Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Nasdaq once again was shut down by an energetic squirrel who apparently chomped on a power line near the stock market's computer center in Trumbull, Connecticut, yesterday. The system failed to perform the automatic switchover to the temporary backup power supply (designed to last until the backup system in Rockville, Maryland, could be brought up), and consequently the market was down for 34 minutes. A similar problem occurred in December 1987. (A 2.5-hour outage on 15 July was reported in RISKS-16.25, due to risky software upgrades.)
According to the Washington Post newswire (94.08.01 via CompuServe's Executive News Service), MCI's inbound Internet gateways were saturated last month, resulting in days of delay in delivery to MCI customers. M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
I had a really interesting experience in one of our labs today, an electrician was adding a new outlet into an office and tied the outlet into a junction point in the dropped ceiling. While tying in the neutral line he let the 'home-run' neutral line (the one going back to the main 3-phase distribution I assume) come loose from the junction. After a minute he discovered this at reconnected it... he didn't notice a thing. All of us in our offices however were really charged up.... There was smoke, sparks and crackling belching from numerous PCs, X terminals, surge protectors and fluorescent lamps. One of our programmers who is an EE figured that when he dropped the main neutral the current instead started to flow between two branches of the three phase and that one office had very little equipment turned on and the other had great gobs of stuff powered up so that the office with everything turned on had almost the full 220V across its outlets. Total body count: 2 surge protectors, a fan, and one Gateway 2000 (which was spewing sparks out of the fan opening!) [I'm not a EE-minded person so hopefully I haven't botched this description too bad] Lessons: 1. Don't trust your surge protectors blindly, the Gateway that got fried was plugged into one. 2. Its worth the money to buy an autoswitching 110/220 power supply, the Gateway was right next to an RS/6000 that has an autoswitching supply. We figure the RS/6000 was running until the breakers blew... it just thought it had made a quick trip to Europe. Another IBM machine with an auto supply made it too. I would have thought that some type of automatic device could prevent these type of overvoltages, but given the electrician's actions I guess not. (This electrical contractor was *real* happy when we discovered the RS/6000 wasn't toast!) --Rob Rose OS/2 Development IBM Boca Raton
I lost my checkbook a couple of weeks ago. Despite turning the house inside out that evening, I couldn't find it. So, I called the bank and had them put a watch on the account. Yesterday, I found the checkbook. (Wedged behind the seat of the lawn mower, must have fallen when I was cleaning the garage.) I called the bank to cancel the watch, needing to tell them only the account number and my name (printed on the check, naturally). They didn't ask me my mother's maiden name or anything. Obviously, what's to stop a finder or thief from making the same call? I didn't raise this question then because I didn't want to raise suspicion and have to go through some trouble to get the watch lifted, but I will raise it with them on the next working day. Paul Dineen, pld@fc.hp.com
>From the Reuter newswire (94.07.31 @ 21:10 EDST) via CompuServe's Executive
News Service:
"FBI HUNTING FOR AGENT STEAL, FLASHY COMPUTER HACKER.
"LOS ANGELES, July 31 (Reuter) - The FBI is searching for a computer
hacker suspected of committing high-tech crimes at the same time he allegedly
worked undercover for the bureau catching other computer hackers, the Los
Angeles Times reported Sunday.
The hacker, who goes by the moniker "Agent Steal" and whose real name is
Justin Tanner Petersen, vanished last October and is on the run from the very
federal agency — the Federal Bureau of Investigation — he told friends was
paying his rent and flying him to computer conferences to spy on other
hackers, the paper said."
Key points from the article:
o Petersen admitted having committed computer crimes even while working
with federal prosecutors.
o He is alleged to have cracked federal computers and stolen information
from a credit card information bureau.
o He was involved in Kevin Poulson's fraudulent successes in radio
phone-in contests in L.A.
o Petersen claimed to have been responsible for "nailing" Kevin Mitnick,
the infamous criminal hacker who is sought by authorities for breaking into
police computers and impersonating a police officer.
o J. Michael Gibbons, an FBI computer crime specialist, is sceptical
that his agency ever hired Petersen: "It's not safe. Across the board, hackers
cannot be trusted to work — they play both sides against the middle."
o "Petersen was arrested in Texas in 1991, where a grand jury returned
an eight-count indictment accusing him of assuming false names, accessing a
computer without authorisation, possessing stolen mail and fraudulently
obtaining and using credit cards."
o Convicted of six counts after pleading guilty, Petersen faces
imprisonment for up to 40 years plus a fine of $1.5 million.
o "...[O]n Oct. 18, 1993, 15 months after entering his first guilty
plea, Petersen was confronted outside federal court by Assistant U.S. Attorney
David Schindler, who asked if Agent Steal had committed any crimes while free
on bail.
