The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 42

Friday 23 September 1994

Contents

o Power Outage in Russia?
Bradford Wetmore
o The Future of the Internet is Secure: Press Conference
Winn Schwartau
o Telephone background noise RISKS
Michael P. Gerlek
o Re: Uninterruptable Thought Patterns
A. Padgett Peterson
o Re: Computer disk crash causes misprinted ballots
Douglas W. Jones
o Re: Yet More daring tales of address disasters!
Steve Bellovin et al.
o Re: Address disasters
John Cantrell
Martin Ewing
o Re: Highest Quality Company Logos
Jim Prall
Gary Greene
Ray T. Stevens
o Call For Papers: 8th IEEE Computer Security Foundations Workshop 1994
Li Gong
o Info on RISKS (comp.risks)

Power Outage in Russia?

Brad R. Wetmore <Bradford.Wetmore@ebay.sun.com>
Fri, 23 Sep 1994 13:10:08 -0700
Did you hear about the plug getting pulled in Russia at a major missile site
not too long ago?  Apparently, the folks in charge didn't pay their electric
bill, so the company cut them off...backup generators took over.  One
wonders what happens if they also don't pay their rent...?  :)

It was in The New York Times not too long ago, and in the San Jose Murky News
this morning, Fri the 23rd.

Brad R. Wetmore, Computer Security Engineer, Sun Federal, Inc. MS UMIL06-94
2550 Garcia Ave., Mountain View, CA  94043-1100 (408) 276-5557 ext, x35557 int

  [The answer to Brad's wonder: rent asunder instead of rent us under.  PGN]


The Future of the Internet is Secure: Press Conference

"Winn Schwartau" <p00506@psilink.com>
Fri, 23 Sep 94 12:58:12 -0500
              The Future of the Internet is Secure!
          On October 11, 1994, The Internet Will Become
                  A Safe Place To Do Business.

                           Sidewinder:
               Internet Security That Strikes Back

The Internet is a dangerous place. Ask anyone.

     * Between 85-97% of all computer break-ins go undetected.
     * Industrial espionage is up 400% since the late 1980's.
     * Hacker attacks increase exponentially.
     * Over 1 million computer break-ins last year alone.
     * Theft of confidential information costs billions to
       America's financial infrastructure.
     * Privacy is almost nonexistent.

Yet, the Internet is the fastest growing segment of the National Information
Infrastructure.  Over 20 million users and businesses conduct global affairs
on the Internet today, and over 125 million will by the year 2000.

Join us to witness the technological breakthrough in internetworking that
finally makes the Internet a safe place to be.

              The future of the Internet is secure.
                          Come see how.


                        October 11, 1994
                            10:00 AM
                       National Press Club
                           Zenger Room
                          529 14St. NW
                      Washington, DC  20045
                     _Continental Breakfast_
                 RSVP

Presented by:
Secure Computing Corporation
2675 Long Lake Road
Roseville, MN  55112

For more information contact:

Interpact, Inc., Winn Schwartau, 813.393.6600  P00506@Psilink.Com

Secure Computing: Kevin Sorensen, 1.612.627.2800, 1.800.692.LOCK
Sorensen@Sctc.Com


telephone background noise RISKS

"Michael P. Gerlek" <gerlek@dat.cse.ogi.edu>
Thu, 22 Sep 1994 13:57:26 -0700
Just another horror story:

I called a major airline the other day to make reservations.  In the course of
my dialog with the agent she put me on hold for a minute or so while she
checked something, and I listened to the usual canned music interspersed with
promos for the airline.  Then, after more dialog with the agent, again she put
me on hold... but this time didn't switch on the music.

As I waited, I could clearly make out another reservations agent working in
the background: "yes, Mr. Smith, flight 234 from Portland to San Francisco..."


Re: Uninterruptable Thought Patterns (Agre, RISKS-16.41)

A. Padgett Peterson <padgett@tccslr.dnet.mmc.com>
Fri, 23 Sep 94 15:23:12 -0400
The falling ladder problem reminded me of something that happened at a
facility I was working at in Texas a number of years ago. Disaster planning
was taken very seriously and the facility had an emergency diesel generator
*and* backup battery supplies to hold the data center up in case the diesel
was hard to start.

Except for the dump truck that lost control while descending a rise, left the
road and slammed into the adjacent power pole.

