Subject: From Risks Digest 22.81
* Forwarded (from: netmail) by Roy J. Tellason using timEd 1.10.y2k.

Date: Thu, 17 Jul 2003 12:51:45 -0400
From: "Richard M. Smith"
Subject: Reassembly of shredded documents

Throughout the 1980s, Sascha Anderson, a poet, musician, and literary impresario, was one of the leading voices to speak out against the East German government and its dreaded secret police, the Stasi. But his credibility gradually evaporated after the Communist government's collapse as rumors about him acquired the weight of proof: he had been informing on his dissident compatriots all along. It turns out that his supposedly unretrievable Stasi file was *manually* reconstructed from bags of papers that had been shredded during the final days of the regime in 1989. However, the German government is now planning on reconstituting 16,000 bagsful from that era, using advanced scanning technology. [Source: Picking Up the Pieces, By Douglas Heingartner, *The New York Times*, PGN-ed]
http://www.nytimes.com/2003/07/17/technology/circuits/17shre.html?pagewanted=all&position=

[The programming effort is certainly an interesting application!]

--

Date: Wed, 9 Jul 2003 05:49:23 -0700 (PDT)
From: Thomas Dzubin
Subject: SEVIS foreign students database

Under new United States homeland security laws, all U.S. schools have to register their foreign students in the database, known as the Student and Exchange Visitor Information System (SEVIS). This system has all the attributes of a big system rushed into production before sufficient testing could take place. In my mind, the RISK-iest thing about this story is that the effects of the problems can cause life-changing situations for people including being jailed and/or deported. Many problems with this system are detailed in the story including files being mysteriously deleted or "misplaced". Some advisers are telling students not to go back to their home countries on school breaks, in case SEVIS accidentally deletes their records.
Students who are not in the system cannot re-enter the country.

One quote from the story: "Daily interactions with SEVIS have become a test of wit and will"

Other bugs/glitches/problems reported:
- Unable to modify existing records which is a problem if a foreigner (or spouse) has a baby.
- extreme system slowness and random crashing
- insufficient or inadequate help desk technician support

One final quote from the story: "The technical failings of SEVIS and the difficulty the government has had in implementing it undermine its security potential, Cotten says. If the American people feel safer because of SEVIS, then they are severely misled, she says."

Source: http://www.govexec.com/dailyfed/0703/070303h1.htm
(Hopefully this link is still active. If not, Government Executive Magazine does keep old stories archived under a slightly different URL naming convention...the title "Foreign student tracking system called inefficient, intrusive" should stay the same.)

Date: Fri, 18 Jul 2003 12:41:33 +1000
From: Darryl Luff
Subject: Italian naming problem

Hmm, the simple risk of your perfectly sensible domain name being interpreted very differently in other languages. [NOTE: text not mine. DL]

At least they should then have created a brilliant logo..... If you were a company called Powergen and you had a subsidiary that operated in Italy, what would you call that company's Web site? Probably not http://www.powergenitalia.com But they really did. ...

[A high-strung multilingually interpretable literal string! PGN]

--

Date: Fri, 18 Jul 2003 16:28:41 -0700
From: "Conrad Heiney"
Subject: GPS-piloted tractors?

According to a Reuters report on CNN today, a University of Queensland researcher is promoting an Australian technology for satellite-guided tractors. These are said to be accurate to 2 cm. Apparently advantages to these are that the tractors are more accurate and do not crush the soil as much as conventional people-driven equipment, allowing higher yield.
As a bonus, they could be run at night.
http://www.cnn.com/2003/TECH/science/07/18/satellite.tractor.reut/index.html

The RISK of unmanned vehicles relying on GPS signals, with or without rotating blades attached, is interesting to contemplate, especially at night!

Conrad Heiney http://contentgoeshere.com/ http://fringehead.org

--

Date: Wed, 9 Jul 03 19:32:37 +1200
From: Don Mackie
Subject: Health Commissioner's anonymised case reports not so anonymous

The New Zealand Health & Disability Commissioner has been dealing with complaints about health care for almost ten years. As it says at the website (www.hdc.org.nz) the purpose... is to promote and protect the rights of health and disability consumers, and to facilitate the fair, simple, speedy, and efficient resolution of complaints.

The Commissioner investigates complaints. Often there are useful lessons to be learned from the complaint and the findings, after removal of all identifying features, are published so that others can benefit. Some are posted on the website in a range of formats: html, pdf and Word document. Some of you will see where this is leading.

A colleague of mine was startled to be told by a patient that a Google search on the doctor's name yielded the text of a HDC finding as the top hit. While my colleague acknowledges that there was a complaint about them they have learned from it and believed that the publication was anonymous.

On opening the link from Google, I got a Word document. Sure, the names of the individuals had been removed from the text of the document, but when I went Properties -> Summary, there they were. Waiting to be found by a search engine. I looked at a few other .doc files and the same problem existed. I informed the HDC and they have now pulled the .doc opinions.

