Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The following appeared in Unigram.X (a UK newsletter) and Market Watch (an electronic news clippings service). On my request, permission has been granted to reproduce this item in RISKS provided that the full text, up to and including the line beginning with several = signs, is included. Clive D.W. Feather, IXI Ltd, Vision Park, Cambridge CB4 4ZR UK clive@x.co.uk Phone: +44 223 236 555 Fax: +44 223 236 466 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SUN MICROSYSTEMS INC KNOWS WHY BRAZIL IS KNOWN TO ITS NATIVE INHABITANTS AS THE KINGDOM OF THE ANTS Computergram via First! — Sun Microsystems Inc knows why Brazil is known to its native inhabitants as the kingdom of the ants - it got an electronic mail message from its local representative down there asking how to get rid of bugs - ants nests to be precise: seems a user had turned his workstation off for a few days and on returning to power the thing up was greeted by some nasty crunching and popping sounds; opening the lid he was greeted by an army of ants whose nest-building had been rudely interrupted by his machine's Sparc CPU and disk subsystem coming to life; pest control was hurriedly dispatched and the system was soon up and running - Sun knows its stuff when it comes to bug-fixing. [07-08-93 at 14:38 EDT, Copyright 1993, Apt Data Services., File: g0708183.437] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Entire contents (C) 1993 by INDIVIDUAL, Inc., 84 Sherman Street, Cambridge, MA 02140 - Phone: 617-354-2230, FAX: 617-864-4066. Unauthorized electronic redistribution without prior written approval of INDIVIDUAL, Inc. is prohibited by law. Any authorized copy must carry in full the copyright notice of the information source, if any, of First! and of INDIVIDUAL, Inc. ==============[The End - First! (TM) - Your Smart News Agent]===============
Recently I have been working with the "World Wide Web," a project
designed to unite the various data resources on the internet into
a common web of information. The Web began a few years ago at
CERN. I am working at CERN as well, and some people who saw my
work or articles thought I was an official web project member.
So, on my 'signature' page ( http://info.cern.ch/roeber/fgmr.html )
I included a disclaimer:
Please note: <b>I am <i>not</i> an official member ...</b>.
The lingua franca of the web is HTML, or hypertext markup language, which is
based on SGML. The codes in angle brackets above are SGML, and stand for bold
and italics.
I looked at my page with my whiz-bang X-based web browser (NCSA Mosaic), and
sure enough the line appeared with nice bold and italicised words.
A short time later, I got a call from a somewhat annoyed web project guy,
demanding to know why I was claiming to be an offical member. It seems that
on his NeXT browser, the word "not" was mysteriously absent.
The problem was that his browser didn't support italics.
Why? Well, when the Web began it was "hypertext" based. Everything was
supposed to be simple, plain text accessible by everybody. Though HTML was
based on SGML, this was more to be "standard" than to support fancy markups.
The core team had a nice plan as to how they would expand, slowly and in step.
Then the NCSA came along, with their elegant multimedia X-based browser.
Suddenly the web became "hypermedia," and (as it supported much more of SGML),
even plain text could be marked up in much fancier ways. So people started
writing documents depending on the capabilities of NCSA Mosaic, leaving the
earlier browsers behind. In this case, that lapse changed the entire meaning
of a rather important sentence.
There are a few points here:
1) In important sentences of electronic documents, don't put
important words (like "not") in other fonts or representations.
2) In fact, avoid needless font and representation twiddling.
3) Don't assume everybody has the same advanced tools you do.
4) If you're going to use a standard, use *all* of the standard.
HTML is based on SGML. The <i> code is legitimate SGML.
5) If you can't represent a requested font, for pete's sake don't
just ignore the text! Put it up however you can. In this
case, when I protested my innocence, the other guy loaded up
the page on the old line-mode browser on the VM system. This
browser ignores virtually all markup commands, so the unadorned
sentence — including the 'not' — appeared.
6) If you launch a project in to the public, be prepared for
someone to take the ball and outrun you. You can't stay
firmly in control. This emphasizes point 4 — the whole point of
"standards" is so that when this happens, things are still compatible.
