The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 15

Weds 28 May 1995

Contents

o Prodigy Held Liable
Dave Banisar
o Stuyvesant High School Hackers
Mich Kabay
o J. Schwartz on Decency and Democracy
Mich Kabay
o Defamation by BBS
Mich Kabay
o Defying pitfalls of a cashless society
Brian Randell
o Flightdeck automation problems
Kenneth Funk
o A slightly more global look at time and date issues
Robert J Horn
o "Calling the Ahperator"
William Newman
o Denial of Service attack on ISP
Simon Lyall
o Drug-Addicted Geniuses Built Cyberspace
Daniel Frankowski
o Re: Positive-Ion Dangers: Computers and stress / depression
Lindsay F. Marshall
Jonathan I. Kamens
o Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

Prodigy Held Liable

"Dave Banisar" <banisar@epic.org>

26 May 1995 23:12:00 -0400

A New York state trial court ruled on 24 May 1995 that Prodigy is responsible for the libelous statements of its users because it exercises editorial control over their posts. In the case, an anonymous Prodigy user made statements against New York Investment firm Stratton Oakmont accusing it of criminal and fraudulent acts. Stratton Oakmont sued Prodigy and the volunteer moderator of the forum where the statements were published.

The Court found that Prodigy was acting as a publisher and therefore was responsible for the content of the posts. The Court distinguished the case from the earlier Cubby v. Compuserve decision, which found that Compuserve was subject to the standards of a bookstore or library. It that case, the US District court ruled that Compuserve had no editorial control over the text. According to the New York state court:

In contrast, here Prodigy has virtually created an editorial staff of Board Leaders who have the ability to continually monitor incoming transmissions and in fact do spend time censoring notes. Indeed, it could be said that Prodigy's current system of automatic scanning, guidelines, and Board Leaders may have a chilling effect on freedom of communications in Cyberspace, and it appears that this chilling effect is exactly what Prodigy wants, but for the legal liability that attaches to such censorship.

Let it be clear that this court is in full agreement with Cubby and Auvil. Computer bulletin boards should generally be regarded in the same context as bookstores, libraries and network affiliates...It is Prodigy's own policies, technology and staffing decisions which have altered the scenario and mandated the finding that it is a publisher.

The court also attempted to downplay the significance of its decision on the greater area of electronic networks:

Prodigy's conscious choice, to gain the benefits of editorial control, has opened it up to greater liability that Compuserve and other computer networks that make no such choice. For the record, the fear that this Court's finding of publisher status for Prodigy will compel all computer networks to abdicate control of their bulletin boards, incorrectly presumes that the market will refuse to compensate a network for its increased control and the resulting increased exposure.

The Court also found that the volunteer "Board Leader" of the Prodigy Bulletin Board was acting as an agent of the company. The Court found Prodigy exercised control over the Board Leaders though the the Bulletin Board Leader Agreement and the actions of Prodigy's employees.

Prodigy has said that it will consider appealing the decision. EPIC has materials on free speech available at http://epic.org/free_speech/ We will be making a copy of the decision available in the next few days.

David Banisar Electronic Privacy Information Center 666 Pennsylvania Ave,
SE, Suite 301 Washington, DC 20003 202-544-9240 HTTP://epic.digicash.com/epic


Stuyvesant High School Hackers

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>

29 May 95 15:38:14 EDT

From the Associated Press news wire via CompuServe's Executive News Service:

Hacker High, by RAYNER PIKE, Associated Press Writer

NEW YORK (AP) -- Some of New York's best and brightest set out to show that they can rush in where high schoolers are not supposed to tread -- the computer systems of Ivy League colleges. They succeeded. Their principal was not amused. Their victims were not impressed. The systems of Columbia and Princeton, as well as Bucknell University, were targeted by hackers from the elite Stuyvesant High School.

Key points:

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)


J. Schwartz on Decency and Democracy

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>

30 May 95 14:47:07 EDT

From the Washington Post news wire via CompuServe's Executive News Service:

WP 05/29 NETWORKINGS

Making the On-Line Community Safe for Decency -- and Democracy
By John Schwartz
Washington Post Staff Writer

Sen. James Exon sounds for all the world like a man who's ready to make a deal. Sitting in his Capitol office, the Nebraska Democrat puffs amiably on his pipe and discusses the bill that has made him anathema to many people in the on-line community, the Communications Decency Act.

Exon's bill, part of the Senate version of a broad telecommunications bill, would impose jail terms and fines on those who create or solicit on-line material that is deemed "obscene, lewd, lascivious, filthy, or indecent."