"Petersen said he had, according to the federal prosecutor. Petersen fled
immediately after that meeting."
M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
The Washington Post newswire (94.08.01; via CompuServe's Executive News Service) provides an analysis of PCMCIA card problems: "Add-In Card Standard: Good Plan, Bad Execution," by Brit Hume. Hume summarizes the situation when the Personal Computer Memory Card International Association (PCMCIA) was founded in 1990: lack of slot standards made it difficult for manufacturers and users to have economical add-in devices. The new association devised three standards, but unfortunately the bugs are not quite out yet. The author describes the problems trying to work with a new PCMCIA fax/modem card. It worked OK with PC-DOS 6.1 but the drivers failed with DOS 6.2. Even on 6.1, after resuming from both the "suspend" and "hibernate" operations, the operating system had lost track of its PCMCIA port. After extensive discussion with IBM support, the writer got function back after resuming from "suspend" but still lost the I/O port after "hibernate." M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
>From the NIST UPDATE for 94.08.01:
ELECTROMAGNETIC FIELDS
Paper Details EMF Shielding Theory
In work supported by the Federal Aviation Administration, NIST
researchers have developed a mathematical model and theory for
predicting the electromagnetic field shielding effectiveness of large
metal enclosures with apertures and interior loading. The model also
should allow for estimations of the average field strength inside
enclosures such as electronic equipment cases and aircraft bodies. It
can be used for any enclosure regardless of size, shape, type of
material and number of apertures, as well as for any frequency above
a lower limit related to the dimensions of the enclosure. The model
was experimentally evaluated using a rectangular aluminum cavity of
about 0.57 cubic meter (approximately 20 cubic feet), with one
aperture, and for a microwave frequency range from 1 gigahertz to 18
gigahertz. The agreement between model and actual measurement was
within 20 percent after a number of additional sources of loss were
incorporated into the original model. A report, "Aperture Excitation
of Electrically Large, Lossy Cavities" (NIST Technical Note 1361), is
available from the National Technical Information Service,
Springfield, Va. 22161, (703) 487-4650, for $19.50 prepaid. Order by
PB 94-145711.
Media Contact: Collier Smith (Boulder), (303) 497-3198
smithcn@micf.nist.gov
M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
The Associated Press newswire (94.07.28 and 29) via CompuServe's Executive News Service) reported on the recent conviction of Internet porn peddlers The following summary is based on reports by WOODY BAIRD and ELIZABETH WEISE, Associated Press Writers. The first, by Baird, deals with the legal issues. "MEMPHIS, Tenn. (AP) — A husband and wife were convicted of distributing pornography via computer Thursday in a case that raised questions about how to apply federal obscenity law to the information superhighway. Robert and Carleen Thomas, both 38, of Milpitas, Calif., were each convicted of 11 counts of transmitting obscenity through interstate phone lines via their members-only computer bulletin board. Each count carries up to five years in prison and $250,000 fine." Apparently the Thomases sold pornographic graphics files on their BBS. A Memphis postal inspector deliberately joined the BBS under an assumed name, downloaded some of the pics to his system and then complained to law enforcement authorities. There's discussion of just what it means to try someone on the Internet under local pornography laws which refer to "community standards." "The opinion was designed to let local citizens say whether they want X-rated bookstores or movie theaters in their communities and get judges out of the business of deciding what is obscene, said Stephen Bates, a senior fellow with the Annenberg Washington Program, a communications think tank." However, if this approach is applied to the Internet, "federal juries in the most conservative parts of the country could decide what sexually explicit images and words get on the information superhighway, Bates said." Weise's article covers reactions on the Internet: "SAN FRANCISCO (AP) — Hours after a couple were convicted of sending images of bestiality and sexual fetishes over a computer bulletin board, the Internet was humming with warnings and protests. "`If this case stands, you can bet there will be a hell of a lot more prosecutions on the same basis in extremely short order," Karl Denninger of Chicago wrote Friday on the computer network.'" The EFF's Mike Godwin is reported as saying, "This case ... has one community attempting to dictate standards for the whole country." At least one BBS operator has stated that he'll quit as a result of the ruling, although he didn't explain what kind of files his BBS stocks.... Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
Assume, that we need a 'balance' in the RISK Digest, the balance between
"benefits" of certain techniques against their "risks"
I have to react, as we are in a limbo on this issue. As a Dutchman, living in
Belgium, I follow the outcome of a weekly T.V. program, called "Opsporing
verzocht" (Help sought on Criminal Investigation), a program in which the
Police Forces try to get necessary input for solving serious crimes. In that
program, the presence of video-material from shopping malls and within shops
has proven to be a big help in getting required input, and so we have to
accept that we are "video-ed" when we are, for example, shopping; also for our
"own" protection.