Frederick G. M. Roeber, CERN/PPE, 1211 Geneva 23, Switzerland
roeber@cern.ch or roeber@caltech.edu | work: +41 22 767 31 80
by Nancy G. Leveson, Professor of Computer Science and Engineering at University of Washington, and Clark S. Turner, doctoral student at University of California, Irvine. Pages 18 through 41 of the current (July 1993) issue of Computer. [The report from which this paper is drawn was noted in RISKS-14.04. PGN]
I have been handling some of my elderly mother's bills after her recent hospitalization. Since she is in an HMO (Health Maintenance Organization), she should not have had any bills other than for personal incidentals (tv, etc.). Yet, she kept getting bills from one medical testing lab. When I made an inquiry, the lab told me that the bills should have been paid by the HMO and that I should notify them, which I did. Several more bills came from the lab and several more inquiry calls were made. Yesterday, a letter came indicating that the account is delinquent and that it will be turned over to a collection agency unless paid immediately. I called and was told that their records indicated that the bill had not been paid. After pushing them a lot to review their records, they suddenly discovered that the bill had been paid by the HMO s more than a month ago. The clerk told me that there had been a *number of cases* recently where the computer had not recognized that a payment had been made and bills were automatically sent out. He told me that the computer problem ws being worked on. When I complained that the lab continued to send out bills even though they knew that some of them were false, he told me that all people had to do was to call the accounts department (it was an 800 number) and any errors would be corrected. However, if I had not insisted several times that the HMO had been notified and that they had paid the bill, the money would be owed by my mother. The end result is that this lab knows that there is a billing problem and they have continued to send out bills, some of which are erroneous. Their solution is that (often ill) people will know that the bill has been paid, will contact the billing office, will fight to ensure that the correct information is in the computer, and all will be resolved. Unfortunately, what will really happen is that some people will pay the bill even if they do not owe the money and others will have their credit history threatened if they cannot afford to pay the money. While this does not seem to fall under the legal definition of fraud, it may be illegal if the lab is billing with knowledge of a computer problem of this sort. I suspect that this problem is more common than recognized and that the lab is only one of a number of organizations that have decided that orderly processing of accounts is more important than correct billing of people. Computer glitch has become an excuse for financial manipulation and harming of people.
CALL FOR PAPERS AND PARTICIPANTS
The '93 International Software Safety Workshop
November 18-19, 1993
Computer Science Department
Mississippi State University
MS State, MS 39762
Tentative Sponsors:
The National Science Foundation (NSF)
The Oak Ridge Associated Universities (ORAU)
Mississippi State University (MSU)
In Cooperation with:
The American Society of Safety Engineers (ASSE)
This workshop's goal is to bring together researchers and practitioners from
academia, industry, and government in order to (1) enhance the transfer of
technology and communication, (2) examine current problems relating to
software safety research and practice, and (3) discuss and propose new
directions for software safety research and practice. The workshop's
organizers desire participation from all software-safety-impacted sectors
such as aviation, medicine, transportation, manufacturing, the military,
chemical processing, etc. The organizers also encourage participation by
both industrial and governmental individuals who manage, specify, design,
code, verify, or certify safety-critical software systems.
Additionally, this workshop seeks papers and presentations relating
specifically to software safety. A partial list of topics follows:
* Standards for developing and certifying safety-critical software
* Techniques for static and dynamic verification & validation
* Managerial issues and methods
* Case studies in software safety
* Experience reports dealing with software safety
* Tools, techniques, and methodologies
* Technology transfer between researchers and practitioners
* Improving cooperation and communication between researchers
and practitioners
* Software hazard analysis and safety-critical requirements
* Safety-critical designs
* Long-range goals and plans for software safety, and how best
to achieve them
* Preliminary results from recent research or practice
Authors wishing to submit a manuscript for possible presentation and
inclusion in the workshop's proceedings must submit five copies by
3-SEP-1993 of full-length papers (20 single-spaced pages maximum) or topics
for presentation (2 single-spaced pages maximum) to the workshop's general
chair at the address below:
Lon D. Gowen, Ph.D.
ISSW '93
Computer Science Department
Mississippi State University
P.O. Drawer CS
MS State, MS 39762
Phone: (601) 325-7508
Fax: (601) 325-8997
E-mail: gowen@cs.msstate.edu
In addition to the refereed papers and presentations, there will be
several invited papers and presentations. The organizers anticipate
presentations by the following organizations: FAA, FDA, FHWA, DoE, NASA, DLSF
Systems, McKinlay and Associates, plus others. Additionally, there will be
presentations by various academic researchers.
