[This one was stuck in my queueueueue. But it's more appropriate tonight anyway, on the eve of U.S. DST. PGN]

Everyone gird your loins as it's March, so that means we're now entering "silly season": the bi-annual event of adjusting our timepieces by one hour. North America will be making the great leap forward on 14 Mar, while in Europe it's 28 Mar. Anyone want to start a pool on how many time incidents will make the news this time around?
It's been widely reported that some models of Sony's PS3 game console malfunctioned today, evidently because they thought the date was 29 Feb. Hard to believe that in this 21st century, programmers are still having trouble with this algorithm... http://news.cnet.com/8301-17938_105-10461881-1.html [PGN notes Mark Brader commented on this one: Well, maybe it's not the *same* programmers who had trouble with it in the 20th century...]
As noted on http://scitech.blogs.cnn.com/2010/03/01/playstation-network-down/ Sony's Playstation 3 was convinced that 2010 was a leap year and attempted to use Feb. 29, 2010. This kept gamers from connecting to the Playstation Network (http://blog.us.playstation.com/2010/03/playstation-network-service-restored/). It seems that the clock is a necessary part of the DRM scheme that Sony uses to make sure that people don't use bootleg copies of their games. It rather incensed some users to be locked out of using their perfectly legal copies because the programmers had a little trouble dividing by 4.

Prof. Dr. Debora Weber-Wulff, Treskowallee 8, 10313 Berlin +49-30-5019-2320 weberwu@htw-berlin.de http://www.f4.htw-berlin.de/people/weberwu/
Japan may have experienced the problem earlier than others due to timezone differences. Sony Computer Entertainment announced on 2 Mar 2010 (and many users have complained on blogs and Twitter) that old models of the popular PS3 game console experienced failures such as failing to connect to the network, since its software miscalculated the year 2010 to be a leap year and its internal date was set to a bogus 29 Feb on 1 Mar. The models sold after September 2009 didn't experience this bug. As the date rolled to March 2nd (UTC), the problem disappeared. Every now and then I have noticed this leap-year miscalculation occur in OSs and other basic software, but please note 2010 is not even a multiple of four. I wonder what faulty calculation was done in the software. It could be a classic example that should be put in a software engineering textbook if the faulty line is made public.
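The contributor asks how a year that is not a multiple of four could be taken for a leap year. The following is an added example, not code from Sony or from any RISKS contributor: it puts the correct Gregorian rule beside one hypothetical (assumed, not confirmed by anything above) way such a bug can arise, namely a two-digit year kept in binary-coded decimal, as many real-time-clock chips store it, but tested for divisibility by 4 as if it were plain binary. It then rolls the date past 28 Feb 2010 under both rules so the "bogus 29 Feb on 1 Mar" symptom is visible.

```python
"""Leap-year checks: the Gregorian rule beside a hypothetical BCD mis-decoding.

Added example. The BCD variant is an assumption about how such a bug *could*
arise, not a statement of what the PS3 firmware actually did.
"""

DAYS_IN_MONTH = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def is_leap_year(year: int) -> bool:
    """Gregorian rule: divisible by 4, except centuries unless divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def bcd_encode(value: int) -> int:
    """Encode a non-negative integer as binary-coded decimal, one nibble per digit.
    bcd_encode(10) == 0x10 == 16, bcd_encode(2010) == 0x2010."""
    result, shift = 0, 0
    while True:
        result |= (value % 10) << shift
        value //= 10
        shift += 4
        if value == 0:
            return result


def is_leap_year_bcd_bug(year: int) -> bool:
    """Hypothetical bug: the two-digit year is held in BCD but the divisibility
    test treats the raw byte as binary. For 2010 the byte is 0x10 == 16, which
    is divisible by 4, so 2010 wrongly passes. (The same bug would also get
    2012 wrong the other way: 0x12 == 18 is not divisible by 4.)"""
    raw = bcd_encode(year % 100)
    return raw % 4 == 0


def next_day(year: int, month: int, day: int, leap) -> tuple:
    """Advance a calendar date by one day using the supplied leap-year predicate."""
    days = DAYS_IN_MONTH[month - 1]
    if month == 2 and leap(year):
        days = 29
    if day < days:
        return (year, month, day + 1)
    if month == 12:
        return (year + 1, 1, 1)
    return (year, month + 1, 1)


if __name__ == "__main__":
    print("correct :", next_day(2010, 2, 28, is_leap_year))        # (2010, 3, 1)
    print("bcd bug :", next_day(2010, 2, 28, is_leap_year_bcd_bug))  # (2010, 2, 29)
```

The `next_day` function takes the leap-year predicate as a parameter so that the same date-rolling logic can be exercised against the correct rule and against the buggy one; that is also the shape a unit test for a clock routine should have, with 1900, 2000 and 2100 in the fixture alongside the ordinary years.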
Jonathan de Boyne Pollard discusses software that ignores even quite recent experience and continues to use techniques - like 2-digit years - that have quite recently caused us much grief and expense. He asks why we don't seem to learn from this experience.

I really hate to point this out but ... there are two reasons that, in other engineering and technological fields, we *do* manage to avoid repeating at least the reasonably common mistakes:

1. We develop standards and practices that have the force of law. Electrical circuitry in houses is subject to a variety of such standards. So is plumbing. You can't sell a house if it fails to meet code. In some cases, you'll be required to make modifications to come up to code even to remain in your own house. If you're an electrician or a plumber and you do work that doesn't meet code, you'll lose your license and no longer be allowed to work in the field. You may be subject to criminal penalties. You can certainly be sued if someone is injured or property is damaged because you didn't follow the rules.

2. We require training and passing of exams *on those standards and practices*. We enforce this requirement by requiring licenses to work in many fields - and those licenses depend on passing the exams.

Now, I know all the downsides of this approach - the technology that's frozen in place for years, the use of licensing to limit competition, the pointlessness of much of what's on those exams. But the fact is that we have indoor plumbing that (usually) doesn't leak water on us, and that only very rarely causes disease even as it pumps gallons of pure stuff we eat and drink right near gallons of contaminated stuff. And we have electrical systems in our houses that don't (usually) start fires or electrocute us. We're so used to this latter feature that we've forgotten that this doesn't happen automatically.
At least 12 US soldiers died in Iraq - not due to battles, but electrocuted due to incorrect wiring, like improperly grounded pumps that killed several soldiers in their showers. We in the software industry have been leading charmed lives for many years. We've managed to avoid liability, avoid serious training in good practices, avoid any kind of standards - all by arguing that this would cramp our style and keep us from continuing to innovate. Maybe that's true - but we've been building up a massive debt side by side with all that innovation. Eventually, that debt's going to come due. If we don't clean up our own mess, the greater society will come along and do it for us - and the results won't be pleasant.
A lot of people are dead because they depended upon obsolete testing to keep them safe. While there is probably a lot of blame to go around, the failure of knowledgeable experts to make bureaucrats and bean-counters do the "right thing" seems to be obvious all throughout this story. I submit any RISKS reader will find this fascinating, educational, and, if you fly, scary! What else is hidden, overlooked, or just lazily ignored? There is a hint of corruption as well (i.e., failure to come down hard on a local business); the possibility of politics or payoffs can't be overlooked. Even if unprovable, suspicion is warranted. Argh!

> In fact, the problem with the airspeed indicators lies far deeper. To this day, the relevant licensing bodies still only test pitot tubes down to temperatures of minus 40 degrees Celsius (minus 40 degrees Fahrenheit) and an altitude of about 9,000 meters (30,000 feet). These completely antiquated specifications date back to 1947, before the introduction of jet planes. What's more, most of the incidents of recent years, including that involving the ill-fated flight AF 447, occurred at altitudes above 10,000 meters (33,000 feet).

(SPIEGEL ONLINE - News - International) http://www.spiegel.de/international/world/0,1518,679980-2,00.html

Blog "Reinke Faces Life", http://krunchd.com/reinkefj
While Toyota CEO President Akio Toyoda insists that neither electronics nor software can be blamed for the rash of runaway Toyotas, others aren't so sure. [Source: Joab Jackson, *IT Business*, 4 Mar 2010] http://www.itbusiness.ca/it/client/en/home/news.asp?id=56648 Page 2 has discussion of an electronic control module (ECM) that supposedly has fail-safe, but "David Gilbert, a professor of automotive technology at Southern Illinois University Carbondale, found that the ETC is not foolproof, despite Toyota's claims. In tests, which he later described before last week's Congressional hearings, he found that the ETC did not detect certain types of short-circuit malfunctions that could occur with the pedal sensors. If the ETC did not detect the complete possible range of errors, then it could not enter into a fail-safe mode, he argued."
Toyota has for years blocked access to data stored in devices similar to airline "black boxes" that could explain crashes blamed on sudden unintended acceleration, according to an Associated Press review of lawsuits nationwide and interviews with auto crash experts. The AP investigation found that Toyota has been inconsistent, and sometimes even contradictory, in revealing exactly what the devices record and don't record, including critical data about whether the brake or accelerator pedals were depressed at the time of a crash. By contrast, most other automakers routinely allow much more open access to information from their event data recorders, commonly known as EDRs.

AP also found that Toyota:

* Has frequently refused to provide key information sought by crash victims and survivors.
* Uses proprietary software in its EDRs. Until this week, there was only a single laptop in the U.S. containing the software needed to read the data following a crash.
* In some lawsuits, when pressed to provide recorder information, Toyota either settled or provided printouts with the key columns blank.

[Source: Curt Anderson and Danny Robbins, Associated Press Writers, 4 Mar 2010] http://finance.yahoo.com/news/AP-IMPACT-Toyota-secretive-on-apf-1294427692.html?x=0&sec=topStories&pos=1&asset=&ccode=

Gabriel Goldberg, 3401 Silver Maple Place, Falls Church, VA 22042 703-204-0433
[Noted by Bob Rosenberg in Dave Farber's IP distribution. PGN] Illustration showing optical beam splitter method and new method of controlling electron spin. Research allows control of a single electron without disturbing other nearby electrons. More: http://www.nsf.gov/discoveries/disc_summ.jsp?cntn_id=116456&WT.mc_id=USNSF_1
*The New York Times* (p. A6) 3 Mar 2010: "The country's highest court ruled Tuesday that a security law requiring the mass storage of telephone, e-mail, and Internet data violated a constitutional provision on privacy and must be revised. The 2008 law required telecommunications carriers to retain customer usage data for six months so authorities could use it to track criminal networks." The citation to the actual law was not given in the small article.

Mass retention of data without specific cause is a challenge. The retained data can be used for its intended purpose, but its mere existence presents a hazard for inappropriate use. I addressed similar issues in an item entitled "Will Long Term Dynamic Address Allocation Record Retention Help or Hurt?" in the context of the "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act of 2009" (S.436) introduced by Senator John Cornyn (R-Texas). http://www.rlgsc.com/blog/ruminations/retain-dynamic-address-allocation-logs.html

Bob Gezelter, http://www.rlgsc.com
[From Dave Farber's IP list. PGN]

US government rescinds 'leave Internet alone' policy
Kieren McCarthy, Networks, 27 Feb 2010
http://www.theregister.co.uk/2010/02/27/internet_3_dot_0_policy/

The US government's policy of leaving the Internet alone is over, according to Obama's top official at the Department of Commerce. Instead, an Internet Policy 3.0 approach will see policy discussions between government agencies, foreign governments, and key Internet constituencies, according to Assistant Secretary Larry Strickling, with those discussions covering issues such as privacy, child protection, cybersecurity, copyright protection, and Internet governance. The outcomes of such discussions will be *flexible* but may result in recommendations for legislation or regulation, Strickling said in a speech at the Media Institute in Washington this week. (http://www.ntia.doc.gov/presentations/2010/MediaInstitute_02242010.html)

The new approach is a far cry from a US government that consciously decided not to intrude into the Internet's functioning and growth and in so doing allowed an academic network to turn into a global communications phenomenon. Strickling referred to these roots, arguing that it was ``the right policy for the United States in the early stages of the Internet, and the right message to send to the rest of the world.'' But, he continued, ``that was then and this is now. As we at NTIA approach a wide range of Internet policy issues, we take the view that we are now in the third generation of Internet policy making.'' Outlining three decades of Internet evolution - from transition to commercialization, from the garage to Main Street, and now, starting in 2010, the Policy 3.0 approach - Strickling argued that, with the Internet now a social network as well as a business network, we must take rules more seriously.
He cited a number of examples where this new approach was needed: end users worried about credit card transactions, content providers who want to protect their copyright, companies concerned about hacking, network neutrality, and foreign governments worried about Internet governance systems.

The decision to effectively end the policy that made the Internet what it is today is part of a wider global trend of governments looking to impose rules on use of the network by its citizens. In the UK, the Digital Economy Bill currently making its way through Parliament has been the subject of significant controversy for advocating strict rules on copyright infringement and threatening to ban people from the Internet if they are found to do so. The bill includes a wide variety of other measures, including giving regulator Ofcom a wider remit, forcing ISPs to monitor their customers' behavior, and allowing the government to take over the dot-uk registry. In New Zealand, a similar measure to the UK's cut-off provision has been proposed by revising the Copyright Act to allow a tribunal to fine those found guilty of infringing copyright online as well as suspend their Internet accounts for up to six months. And in Italy this week, three Google executives were sentenced to jail for allowing a video that was subsequently pulled down to be posted onto its YouTube video site.

Internationally, the Internet Governance Forum, set up under a United Nations banner to deal with global governance issues, is due to end its experimental run this year and become an acknowledged institution. However, there are signs that governments are increasingly dominating the IGF, with civil society and the Internet community sidelined in the decision-making process. In this broader context, the US government's newly stated policy is more in line with the traditional laissez-faire Internet approach.
Internet Policy 3.0 also offers a more global perspective than the isolationist approach taken by the previous Bush administration. In explicitly stating that foreign governments will be a part of the upcoming discussions, Strickling recognizes the United States' unique position as the country that gives final approval for changes made to the Internet's root zone. Currently the global Internet is dependent on an address book whose contents are changed through a contract that the US government has granted to the Internet Corporation for Assigned Names and Numbers (ICANN), based in Los Angeles.

[Long item truncated for RISKS, with considerable subsequent discussion in IP. PGN]

[Dan Lynch added: It was good while it lasted. The cat is out of the bag and now all the watchdogs of our morals are descending for good reasons. We have foisted communications anarchy on the world quite successfully. Let's see how they route around their paranoia.]

IP Archives: https://www.listbox.com/member/archive/247/
Chris Crego, of Lockport, New York, pleaded guilty to assault but fled the state before sentencing. However, he then put up Facebook and MySpace pages under his real name, showing his photo, his place and hours of employment, and — in case there was any doubt — the police "wanted" poster of him. He was arrested and returned to Lockport, and police posted a "thank you" notice on his page. http://www.cbsnews.com/blogs/2010/02/08/crimesider/entry6186573.shtml http://www.buffalonews.com/2010/03/02/974619/crego-back-in-lockport-held-on.html
I bought a new car a couple of weeks ago, though for obvious reasons [1] I didn't collect it until Monday. As soon as I knew the new registration number, I contacted my insurance company to alter the details. The paperwork finally arrived yesterday. At one point it reads:

  It has been owned by, and registered to you or your partner, for approximately - 1 year(s) 11 month(s).

This puzzled me, so I phoned them, to be told "it always does that for new cars". Then I realized what had happened; the clue was that the previous paperwork did *not* have the dash in this text. The computer must have done something like "now = Feb 2010, bought Mar 2010, therefore owned for -1 months". Then it converted months to years by dividing by 12 and determining the remainder. There are two sensible answers for "-1 div/rem 12" (0 remainder -1 and -1 remainder 11) and which gets used depends on what properties you want to preserve. Or, in this case, because nobody had thought about negative inputs!

The only remaining problem: how on earth do I get this information past the call centre and to the people who actually maintain this code? Perhaps they read RISKS.

[1] Well, obvious to UK readers - it gives the car a "10" registration rather than a "59" one, affecting the resale value.

Clive D.W. Feather <clive@davros.org> http://www.davros.org +44 7973 377646
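The two "sensible answers" for -1 div/rem 12 are floored division (Python's `divmod`, which gives -1 remainder 11 and so prints exactly the "- 1 year(s) 11 month(s)" in the letter) and truncation toward zero (C's `/` and `%`, which give 0 remainder -1). The following is an added example, not the insurer's code: it reproduces both conventions on the month count the contributor reconstructs, and shows the check that should have rejected a future purchase date before any formatter saw a negative number. The dates and field wording are constructed.

```python
"""Ownership-period arithmetic: floored vs truncated division on a negative month count.

Added example; the insurer's code is not public. Dates are constructed.
"""
from datetime import date


def months_between(now: date, since: date) -> int:
    """Whole calendar months from `since` to `now`; negative when `since` is later."""
    return (now.year - since.year) * 12 + (now.month - since.month)


def floored_years_months(months: int) -> tuple:
    """Floored division (Python divmod): -1 -> (-1, 11).
    Formatted naively this is the letter's '- 1 year(s) 11 month(s)'."""
    return divmod(months, 12)


def truncated_years_months(months: int) -> tuple:
    """Truncation toward zero (what C's / and % do): -1 -> (0, -1)."""
    years = int(months / 12)          # int() truncates toward zero
    remainder = months - years * 12
    return years, remainder


def describe_ownership(now: date, since: date) -> str:
    """Format the period, refusing negative inputs instead of formatting them."""
    months = months_between(now, since)
    if months < 0:
        raise ValueError(
            f"purchase date {since.isoformat()} is after reporting date {now.isoformat()}"
        )
    years, remainder = divmod(months, 12)
    return f"{years} year(s) {remainder} month(s)"


if __name__ == "__main__":
    # now = Feb 2010, bought Mar 2010: the contributor's reconstruction
    m = months_between(date(2010, 2, 15), date(2010, 3, 1))
    print("months:", m)                               # -1
    print("floored:", floored_years_months(m))        # (-1, 11)
    print("truncated:", truncated_years_months(m))    # (0, -1)
    print(describe_ownership(date(2010, 3, 15), date(2008, 4, 1)))  # 1 year(s) 11 month(s)
```

Neither division convention is wrong in itself; the defect is that a negative elapsed time has no meaning in this report, so the right place to catch it is a validity check on the inputs, not a choice of rounding rule.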
Foreign states and terrorist groups are regularly launching cyber-attacks on the UK's computer systems with the potential to cause widespread damage, according to the government's security tsar. Lord West of Spithead, who is parliamentary under-secretary for security and counter-terrorism, told the *Observer* that the UK was under daily cyber attack, often from agencies working on behalf of foreign governments. He said there had been "300 significant attacks" on the government's core computer networks in the last year and warned of chaotic scenes if one successfully targeted infrastructure such as the UK's communications systems... http://www.guardian.co.uk/technology/2010/mar/07/britain-fends-off-cyber-attacks
A little while ago the Ontario Privacy Commissioner released a report on the privacy implications of electrical smart grids (RISKS-25.84: "Your smart meter is watching"). Well, it turns out water pressure is another way that "traffic analysis" can be done on people's activities:

> The water utility in Edmonton, EPCOR, published the most incredible graph
> of water consumption last week. By now you've probably heard that up to
> 80% of Canadians were watching last Sunday's gold medal Olympic hockey
> game. So I guess it stands to reason that they'd all go pee between
> periods.

http://tinyurl.com/yedz5jt
http://www.patspapers.com/blog/item/what_if_everybody_flushed_at_once_Edmonton_water_gold_medal_hockey_game/
Via: http://www.boingboing.net/2010/03/11/the-effects-of-gold-.html

Not so much a technological RISK, but more of a reminder that as chips and sensors are placed in more places, we get more data. The more data we have, the more it can be linked with other data, and that can lead to unforeseen consequences.
Are they tracking us (a/k/a Paranoia 101) - Or, What I'd do if I was "one of 'them'". OK, let's do an update:

1. How many "Smart Cards" are you carrying?
2. How about your "New, Improved" Passport?
3. EZ Pass (or equivalent)?
4. How about those Tire Pressure things in your tires (4 and the spare!) - they're RFIDs.
5. Y'know, that "keyless entry" thingie in your pocket/key - RFID, again.
6. Oh, that ON-Star like thing in your car, can you turn it off? (Are you sure?)
7. About that cellphone, you want Paranoia -
8. Um, about the remote diagnostic capability of my Mom's pacemaker
9. The implanted ID chip in your pet
10. Do those "security" bags really protect RFIDs from concerted reading devices?
11. "They" could easily record the serial numbers of the cash you get from the ATM
12. While they're doing facial recognition of everyone within range of the camera.

How many of these things can be read from how far away? [Quite a few. PGN]
http://www.mpi-sws.org/~gummadi/papers/inferring_profiles.pdf This paper discusses an interesting phenomenon for privacy. If a user has turned on privacy in either LinkedIn or Facebook such that their friends list is accessible but nothing else, the researchers were able to infer with 80% accuracy the values of the hidden attributes based solely upon 20% of those friends revealing their own value for those attributes. The article states that 95% of Facebook users expose their friends list to strangers, which means that for most people their privacy may be effectively compromised by a relatively small percentage of their friends. To me, this is a difficult tradeoff for Facebook users. Hiding your friends list means that people you know but with whom you have not connected will have difficulty deciding if that's really you, or another John Smith. The "N mutual friends" link is an incredibly useful one for finding people you might want to reconnect with.
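The inference the paper describes rests on a simple observation: if a fifth of your friends reveal an attribute, the most common value among them is a strong guess for yours. The following is an added example, not code from the paper's authors or from Facebook or LinkedIn; the social graph is constructed, and the majority-vote rule with a 20% threshold is a simplification chosen here to illustrate the mechanism, not the paper's actual method. It is written from the user's side: given who is in your friends list and which of them expose the attribute, it reports what a stranger who can see only that list could infer, which is the exposure the contributor weighs against the usefulness of a visible friends list.

```python
"""Estimate how much a hidden profile attribute is exposed through friends who reveal theirs.

Added example; graph and attribute values are constructed. The majority-vote rule
is a simplification of the inference described in the paper, not its algorithm.
"""
from collections import Counter

# Constructed sample graph: user -> (revealed attribute or None if hidden, set of friends)
PROFILES = {
    "alice": (None, {"bob", "carol", "dave", "erin", "frank"}),   # hides the attribute
    "bob":   ("univ-A", {"alice"}),
    "carol": ("univ-A", {"alice"}),
    "dave":  (None, {"alice"}),
    "erin":  (None, {"alice"}),
    "frank": ("univ-B", {"alice"}),
}


def infer_attribute(user: str, profiles: dict, min_revealing: float = 0.2) -> tuple:
    """Guess `user`'s hidden attribute from friends who reveal theirs.

    Returns (value, confidence) where confidence is the share of revealing friends
    that agree with the majority, or (None, 0.0) when fewer than `min_revealing`
    of the friends expose the attribute (the 20% the paper found sufficient)."""
    friends = profiles[user][1]
    revealed = [profiles[f][0] for f in friends if profiles[f][0] is not None]
    if not friends or len(revealed) / len(friends) < min_revealing:
        return None, 0.0
    value, count = Counter(revealed).most_common(1)[0]
    return value, count / len(revealed)


def exposure_report(profiles: dict) -> dict:
    """For every user who hides the attribute, what a friends-list-only observer could infer."""
    return {
        user: infer_attribute(user, profiles)
        for user, (attr, _) in profiles.items()
        if attr is None
    }


if __name__ == "__main__":
    for user, (value, confidence) in exposure_report(PROFILES).items():
        print(f"{user}: inferred {value!r} with confidence {confidence:.2f}")
```

Alice hides her affiliation, yet three of her five friends reveal theirs and two of those agree, so an observer with only her friends list lands on "univ-A"; Dave and Erin have no revealing friends in this toy graph, so nothing can be inferred about them. Hiding your own field does not help if enough of your neighbours do not hide theirs.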
This came through via slashdot: http://www.gearlog.com/2010/03/hands_on_fake_intel_core_i7-92_1.php Apparently the computer core you thought you were purchasing is now the risk.

Robert Schaefer, Atmospheric Sciences Group, MIT Haystack Observatory, Westford MA 01886 781-981-5767 http://www.haystack.mit.edu rps@haystack.mit.edu
4th International Conference on Network and System Security (NSS 2010)
September 1-3, 2010, Melbourne, Australia
http://www.anss.org.au/nss2010
In technical co-sponsorship with the IEEE and the IEEE Computer Society Technical Committee on Scalable Computing

Workshop proposal due: March 31, 2010
Paper submission due: March 31, 2010
IEEE Symposium on Security and Privacy, May 16-19, 2010
The Claremont Resort, Oakland, California, USA
Sponsored by the IEEE Computer Society Technical Committee on Security and Privacy, in cooperation with the International Association for Cryptologic Research (IACR)

It is my pleasure to announce the 2010 IEEE Symposium on Security and Privacy, to be held at the Claremont Resort 30 years after the very first symposium in this series. Please visit http://oakland31.cs.virginia.edu/ for information about the symposium and the co-located workshops. [The SSP 2010 program is also in RISKS-25.95. PGN]

*Important Highlights:*

* Register <http://www.regonline.com/Checkin.asp?EventId=810837> before April 18 to take advantage of the early registration rates
* Reserve your hotel room <http://oakland31.cs.virginia.edu/travel.html> early, especially if you require and qualify for the government rate
* The 30th anniversary of Security and Privacy welcomes all in the security research community to a light-hearted *awards dinner* on May 17. Registered symposium attendees and registered guests are welcome at this retrospective event with Master of Ceremonies Peter G. Neumann. The ceremonies will include the presentation of the National Computer Systems Security Award for 2010 by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).
* The advance program <http://oakland31.cs.virginia.edu/program.html> is available
* Student travel grants <http://oakland31.cs.virginia.edu/grants.html> are available, and applications are due by April 2
* The Call for Posters <http://oakland31.cs.virginia.edu/posters.html> is now open, and poster abstracts are due by April 8
* Three co-located workshops <http://oakland31.cs.virginia.edu/workshops.html> will be held in conjunction with the symposium on May 20:
  o Systematic Approaches to Digital Forensic Engineering (SADFE)
  o Web 2.0 Security and Privacy (W2SP)
  o Workshop on Security and Privacy in Social Networks

I hope to see you at the symposium on May 16-19!

Ulf Lindqvist, General Chair