Emerald Group Publishing Limited
Copyright © 2004, Emerald Group Publishing Limited
REACH for your gun!
Keywords: Internet, Security, REACH
As I write this, we have gone through 2 or 3 weeks of security hell on the Internet. I make no apology for bringing up the subject of security yet once more, because it seems clear that many people simply do not care.
Certainly, the least publicised but most insidious example that has been perpetrated is one of "fishing". This has deprived a company of a large sum of money. How does it work? In order to protect the identity of the companies concerned, I will lay down a scenario with entirely fictitious names.
Joe Bloggs Manufacturing Company Inc.: a large company somewhere in the US Midwest.
James Smith: Chief Accountant for the JBMC, a slightly overweight person having worked his way up from a simple clerk, over 30 years of service. He is solid, reliable, methodical, unimaginative and a very dull person, but he knows the company's business inside out.
First International Midwest Bank: a large financial institution used by JBMC for its 120 years of existence.
John Doe: an Internet crook.
The First International Midwest Bank has, as most such institutions, a Web site offering the usual services with the URL of http://www.fimwbank.com. By negligence, it has not secured all possible domains with a similar name.
John Doe registers the domain www.fimwbank.net in his own name and address, both of which one may imagine are fictitious. He sets up a Web site using this domain, copying much of the bank's own Web site. To this he adds a questionnaire with a large number of questions, mostly innocent, but hidden amongst them are some more doubtful ones that we will look at in a minute.
Using the fimwbank.net domain, John Doe sends James Smith an e-mail worded as follows:
The First International Midwest Bank is conducting a survey of its major customers, to ensure that its operating records are totally up-to-date. This will enable us to ensure that you have the best personal service of any bank in the USA. You will find a simple questionnaire on the secure site http://www.fimwbank.net/servicesurvey.asp. We request that you fill this out and submit it at your convenience.
Vice-President, Major Account Counsellor
Of course, the signature and title are those of the appropriate bank officer.
James Smith, perhaps a little naively, opens up the Web site page and notes that the little padlock on his browser is closed, showing that the site is secure. He starts filling out the form with the name and address of the company, telephone number and so on. This is followed by a section on each of the accounts which the bank holds on behalf of the company. He then gives the names of the executive directors, their functions, private addresses, telephone numbers and the numbers of their company credit cards issued by the bank, along with a couple of pages of other, anodyne, questions. The rest you can imagine! James Smith unsuspectingly submits the questionnaire and the damage is done. John Doe immediately goes on a beautiful spending spree over the Internet with the information that he has learnt. It is not until a few days later that the credit card company questions the unusual spending of the executives; by then the damage has been done, and the credit card company will take no responsibility because the causal fault was within the JBMC.
This technique is called "fishing". There are many ways of doing this and the fictitious example which I have given, based on a real case, cost the company in question a sum well into the six figures. In reality, there are many other practices that the unscrupulous use to "fish" on the Internet. For example, one may be asked to register to visit a Web site; in most cases, this is quite innocent, although I detest doing it. If any of the questions that I am asked are indiscreet and beyond what would normally be necessary under the circumstances, then I baulk. However, I have been known to give a false name and address, such as MickeyMouse@Disney.com, if I do not expect a communication from the company! It should be pointed out that it is not necessarily for financial gain that many companies "fish". It could be for targeting e-mails and spam to the most appropriate places. It should be needless to say that one never gives credit card details over the Internet, except to known companies with secure sites that can be trusted. I can also give you a little tip: if your credit card company does not offer you fraud protection on Internet transactions, then obtain a second credit card account with a small limit, such as a few hundred pounds or dollars, so that if you meet a John Doe or similar, then the losses cannot amount to much. Remember that spyware may transmit your credit card number in clear to a third party, as you type it on a secure site (although this should never happen if you have followed my discourses on security)! I understand that some "free" pornographic sites ask for credit card numbers in lieu of proof of age; if this is so, then they may be less free than the surfer might hope for.
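The deception above rests on a lookalike domain (fimwbank.net standing in for the bank's real fimwbank.com) and on a closed padlock that proves only that the connection is encrypted, not who owns the site. The following is an added example, not part of the original column: a small Python check that pulls the links out of an e-mail and flags any whose registrable domain is not the institution's own. The legitimate domain is the one from the scenario; the sample message is constructed here.

```python
import re
from urllib.parse import urlsplit

# Registrable domain the bank actually owns (taken from the scenario above).
LEGITIMATE_DOMAIN = "fimwbank.com"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """'www.fimwbank.net' -> 'fimwbank.net'.
    Simplification: assumes a two-label registrable domain (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str, legitimate: str = LEGITIMATE_DOMAIN) -> str:
    """Classify one link relative to the institution's real domain.
    Returns 'legitimate', 'lookalike' or 'unrelated'. Whether the link is
    http or https is deliberately ignored: a closed padlock says nothing
    about who registered the domain."""
    host = urlsplit(url).hostname or ""
    rd = registrable_domain(host)
    if rd == legitimate:
        return "legitimate"
    legit_name = legitimate.split(".")[0]          # 'fimwbank'
    # Same name under another TLD (.net instead of .com), or the real name
    # buried as a subdomain label of a domain the crook controls.
    if rd.split(".")[0] == legit_name or legit_name in host.split("."):
        return "lookalike"
    return "unrelated"


def suspicious_links(message: str, legitimate: str = LEGITIMATE_DOMAIN) -> list:
    """Return (url, verdict) for every link in the message that is not legitimate."""
    findings = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;)")   # drop trailing punctuation glued on by the prose
        verdict = classify_url(url, legitimate)
        if verdict != "legitimate":
            findings.append((url, verdict))
    return findings


# Constructed sample modelled on the e-mail in the scenario (not a real message).
SAMPLE_EMAIL = (
    "The First International Midwest Bank is conducting a survey of its major customers. "
    "You will find a simple questionnaire on the secure site "
    "http://www.fimwbank.net/servicesurvey.asp We request that you fill this out. "
    "Our public site remains at http://www.fimwbank.com/ for general information."
)

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```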
Four different viruses or their cousins have caused considerable damage over the Internet and through e-mails over recent weeks. Without doubt, one of the most serious was Blaster or MSBlaster. This was an insidious worm which could install itself on any computer which was using one of two specific, popular, versions of Microsoft Windows. It exploited a security hole in the operating system. Microsoft had issued a patch to close the hole a few weeks previously, but how many people update their operating systems on a regular basis? In actual fact, the patch was probably used by the authors of Blaster to identify and exploit this security lapse, knowing that few users would have updated their system. This particular worm tried to install itself on any computer, by accessing TCP port 135. On the day that it hit the world, I checked my firewall and found that there were 132 attempts to install it on my computer. Of course, the firewall stopped them all. At least as many attempts have been made since, and are still being made over 2 weeks later. As it so happens, even if the file had been loaded on to my computer, I would not have worried:
because the operating system and e-mail client I use are immune from it, and
the anti-virus system would have picked it up and deleted it.
It would be amusing, were it not so tragic that things like this can happen, that the msblaster.exe file contains an undisplayed message in the compiled code: "I just want to say LOVE YOU SAN!! billy gates why do you make this possible? Stop making money and fix your software!!." If only! However, Microsoft was also targeted and forced to close down their OS update site for a day.
Slightly more amusingly, somebody thought that they should play a joke and issued a relatively harmless virus which was supposed to install the patch that would immunise the computer from Blaster! Of course, this was a hoax, but even a BBC commentator was taken in by it.
Another very nasty one of recent date is Sobig.F. This is a complex worm which not only replicates itself from an infected computer, but also installs its own Trojan Horse. This can be used for any number of nefarious purposes and can even transmit password information to third parties. Even worse, it can seek updated versions of itself, so that it can evolve faster than the anti-virus systems can take care of them. Like many others, the replication uses multiple spoof "From" addresses, so that there is no way of knowing the origin, should you be careless enough to allow yourself to be infected. This means that innocent people may be seeing hundreds of messages from unknown people accusing them, wrongly, of propagating viruses. Even worse, it can use any one of a number of ports. Perhaps one of the more obvious manifestations is that the Trojan Horse transmits the infected site's IP number which becomes a "magnet" for spam mail: users apparently received many spams within a very short period of time, as well as infected attachments. The worst aspect is that Sobig.F has the fastest propagation rate of any virus, to date. What is amazing is that even organisations like the Swiss Federal Railways were taken down for over a day by this beastie.
A less likely one to be encountered by readers of this journal, unless they are aficionados of MP3 music files downloaded from KaZaA, is HLLW.Lemur. This replicates itself through the file-sharing network in the form of any one of a number of .exe files.
What is a trifle worrying is that, after every major virus release, there are inevitably a number of copies, variants, mutations and simple "wannabes". These "sons" often have a lifetime of a few weeks. With such a raft of new viruses, we must be particularly vigilant to make sure that we are not lulled into a false sense of security, knowing we are fireproof against the "father".
By the way, have you thought about clearing all the junk from your cookie file lately? It is amazing how much accumulates there.
One of the great stories on the World-Wide Web is what is undoubtedly the most successful search engine, Google. From a small beginning in September 1998 to today's giant, it has marked success all the way and it is rumoured to be going public in the near future. Do you know why it has been such a success when other dot-coms have been biting the dust or losing their market share (including rivals Alta Vista, Yahoo and so on)? Well, I have a theory: it is a combination of technical efficiency and one of the simplest Home Pages on the 'Net. They do not need fancy Flash or other such long-to-download trash, hefty graphics (their Home Page logo is only 87 kb), audio or video, and they have limited their script to two short lines. They have eschewed graphics-intensive publicity for a page that downloads from a fast series of servers in 1 s, even through a phone line modem. If only others would emulate this notion; their Web sites would be more popular and effective.
As is well known, the European Union is proposing to introduce a Directive that will require the registration, evaluation and authorisation of chemicals (REACH). If this comes into force as the draft stipulates, then it will probably be the last nail in the coffin of the European printed circuit manufacturer – and conceivably many assemblers, as well. When the draft was published, the EU gave 8 weeks, a very short period considering the size of the draft, divided into seven volumes and an introductory explanation, for consultation. This produced over 6,400 responses, an enormous number. The majority of these may be classed as negative, i.e. considering the proposal was utopian, impractical, economically prohibitive or made major suggestions to water down the impact. Of course, there were a number of responses that took the opposite view. These were mainly from eco-political NGOs that consider the project as largely insufficient and required even stronger measures to take us back into the dark ages. I did an Internet search using REACH chemicals and was surprised to see that there were about 737,000 responses. A quick glance through the first 100 showed about 90 per cent of these were relevant, judging from the summaries. Rather obviously, I can but give you a few commentaries on the more important sites. I may be wrong, but under all the responses received by the EU from trade associations and NGOs, and all the first 100 google answers, I saw almost nothing directly related to the European PCB Fab, Hybrid Fab and Electronics Assemblies Industries, unfortunately.
Do we care so little that those of English language who represent us – the IPC, EIPC, SMART, PCIF and many others – cannot make the effort to put forward a view on a subject that I firmly believe will deeply affect the future of our industry? (My apologies, if any of the above did but it escaped my attention.) I repeat, if this draft were promulgated, the European printed circuit industry is headed for disaster.
http://europa.eu.int/comm/enterprise/chemicals/chempol/whitepaper/reach.htm
This page represents the most important one on the subject, as you can download the whole draft of the REACH project, various commentaries on it and find links to the 6,400 responses to the consultation from here. There are many days of solid reading available from this single page.
http://www.nca-nl.org/English/Lnews/REACH%20summary.pdf
Not many will want to read through the hundreds of pages of the draft proposal. A seven-page summary of the salient points is available here. It should be noted that this may be slightly biased in favour of the draft as it was written by an activist.
http://europa.eu.int/comm/enterprise/chemicals/chempol/contributions/public/usa_gvnt_public.pdf
This is the first of a few comments received that I will discuss here. It is from no less than the US Government. As can be expected, it is couched in very diplomatic terms, but is also very blunt, in places: "We are concerned, however, that the European Commission's draft... appears to adopt a particularly costly, burdensome, and complex approach, which could prove unworkable in its implementation, adversely impact innovation and disrupt global trade.... the Commission's proposed regulatory approach raises fundamental questions about its workability... There are a number of key concerns that the United States has regarding the workability of the Commission's draft regulation... the proposal establishes a generally unworkable regulatory approach; departs from ongoing international regulatory cooperation efforts; imposes substantial costs with uncertain benefits; adversely impacts small and medium sized enterprises (SMEs); disrupts global trade; adversely impacts innovation; creates market uncertainties; provides unclear administrative coordination and consistency; and raises concerns regarding consortia and data sharing." This looks pretty damning, does it not?
http://europa.eu.int/comm/enterprise/chemicals/chempol/contributions/public/public_gvnt_irl.pdf
Even some of the EU members are voicing similar concerns, such as the Republic of Ireland, albeit with slightly milder language.
http://europa.eu.int/comm/enterprise/chemicals/chempol/contributions/public/public_gvnt_norway.pdf
The Nordic countries are often seen as models in environmental and H&S matters and this comment, from a non-EU country, is mildly supportive of the draft. It does however make a number of positive comments to improve it, especially with regard to bureaucratic matters. For example, it suggests that authorisation of use should be seen as the exception, not the rule.
http://europa.eu.int/comm/enterprise/chemicals/chempol/contributions/public/niph_public_s.pdf
As could be expected, the Swedish National Institute of Public Health seems enthusiastic about REACH, to the extent that it seeks to change the threshold of small quantities from 1 tonne to 10 kg. This would seem far too severe, to my eyes, because it is estimated that the minimal costs for registering a new substance will be at least six figures. Even 1 tonne will have a minimal additional cost of 100 per kg, which is already steep. Multiplying this by 100 will render it impossible and will certainly stifle development.
http://europa.eu.int/comm/enterprise/chemicals/chempol/contributions/ngo/ngo_349_4ngos_eu.pdf
In the NGO section, I will choose just one comment, a combined Greenpeace, EEB, WWF and Friends of the Earth one, as being representative of the eco-political view. This is a long document, full of suggestions for "improvements". If implemented, the current unworkable monster would become the totally impossible bureaucratic mega-nightmare. For example, at one point, they propose simply striking out the 1 tonne threshold, mentioned in the previous paragraph, meaning that importing, for example, a gram or two of a new substance would be subject to registration. They even have the brass neck to quote the WEEE and RoHS Directives as a successful case study!
http://europa.eu.int/comm/enterprise/chemicals/chempol/contributions/industry/associations/assoc_471_vci_en_d.pdf
Going on to the Industry Associations, the German Verband der Chemischen Industrie, as can be expected, is opposed to the draft as it stands. This paper presents a long, well-reasoned approach, retaining what is good and pointing out the real weaknesses – and they find many.
http://europa.eu.int/comm/enterprise/chemicals/chempol/contributions/industry/associations/assoc_494_cbi_uk.pdf
The Confederation of British Industry also finds the draft ill-conceived and unworkable. It is particularly concerned with the economic and bureaucratic impacts, especially for SMEs. It also estimates that 40 per cent of chemicals used currently will simply disappear off the European market because the manufacturers will consider the administrative costs not worth the candle. Of course, they will continue to be used outside Europe.
http://europa.eu.int/comm/enterprise/chemicals/chempol/contributions/industry/946_firm.doc
For the industrial comments, I will confine myself to those from a few companies connected to our industry. Degussa has made some severe criticisms of the draft, evoking many of the points that I have already mentioned, but also the right of objection and legal actions with a suspensory effect.
http://europa.eu.int/comm/enterprise/chemicals/chempol/contributions/industry/1529_firm.doc
Schering point out: "The current draft of the REACH regulation is far too complicated and large. A legislation of 1,200 pages is not manageable, epecially [sic!] not by small and medium sized companies... The regulation has to be modified towards more practicability, reasonable data requirements and simplified registration procedures with less bureaucracy. The regulation should be shortened and concentrated to a volume that can be managed by the industry, especially by small and medium sized companies".
http://europa.eu.int/comm/enterprise/chemicals/chempol/contributions/industry/2323_firm.doc
At last, the views of an SME connected with the electronics industry. Mega Electronics, in the UK, has made many of the usual negative criticisms and points out that many household products, supplied without much data, become a bureaucratic burden when used in industry.
http://europa.eu.int/comm/enterprise/chemicals/chempol/contributions/industry/2603_firm.doc
Loctite, a major player in the electronics assembly area, complains about the disclosure of their trade secrets to their customers and, inevitably, to the competition. In addition, they are vociferous about the section concerning polymers, emphasising that polymers should be excluded provided that their starting materials are registered.
http://www.americanchemistry.com/cmawebsite.nsf/dac3c5bb8f8774a18525680b005a531e/e6b2e215ce045d5b85256d8800472f2a/$FILE/EIA.pdf
This is a file I found with the search engine, rather than on the EU site, although it may well be hidden there. It is a response to REACH by the US EIA, NEMA and some other organisations. It is more mildly set out than some of the other comments, but embodies many of the same ideas. At least this is one view of the electronics industry, as a whole, which is a lot better than whistling in the dark. Nothing specific, applicable to the PCB Fab industry, is included, though.
http://www.kslaw.com/library/pdf/reachpaper.pdf
Finally, this is a US legal appreciation of REACH by what is possibly a somewhat right-wing lobbying group. It is possibly one of the most interesting reads on the subject, because it highlights the differences between European and US law and outlook, especially regarding the precautionary principle.
This review of REACH has taken me two whole days to compile, having read hundreds of commentaries. I am shocked that the European PCB manufacturing industries have chosen to ignore what may be their own death warrant. This is something that will not go away. It is here and, sooner or later, in some form or another, it will affect us all. It is essential that the PCB Fab industry, in particular, follow the next stages of this project and take action with their national governments if they wish to ensure their survival. Personally, I am sympathetic towards improvements in environmental and H&S risks and the precautionary principle, in particular. But my sympathy does not extend to a heavily bureaucratic and dangerous, unilateral, European approach. If some pragmatic version of this were promulgated worldwide, then everybody would be on the same footing; without this, I can see yet one more law introduced that cannot be observed to the letter – and, as many comments have stated, will be directly opposed to the principles of the World Trade Organisation. Let us REACH for our guns and shoot it into a reasonable form that will not condemn our industry to death by a Brussels firing squad.
I apologise for the rather aggressively political form that this review has taken. Personally, I am glad that I am no longer directly concerned with the manufacturing industry!
Traditional phrase in old western films, usually when the sheriff confronted the baddy.
At the time of writing, the URLs and domains in this fictitious account have not been registered and do not exist. I suppose that it is possible that they may be registered by the time this goes into print. If so, I ask the owners to accept my apologies for the unwitting coincidence.