Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 26: Issue 33
Monday 31 January 2011
Contents
China Blocks Chinese Word for 'Egypt'- Sam Waltz
Egypt: Risk for a Country- Gene Wirchenko
Re: Egypt's Internet shutdown- Bob Frankston
Re: Internet Society statement on Egypt's Internet shutdown- SMiller
Non-snailproofed traffic light proves fatal- Mark Brader
Public service announcement on Undigestifying- Jonathan Kamens
BBDB ran off with my Spacebar press- jidanni
Re: Cyberwar countermeasures a waste of money, says report- Joe Thompson
Re: Yet Another Risk: Not reading the package very carefully- Terje Mathisen, Steve Fenwick
CfP: CRiSIS 2011: Risks and Security of Internet and Systems- Marius Minea
Info on RISKS (comp.risks)
China Blocks Chinese Word for 'Egypt'
Sam Waltz
<samwaltz.groups@gmail.com>
January 30, 2011 3:12:14 PM EST
It's interesting to see how the fragmentation of the Net continues. Imagine not being able to search for current events in Mexico, Europe, or elsewhere. Sam Waltz
http://www.pcworld.com/businesscenter/article/218185/china_microblogs_block_chinese_word_for_egypt.html
China's microblogs have blocked searches for the word "Egypt," a sign that the Chinese government is trying to limit public knowledge of the political unrest occurring in the Middle East. The blocking appeared to begin over the weekend on the Chinese Twitter-like services operated by Sina, Tencent and Sohu. Queries using the Chinese word for "Egypt" brought no results. "In accordance with the relevant laws, regulations and policies, the search result did not display," said the response on the Sina microblogging site. The English word for "Egypt," however, is still searchable across the sites.
Egypt: Risk for a Country
Gene Wirchenko
<genew@ocis.net>
Mon, 31 Jan 2011 11:32:47 -0800
Source: Patrick Thibodeau, Microsoft shifts some work out of Egypt; It is among some 120 companies located in Cairo's Smart Village IT office park, *IT Business*, 31 Jan 2011
http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=61100
Selected text:
Egypt has been aggressively attracting tech companies to its wired office parks to help create jobs for its young, educated and often English-speaking workforce. But by cutting off Internet access last week in the wake of civil unrest, Egypt's government demonstrated just how quickly it can unwind its hi-tech goals.
Egypt's move to block Internet access prompted Microsoft to respond. Asked about the situation in Egypt, Microsoft said in a written response to a query that it "is constantly assessing the impact of the unrest and Internet connection issues on our properties and services. What limited service the company as a whole provides to and through the region, mainly call-center service, has been largely distributed to other locations."
Egypt's decision to cut Internet access was apparently intended to disrupt the ability of protestors to use social networks to organize. But hi-tech companies have similar flip-the-switch abilities and can shift services in response to a natural or manmade disaster. It is almost certain that tech companies in Egypt will respond to the current uncertainty much the same way Microsoft did—if they haven't already.
Re: Egypt's Internet shutdown (RISKS-26.32)
"Bob Frankston"
<bob2-39@bobf.frankston.com>
Sat, 29 Jan 2011 21:29:13 -0500
The reason that it was so easy to disconnect a country from the rest of the Internet is that today's Internet protocols are very much aligned with authority. You get your IP addresses from authorities (providers) and depend on a single backbone that requires we trust all providers. This is a point I make in http://rmf.vc/Demystify.risks.
It is not sufficient to lament Egypt's actions—we need to move beyond today's prototype architecture to one that honors the end-to-end principle by removing the dependency on a centralized authority by defining connectivity in terms of stable relationships apart from any network. We can then use whatever facilities are available to exchange bits. The presumed safety of today's DNS is an illusion that has consequences such as assuring the Net will unravel as our temporary hold on our own names expires. Skype gives a hint of what is possible but it relies on a central directory.
The first step is removing the prime dependency—the need to pay merely to exchange bits over a common infrastructure. We can then evolve to new protocols that aren't constrained to providers' pipes.
Re: Internet Society statement on Egypt's Internet shutdown (R 26 32)
<SMiller@unimin.com>
Mon, 31 Jan 2011 10:21:22 -0500
"In the longer term, we are sure that the world will learn a lesson from this very unfortunate example, and come to understand that cutting off a nation's access to the Internet only serves to fuel dissent and does not address the underlying causes of dissatisfaction."
It appears that the "lesson learning" statement therein is beamed at governments. Unfortunately, there seems to be ample and convincing evidence that "lesson learning" (at least of the benevolent variety) is not a skill generally within the capabilities of any government. However, it is true that this is a "learning moment", and the lesson that I have received is that any of us who value Internet freedom had better have a "Plan B" that is independent of government, whether that plan involves a darknet, archived DNS records, or some as yet unformulated solution.
