The RISKS Digest
Volume 18 Issue 13

Friday, 17th May 1996

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Netscape 2.02 RISK
Ed Felten
for Tom Cargill
Dirk Balfanz
Drew Dean
and Dan Wallach
Garfinkel/Spafford, Practical UNIX and Internet Security, 2nd ed.
Static hypertext links to dynamic data
John Light
Notebook theft
Denis Parslow
Post-divorce wage gap statistic turns out to be computer error
Mike Coleman
France ISP issues
Simson L. Garfinkel
WWW "Bandwidth Exceeded" signals
Simon Higgs
Re: Software piracy
Li Gong
Simon Arthur
Re: Troubleshooting ValuJet after the crash
James L. Coffey
Re: Morphing Character 217 in Macintosh Geneva Font
Eric Fischer
Re: "Call Girls" web site
Mike Rose
Info on RISKS (comp.risks)

Netscape 2.02 RISK

Ed Felten <felten@CS.Princeton.EDU>
Fri, 17 May 1996 17:11:34 -0400

We have discovered an attack that allows a Java applet running under
Netscape Navigator 2.02 to generate and execute arbitrary machine code.
The attack combines a new security bug found by Tom Cargill with some ideas
previously discovered by the Princeton team.  We have implemented a
demonstration applet that deletes a file.  We are not yet releasing
technical details.

For more information, contact Ed Felten (,
609-258-5906), or see

Tom Cargill
Independent Consultant

Dirk Balfanz, Drew Dean, Ed Felten, Dan Wallach
Dept. of Computer Science, Princeton University

Garfinkel/Spafford, Practical UNIX and Internet Security, 2nd ed.

"Peter G. Neumann" <>
Fri, 17 May 96 10:19:12 PDT
  Practical UNIX and Internet Security, Second Edition
  By Simson Garfinkel and Eugene Spafford
  O'Reilly & Associates, Inc., 1996
  1004 pages.  ISBN: 1-56592-148-8.  $39.95

This book is an extraordinarily successful effort to cram into a mere
thousand pages (971+xxix+ORAads) almost everything you need to know about
Unix and Internet security.  It is a complete rewrite of the First Edition
of 1991, and contains much new material.  In terms of pages per dollar or
cents per page, or much more important, the amount of money it can save you
by keeping you away from a horrendous array of potential security problems,
it is an incredible bargain.  This is a keeper — at least until the Third
Edition comes out, perhaps in 2001.  By then, the authors will be able to
write much more definitively about Java and web browsers, which are treated
only lightly in the Second Edition.  (Too much happening, too fast?)
Everything else, however, seems well covered and very nicely written.  This
is a very readable and very useful book, and deserves to be looked at by all
of you.

  [Note: Coincidentally, the first two errors I found in *PUIS2* relate to
  RISKS: (1) on p.897, the host name for the RISKS archive site (which has
  been since 1 Jan 1995) is listed as crvax (which lead me to
  discover that the old crvax *still* exists, and is what AltaVista picks
  up, but that it contains only issues through volume 16), and (2) on p.879,
  a typo!  One of the great advantages of on-line books will be that errors
  will disappear as rapidly as they are found.  For example, there are still
  a few copies of the first printing of my Computer-Related Risks book
  around with the crvax reference, whereas the third printing correctly has!  THIS PARAGRAPH IS FOR RISKS READERS.  Please truncate
  if this minireview gets redistributed elsewhere.  PGN]

static hypertext links to dynamic data

John Light <>
Thu, 16 May 96 12:42:00 PDT
I was reading the home page of a subsidiary of a *very* high profile WWW

On it was the phrase "bringing [top rated] ...... capabilities", where the
bracketed words were a hypertext link.  I followed the link to Stroud's
Consumate Winsock Applications (, directly
into the appropriate category, where I found that the original product is
*no longer top rated*!.  In fact it had disappeared from the list.  I was
glad this happened because I had not seen Stroud's site before, and the
updated list pointed me at several new products, which probably are better
than the original.

