Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Although the (in)famous technique of shrink-wrapping personal computer
software has been around for a long time, mainframe software has generally
been shipped with no seals other than those on the shipping box. A
frequently-proposed trojan horse technique (never used, as far as I know)
has been to send a computer center a box with media and documentation which
appears to have come from the operating system vendor, but in reality is
a trojan horse. A modification of that procedure involves intercepting
a legitimate shipment and changing the contents.
This may be changing. I recently received a shipment of IBM's RS/6000 AIX
system on tape cartridges. Each cartridge is enclosed in a heat-sealed
heavy plastic bag on which the IBM logo is printed, along with the legend:
This tamper evident bag ensures the integrity of your software. If
tamper is evident, please call the IBM software distribution center
(1-800-879-2755) to report problem and have center replace the
questioned software.
(Incidentally, the bad grammar in the above paragraph is correctly copied
from the text on the bag.)
The fact that I don't have an RS/6000 is irrelevent. Maybe one of these days
IBM will figure out how to fix the data base systems used to generate mailing
addresses for software shipments...although in this case I suspect that the
problem was bad data entry, unlike the dozen or so other RS/6000 packages I've
received over the past year which were addressed to me by name.
Joe Morris
A few press releases from IBM yesterday make the cracker-for-hire
business a little more serious. More interesting data will be available
in local offices soon, so instead of spying on co-workers in the same
office, the opportunity will exist to spy on vice-presidents. The
announcements cover products that will be available sometime next year.
* "Information Warehouse," intended to allow easy access to all data
owned by a large corporation from any desktop computer within the
company, in most popular formats (Lotus, DB/2, SQL, ...).
* a partnership with Aristacom, a company which makes telephone switch /
computer interfaces:
"With Aristacom's [earlier] applications a call is automatically
routed to the targeted service agent with the information
required to permit immediate service to the customer. This
eliminates the frustrating interaction between customer and agent
about the nature of the call and the identity of the customer."
* operating system enhancements and applications to assist in the development
of client/server applications between IBM mainframes and pc's running OS/2,
DOS, and Windows. They are also starting to support more interactions with Suns
and Macintoshes. Two of the new applications are described as follows:
— IBM SAA ImagePlus(a)/2, a new LAN-based application for
tracking and distributing image applications such as
insurance claims, loan applications and legal contracts.
— Financial Branch Systems Services, a client/server
software package that supports financial applications
such as those used in a banking branch office. Also
announced is support for DOS Windows users, which
supplements the OS/2 and DOS support already available.
Joan Eslinger / wombat@key.amdahl.com
>In the September 19th Rolling Stone at page 67 an article titled "Samurai >Hackers" by Lynda Edwards tells us that a: "new breed of hacker has been >finding a niche in the corporate world in the last two years. ... Having read this article, _The Cuckoo's Egg_, and _Cyberpunk_, I was struck by the "samurai hackers" referring to their customers and victims as "stupids". True, those people may not know a whole lot about computers, but these hackers don't seem to know that much more. What they do have is the persistence to sit in front of a machine for hours, trying passwords until they finally get one. The fact that they do seem to often guess a password is certainly a risks-related matter. But having someone sitting for hours in front of the console entering names should be picked up by almost anybody. "Hmmmm, Joe complained about the phone line being busy all weekend, but nobody logged in. I wonder if there's something wrong ..." would seem an unavoidable concern in such cases. These "hackers" seem the equivalent of the smash-and-grab bandit: they throw a brick through the window, grab what they can, then run. They're limited in effectiveness by the crudeness of their methods, but they can be effective nonetheless. Almost all of the sophisticated computer types seem more attracted to the "good side," but given a large enough dislocation in the economy, as we might see in a serious recession, the temptation to invade other computers might seem attractive to computer professionals. Another item was how willing people were to give out information over the phone. In _Cyberpunk_, the hackers in California were repeatedly able to impersonate someone at the phone company or in the military well enough to get information that they had no business having. "I'm General Shotfoot's aide, and he wants to know what his password is ..." seems to work fairly well. Elementary security would be to get the number of the person calling, and call them back. But as long as there are humans in the loop, computers will be vulnerable to this type of attack. One last thing that was interesting was how abusive most of the people using e-mail were of others. As shown by other articles on electronics communications, people have no hesitation saying things in e-mail that they wouldn't dream of doing face-to-face or on paper. One article I read talked about how two groups were assigned tasks; the group that met only in the flesh conducted their meetings without incident. The one that was conducted partly using electronic communications had people who had to be separated and sent out through different exits to keep them apart. Might one of the increasing risks of electronic communications be getting attacked by someone outraged by what you said about them electronically? Public Access UNIX at +1 503 644-8135 (1200/2400) Voice: +1 503 646-8257
Fred Cohen says in a number of his papers that (quoting from Computers &
Security, Vol. 6, # 1, PP. 22-23) "The term virus has also been used in
conjunction with an augmentation to APL in which the author places a generic
call at the beginning of each function which in turn invokes a preprocessor to
augment the default APL interpreter." (Although Fred always attributes the idea
to a paper by Gunn in "ACM" in 1974, the paper actually appeared in ACM Quote
Quad in 1984, in the Proceedings of a Helsinki conference.) What Gunn
described does not fit Fred's definition of a virus, but something that does
could serve the purpose Gunn described, as best I can remember. Note that APL
is a logical place to expect a useful virus because APL users may leave
functions vulnerable to modification in the hope of benefiting from
improvements that others make.
