Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Due to the problems we have had in recent history both with manual voting, and the more recent electronic voting systems put into place, it became possible to "pre-vote" here in South Florida - most notably in Miami-Dade and Broward counties. Over the past few days the reported waiting times for "early voters" has steadily risen to today's peak of 2-3 hours. In spite of thousands of people waiting in lines and casting their votes, we apparently have not yet begun the "election." http://www.miami.com/mld/miami/4442229.htm As it turns out, there seem to be no lessons learned, as the same issues that caused problems with electronic voting in the primaries (lack of training, poor facilities, lack of equipment to name a few) are still in force during this early election period. I am wondering if SO many people have already voted now that there will be short lines on election day, or if the problems are going to be magnified by the even larger number of people who still have not voted. The voting manufacture seems to already be covering its tracks by explaining why voters should expect delays and voting times of up to 25 minutes per person. http://www.essvote.com/index.php?section=news_item&news_id=84 I certainly have some concerns regarding the integrity of the voting process and the votes themselves, especially those that are cast during this early voting period. During our primaries, we had episodes of votes tallied for a precinct being greater than the registered voters in that precinct, lower than expected votes (sometimes 0) were recorded for precincts with traditionally good voter turnout and poor accounting of individual voting machines [The Herald Saturday, September 14, 2002]. So now that this process is spread over a period of days, some new risks have been introduced : - retention of information by voting machines (e.g. does machine get accidentally reset from one day to the next) - influence of "early voting" polls have on the voting taking place on the "official" election day - duplicate voting (e.g. person votes on multiple days by registering with different workers) - memory capacity of individual machines (e.g. can votes get overwritten if volume is too high for an individual machine?) - the integrity of the counting votes from individual machines (I don't know whether this is taking place on a daily basis, or must be delayed until the end of election day) - and maybe an even higher than usual number of recounts and finger pointing which can be based on this unusual early voting practice, which will then expose further problems when results are overturned, etc. Charles P. Schultz, North Miami Beach, FL
Many contributors have pointed out the extremes of election counting requirements, from the British "1 or 2 contests per ballot, count by hand" from the US "Many contests per ballot, count electronically". This is a thread that could run and run but we can draw the various conclusions together and define the simple requirements for a good voting system. 1. A hand count, with observers from the contesting parties present, is the safest and fairest way to count ballots, especially close, or suspect ballots. 2. Where a simple, accurate, electronic system can be used, then it may be but is MUST be possible to back this up with a hand count, using the original ballot papers, in the event of any irregularities or concerns from the candidates or voters. 3. The method of indicating a choice on a ballot should be simple and the results immediately visible to, and correctable by, the voter. The voter indicating "OK", whether by depositing the ballot in a box or pressing a leaver or whatever, should have NO affect on the voting slip - for example this is NOT the time to punch out the holes indicating the selections because the act of punching could fail leaving the voter with no indication of their spoiled or incorrect vote. Note that I have deliberately not commented on the risks of voting for many contest (did somebody mention 45!) in one ballot. This is a matter for the residents of the ballot area to consider — do they want to vote at this degree of choice or are they happy to delegate to a representative? [The answers may well be No! and No! in many cases. PGN] I believe that pretty much covers the ideal voting system. All flaws in existing systems result because the system fails to address one or more of the three criteria above.
A friend of mine has a dual-boot PC running Windows 98 and Windows 2000. Last week, it was booted into Windows 98 when the daylight savings time changeover occurred. Windows 98 was smart enough to automatically adjust the clock back an hour. However, when he rebooted into Windows 2000, it adjusted the clock back a second hour. This could lead to many problems if not caught, including alarms going off at the wrong time, scheduled tasks running at inconvenient hours, incorrect email headers and much more destructive behaviour if used in a mission-critical situation.
Discovered today that a misbehaving program was due to a strange behaviour in Windows. (Can't find any reference to this on comp.risks.) When the computer clock changes due to Daylight Saving Time (we gained an hour a week ago in the UK), Windows also changes the time stamp of all its files by an hour. This came to light when synchronising files between a Unix webserver and a Windows copy of the website, using Dreamweaver. Microsoft discusses this behaviour in its Knowledge Base at http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q129574& but apparently sees nothing wrong in providing a time stamp that changes. One query: When Samba is used to make Unix files look like Windows ones, does it fiddle the time stamp to emulate this bizarre behaviour? Risks: On networks that mix Unix and Windows, this problem might screw up any utility that relies on timestamps such as incremental backups and source code control systems.