The obvious risk is that pointing to any data *not* on your web site
requires a commitment to a higher level of vigilance and on-going support,
or you may be surprised by the consequences.

John Light

Notebook theft

"Denis Parslow (Almo Distributing)" <>
Mon, 13 May 1996 08:57:35 +0000
PC Week's latest issue (I unfortunately don't have it to quote from)
stated that last year 1 out of every 14 notebooks (sold?) was stolen.

I wish I could quote the rest.

The risks would certainly include the importance of password security, file
access, etc. if your data is *that* likely to be stolen/compromised.

Denis Parslow, Engineering Mgr, Almo Distributing, Trademark Computers

Post-divorce wage gap statistic turns out to be computer error

Mike Coleman <>
Fri, 17 May 96 01:56 CDT
An AP wire story reports that sociologist Lenore J. Weitzman has stated that
a widely publicized statistic in her study "The Divorce Revolution" was
incorrect.  (The statistic was that the standard of living for women's
households dropped 73% in the first year following a divorce, while men's
households rose 42%.)

According to the story, Weitzman "blames the loss of her original computer
data file, a weighting error or a mistake in the computer calculations
performed by a Stanford University research assistant."

Weitzman's data were examined by sociologist Richard R. Peterson, who
determined that the correct figures were 27% and 10%, respectively.

Without knowing more about the dataset and how it was processed, one can
only speculate as to exactly what sort of mistake was made.  The magnitude
of the error suggests, however, that in this case the error might have been
discovered with a rudimentary cross-check, e.g., a histogram of the data or
a manageable random subset.

(The article is currently available as

Mike Coleman, Ctr for Telecomputing Research,

France ISP issues

Simson L. Garfinkel <>
Thu, 16 May 1996 10:50:21 -0400
As a hobby, I run a small ISP on Martha's Vineyard. We have about 350
customers and have a Usenet feed. However, we specifically block the
alt.binaries groups. The principle reason that we do this is to conserve our
bandwidth: receiving alt.binaries would require that we triple our
off-island throughput.

However, even if we did have the alt.binaries groups, I do not think that we
would take a few particular groups. These groups are and  From my point of view, these groups
exist solely for the carriage of child pornography.

US law says that possession of child pornography is a crime. Usenet, unlike
the web, places a copy of every message on your server's hard drive. Any
organization that has these newsgroups within the United States (including
AOL) is in violation of federal law.

I do not by the argument that censoring the and newsgroups will make a provider
legally liable to any message that is sent over the Usenet because they are
now exercising some sort of editorial control. There is a big difference
between deleting individual messages for editorial purposes and the
wholesale deletion of groups.

Simson Garfinkel, President, Vineyard.NET, Inc.

WWW "Bandwidth Exceeded" signals

Simon Higgs <>
Thu, 16 May 1996 14:19:07 -0700
It finally happened. The web finally got it's busy signal. No, not the web
server saying it's busy, since it's happily serving out other pages. User
home-page bandwidth ran out.  Is this a sign of metering to come? Or a
result of refusing to meter user traffic?

Internet Direct have a policy of cutting off a user's web pages when they
have exceeded a predetermined amount of web server bandwidth. This creates
a substantial risk when renting web server space from an ISP for providing
time sensitive, or critical support information.

I'm really disappointed at seeing this kind of interference from an ISP.

--- begin forwarded text

Date: Wed, 15 May 1996 22:31:05 -0700
Subject: 4x4

Bandwidth Exceeded

Unfortunately, due to the extreme load on our user web server, we have been
forced to require each user to stay below a certain maximum daily bandwidth

User a4x4 has currently exceeded his or her bandwidth limit of 26214400
bytes for the day. This bandwidth limit will be reset and the pages will
become available again at 1600 MST.

If you are an Internet Direct customer with high web server bandwidth needs,
you may want to investigate our GoSite Internet Server product.

