Emerald Group Publishing Limited
Copyright © 2004, Emerald Group Publishing Limited
Keywords: Internet, Chemicals, Legislation, Computer viruses
"From ghoulies and ghosties and long-leggety beasties
And things that go bump in the night,
Good Lord, deliver us!"
As I write this, we have gone through two or three weeks of security hell on the Internet. I make no apology for bringing up the subject of security yet once more, because it seems clear that many people simply do not care.
Let's start with the usual problem of viruses. I have a friend who recently bought a brand new high-performance computer (even if he didn't need it for what he does, but that's another story!), running off Windows XP Home. He set up the modem for dial-up networking and tested it by downloading his e-mails. Fine! He then installed Norton Anti-Virus and was surprised that he couldn't download the essential updates. He was becoming frantic and asked my advice. I went along and noted that every time the computer went on the Internet, it worked fine to start with but, after a minute, it started to slow down and after a second minute, it blocked solid. I initially suspected an overheating component in the in-built modem, so I tried an external modem, to obtain similar results, but slower to react. I then became very suspicious. With the external modem, I logged onto www.symantec.com and it immediately responded that the computer had W32.Welchia.Worm. Before the Internet connection closed down, I managed to download the means for removing it. After that everything worked normally and we were able to update my friend's Anti-Virus software. This illustrates how easy it is to become infected. Just a single unprotected access to the Internet and Bang! Wham!
Several different viruses or their cousins have caused considerable damage over the Internet and through e-mails over recent weeks. Without doubt, one of the most serious was Blaster or MSBlaster. This was an insidious worm which could install itself on any computer which was running one of two specific, popular, versions of Microsoft Windows. It exploited a security hole in the operating system. Microsoft had issued a patch to close the hole a few weeks previously, but how many people update their operating systems on a regular basis? In actual fact, the patch was probably used by the authors of Blaster to identify and exploit this security lapse, knowing that few users would have updated their system. This particular worm tried to install itself on any computer, by accessing TCP port 135. On the day that it hit the world, I checked my firewall and found that there were 132 attempts to install it on my computer. Of course, the firewall stopped them all. At least as many attempts have been made since, and are still being made over two weeks later. As it so happens, even if the file had been loaded on to my computer, I would not have worried because a) the operating system and e-mail client I use are immune from it and b) the anti-virus system would have picked it up and deleted it. It would be laughable, if it weren't so tragic that things like this can happen, that the msblaster.exe file contains a non-displayed message in the compiled code: "I just want to say LOVE YOU SAN!! billy gates why do you make this possible? Stop making money and fix your software!!". If only! However, Microsoft themselves were also targeted and were forced to close down their OS update site for a day. In fact, the W32.Welchia.Worm, mentioned in the previous paragraph, is one of a number of variants of MSBlaster, also installed through port 135.
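The firewall count quoted above (132 blocked attempts on TCP port 135 in a day) is exactly the kind of figure a small log-parsing script can produce on demand. The following Python is an added example, not code from the column or from any firewall vendor: the log line format and the addresses (taken from the RFC 5737 documentation ranges) are constructed for the illustration, so the regular expression would need adapting to a real product's log.

```python
import re
from collections import Counter

# Constructed sample firewall log (not from the column). The line layout is an
# assumption modelled on a typical personal-firewall drop log; addresses come
# from the RFC 5737 documentation ranges and do not belong to anyone.
SAMPLE_LOG = """\
2003-08-12 09:14:03 DROP TCP 198.51.100.23:3421 -> 192.0.2.10:135
2003-08-12 09:14:05 DROP TCP 203.0.113.77:1087 -> 192.0.2.10:135
2003-08-12 09:14:09 ALLOW TCP 192.0.2.10:1521 -> 198.51.100.5:80
2003-08-12 09:14:11 DROP TCP 198.51.100.23:3422 -> 192.0.2.10:135
2003-08-12 09:14:15 DROP UDP 203.0.113.9:137 -> 192.0.2.10:137
2003-08-12 09:14:20 DROP TCP 203.0.113.77:1088 -> 192.0.2.10:6000
2003-08-12 09:14:21 DROP TCP 192.0.2.200:2201 -> 192.0.2.10:135
"""

# One regular expression for the assumed layout:
# "<date> <time> <DROP|ALLOW> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DROP|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def count_port_probes(log_text, port=135, proto="TCP"):
    """Count blocked inbound connection attempts to `port`, per source address.

    Returns (total, Counter{src_ip: attempts}). Only DROP entries are counted:
    an ALLOW to the same port would be a separate, and worse, finding.
    """
    per_source = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than guess
        if rec["action"] == "DROP" and rec["proto"] == proto and rec["dport"] == port:
            per_source[rec["src"]] += 1
    return sum(per_source.values()), per_source


def noisy_sources(per_source, threshold=2):
    """Sources that hit the port at least `threshold` times, busiest first."""
    return [(ip, n) for ip, n in per_source.most_common() if n >= threshold]


if __name__ == "__main__":
    total, per_source = count_port_probes(SAMPLE_LOG)
    print(f"blocked attempts on TCP/135: {total}")
    for ip, n in noisy_sources(per_source):
        print(f"  {ip}: {n} attempts")
```

Run against a day's log, the script gives the daily total the column quotes and a list of the repeat offenders; the UDP and other-port entries in the sample are there to show that the filter is deliberately narrow, so that the count is not inflated by unrelated noise.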
Another very nasty virus of recent date is Sobig.F. This is a complex worm which not only replicates itself from an infected computer, it installs its own Trojan Horse. This can be used for any number of nefarious purposes and can even transmit password information to third parties. Even worse, it can seek updated versions of itself, so that it can evolve faster than the anti-virus systems can take care of them. Like many others, the replication uses multiple spoof 'From' addresses, so that there is no way of knowing the origin, should you be careless enough to allow yourself to be infected. This means that innocent people may be seeing hundreds of messages from unknown people accusing them, wrongly, of propagating viruses. Even worse, it can use any one of a number of ports. Perhaps one of the more obvious manifestations is that the Trojan Horse transmits the infected site's IP number which becomes a magnet for spam mail: users apparently received many spams within a very short space of time, as well as infected attachments. The worst aspect is that Sobig.F has the fastest propagation rate of any virus, to date. What is amazing is that even organisations like the Swiss Federal Railways were taken down for over a day by this beastie.
Another one that has recently occurred is Swen. This is also quite wicked. The victim receives an e-mail, often purportedly from Microsoft, stating that the latest updates for Windows, with important security implications, are ready for downloading at a given URL. Of course, these updates are nothing of the sort, but an entry into your computer system.
What is a trifle worrying is that, after every major virus release, there are inevitably a number of copies, variants, mutations and simple wannabes. These sons often have a lifetime of a few weeks. With such a raft of new viruses, we must be particularly vigilant to make sure we are not lulled into a false sense of security, knowing we are fireproof against the father.
Certainly, the least publicised but most insidious example involving security that has been perpetrated is one of fishing. This has deprived a company of a large sum of money. How does it work? In order to protect the identity of the companies concerned, I'll lay down a scenario with entirely fictitious names.
Joe Bloggs Manufacturing Company Inc.: a large company somewhere in the US Midwest
James Smith: Chief Accountant for the JBMC, a slightly overweight person having worked his way up from a simple clerk, over 30 years' service. He is solid, reliable, methodical, unimaginative and a very dull person, but he knows the company's business inside out.
First International Midwest Bank: a large financial institution used by JBMC for its 120 years of existence
John Doe: an Internet crook.
The First International Midwest Bank has, as most such institutions, a Web site offering the usual services with the URL of http://www.fimwbank.com. By negligence, it has not secured all possible domains with a similar name.
John Doe registers the domain www.fimwbank.net in his own name and address, which one could imagine are both fictitious. He sets up a Web site, using this domain, copying much of the bank's own Web site. He adds to this a questionnaire with a large number of questions, mostly innocent but, hidden amongst them are some more doubtful ones that we will look at in a minute.
Using the fimwbank.net domain, John Doe sends James Smith an e-mail worded as follows:
The First International Midwest Bank is conducting a survey of its major customers, to ensure that its operating records are totally up-to-date. This will enable us to ensure that you have the best personal service of any bank in the USA. You will find a simple questionnaire on the secure site https://www.fimwbank.net/servicesurvey.asp. We request that you fill this out and submit it at your convenience.
Harry Jones
Vice-president, Major Account Counsellor
Of course, the signature and title are those of the appropriate bank officer.
James Smith, perhaps a little naively, opens up the Web site page and notes that the little padlock on his browser is closed, showing that the site is secure. He starts filling out the form with the name and address of the company, telephone number and so on. This is followed by a section on each of the accounts which the bank holds on behalf of the company. He then gives the names of the executive directors, their functions, private addresses, telephone numbers and the numbers of their company credit cards issued by the Bank, along with a couple of pages of other, anodyne, questions. The rest you can imagine! James Smith unsuspectingly submits the questionnaire and the damage is done. John Doe immediately goes on a beautiful spending spree over the Internet with the information that he has learnt. It is not until a few days later that the credit card company questions the unusual spending of the executives, but by then the damage has been done, and the credit card company will take no responsibility because the causal fault was within the JBMC.
This technique is called fishing. There are many ways of doing it and the fictitious example which I have given, based on a real case, cost the company in question a sum well into six figures. In reality, there are many other practices that the unscrupulous use to fish on the Internet. For example, one may be asked to register to visit a Web site; in most cases, this is quite innocent, although I detest doing it. If any of the questions that I am asked are indiscreet and beyond what would normally be necessary under the circumstances, then I baulk. However, I have been known to give a false name and address, such as MickeyMouse@Disney.com, if I do not expect a communication from the company! It should be pointed out that it is not necessarily for financial gain that many companies fish. It could be for targeting e-mails and spam to the most appropriate places. It should be needless to say that one never gives credit card details over the Internet, except to known companies with secure sites that can be trusted. I can also give you a little tip: if your credit card company does not offer you fraud protection on Internet transactions, then obtain a second credit card account with a small limit, such as a few hundred pounds or dollars, so that if you meet a John Doe or similar, then the losses cannot amount to much. Remember that spyware may transmit your credit card number in clear to a third party, as you type it on a secure site (although this should never happen if you have followed my discourses on security)! I'm given to understand that some free pornographic sites ask for credit card numbers in lieu of proof of age; if this is so, then they may be less free than the surfer might hope for.
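The scenario turns on two things James Smith did not check: the link's domain was fimwbank.net rather than the bank's fimwbank.com, and the closed padlock was taken as proof of identity when it only proves that the connection to that host is encrypted. The following Python is an added example, not part of the column, that performs the check a cautious recipient (or a mail gateway) could make before visiting such a link. It uses the fictitious domains from the scenario above; the two-label notion of a "registrable domain" is a simplifying assumption (a real implementation would consult the Public Suffix List, so that names like example.co.uk are handled correctly).

```python
from urllib.parse import urlsplit

# The legitimate bank domain from the column's fictitious scenario.
LEGITIMATE_DOMAIN = "fimwbank.com"


def registrable_domain(host):
    """Return the last two labels of a hostname (e.g. 'fimwbank.net').

    Assumption: a two-label registrable domain. Real checks should use the
    Public Suffix List, which knows about cases such as 'example.co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url, legitimate=LEGITIMATE_DOMAIN):
    """Classify a link found in an e-mail relative to the bank's real domain.

    Returns one of:
      'legitimate'     host is the real domain or a subdomain of it
      'lookalike-tld'  same name under a different top-level domain (fimwbank.net)
      'embedded-name'  the real name appears as a label inside some other domain
      'unrelated'      nothing in common with the real domain

    The URL scheme is deliberately ignored: an https padlock only says that the
    connection to *that* host is encrypted, not that the host belongs to the bank.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"
    legit = legitimate.lower()
    if host == legit or host.endswith("." + legit):
        return "legitimate"
    legit_name = legit.split(".")[0]          # 'fimwbank'
    host_domain = registrable_domain(host)    # e.g. 'fimwbank.net'
    if host_domain.split(".")[0] == legit_name:
        return "lookalike-tld"
    if legit_name in host.split("."):
        return "embedded-name"
    return "unrelated"


def suspicious_links(urls, legitimate=LEGITIMATE_DOMAIN):
    """Return (url, verdict) pairs that should be queried before being visited."""
    flagged = []
    for url in urls:
        verdict = classify_link(url, legitimate)
        if verdict != "legitimate":
            flagged.append((url, verdict))
    return flagged


if __name__ == "__main__":
    # The link from the scenario's e-mail, plus a genuine one for comparison.
    for url, verdict in suspicious_links([
        "http://www.fimwbank.com/",
        "https://www.fimwbank.net/servicesurvey.asp",
    ]):
        print(f"{verdict:14} {url}")
```

The survey link from the e-mail comes back as a lookalike on a different top-level domain, which is precisely the gap the bank left open by not registering its name under other suffixes; the same shape of check applies to the Swen lure mentioned earlier, where the link is "purportedly from Microsoft" but the domain is not.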
By the way, have you thought about clearing all the junk from your cookie file lately? It's amazing how much accumulates there.
The UK and California have recently outlawed spam. What a load of codswallop! What it means is that anyone caught originating spam is liable to be punished. Now, I can just imagine the authorities reducing unemployment by hiring thousands of IT experts who do nothing, but examine the headers of each spam message to see whether it can be traced back to their own jurisdiction, cannot you? At the best, it means that spam authors will use an ISP in Outer Mongolia to send their rubbish, rather than one in California or the UK. There is only one way to totally stop spam and that is for it to be filtered out before the addressee can download it. If it is known that spam is never delivered, the authors will stop sending it. Currently, ISPs can filter out about 95% of it reliably, with almost no risk of false positives, if they so wish. Mine does just this, so I receive an average of about one or two per day, which my POPFile automatically takes care of, so I live in a spam-free environment.
However, the UK does permit business-to-business spamming where the receiver is actually a client of the sender. This is downright stupid because it is just B2B spamming that is the most insidious and costly to the economy.
Away from security, one of the great stories on the world-wide web is what is undoubtedly the most successful search engine, Google. From a small beginning in September 1998 to today's giant, it has marked success all the way and it is rumoured to be going public in the near future. Do you know why it has been such a success when other dot-coms have been biting the dust or losing their market share (including rivals Alta Vista, Yahoo and so on)? Well, I've a theory: it is a combination of technical efficiency and one of the simplest Home Pages on the Internet. They don't need fancy Flash or other such long-to-download trash, hefty graphics (their Home Page logo is only 8 kb), audio or video and they have limited their script to two short lines. They have eschewed graphics-intensive publicity for a page that downloads from a fast series of servers in a second or two, even through a phone line modem. If only others would emulate this notion; their Web sites would be more popular and effective.
Have you thought how many chemicals are used in your factory? A typical large high-tech company employing SM or mixed technology may use:
adhesives for components
temporary solder masks
chip blob resins
conformal coating products
ion exchange resins
waste water treatment chemicals
and probably many others.
I invite you to do an inventory of every chemical that enters your factory. Then think about the EU REACH project. As is well known, the European Union is proposing to introduce a directive that will require the registration, evaluation and authorisation of chemicals (REACH). If this comes into force as the draft stipulates, then it will probably be the last nail in the coffin of many European printed circuit assemblers, and almost certainly of most PC FAB shops. When the draft was published the EU gave 8 weeks, a very short period considering the size of the draft, divided into 7 volumes and an introductory explanation for consultation. This produced over 6,400 responses, an enormous number. The majority of these may be classed as negative, i.e. considering the proposal was utopian, impractical, economically prohibitive or made major suggestions to water down the impact. Of course, there were a number of responses that took the opposite view. These were mainly from eco-political NGOs which consider the project was largely insufficient and required even stronger measures to take us back into the dark ages. I did an Internet search using REACH chemicals and was surprised to see there were about 737,000 responses. A quick glance through the first 100 showed about 90% of these were relevant, judging from the summaries. Rather obviously, I can but give you a few commentaries on the more important sites. I may be wrong, but from the responses received by the EU from trade associations and NGOs, and all the first 100 Google answers, I saw almost nothing directly related to the European PCB Fab, Hybrid Fab and Electronics Assemblies Industries, unfortunately.
Do we care so little that those of English Language who represent us – the IPC, the EIPC, SMART, the PCIF and many others – cannot make the effort to put forward a view on a subject that I firmly believe will deeply affect the future of our industry? (My apologies, if any of the above did but it escaped my attention.) I repeat, if this draft were promulgated, the European printed circuit industry is headed for disaster.
This page represents the most important one on the subject, as you can download the whole draft of the REACH project, various commentaries on it and find links to the 6,400 responses to the consultation from here. There are many days of solid reading available from this single page.
Not many will want to read through the hundreds of pages of the draft proposal. A seven-page summary of the salient points is available here. It should be noted that this may be slightly biased in favour of the drafts as it was written by an activist.
This is the first of a few comments received that I will discuss here. It is from no less than the US Government. As can be expected, it is couched in very diplomatic terms, but is also very blunt, in places: We are concerned, however, that the European Commission's draft ... appears to adopt a particularly costly, burdensome, and complex approach, which could prove unworkable in its implementation, adversely impact innovation and disrupt global trade. ... the Commission's proposed regulatory approach raises fundamental questions about its workability ... There are a number of key concerns that the United States has regarding the workability of the Commission's draft regulation ...: the proposal establishes a generally unworkable regulatory approach; departs from ongoing international regulatory cooperation efforts; imposes substantial costs with uncertain benefits; adversely impacts small and medium sized enterprises (SMEs); disrupts global trade; adversely impacts innovation; creates market uncertainties; provides unclear administrative coordination and consistency; and raises concerns regarding consortia and data sharing. This looks pretty damning, doesn't it?
Even some of the EU members are voicing similar concerns, such as the Republic of Ireland, albeit with slightly gentle language.
The Nordic countries are often seen as models in environmental and H&S matters and this comment, from a non EU country, is mildly supportive of the draft. It does however make a number of positive comments to improve it, especially with regard to bureaucratic matters. For example, it suggests that authorisation of use should be seen as the exception, not the rule.
As could be expected, the Swedish National Institute of Public Health seems enthusiastic about REACH, to the extent that it seeks to change the threshold of small quantities from 1 tonne to 10 kilograms. This would seem far too severe, to my eyes, because it is estimated that the minimal costs for registering a new substance will be at least six figures. Even 1 tonne will have a minimal additional cost of €100/kg, which is already steep now. To multiply this by 100 will render it impossible and will certainly stifle development.
In the NGO section, I will choose just one comment, a combined Greenpeace, EEB, WWF and Friends of the Earth one, as being representative of the eco-political view. This is a long document, full of suggestions for improvements. If implemented, the current unworkable monster would become the totally impossible bureaucratic mega-nightmare. For example, at one point, they propose simply striking out the 1 tonne threshold, mentioned in the previous paragraph, meaning that importing, for example, a gram or two of a new substance would be subject to registration. They even have the brass neck to quote the WEEE and RoHS Directives as a successful case study!
Going on to the Industry Associations, the German Verband der Chemischen Industrie, as can be expected, is opposed to the draft, as it stands. This paper presents a long, well-reasoned, approach, retaining what is good and pointing out the real weaknesses – and they find many.
The Confederation of British Industry also finds the draft ill-conceived and unworkable. It is particularly concerned with the economic and bureaucratic impacts, especially for SMEs. It also estimates that 40% of chemicals currently used will simply disappear off the European market because the manufacturers will consider the administrative costs not worth the candle. Of course, they will continue to be used outside of Europe.
For the industrial comments, I will confine myself to those from a few companies connected to our industry. Degussa has made some severe criticisms of the draft, evoking many of the points I've mentioned earlier, but also the right of objection and legal actions with a suspensory effect.
Schering point out: The current draft of the REACH regulation is far too complicated and large. A legislation of 1,200 pages is not manageable, epecially [sic!] not by small and medium sized companies ... The regulation has to be modified towards more practicability, reasonable data requirements and simplified registration procedures with less bureaucracy. The regulation should be shortened and concentrated to a volume that can be managed by the industry, especially by small and medium sized companies.
At last, the views of an SME connected with the electronics industry. Mega Electronics, in the UK, has made many of the usual negative criticisms and points out that many household products, supplied without much data, become a bureaucratic burden when used in industry.
Loctite, a major player in the electronics assembly area, complains about the disclosure of their trade secrets to their customers and, inevitably to the competition. In addition, they are vociferous about the section concerning polymers, emphasising that polymers should be excluded provided that their starting materials are registered.
This is a file I found with the search engine, rather than on the EU site, although it may well be hidden there. It is a response to REACH by the US EIA, NEMA and some other organisations. It is more mildly set out than some of the other comments, but embodies many of the same ideas. At least this is one view of the electronics industry, as a whole, which is a lot better than whistling in the dark.
Finally, this is a US legal appreciation of REACH by what is conceivably a somewhat right-wing lobbying group. It is possibly one of the most interesting reads on the subject, because it highlights the differences between European and US law and outlook, especially regarding the precautionary principle.
This review of REACH has taken me two whole days to compile, having read hundreds of commentaries. I am shocked that the European PCB assembly industry has chosen to ignore what may be the death warrant of many SMT assemblers. This is something that will not go away. It is here and, sooner or later, in some form or another, it will affect us all. It is essential that our industry, in particular, must follow the next stages of this project and take action with their national governments if they wish to ensure their survival. Personally, I am sympathetic towards improvements in environmental and H&S risks and the precautionary principle, in particular. But my sympathy does not extend to a heavily bureaucratic and dangerous, unilateral, European approach. If some pragmatic version of this were promulgated world-wide, then everybody would be on the same footing: without this, then I can see yet one more law introduced that cannot be observed to the letter – and, as many comments have stated, will be directly opposed to the principles of the World Trade Organisation. Let us REACH for our guns and shoot it into a reasonable form that will not condemn our industry to death by a Brussels firing squad.
I apologise for the rather aggressively political form that this review has taken. Personally, I am glad I'm no longer directly concerned with the manufacturing industry!
1. Anon., The Cornish or West Country Litany, in Francis T. Nettleinghame, Polperro Proverbs and Others (1926), Pokerwork Panels.
2. At the time of writing, the URLs and domains in this fictitious account have not been registered and do not exist. I suppose that it is possible that they may be registered by the time this goes into print. If so, I ask the owners to accept my apologies for the unwitting coincidence.