The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 77

Tuesday 20 February 1996

Contents

o Re: Maryland train collision
Steve Bellovin
o Garbage truck worker wipes out telephone service
Andrew J Klossner
o Using better words to discuss WWW
Mark Seecof
o Acrobat quietly 'censors' text in missing TrueType fonts
Henry Baker
o Java security problems
Drew Dean
o Passwords and the Media
Eriks Ziemelis
o Non-standard use of ";" in file names
John Cigas
o Re: Risks of MS Word
Nicholas C. Weaver
o Re: Computer unmasks Anonymous?
Erann Gat
o Re: The Measurement of Risk
Arthur Byrnes
o Libel and censorship issues: misc.transport.air-industry
Brian A. Reynolds
o Info on RISKS (comp.risks)

Re: Maryland train collision (Lesher, RISKS-17.76)

Steve Bellovin <smb@research.att.com>
Mon, 19 Feb 1996 08:54:51 -0500

Although the investigation is far from complete, some facts that have come
to light (see *The New York Times*, 19 Feb 1996) point to the role of total
system design for safety.

The event recorder aboard the MARC train shows that the train was going
twice as fast as it should have been, just prior to the crash.  Why was
this?  The train passed a yellow signal, which should have told the engineer
to slow down.  But the signal was *before* a station; there is speculation
that during the station stop, the engineer forgot what the signal read, and
just accelerated to normal track speed.  (N.B.  Investigators have not yet
determined if that signal was truly yellow, or if it changed to yellow while
the train was in the station; these factors would obviously change the
hypothesis given here.)

The interesting part is that the signal used to be after the station,
as is common on passenger lines, precisely to avoid that problem.
But it was moved a few years ago to increase the passenger train
capacity of the line, which is primarily used for freight trains.
Signal spacing is correlated with the maximum speed and weight of
the trains; to increase speed, one should space the signals further
apart and/or add more signals.  (A recent New York subway accident
occurred because this was not done as the rolling stock changed.)

Numerous factors apparently interacted to cause this accident:

-       The line was used for both freight and passenger trains;
        these have different characteristics (weight, frequency,
        length of train, signal conventions).

-       Simply adding a repeater for the misplaced signal might
        have caused operational problems -- the rules on that line
        require engineers to radio an acknowledgement each time
        they pass a signal.  Another signal means more radio traffic.
        (The crew of the MARC train did make the required report,
        but the witnesses don't remember what signal aspect they
        reported.  Investigators are searching for audio tapes now.)

-       The line was set up for Centralized Traffic Control (CTC),
        permitting bidirectional operation on both tracks.  That
        provides flexibility -- it let the Amtrak train use to
        left-hand track to pass a stopped freight train -- but at
        the cost of complexity.  But it also led to the crash,
        which happened as the Amtrak train was about to switch back
        to the right-hand track.  (Btw -- it's worth noting that
        CTC is not a new system; according to the references I have
        on hand, it became economically feasible as early as 1930.
        ``Interlocking'' -- tying signals to switch track positions
        -- may date to as early as 1857.)

-       Train signals are normally set up so that only one train
        at a time can be in a ``block''.  If you want a lot of
        trains on a line, you need short blocks, but that also
        means you need more complex signal indications to tell the
        engineer when to slow down to prepare for a red signal
        several blocks ahead.  This in turn puts more demand on
        both the engineer and the signaling logic (though the
        latter, at least, does not seem to be implicated here).

-       Automatic train control equipment, which regulates the speed
        of trains per the signal equipment, would have helped, but
        such equipment is rare in the U.S.  (Again, this is not new
        technology; the Federal rule limiting track speeds to 79 mph
        in the absence of such gear dates to 1951.)  Why wasn't it
        used?  Well, it's expensive, commuter lines often don't run
        that fast anyway, because of their frequent stops, and this
        is primarily a freight line.  (MARC paid CSX (the freight line)
        for one signal system upgrade in 1993.)

