Here's one paragraph of Erma Bombeck's humour column, The Kingston Whig-Standard, 28 March 1994. "I dropped by an airport washroom. In my stall, I wrestled with my jumpsuit, and in doing so the belt fell into the commode. Before I could retrieve it, the automatic flusher sucked it away and into the sewers of San Jose. I held my hands under the automatic water tap and went for a paper towel. I turned in time to see my handbag fall into the sink and activate the water. It proceeded to drown." The column also enumerates many other more familiar problems with automation. - Paul Colley firstname.lastname@example.org +1 613 545 3807 [Beware of the automatic handwringer. PGN]
Cable company adds unexpected Spice to subscriber's dinner hour.

A problem with a pay-per-view system caused all customers of the Greater Media Cable TV service in Worcester, Massachusetts to receive the unscrambled broadcast of an adult cable channel offered by the system. The Spice cable channel was unscrambled for 90 minutes between 6:00pm and 7:30pm on Monday March 28th. According to a representative of the cable company, Ed Goldstien, the cause of the glitch was not known and an investigation was in progress. Goldstien presented the cable company's apology and promise that it would not happen again to subscribers over the local radio station WXLO.

The Greater Media Cable system uses a call-in voice response system to allow customers to activate the pay-per-view stations offered by the system. The activation code for the customer's cable box is broadcast over the cable system to unscramble the selected pay-per-view offering. RISKS readers could speculate that this incident is an indication that a universal activation code must exist for all cable decoders in the system. We could further speculate that the voice response system could have broadcast this code in response to a pay-per-view request of a single subscriber if internal tables were faulty.

The RISK here is dependence on an automatic system to save cost when the cost of its failure is not taken into account.

Mike Carleton email@example.com
Washington Post Staff Writer John Schwartz has published a moving and insightful article entitled, "Game Boy." It explores the life and death of an eighteen-year-old man addicted to cyberspace role-playing. I have asked Mr Schwartz for permission to post the original article in its entirety. For the time being, here's a brief summary.
Software theft statistics
"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
29 Mar 94 12:59:16 EST

From the Associated Press newswire via Executive News Service on CompuServe (GO ENS): JEANNINE AVERSA, Associated Press Writer, reports on the Software Publishers Association's statistics concerning software theft. Key findings:

o Worldwide losses of $7.4 billion for business software in 1993.
o Rate is down 25% from $9.7 billion in 1992.
o Business software (spreadsheets, electronic mail, accounting and data base programs) sales revenues in 1993 were $6.8 billion.
o Companies whose employees make unauthorized copies or put single-copy programs on network servers account for the most frequent violations of software copyright.
o The SPA audited or initiated lawsuits against 245 companies, all of which were resolved out of court.
o Settlements totalled $3 million.
o Manufacturers in the U.S. lost $1.57 billion; Japan lost $650 million; France lost $435 million.
o Software theft grew fastest in India and Pakistan (up 95%); Korea and Brazil showed 89%, and Malaysia's theft grew 88%.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn
Risks of spelling checkers
John Girard <firstname.lastname@example.org>
Tue, 29 Mar 94 23:32 BST-1

I was recently quite shocked (UK: gob-smacked) to find that an event connected with my spell checker could have put me at risk of losing my job. I was editing a publication to be sent to several hundred of my client contacts, and had made a series of trivial spelling corrections, the last being a "replace". Sitting poised over the replace button, I was presented with the suggestion that the word "Goldman" (as in a large company we all know) should be replaced with "goddamn". The word processor involved was MS Word for the Macintosh. I then tested this on Word for Windows, and got the same result. (I have the `always suggest' option selected.)

This event scared me greatly, because it is easy to go unconscious in front of the mouse and press "replace" one too many times without realizing the result. I contacted my support agency and was told that "goddamn" is in the main dictionary, and that I could not delete it from the main dictionary. It was suggested that I program Goldman as a replacement to goddamn. Of course, defining a replacement in this one case does not assure me that the "bad" word will not be suggested in the future for other replacements. And, I have not yet encountered other unprofessional and undesirable word replacements which I would grudgingly agree that, in an academic sense, belong in the dictionary, but are a risk to my job. Yet, I wait in fear of these discoveries.

My concern here is that products such as word processors that are sold for use in "business" applications should either not freely suggest profane words in the main dictionary, or should have an option to leave them out or supply an extra warning. Obviously, the problem is further complicated by words or phrases that have different meanings in different countries even when the language seems otherwise equivalent.

Has anyone else had problems similar to this? Are there any alternative "business-oriented" main dictionaries which can be purchased to eliminate the risk? And, should I be obligated to live-with/fix this problem when purchasing a "business" product?

John Girard New Science Associates, Ltd./ UK
Re: Risks of spelling checkers (Girard, RISKS-15.71)
"Peter G. Neumann" <email@example.com>
Tue, 28 Mar 94 16:21:07 PST

The RISKS archives are full of cases such as transforming a Mafia "enforcer" into an "informer", "payout" into "peyote", "back in the black" to "back in the AfroAmerican", and many other garbles. And I just happen to notice a note from Abhijit Chaudhari <firstname.lastname@example.org> in the YUCKS digest (from email@example.com) noting that NeXTSTEP 3.0 Webster's barfs on "UNIX", and offers "unfix" instead. That is not Unix-friendly, although I distinctly recall Steve Jobs suggesting at the San Francisco birth announcement for NeXT that NeXT was UNIX-emulatable and UNIX-friendly (but that nobody would care once they had seen NeXT!). I wonder what that spelling corrector does to NeXT? Maybe it gets turned into a NeWT.
Busy-waiting woes
Darren Senn <firstname.lastname@example.org>
Tue, 29 Mar 1994 00:19:48 -0800 (PST)

A few years back, I was working as a student computer consultant at UC Santa Cruz. The San Diego Supercomputer Center was pulling itself up by its bootstraps, and a few of the researchers at UCSC had won grants of CPU time on SDSC's CRAY Y/MP. SDSC sent some of their tech. support staff up to Santa Cruz to give our researchers a quick introduction to UNICOS (CRAY's flavor of SYSV UNIX) and SDSC's special features. Needless to say, they didn't want to leave their tech support people in Santa Cruz, so they gave us a small grant for our consultants to use while learning their system. I was one of the lucky consultants who got to participate. So far so good.

At the same time, one of my friends was finishing up his physics thesis (a weird little study of aerodynamic surfaces), and had written a small flight simulator to do some of his calculations. This study was weird enough that my friend was calling his programs 'funny', 'goofy', 'damgoofy', etc. It was a simple program which simulated the flight of a plane for a short duration, and the user couldn't adjust any control surfaces after the program started. As a favor to him and as a convenient way to learn more about the Y/MP, I ported his program over to UNICOS. The program normally asked the user for its parameters when it started up, printed the results to the terminal, and waited for the user to hit return before quitting. The program was almost entirely math, so all I had to do was convert it to batch processing. Simple: just change a few scanf()'s to fscanf()'s, tweak a few paths, and we're all set.... Or so I thought. (ominous background music, please)

I ftp'd the files over to the cray, compiled them, and made a few short test runs. No problems. So I set it up to calculate 30 seconds of flight at 1ms intervals, and to print out the time when it started and stopped. Then I set it loose.

It was truly impressive watching those columns of numbers scrolling by. But alas, my next class was starting, so I couldn't wait for it to finish. I was capturing the output to a file anyway, so I just disconnected and went to my class. That was Friday evening.

Sunday morning rolls around, and I get rudely shaken from bed by a phone call at 7am! Imagine the nerve! hmph. It was SDSC's support staff calling. It seems that a renegade program had eaten up all the consultants' time grant by running continuously (100% CPU usage) for 35 hours in the interactive `batch` queue! Clearly this program was intended as some warped prank, considering it was called 'damgoofy'! Uh-oh.

I was sure there was some kind of mistake, so I rushed up to campus to see what had happened. It turns out that I had forgotten to remove the program's last gets(): that's the line which made the simulator wait for the user to hit return before quitting. That shouldn't have been a problem in itself, since the function should've immediately returned with an error after it discovered it had lost its terminal (when I logged out). It didn't. No problem, right? The program should've just stopped waiting for input, consuming no CPU resources. Nope. Under that version of UNICOS, the program was waiting in a busy-loop, uselessly using the CPU while it waited for input. :( Ooooops!

Luckily SDSC was nice to us, and the Y/MP was underutilized back then anyway, so they just refunded the money, my friend got an impressive simulation, and I got an anecdote. :)

Darren Senn Phone: (408) 988-2640 Snail: 620 Park View Drive #206 email@example.com Santa Clara, CA 95054
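The anecdote above turns on a "press return to quit" read that outlived its terminal. As an added example (not Darren Senn's program, which is not on the page, and not UNICOS's gets()), here is the input-wait written so that a detached batch job cannot end up spinning on input: the wait is skipped when stdin is not a terminal, and a read that hits EOF ends the wait instead of retrying. The function and enum names (`wait_for_return`, `WAIT_EOF`, and so on) are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <unistd.h>

/* Outcome of the "press return to quit" wait. */
enum wait_result { WAIT_GOT_LINE = 0, WAIT_EOF = 1, WAIT_SKIPPED = 2 };

/*
 * Consume one line from `in`, but only when the run is interactive.
 * The classic form `while (getc(in) != '\n');` never terminates once the
 * stream hits EOF, because getc keeps returning EOF rather than '\n'
 * (a busy loop in the program itself, independent of what the OS does).
 * Here EOF (terminal hung up, input file exhausted) ends the wait.
 */
enum wait_result wait_for_return(FILE *in, int interactive)
{
    int c;

    if (!interactive)
        return WAIT_SKIPPED;          /* batch job: nobody to wait for */

    while ((c = getc(in)) != '\n') {
        if (c == EOF)
            return WAIT_EOF;          /* do not retry: the reader is gone */
    }
    return WAIT_GOT_LINE;
}

/* stdin wrapper: treat the run as interactive only if stdin is a terminal. */
enum wait_result wait_for_return_stdin(void)
{
    return wait_for_return(stdin, isatty(fileno(stdin)));
}

int main(void)
{
    /* stand-in for the simulator's real work */
    puts("simulation finished");

    switch (wait_for_return_stdin()) {
    case WAIT_SKIPPED: puts("batch run, exiting");    break;
    case WAIT_EOF:     puts("input closed, exiting"); break;
    default:           puts("bye");                   break;
    }
    return 0;
}
```

Run it as `./a.out < /dev/null` or from a batch queue and it exits at once; run it from a terminal and it waits for one line. The isatty() check is what the port in the story lacked: the batch conversion changed the scanf()s but left the interactive wait in place.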
Recent useful newspaper pieces on crypto policy
"Lance J. Hoffman" <firstname.lastname@example.org>
Tue, 29 Mar 1994 14:01:51 -0500 (EST)

Two interesting newspaper articles on encryption policy recently appeared:

In The Australian, an influential national newspaper similar to The Guardian in the U. K. or The New York Times in the U. S., a large article describes the Clipper chip controversy including a bit more technical detail than is common for U. S. newspapers. Professor Bill Caelli of Queensland University of Technology's School of Data Communications is quoted as saying "Is Clipper the start of a more onerous agenda? Does Clipper represent attempts to outlaw the use of encryption in any form by the public unless he or she uses an 'approved' (and breakable) cipher system such as Clipper? This last question is a far darker scenario and goes to the very heart of freedom and privacy in a democratic society." — All this in The Australian of 29 March 1994.

In the New York Times of 26 March 1994, on the first page of the second section and wrapping around to page 26, there is an article "Collisions in Cyberspace on Data Encryption Plan" which starts "To paraphrase Oscar Wilde, the Clinton Administration threw a couple of its lions into a den of savage Daniels here this week" (now last week). That refers to the Fourth Conference on Computers, Freedom, and Privacy in Chicago, and the article appears under a wonderful photo of Emmanuel Goldstein, editor of 2600, clad in T-shirt, etc., talking with Frank Carey of Bell Labs, replete in coat and tie, but holding a beer bottle. The article goes on to describe an arrest of a man in the conference hotel (actually a conference attendee) who fit the description of fugitive hacker Kevin Mitnick and the rough go Dave Lytel of the President's Office of Science and Technology Policy had as the keynote speaker trying to defend Clipper.

Professor Lance J. Hoffman, Department of Electrical Eng. and Computer Science, The George Washington University, Washington, D. C. 20052 (202) 994-4955
Re: L.A. Phone Fire (Weinstein, RISKS-15.67)
Nevin Liber <email@example.com>
Tue, 29 Mar 1994 02:32:49 -0700 (MST)

We felt the effects here in Tucson, Arizona, 500 miles and another state away from Los Angeles. I went to the local grocery store to do some shopping and, you guessed it, they couldn't take my charge card because of that fire (they had notices posted throughout the store). I guess it's not just earthquakes anymore that have a rippling effect all the way to Arizona...
Re: The RISKs of Canadian Poodles using 911 (RISKS 15.70)
Shawn Mamros <firstname.lastname@example.org>
Tue, 29 Mar 94 10:55:27 EST

John Oram <email@example.com>, in RISKS 15.70:

>They had 911 on speed dial? Come on - that's inexcusable, given how easy it
>is to accidentally hit the wrong button on a phone.

Not when the phone manufacturer provides speed dial buttons explicitly labelled for that purpose. I own a General Electric phone (purchased about five years ago) that has three buttons on it labelled "Fire", "Police", and "Ambulance".

There are other risks associated with such a phone, in addition to that of pets (or small children) accidentally hitting one of those buttons. The buttons need to be programmed with the correct number, since 911 is not (yet) universal in the US. If the owner of a phone does not set the numbers for those buttons - or worse, moves without changing the numbers (where one of the old or new locations does not have 911) - one could picture a scenario where a guest is present, the phone's owner is incapacitated, and the guest tries to use the "Ambulance" button to contact same...

-Shawn Mamros firstname.lastname@example.org

[RISKS received a large number of messages on this topic, including those from Jay Schmidgall <jay@VNET.IBM.COM>, Jeff Nelson <email@example.com>, Nevin Liber <firstname.lastname@example.org>, Tom Russ <tar@ISI.EDU>, and Andrew Duane <email@example.com>, who noted built-in emergency features. The risks therein seem quite widespread. Also, Bob Peterson <firstname.lastname@example.org> noted the risks of defaults returning when batteries are replaced. PGN]
Banknotes and photocopiers
Mike Sullivan <74160.1134@CompuServe.COM>
29 Mar 94 00:12:24 EST

In RISKS-15.70, Tom Standage noted that some color photocopiers prevent forgery by reacting to the color shift in the ink. This seems similar to how our Xerox black-and-white copiers react to an American Express card. The cards apparently use two different inks for the pattern filling the face of the card, one of which is invisible to the copier, although both inks look identical to the eye. When photocopied, the card image bears the word VOID all over its face (this is the green card; haven't tried it with a gold or platinum one). Perhaps a similar technology is involved in preventing copying of currency.
Re: IRS persistence (Methvin, RISKS-15.70)
Robin Kenny <email@example.com>
Wed, 30 Mar 94 10:16:25 +1000

This is not a good idea. What happened to me, basically, was that I closed my old VISA account with the State Bank Victoria (Australia) with 4 cents credit, <CREDIT, not debit>, believing I was a good guy for not trying to get the money out - after all, it probably costs VISA $x per transaction.

Some years later I had occasion to apply for another VISA card... When trying to use my bank DEBIT card to pay for petrol a security alert was flashed to the operator and my card was seized. Using my ATM card showed no funds and my ATM card was seized. My PASSBOOK account had a security trigger fire when I presented it at the local branch...

It was all caused by the previous VISA account; the four cents was never allowed to be reabsorbed by the bank and my application for a new card found a bug in the validation software that said "there is a problem with this applicant". This automatically put a hold on all my finances! Even the home loan joint account was frozen. It took TEN WORKING DAYS for a human to finally backtrack to the root cause (the security re-asserted itself each night). I did get an official letter of explanation (I was beyond accepting apologies) on letter-head so future repercussions could be minimised.

What may happen to "dwm" could be something bizarre like being arrested by the IRS for undisclosed income, not so improbable as a friend had his 1987 tax refund assessed as income for 1988! (Did I read in RISKS about a person having $1M accidentally transferred into their savings account, now fighting it out with the bank over the $50,000 funds-transfer tax?)

[The original item was in RISKS-15.60. I don't recall seeing the transfer-tax item before. PGN]

Robin Kenny (firstname.lastname@example.org)
Preliminary Program: 7th IEEE Computer Security Foundations Workshop
Li Gong <email@example.com>
Tue, 29 Mar 94 10:33:56 -0800

[This workshop is by invitation of the General Chair only. To participate, please contact Professor Ravi Sandhu at firstname.lastname@example.org as early as possible since the number of spaces is very limited.]

7th IEEE Computer Security Foundations Workshop (CSFW-7)
(Preliminary Program)
Franconia, New Hampshire, June 14-16, 1994

Tuesday, June 14

8:50-9:00am — Welcoming Remarks
Ravi Sandhu (George Mason University, General Chair)
Li Gong (SRI, Program Chair)

9:00-10:30am — Non-Interference and Composability
Session chair: Jose Meseguer (SRI)
* Unwinding Forward Correctability
  Jonathan Millen (MITRE)
* A State-Based Approach to Non-Interference
  William Young and William Bevier (Computational Logic, Inc.)
* Combining Components and Policies
  George Dinolt, Lee Benzinger and Mark Yatabe (Loral)

11:00-12:00pm — Formal Methods and Semantics
Session chair: Simon Foley (University College Cork)
* Formal Methods for the Informal World
  Carol Muehrcke (Secure Computing Corporation)
* Formal Semantics of Rights and Confidentiality in Deductive Databases with General Integrity Constraints
  Adrian Spalka (University of Bonn)

12:00-2:00pm — Lunch Break and Croquet Tournament

2:00-3:00pm — Modeling
Session chair: Stewart Lee (University of Toronto)
* Confidentiality in a Replicated Architecture Trusted Database System: A Formal Model
  Oliver Costich, John McLean and John McDermott (Naval Research Lab)
* Conceptual Foundations for a Model of Task-based Authorizations
  Ravi Sandhu and Roshan Thomas (George Mason University)

3:30-5:00pm — Panel on "The General Write-Up Problem"
Panel moderator: John McDermott (Naval Research Lab)
Panelists: to be confirmed

Wednesday, June 15

9:00-10:30am — Cryptographic Protocol Analysis
Session chair: Virgil Gligor (University of Maryland)
* A Model of Computation for the NRL Protocol Analyzer
  Catherine Meadows (Naval Research Lab)
* AUTLOG — An Advanced Logic of Authentication
  Volker Kessler and Gabriele Riemer (Siemens, AG)
* Nonmonotonic Cryptographic Protocols
  Aviel Rubin and Peter Honeyman (University of Michigan)

11:00-12:00pm — Security Policies
Session chair: John McLean (Naval Research Lab)
* Formal Specification of Information Flow Security Policies and Their Enforcement in Security Critical Systems
  Ramesh Peri and William Wulf (University of Virginia)
* A Taxonomy of Security Properties for CCS
  Roberto Gorrieri and Riccardo Focardi (Universita di Bologna)

12:00-2:00pm — Lunch Break and Croquet Tournament

2:00-3:00pm — Access Control
Session chair: Joshua Guttman (MITRE)
* One-Representative Safety Analysis in the Non-Monotonic Transform Model
  Ravi Sandhu and Paul Ammann (George Mason University)
* Reasoning about Confidentiality Requirements
  Simon Foley (University College Cork, Ireland)

3:30-5:00pm — Panel on "Reconsidering the Role of the Reference Monitor"
* Redrawing the Security Perimeter of a Trusted System
  Dan Sterne and Glen Benson (Trusted Information Systems)
Panel moderator: Dan Sterne
Panelists: Len LaPadula (MITRE), Ravi Sandhu (GMU), Carl Landwehr (NRL), and Glenn Benson (TIS)

Thursday, June 16

9:00-10:30am — Protocol Security
Session chair: Michael Merritt (AT&T Bell Labs)
* Development of Authentication Protocols: Some Misconceptions and a New Approach
  Wenbo Mao and Colin Boyd (University of Manchester)
* A Taxonomy of Replay Attacks
  Paul Syverson (Naval Research Lab)
* Cryptographic Protocols Flaws
  Ulf Carlsen (Telecom Bretagne, France)

11:00-12:00pm — Workshop Business Meeting

12:00pm — Workshop Adjourns