The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 74

Thursday 15 February 1996

Contents

o China requires registration of Internet access
Li Gong
o GM Plans to Plug Cadillacs into Communication System
Mark Anthony Beadles
o Boza virus: knee-jerk media response more hazardous to wallet
George Smith
o At-work Web browsing?
Sean Reifschneider
o Federal Court enjoins CDA provision
Marc Rotenberg from EPIC Alert 3.04
o Correction to CDA article
Stanton McCandlish
o A simple solution to the CDA risk
Russ Broomell
o Seatbelts and the CDA, history repeats?
A. Padgett Peterson
o Re: Wildcard inconsistencies in Windows 95
George C. Kaplan
o 100% not spent on hospitals by a long way
Philip Overy
o Re: Lack of Common Sense is Biggest Risk of All
George C. Kaplan
o Re: Possible future risk of virtual reality
Michael Brady
Mark Meuer
Barton C. Massey
Brad Davis
o Info on RISKS (comp.risks)

China requires registration of Internet access

Li Gong <gong@csl.sri.com>
Thu, 15 Feb 1996 11:16:52 -0800 (PST)

The (Chinese) People's Daily (overseas edition, Feb.15, page.4) relays a news report of Feb. 14 by the New China News Agency, which announces that the Chinese Ministry of Public Security (the police) has issued a regulation that requires any institutions and individuals connecting or disconnecting to the Internet must register with the local police authority within 30 days. Non-registration will lead to penalty.

The regulation is said to cover all direct and indirect network access to areas outside China (including Taiwan, Hong Kong, and Macau). The report says that as of July of 1995, China has more than 40,000 end-points that are networked [it is unclear if they are all connected to the Internet or just the domestic networks]. It says that the regulation is a first important step towards computer security enforcement, and more regulations are expected.

Li Gong, SRI International, http://www.csl.sri.com/~gong/
[Also noted by Al Stangenberger <forags@nature.Berkeley.EDU>. PGN]

GM Plans to Plug Cadillacs into Communication System

Mark Anthony Beadles <beadles@acm.org>
Thu, 15 Feb 96 16:54:58 -0500

Article: "GM Plans to Plug Cadillacs into Automatic Communication System" WSJ, February 9, 1996, Page B3, Column 1

In summary, GM is introducing a system in its high-end automobiles that will "automatically call for help" in an accident, including flashing lights and honking the horn. Called the OnStar system, it is scheduled to appear as an option in the 1997 front-wheel-drive Caddies. According to the article, it is activated by the air bag being deployed. In addition to honking and flashing, the system will transmit (to whom was not clear) the location of the car in event of accident, theft, or "other emergencies". The system also includes navigational assistance that works throughout the US, using the car telephone as the output device.

OnStar's managing director, Chet Huber, is attributed as saying, "the company has done extensive market research that says drivers want a greater sense of security and control." Tying the car into a nationwide communication system that can track your every move and control your car is evidently how they intend to accomplish this.

The RISKS here are numerous, in my mind:

  1. A `false alarm' condition could cause the emergency transmissions, flashing lights, and honking horns, when there is in fact no emergency. This is similar to the present risks associated with home alarms.
  2. Tracking the location of one's car can be a benefit (prevents you from getting lost in the Mojave), but it can also allow people to find you when you don't want them to. Cars have traditionally been seen as private havens in the US.
  3. The system could give wrong navigational information to the driver. Who will be verifying the nationwide database of road information? The driver could follow the system's recommendations and become lost. Come to think of it, I guess that's an argument for having item 2.
Mark Anthony Beadles beadles@acm.org - http://www.acm.org/~beadles

Boza virus: knee-jerk media response more hazardous to wallet

Crypt Newsletter <crypt@sun.soci.niu.edu>
Thu, 15 Feb 1996 15:46:29 -0600 (CST)

Recently, the Associated Press newswire triggered another round of ridiculous computer virus alarms with a story on the Boza/Bizatch computer virus, an admittedly barely infectious parasite on Win95 executables. Attributed to the VLAD Australian virus-writing group, due to the equivalent of a computer underground press release embedded in the virus extolling VLAD members and their technical virtuosity vis-a-vis writing them, Associated Press reporter Sue Leeman issued a news brief and it echoed internationally.