We apologize for any inconvenience. We feel this new strategy will provide
all of our users with increased speed and better overall performance on
their web pages. If you have questions or concerns about this policy, please
send e-mail to

--- end forwarded text

Simon Higgs  e-mail:

Re: Software piracy (RISKS-18.12)

Li Gong <>
Thu, 16 May 1996 10:22:33 -0700 (PDT)
PGN in RISKS-18.12 quoted San Francisco Chronicle's report that "Pirated
software costs an estimated $12 billion annually worldwide."  I do not
support piracy and such, but would like to point out the grossly exaggerated
nature of such reports.  Use China as an example.

Suppose there is a total ban of illegal sales of pirated software.  The net
result is not that the US companies (or others) will immediately make a lot
more money on these "sold" software.  Instead, not many copies will be sold
for the simple, economic reason.  A case in point.  The Microsoft Visual C++
I bought last year was US$400+.  This translates into about Chinese Yen
Y3600, which is a decent gross annual salary of a university professor in
China.  Now how many copies of this software can you sell?

In the long run, a total ban may actually help the Chinese software industry
to obtain a breathing space and to develop its own software
standard/platform and all.  This would be extremely bad news for companies
such as Microsoft.  A reasonable strategy (e.g., for the US software
industry) would be to sell at heavily discounted prices that the local
market can bear and wait for the purchasing power to grow.

Thus, instead of screaming the piracy nonsense, the US (and other countries)
should see the reality and view the current situation as an extended battle
to retain market share, with its typical associated cost in lost revenue.

Li Gong, SRI Computer Science Laboratory,

Re: Software piracy (RISKS-18.12)

Thu, 16 May 1996 12:46:11 -0700 (PDT)
I am amazed that this figure continues to be printed without anyone
challenging it. This figure assumes that every person who pirates or
purchases a pirate copy of program X would have instead bought the program.
Obviously false.

> * Two CD-ROMs with more than 100 programs ... valued at $50,000

The industry counts this as $50,000 worth of losses. But in fact, I would
be very surprised if anybody who purchased this disk installed both Win95
and WinNT, let alone AutoCad, Notes, or Xing's Mpeg.


Re: Software piracy (RISKS-18.12)

Simon <>
Wed, 15 May 1996 00:31:47 EDT
Interesting. CD's cost about $US3 each to manufacture, last I heard.
With such a markup, the people manufacturing the CD's must be making
a fortune. No wonder they're so hard to stop.

> * Pirated software costs an estimated $12 billion annually worldwide.

You could also look at it like this: Businesses save about $12 billion
annually through flexible adherence to software license agreements.

> * "More than half of all software in existence today is lost to piracy."

Where'd it disappear to? :-)

> according to a chart attributed to Glenco Engineering, Inc.

Glenco Engineering, Inc. manufactures and sells copy protection devices.
See for details and the chart.

Not that I think their numbers are too high. In fact, it seems that in small
businesses in the US about 60% of all software is pirated. In large
corporations, compliance is probably well above 90%. For home users, I'd say
that maybe 90% has not been paid for. These are just my estimates from my
work as a consultant, having visited many businesses.

>     [No one seems to mention the devious opportunity for
>     Trojan horses being added inside the pirate shrinkwrap.]

Far be it from me to provide potential warning to software pirates, but
a person less honest and law-abiding than me might suggest that the greater
danger lies in being swindled by a hot-dog cart guy selling defective disks.

If you need it cheap / Don't buy from that creep.
If Hong Kong won't cut it / But it can't be legit
Think of how much money you'll save / When your software's from Burma (shave).

Simon Arthur

Re: Troubleshooting ValuJet after the crash (Reed, RISKS-18.12)

"James L. Coffey" <>
Wed, 15 May 1996 16:15:31 -0700
My experience (as an evaluator of nuclear power plant operators), is people
tend to quickly forget that an observer is present, if the observer just
watches and doesn't interrupt the operators as they carry out their tasks.
Even if they try to do things in a different manner than they normally do,
they also tend to lapse back into their normal operating mode after a while.
In addition, it is generally pretty obvious to a trained observer when a
crew is trying to "put on a show."

