The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 13

Thursday 18 May 1995

Contents

o "Double your fun" (CA lottery woes)
Bruce Findlay
o AOL Used For Sting by Miami TV Station
David Tarabar
o Marketing use of medical DB
Mark Seecof
o Safeware: System Safety and Computers, Nancy Leveson
PGN
o Computers, Ethics, & Social Values, Johnson and Nissenbaum
PGN
o Building in Big Brother: The Cryptographic Policy Debate
Lance Hoffman
o Microsoft plans corporate espionage
Chris Norloff
o RISKS in Microsoft's Windows95
identity withheld
o Re: "Bob" passwords
Brian T. Schellenberger
o 30 February 1712
Tapani Tarvainen
o Re: Intuit's Macintax security lapse...
Don Faatz
o Re: "Nautilus foils wiretaps"
M. Vincent
o Re: Cellular disturbances
David Woolley
Frederick Roeber
o Re: Internet Addiction
Shawn Mamros
Rob Cunningham
o Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

"Double your fun" (CA lottery woes)

Bruce Findlay <brucef@teleport.com>
Tue, 16 May 1995 07:50:47 -0700

Excerpted from the local paper of record, the San Jose Mercury News
[probably on 15 May 1995, which is when a similar item appeared in the San Francisco Chronicle. PGN]:

Lottery computer gets ahead of itself

California Lottery officials scrambled Sunday to make amends for a computer glitch that unexpectedly halted sales three hours early for the weekend's $3 million jackpot. By mistake, the computer began issuing tickets for Wednesday's upcoming drawing instead - causing anger and confusion for lottery players and retailers around the state... Lottery officials decided Sunday that players affected by the mix-up will have their tickets honored in both contests... Lottery spokesman said an employee of Sacramento's GTECH, which runs the lottery computer, was conducting routine maintenance when he mistakenly entered a command that closed the draw pool for Saturday's drawing. ...it wasn't clear how many tickets were sold during the three hours but GTECH has promised to make up any losses to the state.

RISKS? Where do I start? Why was an employee able to disturb what is supposed to be an unriggable game? If GTECH does not know how many tickets were sold, how will the loss be made right? And since when does basic operator error mean the same thing as "computer glitch?"


AOL Used For Sting by Miami TV Station

David Tarabar <dtarabar@hstbme.mit.edu>
Tue, 16 May 95 11:23:26 -0400

A Miami TV Station (WPLG) set up a sting operation on America Online that resulted in the resignation of a VP at the Denver Post.

In an attempt to show how easily strangers can approach unsupervised children on online services, the TV station created an AOL user that pretended to be a 13 year old boy. A birthdate was clearly listed in a user profile and the 'boy' spoke like a 13 year old who liked swimming and skateboarding.

A user named 'Ken4boys' spoke with this 'boy' in private chats and said that he would be coming to Florida soon, and asked, "How about a hot-oil massage from an older guy". Ken4boys did meet an actor at an agreed upon place, but within seconds found himself facing a TV camera and an investigative reporter. When this news story made its way back to Denver, Ken resigned his position as VP of Marketing at the Denver Post.

The anonymity of online personas seems a major risk here for all involved. The TV station was being fraudulent in its attempt to get a juicy sweeps week story. Still it is worrisome that they were able to find someone who appeared to use AOL to spice up his business trips. 'Ken4boys' also learned the danger of anonymity, but it is difficult to feel sympathy for him. I have been skeptical about the 'PCs are a danger to your kids' stories on local news, but this is an impressive example.

I don't think that AOL is too happy about any aspect of this.


Marketing use of medical DB

Mark Seecof <marks@news.latimes.com>
Thu, 11 May 1995 14:28:00 -0700

Under the headline "Eli Lilly Plans to Use PCS Unit's Database to Boost Drug Sales" the Wall Street Journal reported on page B6, May 11, 1995 that: "Eli Lilly & Co. sees big opportunities for expanding use of its Prozac antidepressant and other drugs by exploring the patient database it acquired with its $4 billion purchase of PCS Health Systems."

(Errors in the summary here may be Mark Seecof's fault). Lilly's CEO Randall L. Tobias said that patients, as well as Lilly, would benefit from Lilly's trolling the PCS database of prescriptions for 56 million patients to find (a) patients whose prescriptions suggest that they may suffer from depression manifested as several other minor illnesses--Lilly will try to get doctors to prescribe Prozac for those patients; (b) patients who may be taking inadvisable combinations of drugs--Lilly will warn its pharmacists or doctors; (c) drug-treated diabetic patients who might be persuaded to take to Lilly's Humulin insulin product.

(The story DOESN'T say) Lilly may find other ways to exploit the prescription billing data. For example, Lilly could use it to monitor other firms' pricing strategies. Or Lilly could match the data with other data--for example, Lilly could match prescription billing info against credit report or insurance (MIB) data then sell derivative information to people. (How many landlords will rent to tenants who have prescriptions for AZT?)

Various privacy laws may restrict some of the possible uses of the data. But none of them will protect the people whose medical condition can be estimated from the record of the drugs prescribed for them from unscrupulous marketers at Lilly or even faithless clerks at Lilly willing to take bribes from, say, skip tracers. I think that Lilly's plan to push Prozac on people with "backaches and sleeplessness" (direct quote from Tobias) is unethical and risky.

Mark Seecof <marks@latimes.com>

Safeware: System Safety and Computers, Nancy Leveson

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 17 May 95 19:10:38 PDT

If you have ever been seriously concerned with developing systems that must satisfy stringent safety requirements, or expect to be sometime in the future, you MUST read this book. Just published, it is immediately the definitive work on software safety, and has a system perspective that is really important. After careful consideration of the fundamentals, requirements analysis, hazard analysis (including models and techniques), and human interfaces are examined with loving care. Many cases familiar to RISKS readers (Therac-25, Apollo 13, the Challenger, Bhopal, Three Mile Island, Chernobyl, and others) are treated in considerable detail in the appendices, and much new information is revealed. The book is useful as a course text and as a guidebook for safety engineers. And it all fits in 680+xvii pp. Your Risks Moderator says check it out.

Author = {Nancy G. Leveson},
Title = {Safeware: System Safety and Computers},
Publisher = {Addison Wesley, Reading, Mass 01867-3999},
Year = {1995},
Note = {ISBN 0-201-11972-2}


Computers, Ethics, & Social Values, Johnson and Nissenbaum

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 17 May 95 18:58:16 PDT

Deborah G. Johnson and Helen Nissenbaum have come up with a superb book, collected from a bunch of friends and colleagues with long experience and interesting views on the titled subject. This book is absolutely essential for anyone concerned with ethical issues related to the use of computers, and should also be read by anyone not clear on the issues. I won't list all the chapters and contributors, but it is a fine selection.

Author = {Deborah G. Johnson and Helen Nissenbaum},
Title = {Computers, Ethics, & Social Values},
Publisher = {Prentice Hall, Englewood Cliffs, NJ 07632},
Year = {1995},
Note = {ISBN 0-13-103110-4}


Building in Big Brother: The Cryptographic Policy Debate

"Lance J. Hoffman" <hoffman@seas.gwu.edu>
Thu, 18 May 1995 04:48:10 -0400 (EDT)

A collection of readings with commentary by Prof. Lance J. Hoffman (The George Washington University) has now been published by Springer Verlag.

From a publisher's blurb:

"...This book presents the best readings on cryptographic policy and current cryptography trends. ... Detailed technological descriptions of promising new software schemes are included as well as analysis of the constitutional issues by legal scholars. Important government cost analyses appear here for the first time in any book. Other highlights include the text of the new US digital telephony law and the pending encryption regulation bill and a list of hundreds of cryptographic products available around the world. There is even a paper on how to commit the perfect crime electronically, using public key encryption."

Much more detailed information and a table of contents is available by pointing your Web browser to

http://www.seas.gwu.edu/seas/instctsp/docs/book

560 pages, 19 illustrations, softcover $29.95 ISBN 0-387-94441-9

Call 1-800-SPRINGER to order, email orders to orders@springer-ny.com

Professor Lance J. Hoffman, Dept of Elec Eng and Comp Sci, The Geo Washington U, 801 22nd St NW, Wash DC 20052 (202) 994-4955

Microsoft plans corporate espionage

<cnorloff@tecnet1.jcte.jcs.mil>
Wed, 17 May 95 13:44:40 EDT

Microsoft officials confirm that beta versions of Windows 95 include a small viral routine called Registration Wizard. It interrogates every system on a network gathering intelligence on what software is being run on which machine. It then creates a complete listing of both Microsoft's and competitors' products by machine, which it reports to Microsoft when customers sign up for Microsoft's Network Services, due for launch later this year.

"In Short" column, page 88, _Information Week_ magazine, May 22, 1995

The implications of this action, and the attitude of Microsoft to plan such action, beggars the imagination.

Chris Norloff cnorloff@tecnet1.jcte.jcs.mil
[Also reported by jyoull@cs.bgsu.edu (Jim) and herzog@uask4it.eng.sun.com (Brian Herzog - Sun Microsystems, Inc.). The following analysis was also sent to RISKS by a contributor who requested anonymity. PGN]

RISKS in Microsoft's Windows95

<[identity withheld at submitter's request]>
Wed, 17 May 95 12:22 xxT

Sometime in the latter part of the summer, Microsoft is planning to release their Windows95 follow-on for Windows 3.1 to the masses. Whether the effort required to keep things working after installing the release vs. the perceived benefits of Win95 makes the installation a sensible decision is quite an open question. Reports from beta testers are indicating that even for Windows experts, getting their system running again after the upgrade can be a bad experience, given the wide variety of complex hardware, drivers, and other components that have been integrated into Windows 3.1 environments over the years.

For Windows users who are less than experts, the problems risk being even more serious, with various applications (or even entire systems) effectively useless without various "tweaks", fixes, new drivers, new software, etc. In other words, the backwards compatibility of Win95 in the real world of people's existing Windows 3.1 installations should be an issue of grave concern, especially among users concerned about prolonged downtime.

We may be reaching a stage where the sheer complexity of PC application software and hardware is making the entire concept of major operating system upgrades being installed successfully by average users extremely problematical. It seems very likely that large numbers of Windows 3.1 users will (or at least should) be extremely cautious about being an early adopter of Win95.

By the way, here's a new feature announced for Win95 that carries new RISKS of its own. Called "AutoPlay" it is apparently a feature of the Win95 CD-ROM driver that allows CD-ROM authors to create a special init file on the disc that will automatically start running programs from the disc as soon as a disc is inserted into the CD-ROM drive. From the descriptions available so far, there doesn't seem to be a system-wide way to disable such a feature, you have to remember to hold down the shift key on your keyboard while inserting the disc to disable it for that particular insertion (apparently folks with remote keyboards might just be out of luck!)

What sorts of harm could come from autoloading of CD-ROMs? Outside of the obvious malicious applications (don't laugh, CD-ROMs are getting so cheap to produce that all manner of nasties could be planted on purpose or by accident), there's the obvious problem that most PC CD-ROM applications need considerable software and disk support, often involving significant use of disk space, changes to system-wide configuration and other driver data, etc. It is not unusual for these changes to conflict in some manner with other programs and installations, needing manual intervention. At least when you do the installation manually you can stop, look for README files, etc. before starting the guts of the install, but if the CD-ROM fires off on its own there's no telling what might happen.

True, a reasonable CD-ROM author would query the user about this process rather than running off and starting the install without user input, but it's probable that many authors who want things to look "slick" won't bother with this. In fact, Microsoft seems to be encouraging the "slick" attitude in their description of this feature.

Another point. You're about to start seeing music CDs that carry CD-ROM programs and data on the initial part of the disc before music track 1. If such discs tried to make use of the Win95 AutoPlay feature, an unsuspecting user who stuck the music disc into his or her CD-ROM player planning to hear only music (lots of PC users play music CDs on their CD-ROM drives these days) could end up getting a lot more than bargained for.


Re: "Bob" passwords (Epstein, RISKS-17.12)

Brian T. Schellenberger <bts@unx.sas.com>
Tue, 16 May 1995 13:36:02 GMT

|if you mistype your password three times in a row, it concludes that you've
|forgotten it, and asks if you want to change it.

It's easy to make fun of this scheme, but *I* think it's a pretty good approach. This is equivalent of the foil on your vitamins: Not tamperproof protection, but tamper-*evident* protection.

This avoids the problems of users who aren't accustomed to passwords forgetting them and getting locked out, saving Microsoft technical support a lot of hassle. It is intended for home computers, which as a rule are not widely accessible to the public, and don't have any password protection currently. And it's part of a program whose "job" is not security, but user assistance; it would be inappropriate to add security in such a program that might lock people out of their computer.

On the other hand, a scheme that makes it evident if somebody has been mucking around on the computer is a handy feature, and that's just what has been achieved here. (Whether or not the product manager and/or development team realizes it.)

I think there is a RISK in assuming that all security must be maximal.

(Not to downplay the RISK in not advertising this for what it is, if that's what Microsoft is doing.)

Brian T. Schellenberger SAS Institute Inc. R2266 919-677-8000 x7783
[It also provides a seeming denial of service opportunity, enabling an attacker to change EVERYONE's password. But then even that would not matter. This is almost as good as having NO passwords. Chances are no one would ever bother to look at the audit trail anyway, because in the absence of meaningful authentication, the accountability is next to worthless. PGN]

30 February 1712 (Re: Wicklund, RISKS-17.12)

Tapani Tarvainen <tt@tarzan.math.jyu.fi>
14 May 1995 17:42:30 GMT

>There's an additional risk from the fact that different nations
>switched calendars at different times.

Indeed. Sweden adopted the leap-year rule of the Gregorian calendar in 1700, making it a non-leap year, but without adjusting the calendar otherwise, so that after that Sweden was out of sync with both Julian and Gregorian calendars. After a while they discovered it was not such a great idea, and in 1712 Sweden moved back to Julian calendar by adding an extra day to February, resulting in the unusual date of 30 February 1712. One should be careful in rejecting "impossible" dates...

Tapani Tarvainen
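
The date-validation pitfall described in the post above, as an added example that is not part of the original post: a validator built on a proleptic Gregorian library rejects 30 February 1712, while a calendar-aware check accepts it and maps it to the same day as 29 February 1712 (Julian). The calendar names, function names and the 1 March 1700 start of the Swedish span are this example's own modelling.

```python
from datetime import date

DAYS = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
CALENDARS = ("julian", "gregorian", "swedish")
# Span in which Sweden ran its own calendar (modelling used by this example).
SWEDISH_FIRST, SWEDISH_LAST = (1700, 3, 1), (1712, 2, 30)


def naive_is_valid(y, m, d):
    """What most validators do: defer to a proleptic Gregorian library."""
    try:
        date(y, m, d)
        return True
    except ValueError:
        return False


def is_leap(y, calendar):
    if calendar == "gregorian":
        return y % 4 == 0 and (y % 100 != 0 or y % 400 == 0)
    return y % 4 == 0  # Julian rule; also holds for Swedish 1704, 1708, 1712


def days_in_month(y, m, calendar):
    if m == 2:
        if calendar == "swedish" and y == 1712:
            return 30  # the extra day that moved Sweden back to Julian
        return 29 if is_leap(y, calendar) else 28
    return DAYS[m - 1]


def is_valid(y, m, d, calendar):
    """Validate a date against the calendar the record was written in."""
    if calendar not in CALENDARS:
        raise ValueError("unknown calendar: %r" % (calendar,))
    if not 1 <= m <= 12:
        return False
    if calendar == "swedish" and not SWEDISH_FIRST <= (y, m, d) <= SWEDISH_LAST:
        return False
    return 1 <= d <= days_in_month(y, m, calendar)


def to_jdn(y, m, d, calendar):
    """Julian Day Number, so dates from different calendars can be compared."""
    if not is_valid(y, m, d, calendar):
        raise ValueError("not a date in the %s calendar" % calendar)
    a = (14 - m) // 12
    yy = y + 4800 - a
    mm = m + 12 * a - 3
    base = d + (153 * mm + 2) // 5 + 365 * yy + yy // 4
    if calendar == "gregorian":
        return base - yy // 100 + yy // 400 - 32045
    jdn = base - 32083  # Julian calendar
    # The Swedish calendar ran one day ahead of the Julian one.
    return jdn - 1 if calendar == "swedish" else jdn


if __name__ == "__main__":
    print("naive check accepts 1712-02-30:", naive_is_valid(1712, 2, 30))
    print("swedish check accepts it:     ", is_valid(1712, 2, 30, "swedish"))
    print("JDN:", to_jdn(1712, 2, 30, "swedish"))
```

Storing the source calendar alongside the date, and comparing on the day number, avoids both rejecting a genuine record and silently mis-ordering events recorded under different calendars.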

Re: Intuit's Macintax security lapse...

Don Faatz <don_faatz@rpi.edu>
10 May 1995 01:11:42 GMT

Unfortunately, it doesn't take a software screw-up to mess up electronic income taxes.

My boss has had a Compuserve account for a few years. Each year at tax time, he receives several people's tax returns in his Compuserve e-mail. His Compuserve E-mail address is one character different than the address of some company that offers an electronic filing service via Compuserve.

He has contacted both Compuserve and the vendor - neither were interested in trying to solve the problem.

The returns are encrypted in some way ...


Re: "Nautilus foils wiretaps" (Garfinkel, RISKS-17.12)

"(aardvark)" <M.Vincent@queens-belfast.ac.uk>
Tue, 16 May 1995 11:01:57 +0100 (BST)

Simson points out that the software is only available to the US. Now I may not be the cleverest person in Europe, but I do have an account on a FreeNet site in the US which for the moment will remain nameless. Now really, what is to prevent me downloading nautilus to my free-net and from thence to home.

Note that I am NOT indicating that I am about to do this, but it's a valid RISK - isn't it!

Malcolm Vincent (m.vincent@qub.ac.uk)

Re: Cellular disturbances (Lif, RISKS-17.12)

David Woolley <david@djwhome.demon.co.uk>
Wed, 17 May 95 23:53 BST

>The new (European) digital "GSM" cellular standard produces lots of
>interference as can be heard on any radio or even HiFi amplifier

The risks here are of confusing the behaviour of faulty equipment of one type with there being a fault in another piece of equipment, and of generalising that to the behaviour of faulty equipment of a third type. Also there is a risk of only seeing one side of a two sided problem.

The fault resulting in the "interference" here is in the amplifier, which is acting as a radio receiver, or the radio receiver which is receiving on a completely wrong frequency. (The chances are that the radio isn't even receiving the interfering signal through its aerial.) The transmitter can be transmitting a signal which is perfectly contained within its allocated band, and still generate this effect.

A lot of modern electronics could be made radio immune, but isn't, to save a small fraction on the price. The complex digital logic in a GSM mobile is immune to its signals from only a few inches away.

The generalisation is the assumption that audio frequency interference in an AC coupled device will have the same impact on a DC coupled device working at 1000s of times the frequency. In fact, a radio signal which produced no audible effect at all, might still cause misoperation of a computer.

The other side of the coin is that computers which are susceptible to radio transmissions, are usually very good radio transmitters themselves. Even PCs, which are designed for domestic use, can cause severe interference to shortwave receivers, which cannot be cured by modifications to the receiver (remote aerials apart). The Sun in this case, probably wasn't designed to the same standard, so would generate even more interference.

It is possible that GSM transmissions are more likely to jam susceptible electronics, but this is not directly related to the audible effect on faulty amplifiers, but might be the result of using higher peak powers, although both may be the consequence of using time division multiplexing.

David Woolley, London, England david@djwhome.demon.co.uk

Re: Cellular disturbances (Lif, RISKS-17.12)

<roeber@cern.ch>
Mon, 15 May 1995 21:53:09 +0200

Oh, wonderful! At CERN we're replacing our beeper system with GSM phones. This has some nice side effects, especially when you drive in merely to discover a machine needs rebooting.

But of course, most of the folks with beepers or phones are going to be the ones on piquet duty -- the ones who have to go in and fix the balky computers, networks, delicate equipment, or (best of all) those enormous, incredibly sensitive, bleeding-edge particle detectors.

And of course there's always some idiot who calls you up half an hour into a tricky procedure to ask, "How's it going?"

"Well, it *was* going great, but now that you ask..."

Frederick Roeber roeber@cern.ch

Re: Internet Addiction (Goldberg, RISKS-17.12)

Shawn Mamros <mamros@ftp.com>
Sun, 14 May 95 20:50:45 EDT

If one admits to the existence of "Internet addiction" as a real problem (and it very well might be for some people), it would seem to me that putting together a support group using an *Internet mailing list* (thus encouraging continued use of the 'net, as opposed to therapy involving spending time *away* from the 'net) would be precisely the *wrong* way to help these people out...

-Shawn Mamros mamros@ftp.com

Re: Internet Addiction (Goldberg, RISKS-17.12)

<rkc@xn.ll.mit.edu>
Mon, 15 May 95 09:28:10 EDT

In the most recent RISKS-17.12, Dr. Ivan Goldberg helpfully announced a support group for Internet Addiction. Am I the only one who finds it ironic that one needs access to the Internet to participate in this support group? It seems that even if this group is successful in reducing other Internet use, the user will continue to use the Internet via e-mail to this account.

Is this similar to announcing a support group that gets together to drink beers and discuss their addiction to alcohol?

-Rob
[merlyn@stonehenge.com (Randal L. Schwartz) and "F. Barry Mulligan" <MULLIGAN@ACM.ORG> both likened it to holding an AA meeting in a bar. PGN]
