echo: 10th_amd
to: all
from: Roy J. Tellason
date: 2003-07-08 20:01:16
subject: from Risks Digest 22.79

* Forwarded (from: netmail) by Roy J. Tellason using timEd 1.10.y2k.



Date: Sun, 06 Jul 2003 23:08:26 +0200
From: Debora Weber-Wulff 
Subject: The risks of assuming things: German payrolls

The German government has a little problem. Up until now all of the civil
servants have been paid according to a pay scale that is the same
throughout Germany.  The salaries are paid out by the states, but the
federal government determines the pay level. The company SAP has developed
payroll software for the civil service that many states in Germany use. 
When a new payscale goes into effect, they just issue a table update, and
everything is fine.

Now suddenly the states are rebelling: Berlin has left the fold, and just
this week concocted a wacky payment system. Certain extras are being cut,
others kept, pay is being cut either 8, 10 or 12 percent depending on what
scale people are in, the work week is to be decreased by 2 hours a week for
most of them, etc. etc. No one really understands it, except that Berlin is
broke and is trying to save money any way it can. The changes are to go
into effect immediately - except that there's the slight problem with the
payroll system. It assumes the same tariffs as everywhere.....

Looks like the folks down at SAP are going to have their vacations
canceled, as they try to whip up programs to institute this payment
schedule change.

Or as a colleague once said many, many years ago: No one can be *that*
crazy....  only to discover a few months later that there really was
someone with a really crazy schema for organizing stuff.

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, FB 4, Internationale
Medieninformatik Treskowallee 8, 10313 Berlin  +49-30-5019-2320

--

Date: Thu, 3 Jul 2003 15:27:41 +0100
From: "Ian Chard" 
Subject: Radar operator's joke leads to fighter intercept

Avweb Newswire
(http://www.avweb.com/newswire/9_27b/complete/185253-1.html):

"In Europe last week, French fighter jets almost shot down a civilian
helicopter that wandered over Lake Geneva, after a Swiss controller
jokingly labelled the helicopter as 'al-Qaeda' on his radar screen."

Ian Chard  RHCE  Unix systems administrator      E: ichard{at}cadence.com
European IT, Cadence Design Systems Ltd          T: +44 (0)1506 595019
The Alba Campus, Livingston, Scotland  EH54 7HH  M: +44 (0)7901 855073

--

Date: Thu, 3 Jul 2003 10:17:29 -0500
From: Robotech_Master 
Subject: "Soft walls" will keep hijacked planes at bay

Article in *NewScientist* about an interesting new technique for
keeping airliners from crashing into skyscrapers:
  http://www.newscientist.com/news/news.jsp?id=ns99993893

The proposal suggests

  modifying the avionics in aircraft so that the plane would fight any
  efforts by the pilot to fly into restricted airspace. So if a plane
  was flying with a no-fly-zone to the left, and the pilot started
  banking left to enter the zone, the avionics would counter by banking
  right. Lee's system, called "soft walls", would first gently resist
  the pilot, and then become increasingly forceful until it prevailed.
  The risks of this technique I leave as an exercise to the reader.

Chris Meadows aka Robotech_Master robotech{at}eyrie.org  
http://www.eyrie.org/~robotech

--

Date: Mon, 7 Jul 2003 13:03:45 -0600
From: zowie{at}euterpe.boulder.swri.edu (Craig DeForest)
Subject: "Soft walls" = dangerous avionics?

Edward Lee, at U.C. Berkeley, is proposing to implement no-fly zones around
skyscrapers (and avoid a repeat of the 9/11 massacre) by using GPS to
override the controls of civilian aircraft.  Based on a database (in the
aircraft) of building locations, the on-board avionics would force the
controls of large airplanes to prevent them from flying into large
buildings (with presumably known locations).

There's an interesting article in this week's New Scientist
(http://www.newscientist.com/news/news.jsp?id=ns99993893) that talks about
Lee's system and relates it to other ideas for counter-terrorism. 
Interestingly, one advantage that Lee uses is that other systems require
radio links with the ground and therefore "can be jammed, or hacked
into" (while, presumably, GPS cannot?).

Not surprisingly, Lee says that pilots are "openly hostile" to the idea.

It seems to me that the system falls prey to a weakness that so many
pseudo-security systems do: it's in essence a cooperative system, rather
than a pre-emptive one (by analogy to multitasking in the computing world).
Even assuming the avionics work flawlessly, it would be impossible to
install the "soft wall" system on every airplane in the country,
let alone the world -- and it only takes one airplane with the soft-wall
avionics missing or disabled, to defeat the purpose of the whole system.  

--

Date: Mon, 7 Jul 2003 01:38:16 -0400
From: Ed Ravin 
Subject: Dead-pregnant-men software failure

In a NY Times story about the effects of NY City budget cuts:

  http://www.nytimes.com/2003/07/07/nyregion/07BLOC.html?pagewanted=print

(link free until July 13 or so, after that they charge):

is a discussion of yet another multi-million-dollar software development failure:

 Eight years ago, at the urging of [...] funeral directors, the
 city agreed to develop a computerized registration system [for the
 filing of death certificates].  About $3.2 million was spent to
 design one, according to an audit released on June 23 by the city
 comptroller. Then the plans were abandoned when the prototype system
 developed serious problems, like registering some men as having
 been pregnant when they died. The city now plans to spend $1.8
 million more for project design. The comptroller's audit called
 the aborted plans "a monumental waste" of taxpayer dollars.

The NYC Comptroller's press release announcing the audit is at:

 http://www.comptroller.nyc.gov/press/2001_releases/01-08-055.shtm

Where it is mentioned that the city Health Department, in charge of the
software development, violated both City and State procurement procedures
in using an existing contract with IBM for "computer maintenance"
to develop the new software system.  The full bill for the system so far is
more like $9-$10 million.  The system still does not work, and the Health
Department has issued a new RFP for the project that does not contain any
references to the old system, so it appears they intend to throw it away.

The audit is available at:

 http://www.comptroller.nyc.gov/bureaus/audit/06-23-03_7A03-073.shtm

The Comptroller quickly reaches to the heart of the matter:

  "[...] the Department did not employ a formal systems development
  methodology or an independent software quality assurance consultant
  [as required by City rules, which] contributed to the apparent
  failure of this project."

Meanwhile, across the river in New Jersey, a similar project was completed
by leveraging an existing Sybase system from the New York State Department
of Health, taking only six months and $250,000.

--

Date: Mon, 30 Jun 2003 08:25:02 -0400
From: "Keith A Rhodes" 
Subject: Johnson Calls ATM Arrest Error 'Intolerable' (Re: RISKS-22.78)

http://www.washingtonpost.com/wp-dyn/articles/A33576-2003Jun25.html

Although this article is focusing more on the local Prince George's County
police force and detective function -- which has gotten a lot of bad press
here in the DC area for quite a long time -- I think the message that is
being missed is that technology can give the exact opposite result from
that intended. Photographs from ATM cameras linked with ATM card usage and
the system clocks are supposed to provide exact measures of events.
However, if the ones using the data do not carefully collect it and
interpret it correctly, then -- as this article states -- three apparently
innocent people are arrested and held for 22 days. Humans cannot be
completely removed from processes that have severe consequences, but the
humans that are left "in the loop" must understand that what they
do has severe consequences. They should, therefore, be very careful about
what the "system" is telling them. In this case, the detention of
the three innocent people has allowed a killer at least 22 days to get
away.

--

Date: Tue, 8 Jul 2003 02:08:36 -0400
From: Monty Solomon 
Subject: RFID Site Security Gaffe Uncovered by Consumer Group

CASPIAN asks, "How can we trust these people with our personal data?"

CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) says
anyone can download revealing documents labeled "confidential"
from the home page of the MIT Auto-ID Center Web site in two mouse clicks. 
The Auto-ID Center is the organization entrusted with developing a global
Internet infrastructure for radio frequency identification (RFID). Their
plans are to tag all the objects manufactured on the planet with RFID chips
and track them via the Internet.  Privacy advocates are alarmed about the
Center's plans because RFID technology could enable businesses to collect
an unprecedented amount of information about consumers' possessions and
physical movements.  They point out that consumers might not even know
they're being surveilled since tiny RFID chips can be embedded in plastic,
sewn into the seams of garments, or otherwise hidden.  ...
  http://www.nocards.org/press/pressrelease07-07-03_1.shtml

--

Date: Sat, 5 Jul 2003 00:28:42 -0400
From: Monty Solomon 
Subject: Web site turns tables on government officials

Hiawatha Bray, *The Boston Globe*, 4 Jul 2003

Annoyed by the prospect of a massive new federal surveillance system, two
researchers at the Massachusetts Institute of Technology are celebrating
the Fourth of July with a new Internet service that will let citizens
create dossiers on government officials.  The system will start by offering
standard background information on politicians, but then go one bold step
further, by asking Internet users to submit their own intelligence reports
on government officials -- reports that will be published with no effort to
verify their accuracy.  ''It's sort of a citizen's intelligence agency,''
said Chris Csikszentmihalyi, assistant professor at the MIT Media Lab.  He
and graduate student Ryan McKinley created the Government Information
Awareness (GIA) project as a response to the US government's Total
Information Awareness program (TIA).  ...

  http://www.boston.com/dailyglobe2/185/business/
  Website_turns_tables_on_government_officials+.shtml

(RJT: *applause*  :-)

--

Date: Tue, 1 Jul 2003 00:28:13 -0400
From: Monty Solomon 
Subject: FTC Increases Focus on Privacy

Bob Tedeschi, *The New York Times*, 30 Jun 2003

What started more than a year ago as a California teenager's quest for blue
jeans ended this month with a warning shot from the Federal Trade
Commission, which is moving more aggressively against e-tailers seen as too
lax about protecting their customers' privacy.  Online merchants say they
can handle the commission's new scrutiny.  But some people, including the
young man who set off the FTC investigation in this case, are not so sure.
And given that the young man pointed out a security flaw in another
well-known online merchant last week, he may be right.

In February 2002, Jeremiah Jacks, then a 19-year-old computer programmer,
was set to buy a pair of jeans on the Web site of Guess Inc. But before
entering his credit card information, he took the unusual step of checking
the site's security - not the security pledge in Guess.com's privacy
policy, but the company's actual practices.  In the site's address bar he
entered a string of characters that, on an insecure site, would produce a
page listing the credit card numbers of the company's customers. The
vulnerability, he said, is well known within the programming community.

It worked. About 200,000 customer names and credit card numbers appeared in
Mr. Jacks's browser. In an interview last week, Mr. Jacks recalled that he
had immediately tried to inform Guess of its vulnerability to such a
break-in [an SQL injection].  Guess.com ignored his entreaties, he said,
and Mr. Jacks soon reported his discovery to SecurityFocus, an Internet
security news site owned by the Symantec Corporation, which then notified
Guess. Within hours, the company fixed the site.

http://www.nytimes.com/2003/06/30/technology/30ECOM.html

--

Date: Thu, 03 Jul 2003 09:30:59 -0700
From: "NewsScan" 
Subject: Web vandalism alert

Anonymous organizers of a Web-vandalizing contest this weekend say that the
goal will be to deface 6,000 Web sites in six hours, with winners to be
awarded prizes such as Web hosting space and Internet domain names. Pete
Allor of Internet Security Systems Inc., which runs a threat-detection
service, cautions Web operators: "The problem is now, and you
shouldn't wait until Sunday to address it." (Atlanta
Journal-Constitution 3 Jul 2003)
http://www.ajc.com/business/content/business/0703/03hacker.html
NewsScan Daily, 3 Jul 2003

  [Apparently mostly small sites were hit.  PGN]

  (RJT:  So?)

--

Date: Mon, 30 Jun 2003 09:04:13 -0400
From: "Richard M. Smith" 
Subject: Microsoft Word "bytes" Tony Blair in the butt

Microsoft Word documents are notorious for containing private information
in file headers which people would sometimes rather not share.  The British
government of Tony Blair just learned this lesson the hard way.

Last week, Alastair Campbell, Blair's Director of Communications and
Strategy, was in the hot seat in British Parliament hearings explaining
what roles four of his employees played in the creation of a plagiarized
dossier on Iraq which the UK government published in February 2003.  The
names of these four employees were found hidden inside of a Microsoft Word
file of the Iraq dossier which was posted on the 10 Downing Street Web site
for use by the press.  The "dodgy dossier" as it became known in
the British press raised serious questions about the quality of British
intelligence before the second Iraq war.

I wrote an article for my Web site about how a bit of computer forensics
analysis played a role in this controversy:

   http://www.ComputerBytesMan.com/privacy/blair.htm

Richard M. Smith  http://www.ComputerBytesMan.com

--

Date: Thu, 3 Jul 2003 20:28:52 -0400
From: David Magda 
Subject: Dangers of MS Word, yet again

The British government learned the hard way about how Microsoft Word
documents keep a revision history:

http://www.wsws.org/articles/2003/feb2003/cnew-f10.shtml
http://www.computerbytesman.com/privacy/blair.htm
http://www.abc.net.au/pm/s779254.htm

The original analysis was supposedly this:

http://www.casi.org.uk/discuss/2003/msg00457.html

This is nothing new of course: see RISKS 20.83, 20.28, 17.76, 19.97,
18.46, 18.44, 18.41, etc.

This problem goes back to (at least) 1996 (RISKS 17.76) and yet
people are still bitten by this bug(?).

The more things change...

David Magda , http://www.magda.ca/
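An added pre-publication check for the kind of hidden names Richard Smith and David Magda describe above (example code, not from either author's analysis). It assumes the XML-based .docx format rather than the binary .doc of the 2003 dossier, and the document and names it scans are constructed placeholders.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed sample parts; the names are placeholders, not real people.
CORE_XML = (
    f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
    "<dc:creator>Author One</dc:creator>"
    "<cp:lastModifiedBy>Editor Two</cp:lastModifiedBy>"
    "</cp:coreProperties>"
)
DOCUMENT_XML = (
    f'<w:document xmlns:w="{NS_W}"><w:body><w:p>'
    '<w:ins w:id="1" w:author="Reviewer Three" w:date="2003-02-03T10:00:00Z">'
    "<w:r><w:t>tracked insertion</w:t></w:r></w:ins>"
    "<w:r><w:t>visible text</w:t></w:r></w:p></w:body></w:document>"
)

def build_sample_docx():
    """Minimal .docx (a zip of XML parts) built in memory for the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()

def hidden_names(docx_bytes):
    """Names recoverable from package metadata and from w:author attributes,
    which Word puts on tracked changes and comments. Run this before posting
    a document; an empty list is what you want to see."""
    names = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for member in zf.namelist():
            if not member.endswith(".xml"):
                continue
            root = ET.fromstring(zf.read(member))
            if member == "docProps/core.xml":
                for tag in (f"{{{NS_DC}}}creator", f"{{{NS_CP}}}lastModifiedBy"):
                    el = root.find(tag)
                    if el is not None and el.text and el.text.strip():
                        names.add(el.text.strip())
            # tracked changes (w:ins, w:del) and comments all carry w:author
            for el in root.iter():
                author = el.get(f"{{{NS_W}}}author")
                if author:
                    names.add(author)
    return sorted(names)
```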

--

Date: Tue, 1 Jul 2003 16:13:09 -0400
From: Jonathan Kamens 
Subject: Re: Phantom voting in Israeli Knesset (Ravin, RISKS 22.76)

It is worth noting that the computerized voting system used by the Israeli
Knesset has, as far as I know, no security whatsoever.  It consists solely
of a station of buttons at each Member of Knesset's (MK's) seat for him/her
to use to register his/her vote.  No authentication is required for casting
a vote.  All an MK has to do to cast someone else's vote is to lean over
and push the desired button at the other MK's station.

In contrast, the electronic voting stations in the US House of
Representatives require a "Vote-ID" card to be inserted before a
Congressman can vote.  Furthermore, there are many fewer stations than
seats (Congressmen line up to vote at the stations), so I suspect that the
stations all have cameras trained on them throughout each vote, such that
if there is suspicion of wrong-doing after a vote, it is straightforward to
replay the video to find out who voted twice.

The US Senate has no electronic voting equipment -- counted votes are
conducted by roll-call or paper ballot.

This is surely far from the first time that MKs have voted for each other.
In fact, I find myself wondering not how this could be allowed to happen,
but rather why a fuss is being made about this particular instance of it.
If the Knesset really wanted to prevent it, they could do so, so it seems
to me that they haven't seen it as a problem. Perhaps the culture within
Israel's government is changing, such that what was previously acceptable
behavior is becoming unacceptable.

--

Date: Tue, 1 Jul 2003 00:47:31 -0400
From: Monty Solomon 
Subject: Glitches hit FTC 'do-not-call' list

Nearly one-fourth of the consumers who tried to sign up for the Federal
Trade Commission's Do Not Call database haven't completed the process, the
agency said Monday. The agency blames in part a series of technological
glitches, including aggressive spam filtering by e-mail providers that
accidentally deleted some confirmation e-mails sent by the FTC. But many
consumers just haven't replied to the FTC e-mail, which is the final step
in the sign-up process, said FTC attorney Eileen Harrington.  [Source: Bob
Sullivan, Three million consumers didn't finish sign-up process, MSNBC, 30
Jun 2003]
  http://www.msnbc.com/news/933138.asp

--

Date: Tue, 01 Jul 2003 13:27:04 -0400
From: "Dawn Cohen" 
Subject: Do not do not call?

I found my way to the Web site for the national Do Not Call registry,
through the CDT Web site.  

With great cheerfulness, I registered my two phone numbers.  I followed the
instructions:  I entered my phone numbers and one of my e-mail addresses. 
I received the automatic e-mails generated by the registry Web site, and
followed their instructions, which were simply to click on a link in the
e-mail and print out the confirmation on the linked Web page.

"How simple!" thought I to myself.  "What a blessing!  With
no effort at all, I am relieved of countless nuisance calls that interrupt
my otherwise hectic dinner!"

"But wait a bit!  How does it know that the e-mail address I entered
corresponds to someone who legitimately has the rights to put my number on
the Do Not Call registry?  Oh well...I guess it doesn't matter...suppose I
go out of my way to take someone else off the list...are they going to cry
because they don't get a lot of telemarketing calls?  I guess not.  No
problem!"

"Oh, but wait...I think I saw a 'delete registration' button..."

Yup.  It works the same way.  Type in a phone number and your favorite
e-mail address, and you can make sure that that number is not on the do not
call registry!

--

Date: Mon, 30 Jun 2003 14:51:12 -0700
From: Doug Sojourner 
Subject: Risk of appropriating technology you don't understand

Like many other people, I registered at www.donotcall.gov the other day. It
seems like they are using a "validation" technique that is often
used for e-mail lists: contact the e-mail given to see if it really belongs
to the person trying to subscribe.

Alas, this does no good when you contact an e-mail to validate a phone number.

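The confirmation flaw that Dawn Cohen and Doug Sojourner describe above, modelled as an added Python example (not the registry's own code): the weak flow sends the token to whatever e-mail address the requester typed, while the phone-bound flow is an assumed fix, not what the FTC did, that delivers the token to the number whose ownership actually needs proving.

```python
import secrets

class Registry:
    """Toy do-not-call registry (constructed for this example). Outbound
    messages are captured in self.outbox instead of being sent, so both
    confirmation flows can be exercised offline."""

    def __init__(self):
        self.numbers = set()   # phone numbers currently on the list
        self.pending = {}      # token -> (action, phone)
        self.outbox = {}       # (channel, address) -> [tokens delivered there]

    def _send(self, channel, address, token):
        self.outbox.setdefault((channel, address), []).append(token)

    # Flawed flow, as the messages above describe: the token goes to whatever
    # e-mail the requester typed, which proves nothing about who owns the phone.
    def request_by_email(self, action, phone, email):
        token = secrets.token_urlsafe(16)
        self.pending[token] = (action, phone)
        self._send("email", email, token)
        return token

    # Hardened flow (an assumed fix, not what the registry actually did): the
    # token is delivered to the phone number itself, so only someone who can
    # answer that number can complete the change.
    def request_by_phone(self, action, phone):
        token = secrets.token_urlsafe(16)
        self.pending[token] = (action, phone)
        self._send("phone", phone, token)
        return token

    def confirm(self, token):
        action, phone = self.pending.pop(token)  # KeyError: unknown or reused token
        if action == "add":
            self.numbers.add(phone)
        elif action == "delete":
            self.numbers.discard(phone)
        return phone in self.numbers

def simulate_email_flow():
    """A third party removes a number they do not own, using only an inbox they control."""
    reg = Registry()
    reg.confirm(reg.request_by_email("add", "555-0100", "owner@example.test"))
    reg.request_by_email("delete", "555-0100", "other@example.test")
    token = reg.outbox[("email", "other@example.test")][0]  # read from their own inbox
    reg.confirm(token)
    return "555-0100" in reg.numbers   # False: removed without the owner's involvement

def simulate_phone_flow():
    """Same attempt against the phone-bound flow: no token reaches the third party."""
    reg = Registry()
    reg.confirm(reg.request_by_phone("add", "555-0100"))
    reg.request_by_phone("delete", "555-0100")
    leaked = reg.outbox.get(("email", "other@example.test"), [])
    return "555-0100" in reg.numbers and leaked == []   # True: change cannot complete
```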
--

Date: Sun, 29 Jun 2003 11:40:09 -0700
From: Mark Siegel 
Subject: About Do-Not-Call Lists

Assume for a moment, that do not call/do not spam lists are found to be
invalid/unenforceable/unconstitutional. 'They', now, have all the valid
e-mail addresses and phone numbers anyone could want.

--

Date: Sat, 28 Jun 2003 19:07:44 -1000
From: Don Colton 
Subject: Re: New State Laws on Privacy (RESmith, 22.78)

What are the RISKs of a do-not-call (or do-not-e-mail) list?  How does this
process work?  Does a telemarketer purchase a copy of the do-not-call list,
or does the telemarketer submit his own copy and get back a list of
rejections?  Since conducting surveys is apparently still allowed under the
new law, will telemarketers use the do-not-call list but employ a
pseudo-survey marketing tactic?  Or will the free market dictate that
calling the unwilling is not a money-making proposition?  Or is the list
seeded with honey pots to
facilitate catching violators?  I find myself afraid to sign up.



--- 
* Origin: TANSTAAFL BBS 717-838-8539 (1:270/615)

SOURCE: echomail via fidonet.ozzmosis.com