-       If the problem is indeed the placement of the signal before the
        station, cab signals (vintage: 1921) would have helped.  Again,
        though, this is expensive equipment.  The newspaper article was
        silent on this point.

-       If any of the equipment I mention here had been used, the cost
        would have been greater complexity, which in and of itself
        increases the likelihood of failure (though I should note that
        railroads have a pretty good record of using fail-safe or
        fail-soft equipment -- automatic block signaling wasn't adopted
        until a fail-safe design was developed).

Though computers were apparently not involved in this accident, the lesson
is the same:  many failures are caused by complex interactions.  There is
rarely a single cause.


Garbage truck worker wipes out telephone service

Andrew J Klossner <andrew@pogo.WV.TEK.COM>
Tue, 20 Feb 1996 07:58:27 PST

Even worse than errant squirrels ...

------- Forwarded Message (from a colleague)

I'd like to apologize if you've had trouble contacting me recently.  What
the floods here in Oregon were unable to do, a cowboy garbage truck driver
made up for.  It seems that they have this little game they like to play on
the way back into town after dumping their load called "swing the cables".
They raise the forks (used to lift the dumpsters up over the truck to empty
it into the back) to try to flick the big thick telephone cables stretched
across the highway.  One guy overdid it and ripped out the cable for service
to the entire west side of the telephone central office that serves my home
and office.  It took a lot of work to put that cable back into service
considering that it was shredded where it was torn from the shattered
telephone poles on both sides of the highway. Meanwhile, five lanes of
traffic were driving over the fallen corpse.  As I write this the telephone
guys are still up there in their little tents, high above the ground,
huddled against the rain, slowly splicing it all back together.

As a work-around I had the telephone company forward all calls to my
cellular phone but somebody made a typographical error setting it up and by
calls got forwarded to Timbuktu instead of to my cell phone.  Furthermore, I
hadn't seen any need to equip my cell phone with FAX or modem so I was
FAX-blind and isolated from my e-mail and other internet access.

So, if I haven't responded to something that you've sent me or you have been
unable to FAX me, please try again now.


Using better words to discuss WWW

Mark Seecof <Mark.Seecof@latimes.com>
Mon, 19 Feb 1996 12:38:46 -0800

If I were going to censor anything about the WWW it would be the use,
by those of us who should know better, of the term "publish" to
describe the act of making data available from a server.

I think much trouble comes from using this unfortunate word.
Most people do not understand that surfing the net is much more like
placing 'phone calls than reading a magazine found lying on a chair.
We have confused the public debate by using the term "publish" because
it connotes, to virtually all non-computer-geeks, communication
through materials which can be sent or delivered to people who have
not requested them.

All public discussions of the censorship issue have included
statements, sometimes maliciously uttered by activists who know
better, but more often repeated by the ignorant, to the effect that
evil people will send undesirable images or words to children.
Magazines may be mailed to non-subscribers; but only computer geeks
know that the images on the web-browser's screen appear only when the
user calls for them.

The word "broadcast" is even worse.  The mere invocation of this word
has been claimed to justify censorship precisely because it connotes
the possibility of unsolicited delivery.

When we use the terms "publish" or "broadcast" we invite the public
to misunderstand the 'net.  Even when some of us, with the best of
motives, demand to be treated "as publishers legally" the effect is
to shoot ourselves in the foot.  Publishers are required to register
with the government, for goodness' sake.  The correct legal treatment
to request is that accorded private citizens speaking freely to
anonymous telephone callers!  Links to other folks' pages are akin
to giving out a 'phone number--no one who does so should be thought
responsible for any message which may be heard by calling it.