Jacob Appelbaum and some associates have evidently provided some dial-up ISP connectivity to Egyptians, but while that is an admirable improvisation, it is also woefully inadequate as a functional solution. On the other hand, I think that I will refrain from tossing my very last US Robotics 56k modem just yet...
Non-snailproofed traffic light proves fatal
Mark Brader
Mon, 31 Jan 2011 06:20:40 -0500 (EST)
One night last August in Tamworth (near Birmingham), England, two cars driven by teenagers collided head-on on a one-lane bridge, and one of them was killed. It has now been revealed that this happened because the traffic lights governing the one-lane bridge were short-circuited by a snail or slug crawling over the circuit board.
The surviving driver said he saw the other car but did not realize what was happening in time. Most reports do not mention the state of the lights, so I suppose they were dark rather than showing green both ways. The failure had been automatically reported at a monitoring station, but the collision happened only 20 minutes later.
http://www.thesun.co.uk/sol/homepage/news/3380011/any.html
http://www.express.co.uk/posts/view/226236/any
http://www.thisistamworth.co.uk/news/article-3149898-detail/article.html
"Red lights are not my concern. I am a driver, not a policeman." --statement made after collision, 1853 [1953?]
[Also noted by Stephen McCallister in the *Daily Mail*. PGN]
Public service announcement on Undigestifying
Jonathan Kamens
<jik@kamens.us>
Sun, 16 Jan 2011 22:13:12 -0500
For those of you who use Thunderbird or Postbox to read your email, I've just released a new add-on called "Undigestify" at https://addons.mozilla.org/en-US/thunderbird/addon/undigestify/. If you install this add-on, then you can right-click on a Risks Digest and select "Undigestify", and the digest will be split into separate messages which you can then read and respond to individually. (For those of you who are old and nerdy enough to have used Emacs RMAIL to read your mail, this is equivalent to M-x undigestify.)
Please feel free to forward this to any other digests whose readers might find it useful. RISKS is the only RFC 1153 digest I still read, so I don't know who else is out there who might benefit from it. Please also feel free to contact me with comments, questions or bug reports.
[Jonathan, Many thanks! I occasionally still get a complaint about the RISKS *digest* format, so I am happy to know of your undigestifier. PGN]
BBDB ran off with my Spacebar press
<jidanni@jidanni.org>
Sun, 30 Jan 2011 11:55:38 +0800
There I was paging down with the spacebar, when I noticed something stuck. Way down in the emacs minibuffer the little snot "BBDB" program it turned out has been asking me a question, ever so happy to take the spacebar I had typed (intended to scroll down) as a "y".
`Add address "bla@example.org" to "goo@nurd.example.com"? (y or n) y'
Sort of like when you slip a piece of paper under a voter's pen before he notices it's too late, then run off in glee.
Re: Cyberwar countermeasures a waste of money, says report (R 26 31)
Joe Thompson
<joe@orion-com.com>
Mon, 31 Jan 2011 12:09:42 -0500
Here in the DC area, one of the local online-learning institutions has long run an alarmist "cyber war" radio ad promoting their online certificate program in cybersecurity. The lead-in is a woman talking to someone on the phone about money suddenly disappearing from lots of bank accounts. Later in the ad we return to this conversation in time to hear "Now they're saying it's the cell networks too! ...Hello? Hello?"
I wonder if they will move to a more moderate presentation now. (I'm not betting on it.)—Joe
Re: Yet Another Risk: Not reading the package very carefully (R 26 32)
Terje Mathisen
<"terje.mathisen at tmsw.no"@giganews.com>
Mon, 31 Jan 2011 09:17:34 +0100
This was a long tale, in installments, about the need for personal backups of all data you want to keep: So far, so good. Paul then decides to "upgrade" from a DVD burner to a BD burner, when the only good backup these days is to have all your data on multiple independent disks, all of which are in regular use:
My personal backup strategy for the laptop which carries everything I work on is to have at least two external USB drives, neither of which are normally plugged in. The laptop has a 640 GB 2.5" drive, so my main portable backup is a 750 GB 2.5" drive which runs on USB power. (I also carry my previous internal drive, a 500 GB model, as a backup.) A tiny batch file is sufficient to copy all updated files from a set of working directories onto the USB drive, then I disconnect it again. When at home I also have a larger 3.5" USB drive; this one requires external power as well as the USB cable.
If I should suffer a total disk crash while on a longer trip, I can open the laptop, replace the disk with the previous main drive and be back in operation in an hour or two, including the time to install all the security updates and copy back recently updated files. The total cost of this backup strategy is around $100 every year or two when I buy one of the latest big laptop drives.
The key idea here is that only media and disks that you regularly use/monitor/upgrade can be depended upon to last!
