Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
On 9 Aug 1994, an attempt was made to rescue Dante II (see RISKS-16.31) from the Mt. Spurr crater. A helicopter tried to lift Dante II by its half-inch Kevlar-reinforced tether, but the tether snapped from the force of the attempted liftoff. The tether had survived earlier tests that demonstrated it had sufficient strength to lift the 1700-pound robot; however, the tether may have been wrapped around one of the VW-sized boulders as a result of Dante's earlier movements. (Tim Hegadorn, a CMU grad student, was injured in the process.) And, finally, on 12 Aug 1994, David Bares (civil engineer, and leader of the CMU robot development effort) and an Army ``pathfinder'' climbed into the Mt. Spurr volcano. David removed the computer and electronics module, which were then helicoptered out of the crater. They then hooked up a sling so that the robot itself could be hauled out. Six of the robot's legs had been ``badly dented'' --- but otherwise the robot appears ready for another mission. [From what may be the final article in this series, by Charles Petit in the *San Francisco Chronicle* on 16 Aug 1994, p. 2.]
This is from *New Scientist*, 2 Jul 1994. 'Tis just 40 years since North American TV stations started broadcasting in colour, using the NTSC system. Officially NTSC was named after the National Television System Committee which chose it. Unofficially NTSC has often been called Never Thrice the Same Colour. A journalist who used to cover the NTSC told us recently of a lighter moment at the laboratories of the record company RCA in Princeton, New Jersey, where the system was developed. Team leader George Brown laid on a final transmission test. A colour camera was focused on a bowl of colourful fruit in one lab, and the received signal was displayed in another lab on a prototype colour tube. Just before the test Brown took a banana from the bowl and painted it blue. For the rest of the day the engineers at the receiving end struggled desperately to find out how their new system was faithfully reproducing the colour of red apples, orange oranges and green grapes, but resolutely converting yellow into blue.
[Source: Address for Success: Internet Name Game; Individuals Snap Up Potentially Valuable Corporate E-Mail IDs, By Stewart Ugelow, *The Washington Post*, 11 Aug 1994, PGN abstracting from MK abstracting] Jim Cashel has registered at least 17 E-mail addresses, including esquire.com, hertz.com, trump.com. Registration applications are honored in the order of their requests. If YOUR name has already been taken, you can choose another name, or you can buy the rights, or you can try legal proceedings. Adam Curry is being sued for registering mtc.com. Also registered are names such as coke.com, nasdaq.com, and windows.com. However, the laws are as yet unclear on net addresses. [This RISKS item should not be construed as an invitation to run out and get into the name-registering lottery. PGN]
Saul Hansell, New breed of check forgers exploits desktop publishing, *The New York Times*, 15 August 1994, pages A1, C3. This article reports that it's easy to manufacture fake checks with widely available desktop publishing software. You need an original check, which you can get from the trash, from a paid insider (usually a low-level employee), or by standing outside check-cashing shops and paying people to let you photocopy their payroll checks. Then you need a scanner, and software to manipulate the image. Then you need check paper and a check printer (both of which are readily obtained). Finally, you need someone to pass the check — someone who'll take a cut to risk getting arrested. The forgers and the banks are engaged in a technological arms race. Tellers can run checks through scanners to make sure they've got the right kind of magnetic ink on them, but then magnetic-ink printers are widely available. Image manipulation programs allow for "authenticating" stamps and signatures to be forged as well. When forged checks are discovered, some banks fax the pertinent information to every other bank branch in the same region of the country, figuring that the forgers have made several copies of the check and are driving around cashing them as fast as they can before the alarm is sounded. And so on. This story illustrates one of the many subterranean interactions between computer technology and social institutions — the tendency of applied computing to change physical objects into hybrid things that have one foot planted in cyberspace. We've always relied on the relative immutability of physical objects to do various kinds of work for us. Computers make it easier to synthesize many kinds of objects, including mutated copies of originals. The obvious solution — at least, the solution that's obvious within the conventions of