RISKS-LIST: Risks-Forum Digest  Monday 31 January 2011  Volume 26 : Issue 33

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.33.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
China Blocks Chinese Word for 'Egypt' (Sam Waltz)
Egypt: Risk for a Country (Gene Wirchenko)
Re: Egypt's Internet shutdown (Bob Frankston)
Re: Internet Society statement on Egypt's Internet shutdown (SMiller)
Non-snailproofed traffic light proves fatal (Mark Brader)
Public service announcement on Undigestifying (Jonathan Kamens)
BBDB ran off with my Spacebar press (jidanni)
Re: Cyberwar countermeasures a waste of money, says report (Joe Thompson)
Re: Yet Another Risk: Not reading the package very carefully
  (Terje Mathisen, Steve Fenwick)
CfP: CRiSIS 2011: Risks and Security of Internet and Systems (Marius Minea)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: January 30, 2011 3:12:14 PM EST
From: Sam Waltz <samwaltz.groups_at_private>
Subject: China Blocks Chinese Word for 'Egypt'

It's interesting to see how the fragmentation of the Net continues. Imagine not being able to search for current events in Mexico, Europe, or elsewhere.

Sam Waltz

http://www.pcworld.com/businesscenter/article/218185/china_microblogs_block_chinese_word_for_egypt.html

China's microblogs have blocked searches for the word "Egypt," a sign that the Chinese government is trying to limit public knowledge of the political unrest occurring in the Middle East. The blocking appeared to begin over the weekend on the Chinese Twitter-like services operated by Sina, Tencent and Sohu. Queries using the Chinese word for "Egypt" brought no results. "In accordance with the relevant laws, regulations and policies, the search result did not display," said the response on the Sina microblogging site. The English word for "Egypt," however, is still searchable across the sites.

------------------------------

Date: Mon, 31 Jan 2011 11:32:47 -0800
From: Gene Wirchenko <genew_at_private>
Subject: Egypt: Risk for a Country

Source: Patrick Thibodeau, Microsoft shifts some work out of Egypt;
It is among some 120 companies located in Cairo's Smart Village IT office park
*IT Business*, 31 Jan 2011
http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=61100

Selected text:

Egypt has been aggressively attracting tech companies to its wired office parks to help create jobs for its young, educated and often English-speaking workforce. But by cutting off Internet access last week in the wake of civil unrest, Egypt's government demonstrated just how quickly it can unwind its hi-tech goals.

Egypt's move to block Internet access prompted Microsoft to respond. Asked about the situation in Egypt, Microsoft said in a written response to a query that it "is constantly assessing the impact of the unrest and Internet connection issues on our properties and services. What limited service the company as a whole provides to and through the region, mainly call-center service, has been largely distributed to other locations."

Egypt's decision to cut Internet access was apparently intended to disrupt the ability of protestors to use social networks to organize. But hi-tech companies have similar flip-the-switch abilities and can shift services in response to a natural or manmade disaster. It is almost certain that tech companies in Egypt will respond to the current uncertainty much the same way Microsoft did -- if they haven't already.
------------------------------

Date: Sat, 29 Jan 2011 21:29:13 -0500
From: "Bob Frankston" <bob2-39_at_private>
Subject: Re: Egypt's Internet shutdown (RISKS-26.32)

The reason that it was so easy to disconnect a country from the rest of the Internet is that today's Internet protocols are very much aligned with authority. You get your IP addresses from authorities (providers) and depend on a single backbone that requires we trust all providers. This is a point I make in http://rmf.vc/Demystify.risks.

It is not sufficient to lament Egypt's actions -- we need to move beyond today's prototype architecture to one that honors the end-to-end principle by removing the dependency on a centralized authority by defining connectivity in terms of stable relationships apart from any network. We can then use whatever facilities are available to exchange bits.

The presumed safety of today's DNS is an illusion that has consequences such as assuring the Net will unravel as our temporary hold on our own names expires. Skype gives a hint of what is possible but it relies on a central directory.

The first step is removing the prime dependency -- the need to pay merely to exchange bits over a common infrastructure. We can then evolve to new protocols that aren't constrained to providers' pipes.

------------------------------

Date: Mon, 31 Jan 2011 10:21:22 -0500
From: SMiller_at_private
Subject: Re: Internet Society statement on Egypt's Internet shutdown (R 26 32)

"In the longer term, we are sure that the world will learn a lesson from this very unfortunate example, and come to understand that cutting off a nation's access to the Internet only serves to fuel dissent and does not address the underlying causes of dissatisfaction."

It appears that the "lesson learning" statement therein is beamed at governments.
Unfortunately, there seems to be ample and convincing evidence that "lesson learning" (at least of the benevolent variety) is not a skill generally within the capabilities of any government. However, it is true that this is a "learning moment", and the lesson that I have received is that any of us who value Internet freedom had better have a "Plan B" that is independent of government, whether that plan involves a darknet, archived DNS records, or some as yet unformulated solution.

Jacob Appelbaum and some associates have evidently provided some dial-up ISP connectivity to Egyptians, but while that is an admirable improvisation, it is also woefully inadequate as a functional solution. On the other hand, I think that I will refrain from tossing my very last US Robotics 56k modem just yet...

------------------------------

Date: Mon, 31 Jan 2011 06:20:40 -0500 (EST)
From: msb_at_private (Mark Brader)
Subject: Non-snailproofed traffic light proves fatal

One night last August in Tamworth (near Birmingham), England, two cars driven by teenagers collided head-on on a one-lane bridge, and one of them was killed. It has now been revealed that this happened because the traffic lights governing the one-lane bridge were short-circuited by a snail or slug crawling over the circuit board.

The surviving driver said he saw the other car but did not realize what was happening in time. Most reports do not mention the state of the lights, so I suppose they were dark rather than showing green both ways. The failure had been automatically reported at a monitoring station, but the collision happened only 20 minutes later.

http://www.thesun.co.uk/sol/homepage/news/3380011/any.html
http://www.express.co.uk/posts/view/226236/any
http://www.thisistamworth.co.uk/news/article-3149898-detail/article.html

"Red lights are not my concern. I am a driver, not a policeman."
--statement made after collision, 1853 [1953?]

  [Also noted by Stephen McCallister in the *Daily Mail*.
  PGN]

------------------------------

Date: Sun, 16 Jan 2011 22:13:12 -0500
From: Jonathan Kamens <jik_at_private>
Subject: Public service announcement on Undigestifying

For those of you who use Thunderbird or Postbox to read your email, I've just released a new add-on called "Undigestify" at https://addons.mozilla.org/en-US/thunderbird/addon/undigestify/. If you install this add-on, then you can right-click on a Risks Digest and select "Undigestify", and the digest will be split into separate messages which you can then read and respond to individually. (For those of you who are old and nerdy enough to have used Emacs RMAIL to read your mail, this is equivalent to M-x undigestify.)

Please feel free to forward this to any other digests whose readers might find it useful. RISKS is the only RFC 1153 digest I still read, so I don't know who else is out there who might benefit from it.

Please also feel free to contact me with comments, questions or bug reports.

  [Jonathan, Many thanks! I occasionally still get a complaint about the RISKS *digest* format, so I am happy to know of your undigestifier. PGN]

------------------------------

Date: Sun, 30 Jan 2011 11:55:38 +0800
From: jidanni_at_private
Subject: BBDB ran off with my Spacebar press

There I was paging down with the spacebar, when I noticed something stuck. Way down in the emacs minibuffer the little snot "BBDB" program, it turned out, has been asking me a question, ever so happy to take the spacebar I had typed (intended to scroll down) as a "y".

  `Add address "bla_at_private" to "goo_at_private"? (y or n) y'

Sort of like when you slip a piece of paper under a voter's pen before he notices it's too late, then run off in glee.
------------------------------

Date: Mon, 31 Jan 2011 12:09:42 -0500
From: Joe Thompson <joe_at_orion-com.com>
Subject: Re: Cyberwar countermeasures a waste of money, says report (R 26 31)

Here in the DC area, one of the local online-learning institutions has long run an alarmist "cyber war" radio ad promoting their online certificate program in cybersecurity. The lead-in is a woman talking to someone on the phone about money suddenly disappearing from lots of bank accounts. Later in the ad we return to this conversation in time to hear "Now they're saying it's the cell networks too! ...Hello? Hello?"

I wonder if they will move to a more moderate presentation now. (I'm not betting on it.) -- Joe

------------------------------

Date: Mon, 31 Jan 2011 09:17:34 +0100
From: Terje Mathisen <"terje.mathisen at tmsw.no"@giganews.com>
Subject: Re: Yet Another Risk: Not reading the package very carefully (R 26 32)

This was a long tale, in installments, about the need for personal backups of all data you want to keep:

So far, so good. Paul then decides to "upgrade" from a DVD burner to a BD burner, when the only good backup these days is to have all your data on multiple independent disks, all of which are in regular use:

My personal backup strategy for the laptop which carries everything I work on is to have at least two external USB drives, neither of which are normally plugged in. The laptop has a 640 GB 2.5" drive, so my main portable backup is a 750 GB 2.5" drive which runs on USB power. (I also carry my previous internal drive, a 500 GB model, as a backup.)

A tiny batch file is sufficient to copy all updated files from a set of working directories onto the USB drive, then I disconnect it again.

When at home I also have a larger 3.5" USB drive, this one requires external power as well as the USB cable.
If I should suffer a total disk crash while on a longer trip, I can open the laptop, replace the disk with the previous main drive and be back in operation in an hour or two, including the time to install all the security updates and copy back recently updated files.

The total cost of this backup strategy is around $100 every year or two when I buy one of the latest big laptop drives.

The key idea here is that only media and disks that you regularly use/monitor/upgrade can be depended upon to last!

Terje

PS. I also use my Dreamhost-based personal server and an RSYNC account for real offsite backup of some really critical (encrypted) files. :-)

------------------------------

Date: Sun, 30 Jan 2011 20:01:48 -0800
From: Steve Fenwick <steve_at_private>
Subject: Re: Yet Another Risk: Not reading the package very carefully

Paul Robinson <paul_at_paul-robinson.us> writes:

For small backups, Robinson's suggestion is probably fine. As you start to fill up your new 2TB drive, the backup cost will rise substantially; worse, the time to backup will increase to the point at which you may become discouraged to do backups.

As you noted, HDDs have gotten very, very inexpensive, and you can get external drive docks at under $50, so this is my preferred mechanism now for backups.

Risk: staying in a paradigm after technology has passed it by.
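The two replies above describe the same practice: an incremental copy of a set of working directories onto an external drive that is otherwise kept unplugged, on media that is exercised regularly rather than left in a drawer. The script below is an added example written for this digest, not Mathisen's batch file and not anything posted by Fenwick or Robinson. It does the copy step in Python and adds the check the thread implies but neither post spells out: a read-back verification pass that hashes every file against its copy, since a backup that is never read back is not known to be good. The layout (backup_root/<directory name>/...), the function names, the 2-second timestamp slack and the sample tree that demo() builds in a temporary directory are all this example's own assumptions.

```python
"""Incremental mirror of working directories onto a backup volume, followed
by a read-back verification pass.  Added example for this digest; the helper
names, the backup_root/<dirname>/... layout and the sample tree in demo()
are assumptions made here, not anything from the original posts."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# FAT32, common on USB drives, stores mtimes with 2 s resolution, so a copy
# can legitimately read back up to 2 s "older" than its source.
MTIME_TOLERANCE_S = 2.0


def sha256_of(path: Path) -> str:
    """Streaming SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def needs_copy(src: Path, dst: Path) -> bool:
    """Cheap test for the copy pass: copy missing, size changed, or source
    newer than the copy by more than the filesystem's timestamp slack."""
    if not dst.exists():
        return True
    s, d = src.stat(), dst.stat()
    return s.st_size != d.st_size or (s.st_mtime - d.st_mtime) > MTIME_TOLERANCE_S


def backup(work_dirs, backup_root) -> dict:
    """Mirror each working directory to backup_root/<its basename>.
    Returns {'copied': [relative paths], 'skipped': n}.  Assumes the working
    directories have distinct basenames (a simplification of this example)."""
    backup_root = Path(backup_root)
    copied, skipped = [], 0
    for wd in map(Path, work_dirs):
        target = backup_root / wd.name
        for src in sorted(p for p in wd.rglob("*") if p.is_file()):
            rel = src.relative_to(wd)
            dst = target / rel
            if needs_copy(src, dst):
                dst.parent.mkdir(parents=True, exist_ok=True)
                # copy2 carries the mtime across, so an unchanged file is
                # skipped on the next run instead of being copied again.
                shutil.copy2(src, dst)
                copied.append((Path(wd.name) / rel).as_posix())
            else:
                skipped += 1
    return {"copied": copied, "skipped": skipped}


def verify(work_dirs, backup_root) -> list:
    """Read-back check: hash every source file and its copy.  Returns the
    relative paths that are missing or differ.  Size and mtime cannot catch
    in-place corruption of the copy; only reading it back does."""
    backup_root = Path(backup_root)
    bad = []
    for wd in map(Path, work_dirs):
        for src in wd.rglob("*"):
            if not src.is_file():
                continue
            rel = src.relative_to(wd)
            dst = backup_root / wd.name / rel
            if not dst.exists() or sha256_of(src) != sha256_of(dst):
                bad.append((Path(wd.name) / rel).as_posix())
    return sorted(bad)


def demo() -> dict:
    """Constructed sample run inside a temporary directory (no real drive)."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "work" / "docs"
        (work / "sub").mkdir(parents=True)
        (work / "notes.txt").write_text("v1\n")
        (work / "sub" / "plan.md").write_text("plan\n")
        usb = Path(tmp) / "usb"             # stands in for the external drive

        first = backup([work], usb)         # everything copied
        second = backup([work], usb)        # nothing changed: nothing copied
        (work / "notes.txt").write_text("v2, now longer\n")
        third = backup([work], usb)         # only the edited file
        clean = verify([work], usb)         # copies match: empty list

        # Simulate bit rot on the backup medium: same size, different bytes.
        (usb / "docs" / "sub" / "plan.md").write_bytes(b"plam\n")
        rotted = verify([work], usb)        # the hash check finds it
        stale = backup([work], usb)         # size/mtime test is fooled: copies nothing
    return {"first": first["copied"], "second": second["copied"],
            "third": third["copied"], "clean": clean,
            "rotted": rotted, "stale": stale["copied"]}


if __name__ == "__main__":
    print(demo())
```

The demo makes the thread's point concrete: the same size-and-timestamp test that keeps the nightly copy cheap is blind to a copy that has silently changed in place, so the drive that is "in regular use" also needs to be read back now and then, which is what verify() does. On a real drive the two calls would run from a script invoked after plugging the disk in, with the list of working directories passed instead of the temporary tree built here.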
------------------------------

Date: Mon, 31 Jan 2011 20:27:56 +0200 (EET)
From: Marius Minea <marius_at_private>
Subject: CfP: CRiSIS 2011: Risks and Security of Internet and Systems

CALL FOR PAPERS
[ PDF version at: http://crisis2011.cs.upt.ro/CRiSIS2011-CfP.pdf ]

The Sixth International Conference on Risks and Security of Internet and Systems
CRiSIS 2011
Timisoara, Romania, 26-28 September 2011
http://www.crisis-conference.org/

IEEE Computer Society technical co-sponsorship (expected)

The International Conference on Risks and Security of Internet and Systems 2011 will be the 6th in a series dedicated to security issues in Internet-related applications, networks and systems. The CRiSIS conference offers an effective forum for computer and network security researchers from industry, academia and government to meet, exchange ideas and present recent advances on Internet-related security threats and vulnerabilities, and on the solutions that are needed to counter them. The topics addressed by CRiSIS range from the analysis of risks, attacks to networks and system survivability, passing through security models, security mechanisms and privacy enhancing technologies.

Prospective authors are invited to submit research results as well as practical experiment or deployment reports. Industrial papers about applications and case studies, such as telemedicine, banking, e-government and critical infrastructure, are also welcome.

The list of topics includes but is not limited to:

* Analysis and management of risk
* Attacks and defences
* Attack data acquisition and network monitoring
* Cryptography, Biometrics, Watermarking
* Dependability and fault tolerance of Internet applications
* Distributed systems security
* Embedded system security
* Intrusion detection and Prevention systems
* Hardware-based security and Physical security
* Trust management
* Organizational, ethical and legal issues
* Privacy protection and anonymization
* Security and dependability of operating systems
* Security and safety of critical infrastructures
* Security and privacy of peer-to-peer system
* Security and privacy of wireless networks
* Security models and security policies
* Security of new generation networks, security of VoIP and multimedia
* Security of e-commerce, electronic voting and database systems
* Traceability, metrology and forensics
* Use of smartcards and personal devices for Internet applications
* Web security

IMPORTANT DATES

Submission deadline     : May 10, 2011
Notification to Authors : July 15, 2011
Camera-Ready Due        : August 15, 2011

Submitted papers must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. Papers must be written in English and must be submitted electronically in PDF format. Maximum paper length will be 8 printed pages for full papers or 4 pages for short papers, in IEEE 2-column style. Authors of accepted papers must guarantee that their papers will be presented at the conference.

All papers selected for presentation at the conference will be published in the hard-copy proceedings distributed to all conference participants and will also be available on-line in IEEE Xplore: http://ieeexplore.ieee.org. The authors of the best conference papers will be invited to submit an extended version to a special issue of the International Journal of Information and Computer Security (IJICS).
All paper submissions will be handled through the Easy Chair conference management system. Follow the instructions given here:
http://www.easychair.org/conferences/?conf=crisis2011

CALL FOR TUTORIALS

We solicit tutorials on state-of-the-art technologies relevant to the conference themes. We are particularly interested in tutorials that foster knowledge exchange among the different research communities present at the conference. The intended length of each tutorial is 2 to 3 hours.

A tutorial proposal should include a brief summary and outline, specific goals and objectives, the intended audience and the expected background of the audience as well as a biographical sketch of the presenter(s). The length of tutorial proposals should not exceed 5 pages. Tutorial proposals should be submitted to the tutorial program chair: Anas Abou el Kalam by email: anas.abouelkalam_at_private before 10 May 2011.

GENERAL CHAIR: Marius Minea, Politehnica University of Timisoara, Romania
PC CHAIR: Frederic Cuppens, TELECOM Bretagne, France
PC CO-CHAIR: Simon Foley, University College Cork, Ireland
TUTORIAL CHAIR: Anas Abou ElKalam, Universite de Toulouse, IRIT-INP, France
FINANCE CHAIR: Yannick Chevalier, Universite de Toulouse, IRIT, France
PUBLICATIONS CHAIR: Bogdan Groza, Politehnica University of Timisoara

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
  http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request_at_private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe_at_private or risks-unsubscribe_at_private depending on which action is to be taken.

Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
  <http://www.CSL.sri.com/risksinfo.html>
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
  http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
  <http://www.csl.sri.com/illustrative.html> for browsing,
  <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
  <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.33
************************