Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Many parts of the Virginia state government suffered computer slowdowns and outages ranging from days to weeks, apparently due to a redundant storage device that had simultaneous failures. Virginia DMV was particularly hard-hit, being largely incapacitated for a week. (And 4000 drivers who had renewed their licenses just prior to the failure have to come back - the photos stored on the server were lost, so they can't issue the licenses.) And now a possibly silver lining: DMV has asked the state police not to ticket anyone for driving with an expired license (*) if the license expired between Aug 25 and Sep 30. And the new risk (or advantage, depending on your perspective): if you come in to get your license renewed "customers who renew licenses prior to the revised expiration date will not be required to provide documentation of their U. S. citizenship or legal presence in the country". So if someone wants to get a license but isn't a legal resident, now is the time to get it - while they're on sale! [The governor has promised an independent examination of what caused the spectacular failure. I hope there will be technical experts, and not just politicians, on the review board.] (*) On the other hand, if you're in another state or country, will you get off so easily - "honest officer, the DMV in my state was closed for a week, so I couldn't renew my license, and they've given an automatic extension". http://voices.washingtonpost.com/dr-gridlock/2010/09/thousands_asked_to_return_to_d.html http://www.washingtonpost.com/wp-dyn/content/article/2010/09/01/AR2010090106077.html http://www.washingtonpost.com/wp-dyn/content/article/2010/08/30/AR2010083004877.html http://www.washingtonpost.com/wp-dyn/content/article/2010/08/27/AR2010082705046.html http://voices.washingtonpost.com/virginiapolitics/2010/08/virginia_dmv_still_off-line_du.html http://voices.washingtonpost.com/virginiapolitics/2010/08/virginia_computer_problems_con.html https://www.dmv.virginia.gov/webdoc/general/news/news.asp?id=6037
Brian Knowlton, *The New York Times*, 25 Aug 2010 Report begins: "A top Pentagon official has confirmed a previously classified incident that he describes as 'the most significant breach of US military computers ever,' a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan." http://www.readersupportednews.org/off-site-news-section/157-157/2792-2008-attack-on-military-computers-is-confirmed [There was a somewhat similar quote from a top Pentagon official regarding the Cloverdale kids: the "most organized and systematic" attack (RISKS-19.60). Neither quote seems to realistically capture the depth and extent of the overall problems. PGN
Pauline Jelinek, Associated Press A foreign spy agency pulled off the most serious breach of Pentagon computer networks ever by inserting a flash drive into a U.S. military laptop, a top defense official said Wednesday. The previously classified incident, which took place in 2008 in the Middle East, was disclosed in a magazine article by Deputy Defense Secretary William J. Lynn and released by the Pentagon Wednesday. He said a "malicious code" on the flash drive spread undetected on both classified and unclassified Pentagon systems, "establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control." http://news.yahoo.com/s/ap/20100825/ap_on_hi_te/us_pentagon_cyber_attack I guess you can refer to this as a "man on the inside" attack. Jim Reisert AD1C, <firstname.lastname@example.org>, http://www.ad1c.us
I tried to log on to the AmEx site this morning (17 Sep, 9:15 am, left coast time). The first page told me to click "reload." I did. Here is a small part of what happened next. Oops! Prof. Tony Lima, Dept. of Economics, CSU, East Bay, email@example.com http://www.cbe.csueastbay.edu/~alima 1-510-885-3889 <HTML> <HEAD> <TITLE>American Express/Cards/We're Sorry - </TITLE> </HEAD> [...] <!-- Global Nav Changes start By Siva --> <!--Created by CMAX: Mon Jun 07 08:34:27 MST 2010 File: US_en_s_T1_DualRelationshipQuickWin.html DO NOT MODIFY--><link rel="stylesheet" href="https://secure.americanexpress.com/navigation/shared/nav/opt_nav_menu_styles_div.css" type="text/css" media="all"> [most of the rest of the html blather deleted by PGN] [<!-- Global Nav Changes start By Siva --> "Siva" must have been the outsourced Indian deity having REVENGE. Webster gives us this: Etymology: Sanskrit Siva, 1788 : the god of destruction and regeneration in the Hindu sacred triad PGN]
