Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The attached article about a new digital phone service, about to be launched
in the UK, is from the Monday, Sept 6, 1993, issue of The Independent. Also in
this issue was a two page advertisement for the new service - the text of this
is also attached. My understanding is that the new equipment produces
emissions that have characteristics that were not considered when the
regulations and guidelines (under which existing devices such as hearing aids
were designed) were laid down. If this is right, then the statement by the
providers of the new service that the problems are the responsibility of the
manufacturers of such devices would seem to be highly questionable. I await
with interest RISKs readers' reactions to the article (and the advertisement).
Brian Randell, Dept. of Computing Science, University of Newcastle, Newcastle
upon Tyne, NE1 7RU, UK Brian.Randell@newcastle.ac.uk PHONE = +44 91 222 7923
===========
PHONES - THREAT TO HEARING AID USERS
Mary Fagan
More than two million people who are deaf or hard of hearing face distress and
discomfort with the launch this autumn of new digital mobile telephone
equipment that interferes with hearing aids, according to the Royal National
Institute for the Deaf. The telephones could also cause interference if used
close to computer screens, and there is speculation that they could cause
problems with other electronic equipment.
Last week, Vodafone launched a digital mobile telephone service and Mercury's
One-2-One digital service will be onstream within weeks. Cellnet hopes to
start a commercial service next year.
The new telephones send pulses of radio signal rather than the continuous
signal sent by existing analogue cellular telephones. According to the RNID,
when these pulsed signals are transmitted close to audio and video equipment
they are picked up in wiring, causing interference.
Mike Martin, the RNID's chief scientist, said hearing aid users standing up
to six feet from a handheld mobile phone could be affected. More powerful
car phones could affect pedestrians.
The telephones can cause people wearing hearing aids to hear a noise like a
bee buzzing. It can drown out other sound and cause pain and considerable
distress, a spokesman for the RNID said.
Cellnet and Vodafone admit there can be problems with hearing aids and
computer screens. But the companies say the problem is with the telephones
- which they do not manufacture - and with the equipment affected by them.
A spokesman for Vodafone said that the real problem was the standard of
hearing aids. In Germany, where there has been most experience with digital
telephony, no problems have been experienced.
A spokeswoman for Mercury One-2-One said that as the telephones used on
One-2-One were very low-power, only equipment very close by could be
affected.
-----
(Advt.)
LIBERTE'
The Freedom to make a call in total security
We have given you freedom. We have created a secure tomorrow for businessmen
and travellers both here and in Europe. New frontiers beckon. Vodafone
proudly announces EuroDigital. The most advanced and most secure mobile phone
network. So sophisticated that it can even be used to make and receive calls
in Europe in total security. EuroDigital represents a revolution in mobile
phone technology. A superior digital system that provides a top quality
service. A quality that doesn't falter, that doesn't break up. Line rental is
21.50 per month. UK call charges 25p per minute peak, 10p off peak. Only
Vodafone can offer this. Liberate yourself. Enjoy freedom of speech and
security. Rise above the rest. Call free, 0500 123 123 and ask for more
information. All prices are recommended and are exclusive of V.A.T.
VODAFONE
EuroDigital
Brussels, Belgium, September 8, 1993 (NB) — The Belgian office of Banque Nationale du Paris (BNP) has admitted it was the victim of a major computer fraud in June of this year, according to Belgian press sources. The AFP news agency reports that a total of BFr 245 million was taken in the computer fraud, although bank officials have now recovered the money and Police are holding two suspects. The two fraudsters used their direct computer access facilities to request debits from BNP accounts and switch the proceeds into their own bank accounts with other banks. According to BNP sources, auditors picked up the fraud when they carried out a routine series of checks on inter-bank transactions in June. As soon as the fraud was discovered, the third party banks were contacted and the money recovered. As a result of the fraud, BNP is carrying out an internal inquiry into how the frauds occurred and whether its security systems can be beefed up to prevent a recurrence.
I discovered (the hard way) that screen savers can be dangerous if you don't know what's running underneath them. Normally when you pop a disk into a Mac with a screen saver running, it stops the screen saver and presents you with whatever is running at the time. It so happened that when I stuck my disk into our Computer support person's machine, she had been running Apple's Disk Copy program, which once you get it started blindly accepts disks and makes a copy of the resident disk image. This is handy if you have lots of disks to make, but was fatal in my case, since my disk was completely erased. I did have copies on my hard disk, but... The moral of the story is don't stick your disk into a machine if you don't know what it's doing. Alan Munn <amunn@mizzou1.missouri.edu> Dept. of English University of Missouri, Columbia MO 65211 P.S. On a lighter note, windows without screens are also a risk. I swatted at a bug that came flying at me last night and my glasses flew out the window onto the grass (luckily) two stories below. Of course I couldn't look for them until I found them, so I had to call campus police to help out.
