does this surprise anyone:

A grisly slaying on a Greyhound bus has prompted calls for tighter security on Canadian bus lines, despite the company and Canada's transport agency calling the stabbing death a tragic but isolated incident.

Greyhound spokeswoman Abby Wambaugh said bus travel is the safest mode of transportation, even though bus stations do not have metal detectors and other security measures used at airports.

Despite editorials telling people not to overreact, it's easy to:

"Hearing about this incident really worries me," said Donna Ryder, 56, who was waiting Thursday at the bus depot in Toronto.

"I’m in a wheelchair and what would I be able to do to defend myself? Probably nothing. So that’s really scary."

Ryder, who was heading to Kitchener, Ont., said buses are essentially the only way she can get around the province, as her wheelchair won’t fit on Via Rail trains. As it is her main option for travel, a lack of security is troubling, she said.

"I guess we’re going to have to go the airline way, maybe have a search and baggage check, X-ray maybe," she said.

"Really, I don’t know what you can do about security anymore."

Of course, airplane security won't work on busses.

But -- more to the point -- this essay I wrote on overreacting to rare risks applies here:

People tend to base risk analysis more on personal story than on data, despite the old joke that "the plural of anecdote is not data." If a friend gets mugged in a foreign country, that story is more likely to affect how safe you feel traveling to that country than abstract crime statistics.

We give storytellers we have a relationship with more credibility than strangers, and stories that are close to us more weight than stories from foreign lands. In other words, proximity of relationship affects our risk assessment. And who is everyone's major storyteller these days? Television.

Which is why Canadians are talking about increasing security on long-haul busses, and not Americans.

Toronto Hydro has a very well-built network across 6 sq km that Novarum has rated the highest consistent bandwidth network in the U.S. In one square mile, the company had installed about 3 to 4 times the numbers of nodes of most city networks, and that showed. Affordable? Perhaps not. But the service worked. However, the network hasn't brought in enough subscribers to expand, and the capital restriction prevents that.

Cogeco, the fourth-largest Canadian cable system operator, will primarily be spending Cdn$200m on a 450 km fiber-optic network. The company passes 1.5m homes in Ontario and Quebec, although subscriber numbers aren't disclosed. (More detail here.)

The deal seems like a boon for Toronto, which will get Cdn$75m that's earmarked right now by the mayor for public housing, while the electrical utility will upgrade its distribution network with the remainder of the funds.

Damn these infernal mornings.

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

1. 1st Source Bank replacing debit cards after security breach | Network World
2. Microsoft Warns Of Bug In Apple’s Safari | CRN
3. Going Back to Basics To Fight Botnets | Top Tech News
4. EU security agency warns over insecure printing | The Register
5. Information at thieves’ fingertips | Times Union
6. McAfee Names The Most Dangerous Domains | Information Week
7. IBM Complimentary Security Health Scan | Bitpipe
8. ‘Hacker’ left child porn images on computer, lawyer insists | The Toronto Star

Tags: News, Daily Links, Security Blog, Information Security, Security News

Name: CiscoWorks Arbitrary Code Execution Vulnerability
Release Date: 28 May 2008
Reference: LSD003-2008
Discover: Dave Lewis
CVE Number: CVE-2008-2054
Vendor: Cisco Systems
Systems Affected: CiscoWorks Common Services (various versions): Cisco Unified Operations Manager (CUOM), Cisco Unified Service Monitor (CUSM), CiscoWorks QoS Policy Manager (QPM), CiscoWorks LAN Management Solution (LMS), Cisco Security Manager (CSM), Cisco TelePresence Readiness Assessment Manager (CTRAM)

Risk: High
Status: Published (Vendor Confirmed, Patch Available)

Description

CiscoWorks Common Services versions 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1, and 3.1.1 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.

This vulnerability exists due to an unspecified error in CiscoWorks Common Services. An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code resulting in complete system compromise.

Impact: Arbitrary code execution with elevated privileges. Fire bad.

TimeLine

Discovered: 14 February 2008
Reported: 14 February 2008
Fixed: 22 April 2008
Patch Release: 28 May 2008
Published: 28 May 2008

Technical Details

The vulnerability exists due to an unspecified error in CiscoWorks Common Services when it processes attacker-supplied URLs. An unauthenticated, remote attacker could exploit this vulnerability through unspecified means to execute arbitrary code with elevated privileges.

Fix Information

This issue has now been resolved.

The patch may be obtained from:

http://www.cisco.com

Cisco Advisory
http://www.cisco.com/en/US/products/products_security_advisory09186a00809a1f14.shtml

I would like to thank Cisco for their professional response to this issue.

Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/

2255B Queen Street East
suite 156
Toronto, Ontario
Canada
M4E 1G3

MetroFi was one of the three most prominent pure play metro-scale Wi-Fi firms, if you count EarthLink's municipal wireless division as a separate operation, and Kite Networks, which was a subsidiary of a larger telecom firm. Each company had made a unique network hardware choice--MetroFi, SkyPilot; Kite, Strix; and EarthLink Tropos plus Motorola--and each had a sort of specialty. Interestingly, a fifth firm, BelAir powers Toronto (a small but super-fast Wi-Fi network) and Minneapolis (the only putatively completed large-city Wi-Fi network), and will be behind Cablevision's nearly $350m New York Wi-Fi plan.

MetroFi was the only major firm to back ad-supported no-fee access, coupled with paid, no-ads service, and higher tiered commercial offerings. They built mostly smaller cities, with Portland being their only real big city win. The firm began with the notion of building Wi-Fi out gradually as a way to provide broadband in communities that lacked service, with no municipal involvement. That plan required sparser networks and typically a home signal booster designed by SkyPilot. (Kite mostly focused on the Southwest; EarthLink on big cities.)

EarthLink was in many ways largely responsible for the mess that all Wi-Fi providers found themselves in last year by offering to build Philadelphia's network back in 2005 at no cost to the city--in fact, paying the city and the local utility fees. That set the stage for nearly all the RFPs that followed where, if EarthLink were a bidder or the city was aware of the alternatives, the notion was that no city dollars would be spent, even if taxpayer money wasn't "at risk"--that is, even if a city could save money by switching current line items in their telecom and data budget to a wireless network.

Haas noted via email that MetroFi has been working towards anchor commitments by cities for nearly two years, but the inertia of those early networks led municipalities to reject those options. In Toledo, where MetroFi had negotiated an anchor commitment, a change in administration led a new mayor to retreat from the plan.

Is there a future for metro-scale Wi-Fi? Yes. With thoughtfully constructed, outdoor-focused deployments centered on municipal purposes, with public access a secondary issue, it seems like these networks could still provide an inexpensive way for relatively high bandwidth compared to the alternative of cell data networks.

However, that advantage is likely short lived in larger markets. The near-future certainty now that there will be multiple provides offering wired broadband speed service starting later this year with Sprint/Clearwire's WiMax, and continuing through into 2012 with significant network buildout by Verizon and AT&T in several bands (including their new 700 MHz holdings).

While Sprint/Clearwire is talking about 120m to 140m homes passed by 2010 with their network, obviously focusing only on major markets, many of the 700 MHz licenses purchased by AT&T and Verizon carry buildout requirements with penalties. So cities outside the top 100 population markets and rural areas will still see some benefit. In those mid-tier markets, there's also the 3.65 GHz band for shared licensed use, which is a model that Azulstar is pursuing with new WiMax deployments, as I wrote about recently.

Competition will likely push the cost of mobile broadband far below its $60 per month 2-year contract rate of today, which then would beg the question why a city or county with good commercial coverage would need to build its own Wi-Fi network. There are still plenty of reasons to build dedicated, first-responder 4.9 GHz public safety networks, of course.

I've always described Wi-Fi on a metropolitan scale as the best, worst technology. The best, because everyone has Wi-Fi in their laptops and increasingly in handhelds and gadgets. The worst, because the technology is absolutely not designed for the purpose, unlike CDMA and GSM evolved cell standards and mobile WiMax.

It's possible that in the long term, looking five years out, that Wi-Fi on a metro-scale will only be needed in small towns, odd markets, and for highly particular purposes. Or, perhaps in a bit of irony, where companies like Cablevision feel Wi-Fi is necessary to retain the loyalty of their highly wired customer base.

This op-ed recommends that the city buy the division, and have it build service, which they estimate at about $100 per household, which could save $300 to $400 per household per year for those with broadband. But that means that they prefer any market for broadband to be destroyed in favor of a publicly owned and operated network. Which, frankly, would scare me if such a thing were proposed in my city.

It's not so much that any given broadband firm is so marvelous that I wouldn't prefer another. (I am surprisingly happy with my DSL from incumbent Qwest, including their fantastically improved technical support.) But, rather, that cities seem to do best in ensuring that missing pieces of all kinds are provided to those least able to advocate for themselves. This, in my mind, extends to cities providing incentives for supermarkets to be built in disadvantaged areas. (There's always an irony that people least able to afford food must travel the furthest to obtain food at prices below that offered in their neighborhood, typically through convenience stores. That's changing.)

One prominent argument that I found myself agreeing with when the discussion of municipal Wi-Fi was in its infancy was the problem of building a broadband network that used taxpayer dollars to improve the lot of some citizens, often those who could afford a variety of broadband options. Plans that used city budgets to reduce costs for telecom or provide municipal services are more egalitarian, and seem to have won the day.

In this case, the op-ed writers are suggesting a course that would eliminate all competition. Can anyone trust their city well enough that they support starting a bureaucracy that would completely de facto (not de jure) prevent any better service from being installed? Or that would require you to pay as part of your taxes for service that you wouldn't use?

The columnists do more sagely suggest that a "city-wide fibre/wireless network could be an important boost to city departments and other civic services that have growing needs for networking, such as education, libraries, police and emergency health services."