Electronic Engineering Times, 14 Aug 95, has an article entitled "Neural VOR predicts illness." According to the article, "A complete model of the vestibular-ocular reflex (VOR) was demonstrated here at the World Congress on Neural Networks. The neural-network-based model accurately mimics not only the behavior of a VOR but the abnormal behavior of damaged VORs. Separately, the author estimates that at least two months' exposure to inaccurate virtual-reality simulations could damage healthy VORs."
Choose your interpretation... does this highlight a RISK of virtual reality, or a RISK of drawing real-world conclusions from computer modelling?

Daniel P. B. Smith
An article in the _Boston Globe_ 8 Sept 1995 mentioned that some Sony miniature satellite dishes have a problem, the nature of which is that the screen freezes and the audio drops for a second or two. What raised my eyebrows was a comment by a Sony official that the company is investigating the possibility of downloading a fix into the dishes (the problem is apparently software in nature, with the result being that the tuner doesn't lock properly). This would require no action on the part of users, and the TV set (in the words of the article) would not need to be on when the fix was downloaded for it to have effect.
If the official knew that this kind of remote reprogramming facility exists (as opposed to this person being a PR flack just blowing smoke), well, the possibilities may be left to the imaginations of my fellow RISKS readers.

Robert Krawitz, Member of the League for Programming Freedom
The following extract is from an advertisement for a program called WDPass:
Never lose your passwords again. For many organisations the major deterrent to using the security features in programs such as WordPerfect and Lotus 1-2-3 is the fear of rendering crucial files inaccessible by losing or forgetting passwords. It is logical to have an immediate solution to recovering passwords and enhancing security.
WDPass can immediately recover lost passwords and thus access locked files, allowing users to feel secure in using passwords to lock confidential files.
[Ingram Micro Services advertisement in September 1995 issue of Connectivity (a newsletter published by the PC User Group)]
The program claims to work for a variety of WordPerfect, Microsoft, Lotus and Borland file formats. I find it hard to believe that anyone could read this advert and think that buying a program that breaks the passwords on all of their files will make the confidentiality of their data more secure, but the risk is that out there are some senior executives gullible enough to think that this allows them to rely entirely on password protection of documents instead of more traditional locks and keys.

Duncan Booth, RCP Consultants Ltd, Didcot, OXON UK
If you're returning a hard disk to a data recovery firm, do make sure the couriers don't wind up having their van hijacked...
dude://steev@Almathera.Ltd.UK. Netsurf & Opticality. email@example.com http://www.thenet.co.uk/~almat/ [ photogenics ] [ windows '95 companion ]
[Yes, in case you are wondering. It REALLY happened. The details are being withheld because of forensics and legal processes. Stay tuned. Maybe we will hear some more later. PGN]
A strange virus is invading documents created with Microsoft's popular Word program. While it doesn't destroy files or cause serious damage, it changes files into templates, which can then be awkward to work with or transfer. Microsoft is distributing a fix that gets rid of the virus and inoculates against future contamination, available through help lines or at http://www.microsoft.com. (Wall Street Journal 30 Aug 95 B2) Meanwhile, some would-be Windows 95 users are complaining that they get stuck after the first disk. A Microsoft spokeswoman says that a virus already on the users' computers is at fault: when it's activated by the first Windows 95 disk, it prevents any other disks from being installed. Details on how to fix the problem will be forthcoming, but meanwhile, users who install the program via floppy disk should use a virus checker to scan their systems first and set the write-protect tab on their program disks before installing them. (Houston Chronicle 31 Aug 95 C1)

Edupage is written by John Gehl & Suzanne Douglas
In regard to the recent postings on the Word.Macro/WinWord.Concept virus by Paul Ducklin, Gene Spafford and others, there are some related developments of note.
As the postings have said, the concept of macro or interpreted viral "programs" has been known, experimented with and theorized for some time. A major factor in the success of such a virus is a "critical mass" of compatible systems. For a time the Rexx language appeared to be poised on the brink of "success" as a cross platform macro environment, and currently there is interest in MIME (Multi-purpose Internet Mail Extensions). Neither of those systems, however, has yet become a major player.
By a quirk of chance I have recently reviewed a number of books on Microsoft's Visual Basic. All of them have mentioned Microsoft's move towards Visual Basic for Applications, or VBA. This is to be a fully compatible programming/scripting/macro environment replacing and augmenting the various macro functions in Microsoft products. Once VBA is implemented, a macro virus would not merely be able to spread from WinWord to MacWord documents, but to Excel, Access, FoxPro and a host of other applications as well. Indeed, from the information in the books, Microsoft is interested in licensing VBA to other developers for inclusion in non-MS applications.
Perhaps it's time to turn off the macro "autoload" capabilities in all your applications?
ROBERTS@decus.ca, Author, "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0
[Hey, folks, this is not really a virus. It is a Trojan horse, akin to the letter bombs of yore that contained squirreled nonprinting characters. As a reminder, we had a fine discussion in RISKS-16.55 and 56, begun by Mike Crawford, on the risks of Trojan horses in PostScript files. PGN]
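The preceding discussion turns on one property: a macro that runs by itself when a document is opened, and then installs itself into the global template so that every later document carries it. The following is an added example, not code from the digest or from any of its contributors, showing the check a defender would want before "turning off autoload" can be taken for granted: it scans a document's macro source for Word's auto-executing procedure names (AutoExec, AutoNew, AutoOpen, AutoClose, AutoExit are the real names) and for references to the global template. The macro source itself is a constructed sample, the template hints are assumed heuristics, and the verdict labels are this example's own.

```python
import re

# Word's auto-executing macro names (real Word names): these run without the
# user explicitly invoking a macro, which is exactly what a macro virus relies on.
AUTO_MACROS = {"autoexec", "autonew", "autoopen", "autoclose", "autoexit"}

# Heuristic substrings suggesting a macro writes into the global template.
# Assumption: plain substring matching is good enough for this illustration.
TEMPLATE_HINTS = ("normaltemplate", "macrocopy", "organizercopy")

# Matches "Sub Name(" / "Function Name(" with an optional Public/Private prefix.
PROC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_][A-Za-z0-9_]*)",
    re.IGNORECASE | re.MULTILINE,
)


def analyze_vba(source: str) -> dict:
    """Classify a document's macro source by auto-execution and template behaviour."""
    procs = PROC_RE.findall(source)
    auto = [p for p in procs if p.lower() in AUTO_MACROS]
    lowered = source.lower()
    hints = [h for h in TEMPLATE_HINTS if h in lowered]
    if auto and hints:
        verdict = "suspicious"   # runs on open AND touches the global template
    elif auto:
        verdict = "review"       # auto-executes, but no sign of self-installation
    else:
        verdict = "clean"        # nothing runs unless the user invokes it
    return {"procedures": procs, "auto_exec": auto,
            "template_hints": hints, "verdict": verdict}


# Constructed sample macro source; not taken from any real document.
SAMPLE_VBA = """\
Sub AutoOpen()
    ' runs as soon as the document is opened
    NormalTemplate.Saved = False
End Sub

Private Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""

# Constructed benign sample: a macro the user must run on purpose.
BENIGN_VBA = "Sub FormatReport()\n    Selection.Font.Bold = True\nEnd Sub\n"

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = analyze_vba(src)
        print(f"{label}: verdict={r['verdict']} auto_exec={r['auto_exec']} "
              f"template_hints={r['template_hints']}")
```

The point of the two-level verdict is that an auto-executing macro is not by itself malicious (many legitimate templates use AutoNew), whereas an auto-executing macro that also reaches for the global template is the signature of the replication mechanism described above and deserves a closer look.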
My colleague, Chuck Weinstock, recently reported to this forum a terrible accident that happened here in Pittsburgh, PA, regarding a head-on collision between two vehicles travelling in opposite directions on a high occupancy vehicle (HOV) lane. Several people were killed in this accident, and two individuals remain hospitalized. This HOV lane is supposedly only open in one direction at a time.
There are three new developments in this incident, according to last night's news:
For example, in the nuclear power industry, estimates of human error (as a percentage of system failures) range from twenty to sixty-five percent [Moray88]. Within a particular type of system, operating power plants, 15 to 30% of reported events occurring during operation involved a human error component [Griffon-Fouco87]. Of these events:
Taken from these prior studies, procedure following in a control room is still far from perfect reliability--human error can still occur. I hope that PennDoT does more than just add in switches to manually control the HOV lane, and also incorporates appropriate interlocks into their control room.
Griffon-Fouco, M., & Ghertman, F. (1987). Data Collection on Human Factors. In J. Rasmussen, K. Duncan, & J. Leplat (eds.), New Technology and Human Error [Chap. 18]. (B. Wilpert, Series Ed.) (New Technologies and Work). (pp. 193-207). Chichester, UK: John Wiley & Sons.
Meclot, B., & Griffon-Fouco, M. (1988). L'Analyse des Incidents et L'Interface Homme-Machine. In Man-Machine Interface in the Nuclear Industry [IEAE-CN-49/34]. Tokyo, Japan. (IAEA Proceedings Series). (pp. 51-60). Vienna, Austria: International Atomic Energy Agency.
Moray, N. P., & Huey, B. M. (eds). (1988). Human Factors Research and Nuclear Safety. Washington, D. C.: National Academy Press.

Bill Hefley - Senior MTS, Software Engineering Institute, Carnegie
[Note added on 8 Sept 1995: The fired worker has now been charged with involuntary manslaughter and faces as much as 31 years in prison. Not only did he open the gates in the wrong order, but he knew of the accident and failed to radio it in or offer assistance, his fire extinguisher, or any help. BH]
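The post above argues that manual switches alone are not enough and that the control room needs interlocks: constraints the system enforces regardless of what the operator intends to do. As an added example (not part of the digest, and not a model of PennDoT's actual equipment), here is a hypothetical controller for a reversible lane with one entry gate at each end. Two interlocks are assumed: an entry gate may open only while the opposite entry gate is closed, and changing direction requires an explicit "lane confirmed clear" step in between. Opening the gates in the wrong order is then refused rather than merely logged.

```python
class InterlockError(Exception):
    """Raised when a requested gate operation violates an interlock."""


class ReversibleLaneController:
    """Hypothetical controller for a reversible lane with one entry gate per end.

    Interlocks enforced on every request, whatever the operator intends:
      1. An entry gate may open only if the opposite entry gate is closed.
      2. Switching direction requires the lane to be confirmed clear (a sweep)
         after the old gate closes and before the new gate opens.
    """

    GATES = ("north_entry", "south_entry")

    def __init__(self):
        self.state = {g: "closed" for g in self.GATES}
        self.lane_clear = True      # no vehicle has entered since the last sweep
        self.last_open = None       # which direction the lane last served
        self.log = []               # audit trail of accepted and refused requests

    def _opposite(self, gate):
        return self.GATES[1 - self.GATES.index(gate)]

    def open_gate(self, gate):
        other = self._opposite(gate)
        if self.state[other] == "open":
            self.log.append(f"REFUSED open {gate}: {other} is open")
            raise InterlockError(f"{other} must be closed before {gate} opens")
        if gate != self.last_open and not self.lane_clear:
            self.log.append(f"REFUSED open {gate}: lane not confirmed clear")
            raise InterlockError("lane must be swept and confirmed clear first")
        self.state[gate] = "open"
        self.lane_clear = False
        self.last_open = gate
        self.log.append(f"opened {gate}")

    def close_gate(self, gate):
        self.state[gate] = "closed"
        self.log.append(f"closed {gate}")

    def confirm_lane_clear(self):
        if any(s == "open" for s in self.state.values()):
            raise InterlockError("cannot confirm clear while a gate is open")
        self.lane_clear = True
        self.log.append("lane confirmed clear")

    def reverse(self, from_gate, to_gate):
        """The only supported way to change direction: close, sweep, open."""
        self.close_gate(from_gate)
        self.confirm_lane_clear()
        self.open_gate(to_gate)


def wrong_order_is_refused():
    """Operator opens the opposite gate before closing the current one."""
    c = ReversibleLaneController()
    c.open_gate("north_entry")
    try:
        c.open_gate("south_entry")
    except InterlockError:
        return True
    return False


def skipped_sweep_is_refused():
    """Operator closes the old gate but skips the clear-lane confirmation."""
    c = ReversibleLaneController()
    c.open_gate("north_entry")
    c.close_gate("north_entry")
    try:
        c.open_gate("south_entry")
    except InterlockError:
        return True
    return False


def correct_reversal_succeeds():
    """The prescribed close / sweep / open sequence is accepted."""
    c = ReversibleLaneController()
    c.open_gate("north_entry")
    c.reverse("north_entry", "south_entry")
    return c.state == {"north_entry": "closed", "south_entry": "open"}


if __name__ == "__main__":
    print("wrong order refused:", wrong_order_is_refused())
    print("skipped sweep refused:", skipped_sweep_is_refused())
    print("correct reversal ok:", correct_reversal_succeeds())
```

The design choice worth noting is that `reverse()` is the only path that performs a direction change, and even it goes through the same `open_gate()` checks as a manual request, so a procedural error (or a procedure deliberately skipped) cannot produce the state the accident required.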
"Computers, Ethics & Social Values", Johnson/Nissenbaum, 1995, 0-13-103110-4
%A Deborah Johnson
%A Helen Nissenbaum
%C One Lake St., Upper Saddle River, NJ 07458
%I Prentice-Hall, Inc.
%O +1-201-236-7139 fax: +1-201-236-7131 email@example.com
%T "Computers, Ethics & Social Values"
Johnson's earlier book, "Computer Ethics" (cf. BKCMPETH.RVW), may be considered the preeminent work in the field. This collection of papers, co-edited with Nissenbaum, enhances, but does not extend, that prior work.
Ethical problems may be divided into a number of groups in the computer world. Three stand out in particular. Some dilemmas arise from a conflict of agreed "good" values. These are the situations described in moral scenarios: should the poor man steal the medicine necessary to cure his wife from the inventor who will not reduce his price? A second class have to do with unknown or unpredictable situations. In the non-computer world, an example would be megaprojects of unknown environmental impact. The third grouping would include situations where a vast majority hold to a certain standard of behaviour, while a minority act otherwise. Cults and certain brands of terrorism would fall into this category.
Most non-computer ethical discussion is directed at the first class of problems, and most works on morality in computing follow suit. The articles in this book go a bit further. Chapter five, and parts of six and seven, raise issues related to group two problems. The ethical analysis is, however, limited and tentative. The inclusion of articles by Stallman, and Dorothy Denning's interview with Frank Drake, would seem to be an attempt to discuss the third type of issues. The bulk of the work, though, speaks with a single voice from the position of conventional morality, yet fails to address realistically the problem of bringing outsiders into the fold.
The papers seem to have a fair distribution between academic and popular works. Be forewarned: some of the latter have a Saturday-magazine level of accuracy to the information. Non-American readers should note a heavy reliance on American case and constitutional law, although most discussions are sufficiently detailed as to raise common law issues.

copyright © Robert M. Slade, 1995 BKCMETSV.RVW 950609
Richard E. Sclove, _Democracy and Technology_ (New York: Guilford Press, 1995). Paperback ISBN 0-89862-861-X; hardcover ISBN 0-89862-860-1.
The book develops a constructive agenda for democratizing all domains of technology--ranging from household to workplace, government, urban infrastructure, medicine, farming, etc.
[For further information, contact Dick Sclove, Executive Director, The Loka Institute, P.O. Box 355, Amherst, MA 01004-0355, USA 413 253-2828; Fax 413 253-4942 firstname.lastname@example.org World Wide Web: http://www.amherst.edu/~loka/ or email@example.com. PGN]
Book: Software Assessment: Reliability, Safety, Testability
Authors: Michael A. Friedman & Jeffrey M. Voas
Publisher: John Wiley & Sons, New York (1-800-225-5945)
ISBN 0-471-01009-X; Hardbound, $54.95
Is software quality testing really effective or just a waste of time? The skeptics conclude that it is an exercise in futility to try to measure the reliability and safety of these complex systems under all critical circumstances. They contend that quality assurance comes only through a strict adherence to rigorous development process models. In this groundbreaking book, Michael Friedman and Jeffrey Voas dispel that myth. They demonstrate that extremely accurate, cost-effective software quality testing can now be a reality, thanks to powerful new analytical tools. Central to the approach outlined in Software Assessment is an assessment optimization technique called testability analysis. Pioneered at the College of William and Mary and NASA by Jeffrey Voas, testability analysis predicts the likelihood that latent bugs will be detected through testing. Because no test oracle is required, testability analysis can be automated. The book offers a balanced presentation of theory and practice. Featuring exhaustive coverage of the foundations of reliability, safety, and testability, it uses real-world examples, illustrations, and clear descriptions to explore all of the latest techniques for assessing those qualities.
1. The Balls and Urn View of Software Testing
2. The PIE Assessment Model of Software Testability I
3. The PIE Assessment Model of Software Testability II
4. Designing Toward the Tester's Utopia
5. Software Safety
6. Assessment of Safety-Critical Software Units
7. Software Reliability Modeling
8. Software Reliability Growth Modeling
9. System Modeling
10. Software Reliability Prediction, Allocation and Demonstration Testing
11. Generating Test Cases
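The blurb's central claim is that testability analysis can estimate how likely a latent fault at a given location is to show up in testing, and can do so without a test oracle. As an added example (not the book's code, and only a simplified illustration of the execution / infection / propagation idea the PIE chapters are about), the following instruments one location in a small constructed program, injects constructed perturbations there, and measures over random inputs how often the location is executed (E), how often the perturbation actually changes the state (I), and how often that change reaches the output (P). No oracle is needed because the test compares the perturbed run against the unperturbed run, not against an expected answer. The program, the perturbations and the input ranges are all assumptions of this example.

```python
import random


def make_program(render):
    """Build a small program with one instrumented location.

    render(t) maps the intermediate value t to the program's output; it is the
    knob that makes faults at the location easy or hard to observe.
    """
    def program(x, y, mutate=None, trace=None):
        if x > 0:
            t = x * y                      # <-- the location being assessed
            if trace is not None:
                trace["executed"] = True
                trace["t_original"] = t
            if mutate is not None:
                t = mutate(t)              # inject a perturbed value here
                if trace is not None:
                    trace["t_mutated"] = t
        else:
            t = 0
        return render(t)
    return program


# Constructed perturbations standing in for "some fault at this location".
PERTURBATIONS = [lambda t: -t, lambda t: t + 1, lambda t: 2 * t, lambda t: 0]


def estimate_pie(program, trials=2000, seed=7):
    """Estimate E, I, P and their product for the instrumented location."""
    rng = random.Random(seed)
    executed = infected = propagated = 0
    for _ in range(trials):
        x, y = rng.randint(-10, 10), rng.randint(-10, 10)
        base_trace = {}
        base_out = program(x, y, trace=base_trace)
        if not base_trace.get("executed"):
            continue                        # E: location not reached on this input
        executed += 1
        mut_trace = {}
        mut_out = program(x, y, mutate=rng.choice(PERTURBATIONS), trace=mut_trace)
        if mut_trace["t_mutated"] == mut_trace["t_original"]:
            continue                        # I: perturbation left the state unchanged
        infected += 1
        if mut_out != base_out:
            propagated += 1                 # P: corrupted state reached the output
    e = executed / trials
    i = infected / executed if executed else 0.0
    p = propagated / infected if infected else 0.0
    return {"E": e, "I": i, "P": p, "testability": e * i * p}


# Two outputs for the same computation: a coarse threshold hides most faults,
# a pass-through exposes every one of them.
LOW_OBSERVABILITY = make_program(lambda t: 1 if t > 50 else 0)
HIGH_OBSERVABILITY = make_program(lambda t: t)

if __name__ == "__main__":
    for name, prog in (("threshold", LOW_OBSERVABILITY),
                       ("passthrough", HIGH_OBSERVABILITY)):
        print(name, estimate_pie(prog))
```

Both programs execute the location equally often and are infected equally often; they differ only in propagation, which is why the threshold version scores much lower. That is the practical lesson of the approach: a location with low testability is one where a real bug could sit through a lot of testing unnoticed, and the remedy is to change the design (chapter 4's "tester's utopia") so that internal state is observable, not to run more of the same tests.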
[You don't know what SANS is? The official message that I trimmed down for RISKS didn't say. The NS is presumably Network Security, but WITHOUT SANS (bad franglais pun) deacronymization, it is hard to tell. PGN]
The entire program lasts a week (November 13 - 18) with in-depth courses on Monday through Wednesday and on Saturday. The multi-track Technical Conference is on Wednesday and Thursday.
[Send E-mail to firstname.lastname@example.org or phone 719-599-4303 for full program and registration information. PGN]

TECHNICAL CONFERENCE PROGRAM
Thursday, November 16, 1995
9:00 - 10:30 Keynote Address: "Early Insecurity", Peter Salus
Track 1: Remainder of Thursday
11:00 - 12:30 pm
Session 1-1: "Legal Issues of Computer Security"
2:00 - 3:30
Session 1-2: Intruder Profiles and Incident Response Experiences
"Current Trends in Intruder Methods", Moira West or Tom Longstaff, CERT "An Incident Response Case Study", Brent Mead, Jet Propulsion Laboratory
4:00 - 5:30
Session 1-3: Incident Response Case Studies, Randy Marchany, VPI
"Security in the Blacksburg Electronic Village"
"Email Harassment: the Aura of Anonymity"
11:00 - 12:30
Session 2-1: Intrusion Detection - Past, Present and Future
"Informal Methods of Intrusion Detection", Matt Bishop, Univ. California Davis
"An Introduction to Intrusion Detection Modeling", Karl Levitt, UCDavis
2:00 - 3:30 pm
Session 2-2: Current Intrusion Detection Systems and
Future Trends: A Panel, Moderated by Dorothy Denning, Georgetown University
Becky Bace, Department of Defense
Karl Levitt, University of California at Davis
Teresa Lunt, ARPA/ITO
4:00 - 5:30 pm
Session 2-3: Encryption Alternatives: Overview and Applications
Dr. Robert Baldwin, RSA Data Security, Inc.
Both tracks: 5:45 - 6:45 pm
Special Bonus Session and Contest:
The Best Security Stories of 1995 Contest Winners
E-mail (before September 12) your abstract and complete contact information (name, title, organization, address, telephone, fax, email address) to email@example.com.
Evening: BOFs 8:00 to 10:00
Friday November 17
9:00 - 10:30 am
Session 1-4: Intruders and Incident Response
"Network Intruder Profiles", Gene Schultz, SRI
"Building An Incident Response Team for Your Organization", Gene Schultz, SRI
10:45 am - 12:15 pm
Session 1-5 Firewalls - Design Issues and Case Studies, Part I
"An Overview of Firewall Design and Selection Criteria", Marcus Ranum
"Case Study: A Winding Road To Security", Marcus Ranum
1:15 to 2:45
Session 1-6 Firewalls - Design Issues and Case Studies, Part II
"Case Study: A Secure Firewall Implementation", Paul Vixie, Vixie Enterprises
"Firewalls Into the 20th Century - Where Do We Go From Here", Fred Avolio, Trusted Information Systems
3:00 - 3:45
Session 1-7: "Case Study: Experiences In Implementing A Network Authentication System In A Large Commercial Site", Bryan Koch, Norwest Technical Services
9:00 - 10:30
Session 2-4: "Surviving the Battlefield of Security Policy Design and Implementation", Michele D. Crabb, Sterling/NASA Ames, Todd Welch, Sterling/NASA Ames, plus one other speaker to be announced
10:45 - 12:15
Session 2-5: "Insecurity in the PC-UNIX Realm",
Kenneth R. van Wyk, Defense Information Systems Agency and two associates to be named at the conference
1:15 - 2:45
Session 2-6: Potpourri One - Real World Experiences
"Case Study: Whom Shall I Say is Calling?", Hal Pomeranz - The NetMarket Co.
"Four Short Case Studies: Variations On A Theme", Darren Reed, Cybersource Software Services (Australia)
3:00 - 3:45
Session 2-7: Potpourri Two - Real World Experiences
"Augmenting Security in a UNIX Environment", Steve Lutz, Chase Manhattan
3:45 - 4:30
Session 8: Plenary Session
"The Taking of Clark", Bill Cheswick, AT&T Bell Labs
4:30 - 4:45 Summing Up: The Conference Chairpersons
List of Full-Day Intensive Courses:
COURSE M1: UNIX Security Threats and Solutions (Basic)
Dr. Matt Bishop (Univ. of California at Davis)
(NEW and UNIQUE) COURSE M2: Firewalls: Principles, Six Key Pitfalls, and Finding The Right Solution, Bruce D. Wilner
(NEW AND UNIQUE) COURSE T8: Building a Successful Security Infrastructure
Michele Crabb, Sterling Software Inc. for NASA Ames Research Center
COURSE T9: Advanced Topics in UNIX Security
Dr. Matt Bishop, University of California at Davis
(EXPANDED) COURSE W16: UNIX Security Tools: Use and Comparison
Dr. Matt Bishop (Univ. of California at Davis)
COURSE W17: Network Security, the Kerberos Approach
Dan Geer, Open Vision
Four Half-Day Post Conference Workshops
(NEW) Security and the World Wide Web, John Stewart, Cisco
(NEW and UNIQUE) Workshop on Security Policy Design and Implementation, Michele Crabb, Sterling at NASA Ames
Survival Strategies: Ten Keys To Giving Winning Technical Presentations
Alan Paller, President, The CIO Institute
Survival Strategies: Great Technical Writing Made Easy, Carolyn Sherman