The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 91

Tuesday 19 March 1996

Contents

o Hare Krsna chants trigger answering machine remote access
Dan Cross
o Medical Device Recalls: Heart monitor
PGN
o Jury-duty-pool selection-criteria risks
Varda Reisner Bruhin
o FTC Targets Internet Fraud
Edupage
o Iomega Stock Volatility Blamed on AOL Postings
Edupage
o Risks of onboard flight manuals
Hank Nussbacher
o Foreign CDA
Kurt Fredriksson
o Risks of assuming all computers are PCs
Timothy Panton
o PacBell ID Blocking [For California readers]
Henry Baker
o Response from Strassmann/Marlow illustrates further risk
Benjamin Bokich
o Flash Crowds
David M. Chess
o Re: Netscape's syntax checking
Matt Welsh
Max TenEyck Woodbury
o Internet Privacy and Security, Call for Papers
Joseph M. Reagle Jr.
o InfoWarCon V 1996: Call For Papers
Winn Schwartau
o Info on RISKS (comp.risks)

Hare Krsna chants trigger answering machine remote access

Dan Cross <cross@math.psu.edu>
Mon, 18 Mar 1996 10:35:10 -0500

I bought a CD by the hardcore group ``Shelter'' yesterday. They're a straight edge (that is, no drugs, alcohol, tobacco, etc) band who are also quite into Krsna consciousness.

Track number 11 of this CD is a 5 minute section of Hare Krsna chanting and music. I told my girlfriend this, and she thought that it sounded kind of ``interesting.'' So, when I called her up just a second ago and her answering machine picked up, I thought it would be humorous to play the chants REALLY loud so that it would be picked up over the phone. Thinking that she might be there but just not have answered, I was holding the receiver to my ear, when to my surprise, I heard the answering machine say, ``enter access code for remote operation...''!

I was quite amazed, and speculated that the chanting had had some sort of tone in it that triggered an attempt to use the remote operation facility present in most modern answering machines.

The risk? Things like this go to illustrate how far our modern technical society has come, and how it has grown in many different directions at once. It is possible to say that we have advanced to such a point in so many areas that seemingly innocuous things in one (such as a track of music on a CD) can trigger *very* unexpected results in another.

Dan C.

Medical Device Recalls: Heart monitor

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 15 Mar 96 8:49:54 PST

Here is an item reminding us of the pervasiveness of RISKS problems:

From Public Citizen's Health Research Group *Health Letter*
(HRG founded by Ralph Nader and Dr. Sidney Wolfe), Mar 1996, p.8:

Point of View Heart Rate and Blood Pressure Monitor (Class II Recall) Monitor resets itself causing information to be suspended, necessitating reprogramming.
Model #:0998-00-0105-01, 424 units distributed world-wide
Manufacturer: Datascope Corporation, Paramus NJ 800-288-2121
Recalled By: Manufacturer


Jury-duty-pool selection-criteria risks

Varda Reisner Bruhin <varda@varda.org>
Mon, 18 Mar 1996 07:07:11 -0500

Emily Green, of New Jersey, has been called to jury-duty -- but she will not be serving; she has what is being considered a "valid excuse": She needs to go to school... Emily is only 8 years old and, therefore, is not *eligible* for jury duty... So why was she even summoned in the first place? Because Governor Christine Whitman has banned all automatic exemptions from jury duty... [Source: WPVI-TV6, Philadelphia]

I think the RISKs here are obvious!

Varda Reisner Bruhin <varda@varda.org> <wordsmith@varda.org>

FTC Targets Internet Fraud (Edupage, 17 March 1996)

Educom <educom@elanor.oit.unc.edu>
Sun, 17 Mar 1996 19:56:44 -0500 (EST)

The Federal Trade Commission is conducting a "wholesale crackdown" on perpetrators of allegedly deceptive marketing schemes that are advertised in Internet news groups or on the World Wide Web. Charges were filed against nine individuals or companies accused of misleading the public, and agency officials say this is only the beginning: "The Internet opens a world of opportunities for consumers. Unfortunately, it also presents opportunities for scam artists. We intend to monitor the Internet rigorously and act decisively when we see deceptive and misleading marketing," says the director of the FTC's Bureau of Consumer Protection. (*Investor's Business Daily*, 15 Mar 1996, A4)