computer design — is to give every check a digital "shadow". For example, when an employer issues a payroll check, the check number and amount might be registered digitally and made available on a server. When a check is presented for payment, the teller feeds the check into a scanner that recovers the check number and payment amount from the magnetic ink and then, rather like credit cards now, consults that server to see if the check has been presented yet. This is only one of the many social mechanisms through which people, places, and things acquire digital shadows. Each mechanism has a seemingly inexorable logic through which the shadows cast by human artifacts and activities grow more expansive and more detailed. This process might be planned out in advance or it might proceed through a reaction to unanticipated holes in the system. When the trends that precipitate further growth in the shadow system are bad, or at least stigmatized, little attention is paid to alternatives that might minimize the amount of personal information that is being gathered while still providing genuine benefits and helping to prevent genuine ills. What's your shadow like? Phil Agre, UCSD [The ability to cloud men's minds also helps. But sniffing out forgeries is itself an art: The Digital Shadow Nose! <Shadowy laugh> PGN]
From the "New England News In Brief" section of the August 10, 1994 edition of
*The Boston Globe*, here's a description of a situation in which a
technological innovation had a positive but unanticipated side-effect:
Suspects dial ahead, are caught
Naugatuck, Conn. - Telephone technology has helped nab two burglary suspects
who had allegedly called ahead to see if anyone was home. Police said one of
the suspects called Sunday and left a message on an answering machine asking
if anyone was there. The burglars rewound the answering machine when they
arrived at the home, but did not notice that their number was recorded on a
Caller ID device. Police traced the call to the apartment of Gregory Alves,
23, and his roommate, Gary Ingham, 19. (AP)
Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com
A software bug in the cutover to a new computer system at the Defense Finance and Accounting Center at Fort Benjamin Harrison in Indianapolis resulted in 900 Army National Guard members and over 7000 vendors suffering from almost $100 million in delayed payments for a year. The National Guard also wound up with excessive payments. No fraud implied. [Source: An Associated Press item by John Diamond, from Washington, D.C., 15 Aug 1994]
Given a class of data that it is unlawful to possess (e.g. child pornography in the US, government secrets almost anywhere), escrowed encryption keys can be forced out of escrow by simultaneously transmitting such data to a site (e.g. via e-mail or anonymous FTP), and asserting to the appropriate authorities that there is probable cause to believe that such data is present at the site. Even if evidence obtained in this way cannot be used in court, it still puts the victim through the (perhaps considerable) expense of replacing the compromised key (which may be embedded in hardware) and of tracking down anything else that may have been affected, as well as opening the door to a generalized fishing expedition that may well turn up something that *can* be used. A user at the site can easily be tricked into requesting the data, for example by means of a URL that simultaneously transmits the data to the user, and notifies the appropriate authorities. This attack can easily be used against a selected set of users, e.g. those on a mailing list or subscribers to a Usenet news group. Steve Savitzky \ http://www.crc.ricoh.com/people/steve/steve.html steve@crc.ricoh.COM \ Cyberspace: an alternate universe where magic works.
I came upon this excellent warning about the dangers of six-digit dates
(with the year represented by two decimal digits) recently on USENET and
have reproduced it here for the readers of RISKS digest with permission:
>From: Problem Reporting Service <PROBLEMS@TDR.COM>
>Newsgroups: tdr.problems
>Subject: 0026 - Exactly. What do we do? (Six Digit Dates)
>Date: Fri, 11 Aug 1994 23:00:58 -0500 (EST)
>Organization: Tansin A. Darcos & Company, Silver Spring MD
>Lines: 179
>Approved: PROBLEMS@TDR.COM
>Message-ID: <94-0026.PROBLEMS@TDR.COM>
>NNTP-Posting-Host: access3.digex.net
Please excuse the long delay between the prior posting and this one, I
have been busy with a number of very critical issues.
I've been trying to think of a way to solve the problem. I - and
probably many of you - have been trying to figure out what to do about it.
At the end of "The Andromeda Strain" the Senator asks Dr. Stone what they
can do if another biological emergency occurs. "What do we do then?" he
asks. "Exactly, " responds Dr. Stone, "What do we do?"
