Denver's new high-tech airport appears finally ready for operation later this month, after four false delays caused primarily by a malfunctioning computerized baggage handling system. The system now seems to be working -- but a $50 million conventional baggage handling system has been built as a backup, just in case the computerized systems should fail again. (_The New York Times_ 19 Feb 1995, p.12) [From Edupage 19 Feb 1995]
CommunicationsWeek International reports that computer crackers have been giving European network managers a hard time recently. Among their transgressions are stealing $150,000 worth of international phone calls from five U.K. companies and causing $400,000 in losses for a Dell Computer subsidiary that had to shut down a free customer service phone line because of fraud. (_Information Week_ 20 Feb 1995, p.63) [From Edupage 19 Feb 1995]
An annoying, and possibly serious, bug has surfaced in the recent release of Novell Perfect Office for Microsoft Windows. Temporary files may be left behind in the directory designated as TEMP in the user's autoexec.bat file. This is usually C:\TEMP or C:\WINDOWS\TEMP. Left unchecked, the files could eventually accumulate to the point where they clog the directory so that Windows applications will not run. The files take the form ~WT123B.TMP (where 123B is a unique identifier generated by the system) and are 5888 bytes long.

Although Novell/WordPerfect installation help is "aware" of the bug and is "working on it," I was told that at present no user-notification program is being planned. You might think they'd learn from Intel's recent public relations fiasco....

Gary Gillard, Department of Math & Computer Science, Hood College, Frederick, Maryland 21701 <gillard@nimue.hood.edu>
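A practitioner reading the report above would want a quick way to tell whether a TEMP directory is already silting up with the orphaned files it describes. The following is an added example, not code from the post or from Novell: it filters a directory listing for names of the ~WT....TMP form at the reported size of 5888 bytes and reports the accumulated count and space. The name pattern (~WT followed by alphanumerics), the default threshold of 200 files, and the sample listing are assumptions constructed for illustration; only the filename shape and the 5888-byte size come from the post.

```python
import os
import re

# Shape reported in the post: "~WT" + a system-generated id + ".TMP".
# The id is assumed here to be alphanumeric; the post only shows one example (123B).
ORPHAN_RE = re.compile(r"^~WT[0-9A-Z]+\.TMP$", re.IGNORECASE)
ORPHAN_SIZE = 5888  # bytes, as reported in the post


def find_orphans(entries):
    """entries: iterable of (filename, size_in_bytes) pairs.
    Returns the sorted names that match the orphan pattern and size."""
    return sorted(
        name for name, size in entries
        if ORPHAN_RE.match(name) and size == ORPHAN_SIZE
    )


def report(entries, limit=200):
    """Summarise accumulation; 'limit' is an assumed housekeeping threshold,
    not a figure from the post."""
    orphans = find_orphans(entries)
    return {
        "count": len(orphans),
        "bytes": len(orphans) * ORPHAN_SIZE,
        "over_limit": len(orphans) > limit,
    }


def scan_temp_dir(path=None):
    """Read a live directory (defaults to the TEMP environment variable,
    falling back to C:\\TEMP as the post suggests) and report on it."""
    path = path or os.environ.get("TEMP", r"C:\TEMP")
    entries = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            entries.append((name, os.path.getsize(full)))
    return report(entries)


if __name__ == "__main__":
    # Constructed sample listing: two orphans, one unrelated file, and a
    # same-named file of a different size that must not be flagged.
    sample = [
        ("~WT123B.TMP", 5888),
        ("~WT0A7C.TMP", 5888),
        ("notes.txt", 120),
        ("~WT9999.TMP", 4096),
    ]
    print(find_orphans(sample))
    print(report(sample, limit=1))
```

The size check matters: a genuine in-use temporary file with a similar name but a different size is left alone, so the report only counts the specific leak described.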
In RISKS-16.82, Rob Slade perceptively points out that behavior some have called `computer addiction' is part of wider patterns, and notes by his analogy that there aren't simple criteria. It may be helpful to distinguish rather than to conflate: firstly, between compulsive behavior and obsession. I would describe compulsive behavior as following an urge to do something, often repetitively, without concomitant reward other than that of appeasing the urge. We won't count the usual bodily functions...... but if you find yourself washing your hands a few hundred times a day, or the citizens of Koenigsberg set their watches by your daily walk to work, you're probably being compulsive. Obsession is when your thoughts, feelings, maybe actions orient narrowly towards one thing for a disproportionate time, whether it's rewarding or not. Sitting there with the same thought about Demi Moore buzzing round your head, you are obsessed, but not compelled (we hope). If getting rid of mother-in-law is your all-consuming hobby, you may try arsenic in the cake, running her over with the lawnmower, spiking her brandy, and rigging the breech of her shotgun. Your wife might leave you for failing at your single purpose in life, but no one would convict you of compulsive behavior. These descriptions are dependent on social variables. Nevertheless, excessive obsessive/compulsivity is regarded as one of the 15-20 diagnosable personality extremes in the DSM (the Diagnostic and Statistical Manual, Revision IV, of the American Psychiatric Association, is a helpful guide to the current US classification of human behaviors that may lead to social problems for individuals). Most successful academics, writers, musicians, cooks, winemakers, mathematicians, scientists and sportspeople are more obsessive than the general population. The way to be better than others is to do something with more enthusiasm and for longer - and it helps if this concentration jives with your personality. 
Addiction is a state of the organism, rather than predominantly a predisposition to certain behavior. A substance addict has highly goal-related behavior. Being drunk or high for these people is a relatively comfortable state of mind and body for *very* short periods of time. But it ruins their health, and causes self and others all sorts of problems. Addiction may be encouraged or even caused by compulsive behavior, but it is not itself a personality trait, according to the APA. If deleting email sends a thrilling tingle through your fingers, and tickles your corpus callosum until you can't let go, you may be addicted. But the boundaries are blurred. Whether you call heavy use of computers addictive, obsessive/compulsive, or simply morally virtuous may depend on the context, the evident goals of the behavior, and whether you're spouse or employer. So I won't be too surprised when some misguided soul tries to enroll all us academics, writers, musicians, cooks, winemakers, mathematicians, scientists and sportspeople in a twelve-step program. Peter Ladkin
It has happened to me several times now that I inadvertently knock the keyboard cable of the Sun SPARCstation 10 I work on these days. Most of the time, the result is a complete and instantaneous crash of the machine. So I tried, and it seems that unplugging and plugging back in the keyboard cable at the base of the keyboard always crashes and reboots the host. This can obviously cause disks and user data to be lost. Other times only the X Window System dies. Maybe it is just this particular machine, but otherwise I can't think what is so critical about a keyboard's hardware that could cause the machine to crash. No doubt a RISK in my book. -- Carlos Puchol -- http://www.cs.utexas.edu/users/cpg
A few months ago I moved into a new apartment. I have since received a lot of junk mail for Mary Thompson, the former resident, whom I have never met. (Name changed to protect the innocent.) From conversations I have had with neighbors, I know that she lived alone. About a month ago, I started to receive credit card ads addressed to "Scott Thompson". I wrote this off as just a database entry error (e.g., only overwriting part of the new resident's name), until this past week. A few days ago I received two identical ads, with one addressed to "Scott Thompson" and the other addressed to "Mrs. Mary Thompson". Yikes! Married to someone I've never met!

If only our names were confused (e.g., "Scott Thompson"), it would not be much of a risk. However, now that at least one database considers us husband and wife, what kinds of problems does this open?

- Do I get a free ride on *her* credit card history, or does she get a free ride on *mine*? (Stated the opposite way, do I suffer for *her* credit card history, or does she suffer for *mine*?)
- If I fill out the credit card applications listing my real name, but they issue the cards to me as "Scott Thompson", am I liable for fraud?
- If I never reply to any of these ads, could this "false name" come back to hurt me? (In other words, do I have to *proactively* stop this name from circulating, or could it never cause me harm so long as I do not use it?)

Scott Sterner
[Forwarded with permission of the author. Jerry]

From: Mark Frank <frankmrk@u.washington.edu>
Subject: Need UPS smarter than me.
Date: Sat, 18 Feb 1995 09:11:00 -0800 (PST)
To: Info-VAX@Mvb.Saic.Com

I use a UPS on my PC at home. The power switch is on the front. UPS sits on the floor (the way it has to for the AC outlets to face the right way). The other day I bumped the front of the UPS with my foot and hit the power switch, power went off, and I lost my work. Now that really pissed me off... they SAID it was UNINTERRUPTIBLE, but one little nudge of the power switch and off it went! Wouldn't honor the warranty, either. Ok...Ok... so I'm a moron.

Moral to the story: If you are considering a UPS for a workstation-sized computer, be sure to get one with appropriate protection (like a hinged door) covering the power switch.

Mark S. Frank, Department of Radiology, University of Washington, 325 9th Ave, Seattle, WA 98104 frankmrk@u.washington.edu (206) 223-3561
I'm playing in a computer-moderated play-by-mail game with a not-to-be-named company out of Oregon, and I ran into an interesting software logic gap. In the game, players have locations with soldiers defending it. Locations can contain guilds (representing an organization supporting a certain skill or collection of skills). A location's owner may be different from the owners of the guilds within it. In addition to the location's soldiers, guilds' soldiers can be ordered to defend the location against attack if both the location's and guilds' owner agree.

An amusing incident just occurred, when we captured a location from an enemy position. Capturing it required us destroying all of the location's soldiers. However, one of the location's guild owners tried to take the location back from us by putting soldiers in his guild and then trying to launch a "guild coup". Unfortunately, the guild which attacked the city was also ordered to defend the city against attack. The location's previous owner had set this up with the guild's owner, and the change in ownership from our conquering the location didn't affect the guild defense options. So the guild ended up fighting itself. Needless to say, it lost. And in another amusing result, it turned out that the defender's ending values from a battle are written to the database before the attacker's. So since the attacker had no troops left, the guild ended up with no troops left - even though the guild-as-defender had troops survive the battle.

This kind of problem crops up all of the time in software development. At my previous company, I had a problem attempting to deal with real-time data when an application which was both a data consumer and a data producer attempted to request data from itself. The normal protocol would have been to send the request out to the network, have the network manager route the request back to the application, and have the application handle it in course. But the network manager was "smart" and told the consumer "you're requesting from yourself", and refused the request. This protocol forced anyone writing a producing/consuming application to create its own internal method for requesting data from itself, in addition to the normal method of requesting data from the network.

Both cases come down to developers who pictured a very general model, without considering some of the specific exceptions to the model which may very well occur in day-to-day use. In the game company's defense, this flaw has existed for several years, and as far as they know this is the first time players have actually encountered it.

Jim
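The guild incident above is an instance of a general defect: one record appears on both sides of a transaction, and the two sides' results are written to the same record in sequence, so the second write silently discards the first. The example below is added here and is not the game company's code or Jim's; it models the incident with a toy battle rule, a deliberately flawed resolver that reproduces both bugs (the stale defend order and the last-write-wins clobbering), and a checked variant that invalidates defend orders on ownership change and refuses a guild that would fight itself. All names (Riverton, Masons, Duke, Baron), troop counts and the battle arithmetic are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Guild:
    name: str
    owner: str
    troops: int


@dataclass
class Location:
    name: str
    owner: str
    troops: int
    guilds: dict = field(default_factory=dict)        # guild name -> Guild
    defend_orders: set = field(default_factory=set)   # guild names ordered to defend


def fight(attackers, defenders):
    """Constructed battle rule (not the game's): the attacker loses one soldier
    per defending soldier; the entrenched defence loses half the attacking force.
    Returns (attacker survivors, defender survivors)."""
    return max(0, attackers - defenders), max(0, defenders - attackers // 2)


def _write_defence_survivors(loc, survivors):
    """Assign defence survivors to the location first, then to each defending
    guild in name order, writing each record's ending value."""
    loc.troops = min(loc.troops, survivors)
    survivors -= loc.troops
    for name in sorted(loc.defend_orders):
        g = loc.guilds[name]
        g.troops = min(g.troops, survivors)
        survivors -= g.troops


def resolve_coup_unchecked(loc, guild_name):
    """The flawed flow from the post: a guild still under a defend order can
    attack its own location, and the attacker's ending value is written after
    the defenders', overwriting the record just written for the same guild."""
    g = loc.guilds[guild_name]
    defence = loc.troops + sum(loc.guilds[n].troops for n in loc.defend_orders)
    attacker_left, defender_left = fight(g.troops, defence)
    _write_defence_survivors(loc, defender_left)   # defender records first ...
    g.troops = attacker_left                        # ... then the attacker's (clobbers)
    if defender_left == 0 and attacker_left > 0:
        loc.owner = g.owner
    return attacker_left, defender_left


def transfer_ownership(loc, new_owner):
    """A defend order needed the old owner's consent, so a change of owner
    invalidates it instead of letting it survive silently."""
    loc.owner = new_owner
    loc.defend_orders.clear()


def can_attack(loc, guild_name):
    """The aliasing check: a guild ordered to defend a location may not also attack it."""
    return guild_name in loc.guilds and guild_name not in loc.defend_orders


def resolve_coup_checked(loc, guild_name):
    """Same battle, but the self-fighting case is rejected up front, so no
    record is ever written twice with conflicting values."""
    if not can_attack(loc, guild_name):
        raise ValueError(f"{guild_name} is ordered to defend {loc.name}; it cannot attack it")
    return resolve_coup_unchecked(loc, guild_name)


def replay(checked):
    """Replay the incident. Returns (owner, Masons troops, attacker left, defender left)."""
    loc = Location("Riverton", "Duke", troops=20,
                   guilds={"Masons": Guild("Masons", "Baron", 0)})
    loc.defend_orders.add("Masons")        # Duke and Baron agreed on the defence
    loc.troops = 0                         # we storm Riverton; all 20 defenders die
    if checked:
        transfer_ownership(loc, "Us")      # drops the stale defend order
    else:
        loc.owner = "Us"                   # flawed path: order survives the conquest
    loc.guilds["Masons"].troops = 10       # Baron garrisons his guild for a coup
    resolver = resolve_coup_checked if checked else resolve_coup_unchecked
    attacker_left, defender_left = resolver(loc, "Masons")
    return loc.owner, loc.guilds["Masons"].troops, attacker_left, defender_left


if __name__ == "__main__":
    print("unchecked:", replay(False))   # guild fights itself, ends with 0 troops
    print("checked:  ", replay(True))    # coup resolves normally
```

In the unchecked replay the Masons defend Riverton against themselves, five of them survive as defenders, and the attacker write of zero then erases them, which is exactly the double outcome Jim describes. The checked replay fixes both halves independently: clearing defend orders on ownership change removes the stale consent, and `can_attack` rejects the aliasing case even if such an order were somehow still present.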
In RISKS 16.81 "Whittle, Jerome SMSgt" <JWhittle@amclg.safb.af.mil> wrote:

>5. Karen Smith isn't liable for the theft even though she left her card and
> PIN number unsecured. I believe that she should shoulder some of the
> blame and loss.

I hope I'm not the only one who will speak out against this "blame the victim" mentality. Granted, the crime could and should have been prevented, but since it did happen, the blame for the crime falls squarely on the shoulders of the reprobates who committed it. The risk I see here is that if we continue to cut criminals some slack by placing some of the blame on the victim, we're only going to invite more crime of this sort. To me, this is only slightly more palatable than blaming a rape victim because of how she was dressed.
> Fears of this development have led to the organization of the NetNews
> Judges (TM) List (this is a reformatted InterNIC resource entry):

Note that the people who actually do the volunteer work that keeps Usenet running, as well as most long-time Usenet readers who know about it, consider Judges-L to be a crank list. It's a closed list, with rules about the dissemination of messages outside the official membership. It periodically produces informational postings that have no relationship to accepted net behaviour. Like any other "authority" on Usenet it has no power but what individuals grant it. Unlike "authorities" like David Lawrence, who is accepted by the majority of sites as being the authoritative source of new groups, Judges-L has no followers except for the people who are actually on the list... and even then some of the people on Judges-L are only there to keep an eye on them.

[Also commented on by Kevin Blackburn Kevin@fairbruk.demon.co.uk]
BKPGPGAR.RVW 950116

"PGP: Pretty Good Privacy", Garfinkel, 1995, 1-56592-098-8
%A Simson Garfinkel simsong@next.cambridge.ma.us simsong@expert.com
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 1995
%G 1-56592-098-8
%I O'Reilly & Associates, Inc.
%O 800-998-9938 707-829-0515 fax: 707-829-0104 info@ora.com or nuts@ora.com
%P 393
%T "PGP: Pretty Good Privacy"

Part one of this guide to Phil Zimmermann's "Pretty Good Privacy" (universally known by its initials, PGP) contains two rather disjointed chapters introducing PGP, itself, and cryptography basics. After that rocky start, however, part two is both readable and riveting. Chapters on the history of cryptography, the history and development of PGP, privacy, and patents gather both the technical and social aspects of PGP together in one place. The conceptual background for public key cryptography is presented both soundly and in a manner accessible for non-experts. The many controversies over PGP are presented in a very detailed manner.

Part three, "Using PGP", has chapters on file encryption, key creation, key management, email encryption, digital signatures (authentication), key distribution and certification, and Internet key servers. The style of the nutshell books gives a very "technical" look to the material, and in some cases the content is very terse in comparison to Stallings' "Protecting Your Privacy" (cf. BKPRTPRV.RVW). In others (such as key management), though, the text here is paradoxically clearer. In any case, the examples are straightforward and easily followed. (Readers may, however, be excused for failing to follow the explanation of Diffie-Hellman on page 356.) The appendices cover obtaining and installing PGP for MS-DOS, UNIX and Macintosh.

copyright Robert M. Slade, 1995 BKPGPGAR.RVW 950116
Vancouver Institute for Research into User Security, Canada V7K 2G6
ROBERTS@decus.ca Robert_Slade@sfu.ca rslade@cue.bc.ca p1@CyberStore.ca
While RISKS is ostensibly devoted to the foibles of computer generated bugs, readers of the list will probably enjoy _The Coming Plague_ by Laurie Garrett (Farrar Straus & Giroux). The book explores many of the battlefields between humans and microbes and then concludes that it is only a matter of time before the microbes score some dramatic victories. Many of the themes are familiar to RISKS readers: the fix causes more pain than it solves; the bountiful commonweal often comes with a quicksilver lining; and there is no such thing as the last bug. The bestselling _Hot Zone_ covers a small part of the scope of this book and it is more a movie outline than a book on science. _The Coming Plague_ comes with copious footnotes and is filled with the technical details that scientists love. I've enjoyed it more and I suspect that others who read this list might feel the same. Given that some computer scientists talk of solving NP complete problems with DNA techniques, I guess that the fields are effectively merged and this is entirely appropriate for this list.
Since announcing the on-line over-the-wire security scanning service (http://all.net:8080) on the RISKS forum, over 350 sites have performed scans. I am interested in finding out some things about the results of these scans. Any answers would be welcomed:

1) Did the service detect anything you did not expect?
2) Was the range of tests interesting enough to warrant keeping the service?
3) Is the service genuinely helpful or just a waste of time?
4) Did your defense detect the attempted attacks/defend against them?

Thank you in advance for your replies (email to fc@all.net). Also, I would like to note that of the scans performed over the last few days, only 20 or so failed to be delivered to the tester because of mail failures.

FC
A symposium is coming up that has tremendous consequences for the privacy of sensitive personal medical records — Toward an Electronic Patient Record '95, 14-19 March 1995 in Orlando, Florida. The basic idea is to put all of your medical records on-line in a centralized repository, accessible to any medical professional who needs them. This is great when the folks in the emergency room need your records in a hurry, but it's not so great when your records are also available to insurance companies and marketers, not to mention private investigators who are willing to push the law a little bit. Right now the outlook for serious privacy protections on computerized medical records is not so good. As a result, I think it would be excellent if any net citizens were to attend this symposium and report back to the net community. I would particularly direct your attention to a meeting of the Standards Subcommittee on Access, Privacy and Confidentiality of Medical Records, which is to be held on Sunday March 12th and will be open to the public. It isn't good enough for privacy to be protected by vague principles and guidelines after the systems have been designed. Privacy capabilities such as patients' control over their personal information must be built into the technical standards, and if you can be in Florida in March then you can help out by informing the net community about the progress of those standards. More generally, the standards for a whole generation of privacy-sensitive systems are being set right now — Intelligent Transportation Systems are another example — and I think it's important for the net community to track the standard-setting process, publicizing problems and intervening to make sure that the new generation of standards makes full use of the new generation of privacy technologies — especially technologies such as digital cash that are based on public-key cryptography. 
In the case of medical records, some of the people designing the systems actually are aware of the existence of these new privacy technologies. The hard part is making sure that real privacy protection is actually built into the standards despite the probable pressure of various economic interests to the contrary.

The symposium is organized by the Medical Records Institute. MRI is on the Web at http://www.nfic.com/mri/mri.html. But I particularly recommend the 36-page paper version of the conference announcement since it includes information about the exhibitors — valuable raw material for research by privacy advocates. MRI's e-mail address is 71431.2030@compuserve.com and their paper address is 567 Walnut Street, PO Box 289, Newton MA 02160 USA.

Phil Agre, UCSD
SECURITY ON THE I-WAY
NCSA's 1995 Technical Symposium
April 10-11, 1995
Stouffer Concourse Hotel, Arlington, VA

NCSA is pleased to announce Security on the I-WAY '95, a technical symposium addressing two key security issues: Internet/NII Security and Computer Viruses. Our speakers this year include many of the world's leading experts in these two key areas. For further information or to register for the conference, please send e-mail to 74774.1326@compuserve.com requesting the registration form.

CONFERENCE PROGRAM:

April 10/Monday:
08:30 Keynote Address: NCSA: New Directions
      Dr. Peter Tippett, President, NCSA

TRACK 1: Computer Viruses
Track Chairman: Charles Rutstein

April 10/Monday:
09:00 Real World Anti-Virus Review and Evaluation
      Richard Ford, Editor, Virus Bulletin; Sarah Gordon, Command Software
10:30 Virus Metrics
      Joe Wells, IBM Watson Research Center
13:00 Viruses and the Internet
      Fridrik Skulason, FRISK Software
14:30 Virus Writing: High-tech InfoSecurity Warfare
      Frans Veldman, ESaSS

April 11/Tuesday:
09:00 Viruses in the 32-bit Operating Environment
      Shane Coursen, Symantec
10:30 Viruses and Windows NT
      Charles Rutstein, Price Waterhouse
13:00 The Good, the Bad and the Polymorphic
      Alan Solomon, S&S International

TRACK 2: Internet/Infrastructure Security
Track Chairman: Ted Phillips

April 10/Monday:
09:00 The Electronic Intrusion Risks to the NII
      Ted Phillips, Booz-Allen Hamilton
10:30 Public Key Infrastructure Issues
      Warwick Ford, Bell Northern Research
13:00 Internet Security Strategies
      Jim Litchko, TIS
14:30 Security Applications for Smartcard Technologies
      Jim Dray, NIST

April 11/Tuesday:
09:00 Wireless System Security
      Robert McKosky, GTE Laboratories
10:30 Broadband Network Security Issues
      John Kimmins, Bellcore
13:00 NII Network Reliability Issues
      Mel Sobotka, Booz-Allen Hamilton
14:30 Law Enforcement Perspectives on NII Security
      Hal Hendershot, FBI

M.E. Kabay, Ph.D., Director of Education, Natl Computer Security Assn (Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)