In a pattern of action and reaction that has become standard for many computer virus stories reported in the mainstream press, the Boza piece generated countless questions from on-line users who thought they were in danger from it, although realistically they were statistically more likely to be hit by an automobile than the virus in their lifetime. The original Associated Press attributed Sophos' Paul Ducklin saying the Boza virus wasn't on the loose, but most subsequent news stories and fragments derived from it, including copycat press releases from other vendors, stripped this from the original. The Associated Press story wound up being printed in toto or in fragments in countless newspapers around the country that subscribe to the newswire.

A good example, but only one of many, was a prominently displayed bulletin mounted on the Compuserve "What's New" public announcement board. This board is displayed to callers everyday and it contained a warning about the Boza virus and a tip to head to Thunderbyte Anti-virus's spot on the service for a cure. However, the fact that the virus wasn't in circulation or even likely to be so, while present in the original seed AP piece, was gone.

The results were predictably confusing. Some PC users on Compuserve who did not even have Windows 95 installed on machines concluded they might have been exposed to Boza. I noted similar results on other networks like FIDO and in Usenet newsgroups.

The Boza mini-panic, coming as it does close to the Michelangelo virus anniversary on March 6, illustrated the need for consistent media criticism, particularly when it comes to certain varieties of technology stories, like those dealing with computer viruses. A few rules of thumb to keep in mind when dealing with this type of thing are:

  1. Computer virus stories are the best vehicle in which software developers selling cures can pimp for their products. Even if the virus is shown to be pathetic as a public menace, interest in those cited will always peak transiently during the run of the story. This amounts to software sales and on-line time spent through commercial services offering information or software fixes through download, even if it's unnecessary.
  2. Being the first vendor mentioned in a story like Boza throws competitors immediately on the defensive, scrambling to recover and fueling the story in the process. Even though competing companies may have known of a virus weeks previously and quietly written cures into software as the usual course of business, the average PC user - after reading this type of story - is given the impression everyone else was asleep at the wheel. This sets off a chain reaction in which competitors quickly release copycat press releases which drive developments and strip more information from the primary seed in an effort to maximize exposure. Those vendors who don't do this often face tons of witless support questions from those needlessly frightened by the news in on-line computer help forums. They also face a transient image that they've been caught flat-footed by competing vendors who've been more successful at generating publicity. From a consumer standpoint, this leads to counter-productive behavior in which some vendors, burned by the lack of exposure, gear up to generate even more press releases on potential future threats _before_ they materialize.
  3. It encourages some vendors to increase their contact with known active virus-writers and their groupies so that they will be the first to receive new viruses which, may or may not (more often "not"), work. This is a nasty spiral which tends to encourage virus-writers to produce more than they usually would for their "audience." Having written a book on virus-writers, I've seen this happen more than a few times since 1992.
George Smith, Crypt Newsletter

At-work Web browsing?

Sean Reifschneider <jafo@tummy.com>
Wed, 14 Feb 1996 23:40:31 -0600 (CST)

A company I'm working at has had a lot of growth recently on their WWW proxy servers. Last Friday evening I was finishing business just as a memo started its rounds... It seems that on a given day in January when they monitored the system, 1100+ connections to ESPNet were made, 800+ to Playboy, 600+ to Penthouse, etc...

It seems that now that they "have the new proxy servers in place which are able to log all transactions by source and destination address", they are going to start logging all "inappropriate" accesses with source destination IP address and send the appropriate log extracts to the persons boss.

The RISKS? Who says that an IP address maps to a person? "Click here to see technical specs on the XYZ Widgitifier" (points to Penthouse -- haha, fooled 'ya) I run a caching proxy server to increase my workgroups performance and reduce load on the company T1 and T3 lines. It's not really an official resource (in that the guys sending out this list don't know about it), so it looks like I spend a LOT of time browsing :-) Have someone you don't exactly like who's machine is turned off? Maybe they didn't get to the PC today. Maybe you just install a redirector on their machine... My NNTP redirector took about an hour to write. Did anyone actually believe their connections that were going through a central proxy were NOT being logged? Perhaps I've just run a proxy site for too long...

I'm sure there will be thoughts of "invasion of privacy", but (a) there are notices posted all over that personal use of company equipment is a no-no, and (b) this is a "regulated" industry -- you'd actually be using TAX dollars to do your web browsing. The company can get it BIG trouble for NOT doing everything they can to prevent it from happening.

It's a trend I see coming...