The annual workshop of the Centre for Software Reliability will be held this year in Amsterdam from 29th September to 1st October, co-hosted with the Japanese Union of Scientists and Engineers. The theme is "The Application of Software Metrics and Quality Assurance in Industry". Keynote speakers are Vic Basili, University of Maryland, and Yoshinori Iizuka, University of Tokyo. Programme and application form can be supplied in paper or electronic form. Under the Human Capital and Mobility scheme of the Commission for the European Community, 100% support is available for up to 15 delegates to attend from those areas of the EC which qualify for special support (which include Greece and Portugal). Applications are therefore particularly invited from people in these areas (although naturally, all applicants are very welcome!). Please respond preferably by e-mail. If you happen to know of anyone in one of the supported areas of Europe who might be interested but who does not receive e-mail or read the relevant lists, please pass the information on and ask them to respond by fax or snail-mail. Peter Mellor, Centre for Software Reliability, City University, Northampton Sq., London EC1V 0HB, UK. Tel: +44(0)71-477-8422 (Direct line to P. Mellor), Tel: +44(0)71-477-8421 (Direct line to Ms. C.A. Allen, Centre Manager), Fax: +44(0)71-477-8585 p.mellor@csr.city.ac.uk, c.a.allen@csr.city.ac.uk
In addition to the announcements in Risk Forum 14.60 (May 12,1993), concerning
SECURITY AND CONTROL OF INFORMATION TECHNOLOGY IN SOCIETY
IFIP WG 9.6 Working Conference, August 12-17, 1993
Venue: the conference ship M/S Ilich between Stockholm and St.Petersburg
here is an updated program of the "Russian Day" (St.Petersburg, August
14,1993) To my knowledge, this is the first time where plans for "Russian
ITSEC" may be compared to other suggestions (ITSEC, FC/FIPS), eg in related
contributions of Marshall Abrams and one EEC speaker. Klaus Brunnstein (May
28, 1993)
Saturday August 14: "Russian Day"
Part I: "IT and Security in Russia. Experts view"
-------------------------------------------------
"IT and Security in Russia"
E.V. Evtyushin (Russian Agency for New Information)
"IT vs. Security in Russia"
E.A. Musaev (Russian Agency for New Information Technologies)
"Problems of information protection in the Northwestern region of Russia"
P.A. Kuznetsov (Association for Information Protection "Confident")
Part II: "IT and Security in Russia - Commercial sector"
--------------------------------------------------------
"Bank requirements for Information Security"
TBD (Sberbank of Russia)
"Insurance Companies and Information Security"
TBD (Representative of an insurance company)
Part III: "It and Security in Russia - Public Sector"
-----------------------------------------------------
"The current state of INFOSEC legislation development in Russia"
A.P. Kurilo (State Technical Committee of Russia)
"The legal aspects of Digital Signature standardisation in Russian
Federation"
V.V. Markelov (Federal Agency of Government Communications and
Information)
"The Russian IT Security Evaluation Criteria"
Y.A. Timofeev (National Sub-committee on IT Security Techniques
Standardisation)
Part IV: "Western Developments in IT-Security"
----------------------------------------------
R.Hackworth (U.K.): "The OECD Guidelines on IT Security"
M.Abrams (USA): "From Orange Book to new US Criteria"
P.White (U.K.): "Drafting Security Policies"
TBD "INFOSEC Security Issues in the EC"
PRELIMINARY AGENDA
5th Computer Security Incident Handling Workshop
Sponsored by the Forum of Incident Response and Security Teams (FIRST)
August 10-13, 1993
St. Louis, MO
TUESDAY, August 10, 1993 Full-day Tutorials
1. Creating a Security Policy, presented by Charles Cresson Wood:
[no abstract available at time of posting]
2. Vulnerabilities of the IBM PC Architecture: Virus, Worms, Trojan
Horses, and Things That Go Bump In The Night
presented by A. Padgett Peterson:
An intensive look into the architecture of the IBM-PC and MS/PC-DOS --
What it is and why it was designed that way. An understanding of
assembly language and the interrupt structure of the Intel 80x86
processor is helpful.
The day will begin with the BIOS and what makes the PC a fully
functional computer before any higher operating system is introduced.
Next will be a discussion of the various operating systems, what they
add and what is masked. Finally, the role and effects of the PC and
various LAN configurations (peer-peer and client server) will be
examined with emphasis on the potential protection afforded by login
scripting and RIGHTS.
At each step, vulnerabilities will be examined and demonstrations made
of how malicious software exploits them. Demonstrations may include
STONED, MICHELANGELO, AZUSA, FORM, JERUSALEM, SUNDAY, 4096, and EXEBUG
viruses depending on time and equipment available.