Stan
Brian Rice writes:
> ...all viruses are bad, because they take
> me out of control of my system and make me afraid to do things with it.
Novice users feel this same fear, until they learn how to get along with
the computer. Viruses, however, tend to make their computers unpredictable.
When something drastic happens because the user isn't knowledgeable, they
"chalk it up to experience" and go on. The damage done by a virus, though,
is entirely out of their control. The user feels violated because someone
came into their "territory" and damaged them in some way, even if the
"damage" was just to their confidence. (Administrators of large systems
have to be very careful during system maintenance to avoid invoking the
same territorial feelings in their "users" ;-).
Configuration management within a community of PCs presents many of the same
problems as system maintenance on large systems, and invokes the territorial
tendencies of most users ("Whaddaya mean, I can't use PD software on my
machine!?!?!"). It gets more important when all of these PCs are connected
through local area networks. In a previous job, we experimented with having
each PC automatically log into a central server, compare it's binaries with
the "distribution version", and automatically download anything new. We
discussed having this routine remove "unauthorized" software, but figured it
would be too easy to mess up and remove something valid by mistake.
More recently, I have learned of a product which loads a TSR when you boot each
workstation, which can give control of that machine to a central administrator
via the LAN. The administrator can then "poll" the workstation and perform
maintenance over the LAN - including making filesystem maintenance and even
copying new executables onto the PC. This sort of maintenance can happen
"in the background", invisible to the user (who has no idea his/her system
is being "maintained").
If you extend the idea, you could create a "configuration checker" virus that
wandered thru the network, reporting system configurations back to a central
authority. Is this a good idea? Depends on whether you're the user or the
administrator. It wouldn't be hard to add other "useful" features. Perhaps
it could find files that haven't been used in six months, archive them to tape,
and then delete them from the user's system. Where do you stop?
IMHO, any time "my" computer is changed without my knowledge, I have the right
to become upset - even if somebody else actually owns it. This includes
viruses, configuration management, maintenance, or whatever. The underlying
risk (the one which would lead to "good viruses") is what I call the "God
Syndrome" — "I know what's best for you because I'm [your_title_here]".
That risk is prevalent EVERYWHERE, not just in computers. We see the risk
more readily in other fields (such as government). Because most people don't
understand computers well (yet), the risk is not so clearly seen.
Bob Johnson, Control Data Corp (contractor to...) Tinker Air Force Base,
Oklahoma DSN: 339-5038, (405) 739-5038
No one has addressed the question of a 'beneficial' virus in terms of the
growing concern in business over the amount of trust that can be placed in the
results produced by computer systems. That concern is manifesting itself in
several ways:
1. An increasing amount of attention is being paid to configuration
control of support (engineering, manufacturing, etc.) systems. We
can't test everything and we can't test anything exhaustively, but we
want to know that what we're relying on has been tested to the extent
possible and necessary so we have an idea where we're at risk. This
breaks down if we can't pin software configurations down to the bit
level — any virus, beneficial or not, clearly compromises this effort.
2. We are seeking reasonable ways to hold vendors responsible for the
results produced by the software they deliver. As the public begins
to demand warranties (beyond the usefulness of media) for software,
vendors will increasingly have to protect themselves by carefully
specifying the system configurations for which warranties apply.