The problem is the issue of six-digit dates and the turn of the century,
now less than six years away.
The problem is probably not as bad as it was, because with the introduction of
IBM PCs which support dates past the year 2100, the issue isn't a problem
except to the extent of programs that still use six-digit dates.
Some of you might not understand why this is a serious issue. I'll explain.
Much software which is still in use - especially on mainframes - was written
ten, fifteen, even twenty years ago for use in the solving of current problems
at that time.
Some of that software survives, even twenty years later. As I once pointed
out in a posting on the newsgroup alt.cobol, a large company might have a
massive 2,000,000 line cobol program with 500 modules that requires 50
programmers for its constant maintenance, care and feeding, and that over the
years the company has probably spent in excess of fifteen million dollars.
These applications are the "bet the company" applications that are
used every day to keep it in business. They are the "crown jewels" that
if anything goes wrong with the application, the company might actually go
into Chapter 11 or suffer massive customer backlash.
These applications cannot be rewritten because it would be too expensive,
and the company can't afford to be without them. Thus, unless something
happens to encourage the company to change its systems, they will continue
running these old, maintenance-heavy applications.
In some cases, the program is so huge and so complicated nobody knows
everything it does; it is beyond the capacity of any one person to know
every function and interface and module.
Therefore it can't be said with certainty what the different sections are
doing with each other. Thus finding where things are happening can be
frustratingly difficult.
Which comes to the issue at hand. Many of these programs were written to
use dates which are six digits in length. Three days from now it will be
August 14, 1994. You can write that as 08/14/94 or 14/8/94 depending on
which way your system codes dates.
Figuring out the difference between 8/14/94 and 8/15/94 is no problem, and
figuring out that 8/13/95 is after 8/14/94 is also no problem.
The last date of this century is Friday, December 31, 1999. 12-31-99.
Want to tell me what the next date after that is? Saturday, January 1, 2000.
01-01-00.
Which date is earlier, 01/01/99 or 01/03/00? What is the difference
between 12/15/99 and 12/31/99? About two weeks. What is the difference
between 12/15/99 and 01/03/00? About 99 years.
Hypothetical Example #1. I use my Visa Card to charge $15.00 on December
15, 1999, and the bill is calculated on Monday, January 3, 2000.
99 years of 21% compounded interest on $15 can be over a billion dollars.
Depending on where the minus sign is, either the company is going to
think I haven't paid them for 99 years, and freeze my account, send me a
bill for $1 billion in interest, or roll over into positive numbers, and
tell me my account has $1 billion in available credit.
Or it simply dumps every account with outstanding balances for manual
handling as the numbers are outrageous, which effectively stops automatic
billing. Or the system simply crashes.
Scenario #2. A major petrochemical processing plant has a system that
cooks a batch of chemicals for a certain period of time, before pushing
that load out to the next process. The plant runs continuously, and
batches are cooked according to time.
A plant computer shoves a load in to cook for one hour beginning at 11:45
pm on December 31, 1999. At Midnight, one of these things happens:
(1) the system notices that the batch has been in the oven too long, and
pushes a batch of molten chemicals into the next process, where the
process of spraying them causes an explosion.
(2) the clock counter overflows and shuts down the whole system.
(3) the system counter overflows and the batch isn't released, so it
overcooks in the oven and perhaps explodes under high heat.
(4) the batch stays in the oven while a new batch is shoved in,
overloading the oven and causing an explosion.
(5) any of these explosions carries back through the utilities and
supplies, causing gas line explosions or power surges, as a plant that is
eating perhaps 2 megawatts of power suddenly drops off the grid, causing
an instant overflow and shutting down power for several areas.
Scenario #3. Several power plants go into maintenance shutdown because
they've been running continuously for 98 years and 7 months longer than
the maximum 90 day operating maximum. Some Nuclear Power plant goes
critical or shuts down because the system believes that the rods have
been installed too long.
So having looked at this issue, what can we do about it?