[From Dave Farber's IP distribution. PGN-ed] [PGN prepends Lauren Weinstein had previously noted this item: HDCP/HDMI DRM master key reported cracked http://bit.ly/bI1WLI (rudd-o.com)] Tom Waldrop, a spokesman for Intel, confirms the HDCP Master Key for Blu-ray released online, is real. They have tested the code, and found it to work. Waldrop says they believe the code was generated using a computer system, and was not leaked by anyone internally. He says to rip Blu-rays using the code, hardware would have to be created. He says it is costly and he believes it is unlikely anyone will use it to rip Blu-rays. Waldrop says HDCP will continue to be used in Blu-ray discs and is still a secure way to keep people from pirating the movies. [Lindsey Mastis; PGN-ed] http://www.wusa9.com/news/local/story.aspx?storyid=3D111403&catid=3D158
http://www.itbusiness.ca/it/client/en/home/news.asp?id=59072 Robert McMillan, Spammers get the boot with Facebook's new remote logout IT Business, 7 Sep 2010 The social-networking company is rolling out a new security feature that lets users see which computers and devices are logged into their Facebook accounts, and allowing them to knock off spammers. Why could a spammer using a stolen account not regularly monitor for other logins under the account and knock them off?
Zeeya Merali, Hackers blind quantum cryptographers; Lasers crack commercial encryption systems, leaving no trace. *Nature*, 29 Aug 2010 doi:10.1038/news.2010.436 http://www.nature.com/news/2010/100829/full/news.2010.436.html
bright illumination Lars Lydersen, Carlos Wiechers, Christoffer Wittmann, Dominique Elser, Johannes Skaar & Vadim Makarov, Hacking commercial quantum cryptography systems by tailored bright illumination, *Nature Photonics*, online, 29 Aug 2010 | doi:10.1038/nphoton.2010.214 Abstract The peculiar properties of quantum mechanics allow two remote parties to communicate a private, secret key, which is protected from eavesdropping by the laws of physics. So-called quantum key distribution (QKD) implementations always rely on detectors to measure the relevant quantum property of single photons. Here we demonstrate experimentally that the detectors in two commercially available QKD systems can be fully remote-controlled using specially tailored bright illumination. This makes it possible to tracelessly acquire the full secret key; we propose an eavesdropping apparatus built from off-the-shelf components. The loophole is likely to be present in most QKD systems using avalanche photodiodes to detect single photons. We believe that our findings are crucial for strengthening the security of practical QKD, by identifying and patching technological deficiencies. http://dx.doi.org/10.1038/nphoton.2010.214 http://www.nature.com/nphoton/journal/vaop/ncurrent/abs/nphoton.2010.214.html
I've previously written about amazon.com putting someone else's packing slip in the box with my order. Yesterday I ordered a couple of books from them. Amazon.com has a new procedure that (supposedly) speeds up ordering. You enter a secret phrase and Amazon puts your order on the fast track to checkout. The payphrase worked well until I got my e-mail receipt. The unencrypted phrase was included with the message—in the subject line. As soon as I finish lunch I'm deleting that phrase from amazon.com. RISKS? Too obvious and numerous to list. - Tony Lima Prof. Tony Lima, Dept. of Economics, CSU, East Bay, firstname.lastname@example.org http://www.cbe.csueastbay.edu/~alima (510) 885-3889
A few days ago a Toronto woman woke up with itchy spots after seeing a movie at one of the city's larger cinemas. As this is about to be a venue for the Toronto International Film Festival, she was concerned about bedbugs and contacted the management. When she hadn't heard back after a couple of days, she mentioned it to a friend—who proceeded to assert on Twitter that the cinema *had* bedbugs. The management, meanwhile, had had the place inspected and found no bedbugs, and said so themselves on Twitter. But when they made it clear that they were taking the report seriously, this was promptly interpreted as confirmation that there *were* bedbugs... http://www.thestar.com/news/gta/article/855193--anykey http://www.cbc.ca/health/story/2010/08/31/tiff-bedbugs-investigate-scotiabank.html Mark Brader, Toronto, email@example.com | "Fast, cheap, good: choose any two."