Acrobat quietly 'censors' text in missing TrueType fonts

Henry Baker <hbaker@netcom.netcom.com>
Mon, 19 Feb 1996 08:04:35 -0800

Adobe Acrobat 2.1 on the Mac _quietly_ drops text for which it lacks
TrueType fonts.  In particular, if your Mac has bitmap fonts for the 'Times'
fonts, but no scalable TrueType fonts, then Acrobat 2.1 doesn't bother
displaying text in the 'Times' fonts at all.  This lossage is particularly
curious, since Acrobat has a very sophisticated font-substitution capability
using its 'generic' serif and sans-serif fonts for more obscure fonts.

Even more curious is the fact that on Adobe's own technical notes on
ftp.adobe.com, the following text _will not be displayed_ if your 'Times'
fonts are missing:

"...Adobe Systems Incorporated assumes no responsibility or liability for
any errors or inaccuracies, makes no warranty of any kind (express, implied
or statutory) with respect to this publication, and expressly disclaims any
and all warranties of merchantability, fitness for particular purposes and
noninfringement of third party rights."

If this text is missing from Adobe's _own_ documents, then such disclaimer
text could well be missing from _every_ document, whether from Adobe or some
third party, if this disclaimer is set in one of the 'Times' fonts.

Since many important manuals and forms -- including IRS tax forms and many
state tax forms -- are now being distributed in 'PDF' (Acrobat) format, the
risks should be obvious.

("All the text that's fit to print ??"  'Sign' of The Times.)

("The dog ate my font ??")

Henry Baker  ftp://ftp.netcom.com/pub/hb/hbaker/home.html


Java security problems

Drew Dean <ddean@CS.Princeton.EDU>
Sun, 18 Feb 1996 23:57:02 -0500

We have discovered a serious security problem with Netscape Navigator's 2.0
Java implementation.  (The problem is also present in the 1.0 release of the
Java Development Kit from Sun.)  An applet is normally allowed to connect
only to the host from which it was loaded.  However, this restriction is not
properly enforced.  A malicious applet can open a connection to an arbitrary
host on the Internet.  At this point, bugs in any TCP/IP-based network
service can be exploited.  We have implemented (as a proof of concept) an
exploitation of an old sendmail bug.

If the user viewing the applet is behind a firewall, this attack can
be used against any other machine behind the same firewall.  The
firewall will fail to defend against attacks on internal networks,
because the attack originates behind the firewall.

The immediate fix for this problem is to disable Java from Netscape's
"Security Preferences" dialog.  An HTTP proxy server could also
disable Java applets by refusing to fetch Java ".class" files.  We've
sent a more detailed description of this bug to CERT, Sun, and
Netscape.

A second, also serious, bug exists in javap, the bytecode
disassembler.  An overly long method name can overflow a stack
allocated buffer, potentially causing arbitrary native code to be
executed.  The problem is an unchecked sprintf() call, just like the
syslog(3) problem last year.  Many such bugs were in the alpha 3
release's runtime, but were carefully fixed in the beta release.  The
disassembler bug apparently slipped through.  This attack only works
on users who disassemble applets.  The fix is to not run javap until
Sun releases a patch.

Note that we've only had success in exploiting the first flaw on an SGI.
Windows 95 and DEC Alpha versions of Netscape have other bugs in their
socket implementations that make it harder (although not necessarily
impossible) to exploit the problem.  This is the second time that unrelated
implementation bugs have prevented us from demonstrating security problems
in Java.

http://www.cs.princeton.edu/~ddean/java will contain more information
soon, including a revised version of our paper, to appear in the 1996
IEEE Symposium on Security and Privacy.

Drew Dean       <ddean@cs.princeton.edu>
Ed Felten       <felten@cs.princeton.edu>
Dan Wallach     <dwallach@cs.princeton.edu>
  Department of Computer Science, Princeton University

For more information, please contact Ed Felten, 609-258-5906, FAX 609-258-1771.


Passwords and the Media

Eriks Ziemelis <eazy@hp7001.ecae.StorTek.COM>
Mon, 19 Feb 96 8:43:38 MST

The 5:00PM news broadcast on a local channel here in the Denver area ended
with a story on how the news anchors were a bit worried that they would not
be able to deliver the news that evening.