I got thinking about this. In some systems, there's little or no room to
expand their data files and the ability to remove running applications is
impossible. Therefore any method that changes the system must allow
their applications to continue running.
And I thought of a method.
By coding the date into a character field, effectively in base 32, it
would be possible to encode a larger date and still only use 6 characters.
By encoding the year to use the letters of the alphabet, e.g. AA through
ZZ plus A0 through Z0, it is possible to cover more than 900 years, e.g.
start counting with 1400 through 2300, thus covering any date that could
have occurred during civilization.
In fact, if one wants to encode the month and day - Month encoded to add
A,B and C and day encoded as 0-9 and A-U, it is possible to use 4 digits
for the year and still fit everything into 6 bytes. Or use both and fit
everything into 4 bytes.
This would also then work for places using packed decimal for the
six-digit year and thus only allowing 4 bytes.
One of the things that is necessary is to make programs expecting numbers
fail so that they can be changed. Programs that read these records will
have to expect both old and new format records, while programs that write
them should only output the new format.
The point is that with many sites having hundreds or even thousands of
programs, the effort could be equivalent to three full-time people over a
three year period at some sites. (Some companies have thousands or tens of
thousands of programs in their libraries.) This is extra and additional
maintenance on top of current maintenance. Expensive overhead that will
get worse in the future as it needs to be more urgently done.
What is needed are automated searching and checking facilities to find
programs that manipulate dates and change those programs to handle a new
date format.
If we do not make the changes, we could be looking at failed programs,
massive errors, disasters and setbacks that could produce serious,
perhaps even fatal problems. It can't be done in a hurry in the last 6
months of 1999.
Let us not forget the amount of time needed to do updates, which could be
days or weeks, depending on how good the automated tools are and how many
applications they have.
What do we need to do?
(1). If your site has in-house applications, and lots of source files,
you need to push for the acquisition of automated checking tools.
(2). You need to push for the manpower and resources necessary to do the
work now rather than later, because "later" won't be budgeted for.
(3). You need to push for the updating of databases to allow full
8-digit dates.
(4). Push for all reports to eliminate use of 6-digit dates, even in
display fields.
(5). Find out what your vendor is doing if you use canned applications.
If we work on the problem now while there is time, we can do this with
less error and better control, then trying to rush fixes in November of
1999 when errors could spell disaster.
If you have better ideas on how to solve the six-digit problem, please
write back.
----
To Reply to this message, write to <PROBLEMS@TDR.COM>; for private replies or
subscriptions use <problems-request@tdr.com>; or use newsgroup <tdr.problems>.
Please feel free to redistribute this article widely.
This message is file ftp.digex.net:/pub/access/tdarcos/0026
[This message was also forwarded by Monty Solomon <monty@roscom.com>.
By the way, I also am a subscriber to PROBLEMS.
Note that this topic has been the source of many discussions in RISKS,
an Inside Risks column (January 1991), and a more recent summary of the
most interesting RISKS cases that will appear in the RISKS book,
Computer-Related Risks, scheduled for publication in about five weeks.
Also, see the following item, which is "old" news to gray-RISKers. PGN]
The following was reported in the News of the Last Page section of the
German News regularly posted by germnews@vm.gmd.de:
Babies and young children need their check-ups. One Erna Schnoor
also received an invitation to the "U6" for her first birthday:
"Dear Erna, now you are already suuuuch a big girl..." was how
the letter from the insurance company AOK Marne of Schleswig
Holstein began. Unfortunately, the computer only saves the last
two digits of each person's birthday. Erna Schnoor, at 101 the
oldest city's oldest inhabitant, took it in good humor.
The poster adds that he is looking forward to the turn of the Millenium...
