From Electronic Telegraph: http://www.telegraph.co.uk/et?ac=004299402432522&rtmo=k7bZ7bYp&atmo=rrrrrrrq&pg=/et/01/6/18/wfung18.html

Scientist finds fungus that eats through compact discs
By Robert Uhlig, Technology Correspondent

FIRST there was the computer virus. Now scientists have found a fungus that eats compact discs. Victor Cardenes, of Spain's leading scientific research body, stumbled across the microscopic creature two years ago, while visiting Belize. Friends complained that in the hot and sticky Central American climate, a CD had stopped working and had developed an odd discoloration that left parts of it virtually transparent. Dr Cardenes and colleagues at the Superior Council for Scientific Research in Madrid discovered a fungus was steadily eating through the supposedly indestructible disc. The fungus had burrowed into the CD from the outer edge, then devoured the thin aluminium layer and some of the data-storing polycarbonate resin. Dr Cardenes said: "It completely destroys the aluminium. It leaves nothing behind." Biologists at the council had never seen this fungus, but concluded that it belonged to a common genus called geotrichum. Philips, the Dutch electronics company that invented the compact disc, said it believed the Belize case was probably a freak incident caused by extreme weather conditions.

Gary Stock UnBlinking firstname.lastname@example.org http://unblinking.com/
Overheard on the MUNI this morning: "Hang on, please. The computer is taking over the train." A feeling of dread rippled through the train. "Finally," we all thought, "the war with the machines is beginning." http://www.kottke.org/notes/0107.html#010711

Hanan Cohen - http://www.info.org.il
Usually, I do my work-related travel between Boston and New York by plane, but I've been meaning to try the train again, especially Amtrak's allegedly-faster Acela. So I call the company travel office to make reservations. (I already know which trains -- whatever the rail equivalent of "flights" is -- I want.) An e-mail confirmation shows up a few minutes later, with a URL pointing to an itinerary. The itinerary showed the correct train numbers and arrival times. No departure times. And had me going between (something like, IIRC) Aptco Test, Texas and someplace in Arkansas. I called the travel group back; they called Amtrak. My reservation's correct, but when the Amtrak system passed info to the next system, it tried to parse City Codes as Airport Codes. More obvious than the "metric vs. English" glitch, but still shows that just because two programs _can_ talk to each other doesn't mean they've agreed on what they're saying... Fortunately, if I get on a southbound train from Boston (traveling at n miles an hour accompanied by a parrot with a balloon tied to one foot) it'll be hard to miss arriving in New York.

Daniel Dern, Executive Editor, Byte.com <email@example.com>
Eli Lilly sent an announcement that it was discontinuing a mailing list, using CC instead of BCC. Some of the more than 600 recipients were unhappy about having their e-mail addresses and Prozac use disclosed, because the purpose of the list was to send out reminders to fill prescriptions for the anti-depressant drug. According to a *ComputerWorld* article, "Eli Lilly is preparing a code audit review and 'working on a program that would block all outbound e-mails with more than one address.'" The American Civil Liberties Union (ACLU) has asked the Federal Trade Commission (FTC) to investigate. A little bit of anonymity is a good thing, even if it's not totally anonymous (e.g., a Hotmail account).
This kind of error is made frequently by new users of e-mail software, but it is interesting (though perhaps not surprising) to see corporations running large mailing lists occasionally make the same error. In either case, it's usually merely an annoyance, or a strategic embarrassment (i.e., effectively giving away your customer list to your competitors). However, in this case the desire of the patients to keep their medical condition private adds another, more serious layer to the risk.

Allan Noordvyk
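An outbound-mail check of the kind the ComputerWorld quote describes, written here as an added example (not Eli Lilly's program): it refuses a message whose To/Cc would reveal more than one address to every recipient, and shows the Bcc rewrite that keeps the list confidential. The sample message and addresses are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

MAX_VISIBLE = 1  # the "more than one address" rule quoted from ComputerWorld

# Constructed sample: a refill reminder that names every patient in To/Cc
SAMPLE = ("From: reminders@example.com\r\n"
          "To: patient1@example.org\r\n"
          "Cc: patient2@example.org, Pat Three <patient3@example.org>\r\n"
          "Subject: Prescription reminder\r\n\r\n"
          "Time to refill your prescription.\r\n")


def visible_recipients(raw):
    """Addresses every recipient will see: To: and Cc:. Bcc: is left out,
    because a conforming mail server removes it before delivery."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if "@" in addr})


def check_outbound(raw, max_visible=MAX_VISIBLE):
    """Gateway decision as (allowed, reason): block mail that would disclose
    the recipient list to everyone on it."""
    visible = visible_recipients(raw)
    if len(visible) > max_visible:
        return False, f"{len(visible)} addresses visible in To/Cc; move them to Bcc"
    return True, "ok"


def to_bcc(raw):
    """Rewrite a bulk message so no recipient can see the others."""
    msg = message_from_string(raw)
    recipients = visible_recipients(raw)
    del msg["To"]
    del msg["Cc"]
    msg["To"] = "undisclosed-recipients:;"  # empty group: names nobody
    msg["Bcc"] = ", ".join(recipients)      # delivered to, then stripped by, the MTA
    return msg.as_string()


if __name__ == "__main__":
    print(check_outbound(SAMPLE))
    print(check_outbound(to_bcc(SAMPLE)))
```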
On 11 Jul 2001, the power levels in Livermore, CA dropped to voltages so low that air conditioners and computers could no longer operate. Computers and air conditioning units went off and on moment by moment -- some lighting systems ended up burnt out, and those without UPSs on their computers had significant data corruption. It is especially noteworthy that this area was NOT among the areas scheduled for blackouts. It turned out to be a set of changes they were making in the infrastructure -- half of our house became out of power, the other half still worked. We went to a motor generator for the down half till we determined what was up, then switched over to a cross feed from the rest of the house. When power came back we switched back - thank you UPSs and motor generators...

Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
Fred Cohen & Associates: http://all.net - firstname.lastname@example.org - tel/fax:925-454-0171
Fred Cohen - Practitioner in Residence - The University of New Haven
From slashdot: http://slashdot.org/yro/01/06/19/2039216.shtml

Myrv writes: "There is an interesting thread over at DSL Reports discussing Phoenix Technologies' new BIOS. This BIOS contains the PhoenixNet Internet Launch System. ILS resides safely within ROM and is activated the first time a user launches a PhoenixNet-enabled PC with a Windows 98 Operating System. When the PhoenixNet ILS detects an Internet connection, it makes contact with the PhoenixNet server and delivers user-selectable services. These services are delivered to the user as hotlinks on the desktop and in the web browser or, as applications that PhoenixNet automatically packages, downloads and installs. It's 3 a.m., do you know who your motherboard's talking to????"

Merlyn Kline = email@example.com
I've recently discovered an incoming number in my caller ID list that looks suspiciously like a hack. The number is listed as 212-555-1212, which is the long-distance directory assistance number for New York, NY and, AFAIK, cannot be an originating number. I called Verizon Communications, which serves both my home code 201 and New York's 212, and their service representative confirmed that the call could not have originated from this number, but refused to speculate on why I would see it on my caller ID. I wonder how long it will take for exploits of such a hole in the telecommunication infrastructure to invalidate law enforcement evidence as in, say, the RISKS-21.50 article by <firstname.lastname@example.org> on Risks in inept election fraud, which mentions that

> * Prosecutors say they traced the IP address back to an AT&T
> WorldNet user who repeatedly used the "Katie Stevens" Hotmail
> account by connecting from Gunhus' home number. (Guess they keep
> Caller ID logs.)

Alexandre Pechtchanski, Systems Manager, RUH, NY
Federal investigators have charged 53-year-old mid-westerner Donald A. English with perpetrating an Internet-based "Ponzi" scheme that bilked tens of thousands of small investors out of $50 million. In a Ponzi scheme, early investors are paid phony "profits" from the money taken from other investors who follow them, after hearing about the huge, fast profits. Since no money is really being earned, the pyramid eventually collapses, when the supply of new investors diminishes. Many of the investors in English's operation, which was called EE-Biz Ventures, were people who are elderly or sick. One of them wrote: "I need at the least a full refund of the $3,000 spent if you do not intend to pay anyone back. Remember, I have cancer and am unable to work for the next six months." [*The New York Times*, 3 Jul 2001, http://partners.nytimes.com/2001/07/03/business/03PONZ.html; NewsScan Daily, 3 July 2001]
Thousands of consumers' credit card details were leaked by a "flaw" on a (UK) Consumers' Association website, according to the BBC: http://news.bbc.co.uk/hi/english/business/newsid_1401000/1401648.stm The consumers affected were people who had bought tax calculation software from the Consumers' Association. The ironic thing is that as a watchdog organisation for consumers, the Consumers' Association is responsible for administering the Which? Web Trader scheme which aims to make online shopping "easy and safe". The Which? Web Trader Code of Practice at http://whichwebtrader.which.net/webtrader/code_of_practice.html says of sites displaying the Which? Web Trader logo:

"You must have an effective security policy that you review regularly. Your policy must include the following:
- you must ensure that your web site is secure so that consumers' personal information and transactions remain confidential and cannot be interfered with"

This incident will do more than most to make consumers aware of the RISKS of shopping on the Net, given the current level of security of Web traders' sites.

Gaz email@example.com (Gary "Wolf" Barnes)
I had a strange experience with one of the mailing lists that I subscribed to a week ago. I am sure that this was mentioned in the past; if so, perhaps it is time for a reminder... Basically what happened was that one of the subscribers to the mailing list decided to get a new e-mail address, and as a courtesy to those who still use the old e-mail address, set up an autoresponder on the old e-mail address that sends the following message: (you know what got changed to protect who)

> From: guilty.oldaddy.com
> To: you.youraddy.com
> Subject: Re: current discussion topic
>
> Hello,
> My new e-mail address is guilty.newaddy.com
> Guilty Person

Ok, so what happened? Well, someone decided to post a message to the mailing list which promptly sent a copy to all subscribers. The autoresponder picked it up and posted the above message to the sender, which happened to be the mailing list. The mailing list then sent a copy of the autoresponder's e-mail to all subscribers including the sender. The autoresponder then sent another e-mail to remind the mailing list of the new address. Ad infinitum. I was surprised to see 15 such entries in my mailbox when I checked my e-mail before logging off that Sunday night. When I realized that this is what happened, I immediately notified via ICQ the owner of that mailing list, who happened to be on-line, and she was able to put a stop to it immediately. It isn't clear to me at this point whether she actually stopped it or the guilty person logged on at that time and put a stop to it. By the time it stopped, a total of 46 notifications were sent. This took up 100MB of my allotted 4000MB mailbox space at malaspina.com. So if this hadn't been stopped in time, a lot of mailboxes would have been full.

So what went wrong? For starters:

1) Guilty Person forgot to change all mailing list subscriptions, or more specifically, this particular one.
2) The autoresponder wasn't configured to send exactly one e-mail to any given user (or a maximum of one per day).
3) The mailing list in question didn't have a mechanism that would recognize a duplicate message body being sent over and over again and reject duplicate submissions.

I notified the mailing list site with a copy of the offending e-mail explaining what happened and asked them to do what they can to prevent this from happening again. The mailing list owner deleted the duplicate entries from the archives and Guilty Person apologized.
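The two missing controls in points 2 and 3, as an added example (not the list software's or the autoresponder's own code): an autoresponder that answers a given sender at most once per day and stays silent on list or automatic mail, as RFC 3834 recommends, and a list that refuses a body it has already distributed. simulate() replays the storm with and without the guards; all addresses and messages are constructed.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

LIST_ADDR = "list@example.org"  # constructed list address


class AutoResponder:
    """'My address changed' responder; guarded=False reproduces the storm."""
    def __init__(self, old, new, guarded=True, window=86400):
        self.old, self.new, self.guarded, self.window = old, new, guarded, window
        self.last_reply = {}  # sender -> time (seconds) of the last reply

    def reply(self, raw, now):
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if not sender:
            return None
        if self.guarded:
            # RFC 3834: never answer automatic or list traffic; this alone breaks the loop
            auto = (msg.get("Auto-Submitted", "no").lower() != "no"
                    or msg.get("Precedence", "").lower() in ("bulk", "list", "junk")
                    or msg.get("List-Id") or msg.get("List-Post"))
            last = self.last_reply.get(sender)  # fix 2: one reply per sender per day
            if auto or (last is not None and now - last < self.window):
                return None
        self.last_reply[sender] = now
        # Mark the reply as automatic so other responders leave it alone
        return (f"From: {self.old}\r\nTo: {sender}\r\n"
                f"Subject: Re: {msg.get('Subject', '')}\r\n"
                "Auto-Submitted: auto-replied\r\nPrecedence: bulk\r\n\r\n"
                f"Hello,\r\nMy new e-mail address is {self.new}\r\n")


class MailingList:
    """Redistributes posts; dedup=True refuses a body already sent (fix 3)."""
    def __init__(self, dedup=True):
        self.dedup, self.seen, self.sent = dedup, set(), 0

    @staticmethod
    def fingerprint(body):
        # Ignore quoted lines and whitespace differences before hashing
        lines = [l for l in body.splitlines() if not l.startswith(">")]
        text = re.sub(r"\s+", " ", " ".join(lines)).strip().lower()
        return hashlib.sha256(text.encode()).hexdigest()

    def post(self, raw):
        msg = message_from_string(raw)
        fp = self.fingerprint(msg.get_payload())
        if self.dedup and fp in self.seen:
            return None  # same body again: reject instead of redistributing
        self.seen.add(fp)
        self.sent += 1
        # Like many lists, From is rewritten to the list address, which is
        # exactly why the auto-reply goes back to the list and not the poster
        return (f"From: {LIST_ADDR}\r\nTo: {LIST_ADDR}\r\n"
                f"Subject: {msg.get('Subject', '')}\r\nList-Id: <{LIST_ADDR}>\r\n"
                f"Precedence: list\r\n\r\n{msg.get_payload()}")


def simulate(responder, mlist, max_rounds=50):
    """Replay the storm: post, auto-reply to the list, redistribute, repeat.
    Returns how many messages the list sent before stopping or hitting the cap."""
    msg = mlist.post("From: poster@example.com\r\nTo: list@example.org\r\n"
                     "Subject: current discussion topic\r\n\r\nAnyone seen this?\r\n")
    for now in range(max_rounds):
        reply = responder.reply(msg, now) if msg else None
        if reply is None:
            break
        msg = mlist.post(reply)
    return mlist.sent
```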
As reported in last week's NTK digest (http://www.ntk.net), auto-generated banner ads (particularly when appearing in news pages) can generate significant embarrassment. NTK illustrates it at http://www.ntk.net/2001/07/06/dohburn.gif however they are not certain as to its authenticity. At any rate, having a banner ad titled "Burn baby, burn" (a reference to a CD ROM burner) above a story titled, "One toddler dead, another critical after house fire", certainly brings home the point. With mindless automation, the embarrassment possibilities are infinite.
Bowing to a wave of criticism, Microsoft says it will kill plans to include a Smart Tag feature in its forthcoming Windows XP operating system. The feature would have allowed Internet Explorer to turn any word on any Web site into a link to Microsoft's own sites and services, or to a site of Microsoft's choosing. The company continues to defend Smart Tags in principle, and plans to work toward including it in a future version of Windows or Internet Explorer, but group VP Jim Allchin said the decision was made to remove the Smart Tags because "we got way more feedback than we ever expected." Although many people view the public reaction against Smart Tags as excessive, Wall Street Journal columnist Walter Mossberg says, "...Microsoft's dominant Internet Explorer browser is like a television set, or a digital printing press, for the Web. Its function is to render -- accurately and neutrally — all Web pages that follow standard programming... Microsoft has a perfect right to produce and sell its own Web content with its own points of view. But it is just plain wrong for the company to use the browser to seize editorial control and to steal readers from other sites." [*Wall Street Journal*, 28 Jun 2001 http://interactive.wsj.com/archive/retrieve.cgi?id=SB993679289461737795.djm (sub req'd); NewsScan Daily, 28 June 2001]
On 6 June 2001, 12:00, 12:05 and 12:10 were targeted for the siren test in the Netherlands. The sirens are used to warn people if a catastrophe has happened (remember Enschede, fireworks factory), or war has started. In the past, when sirens were still mechanical, these tests occurred once every month (first Monday of the month). Now, everything is computerised, and 'they' have decided to test only once a year. Well, after the test this time, a lot of sirens did not work at all, or some started too late. In Limburg, a province in the south, 6 sirens refused to work, due to a software glitch. In Groningen, in the North, also. Other areas were also 'silent'. Because the new sirens have high-tone 'woops', the sound doesn't travel nearly as far as the old sirens. If one fails, there's little chance of hearing another for people living close to the 'silent' siren. The Risk? Only your life...

Marco Frissen CryptoWorks
One person, one vote? NO. And Florida was not the worst state. According to the Caltech/MIT study, Illinois, South Carolina, Idaho, Wyoming, and Georgia had even higher rates of uncounted ballots. In all, up to 2 million ballots were discarded because of faulty/aged equipment or poorly designed ballots; up to 3 million due to registration foul-ups; up to another million or so because of polling-place screwups; and an unknown number of absentee ballots discarded. http://www.cnn.com/2001/ALLPOLITICS/07/16/voting.problems/index.html And the 15 Jul 2001 issue of *The New York Times* had several articles documenting widespread irregularities in the counting of absentee ballots in Florida.
The US Federal Election Commission (FEC) has made available for public comment an updated version of their Voting Systems Standards (VSS). The original US VSS were published in 1990. They have gone un-revised until now. The draft for the updated "Volume 1: Voting System Performance Standards" is currently available. The draft for the updated "Volume 2: Voting System Test Standards" is scheduled to be released for public comment in late 2001. The FEC press release is at http://www.fec.gov/press/062801nvra.html An overview of the Voting Systems Standards is at http://www.fec.gov/pages/standardsoverview.htm The current draft of VSS Volume 1 is at http://fecweb1.fec.gov/pages/vss/062801vss.html Comments may be submitted to the FEC at firstname.lastname@example.org.
While not disagreeing that fraud in UK Elections has been made easier by easing restrictions on postal votes, things are not as bad as Tony Finch implies. The procedure is as reported - I can phone and ask for as many forms as I wish. But I can't just sit and fill them all in. To obtain a postal vote, it is necessary to be on the electoral register to start with. If you are on the register, then you can fill in one form for a postal vote, and receive your postal vote. In the past, you were expected to vote in person unless there was a good reason not to do so. Now, anyone may obtain a postal vote. The voting papers are then sent to your address for you to fill in and return by post. You are blocked from voting in person. Filling in a second form (for the same voter) does not acquire an extra vote! The system is open to fraud. To get on the electoral register is easy. All there is to do is list the people who live at an address on a particular date and who are eligible to vote. It is presumably easy to add a few names at this stage. It is also not unknown for impostors to vote, especially for dead people. It is extremely rare, however, for an impostor to vote instead of a living person. There is now an extra potential for fraud. In the past, postal votes could only be obtained for one vote at a time. Now it is possible to obtain a postal vote for life, no matter what changes of address occur. I can also assure Tony that many Brits are happy to criticise the US "banana republic election" and don't feel pillocks for doing so. I am happy that (a) my [postal] vote was counted, (b) I was not barred from voting because I lived in a black neighbourhood and/or may have once had a conviction, (c) the voting process and checking of electoral lists is not in the hands of a political party, (d) the judges who rule on the validity of the voting are not appointees of a political party. And, of course, the party with the most votes won the election.

David Hedley
Tony Finch describes the process for getting a postal vote in the UK. His description does not match my experience at all. Yes, I had to phone a number, but I was then sent an *application* form which I had to fill in and return. There was never any opportunity a) for saying how many votes I wanted or b) for getting more vote forms. (I should also add that there was never any opportunity for me to vote either, as the post office managed to take over a week to deliver my application and so I missed the closing date for applications, so I never even got to see a postal vote form.) http://catless.ncl.ac.uk/Lindsay
Nick Laflamme <email@example.com> wrote in comp.risks 21.49:

> WashingtonPost.com, in association with a local real estate agency, has put
> up a database of home sale prices and property tax appraisal values.

I had to check the price for the most famous address in the DC area, 2600 Pennsylvania Ave NW. According to the database, it is owned by the Exxon Corporation, has zero bathrooms and was assessed at US$1.3M. My screenshot of the listing is available here: http://www.swcp.com/~hudson/whitehouse.html The risks are obvious...

firstname.lastname@example.org email@example.com http://www.swcp.com/~hudson/ W 505.986.60.75 KC5RNF @ N5YYF.NM.AMPR.ORG

[NOTE: This item would be interesting were the White House at 2600 instead of 1600 Pennsylvania. Indeed EXXON owns 2600. Your moderator apologizes for letting this one slip by. PGN]
> Anyone compiling programs with MSVC may want to examine the output closely
> for data that shouldn't be there.

Well, it's not really MSVC's fault - it is definitely the operating system's job to make sure that no sensitive data is leaked from one process to another, in any way whatsoever. If MSVC exhibits this behaviour then it could just as easily happen to Word or any other application, and I bet your company sends out far more Office documents than finished executables. You didn't mention what OS or filesystem you were running. If it was Windows 95/98/ME or NT on a FAT filesystem, then it would still be a seriously bad defect, but one I wouldn't be *too* surprised to see existing. If it was NT on an NTFS filesystem, then it is absolutely unforgivable because that's exactly the sort of leak it claims to prevent. And don't forget that even if your OS doesn't leak sensitive information via disk or memory allocations, most compilers *deliberately* leak small amounts of information identifying the build environment - for example gcc puts dummy symbols "gcc2_compiled." in all object files which you have to be careful to strip out if that's important to you. Not that I imagine it's too hard to identify a compiler without such blatant clues.
It's not the compiler's fault, it's the operating system's fault. Application programs should never have a mechanism that lets them look at the contents of unallocated blocks. Actually, it may not even be the operating system's fault. I suspect your "clearspace" program overwrote some blocks the OS thought were already cleared. If they use a "block clearing daemon" to clear unallocated blocks in the background, your program could have caught them after the daemon had passed them by. Still, I can't think of any reason for the OS to actually read cleared blocks off disk. They should hand out a freshly zeroed block of memory and write it to disk later. . . possibly it did do that, then since the compiler never modified those blocks it didn't write them back to disk since they were already clear. A risk of using third-party utilities that modify things without informing the OS?
chi-rho sounds rather like Cairo. I don't follow Microsoft all that closely but wasn't this one of their codenames? [also noted by Craig Cottingham. PGN]
10th USENIX Security Symposium August 13-17, 2001, Washington, D.C. For more information and to register, visit: http://www.usenix.org/events/sec01 REGISTER BY JULY 20, 2001 AND SAVE UP TO $200! The 2001 10th Security Symposium is sponsored by USENIX, the Advanced Computing Systems Association. www.usenix.org