Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
According to *Flight International*, 2-8 December 2003, p34, the U.S. FAA "has warned operators of Chelton Flight Systems FlightLogic [electronic flight information system] EFIS avionics that the equipment can provide misleading guidance under certain circumstances." The system is used on many aircraft in Alaska operating under Phase 2 of the FAA's general aviation Capstone program, which uses GPS to provide flight guidance and to track aircraft in flight. Apparently, the system indicates a uniform rate of climb of 300 ft/min for guidance in departure procedures, but some departure procedures require a higher climb rate for obstacle avoidance.
On 2 December, 2003, the U.S. National Transportation Safety Board issued Recommendations A-03-55 and A-03-56. The short document may be read at www.ntsb.gov/Recs/letters/2003/A03_55_56.pdf "On January 23, 2003, a Singapore Airlines (SIA) Boeing 747-400 experienced a complete loss of information on all six integrated display units (IDU) on the flight deck instrument panels while in cruise flight from Singapore to Sydney, Australia. The pilots flew the airplane for 45 minutes using standby flight instruments while they communicated with SIA maintenance personnel about the problem. SIA maintenance personnel advised the flight crew to pull out then push back in (or cycle) the circuit breakers for the EFIS/EICAS interface units (EIU), which returned the IDUs to normal operation. The flight continued to Sydney and landed without further incident." "A similar event occurred on another SIA B747-400 on November 6, 2001 ..." while on a Sydney to Singapore flight, during an emergency descent because of an cabin pressure warning. Maintenance personnel recycled the EIU circuit breakers on the ground and restored the IDUs to normal operation. "The six IDUs ... include the captain's Primary Flight Display (PFD) and Navigation Display (ND), the first officer's PFD and ND, and the main and auxiliary engine indicating and crew alerting system (EICAS) displays. The PFD and ND displays [sic] provide the pilots with attitude, altitude, airspeed, heading, and rate of climb and descent information. The EICAS displays provide the flight crew with the airplane's engine indicating information and annunciate advisories, cautions and warnings. Without these displays, the flight crew is required to use standby flight instruments, which consist of an altimeter, airspeed indicator, and artificial horizon/attitude indicator; the Boeing B747-400 does not have standby engine instruments. The loss of the IDUs would also eliminate the flight crew's access to data from the traffic alert and collision avoidance system, enhanced ground proximity warning system, and weather radar." The EIUs are apparently responsible for data display on all six IDUs and preliminary investigation has indicated that all six IDUs blanked because all three EIUs stopped transmitting data. The EIUs are identical devices; the architecture is triple-redundant. The cause of this loss of data has not been determined, and no countermeasures have yet been identified that could inhibit the loss of all six IDUs again. Boeing recommended cycling the EIU circuit breakers in such an event, and the NTSB recommended that this procedure be included in the quick-reference handbook used by the flight crew to access procedures in an emergency. The NTSB letter was also reported in *Flight International*, 9-15 December 2003, p13; and by Frances Fiorino on p31 of Aviation Week and Space Technology, December 15, 2003. A similar loss of data to displays on an Airbus A340 in 1994 has been reported in Risks (Hatton, RISKS-16.92; Ladkin, Rushby, RISKS-16.96), as also on a Boeing B767 in 1996 (Ladkin, RISKS-18.19). EFIS failure was also initially suspected in a turboprop accident in Zürich in 2000 (Ladkin, RISKS-20.78) but the final report fingers pilot error and not technical problems, according to the Neue Zürcher Zeitung, also 2 December 2003, www.nzz.ch/2003/12/02/english/page-synd4505738.html There are lots of things one could say about such flight information display system architectures. All of them rely on the mechanical principles of the older mechanical systems, but add a layer of electronic display technology that was not present in the older systems, which drove the displays directly. This extra layer, most obviously, introduces categories of failure that were not present in the original systems, such as the failures exhibited in these incidents. I shall not address here the question of whether the benefits of such systems outweigh the risks. The industry seems to be moving towards replacing the mechanical standby flight instruments, built to designs that have functioned well for upwards of a century now, by electronic displays. Electronic standby instrument displays are available and are being advertised for many business jets. Peter B. Ladkin, University of Bielefeld, www.rvs.uni-bielefeld.de
About 13 hours ago, the POSIX time_t counter exceeded 2**30, thus reaching half its useful positive range (which counts seconds since 1970) on traditional hosts with 32-bit signed integer time_t. Unfortunately, some software produced by Parametric Technology Corp. was using that 2**30 bit in time values, so today's milestone introduced timeout glitches into unpatched installations of PTC's Pro/ENGINEER, Pro/INTRALINK, and Windchill products. PTC has made patches available to all users, regardless of maintenance status; see <http://www.ptc.com/go/timeout/index.htm>. I still do much of my computing on hosts with 32-bit time_t. I expect this to change in the next few years as 64-bit hosts take over, but I wonder: how many applications will break in January 2038 when time_t exceeds 2**31, even though the underlying hardware and OS works correctly? Mark your calendars.