[Reported by Lauren Weinstein in Network Neutrality Squad] Epic failures: 11 infamous software bugs http://bit.ly/cpmq9R (Matt Lake, *Infoworld*) Most of these bugs should be well-known to long-time RISKS readers: Mars Climate Orbiter doesn't orbit Mariner 1 five-minute flight Moth in the machine: Debugging the origins of `bug' [Grace Hopper] Forty seconds of Ariane-8 Pentium chips fail math [and more math bugs] Call waiting ... and waiting ... [the AT&T Martin Luther King Day fiasco] Windows Genuine Disadvantage Patriot missile mistiming Therac-25 Medical Accelerator disaster [multiple deaths] Multidata systems/Cobalt-80 overdoses Osprey aircraft choice End-of-the world bugs The bug that never was: Black Monday's dark secret  Matt includes 38 URLs for your convenience. Also, see the risks archives and my Illustrative Risks compendium index for background references. http://www.csl.sri.com/neumann/illustrative.html
(Wayner, RISKS-26.15) In RISKS-26.15, Peter Wayner refers to the article > http://www.usatoday.com/travel/flights/2010-08-31-1Acockpits31_ST_N.htm in *USA Today*, which claims to have shown > Flaws in flight simulator training helped trigger some of the worst airline > accidents in the past decade and that > More than half of the 522 fatalities in U.S. airline > accidents since 2000 have been linked to problems with simulators I like to think I keep well up to date with commercial aircraft accidents, their analyses and causes, and am aware of simulator strengths and weaknesses. This suggestion struck me as somewhat thin. But if one reads the sentences literally, with their main verbs "helped trigger" and "have been linked to", they do not speak of causes or causal factors. I can "help trigger" an accident if some *USA Today* journalist is so enraged by reading this note on hisher Blackberry that heshe runs a red light. And I can link *USA Today* with whom I wish simply by mentioning them in the same sentence in a RISKS note. I am sure the newspaper intends stronger links than this, but it would be good to know what and how, and the article gives no clue. The NTSB uses the words "probable cause" and "contributing factors" in their conclusions and these terms have more precise meanings. The article mentions three accidents: the 12 Nov 2001 American Airlines Airbus A300-600 loss of control on climb-out from New York; the 20 Dec 2008 Continental Airlines Boeing 737-500 takeoff loss of directional control at Denver; and the 12 Feb 2009 Colgan Air Bombardier Q400 loss of control on approach to landing at Buffalo. The abstracts and links to the full reports are, respectively, these: http://www.ntsb.gov/ntsb/brief.asp?ev_id=20011130X02321&key=1 http://www.ntsb.gov/publictn/2010/AAR1004.htm http://www.ntsb.gov/publictn/2010/AAR1001.htm I invite RISKS readers to take a quick look at these very short synopses. These three accidents total 315 deaths and the *USA Today* article does not say which other accidents it counts. Only the Denver accident causes and factors specifically mention simulators. The pilot flying lost directional control of the aircraft on the runway during takeoff, because of very high gusting crosswinds. The gust "exceeded the captain's training and experience", and according to the NTSB he failed effectively to use rudder to control the aircraft in the gust. The first contributing factor allows us to conclude that the crew did not receive timely and accurate info on the actual wind strength and direction. The second contributing factor is "inadequate crosswind training in the airline industry due to deficient simulator wind gust modeling". It is widely accepted in the industry that the most recurrent feature of most large-airplane commercial air accidents worldwide in the last few years has been loss of control. It used to be controlled flight into terrain, but it is now widely accepted that the Ground Proximity Warning System (GPWS) and its version Enhanced by terrain mapping using GPS and terrain maps (EGPWS) have reduced the incidence of such accidents considerably (although they still occur, as to an Airblue Airbus A321 on approach to Islamabad on 28 July, 2010 - see http://aviation-safety.net/database/record.php?id=20100728-0 ). The 2001 American Airlines accident was loss of control because of structural failure: the vertical fin separated from the aircraft. The NTSB found that the pilot flying had caused that separation by overstressing it through "rudder reversal" control inputs; contributing were the rudder control system design of Airbus, and American Airlines Advanced Aircraft Maneuvering [sic] Program AAMP. The NTSB heard both that AAMP discussed use of rudder to help recover from upsets, and that the FAA, Airbus