The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 83

Tuesday 21 February 1995

Contents

o Denver's Computerized Baggage System Finally Works
NYT via Edupage
o Cyberbandits in Europe
CommunicationsWeek via Edupage
o Perfect (?) Office Bug can cause harm
Gary Gillard
o I can't help but say more about this addiction thing.
Peter Ladkin
o Sparc10 keyboards and resetting the CPU
Carlos M. Puchol
o Married by computer
Scott Sterner
o UPS not quite so uninterruptable after all
Mark Frank via Jerry Leichter
o Risks of generalized designs
Jim Griffith
o Stolen ATM Card nets $346,770
Rich Wells
o Re: JUDGES-L
Peter da Silva
o "PGP: Pretty Good Privacy" by Garfinkel
Rob Slade
o The Coming Plague
Peter Wayner
o Scan results
Frederick B. Cohen
o Symposium on medical records
Phil Agre
o NCSA Conference: Security on the I-Way
Mich Kabay
o Info on RISKS (comp.risks)

Denver's Computerized Baggage System Finally Works

Edupage <info@ivory.educom.edu>
Sun, 19 Feb 1995 20:11:21 -0500
Denver's new high-tech airport appears finally ready for operation later
this month, after four false delays caused primarily by a malfunctioning
computerized baggage handling system.  The system now seems to be working --
but a $50 million conventional baggage handling has been built as a backup,
just in case the computerized systems should fail again.  (_The New York
Times_ 19 Feb 1995, p.12) [From Edupage 19 Feb 1995]


Cyberbandits in Europe

Edupage <info@ivory.educom.edu>
Sun, 19 Feb 1995 20:11:21 -0500
CommunicationsWeek International reports that computer crackers have been
giving European network managers a hard time recently.  Among their
transgressions are stealing $150,000 worth of international phone calls
from five U.K. companies and causing $400,000 in losses for a Dell Computer
subsidiary that had to shut down a free customer service phone line because
of fraud.  (_Information Week_ 20 Feb 1995, p.63)  [From Edupage 19 Feb 1995]


Perfect (?) Office Bug can cause harm

<GILLARD@NIMUE.HOOD.EDU>
Tue, 21 Feb 1995 14:17:25 -0500 (EST)
An annoying, and possibly serious, bug has surfaced in the recent
release of Novell Perfect Office for Microsoft Windows.  Temporary
files may be left behind in the directory designated as TEMP in the
user's autoexec.bat file.  This is usually C:\TEMP or C:\WINDOWS\TEMP.
Left unchecked, the files could eventually accumulate to the point
where they clog the directory so that Windows applications will not run.
The files take the form ~WT123B.TMP (where 123B is a unique identifier
generated by the system) and are 5888 bytes long.

Although Novell/WordPerfect installation help is "aware" of the bug
and is "working on it," I was told that at present no user-notification
program is being planned.

You might think they'd learn from Intel's recent public relations fiasco....

Gary Gillard, Department of Math & Computer Science, Hood College
Frederick, Maryland  21701  <gillard@nimue.hood.edu>


I can't help but say more about this addiction thing. (Slade, 16.82)

<ladkin@techfak.uni-bielefeld.de>
Sat, 18 Feb 1995 20:29:50 +0100
In RISKS-16.82, Rob Slade perceptively points out that behavior
some have called `computer addiction' is part of wider patterns,
and notes by his analogy that there aren't simple criteria.

It may be helpful to distinguish rather than to conflate: firstly, between
compulsive behavior and obsession. I would describe compulsive behavior as
following an urge to do something, often repetitively, without concomitant
reward other than that of appeasing the urge.  We won't count the usual
bodily functions...... but if you find yourself washing your hands a few
hundred times a day, or the citizens of Koenigsberg set their watches by
your daily walk to work, you're probably being compulsive. Obsession is when
your thoughts, feelings, maybe actions orient narrowly towards one thing for
a disproportionate time, whether it's rewarding or not.  Sitting there with
the same thought about Demi Moore buzzing round your head, you are obsessed,
but not compelled (we hope).  If getting rid of mother-in-law is your
all-consuming hobby, you may try arsenic in the cake, running her over with
the lawnmower, spiking her brandy, and rigging the breech of her shotgun.
Your wife might leave you for failing at your single purpose in life, but
no one would convict you of compulsive behavior.