I was gratified to receive some 30 responses to my post "worrying about online education" (RISKS-14.86). Most were sympathetic, and the majority of those that were critical still made a point of saying that the subject is well worth discussing in forums like RISKS. That poses a problem for moderators, however, for I have to admit that the tendency of such discussions is almost always to violate the (desirable) standards enforced by the moderator. Looking at the division among USENET discussion groups between those that "get real work done" and those that pursue "philosophy," one is tempted to conclude that it's in the very nature of the net to disallow the sensitive and constructive exploration of complex or deep issues. The system is more suited for what we like to call the exchange of "information." Perhaps that is one of the risks! Well, I don't have any particular solution to offer. I find myself unable to tolerate the philosophical groups, but am still driven to pursue issues that seem slightly out of place in the more business-like groups. One thing this dilemma has done, however, is to push me toward the formulation of the most concise (business-like!) statement I could manage regarding the question, "Where should we look for technological risks?" To offer a parallel: anyone speaking about the effects of television upon society would probably no longer be content merely to point at a set of good (or bad) TV programs. There are deeper questions that require us to penetrate the medium itself, as well as our own natures. Perhaps the following 4 paragraphs--representing my attempt to answer the question voiced above--will interest some members of this group. Obviously, such a statement can only be a preface to particular studies, but it seems to me worth keeping in mind. As always, I welcome critical comment. Steve Talbott stevet@ora.com ######################################################################### In assessing the complex "symbiosis" between man and machine, it will hardly do to look for external cause and effect. Every contrivance, from the plow to the hydrogen bomb, expresses something within *us*. If we extend ourselves in our mechanical tools, we also meet ourselves in them. At the same time, just as the corporation seems to gain a life and tendency of its own, independent of its employees, so too the machine can become almost willful in its reaction upon its creators. "To someone who possesses only a hammer, everything begins to look like a nail." It is important, nevertheless, to recognize ourselves in this willfulness, even if doing so requires a bit of painful psychological excavation. The machine's double existence as an expression of the human being and as an independent force is most fully realized in the computer. Just consider those several disciplines--psychology, linguistics, philosophy, artificial intelligence--whose natural confluence has given us the remarkable developments in cognitive science. Here the pressing question is not so much, "How are computers expressions of ourselves?" as it is the much balder, "Are computers selves?" We who produce such devices cannot escape our own most intimate responsibility for the planet's rapidly crystallizing, electromechanical nimbus, nor can we escape the prospect of its increasing--and potentially threatening--independence and self-will. All this is to say, in a nutshell, that if we cannot point to any simple determination of society by machines, neither can we claim straightforward human control of the effects of those machines. We and our mechanical offspring are bound together in an increasingly tight weave. This has one clear implication: to substantially modify the larger pattern--rather than simply be carried along by it--requires profound analysis of things not immediately evident, and a difficult effort to change things not easily changed. If it is only by a certain self-awareness and an inner adjustment that I can restrict the hammer in my hands to its proper role, I must multiply the effort a millionfold when dealing with a vastly more complex technology--one endowed in a much more powerful sense with its own willful tendencies. Steve Talbott stevet@ora.com ######################################################################## Copyright 1993 Stephen L. Talbott. You may freely redistribute these remarks on a not-for-profit basis so long as this notice and the remarks themselves are left fully intact and unedited. ########################################################################
> ...It seems to me that in designing a complex program that requires > privileges, the complex part and the privileged part should be separated... I agree with this statement, but find another conclusion/RISK. This is the risk of having security mechanisms that are too cumbersome to be used easily. Following the example given, classical UNIX provides only the setuid mechanism for increasing the access of a program, and setuid always applies to an entire program. Thus, if a program must run partially as root, the only way to avoid having it ALL run as root is to divide it up into communicating processes. Depending on the application, this is not always easy to do. If you want security, you have to make it easy to be secure. For example, if a setuid program had to explicitly enable and disable the setuid access (running otherwise as the user who invoked it), the body of code that needed to be carefully checked to verify security would be significantly diminished; a loophole in another part of the program could not compromise the entire system's security. - Geof
>Ideally, the worst the complex code can do to you is give you a core dump
Back in 1988 I was writing a program which connected to a finger server.