The pole broke off at the base and fell onto the generator building, doing
grievous damage to the generator. The broken engine cooling & fuel lines added
to broken water mains to flood the battery room with a noxious mess (the
engine bay had a fuel loss containment system but it was not designed to cope
with a water main). Along the way, the fire control system triggered adding to
the mayhem.

Needless to say, the data center lost power rather suddenly.

Padgett

   [Rube Goldberg Strikes Again!  PGN]


Re: Computer disk crash causes misprinted ballots

Douglas W. Jones <jones@pyrite.cs.uiowa.edu>
22 Sep 1994 19:10:18 GMT
Lani Teshima-Miller, writing on Tue, 13 Sep 1994, commented on a computer
crash that led to misprinted ballots.  I'm a member of the Iowa State
Commission on Electronic Voting Machines (actually, the name is longer)
-- we oversee the approval by the state of voting systems.  Anyway ...

Last night, as it happens, I was reading the Federal Election Commission
standards document for electronic voting machinery, and I note that these
standards are generally very well thought out.  There were a few places
where, if anything, they seemed to require excessively expensive solutions
to problems, but few places where they seemed to be open to failures.

The standards mandate considerable fault tolerance in the systems actually
installed in polling places, whether they be mark-sense machines, punched card
machines, or direct recording computerized voting systems.  These have a
serious real-time response requirement -- they must work on election day, all
day.

The standards do not mandate a similar degree of fault-tolerance in
off-line systems, such as those used to prepare ballots.  What they do
mandate is a clear audit trail and strong safeguards against tampering.
In addition, they mandate provisions for many manual checks.  It is in
the latter area where the system in Hawaii clearly failed!

On taking delivery of a shipment of printed ballots, they should have been
inspected -- this means examining a sample ballot from every press run,
preferably from both ends of the run!  (Different press runs may have required
different ballot layouts, for example, by permuting the orders of candidate
names, as required in some contexts).  Furthermore, the workers at the polling
places, at setup time, are required to perform certain inspection tasks, for
example, by assuring themselves that the voting machine counters are all reset
to zero.

The system seems to be designed well; this error in Hawaii seems to be a human
error.  The risk we face is complacency "it's all computerized, these checks
in the system are just bureaucratic requirements, nothing ever goes wrong, so
we can skip this".  One of the fundamental requirements of a democratic system
is a corps of election workers who take the requirements for running an honest
election very seriously!  I cannot imagine any way to use automation to
eliminate this requirement.

Doug Jones  jones@cs.uiowa.edu


Re: Yet More daring tales of address disasters!

<smb@research.att.com>
Thu, 22 Sep 94 13:46:14 EDT
   [...] He moved and sent an address correction to a company in which he
   holds some stock.  The company acknowledged his change of address, but sent
   it to his *old* address.  [...]

In fact, in this case the company did exactly the right thing.  This is their
mechanism for discovering forged address changes.  If the request is false,
the true owner will receive a notice, and can take corrective action.  If the
request is genuine, the Post Office will forward the acknowledgment to the
proper place.
        --Steve Bellovin

    [This was also noted by
        Jim Horning <horning@src.dec.com>,
        Alan Miller <millera@mcs.com>,
        Craig_Everhart@transarc.com,
        Martin Ewing <martin.ewing@yale.edu>,
        Robert.L.Drysdale@dartmouth.edu,
        Patricia Shanahan <pats@equalizer.cray.com>,
        Nevin Liber <nevin@cs.arizona.edu>,
        James E. Leinweber <jiml@stovall.slh.wisc.edu>,
        ROBINSON_PAUL@tandem.com,
        Crystal Linn Trexel <ct2f+@andrew.cmu.edu>,
        Clark <MERRILL@stsci.edu>,
        John Sullivan <sullivan@geom.umn.edu>,
        Jim Berets <jberets@bbn.com>,
        Geoff Kuenning <geoff@ficus.cs.ucla.edu>,
    and they are still coming in...  But thus far NO ONE remarked
    on the problem that a bogus Change of Address form previously sent
    to the local Post Office would result in the acknowledgment being
    forwarded to the imposter instead of the victim.  Correction:
    Just after I wrote the above lines, I found a note from
        Charles Reichley <creichley@VNET.IBM.COM>,
    who suggested that the acknowledgement should be sent to BOTH the
    OLD and NEW addresses.  Congratulations to Charles, who gets the
    RISKS-ALERTNESS prize for today.  PGN]


Re: Address disasters

John Cantrell <cantrell@sparky1.aero.org>
Thu, 22 Sep 94 12:21:31 PDT
After reading Paul T. Keener's comment about a friend's receiving a change of
address acknowledgement from a company that was sent to his *old* address, I
was overcome with deja vu.

