The RISKS Digest
Volume 27 Issue 43

Tuesday, 27th August 2013

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Nasdaq Market Overcomes Trading Failure
Nathaniel Popper
NZ Inland Revenue system: Watch this space
Richard A. O'Keefe
Key emergency notification system, NOAA's "All Hazards Radio" DOWN
Danny Burstein
Zuckerberg's Facebook page hacked to prove security flaw
Lauren Weinstein
Facebook: Governments Demanded Data on 38K Users
Matt Apuzzo via Dewayne Hendricks
Feds Back Away From Forced Decryption—For Now
David Kravets via Dewayne Hendricks
China suffers 'largest' cyberattack; Censorship makes it difficult to gauge attack scope
Lauren Weinstein
"Zombie scripts can attack at any time"
Paul Venezia via Gene Wirchenko
Novopay subcontractor bought by reviewer
Richard A. O'Keefe
"'Jekyll' test attack sneaks through Apple App Store, wreaks havoc on iOS"
John Cox via Gene Wirchenko
"The devil is in the subscription-licensing details"
RL Mitchell via GW
"Ramnit Financial Malware Now Aimed at Steam Gamers"
Chris Paoli via GW
"Don't fall prey to ad networks peddling dicey links"
Roger A. Grimes via GW
"Would Transparency by Feds Ease Fears Over Cloud Surveillance?"
GW
Re: Xerox scanners/photocopiers randomly alter numbers in scanned documents
David Lesher
Carlos G Mendioroz
Re: Risks to NYC Bike Share
George Neville-Neil
Re: Easter Eggs in Infrastructure Software
David A. Lyons
Info on RISKS (comp.risks)

Nasdaq Market Overcomes Trading Failure

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 22 Aug 2013 15:39:26 PDT
Nathaniel Popper, *The New York Times*, 22 Aug 2013
http://dealbook.nytimes.com/2013/08/22/nasdaq-market-halts-trading/

Trading in a wide array of stocks, including popular ones like Apple and
Microsoft, ground to a halt on 22 Aug 2013 after a technology problem at the
Nasdaq stock exchange.  It was the latest prominent disruption in the
markets caused by computer glitches.


NZ Inland Revenue system: Watch this space

"Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Fri, 23 Aug 2013 17:00:45 +1200
The current New Zealand Inland Revenue Department is 40 million lines of
COBOL and DMSII and who-knows-what which has been stretched far past its
original design.  I am by background and inclination in roughly the same
political camp as say I. F. Stone, but in the case of a computer system like
this it is hard to argue with small-government conservatives who claim that
the tax system should be simplified.  A simpler system is not necessarily
one that is unfair to workers, after all.

  "[The] system has been transformed over the years from a tax system
  collecting only income and company tax, to one which covers child support,
  ... student loans, ...  Kiwisaver [a retirement scheme], and Working for
  Families."
http://www.stuff.co.nz/national/politics/8619006/IRD-computer-systems-1-5b-overhaul

The Cabinet approved what has been described as a "major overhaul" but
sounds more like a total rewrite.  The project is supposed to take 10 years,
and to cost a milliard dollars, although they're allowing for one and a half
milliard.  To put this in perspective, the population of the country is
about 4.5 million, so the annual spend will be 22 to 34 dollars per man,
woman, and child per year.

Several people are freaking out about the big number, but
        40,000,000 lines of code
* 20 lines of tested working documented code/day
      = 2,000,000 programmer-days
* 200 work-days per year
     = 10,000 programmer work-years
* $100,000 salary and overheads per programmer year
     = $1,000,000,000 (one milliard)
equivalent must have been spent building the old system—using some very
crude estimates I don't care to justify—so the expected cost of the new
system is not out of line.

Nonetheless, slouching your way to Bedlam one new feature request at a time
is one thing, *intending* to go there is quite another.  It would make a
huge amount of sense spending a full year of design trying to reduce the
size of the planned system (whatever they think the size will be), but it
will take a special miracle from St Thomas More to make _that_ happen.

Expect to hear interesting things about this.


Key emergency notification system, NOAA's "All Hazards Radio" DOWN

danny burstein <dannyb@panix.com>
Sun, 18 Aug 2013 21:06:01 -0400 (EDT)
The National Oceanic and Atmospheric Administration (NOAA) has operated a
nationwide network of radio transmitters providing full time weather reports
and forecasts for decades now, dating back to their "Weather Bureau" days.

As I wrote in my note to RISKS back in Oct 2005 [a], where I discussed the
lack of backup power to many of their facilities:

  "These stations are part of the _real_ emergency network and are supposed
  to stay up after anything short of a direct nuclear hit."

There are numerous radio receivers that can pick up these stations, with
many of them in a "silent/squelch mode" until activated.

In case of a local hazardous/emergency situation such as a hurricane,
tornado, flood, chemical spill, nuclear reactor plant breach, or ... national
events up to and including nuclear attack, the transmitters send out an
alert tone which "unlocks" the receivers and activates the loudspeakers.

Hence just about every "911 PSAP" (public safety answering position),
utility headquarters, transit operations center, many tv/radio stations,
and... thousands and thousands of people living in tornado/hurricane/flood
zones, have these radios. Hence it's critical that the system stay up.

Recently friends of mine in NYC noted that the local station, covering
perhaps 15 million people, was repeatedly off the air for the past two
months.

Finally, after many complaints to NOAA, they posted a note on their
"outages" web page confirming the problem. And then, a few days later, came
up with the startling reason that...

(quoting from the page [b]):

  SPECIAL NOTICE
  NEW YORK CITY, NY Transmitter (KWO35)
  Frequency 162.550

  Due to interference issues with the U.S. Coast Guard, the New York City
  transmitter has been temporarily taken out of service while a solution is
  being formulated.

Yes. Really.

The Big Problem here (aside from the lack of urgency by all the folk
involved) is that many, make that MANY, people and agencies are counting on
this working. Folk using the radios in "squelch" (silent) mode are relying
on them to "open up" in an emergency, yet have no way to know the system is
dead.

It's kind of like relying on your overhead sprinklers and not knowing that
the main water valve is off.

[a] http://catless.ncl.ac.uk/Risks/24.07.html#subj4

[b] http://www.nws.noaa.gov/nwr/outages.php

- since the NOAA outage page is dynamic and, hopefully, real soon now, will
  change when the system is finally fixed, I've mirrored that image up at:

    http://www.dburstein.com/images/noaa-tx.png


Zuckerberg's Facebook page hacked to prove security flaw

Lauren Weinstein <lauren@vortex.com>
Mon, 19 Aug 2013 10:09:44 -0700
  A Palestinian researcher posted a message on Facebook CEO Mark
  Zuckerberg's page last week after he says the site's security team didn't
  take his warnings about a security flaw seriously.  "First, sorry for
  breaking your privacy and post(ing) to your wall," wrote Khalil
  Shreateh. "I (have) no other choice to make after all the reports I sent
  to (the) Facebook team."  Shreateh, who describes himself as an unemployed
  security researcher with a degree in information systems, said he found a
  hole in Facebook's systems that let him post to any user's page, including
  users not on his Friends list.  Such an exploit would be a virtual gold
  mine for spammers, scam artists and others seeking to take advantage of
  the site's roughly 1 billion users worldwide.
    http://j.mp/14PQL4t  (CNN via NNSquad)

  [See also "Hacker: I pwned Zuckerberg; at least give me a stupid T-shirt"
  (Robert X. Cringely), InfoWorld, 19 Aug 2013.  PGN via GW]
http://www.infoworld.com/t/cringely/hacker-i-pwned-zuckerberg-least-give-me-stupid-t-shirt-225135


Facebook: Governments Demanded Data on 38K Users (Matt Apuzzo)

Dewayne Hendricks <dewayne@warpspeed.com>
August 27, 2013 12:32:01 PM EDT
Matt Apuzzo, Associated Press, 27 Aug 2013
http://hosted.ap.org/dynamic/stories/U/US_FACEBOOK_LAW_ENFORCEMENT

WASHINGTON (AP)—Government agents in 74 countries demanded information on
about 38,000 Facebook users in the first half of this year, with about half
the orders coming from authorities in the United States, the company said
Tuesday.

The social-networking giant is the latest technology company to release
figures on how often governments seek information about its
customers. Microsoft and Google have done the same.

As with the other companies, it's hard to discern much from Facebook's data,
besides the fact that, as users around the globe flocked to the world's
largest social network, police and intelligence agencies followed.

Facebook and Twitter have become organizing platforms for activists and, as
such, have become targets for governments. During anti-government protests
in Turkey in May and June, Turkish Prime Minister Recep Tayyip Erdogan
called social media "the worst menace to society."

At the time, Facebook denied it provided information about protest
organizers to the Turkish government.

Data released Tuesday show authorities in Turkey submitted 96 requests
covering 173 users. Facebook said it provided some information in about 45
of those cases, but there's no information on what was turned over and why.

"We fight many of these requests, pushing back when we find legal
deficiencies and narrowing the scope of overly broad or vague requests,"
Colin Stretch, Facebook's general counsel, said in a blog post. "When
we are required to comply with a particular request, we frequently share
only basic user information, such as name."

Facebook spokeswoman Sarah Feinberg said the company stands by its
assertions that it gave no information regarding the Turkey protests.

"The data included in the report related to Turkey is about child
endangerment and emergency law enforcement requests," she said. ...


Feds Back Away From Forced Decryption—For Now (David Kravets)

Dewayne Hendricks <dewayne@warpspeed.com>
August 27, 2013 7:46:19 AM EDT
David Kravets, *WiReD*, 27 Aug 2013 [PGN-ed]
http://www.wired.com/threatlevel/2013/08/forced-decryption-legal-battle/

Federal prosecutors have formally dropped demands that a child-porn suspect
give up his encryption keys in a closely watched case, but experts warn the
issue of forced decryption is very much alive and is likely to encompass a
larger swath of Americans as crypto adoption becomes mainstream. ...

The question of whether the government can force a suspect to decrypt hard
drives was thrust into the limelight earlier this year when federal
authorities suspected a Wisconsin man of downloading child pornography from
the file-sharing network e-Donkey. One federal judge ordered the defendant
to decrypt as many as nine hard drives seized from the suspect's suburban
Milwaukee apartment. Another judge put that decision on hold to analyze the
implications of whether the demand breached the Fifth Amendment right
against compelled self incrimination.

The hotly contested legal issue was mooted when prosecutors said the FBI
cracked two of the suspect's drives—both Western Digital My Book
Essentials.  They announced they found kiddie-porn images and days ago
dropped their forced-decryption legal battle. It's allegedly enough illicit
porn to put Feldman away for decades, if he's found guilty. ...

Wes McGrew, a Mississippi State professor of computer security and reverse
engineering, suspected that authorities cracked Feldman's passwords,
rather than the underlying encryption, to decrypt the Western Digital
drives. ...

For the moment, requiring suspects to decrypt data is rare, and has never
been squarely addressed by the Supreme Court. ...

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>


China suffers 'largest' cyberattack; Censorship makes it difficult to gauge attack scope

Lauren Weinstein <lauren@vortex.com>
Mon, 26 Aug 2013 10:38:24 -0700
http://j.mp/143vBRf  (ZDNet via  NNSquad)

  "Many Chinese websites are down following what authorities are describing
  as the "largest denial-of-service attack" it has ever faced. But because
  of heavy Internet regulation and censorship, it's not clear to Western
  eyes how deep the attack went."

Rumor is that the attack is being attributed to the "Pekingese Liberation
Army."


"Zombie scripts can attack at any time"

Gene Wirchenko <genew@telus.net>
Mon, 26 Aug 2013 11:45:40 -0700
Paul Venezia, InfoWorld, 26 Aug 2013
Make no mistake, abandoned scripts and other IT zombies can make for
spirited problem solving
http://www.infoworld.com/d/data-center/zombie-scripts-can-attack-any-time-225426

selected text:

Lo and behold, I discovered more than 20,000 emails, the vast majority of
which were returns from a cronjob that someone else had implemented years
ago.  This cronjob was now failing, and the report the cronjob created
couldn't be delivered because the recipient domain no longer existed, and
the mailer error came back to me, the postmaster.
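The failure Venezia describes (a forgotten cron job that keeps mailing a report to a domain that no longer exists, so every run bounces back to postmaster) is easy to triage mechanically once the bounces are grouped by the job that produced them. The script below is an added example, not code from the article or from RISKS: it parses constructed bounce messages in the shape Postfix and Exim produce, aggregates them per cron job, flags jobs whose recipient domain has gone away, and locates the matching crontab entry. The diagnostic-code phrases it matches, the sample mail, the crontab text and the host/user names are all assumptions constructed for illustration.

```python
"""Triage postmaster bounce mail to find 'zombie' cron jobs.

Added example (not from the InfoWorld article or RISKS). All mail and
crontab text below is constructed for illustration.
"""
import re
from collections import defaultdict

# Assumed phrasing of "domain no longer exists" rejections; Postfix and Exim
# use the first and last of these, other MTAs may differ.
DOMAIN_GONE = re.compile(
    r"host or domain name not found|domain does not exist|"
    r"no such domain|unrouteable address", re.IGNORECASE)

RECIPIENT = re.compile(r"^Final-Recipient:\s*rfc822;\s*(\S+)", re.M)
DIAGNOSTIC = re.compile(r"^Diagnostic-Code:\s*(.+)$", re.M)
# Cron's own subject line, echoed back inside the bounce: Cron <user@host> command
CRON_SUBJECT = re.compile(r"^Subject:\s*Cron\s*<([^@>]+)@([^>]+)>\s*(.+)$", re.M)

# Constructed bounces as they might sit in postmaster's mailbox.
SAMPLE_BOUNCES = [
    "From: MAILER-DAEMON@mail.example.org\nSubject: Undelivered Mail Returned to Sender\n"
    "Date: Mon, 05 Aug 2013 03:00:12 -0700\n\n"
    "Final-Recipient: rfc822; reports@oldvendor.example\nAction: failed\n"
    "Diagnostic-Code: smtp; 550 Host or domain name not found\n\n"
    "--- Undelivered message headers ---\n"
    "Subject: Cron <ops@batch01> /usr/local/bin/nightly_report.sh\n",
    "From: MAILER-DAEMON@mail.example.org\nSubject: Undelivered Mail Returned to Sender\n"
    "Date: Tue, 06 Aug 2013 03:00:09 -0700\n\n"
    "Final-Recipient: rfc822; reports@oldvendor.example\nAction: failed\n"
    "Diagnostic-Code: smtp; 550 Host or domain name not found\n\n"
    "--- Undelivered message headers ---\n"
    "Subject: Cron <ops@batch01> /usr/local/bin/nightly_report.sh\n",
    # Transient failure: a live job with a flaky relay, not a zombie.
    "From: MAILER-DAEMON@mail.example.org\nSubject: Undelivered Mail Returned to Sender\n"
    "Date: Tue, 06 Aug 2013 00:10:44 -0700\n\n"
    "Final-Recipient: rfc822; sysadmin@example.org\nAction: delayed\n"
    "Diagnostic-Code: smtp; 451 4.4.1 connection timed out\n\n"
    "--- Undelivered message headers ---\n"
    "Subject: Cron <root@batch01> /usr/local/bin/rotate_logs.sh\n",
    # A human's bounce, not cron-generated: ignored by the triage.
    "From: MAILER-DAEMON@mail.example.org\nSubject: Undelivered Mail Returned to Sender\n\n"
    "Final-Recipient: rfc822; bob@nowhere.example\nAction: failed\n"
    "Diagnostic-Code: smtp; 550 Host or domain name not found\n\n"
    "Subject: lunch?\n",
]

SAMPLE_CRONTAB = """MAILTO=reports@oldvendor.example
# nightly vendor report (owner left years ago)
0 3 * * * /usr/local/bin/nightly_report.sh
@daily /usr/local/bin/rotate_logs.sh
"""


def parse_bounce(text):
    """Extract the originating cron job and the failure; None if not cron-generated."""
    cron = CRON_SUBJECT.search(text)
    if cron is None:
        return None
    rcpt = RECIPIENT.search(text)
    diag = DIAGNOSTIC.search(text)
    diagnostic = diag.group(1).strip() if diag else ""
    return {
        "user": cron.group(1), "host": cron.group(2), "command": cron.group(3).strip(),
        "recipient": rcpt.group(1) if rcpt else "?",
        "diagnostic": diagnostic,
        "domain_gone": bool(DOMAIN_GONE.search(diagnostic)),
    }


def triage(bounces):
    """Aggregate bounces per (host, user, command); most-bounced jobs first."""
    groups = defaultdict(lambda: {"bounces": 0, "domain_gone": False, "recipients": set()})
    for text in bounces:
        b = parse_bounce(text)
        if b is None:
            continue
        g = groups[(b["host"], b["user"], b["command"])]
        g["bounces"] += 1
        g["domain_gone"] = g["domain_gone"] or b["domain_gone"]
        g["recipients"].add(b["recipient"])
    rows = [{"host": h, "user": u, "command": c, "bounces": g["bounces"],
             "domain_gone": g["domain_gone"], "recipients": sorted(g["recipients"])}
            for (h, u, c), g in groups.items()]
    rows.sort(key=lambda r: (-r["bounces"], r["command"]))
    return rows


def locate_in_crontab(crontab_text, command):
    """Return (schedule, line_number) of the crontab entry running `command`, else None."""
    for lineno, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment, or VAR=value line such as MAILTO
        if line.startswith("@"):
            schedule, _, cmd = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, cmd = " ".join(fields[:5]), fields[5]
        if cmd.strip() == command:
            return schedule, lineno
    return None


if __name__ == "__main__":
    for row in triage(SAMPLE_BOUNCES):
        tag = "ZOMBIE? recipient domain gone" if row["domain_gone"] else "transient"
        where = locate_in_crontab(SAMPLE_CRONTAB, row["command"])
        print(f'{row["bounces"]:3d}  {row["user"]}@{row["host"]}  {row["command"]}  '
              f'-> {",".join(row["recipients"])}  [{tag}]  crontab: {where}')
```

Run against the real postmaster mailbox by feeding each message's text to `triage`; the jobs at the top of the list with `domain_gone` set are the ones whose owner and recipient have both left, and `locate_in_crontab` points at the line to retire. Transient 4xx failures are deliberately kept separate so a live job with a flaky relay is not mistaken for a zombie.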


Novopay subcontractor bought by reviewer (Re: RISKS-27.36,39,40)

"Richard A. O'Keefe" <ok@cs.otago.ac.nz>
Fri, 23 Aug 2013 17:42:49 +1200
Stephen Joyce issued the "Novopay Technical Review - Terms of Reference"

An anonymous report was issued on 19 Mar 2013.  The review was done by
Deloitte, under the direction of Murray Jack in his role as chairman of
Deloitte.  The subsequent Ministerial Inquiry into Novopay was headed by
Murray Jack in his role as a private individual.
http://www.minedu.govt.nz/~/media/MinEdu/Files/TheMinistry/NovopayProject/MinisterialInquiry/TechnicalReviewTermsOfReference.pdf
http://www.minedu.govt.nz/~/media/MinEdu/Files/TheMinistry/NovopayProject/MinisterialInquiry/TechnicalReviewFinalReport.pdf

According to the National Business Review, Deloitte recently bought Asparona,
a development-on-Oracle company, and one of the subcontractors that did
software development work on Novopay.  In fairness to Asparona, the Novopay
shambles is a project management shambles, not a programming shambles as
such, and Asparona "were brought onboard ... *after* the Ministry of
Education" noticed things were going badly.
http://www.nbr.co.nz/article/deloitte-buys-novopay-subcontractor-no-open-ck-p-144414

Still:
 (1) The government paid Deloitte to examine Novopay.
 (2) Deloitte said it can be fixed and recommended throwing more money and
      people at it.
 (3) The government says "OK boss".
 (4) Deloitte bought the subcontractor.

I'm sure that this was all done according to the highest of business ethics
complete with Chinese walls, but at a minimum it seems as if Deloitte had a
taxpayer-subsidized opportunity to inspect Asparona that other conceivable
purchasers did not have.

The press seem to be reporting this just as an endorsement of how good
Asparona were.  Maybe I'm crazy to find this just a touch on the nose.


"'Jekyll' test attack sneaks through Apple App Store, wreaks havoc on iOS" (John Cox)

Gene Wirchenko <genew@telus.net>
Tue, 20 Aug 2013 17:40:11 -0700
John Cox, Network World, 19 Aug 2013
Like a Transformer robot, malicious Apple iOS app re-assembles itself
into an aggressive attacker running inside the iOS 'sandbox'
http://www.infoworld.com/d/security/jekyll-test-attack-sneaks-through-apple-app-store-wreaks-havoc-ios-225107


"The devil is in the subscription-licensing details" (RL Mitchell)

Gene Wirchenko <genew@telus.net>
Tue, 20 Aug 2013 19:50:55 -0700
  This is a resubmittal.  This item appeared in 27.42, but you did not
  include the URL.  GW  [Ooooops!  PGN]

Robert L. Mitchell, Computerworld, 13 Aug 2013
The devil is in the subscription-licensing details
The transition to cloud-based services is ratcheting up traditional
enterprise software costs and adding layers of complexity
http://www.infoworld.com/t/applications/the-devil-in-the-subscription-licensing-details-224737


"Ramnit Financial Malware Now Aimed at Steam Gamers" (Chris Paoli)

Gene Wirchenko <genew@telus.net>
Wed, 21 Aug 2013 14:24:26 -0700
Chris Paoli, *Redmond Magazine*, 21 Aug 2013
Ramnit Financial Malware Now Aimed at Steam Gamers
A variant of the popular "money in the bank" malware is now targeting
the largest online game distributor.
http://redmondmag.com/articles/2013/08/21/ramnit-financial-malware.aspx


"Don't fall prey to ad networks peddling dicey links" (Roger A. Grimes)

Gene Wirchenko <genew@telus.net>
Tue, 20 Aug 2013 17:26:16 -0700
Roger A. Grimes, InfoWorld, 20 Aug 2013
If your website accepts links from third parties—such as ad
networks—make sure they don't lead to malicious sites
http://www.infoworld.com/d/security/dont-fall-prey-ad-networks-peddling-dicey-links-225216


"Would Transparency by Feds Ease Fears Over Cloud Surveillance?"

Gene Wirchenko <genew@telus.net>
Mon, 19 Aug 2013 13:54:04 -0700
http://redmondmag.com/blogs/the-schwartz-report/2013/08/cloud-surveillance.aspx


Re: Xerox scanners/photocopiers randomly alter numbers in scanned documents (RISK-27.41)

David Lesher <wb8foz@panix.com>
Mon, 19 Aug 2013 10:04:59 -0400
Decades ago, I recall the monster IBM 3800 laser printer on NASA-LeRC's 3033
had another subtle firmware/hardware bug. The 3800 served the entire lab,
and thanks to robust home-grown utilities [some written in Fortran..]  did
almost everything you needed, from correspondence on letterhead to memos to
graphs/charts.

But sometime it would, seemingly randomly, drop a whole line of text.

When Legal found out, they went into orbit. Thereafter, all legal documents
had to use the PRINT-90 utility; the theory being a missing column of text
would be far more obvious than a missing line.


Re: Xerox scanners/photocopiers randomly alter numbers in scanned documents (RISK-27.41)

Carlos G Mendioroz <tron@huapi.ba.ar>
Sun, 18 Aug 2013 20:29:20 -0300
Already done, some 30 years ago. We had a document system that altered the
dot matrix definition of characters according to the user printing the
doc. Subtle, invisible to the naked eye...

Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina


Re: Risks to NYC Bike Share (RISKS-27.42)

George Neville-Neil <gnn@neville-neil.com>
Sun, 18 Aug 2013 22:53:56 -0400
Paul Schreiber <paulschreiber@gmail.com> wrote to me:

> In my experience, you can only press the wrench button immediately
> after returning a bicycle.

That may have (finally) been fixed but it was definitely not the case
when they started.  They claimed they were going to fix it, perhaps they did.


Re: Easter Eggs in Infrastructure Software (weather.gov), RISKS 27.41

"David A. Lyons" <dlyons@lyons42.com>
Sun, 18 Aug 2013 16:24:14 -0700
> The US National Weather Service's website <www.weather.gov> returns a
> forecast for Manhattan when the location "evil" is searched.  ... The
> risks? ... introduction of incorrect behavior into critical code, probably
> for the sake of a very bad taste "joke".

The result is puzzling and obscure, but perhaps not the result of a database
error or a joke.  The URL after the search is
<http://forecast.weather.gov/MapClick.php?lat=40.764477&lon=-73.999121&site=all&smap=1&searchresult=Intrepid%20Sea%2C%20Air%20%26%20Space%20Museum%2C%20New%20York%2C%20NY%2010036%2C%20USA#.UhFWGVzTzUk>,
indicating the "Intrepid Sea, Air & Space Museum, New York, NY 10036, USA".

After further web searches, I see the museum features the USS Intrepid,
known as "the Evil I".
<http://www.homeandabroad.com/browse/details/sites.ha?mainInfoId=20337>.
