Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The article "What are the real risks of cyberterrorism?" http://zdnet.com.com/2100-1105-955293.html plays down risks from hostile access through Internet connections. The conclusions seem to be based on a recent study by the Gartner Group and the US Navy War College. This study, however, is not referenced or included. Some statements from people apparently interviewed by the article's author or perhaps were part of the Gartner/Navy study seem like something right out of the RISKS archives: Ellen Vancko, a representative for the North American Electric Reliability Council, said such access [direct access by Internet or modem] should not always be considered unsafe. "All the electric companies are connected to the Web in one way or another," she said. "But that doesn't mean our control systems are hooked up to the public Net." I'd like to hear what other RISKS readers think of the real risks of "cyberterrorism" and poorly-protected supervisory control and data acquisition (SCADA) devices. [The report of the Clinton Administration's President's Commission on Critical Infrastructure Protection (The Marsh Commission) (RISKS-18.89, RISKS-19.43, RISKS-19.61) clearly indicated that essentially all of the critical infrastructures had serious potential vulnerabilities. PGN]
*Palm Beach Post*, 23 Aug 2002 (via Romensko's Obscure Room) http://www.gopbi.com/partners/pbpost/epaper/editions/friday/news_d3568ba0e56222b00057.html With the flick of the wrong switch, an unsupervised power-plant apprentice melted down a half-million-dollar transformer, blacking out the city for 40 minutes. Apparently, Coady [the apprentice] failed to follow procedures. Two circuit breakers — called the east and west buses — must be flipped in a particular order to avoid damaging equipment: the west bus first, then the east bus. The procedure was written for an important reason — because the west bus turns on the cooling system for the transformer. The switches are in separate rooms. Coady said he closed the east switch before Stephenson [the supervisor] closed the west one. They couldn't see each other when the [switches were closed and the] damage was done. The result was disastrous. "It was literally an explosion inside the transformer," Lake Worth Utilities Director Miller said. "The internal parts of the transformer reached such high temperatures that even the insulation inside the transformer was burned." Stephenson said Coady had no clue what had happened. "He was completely unaware," Stephenson wrote in a memo to Baker. "With his lack of knowledge of the plant electrical controls, it was not even possible to explain to him what he did. He would not have understood. His training did not include these advanced concepts." // Comment: Giant circuit breakers have to be flipped in a certain order blindly in different rooms? This was an accident waiting to happen. It is scary that systems like this can exist. Note that the poor trainee was blamed, of course, for not understanding the 'advanced concepts'.
This is a Rube Goldberg sort of story: Man damages cruiser. Police use pepper spray, restraints, place him in a cell. He jumps up and hits the cell light and microphone, destroying the light, tripping a circuit breaker, causing the dispatch room lights to go out and messing up the phone systems -- which still were not working properly the next day. [Source: Stacey Hart and Michael Wyner, *Sudbury Town Crier* (Massachusetts), 24 Jul 2002; heavily PGN-ed] http://www.townonline.com/metrowest/sudbury/38116472.htm
Canal Plus (a maker of smart cards) alleges a rival firm (NDS Group, a competing company largely owned by Rupert Murdoch's News Corp) broke its secret code, then gave it to counterfeiters. (In Italy, for example, 75% of premium-channel viewers are reportedly freeloaders using bogus cards.) Canal Plus is suing for a billion dollars in damages. NDS denies the charges, attributing the suit to "an attempt by an inept competitor to shift the blame for its incompetence." This situation has also played a role in the downfall of Vivendi's Jean-Marie Messier and the auctioning off of Vivendi's Italian satellite system — purchased by News Corp. "The case marks the biggest and most sensational accusation yet of corporate cybercrime, a shadowy, unsavory and increasingly popular activity." [Source: A very long and interesting article by David Streitfeld, *Los Angeles Times*, Column One, 29 Aug 2002; PGN-ed] Streitfeld's article also notes that "Seven years ago, Cadence Design Systems, a maker of design software for integrated circuits, sued Avant Corp., claiming it had stolen its programs. A subsequent criminal case, brought by a determined San Jose prosecutor, led to verdicts last year against seven current and former Avant employees, including the chief executive and three founders. Five received jail sentences." Also, "In 1999, Internet bookseller Alibris paid $250,000 to resolve federal charges that it had unlawfully intercepted thousands of e-mail messages to its customers from online bookseller Amazon.com."