It seems that someone on the news staff had locked everyone out of the
system used to write-up the "copy".

The news anchor went on to say that if you are not careful while typing in
your name, and that your last name is "Lockheart", you might cause your
fellow workers some anxiety.

The usual "humorous anecdote anchor laugh" followed.

The obvious risks:

  o Be careful of the passwords you pick, especially where
    your "average" user has the potential to cause harm (that
    "!&wjl186" password is starting to look good...)

  o Don't let your "talking heads" blurt out what is in effect
    your systems root password over the air.

I just hope that the system administrators changed the password,
if not before the anchors gaffe then at least afterword.

Eriks A. Ziemelis               eriks_ziemelis@stortek.com


Non-standard use of ";" in file names

John Cigas <cigas@Cs.rockhurst.edu>
Mon, 19 Feb 1996 15:36:33 -0600 (CST)

Speaking of problems with filename globbing and the conventions on different
systems, I found out about encrypted files under DR DOS the hard way a few
years back.

I was trying to use sz to download several files from a VMS system to my PC,
on which I was newly using DR DOS. The VMS version of sz wouldn't allow wild
cards at all, so I issued a DIR command, saved the results in a file, then
used this file as input to a DCL command file to invoke sz. For those who
aren't familiar, VMS associates a version number with each file, as in
FOO.BAR;1

I'd never had any problems with VMS to MS DOS file name conversion before -
MS DOS just ignored the ;1 so I didn't pay any attention.

All my files downloaded just fine, but I couldn't access them. The file names
all looked right, but DR DOS kept telling me the files were password protected.
After several frustrating minutes of scrounging through the manuals, I found
that DR DOS uses the ";xxxxxx" syntax to specify a password to be associated
with a file. Sure enough, all my files had a password of "1","2", or "3".

It was hard learning to use a semicolon properly in writing class but I didn't
expect it to be that tricky in computing as well ;)

John Cigas, Rockhurst College, cigas@acm.org


Re: Risks of MS Word (Gebe, RISKS-17.76)

"Nicholas C. Weaver" <nweaver@CS.Berkeley.EDU>
Sat, 17 Feb 1996 18:51:38 -0800 (PST)

This is probably just a matter of sloppy programming at Microsoft, in that
the program simply acquires x blocks of disk space, but doesn't zero them
t(out before using them.  This way, gaps in the file or at the end are
occupied by old data from the disk.  (In your case, probably a piece of your
w{b-browser's history list).  Of course, it is also a file-system problem,
in that data is not zeroed-out when a disk block is freed.

        A similar discovery around 6-7 years ago nearly torpedoed Prodigy
(whether this would have been a good thing is open to debate. :).  In a
perfectly sensible manner, Prodigy created a cache file on the disk.  The
program grabbed a fairly large amount of space for this file, although it
did not fill up right away.  Somebody looking through this file discovered
bits and pieces of their own data, and rumors flew from there.

        I personally believe that this is a MUCH more severe problem then is
commonly realized.  Most file-systems do not overwrite old data, then many
programs compound this flaw by simply grab space.  I think the risks are
obvious, especially in a multi-user environment.  E.G., one could
conceivably write a program to grab a block on disk, search through them for
interesting data (eg the public key a security paranoid uses for his e-mail,
which happened to get swapped out to disk for a moment), mark the block as
read, and then free it.  Or who knows what interesting tidbits may have
inadvertently found their way into major ftp archives (now available on
CD-Rom).

Nicholas C. Weaver  nweaver@cs.berkeley.edu http://www.cs.berkeley.edu/~nweaver


Re: Computer unmasks Anonymous? (Wayner, RISKS-17.75)

Erann Gat <gat@aig.jpl.nasa.gov>
Mon, 19 Feb 1996 00:54:24 -0800 (PST)

>If Joe Klein, a well-known political writer, is indeed the author, it is
>clear that he didn't learn one of the first lessons of Washington.  If
>you're going to leak information or quotes to the world, make sure you use
>the diction of your enemy.