- Would not you feel better, with a camera 'at your shoulder',
as e.g. a cashier in a petrol station at a highway ?
So: Benefits appear to outweigh risk !
Note: Apparently the Dutch Police Forces, and related Forces,
are still considered — in general — to be the "friends" of
the population by the Dutch population.
I thought that the same attitude towards the Police Forces
was true for the U.K.; the relation to the "Bobbie".
(As the original "risks message" originated in the U.K.,
I also refer to the "Bobbie")
I wish, this would be the case in other countries as
well; but the requirements for reaching such a
relation with the 'public' are:
- to be "of assistance to the public"
- to be trustworthy, accompanied by a free press
and political will
- to be supported by the judicial apparatus, for
the Forces to stay motivated
- a "quality of life" worth defending it
We will need a lot of "trustworthy" energy to protect us --
and our children — against the "criminal" energy.
Do NOT get me wrong:
- I also fell victim to injustice (in my opinion) in a case
versus an 'official'
- I even have been insulted in writing by a member of the Council
of Ministers
But, we have to trust (and at the same time: control) the forces which
should protect the "law-abiding" (or = sullen ?) citizen, and are paid by
that same citizen to do so ! Might the price of "democracy".
Nap van Zuuren, CompuServe 100042,3164
The July issue of Byte has a good technical review of systems for integrating PC's and telephones. The full reference is: Jon Udell, Computer telephony, Byte 19(7), 1994, pages 80-96. The applications are still pretty primitive, since the necessary capabilities within the phone system itself don't quite exist yet, are just coming on-line, or are just receiving regulatory approval. Still, enough stuff is just over the horizon that non-trivial architectures are being built. Many of them use Caller-ID, for which the FCC just set US national standards over the dead bodies of several state utilities commissions; and despite the strange idea that Caller-ID is mostly for residential use, the article makes clear that developers see a world of commercial applications. In general, as the article points out in the case of sales and collections systems, "As these tools find their way into the hands of smaller, more mainstream businesses, you can expect better service in some cases and more efficient harassment in others." Indeed. Phil Agre, UCSD
> [...] Setuid has hurt instead of helped. [...] While it is
> appropriate for my program to fail by returning ME to the operating
> system, my program should not fail by returning YOU to the operating
> system prompt with privileges that are different from those that you
> have on your own.
Mr. Murray's article on the behaviour of various historical systems is
interesting, but makes a rather bizarre claim about the behaviour of setuid
under Unix. In fact, a setuid program only has privileges in the process in
which it is running and any child processes that it creates without first
disabling the setuid privilege.
The problems we've seen on the Internet with setuid programs generally are the
result of poor coding which leaves loopholes in the executing setuid program
that a clever cracker can exploit. I don't see any reason to believe that
OS/400 setuid-like programs are any safer from this sort of exploitation. The
proper solution to this problem is probably either to program more carefully,
or to set up an environment in which it's harder to make mistakes like this.
_MelloN_
From his description, Mr. Murray appears to think that setuid was introduced
in order to restrict access rights, and has been abused by lazy programmers.