These descriptions are dependent on social variables. Nevertheless,
excessive obsessive/compulsivity is regarded as one of the 15-20 diagnosable
personality extremes in the DSM (the Diagnostic and Statistical Manual,
Revision IV, of the American Psychiatric Association, is a helpful guide to
the current US classification of human behaviors that may lead to social
problems for individuals).  Most successful academics, writers, musicians,
cooks, winemakers, mathematicians, scientists and sportspeople are more
obsessive than the general population. The way to be better than others is
to do something with more enthusiasm and for longer - and it helps if this
concentration jives with your personality.

Addiction is a state of the organism, rather than predominantly a
predisposition to certain behavior. A substance addict has highly
goal-related behavior. Being drunk or high for these people is a relatively
comfortable state of mind and body for *very* short periods of time. But it
ruins their health, and causes self and others all sorts of problems.
Addiction may be encouraged or even caused by compulsive behavior, but it is
not itself a personality trait, according to the APA.  If deleting email
sends a thrilling tingle through your fingers, and tickles your corpus
callosum until you can't let go, you may be addicted.

But the boundaries are blurred.  Whether you call heavy use of computers
addictive, obsessive/compulsive, or simply morally virtuous may depend on
the context, the evident goals of the behavior, and whether you're spouse or
employer. So I won't be too surprised when some misguided soul tries to
enroll all us academics, writers, musicians, cooks, winemakers,
mathematicians, scientists and sportspeople in a twelve-step program.

Peter Ladkin


Sparc10 keyboards and resetting the CPU

Carlos M. Puchol <cpg@cs.utexas.edu>
19 Feb 1995 19:05:18 -0600
It has happened to me several times now that I inadvertently knock the
keyboard cable of the Sun SPARCstation 10 I work on these days. Most of the
times, the result is a complete and instantaneous crash of the machine. So I
tried and it seems that unplugging and plugging back in the keyboard cable
at the base of the keyboard always crashes and reboots the host. This can
obviously cause disks and user data to be lost. Other times only the X
Window System dies.

Maybe it is just this particular machine, but otherwise I can't
think what is so critical about a keyboard's hardware that
could cause the machine crash. No doubt a RISK in my book.

-- Carlos Puchol
-- http://www.cs.utexas.edu/users/cpg


Married by computer

<ssterner@BBN.COM>
Tue, 21 Feb 95 07:43:06 -0500
A few months ago I moved into a new apartment.  I have since received a lot
of junk mail for Mary Thompson, the former resident, whom I have never met.
(Name changed to protect the innocent.)  From conversations I have had with
neighbors, I know that she lived alone.  About a month ago, I started to
receive credit card ads addressed to "Scott Thompson".  I wrote this off
as just a database entry error (e.g., only overwriting part of the new
resident's name), until this past week.  A few days ago I received two
identical ads, with one addressed to "Scott Thompson" and the other
addressed to "Mrs. Mary Thompson".

Yikes!  Married to someone I've never met!

If only our names were confused (e.g., "Scott Thompson"), it would not be
much of a risk.  However, now that at least one database considers us
husband and wife, what kinds of problems does this open?

  - Do I get a free ride on *her* credit card history, or does she get
    a free ride on *mine*?  (Stated the opposite way, do I suffer for *her*
    credit card history, or does she suffer for *mine*?)

  - If I fill out the credit card applications listing my real name, but
    they issue the cards to me as "Scott Thompson", am I liable for fraud?

  - If I never reply to any of these ads, could this "false name" come back
    to hurt me?  (In other words, do I have to *proactively* stop this name
    from circulating, or could it never cause me harm so long as I do not
    use it?)

Scott Sterner


UPS not quite so uninterruptable after all

Jerry Leichter <leichter@lrw.com>
Mon, 20 Feb 95 08:33:20 EDT
  [Forwarded with permission of the author.   Jerry]

From: Mark Frank <frankmrk@u.washington.edu>
Subject: Need UPS smarter than me.
Date: Sat, 18 Feb 1995 09:11:00 -0800 (PST)
To: Info-VAX@Mvb.Saic.Com

I use a UPS on my PC at home.  The power switch is on the front.  UPS
sits on the floor (the way it has to for the AC outlets to face the right
way).  The other day I bumped the front of the UPS with my foot and hit
the power switch, power went off, and I lost my work.  Now that really
pissed me off... they SAID it was UNINTERRUPTABLE, but one little nudge
of the power switch and off it went!  Wouldn't honor the warranty, either.