Sean Reifschneider <jafo@tummy.com> URL: <http://www.tummy.com/xvscan>

Federal Court enjoins CDA provision (from EPIC Alert 3.04)

"Marc Rotenberg" <rotenberg@epic.org>
15 Feb 1996 20:11:57 -0500

FLASH: Federal Court Enjoins Internet "Indecency" Provision -- ACLU, EPIC, and Others Score Partial Victory in CDA Challenge

A federal judge in Philadelphia has issued a partial temporary restraining order prohibiting enforcement of the "indecency" provision of the Communications Decency Act (CDA). The judge declined to enjoin those provisions of the Act dealing with "patently offensive" communications.

The court agreed with the plaintiffs' claim that the CDA will have a chilling effect on free speech on the Internet and found that the CDA raises "serious, substantial, difficult and doubtful questions." The court further agreed that the CDA is "unconstitutionally vague" as to the prosecution for indecency. But the court left open the possibility that the government could prosecute under the "patently offensive" provisions

The court has recognized the critical problem with the CDA, which is the attempt to apply the indecency standard to on-line communications. Nonetheless, online speech remains at risk because of the sweeping nature of the CDA.

The entry of the court order is a strong indication that the "indecency" provision of the legislation that went into effect on February 8 will not survive constitutional scrutiny by a three- judge panel that has been empaneled in Philadelphia. The panel will fully evaluate the constitutional validity of the legislation and consider entry of a permanent injunction against enforcement of the new law.

The temporary restraining order (TRO) was issued in a lawsuit filed by the Electronic Privacy Information Center (EPIC), the American Civil Liberties Union and a broad coalition of organizations. EPIC is also participating as co-counsel in the litigation.

The court ruling comes in the wake of widespread denunciation of the CDA, which was included in the telecommunications reform bill signed into law last week.

According to EPIC Legal Counsel David Sobel, one of the attorneys representing the coalition, "The court's decision is a partial victory for free speech, but expression on the Internet remains at risk. This is destined to become a landmark case that will determine the future of the Internet." Looking ahead to proceedings before the three-judge panel, Sobel said "we are optimistic that further litigation of this case will demonstrate to the court that the CDA, in its entirety, does not pass constitutional muster."

EPIC has maintained since its introduction in Congress that the ban on "indecent" and "patently offensive" electronic speech is a clear violation of the free speech and privacy rights of millions of Internet users.

Comprehensive information on the CDA lawsuit, including plaintiffs' brief in support of the TRO, is available at:

http://www.epic.org/free_speech/censorship/lawsuit/


Correction to CDA article (RISKS-17.72)

Stanton McCandlish <mech@eff.org>
Wed, 14 Feb 1996 19:40:55 -0800 (PST)

Due to a mis-paste [mis-spaced!], I gave out misinformation on who voted against the CDA in my recent article. The correct version is:

Earl Hilliard (D-AL), Pete Stark (D-CA), Pat Schroeder (D-CO), Neil Abercrombie (D-HI), Lane Evans (D-IL), Sidney Yates (D-IL), Barney Frank (D-MA), John Conyers (D-MI), Collin Peterson (D-MN), Harold Volkmer (D-MO), Pat Williams (D-MT), Maurice Hinchey (D-NY), Jerrold Nadler (D-NY), Peter DeFazio (D-OR), Timothy Johnson (D-SD), Bernard Sanders (independent-VT)

Senators

Dianne Feinstein (D-CA), Patrick Leahy (D-VT), Paul Simon (D-IL), Paul Wellstone (D-MN), Russ Feingold (D-WI), and John McCain (R-AZ).

[As you'll note, the string "MN), Russ Feingold (D-" was some how left out, leaving out Feingold, and making it look as if Wellstone is D-WI! Many apologies for the error. SMcC] [Yes, it was also mis-spaced. PGN]

[Stanton's message in RISKS-17.74 was too polemic and slanted for some readers, who wondered about why I included it in RISKS. I had a similar reaction, but chose to include it anyway rather than try to censor it (!) -- because I had not seen any other appropriate submissions on this subject and felt that the subject itself was without doubt worthy of mention in RISKS. Had I written the analysis myself, it would have been quite different, but I try to keep RISKS as open a forum as possible within the posted guidelines, and very seldom try to edit for content -- apart from adding interstitial notes such as this one. PGN]

A simple solution to the CDA risk (McCandlish, RISKS-17.72)

"Broomell, Russ" <MARKETING/MARKETING/RUSS%Konica_Imaging@mcimail.com>
Thu, 15 Feb 96 09:45 EST

What we have in the CDA as has been said by many before is the consequence of non-technical people making decisions on technology without technical information. The internet itself is a complex technological system, but the content the CDA seeks to regulate is easily understood, with even the quickest training (i.e. Look, Senator, if you click here you get the Mona Lisa, but if you click here, you get the Moaning Lisa). It seems that our elected officials are too busy even for this brief glimpse.

