of arbitrary large prime products. However, it is once again a reminder of the potential power of highly distributed computing. The prize is on the order of eight-tenths of a penny per prime-number digit. The first multi-million-digit prime, 2^(6,972,593) - 1, had only 4,197,919 digits, and received $50K from EFF a decade ago: http://primes.utm.edu/notes/6972593/PressAnnouncement.html I wonder if EFF will now spring for the first 100-million-digit Mersenne prime to fall?]
Patrick Thibodeau and Todd R. Weiss, *Computerworld*, 26 Sep 2008 The recent collapse on Wall Street may make a career in computer science or IT more attractive to students, who largely left those fields following the dot-com bust of 2001. Stanford University computer science department chairman William Dally says students are returning to computer science because they like the field and not necessarily because it can make them rich. Boston College professor John Gallaugher says he has already seen a change in student interest, with many students contacting Gallaugher and expressing an interest in switching from finance. Following the dot-com bust, computer science enrollment declined until it reached a low of 8,021 last year, down from 14,185 in 2003-2004, according to the Computer Research Association (CRA). Meanwhile, offshore outsourcing also scared students into avoiding technology careers. Now, companies are suffering from a shortage of technology professionals, and the looming baby boomer retirements will only add to the problem. CRA analyst Jay Vegso says economic conditions appear to impact the choice that students make when choosing a major, and students currently choosing majors may be looking for safer alternatives. Stevens Institute of Technology's Howe School of Technology Management associate dean Jerry Luftman says the major difference between today and the late 1990s is the type of student that businesses need. While technical skills are important, Luftman says companies also want students with management and industry training, strong communications abilities, and marketing and negotiations skills. The U.S. Bureau of Labor Statistics reports that IT jobs are among the fastest growing; openings for networks systems and data communications analysts are expected to reach 402,000 this year, up from 262,000 in 2006. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115616&intsrc=news_ts_head
This message is from Black Box Voting, a non-profit that monitors voting irregularities and fraud. Steve Kelem, Los Altos Hills, CA - ------- Original Message -------- Subject: From BBV: Two-Minute warning on voting machines Date: Thu, 11 Sep 2008 02:55:21 -0700 From: Black Box Voting <email@example.com> Reply-To: firstname.lastname@example.org TWO-MINUTE WARNING ON VOTING MACHINES: Welcome to "SPEED VOTING" Permission to reprint or excerpt granted, with link to blackboxvoting.org Diebold/Premier says it's too late to fix a new voting machine 2-minute warning and "time-out" feature, which can kick voters off the machine, forcing them to accept a provisional ballot. At least 15 voters were booted off the machine in Johnson County, Kansas recently, and Diebold/Premier says this is due to a software upgrade which sets a timer on voter inactivity. According to the company, the machines receiving the upgrade are used in 34 states and 1,700 jurisdictions.* *This seems inflated, though. Unless the optical scan machines are also outfitted with a 2-minute warning, which doesn't make sense, it would seem that this should only apply to the DRE states and locations. JOINING THIS PROBLEM TO MAKE IT BIGGER: A study on DRE allocation from Ohio indicates that it takes an average of four to nine minutes per voter to cast an average-length ballot, and ballots in many locations will be longer than average this fall. Each additional ballot question can add 30 seconds to the time a voter must monopolize the DRE. Diebold's 2-minute timeout kicks in when the voter does not make a selection quickly enough. (Welcome to 21st Century literacy tests.) According to a Sept. 10 Kansas City Star Article, Johnson County upgraded touchscreen voting machines with a new software release from Diebold subsidiary Premier Election Solutions Inc. Buried in the release notes was a mention of a new "time out" feature that makes the voting machine eject a voter card if there has been no activity for 150 seconds. The machine emits a warning sound at 120 seconds. You can read the full article here: http://primebuzz.kcstar.com/?q=node/14307 You can add your insights and ask questions here: http://www.bbvforums.org/forums/messages/7659/78057.html The Black Box Voting TOOL KIT 2008 ( http://www.blackboxvoting.org/toolkit2008.pdf ) recommends that citizens, like you, obtain the voting machine allocation plans for your jurisdiction. This is going to become critical for locations that use touch-screens, or DREs. Unlike optical scan voting machines, DREs require voters to monopolize a machine the whole time they are voting. The Ohio study linked below provides concrete guidelines for how many machines are needed: http://www.bbvdocs.org/OH/franklin/gen2008-voting-machine-allocation.pdf (3,023 KB) [See also: Wisconsin cheese more nimble than voting list. PGN] http://www.bbvforums.org/forums/messages/176/78042.html