Ok...Ok... so I'm a moron.  Moral to the story:  If you are considering a
UPS for a workstation-sized computer, be sure to get one with appropriate
protection (like a hinged door) covering the power switch.

Mark S. Frank, Department of Radiology, University of Washington, 325 9th Ave
Seattle, WA  98104  frankmrk@u.washington.edu  (206) 223-3561


Risks of generalized designs

Jim Griffith <griffith@netcom.com>
Tue, 21 Feb 1995 11:19:15 -0800
I'm playing in a computer-moderated play-by-mail game with a not-to-be-named
company out of Oregon, and I ran into an interesting software logic gap.
In the game, players have locations with soldiers defending it.  Locations
can contain guilds (representing an organization supporting a certain
skill or collection of skills).  A location's owner may be different from
the owners of the guilds within it.  In addition to the location's soldiers,
guilds' soldiers can be ordered to defend the location against attack if both
the location's and guilds' owner agree.

An amusing incident just occurred, when we captured a location from an enemy
position.  Capturing it required us destroying all of the location's soldiers.
However, one of the location's guild owners tried to take the location back
from us by putting soldiers in his guild and then trying to launch a "guild
coup".

Unfortunately, the guild which attacked the city was also ordered to defend
the city against attack.  The location's previous owner had set this up with
the guild's owner, and the change in ownership from our conquering the location
didn't affect the guild defense options.  So the guild ended up fighting
itself.  Needless to say, it lost.

And in another amusing result, it turned out that the defender's ending values
from a battle are written to the database before the attacker's.  So since
the attacker had no troops left, the guild ended up with no troops left -
even though the guild-as-defender had troops survive the battle.

This kind of problem crops up all of the time in software dvelopment.  At
my previous company, I had a problem attempting to deal with real-time data
when an application which was both a data consumer and a data producer
attempted to request data from itself.  The normal protocol would have been
to send the request out to the network, have the network manager route the
request back to the application, and have the application handle it in course.
But the network manager was "smart" and told the consumer "you're requesting
from yourself", and refused the request.  This protocol forced anyone writing
a producing/consuming application to create its own internal method for
requesting data from itself, in addition to the normal method of requesting
data from the network.

Both cases come down to developers who pictured a very general model,
without considering some of the specific exceptions to the model which may
very well occur in day-to-day use.  In the game company's defense, this flaw
has existed for several years, and as far as they know this is the first
time players have actually encountered it.

Jim


Stolen ATM Card nets $346,770

<RichWells@aol.com>
Fri, 17 Feb 1995 22:25:16 -0500
In RISKS 16.81 "Whittle, Jerome SMSgt" <JWhittle@amclg.safb.af.mil> wrote:
>5. Karen Smith isn't liable for the theft even though she left her card and
>   PIN number unsecured.  I believe that she should shoulder some of the
>      blame and loss.

I hope I'm not the only one who will speak out against this "blame the
victim" mentality.  Granted, the crime could and should have been prevented,
but since it did happen, the blame for the crime falls squarely on the
shoulders of the reprobates who committed it.

The risk I see here is that if we continue to cut criminals some slack by
placing some of the blame on the victim, we're only going to invite more
crime of this sort.  To me, this is only slightly more palatable than
blaming a rape victim because of how she was dressed.


Re: JUDGES-L (Stodolsky, RISKS-16.82)

Peter da Silva <peter@nmti.com>
Mon, 20 Feb 1995 11:17:43 -0600
> Fears of this development have led to the organization of the NetNews
> Judges (TM) List (this is a reformatted InterNIC resource entry):

Note that the people who actually do the volunteer work that keep Usenet
running, as well as most long time Usenet readers that know about it,
consider Judges-L to be a crank list. It's a closed list, with rules
about the dissemination of messages outside the official membership. It
periodically produces informational postings that have no relationship
to accepted net behaviour.

Like any other "authority" on Usenet it has no power but what individuals
grant it. Unlike "authorities" like David Lawrence, who is accepted by the
majority of sites as being the authoritative source of new groups, Judges-L
has no followers except for the people who are actually on the list... and
even then some of the people on Judges-L are only there to keep an eye on
them.