What many people have overlooked is a simple effective solution that almost everyone uses - passwords. While simple password protection is not enough to ward off a "high-tech" attack, it is usually enough to discourage your teenager from delving into the sometimes objectionable world of alt.*.* and some of those chat groups. I have an on-line service account on one of the major services, and at least once a week, my teenage son and I "surf the net" - the 1996 equivalent of "watch TV with your children". My son does not know my online password and I change it regularly. Can he defeat this code? Sure, but he can walk down to the corner store and pick up any one of a dozen "objectionable" publications much easier. This seems to me an acceptable risk. He has learned to be a responsible online citizen. I feel that I have handled the risk that the CDA sought to eliminate.


Seatbelts and the CDA, history repeats?

A. Padgett Peterson <padgett@tccslr.dnet.mmc.com>
Thu, 15 Feb 96 11:00:48 -0500

Over twenty years ago, Congress passed a resolution that required automobile manufacturers to restrict use of automobiles unless seatbelts were fastened and the seatbelt interlocks of 1974 ensued. Such a public outcry ensued that the requirement was removed in time for the next year's models. Fortunately for those with '74s (not a great year for cars in general) unplugging a single connection on each front seat disabled the mechanism. In its wake, a more rational system followed with a dashboard warning light and state laws mandating seat belt use to take the onus of compliance from the manufacturers, and placing it on the users of the automobiles in states where prodding was felt appropriate.

I predict a similar fate for the CDA: the US Gov getting out of the conflict, removing the onus from the service providers, while placing the bulk of the responsibility back onto users/parents and permitting definition of community standards *within the communities* and not for the entire net.

To accomplish this, some control mechanism is needed -- but, like the warning light on the dashboard, a flag could be placed on sites containing potentially offensive material, a flag for which the software vendors could provide a "parental control" switch. Not difficult to do just not done, yet.

In Florida, a parent is held responsible if a child gains access to a gun. Similarly only an adult can purchase a firearm and must show "proof of age".

Along the way we are going to need some sort of Internet "proof of age" - in the form of a cryptographic ID in which some agency verifies that the holder is of legal age in the state of residence. True, there will be screams from the rabid right but is necessary like a drivers license - you do not have to have one, but if you want to drive a car... Also suspect that since states have different ideas about what constitutes an adult, the mechanism should be driven by the states and not the federal government - this would again defuse many objections.

This prevents the customs peculiar to New York City from affecting the different cultures of Florida or Texas.

Similarly we need to prevent local mores of Memphis from affecting what works in San Francisco. (I suspect that some public health warnings I have seen on SF buses might be illegal in Memphis.)

I do expect good to come from the CDA in that the Supreme Court will have the opportunity to say "STOP THAT" to some of the more radical elements. It seems that in some things we must go overboard just to verify that we do not ever want to do that again. Somehow it works 8*).

Padgett

Re: Wildcard inconsistencies in Windows 95 (RISKS 17.73)

"George C. Kaplan" <gckaplan@cea.berkeley.edu>
Thu, 15 Feb 1996 10:17:36 -0800

I've never written a program for Windows, but my dimly remembered experience with MS-DOS indicates that programs get the raw command line parameters, and it's up to the program to expand the wildcards according to the rules. It's not surprising that sooner or later someone would get it wrong on one command or another.

In contrast, the Unix shell handles the wildcard expansion, and programs only see the expanded parameter list. Of course, there are risks here, too, since there are multiple shells available, each with slightly different wildcard rules.

George C. Kaplan gckaplan@cea.berkeley.edu 1-510-643-5651

100% not spent on hospitals by a long way (Zehr, RISKS-17.73)

Philip Overy <pjo33@mailbox.rl.ac.uk>
Thu, 15 Feb 1996 07:39:18 -0800 (PST)

There are some quaint ideas in "the measurement of risk" by tada@MIT.EDU - I got a good laugh out of the comment about priorities on health spending:

The following type of example should be borne in mind when comparing safety propaganda and safety spending with "common sense solutions": Asthma is generally reckoned to be a disease caused by vehicle pollution: In the UK last year 4m pounds was spent on asthma research 6m pounds was spent on POLICING demonstrations against the proposed new M11 road.

