Return-Path: <sentto-279987-3902-1006229262-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Mon, 19 Nov 2001 20:10:07 -0800 (PST)
Received: (qmail 30928 invoked by uid 510); 20 Nov 2001 04:06:23 -0000
Received: from n14.groups.yahoo.com (216.115.96.64) by all.net with SMTP; 20 Nov 2001 04:06:23 -0000
X-eGroups-Return: sentto-279987-3902-1006229262-fc=all.net@returns.groups.yahoo.com
Received: from [10.1.1.221] by n14.groups.yahoo.com with NNFMP; 20 Nov 2001 04:08:54 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_0_1); 20 Nov 2001 04:07:42 -0000
Received: (qmail 53147 invoked from network); 20 Nov 2001 04:07:41 -0000
Received: from unknown (216.115.97.167) by m3.grp.snv.yahoo.com with QMQP; 20 Nov 2001 04:07:41 -0000
Received: from unknown (HELO red.all.net) (65.0.156.78) by mta1.grp.snv.yahoo.com with SMTP; 20 Nov 2001 04:07:40 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id fAK48mm07977 for iwar@onelist.com; Mon, 19 Nov 2001 20:08:48 -0800
Message-Id: <200111200408.fAK48mm07977@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Mon, 19 Nov 2001 20:08:48 -0800 (PST)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [risks] Risks Digest 21.75 (fwd)
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Per the message sent by RISKS List Owner:

Date: Tue, 13 Nov 2001 09:24:58 -0500
From: "Derek Ziglar" <dziglar@yahoo.com>
Subject: Google freely giving out your phone number and home address

If you are in the USA, try searching in Google for your name, followed by your city, state or zip code--such as: Bob Smith Alaska. The first results you get may well be your home phone number, home address, and a link to a map (in some cases with a satellite photo of your house, too).

The RISKS are staggering that this type of personal information is being automatically given out to people that weren't even asking for it. Sure, they were looking for some information about you. But cross linking data across purposes (web search versus telephone lookup) is one of the biggest privacy risks of the modern connected database age. It rapidly becomes one-stop shopping for everything anyone would want to know about you--whether they were asking for all that detail or not!

In addition, Google does not provide any obvious mechanism to request removal from this telephone listing.

Derek Ziglar (city and state withheld for obvious reasons) dziglar@yahoo.com

------------------------------

Date: Thu, 15 Nov 2001 15:53:54 -0500
From: David Farber <dave@farber.net>
Subject: Researchers probe Net's 'dark address space' (From Dave's IP)

>From: Dewayne Hendricks <dewayne@warpspeed.com>

Researchers probe Net's 'dark address space'
By Kevin Poulsen
Posted: 15/11/2001 at 02:30 GMT
<http://www.theregister.co.uk/content/55/22850.html>

Broadband customers and US military systems are the most common victims of an online phenomenon researchers have dubbed "dark address space," which leaves some 100 million hosts completely unreachable from portions of the Internet.

For a variety of reasons ranging from contract disputes among network operators to simple router mis-configuration, over five percent of the Internet's routable address space lacks global connectivity, according to the results of a three-year study by researchers at Massachusetts-based Arbor Networks, to be released Tuesday.

"Popular belief holds that the Internet represents a completely connected graph," says Craig Labovitz, Arbor Networks' director of network architecture. "It turns out that's just not true."

Anecdotal evidence has long hinted at the existence of dark address space, but the researchers shed light on the subject by continuously gathering and analyzing core routing tables for three years. In the end, they found that for much of the Internet, the shortest path between two points doesn't exist.

The most common factors contributing to dark address space: aggressive route filtering by network operators seeking to ease the load on equipment, and accidental mis-configuration. US military sites frequently fall into the shadow zone because they often occupy neglected 'Milnet' address blocks dating back to the Internet's stone age. Why cable modem customers also top the list remains one of the unsolved mysteries in the project, says Labovitz, who describes the research findings as preliminary.

Murky Crime

Despite the large number of hosts that fall into the partitioned space, the phenomenon is generally not noticeable to average Internet users because most Netizens only use a tiny portion of the Net. "Most people access five or ten web sites," Labovitz says.

The study was conducted by Labovitz, Michael Bailey and Abha Ahuja. [...]