On the other hand, if Joe Klein is *not* the author, then it is clear
that the real author *did* learn that lesson.  That's the trouble with
Washington.  The people who are telling you that you are being lied to
might be lying.

Erann Gat         gat@jpl.nasa.gov       gat@power.net


Re: The Measurement of Risk (Overy, RISKS-17.74)

<byrnes@escmail.orl.mmc.com>
Mon, 19 Feb 96 14:42:34 EST

>pjo33@mailbox.rl.ac.uk (Philip Overy) says;

>The following type of example should be borne in mind when comparing safety
>propaganda and safety spending with "common sense solutions": Asthma is
>generally reckoned to be a disease caused by vehicle pollution: In the UK
>last year 4m pounds was spent on asthma research 6m pounds was spent on
>POLICING demonstrations against the proposed new M11 road.

Maybe this type of statement is the "Glaring Light" to show the problems
with "The Measurement of Risk".  People who have Asthma may be sensitive to
vehicle pollution, but Asthma existed long before the invention of the
automobile. And people with Asthma are often sensitive to lots of other
air borne items besides vehicle pollution, such as pollen, dander, etc.

So, Phillip, gives us a perfect example of a statement designed to enrage
and scare people to get more funding for his "pet disease". (And villify,
a technological item that he disagrees with, motor vehicles.)

>As for Telstra's radio emissions, well, I suppose...it was the technical
>world telling them that radioactivity was good for you...

The UK must be a really strange place, I don't remember hearing this in the US.
Even the old 50's movies show that exposure to radioactivity would create,
"The Amazing Colosso Man" or "The Incredible Shrinking Woman".

Arthur Byrnes


Libel and censorship issues: misc.transport.air-industry

"Brian A. Reynolds" <bareynol@cca.rockwell.com>
Mon, 19 Feb 96 11:20:26 -0600

The following thread is developing in misc.transport.air-industry.  Quite
frankly I have stopped reading the group because in the desire to engage in
enlightened discourse with other reasonable minds, the unreasonableness of
the legal system intrudes.

I see the risk as:  Any communication by an individual using a company
domain name is legally perceived as being a representative of that company
without regards to any efforts to distance the user from the provider.

I know of at least one case where this was true, and while the individual
included a disclaimer, the inclusion of the disclaimer was itself construed
as meaning that the individual was attempting to speak for the company.
Until this is actually tried in court, I think that the safe assumption has
to be that anything you say can, and will, be used against you.

 - - -  - - -  - - -  - - -

Subject: [ADMIN] CENSORSHIP OF MISC.TRANSPORT.AIR-INDUSTRY -
misc.transport.air-industry #6069

In article <4g2vmc$9a9@gsb-birr.Stanford.EDU>, rna@gsb-birr.Stanford.EDU
(Robert Ashcroft) wrote:

A few days ago, misc.transport.air-industry moderators received the
following message.  With the permission of the author, we repeat it
here.  All misc.transport.air-industry moderators have received a
copy of this message, and know who the author is.  We can tell you
the author is a long-time contributor to the newsgroup, not given to
extreme opinions, but we will not identify the author further for
obvious reasons.  We have no reason to doubt the veracity or
motivation of the author (this author has not been involved in the
debates on Airbus safety or subsidies so far as we know).

 >This may seem like a strange request, and I will understand if you cannot
 >comply with it.  Airbus Corporate Legal sent a Letter to my company's
 >corporate offices complaining about a posting of mine on an Internet
 >newsgroup.  I believe that it was this news group.  The posting was
 >really quite benign (it wasn't on the ever present safety issue).  It
 >was taken completely out of context, but that is really beside the point.
 >First of all, I have been asked (by my legal department) if that posting
 >and the entire thread is retrievable.  My guess was that it isn't, but I
 >told them I would ask.
 >
 >Thankfully, I work for a company which values free speech (as I do this on
 >my on time on my own computer), but I still find it somewhat chilling that
 >rather than participate in the discussion in this group; Airbus is looking
 >to silence people via threats to their companies.  If they are going to
 >come after me due to a benign third part[y] comment on performance, what
 >are they going to do to some of these other folks?