The Danish newspaper Politiken cites a Ritzau (Danish telegram bureau) telegram on Sun 4 Jan 2004 The Danish Prime Minister's Office has tightened IT Security with immediate effect following the disclosure of the origins of the document containing the New Year's speech of prime minister Anders Fogh Rasmussen. The speech had been written in a document originally authored by Christopher Arzrouni, head of the Trade and Industry Law section of the Association of Danish Industries ("Dansk Industri"). Till now, the ministry has distributed Anders Fogh Rasmussen's speeches to the press and others in word files but in two independent cases, just a few clicks on the computer did reveal the document's origin or which changes had been made. Therefore, the PM's office instituted a new procedure on Friday. "We will in the future distribute speeches as PDF files so that such things will not happen" says ministry spokesman Michael Kristiansen. At the same time, the ministry has begun checking its web site security. (my own translation) Since the said Arzrouni chairs a well-known ultraliberalist (in the european sense) discussion society and since the PM does his best to convince voters that he himself has left former ultraliberalist convictions alone, the disclosure is very interesting at least. One wonders what state secrets have been published by the government being blatantly ignorant to a very well-known MS word problem. And why an inappropriate word processor choice leads to a completely unrelated check of web site security. The RISK: Wrongly believing that the higher echelons of governments and their technical support has more than a faint idea of IT security. On the positive side: This may give some publicity to that infamous word problem.
The new federal anti-spam law went into effect Jan. 1, but consumers report their inboxes are more cluttered than ever — what's going on? Critics say the new law doesn't actually ban spam but rather provides guidelines for sending junk e-mail legally. "Now we have a green light for what would come to be called 'legal spam,'" says ePrivacy Group CEO Vincent Schiavone. John Levine, a board member of the Coalition Against Unsolicited Commercial E-Mail, concurs: "Basically, it's a bill of rights for companies that want to send junk e-mail." In addition, the federal law supercedes stricter laws recently passed in several states, such as California. "Everyone was planning for this California law, which was so draconian," says a California lawyer who defends accused spammers. "Once the federal government passed the federal law, everyone was kind of relieved." And while technology firms are eagerly pursuing new ways of blocking spam, skeptics say the ultimate solution won't be technological or legal, but will depend on developing more savvy users. Mary Youngblood, abuse team manager at EarthLink, suggests putting numbers in the middle of your e-mail address to make it more difficult to guess and using a separate address for online shopping and newsgroup postings. [AP, Jan 11 2004; NewsScan Daily, 12 Jan 2004] http://apnews.excite.com/article/20040111/D800O3P00.html
Weblog: A Chip for Your Hamburger: Can radiofrequency I.D. devices help stop the spread of beef tainted by mad cow disease? [MIT Technology Review blog item] Well, not quite, but this article in the RFID Journal indicates that both official[s] and the industry are now thinking of using RFID chips to enable greater tracking of meat through the food supply. This will help track things like infected beef (e.g., ground mad cows). What the article doesn't say is that this will also help protect against a terrorist attack --- or at least allow the tracking and faster recovery if terrorists go after the food supply. Simson Garfinkel [Topic: Security and Defense ] http://www.uptilt.com/c.html?rtr=on&s=5fo,4qkw,4rw,ij9s,j8tx,i328,m8yb> http://www.technologyreview.com/blog/blog.asp?blogID=1227&trk=nl [Might this require edible RFID microchips that survive meat grinders and wind up in each hamburger patty? PGN]
Rockwell, is suing a law firm that is currently suing Rockwell's customers. The law firm says that Rockwell has infringed on a patent. (I'm uncertain what relationship the law firm has to the patent holder.) The law firm appears to assume that suing Rockwell's customers will get more money than suing Rockwell. Rockwell sees this as blackmail/threat because the law firm has not — and cannot (without suing Rockwell) — prove that the patent is or is not infringed. So Rockwell is now suing the law firm. Rather nasty. In Rockwell Automation Inc. v. Schneider Automation Inc., 02-01195, Rockwell says its technology is not covered by the Solaia patent, and rather than battling that issue out in court, Niro Scavone and its clients have sought to "'shakedown' manufacturers through threats of potential business interruption or catastrophic damages." http://www.law.com/jsp/article.jsp?id=1039054478800