Modification of underlying software by viruses, no matter what their
intent, would also be contrary to a vendor's ability to guarantee
results.
It seems apparent to me that we have to work towards the ability to completely
specify and audit the configuration of systems on demand in order to have a
chance of dealing with the legal and safety implications surrounding general
use of computer based systems by lay people. Much as a piece of digital
hardware refuses to be functional if it fails its own self test, software must
be able to identify its configuration and respond appropriately prior to
providing service in critical situations. We take this for granted in
ROM-based embedded systems, but their safety is due solely to their isolation
and resistance to alteration. Both of these conditions are rapidly
disappearing.
Chuck Royalty (206) 957-5197 chuck@helpful.ca.boeing.com
In RISKS-11.60, Jerry Leichter told us about the new struggle between airlines' load-management software and travel agents' computer programs which search for elusive low fare offerings. (I cannot do justice to Mr. Leichter's fine piece here). He pointed out a risk to consumers: > The computers battle it out--and anyone without computer > assistance is likely to be left on the ground. The next chapter in the saga is discussed in an L.A. Times article by Denise Gellene titled "Airlines Discourage Bargain Hunts" (9-10-'91, page D1). [Bracketed interjections and elisions mine -MS] The article: [...] Only a handful of travel agents use this new technology [automatic fare-finding software which "electronically scan[s] thousands of fares listed in an airline reservation system"], which can potentially save [individual] consumers hundreds of dollars. [...] Santa Ana-based Associated Travel Management says its computer program saves an average of $150 for one customer in four. But the new computer programs have drawn a strong reaction from the airlines. Sabre and Apollo, the reservation systems controlled by American Airlines and United Airlines, have socked the agencies with new fees to discourage extensive fare searches. Associated Travel said the new charges could cost it $300,000 a year. The conflict over the new software has important implications for travel agencies, airlines, and consumers. Travel agents need an edge to draw customers, but airlines make most of their profits from higher-priced tickets. Consumers are caught in the middle. The software helps travel agencies keep up with the thousands of fare changes airlines make daily. Working 30 times faster than a travel agent, the software can scan through a reservation system and snare customer-pleasing bargains that an agent might never spot. [...] The reservation systems say the new fees are justified because the new programs cause reservation networks to work harder. But agents and other industry experts say that the airlines are also concerned that the new technology finds low fares for business travellers [...] who normally pay full fare. ``I think the main intent is to limit the user of these programs,'' said Steve Ballinger, editor of Travel Management Daily, an industry newsletter. ``It seems the airlines are saying that just because there is a cheap fare out there doesn't mean you have an unlimited right to find it.'' The controversy comes at a time when both airlines and travel agents are doing poorly. Airline traffic fell in July and was expected to decline overall in August as recession-battered consumers cut back on travel. [...] [stuff about airlines trying to avoid selling low-priced tickets; and agents looking for ways to improve customer service by saving clients' money] [the reservation systems are imposing fees designed to penalize automated searching. Searches which appear to be manual based on pattern of keystrokes and number of records retrieved aren't surcharged.] The fees are likely to discourage small agencies from investing in the new [searching] software, which costs up to $150,000. ``There is no way a small agency can afford it,'' said USTravel's Nugent. [some more details] Not every agent finds the new limits easy to live with. Boston-based Woodside Travel said some agents in highly competitive markets, such as Los Angeles, exceed the new keystroke-thresholds manually because there are so many airlines to check. [various back and forth about the new fees] Travel agencies say they've taken steps to avoid hefty fees. Associated Travel developed what it calls a "steath" version of its original software that is capable of taking an electronic picture of the information in the airline reservation system. Associated's computer then scans the electronic copy for bargains. By using this technique, the agency immediately reduced the [usual] number of hits [per fare query] to 112 from 200. Though it may still pay a fee, it is less than the $300,000 it stood to pay without the revised software. Other agencies have taken different approaches. Woodside travel said it now looks for aisle or window seats less often. USTravel says it now conducts most of its searches at night, when fees are lower and most fare changes are made. ``We don't think American's Sabre is out to destroy our program,'' Woodside's Barros said. ``We think they would like to control how we use it.'' [-30-] [Begin Mark S.'s comments.] The tactic of caching replies from reservation systems to avoid repeating costly queries seems wise, but cache-consistency problems must come up. The reservation systems' argument--that a high query load is costly for them--is valid so far as it goes, but the reservation systems are deliberately organized so as to preclude direct searching for low fares. If they maintained methods (and indices) to permit searching for fares, then the number of queries necessary to find low ones would drop dramatically. Of course, this gets back to the "antitrust" problems with reservation systems owned by airlines. You-all know all about that stuff, but I'll remind you that the government is in the middle of hassling a bunch of airlines for allegedly conspiring to fix fares using the O.A.G. as a signalling channel, so an "independent" system for such flight/fare info may not be a total fix. The airline vs. agency computer wars would not be necessary if the airline systems supported the sorts of queries the agents want to process. The high price of fare-search software means that ordinary consumers are left at the mercy of the battling giants. One sure fix for all of this would be to force the airlines to provide low-fare searching. One big cost to that would be the blow it would surely deal to airline profits, and, I suggest, to the availability of low fares. The airlines have been amazingly successful at flying everyone for exactly the (maximum, it's true) price s/he can or will pay. If it looks like they'll have to let some people travel for less (than they can/will pay), the airlines'll just eliminate the lowest fares, leaving some impecunious would-be travellers on the ground. Is computer reservation system low-fare searching compatible with reasonable "load management" by airlines? Who should take the risks in reservation-system design, consumers looking for low fares or airlines looking for efficiency? Mark Seecof <marks@latimes.com>, Publishing Systems Dept., Los Angeles Times
[...] There are estimates that one good nuke, exploded in near-space over
Kansas could fry most of the missile controls, computers, radios, phone
switches, smart weapons, late-model automobile engine electronics, ...
I think this logic might be a little backwards. If the first shot really does
neutralize everything larger than a rifle, then (as many have pointed out in
other contexts) this is a strong motive for a first strike. This fact is in
turn a strong motive for a policy of launch-on-warning. The destabilizing
results, though, are proportionate to the state of knowledge about EMP, or
rather to our perception of the other folks' perception of ... . With any luck
the darn things will be scrapped soon.
Phil Agre, UCSD
Actually, I agree with Phil Agre that the initial reaction of the military mind
would be to go to a launch on warning policy, and that the military leader's
usual scenario is that he rides it out in the bunker while we take damage, but
manage to pound the enemy into the stone age. I didn't mention that most of our
subs would still be around to throw some weight in after the initial salvo,
making it potentially a long war.
What I think really scares the brass is the possibility that each side would
try a strike, fry a few missile sites, but also 95% of each other's consumer
electronics and military CCC (Command, Control, and Communication) circuits,
and face a completely hostile home population with a relatively impotent
military force, and a few subs capable of nuclear war only. I can see the
entire population of Denver, relatively unscathed but for their cars, TV's,
Walkmans and PCs walking out to "The Mountain" with shovels in hand, and a
couple of hemp ropes.
This is not the kind of scenario you can model on a wargame computer, but I'm
sure it's run through the generals minds at least once. The Soviets are getting
a version of this right now, except substitute "economic planning" for "nukes"
as the catalyst.
Phil's right though; the more we learn about nuclear war, it seems the less we
know; that realization is probably the biggest deterrent.
Tom Faller
Jeremy Grodberg may be correct in assailing my article, but he assails the wrong thing. I may have misused the term ``False positive rate.'' Roughly 10% of MSAFP tests are positive; very few of those tests are true positives. My source is the pamphlet on MSAFP passed out by our obstetrician, which does not use the phrase "false positive rate." I don't have it immediately to hand, but a paraphrase would go: ``1 in 10 MSAFP tests are positive. In the vast majority of cases, this means nothing. If you have a positive MSAFP, your doctor will recommend amniocentesis to make sure that your baby is healthy.'' Other phrases: MSAFP detects about 2/3 of neural tube defects and about 1/3 of cases of Down's syndrome. By the way, I also had my figures confirmed by my friendly genetic counsellor at Strong Hospital. Am I alone in feeling that phrases like ``False positive rate,'' although they may have unambiguous technical definitions, are misleading in normal use? Mark Fulk [You are not alone. There are some people who prefer TYPE ONE ERRORS and TYPE TWO ERRORS to False Positives and False Negatives. PGN]
First, if we consider only the risk of Down Syndrome and not other conditions which alter MSAFP, approximately 1 in 800 term deliveries have the disease. The age-specific risk (=incidence) at birth ranges from 1:1700 at age 20 to about 1:30 at age 45. The risk of spontaneous abortion with amniocentesis is generally estimated between 0.5% and 1%. Second, MSAFP is used as a screening test, not a diagnostic test. Roughly speaking, a screening test is used to obtain a more accurate person-specific risk estimate. The MSAFP results can affect the risk estimate by a factor of four in either direction. Third, Mr Grodberg takes Mr Fulk to task for incorrectly interpreting the term "False positive rate". Unfortunately, the term has *no* unambiguous meaning, and is routinely used to refer to either of two rates, depending on which is more appropriate to the setting. I have seen standard books in epidemiology define the term differently, and th only safe course is to avoid the term altogether or to be careful in defining it. "False positives" (N+) are people without the disease (N) with a positive test (+). As such, they are a subset of people without the disease. They are also a subset of the people who will have a positive test result. If we are interested in the effect of screening on a population, we are interested in FPR1 = (N+)/(N), the fraction of normals who will falsely be screened positive. On the other hand, if we are interested in how much credence to give to a positive result, we are interested in the FPR2 = (N+)/(+) = 1 - Positive Predictive Value. The second formulation concerns the diagnostic value of the test, when applied in a particular population. The greater the prevalence of the disease in this population, the greater the fraction of positive testers who actually have the disease. In the case of MSAFP, the a "positive" result occurs when the risk, adjusted for age and MSAFP level, exceeds some threshold (1:250 is often used). Individual physicians and patients may well select other thresholds. Using the typical value for the threshold, about 5% of normals will screen positive, and about 30% of Down cases would be detected. In point of fact, then, Mr Fulk's assumption was closer to the truth than Mr Grodberg's. But the point is similar: (1) Bad data may result in less than optimal decisions (2) Bad statistics may result in less than optimal decisions (3) It helps to make damn certain that the other guy is actually saying what you think he is. Ron Thisted Department of Statistics/The University of Chicago
<>Incidentally, the designers of ASCII wrought better than we might think. The ESCAPE character is supposedly intended to allow a system to insert non-ASCII characters (to "escape" from the ASCII set). Pity it's never used that way.<< What, you've never heard of ANSI? What of the attempt at international chrs in THAT set? Dose this count for nothing? I know of damn few DOS systems that do not have an ANSI driver mounted at all times....
The moldy political odor rising from some of the remarks about ASCII and limited character sets recently published in RISKS bothers me a lot. ASCII is not some poison forced down non-English speakers' throats at gunpoint. It is not an evil scheme to enforce American cultural hegemony on long-suffering Europeans, or Asians, or anybody. Dammit, people did and do buy all that ASCII-based software and firmware of their own free will. When it doesn't suit them, they buy something else or roll their own. We're lucky we've got 8-bit 8859 and 7-bit ASCII instead of a 6-bit code like CDC used to use (ever look at Jensen+Wirth, the "Pascal User Manual and Report"?). Soon we'll have wider codes. The falling price of computer storage, both core and secondary (e.g., disk), alleviates the pressure to keep character representations small (in terms of bits). It would not have been rational to use 16- or 32-bit chars on a machine like the 1401 or PDP-8; so how many of those fancy latin-characters-with-diacriticals (of little use in the States) would you have expected U.S. developers to support on yesterday's hardware? And you can forget other alphabets or ideographic systems. The risk here lies in imputing political meaning to technical decisions taken long ago which were quite rationally based upon the technical constraints felt at the time. People tend to think of a computer as some magic thing; if it doesn't do what they want they suppose that the system developers were wicked or subject to sinister influences. It just isn't so... As customers demand and are willing to PAY FOR computer stuff which works with more characters, various writing directions, context-dependent writing schemes, etc., the world's vendors are making it available. Don't dismiss the cost factor--a developer in the U.S. might have to demand a lot of money from a client in Yemen to make it worthwhile diverting his scarce manpower and short time into making an Arabic version of some software. Some people whine about the fact that one package or another which they want to use isn't "internationalized" but those people are rarely willing to pay the cost of "internationalizing" (or merely "other-nationalizing") the stuff just for them. Vendors looking to do well in markets outside the U.S. and the British Commonwealth do make efforts to accomodate their customers. As the problem of data interchange across linguistic or orthographic boundaries grows with improved data communications, people work on schemes like DPIS10646 for characters and other, fancier schemes for non-English orthographies and to support message translation. Mark Seecof <marks@latimes.com>
Please report problems with the web pages to the maintainer