Obviously the moderators of misc.transport.air-industry are concerned about
any attempt at censorship of this newsgroup.  It's unclear exactly what this
group should or can do about it, and we welcome your suggestions.  We all
have an interest in keeping debate both open and lively in
misc.transport.air-industry (and more generally, on the net as a whole).

RNA  misc.transport.air-industry comoderator, for the m.t.a-i moderators

 - - -  - - -  - - -  - - -

In article <1996Feb16.222312.1@eisner.decus.org>, mezei_jf@eisner.decus.org
(Jean-Francois Mezei) wrote:
  In article <4g2vmc$9a9@gsb-birr.Stanford.EDU>, rna@gsb-birr.Stanford.EDU
  (Robert Ashcroft) writes: [...]

If a poster has a signature file that makes reference to whom his employer
is, even if there is a "my opinions are mine and not my employers" type of
statement, and that employer has contractual ties to the plaintif (Airbus),
then I can -understand- why the plaintif would send a complaint to the
employer since one of its employees made public statements *possibly*
containing information that was obtained under non-disclosure etc.

However, no matter how slanderous a statement is posted by an individual
without any reference to an employer, there should never be any legal
retributions possible.

The issue is not of censorship but that of representation. When an employer is
mentioned, the poster is linked (like it or not, disclaimer or not) to that
company and represents it in some way. When the employer's name is posted to
give credibility to the poster, the link is all that much stronger.

So, if an individual (or his employer) has problems with another entity
(individual, corporation, government), the problem is not at the
Internet/newsgroup level and moderators should not worry.

 - - -  - - -  - - -  - - -

In article <4g5fgj$h31@bronze.coil.com>, ebright@coil.com (Jim Ebright) writes:
>In article <4g2vmc$9a9@gsb-birr.Stanford.EDU>,
>Robert Ashcroft <rna@gsb-pound.stanford.edu> wrote:
 > ...
 >Obviously the moderators of misc.transport.air-industry are concerned
 >about any attempt at censorship of this newsgroup.  It's unclear
 >exactly what this group should or can do about it, and we welcome
 >your suggestions.  We all have an interest in keeping debate both open
 >and lively in misc.transport.air-industry (and more generally, on the
 >net as a whole).

Avoiding obviously libelous statements is almost certainly an obligation of
both posters and moderators.  But what is libel?

_Sullivan vs The New York Times_ set the standard for libel of `public
figures' in the USofA.  I suspect newsworthy corporations fall under this
umbrella ... but I have not researched this.  (Consult your favorite lawyer
for paid research :)

Three tests must ALL be passed for a statement (posting) to be libelous:

1) the statement must be false.

2) the poster must have known the statement was false at the time he/she
made it.

3) the statement must have been made with malicious intent by the poster.

With these criteria, I know of no postings in the mentioned newsgroups that
are libelous.  (Beware, standards are much more strict for non-public
figures...but this probably isn't operative in this case.)

Of course, most other countries have less protection for free speech.
But if you don't go there, they can't do anything to you :)

'moo2u from osu'   Jim Ebright   ebright@bronze.coil.com

Internet/newsgroup level and moderators should not worry.

   [Variant spellings of "libelous" unified by PGN.  By the way, PLEASE
   note that I almost always routinely remove the disclaimers at the end
   of each submitted message, relying on the blanket disclaimer at the
   end of each issue.  Submitters must assume that all contributions
   become public statements, and you should be intellectually accountable
   for what you write -- irrespective of any legal implications thereof. PGN]

Please report problems with the web pages to the maintainer

Top