Dear Colleagues, This is exciting news for those committed to cultural sensitivity in the pursuit of science and technology.

Mich M. E. Kabay, PhD, CISSP-ISSMP, CTO & Prog Dir, MSc in Info Assurance
School of Graduate Studies, NORWICH UNIVERSITY +1.802.479.7937

-----Original Message-----
From: Olga Koksharova [mailto:firstname.lastname@example.org]
Sent: Wednesday, April 01, 2009 04:21
Subject: Press Release: ElcomSoft to Recover Passwords with a Tambourine

1 Apr, 2009 — ElcomSoft Co.Ltd. introduces Password Recovery Tambourine <http://tambourine.elcomsoft.com>, a supernatural amulet to recover lost passwords with a 100% guarantee. The new tambourine is produced with genuine deer skin and requires training supervised by a qualified Yakutsk shaman. By offering a guaranteed, 100% password recovery rate, ElcomSoft leaves the competition behind once and forever.

Why Password Recovery Tambourine

Passwords affect people's lives. Lost and forgotten passwords can cost a life or a job. Striv[ing] to provide a solution to improve people's lives, ElcomSoft makes software for helping its customers recover passwords <http://www.elcomsoft.com/products.html> they've lost or forgotten. The company's password recovery tools are extremely effective, and literally save lives and jobs every other day. However, not all types of encryption are created equal. Some companies make an exceptionally good effort at protecting information, and use really secure algorithms from time to time. If a really secure password is used with those algorithms, the protected data is as good as gone.

Background

Universal cryptanalysis methods do exist. Government agencies, intelligence services and, in some countries, even police have successfully used methods such as rubber-hose cryptanalysis <http://en.wikipedia.org/wiki/Rubber_hose_cryptanalysis> for years. Rubber-hose cryptanalysis allows passwords and keys to be discovered in a surprisingly short time. The method is quite computationally inexpensive.

However, commercial use of this method is limited due to legal restrictions in most countries. ElcomSoft started a quest to develop a universal cryptanalysis method that is at least as effective as rubber-hose, but comes with no penalty of being inhumane or restricted to exclusive use by government agencies.

Development History

Several unsuccessful attempts were made to design the ultimate password recovery tool. Using a crystal ball seemed like a great idea at first, but was quickly rejected. A rabbit's foot seemed a better idea for some time, but subsequent tests demonstrated that the foot could only solve certain network problems with corporate LANs, and only when used by qualified system administrators. A voodoo doll was a total nightmare, doing anything but recovering passwords.

The first ray of hope shone after one of ElcomSoft's employees was sent to Yakutia, a freezing province in Russia with real bears. He brought a shaman's tambourine that was used regularly by the local tribe's shaman to find missing things. ElcomSoft has conducted full-scale scientific research of the new tool, spending endless hours chatting with Yakutia locals and shamans who use tambourines more often than we use our toothbrushes. More than two hundred ritual dances have been performed, and today, ElcomSoft is proud to announce that the ultimate tool to recover lost passwords that cannot be recovered in a traditional way has emerged.

About Elcomsoft Password Recovery Tambourine

Elcomsoft Password Recovery Tambourine is anything but easy to use. A special supervised training program must be completed, stunts and tricks have to be learned, and spells in the Yakutian language must be mastered. The price is barely affordable.

A variety of models is available. The Standard model works for most users without special needs. Simple, reliable, not too expensive. The Corporate model is based on the standard tambourine, and it can work with hundreds and thousands of documents at a time. Special team training is required. The Pocket version is easy to take on a trip, but it has some restrictions, supporting less exotic formats than its bigger siblings. A comprehensive, 200-page manual is shipped with every tambourine.

To order or get more information on Elcomsoft Password Recovery Tambourine visit http://tambourine.elcomsoft.com/

[Info on ElcomSoft Co Ltd. legitimate, but truncated as inappropriate for RISKS. PGN]
> When there's a shared calendar infrastructure and it's buggy, everyone
> ends up at the wrong time.

Patrick Lincoln noted that if *everyone* used Google calendar, everyone else would have been on the telecon at the "wrong" time — which would have been the right time! So the risk is that not enough people are sharing the same calendar system. He proposed that we lobby for a federal law that requires everyone to use Google calendar to avoid this risk.

Jeremy responded to Pat that what may make things a bit easier is that the stimulus package allocated $3.2B to Google to move the calendar 15 minutes ahead, preserving America's technological lead (by 15 minutes). So those people who don't switch to Google calendar will be perennially 15 minutes late. Since the first 15 minutes of a meeting are frequently wasted with getting everyone into the room, on the phone, etc., this means that non-Google calendar users will have the advantage of being more efficient, possibly offsetting the job creation value of the stimulus spending. Is that close enough to your proposed federal law?

Pat replied, ``That's an excellent first step, but doesn't achieve the entire aim of my proposed law. Also, since the entire Internet and everything it is attached to is going to be destroyed today by Conficker, one other important aspect is a key invention, a survivable carbon-based two-dimensional human-readable storage medium for Google calendar information.
Woman follows GPS, gets stuck in snowmobile trail, 1 Apr 2009
http://www.boston.com/news/odd/articles/2009/04/01/woman_follows_gps_gets_stuck_in_snowmobile_trail/

Deputy Keith Svoboda said it took a while to find her and much longer to get heavy equipment in to free the vehicle. Deputies dropped her at a motel for the night. Svoboda said the lesson is, "People shouldn't believe everything those things tell you."

[Especially on April Fools' Day! PGN]
I am not sure if this is a computer risk in the general sense, but I feel we will see more of this type of problem (32-bit signed integer vs unsigned integer) in embedded devices for consumer electronics and elsewhere for some time to come, and so I am reporting it here.

First the public fact. NEC, a large electronics company, and its subsidiary NEC Access Technica have announced that their line of DSL routers with an IP-phone feature, which are used by many Japanese ISPs including the giants NTT East and NTT West, has a software bug: after continuous use of 2485 days, the router no longer allows telephone functions. (Internet access is still usable, though.) The problem can be fixed by a firmware upgrade, or for that matter, if power recycling is done, the problem is shifted another 2485 days into the future.

(Actually, I saw somewhere that NEC and NEC Technica were looking into problems reported on a different line of routers when they learned of the potential for similar problems. And when they checked the firmware of other products, they found the newly reported problems. I am not sure where I read it. I can't locate it any more. Maybe I read it in the letter which was sent by an ISP to notify me of the problem, urging me to update the firmware of the said affected router.)

The cause of the bug? The various reports I read didn't mention what the real cause of the "software" problem was, but I guessed that it must be related to the use of a 32-bit integer for counting inside the firmware. To wit, the problem interval in seconds is

  T = 214704000 [seconds] (= 2485 [days] * 24 [hours/day] * 3600 [s/h]).

One day shorter, T', is

  T' = 214617600 [seconds] = 2484 [days].

Also,

  2 ** 32 = 4294967296
  2 ** 31 = 2147483648

We can see the following holds:

  (T' * 10) < 2**31 < (T * 10) < 2 ** 32

My conclusion: A certain integer counter is incremented at 1/10 sec intervals within the software using 32 bits of data, starting from 0 after power-up. Internally, the firmware code regards this data as "signed" and suddenly, somewhere between the 2484th and 2485th day, this counter becomes "NEGATIVE", wreaking havoc within the code and rendering the phone function useless.

Observation: When I was checking web pages to write this submission, I noticed a bug report that different routers used for IP phones over optical fiber had a similar problem after 249 days. This was found last summer. Obviously 249 days is much shorter than 2485 days, and some people suffered from the bug last year. In this case, I think the counter is incremented every 1/100 second. Maybe this discovery led to the massive review of the router firmware.

I noticed that similar problems concerning integer size and its signedness have occurred when
 * file sizes began exceeding the 2GB limit (again the 31/32 bit boundary),
 * the address space was extended to 64 bits from 32 bits.

I noticed the first file size problems starting around the time Solaris and other Posix-based systems began offering large file size support. Also, to this day, unmaintained shareware on Windows often has problems when we try to handle a large file (2GB) like an ISO image on Windows. The symptoms are many. But one symptom that suggests the use of a signed integer to check for the remaining file space is a message that says I don't have enough space although I have more than enough (actually larger than 2GB of free space). I have checked that in many cases, if I create a very large dummy file to shrink the remaining free file space to less than 2GB, then these unmaintained programs proceed without a hitch or run into other size-related problems later.

I noticed the second, address space, problems when Linux was ported to the x86 architecture with a 64-bit address space: many device drivers as well as applications began failing. Solaris for x86 also saw many third party drivers facing similar problems when the 64-bit address space was supported on the x86 architecture. (Solaris for Sparc has supported a 64-bit address space for many years and I don't remember particular problems.)

We can now add the use of timers/counters to the causes that may trigger careless errors in applications. We have already seen cases where a counter goes over the allocated bits and repeats again from 0, thus causing software problems in the past: I think the early version of Windows NT had a problem of requiring a reboot every 49 days or so for certain applications. (Counters incremented every 1/50 sec?)

As more consumer devices (as well as industrial machines) are equipped with 32-bit CPUs, and more programmers who are accustomed to the luxury of 32-bit CPU programming under a non-embedded OS have begun to develop software for embedded devices, we may see similar problems in the embedded system space more often. We have seen many already, but I am afraid that this trend will continue.

BTW, routers are complex devices and some literally have Linux inside. I was somewhat surprised recently to see the GNU General Public License repeated verbatim in print inside the manual of my Toshiba hard disk recorder. Obviously, certain code used inside is based on GPL'ed code. When I think about the growing pains that drivers and the OS itself had to go through when larger file sizes and address space extensions were introduced, I have an uncomfortable feeling about trusting the complex operations on such products unless software patches are readily available. But how are we supposed to "patch" hard disk recorder software? If the power cord is accidentally removed during patching, what happens?! Does the hard disk recorder store the "patch" program in a separate place, preferably a ROM or something, so that glitches during patching cannot corrupt such software?

Embedded system programming requires a certain different mindset, but I am afraid that not many programmers are trained to develop such a mindset in the educational system and even in the industry in general. I feel this way because the lessons of the problems with NT don't seem to have been learned by the would-be developers of today. I am reporting the problem here today so that at least someone can point out that such a problem has been public knowledge for a long time when a similar problem happens again in the future.
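As an added illustration of the signed-counter hypothesis in the post above (example code written for this digest, not from the post and not NEC's firmware): it computes the uptime at which a 32-bit tick counter first reads as negative for the 1/10 s and 1/100 s tick rates the author proposes, and the unsigned wrap for a 1 ms tick (the 49-day case), and shows a signed deadline comparison failing once the counter passes 2^31 ticks beside the unsigned-subtraction form that survives both wraps. The tick rates and timer values are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed tick rates matching the cases discussed in the post. */
#define TICKS_DSL_ROUTER   10.0    /* 1/10 s tick, the 2485-day failure   */
#define TICKS_FIBER_ROUTER 100.0   /* 1/100 s tick, the 249-day failure   */
#define TICKS_NT_MS        1000.0  /* 1 ms tick: 2^32 ms is about 49.7 days */

#define SECONDS_PER_DAY 86400.0

/* Uptime in days after which a 32-bit counter started at 0 first reads as
 * negative when the firmware treats it as int32_t, i.e. when bit 31 is set
 * for the first time: tick number 2^31. */
double days_until_signed_wrap(double ticks_per_second)
{
    return 2147483648.0 / ticks_per_second / SECONDS_PER_DAY;
}

/* Uptime in days after which a uint32_t counter wraps back to 0 (tick 2^32). */
double days_until_unsigned_wrap(double ticks_per_second)
{
    return 4294967296.0 / ticks_per_second / SECONDS_PER_DAY;
}

/* Deadline check in the style the post hypothesises: the tick counter is
 * compared as a signed value.  Correct for the first 2^31 ticks; after that
 * `now` appears hugely negative and every pending timer stops firing.
 * (The cast of a value above INT32_MAX is implementation-defined in C; on
 * the usual two's-complement compilers it simply reinterprets the bits.) */
bool timer_expired_buggy(uint32_t now, uint32_t deadline)
{
    return (int32_t)now >= (int32_t)deadline;
}

/* Wrap-safe check: unsigned subtraction is defined modulo 2^32, so the
 * difference is small once the deadline has passed and has bit 31 set while
 * the deadline is still in the future.  This works across both the signed
 * boundary and the 2^32 wrap, provided no timer is scheduled more than
 * 2^31 ticks ahead. */
bool timer_expired_safe(uint32_t now, uint32_t deadline)
{
    return (uint32_t)(now - deadline) < 0x80000000u;
}

int main(void)
{
    printf("1/10 s tick:  signed wrap after %.2f days\n",
           days_until_signed_wrap(TICKS_DSL_ROUTER));
    printf("1/100 s tick: signed wrap after %.2f days\n",
           days_until_signed_wrap(TICKS_FIBER_ROUTER));
    printf("1 ms tick:    unsigned wrap after %.2f days\n",
           days_until_unsigned_wrap(TICKS_NT_MS));

    /* A timer that fell due 21 ticks ago, checked just after the counter
     * crossed 2^31: the signed compare misses it, the safe one catches it. */
    uint32_t now = 0x80000005u, due = 0x7FFFFFF0u;
    printf("buggy check says expired: %d, safe check says expired: %d\n",
           timer_expired_buggy(now, due), timer_expired_safe(now, due));
    return 0;
}
```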
FYI — Regardless of the date, this technology appears to be genuine. I guess the ultimate use of this technology would be for medical devices like heart pacemakers and defibrillators...

On a Gibbs family trip to Topeka, the littlest passenger wouldn't shut up. `Beep-beep-beep' recalled Michelle Gibbs, mimicking the palm-sized device installed by her used-car dealer under the dash of the Honda Accord. ``Try driving back for two hours with three kids in the car and that sound: Beep-beep-beep. It's very annoying, but for the most part, it's the best thing to happen to us.'' The beeping was a reminder that 24 hours remained before a car-loan payment had to be made — or else the vehicle would fail to start after that, courtesy of `electronic repossession'. The Gibbses made it home to Blue Springs, punched in a one-time emergency code provided by the dealer to keep the car operable and then drove to the dealership to deliver the delinquent payment. It was the first time in five years they had been late on a payment.

[Source: Rick Montgomery, *The Kansas City Star*, posted on 1 Apr 2009, PGN-ed]
http://www.kansascity.com
Besides the issues of security & upload speed, when you use an off-site backup service, you assume that they are smart enough to not lose your data...and don't have problems of their own. But...

Online backup service provider Carbonite is suing storage vendor Promise Technology, saying repeated failures of Promise gear have caused "significant data loss" at Carbonite. In the lawsuit, filed 20 Mar 2009 in Suffolk County Superior Court in Boston, Carbonite said it bought more than US$3-million worth of Promise VTrak RAID products beginning in 2006. In several incidents starting in January 2007, the service provider suffered data loss because the Promise gear failed to support recovery from physical drive errors and array errors. The data losses caused "substantial damage" to Carbonite's business, the company alleged. ... However, in a written statement following news reports on the case, Carbonite elaborated on the failures to say a smaller number of customers actually lost their own data. All customer backups involving the failed equipment were restored immediately and automatically, the company said.
<http://www.pcworld.com/article/161819/backup_provider_carbonite_loses_data_sues_vendor.html?tk=rss_news>

(Promises, Promises... or should I say Diamond, not Carbonite, is a bit's best friend?)
http://www.boston.com/news/odd/articles/2009/04/02/dominos_dishes_out_11000_free_pizzas_by_mistake/
AP, datelined Cincinnati, 2 Apr 2009

"Bailout" was the magic word as Domino's had to give away thousands of free pizzas because someone stumbled on an online promotion the company scrapped. Domino's Pizza Inc. spokesman Tim McIntyre said Wednesday that the company prepared an Internet coupon for an ad campaign that was considered in December but not approved. He says someone apparently typed "bailout" into a Domino's promo code window and found it was good for a free medium pizza. Word about the code spread quickly Monday night on the Web and 11,000 free pizzas were delivered before it was deactivated Tuesday morning. Cincinnati-area franchise owner John Glass says his 14 stores gave away more than 600 pies, but that Domino's promised to reimburse him.

[Also noted by Max Power. PGN]
http://www.theage.com.au/articles/2009/03/30/1238261487308.html

Australia has had quite a lot of DST rule changes in recent years. However, this year the clocks are going back according to the same rule as last year (first Sunday in April, except Western Australia changed on the last Sunday in March). Even so, people are still having problems with incorrect automated timezone changes.

The risks here include sophisticated mobile phone software that is difficult to update (I can't update my phone because I don't own a copy of Windows); a complicated service model in which it's unclear who is responsible for DST updates (my phone has an option to get its time from the network, even though it is tied to a network that doesn't provide the service, and its clock is accurate enough that the lack of synchronization isn't clear until there's a DST change); and of course pointless political fiddling with the DST schedule.

f.anthony.n.finch <email@example.com> http://dotat.at/
The Australian government is seeking to introduce a blacklist for ISPs to block inappropriate sites about children before they reach the user. All the usual parallels to the Chinese government, etc., and not actually educating the children or stopping the problem.
http://www.news.com.au/couriermail/story/0,23739,25262805-952,00.html

Mid-March 2009. In Queensland, Australia, at least 100 patients have had their relevant medical history, current medications, as well as their next of kin, displayed on a pathology company's website. They were meant to be made available to treating doctors, but became available to all. The CEO is reported to have been very defensive rather than seeking to resolve it and advise the relevant persons. It was also raised that there was no law requiring affected persons to be advised.
http://www.news.com.au/couriermail/story/0,23739,25253159-3102,00.html
http://www.news.com.au/couriermail/story/0,23739,25260243-3102,00.html
A classical encoder-mode Risk: Essentially what this means is that Adult Channels (and other sensitive content channels) in the UK are obliged to have redundant crypto encoders for the transmission of their content. The crypto itself is not at fault, but the crypto device oversight is. Often these devices are set into "test mode" or the "defeat switch" is on. If the network used 2nd party encoding (essentially outsourcing beyond the network transmission studio and switch) then the 2nd party may be obliged to pay or split the fine. British media regulator Ofcom has fined Playboy TV 22,500 pounds ($32,990) for airing sexually explicit images in breach of broadcasting rules, claiming Playboy One had broadcast unencrypted raunchy, and what the watchdog deemed offensive, material until September 2008. Ofcom had received five complaints relating to seven late night programs broadcast between September and December 2007. ``Depending on the individual breach, the explicitness, strength and, or, sustained nature of the sexual content and language was unacceptable for broadcast on an unencrypted free-to-air channel.'' Ofcom said Playboy TV UK/Benelux Ltd had failed to ensure adequate protection for viewers from `potentially harmful or offensive material'. [Source: Reuters item, 2 Apr 2009; PGN-ed] http://www.reuters.com/article/oddlyEnoughNews/idUSTRE5314IR20090402
"Ten years ago, the replacement of pencils and ballot papers by machines was seen as a badge of modernity. But technology was not sufficiently advanced to guarantee security of the new system." I disagree with this assertion. I think the technology is /too/ advanced to guarantee security of the system. I'm reminded of Clarke's 3rd law: "Any sufficiently advanced technology is indistinguishable from magic." We cannot have a trusted system of democracy if voting works by magic. Voting needs to work in a way that everyone can fully understand.
First, a little history about the competition: In 2005, the Open Security Foundation launched the Oldest Vulnerability contest for one of our other projects, the Open Source Vulnerability Database, and from it came vulnerabilities dating back as far as 1965. The winner, Ryan Russell, found a password file disclosure vulnerability from January of 1965, and helped OSVDB nail down several other old vulnerabilities. That contest resurfaced in our memories recently, and we've decided to do the same thing for DataLossDB.

What is the oldest documented data loss? As far as what is currently in DataLossDB, it is from January 10, 2000 when a hacker claimed to have stolen 300,000 credit card numbers from CD Universe. We believe there are plenty of data-loss incidents that happened prior to CD Universe. Does anyone have an older incident they can submit to DataLossDB? We want it, and we'll reward you for it!

Find us the oldest documented Data Loss Incident. The oldest three submissions will receive prizes from our wonderful sponsors. In addition, you'll be able to bask in the fame of being the researcher, or Data Loss Archaeologist, who uncovered the oldest documented Data Loss Incident. Incidents submitted don't have to be older than the CD Universe breach. For instance, the oldest Stolen Computer breach in the database occurred in 2003. So, submit what you find! You might find the oldest stolen laptop breach, or the oldest accidental web exposure breach. ...
http://datalossdb.org/oldest_incidents_contest

[If you are going to submit, you might look through the RISKS archives, beginning in 1976 with the ACM SIGSOFT Software Engineering Notes (SEN), well BEFORE the Risks Forum started. My historical index for SEN and RISKS is online. Although I've been struggling to keep it up to date recently, it is fine for old stuff in pre-RISKS SEN issues — which Will Tracz now has the old online. PGN]
http://www.csl.sri.com/neumann/illustrative.html
This is a reminder that the early registration deadline for the conference is approaching (20 Apr 2009). Some useful information about the conference is listed below. Please visit the conference webpage at http://oakland09.cs.virginia.edu/ if you need more information. Hope to see you at the conference in Oakland, California again from May 17th to 20th.

David Du, General Chair

30th IEEE Symposium on Security & Privacy

The 2009 symposium marks the 30th annual meeting of this flagship conference. Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. The 2009 symposium will be held May 17-20 at the Claremont Resort in Oakland, California <http://www.claremontresort.com/>.

Accepted Papers: <http://oakland09.cs.virginia.edu/papers.html>
Program: <http://oakland09.cs.virginia.edu/program.html>

Upcoming Deadlines
  Travel Grants Deadline: 15 April 2009 [Travel Grant Information: <http://oakland09.cs.virginia.edu/grants.html>]
  Poster Submission Deadline: 15 April 2009 [Call for Posters: <http://oakland09.cs.virginia.edu/posters.html>]
  Short Talks Early Deadline: 15 April 2009 [Call for Short Talks: <http://oakland09.cs.virginia.edu/shorttalks.html>]
  Early Registration Deadline: 20 April 2009 [Registration Information: <http://www.regonline.com/Checkin.asp?EventId=707709>]
  Hotel Registration Deadline: 24 April 2009 [Hotel Information: <http://oakland09.cs.virginia.edu/travel.html>]

Travel Grants
  Travel Grants information is now posted: <http://oakland09.cs.virginia.edu/grants.html>. Applications are requested by 15 April 2009.

Registration Open
  Registration is now open: <http://www.regonline.com/Checkin.asp?EventId=707709>. The early registration deadline is 20 April 2009.

Call for Short Talks
  The Call for Short Talks is now posted: <http://oakland09.cs.virginia.edu/shorttalks.html>.

Advance Program
  The Advance Program has been released: <http://oakland09.cs.virginia.edu/program.html>.

Workshops and Tutorials
  Information on Workshops <http://oakland09.cs.virginia.edu/workshops.html> and Tutorials <http://oakland09.cs.virginia.edu/tutorials.html> is now available.

Call for Posters
  The Call for Posters is now posted: <http://oakland09.cs.virginia.edu/posters.html>. Poster submissions are due 15 April 2009.

Accepted Papers Posted
  26 papers have been accepted to the symposium: <http://oakland09.cs.virginia.edu/papers.html>.

[Check it out if you are into research in security and privacy and have never been there before. This is the 30th year at the Claremont, and it is always a worthwhile meeting and certainly a lovely venue overlooking San Francisco. PGN]