  [Also commented on by Kevin Blackburn Kevin@fairbruk.demon.co.uk]


"PGP: Pretty Good Privacy" by Garfinkel

"Rob Slade, Social Convener to the Net" <roberts@mukluk.decus.ca>
Sat, 18 Feb 1995 15:54:54 EST
BKPGPGAR.RVW   950116

"PGP: Pretty Good Privacy", Garfinkel, 1995, 1-56592-098-8
%A   Simson Garfinkel simsong@next.cambridge.ma.us simsong@expert.com
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   1995
%G   1-56592-098-8
%I   O'Reilly & Associates, Inc.
%O   800-998-9938 707-829-0515 fax: 707-829-0104 info@ora.com or nuts@ora.com
%P   393
%T   "PGP: Pretty Good Privacy"

Part one of this guide to Phil Zimmermann's "Pretty Good Privacy" (universally
known by its initials, PGP) contains two rather disjointed chapters introducing
PGP, itself, and cryptography basics.  After that rocky start, however, part
two is both readable and rivetting.  Chapters on the history of cryptography,
the history and development of PGP, privacy, and patents gather both the
technical and social aspects of PGP together in one place.  The conceptual
background for public key cryptography is presented both soundly and in a
manner accessible for non-experts.  The many controversies over PGP are
presented in a very detailed manner.

Part three, "Using PGP", has chapters on file encryption, key creation, key
management, email encryption, digital signatures (authentication), key
distribution and certification, and Internet key servers.  The style of the
nutshell books give a very "technical" look to the material, and in some cases
the content is very terse in comparison to Stallings' "Protecting Your Privacy"
(cf. BKPRTPRV.RVW).  In others (such as key management), though, the text here
is paradoxically clearer.  In any case, the examples are straightforward and
easily followed.  (Readers may, however, be excused for failing to follow the
explanation of Diffie-Hellman on page 356.)

The appendices cover obtaining and installing PGP for MS-DOS, UNIX and
Macintosh.

copyright Robert M. Slade, 1995   BKPGPGAR.RVW   950116
Vancouver Institute for Research into User Security  Canada V7K 2G6
ROBERTS@decus.ca  Robert_Slade@sfu.ca  rslade@cue.bc.ca  p1@CyberStore.ca


The Coming Plague

Peter Wayner <pcw@access.digex.com>
Mon, 20 Feb 1995 09:31:37 -0500
While RISKS is ostensibly devoted to the foibles of computer generated bugs,
readers of the list will probably enjoy _The Coming Plague_ by Laurie
Garrett (Farrar Straus & Giroux). The book explores many of the battlefields
between humans and microbes and then concludes that it is only a matter of
time before the microbes score some dramatic victories. Many of the themes
are familar to RISKS readers: the fix causes more pain than it solves; the
bountiful commonweal often comes with a quicksilver lining; and there is no
such thing as the last bug.

The bestselling _Hot Zone_ covers a small part of the scope of this book
and it is more a movie outline than a book on science. _The Coming Plague_
comes with copious footnotes and is filled with the technical details that
scientists love. I've enjoyed it more and I suspect that others who read
this list might feel the same.  Given that some computer scientists talk of
solving NP complete problems with DNA techniques, I guess that the fields
are effectively merged and this is entirely appropriate for this list.


Scan results

"Dr. Frederick B. Cohen" <fc@all.net>
Sat, 18 Feb 1995 07:24:56 -0500 (EST)
Since announcing the on-line over-the-wire security scanning service
(http://all.net:8080) on the risks forum, over 350 sites have performed
scans.  I am interested in finding out some things about the results of
these scans.  Any answers would be welcomed:

1) Did the service detect anything you did not expect?
2) Was the range of tests interesting enough to warrant keeping the service?
3) Is the service genuinely helpful or just a waste of time?
4) Did your defense detect the attempted attacks/defend against them?

Thank you in advance for your replies (email to fc@all.net).  Also, I
would like to note that scans performed over the last few days, only 20
or so failed to be delivered to the tester because of mail failures.