Court staffers didn't realize that the ruling placed on their servers became public knowledge two hours early — even though it wasn't posted on their Web site. [Source: Patick Gray, *ZDNet Australia*, 4 Nov 2002; PGN-ed] http://zdnet.com.com/2100-1104-964415.html [Interesting competition of ideas: They want to put the file on the Web so that people will find it, but they think it will be safe until they release it if they put it on the Web because no one will be able to find it. Keith] [The judgment went up at 2:40pm EST Friday, prior to its intended release time of 4:30pm EST. The URL was fairly obvious, and the directory was freely browsable. PGN]
Georgetown Law Center lets students use their laptops on exams, IFF they have installed a package called "SofTest" from ExamSoft. It blocks other uses of the laptop, but allows the exam to be taken on it. Or so it sez.. Known problems include: * Only works on WinDoze systems; forget that Ti OSX PB, or any Linux laptop. * Requires the laptop have a floppy drive * Sometimes fails during exams. But with so many unemployed nerds headed back to grad schools, it's easy to imagine OTHER problems. What about VMware? What about a determined programmer who decides hacking code is easier than grok-ing Feist vs. Rural Telephone? Suppose she writes a Examsoft-specific virus that stay dormant until the middle of the exam....then bombs all the OTHER machines in the class. And most of all, who watches the watcher? Is this an indirect way to get more attorneys who can code?
A glitch in vendor software erroneously caused some University of Wisconsin-La Crosse room/board/tuition payments to be listed as charges from Taco Bell on credit-card statements. [Source: AP item, 10 Oct 2002; PGN-ed] http://dailynews.yahoo.com/news?tmpl=story2&u=/ap/20021010/ap_on_fe_st/_3
The Fast Lanes (like EZPass lanes) are not always in the same configuration in Massachusetts, sometimes on one side, sometimes in the middle, sometimes combined with exact-change lanes, sometimes right between two exact-change lanes. This seems to be resulting in long lines where they could be avoided by a more sensible layouts. "This results in vehicles switching lanes via the Fast Lane/exact change lane like crazed motorized salmon running upstream." [Source: Mac Daniel, *The Boston Globe*, 3 Nov 2002; PGN-ed] http://www.boston.com/dailyglobe2/307/metro/Pike_commuters_play_Where_s_the_Fast_Lane_+.shtml
[It seems that the old Nigerian scam is becoming more hi-tech (although Web site spoofing and e-mail scams are hardly news in RISKS). CL] As revealed by BBC Radio5Live, West African spam scammers used an unclaimed Web domain of a British bank's online service that looked genuine. and found still more gullible people. The UK National Criminal Intelligence Service notes that at least two Canadians had lost more than $100,000 after being gulled by the fake Web site. In response to letters, e-mail, and now Web sites (one has been shut down), this type of scam somehow continues to be profitable for the scammers. [Greed? Stupidity? ...] "One of the first companies to fall victim to website spoofing was net payment service Paypal. Con-men set up a fake site and asked people to visit and re-enter their account and credit-card details because Paypal had lost the information. The Web site link included in the e-mail looked legitimate but in fact directed people to a fake domain that gathered details for the con-men's personal use." [Source: BBC News Website; PGN-ed] http://news.bbc.co.uk/1/hi/technology/2308887.stm
On 30 Oct 2002, the General Accounting Office issued a report "Information Management: Selected Agencies' Handling Of Personal Information" finding that the Departments of Agriculture, Education, Labor, and State generally adhere to government privacy laws. "The report found that agencies' handling of information varies and that a wide range of government personnel have access to the information, but by and large, the agencies follow current privacy laws." (Information considered included names, phone numbers, addresses, SSNs, financial and legal data, and demographic information, provided for a specific purpose such as to receive benefits, obtain services or loans, or participate in a specific federal program.) [Source: Eric Chabrow, *InformationWeek*, 30 Oct 2002; PGN-ed] http://news.lycos.com/news/story.asp?section=Politics&storyId=556059 [RISKS always seeks positive items that do not represent horrible cases involving security, privacy, reliability, safety, survivability, financial losses, etc. It is always startling how few really constructive cases there are. On the other hand, the GAO report clearly does not imply that there are no potential problems in those four departments. PGN]
BKETHISS.RVW 20020831 "Ethical Issues of Information Systems", Ali Salehnia, 2002, 1-931777-15-2 %E Ali Salehnia %C 1331 E. Chocolate Ave., Hershey, PA 17033-1117 %D 2002 %G 1-931777-15-2 %I IRM Press/Idea Group %O U$ 800-345-432 717-533-8845 fax: 717-533-8661 email@example.com %P 301 p. %T "Ethical Issues of Information Systems" As with any collection of essays, there isn't much of a common thread between the pieces. However, in this case, there isn't even an attempt to set up a structure, or group the papers into subjects. In chapter one, Internet privacy is very poorly defined, and then we are told that an opinion poll and an unqualified panel have decided that there are five primary privacy concerns. Chapter two points out that some companies might not benefit from establishing their own global information network. There are some brief thoughts on uniform contract codes and jurisdiction in chapter three. A poorly documented study, in chapter four, indicates that neural nets do better than random chance