Dr Bruce Scott Max-Planck-Institut fuer Plasmaphysik bds@ipp-garching.mpg.de
A friend told me I should mention this bug here, so here goes.... In some ircII (Internet Relay Chat) clients (v2.2.9, I believe but possibly other versions as well), there is a bug called the GROK or JUKE bug which allows other people to take over your client. Irc clients have functions built in by default that allow access to an account, most notably the ability to run shell commands and such, and as long as the only person accessing the client is the one whose account it is, these commands have their uses. When someone with malicious intent gets control of a client, they can cause major troubles such as deleting the entire account or compromising system security. This bug seems to have been in copies of the code that was available last spring. Personally, I got a client compiled through the auto-compiler at sci.dixie.edu sometime last April or early May, I believe, and that client had the bug. I believe that since then however, they have fixed their code as have the people at cs.bu.edu and the bug no longer appears. To determine if the bug is present in your client, login to irc and then type: /ctcphttp://caligari.dartmouth.edu/~tinkha/andy.html
ANNOUNCEMENT: TECHNOLOGIES OF SURVEILLANCE, TECHNOLOGIES OF PROTECTION
Sponsored by Privacy International, The University of Eindhoven, and
The Electronic Privacy Information Center
Friday, September 9, 1994
Nieuws Poort International Press Centre, The Hague, The Netherlands
The conference will bring together experts in law, privacy, human rights,
telecommunications and technology to discuss new technological developments
that affect personal privacy. The sessions will be interactive, starting with
introductions to the subjects by leading experts, followed by questions and
discussion led by the moderators.
8:45 Introduction
Simon Davies, Chairman, Privacy International
9:00 Information Infrastructures
Marc Rotenberg, Electronic Privacy Information Center (US), Stephanie
Perrin, Industry Canada
10:00 Euopean Government Information Sharing Networks
Jos Dumatier, professor of law and director of the Interdisciplinary
Centre for Law and Information Technology (ICRI) at K.U.Leuven
11:00 Cryptography Policy
David Banisar, Electronic Privacy Information Center, Jan Smiths,
University of Eindhoven
12:00 Lunch
1:00 Smart Cards and Anonymous Digital Transactions
David Chaum, Digicash
2:00 Wrap up
[SPACE IS LIMITED. For the application form or more information,
contact David Banisar, 1+202-544-9240(voice), 1+202-547-5482(fax)
banisar@epic.org (email) or
Privacy International, Washington Office, Attn: Conference Registration
666 Pennsylvania Ave, SE, Suite 301, Washington, DC 20003]
I am writing to invite you to attend a one-day workshop on intrusion detection
to be held at the Baltimore Convention Center in Baltimore MD on
Thursday,October 13, 1994, in conjunction with the 17th National Computer
Security Conference. Because of your interest in this field, your ideas and
experience will be valuable to the discussion.
The NCS Conference organizers have kindly provided us with a room at the
convention center. We need know if you and/or your colleagues will attend by
returning the attached reply form. For other questions, please call Liz
Luntzel at 415-859-3285 or send us a fax at 415-859-2844 or email at
luntzel@csl.sri.com.
The workshop will consist of several short presentations as well as discussion
periods. To help me in preparing the agenda, I would be interested in knowing
whether you have any progress to report on an intrusion-detection project or
some related work that would be appropriate for a brief presentation. If so,
please indicate the title and a paragraph describing your proposed talk on the
attached form. Please also indicate there your suggestions for discussion
topics.
Please respond to me, debra@csl.sri.com
Debra Anderson, Room EL-223
SRI International
Computer Science Laboratory
333 Ravenswood Avenue
Menlo Park, California 94025
There will be no charge for the workshop, and meals will not be included.
There are numerous places in the surrounding Baltimore Harbor area for
breakfast and lunch. The workshop will begin at 9am and will conclude at 4pm.
I look forward to seeing you at the workshop!
Fourteenth Intrusion-Detection Workshop
Yes! I will attend the Intrusion-Detection Workshop October 13 at the
Baltimore Convention Center.
Please complete the following:
Name:
Title:
Affiliation:
Address:
Check one:
I am interested in presenting a talk. [ ]
I am not interested in presenting a talk. [ ]
Title of Talk:
Abstract:
Suggestions for Discussion Topics:
Please report problems with the web pages to the maintainer