Iomega Stock Volatility Blamed on AOL Postings (Edupage, 17 Mar 1996)

Educom <educom@elanor.oit.unc.edu>
Sun, 17 Mar 1996 19:56:44 -0500 (EST)

Iomega, maker of high-capacity removable disk drives, is the focus of controversy on America Online's Motley Fool bulletin board. Company officials have complained to the SEC that postings on Motley Fool and other BBSs have contained false information and may be contributing to the volatility of its stock. Online exposure has "raised the visibility of some stocks as well as the interest in those stocks," says an outside spokesman for Iomega. "At the same time, we're very concerned about how online services can be used to attempt to drive stock prices higher or lower through misinformation." Postings about Iomega escalated to flaming and physical threats last month, causing Motley Fool to pull some of the more offensive ones, but critics of online BBSs note Iomega's problems are a result of the practice of using "screen names" and the lack of verification of information that's posted. "You don't know if the person is a Ph.D. or in Sing Sing," says one critic. (*Wall Street Journal*, 15 Mar 1996, A5C)


Risks of onboard flight manuals

Hank Nussbacher <hank@ibm.net.il>
Sun, 17 Mar 96 10:02:08 UTC

A friend of mine is the general manager of a company called Excalibur that makes simulators of airline computers. He was recently sitting with a rep of a different company that happens to be a co-pilot of 747s. The guy wanted to buy some of Excalibur's processor cards to test out the system they are designing. What system? Turning all online airline manuals into an intelligent information system. Turns out that each 747 has a shelf of books the size of telephone books describing what to do and when to do it.

The pilot was describing that it is constantly being updated by Boeing or by a specific airline and that it is close to impossible to find anything or understand anything in these onboard manuals. As an example, he produced a page from Northwest Airlines updates to the B-747 Emergency/Abnormal Procedures when there is a fuel-line blockage (17 Oct 1995, page 2.28.13):

# 5. Scavenge center tank until empty.
# If, after the center tank is empty, the NO 2 MAIN tank quantity is greater
# than the NO 1 MAIN tank quantity plus the NO 1 RES and/or the NO 3 MAIN
# tank quantity is greater than and NO 4. MAIN tank quantity plus the NO 4
# RES: Accomplish the "Inboard Dual Boost Pump Failure or Inboard X-Feed
# Valve Failure Without Center Tank Fuel" procedure in this section.

The pilot said ``Imagine you are 30,000 feet up and you have a fuel blockage and the co-pilot starts reading this?'' He said this is a typical type of page. The risks are obvious.

Hank Nussbacher Israel

Foreign CDA

Kurt Fredriksson <etxkfrn@aom.ericsson.se>
Mon, 19 Feb 96 08:05:52 +0100

There are two aspects of the censorship of the Internet that haven't been published in the Risks-Forum yet:

  1. Even if most of the material found on the Internet is written in English, there exists material in other languages. If you are doing a search for English indecent words, I am pretty sure that you will get hits. But the word may not be indecent in the foreign language. (An innocent example: The Swedish for the digit six is "sex".)
  2. How much it must hurt the feelings of the inhabitants of the country who started it all: you can't control the net. It has grown out of the control of an individual country.
If every country in the world bans what they dislike, what will be left?
Kurt Fredriksson, Sweden

Risks of assuming all computers are PCs

Timothy Panton <tim@West.NL>
Tue, 19 Mar 1996 16:41:06 +0100

I gave a talk at Sun's Dutch JavaDay last Thursday. In keeping with the WWW atmosphere, I presented my slides from HTML pages, and (stupidly) without notes. Two unpleasant things happened to me whilst on stage. When I walked on, the previous speaker handed me a mouse and said "You will have to plug this in". He had used it to illustrate some of the basic problems Java has to overcome (1 button vs 3 button mice). Now whilst you can unplug a mouse from a PC with out much risk, Sparcs (which is what was sitting in front of me) tend to halt if they lose contact with their rodent. Fortunately this one didn't.