Key points:

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)


Defamation by BBS

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>

30 May 95 14:47:33 EDT

[An example of Level I Information Warfare]

From the Australian Associated Press news wire via CompuServe's Executive News Service:

AAP 05/25 1443 QLD: CALL FOR CONTROLS ON DEFAMATION SUPERHIGHWAY

BRISBANE, May 25 AAP - A Labor MP whose name and address were posted on a computer billboard as the contact for buying stolen telephone cards, today urged the federal government to legislate to prevent high tech defamation.

MP Stephen Robertson was cleared of all wrong-doing or involvement in the scandal after investigation by the Criminal Justice Commission. The MP may nonetheless have suffered damage to his reputation.

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)


Defying pitfalls of a cashless society

Brian Randell <Brian.Randell@newcastle.ac.uk>

Tue, 30 May 1995 16:55:55 +0100

Defying pitfalls of a cashless society
Victor Keegan (The Guardian, Economics Notebook, 30 May 1995)

The kingdom of cash is starting to be attacked in a pincer movement: from in front, by electronic, or digital, cash, and from behind, by the growing popularity of the barter system Letts - artificial local currencies (rather like a baby-sitting points system), which people use instead of real money to pay each other for services rendered. [...]

The world's central banks -- including the Bank of England -- are beginning to wake up to the fact that digital money could pose a threat to their hegemony. This is particularly true of the so-called "electronic purses" (like Mondex, which Midland Bank and others are pioneering) and, much more so, the digital (and untraceable) cash being-pioneered by DigiCash, the Amsterdam-based company. [...] As long as these are issued by banks-like Midland's Mondex-then it is nothing more than another bank deposit, albeit in electronic form. [...]

Central banks have been sufficiently worried about the provision of electronic purses getting into the wrong hands to set up a working group of the European Monetary Institute. The conclusion was predictable: they are all right-so long as they are restricted to approved credit institutions (that is, banks), so that they can be properly monitored.

Enter DigiCash, whose founder, the proselytising David Chaum, wants to create a digital system which could assume a life of its own. He has even patented a process whereby a bank or a company could validate a secret number which could be used as a unit of currency even though the issuing authority could not trace it.

The place just waiting for such anonymous digital money (which would also be rather useful for kidnappers and launderers of drug money) is the Internet, the worldwide electronic cobweb of computer data bases. [...]

Should the Net be provided with its own currency, it would suddenly become not only a global market place, but a virtual economy as well. It could become the first economy without a government or even a central bank at the centre. But if there is no government, no one will pay taxes. [...]

We are not talking science fiction. Mr Chaum has already distributed a million digitised dollars to 5,000 pioneers taking part in a trial. Their Cybercash can be spent purchasing goods and services from 50 companies taking part in the trial.

At the other end of the scale, the growth of Lett schemes is not yet a problem, if only because most of the schemes are small-scale and the people involved are probably earning below the threshold at which they would be required to pay tax. In a typical scheme one member might help another build a wall, thereby earning himself currency points, to be exchanged for work by someone else or for buying goods.

If such a scheme went nationwide and electronic (so that the participants carried their points on a micro-chip on a plastic card), this could quickly evolve into electronic money effectively outside the control of the banking system and on which the participants would be reluctant to pay tax. The transactions might even take place through the Internet.

Of course, central banks will move quickly if they feel their supervisory role and their divine right to print money is being challenged. The point is that the financial world is moving into uncharted waters. The change could be as far-reaching as the transition from metals to money in the last century.

[What I found interesting was the way this article tied together (hi-tech) developments related to digital cash and the rise in popularity, at least here in the UK, of (typically low-tech) barter schemes. BR]

Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne,
NE1 7RU, UK Brian.Randell@newcastle.ac.uk +44 191 222 7923


Flightdeck automation problems

Kenneth Funk <funkk@ENGR.ORST.EDU>

Fri, 19 May 1995 11:09:47 -0700 (PDT)

With a grant from the US Federal Aviation Administration, scientists at Oregon State University, America West Airlines, and Honeywell have compiled over 2,300 citations of perceived problems with and concerns about commercial transport aircraft flightdeck automation. These citations are summarized in a paper available by anonymous FTP from engr.orst.edu. The paper (in ASCII) is in /pub/funkk/problems.txt.

Ken Funk, Asst. Prof., Ind. & Mfg. Engr., Oregon State Univ., Corvallis, OR 97331 503-737-2357 funkk@engr.orst.edu FAX: 503-737-5241

[Also forwarded by horning@pa.dec.com (Jim Horning). PGN]


A slightly more global look at time and date issues

Robert J Horn <rjh@world.std.com>

Sat, 20 May 1995 21:01:45 +0059 (EDT)

The date/time discussion illustrates two more global risks related issues.