On completion attendees will understand the vulnerabilities and how to
detect attempted exploitation using simple tools included with DOS
such as DEBUG and MEM.
3. Unix Security
presented by Matt Bishop:
Unix can be a secure operating system if the appropriate controls and
tools are used. However, it is difficult for even experienced system
administrators to know all the appropriate controls to use. This
tutorial covers the most important aspects of Unix security
administration, including internal and external controls, useful
tools, and administration techniques to develop better security.
Upon completion, Unix system administrators will have a better understanding
of vulnerabilities in Unix, and of methods to protect their systems.
WEDNESDAY, August 11, 1993
8:30 - 8:45 Opening Remarks - Rich Pethia (CERT/CC)
8:45 - 9:30 Keynote Speaker - Dr. Vinton Cerf (XXXX)
9:30 - 10:00 Break
10:00 - 12:00 International Issues - Computer networks and communication lines
span national borders. This session will focus on how computer
incidents may be handled in an international context, and on
some ways investigators can coordinate their efforts.
SPEAKERS:
Harry Onderwater (Dutch Federal Police)
John Austien (New Scotland Yard)
other speakers pending
12:00 - 1:30 Lunch with Presentations by various Response Teams
1:30 - 3:00 Professional Certification & Qualification - how do you know if
the people you hire for security work are qualified for the
job? How can we even know what the appropriate qualifications
are? The speakers in this session will discuss some approaches
to the problem for some segments of industry and government.
SPEAKERS:
Sally Meglathery ((ISC)2)
Lynn McNulty (NIST)
Genevieve Burns (ISSA)
3:00 - 3:30 Break
3:30 - 6:00 Incident Aftermath and Press Relations - What happens after an
incident has been discovered? What are some of the
consequences of dealing with law enforcement and the press?
This session will feature presentations on these issues, and
include a panel to answer audience questions.
SPEAKERS:
Laurie Sefton (Apple Computer)
Jeffrey Sebring (MITRE)
Terry McGillen (Software Engineering Institute)
John Markoff (NY Times)
Mike Alexander (InfoSecurity News)
7:00 - 9:00 Reception
THURSDAY August 12
8:30 - 10:00 Preserving Rights During an Investigation - During an
investigation, sometimes more damage is done by the
investigators than from the original incident. This session
reinforces the importance of respecting the rights of victims,
bystanders, and suspects while also gathering evidence that may
be used in legal or administrative actions.
SPEAKERS:
Mike Godwin (Electronic Frontiers Foundation)
Scott Charney (Department of Justice)
other speaker pending
10:00 - 10:30 Break
10:30 - 12:00 Coordinating an Investigation - What are the steps in an
investigation? When should law enforcement be called in? How
should evidence be preserved? Veteran investigators discuss
these questions. A panel will answer questions, time permitting.
SPEAKER:
Jim Settle (FBI)
other speakers pending
12:00 - 1:30 Special Interest Lunch
1:30 - 3:00 Liabilities and Insurance - You organize security measures but
a loss occurs. Can you somehow recover the cost of damages?
You investigate an incident, only to cause some incidental
damage. Can you be sued? This session examines these and
related questions.
SPEAKERS:
Mark Rasch (Arent Fox)
Bill Cook (Willian, Brinks, Olds, Hoffer, & Gibson)
Marr Haack (USF&G Insurance Companies)
3:00 - 3:15 Break
3:15 - 5:30 Incident Role Playing — An exercise by the attendees
to develop new insights into the process of
investigating a computer security incident.
Organized by Dr. Tom Longstaff of the CERT/CC.
7:30 - ? Birds of a Feather and Poster Sessions
FRIDAY August 13
8:30 - 10:00 Virus Incidents - How do you organize a successful virus
analysis and response group? The speakers in this session have
considerable experience ans success in doing exactly this. In
their talks, and subsequent panel, they will explain how to
organize computer virus response.
SPEAKERS:
Werner Uhrig (Macintosh Anti-virus Expert)
David Grisham (University of New Mexico)
Christoph Fischer (CARO)
Karen Picharczyk (LLNL/DoE CIAC)
Ken van Wyk (DISA/Virus-L)
10:00 - 10:15 Break
10:15 - 11:15 Databases - How do you store incident, suspect, and
vulnerability information safely, but still allow the
information to be used effectively? The speakers in this
session will share some of their insights and methods on this
topic.