The real RISK is that someone like tada@MIT.EDU works for the risk assessor who decides whether your local hospital stays open! - tada forgets that when the individual decides whether to spend all of his or her income on health, the taxman grabs the Star Wars, the road, the import surcharge/export subsidy and the MP/congressmen's salary increases before minor problems like literacy in the local secondary schools are even debated. I am afraid that example stopped me so dead in my tracks, I was unable to focus on a line of the remaining eMail, so there's a risk of making statements of "obvious facts" early on in a technical presentation.

I should think that the size of the drug problem in our two countries demonstrates that quite a large chunk of the population have no respect whatsoever for their personal safety, although I am sure their representatives in congress/the Commons think they have.

As for Telstra's radio emissions, well, I suppose the main problem is that the last time the electorate read about something with the string "radio" in it, it was the technical world telling them that radioactivity was good for you, so it's more a case of "once bitten, twice shy" than "Us vs. Them".

Phil Overy

Re: Lack of Common Sense is Biggest Risk of All (Gunderson, -17.73)

"George C. Kaplan" <gckaplan@cea.berkeley.edu>
Thu, 15 Feb 1996 10:34:26 -0800

> Amazing. I wonder how many people are out there, right now, trying to be
> the first to drive a NASA satellite from home. [...]

I suppose continued "security through obscurity" is better? Contrary to what "name deleted" said, I'm sure there are people who have already tried to hack into a satellite control system, even before these remarks were published. Better to sound a public alarm; it might shake people who can do something about the problem into action.

George C. Kaplan gckaplan@cea.berkeley.edu 1-510-643-5651

Re: Possible future risk of virtual reality (Cohen, RISKS-17.73)

Michael Brady <michaelb@gemsbok.corp.sgi.com>
15 Feb 1996 18:19:07 GMT

It seems to me that if we take credit for the good habits developed while training in VR, we have to consider that bad habits can be developed there too. As habits are developed through repetition it seems reasonable that compulsive video-gamers would be much more susceptible to such a phenomenon.

Some time ago I read (Scientific American? Wired?) that military aviators were not allowed to operate real aircraft for some interval after using a VR simulator.

Michael Brady -- michaelb@corp.sgi.com -- "We are what we do."

Re: Possible future risk of virtual reality (Cohen, RISKS-17.73)

Mark Meuer <markm@endo.com>
Thu, 15 Feb 1996 10:11:39 -0600

This is related to a more generic risk relating to trained reflexes. I once heard an airline pilot give a talk where he said that he always has his wife drive him home from the airport when he is done flying for the day. The reason for this was that when a plane is on the ground, the rudder controls (which are foot pedals) are used for steering, and the "steering wheel" of the plane is not used at all. This pilot said that on more than one occasion he came close to having an accident in his car because he instinctively tried to steer with his feet.

Mark Meuer <>< |Endocardial Solutions, Inc.|(612) 644-7890| markm@endo.com

Re: Possible future risk of virtual reality (Cohen, RISKS-17.73)

"Barton C. Massey" <bart@cirl.uoregon.edu>
Thu, 15 Feb 1996 11:49:34 -0800 (PST)

Sad to admit, this has almost happened to me already. My institution of higher education got an SGI Power Challenge a couple of years ago. Lovely machine, which includes a very good flight simulator/dogfight game. A couple of times, driving home after 4 hour sessions, I found myself reflexively flooring the gas pedal, crossing three lanes of traffic, and cutting in front of a car: there was "obviously" room, as my simulator-trained perceptions would have it. I no longer play that game.

Bart Massey bart@cs.uoregon.edu

Re: Possible future risk of virtual reality (Cohen, RISKS-17.73)

Brad Davis <b-davis@zinc.com>
Thu, 15 Feb 1996 15:46:36 -0700 (MST)

This risk has already happened. A few years ago one of the branches of of the US Military created computerized training material using video, computer graphics overlays, and a touch screen to train technicians how to repair a piece of radio equipment. The actual equipment was shown by video and a "fault" generated with the graphical overlay. The student would then "touch" (using the touch screen) a part to test or remove. The training software was changed and the touch screen removed after a number of graduates were injured (shocked/burned) while touching the real (live) radio.

Brad Davis, Zinc Software Inc., 405 S 100 E #201, Pleasant Grove, UT 84062 bdavis@zinc.com Voice: 1 (801) 785-8900 Fax: 1 (801) 785-8996

Please report problems with the web pages to the maintainer

Top