Europe's strict approach to consumer data protection is forcing many U.S.-based companies to follow suit in order to continue serving their European customers. "Europeans are extremely concerned about the use of data about people," says Rockwell Schnabel, the U.S. ambassador to the European Union. "The data privacy issue is a huge issue over there. American partners have to live with those rules, and they can't do with it what they can with American data." A case in point is Microsoft's Passport online ID service that enables users to log in once and then move from one secure Web site to another. Consumer and privacy groups had accused Microsoft of not taking adequate steps to protect consumers' personal information and in a settlement earlier this month, Microsoft admitted no wrongdoing, but agreed to government oversight of its consumer privacy policies for the next 20 years. A separate Passport investigation by the EU is still pending. "The EU directive raised the bar on the practices by U.S. companies for U.S. consumers," says Marc Rotenberg, head of the Electronic Privacy Information Center. "Passport is a good example of that, because Microsoft is very much aware that its products are going to have to meet EU privacy standards." EU standards specify that data may be collected only for "specified, explicit and legitimate purposes, and to be held only if it is relevant, accurate and up to date." Citizens may access any data about themselves, find out its source, correct inaccuracies, and pursue legal recourse for misuse. [*San Jose Mercury News*, 29 Aug 2002; NewsScan Daily, 30 August 2002] http://www.siliconvalley.com/mld/siliconvalley/news/local/3966648.htm
Monty Solomon (RISKS-22.21) drew our attention to the use of recorded information in airbag triggers for crash investigation. Notwithstanding the likelihood that extraction of such measurements doesn't constitute a legal measurement(*), such information extracted must be treated with extreme distrust because the operating environment is not trusted and has many potential modes of unpredictable and unforeseen behaviour. The recording device isn't measuring road speed at all; rather, it relies not only on its own sensors, but also on information provided by other subsystems in the car. Road speed is most easily (cheaply) obtained by measuring the rate of revolutions of the final drive gearing in the transmission. That speed depends on the speed of rotation of the driving wheels and not the road speed. One example where the indicated speed is nothing like the true road speed is when one or more drive wheels becomes airborne. Depending on the current driver demand and engine torque, a wide-open-throttle condition results in a very rapid acceleration of the airborne drive wheels, producing a "speed" as high as will be permitted by the engine management system. How much data are stored is another question. If the recording is only of a second or less of the end to a crash, then it's difficult to establish the sanity of individual data points. The records may be accurate, but how can you be sure that they reflect what happened in reality? (*) e.g. http://www.nsc.gov.au/PAGES/Nms/nms_metrology.html Bernd Felsche - Innovative Reckoning, Perth, Western Australia
A decision by federal election regulators to exempt text-based wireless ads from campaign disclosure rules has critics warning that consumers could find their mobile phones subject to a flood of political spam as campaign 2002 kicks into high gear. http://www.washingtonpost.com/wp-dyn/articles/A49356-2002Aug22.html
By Brian McWilliams, Wired.com, 28 Aug 2002 Ziff-Davis Media has agreed to revamp its Web site's security and pay affected customers $500 each after lax security exposed the personal data of thousands of subscribers last year. The settlement, announced on 28 Aug 2002 by New York's Attorney General, could spur other online companies to do a better job securing their sites ... http://www.wired.com/news/business/0,1367,54817,00.html
The US Transportation Security Administration is developing a mandatory identification card for every trucker, dock worker, airport employee, and mass-transit operator in the nation with access to secure corners of the country's transportation network. ... if implemented, it would be the first broad national identity-card system and could involve hundreds of thousands of people. [Source: Raphael Lewis, *The Boston Globe*, 24 Aug 2002; PGN-excerpted] http://www.boston.com/dailyglobe2/236/nation/Transport_worker_ID_in_works+.shtml
Reduced Vertical Separation Minima (RVSM) is a procedure by which the altitude separation between Flight Levels 290 and 410 (that is, between 29,000 ft pressure altitude and 41,000 ft pressure altitude) is reduced to 1,000 ft vertically instead of the previous 2,000 ft vertically. It has been in force in European airspace since early 2002, after trial periods since 1997 on the North Atlantic Track (NAT) and early introduction in Ireland, the UK, Germany and Austria, which was, however, not based on the procedures for the full EUR-RVSM implementation. However, the argument in the Pre-Implementation Safety Case for RVSM demonstrates at most that RVSM operations without ACAS meet Target Levels of Safety /TLS). It does not demonstrate that RVSM operations with ACAS-equipped aircraft meet Target Levels of Safety; neither can a correct argument for this assertion be reconstructed from the document. The document believes it derives the assertion that RVSM-with-ACAS-meets-TLS from the assertion that RVSM-without-ACAS-meets-TLS, but the reasoning is flawed and, as far as I can see, irreparable. Since most aircraft operating in RVSM are required to be ACAS-equipped, the safety case does therefore not establish the required safety level of RVSM operations as they are currently conducted and for the foreseeable future. The reasoning demonstrating the flaw is contained in the short note "The Pre-Implementation Safety Case for RVSM in European Airspace is Flawed", RVS-Occ-02-03, available from http://www.rvs.uni-bielefeld.de Peter B. Ladkin, University of Bielefeld, http://www.rvs.uni-bielefeld.de