and Boeing had expressed concern about this in a letter to American Airlines four years before. The pilot flying had been observed on a previous flight using rudder to control unwanted aircraft movement from environmental disturbance, and the captain on that flight, who gave evidence to the inquiry, had discussed it with him then. I refer Risks readers interested in more to the report, as well as to my paper: http://www.rvs.uni-bielefeld.de/publications/Reports/CrashOfAA587.pdf The AAMP does involve simulator work, but a simulator cannot be known accurately to represent what would happen during unusual piloting rudder-reversal behavior because, well, until the accident nobody knew at what point airframe structure would fail (it turned out to be some one-third stronger than required by certification regulations)! The pilot flying the Colgan Air accident aircraft reacted inappropriately to a stall warning, by pulling on the stick, and holding it back against the attempts of the automatic "stick pusher" system to push it forward. This resulted in the aircraft stalling at low altitude. Pushing the stick forward is the appropriate response. There was considerable discussion of the pilot's aptitude, his level of awareness (relating to possible fatigue), and his overall Q400 training at Colgan Air. The NTSB remarked on features of that airline's training program, which of course involves simulator work. But I don't think it would be appropriate to conclude that there is anything much wrong with the simulators themselves. Simulators do not necessarily accurately represent the behavior of aircraft close to the "edge" of their "flight envelope", and they cannot be taken to do so for flight outside the envelope. Aerodynamicists study these "out of envelope" characteristics by use of wind tunnel models, but actual aircraft are not flown in flight test "out of envelope" except for certain restricted manoeuvres prescribed in the certification regulations (such as flying at "maximum operating airspeed" and initiating a 7.5° nose-down dive for 20 seconds, to mimic an overspeed excursion from cruise). For most "out of envelope" flight, aerodynamicists can make very well-educated guesses (from their wind-tunnel modeling) as to what might happen, but they are the first people to say that they are not at all certain. Nobody goes out to flight-test Boeing 747 aircraft in partially-inverted almost-vertical semi-spins, such as what happened to a China Air Lines Boeing 747 over the Pacific near San Francisco in 1985: http://www.rvs.uni-bielefeld.de/publications/compendium/incidents_and_accidents/1985_b747.html So there are limits to what simulators can achieve, and it is a matter for research how much "out of envelope" behavior can be usefully and veridically simulated. Since loss of control is now prominent amongst probable causal factors of accidents, it seems to me obviously worthwhile to perform this research. Where it will lead is anybody's guess, as with most research. However, the NTSB's concern in the Denver report is with situations that could be veridically modeled in flight simulators but currently are not. That could be, and probably should be, fixed. Peter Bernard Ladkin, Causalis Limited and University of Bielefeld, www.causalis.com www.rvs.uni-bielefeld.de
By way of trying to keep RISKS content accurate, I have previously not included in RISKS a lot of discussion relating a new report on the 2008 Spanair crash that killed all but 18 of 172 people aboard the plane. Various people submitted and commented on the report that purportedly claimed that a malware infection in the aircraft software was implicated in the fatal Spanair plane crash because it had prevented three technical problems from being detected. More recently, this claim may have been the result of a faulty translation from Spanish to English. The cause is now suspected to have been the pilot's failure to check flaps before takeoff. [I hesitate to suggest that the mistake might have been more obvious if the pilot's name had been Mal Ware. But the flap that resulted over the misleading article was quite prolonged, until the subsequent rebuttal. PGN]
