The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 28

Friday 22 July 1994

Contents

o Hoods Hit the Highway
Jon Loeliger
o Dutch police victim of phone-tapping criminals
Ralph Moonen
o As the Worm Turns--Ant-icipating Problems
Mich Kabay
o It's a real world out there, and the Internet is part of it.
Phil Agre
o Automated mail listserver causes "Spamming" on the Internet
Jean Renard Ward
o Leahy Statement on Gore Statement on Clipper
Marc Rotenberg
o Privacy Journal this month
Robert Ellis Smith
o CFP: IEEE Symposium on Security and Privacy
Catherine A. Meadows
o Info on RISKS (comp.risks)

Hoods Hit the Highway

Jon Loeliger <jdl@healthcare.com>
Fri, 22 Jul 1994 09:49:25 -0500
From Jon Loeliger, Healthcare Communications Inc.  jdl@healthcare.com

Hoods Hit the Highway; Computer users warned of scams

By Charlotte Anne Lucas
Austin Bureau of The Dallas Morning News
Dallas Morning News, 1 July 1994,
REPRINTED WITH PERMISSION OF THE DALLAS MORNING NEWS

AUSTIN -- Computer users, beware: Driving on the information highway,
it's possible to get fleeced.

Scam artists have hit cyberspace, offering high-tech ponzi schemes,
sending illegal electronic chain letters and hyping virtually worthless
stock, according to state securities regulators across the nation.

In Texas, regulators say an Austin retiree lost $10,000 in a fake mutual
fund deal sold by a man who promoted his "money managing" skills through
an on-line computer service.

"The danger here is that cyberspace, which could be a beneficial way for
consumers to do a better job of informing themselves, will instead be
discredited as a haven for fast-buck artists," said Denise Voigt
Crawford, the Texas Securities Commissioner.

In New Jersey and Missouri on Thursday, securities regulators filed
cease and desist orders against promoters who used computer links to
tout allegedly fraudulent deals.  Texas regulators say it is likely that
they will seek an indictment in the case of the nonexistent mutual fund.

But with nearly 4 million computer users nationwide linked into
commercial computer services and 20 million people on the internet,
a world-wide computer network, "it is almost too big to police
effectively," said Jared Silverman, chief of the New Jersey Bureau of
Securities and chairman of a multi-state team that investigates computer
fraud.

In response, regulators in all 50 states issued a bulletin to
investigators, describing the potential frauds and listing steps small
investors can take to protect themselves.  "We're trying to tell people
to be careful," said Ms. Crawford, "there is a new fraud on the
horizon."

Although regulators are concerned about the problem, Ms. Crawford
acknowledges enforcement will be a challenge.  Because electronic
conversations, or E-mail, are considered private, "we don't know what
difficulties we are going to have getting subpoenas enforced or what
kind of cooperation we will get from (commercial bulletin board
systems)." [sic]

Officials say promoters tend to advertise offers or stock tips on the
financial bulletin board sections of on-line computer services such as
CompuServe, America Online and Prodigy, or in the specialized discussion
forums in the Internet.

Regulators said that of 75,000 messages posted on one computer service
bulletin board during a recent two-week period, 5,600 were devoted to
investment topics.  While some commercial computer bulletin board
services try to control the publicly posted investment tips, most do not
try to control most communications on the service.

What begins as innocent E-mail can end with an unwary investor "getting
cleaned out by high-tech schemers," said Ms. Crawford.

In Texas, the case under investigation began when an Austin retiree
posted a public note in a commercial bulletin board system looking for
conversations about the stock market, according to John A. Peralta,
deputy director of enforcement at the Texas Securities Board.

"He was contacted.  It turned into a private E-mail conversation, a
telephone conversation and then exchanges through the mail," said
Mr. Peralta.  But the person who promoted himself on the computer as a
skilled money manager turned out to be unlicensed -- and the mutual fund
the retiree invested in turned out to be nonexistent.

Mr. Peralta said at least one other person, not from Texas, invested
$90,000 in the same deal, "We are aware of two, but we don't really
know," he said.  "There may be dozens of victims."

Securities regulators began taking interest in on-line scams last fall,
after Mr. Silverman -- a computer junkie -- raised the issue at a
national meeting of regulators.  "I heard stories about things going on
on computer bulletin board services, and I have been monitoring these
things for close to a year," he said.

In fact, the New Jersey case came from Mr. Silverman's off-hours cruising
of an on-line service.  "I sit at a keyboard two hours a day -- to the
chagrin of my wife -- scanning these things," he said.

What he found was a promoter pushing an E-mail chain letter.  The
promoter, identified only as from San Antonio, claimed that in exchange
for $5, investors could earn $60,000 in three to six weeks.

Regulators said participants were told to send $1 to each of five people
on a list in the computer bulletin board, add their own name to the list
and post it on 10 different computer bulletin board sites.

That, regulators said in a statement, "amounted to a high-tech
variation on the old pyramid scam, which is barred by federal and state
laws."

In Missouri, regulators Thursday moved against an unlicensed stockbroker
for touting his services and "making duubious [sic] claims for stocks
not registered for sale in the state."  Among other things, regulators
said, the promoter falsely claimed that Donald Trump was a "major,
behind-the-scenes player in a tiny cruise line" whose stock he pitched.

Ms. Crawford said that while computer users may be sophisticated in some
ways, they still are attractive targets because they tend to have
discretionary income and frequently are looking for ways to invest their
money.

Some of the commercial services also allow users to use various aliases,
making it all the more difficult for investigators to figure out who
they are really communicating with.


Dutch police victim of phone-tapping criminals

Ralph Moonen <ralph@inter.nl.net>
Fri, 22 Jul 1994 11:59:33 +0200
Usually law enforcement's arguments for regulated encryption center around
their ability to tap criminals' conversations. In the Netherlands this
discussion has taken a whole new twist when Dutch newspaper De Telegraaf
laid hands on phone-tap recordings not from the police, but from
criminals who had tapped various high police officials' home and work
phones. Needless to say the newspaper published transcripts of the
recordings which proved to be quite interesting. (Proving police used
several illegal means of gathering evidence and revealing a lot of
internal trouble in the police dept.)

Soon after publication police officials called for more funding to be
able to buy encryption devices. Was this just naivety on the part of the
police to assume criminals couldn't wire-tap or was it an isolated
incident where the criminals got lucky? Evidence supports only the first
assumption. Hopefully this incident will lead to more discussion on
encryption technology. A while ago legislation was proposed to ban
encryption without having a permit for such devices. This proposal was
cut down in light of strong opposition from industry and commerce. After
that, no-one in the Netherlands really took up the issue, which I think
we all agree is one of the most important ones of the information age.

Oh, the RISK? I dunno, but I think it's obvious :-)

--Ralph


As the Worm Turns--Ant-icipating Problems

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
22 Jul 94 08:47:44 EDT
From the United Press International newswire (94.07.21 @ 12:17 EDST) via
CompuServe's Executive News Service (GO ENS):

Ants help BT improve computers

By SIMONA de LOGU

   "LONDON, July 21 (UPI) -- British Telecom scientists are exploring ways of
making computer programs more robust and adaptable by using ant colonies as
models for interactive programs that respond to changing conditions in computer
networks.
   A team of computer specialists based at BT's Martlesham Heath
laboratories in Ipswich, east England, has been studying research material
on ants for the past two years and using their findings on developing
programs."


Key points from the article:

o   "Our system is made up of small, autonomous, reactive, mobile
blocks of computer code that interact in a way derived from ant behavior,"
said scientist Simon Steward. "The control system that emerges from all of
these mobile software agents working together is inherently adaptable and
robust unlike normal computer programs."

o   The goal of the work is to prevent system crashes when an
unanticipated [PGN, please forbear] condition occurs.

o   The distributed computing model uses message-passing to coordinate
computation.

o   "The programs are mobile like ants, moving from one computer to
another, when needed."

o   After making software or parameter changes, the "mobile programs"
would "leave messages for other programs on how the system has been
adapted."

o   Modules will display "a certain amount of random behavior...."

o   The system will display heuristic, goal-seeking behaviour.


[Comments from MK follow:]

Programs that move from system to system are usually called worms.  The
work described above is related to Von Neumann's concepts of cellular
automata, and I guess would count as an example of "artificial life" or
a-life.  The idea that semi-autonomous computer programs would migrate
from place to place reminds one of the debate about "useful viruses."

I was getting antsy about this (the idea was really bugging me), so I
searched on "ant or ants" in the Ziff Computer Database Plus (GO COMPDB on
CompuServe) and located an article in Computergram International (June 10,
1994), p. 15 entitled, "British Telecom's research lab claims to have
found the fastest Travelling Salesman algorithm."  In this application,
which runs on a single RISC workstation, "The search algorithm is set in
motion on a problem to find the shortest travelling distance between
several cities, for example.  In effect a whole series of `ants' are
thrown on a map of the area and if the system doesn't find a destination
city, it dies, whereas if it does find a chosen destination city it `gives
birth' and grows."  A path is then established between cities.  The
algorithm is very fast--two seconds for a 100-point optimization problem
and 2.5 minutes for 1000 points.

All this is fascinating, and I naturally wondered about the implications
for system reliability.  Turning back to the UPI story, it seems to me
that there must be a lot of work to include quality assurance principles
into heuristic, semi-autonomous algorithms that change system or network
configuration.  The consequences of malfunction increase when the problems
occur in control structures e.g., a hole in your hose can swamp your lawn,
but a bug in your electronic shutoff valve that reverses inputs (off ->
on) can really put a bee in your bonnet.

One of the main objections to free-roaming software worms and viruses is
that they (themselves) offer no opportunity for a system manager or owner
to block their activity (one can usually do so with antivirus tools,
though).  When a system is seeded with these rogue programs, one never
knows what will flower.  Who wants untested software making changes in her
computer system?  Similarly, how do we cope with "genetic" algorithms that
spontaneously make changes in, say, operating system tables or even
executable code?  How does one test a real-time change in the operating
system?

It will be interesting to follow this work and see how concerns for reliability
are worked into this evolving field.

Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn


It's a real world out there, and the Internet is part of it.

Phil Agre <pagre@weber.ucsd.edu>
Fri, 22 Jul 1994 14:21:17 -0700
Many denizens of the Internet think of it as a place of untrammeled free
speech and decentralized democracy.  Evidence is accumulating that it's
more complicated than that.  Writing in the liberal journal _The Nation_,
Jon Wiener (a historian at UC Irvine who does a sort of investigative
journalism) outlines some of the complications.  The full reference is:

  Jon Wiener, Free Speech on the Internet, The Nation 258(23), 13 June
  1994, pages 825-828.

He describes the Karla Homolka trial in Canada, a group of Turks who swamp
newsgroups with automatic messages denying the Armenian genocide, gun
activists taking over alt.motherjones, libel suits provoked by on-line
statements, gender imbalances, abusive behavior by unreformed net-guys,
and more.  None of which means the net is bad; it just means the net is
part of reality.  At one level the Risk is computer-related: bad stuff can
happen on-line, just like in real life.  But the real Risk comes from
believing the hype: just because it's decentralized doesn't make it
democratic.  If we want democracy we have to actively make it.  Just like
in real life.

Phil Agre, UCSD


Automated mail listserver causes "Spamming" on the Internet

Jean Renard Ward <jrward@midget.ptltd.com>
Fri, 22 Jul 94 08:49:50 EDT
The past week I have been getting filled-out copies of a survey form completed
by beta users of the netsurf.com services.  Each day up to a half-dozen of
these forms would show up in my Internet mailbox.

Evidently the problem was caused by three factors: (1) the original survey form
had in the "cc:" field the listserv address for mailing to the entire beta
user group, (2) many of the beta users had "reply to all" set as the default
for their mailer software, and (3) the folks at netsurf.com had configured
their listserver to remail the incoming Emails with the completed forms back
out to the addresses on their beta user list.

The only interesting thing about getting the completed survey forms is
that most of the respondents to the survey seemed to be middle-aged males
with "erotica" as one of their interests in using the Internet.  Netsurf's
questionnaire specifically stated that they had no interest in invading
anyone's privacy, so that the questionnaire would be effectively
confidential, even though they could not guarantee that formally.

Notes Emailed to netsurf.com had no effect.  Finally, out of frustration,
I did a "reply to all" on one of the incoming forms with a note about the
problem back out to the same listserver.  Although this was an act of
"spamming" on its own, it did get the people at netsurf.com to address
(intentional pun) the problem.

A last note: I got a note from netsurf.com blaming __me__ and all those users
who had set "reply to all" as the default in their mail software for spamming
their beta user list, rather than admitting that they had overlooked the
possible effects of their listserver and mailing configuration.

By the way -- this is being sent with a cc: to netsurf.com.
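The three factors above combine into a broadcast loop only because the listserver
re-expands anything that arrives addressed to it. The following is an added
example, not netsurf.com's software or any real listserver: it shows the two
checks a remailer can apply before re-expanding a message, an announce-only
sender gate (only designated posters may reach the whole list) and a loop marker
stamped on every outgoing copy so that bounces or re-submissions of the list's
own output are dropped. The list address, the approved poster address, the
header names and the two sample messages are all constructed for illustration.

```python
"""Loop-safe list remailer, reduced to the redistribute/drop decision.

Added example; not netsurf.com's software.  Addresses, header names and
sample messages are hypothetical.
"""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from email.utils import parseaddr

LIST_ADDR = "beta-users@example.com"          # hypothetical list address
APPROVED_POSTERS = {"survey@example.com"}     # hypothetical announce-only posters
LOOP_HEADER = "X-Loop"                        # marker stamped on every outgoing copy


def _sender(msg: Message) -> str:
    """Bare address from the From: header, lower-cased for comparison."""
    return parseaddr(msg.get("From", ""))[1].lower()


def decide(raw: str) -> tuple[bool, str]:
    """Return (redistribute?, reason) for one message that arrived at the list."""
    msg = message_from_string(raw)

    # 1. Our own marker: this message is a copy the list already sent out
    #    (a bounce, an auto-reply, or someone resubmitting the expanded copy).
    if any(v.strip().lower() == LIST_ADDR for v in msg.get_all(LOOP_HEADER, [])):
        return False, "already carries our loop marker"

    # 2. Bulk/list traffic from any source is never re-expanded.
    if msg.get("Precedence", "").strip().lower() in ("list", "bulk", "junk"):
        return False, "bulk/list mail is never re-expanded"

    # 3. Announce-only gate: only designated posters reach the whole list.
    #    A subscriber's "reply to all" that happens to carry the list in Cc:
    #    fails here, which is exactly the case described in the posting above.
    sender = _sender(msg)
    if sender == LIST_ADDR:
        return False, "sender is the list itself"
    if sender not in APPROVED_POSTERS:
        return False, f"{sender} is not an approved poster"
    return True, "ok"


def expand(raw: str) -> str:
    """Produce the outgoing copy, marked so that its return is recognised."""
    msg = message_from_string(raw)
    msg[LOOP_HEADER] = LIST_ADDR
    msg["Precedence"] = "list"
    msg["List-Id"] = "Beta users <beta-users.example.com>"
    return msg.as_string()


# Constructed sample traffic modelled on the incident: the survey goes out
# with the list in Cc:, and a beta user answers it with "reply to all".
SURVEY = """From: Survey Desk <survey@example.com>
To: user1@example.net
Cc: beta-users@example.com
Subject: Beta survey

Please fill in and reply.
"""

REPLY_ALL = """From: user1@example.net
To: survey@example.com
Cc: beta-users@example.com
Subject: Re: Beta survey

Age: 45.  Interests: networking.
"""


def simulate() -> list[str]:
    """Run the three cases and return the remailer's verdict for each."""
    verdicts = []
    for label, raw in (("survey", SURVEY),
                       ("reply-all from subscriber", REPLY_ALL),
                       ("list's own output resubmitted", expand(SURVEY))):
        ok, why = decide(raw)
        verdicts.append(f"{label}: {'SEND' if ok else 'DROP'} ({why})")
    return verdicts


if __name__ == "__main__":
    for line in simulate():
        print(line)
```

The sender gate is the control that would have prevented the incident as
described: the survey form itself is accepted, but every completed form a
subscriber mails back with "reply to all" is refused before it fans out to the
beta list. The loop marker is the second, independent check that stops the
list's own output from being re-expanded should it ever come back.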


Leahy Statement on Gore Statement on Clipper

Marc Rotenberg <rotenberg@washofc.epic.org>
Fri, 22 Jul 1994 15:48:32 EST

                U.S. SENATOR PATRICK LEAHY, Vermont

                      STATEMENT OF PATRICK LEAHY ON
                VICE PRESIDENT GORE'S CLIPPER CHIP LETTER

                              July 21, 1994

     I have read the July 20th letter from the Vice President about the
Administration's current thinking on Clipper Chip and, to my mind, it
represents no change in policy.  In fact, when this letter was sent, I
would be surprised if the Administration even thought it was news.

     The letter makes clear to me that the Administration continues to
embrace key escrow encryption technology, and stands behind Clipper Chip
as a federal standard for telephone communications.  The official
standard makes clear that this standard applies to any communications
over telephone lines.  Those communications include not only voice, but
also low-speed computer data and facsimile messages.  The Administration
is working on encryption technologies for higher-speed transmissions,
such as for computer networks and video networks.

     The Vice President says that they want to work with industry to
design a key escrow system that could be implemented not just in
hardware, but also in software, that would be voluntary, exportable and
not rely upon a classified encoding formula.  The Administration said all
this last February when the federal standard was approved.  Yet, when
Administration witnesses were questioned about the progress they had made
in this effort at my Judiciary subcommittee hearing in early May, I
learned they had held only a few meetings.

     Last week, the Appropriations Committee accepted strong Report
language I suggested on Clipper Chip.  The Attorney General is directed
to report to Congress within four months on ten areas of concern about
Clipper Chip.

     I agree with the Vice President that balancing economic and privacy
needs with law enforcement and national security is not always an easy
task.  But we can do better than Clipper Chip.


Privacy Journal this month

Robert Ellis Smith <0005101719@mcimail.com>
Fri, 22 Jul 94 14:38 EST
Here are the headlines from the July 1994 PRIVACY JOURNAL:

DIVORCE LAWYERS FIND A SPOUSE'S PC A GOLD MINE

A TENTATIVE PROPOSAL FOR A NATIONAL ID CARD

AN ILLUSTRATION ON HOW MATT BLAZE DISCOVERED A HOLE IN CLIPPER

A NEW DATA BASE FOR BRADY GUN-CONTROL LAW

TWO PRIVACY CLEARINGHOUSES SEEK FUNDING

HOW VEGAS AND JERSEY KEEP A COMPUTERIZED EYE ON HIGH ROLLERS

A VICTIM OF E-MAIL PROFANITIES LOSES LAWSUIT

CALIFORNIA BEGINS NEW 'OPT-OUT' FOR CREDIT-CARD CUSTOMERS

Robert Ellis Smith/Publisher 401/274-7861, or 0005101719@mcimail.com

   [The all-caps format makes it begin to sound like a weekly tabloid.  PGN]


CFP: IEEE Symposium on Security and Privacy

Catherine A. Meadows <meadows@itd.nrl.navy.mil>
Fri, 22 Jul 94 17:27:46 EDT
                           CALL FOR PAPERS
1995 IEEE Symposium on                              May 8-10, 1995
Security and Privacy                        Oakland, California

                             sponsored by
  IEEE Computer Society Technical Committee on Security and Privacy
                         in cooperation with
    The International Association for Cryptologic Research (IACR)

The Symposium on Security and Privacy has for fifteen years been the
premier forum for the presentation of developments in computer security,
and for bringing together researchers and practitioners in the field.

This year, we seek to build on this tradition of excellence by
re-emphasizing work on engineering and applications as well as theoretical
advances.  We also seek to broaden the scope of the Symposium by
introducing new topics.  We want to hear not only about new theoretical
results, but also about work in the design and implementation of secure
systems and work on policy relating to system security.  We are
particularly interested in papers on policy and technical issues relating
to privacy in the context of the information infrastructure, papers that
relate software and system engineering technology to the design of secure
systems, and papers on hardware and architectural support for secure
systems.

The symposium will focus on technical aspects of security and privacy as
they arise in commercial and industrial applications, as well as in
government and military systems.  It will address advances in the theory,
design, implementation, analysis, and application of secure computer
systems, and in the integration and reconciliation of security and privacy
with other critical system properties such as reliability and safety.
Topics in which papers and panel session proposals are invited include,
but are not limited to, the following:


Secure systems                            Privacy issues         Access controls
Security verification                     Network security       Policy modeling
Information flow                          Authentication         Database security
Data integrity                            Security protocols     Viruses and worms
Auditing                                  Biometrics             Smartcards
Commercial and industrial security        Intrusion detection
Security and other critical system properties                    Distributed systems

A new feature of the symposium this year will be a special session of
very brief (5-minute) talks.  Our goal is to make it possible for us to
hear from people who are advancing the field in the areas of system
design and implementation, and who would like to present their ideas to
the symposium audience but may lack the time and resources needed to
prepare a full paper.  Submissions for this session will be accepted
up to five weeks before the symposium, to permit us to hear of the most
recent developments. Abstracts of these talks will be distributed at
the conference.

INSTRUCTIONS TO AUTHORS:

Send six copies of your paper and/or proposal for a panel session to
Catherine Meadows, Program Co-Chair, at the address given below.  Papers and
panel proposals must be received by November 7, 1994.  Papers, which
should include an abstract, must not exceed 7500 words.  The names and
affiliations of the authors should appear on a separate cover page
only, as a ``blind'' refereeing process is used.  Authors must certify
prior to December 25, 1994 that any and all necessary clearances
for publication have been obtained.

Papers must report original work that has not been published
previously, and is not under consideration for publication elsewhere.
Abstracts, overlength papers, electronic submissions, late
submissions, and papers that cannot be published in the proceedings
will be rejected without review.  Authors will be notified of
acceptance by January 16, 1995.  Camera-ready copies are due not later
than March 6, 1995.

Panel proposals should describe, in two pages or less, the objective of
the panel and the topic(s) to be addressed.  Names and addresses of
potential panelists (with position abstracts if possible) and of the
moderator should also be included.

Submitters of abstracts for the special session of five-minute talks
should submit one page abstracts to Catherine Meadows, program co-chair,
at the address given below.  Abstracts must be received by April 3, 1995.
Authors will be notified of acceptance or rejection of abstracts by April
17.  Submitted abstracts that are accepted will be distributed at the
conference.

The Symposium will also include informal poster sessions where preliminary
or speculative material, and descriptions or demonstrations of software,
may be presented.  Send one copy of your poster session paper to Carl
Landwehr, at the address given below, by January 31, 1995, together with
certification that any and all necessary clearances for presentation have
been obtained.

Also for the first time this year, we will attempt to counsel prospective
authors.  If you have questions about whether or how to present your work
to the symposium, please send e-mail to the Chair
(landwehr@itd.nrl.navy.mil), and we will do our best to assist you.

Information about this conference will also be available by anonymous
ftp from chacs.itd.nrl.navy.mil in directory /pub/SP95, by World Wide Web from
http://www.itd.nrl.navy.mil/ITD/5540/announce/SP95.html,
or by sending email to sp95@itd.nrl.navy.mil.

PROGRAM COMMITTEE

Ross Anderson, Cambridge University, UK
Steve Bellovin, AT&T, USA
Tom Berson, Anagram Laboratories, USA
Oliver Costich, Independent Consultant, USA
George Dinolt, Loral, USA
Cristi Garvey, TRW, USA
Li Gong, SRI, USA
Sushil Jajodia, GMU, USA
Steve Kent, BBN, USA
Steve Lipner, TIS, USA
Teresa Lunt, ARPA/CSTO, USA
John McLean, NRL, USA
Jonathan Millen, Mitre, USA
Birgit Pfitzmann, Universität Hildesheim, Germany
Sylvan Pinsky, DoD, USA
Michael Reiter, AT&T, USA
Jaisook Rho, TIS, USA
Peter Ryan, DRA, UK
Tom Schubert, Portland State University, USA
Paul Syverson, NRL, USA
Vijay Varadharajan, HP, UK
Raphael Yahalom, Hebrew University, Israel

For further information concerning the symposium, contact:

  Carl Landwehr, General Chair       Catherine Meadows, Program Co-Chair
  Naval Research Lab., Code 5542     Naval Research Laboratory, Code 5543
  4555 Overlook Ave., SW             4555 Overlook Ave., SW
  Washington DC 20375, USA           Washington DC 20375, USA
  Tel: +1 (202) 404-8888             Tel: +1 (202) 767-3490
  FAX: +1 (202) 404-7942             FAX: +1 (202) 404-7942
  landwehr@itd.nrl.navy.mil          meadows@itd.nrl.navy.mil

  Dale Johnson, Vice Chair           John McHugh, Program Co-Chair
  The MITRE Corporation              Computer Science Department
  Mailstop A156                      Portland State University
  202 Burlington Rd                  P.O. Box 751
  Bedford, MA 01730-1420, USA        Portland OR 97207-0751, USA
  Tel: +1 617-271-8894               Tel: +1 (503) 725-5842
  Fax: +1 617-271-3816               Fax: +1 (503) 725-3211
  dmj@mitre.org                      mchugh@cs.pdx.edu

  Charles Payne, Treasurer
  Naval Research Lab., Code 5542
  4555 Overlook Ave., SW
  Washington DC 20375, USA
  Tel: +1 (202) 404-8763
  FAX: +1 (202) 404-7942
  payne@itd.nrl.navy.mil

  Peter Ryan, European Contact       Jim Gray, Asia/Pacific Contact
  Defence Research Agency            Department of Computer Science
  Room NX17                          Hong Kong Univ. of Science & Technology
  St Andrew's Rd                     Clear Water Bay, Kowloon, Hong Kong
  Malvern                            Tel: +852 358-7012
  Worcs WR14 3PS, UK                 Fax: +852 358-1477
  Tel +44 (0684) 895845              gray@cs.ust.hk
  Fax +44 (0684) 894303
  ryan@rivers.dra.hmg.gb