[For IP archives see: http://www.interesting-people.org/archives/interesting-people/]

------------------------------

Date: Mon, 12 Nov 2001 09:58:12 -0500
From: Adam Shostack <adam@zeroknowledge.com>
Subject: A large risk of national ID cards

(In response to http://www.csl.sri.com/neumann/insiderisks.html)

I believe that there is an important risk, that of reliance, that will accompany a high-tech national ID card. Every terrorist commits their first act of terrorism at some time in their life, and before that time, they cannot be in any database of known terrorists.

Once you start issuing cards, people will start relying on 'identity verification' rather than threat management. We'll see people relying on background checks [1] rather than xrays. We'll see special lines for frequent fliers, who are 'known trustworthy.' They differ from pilots and flight crew in that they don't run into co-workers who can notice and react to strange behavior before the flight.

If you want to keep knives and guns off of planes, the answer lies in xrays, magnetometers, and other searching technology, not in believing that you know who's who.

Many of the national id card risks come from a layer of indirection from the real problem, which is not "Is Alice trusted," but, "Is the person in front of me trusted?" National ID cards not only do nothing to solve this problem, they distract us from attempting to solve it.

[1] See the last para of http://www.spectrum.ieee.org/WEBONLY/special/sept01/idcards.html

------------------------------

Date: Mon, 12 Nov 2001 14:37:21 +0000
From: Hamish Marson <hamish@travellingkiwi.com>
Subject: Re: Programming error scrambles election results (RISKS-21.74)

The question remains: why oh why do companies insist on believing that the programmer is the best person to check, test and validate a piece of software that THEY have written?

Notwithstanding blatant bugs in the implementation of the logic, a tester will only test (barring bugs in their testing of course :) what they anticipate the inputs to be. If the same people do the testing that did the programming, you are potentially missing out on whole swathes of input, because the same person doesn't realise they should be testing something they never thought of in the first place...

Personally I like to think that anything I've written isn't ready for prime time until at least one other person who UNDERSTANDS THE PROBLEM BEING SOLVED has had a chance to throw their data at it & verify if valid data comes out the other end.

------------------------------

Date: Fri, 16 Nov 2001 18:20:02 -0800
From: Phil Kos <PhilK@solthree.com>
Subject: Re: Programming error scrambles election results (RISKS-21.74)

> .... a veteran county employee claimed to have tested his code, but
> apparently had not actually done so.

Is it just me, or has anyone else noted that the two primary RISKs here are developers "testing" their own code and managers who think that software development is that trivial? I don't care how experienced a developer is, nobody (not even I! ;) can be relied on to find their own bugs.

I would have certainly chastised the developer for not doing his job well enough, but I wouldn't have fired him. Instead I would have fired the people above him in the county bureaucracy who feel that critical software doesn't need to be tested--they're the truly dangerous ones here, and they're presumably still conducting business as usual now that they've sacrificed their scapegoat.

[Testing by other folks is of course not sufficient. But even more critical, design and code reviews are also useful in trying to detect Trojan horses, trapdoors, etc., placed intentionally by developers with the expectation that they would facilitate rigging elections. PGN]

------------------------------

Date: Thu, 15 Nov 2001 08:03:15 -0800
From: Rob Slade <rslade@sprint.ca>
Subject: REVIEW: "Internet and Computer Ethics for Kids", Winn Schwartau

BKINCMEK.RVW 20010815

"Internet and Computer Ethics for Kids", Winn Schwartau, 2001, 0-9628700-5-6, U$15.95/C$24.95
%A Winn Schwartau www.nicekids.net winns@gte.net
%C 11511 Pine St. N., Seminole, FL 33772
%D 2001
%G 0-9628700-5-6
%I Inter.Pact Press
%O U$15.95/C$24.95 727-393-6600 fax: 727-393-6361
%P ~150 p.
%T "Internet and Computer Ethics for Kids"

Computer ethics can be a very frustrating field. Professional organizations appear to have abandoned the area: they seem to have given up on the idea of "codes of ethics" and now prefer to write "codes of conduct." "Values education" has progressed very little in the last thirty years. All of us seem to be the disciples of Kohlberg, and assume that by sitting around discussing ethics, moral dilemmas, and scenarios, we will all somehow become moral individuals.

And that's for the adults. For kids, the task is even more important, and much more difficult. Maybe it's impossible. But it is good to see that someone has at least given it a try. I don't agree with everything Winn has done, but he has produced a valuable and helpful tool. I hope that a great many people try it out, and, if it needs tuning, feed ideas back to improve it.