As we get increasingly used to booking travel online - and also seeing bargain fare offers - this had to happen sometime. Of course - if it's too good to be true... Apparently the airline was altering the fares - the intended increase became the sale price. Normally NZ-Europe costs around NZ$2300. This from the *New Zealand Herald* is fairly self-explanatory: http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10534492 "More than 100 New Zealanders who snapped up extremely cheap airfares yesterday will have their money refunded and tickets voided. One-way tickets from Auckland to Europe through airline KLM started at just $50 on its website yesterday. Return business trips were priced at $500. But the fares were a result of a filing error, KLM spokeswoman Elizabeth Vangalen told the Weekend Herald from Amsterdam last night. "It's a filing mistake, a human error," she said. "The tariffs vary a lot from day to day, so there are a lot of chances for human error." The airline did not have the final number of tickets bought at the reduced price, but already more than 100 tickets had been identified. The number could rise to as high as 300, she said. Full refunds would be made "as soon as possible". The bookings had already been canceled, Ms Vangalen said, and the airline believed there was no chance any travelers wanting to have their tickets honoured would get their way. But simply voiding the tickets when it was realised a mistake had been made was not good enough, one angry traveler said last night. David Smith, who had been planning a trip to London with his partner for some time, bought two return tickets on his credit card yesterday. When taxes, surcharges and reservation fees were added the cost was $660. Mr Smith said he had given his employer the dates of his trip, and had booked accommodation in London. "I'm a professional myself and if I make a mistake I'm held accountable for it. I don't just say to a customer, 'I cocked up, now give me the money back'," he said." Don Mackie, Auckland, New Zealand
With users squirreling their data away in ever more obscure locations (this "disk drive" is an iPod, that "disk drive" is a cellphone, the other "disk drive" is an SD card, ...) it's necessary for backup software to be very methodical in what it backs up or face the risk of losing user data. So what happens when your software to uses a comprehensive backup policy? Here's one example, with identifying marks deleted: This programme, always running in the background, monitors files on your computer and notices when they have been modified. It then copies the files, compresses and encrypts them, and sends them through the net to a backup computer. This system reads and preserves ALL FILES on each computer. Users are not allowed to restrict files from being read and backed up. If you have a laptop, you may have noticed that this programme uses huge amounts of bandwidth initially, because it starts out by dumping all the files on your disk. I discovered this when most of my ISP monthly allocation was used up over one weekend, largely by this backup. I quickly learned to put the application on "pause" whenever it was plugged in at home. I don't always remember to "unpause" it when I am at work, and I'm having second thoughts about whether I even want to. After some consultation, I was assured that the bandwidth for uploading files would decline rapidly once all the files had been transferred, but the high upload rate continued for over a month. I was mystified why it should be taking so long to finish this initial task for an 80GB drive until I discovered that the programme is not simply monitoring the internal hard disk, but all memory devices accessible to the computer. So when I took it home, it was, among other things, backing up the 300MB drive I use for family and personal matters, and another 500MB drive that I used as a "hot backup". In fact, apparently, every time you drop a CD or DVD into a drive, or connect a memory stick, it also grabs those files and uploads them. Even connecting a camera, apparently will result in your pictures being uploaded and saved. I haven't yet been able to determine whether it is also accessing remote disks that are available to my computer at home through my network behind a firewall, where sharing is wide open, and other members of my family have information they definitely do not want uploaded. It seems the vendors are stuck between a rock and a hard place. If they miss some obscure storage location, then customers get upset. But if they do scour every piece of storage media, then other customers get upset. You can't even exclude "obvious" media like CDs/DVDs because with packet-writing software you don't know whether what's in there isn't being used as general R/W data storage and therefore in need of backup.