Burger King Customer being told they are too fat to order a Whopper by hackers into the wireless speaker system at the drive through window! http://www.ananova.com/news/story/sm_853744.html?menu=news.latestheadlines
The Associated Press sent out a list of 250 celebrities' phone numbers by mistake. Many of the numbers are old and some of the celebrities are dead, but you can see the potential annoyance. http://www.sltrib.com/2004/Jan/01092004/utah/127432.asp
The password used to "protect" a Microsoft Word form can be revealed with a simple text editor, according to a recent BugTraq article. The RISK in this case goes beyond the ability to edit a protected document (you can bypass this anyway with Edit > Select All > Copy, open a new document and Paste). The real RISK is that the user's password is so easy to discover. Ideally, users would protect a form with a password that is different from their network authentication password(s). But in the real word ... News Story http://news.zdnet.co.uk/software/windows/0,39020396,39118935,00.htm=20 BugTraq Article http://www.securityfocus.com/archive/1/348692/2004-01-02/2004-01-08/0
There's an interesting statement in the Volume 2, Number 1, January 4, VerifiedVoting.org newsletter regarding the VoteHere break-in. VoteHere's website says that they sell a product called RemoteVote (c) "an e-voting election system that supports the convenience, ease-of-use, and mobility of online voting. It's unique in delivering best-of-breed security and information technology practices, easy to administer and easy to use - and has been praised for its effect on voter turnout and overall voter satisfaction." But VerifiedVoting.org's news item says: "VoteHere, a Bellevue, Washington company developing security technology for electronic voting "suffered an embarrassing hacker break-in." The electronic intruder broke into the company's system last October and has now been identified, according to the company's CEO Jim Adler. This event got a lot of news coverage, but we're not sure of its significance, since VoteHere says they are going to release all their software." Wait a second, we're not sure of its significance? VoteHere is selling an Internet voting product but they apparently aren't capable of protecting their own network from attack and their sensitive files from theft. That certainly sounds significant to me, and this has absolutely nothing to do with whether their software is publicly accessible or not. The USA Today report quoted Adler as saying "the break-in did not affect the integrity of its voting technology." This certainly should reassure the "large and small corporations, professional associations, unions, cooperatives, universities, political organizations and government groups" that VoteHere is marketing RemoteVote that their product is not more vulnerable than the insecure platform it is running on top of. I know that I feel much better knowing that the hacker (and probably also his pals) has a copy of the source code.
Seems Palm Beach and Broward counties can't certify a recent election. The "winner" of the election won by 12 votes out of 10,844 cast. 137 votes were blank ballots. From the PalmBeachPost newspaper: "Florida law requires a manual or hand recount of all "under-votes" and "over-votes" in an election decided by less than 0.25 percent. But touch-screens leave behind nothing to count by hand. " Oops ! http://www.palmbeachpost.com/politics/ content/auto/epaper/editions/saturday/news_f3ff583cd1c3223d00af.html
I would like to correct some previous misinformation regarding the Australian electoral system. In Australia, the law requires every person on the electoral roll to submit a valid vote. Simply getting your name checked off and leaving may result in the Electoral Commission staff recording a failure to vote. Note that the staff do not examine the votes before they are placed in the ballot box - meaning there is no enforcement of the validity requirement. In the state of NSW, in my case, the penalty for not voting was a $120 fine. I intended to refuse to pay the fine on principle as I do not believe in compulsory voting. However, the alternative penalty in the case was canceling my driving license. Hence I voted 'donkey' - giving my preference by order on the ballot (which is determined randomly). Donkey votes are typically 5-10% of the Australian vote. The clear risk here is that attempting to enforce democratic principles increases the influence of random chance on the final results.