Quite the contrary. The purpose of the `setuid' bit is to allow a program to
run with the permissions afforded to the program's owner, rather than those of
the user. To say that `setuid has hurt rather than helped' is like saying
`electricity has hurt rather than helped'. Setuid is *fundamental* to how Unix
operates and its invention by Dennis Ritchie has been described as the only
genuinely original idea in the Unix design (which is not to say it doesn't
have problems).
William> ... However, they do not permit the user to retain
William> those privileges across the failure of the application.
Neither does Unix. If my setuid program fails, I fall back to whatever
invoked it, usually a Shell. I do *not* retain setuid privileges.
Prof. Patrick O'Callaghan, Departamento de Computacion, Universidad Simon
Bolivar, Caracas, Venezuela poc@usb.ve +058 (2) 906-{3241,3242,3254}
I highly recommend a book entitled The Cult of Information: a Neo-Luddite Treatise on High-Tech, Artificial intelligence, and the True Art of Thinking, by Theodore Roszak (second edition, c1994). Roszak, in this book, is not attacking the idea of computerization, but he is warning our society against equating information with knowledge (the idea that if one can access information one, therefore, has knowledge on that given subject) and against over-computerization of our society. I found it to be a very readable book and quite illuminating. University of California Press, ISBN: 0-520-08584-1
**NEW INFO. SECURITY BOOK ON PUBLIC KEY LAW & POLICY**
TITLE: FEDERAL CERTIFICATION AUTHORITY LIABILITY AND POLICY --
Law and Policy of Certificate-Based Public Key and Digital Signatures
AUTHOR: MICHAEL S. BAUM, J.D., M.B.A.
Independent Monitoring
Report No. NIST-GCR-94-654
450+ pages, highly annotated; multiple appendices; indexed.
U.S. DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Produced in support of the Federal Government's public key infrastructure
study, this book identifies diverse technical, legal and policy issues
affecting a certificate-based public key cryptographic infrastructure
utilizing digital signatures supported by "trusted entities." It examines
potential legal implications, surveys existing legal paradigms and the
structures and roles of relevant governmental agencies and presents various
institutional approaches to controlling liability. It considers the
underpinnings of a legal and policy framework which might serve as a
foundation for security policies and their implementation and concludes with
a series of recommendations, both general and specific concerning
certificate-based public key. Both public and private sector issues are
addressed.
This publication is the result of legal, business and security management
research, as well as interviews and analysis predominantly with public- and
private-sector lawyers, policy makers, managers and management information
system and security professionals in the United States and abroad.
SUMMARY OF CONTENTS:
- PREFACE
- ACKNOWLEDGMENTS
- TABLE OF CONTENTS
I. INTRODUCTION
II. SCOPE
III. DEFINITIONS
IV. ASSUMPTIONS
V. SURVEY OF FCA ACTIVITIES CREATING LIABILITY EXPOSURE
VI. LEGAL CONSIDERATIONS
VII. FCA INFRASTRUCTURE - PROPOSALS AND PARADIGMS
VIII. SURVEY OF, AND APPROACHES TO, TRUSTED ENTITY LIABILITY
IX. OTHER APPROACHES TO MITIGATE LIABILITY
X. CONCLUSIONS AND RECOMMENDATIONS
XI. APPENDICES
XII. GLOSSARY
XIII. INDEX
OBTAINING COPIES: Copies may be purchased through the National Technical
Information Service, Springfield, Virginia 22161, U.S.A., Phone +1 (703)
487-4650 or 1-800-553-6847. Request NTIS Document No: PB94-191-202. Cost:
$61.00
ABOUT THE AUTHOR: Michael S. Baum is Principal of Independent Monitoring, a
consultancy focused on electronic commerce and information security law. He
serves as a Delegate from the International Chamber of Commerce (ICC) to the
United Nations Commission on International Trade Law (UNCITRAL); Chair of the
EDI and Information Technology Division, Section of Science and Technology,
American Bar Association (ABA) and its Information Security Committee; and
Chairman of the ICC Working Party on Legal Aspects of Electronic Commerce.
Michael S. Baum, Independent Monitoring, Cambridge, Massachusetts baum@im.com
[RISKS normally does not run advertising for books. However, this is
a NIST/NTIS report. (Yes, NITS, ISN'T, SNIT are also anagrams.) It is
also fair game for a review, in case someone wants to submit one. PGN]
Please report problems with the web pages to the maintainer