Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
(From NRC handelsblad, Tuesday December 6, my translation) The fully automatic, unmanned public transport system Parkshuttle in Rotterdam and Capelle aan den Ijssel (in The Netherlands) has been suspended this morning. Two vehicles collided and were severely damaged. According to a spokesman of Connexxion no passengers were present in the shuttles. Connexxion does not have any clue about the cause of the collision. "As long as we don't know that, the shuttles won't ride", according the spokesman. The shuttles are unmanned. They ride on demand and bring passengers from the metrostation Kralingsezoom in Rotterdam to the business park Rivium in Capelle aan den Ijssel. Prime minister Balkenende formally started the system last Thursday. The system appeared to have a second youth after a trial period between 1999 and 2001. Gerrit Muller System Architecting http://www.gaudisite.nl/
http://blogs.siliconvalley.com/gmsv/2005/12/babababba_immac.html So by "independent" you mean "independent of any public oversight," right? North Carolina is being called to account for its decision to certify electronic voting machines made by three companies that refused to comply with the state's election transparency rules. The Electronic Frontier Foundation (EFF) on Thursday filed a complaint <http://www.siliconvalley.com/mld/siliconvalley/13361799.htm> against the North Carolina Board of Elections and the North Carolina Office of Information Technology Services, asking the Superior Court to void the recent "immaculate certifications" they awarded last week <http://www.eff.org/Activism/E-voting/EFF_Mandamus_Complaint_TRO_20051208140945.pdf>. North Carolina law requires the Board of Elections to rigorously review all voting system code "prior to certification." But last week the state's Board of Elections certified voting systems from Diebold Election Systems, Sequoia Voting Systems, and Election Systems and Software without bothering to do so (see "Election transparency law damn near invisible <http://blogs.siliconvalley.com/gmsv/2005/12/so_much_for_nor.html>"). "This is about the rule of law," said EFF Staff Attorney Matt Zimmerman <http://www.eff.org/news/archives/2005_12.php#004237>. "The Board of Elections has simply ignored its mandatory obligations under North Carolina election law. This statute was enacted to require election officials to investigate the quality and security of voting systems before approval, and only approve those that are safe and secure. By certifying without a full review of all relevant code, the Board of Elections has now opened the door for North Carolina counties to purchase untested and potentially insecure voting equipment." Keith Long, a North Carolina voting systems manager, defended the state's decision, telling News.com that reports from "independent testing authorities" were sufficient for certification. <http://news.com.com/EFF+moves+to+block+e-voting+system+certification/2100-1028_3-5988243.html?tag=nefd.top> But that comes as poor reassurance. Because if the "independent testing authorities" to which Mr. Long refers are as impartial as he is, North Carolina is in big trouble. Long, you see, worked for Diebold Election Systems as recently as Oct. 1, 2004. And between 1983 and 1992 he worked for Sequoia <http://www.news-record.com/apps/pbcs.dll/article?AID=/20051113/NEWSREC0101/511130328>. Posted by John Paczkowski on 06:46 AM December 09, 2005
John Seigenthaler Sr. (a former editor of *The Tennessean* in Nashville, and founder of the First Amendment Center) was startled to find an entry on himself in Wikipedia that included defamatory false personal information about him — for example, suggesting that Mr. Seigenthaler had been involved in the assassinations of John and Robert Kennedy. Mr. Seigenthaler then wrote an op-ed article in *USA Today*, noting among other things that he was especially annoyed that he could not track down the perpetrator because of Internet privacy laws. The culprit's IP address led to his employer by Daniel Brandt of San Antonio -- who has been a frequent critic of Wikipedia after reading false information about himself! See his www.wikipedia-watch.org. This led Brian Chase in Nashville to admit having written the offensive material as a joke, stating that he thought that Wikipedia was a "gag" Web site! [Source: Katharine Q. Seelye, *The New York Times*, 11 Dec 2005; PGN-ed] Coincidentally, that story broke on about the same day that the December 2005 issue of the *Communications of the ACM* came out, the inside back cover Inside Risks column of which is ``Wikipedia Risks'' http://www.csl.sri.com/neumann/insiderisks05.html — written by four long-time RISKS contributors, Peter Denning, Jim Horning, David Parnas, and Lauren Weinstein who are on my ACM Committee on Computers and Public Policy. This case points up just one of the risks associated with Wikipedia noted in the Inside Risks article, namely that of having an encyclopedia contributed by thousands of volunteers, with few controls on content. PGN
A U.S. Government Accountability Office (GAO) report in Nov 2005 says that there are roughly 2,310,000 Web addresses for which the owner or contact information is unknown. That represents 5% of all .com, .net, and .org domain names. This provides anonymity for spammers, scammers, phishers, and other illegal activities, and untraceability for malware-containing sites. [Source: Jim Wagner, *Internet News*, 8 Dec 2005; PGN-ed] http://www.internetnews.com/ent-news/article.php/3569521
Emerald Hills Golfland, in San Jose, California, is a theme park with two miniature golf courses. It was discovered by San Jose Police to be on a Homeland Security watch list (to prevent it from boarding planes?). Of course, the list is secret. [Source: AP item, 9 Dec 2005; PGN-ed] http://www.kron.com/Global/story.asp?S=4226663
A software glitch has interrupted the sweeping overhaul of city emergency communications, which could delay the upgrade of police car computer systems by up to two years, officials said Monday. News about the glitch in the city's $15 million contract with Northrop Grumman Information Technology drew a strong reaction from the City Council's Public Safety Committee. [Source: Dan Laidman, Glitch triggers outcry on panel; Woes may delay police car computer upgrade, *Los Angeles Daily News*, 29 Nov 2005; PGN-ed; thanks to Lauren Weinstein for contributing this item.]
