The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 82

Friday 17 February 1995

Contents

o New York Parking Meters In Violation of Federal Law
A. Padgett Peterson
o Big Brother in the Big House
Peter Wayner
o Computer aids in predicting death
Lauren Wiener
o Hacker Mitnick arrested
Jim Griffith
o Computer addiction and the 6 O'Clock News
Rob Slade
o New Area Codes & PBX Programs
Mich Kabay
o E-mail risks
Vincent Gogan
o Re: Self-disabling software
Bruce Johnson
o Re: Invisible blue zone
David Stodolsky
o CERT Advisory CA-95:04.NCSA.http.daemon.for.unix.vulnerability
o Info on RISKS (comp.risks)

New York Parking Meters In Violation of Federal Law

A. Padgett Peterson <padgett@tccslr.dnet.mmc.com>
Wed, 15 Feb 95 15:32:24 -0500
Re: Notification on Self-Disabling Software (Jeremy Epstein)

This leads naturally to the following item:

  (1998): In a surprise move, federal marshals yesterday seized nearly nine
  million parking meters in New York City, citing violation of the Software
  Disability Act of 1996.  Consumer advocates praised the move, saying ``the
  meters all stopped working when the time ran out."  The Parking Violations
  Bureau issued protests that ``all motorists in NYC on were issued a notice
  on 1 April 1975, along with the courtesy windshield cleaning."  However,
  these protests were not accepted, because the majority of motorists
  ticketed were not old enough to have had licenses at the time.

     [I guess April comes early in 1995.  PGN]


Big Brother in the Big House

pcw@access.digex.com <Peter Wayner>
Wed, 15 Feb 95 21:55:36 PST
The WSJ has a big article on the prison phone call business on Wednesday,
February 15, 1995. The article discusses how the major long-distance
companies court prisons because prisoners have nothing better to do than
spend heavily on phone calls.

But supplying phone service to prisons is not a risky job, because convicts
have a habit of phone and credit card fraud. They'll call an outside phone
number at random, con the person who answers into giving out a credit card
number, and then use that number to order goodies for themselves.

So, many prisons require the phone-service providers to provide anti-fraud
measures, which include tape-recording equipment and voice-print
identification. Some prisoners have their access to phones restricted, and
they try to use someone else's access codes.  The voice print identification
can nab these guys.  The technology is now being deployed.

All of this avoids the question of just what is prison in a world where the
apartments are smaller and telecommuting is more popular.  If prisoners can
dial out, conduct business, and even access the net, the walls seem filled
with virtual loopholes.

   [This also gives new meaning to ``Reach out and touch someone."  PGN]


Computer aids in predicting death

Lauren Wiener <lauren@reed.edu>
Thu, 16 Feb 95 21:28:46 -0800
>From _The Oregonian_, 16 Feb 1995, p. D11:

Computer Aids in Predicting Death, by Mike Koller, AP, Philadelphia

[...] Using a new program, researchers say they are able to predict when a
terminally ill person will die with more accuracy than doctors using their
own judgment.  The study could help doctors determine which treatments
should be given to terminally ill patients and help decide when life-support
efforts should be stopped.  ``The computer remembers thousands and thousands
of cases and keeps the different risk factors in perspective," said Dr.
William A. Knaus of George Washington University.  Knaus led the study,
published in the Jan. 31 issue of the Annals of Internal Medicine.  ``And
when we included the survival estimate from the patient's own physician in
the model, the two together predicted time until death more accurately than
either alone," he said.  The program was developed from June 1989 to June
1991, using information from 4,301 patients.  It was tested from January
1992 to January 1994 on 4,028 patients, Knaus said.

The program, called SUPPORT (Study to Understand Prognoses and Preferences
for Outcomes and Risks of Treatments), focused on nine diseases and
conditions, such as liver disease, colon or lung cancer, heart or lung
disease and multiple organ failure.  Knaus said he was confident that
Support will prove reliable and eventually be expanded to predict death
rates for other diseases.  Seriously ill patients with a projected life
expectancy of six months were entered in the study when they were
hospitalized.  [...]

``Most adults say that if they are going to die within a year, they want
realistic estimates of their risks, both in the immediate future and during
the next few months," Knaus said.  ``This predictive tool is important for
its use for counseling very sick patients and their families."