at predicting moral attitudes from sets of disjoint questions. A study in chapter five finds that when you ask people ethical questions, and then ask why they decided the way they did, morals are a strong factor. Chapter six is much more detailed than most of the other papers, and uses stories of the automation of stock markets in China, Russia, and Chile to point out benefits and problems with electronic auction systems. Poor people, and countries, have less technology with which to advance themselves, we are told in chapter seven. Chapter eight points out that we should do a proper risk management analysis if we are relying on e-commerce. After careful study and analysis, chapter nine finds (from self-reports) that people who have more opportunities to pirate software are more inclined to think that the practice is OK. Chapter ten tells us that there are problems with the quality of software. There is a brief, but not bad, introduction to information warfare in chapter eleven. Chapter twelve is a fictional "conversation" on the ethics of teachers and researchers. People who copy or pirate software tend to think that it is OK to hurt a big guy (a corporation) because hurting a big guy helps the little guy (individual), we are told in chapter thirteen. Chapter fourteen asserts the need for public policy in relation to e-commerce. Soren Kierkegaard theorized that remote information keeps people from forming local relationships, and chapter fifteen relates this to the Internet. There are some interesting stories in chapter sixteen about competitive intelligence or industrial espionage. The examination of the ethics of outsourcing, in chapter seventeen, is actually more about fraud. Chapter eighteen looks at the Nietzschean concept of authenticity; that moral choices need to come from within the individual; but does not examine the problems that have been analyzed in regard to the very similar concepts involved in Kohlberg's level six of ethical development. A variety of views of ethics are listed in chapter nineteen. A compilation of the arguments for and against the Australian Internet censorship bill is given in chapter twenty. Chapter twenty tells us that a couple of researchers asked for an opinion survey on whether or not using genetic tests for finding genetic diseases was ethical. Aside from the lack of structure and depth, this book has a number of problems. Some are technical: the proofreading is a definite problem, with famous names being spelled incorrectly and punctuation appearing in bizarre places. As demonstrated by the bibliographies attached to each paper, the authors are attempting to deal with issues involving technology without having read standard technical references. (An additional bothersome point is that all of these papers seem to have been collected from a very limited pool of resources: all have appeared in Idea Group books or periodicals.) While the individual papers may raise some issues that might be interesting for discussion, ultimately the book does not contribute to the computer ethics debate. Pretty much everything in the book is either glaringly obvious, or has been discussed to death in other works. copyright Robert M. Slade, 2002 BKETHISS.RVW 20020831 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKCMSCHB.RVW 20020911 "Computer Security Handbook", 2002, Seymour Bosworth/M. E. Kabay, 0-471-41258-9 %E Seymour Bosworth firstname.lastname@example.org %E M. E. Kabay email@example.com %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2002 %G 0-471-41258-9 %I John Wiley & Sons, Inc. %O U$75.00 416-236-4433 fax: 416-236-4448 %P 1224 p. %T "Computer Security Handbook, Fourth Edition" There are many recognizable (and a lot more not so recognizable) names in the list of contributors. Authors such as Rebecca Bace, Donn Parker, and William Stallings stand out as people who have something worth saying, and can say it well. Other names are associated with less worthy works. Chapter one states that the purpose of the handbook is to describe information system security risks, the measures for mitigating those risks, and the techniques for managing security risks. In a sense, it does that, but risk management is not the whole of computer security. Even if the title of the book were to confine itself to risk management, one would still have to say that, overall, there are other works that cover the field more completely, with less wasted verbiage. There has been an attempt to remove the limiting of previous editions to topics relevant to "big iron." However, new technologies still seem to get short shrift. Part one looks at foundations of computer security, with papers examining the history and mission of security (actually just history of computers), law and computer forensics (random collection of legal issues, almost nothing on forensics), common language for computer incident information (proposal with no proof that it will either cover all incidents or assist with dealing with incidents), surveys of computer crime (lots of material on how studies should be conducted, and uncritical reports of some studies), and new framework for security (Donn Parker says we are missing pieces of security). Threats and vulnerabilities are reviewed in part two, including essays on the psychology of computer criminals (mostly good but some questionable observations and theories about black hats), information warfare (information systems can be attacked--surprise!), penetrating systems and networks (there are different ways to get unauthorized access), malicious code (traditional models and some recent examples of viruses), mobile code (some aspects of ActiveX and scripting), denial of service attacks (reasonable overview of various types--and some unrelated