  1. There is a risk from overconfidence and lack of proper analysis when the subject matter is something you have known "completely" since childhood. People often get very excited or upset when they realize that there is significant hidden complexity. Most of us have achieved our full understanding of time by the age of ten. It has no more mysteries (except perhaps time zones). Discovering just how much more there is to time and its measurement is a surprise.

    QUIZ: For a more timely example than 18th century calendars, when does Sunday become Monday? (See below)

  2. There is a significant misunderstanding around the relative merits of integer vs floating point notation in general.

    If your real world process can be represented as a finite field mapped onto the integers, then you can eliminate concerns regarding representation error. This makes an integer representation attractive because it reduces your error analysis problem to:

    1. Prove that the finite field mapping is correct.

      If your application involves division, you don't have a finite field. You also better be sure that the finite field mapping is understood the same way by all involved. It can be a big problem if well into your project you discover that you need additional resolution. So don't skip this step.

    2. Analyze the error characteristics of your algorithms in the confident knowledge that the errors have been reduced to:

      initial error = measurement error, and results error = numerically propagated measurement errors.

    Lots of people seem to think that you can skip the numerical analysis just because your operations are on a finite field. This is not the case. Measurement error is still present and it still propagates. I've seen too many instances where people omit the error analysis because "integer computations are error free". You may have a finite field, but measurement error must still be analyzed.

    Still, the analysis is simpler and integers are often an excellent representation for measured data.

    With floating point representation, you have different advantages:

    1. Much greater dynamic range
    2. Much more uniform error characteristics (always present, but lacking the sudden lurch that occurs when your finite field mapping fails.)
    3. The psychological pressure to analyze errors because some error is always present.
    The difficulty is that your error analysis is harder:

    initial error = measurement error + representation error results error = propagated measurement error + propagated representation error + representation error.

    This can be more work, although I have found that in most real world situations the measurement errors have dominated. Usually I could completely ignore representation error because the measurement errors were orders of magnitude larger.

Oh, and the answer to the quiz:

It depends upon what part of the world you are in. In some areas, the day ends at sunset. So during some parts of the year, 1730 (local) Sunday occurs before 1800 (local) Sunday, and in other parts of the year it occurs after. And you need to know the latitude and longitude to figure out when sunset occurs. Is it any wonder that people who care about time quickly end up using UTC for everything. But this is a lurking trap for the unwary who want to make a properly internationalized application that allows the use of local time.

R Horn rjh@world.std.com


"Calling the Ahperator"

<Newman@europarc.xerox.com>

Mon, 22 May 1995 05:53:30 PDT

My attempts to reach the long-distance operator from my Washington DC hotel instead connected me to a voice-activated interface instructing me to say "Operator" to get through, but my British pronunciation clearly didn't sound right. I found I could get through with a phony American "ahperader" but only on the second attempt, the first attempt always getting a lengthy recorded apology and a repeat of the (even lengthier) instructions. Out of frustration, I resorted to dialling the number direct, for which my hotel charged me $95 for a call that would otherwise have cost $52.

It seems strange to require long-distance callers from DC hotels, many of whom are presumably foreigners trying to reach overseas, to speak with an American accent. No alternative means of reaching the operator is offered, and this could be a source of risk in emergency situations. When I got through to the supervisor to point this out, she agreed, but said, "You could have dialled zero instead." Why didn't I think of trying this? But the recorded instructions say nothing about this option.

William Newman newman@europarc.xerox.com


Denial of Service attack on ISP

Simon Lyall <simon@darkmere.midland.co.nz>

Tue, 23 May 95 09:11 NZST

The following was posted to a Local (New Zealand) group. Both iprolink and Cybernet are ISP's servicing the Auckland market and targetting similar customers. Cybernet was in the papers a few weeks ago after someone there NFS mounted a disk (read & write) at Auckland University (This disk included /bin directories according to some reports). The mserve machine is the workstation of a Cybernet staff member.

From: Craig Anderson <craig@iprolink.co.nz>
Newsgroups: nz.netstatus
Subject: Network Attack Mars Internet Show
Date: 22 May 1995 13:51:29 GMT
Organization: Internet ProLink NZ, Auckland

Last week (15-20 May) Internet ProLink NZ, along with InfoTech Weekly, TUANZ, Megascreen, Atrium on Elliott, and Dymocks, sponsored a week long series of free Internet demonstrations at the Atrium in Auckland.

The event was marred by an attack on our system during the first three days of the show. The intent appears to have been to deny us the use of our Internet connection during the show.

This posting should serve as a warning to system administrators. Note that eliminating these types of attacks requires filtering at the site to whom you are connected, and that similar attacks with the traffic destined to routers can be difficult to monitor.

Monday:
Thousands of ICMP echo packets each minute from 202.36.227.10 (mserve.cybernet.co.nz) saturate our link in both directions. These high priority packets almost completely prevent us from using our link at all.