I own a CRV 4WD. The way out in a situation such as this is probably through the rear window. Unlike the side windows, this is not electric. It is released by a button under the dash that connects to the window lock via a cable. Once released, the window can be pushed open from the inside. This completely mechanical system would presumably still function even when underwater, although if totally submerged it may be necessary for the water inside the vehicle to reach a certain level before the pressure can be overcome and the window opened.
[PGN note: I messed up my PGN-ed version of the item with Subject line "Bank of England falls victim as e-mail scams rise by 400%" It might more accurately have been titled "Visa customers hit by phishing expedition seemingly from Bank of England" Oops! PGN] As I'm sure many of the RISKs readers are aware, the Bank of England is a Central Bank and hence does not issue its own Visa (or any other credit cards) at least for consumers. Similarly, it doesn't operate consumer bank accounts. I suppose you could say that the Bank of England is equivalent to the Federal Reserve, *not* Bank of America. Therefore the BoE is unlikely to be a 'victim' in the ordinary sense of the word. Therefore, I thought there was something a bit fishy with the PGN version saying that the "This was reportedly the first time BoE was victimized by a "phishing" expedition that apparently fooled about 5% of their Visa customers into divulging their card and PIN numbers." Looking at the original news story the 'phishing' quote apparently relates to a different episode, "A campaign that targeted Visa credit card holders was said to have fooled one in 20 victims into divulging their personal details, including their card and pin numbers" *i.e. not the BoE e-mail itself*. The point of the story is to say that lots of people were sent an e-mail with an executable attachment with the message "Please install our special software, that will remove all the keyloggers and backdoors from your computer." The implication (for the sender the hopeful implication) was that since the e-mail was apparently from the BoE, the software was in some way 'official'. Imagine the same e-mail in the US from firstname.lastname@example.org. I think the problem here is wider than a standard someone@aConsumerBank.com e-mail since it is apparently from a 'trusted' central bank (the one who controls the 'normal' banks) but it doesn't cause any direct 'damage' to the apparent sending agency. So, three apparent risks; 1. Mis- / Dis-information (scaremongering?), accidental or otherwise, caused by incorrect summary of other news stories. 2. E-Mails apparently from a trusted source (common / usual RISKs here, but the 'trusted source' in this case is a 'super-trusted source'). 3. For me the most worrying RISK is that the UK's "National High-Tech Crime Unit" came out with the very enlightening statement "We have opened the attachment, but we have so far not been able to find out what it does, if anything." How many programmers does it need to be able to analyse a piece of code to be able to work out what it does? Anti-virus labs are pretty good at this, so why not the Government-funded anti-crime 'specialists'? At least they are apparently being honest here(!).
http://www.cs.cityu.edu.hk/~ytyu COMPSAC 2004 The 28th IEEE Annual International Computer Software and Applications Conference September 27-30, 2OO4, HONG KONG http://rachel.utdallas.edu/compsac Major theme: DEVELOPING TRUSTWORTHY SOFTWARE SYSTEMS 15 Jan 2004: Deadline for WORKSHOP and PANEL PROPOSALS 15 Mar 2004: Deadline for REGULAR and WORKSHOP PAPERS PROGRAM CO-CHAIRS: W. Eric Wong, University of Texas at Dallas, USA, Email: email@example.com Karama Kanoun,LAAS-CNRS, France, Email: Karama.Kanoun@laas.fr
EuSpRIG 2004: Spreadsheet Risks, Development and Audit Methods Theme: Risk Reduction in End-User Computing Best practice for spreadsheet users in the new Europe Thursday July 15th - Friday July 16th 2004 Klagenfurt University, Klagenfurt, AUSTRIA For submission instructions, details of formatting, handling of illustrations etc. download guidelines from www.eusprig.org Patrick O'Beirne, European Spreadsheet Risks Interest Group
Please report problems with the web pages to the maintainer