Ignorance of the hidden information in word processing files is, of course, not new.
This one has had the potential to damage reputations when the HDC's office has been careful, but not careful enough, to protect them in the past.

--

Date: Sun, 13 Jul 2003 20:23:54 -0400
From: Monty Solomon
Subject: Privacy rights under threat by lawmakers

Dan Gillmor, *San Jose Mercury News*, 13 Jul 2003

In the constant battle to preserve what's left of our privacy and roll back some of the invasions we've already suffered, one reality is all too clear: Elected officials are not on our side.

Last week brought the latest perversion of the public will, the cowardly refusal of the California Legislature to enact even modest improvements in financial privacy. The voters will do it instead, in a ballot measure next year.

Meanwhile, state and federal lawmakers are almost totally oblivious to future threats, including some that should be dealt with before they cause trouble. For example, retailers will soon be installing little identifying radios, a technology known as RFID, into items they sell, enabling a host of new privacy invasions that could make the status quo seem benign.

We all understand why lawmakers hold the public good, and will, in such contempt. They tend to vote on behalf of their financial benefactors. Commercial interests see our privacy as a barrier to their business.

Game over? No. We have to care enough to take matters into our own hands. Pressuring politicians is vital, but it's plainly not enough. We'll need to do a little multitasking to retrieve our right to be left alone. ...

http://www.siliconvalley.com/mld/siliconvalley/6293890.htm

--

Date: Thu, 17 Jul 2003 13:23:16 -0400
From: Jonathan Epstein
Subject: Carjacker tracked and bugged by Tele-Aid operator

A quick-thinking bystander realized that police could track the movements of a carjacker who sped off with two small children in the back seat. The police were able to indirectly both track and listen-in on the car, and learn that the kids in the back seat were OK.
http://www.washingtonpost.com/wp-dyn/articles/A2862-2003Jul16.html

Marc Fisher of the Washington Post writes:

That carjacking the other night raises some fascinating questions. I'm sure the mom was tremendously relieved that the operators in Dallas were able to listen in on her children as their kidnapper hurtled along Rt. 50 -- and goodness knows what might have happened if the Mercedes version of OnStar, called Tele-Aid, hadn't been tracking the thug's movements. But do any of you have concerns about the ability of Tele-Aid and similar companies to turn on the microphone remotely and listen in on the goings-on in your car? Or does this case prove that such privacy fears are outweighed by the good those devices can do?

--

Date: Mon, 7 Jul 2003 15:45:55 -0400
From: "Ferdinand John Reinke"
Subject: Samsung Electronics bans camera phones from key factories

Samsung Electronics is restricting use of camera phones at key factories and research centers to preclude industrial espionage. (Camera phones have become popular in South Korea.) [Source: Yahoo News, 7 Jul 2003]
http://news.yahoo.com/news?tmpl=story2&cid=1509&u=/afp/20030707/tc_afp/skorea_samsung_it_company_030707080259&printer=1

[I wonder if they remember that PDA's have camera capability? Wonder if financial institutions have thought about this "risk"? Not likely. JohnR]

--

Date: Fri, 18 Jul 2003 02:13:53 -0400
From: Monty Solomon
Subject: Software helps police draw crime links

The Boston Police Department is rolling out a powerful new computer program built to find hidden connections among people and events almost instantly, allowing detectives to investigate murders, rapes, and other crimes far faster than they can today.

Called "Coplink," the program sifts through tens of millions of police records, from 911 calls to homicide investigations, to deliver a short list of potential leads in just seconds.
The same kind of searching currently takes hours or even days of a detective's time -- when it is possible at all.

Designed in an Arizona AI lab, Coplink searches through arrest records, incident reports, and emergency phone calls to identify potential suspects and compile all possible leads on them, including past addresses, weapons they have owned, and even the arrest records of people with whom they have been stopped in a car. In Boston, it will search only through city police records, though it could later be expanded to stretch far more broadly. ... [Source: Gareth Cook, *The Boston Globe*, 17 Jul 2003; PGN-ed]
http://www.boston.com/dailyglobe2/198/nation/Software_helps_police_draw_crime_links+.shtml

Date: Fri, 18 Jul 2003 10:36:05 -0400
From: "Alice K. Whitfield"
Subject: HighGroup Listing of SSN's

The risks of using social security numbers as personal identifiers in the U.S. are better known to members of this community than perhaps any other. You may appreciate then, better than the Social Security Administration apparently does, the increased risk that arises when the SSA's own published list of valid (partial) numbers contains errors of omission (http://www.ssa.gov/foia/highgroup.htm, as of 18 July 2003 at 1400 UT).

The errors in the July list are not numerous, and may affect mostly elderly, former railroad workers. In past instances, the errors were more widespread but eventually fixed. They show no sign of responding to any communications about the current problems, however. Obviously, the current list was not verified before the page went live.