FC


symposium on medical records

Phil Agre <pagre@weber.ucsd.edu>
Sat, 18 Feb 1995 18:28:29 -0800
A symposium is coming up that has tremendous consequences for the privacy of
sensitive personal medical records -- Toward an Electronic Patient Record
'95, 14-19 March 1995 in Orlando, Florida.  The basic idea is to put all of
your medical records on-line in a centralized repository, accessible to any
medical professional who needs them.  This is great when the folks in the
emergency room need your records in a hurry, but it's not so great when your
records are also available to insurance companies and marketers, not to
mention private investigators who are willing to push the law a little bit.
Right now the outlook for serious privacy protections on computerized
medical records is not so good.  As a result, I think it would be excellent
if any net citizens were to attend this symposium and report back to the net
community.

I would particularly direct your attention to a meeting of the Standards
Subcommittee on Access, Privacy and Confidentiality of Medical Records,
which is to be held on Sunday March 12th and will be open to the public.
It isn't good enough for privacy to be protected by vague principles and
guidelines after the systems have been designed.  Privacy capabilities such
as patients' control over their personal information must be built into the
technical standards, and if you can be in Florida in March then you can help
out by informing the net community about the progress of those standards.

More generally, the standards for a whole generation of privacy-sensitive
systems are being set right now -- Intelligent Transportation Systems are
another example -- and I think it's important for the net community to
track the standard-setting process, publicizing problems and intervening
to make sure that the new generation of standards makes full use of the
new generation of privacy technologies -- especially technologies such as
digital cash that are based on public-key cryptography.  In the case of
medical records, some of the people designing the systems actually are aware
of the existence of these new privacy technologies.  The hard part is making
sure that real privacy protection is actually built into the standards
despite the probable pressure of various economic interests to the contrary.

The symposium is organized by the Medical Records Institute.  MRI is on
the Web at http://www.nfic.com/mri/mri.html   But I particularly recommend
the 36-page paper version of the conference announcement since it includes
information about the exhibitors -- valuable raw material for research by
privacy advocates.  MRI's e-mail address is 71431.2030@compuserve.com and
their paper address is 567 Walnut Street, PO Box 289, Newton MA 02160 USA.

Phil Agre, UCSD


NCSA Conference: Security on the I-Way

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
19 Feb 95 22:16:52 EST
                SECURITY ON THE I-WAY
            NCSA's 1995 Technical Symposium
                  April 10-11, 1995
              Stouffer Concourse Hotel
                    Arlington, VA

NCSA is pleased to announce Security on the I-WAY '95, a technical
symposium addressing two key security issues:  Internet/NII Security
and Computer Viruses.  Our speakers this year include many of the
world's leading experts in these two key areas.

For further information or to register for the conference, please
send e-mail to 74774.1326@compuserve.com requesting the registration form.

CONFERENCE PROGRAM:

April 10/Monday:
08:30  Keynote Address
       NCSA: New Directions
       Dr. Peter Tippett,  President, NCSA

TRACK 1:  Computer Viruses
Track Chairman:  Charles Rutstein

April 10/Monday:
09:00  Real World Anti-Virus Review and Evaluation
       Richard Ford, Editor, Virus Bulletin
       Sarah Gordon, Command Software
10:30  Virus Metrics
       Joe Wells, IBM Watson Research Center
13:00  Viruses and the Internet
       Fridrik Skulason, FRISK Software
14:30  Virus Writing: High-tech InfoSecurity Warfare
       Frans Veldman, ESaSS

April 11/Tuesday:
09:00  Viruses in the 32-bit Operating Environment
       Shane Coursen, Symantec
10:30  Viruses and Windows NT
       Charles Rutstein, Price Waterhouse
13:00  The Good, the Bad and the Polymorphic
       Alan Solomon, S&S International

TRACK 2:  Internet/Infrastructure Security
Track Chairman:  Ted Phillips

April 10/Monday:
09:00  The Electronic Intrusion Risks to the NII
       Ted Phillips,  Booz-Allen Hamilton
10:30  Public Key Infrastructure Issues
       Warwick Ford,  Bell Northern Research
13:00  Internet Security Strategies
       Jim Litchko, TIS
14:30  Security Applications for Smartcard Technologies
       Jim Dray,  NIST

April 11/Tuesday:
09:00  Wireless System Security
       Robert McKosky,  GTE Laboratories
10:30  Broadband Network Security Issues
       John Kimmins,  Bellcore
13:00  NII Network Reliability Issues
       Mel Sobotka,  Booz-Allen Hamilton
14:30  Law Enforcement Perspectives on NII Security
       Hal Hendershot,  FBI

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn
(Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)

Please report problems with the web pages to the maintainer

Top