Japanese financial-services firm Mizuho Securities Co. said Thursday it erroneously placed sell orders because of a simple human data-input mistake that apparently ignored an error warning. This cost Mizuho at least 27 billion yen ($225 million). The company mistakenly sold 610,000 shares of J-Com Co. at 1 yen (less than 1 cent) per share, instead of the request to sell just one share at 610,000 yen ($5,080). The mishap sent the benchmark Nikkei 225 index down 1.95 percent on the Tokyo Stock Exchange. Mizuho Financial Group dropped 3.4 percent to 890,000 yen ($7,416.67). [Source: AP item, 8 Dec 2005; PGN-ed] http://www.timesonline.co.uk/article/0,,3-1917093,00.html [Many thanks to Chuck Weinstock, George Mannes, FJReinke, and Tomas Uribe, all of whom sent in the full item. Tomas commented: One would think that "money-critical" systems would have more stringent safeguards against this type of thing. Also, someone must have made $225 million as well---who might have been the lucky ones who bought the discounted shares? PGN]
Seems that we don't learn from mistakes (as if that should be a revelation to readers of this list)! Trouble began Thursday morning, when Mizuho Securities tried to sell 610,000 shares at 1 yen (less than a penny) apiece in a job recruiting firm called J-Com Co., which was having its public debut on the exchange. It had actually intended to sell 1 share at 610,000 yen ($5,041). http://www.washingtonpost.com/wp-dyn/content/article/2005/12/09/AR2005120900 087.html Also at http://www.nytimes.com/aponline/business/AP-Japan-Botched-Trade.html and many other places. As this problem sounded rather familiar, I searched the RISKS archive, and found it in RISKS-21.81. That posting, almost exactly four years ago, included the following excerpt: Before the Tokyo market opened Friday, a UBS Warburg trader entered what was intended to be an order to sell 16 Dentsu shares at 610,000 yen ($4,924.53) each or above. Instead, the trader keyed in an order to sell 610,000 Dentsu shares at 16 yen apiece ... That was also on the day of a "public debut" (aka IPO). However, it was a bargain - it cost UBS Warburg about $100M vs. about $235M for Mizuho Securities. I assume it's just coincidence that these two failures were both on the Tokyo Stock market. [I knew the new case sounded familiar! Perhaps the 610,000 is a default number for an erroneous field? That's quite a coincidence. PGN]
Found on MacInTouch We received an unconfirmed report that Printer Setup Repair 5.0.3 incorporates a hidden and dangerous anti-copying mechanism, and the company responded to our follow-up with an explanation: [MacInTouch Reader] Printer Setup Repair, the widely-used utility for Mac OS X printers, has taken a malicious approach to combatting software piracy. With version 5.0.3 for Mac OS X Tiger, if the user enters a pirated serial number known to the program, the program will immediately and without any warning remove all user preferences and the user keychain, and possibly do other unknown damage to the user's system. [...] [John Goodchild, President, Fixamac Software, Inc] Thank you for bringing this to our attention. We have examined our code and discovered an error in the area that rejects pirated registration codes. The original objective was to delete the Printer Setup Repair preferences but a misplaced space in the code allowed the entire user preferences folder to be erased. This would only occur if a pirated code was used. The error was probably overlooked since there was a need to block a new batch of pirated codes quickly. There was no such error in the area that handles legitimate registration codes and in no way can occur if a legitimate registration code is entered incorrectly since the user name is also a part of our internal tests. We have fixed the problem and posted an update. This was not a malicious act on our part, rather an effort to protect our product from software pirates, and we regret any damage that may have been caused by the use of pirated registration codes. Anyone who downloaded Printer Setup Repair 5.0.3 between 11-05-05 and 12-06-05 should download the current release from our web site.