Luckily, flunking a flawed social security number verification test under the current regime of Total Awareness, "is not a basis ... for ... adverse action ... such as laying off, suspending, firing, or discriminating against an individual..." So, according to the Social Security Administration, no one should have to worry about those risks, at least.
--

Date: Fri, 18 Jul 2003 09:26:46 -0700
From: "NewsScan"
Subject: Why are spammers backing spam-control laws?

Bigtime spam-mongers and junk-mail proponents like the Direct Marketing Association are backing proposed antispam legislation, while consumer and public-interest groups, almost without exception, oppose the bills. What's going on? "It's a sign of who benefits from these bills and who doesn't," says a spokesman for the Coalition Against Unsolicited Commercial Email. "When you see some of the biggest spammers in the country backing legislation that is allegedly antispam, you really need to wonder about what these bills actually do." The answer is that rather than banning all unsolicited e-mail outright, as many consumer groups wish, they legitimize spam, as long as the perpetrators adhere to certain rules, such as using accurate subject lines and valid return addresses, and allowing recipients to opt out of future mailings. Two bills are currently making their way through Congress and a variant thereof is expected to pass overwhelmingly and be signed into law later this year. [*Wall Street Journal*, 18 Jul 2003; NewsScan Daily, 18 Jul 2003]
http://online.wsj.com/article/0,,SB105848273351539900,00.html (sub req'd)

--

Date: Mon, 30 Jun 2003 23:07:18 -0400
From: Monty Solomon
Subject: California court rules against Intel in spam case

The California Supreme Court on 30 Jun 2003 ruled spammers cannot be sued under state law for property trespass for just sending e-mail -- a setback for Intel Corp., which had sued a former engineer for sending e-mails to up to 35,000 company workers.

The 4-3 ruling reversed a lower court order prohibiting former Intel engineer Ken Hamidi from sending e-mails critical of Intel to thousands of its employees. Intel claimed the e-mails had trespassed on its private network and had harmed the company by reducing worker productivity.
But the California Supreme Court found that Intel's computer system had not been damaged as a result of the e-mails and, therefore, there was no trespass. The court declined to expand state common law covering property trespass to apply to e-mail whose contents may be objectionable, but which is otherwise harmless. ... [Source: Elinor Mills Abreu, Reuters, 30 Jun 2003]
http://finance.lycos.com/home/news/story.asp?story=34677087

Date: Thu, 17 Jul 2003 07:45:56 +0200
From: John Sinteur
Subject: Re: Virginia Identity Theft Passport (RISKS-22.80)

I can't help but wonder, how long until identity thieves won't just acquire a driver's license, credit cards, etc, with their freshly stolen identity, but one of these passports as well? Which will be relatively unknown to the cop on the street, so the first few years you could hack something together yourself in Photoshop as well...

If there's a bug in the way people use paperwork to assert and use identities, how is more paperwork going to solve that?

[Similar comment from Michael Hartley. PGN]

--

Date: Thu, 17 Jul 2003 09:44:12 -0500
From: "Arthur Flatau"
Subject: Re: David Nelson and CAPPS II? (Slade, RISKS-22.80)

There was a story on this in the *Austin American Statesman* (originally from the *Chicago Tribune*).
http://www.statesman.com/insight/content/auto/epaper/editions/sunday/insight_f3e0169a836a10f00085.html

There are at least two David Nelsons in the Austin area. The article states:

The family [Dr. David and Cindy Nelson of Austin and their two young children] plans to fly to Canada in August, and this time they're planning countermeasures. They'll try buying David Nelson's airline ticket under D. Austin Nelson.

That is surely a tactic that the bad guys would never figure out!

Arthur Flatau, Texas Microprocessor Division, Advanced Micro Devices, 5900 East Ben White Boulevard, Austin TX 78741 Arthur.Flatau{at}amd.com

Date: Thu, 17 Jul 2003 09:20:25 -0400
From: "Kevin G. Rhoads"
Subject: Re: The nuking of RFID chips (Cowan, RISKS-22.80)

Most stun guns and cattle prods use current limited high voltage DC. It is easy to provide overload protection for this kind of electrical insult -- although I doubt that RFID manufacturers will include such protection in the early designs. However, if such deactivation becomes common and problematic, it can be designed around.

Better to use a low output Tesla coil, which generates high voltage splattered all over the RF spectrum. Of course, a linear RF power amp driven by an RF sweep generator should also work -- but that level of equipment is not readily available. Cheap Tesla coils can be easily homebrewed and Edmund Scientific carries a model for about $120 that is ideal.

---
* Origin: TANSTAAFL BBS 717-838-8539 (1:270/615)
SEEN-BY: 633/267 270
@PATH: 270/615 150/220 379/1 10/345 106/1 2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com