However, not everyone agrees.  Toby Gordon, vice president for planning and
marketing at Johns Hopkins Hospital and Health Systems in Baltimore, said
the program raises questions.  ``Any information that helps us learn how to
better take care of patients -- in quality of care and quality of life --
makes a contribution," Gordon said.  ``But whether patients and their
families will want to use it is questionable."  He also questioned the
ramifications of being able to accurately predict death.  ``In the expansion
of computer-assisted technology we will see a proliferation of these
techniques, bringing into question ethics and rationing of care," he said.

The authors warned that the project has not been tested outside the strictly
controlled settings of teaching hospitals.  Its reliability in conventional
hospitals settings has not been established, they said.


Hacker Mitnick arrested

Jim Griffith <griffith@netcom.com>
Thu, 16 Feb 1995 23:37:24 -0800
KCBS Radio (San Francisco) reported tonight that The Well and Netcom
combined efforts, resulting in the arrest of 31-year-old hacker Kevin
Mitnick in Raleigh North Carolina.  Both companies discovered large caches
of data being stored on their systems.  At the same time, "a well-known San
Diego consultant" discovered security breaches in his system.  This led to
vigorous efforts to track the hacker, and after 24-hour electronic
surveillance and at least one cellular phone trace, law enforcement
officials arrested Mitnick.  Mitnick's early escapades are chronicled in the
book _CYBERPUNK_ by Katie Hafner and NY Times reporter John Markoff, and, in
fact, Mitnick is accused of breaking into Markoff's computer.

Mitnick, a fugitive from justice, faces up to 30 years in prison for various
crimes, including allegedly breaking into NORAD computers.  Law enforcement
officials are now wrestling with jurisdictional issues, as Mitnick is wanted
for crimes in at least six different jurisdictions.

  [See excellent articles by John Markoff in *The New York Times*, 16 Feb
  (TWO) and 17 Feb 1995.  I could not begin to excerpt these three long
  articles, and of course cannot include them in their entirety.  But
  they are very well done.  PGN]


Computer addiction and the 6 O'Clock News

"Rob Slade, Social Convener to the Net" <roberts@mukluk.decus.ca>
Thu, 12 Jan 1995 15:09:02 EST {[TIMELY!} Yes, we are backlogged!\]
Hello, my name's Rob, and I'm a ... a ... Netaholic.

They tell me a lot of you have a story like mine.  It started out with a
committee and someone at the local university offered me an account, just to
keep in touch, you know?  Then, somebody introduced me to "Computers and
Society".  I could handle that: it only came every week or so.  Then I got
into RISKS-FORUM and the IBM-PC Digest.  That pretty much guaranteed
something every day!  I was really smokin', man!  I thought I was just King
Modem!

In order to feed my habit, I started pushing.  I was porting Info-Mac to
local bulletin boards for access.time.  I started doing unmoderated lists.
Then a friend turned me on to Usenet.  By this time, I was doing about a
half a meg a day.

I was hooked, but I wouldn't admit it.  I told myself it was all
job-related.  I only read VIRUS-L in order to flog my book.  But why did I
have alt.best-of- usenet in my .newsrc?  My wife took to asking, "Is that in
real time or computer time," when I said I'd be offline in ten minutes.

I didn't recognize the danger signs.  I could tell people the first
alt.adjective.noun.verb.verb.verb group.  My wife left me when I started
introducing myself at parties as, "Hi!  roberts@decus.ca.  What's your
group?"  I started talking familiarly about people that my friends in
Vancouver had never met.  I started hoarding accounts.  When I found out I
could never match Bill Murray's two full columns on a business card, it was
a real bad trip.  I crashed for a week.

Then, it all fell apart.  My access provider started to go flaky.  I tried
Fidonet, but it just wasn't the same.  I ... I ... started reviewing
Internet books.  It wasn't a pretty sight.  Soon, I had two bookshelves
completely full.  *And* that little pile behind the door where I thought no
one could see ...

I finally realized I needed help.  As part of the twelve-step process, I'm
telling my story in public.  And I'm going to bust up my modem ... as soon
as I do this one more posting ...

     ___

Yes, I'm sarcastic.  It's an addiction, OK?

Yes, I believe we can all admit that computers can be very addictive.
Programming, itself, is as "moreish" as salted peanuts--and often has a
similar effect on the waistline.  Computers are relatively inexpensive, give
results with minimal training, are completely under the control of the user
(why else call them "personal" computers?) and don't require any particular
considerations.  But do they *cause* addiction?

Our society seems to be not merely predisposed to, but actually encouraging
of, obsessive behaviour.  The evidence is not limited to lone psychopaths,
the drug culture, cults and tragedies such as anorexia nervosa.  Amateur
"athletes" who constantly require medical intervention are considered
normal.  We don't *really* believe that a workaholic is a problem.  We
expect scientists to have no idea of culture and artists to have no idea of
technology.