I knew enough about UNIX at the time to go to the real documentation: the
source code for fingerd. I noticed a fixed size buffer, and verified that
sending a long string would make fingerd crash. Just a core dump, right?
And fingerd is restarted by inetd for each new request, so there is no
denial of service. I thought so, and didn't follow up.
A few months later everyone learned that there were worse side effects.
Think of a core dump as the best thing that can happen when your program goes
wrong, not the worst. If you want a program to dump core under certain
conditions, call abort(). Don't depend on memory corruption to do the job
right.
--John Carr (jfc@athena.mit.edu)
[On the other hand, getting a system to dump core can be
gold mine of information for a malicious attacker... P.]
Perhaps someone else has provided the reference, but there is a very well-written science fiction novel which explores vividly and in some detail the concept of "offshore data haven". This is "Islands in the Net", by Bruce Sterling, a well-known author in the "cyberpunk" genre. The point of the book is that an international "black market" in information about individuals is inevitable and unstoppable. I highly recommend the book. Don't let the foolish cover illustration put you off. Fred Baube (tm) GU/MSFS/88 baube@optiplan.fi
The interesting to me about this report is the nuance of ownership of the data. Presumably the "legitimate owners" of the data are wroth since only they are allowed to sell, or otherwise profit from, our privacy. We're already embroiled in a continuing dispute over a restricted form of data termed "intellectual property" and we've been unable to resolve even relatively simple issues in that regard. So it's interesting to contemplate how one "owner" of data would proceed against some other "owner" of data for "stealing" the former's data. Whose name is on the data? Owner #1, owner #2, or your name, or my name? What risks are we running here? Possibly 1) Financial loss to owner #1 2) Financial loss to owner #2 3) Loss of privacy to third party 4) Onerous litigation that burdens everybody 5) Foolish laws passed by Congress Given the noted ability of our courts to resolve current intellectual property imbroglios (microcode and program copyrights), a paraphrase of Mark Twain's comment is probably appropriate: no one's life or property is safe while court is in session. There are so many potential victims and litigants that circumscribing risks may defy our meager abilities. Maybe the best thing to do is just to ignore off-shore data havens, since the cures and the would-be doctors are all worse than the disease. And you can get the data for a price right now, anyway.
> I apologize for my son, he's 20 month old, yet he needed less than
> 20 second on the floor to break the UPS down...
Anyone else reminded of this entry in the Jargon File?
:molly-guard: /mol'ee-gard/ [University of Illinois] n. A shield
to prevent tripping of some {Big Red Switch} by clumsy or
ignorant hands. Originally used of the plexiglass covers
improvised for the BRS on an IBM 4341 after a programmer's toddler
daughter (named Molly) frobbed it twice in one day. Later
generalized to covers over stop/reset switches on disk drives and
networking equipment.
Mark Brader ...the scariest words of the afternoon:
SoftQuad Inc., Toronto "Hey, don't worry, I've read all about
utzoo!sq!msb, msb@sq.com doing this sort of thing!" — Vernor Vinge
Mary Shafer writes on Thu, 26 Aug 93 15:40:49 PDT (RISKS-14.89): >As far as I can tell, the real problem was control-surface rate limiting. >Cf. the YF-22 crash and the Space Shuttle ALT-5 multi-axis PIO. > >I've flown a rate-limited configuration in a variable-stability Learjet >and it looked a lot the same, just before the safety trips gave the plane >back to the safety pilot. My flight experience is minimal, but in a small plane the maximum rate at which control surfaces can be moved is limited only by the pilot's strength and desire not to damage the plane. More importantly, there is a direct connection between the position of the control surface and the stick. I believe this form of feedback exists even on large planes that have hydraulically assisted control surfaces. Apparently, in fly-by-wire aircraft, there may not be much of a correlation between the position of the stick and the control surfaces. What used to be a closed-loop control system is now more open-loop. The aviation community must have done some studies on how this lack of feedback can effect pilots, especially during critical situations (when a pilot reverts back to his or her most fundamental training). Or was it just assumed that pilots would adapt to the new ``user interface''? — Mark Mark Stalzer, Hughes Research Labs RL65, 3011 Malibu Canyon Rd, Malibu CA 90265 E-Mail: stalzer@macaw.hrl.hac.com Voice: 310-317-5581 FAX: 310-317-5483
Please report problems with the web pages to the maintainer