In what Kevin Poulsen reports are the first felony charges for hacking ATMs, two men in Lincoln, Nebraska used default passcodes to reprogram privately owned cash machines to believe they were dispensing ones instead of twenties. Kevin notes that a gas station cash machine in Virginia Beach VA had been similarly reprogrammed in 2006 to believe it was dispensing fives, using default administrative passcodes that were printed in owners' manuals by Tranax and Triton — whose newer ATMS require default passcodes to be changed on first use. [Source: Kevin Poulsen, Two Arrested in First Bust for ATM Reprogramming Scam, 23 Sep 2008; PGN-ed] http://blog.wired.com/27bstroke6/2008/09/two-arrested-in.html Some folks wonder why voting machines cannot be trustworthy if ATMs are secure. But ATMs have cameras, audit trails, printed receipts, money (which is evidently more important than votes), and constrained development and operation — and still aren't secure. Of course, all-electronic voting machines don't have those things, and are much less secure. PGN
An article in today's *Arkansas Democrat-Gazette* tells of 1500 gallons of gasoline stolen from a station. It seems the gasoline pumps are shipped with a default key-code and the station owners are failing to change the codes. "Thieves can sometimes purchase a key and the factory default codes on the Internet. If the station owner has not changed the default code, then the thief can manually enter the codes to put the machine in stand-alone mode and steal gasoline." Tells how after the particular station had closed for the night someone had reprogrammed it and the police discovered long lines of cars waiting there to fill their tanks for free. All but two got away.
Last week I was making a largish deposit using a touch-screen ATM (US; bank probably isn't relevant, since I assume they use COTS software). I started the transaction, including entering the amount, then signed the check and wrote my account number on it. Then I fed the check into the deposit envelope. By this time, the display was asking, "Do you need more time?" (an existential question if ever I saw one!). I either brushed the "No" button or hit "No" — I'm not sure which (I've noticed before that the buttons don't make good use of screen real estate -- they should be as widely separated as possible, and aren't). In any case, it said "Transaction canceled" and that was it. But meanwhile, it had happily eaten the envelope containing my check! I'm still waiting for the bank to find it. I had written the account number on the back, so hopefully that will do it. Turns out the branch doesn't process ATM deposits, so they can't help (I of course spoke with them immediately after it happened), and &bank Galactic keeps saying to wait another day. Meanwhile, I've filed a "dispute" with them; everyone agrees that it's not rational that whoever processed the deposits, finding an orphaned check *with an account number on the back that matches the payee's name*, wouldn't have just processed it. Actually, what I probably should have done, is redone the transaction, putting *an empty envelope* in the slot. Then things would have been much, much clearer to whoever processed the envelopes. In any case, this is clearly a software bug: as I pointed out to the bank, if it's going to let me cancel a deposit after it's accepted the envelope, it should let me cancel a withdrawal after it's dispensed the cash. They didn't seem to think that was funny.
"The M5 East tunnel is a 4-km tunnel on a major motorway leading into Sydney. On 22 Sep 2008 the tunnel was closed for 2 3/4 hours starting at about 0900, due to the failure of a backup computer." We have had systems fail because the backup system was not able to handle the peak load on the main system: in other words, the "backup" turned out to be unable to take over when most needed. So it wasn't a "backup" at all. Now we have a system which fails because the "backup" computer failed. So this "backup", instead of dealing with a single point of failure, adds another single point of failure to the system! email@example.com http://www.cse.dmu.ac.uk/~mward/
A woman planning to fly on Air Canada to Sydney, Australia would up in Sydney, Nova Scotia. [And it reportedly had happened to two other people, in 2002.] http://www.cbc.ca/canada/nova-scotia/story/2008/09/19/sydney-argentina.html Rick Gee, Chair, Computer Science, Okanagan College www.okanagan.bc.ca/cosc people.okanagan.bc.ca/rgee
In designing reliable systems, we generally try to identify and avoid any single points of failure: components that, if they fail, bring down the system. I haven't seen a lot of discussion about avoiding "too big to fail" components in our financial system. One is a comment by James Pinkerton (with whom I generally don't agree on much) in Politico's Arena: http://www.politico.com/arena/archive/25.html
There was a photo in a recent *San Francisco Chronicle* of workers piling up flooded computer equipment from one of the hospitals in the path of hurricane Ike. It got me to thinking of how much tracking there is of the IT equipment with data stored in them that goes astray in a scene like that. In many cases the power is out long before the equipment gets flooded. I'd bet that a large number of the hard drives have recoverable data in them. How many flooded systems are there in the disaster area? How many have sensitive data on them? How many workers toss the flooded machines in the trash thinking they are unrecoverable. Food for thought for the risks readers out there. Marty Brenneis, Kerner Studios, Making Chaos for the CG World
A holiday jet carrying 229 passengers narrowly avoided disaster when a wheelchair stored in the hold burst into flames shortly after landing at Manchester airport. The chair was removed from the Boeing 727-200 jet and placed on a vehicle - where it immediately burst into flames and was destroyed. http://www.timesonline.co.uk/tol/travel/news/article4810663.ece Further commentary is superfluous.