The packets initially were sent to iprolink.co.nz, but later to router1.iprolink.co.nz.

The attack lasted approximately two hours from about 2:15 pm and stopped when we unplugged our link for several minutes.

Tuesday:
ICMP packets sent to our router again completely saturate our link. Attack begins around noon and ends when the University of Auckland temporarily disconnects Cybernet's link.

Wednesday:
TCP packets (again from mserve.cybernet.co.nz) were sent to ports 7, 8, 2, 3, 4, 5, 6, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, and finally port 19 on iprolink.co.nz, where our outbound link was saturated with traffic for more than one hour. No further attacks were seen after Cybernet was contacted by the University of Auckland.

Our apologies to those who turned up for the show during these attacks only to find that the Internet link was too slow to be used.

Thanks to the University of Auckland Computer Center staff who did a tremendous job in helping to monitor and stop this attack.

-Craig


Drug-Addicted Geniuses Built Cyberspace

Daniel Frankowski <dfrankow@winternet.com>

Mon, 22 May 1995 17:49:15 -0500 (CDT)

I have the pleasure of presenting one of the most absurd claims I've read in the mainstream press in a long time.

In the Minneapolis Star Tribune, Monday, May 22, 1995, on page 10A, yet another inflammatory article about the Internet appeared, titled ``Cyberstoned''. The article is adapted from Boston Magazine, written by Stephen Rodrick at Boston Magazine and Vladimir Edelman, a Boston-based freelance writer.

The point of the article was that there is drug dealing on the net, and that there are net-specific problems for law enforcement. I agreed with parts of the article, e.g. that law enforcement needs to learn about the net, that freedom of information and anonymity make law enforcement more difficult, etc. The writers give away their position when they report that ``after Internet zealots howled about the loss of privacy, the fate of the Clipper chip remains in doubt,'' but I forgive them.

Then they make an absurd pronouncement backed up by scant evidence:

In fact, much of the cyberspace revolution of virtual reality, the Internet and other high-speed technology burst out of the minds of computer geniuses spaced out on drugs such as acid and ecstasy. In his book *Cyberia: Life in the Trenches of Hyperspace*, Douglas Rushkoff traces the creation of the drug culture's special place on the Internet.

`Developments in the computer industry and on the Internet are being made by the same people who made the counterculture of the '60s possible. Those willing to explore hallucinatory dreamlike realms that didn't exist before -- never-before-navigated turf of consciousness,' Rushkoff says.

I have a master's degree in computer science from the University of Minnesota, and I read newspapers with regularity if not often. I cannot recall a single story about the arrest for drug possession of a computer scientist familiar to me from their academic work. Abramson, Tannenbaum, Liskov, Stonebraker, Lazowska, not to mention my own professors and numerous others have all thus far managed to hide their dirty little secret.

The risks? Reporters who are not knowledgeable about computer science. This risk generalizes easily: lawyers who are not knowledgeable about computer science, patent clerks, politicians, bureaucrats, ..

If the two quoted paragraphs about "much of the cyberspace revolution" coming from druggies annoyed you as much as it did me, please email the Op-Ed page of the Minneapolis Star Tribune at opinion@startribune.com. Ptooie!

Dan Frankowski dfrankow@winternet.com http://www.winternet.com/~dfrankow


Re: Positive-Ion Dangers: Computers and stress / depression

"Lindsay F. Marshall" <Lindsay.Marshall@newcastle.ac.uk>

Mon, 22 May 95 09:58:43 0100

Using a negative ion source is definitely beneficial, however be careful. I cannot use an ioniser in my office as whenever it I switch it on I get SCSI errors that result in me not being able to access the external disc on my Sun. (Could this be a plot by intelligent silicon to keep the world depressed?)

Lindsay Dept. of Comp. Science, U of Newcastle, Newcastle upon Tyne, UK NE1 7RU UK +44-191-222-8267 http://catless.ncl.ac.uk/Lindsay.html

Re: Positive-Ion Dangers: Computers and stress / depression

"Jonathan I. Kamens" <jik@cam.ov.com>

Mon, 22 May 1995 14:18:31 -0400

It appears that PGN was duped in RISKS-17.14 by what one poster in news.admin.net-abuse.misc calls "the slow spammer." The user who submitted the message about "positive-ion dangers" was not doing it out of the goodness of his heart or because he felt it was an appropriate, current topic for RISKS. He was doing it, I believe, because he sells negative-ion emitters. He has been slowly spamming his message to many newsgroups for some time now.

Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com

[... and to think that all these years we have put up with SpammoVision. There is also some moron who has been spamming usenet readers of comp.risks. I have no control over that, but apologize anyway. PGN]

Please report problems with the web pages to the maintainer

Top