In a note which, inter alia, extols the merits of Probabilistic Risk Assessment (PRA) for assessing risks, Stephen Fairfax claims in RISKS-22.21 that: Guns in the cockpit represent an independent layer that does not automatically fail when screens fail. While there is heated debate about the possibilities of negative consequences, a dispassionate analysis of the probabilities of both success and failure offers rather overwhelming evidence that on balance, armed pilots will reduce both the likelihood and consequences of hijacking attempts. He claims to be able to assess the probabilities of success and failure (of what, he does not say). I think his assertion is bogus. But it takes advantage of what one might call sound-bite rhetoric. It takes one sentence to assert, but one page to refute, and many people don't have the patience or interest to read that page. Here it is, for those who do. A PRA works well with physical components. You have a thingummie which is supposed to do thisandthat. You make lots of them, put them on a test apparatus which makes them do thisandthat continuously, and assess a failure rate using well-founded statistical techniques. A physical system has lots of components; lots of different thingummies, so you arrange the failures and their consequences in a taxomony, plug in the failure rates you have, and do straightforward computations to assess the rates of different kinds of failures of the entire system. This system has worked well for half a century, mainly in the guise of Fault Tree Analysis, and is routine for many applications. Applying it to components that do not fail that way is rather more tricky. Software, for example. The assessment of SW reliability is a whole branch of statistical methods to itself. It is anything but routine: some very clever people have become famous through their ability to make it sort of work, sometimes. Then there is PRA applied to human negotiations. People interacting with each other. Dealing with hijacking is an almost pure negotiation situation. It is not like HW or SW assessment. PRA can be and is performed on negotiation situations, but one requires reliable data, as in the HW case. If you don't have data, whether for hardware, software or wetware, a PRA cannot work. And reliable data for human negotiation situations is very sensitive to environmental variables, many of which one cannot see (it is notoriously difficult to control for cultural dependencies, for example), let alone that infamous variable known to believers in it as free will. On hijackings in the US, there is no data, none, for the last, oh, thirty years until September 11 last year. The only way that Fairfax could gather data for any of his proposed models would be by simulation, or by patching together data from fragments of behavior inferred from other situations that someone considers relevantly similar. There is no data, for example, on facility of deployment of a firearm by cockpit crew. That includes the decision to deploy, not just the physical deployment. Second, deployment of a firearm changes the negotiating situation. There is no data on how this negotiating situation will be changed in a commercial airplane. One has to guess: will it be more like a hostage-taking situation, or more like a military firefight amongst civilians? Until September 11, 2001, the assumption was that it is a hostage situation and pilots were advised accordingly. Opinions have since changed. I emphasise the word "opinions". Those four examples constitute meagre data, as those warning us against "responding by preparing to fight the previous war" have pointed out. No data, though? Surely El Al's been doing it for years, one might think, and they haven't been hijacked. Exactly: there is no data. No data is not data. One could infer that if one takes over the whole El Al prophylactic package, including the cultural norms and expectations of most of its passengers, maybe one would not have big hijacking problems either, but that proposal is not what is being evaluated. Whatever the El Al example might tell us, it does not tell us anything *probabilistically* about the US domestic consequences of deploying firearms as cockpit equipment, so it's not input to a valid PRA on that issue. To summarise, I am not aware of any data on which to base a PRA concerning the deployment of firearms in US domestic airline cockpits that is not open to strong objections to its relevance to the situation. The most worrisome aspect of Fairfax's assertion may be that it is made by a presumed expert in PRA. That is the kind of phenomenon that has led and continues to lead this enormously powerful, essential, but sensitive set of techniques into disrepute. Fairfax is undoubtedly aware that not even the National Academy of Sciences, nor the Royal Society in Britain, recommends exclusive use of PRA methods as decision procedures for environmental or social policy issues, although they used to until the early 1990's. Whatever the wisdom or otherwise of deploying firearms on commercial aircraft, the issue should not be determined by arguments with bogus claims to objectivity. Peter B. Ladkin, University of Bielefeld, http://www.rvs.uni-bielefeld.de
Cell phone users in Japan have already had to contend with spam and technical glitches, but that may seem like a breeze when hackers finally turn their attention to the wireless world. So far, no serious virus attacks have been reported in Japan--or anywhere else--but tech security companies say cell phones could become targets as they turn into sophisticated, high-tech devices like PCs, allowing people to send e-mail, surf the Internet and shop online. [...] [Source: Reuters, 26 Aug 2002] http://news.com.com/2100-1033-955294.html