Wasn't it here in RISKS that I read about the scam of changing the address
for your credit-card bills so a thief could run up $$$$ without your
ever knowing about it (until it was too late, that is)?

I would rather get the info at the old address and then forwarded by the post
office than run the risk of having to correct an "unauthorized" change of
address with the trouble that goes with it.

cantrell@aero.org


Postal address disasters

Martin Ewing <martin.ewing@yale.edu>
Thu, 22 Sep 1994 15:22:27 -0400
[...] We had a related problem recently, when the US Post Office decided on
its own to return all our mail with a yellow computer-printed sticker saying
"Addressee moved - no forwarding address".  We only found out when my parents
called up to ask where we had gone.  Of course, our mail box being empty for
several days was definitely suspicious.  Our credit card company thought we'd
absconded, when they got their statement back, and there were other unpleasant
effects.

The P.O. was non-repentant, saying only they had had a new man on the
route.  At least they didn't blame it on the computer.

-Martin Ewing  (martin.ewing@yale.edu)  Yale University


Re: Highest Quality Company Logos (Lawrence, RISKS-16.41)

Jim Prall <sq!trigraph!jimp@uunet.uu.net>
Fri, 16 Sep 1994 14:15:09 -0400
>What a wonderful gift for con artists!

Well, it's not as crazy as it sound.  Lots of stores use the logos and company
identities of their suppliers in advertising.  E.g. if WalMart sells, say,
Timex watches, their flyer uses the official Timex logo on ads on the watch
page.

Service bureaus can get a substantial amount of work creating good, clean,
accurate electronic versions of such corporate identities for such
advertisers. Once in a while a corporation actually supplies its corporate
identity in electronic form, but so far this is rare. More common is a printed
identity book with specs and samples for several fixed sizes, vertical and
horizontal arrangement, and the Pantone color specs for corporate colors. Also
common is trying to get by working from old output; this makes a lot harder to
get a clean electronic logo.

Heaven help the creative director who starts to get creative with a supplier's
corporate identity. This is greatly frowned upon. The one risk is not knowing
the trade standards. If you display another company's identity, you better
match it 100%.

Jim Prall, Trigraph, Inc., Toronto, CANADA jimp%trigraph.uucp@csri.utoronto.ca


Re: Digital Logos (Denning RISKS-16.41 on Lawrence, RISKS-16.40)

Gary Greene <garyg@unity.sj.unisys.com>
23 Sep 1994 17:11:02 GMT
Peter Denning writes:

> ...  If TigerDirect has the explicit permission of the owners of
>the logos, all is well.  If not, then not only they, but anyone else using
>the logo without authorization, is breaking the law.  Anyone who would use
>a logo, authorization or no, to commit a fraud is also breaking the law.

What Peter says is technically true but ignores the doctrine of "fair use."
I've been a graphic artist for over 25 years.  Throughout that time there have
been clip-art books, either print and lately digital that provide libraries of
such logos for use in authorized situations.  Virtually all such books I am
aware of get their material directly from the trademark owners and therefore
are authorized, but a few have not.

A company certainly may impose and require that their logo not be distributed
within the trade in this manner.  But what does that gain them?  Then they
must supply such clip art to the artist.  In practice, many people authorized
to let advertising or some other use do not have easy access to their
company's style sheets, or simply don't think to provide them.  When the
advertising is created in-house this is not a problem since the art department
always has access to the style sheets, but a great deal of advertising is
created by contractors and specialty houses.

When that happens the artist is reduced to drawing them from memory or
making a fuzzy copy from the yellow pages.  Drawing from memory is usually
unsatisfactory.  The yellow pages are hardly much better.  And I have often
done both in my time.  Inclusion of such logos in a library is usually
considered "fair use" under the copyright law unless the copyright owner
specifically objects to the publisher.  Only the subsequent unauthorized
reuse of the logo in a specific advertisement or other publication would
constitute a violation of copyright and/or trademark.  Further, there are
other "fair use" situations that are also excepted, such as news and
personal photography (Amtrak derails! ...accompanied by footage of an
Amtrak emblazoned passenger car on its side... News at 11).

