The RISKS Digest
Volume 16 Issue 82

Friday, 17th February 1995

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

New York Parking Meters In Violation of Federal Law
A. Padgett Peterson
Big Brother in the Big House
Peter Wayner
Computer aids in predicting death
Lauren Wiener
Hacker Mitnick arrested
Jim Griffith
Computer addiction and the 6 O'Clock News
Rob Slade
New Area Codes & PBX Programs
Mich Kabay
E-mail risks
Vincent Gogan
Re: Self-disabling software
Bruce Johnson
Re: Invisible blue zone
David Stodolsky
CERT Advisory CA-95:04.NCSA.http.daemon.for.unix.vulnerability
Info on RISKS (comp.risks)

New York Parking Meters In Violation of Federal Law

A. Padgett Peterson <padgett@tccslr.dnet.mmc.com>
Wed, 15 Feb 95 15:32:24 -0500
Re: Notification on Self-Disabling Software (Jeremy Epstein)

This leads naturally to the following item:

  (1998): In a surprise move, federal marshals yesterday seized nearly nine
  million parking meters in New York City, citing violation of the Software
  Disability Act of 1996.  Consumer advocates praised the move, saying ``the
  meters all stopped working when the time ran out."  The Parking Violations
  Bureau issued protests that ``all motorists in NYC were issued a notice
  on 1 April 1975, along with the courtesy windshield cleaning."  However,
  these protests were not accepted, because the majority of motorists
  ticketed were not old enough to have had licenses at the time.

     [I guess April comes early in 1995.  PGN]


Big Brother in the Big House

Peter Wayner <pcw@access.digex.com>
Wed, 15 Feb 95 21:55:36 PST
The WSJ has a big article on the prison phone call business on Wednesday,
February 15, 1995. The article discusses how the major long-distance
companies court prisons because prisoners have nothing better to do than
spend heavily on phone calls.

But supplying phone service to prisons is not a risky job, because convicts
have a habit of phone and credit card fraud. They'll call an outside phone
number at random, con the person who answers into giving out a credit card
number, and then use that number to order goodies for themselves.

So, many prisons require the phone-service providers to provide anti-fraud
measures, which include tape-recording equipment and voice-print
identification. Some prisoners have their access to phones restricted, and
they try to use someone else's access codes.  The voice print identification
can nab these guys.  The technology is now being deployed.

All of this avoids the question of just what is prison in a world where the
apartments are smaller and telecommuting is more popular.  If prisoners can
dial out, conduct business, and even access the net, the walls seem filled
with virtual loopholes.

   [This also gives new meaning to ``Reach out and touch someone."  PGN]


Computer aids in predicting death

Lauren Wiener <lauren@reed.edu>
Thu, 16 Feb 95 21:28:46 -0800
From _The Oregonian_, 16 Feb 1995, p. D11:

Computer Aids in Predicting Death, by Mike Koller, AP, Philadelphia

[...] Using a new program, researchers say they are able to predict when a
terminally ill person will die with more accuracy than doctors using their
own judgment.  The study could help doctors determine which treatments
should be given to terminally ill patients and help decide when life-support
efforts should be stopped.  ``The computer remembers thousands and thousands
of cases and keeps the different risk factors in perspective," said Dr.
William A. Knaus of George Washington University.  Knaus led the study,
published in the Jan. 31 issue of the Annals of Internal Medicine.  ``And
when we included the survival estimate from the patient's own physician in
the model, the two together predicted time until death more accurately than
either alone," he said.  The program was developed from June 1989 to June
1991, using information from 4,301 patients.  It was tested from January
1992 to January 1994 on 4,028 patients, Knaus said.

The program, called SUPPORT (Study to Understand Prognoses and Preferences
for Outcomes and Risks of Treatments), focused on nine diseases and
conditions, such as liver disease, colon or lung cancer, heart or lung
disease and multiple organ failure.  Knaus said he was confident that
Support will prove reliable and eventually be expanded to predict death
rates for other diseases.  Seriously ill patients with a projected life
expectancy of six months were entered in the study when they were
hospitalized.  [...]

``Most adults say that if they are going to die within a year, they want
realistic estimates of their risks, both in the immediate future and during
the next few months," Knaus said.  ``This predictive tool is important for
its use for counseling very sick patients and their families."

However, not everyone agrees.  Toby Gordon, vice president for planning and
marketing at Johns Hopkins Hospital and Health Systems in Baltimore, said
the program raises questions.  ``Any information that helps us learn how to
better take care of patients -- in quality of care and quality of life --
makes a contribution," Gordon said.  ``But whether patients and their
families will want to use it is questionable."  He also questioned the
ramifications of being able to accurately predict death.  ``In the expansion
of computer-assisted technology we will see a proliferation of these
techniques, bringing into question ethics and rationing of care," he said.

The authors warned that the project has not been tested outside the strictly
controlled settings of teaching hospitals.  Its reliability in conventional
hospitals settings has not been established, they said.


Hacker Mitnick arrested

Jim Griffith <griffith@netcom.com>
Thu, 16 Feb 1995 23:37:24 -0800
KCBS Radio (San Francisco) reported tonight that The Well and Netcom
combined efforts, resulting in the arrest of 31-year-old hacker Kevin
Mitnick in Raleigh, North Carolina.  Both companies discovered large caches
of data being stored on their systems.  At the same time, "a well-known San
Diego consultant" discovered security breaches in his system.  This led to
vigorous efforts to track the hacker, and after 24-hour electronic
surveillance and at least one cellular phone trace, law enforcement
officials arrested Mitnick.  Mitnick's early escapades are chronicled in the
book _CYBERPUNK_ by Katie Hafner and NY Times reporter John Markoff, and, in
fact, Mitnick is accused of breaking into Markoff's computer.

Mitnick, a fugitive from justice, faces up to 30 years in prison for various
crimes, including allegedly breaking into NORAD computers.  Law enforcement
officials are now wrestling with jurisdictional issues, as Mitnick is wanted
for crimes in at least six different jurisdictions.

  [See excellent articles by John Markoff in *The New York Times*, 16 Feb
  (TWO) and 17 Feb 1995.  I could not begin to excerpt these three long
  articles, and of course cannot include them in their entirety.  But
  they are very well done.  PGN]


Computer addiction and the 6 O'Clock News

"Rob Slade, Social Convener to the Net" <roberts@mukluk.decus.ca>
Thu, 12 Jan 1995 15:09:02 EST   [TIMELY!  Yes, we are backlogged!]
Hello, my name's Rob, and I'm a ... a ... Netaholic.

They tell me a lot of you have a story like mine.  It started out with a
committee and someone at the local university offered me an account, just to
keep in touch, you know?  Then, somebody introduced me to "Computers and
Society".  I could handle that: it only came every week or so.  Then I got
into RISKS-FORUM and the IBM-PC Digest.  That pretty much guaranteed
something every day!  I was really smokin', man!  I thought I was just King
Modem!

In order to feed my habit, I started pushing.  I was porting Info-Mac to
local bulletin boards for access.time.  I started doing unmoderated lists.
Then a friend turned me on to Usenet.  By this time, I was doing about a
half a meg a day.

I was hooked, but I wouldn't admit it.  I told myself it was all
job-related.  I only read VIRUS-L in order to flog my book.  But why did I
have alt.best-of-usenet in my .newsrc?  My wife took to asking, "Is that in
real time or computer time," when I said I'd be offline in ten minutes.

I didn't recognize the danger signs.  I could tell people the first
alt.adjective.noun.verb.verb.verb group.  My wife left me when I started
introducing myself at parties as, "Hi!  roberts@decus.ca.  What's your
group?"  I started talking familiarly about people that my friends in
Vancouver had never met.  I started hoarding accounts.  When I found out I
could never match Bill Murray's two full columns on a business card, it was
a real bad trip.  I crashed for a week.

Then, it all fell apart.  My access provider started to go flaky.  I tried
Fidonet, but it just wasn't the same.  I ... I ... started reviewing
Internet books.  It wasn't a pretty sight.  Soon, I had two bookshelves
completely full.  *And* that little pile behind the door where I thought no
one could see ...

I finally realized I needed help.  As part of the twelve-step process, I'm
telling my story in public.  And I'm going to bust up my modem ... as soon
as I do this one more posting ...

     ___

Yes, I'm sarcastic.  It's an addiction, OK?

Yes, I believe we can all admit that computers can be very addictive.
Programming, itself, is as "moreish" as salted peanuts--and often has a
similar effect on the waistline.  Computers are relatively inexpensive, give
results with minimal training, are completely under the control of the user
(why else call them "personal" computers?) and don't require any particular
considerations.  But do they *cause* addiction?

Our society seems to be not merely predisposed to, but actually encouraging
of, obsessive behaviour.  The evidence is not limited to lone psychopaths,
the drug culture, cults and tragedies such as anorexia nervosa.  Amateur
"athletes" who constantly require medical intervention are considered
normal.  We don't *really* believe that a workaholic is a problem.  We
expect scientists to have no idea of culture and artists to have no idea of
technology.

Another newswire report of computer addiction, therefore, adds no new
information to the study.  We all know computers can be attractive--but we
all know that there is a difference between the fellow (usually male, isn't
it?)  who runs up enormous bills on the Compuserve CB simulator, and those
of us whose work or study requires as much online correspondence as we can
afford to give.  In many cases, the computer is not a cause but merely a
means.  If it were not the computer, it would be something else.  Recently a
co-worker happened to drop the comment that he didn't watch much TV--only
about five hours a day.  If that is OK (or even "not much"!) can I spend
five hours a day with the modem?  (Can I add an hour for social utility?  As
long as I promise not to use Mosaic?)

I am *not* saying that computer addiction cannot be a problem.  If it is,
however, let us give some thought to isolate and identify the difference.

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733


New Area Codes & PBX Programs

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
17 Feb 95 15:11:06 EST
An AP item on 17 Feb 1995 reported that many businesses in Washington state
and Alabama are having trouble receiving phone calls since new area codes
were introduced last month.  The new area codes, 360 in western Washington
and 334 in Alabama, are the first in the country not to use a one or zero as
the middle digit.  The item reports that PBXs reject area codes that include
anything but a 0 or a 1 in the middle position.  The problem will worsen
when additional area codes are installed in, among other regions, Los
Angeles, Denver, and Tampa.

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn
(Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)


E-mail risks (risk of many mail programs)

Vincent Gogan <vincent@cs.toronto.edu>
Wed, 15 Feb 1995 14:54:36 -0500
Most mail programs that I have dealt with share a flaw... they don't
indicate to whom a message will be actually sent.

This became particularly evident this Valentine's Day when I received a very
warm personal note thanking me for some beautiful flowers and indicating how
I always knew how to make this woman happy. This came as quite a surprise to
my wife (and myself)!

... Many a sitcom episode has started with a weaker premise than this.
Luckily, my wife would never have fit in with the Three's Company crowd
and all is well.

Still, this probably happened because of quite a simple error. This woman
either typed in an alias/nickname that didn't work or just typed the first
name of her suitor instead of his account name. In either case, the mail
program should have indicated to whom the message would be sent. For local
addresses (as this was), the actual name of the recipient (as opposed to the
account name) should be indicated.

Vincent Gogan  vincent@cs.toronto.edu


Re: Self-disabling software (Leichter, RISKS-16.80)

"Bruce Johnson" <JOHNSON@tonic.pharm.arizona.edu>
Thu, 16 Feb 1995 11:40:28 MST
    If a third party triggers the disable feature, or, even under the
right circumstances, the owner of the software (i.e., the client has paid, but
you disable it anyway), that is a felony in most states: theft by control,
i.e., embezzling.  If you hold the software to ransom through such an act, it's
also a felony.

    As a side note...this was used as a plot device in the movie "Single
White Female" a few years back, as a revenge sub-plot.

Bruce Johnson, University of Arizona, College of Pharmacy
Information Technology Group


Re: Invisible blue zone (Jonas, RISKS-16.81)

David Stodolsky <david@arch.ping.dk>
Thu, 16 Feb 95 23:03:51 +0100 (CET)
> The cancelbots then cancel those postings and I'm essentially barred from
> the internet.

Cancelbots are not normally being used to cancel spams. The articles are
typically selectively cancelled, often one copy will be left in a newsgroup
in which it is "on-topic". Non-spam posts by the same sender are not
affected.

   [Also noted by roeber@vxcern.cern.ch (Frederick G.M. Roeber).  PGN]

However, there is now a Call for Discussion (CFD) about reorganization of
the news hierarchy. This could, among other things, create a moderated
newsgroup, news.admin.net-abuse.announce, for the posting of announcements,
etc., related to abuse. Opponents fear that a moderated group would give the
announcements a stamp of authority that would lead to attacks on the
apparent abusers.

Axel Boldt is maintaining an "Internet Advertisers Blacklist".  To quote a
draft FAQ, "Administration of Cancel Messages": Axel Boldt
<boldt@math.ucsb.edu> should be notified about abusive advertisers, so they
can be added to his Internet Advertiser's Blacklist. Please use the word
"Blacklist" somewhere in the subject line. Make sure to check the last
version of the List first, so that he won't get multiple complaints about
incidents already covered. The newest version is always available over the
WWW at URL: http://math-www.uni-paderborn.de/~axel/blacklist.html.

> ...  I have no way to know to appeal (let alone to whom) and I must get

Fears of this development have led to the organization of the NetNews
Judges (TM) List (this is a reformatted InterNIC resource entry):

===========================================================================

              Judges-L - NetNews Judges List
              Resource Type:  Mailing list

Description:  The Judges' List distributes messages to a panel of
              Judges who cancel multiple posts to NetNews immediately.
              The List is used to help Judges organize themselves,
              finalize policy, and set procedures to enforce rules. It
              is primarily directed to those who issue cancels.
              Secondarily, to those who survey cancels issued, in
              order to ensure that the cancel facility is not being
              abused. The protection of the NetNews system from overload
              by posts to multiple newsgroups is the focus of activity.

Access: Messages go to: Judges-L@UBVM.cc.buffalo.edu.
        Subscriptions go to: LISTSERV@UBVM.cc.buffalo.edu.

Services:       Dispute Resolution:

                Complaints are primarily about spam, multiple off-topic
                posts. Posters may also complain about inappropriate
                cancels. An opinion is reached via a consensus
                decision-making procedure based upon private deliberations
                in which all parties may participate.

                Preparation of Periodic Posts:

                Frequently Asked Question (FAQ) lists are prepared to inform
                users about appropriate use of cancel messages, how to file
                complaints, how the List processes complaints, etc.

Keywords:  posting software, law, security mechanism, control message,
           freedom of speech, censorship, due process, advertisement,
           chain letter, rumor, conflict resolution, forgery, infection,
           news administration, kill file

David S. Stodolsky, PhD  * Social *   Internet: david@arch.ping.dk
Tornskadestien 2, st. th.   * Research *    Tel.: + 45 38 33 03 30
DK-2400 Copenhagen NV, Denmark  * Methods *  Fax: + 45 38 33 88 80


CERT Advisory CA-95:04.NCSA.http.daemon.for.unix.vulnerability

CERT Advisory <cert-advisory@cert.org>
Fri, 17 Feb 1995 17:36:01 -0500
   [Also, see CA-95:03, February 16, 1995, Telnet Encryption Vulnerability,
   if you are using Berkeley Telnet with the experimental Telnet encryption
   option using the Kerberos V4 authentication.  PGN]


CA-95:04                         CERT Advisory
                               February 17, 1995
                     NCSA HTTP Daemon for UNIX Vulnerability


The CERT Coordination Center has received reports that there is a
vulnerability in the NCSA HTTP Daemon V.1.3 for UNIX. Because of this
vulnerability, the daemon can be tricked into executing shell commands.

If you have any questions regarding this vulnerability, please send
e-mail to Beth Frank at the NCSA, efrank@ncsa.uiuc.edu.

I.   Description

     A vulnerability in the NCSA HTTP Daemon allows it to be tricked into
     executing shell commands.

II.  Impact

     Remote users may gain unauthorized access to the account (uid) under
     which the httpd process is running.

III. Solution

     The following solution was provided by the HTTPD Team at SDG at
     NCSA.

     Step 1:

       In the file httpd.h, change the string length definitions
       from:
                /* The default string lengths */
                #define MAX_STRING_LEN 256
                #define HUGE_STRING_LEN 8192
       to:
                /* The default string lengths */
                #define HUGE_STRING_LEN 8192
                #define MAX_STRING_LEN  HUGE_STRING_LEN

     Step 2:

        Install the following patch, which performs the functionality of
        strsubfirst (i.e., copy src followed by dest[start] into dest) without
        the use of a temporary buffer.

   ----[Lengthy patch deleted for RISKS.  Contact CERT FOLKS.  PGN]----

After you apply this patch, recompile httpd, kill the current running process,
and restart the new httpd.

  [The CERT Coordination Center thanks Steve Weeber, Carlos Varela, and
  Beth Frank for their support in responding to this problem.]

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in Forum of Incident Response and
Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise that the e-mail be encrypted.
The CERT Coordination Center can support a shared DES key, PGP (public key
available via anonymous FTP on info.cert.org), or PEM (contact CERT staff
for details).

Internet E-mail: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address:  CERT Coordination Center
                 Software Engineering Institute
                 Carnegie Mellon University
                 Pittsburgh, PA 15213-3890
                 USA

CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request@cert.org.

Past advisories, CERT bulletins, information about FIRST representatives, and
other information related to computer security are available for anonymous FTP
from info.cert.org.

CERT is a service mark of Carnegie Mellon University.
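As an added illustration of the Step 2 fix the advisory above describes (my own code, not CERT's or NCSA's patch): a bounded rewrite of strsubfirst() that builds src followed by dest[start..] in place using memmove, so no fixed-size temporary buffer is involved, and that refuses the operation when the result would not fit in the destination. The explicit dest_size parameter, the return convention and the sample path strings are assumptions of this example, not the NCSA httpd API.

```c
/* Added example, not the NCSA httpd patch.  strsubfirst_bounded() makes
 * dest = src + dest[start..] in place, with no scratch buffer.  The
 * dest_size parameter and the 0/-1 return convention are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 0 on success.  Returns -1, leaving dest unchanged, when start
 * lies past the end of dest or when src plus the kept tail plus the
 * terminating NUL would exceed dest_size bytes. */
int strsubfirst_bounded(size_t start, char *dest, size_t dest_size,
                        const char *src)
{
    size_t dlen = strlen(dest);
    size_t slen = strlen(src);
    size_t tail;

    if (start > dlen)
        return -1;
    tail = dlen - start;                 /* bytes of dest[start..], no NUL */
    if (slen + tail + 1 > dest_size)     /* would overflow: refuse, don't truncate */
        return -1;

    /* Slide the tail (with its NUL) to its final offset first.  memmove
     * copes with overlapping ranges in either direction, which is what
     * lets us drop the temporary buffer entirely. */
    memmove(dest + slen, dest + start, tail + 1);
    /* The prefix [0, slen) is now free; copy src into it. */
    memcpy(dest, src, slen);
    return 0;
}

/* Worked case on constructed inputs: replacing the prefix "/cgi-bin" of a
 * request path by a longer directory name.  Returns 1 when both the
 * fitting and the too-small-buffer cases behave as intended. */
int strsubfirst_selfcheck(void)
{
    char ok[32]    = "/cgi-bin/script";   /* 24 + 7 + 1 = 32 bytes needed */
    char small[16] = "/cgi-bin/script";   /* same request, 16-byte buffer */
    const char *dir = "/usr/local/etc/httpd/cgi";

    if (strsubfirst_bounded(8, ok, sizeof ok, dir) != 0)
        return 0;
    if (strcmp(ok, "/usr/local/etc/httpd/cgi/script") != 0)
        return 0;
    /* Too small: must be refused and the original contents preserved. */
    if (strsubfirst_bounded(8, small, sizeof small, dir) != -1)
        return 0;
    if (strcmp(small, "/cgi-bin/script") != 0)
        return 0;
    return 1;
}

int main(void)
{
    char path[32] = "/cgi-bin/script";   /* constructed sample path */

    if (strsubfirst_bounded(8, path, sizeof path,
                            "/usr/local/etc/httpd/cgi") == 0)
        printf("%s\n", path);
    else
        printf("refused: result would not fit\n");
    return strsubfirst_selfcheck() ? 0 : 1;
}
```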