The second thing was *much* worse. I was demonstrating an applet I've written that monitors the status of a UPS. Due to the weight of the UPS and the security restrictions in Java, I had chosen to leave the UPS in my office, attached to my Solaris-2.4-on-intel workstation, and also run a web server there to provide the slides and the application over the live internet link Sun provided.

So there I was on stage with no notes -- when the next slide refused to come up. I continued from memory and my colleague in the audience called back to the office to see what had happened. It was quickly fixed, and my talk finished ok -- but having aged me considerably.

So, what had happened? One of my colleagues was looking for a PC to do some windows work, and seeing my unoccupied work place decided to shutdown Solaris and reboot it into windows. Conclusions:

  1. buy post-it-notes and write "Keep off - beware of the OG" on them next time.
  2. People who work with PC's assume that all computers behave the same way.
Tim

PacBell ID Blocking [For California readers]

Henry Baker <hbaker@netcom.com>
Fri, 15 Mar 1996 12:50:34 -0800

PacBell will allow you to do `complete blocking' of caller ID for *free* -- but you have to call 1 (800) 298-5000 and specifically request this. You also have to listen to this 2-3 minute canned speech extolling the virtues of caller ID before they'll let you get complete blocking. This number supposedly works 24 hours/day, 7 days/week.

It's very irritating that `complete blocking' wasn't made the default, but perhaps these telecom dinosaurs will learn a lesson if most people sign up for complete blocking. Due to the number of busy signals, I gather that a lot of people aren't interested in caller ID.

BTW, even if you have `complete blocking', I think that you can make your ID available on a per-call basis by predialing `*82' before the number. I understand that even complete blocking does not block (800), (900) and 976- ID's. To do that, you have to call one of these `remailer'-type services, which charge you something like $3/minute.

www/ftp directory: ftp://ftp.netcom.com/pub/hb/hbaker/home.html


Response from Strassmann/Marlow illustrates further risk (17.90)

Benjamin Bokich <bokich@andrews.edu>
Sat, 16 Mar 1996 19:22:22 -0500 (EST)

Both Mr. Mayer-Schoenberger's original message as well as the response by Messers. Strassmann/Marlow point to an obvious, but often forgotten, risk regarding information on the Internet: Namely, the propensity to take anything posted or submitted at face-value and to trust someone else's words and report explicitly. (If we want to be truly cynical and doubting Thomases, we could also ask if e-mail from Dorothy Denning can be relied on to be Strassmann/Marlow's actual thoughts. I have no doubt, however, that our moderator did some checking of his own to ensure reliability.) Simply put, even in the absence of deliberate misrepresentation, any statement made on the net is subject to a certain degree of human bias.

Benjamin Bokich bokich@andrews.edu

Flash Crowds

"David M. Chess" <chess@watson.ibm.com>
Mon, 18 Mar 96 14:02:12 EST

For a taxonomy of risks that includes this very term, see

http://www.research.ibm.com/massive/bump.html

We've also got weeds, freeloaders, and Flying Dutchmen, as well as the usual Trojan horses, viruses, and worms...

David Chess, IBM T. J. Watson Research

Re: Netscape's syntax checking (Kamens, RISKS-17.89)

Matt Welsh <mdw@CS.Cornell.EDU>
13 Mar 1996 10:49:47 -0500

Welcome to the computer industry. Companies with a large market share in a particular area are always apt to ignore the "recognized" standardization process and implement features which are (a) great for their product, and (b) probably hard to duplicate in other products.

When applied to operating systems, APIs, and protocols, this can lead to serious problems, especially when those features are "proprietary". Need I cite examples?

All this amounts to is that "standards" are only as good as the company-centric market in which they are derived. Jonathan says that the HTML standardization process is "recognized" --- recognized by whom? Certainly not Netscape.
M. Welsh, mdw@cs.cornell.edu

Re: Netscape's syntax checking (Kamens, RISKS-17.89)

Max TenEyck Woodbury <mtew@cds.duke.edu>
Thu, 14 Mar 1996 13:52:51 -0500

While I do not particularly care for the way Netscape and its creators
treat syntax errors, Jonathan goes much too far in his condemnation. In my view a standard is a set of minimum requirements. There are many situations when a designer may want to go beyond the standard. As long as the person responsible for the design is aware the the standard is being broached, and what the consequence of that departure from the standard are, and is willing to take responsibility for those consequences, that person should be allowed to do what he or she wants.