Terje
PS. I also use my Dreamhost-based personal server and an RSYNC account for real offsite backup of some really critical (encrypted) files. :-)
Re: Yet Another Risk: Not reading the package very carefully
Steve Fenwick
<steve@w0x0f.com>
Sun, 30 Jan 2011 20:01:48 -0800
Paul Robinson <paul@paul-robinson.us> writes:
For small backups, Robinson's suggestion is probably fine. As you start to fill up your new 2TB drive, the backup cost will rise substantially; worse, the time to backup will increase to the point at which you may become discouraged to do backups. As you noted, HDDs have gotten very, very inexpensive, and you can get external drive docks at under $50, so this is my preferred mechanism now for backups.
Risk: staying in a paradigm after technology has passed it by.
CfP: CRiSIS 2011: Risks and Security of Internet and Systems
Marius Minea
<marius@cs.upt.ro>
Mon, 31 Jan 2011 20:27:56 +0200 (EET)
CALL FOR PAPERS
[ PDF version at: http://crisis2011.cs.upt.ro/CRiSIS2011-CfP.pdf ]
The Sixth International Conference on
Risks and Security of Internet and Systems
CRiSIS 2011
Timisoara, Romania, 26-28 September 2011
http://www.crisis-conference.org/
IEEE Computer Society technical co-sponsorship (expected)
The International Conference on Risks and Security of Internet and Systems
2011 will be the 6th in a series dedicated to security issues in
Internet-related applications, networks and systems. The CRiSIS conference
offers an effective forum for computer and network security researchers from
industry, academia and government to meet, exchange ideas and present recent
advances on Internet-related security threats and vulnerabilities, and on
the solutions that are needed to counter them.
The topics addressed by CRiSIS range from the analysis of risks, attacks to
networks and system survivability, passing through security models, security
mechanisms and privacy enhancing technologies. Prospective authors are
invited to submit research results as well as practical experiment or
deployment reports. Industrial papers about applications and case studies,
such as telemedicine, banking, e-government and critical infrastructure, are
also welcome. The list of topics includes but is not limited to:
* Analysis and management of risk
* Attacks and defences
* Attack data acquisition and network monitoring
* Cryptography, Biometrics, Watermarking
* Dependability and fault tolerance of Internet applications
* Distributed systems security
* Embedded system security
* Intrusion detection and prevention systems
* Hardware-based security and physical security
* Trust management
* Organizational, ethical and legal issues
* Privacy protection and anonymization
* Security and dependability of operating systems
* Security and safety of critical infrastructures
* Security and privacy of peer-to-peer systems
* Security and privacy of wireless networks
* Security models and security policies
* Security of new generation networks, security of VoIP and multimedia
* Security of e-commerce, electronic voting and database systems
* Traceability, metrology and forensics
* Use of smartcards and personal devices for Internet applications
* Web security
IMPORTANT DATES
Submission deadline : May 10, 2011
Notification to Authors : July 15, 2011
Camera-Ready Due : August 15, 2011
Submitted papers must not substantially overlap with papers that have been
published or that are simultaneously submitted to a journal or a conference
with proceedings. Papers must be written in English and must be submitted
electronically in PDF format. Maximum paper length will be 8 printed pages
for full papers or 4 pages for short papers, in IEEE 2-column style.
Authors of accepted papers must guarantee that their papers will be
presented at the conference. All papers selected for presentation at the
conference will be published in the hard-copy proceedings distributed to all
conference participants and will also be available on-line in IEEE Xplore:
http://ieeexplore.ieee.org.
The authors of the best conference papers will be invited to submit an
extended version to a special issue of the International Journal of
Information and Computer Security (IJICS).
All paper submissions will be handled through the EasyChair conference
management system. Follow the instructions given here:
http://www.easychair.org/conferences/?conf=crisis2011
CALL FOR TUTORIALS
We solicit tutorials on state-of-the-art technologies relevant to the
conference themes. We are particularly interested in tutorials that foster
knowledge exchange among the different research communities present at the
conference. The intended length of each tutorial is 2 to 3 hours.
A tutorial proposal should include a brief summary and outline, specific
goals and objectives, the intended audience and the expected background of
the audience as well as a biographical sketch of the presenter(s). The
length of tutorial proposals should not exceed 5 pages.
Tutorial proposals should be submitted to the tutorial program chair: Anas
Abou el Kalam by email: anas.abouelkalam@enseeiht.fr before 10 May 2011.
GENERAL CHAIR: Marius Minea, Politehnica University of Timisoara, Romania
PC CHAIR: Frederic Cuppens, TELECOM Bretagne, France
PC CO-CHAIR: Simon Foley, University College Cork, Ireland
TUTORIAL CHAIR: Anas Abou ElKalam, Universite de Toulouse, IRIT-INP, France
FINANCE CHAIR: Yannick Chevalier, Universite de Toulouse, IRIT, France
PUBLICATIONS CHAIR: Bogdan Groza, Politehnica University of Timisoara