exploits), intellectual property (random legislation and thoughts), e-commerce vulnerabilities (various weaknesses), and physical threats (generic disaster recovery). Part three covers preventive technical defenses, containing topics such as protecting information infrastructure (generic security, mostly physical), identification and authentication (brief introduction), operating system security (good introduction to access control), local area networks (random thoughts), e-commerce safeguards (legal protections and vague ideas), firewalls (confused grab bag), protecting Internet systems (basic concepts), protecting web sites (broad but not deep), public key infrastructure (basic components, but no more), antivirus technology (simplistic look at scanning), software development (simplistic look at the software development life cycle), and piracy (piracy is going on and we have to find some way to stop it). Human factors, in part four, looks at standards for security products (verbose description of the Common Criteria components), security policy guidelines (miscellaneous related documents), security awareness (do interesting seminars), ethics (vague), employment policies (grab bag), operations security (and another), Internet use policies (yet again), working with law enforcement (generic and poorly structured), social psychology (redoing the security awareness article with extra psychological jargon), and auditing computer security (a checklist). Part five's look at detection is brief, with intrusion detection (excellent introduction), monitoring (you should log stuff), and application controls (database integrity). Remediation reviews computer emergency response teams (generic), backups (pedestrian), business continuity planning (have a plan), disaster recovery (repeat previous), and insurance (get some) in part six. Part seven examines management's role, including management responsibilities (you could be liable), developing policies (generic), risk assessment (assess risks), and Y2K (management is now onside-- yeah, right). Other considerations, such as medical records (good introduction and discussion of the issues), using encryption internationally (laws differ), censorship (random thoughts), privacy (various laws), anonymity (psychological ponderings), and the future (various thoughts) make up part eight. There is useful material in the work, but it is difficult to abstract the good from the mundane unless you are already quite expert in the field. The newcomer would be advised to get some basic training or reading before attempting to deal with this work, but the expert will be able to find some useful nuggets. copyright Robert M. Slade, 2001, 2002 BKCMSCHB.RVW 20020911 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
5th Smart Card Research and Advanced Application Conference San Jose, CA, 21-22 Nov 2002 http://www.usenix.org/events/cardis02/ Keynote speaker Vincent Cordonnier, LIFL; 14 refereed papers; panel discussions; Work-In-Progress reports as well as ample opportunities to informally interact with fellow attendees and speakers. Unlike events devoted to commercial and application aspects of smart cards, the CARDIS conferences bring together researchers who are active in all aspects of the design, validation, and application of smart cards. The breadth of smart card research stimulates a synergy among disparate research communities, making CARDIS an ideal opportunity to explore and learn from the latest research advances. Peter Honeyman, CITI, University of Michigan CARDIS '02 Program Chair Alex Walker, Production Editor, USENIX Association 2560 Ninth Street, Suite 215, Berkeley, CA 94710 1-510/528-8649 x33
FM 2003: the 12th International FME Symposium Pisa, Italy -September 8-14, 2003 Papers must be submitted electronically by 7 Mar 2003. http://fme03.isti.cnr.it/fme-cfp.htm FM 2003 is the twelfth in a series of symposia organized by Formal Methods Europe, an independent association whose aim is to stimulate the use of, and research on, formal methods for software development. These symposia have been notably successful in bringing together a community of users, researchers, and developers of precise mathematical methods for software development as well as industrial users. Formal methods have been controversial throughout their history, and the realisation of their full potential remains, in the eyes of many practitioners, merely a promise. Have they been successful in industry? If so, under which conditions? Has any progress been made in dispelling the scepticism that surrounds them? Are they worth the effort? Which aspects of formal methods have become so well established in industrial practice that they have lost the "formal method" label in the meanwhile? FM 2003 aims to answer these questions, by seeking contributions not only from the Formal Method community but also from outsiders and even from skeptical people who are most welcome to explain, document, and motivate the source of their reluctance. We are confident that a wide spectrum of experiences and a loyal contrasting of opinions will foster a better and deeper understanding, if not a wider adoption of Formal Methods. Far from restricting the focus of the conference, however, FM 2003 also welcomes papers with strong theoretical content that establish a connection with the practice of formal methods. [PGN-ed] Dott. Diego Latella, Consiglio Nazionale delle Ricerche Area della Ricerca di Pisa - Ist. di Scienze e Tecnologia dell'Informazione - ISTI Via G. Moruzzi, 1 - I56124 Pisa, ITALY phone: +39 0503152982 or +39 348 8283101 fax: +39 0503138091 or +39 0503138092 email: Diego.Latella@cnuce.cnr.it http://www.cnuce.pi.cnr.it/people/D.Latella
Please report problems with the web pages to the maintainer