However, the existence of Netscape's or any other extensions to the HTML standard should NOT be subject to debate. Without an ability to try new things, a standard becomes an inescapable cage, and that which is confined to the cage will eventually die of starvation.

Jonathan, in condemning the Netscape extensions, is attacking the wrong problem. If he did succeed in getting what he wanted, we would all loose by it.

On the other hand, the creators of Netscape must recognize that it is one of the tools, and sometimes the only tool other than a simple text editor, used to design web pages and has to provide a mode where departures from the standard can be flagged. While I am not positive what the consequence of a failure to provide such a flag will be, I suspect that Netscape will loose some market share to any decent browser that does provide such a capability.

Max TenEyck Woodbury

Internet Privacy and Security, Call for Papers

"Joseph M. Reagle Jr." <reagle@mit.edu>
Fri, 15 Mar 1996 12:17:23 -0500

CALL FOR PAPERS
INTERNET PRIVACY AND SECURITY WORKSHOP
Haystack Observatory, MA
May 20-21, 1996
Privacy and Security Working Group
Federal Networking Council
Research Program on Communications Policy
Center for Technology, Policy, and Industrial Development
Massachusetts Institute of Technology

INVITATION

The Privacy and Security Working Group (PSWG) of the Federal Networking Council (FNC) and the Research Program on Communications Policy of the Center for Technology, Policy, and Industrial Development at the Massachusetts Institute of Technology will hold an invitational workshop at the Haystack Observatory outside of Boston, MA, on May 20-21, 1996. This workshop is intended to bring Federal, academic and private sector participants together in collaboration to develop strategies and potential solutions related to Internet privacy and security.

Though a principal focus of the workshop will be on the Federal portion of the Internet, the FNC recognizes that the Federal Internet is tightly coupled with the Global Internet, whose security policies, practices, and goals are complementary to those of the Federal Government. To define those practices, procedures and goals, the PSWG has undertaken two major initiatives:

These initiatives are intended to highlight the critical interface between Federal and commercial users and developers of Internet services and technologies.

OBJECTIVES

This workshop will bring together principal players in the Federal and overall Internet community to discuss the problems and challenges of privacy and security on the Internet, and will:

SUBMISSIONS

Abstracts or complete paper drafts related to the topics listed above are welcome. Accepted papers will be a part of the published record of the workshop. All points of view on Federal policies affecting Internet privacy and security are welcome. Please make all electronic submissions in ASCII format.

For further information or to submit an abstract or paper contact:

Internet Security and Privacy Workshop c/o Joseph Reagle
Research Program on Communications Policy
Massachusetts Institute of Technology
One Amherst St. (E40-218)
Cambridge, MA 02139
Voice: (617) 253-4138.
Fax: (617) 253-7326
papers@rpcp.mit.edu

SCHEDULE and DEADLINES

Call for papers - March 14, 1996
Abstracts Due - April 14, 1996
Invitations to Participants - April 20, 1996
Revised/Completed papers due - May 19, 1996
Workshop - May 20-21, 1996

PARTICIPANTS

Participation in the workshop is by invitation, based primarily on submitted papers and abstracts. Additional individuals may be invited to ensure that participation reflects a broad cross-section of the Internet community.

PROGRAM COMMITTEE

Dennis Branstad - Trusted Information Systems (TIS) Rich Pethia - Computer Emergency Response Team (CERT) Jeffrey Schiller - Massachusetts Institute of Technology (MIT) Richard Solomon - Massachusetts Institute of Technology (MIT) Rick Stevens - Department of Energy /Argonne National Labs (DOE)

STEERING COMMITTEE

Stephen Squires, DARPA (FNC/PSWG Co-Chair)
Dennis Steinauer, NIST (FNC/PSWG Co-Chair)
Tice DeYoung, NASA
Phillip Dykstra, Army Research Laboratory (ARL)
Mike Green, NSA
George Seweryniak, Department of Energy (DOE)
Walter Wiebe, Federal Networking Council (FNC)