On 22 Aug 2002, Microsoft announced that "critical" security lapses in its Office software and Internet Explorer Web browser put tens of millions of users at risk of having their files read and altered by online attackers. Using e-mail or a Web page, an attacker could use Internet related parts of Office to run programs, alter data, and wipe out a hard drive, as well as view file and clipboard contents on a user's system. ... [Reuters, 22 Aug 2002; PGN-ed] http://news.com.com/2100-1001-954973.html
Software security widely used for Internet banking and e-commerce can be easily circumvented, and customer accounts at several of Sweden's largest banks remain at risk as a result, a computer expert said on 26 Aug 2002. The Swedish hacking expert, who is well known in computer security circles, but asked not to be named, demonstrated to Reuters how it was possible within minutes to break through security on Web server SSL software from Microsoft Corp. He showed how to crack the security systems for Internet banking, breaking into three of Sweden's big four banks in quick succession. He was then able to show how to conceal his tracks, making detection difficult afterward. [Source: Peter Andersson, Reuters, 26 Aug 2002; PGN-ed] http://finance.lycos.com/home/news/story.asp?story=28447602
I'm a former spamcop user. I've switched to a tool called bogofilter (http://www.tuxedo.org/~esr/bogofilter/) which is based on Bayesian statistics and an article "A Plan for Spam" by Paul Graham (http://www.paulgraham.com/spam.html) the full article presents an interesting discussion of why keyword filters and block lists don't really work and suggests a better way based on real math (rather than hunches and suppositions). For me the statistical approach doing better than spamcop and razor ever did particularly with respect to false positives.
> ... The ISP was intimidated by SpamCop and seemed to be trying to show > that it was responsive to SpamCop complaints. Hence the quick shutoff of > my account. Your ISP did not respond appropriately to Spamcop. They did not even follow the directions. The ISP is required to address the issue, not shut down the site. Shut down the site is one way of addressing the issue, and is only appropriate if actual spamming occurred. > ... This refusal to reinstate my account is what convinced me that the ISP > was afraid of SpamCop. Sounds like a really bad ISP. > ... For me, the bottom line is this: if SpamCop didn't exist, my site > would not have been shut off. Near as I can tell from your response, "Blame the ISP, not SpamCop" still holds. So change hosting companies; it's not like there's a shortage of them. SpamCop is an immune response to invaders (spam). Like immune responses, it can be inconvenient at times. But SpamCop is not nearly so draconian as you make out: the draconian effects are all in your ISP's head. Tell us who the ISP is. They are far more to blame for this than SpamCop, and so far they've got off scot-free. Traceroute seems to indicate it is "netrail.net" but they do not have a responsive web site. Crispin Cowan, Ph.D., Chief Scientist, WireX http://wirex.com/~crispin/ Security Hardened Linux Distribution: http://immunix.org
Jay Ashworth (RISKS-22.13) reflects a commonly repeated misunderstanding of the Skywalker case, Campbell v. Acuff-Rose Music, 510 U.S. 569 (1994), as though it held that parody is not an infringement. The case held no such thing. The core holding of the opinion is that the lower court had made a mistake by presuming that, because the Campbell parody was a commercial work, its use of the original was presumptively not a fair use and therefore infringing. It then sent the case back down to the lower courts for further consideration in light of the market effect factor. The Court specifically rejected the argument that parody is inherently a non-infringing fair use. It said that parodies, like any other work, have to be judged on a case by case basis: Like a book review quoting the copyrighted material criticized, parody may or may not be fair use, and petitioner's suggestion that any parodic use is presumptively fair has no more justification in law or fact than the equally hopeful claim that any use for news reporting should be presumed fair, see [Harper & Row Publishers, Inc. v. Nation Enterprises, 471 U.S. 539, 561 (1985)]. The [Copyright] Act has no hint of an evidentiary preference for parodists over their victims, and no workable presumption for parody could take account of the fact that parody often shades into satire when society is lampooned through its creative artifacts, or that a work may contain both parodic and non parodic elements. Accordingly, parody, like any other use, has to work its way through the relevant [fair use] factors, and be judged case by case, in light of the ends of the copyright law. http://supct.law.cornell.edu/supct/html/92-1292.ZO.html Terry Carroll, Santa Clara, CA email@example.com
If such law will be passed, I expect RIAA and/or MPPA will start (maybe slowly but definitely) global cyberwar consisting of: a) many cracking attacks b) many DoS and DDoS attacks c) deployment of blocking mechanisms similar to those targeting SPAM ... and also leading to: a) many lawsuits (international too) b) demonstrations c) trade blockades and a lot of other consequences - maybe also full scale war (jumping point may be for example computerized war ship - it may answer electronic attack with real rockets - but possibilities are almost endless).
Please report problems with the web pages to the maintainer