SPEAKERS:
John Carr (CCTA)
Michael Higgins (DISA)
speaker pending
11:15 - 12:15 Threats - Part of incidence response is to anticipate riska and
threats. This session will focus on some likely trends and
possible new problems to be faced in computer security.
SPEAKERS:
Karl A. Seeger
speakers pending
12:15 - 12:30 Closing Remarks - Dennis Steinauer (NIST/FIRST)
12:30 - 2:00 Lunch
2:00 - 3:00 FIRST General Meeting and the Steering Committee Elections
3:00 - 4:00 FIRST Steering Committee Meeting
^^^^^^^^^^^^^^^^^^^^^Registration Information/Form Follows^^^^^^^^^^^^^^^^^^^^^
INQUIRES:
Direct questions concerning registration and payment to: Events at 412-268-6531
Direct general questions concerning the workshop to: Mary Alice "Sam" Toocheck
at 214-268-6933
Return to: Helen E. Joyce
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Facsimile: 412-268-7401
TERMS:
Please make checks or purchase orders payable to SEI/CMU. Credit cards are not
accepted. No refunds will be issued, substitutions are encouraged.
The registrations fee includes materials, continental breakfast, lunches (not
included on August 13), morning and afternoon breaks and an evening reception
on August 11. Completed registration materials must be received by the SEI no
later than July 10, 1993.
A minimum of 7 attendees are needed for each tutorial and there will be limit
of 50 attendees. You MUST indicate which tutorial you would like to attend and
an alternate if your first choice is full.
GOVERNMENT TERMS:
If your organization has not made prior arrangements for reimbursement of
workshop expenses, please provide authorization (1556) from your agency at the
time of registration.
GENERAL REGISTRATION INFORMATION:
Workshop................................. ..............$300.00
All registrations received after July 10, 1993..........$350.00
Tutorials (Must be registered by July, 10, 1993)........$190.00
[Yes, I know ... If you call today, tell them a RISKS issue with
this info did not come out until today. Maybe they can bend. PGN]
NAME:
TITLE:
COMPANY:
DIVISION:
ADDRESS:
CITY:
STATE:
ZIP:
BUSINESS PHONE:
EMERGENCY PHONE:
FACSIMILE NUMBER:
E-MAIL ADDRESS:
DIETARY/ACCESS REQUIREMENTS:
CITIZENSHIP: Are you a U.S. Citizen? YES/NO
Identify country where citizenship is held if not the U.S.:
(Note: there will be no classified information disclosed at this workshop.
There is no attendance restriction based on citizenship or other criteria.)
GENERAL HOTEL INFORMATION:
RATES: A block of rooms has been reserved at the Hyatt Regency at Union
Station, One St. Louis Union Station, St. Louis, Missouri 63103. The hotel
will hold these rooms until July 10, 1993. Hotel arrangements should be made
directly with the Hyatt, 314-231-1234. To receive the special rate of $65.00
per night, please mention the Fifth Computer Security Incident Handling
Workshop when making your hotel arrangements.
ACCOMMODATIONS: Six-story hotel featuring 540 guest rooms, including 20
suites. All rooms have individual climate control, direct-dial telephone with
message alert, color TV with cable and optional pay movies. Suites available
with wet bar. Hotel offers three floors of Regency accommodations, along with
a Hyatt Good Passport floor, and a special floor for women travelers.
LOCATION/TRANSPORTATION FACTS: Downtown hotel located in historic Union
Station one mile from Cervantes Convention Center and St. Louis Convention
Center and St. Louis Arch. Fifteen miles (30 minutes) from St. Louis Zoo.
DINING/ENTERTAINMENT: Italian Cuisine is features at Aldo's, the hotel's
full-service restaurant. Enjoy afternoon cocktails in the Grand Hall, an
open-air, six-story area featuring filigree work, fresco and stained glass
windows. The station Grille offers a chop house and seafood menu.
RECREATIONAL/AMUSEMENT FACILITIES: Seasonal outdoor swimming pool. Full
health club; sauna in both men's and women's locker rooms. Jogging maps are
available at the hotel front desk.
SERVICES/FACILITIES/SHOPS: Over 100 specialty shops throughout the hotel,
including men's and women's boutiques, children's toy shops and train stores.
Gene Spafford, COAST Project Director
Software Engineering Research Center & Dept. of Computer Sciences
Purdue University, W. Lafayette IN 47907-1398
Internet: spaf@cs.purdue.edu phone: (317) 494-7825
Please report problems with the web pages to the maintainer