BACKGROUND

Federal Internet Security Plan: In September 1995, the PSWG published the draft Federal Internet Security Plan (FISP). The FISP is oriented toward a scalable, continual improvement process, based on common principles and mechanisms compatible with Internet community values and needs. See <http://www.fnc.gov/SWG.html>. The plan addresses Internet security
requirements, including interoperability, from the perspective of the goals and objectives outlined in the National Performance Review (NPR), http://www.npr.gov/. The Federal Networking Council developed this framework in conjunction with its Advisory Committee which represents industry, academia, and non-profit sectors.

Action Items, from the FISP, to be addressed during the Workshop:

Internet Security Policy and Policy Support Activities

Internet Security and Technology Development Internet Security Infrastructure Education and Awareness Collaborations in Internet Security: With the Federal government's ever-increasing dependency on computers and distributed systems, there is great urgency for it to develop and employ enhanced information system security technologies and practices. At the same time, these Federal technologies must interoperate with those of the broader Internet community (encompassing the private and academic sectors, along with the Federal sector).

In recognition of these needs, the Federal Networking Council's Privacy & Security Working Group (FNC/PSWG) has been awarded a National Performance Review (NPR) Innovation Fund grant to compare and validate agency approaches to security. This Collaborations in Internet Security (CIS) project aims to test the strength of these technologies beyond individual agency networking environments, emphasizing the inter-agency and agency-commercial sector communications. The CIS will result in the development of a new and sustainable process for developing, integrating, and deploying security technology that is interoperable at all levels of the Federal Government and within the commercial and academic sectors.

The governing principles behind the Security Testbeds include: employment of an open process (with the activities and results open to participation and comment by both public and private sector participants); a focus on multivendor technologies; an emphasis on testing and experimentally deploying security technologies emerging from research and private sectors as well as security technologies currently in use in the commercial environment; and an underlying objective to ensure interoperability among the broad Internet community (federal, private, and academic). Initial tests will include demonstrations of Kerberos v.5, testing of single-use passwords, and digital signatures. For more information, please see (http://www.fnc.gov/cis_page.html)


InfoWarCon V 1996: Call For Papers

<winn@Infowar.Com>
Sat, 16 Mar 1996 23:01:35 -0500

InfoWarCon 5, 1996
Fifth International Information Warfare Conference
"Dominating the Battlefields of Business and War"
September 5-6, 1996
Washington, DC

Sponsored by:
Winn Schwartau, Interpact, Inc.
National Computer Security Association
Robert Steele, Open Source Solutions, Inc.

Information Warfare represents a global challenge that faces all late-industrial and information age nation states. It also represents the easiest and cheapest way for less developed nation-states and religious or political movements to anonymously and grievously attack major nations and international corporations.

This Fifth International Conference on Information Warfare is an unclassified, open source conference, and will examine US and global perspectives on all three classes of Information Warfare:

Class One: Personal Privacy: In Cyberspace You Are Guilty Until Proven Innocent
Class Two: Industrial and Economic Spying and Warfare
Class Three: Global Conflict, Terrorism and the Military

The three planned tracks will be:

We are seeking forward-thinking papers, demonstrations and interactive concepts for presentation to an audience of 1000+, representing civilian and military from more than 20 countries, all branches of the US government and the top US corporations.

The papers should offer new perspectives, attitudes, studies, and technologies that can be used for the advancement of the field. You are free to submit on any subject matter, including, but not limited to:

Please submit your 1-2 page concept white papers no later than May 5, 1996. The evaluation committee will let you know the results by May 15, at which point we will need your complete submission no later than July 15, 1996. Send you papers to Betty@Infowar.Com

For sponsorship opportunities and registration information at InfoWarCon V 1996, please contact: National Computer Security Association
1.800.488.4595 pgates@ncsa.com or infowar96@ncsa.com

Winn Schwartau - Interpact, Inc., Information Warfare and InfoSec
V: 813.393.6600 / F: 813.393.6361 Winn@InfoWar.Com

Please report problems with the web pages to the maintainer

Top