The RISKS Digest
Volume 18 Issue 05

Friday, 19th April 1996

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

NYPD phone system cracked
Fernando Pereira
Judge: Computer encryption codes ruled protected speech
Jay J. Kahn
Euthanasia via computer
Pete Grooby
Internal Revenue Service browser
Dave Del Torto
Capitalizing on the Millennium
Steve Summit
Consumer risks on the Internet
Mike Wyman
Re: The joys of FAX [and other] machines
Greg Gomberg
Re: Daylight Savings Time problem: Netscape 2.*
Mark Phaedrus
Re: OS/2 TCP/IP security
Lionel B. Dyck
Re: Microsoft Exchange e-mail aliases etc.
Chris Koenigsberg
More Microsoft Viruses
Edupage
Demise of the Web Predicted
Edupage
Web Called "Ultimate Act of Intellectual Colonialism"
Edupage
The RISKS of College Admissions
Maddi Sojourner
IEEE Symposium on Security and Privacy 1996
Dale M. Johnson
Safety Critical Systems Vacation School Announcement
Mike Brown
Info on RISKS (comp.risks)

NYPD phone system cracked

Fernando Pereira <pereira@research.att.com>
Fri, 19 Apr 1996 11:06:00 -0400
The AP reports today that, according to the *New York Post*, callers to New
York Police Department headquarters for 12 hours ending 6am Tuesday [16 Apr
1996] heard a bogus recording that included the following: ``You have
reached the New York City Police Department. For any real emergencies, dial
119. Anyone else — we're a little busy right now eating some donuts and
having coffee.'' It continued ``You can just hold the line. We'll get back
to you. We're a little slow, if you know what I mean. Thank you.'' The NYPD
had no immediate comment, but unnamed police sources believe hackers broke
access controls and changed the message.

Fernando Pereira, 2B-441, AT&T Bell Laboratories
600 Mountain Ave, Murray Hill, NJ 07974-0636  pereira@research.att.com

   [Also reported by  Steven Bellovin <smb@research.att.com>.  PGN]


Judge: Computer encryption codes ruled protected speech

Jay J. Kahn <jkahn@smiley.mitre.org>
Wed, 17 Apr 1996 10:49:58 -0500
Source: http://www.usatoday.com/news/nds19.htm [PGN Abstracting]

U.S. District Judge Marilyn Hall Patel released a ruling on 16 Apr 1996 that
mathematician Daniel Bernstein could try to prove that the U.S. export
controls on encryption technology are too broad and violate his right to
communicate with other scientists and computer buffs — a right protected by
freedom of speech.  (Bernstein's cryptographic programs are called Snuffle
and Unsnuffle.  The U.S. State Department decided in 1993 that Bernstein's
written article and programs required export licenses [because crypto
purveyors are considered as being international arms dealers under ITAR],
but later backed down on restricting the article; Bernstein then had sued
for release of the programs.)

David Banisar of the Electronic Privacy Information Center (EPIC) is quoted
in the news item: ``It's important to recognize that computerized
information has the same kind of legal protection that printed information
has.''

  [There are various news items on 18 Apr in the press.  The EFF EFFector
  Online 09.04 (see http://www.eff.org) provides useful background.  PGN]


Euthanasia via computer

Pete Grooby <Peter_Grooby@trimble.co.nz>
Fri, 19 Apr 96 09:57:40
I saw a news item last night about a euthanasia law which will soon be
passed in the Northern Territory of Australia.  During the article they
showed the system by which patients could terminate their own lives.

An automated syringe full of a lethal substance was hooked up to a laptop.
The patient was asked a series of questions about whether or not they really
wanted to kill themselves.  At the end of the questions they click on a
button to activate the injection and they die within 30 seconds afterwards.

This would seem to be the ultimate in mission-critical applications, and one
assumes that it has been tested thoroughly (without anyone attached).

I also noted that the laptop was a Mac.  I shudder to think of the risks of
running such a system under Windows 3.1.

Pete Grooby

  [This is in today's papers here.  It would be difficult to do a complete
  system test without a real person; all the components might work just fine
  individually without being properly integrated.  Worse yet would be having
  a specification that is concerned only with the system functioning
  correctly when the final YES confirmation is input, without worrying about
  accidental triggering, false positives, sneak paths, hazards, race
  conditions, malicious reprogramming to change the defaults or even
  have the program masquerade as a common icon such as file-delete instead
  of person-delete that might trap unsuspecting victims who happened to use
  the laptop, etc.  No jokes about poisoned apples, please.  PGN]


Internal Revenue Service browser

Dave Del Torto <ddt@lsd.com>
Tue, 16 Apr 1996 04:40:51 -0700

[from SF Examiner somewhere around 12-14 April 96]

"IRS Worker Took Peek at Celebrities' Records" [Associated Press]

  Memphis - A former IRS employee who said boredom had led him to peek at
  the tax records of President Clinton, Elvis Presley, and other famous
  people has been acquitted of federal charges.  Robert Patterson, 38, said
  it wasn't malicious - he was just trying to learn how to better use the
  Internal Revenue Service computers.  "I was sitting there bored, so I
  started punching up names," said Patterson.

Hmmm. _We_ do it, it's "malicious cracking/hacking" and they toss us in
the clink... _they_ do it, and it's "practice" (and they get acquitted).
And _these_ are the people who want to escrow _my_ keys? As IF!

Not only that, but also if the guy's so damn _bored_, why doesn't he spend
some time FIXING the damn computer systems at IRS (see current cover of
Information Week mag). Not that I particularly WANT them to fix the
infernal revenue suckers...

BTW, where do they _find_ these people? He's hacking around in Clinton's tax
records and he _doesn't_ expect Secret Service agents crawling up his
yin-yang within minutes? Obviously, "thinking too much" is _not_ this chap's
problem.


Capitalizing on the Millennium

Steve Summit <scs@eskimo.com>
Thu, 18 Apr 1996 14:10:12 -0700 (PDT)
I was intrigued by the subject of an article in the *Seattle Times* business
section, 17 Apr 1996, which needs no further comment for RISKS readers:

    [by Greg Heberlein, Seattle Times business reporter]

    A Bellevue company's stock has tripled in value in
    the past 12 trading sessions...

    Data Dimensions is a service company whose sole mission --
    since 1993 -- has been to help companies reconfigure their
    computers so the years 2000 and beyond will not be recognized
    as 1900s.  There is believed to be a multimillion-dollar
    market for such a service.

And then, yesterday evening, I noticed a new book in the computer section of
my local technical bookstore:

    Jerome T. Murray and Marilyn J. Murray
    The Year 2000 Computing Crisis
    A Millennium Date Conversion Plan
    McGraw Hill, 1996
    ISBN 0-07-912945-5

It was full of suggested code for patching legacy systems.

Steve Summit  scs@eskimo.com

 [How many more such companies will go public before 1/1/00?
 And what will they do for their stockholders thereafter?  PGN]


Consumer risks on the Internet

Mike Wyman <wyman@tiac.net>
Thu, 18 Apr 1996 21:11:57 -0400
The most publicized risk associated with consumer commerce on the Internet
is that of one's credit card number being misappropriated. This risk pales
beside the one recently introduced by PC Flowers and Gifts, a joint venture
involving no-one less than IBM.

I attempted to use PC Flowers (http://www.pcgifts.ibm.com) to order (a
fairly extravagant) floral arrangement to celebrate my mother's 75th
birthday. To my chagrin (and embarrassment) the flowers never arrived. After
_two_ e-mail messages over three days inquiring as to the state of my
(ostensibly) confirmed order, I received the following response:

>Dear Mr. Wyman,
>
>Please accept our apology for the delay in messaging you back.
>
>PC Flowers & Gifts recently moved our web site servers and we have been
>experiencing some problems.  Unfortunately, we did not receive order number
>100061.  Since we have no record of the order, your credit card was never
>charged.  Our programmers are working on this matter and hopefully very soon
>the problem will be corrected.
>
>We are very sorry for any inconvenience this has caused.  Belinda @ PC
>Flowers & Gifts
>

I would have much preferred having my credit card stolen than having to
explain to my mom why she did not receive a gift on her 75th birthday.

Obviously, these folks leave a little bit to be desired when it comes to
testing the installation of new systems.

Mike Wyman  wyman@tiac.net  http://www.tiac.net/users/wyman/


Re: The joys of FAX [and other] machines (Dean, RISKS-18.04)

Gomberg Greg <GombergG@logica.com>
Tue, 16 Apr 96 10:35:00 bst
I expect you'll get a fair bit of "me too" follow up to Drew Dean's item on
margin losses in RISKS-18.04 on the "joys of FAX machines". Here's mine.

I have seen a lot of this sort of thing from attempts to pass documents
between US and European offices. Because of the difference in paper sizes we
lose material from margins on the long edge (US->European) or the short edge
(European->US). The differences are small and the affected areas are usually
blank, but occasionally ...

I wish this were specific to FAX machines; it affects photocopying and, most
irritating, documents published as Postscript - these are cropped by the
printer. The latter is most irritating because it is easily avoided by the
"publisher" and difficult for the recipient to fix (or even to notice). Even
documents sent as word processor or markup files are not immune because the
printed versions do not correspond - readers thinking they have identical
documents can be confused and, in bad cases, cross references are incorrect.

Greg Gomberg [Greg's disclaimer covered by RISKS standard disclaimer]


Re: Daylight Savings Time problem: Netscape 2.* (Whitehead, RISKS-18.04)

Mark Phaedrus <phaedrus@halcyon.com>
Tue, 16 Apr 1996 10:23:50 -0700
     Actually, Netscape has publicly announced that "We are preparing to
release Netscape Navigator 2.02 in the next two weeks to fix this problem."
(Source: <URL:http://home.netscape.com/misc/DST_err.html>.)  They also give
one other, rather unsatisfactory workaround (besides clearing or zeroing
your disk cache, or setting the time-zone variable correctly): set your
machine's clock back an hour...

  [Also noted by
     Prentiss Riddle <riddle@is.rice.edu> and
     "J. David Stanton, Jr." <jstanton@coin.state.pa.us>.  PGN]


Re: OS/2 TCP/IP security (Bentley, RISKS-18.04)

Lionel B. Dyck <syslbd@ncal.kaiperm.org> (Talklink OS/2 BBS)
16 Apr 1996 17:56:58 EDT
I just read RISKS-18.04 and found the piece on OS/2's TCP/IP Telnet security
worthwhile but somewhat outdated. IBM provides the user the ability to
replace the existing (default) Telnet Login.exe with another (loginunx.exe)
that supports multiple userids with unique passwords that are maintained in
a file that is encrypted. The password file (PASSWD) is maintained in the
same manner as the Unix password file - unfortunately IBM doesn't supply a
tool to manage this file but you can ftp from various OS/2 ftp sites a file
called PASSWD.ZIP which provides a tool to maintain that file. Thus the OS/2
user who enables Telnet to their workstation can provide a reasonably secure
interface to only trusted users.

Lionel B. Dyck, OS/2 Advisor (Talklink OS/2 BBS)
syslbd@ncal.kaiperm.org


Re: Microsoft Exchange e-mail aliases etc. (RISKS-18.02)

Chris Koenigsberg, ckk@pobox.com <ckk@uchicago.edu>
Tue, 16 Apr 1996 20:39:59 GMT
Following up on the discussion begun in 18.02, here's another relevant
incident involving bad aliases (I think it was Microsoft Mail rather than
Exchange):

Just a few days ago, we suddenly started getting obviously internal,
confidential e-mail, from various members of some local law firm, addressed
to our Mailer-Daemon (which is forwarded to 3 responsible sysadmins here).

Repeated replies from me to the senders, warning them to stop including our
Mailer-Daemon in their internal replies, were unheeded. Finally, a day
later, I got a frantic phone call from one of them, who was taking on the
added volunteer duty of administering the Microsoft Mail system there. He
said that his colleagues were all asking what the hell was going on, why was
I replying to their internal confidential mail messages that they were
simply addressing to "All-Staff"?

Somehow he had literally added our Mailer-Daemon to an internal system-wide
MS-Mail "All-Staff" alias there. I assume that he, or someone else, had
previously tried to e-mail someone here, perhaps in our Law School, had made
a typo in the address, gotten a reply back from the infamous Mailer-Daemon,
and mistakenly pasted the Mailer-Daemon's address into their PERSONAL alias
book, and subsequently copied their PERSONAL aliases blindly into the SYSTEM
alias. (did I ever tell you about the fascinating love letters we get,
mistakenly addressed to the Mailer-Daemon? :-)

Their internal MS-Mail users would simply address their messages to
"All-Staff" and not even see the expansion of the alias, which is
reasonable (why should the users be bothered with the expansion for
every message to the whole staff?).

(in fact, the first of their puzzling messages leaked to us was from
this guy, saying "OK everyone, I've finally got the staff-wide alias
working! Fire away!" :-)

The problem is, no one was carefully auditing the results. Since no
one actually was paid to be a system administrator, no one bothered to
carefully examine the system-wide aliases. So their confidential mail,
about alternative possible strategies of argument before the judge in
a current pending case, were all forwarded to us!

Of course we offered to delete our copies for a very reasonable fee
:-) :-) (no, I'm kidding, we really did delete them, although perhaps
they made it onto a backup tape or two, maybe even a long-term
archival storage tape? hmm...)

Chris Koenigsberg  ckk@uchicago.edu, ckk@pobox.com
http://www2.uchicago.edu/ns-acs/ckk/index.html (also http://www.pobox.com/~ckk)
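
  [Added example, not part of the original posting and not Microsoft Mail's
  own format: one way to do the audit whose absence is described above, by
  fully expanding a system-wide alias (including nested personal alias books)
  and flagging every recipient that lies outside the organisation or is an
  automated mailbox such as a Mailer-Daemon. The alias table, domains and
  addresses are constructed for illustration.]

```python
"""Audit mail alias expansions for recipients outside the organisation.

Constructed example: alias names, domains and addresses are invented, and
the alias table is a plain dict (keys lowercase), not any mailer's format.
"""

INTERNAL_DOMAINS = {"lawfirm.example"}   # assumption: the firm's own domain
ROLE_LOCALPARTS = {"mailer-daemon", "postmaster", "root", "nobody"}

# A system-wide alias that pulls in a personal alias book containing a
# pasted bounce address, mirroring the incident described in the posting.
ALIASES = {
    "all-staff": ["partners", "associates", "admin-personal"],
    "partners": ["alice@lawfirm.example", "bob@lawfirm.example"],
    "associates": ["carol@lawfirm.example", "partners"],
    "admin-personal": ["dave@lawfirm.example",
                       "Mailer-Daemon@university.example"],
}


def expand(alias, aliases, _path=()):
    """Return {address: chain of aliases that first led to it}.

    Nested aliases are followed; an alias loop raises ValueError instead
    of recursing forever.
    """
    key = alias.lower()
    if key in _path:
        raise ValueError("alias loop: " + " -> ".join(_path + (key,)))
    chain = _path + (key,)
    found = {}
    for member in aliases[key]:
        name = member.lower()
        if "@" in name:
            found.setdefault(name, chain)
        elif name in aliases:
            for addr, sub in expand(name, aliases, chain).items():
                found.setdefault(addr, sub)
        else:
            # Unknown bare name: report it rather than silently drop it.
            found.setdefault(name, chain + ("UNRESOLVED",))
    return found


def audit(alias, aliases, internal=INTERNAL_DOMAINS):
    """Return a list of (address, reason, chain) findings for one alias."""
    findings = []
    for addr, chain in sorted(expand(alias, aliases).items()):
        if chain[-1] == "UNRESOLVED":
            findings.append((addr, "unresolved member", chain[:-1]))
            continue
        local, _, domain = addr.rpartition("@")
        if domain not in internal:
            findings.append((addr, "external domain", chain))
        if local in ROLE_LOCALPARTS:
            findings.append((addr, "role or automated mailbox", chain))
    return findings


if __name__ == "__main__":
    for addr, reason, chain in audit("all-staff", ALIASES):
        print(f"{addr}: {reason} (via {' -> '.join(chain)})")
```
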


More Microsoft Viruses (Edupage, 16 Apr 1996)

Edupage Editors <educom@elanor.oit.unc.edu>
Tue, 16 Apr 1996 17:10:07 -0400 (EDT)
First there was the Word virus — now there's a Word Prank Macro Virus,
located in a document on ActiveVRML, Microsoft's software tool for
developing 3-D Web sites.  But what's worse, is that Microsoft had to inform
the programmers who attended its Professional Developers Conference last
month that one of the CD-ROMs it distributed was infected.  A cure is posted
on Microsoft's Web site < http://www.microsoft.com/ >  (*Investor's Business
Daily*, 15 Apr 1996, A8)


Demise of the Web Predicted (Edupage, 16 Apr 1996)

Edupage Editors <educom@elanor.oit.unc.edu>
Tue, 16 Apr 1996 17:10:07 -0400 (EDT)
Mark Stahlman, president of New Media Associates, predicts the death of the
Web this year:  "Advertisers will dump the Web, and businesses that depend
on ad support will become uneconomic.  But the cause won't be the poor
performance caused by `clogged pipes';...  it's more fundamental.  The Web
is a terrible place to manipulate people's unconscious fears, which is the
aim of consumer advertising...  Advertising on the Web has to be
information, not manipulation.  This is because the medium doesn't permit
the psychological games that `impact' a modern audience....  unless the Web
becomes television, as @Home and others hope.  If the Web could readily
deliver video-server-based moving images, then the manipulative techniques
of TV ads could also be Web-delivered.  But the bandwidth just isn't
available, and probably won't be for as long as 10 years...  But there's
still a chance something quite new could happen.  The Web is a medium for
information and education — not unconscious mental manipulation.  What if
the Web's real capability is taken seriously and it becomes the world's
largest adult education system?"  (*Information Week*, 8 Apr 1996, p. 100)


Web Called "Ultimate Act of Intellectual Colonialism" (16 Apr 1996)

Edupage Editors <educom@elanor.oit.unc.edu>
Tue, 16 Apr 1996 17:10:07 -0400 (EDT)
Anatoly Voronov, the director of Glasnet, an Internet service provider in
Russia, says:  "It is just incredible when I hear people talking about how
open the Web is.  It is the ultimate act of intellectual colonialism.  The
product comes from America so we either must adapt to English or stop using
it.  That is the right of any business.  But if you're talking about a
technology that is supposed to open the world to hundreds of millions of
people you are joking.  This just makes the world into new sorts of haves
and have nots."  (*The New York Times*, 14 Apr 1996, Sec.4 p1; in Edupage)


The RISKS of College Admissions

Maddi Sojourner <maddi@genmagic.com>
Wed, 17 Apr 1996 13:57:58 +0000
It's April, which brings us Daylight Savings Time, tax returns, and big, fat
envelopes (or small, thin ones).  Now is the time that high-school seniors
[SEE NOTE 1, below] around the U.S. get responses from the college of their
choice and discover whether the feeling was mutual.

I am an alumna of a university that depends on volunteers to contact and
interview the applicants.  Let's call it Eastern Elitist University (EEU)
[SEE NOTE 2, below], as it is very selective (11%) and expensive.  The
interviews are useful for the students, who have questions about the school
or the admissions process, and to the admissions office, which gets a
personal assessment of the candidate.  The process is particularly important
for candidates who live too far away to schedule a visit to EEU (those
willing to travel usually do so after getting acceptances).

Anyway, I have interviewed a few candidates a year for several years.  This
year, the person in charge of my geographic area, Silicon Valley/South Bay,
handled a lot of the communications by e-mail for those of us who had
access.  All important communications were also sent by US Postal Service.
On Monday, April 8, I received an e-mail message with a list of admitted
candidates, and one of them was a student I had interviewed.  We were
instructed to contact our admits no earlier than Tuesday at 5 PM (to allow
for the accept/reject letter to have arrived first).  We were supposed to
encourage "our" candidates to attend local receptions, visit EEU, and we
were to answer any additional questions, with the goal of encouraging them
to accept the admission offer.

On Tuesday, April 9, I contacted the student, whom I will call "Walter
Williams."  I introduced myself and congratulated him on admission.  It
turned out that Walter had already received another call from someone else
who read the e-mail message, so he was not surprised to hear from me.  But
there was a problem: Walter had received a rejection letter from EEU.

A call to the South Bay chair unearthed where the process went awry: EEU
sent a printout, via Federal Express, of the area's admitted students to the
Northern California chair.  He communicated these results to each regional
chair by telephone.  Each of the regional folks had to contact the
interviewers.

One of the admitted students, who went to the same high school as Walter
Williams, was named "Warner Wilkins."  And somehow, both Warner and Walter
got on the South Bay chair's list.  Since the e-mail message had all the
information nicely formatted (candidate, high school, interviewer, status,
etc.), it made the information look official.  But it wasn't transmitted
that way.  And how did Walter get on the list?  Well, either Mr. Northern
California said the wrong name, or Mr. Silicon Valley heard it.  [See
NOTE 3, below.]

But I'd hate to be at the Walter Williams household that evening, dealing
with the rejection letter, two acceptance phone calls, and finally, two
abject apologies (from myself and Mr. Silicon Valley).

The RISKS?  What seemed like a modern, efficient way to distribute
information was really an old-fashioned game of telephone.  EEU sent the
data out as hard-copy, and the results were distributed as each level saw
fit.  The twist on this old problem was the high-tech delivery at the final
link.  If the whole process had been electronic, then the human error of
confusing "Walter Williams" and "Warner Wilkins" would not have occurred.
But we can't go all-electronic until all the volunteers are willing to, and
that's how we ended up with this "hybrid" data.

  [NOTE 1: hyphenation (not hypenation!) by PGN, who did not want to
           encourage those school seniors who are high all the time.
   NOTE 2: Eli-tist?  That might just refer to Yale and its namesake!
   NOTE 3: In California, chili con carne might become Siliconcarny!  PGN]


IEEE Symposium on Security and Privacy 1996

"Dale M. Johnson" <dmj@linus.mitre.org>
Thu, 18 Apr 1996 09:00:12 -0400
Current topics on risks and computer security will be covered at the
upcoming IEEE Symposium on Security and Privacy to be held 6-8 May 1996 at
the Claremont Resort in Oakland, California.  Since 1980, the Symposium on
Security and Privacy has been the premier forum for presenting developments
in computer security and for bringing together researchers and practitioners
in the field.  This year topics will range from security flaws in Java and
HotJava, presented by Drew Dean, Ed Felten, and Dan S. Wallach from
Princeton University, to covert channels and to security standards for the
OMG's CORBA.  The discussions should be very interesting.  For further
information see http://www.cs.pdx.edu/SP96/ or contact me at dmj@mitre.org.

Dale Johnson, Chair


Safety Critical Systems Vacation School Announcement

Mike Brown <mjdb@dorevale.demon.co.uk>
Wed, 17 Apr 1996 16:49:37 GMT
                   THE INSTITUTION OF ELECTRICAL ENGINEERS
                         Savoy Place London WC2R 0BL
            The Fifth Vacation School on Safety Critical Systems
             Robinson College Cambridge 15 - 18 September 1996
              (Co-sponsored by the British Computer Society)

Since 1992 the Institution of Electrical Engineers has organised an annual
vacation school aimed at providing participants with a broad understanding
of the principles of safety critical systems engineering, with particular
emphasis on the theory and practice of current techniques for defining and
managing the risk potential of computer-based systems.  The fifth in this
series of intensive short residential courses will be held this year at
Robinson College, Cambridge, from Sunday 15th September until Wednesday 18th
September.

The field of safety critical systems includes those processes, products,
and services where a breakdown or design fault is likely to result in death
or injury or damage to property.  Added emphasis is given to the problem of
protecting against such consequences by the development of new legal codes
of product liability.  It is likely to become increasingly difficult for
companies that have not employed explicit risk minimization and management
techniques to argue successfully that they have exercised proper legal care
for the safety of their products and services.

The structure of the vacation school is designed to provide a comprehensive
survey of the issues involved in safety critical systems engineering at a
professional but non-specialist level.  The goal is to provide a framework
of common understanding to link people working in the requirements capture,
architectural design, risk and hazard assessment, reliability, software,
quality assurance, human factors, and project management functions; and to
provide a good foundation for their future professional development.

The vacation school lecture programme is based on the "safety lifecycle"
concept embodied in International Standard IEC 1508, (Functional Safety of
Safety-Related Systems), supplemented by a closely coordinated case study to
provide learning reinforcement and a thematic linkage between the lecture
sessions.

For full details of the vacation school programme and a registration form,
please send e-mail to SEvans@iee.org.uk or write to Miss Sarah Evans at the
address given at the head of this announcement.

Mike (M J D Brown: Newhaven, Peterchurch, Herefordshire HR2 0RT, England)