This volume is a tool, and must be seen as such to be valued. Schwartau has, probably wisely, not attempted to provide a full examination of ethical theories or systems. The chapters are all very short: they are introductions, not expositions. (As Blaise Pascal famously noted, it takes much longer, and much more work, to write a short piece than a long one.) The text is generally possible for the sixth grade reader, and is backed up with a short section on relevant ideas from the law, topics to think about and discuss, and resources for further study and research.

Unfortunately, the work starts out weakly. The introduction is vague. Seemingly the book is addressed to everyone. The preface also states that the book has questions, but no answers. A second introduction is more personal, but no clearer as to the intent of the text. Chapter one states that there are no rules, and then lays out some rules. Aside from the contradiction, which may be too subtle for the younger end of the audience, but which will probably be picked up by the later teens, relativism makes it difficult to discuss ethics at all. To the question of what ethics are, chapter two has little explanation except to say that they are the "little voices."
A brief Internet history is probably supposed to point out that the Internet has grown too fast for formal regulation, in chapter three. Chapter four starts out by raging against stereotypes of all kinds, and then stereotypes the media. The text also tersely outlines various types of hackers. Chapter five is a scenario, a rather simplistic story of a young person who is very clearly dealt with unfairly by "the Establishment," whose only possible recourse is to make unauthorized alteration of data on a computer.

The material starts to get stronger as it becomes more specific. Passwords, and the needs for strong ones, are discussed in chapter six. Graffiti is equated with web page defacement in chapter seven. Phone phreaking, war dialing, and anonymity are defined in eight to ten. Malware, viruses and trojan horse programs, are covered in chapters eleven and twelve. Chapters thirteen and fourteen deal with spoofing and spam. Chapter fifteen points out that you have no idea whether what is said on the net is true, which leads to discussions of scams, online business, and rumours in sixteen to eighteen. Stealing, in chapter nineteen, leads to examinations of software piracy and plagiarism. Chapters twenty two to twenty five look at the more ambiguous topics of social engineering, flaming, meeting people, and stalking. Technical subjects, digital special effects and eavesdropping, get a brief look in chapters twenty six and twenty seven. The topics get harder as chapter twenty eight deals with pornography, then two chapters on privacy, another on monitoring, and ratting on others.

Although the topics could be presented in various sequences, it might have been better to place chapter thirty three, discussing ethics and the law, closer to chapter two. But it is also a good lead-in to civil disobedience and hacktivism, in chapter thirty four. The review of personal responsibility, in chapter thirty five, is very good. "Computer Police," in thirty six, deals mostly with law enforcement concerns, with a brief mention of vigilantism. An interesting juxtaposition with chapter thirty seven, on getting caught. Chapter thirty eight, asks who makes the rules, but deals primarily with the home and who is in charge. Again, making ethical decisions, in thirty nine, is good, but should be related to two and thirty three.

Although it finishes off the book, chapter forty, and cyber-parenting, is the introduction for parents and teachers. It is quite realistic and balanced.

A final set of pages is probably an important part of the book. A set of lined pages, they are important exercises for self-examination, headed with "My Personal CyberEthics," "My Family's CyberRules," "My Friends' CyberEthics," "CyberRules at My Friends' House," "CyberRules at School," "What My Parents Need to Learn," "What My Teachers Need to Learn," "My Company's CyberEthics and Rules," and "What I think I Need to Learn."

I won't give this book to my grandchildren, even though the oldest would probably be able to read a good part of it. But I will give it to their mothers.

Not being a marketroid, I will not say that this book is a "must have" for anyone with kids. Unlike many other books, and like many computer technologies, it must be used to be of any value. Parents can't simply present it to their children and forget it: to do so would be to teach that ethics are not important. If you want to get anything out of this work, you will have to read it with your kids, or give it to them to read, and discuss it with them. It can be read in an afternoon, but shouldn't be. The material should be taken a chapter at a time, perhaps once a week, perhaps at even longer intervals. It may take years to finish this slim volume (by which time all the URLs may be 404). As the adult you will have to be patient, and accept that the discussions may not proceed in straight lines, as you think they should.
The end result, though, should be worth it. You'll have ethical kids.

copyright Robert M. Slade, 2001 BKINCMEK.RVW 20010815
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

[FC - Hear, hear - an excellent book and I advise anyone to buy it]

--This communication is confidential to the parties it is intended to serve--
Fred Cohen       Fred Cohen & Associates.........tel/fax:925-454-0171
fc@all.net       The University of New Haven.....http://www.unhca.com/
http://all.net/  Sandia National Laboratories....tel:925-294-2087
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST