The following appeared in Unigram.X (a UK newsletter) and Market Watch (an electronic news clippings service). On my request, permission has been granted to reproduce this item in RISKS provided that the full text, up to and including the line beginning with several = signs, is included. Clive D.W. Feather, IXI Ltd, Vision Park, Cambridge CB4 4ZR UK firstname.lastname@example.org Phone: +44 223 236 555 Fax: +44 223 236 466 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SUN MICROSYSTEMS INC KNOWS WHY BRAZIL IS KNOWN TO ITS NATIVE INHABITANTS AS THE KINGDOM OF THE ANTS Computergram via First! — Sun Microsystems Inc knows why Brazil is known to its native inhabitants as the kingdom of the ants - it got an electronic mail message from its local representative down there asking how to get rid of bugs - ants nests to be precise: seems a user had turned his workstation off for a few days and on returning to power the thing up was greeted by some nasty crunching and popping sounds; opening the lid he was greeted by an army of ants whose nest-building had been rudely interrupted by his machine's Sparc CPU and disk subsystem coming to life; pest control was hurriedly dispatched and the system was soon up and running - Sun knows its stuff when it comes to bug-fixing. [07-08-93 at 14:38 EDT, Copyright 1993, Apt Data Services., File: g0708183.437] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Entire contents (C) 1993 by INDIVIDUAL, Inc., 84 Sherman Street, Cambridge, MA 02140 - Phone: 617-354-2230, FAX: 617-864-4066. Unauthorized electronic redistribution without prior written approval of INDIVIDUAL, Inc. is prohibited by law. Any authorized copy must carry in full the copyright notice of the information source, if any, of First! and of INDIVIDUAL, Inc. ==============[The End - First! (TM) - Your Smart News Agent]===============
Recently I have been working with the "World Wide Web," a project designed to unite the various data resources on the internet into a common web of information. The Web began a few years ago at CERN. I am working at CERN as well, and some people who saw my work or articles thought I was an official web project member. So, on my 'signature' page ( http://info.cern.ch/roeber/fgmr.html ) I included a disclaimer: Please note: <b>I am <i>not</i> an official member ...</b>. The lingua franca of the web is HTML, or hypertext markup language, which is based on SGML. The codes in angle brackets above are SGML, and stand for bold and italics. I looked at my page with my whiz-bang X-based web browser (NCSA Mosaic), and sure enough the line appeared with nice bold and italicised words. A short time later, I got a call from a somewhat annoyed web project guy, demanding to know why I was claiming to be an offical member. It seems that on his NeXT browser, the word "not" was mysteriously absent. The problem was that his browser didn't support italics. Why? Well, when the Web began it was "hypertext" based. Everything was supposed to be simple, plain text accessible by everybody. Though HTML was based on SGML, this was more to be "standard" than to support fancy markups. The core team had a nice plan as to how they would expand, slowly and in step. Then the NCSA came along, with their elegant multimedia X-based browser. Suddenly the web became "hypermedia," and (as it supported much more of SGML), even plain text could be marked up in much fancier ways. So people started writing documents depending on the capabilities of NCSA Mosaic, leaving the earlier browsers behind. In this case, that lapse changed the entire meaning of a rather important sentence. There are a few points here: 1) In important sentences of electronic documents, don't put important words (like "not") in other fonts or representations. 2) In fact, avoid needless font and representation twiddling. 3) Don't assume everybody has the same advanced tools you do. 4) If you're going to use a standard, use *all* of the standard. HTML is based on SGML. The <i> code is legitimate SGML. 5) If you can't represent a requested font, for pete's sake don't just ignore the text! Put it up however you can. In this case, when I protested my innocence, the other guy loaded up the page on the old line-mode browser on the VM system. This browser ignores virtually all markup commands, so the unadorned sentence — including the 'not' — appeared. 6) If you launch a project in to the public, be prepared for someone to take the ball and outrun you. You can't stay firmly in control. This emphasizes point 4 — the whole point of "standards" is so that when this happens, things are still compatible. Frederick G. M. Roeber, CERN/PPE, 1211 Geneva 23, Switzerland email@example.com or firstname.lastname@example.org | work: +41 22 767 31 80
by Nancy G. Leveson, Professor of Computer Science and Engineering at University of Washington, and Clark S. Turner, doctoral student at University of California, Irvine. Pages 18 through 41 of the current (July 1993) issue of Computer. [The report from which this paper is drawn was noted in RISKS-14.04. PGN]
I have been handling some of my elderly mother's bills after her recent hospitalization. Since she is in an HMO (Health Maintenance Organization), she should not have had any bills other than for personal incidentals (tv, etc.). Yet, she kept getting bills from one medical testing lab. When I made an inquiry, the lab told me that the bills should have been paid by the HMO and that I should notify them, which I did. Several more bills came from the lab and several more inquiry calls were made. Yesterday, a letter came indicating that the account is delinquent and that it will be turned over to a collection agency unless paid immediately. I called and was told that their records indicated that the bill had not been paid. After pushing them a lot to review their records, they suddenly discovered that the bill had been paid by the HMO s more than a month ago. The clerk told me that there had been a *number of cases* recently where the computer had not recognized that a payment had been made and bills were automatically sent out. He told me that the computer problem ws being worked on. When I complained that the lab continued to send out bills even though they knew that some of them were false, he told me that all people had to do was to call the accounts department (it was an 800 number) and any errors would be corrected. However, if I had not insisted several times that the HMO had been notified and that they had paid the bill, the money would be owed by my mother. The end result is that this lab knows that there is a billing problem and they have continued to send out bills, some of which are erroneous. Their solution is that (often ill) people will know that the bill has been paid, will contact the billing office, will fight to ensure that the correct information is in the computer, and all will be resolved. Unfortunately, what will really happen is that some people will pay the bill even if they do not owe the money and others will have their credit history threatened if they cannot afford to pay the money. While this does not seem to fall under the legal definition of fraud, it may be illegal if the lab is billing with knowledge of a computer problem of this sort. I suspect that this problem is more common than recognized and that the lab is only one of a number of organizations that have decided that orderly processing of accounts is more important than correct billing of people. Computer glitch has become an excuse for financial manipulation and harming of people.
CALL FOR PAPERS AND PARTICIPANTS The '93 International Software Safety Workshop November 18-19, 1993 Computer Science Department Mississippi State University MS State, MS 39762 Tentative Sponsors: The National Science Foundation (NSF) The Oak Ridge Associated Universities (ORAU) Mississippi State University (MSU) In Cooperation with: The American Society of Safety Engineers (ASSE) This workshop's goal is to bring together researchers and practitioners from academia, industry, and government in order to (1) enhance the transfer of technology and communication, (2) examine current problems relating to software safety research and practice, and (3) discuss and propose new directions for software safety research and practice. The workshop's organizers desire participation from all software-safety-impacted sectors such as aviation, medicine, transportation, manufacturing, the military, chemical processing, etc. The organizers also encourage participation by both industrial and governmental individuals who manage, specify, design, code, verify, or certify safety-critical software systems. Additionally, this workshop seeks papers and presentations relating specifically to software safety. A partial list of topics follows: * Standards for developing and certifying safety-critical software * Techniques for static and dynamic verification & validation * Managerial issues and methods * Case studies in software safety * Experience reports dealing with software safety * Tools, techniques, and methodologies * Technology transfer between researchers and practitioners * Improving cooperation and communication between researchers and practitioners * Software hazard analysis and safety-critical requirements * Safety-critical designs * Long-range goals and plans for software safety, and how best to achieve them * Preliminary results from recent research or practice Authors wishing to submit a manuscript for possible presentation and inclusion in the workshop's proceedings must submit five copies by 3-SEP-1993 of full-length papers (20 single-spaced pages maximum) or topics for presentation (2 single-spaced pages maximum) to the workshop's general chair at the address below: Lon D. Gowen, Ph.D. ISSW '93 Computer Science Department Mississippi State University P.O. Drawer CS MS State, MS 39762 Phone: (601) 325-7508 Fax: (601) 325-8997 E-mail: email@example.com In addition to the refereed papers and presentations, there will be several invited papers and presentations. The organizers anticipate presentations by the following organizations: FAA, FDA, FHWA, DoE, NASA, DLSF Systems, McKinlay and Associates, plus others. Additionally, there will be presentations by various academic researchers.
The annual workshop of the Centre for Software Reliability will be held this year in Amsterdam from 29th September to 1st October, co-hosted with the Japanese Union of Scientists and Engineers. The theme is "The Application of Software Metrics and Quality Assurance in Industry". Keynote speakers are Vic Basili, University of Maryland, and Yoshinori Iizuka, University of Tokyo. Programme and application form can be supplied in paper or electronic form. Under the Human Capital and Mobility scheme of the Commission for the European Community, 100% support is available for up to 15 delegates to attend from those areas of the EC which qualify for special support (which include Greece and Portugal). Applications are therefore particularly invited from people in these areas (although naturally, all applicants are very welcome!). Please respond preferably by e-mail. If you happen to know of anyone in one of the supported areas of Europe who might be interested but who does not receive e-mail or read the relevant lists, please pass the information on and ask them to respond by fax or snail-mail. Peter Mellor, Centre for Software Reliability, City University, Northampton Sq., London EC1V 0HB, UK. Tel: +44(0)71-477-8422 (Direct line to P. Mellor), Tel: +44(0)71-477-8421 (Direct line to Ms. C.A. Allen, Centre Manager), Fax: +44(0)71-477-8585 firstname.lastname@example.org, email@example.com
In addition to the announcements in Risk Forum 14.60 (May 12,1993), concerning SECURITY AND CONTROL OF INFORMATION TECHNOLOGY IN SOCIETY IFIP WG 9.6 Working Conference, August 12-17, 1993 Venue: the conference ship M/S Ilich between Stockholm and St.Petersburg here is an updated program of the "Russian Day" (St.Petersburg, August 14,1993) To my knowledge, this is the first time where plans for "Russian ITSEC" may be compared to other suggestions (ITSEC, FC/FIPS), eg in related contributions of Marshall Abrams and one EEC speaker. Klaus Brunnstein (May 28, 1993) Saturday August 14: "Russian Day" Part I: "IT and Security in Russia. Experts view" ------------------------------------------------- "IT and Security in Russia" E.V. Evtyushin (Russian Agency for New Information) "IT vs. Security in Russia" E.A. Musaev (Russian Agency for New Information Technologies) "Problems of information protection in the Northwestern region of Russia" P.A. Kuznetsov (Association for Information Protection "Confident") Part II: "IT and Security in Russia - Commercial sector" -------------------------------------------------------- "Bank requirements for Information Security" TBD (Sberbank of Russia) "Insurance Companies and Information Security" TBD (Representative of an insurance company) Part III: "It and Security in Russia - Public Sector" ----------------------------------------------------- "The current state of INFOSEC legislation development in Russia" A.P. Kurilo (State Technical Committee of Russia) "The legal aspects of Digital Signature standardisation in Russian Federation" V.V. Markelov (Federal Agency of Government Communications and Information) "The Russian IT Security Evaluation Criteria" Y.A. Timofeev (National Sub-committee on IT Security Techniques Standardisation) Part IV: "Western Developments in IT-Security" ---------------------------------------------- R.Hackworth (U.K.): "The OECD Guidelines on IT Security" M.Abrams (USA): "From Orange Book to new US Criteria" P.White (U.K.): "Drafting Security Policies" TBD "INFOSEC Security Issues in the EC"
PRELIMINARY AGENDA 5th Computer Security Incident Handling Workshop Sponsored by the Forum of Incident Response and Security Teams (FIRST) August 10-13, 1993 St. Louis, MO TUESDAY, August 10, 1993 Full-day Tutorials 1. Creating a Security Policy, presented by Charles Cresson Wood: [no abstract available at time of posting] 2. Vulnerabilities of the IBM PC Architecture: Virus, Worms, Trojan Horses, and Things That Go Bump In The Night presented by A. Padgett Peterson: An intensive look into the architecture of the IBM-PC and MS/PC-DOS -- What it is and why it was designed that way. An understanding of assembly language and the interrupt structure of the Intel 80x86 processor is helpful. The day will begin with the BIOS and what makes the PC a fully functional computer before any higher operating system is introduced. Next will be a discussion of the various operating systems, what they add and what is masked. Finally, the role and effects of the PC and various LAN configurations (peer-peer and client server) will be examined with emphasis on the potential protection afforded by login scripting and RIGHTS. At each step, vulnerabilities will be examined and demonstrations made of how malicious software exploits them. Demonstrations may include STONED, MICHELANGELO, AZUSA, FORM, JERUSALEM, SUNDAY, 4096, and EXEBUG viruses depending on time and equipment available. On completion attendees will understand the vulnerabilities and how to detect attempted exploitation using simple tools included with DOS such as DEBUG and MEM. 3. Unix Security presented by Matt Bishop: Unix can be a secure operating system if the appropriate controls and tools are used. However, it is difficult for even experienced system administrators to know all the appropriate controls to use. This tutorial covers the most important aspects of Unix security administration, including internal and external controls, useful tools, and administration techniques to develop better security. Upon completion, Unix system administrators will have a better understanding of vulnerabilities in Unix, and of methods to protect their systems. WEDNESDAY, August 11, 1993 8:30 - 8:45 Opening Remarks - Rich Pethia (CERT/CC) 8:45 - 9:30 Keynote Speaker - Dr. Vinton Cerf (XXXX) 9:30 - 10:00 Break 10:00 - 12:00 International Issues - Computer networks and communication lines span national borders. This session will focus on how computer incidents may be handled in an international context, and on some ways investigators can coordinate their efforts. SPEAKERS: Harry Onderwater (Dutch Federal Police) John Austien (New Scotland Yard) other speakers pending 12:00 - 1:30 Lunch with Presentations by various Response Teams 1:30 - 3:00 Professional Certification & Qualification - how do you know if the people you hire for security work are qualified for the job? How can we even know what the appropriate qualifications are? The speakers in this session will discuss some approaches to the problem for some segments of industry and government. SPEAKERS: Sally Meglathery ((ISC)2) Lynn McNulty (NIST) Genevieve Burns (ISSA) 3:00 - 3:30 Break 3:30 - 6:00 Incident Aftermath and Press Relations - What happens after an incident has been discovered? What are some of the consequences of dealing with law enforcement and the press? This session will feature presentations on these issues, and include a panel to answer audience questions. SPEAKERS: Laurie Sefton (Apple Computer) Jeffrey Sebring (MITRE) Terry McGillen (Software Engineering Institute) John Markoff (NY Times) Mike Alexander (InfoSecurity News) 7:00 - 9:00 Reception THURSDAY August 12 8:30 - 10:00 Preserving Rights During an Investigation - During an investigation, sometimes more damage is done by the investigators than from the original incident. This session reinforces the importance of respecting the rights of victims, bystanders, and suspects while also gathering evidence that may be used in legal or administrative actions. SPEAKERS: Mike Godwin (Electronic Frontiers Foundation) Scott Charney (Department of Justice) other speaker pending 10:00 - 10:30 Break 10:30 - 12:00 Coordinating an Investigation - What are the steps in an investigation? When should law enforcement be called in? How should evidence be preserved? Veteran investigators discuss these questions. A panel will answer questions, time permitting. SPEAKER: Jim Settle (FBI) other speakers pending 12:00 - 1:30 Special Interest Lunch 1:30 - 3:00 Liabilities and Insurance - You organize security measures but a loss occurs. Can you somehow recover the cost of damages? You investigate an incident, only to cause some incidental damage. Can you be sued? This session examines these and related questions. SPEAKERS: Mark Rasch (Arent Fox) Bill Cook (Willian, Brinks, Olds, Hoffer, & Gibson) Marr Haack (USF&G Insurance Companies) 3:00 - 3:15 Break 3:15 - 5:30 Incident Role Playing — An exercise by the attendees to develop new insights into the process of investigating a computer security incident. Organized by Dr. Tom Longstaff of the CERT/CC. 7:30 - ? Birds of a Feather and Poster Sessions FRIDAY August 13 8:30 - 10:00 Virus Incidents - How do you organize a successful virus analysis and response group? The speakers in this session have considerable experience ans success in doing exactly this. In their talks, and subsequent panel, they will explain how to organize computer virus response. SPEAKERS: Werner Uhrig (Macintosh Anti-virus Expert) David Grisham (University of New Mexico) Christoph Fischer (CARO) Karen Picharczyk (LLNL/DoE CIAC) Ken van Wyk (DISA/Virus-L) 10:00 - 10:15 Break 10:15 - 11:15 Databases - How do you store incident, suspect, and vulnerability information safely, but still allow the information to be used effectively? The speakers in this session will share some of their insights and methods on this topic. SPEAKERS: John Carr (CCTA) Michael Higgins (DISA) speaker pending 11:15 - 12:15 Threats - Part of incidence response is to anticipate riska and threats. This session will focus on some likely trends and possible new problems to be faced in computer security. SPEAKERS: Karl A. Seeger speakers pending 12:15 - 12:30 Closing Remarks - Dennis Steinauer (NIST/FIRST) 12:30 - 2:00 Lunch 2:00 - 3:00 FIRST General Meeting and the Steering Committee Elections 3:00 - 4:00 FIRST Steering Committee Meeting ^^^^^^^^^^^^^^^^^^^^^Registration Information/Form Follows^^^^^^^^^^^^^^^^^^^^^ INQUIRES: Direct questions concerning registration and payment to: Events at 412-268-6531 Direct general questions concerning the workshop to: Mary Alice "Sam" Toocheck at 214-268-6933 Return to: Helen E. Joyce Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Facsimile: 412-268-7401 TERMS: Please make checks or purchase orders payable to SEI/CMU. Credit cards are not accepted. No refunds will be issued, substitutions are encouraged. The registrations fee includes materials, continental breakfast, lunches (not included on August 13), morning and afternoon breaks and an evening reception on August 11. Completed registration materials must be received by the SEI no later than July 10, 1993. A minimum of 7 attendees are needed for each tutorial and there will be limit of 50 attendees. You MUST indicate which tutorial you would like to attend and an alternate if your first choice is full. GOVERNMENT TERMS: If your organization has not made prior arrangements for reimbursement of workshop expenses, please provide authorization (1556) from your agency at the time of registration. GENERAL REGISTRATION INFORMATION: Workshop................................. ..............$300.00 All registrations received after July 10, 1993..........$350.00 Tutorials (Must be registered by July, 10, 1993)........$190.00 [Yes, I know ... If you call today, tell them a RISKS issue with this info did not come out until today. Maybe they can bend. PGN] NAME: TITLE: COMPANY: DIVISION: ADDRESS: CITY: STATE: ZIP: BUSINESS PHONE: EMERGENCY PHONE: FACSIMILE NUMBER: E-MAIL ADDRESS: DIETARY/ACCESS REQUIREMENTS: CITIZENSHIP: Are you a U.S. Citizen? YES/NO Identify country where citizenship is held if not the U.S.: (Note: there will be no classified information disclosed at this workshop. There is no attendance restriction based on citizenship or other criteria.) GENERAL HOTEL INFORMATION: RATES: A block of rooms has been reserved at the Hyatt Regency at Union Station, One St. Louis Union Station, St. Louis, Missouri 63103. The hotel will hold these rooms until July 10, 1993. Hotel arrangements should be made directly with the Hyatt, 314-231-1234. To receive the special rate of $65.00 per night, please mention the Fifth Computer Security Incident Handling Workshop when making your hotel arrangements. ACCOMMODATIONS: Six-story hotel featuring 540 guest rooms, including 20 suites. All rooms have individual climate control, direct-dial telephone with message alert, color TV with cable and optional pay movies. Suites available with wet bar. Hotel offers three floors of Regency accommodations, along with a Hyatt Good Passport floor, and a special floor for women travelers. LOCATION/TRANSPORTATION FACTS: Downtown hotel located in historic Union Station one mile from Cervantes Convention Center and St. Louis Convention Center and St. Louis Arch. Fifteen miles (30 minutes) from St. Louis Zoo. DINING/ENTERTAINMENT: Italian Cuisine is features at Aldo's, the hotel's full-service restaurant. Enjoy afternoon cocktails in the Grand Hall, an open-air, six-story area featuring filigree work, fresco and stained glass windows. The station Grille offers a chop house and seafood menu. RECREATIONAL/AMUSEMENT FACILITIES: Seasonal outdoor swimming pool. Full health club; sauna in both men's and women's locker rooms. Jogging maps are available at the hotel front desk. SERVICES/FACILITIES/SHOPS: Over 100 specialty shops throughout the hotel, including men's and women's boutiques, children's toy shops and train stores. Gene Spafford, COAST Project Director Software Engineering Research Center & Dept. of Computer Sciences Purdue University, W. Lafayette IN 47907-1398 Internet: firstname.lastname@example.org phone: (317) 494-7825
Please report problems with the web pages to the maintainer