As long as we are citing references to the crash of 1929, one may want to read: Garet Garrett, Ouroboros or The Mechanical Extension of Mankind, E.F. Hutton, 1926 http://mises.org/books/ouroboros.pdf The focus of Garrett's text expands on Horning's list, in particular the fourth "weakness": 4) The dubious state of the foreign balance [NOTE: For RISKS readers less inclined to mythology, ouroboros (literally, tail-eater, with numerous alternative spellings in its transliteration from Greek) refers to a serpent devouring its own tail, symbolizing cyclicity or cyclicality. Maybe the serpent inhabited the Cycladic Islands, one of which is Eschati — which might in turn be related to Eschatology but not E-scatology, which we find a lot of on the Internet. (See my treatise on the use and misuse of the hyphen, The Hyphenater's Handbook or The Hyphen-Haters Handbook, on why I prefer 'E-mail' to 'email' and related thoughts.) PGN]
Gotta call "bollocks" on this one, or at least make an accusation of information withheld. I "own" three Yahoo! email accounts, and I created a fourth in the interests of fact checking this claim (in case something had changed since I set up the other three). After testing, it does not appear to be possible to complete the Yahoo! password reset function without knowing either the Yahoo! ID or the alternate email address. No purported analysis of the alleged hack that I have seen (including the alleged description by the alleged hacker himself) has mentioned knowing either of those two items. So, has essential information been omitted from the description of the hack by all parties (and why?), is the claim entirely falsified, or is there a third possibility that escapes me at the moment?
My apologies for the factual error regarding check digits in Dutch bank account numbers. I obtained this information by phoning ABN AMRO and reaching what I believe in the end was third-line support. [I am always grateful to RISKS readers for incremental fact-checking! PGN]
My SRI colleague Ulf Lindqvist has just returned from Bergen, Norway, where he was a member of the examining committee for the defense of Andre Klingsheim's PhD thesis — which Ulf has shared with me. The thesis is a collection of eight of Klingsheim's published papers in English, ranging from analyses of the Norwegian national security infrastructure, their ATM system, potential man-in-the-middle attacks (why do women never get implicated?) and flawed authentication in Internet banking, mobile risks, vulnerabilities in E-governments, identity theft, and open wireless nets. Klingsheim's introduction to the thesis identifies various common threads that will be familiar to RISKS readers, particularly risks relating to security, privacy, and judicial matters. What is perhaps most worth noting here is the pervasive nature of the problems throughout so many application areas. Although this should be no surprise to you all, it is still a useful reminder of how far we need to go in the future. http://www.nowires.org/Thesis-PDF/AndreKlingsheim.pdf
RISKS readers may be interested to read details of a study just published by Fraunhofer SIT (Institute for Secure Information Technologies, SIT, situated in Darmstadt, Germany) addressing Security problems of several highly frequented social networks, including facebook, myspace, LinkedIn and Xing (plus 3 German platforms: studiVZ, wer-kennt-wen and lokalisten). The author Andreas Poller analysed acces protection, traffic protection using crypto (hardly available) as well as registration; with facebook being slighly less insecure than myspace, and LinkedIn (which supports pseudononymity which is though hardly useful in business applications) slightly better than Xing, no platform satisfies essential security requirements. The study which was developed for the German market, is presently only available in German but will be translated when sufficient international interest is experienced: German title: "Soziale Netzwerke gefaehrden Privatsphaere" http://www.sit.fraunhofer.de/fhg/Images/SocNetStudie_Deu_Final_tcm105-132111.pdf (engl): "Social Networks dangerous for private sphere" The study addresses technical issues only. In addition, it would be helpful not only requirements and availability of security functions but also the enforcement of privacy in related laws. In addition to the (technical) insecurity of globally operating social networks, differences in legal protection of privacy (e.g. between US and European laws) should be addressed. Klaus Brunnstein, Prof. em. University of Hamburg, Germany (9/26/2008)
The Estonian cyber security strategy document is now available online. I must say once again the concept of a national cyber security stance is quite interesting. Those who wish to download the document: http://www.mod.gov.ee/?op=body&id=518 My contact there specified she'd be happy to answer any questions. To avoid spam of her inbox, email me for her address.
Please report problems with the web pages to the maintainer