Welcome to The Funny/Alerts Newsletter. (Warning... soapbox coming out) Each day, it seems, we are asked to depend ever more on the Internet for our professional and personal well-being. Yet each week seems to introduce a new computer worm capable of boring into and through our networks, clogging pipes, corrupting data and, in the worst cases, destroying months or even years of hard work. But the very companies that tirelessly tell us that the Internet is fundamental to our future have done almost nothing to protect us from the very defects in their products that give hackers free rein. It's high time Microsoft, Sun Microsystems and other developers undertake an all-out commitment to eliminating buffer overflows. In fact, it borders on criminal that they have not done so already.
There could be no Code Red, or dozens of other worms that have plagued the Internet in recent years, if it were not for buffer overflows: programming bugs that have been around since the dawn of computing, and that have long been recognized as a vulnerability hackers can exploit to spread security nightmares through networks. And yet operating system developers in particular, the very companies to which we entrust the fundamental safety of our systems and data, have refused to invest the programming resources and time required to rid their code of these Achilles' heels.
There's a simple reason for this: It's hard, expensive work sifting through tens of millions of lines of code searching for buffer overflows. It's far cheaper to let hackers find and exploit unprotected buffers, then release a quick patch. The problem with that kind of reactive solution is that we all pay a heavy price in corrupted data, clogged bandwidth and sheer frustration by the time the problem is repaired. Even worse, the decentralized Internet provides no means of communicating newly discovered dangers to each user of a vulnerable program, so many users never discover they need a patch until it's too late.
Buffer overflows, or overruns, are easily exploited holes in otherwise secure programs. A buffer is a fixed-size region of a computer's memory in which a program temporarily stores data such as user input. If a user or other source of input supplies more data than the buffer can hold, and the program never checks the length, the excess "overflows" into the memory next to the buffer. This would be a mere nuisance, except that on a typical stack the memory next to a buffer holds the program's own bookkeeping, including the address it will jump back to when the current routine finishes. An attacker who controls the overflowing data can overwrite that address and point it at machine code smuggled in with the same input, so that copying too many bytes turns into running code of the attacker's choosing.
Programmers have known for decades how to prevent this kind of bug by checking the buffer size and then limiting or filtering input. In the grand scheme of things, it takes only a few lines of code to add buffer checking. Yet programmers often neglect this crucial safety feature, and the resulting vulnerabilities are frequently not caught in multiple stages of debugging.
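The bug and the fix, side by side, as an added example in C; this is not code from the editorial or from any vendor it names. The frame structure, the GOOD_RET value and the attack string are constructed for the demo: the unchecked copy writes through the raw bytes of a model frame, so the overrun into the saved return address is defined behaviour here, whereas on a real stack the same code corrupts the real return address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a stack frame: a 16-byte input buffer that sits directly
 * below the saved return address, as it does on a typical x86 stack.
 * Constructed for this demo; it is not a real frame. */
struct frame {
    char buf[16];
    uintptr_t saved_ret;
};

#define GOOD_RET ((uintptr_t)0x401000)   /* hypothetical legitimate return address */

/* The bug the editorial describes: copy the input up to its terminator and
 * never ask whether it fits. The copy goes through the frame's raw bytes, so
 * the overrun into saved_ret is defined behaviour in this model; on a real
 * stack the same code overwrites the real return address. */
void unchecked_copy(struct frame *f, const char *src)
{
    unsigned char *raw = (unsigned char *)f;
    size_t n = strlen(src) + 1;            /* includes the terminating NUL */
    if (n > sizeof *f)
        n = sizeof *f;                     /* stop at the model's edge; a real stack would not */
    memcpy(raw, src, n);
}

/* The fix: compare the length against the buffer's capacity first and reject
 * input that does not fit, terminator included. Rejecting is safer than
 * silently truncating, which can itself cause later bugs. */
int checked_copy(struct frame *f, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof f->buf)
        return -1;
    memcpy(f->buf, src, len + 1);
    return 0;
}

/* Attacker-style input: exactly enough filler to fill buf, then bytes that
 * land on saved_ret. In a real exploit those bytes would be the address of
 * injected code; here they are 'B's (0x42) so the result is easy to see.
 * Returns the value left in saved_ret after the unchecked copy. */
uintptr_t saved_ret_after_unchecked_copy(void)
{
    struct frame f;
    char input[sizeof f.buf + sizeof f.saved_ret + 1];
    memset(input, 'A', sizeof f.buf);                       /* fills buf exactly */
    memset(input + sizeof f.buf, 'B', sizeof f.saved_ret);  /* lands on saved_ret */
    input[sizeof input - 1] = '\0';
    f.saved_ret = GOOD_RET;
    unchecked_copy(&f, input);
    return f.saved_ret;
}

/* Returns 1 if the checked copy rejects the same overlong input and leaves
 * saved_ret untouched. */
int checked_copy_rejects_overlong(void)
{
    struct frame f;
    char input[sizeof f.buf + sizeof f.saved_ret + 1];
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    f.saved_ret = GOOD_RET;
    int rc = checked_copy(&f, input);
    return rc == -1 && f.saved_ret == GOOD_RET;
}

/* Returns 1 if the checked copy accepts the longest input that fits
 * (15 characters plus the NUL) and rejects one character more. */
int checked_copy_accepts_fitting(void)
{
    struct frame f;
    f.saved_ret = GOOD_RET;
    int ok = checked_copy(&f, "fifteen chars!!") == 0
          && strcmp(f.buf, "fifteen chars!!") == 0;
    int too_long = checked_copy(&f, "sixteen chars!!!") == -1;
    return ok && too_long && f.saved_ret == GOOD_RET;
}

int main(void)
{
    printf("unchecked copy: saved_ret = 0x%lx (was 0x%lx)\n",
           (unsigned long)saved_ret_after_unchecked_copy(),
           (unsigned long)GOOD_RET);
    printf("checked copy rejects overlong input: %s\n",
           checked_copy_rejects_overlong() ? "yes" : "no");
    printf("checked copy accepts fitting input:  %s\n",
           checked_copy_accepts_fitting() ? "yes" : "no");
    return 0;
}
```

The clamp to sizeof *f exists only to keep the demonstration inside the model object; it is not part of the bug. The point of the fixed version is that the check happens before any byte is written, and that an input which does not fit is refused rather than trimmed.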
Developers say new code routinely includes checks on all buffers. Hackers, they claim, are typically exploiting unchecked buffers in legacy portions of the code. Even if true, this excuse is ridiculous on its face. Microsoft and Sun, for example, think nothing of investing hundreds of millions of dollars to develop new bells and whistles for their products, yet they have failed to eliminate a simple bug that's been around for decades. If hackers can find and exploit unchecked buffers to make our lives miserable, clearly these giants must find and fix these buffers to protect us.
It is time for a proactive commitment on the part of the largest developers to eliminate this preventable plague if for no other reason than it would be a very wise investment. What's at stake is our basic faith in the Internet as a trusted platform for commerce, finance, personal information and entertainment. Only the largest developers can ensure the safe cyber neighborhoods that will attract us all to their products.
(putting soapbox away...)
GRINS & GIGGLES:
August 27, 2001
WASHINGTON -- In the second White House health scare in little more than a week, doctors Wednesday night implanted a sophisticated pacemaker in President Bush's brain. The device, known as an implantable cranial defibrillator, or ICD, continuously monitors and records the president's brain waves. When Mr. Bush's brain activity becomes dangerously slow for a chief executive, the device delivers a mild electric shock, jolting the president back to a relatively active mental state.
"I feel good," the president told reporters several hours after the operation. Bush then twitched noticeably. "I mean, I feel well," he said.
Doctors say the implant is performing flawlessly, although they're trying to limit the number of shocks Bush receives to fewer than 100 a day. The surgery came barely a week after Vice President Dick Cheney was fitted with a device to regulate his irregular heartbeat.
The White House portrayed last night's medical procedure as an "insurance policy" against further problems for the president. At a news conference at George Washington University Hospital, where the operation was performed, doctors downplayed the seriousness of Bush's condition. The periodic electric jolts from the implant, physicians say, will have minimal effect on the president.
"His hair is not going to stand on end," said chief surgeon Dr. Alan J. Thayer. "Well, maybe a little."
The president, looking tired but fit after his operation, said that the device will help him function better as a world leader.
"The American people need to know that their president is equipped to handle a trouble spot like Slovenia," Mr. Bush said. "Serbia, I mean Serbia," he added, his head jerking violently.
Bush has an extensive medical history of moderately impaired thinking and reasoning, dating back to the 1970s. Doctors have long noted that the president's thoughts easily become confused, and that his public pronouncements often deteriorate into a tangle of mispronunciations, faulty logic and bad grammar. Although Bush's condition wasn't serious enough to prevent him from running for president, or from winning the state of Florida, doctors say his condition has deteriorated significantly in recent months. The president's brain wave activity dipped dangerously low during his recent trip to Europe, and stopped altogether at one point during a meeting with Russian president Vladimir Putin. The Russian leader was unaware of any change in Mr. Bush's condition, officials say.
Yesterday, the president's doctors subjected him to a battery of mental tests to assess his risk of developing a potentially fatal "zero brain wave."
Once the risk was confirmed, surgeons decided to implant the electronic device, which acts both as a pacemaker and a defibrillator. The pacemaker component is programmed to speed up the president's thinking when it becomes abnormally slow. The defibrillator can shock his brain back to a normal state if Bush's thoughts become "too fast," although doctors say that the chances of that happening are remote.
The device that doctors sutured to the base of the president's cerebellum is known as a Medtronic Gem IV DR model. (There were some problems with an earlier model, which had to be recalled by the manufacturer.) Such devices, once the stuff of science fiction, have become an increasingly common tool in modern neurology. Hundreds of prominent Americans have been fitted with so-called mental pacemakers in recent years, including actor Adam Sandler, TV personality Mary Hart, Yankees owner George Steinbrenner, singer Britney Spears, Rep. Gary Condit, D-Calif., former vice president Dan Quayle, and the entire board of directors of the now-defunct Pets.com. Some of those who wear a mental pacemaker expressed hope that the president's condition would raise public awareness about their circumstance.
"This may turn out to be a blessing in the skies for all of us," said talk show host Maury Povich, who was fitted with one of the first Medtronic devices four years ago. Mr. Povich trembled violently from head to toe before adding, "I mean disguise, disguise, for God's sake, turn it off."
Bush has been advised to avoid deep thoughts for a few days to give the device a chance to settle in place. Doctors say the president so far has cooperated fully with the recommendation. Bush has also been told to alternate holding his cell phone against his right and left ear so the implant receives equal doses of radiation from each side. And the president will have to run at full speed whenever passing through White House metal detectors.
Several congressional leaders privately expressed concern about the president's medical procedure, coming barely a week after Cheney was fitted with a device to regulate his irregular heartbeat.
But Bush dismissed the worries, stating that the Bush-Cheney team is "more fit than ever" to lead the country.
"You'll find no healthier duo than Dick Cheney and I," Bush said. The president hesitated, as if waiting for a signal, and when none came, broke into a toothy grin.
[thanks to Richard Bergin for this one]
Offensive Trojan Horse Breaks Windows PCs
By Robert Lemos
A malicious program that masquerades as a Web page or HTML e-mail has dire consequences for those who fall for its ruse, antivirus experts said this week.
Known as Trojan.Offensive, the program takes advantage of a 10-month-old flaw in Microsoft's version of the Java Virtual Machine to overwrite critical system settings--called the registry--leaving Windows computers unusable. The operating system on the victimized PC must be reinstalled or repaired through an arduous process.
"No data loss actually occurs, but the computer is basically hosed," said Craig Schmugar, a virus researcher for security software maker Network Associates.
The flaw affects all versions of Windows running Microsoft's Internet Explorer 3.0 to 5.5sp1.
By changing almost 50 registry values, the malicious program disables all programs, prevents Windows from being shut down, and makes icons on the Windows desktop disappear. Because no programs will run--not even antivirus scanners--the Windows operating system on the PC cannot be automatically repaired.
While truly irksome, the program is not widespread.
Also known as JS/Offensive, the damaging code does not spread on its own like a virus--it must be forwarded manually. Although Network Associates has not seen any cases of the Trojan horse, antivirus company Symantec has had "a handful" of customers in Japan report incidents.
"There could be more reports of it and we just don't know about it, because the victims' computers don't work and so they can't send e-mail," said Motoaki Yamamura, senior development manager for Symantec. "But we don't think it's very widespread, because it's a Trojan, not a virus."
Trojan.Offensive is aptly named.
In addition to making the victim's PC unusable until the system registry is fixed or the operating system is reinstalled, the program spouts a slur against Japanese people when the computer is physically restarted.
"If you have any trouble, please email email@example.com," states a dialog box that appears upon start-up. "Note: Not for Japanese & dog & pig." 21cn.com is a Chinese-language Web site based in the Guangdong province of China. The administrative contact for the site could not be reached by e-mail.
Because the flaw in Microsoft's Java Virtual Machine is 10 months old and a patch has been available for some time, many computer users will not be vulnerable to the Trojan.
In addition, people have started to trust e-mail a lot less, said Symantec's Yamamura.
"I think a lot of consumers are better about practicing safe computing," he said. Surfers who disable ActiveX in the browser are also safe from the Trojan horse.
E-Theft: Who's Liable?
By Doug Brown
Watch out, online merchants: here comes the law. Legal challenges and legislation are poised to patch a key chink in the armor protecting people from identity theft: There are no legal consequences for companies that fail to protect personal information, such as credit card numbers.
Hackers and identity thieves can be prosecuted if they're caught. But while credit card companies pay up when swiped numbers are used, and victims of fraud suffer financially and emotionally, there is not yet a law covering how companies guard private customer data.
Meanwhile, private lawsuits brought against companies with security lapses will soon constitute a high-profile "new breed" of legal case, said an international legal expert on identity theft, and interest in federal and state laws is spreading.
"Any commercial entity that puts you in jeopardy because of their lack of keeping up with technology and because of their negligence, I think they should be liable," said Mari Frank, a California attorney and author who testifies before state and federal lawmakers about identity theft. She lamented the legal vacuum surrounding data security, but predicted that in the absence of laws, people stung by security lapses will increasingly turn to private lawsuits.
The issue of data protection grows more urgent with each electronic break-in. One case this month involved the conference registration service site RegWeb.com, run by Cardinal Communications, which had a hole that revealed more than 300 customers' credit card numbers.
States including California and Wisconsin are starting to address identity theft. Merchant liability in hacking cases is among the topics under discussion by lawmakers, said Allan Trosclair, executive director of the Coalition for the Prevention of Economic Crime, which represents banks, businesses and government agencies. And as states craft a hodgepodge of laws, a standard federal law "will be required to eventually protect consumers against inappropriate compromise of their information," he said.
Identity theft has become a "hot topic," he said, because of the booming popularity of online credit card data theft and other forms of identity theft. Trosclair's colleague monitors chat rooms daily, looking for stolen credit card numbers and reporting them to credit card companies. He's seeing roughly 3,000 stolen credit card numbers traded in chat rooms each month, Trosclair said.
Last week, federal regulators issued a proposed rule setting standards for how financial institutions protect private consumer information. The "Safeguards Rule," proposed under the 1999 Gramm-Leach-Bliley Act that forced financial institutions to deal more systematically with consumer privacy issues, will inject a strong dose of regulatory oversight into information security practices within financial institutions.
The definition of "financial institution" in the regulation is broad and includes, for example, retailers that issue in-house credit cards to shoppers. But it still leaves untouched the vast majority of institutions, from online retailers to newspaper Web sites to Internet services like Microsoft's Passport, that regularly collect and store credit card information.
Meanwhile, the three major credit card companies, American Express, MasterCard International and Visa International Service Association, all have programs aimed at giving merchants more online security muscle.
This year, MasterCard unveiled its Site Data Protection Service, a set of security products and measures offered to its merchants. MasterCard also has rules for merchants to follow when processing and storing credit card information, said Stephen W. Orfei, an executive in the e-business division of MasterCard.
"There are penalties and there are consequences if you don't process properly. You can lose your license to process," among other things, he said. "Unfortunately, the incidents of hacking are on the rise. Our membership was looking for us to come up with a viable solution, and that's what we are delivering to the market right now."
Earlier this year, Visa launched its Cardholder Information Security Program, which requires vendors that collect and store credit card information remotely to meet a set of security standards, from installing firewalls to encrypting stored data.
And late last year, American Express started using VeriSign's Payflow, which gives merchants the option to let American Express process and store all American Express charges.
In the case this month, RegWeb was storing the numbers for 877Chicago.com, a site that's run for the Chicago Convention and Tourism Bureau by a third party called McCord Travel Management. A link to a hacker Web site listing the stolen credit card numbers was e-mailed to Interactive Week in early August.
Cardinal CEO Rodman Marymor said the company switched Web hosts and a file containing credit card numbers got left behind on the old server. When he learned of the security hole, Marymor said he immediately notified the credit card companies and later told the FBI. He said the credit card companies told him not to notify card holders directly, but to let them notify banks.
Cardinal is bringing in an outside security company to audit RegWeb's operations, Marymor added.
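The RegWeb failure described above is the easiest kind of leak to catch ahead of time: a file full of card numbers sitting on a host nobody looks at any more. As an added example, not code from the article or from Cardinal Communications, here is a sweep that walks a directory tree for runs of 13 to 19 digits that pass the Luhn check and reports them masked, so the scanner's own output is not a second leak. The SAMPLE_REGISTRATIONS text is constructed; the 4111... and 4242... numbers in it are standard test card numbers, not real accounts.

```python
"""Sweep a directory tree for card numbers left behind in files.

Added example, not from the article. Finds runs of 13-19 digits that pass
the Luhn check, the way a forgotten registration export would, and reports
them masked. SAMPLE_REGISTRATIONS is constructed sample data.
"""
import os
import re

# A candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of the kind of file that gets left on an old server.
# 4111... and 4242... are standard test numbers; row 3 fails the Luhn check.
SAMPLE_REGISTRATIONS = """\
id,name,card,expires
1,J. Doe,4111 1111 1111 1111,09/03
2,A. Roe,4242-4242-4242-4242,11/02
3,B. Poe,1234567890123456,01/04
note: order 2001-08-27, phone 555-0100
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six (issuer) and last four digits; hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked card numbers found in text; Luhn failures are dropped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_tree(root: str) -> dict:
    """Map each file under root that holds a plausible PAN to its masked hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    # latin-1 never fails to decode, so binary files are scanned too
                    text = fh.read().decode("latin-1")
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            hits = find_pans(text)
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_tree(root).items()):
        print(f"{path}: {len(hits)} card number(s), e.g. {hits[0]}")
```

Run it against the old host's document root before the box is decommissioned, and treat every hit as a lead to check by hand: roughly one random digit run in ten passes Luhn, and a valid number glued onto other digits (an order ID, say) is matched as one longer run and missed. Dates and phone numbers are too short to trip it, as the sample shows.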
Notification should always occur, said Ray Bruce, president of the Consumer Protection Association of America. "If companies were doing what was right, they would notify the businesses and consumers that they're doing business with that there's a potential that their privacy has been violated."
Cases like RegWeb's also illustrate the need for "laws that hold [companies] accountable for exposing us to identity theft," attorney Frank said.
Merchant liability in such cases is "murky," said Alan Davidson, associate director of the Center for Democracy and Technology. "There is a big question mark out there: How does negligence apply in the computer security contexts? And we don't have an answer to that question."
WOULD YOU LIKE RAM WITH THAT?
In addition to the usual items at the McDonald's in Tel Aviv, Israel, you can get mice. No, not the four-legged kind, but a mouse for your computer. In addition, people can surf the Internet for $2 per 20 minutes while they eat their fries. "It reflects the lifestyle of youngsters in Israel and in the world -- to eat fast food and use the Internet at the same time," said a McDonald's Israel spokesman. The restaurant is also starting to offer software from Microsoft. (Reuters) ...With all the high tech mergers these days, is it really any surprise that Microsoft's next operating system will be dubbed McWindows?
OH WHAT A FEELING:
Jodee Berry, 26, was a waitress at the Hooters restaurant in Panama City, Fla., and won a contest when she sold the most beer. Berry participated with gusto because the prize, she was told, was a new Toyota. When she won, she was blindfolded and led into the restaurant's parking lot to see her prize. When they pulled off the blindfold, what she saw was not a Toyota, but a "Toy Yoda" -- a doll modeled after a "Star Wars" movie character. She says the manager laughed at her anger over being deceived, so she has quit and is suing the restaurant for breach of contract and fraudulent misrepresentation (AP) ...Sensing defeat, they have offered to settle for "a million doll-hairs".
AN EVEN BETTER FEELING:
Augusta, Ga., lawyer Sam G. Nicholson was tired of the advertising sent to his fax machine. "They're using your paper," he said. Particularly galling was one from the local "Hooters" restaurant sent six times to his machine, so he sued them under a 1991 federal law prohibiting unsolicited fax ads. It levies a $500 civil penalty per fax -- triple that if done "willfully and knowingly." Even better, the suit was given class-action status to represent at least 1,320 other recipients in the area. By multiplying out all the numbers, Hooters was found liable for $12 million, and the local restaurant had to close down. (New York Times) ...It's time to extend that law to cover e-mail "spam".
THE SLOW BUT SURE SPREAD OF AMERICAN IDEAS:
A student at a London, Ont., Canada, school threw a water balloon at other students but missed. He instead accidentally hit a teacher. The boy immediately confessed to the teacher and apologized, but the vice principal called the police per the school's "zero tolerance" violence policy and he was charged with assault with a weapon. The boy turned 18 just after the incident. If convicted as a juvenile, he faces two years in custody. If convicted as an adult, he faces 10 years in prison. "I offer absolutely no apology for having a zero tolerance policy," said London District Catholic School Board director Patrick Dunne, adding the school did the right thing in prosecuting the boy since "the person of that teacher was violated." (National Post)
"Hundreds Hurt During Annual Stone-throwing Festival" -- PA news headline
The Centre For The Easily Amused!
"Cathie Walker surfs hard so you don't have to. Get links to all kinds of diversions in categories from Random Silliness to Sites of Dubious Taste."
"When people want to waste time on the Internet, the last thing they want is to waste time finding new ways to waste time. Enter the Centre for the Easily Amused, a Web site devoted in roughly equal parts to off-kilter humour, time-wasting, and semi-thought-provoking ephemera."
"Notorious Web time-waster."
New York Times
"The single best guide to all the wackiness and inanity on the Web."
"The folks at the CEA have a knack for picking the wackiest sites ... a great place to look for a quick laugh."
Yahoo! Internet Life
"Visiting the Centre for the Easily Amused is like sneaking a comic book into the bathroom at work, just to escape it all for a few minutes."
New Orleans Times-Picayune
"If you're the type who gets seriously side-tracked while surfing for a research site or becomes engrossed in the TV Guide articles while looking for a particular show, you'll definitely want to check out the CEA, Centre for the Easily Amused."
"Everyone needs a laugh now and again, and some of the best comic relief is on the Net. Given the sheer glut of comedy pages online, it's best to start your search from one of the many large directories such as the Centre for the Easily Amused."
ZDNet's Internet Tonight
This week we'll cover some of the things that you might take for granted on an average day of internet surfing.
2) Don't talk to strangers: protect your home address, phone numbers and the names & ages of your children.
Many are the times that I've wanted something from an internet site only to be confronted by a myriad of forms requesting everything from my marital status and type of work I do to what my yearly income is. Everyone, it seems, is gathering information about you.
Although most of us are unwilling to give our Social Security number to just anyone, we are often not suspicious enough of other little tidbits. One of the things that seem to easily slip out is our address. If you've ever joined one of those "classmates" web sites or put your name into the "White pages" somewhere you are a prime target for stalking. In the wrong hands, this personal information could be used against you.
Try looking yourself up online at any of the "people finder" sites (such as InfoSpace, Switchboard, WhoWhere, Yahoo! People Search, Telephone Directories On The Web and/or Classmates). Then take this information and plug it into MapQuest, Yahoo! Maps or Excite! Maps and Directions.
Anyone in the world could drive right up to your front door. Now put yourself at work and your latch-key kids home after school. Alone. Scary, huh?
The good news is that most of these sites will allow you to "update" your information. The trick is that you usually must be a member. Join only if necessary and even then give as little accurate info as possible. Otherwise, try sending them an email asking that they correct (read REMOVE) your information. Then make something up. I sometimes use SCHENECTADY NY because the Zip Code is easy: 12345. Just remember that the Area Code is 518.
Of course, if they push you tell them that you're "between locations" right now and you'll update again in the future. They don't need to know that this "update" may be so far into the future that it may come in the form of an obituary notice. Hahaha...
There's a new trend on the web that could turn out to be just as dangerous. This is the sharing of family pictures. Your children are your pride and joy! You rightly should want to show them off to the rest of your family and friends. The problem is that posting them to an open web site means that ANYONE can see how many kids you have and what their approximate ages are.
A better solution is to use email or set up a special site that requires a password for access. Then you have control of those that you want visiting your site. Others that just want to "peruse" can look at your wallet photos.
Just remember to check the size of the file attachments because there are still a lot of people that only have dial-up access. Large pictures, although beautiful to gaze upon, take too long to download with a modem. Try converting them to .jpg ("J-peg") format and compressing them down to 75% or even 50% of original size. This can be done easily with most imaging software. If necessary, you can download the great LView Pro from http://www.lview.com/ and use it on a "trial" basis.
Previously, I've ranted about Radio Shack needing my telephone number to sell me a 9v battery and how I refuse to carry the local store "club" cards. This, for me, is an easy habit to carry over into cyberspace. If they won't give me what I want without a copious amount of info attached to it, I walk away. There are plenty of other places that don't play that game.
Often, if you look carefully, you'll find that there may be some minimum amount of information that you are "required" to give and that the rest of the form can be left blank. Again, depending on how much they "need" I may or may not oblige.
Again, as always, try and consider how this information might be mis-used and weigh that against how badly you want whatever they're offering. I'm sure that you'll find sometimes it's just not worth the risk. If you haven't already, read the E-Theft article above and then go see the SSA web site on Identity Theft at http://www.ssa.gov/pubs/10064.html
Live in a way that leaves no regrets.