On Sun, 5 Sep 2010 09:09:33 -0400, Monty Solomon <firstname.lastname@example.org> discussed Randall Stross' article in the 4 Sep 2010 New York Times, "A Strong Password Isn't the Strongest Security." This included classic quotes such as Make your password strong, with a unique jumble of letters, numbers and punctuation marks. But memorize it - never write it down. And, oh yes, change it every few months. Just add the advice to use a different password for every account you use (including websites) and you're all set never to be able to log in again. As Monty correctly points out: "These instructions are supposed to protect us. But they don't." Now here I'm going to reiterate something probably everybody reading this list is aware of: Stross has fallen into the classic security misapprehension error: the idea either you're "secure" or you're not. The real question, as we all know, should be, "against what sort of attacks am I vulnerable?" Here I was going to make a few more notes directly contradicting Stross. For example, I write down all of my web site passwords. Why? Because it's more important, in my threat model, to have a different password for every site than it is to be able to memorize them. (Not to mention the additional bonus of being able to use 12-16 character passwords that contain both cases, numbers and punctuation--at least where the web site admins allow me to do so.) But clearly I'm preaching to the converted in this forum, which made me think for a moment, and realize the real problem, which we also probably all know about: how do we educate "the rest of us" (i.e., those who are not good risk managers and/or who don't have adequate domain knowledge) about how to chose "good" passwords, or even what the definition of "good" is in any particular circumstance? Should somebody write *Passwords for Dummies* and distribute it widely for free? Is that going to be too long? Will anybody but Rob Slade read it in detail? How about a summary document? A FAQ? A campaign to chase down the media when they publish articles such as Stross' and push for corrections and pointers to good information? I'm open to suggestions on this one. It's clearly something that, as security professionals we should be trying to address, yet the evidence appears to be that we've failed for at least a decade now. Is it addressable? Is our lack of success here our fault or humanity's? Curt Sampson <email@example.com> +81 90 7737 2974
I think the answer is pretty simple: the other people involved uploaded *their* address books to Facebook, and you were in them. Many mail clients have what I consider a horrible misfeature: anybody you correspond with is automatically added to your address book. So your one e-mail from John Smith permanently records you in his mail client; when he uploaded his address list, Facebook now had the connection. The obvious RISK of this design is that your privacy is dependent on John Smith's decisions, not yours. A secondary RISK, which I have observed, is that typos and unwanted alternate e-mail addresses get put into address books and are difficult or impossible to purge. (When my wife types "geoff", she gets several autocompletion addresses for me, and had to be trained which one to use.) Geoff Kuenning firstname.lastname@example.org http://www.cs.hmc.edu/~geoff/ [Also noted by Dave Holland, who noted that "Ironically, giving one's Facebook password to a third party is against the Facebook terms of service..." PGN]
[Jacket blurb] Jeffrey Hunker, Creeping Failure: How We Broke the Internet and What We Can Do to Fix It, McClelland, 2010 http://www.randomhouse.com/catalog/display.pperl?isbn=9780771041488 http://www.mcclelland.com/catalog/display.pperl?isbn=9780771041488 Like the burgeoning cities of the early Industrial Revolution, the Internet is teeming with energy but also with new and previously unimagined dangers, and lacking the technical and political infrastructure to deal with these problems. In a world where change of our own making has led to unexpected consequences, why have we failed, at our own peril, to address these consequences? In *Creeping Failure: How We Broke the Internet and What We Can Do to Fix It *, Hunker, drawing on his experience as a top expert in information security, provides an entertaining and lucid account of the threats facing the Internet, discusses the failure of the national cyber security policies of the US, Canada, and the G-7, and puts forward thought provoking and revolutionary proposals for how we could fix it. Hunker illustrates how cyber security is an issue for everyone, and outlines new roles for government and the private sector in devising a solution. Hunker takes a close look at the 'creeping failures' that have kept us in a state of cyber insecurity: how and why they happened, and most crucially how they can be fixed. And he arrives at some stunning conclusions about the dramatic measures that we will need to accomplish this. *Creeping Failure* is a must read for anyone interested in current affairs and the Internet because, in describing the challenges facing the cyber world, it also describes the challenges and trade-offs we all face in contemporary society.
Please report problems with the web pages to the maintainer