I will reiterate what Peter very rightly points out: anyone using a company's
logo in a fraudulent manner is breaking the law.

Gary Greene                 Santa Clara, CA.


Re: Digital Logos (Peter J Denning, Risks 16.41)

"Ray T. Stevens" <74074.1746@compuserve.com>
22 Sep 94 20:06:22 EDT
It may very well be that the DISTRIBUTION of these logos without the owner's
permission is legal [although USE may not be].  It would take a lawyer to
figure it out (and most likely two lawyers to make a debate on the subject).
In the printing industry we get books of clip art, and some of these books
contain a large number of Logos.  I can't believe that the people putting out
the books really got permission from everyone.  In fact, all of these books
that contain trademarks contain a disclaimer that says in legal gibberish that
you and darn well better have permission from the trademark holder before
using them.

The real risk I see is to the user who may not realize what they need to do
in order to be legal.  This is another case where technology has brought a
tool, which in the past required a specialist, directly to the users without
bringing with it the knowledge of using it properly.

   [This interpretation may indeed violate copyright law.  However, we
   are drifting beyond the scope of RISKS...  PGN]


Call For Papers: 8th IEEE Computer Security Foundations Workshop 1994

Li Gong <gong@csl.sri.com>
Thu, 22 Sep 94 15:45:53 -0700
                   Call For Papers
      8th IEEE Computer Security Foundations Workshop
                   June 13-15, 1995
                 County Kerry, Ireland
         Sponsored by the IEEE Computer Society

This workshop series brings together researchers in computer science to
examine foundational issues in computer security.  We are interested both in
papers that describe new results in the theories of computer security and in
papers and panels that explore open questions and raise fundamental concerns
about existing theories.

Possible topics include, but are not limited to:
   access control       authentication     data and system integrity
   database security    network security   distributed systems security
   security protocols   security models    formal methods for security
as well as foundational issues relating to other critical system
properties and in emerging areas such as ubiquitous computing.

The proceedings are published by the IEEE Computer Society and will be
available at the workshop.  Selected papers will be invited for
submission to the Journal of Computer Security.

Instructions for Participants: Workshop attendance will be by invitation only
and limited to about 35 participants.  Prospective participants should send 5
copies of a paper (limit 7500 words) or proposal for panel discussion to Li
Gong at the address below.  Please clearly identify the contact author and
provide email addresses and telephone numbers (both voice and fax).

Important Dates: Author's submission:         February 3, 1995
                 Notification of acceptance:  March 14, 1995
                 Camera-ready final papers:   April 3, 1995

Workshop Location: The Computer Security Foundations Workshop is known for its
peaceful rural setting, and in 1995 the workshop will be held at Dromquinna
Manor, County Kerry, which is situated on the South West coast of Ireland.
Built in 1850, and located in quiet picturesque countryside about 3 miles from
Kenmare town, Dromquinna Manor has its own private grounds of woodland and
lawns that sweep down to the sea.  The South West coast of Ireland claims some
of the most varied and spectacular scenery in the country, and the coastline,
sculptured by the ice-age and influenced by the warm waters of the Gulf
Stream, is steeped in ancient history and folklore.  This mountainous area has
an abundance of natural beauty and is enriched by sub-tropical flora produced
by the unusually warm and temperate climate.

The nearest international airports are Shannon and Cork.  There are direct
flights from North America to Shannon and Dublin, and from major European
cities (for example, London and Amsterdam) to Cork.  Connections from many
other cities can be best made by using London or Amsterdam or by availing of
the scheduled services from Dublin to Cork.  There are also car/passenger
ferries from the United Kingdom and Europe to Cork, Dublin and Rosslare.

For further information contact:

General Chair             Program Chair             Publications Chair
Simon Foley               Li Gong                   Joshua Guttman
Dept of Computer Science  SRI Computer Science Lab  The MITRE Corp.
University College        333 Ravenswood Avenue     202 Burlington Road
Cork                      Menlo Park, CA 94025      Bedford, MA 01730-1420
Ireland                   U.S.A.                    U.S.A.
+353 21-276871 x2929      +1 415-859-3232           +1 617-271-2654
s.foley@cs.ucc.ie         gong@csl.sri.com          guttman@mitre.org

More information at http://www.csl.sri.com/ieee-csfw/csfw.html.

Please report problems with the web pages to the maintainer

Top