Another newswire report of computer addiction, therefore, adds no new
information to the study.  We all know computers can be attractive--but we
all know that there is a difference between the fellow (usually male, isn't
it?)  who runs up enormous bills on the Compuserve CB simulator, and those
of us whose work or study requires as much online correspondence as we can
afford to give.  In many cases, the computer is not a cause but merely a
means.  If it were not the computer, it would be something else.  Recently a
co-worker happened to drop the comment that he didn't watch much TV--only
about five hours a day.  If that is OK (or even "not much"!) can I spend
five hours a day with the modem?  (Can I add an hour for social utility?  As
long as I promise not to use Mosaic?)

I am *not* saying that computer addiction cannot be a problem.  If it is,
however, let us give some thought to isolate and identify the difference.

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733


New Area Codes & PBX Programs

"Mich Kabay [NCSA Sys_Op]]" <75300.3232@compuserve.com>
17 Feb 95 15:11:06 EST
An AP item on 17 Feb 1995 reported that many businesses in Washington state
and Alabama are having trouble receiving phone calls since new area codes
were introduced last month.  The new area codes, 360 in western Washington
and 334 in Alabama, are the first in the country not to use a one or zero as
the middle digit.  The item reports that PBXs reject area codes that include
anything but a 0 or a 1 in the middle position.  The problem will worsen
when additional area codes are installed in, among other regions, Los
Angeles, Denver, and Tampa.

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn
(Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)


E-mail risks (risk of many mail programs)

Vincent Gogan <vincent@cs.toronto.edu>
Wed, 15 Feb 1995 14:54:36 -0500
Most mail programs that I have dealt with share a flaw... they don't
indicate to whom a message will be actually sent.

This became particularly evident this Valentine's Day when I received a very
warm personal note thanking me for some beautiful flowers and indicating how
I always knew how to make this women happy. This came as quite a surprise to
my wife (and myself)!

... Many a sitcom episode has started with a weaker premise than this.
Luckily, my wife would never have fit in with the Three's Company crowd
and all is well.

Still, this probably happened because of quite a simple error. This women
either typed in an alias/nickname that didn't work or just typed the first
name of her suitor instead of his account name. In either case, the mail
program should have indicated to whom the message would be sent. For local
addresses (as this was), the actual name of the recipient (as opposed to the
account name) should be indicated.

Vincent Gogan  vincent@cs.toronto.edu


Re: Self-disabling software (Leichter, RISKS-16.80)

"Bruce Johnson" <JOHNSON@tonic.pharm.arizona.edu>
Thu, 16 Feb 1995 11:40:28 MST
    If a third party triggers the disable feature, or, even under the
right circumstances, the owner of the software (ie: the client has paid, but
you disable it anyway) that is a felony in most states, theft by control; ie
: embezzling.  If you hold the software to ransom through such an act, it's
also a felony.

    As a side note...this was used as a plot device in the movie "Single
White Female" a few years back, as a revenge sub-plot.

Bruce Johnson, University of Arizona, College of Pharmacy
Information Technology Group


Re: Invisible blue zone (Jonas, RISKS-16.81)

David Stodolsky <david@arch.ping.dk>
Thu, 16 Feb 95 23:03:51 +0100 (CET)
> The cancelbots then cancel those postings and I'm essentially barred from
> the internet.

Cancelbots are not normally being used to cancel spams. The articles are
typically selectively cancelled, often one copy will be left in a newsgroup
in which it is "on-topic". Non-spam posts by the same sender are not
affected.

   [Also noted by roeber@vxcern.cern.ch (Frederick G.M. Roeber).  PGN]

However, there is now a Call for Discussion (CFD) about reorganization of
the news hierarchy. This could, among other things, create a moderated
newsgroup, news.admin.net-abuse.announce, for the posting of announcements,
etc., related to abuse. Opponents fear that a moderated group would give the
announcements a stamp of authority that would lead to attacks on the
apparent abusers.

Axel Boldt is maintaining an "Internet Advertisers Blacklist" To quote a
draft FAQ, "Administration of Cancel Messages": Axel Boldt
<boldt@math.ucsb.edu> should be notified about abusive advertisers, so they
can be added to his Internet Advertiser's Blacklist. Please use the word
"Blacklist" somewhere in the subject line. Make sure to check the last
version of the List first, so that he won't get multiple complaints about
incidents already covered. The newest version is always available over the
WWW at URL: http://math-www.uni-paderborn.de/~axel/blacklist.html.