Is there something in the Uniform Fire Code that addresses electronic switches on exit doors? I work in a building that has two sets of doors towards the exit that both have electronic switches that have failed in several instances. The first set of doors has a capacitance touch switch which won't work if one is wearing gloves or has a prosthesis. The second set of doors uses a motion detector, which fails if you stand too close to the doors for more than five seconds (you have to subsequently wave at the detector to trigger it). This seems fundamentally flawed and hazardous. I've just learned that my employer was informed by the Austin Fire Department that touch switches are specifically allowed and they're preferred over motion sensors (which are no longer allowed in new installations). It doesn't seem to me that someone would naturally know that they need to actually touch a metal bar with their skin in order to exit a door and there have been several instances of fellow employees stalled at the door waiting from someone else to come along and "magically" open the door.
Privacy implications of Microsoft's Windows Live Local David Pescovitz, 9 Dec 2005 Mike Liebhold, my colleague at the Institute for the Future, is deep into the geohacking scene. He just took a look at Microsoft's new Virtual Earth incarnation, Windows Live Local and found some big privacy concerns [Mike's entire post to the Geowanking listserv on Microsoft's "Location Finder" is online: http://www.boingboing.net/2005/12/09/privacy_implications.html PGN]
(Matt Richtel) Cellular operators know, within about 300 yards, the location of their subscribers whenever a phone is turned on. The operators have said that they turn over location information when presented with a court order to do so. However, in the last four months, three federal judges have denied prosecutors the right to get cellphone tracking information from wireless companies without first showing "probable cause" to believe that a crime has been or is being committed. That is the same standard applied to requests for search warrants. [Source: Matt Richtel, *The New York Times*, 10 Dec 2005; PGN-ed] http://www.nytimes.com/2005/12/10/technology/10phone.html?ei=5094&en=4dace02ac3105d11&hp=&ex=1134190800&partner=homepage&pagewanted=print [Note: Missouri has granted a contract for statewide cell-phone tracking.]
My teenaged-daughter works at a Meijer store (http://www.meijer.com/ — they have retail superstores in Ohio, Illinois, Indiana, Michigan and Kentucky) near us, and she'd waived any health insurance benefits, because she's covered under my plan. Recently, she received a letter about the benefit's choices that she'd made. On the first side of the letter is a standard form letter with her name and address and employee number. On the other side of the letter is a detailed accounting of her benefits package. The only problem is that the name on this other side is not hers, and it lists the benefits chosen by another employee from another state with an employee number two digits before hers. The benefits side of the letter listed the other person's name, address, employee number, home phone, and date of birth, but not a social security number. Because the other person had waived his benefits like my daughter had, there was little information. But, if the person had chosen a benefits package and had decided to cover their dependents, then the following information for the dependents would have been listed: names, relationship, birth date, sex, and social security number. I called the 1-800 number on the letter about the mistake, and the person that answered immediately said that there's a message about that. I was transferred to a pre-recording. It said that the company was aware that this had affected a lot of their employees, and that employees who'd receive someone else's information are asked to destroy the letters. I hope their employees do the right and honorable thing, and do not use the identifying information for nefarious purposes, but we all know that the lamp of Diogenes would go out when within a mile of a few people...the ones we all worry about. Jim Bauman, S-K Lotus Notes Group, 1-847-468-3014 firstname.lastname@example.org
The GPS algorithms include measures of the accuracy and reliability of the current solution. These should be displayed, for instance with an appropriately large fuzz ball on a map display.
I would conjecture that the list of dates you present are poorly formatted, but correct. Given the rising sequence in the last 2 digits and selective set in the first digit, I would surmise that these represent some sort of quarter data. So, 98Q4 through 05Q3. [...] Any possibility the second position 0s are actually Qs? > 4098 3099 2000 1001 4001 4002 2003 1004 4004 3005 [Jim responded: Paul, What sharp eyes you have! You could see those Qs even when I transcribed the data by hand. I can barely see them as Qs on the original, even given your helpful suggestion, but I do believe that you are correct. Jim H.] [Also noted by Amos Shapir, who observed that the date labels are placed three quarters apart. But that still does not explain the "4002", which looks as if it should have been "3002". Before running Jim's item in RISKS-24.11, I explicitly asked him to check whether the "4002" was accurately represented by him, and he did verify that. So, I suspect that the "4002" may have been a recording error in the original, or else a lapse in the reporting schedule. PGN]
Please report problems with the web pages to the maintainer