The RISK there is that they will make mistakes they normally wouldn't
because they are not operating like they are used to and that causes
communication and coordination problems and increases the chances of
making an error.

: The RISK is that the FAA will waste a lot of time and energy looking at
: something that won't give them useful information. Perhaps it's time for
: video cameras in the cockpit?

Video cameras, while a useful tool for review and debriefing, will often
miss crucial actions.  The RISK  (or RULE) is that they always point to
the wrong spot.

Re: Morphing Character 217 in Macintosh Geneva Font (Robinson, 18.12)

eric fischer <>
Wed, 15 May 1996 19:32:06 -0500 (CDT)
Paul Robinson reported the surprising behaviour of a Macintosh character
which appears as Y-umlaut in most fonts but as symbols which vary with the
font size in a few others.

The full range of these secret characters was documented in great detail in
Volume I, Issue 2 of _Macworld_ (May/June 1984), as a "treasure" that "only
luck and wild fingers on the keyboard would have unearthed."  The set of
characters in current Macintosh fonts is larger than in the ones that were
available in 1984 (so the special characters were not taking the spot
reserved for Y-umlaut, but were in a location that would otherwise be empty,
but happened to be typable with Option-Shift-Tilde) and, since all the fonts
were bitmapped rather than scalable, and the only output device, the
Imagewriter, matched the screen resolution exactly, there was no confusion
caused by rescaling the fonts to match different output devices.  So the
risk of accidentally misusing these characters didn't come into being when
they were placed into the fonts, but was instead when "legacy" fonts weren't
updated to match newer notions of what Mac fonts should contain.

For the record, here are all the special symbols hidden in the original Mac
fonts, not all of which are still shipped with current Macintosh software:

  New York                Toronto               Chicago, London,
    hearts: 9, 18pt         boxes: 9, 18pt      Monaco:
    robots: 12, 24pt        vines: 12, 24pt       undefined
    musical notes: 14pt     apples: 14pt

  Geneva:                 all sizes:
    sheep: 9, 18pt          Venice: chains
    rabbits: 12, 24pt       San Francisco: cars
    birds: 14pt             Athens: footprints


Re: "Call Girls" web site (RISKS-18.12)

Mike Rose <>
Thu, 16 May 96 12:29:27 EDT
The risk that call-back phone-sex will bring censorship to the net seems
far-fetched.  For starters, I'd bet a big bottle of crisco that those sexy
voices won't be saying anything until they've got a credit card number.

Why would a politician receiving such a call, assuming he or she objects,
blame the internet?  The recipient doesn't know how the transaction to the
call-back service was initiated and, even if they do know, does it really
matter?  Any legal restrictions should be placed on the actual service, not
the ordering mechanism.


Re: Internet in danger (RISKS-18.11)

Mike Crawford <>
Fri, 17 May 1996 12:26:41 -0700
There were two things that happened in Germany.  In one case a local
prosecutor got CompuServe to censor a couple hundred newsgroups.

In the other case, Web Communication's entire web server has been censored
by Germany.  I think they use packet filters to drop packets with's IP address.  This was done because a Canadian customer of
Webcom's is a historical revisionist - his web page argues that the
Holocaust never happened, and promotes Nazi politics, etc.  Germany does not
have complete freedom of speech - promoting Nazism is illegal there.

Germany's effort largely backfired because a number of other sites
immediately provided mirrors for the Nazi.  Webcom's other customers, mostly
ordinary businesses, are blocked out from the whole nation of Germany.

Mike Crawford

   [This is an old story, but has not run in RISKS before.  PGN]

Re: Internet in danger

"Jim Carroll" <>
Thu, 16 May 1996 15:37:39 -0400
Since my comment questioning the 80% figure attributed to hate literature
originating in Canada, I'd like to make some further comments in the hope of
stifling further e-mail.

Has nobody but me stopped to consider what 80% means?  To me, at least, this
implies that out of 


Please report problems with the web pages to the maintainer