In a press conference today (1 April 2009), a spokesman for the U.S. Air Force GPS Wing has confirmed fears that a worldwide outage of GPS service is likely. The current system may reach peak capacity before the launch of the next-generation Global Positioning System Space Segment satellites, known as GPS Block III, in 2014. "The huge proliferation of civilian hand-held, cellphone, and vehicle-based GPS equipment has taxed available bandwidth on the existing satellite constellation beyond our expectations," said Major Stan Ford Parkinson. "We expect that the transceivers in the Block III satellites will handle the load through 2040. But there's a likelihood of a gap — a rolling worldwide GPS 'brown-out' — between now and the first launches." The Air Force is planning a competitive procurement to study the potentially catastrophic effects on transportation and other industries that could occur as early as 2011. This appears to be a good use of stimulus funds, especially if it stimulates some more far-sighted thinking. Mike Tashker
Ned Potter, Conficker Computer Worm Threatens Chaos Or Is It Just an April Fool's Joke? Security Groups Unite to Stop It, ABC News <http://abcnews.go.com>, 25 Mar 2009
http://abcnews.go.com/Technology/story?id=7163685&page=1
[Thanks to Phil Porras for this one. PGN-ed]

Somewhere out there, perhaps in Eastern Europe, perhaps next door to us, a very clever hacker is spreading a sophisticated little computer worm called Conficker <http://abcnews.go.com/Technology/PCWorld/story?id=6667364>. It could make an electronic mess as it spreads from one computer to another, taking over machines and commanding them to do things their users never intended. "We've got some bad guys out there who are extremely sophisticated," said Merrick Furst, a professor at Georgia Institute of Technology who also chairs an Internet security firm called Damballa. "There are a huge number of machines that might be able to be controlled by people other than the owners of those machines." Who is behind this computer attack? And what do they want from us? Are they trying to bring the world's computers to a halt? Or is the whole thing just some elaborate April Fool's joke? "It's not an April Fools prank," said Phillip Porras, a program director at SRI International, a major technology research firm. "We don't know much about how Conficker is being used. We are not sure why Conficker was built." [... Long item.]

[Also note these, courtesy of Monty Solomon. PGN]
Technical Cyber Security Alert TA09-088A
http://www.us-cert.gov/cas/techalerts/TA09-088A.html
Conficker Worm: Help Protect Windows from Conficker
http://www.microsoft.com/conficker
The 7 Most Important Things to Know About Conficker
http://blogs.pcmag.com/securitywatch/2009/03/the_most_important_things_to_k.php
Is 'Conficker' Solved? Researchers Develop Scan Tool
http://www.pcmag.com/article2/0,2817,2344060,00.asp
According to *The Register*, a site called "Person Rating" has been launched, where you can - anonymously - enter a person's name and rate them against a set of criteria.
http://www.theregister.co.uk/2009/03/11/person_rating/
The idea is that - as is supposed to happen with Wikipedia - a large number of contributors will even out any "extremes of opinion". Of course, there are a number of risks that regular readers of the forum will be all too familiar with — for example,
* Mistaken identity (only identifying by name?)
* Malicious updates (Wikipedia already has this problem with pages on politicians)
* Invasion of Privacy/Libel
*El Reg* is, of course, rather dismissive of the site: "The idea is that the crowd will weed out extremes of opinion and the result will be an accurate and impartial description of the person concerned - which is about as likely as Greenpeace developing an independent nuclear deterrent." "Unlike Wikipedia, PersonRatings is intending to make money though advertising, though it seems more likely the service will quietly disappear when the crowds decide they've got better things to do than rate their friends and colleagues for the benefit of targeted advertisers." At least the site has some sort of plan for making money. It will need it, if and when the libel cases start appearing.
I keep most of my scheduled appointments on Google Calendar (although it is a pain since I have to be careful not to put proprietary information in my appointment descriptions). I missed a teleconference today, because Google Calendar said it was at 4pm, and when I showed up no one was there. Going back through my notes I discovered the meeting was supposed to be at 3pm, and I had set it up as a recurring event. I then discovered from reading Google Help forums that there are known problems - when Daylight Savings Time started, recurring events got moved either an hour earlier or an hour later, depending on whether you were the originator of the meeting or an invitee. There was another symptom I noticed - my meeting was at 3pm (Standard time) which got shifted to 4pm (Savings) time. When I tried to change the time back to 3pm, it had no effect - presumably because it thought the meeting was already scheduled for 3pm (Standard). So to make it show up on my calendar at 3pm (Savings), I had to change the schedule to 2pm (Standard). Once Google fixes the problem, I have to remember to move the scheduled time back again, so I show up at the right time! RISK? When there's a shared calendar infrastructure and it's buggy, everyone ends up at the wrong time. Something similar happened last year when the US switched to Savings time earlier than in previous years - Microsoft and other vendors rushed out patches to handle the time change. [Among many other problems discussed here, this one seems to recur. PGN]
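The one-hour shift described in the item above is what happens when a recurring event is expanded by freezing the first occurrence's UTC offset instead of repeating its wall-clock time in the event's zone. The following is an added example, not Google Calendar's code: it assumes US Eastern time (the post does not say where the author is) with a hand-rolled DST rule so no tz database is needed, and a constructed weekly 3 pm meeting first held on 2 March 2009, one week before US clocks went forward. The `drift_hours` check is the kind of test a calendar service could run over its own expansions across a DST boundary.

```python
from datetime import date, datetime, time, timedelta, timezone, tzinfo


class USEastern(tzinfo):
    """US Eastern time under the post-2007 DST rules (second Sunday in March to
    first Sunday in November), implemented by hand so the example runs offline.
    The zone is an assumption; the post does not name one."""

    def _dst_window(self, year):
        march1 = date(year, 3, 1)
        second_sunday = march1 + timedelta(days=(6 - march1.weekday()) % 7 + 7)
        nov1 = date(year, 11, 1)
        first_sunday = nov1 + timedelta(days=(6 - nov1.weekday()) % 7)
        return (datetime.combine(second_sunday, time(2)),
                datetime.combine(first_sunday, time(2)))

    def dst(self, dt):
        start, end = self._dst_window(dt.year)
        in_dst = start <= dt.replace(tzinfo=None) < end
        return timedelta(hours=1) if in_dst else timedelta(0)

    def utcoffset(self, dt):
        return timedelta(hours=-5) + self.dst(dt)

    def tzname(self, dt):
        return "EDT" if self.dst(dt) else "EST"


EASTERN = USEastern()


def march_2009_meeting():
    """Constructed sample: a weekly 3 pm meeting first held on Monday 2 March 2009,
    the week before US clocks went forward on 8 March 2009."""
    return datetime(2009, 3, 2, 15, 0, tzinfo=EASTERN)


def expand_fixed_offset(first, weeks):
    """Buggy expansion: convert the first occurrence to UTC once and step forward in
    UTC. The first occurrence's offset (-05:00) is thereby frozen, so every
    occurrence after the DST switch lands an hour late on the local clock."""
    first_utc = first.astimezone(timezone.utc)
    return [(first_utc + timedelta(weeks=i)).astimezone(EASTERN) for i in range(weeks)]


def expand_wall_clock(first, weeks):
    """Correct expansion: repeat the wall-clock time in the event's zone and let the
    zone rules supply whatever UTC offset applies on each date."""
    out = []
    for i in range(weeks):
        d = first.date() + timedelta(weeks=i)
        out.append(datetime(d.year, d.month, d.day, first.hour, first.minute, tzinfo=EASTERN))
    return out


def drift_hours(first, weeks):
    """Detection check: per occurrence, how many hours the fixed-offset expansion
    differs from the intended wall-clock time. Any non-zero entry is the symptom
    reported in the post (3 pm meeting shown at 4 pm)."""
    return [fixed.hour - wall.hour
            for fixed, wall in zip(expand_fixed_offset(first, weeks),
                                   expand_wall_clock(first, weeks))]


if __name__ == "__main__":
    for fixed, wall in zip(expand_fixed_offset(march_2009_meeting(), 3),
                           expand_wall_clock(march_2009_meeting(), 3)):
        print(wall.date(), "intended", wall.strftime("%H:%M %Z"),
              "fixed-offset shows", fixed.strftime("%H:%M %Z"))
```

The second and third occurrences (9 and 16 March) fall after the switch, so the fixed-offset expansion reports them at 16:00 EDT while the wall-clock expansion keeps 15:00 EDT; the author's workaround of entering 2 pm Standard to obtain 3 pm Savings is exactly the inverse of that frozen offset.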
Interesting article about the way people interact with cars around the world. A quote: England has been particularly aggressive about having all kinds of warning mechanisms for both drivers and pedestrians. "But sometimes drivers become so inured to this street 'furniture' they forget to look for people crossing - they forget what it's there for. And a 1970 study by the Institute of Transportation Engineers Journal looking at San Diego accidents found incidents were twice as likely at 'marked crossings' as unmarked crossings. Why? Pedestrians lose a sense of personal responsibility - they think that because they are at an official crossing, they don't need to look where they are going. And then they step out into oncoming traffic." http://news.bbc.co.uk/2/hi/uk_news/magazine/7939353.stm
While there are some legitimate digital music download sites in China - including 9Sky, Top100 and the recently launched Wawawa - digital music is proving to be a tough sell in the P.R.C, partly because of the market dominance of Baidu's free mp3 search. There are, however, people making decent profit in this as yet unmeasurable market: the hackers of Apple's iTunes store gift vouchers and their local agents. In China's biggest C2C online shopping site Taobao, $200USD iTunes gift cards are for sale at 17.9 RMB, roughly $2.6 USD. ... http://outdustry.com/2009/03/10/the-chinese-itunes-gift-voucher-trick/
The #09/#90 mobile phone warning has recently been making the rounds in New Zealand. Apparently some people don't routinely check Snopes.com. The Sunday *Star Times* issue 8 March 2009 has an article about it on page A6. The point of interest to RISKS readers is this: the hoax's credibility was bolstered by the fact that it had been circulated by a police staff member ... and carried her New Zealand Police e-mail signature. ... the staff member had forwarded it ... in a personal capacity. So someone in the Police fell for it, didn't think to check it, and forwarded it to her friends just like anyone else might, but recipients took it as a police endorsement of the content. The same article quotes a spokesman saying, "Also, people should remember New Zealand police don't use chain e-mails as a way of putting forward information." Neither do banks or anybody else for that matter.
http://news.zdnet.co.uk/security/0,1000000189,39629479,00.htm "Under the EU Data Retention Directive, from 15 March 2009, all UK Internet service providers (ISPs) are required to store customer traffic data for a year." This means that right now, *today*, all ISPs in the UK must now store when and who you sent e-mail to or received e-mail from. The e-mail I sent earlier to a friend about this has been logged; that it came from me and when it was sent. In case he's a terrorist. I mean, he's a sixty-five year old retired patent agent, but you can't be too careful. He *does* have a huge beard. Lots of terrorists have huge beards. So if you're having an affair, best not to communicate via e-mail, because that evidence may be used against you in court. I wish I was kidding, but this is going to happen now. Divorce will occur, the house will be contested, the man or wife may suspect infidelity and the evidence — all e-mail, who they were sent to and when — *is now recorded*. Don't need a telescope to see this one coming. But what's being discussed now is deep packet inspection, which means actually recording the data content - what you actually wrote in your e-mail, the comment you typed on a web-site, etc. So basically EVERY communication you have on the net is recorded by the Government and stored for however many years it is. So when you write to your wife about the fantastic sex you had last night, it's recorded. When you e-mail a friend about your private sexual fantasies, it's recorded. When you discuss the abuse you experienced as a child from your parents, it's recorded. For anti-terrorism purposes. I mean, there's absolutely no evidence whatsoever that you are, or could ever be, under any circumstances WHATSOEVER, a danger to anyone. If there was enough evidence that you could be convicted in a court of law after due process, you would already be in that court of law. That evidence does not exist. 
But every detail, everything you write on-line, would be recorded by the State. Monitored. Read by software operated by a stranger, sometimes read by strangers, apparently to see if they can find people writing things which give them away as terrorists. On a related note, the "e-borders" scheme has started rolling out in the UK. http://www.telegraph.co.uk/news/uknews/4987415/All-travel-plans-to-be-tracked-by-Government.html Every single person entering or leaving the UK must provide their travel plans. Where they're going, how long for, what for, who with, etc. Recorded, with complete unoriginality, in a huge database for however many years. I haven't read about the judicial violence to be used in the event of non-compliance; presumably you will not be allowed to enter the country. I'm wondering what will happen if you are *inside* and you want to get *out*. Will you be refused exit from the country? Or will you be fined? If you keep refusing, what happens then? Thousands of pounds' worth of fines? Coverage is expected to be about 60% by the end of this year. The Government uses judicial violence (fines, prison sentences) to compel obedience to their demands. I am *forced* to have my private affairs violated. On what basis is this done? The only ethical justification can be self-defence, of oneself or on behalf of others. There is no such justification, for there is no reason whatsoever to think me a danger to anyone. To be sure, it may be that there are a very, very, *very* few (a couple of thousand, out of 61,000,000 people) who are a danger, but it cannot be known who they are; but there is a certain level of risk which cannot practically be reduced whilst retaining liberty and freedom. It is possible to reduce that risk if you eliminate liberty and freedom. Watching everyone, all of the time, reduces that risk and eliminates liberty and freedom.
Historically, we have had a police force and an intelligence service to deal with these problems and have chosen to retain liberty and freedom. Spending 1,200 million pounds to compel all 61 million people to expose their private affairs and have those affairs permanently stored in a database is both profoundly unfree and also profoundly inefficient. That money would achieve far better results going into the police and intelligence services. I have to say, I am thoroughly miserable and depressed by all of this. I have all the material needs and comforts in the world; and I am deeply unhappy. The Government, in my view, has missed the point of existence. As an aside, I left the UK (for Amsterdam) nine months ago. I will not be returning while these monstrous schemes exist.
IMCA Safety Flash 18/08, December 2008

These flashes summarise key safety matters and incidents, allowing wider dissemination of lessons learnt from them. The information below has been provided in good faith by members and should be reviewed individually by recipients, who will determine its relevance to their own operations. The effectiveness of the IMCA safety flash system depends on receiving reports from members in order to pass on information and avoid repeat incidents. Please consider adding the IMCA secretariat (email@example.com) to your internal distribution list for safety alerts and/or manually submitting information on specific incidents you consider may be relevant. All information will be anonymised or sanitised, as appropriate. A number of other organisations issue safety flashes and similar documents which may be of interest to IMCA members. Where these are particularly relevant, these may be summarised or highlighted here. Links to known relevant websites are provided at www.imca-int.com/links Additional links should be submitted to firstname.lastname@example.org

Failure of Pipe Handling System Causes Injuries and Fatalities

A member has reported an incident in which the failure of a J-lay pipe-handling system caused two pipes to be dropped, one of which caused injuries to eight people, four of whom died as a result. During pipe-laying operations, a system failure in the hydraulic pipe handling system of the J-lay tower (JLT) caused two quadruple joints being handled at the same time in two different areas of the tower to drop suddenly. Each piece of pipe was 50m long with a diameter of 24" and weighed approximately 20 tons. Just prior to the incident the pipe-laying operation was stopped. Operators reported a system failure and that the hydraulic power had been lost. Such an occurrence was not particularly unusual and, in line with company procedures, this was investigated immediately.

A team of technicians led by the chief electrician tried without success to resolve the problems. After these attempts, a more in-depth analysis was made. It was decided, on the basis of input from the system diagnostics, to perform a memory reset. Following this the system appeared to be running correctly. This was the first time that a full memory reset was requested by the internal diagnostics of the control system during a project operational phase. Only after all indications that everything was in order and all systems were up and running again was the instruction given to the operator to restart the hydraulic packs. As soon as the hydraulic power packs were started, a loud bang was heard along with the noise of the hydraulic systems. One quadruple joint within the J-lay tower, held by the transfer system, was released and fell about a metre to the upper welding deck. At the same time, the quadruple joint held by the pipe elevator at the top of the J-lay tower was also released from its clamps and the hydraulic safety stop swung away, allowing the pipe to fall the full height of the tower, smashing through the access platform located outside the non-destructive testing/coating station to the lower deck below. All the people who were injured had been on the access platform which was destroyed. The force of impact caused some of the injured persons to fall down on to the lower deck at the base of the pipe-lay tower and some to be thrown overboard. Eight persons were injured, two seriously and two slightly. Four of the injured persons died as a result of their injuries.

The primary causes of the incident were found to be:

* Sudden release of the two quadruple joints was caused by a failure in the conceptual design of the control system software. The program relevant to the JLT initialising instruction was pre-loaded in the erasable programmable read-only memory (EPROM) of the programmable logic controller (PLC) with the instruction to open all clamps. Members are recommended to investigate the possibility that this could happen to the PLC-based control systems on equipment on their vessels.

* The unnecessary presence and uncontrolled access of working personnel on to the access platform destroyed by the falling pipe exposed personnel to suspended load/dropped object hazard.

Following investigation of the incident, a number of corrective actions were put in place by the company:

- The first primary cause was resolved with the removal of the EPROM memories from the system;
- The second primary cause has been addressed by a revision of the vessel and JLT working methodologies; pipe handling activities have been reconsidered through a dropped object philosophy in order to identify mechanical and electrical barriers, additional controls, and a new set of operational procedures:
  * Electrical controls:
    - a number of clamp opening operations were prevented by adding electrical circuit breakers
    - all critical sequences will be called by PLC and must be confirmed by operator via electrical push buttons;
  * Mechanical controls:
    - different systems have been and will be implemented to prevent the vertical pipe drop in any section of the JLT, to restrain lateral pipe movement and fall and to secure the pipe until the internal line up is completed in the upper welding station
    - an additional public address system was installed for use during quadruple joint loader lift, and audible and visible alarms for elevator movements
    - a safety net was installed underneath the J-Lay tower platforms to guarantee protection against persons falling overboard;
  * Procedures were revised in light of the incident, with the following points highlighted:
    - all pipe handling activities are to be considered as working under suspended loads
    - the immediate area around the JLT is restricted to essential personnel only
    - transit to and from the JLT to be controlled by dedicated watchmen
    - no personnel at all allowed in certain areas during J-lay operation
David H Smith MIET, MBCS, MACMm, Frazer-Nash Consultancy Ltd., Unit 11, Herringston Barn, Herringston, Dorchester, Dorset DT2 9PU, UK 01305 217910
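The IMCA flash above turns on one design decision: the PLC's initialisation routine commanded every clamp open, and the command took physical effect the moment hydraulic power came back. The following is an added model to illustrate the fail-safe alternative and the corrective action described (operator push-button confirmation of critical sequences); it is not the vessel's PLC program, and the clamp names, the "lined up" flag and the two replay sequences are constructed for the example.

```python
from enum import Enum


class Cmd(Enum):
    HOLD = "hold"   # clamp closed on the pipe
    OPEN = "open"   # clamp released


class TowerModel:
    """Toy model of the J-lay tower clamp controller (an assumption for illustration,
    not the vessel's PLC program). Each clamp has a commanded state kept in
    controller memory and a physical state that only follows the command while
    hydraulic power is available, which is why a stale command is dangerous."""

    CLAMPS = ("elevator", "transfer")  # constructed names for the two clamps in the report

    def __init__(self):
        self.commanded = {c: Cmd.HOLD for c in self.CLAMPS}
        self.physical = {c: Cmd.HOLD for c in self.CLAMPS}
        self.loaded = {c: True for c in self.CLAMPS}      # both clamps hold a joint
        self.lined_up = {c: False for c in self.CLAMPS}   # pipe secured by another support?
        self.hydraulic_power = True

    def lose_hydraulics(self):
        self.hydraulic_power = False

    def reset_unsafe(self):
        """Pre-incident behaviour from the report: the initialisation routine held
        in EPROM commands every clamp OPEN as part of the memory reset."""
        for c in self.CLAMPS:
            self.commanded[c] = Cmd.OPEN

    def reset_safe(self):
        """Fail-safe alternative: initialisation re-asserts HOLD on every clamp; a
        release has to be requested afterwards and confirmed by an operator."""
        for c in self.CLAMPS:
            self.commanded[c] = Cmd.HOLD

    def request_open(self, clamp, operator_confirmed):
        """Models the corrective action: the PLC may propose a release, but it takes
        effect only on an explicit operator confirmation, and a loaded clamp may
        not release until the pipe is lined up and secured elsewhere."""
        if not operator_confirmed:
            raise PermissionError(f"{clamp}: open requires operator confirmation")
        if self.loaded[clamp] and not self.lined_up[clamp]:
            raise RuntimeError(f"{clamp}: pipe not secured, refusing to release")
        self.commanded[clamp] = Cmd.OPEN

    def restore_hydraulics(self):
        """Power returns and the actuators follow the commanded states. Returns the
        clamps that released an unsecured pipe, i.e. the dropped-object events."""
        self.hydraulic_power = True
        dropped = []
        for c in self.CLAMPS:
            self.physical[c] = self.commanded[c]
            if self.physical[c] is Cmd.OPEN and self.loaded[c] and not self.lined_up[c]:
                dropped.append(c)
                self.loaded[c] = False
        return dropped


def replay_incident():
    """Sequence from the report: hydraulics lost, memory reset, hydraulics restarted."""
    t = TowerModel()
    t.lose_hydraulics()
    t.reset_unsafe()
    return t.restore_hydraulics()


def replay_with_safe_init():
    """Same sequence, but with a fail-safe initialisation routine."""
    t = TowerModel()
    t.lose_hydraulics()
    t.reset_safe()
    return t.restore_hydraulics()


def open_attempt_outcome(operator_confirmed, lined_up):
    """Exercise the guarded release path after a safe reset."""
    t = TowerModel()
    t.reset_safe()
    t.lined_up["elevator"] = lined_up
    try:
        t.request_open("elevator", operator_confirmed)
    except PermissionError:
        return "refused: no operator confirmation"
    except RuntimeError:
        return "refused: pipe not secured"
    return "open commanded"


if __name__ == "__main__":
    print("unsafe init drops:", replay_incident())
    print("safe init drops:", replay_with_safe_init())
```

The point the model makes is that the reset itself is not the hazard; the hazard is an initial state that is unsafe for the load the equipment happens to be holding, combined with actuators that apply whatever is in memory as soon as power returns. A reset that re-asserts the holding state and an open that needs a confirmed operator action and a secured pipe both remove the path from "memory reset" to "pipe released".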
There I was listening to the mosquitoes, when it dawned on me that just like mosquitoes, you just can't stamp out spam e-mail. And just like mosquitoes are a good indicator of environmental health, spam is a good indicator of network health, for the common man. If there was a Silent Spring spam-wise, you had better check to see if you are really getting all of your legitimate e-mail too! Likewise, spam phone calls are nature's way of helping you check the circuits.
I've been using Apple's MobileMe synchronised online services for contacts, calendar and file sharing on a number of Macs of varying ages, as well as my iPhone. It works fine under OS X 10.5 (Leopard), but has always seemed a little wobbly under 10.4 (Tiger): contacts occasionally not showing up, bits of the calendar not appearing, to-do items vanishing, that kind of thing. Nothing too worrying, since it's always seemed to be a local display problem under Tiger, and MobileMe's "cloud" has always had a complete set of data. A couple of days ago, the synchronisation process on an old PowerBook running Tiger went a bit off the rails, and it complained about data clashes, offered options to merge, and so on. I clicked the "overwrite this computer with contents of MobileMe" button, and before I knew it, my entire contact database had been wiped - *poof*. (Well, all except a single contact in Australia.) In a state of some annoyance, I checked my iPhone. Contact database gone - *poof*. I checked MobileMe online at www.me.com. Contacts - *poof*. Well, I will say this for MobileMe: their over-the-air synchronisation does indeed seem to be fast and efficient. Faced with a Plan A recovery procedure of waiting on hold for a MobileMe Support chat session with Apple (whilst needing to get out to a client site, ideally with a non-empty iPhone), I opted for Plan B: rush upstairs, pull the ethernet cable from the (Leopard) Mac mini, fire up Address Book and export contacts to a file, plug in ethernet, synchronise, re-import contacts, synchronise again. So, the obvious risks: (i) a rogue client can quickly and efficiently wipe out a dataset in a high-speed, wireless network service, and some devices (like the iPhone) are always linked to it. (ii) A cloud is not a backup. Wipe the data in a cloud, and the wipe will propagate everywhere just like you told it to - there isn't an accessible "previous version" to go back to. See also: "A RAID Device is Not a Backup." 
(Luckily, I had an inadvertent backup on the Mac mini.) "But," my inner newbie says, "I'm running the Time Machine backup software on the MacBook Pro. Why don't I just roll back to an earlier Address Book?" Well, despite Apple's claims that Time Machine "backs up everything", it really is just a file backup program, and the contacts and calendar information lives in some invisible database somewhere, out of the backup regime.(*) So, risk (iii): assuming that a backup program will work on important data which is not obviously file-based. (*) While I think about it, this might also be due to the fact that I run Apple's FileVault encryption on my home directory, and Time Machine has trouble with this as well: FileVault maps a directory structure to a sparse disk image, so Time Machine can only back up the image when I log out (infrequently), and can only roll back the entire image, not its contents. So, risk (iv): assuming that a transparent piece of technology (on-the-fly encryption) is also transparent to the other tools that you rely on. Nick Rothwell / Cassiel.com Limited www.cassiel.com
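Risks (i) and (ii) above, a rogue client wiping a dataset and the wipe propagating with no previous version to go back to, are both addressed by two controls in the sync service itself: snapshot whatever an overwrite replaces, and hold an overwrite that would delete most of the records until a human confirms it. The following is an added illustration of those controls, not MobileMe's code or protocol; the store layout, the 50% threshold and the 200-contact sample dataset are constructed for the example.

```python
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class SyncStore:
    """Toy versioned contact store (an assumption for illustration, not MobileMe's
    protocol). `current` is the live dataset; `history` keeps a snapshot of every
    dataset an overwrite replaced, so a 'previous version' always exists."""
    current: dict
    history: list = field(default_factory=list)


class OverwriteHeld(Exception):
    """Raised when an overwrite would remove too much; nothing is applied."""


def apply_overwrite(store, incoming, *, max_delete_fraction=0.5, confirmed=False):
    """Replace store.current with `incoming` (the 'overwrite with contents of the
    server' action). Two safeguards the post's scenario lacked:
      1. the replaced dataset is snapshotted first, so a rollback is possible;
      2. if the overwrite would delete more than max_delete_fraction of the
         records, it is held until a human explicitly confirms it."""
    removed = set(store.current) - set(incoming)
    if store.current and not confirmed:
        if len(removed) / len(store.current) > max_delete_fraction:
            raise OverwriteHeld(f"would delete {len(removed)} of {len(store.current)} records")
    store.history.append(deepcopy(store.current))
    store.current = dict(incoming)
    return store


def rollback(store):
    """Restore the most recent snapshot; returns the number of records recovered."""
    if not store.history:
        return 0
    store.current = store.history.pop()
    return len(store.current)


def sample_contacts(n):
    """Constructed sample data: n contacts keyed by a synthetic id."""
    return {f"c{i:03d}": {"name": f"Contact {i}"} for i in range(n)}


def wipe_scenario():
    """A client pushes a one-record dataset over a 200-record store, as in the post
    (where a single Australian contact was all that survived). Returns what the
    guard did and how many records the store holds afterwards."""
    store = SyncStore(current=sample_contacts(200))
    survivor = {"c199": store.current["c199"]}
    try:
        apply_overwrite(store, survivor)
        return "applied", len(store.current)
    except OverwriteHeld:
        return "held", len(store.current)


def forced_wipe_then_rollback():
    """The same wipe with a confirmed overwrite, then recovery from the snapshot."""
    store = SyncStore(current=sample_contacts(200))
    apply_overwrite(store, {}, confirmed=True)
    after_wipe = len(store.current)
    recovered = rollback(store)
    return after_wipe, recovered


if __name__ == "__main__":
    print("unconfirmed wipe:", wipe_scenario())
    print("confirmed wipe, then rollback:", forced_wipe_then_rollback())
```

Ordinary edits (a contact deleted here and there) stay under the threshold and apply immediately, so the guard costs nothing in normal use; only the near-total deletion that the "overwrite this computer" button produced is held. The snapshot list is what makes the cloud copy something other than the only copy.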
I purchased a domain name with the longest expiry period available, 10 years. But I am quite sure that at that time I'll be running around like a chicken with its head cut off. Any longer than two years and if you're like me or Maxwell Smart, you'll say "The old 'Domain Name Expiring Soon' reminder spam e-mail trick? I'm not falling for that again! Ha, and here's another, purporting to be sent from my very own cron job. Meet the Delete key!" Any longer than five years and well, the guy who sold you the domain had better still be in the phone book, because I can't navigate the renewal interface or find the contact form. Any longer than ten years, well, he and his company had better be in good health because I forgot the password. Any longer and ... pass the Geritol. Sure, transfers among users or registration companies would be fine. Those are all initiated by people who know what they are doing. But just as the hardware and software of 10 years ago may likely not be plugged in, don't expect the user to be either. Thus domain name registration should only be allowed for 1, 2 and 100 years. OK, I mean lifetime.
There are a few other problems with the ESTA website — which should have been sorted out well before making the system mandatory prior to travel. My experiences are that it only takes a few minutes to return an authorisation - BUT that it takes more than a few minutes to enter all of the info required. AND the system doesn't seem to remember anything. Recently I obtained authorisation to visit the USA on Visa Waiver to spend my hard earned credit crunch tourist dollars there. At an Internet Cafe I spent an inordinate amount of time entering all of the info. required by ESTA. However I could not print anything out at the time. So when I visited a friend's house who had a printer I opened up the ESTA record only to find that it had 'forgotten' ALL of my info. and that I had to re-enter it all. As an airline employee I sometimes have to fly to the USA on 'wait-listed' standby. If I am denied boarding for my listed flight I can list on the next one, but then I have to update my APIS record, and also the ESTA record. The APIS system remembers all my details and it is easy to update them to the new flight. BUT ESTA does not remember anything and I then have to type ALL of the info. back in. It would also help if all of the scam ESTA websites were closed down - they charge outrageous fees for what is a free service.