> ...  I have no way to know to appeal (let alone to whom) and I must get

Fears of this development have led to the organization of the NetNews
Judges (TM) List (this is a reformatted InterNIC resource entry):

===========================================================================

              Judges-L - NetNews Judges List
              Resource Type:  Mailing list

Description:  The Judges' List distributes messages to a panel of
              Judges who cancel multiple posts to NetNews immediately.
              The List is used to help Judges organize themselves,
              finalize policy, and set procedures to enforce rules. It
              is primarily directed to those who issue cancels.
              Secondarily, to those who survey cancels issued, in
              order to ensure that the cancel facility is not being
              abused. The protection of the NetNews system from overload
              by posts to multiple newsgroups is the focus of activity.

Access: Messages go to: Judges-L@UBVM.cc.buffalo.edu.
        Subscriptions go to: LISTSERV@UBVM.cc.buffalo.edu.

Services:       Dispute Resolution:

                Complaints are primarily about spam, multiple off-topic
                posts. Posters may also complain about inappropriate
                cancels. An opinion is reached via a consensus
                decision-making procedure based upon private deliberations
                in which all parties may participate.

                Preparation of Periodic Posts:

                Frequently Asked Question (FAQ) lists are prepared to inform
                users about appropriate use of cancel messages, how to file
                complaints, how the List processes complaints, etc.

Keywords:  posting software, law, security mechanism, control message,
           freedom of speech, censorship, due process, advertisement,
           chain letter, rumor, conflict resolution, forgery, infection,
           news administration, kill file

David S. Stodolsky, PhD  * Social *   Internet: david@arch.ping.dk
Tornskadestien 2, st. th.   * Research *    Tel.: + 45 38 33 03 30
DK-2400 Copenhagen NV, Denmark  * Methods *  Fax: + 45 38 33 88 80


CERT Advisory CA-95:04.NCSA.http.daemon.for.unix.vulnerability

CERT Advisory <cert-advisory@cert.org>
Fri, 17 Feb 1995 17:36:01 -0500
   [Also, see CA-95:03, February 16, 1995, Telnet Encryption Vulnerability,
   if you are using Berkeley Telnet with the experimental Telnet encryption
   option using the Kerberos V4 authentication.  PGN]


CA-95:04                         CERT Advisory
                               February 17, 1995
                     NCSA HTTP Daemon for UNIX Vulnerability


The CERT Coordination Center has received reports that there is a
vulnerability in the NCSA HTTP Daemon V.1.3 for UNIX. Because of this
vulnerability, the daemon can be tricked into executing shell commands.

If you have any questions regarding this vulnerability, please send
e-mail to Beth Frank at the NCSA, efrank@ncsa.uiuc.edu.

I.   Description

     A vulnerability in the NCSA HTTP Daemon allows it to be tricked into
     executing shell commands.

II.  Impact

     Remote users may gain unauthorized access to the account (uid) under
     which the httpd process is running.

III. Solution

     The following solution was provided by the HTTPD Team at SDG at
     NCSA.

     Step 1:

       In the file httpd.h, change the string length definitions
       from:
                /* The default string lengths */
                #define MAX_STRING_LEN 256
                #define HUGE_STRING_LEN 8192
        to:
                /* The default string lengths */
                #define HUGE_STRING_LEN 8192
                #define MAX_STRING_LEN  HUGE_STRING_LEN

     Step 2:

        Install the following patch, which performs the functionality of
        strsubfirst (i.e., copy src followed by dest[start] into dest) without
        the use of a temporary buffer.

   ----[Lengthy patch deleted for RISKS.  Contact CERT FOLKS.  PGN]----

After you apply this patch, recompile httpd, kill the current running process,
and restart the new httpd.

  [The CERT Coordination Center thanks Steve Weeber, Carlos Varela, and
  Beth Frank for their support in responding to this problem.]

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in Forum of Incident Response and
Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise that the e-mail be encrypted.
The CERT Coordination Center can support a shared DES key, PGP (public key
available via anonymous FTP on info.cert.org), or PEM (contact CERT staff
for details).

Internet E-mail: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address:  CERT Coordination Center
                 Software Engineering Institute
                 Carnegie Mellon University
                 Pittsburgh, PA 15213-3890
                 USA

CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request@cert.org.

Past advisories, CERT bulletins, information about FIRST representatives, and
other information related to computer security are available for anonymous FTP
from info.cert.org.

CERT is a service mark of Carnegie Mellon University.

Please report problems with the web pages to the maintainer

Top