The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 20

Weds 12 June 1996

Contents

o Federal Court KOs CDA
    Marc Rotenberg
o The computer is always right - again
    Richard S. MacDonald
o The Risks of *Zero Hour* by Joe Finder
    Peter Wayner
o Re: L-vis Lives in Virtual TV
    Barry L Gingrich
    Eamonn McManus
o Digital photographic forgeries: nothing's ever new!
    Scott Alastair
o Re: Digital unreality
    Jason Eisner
    Lauren Weinstein
o F-15 revisited again
    David Damerell
o Ariane-5 failures
    Bertrand Meyer
    David Wadsworth
o RISKs of bogus FAQs
    Tom Lane
o CFP: 1997 Symposium on Network and Distributed System Security
    Matt Bishop
o Re: HTTP cookie privacy risk
    Kenneth Albanowski
    Rob Streno
    Scott Hazen Mueller
o Info on RISKS (comp.risks)

Federal Court KOs CDA

"Marc Rotenberg" <rotenberg@epic.org>
12 Jun 1996 18:15:34 -0500
In a ruling likely to have a significant impact on the future of the
Internet, a special three-judge federal court today declared the
Communications Decency Act unconstitutional on its face.  The landmark
decision came in a legal challenge initiated by the ACLU, EPIC and 18 other
plaintiffs.  EPIC is both a plaintiff and co-counsel in the litigation.  The
ACLU/EPIC case was consolidated with a subsequent action filed by the
American Library Association and a broad coalition of co-plaintiffs.

Today's lengthy ruling consists of separate opinions authored by the three
members of the federal court panel.  While the three judges differed in
their approaches to the legal issues raised in the case, they were unanimous
in their strong conclusions that the CDA constitutes a clear violation of
the First Amendment.

A complete copy of the opinion, as well as selected excerpts and related
news items, can be found at http://www.epic.org/ .

Marc Rotenberg, EPIC


The computer is always right - again

"Richard S. MacDonald" <dickmac@ix.netcom.com>
Wed, 12 Jun 1996 12:03:51 -0600
A major computer chain recently tried to charge me an exorbitant price for
ZIP disks. The price was about 1.5 times what other stores are selling them
for and about the same amount higher than the price listed on the tag on the
shelf.

The manager was willing to sell me the disks at the shelf price but noted
that they would have to change that since the computer said it was higher.
I told her that their price tag was most likely to be right because of the
comparison to other chains but she insisted that the tag must be wrong
rather than the computer.

I wonder how many people paid $62.96 for the package instead of $45.96 or if
they simply don't sell as many as their competition. I also wonder if
computer stores are more or less likely than other stores to believe that
the computer is in error.

Fortunately in this case there is another chain right across the street...

Richard S. (Dick) MacDonald


The Risks of *Zero Hour* by Joe Finder

Peter Wayner <pcw@access.digex.net>
Mon, 10 Jun 1996 23:30:13 -0400
The dust jacket copy for _Primary Colors_ promises that the book will tell
the truth in a way that only fiction can do. RISKS readers might enjoy a
friend Joe Finder's novel _Zero Hour_ for the same reason. The book is a
crisp thriller that revolves around a high-tech hold up. Many of the plot
twists are modern day extensions of deus ex machina. The characters assume
that technology will do the right thing only to discover that they missed
one fatal detail. Time and time again the plot zigs because of a topic that
would be ripe for comp.risks if the book was only factual. Given that many
fiction writers are often just rogues who wanted a presentable day job, we
might be better off learning these lessons before the less law-abiding
discover them and the twists become fact.


Re: L-vis Lives in Virtual TV (RISKS-18.18)

Barry L Gingrich <gingrich@indra.com>
Mon, 10 Jun 1996 21:39:57 -0600 (MDT)
Think about the logical next step of combining L-Vis, Digital Cable, and
Direct Marketing. (It's the sort of thing you almost don't want to mention
because it just might come to pass... :-) In such a digital world,
micro-marketing is possible. For example, consider a can of soda in an
episode of the X-Files.  Scully's soda appears to be a can of SpiffyFizz
(tm) on my set ("Hey! My favorite!"), while my neighbor sees Diet Kumquat
Royale, and someone across town sees her drinking a can of Nietzsche Lite
Beer.

The possibilities are endless, of course. One effect could be the denial of
the (doctored?) video image as evidence in court, something that's been
predicted for quite some time now. Another could be the crumbling of the
public's faith in the media, something that's also been predicted for Quite
Some Time now.

As T Bone Burnett said, "I have a feeling that once something appears in the
paper, it ceases to be true."

These are societal risks, not technical ones. They certainly are gloomy
predictions, but this technology could provide some benefits as well.  For
example, a filmmaker could correct problems with a particular scene (a la
what was done for a scene with Brandon Lee in "The Crow"), obviating the
need for a reshoot.  The technology has great potential for abuse, but the
people who would abuse it are *people*, and the risk lies with them. It's
much like the arguments over the 'net: Is it a pit of doom, a pillar of
hope, or a useful tool?

There are many things that could go wrong, of course, and I'm sure the
denizens of RISKS will collect ample examples of L-VIS wipeouts, screw-ups,
and wacky unexpected behaviors.

Barry L. Gingrich  gingrich@indra.com


Re: L-Vis Lives in Virtual TV (Ackeret, RISKS-18.19)

Eamonn McManus <emcmanus@gr.osf.org>
Tue, 11 Jun 96 11:00:23 -0400
In RISKS-18.19, Matt Ackeret says, of the electronic insertion of
advertisements into live video, that the system is "really lame" and
"jitters all over the place", and that it uses "regular old green screen
chroma key".  This is plainly not the same system that I saw a report on in
February on French TV.  In that report, they showed images from the Open Gaz
de France as broadcast in France and in Germany.  The French images were
untouched but in the German ones a French ad behind one of the players was
replaced by an equivalent German one.  The substitution was *absolutely
imperceptible*, and this even though the field being replaced was not a
simple green rectangle but an ad in black on white.

The report mentioned that the system had been developed by a French company,
so it is presumably not the same as the Princeton Video Image system
mentioned by PGN.  The image processing is done by a bank of equipment in a
small truck on site.  It may be that the TV standards (PAL and SECAM) used
in Europe lend themselves more easily to this kind of treatment than the US
standard.

Eamonn McManus    Grenoble, France   <emcmanus@gr.osf.org>


Digital photographic forgeries: nothing's ever new!

"Scott Alastair (Exchange)" <ScottA@logica.com>
Tue, 11 Jun 1996 09:27:58 +0100
Tampering with images has been done, I would suspect, ever since the
birth of photography: I can think, off the top of my head, of a number
of cases from well before the age of computer imaging:

(i) Retouching of facial features to make family members appear
villainous (1911);

(ii) Removal of Trotsky from a picture, plus many other similar
forgeries (1928);

(iii) Removal of Soviet astronauts from group photographs when they
fell out of favour (1950s and 1960s).

The first was part of a study by Goddard on the heredity of IQ and has
been exposed in Stephen Jay Gould's essays; the second is well-known (a
photo of Lenin haranguing a crowd from a lectern with Trotsky [not]
standing at the bottom of it); I wish I could get hold of the book
again in which I saw the third, where astronauts were replaced by
strategically-placed rose bushes, doors etc. etc.

This whole thread illustrates a common misattribution: evils attributed to
the baleful influence of computers were actually practiced well before
computers could help perpetuate them!

Come to think of it, the whole area of digital and "analogue" photographic
forgery is so interesting it almost demands to have a book written about it.


Re: Digital unreality (Asmis, RISKS-18.19)

Jason Eisner <jeisner@unagi.cis.upenn.edu>
Tue, 11 Jun 1996 12:51:02 -0400
> Now with digital camcorders, who will believe the next "Rodney King" video
> clip?  Not enough cops?  Add some more!  It will probably boil down to the
> integrity of the picture-taker.

Or the integrity of the camcorder.  Any digital camera -- certainly any
camera used for police work or journalism -- ought to sign its output with a
factory-installed private key.

(If the camera is not robustly tamper-proof, someone might extract the
private key by reverse engineering, or diddle the innards of the camera so
that the image is optically or digitally altered before being signed.
However, if each camera has a different private key, a court can check for
an unbroken seal on the one that purportedly shot and signed the picture.)

Jason Eisner    University of Pennsylvania
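
[Added example, not part of the original post: a sketch of the per-camera
signing scheme described above. It assumes the third-party Python
`cryptography` package and uses Ed25519 as a stand-in, since the post names
no algorithm; the `Camera` class, the serial numbers and the image bytes
are constructed for illustration.]

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


def _message(serial, pixels):
    # Length-prefix the serial so serial and image bytes cannot be confused.
    s = serial.encode()
    return len(s).to_bytes(2, "big") + s + pixels


class Camera:
    """Stands in for one sealed camera; the private key never leaves it."""

    def __init__(self, serial):
        self.serial = serial
        # Assumption: Ed25519 stands in for the unnamed signature scheme.
        self._key = Ed25519PrivateKey.generate()  # a different key per unit

    def public_key(self):
        return self._key.public_key()

    def shoot(self, pixels):
        # The serial is signed together with the image, so a picture cannot
        # be relabelled as the output of a different camera.
        return {"serial": self.serial, "pixels": pixels,
                "sig": self._key.sign(_message(self.serial, pixels))}


def check_capture(capture, registry):
    """Check a capture against the manufacturer's serial -> public key list."""
    public_key = registry.get(capture["serial"])
    if public_key is None:
        return False, "unknown camera"
    try:
        public_key.verify(capture["sig"],
                          _message(capture["serial"], capture["pixels"]))
    except InvalidSignature:
        return False, "signature does not match image and camera"
    return True, "signed by camera " + capture["serial"]


def demo():
    cam_a, cam_b = Camera("CAM-0001"), Camera("CAM-0002")
    registry = {c.serial: c.public_key() for c in (cam_a, cam_b)}
    original = cam_a.shoot(b"constructed-image-bytes-0001")
    edited = dict(original, pixels=b"constructed-image-bytes-0002")
    relabelled = dict(original, serial="CAM-0002")
    return [check_capture(c, registry)[0]
            for c in (original, edited, relabelled)]


if __name__ == "__main__":
    print(demo())
```

[A passing check shows only which key signed the bytes. It says nothing
about an image altered before signing or a key extracted from the camera,
which is why the post pairs the signature with a physical seal.]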


Re: Digital Unreality

Lauren Weinstein <lauren@vortex.com>
Tue, 11 Jun 96 10:54 PDT
It appears that image tinkering to create lies is now considered to be a
mass-market product selling point.  In a national television commercial from
a *major* PC manufacturer that seems to have just started airing, a "nerd"
who finishes a marathon long after everyone else (in over 9 hours), upon
learning that someone is coming over to visit, immediately scans the photo
of himself and the marathon clock, changes the leading "9" to a "2", and
prints it out.  He then proceeds to burn his mouth on a piece of pizza.

--Lauren--

P.S.  The pizza lends an air of authenticity, but would the nerd have even
run the marathon in the first place?


F-15 revisited again

David Damerell <djsd100@thor.cam.ac.uk>
Tue, 11 Jun 1996 10:53:15 +0100
>  - (To my disbelief) It was suggested some type of plastic cap be
>    placed on the main trigger during future training missions to
>    prevent pilots from triggering(!?).
>The last low-tech solution to the prevention of triggering the missile
>was almost comical.

Comical and low-tech, perhaps, but it would _work_.  Sometimes a visible
physical barrier is superior to any number of invisible things which
_should_ have been done right...


Ariane-5 failures

Bertrand Meyer <bertrand@vienna.eiffel.com>
Fri, 7 Jun 96 10:07:42 PDT
  [From Le Monde, dated 8 June 1996, i.e. published on the 7th; on-line
  edition at http://www.lemonde.fr. Extracted and translated by BM.
  (Although ellipses are not marked, I have considerably abbreviated the
  text and removed some of the anthropomorphic comments, e.g. "the machine's
  brain" and the like. Comments in square brackets [] by BM.)]

THE MYSTERIES OF ARIANE'S CHAMBER, by Jean-Francois Augereau

Who [sic] caused the in-flight explosion of Ariane-5 on Tuesday, June 4?
After more than forty-eight hours of preliminary investigations, "witnesses"
are starting to talk. The propulsion system, which could have been
suspicious because of its novelty, has been cleared. The likely culprits are
elsewhere, "in the software or the hardware", that is to say the
computer-related parts. Only five of them are left, gathered in one "closed
room". [???]

According to Daniel Mugnier, head of the Launchers ("lanceurs") division at
the CNES (National Center for Aerospace Studies), the inquiry is focusing on
the "electrical and software system" which allows the various elements of
Ariane-5 to talk to each other. The launcher is loaded with sensors which
constantly monitor its moves and accelerations.

Our first suspect is an Inertial Reference System (IRS)*, the balancing
center of the launcher. The IRS, or its mate, is in charge of using these
data to compute the launcher's exact position, speed and acceleration. But
at this stage of the inquiry it seems that the sensors themselves have been
exonerated.

There is no alibi, however, for the IRS. Doubts remain, even though the
on-board computer and the backup unit show a record of having received
[litt. "claim to have received"] the same information. How could they have
failed at the same time and in the same way?

Hence the questions about the behavior of on-board computers. According to
Daniel Mugnier, "they ``claim'' to have received abnormal information from
the IRS. Whom [sic] should we believe? Daniel Mugnier is reluctant to
incriminate that component [i.e. the computers?].  Same thing with another
component, the "1553 bus". It is a kind of information highway [??!!]; all
navigation commands go through it. According to one of the investigators,
"it is a proven system, which has been used for a long time on all NATO
fighter planes".

This leaves two other suspects: the in-flight software program and the
coder.  Does the program, made of long lines [???] of computer writing,
include a "bug" or a fault? Did the converter**, which translates the
sensors' analog language into the computers' digital language, stutter? One
cannot exclude the possibility that the computer is denouncing errors that
it itself created.

The investigation continues. The report should be turned in by July 15.

[Notes:
    * I have translated "Centrale Inertielle (SRI)" by "Inertial
    Reference System (IRS)". I found the acronym in Jane's Defence
    Glossary at http://www.thomson.com/hanes/janesgloss. I don't
    believe it's directly connected to the Internal Revenue System.

    ** I used "converter" for the analog-to-digital "codeur".]

Bertrand Meyer
ISE Inc., Santa Barbara, <bertrand@eiffel.com>, http://www.eiffel.com


Ariane-5 failures

David Wadsworth <dwadsw@etna.demon.co.uk>
Fri, 07 Jun 96 17:40:28 GMT
An interesting feature of the Ariane 5 explosion, as seen on television, was
the commentary in French in the background.  As the fragments of the
destroyed rocket were coming down, the French voice was still saying the
equivalent of "All systems go", "All parameters normal", "course correct"
etc.  I suppose the risk of a commentator reading from a script describing
what *should* be happening is obvious. At least they could have given him a
window or a monitor to check that it loosely coincided with reality!

David Wadsworth  dwadsw@etna.demon.co.uk


RISKs of bogus FAQs (Boggio-Togna, RISKS-18.19)

Tom Lane <tgl@netcom.com>
Mon, 10 Jun 96 23:10:23 -0700
> This would seem to open up interesting possibilities for anyone objecting
> to the contents of a FAQ and wishing to have it removed from the archive.

I maintain another such FAQ article.  Most of the FAQ archive sites that I
know about will archive any article that comes by, if it (a) is crossposted
to news.answers and (b) contains the appropriate headers, such as the proper
Approved: line and Archive-Name: line.  Of course, these conditions are
trivially easy to forge for anyone familiar with the workings of netnews
transport software.  (In fact, the standard posting software most FAQ
authors use requires no special system privileges; you could say that we
*all* forge these headers.)  So far, there hasn't been any concerted attack
on FAQ archives, but I'm sure there will be one someday ... and that nothing
will be done to plug the security holes until an incident occurs :-(.  The
archive site Gianfranco describes seems to have laxer security than average,
but there isn't any trustworthy system in place.

My own FAQ is several posting cycles out of date in most of the FAQ archive
sites, and I think that Risks readers might be interested in the reasons
why.  I normally post my FAQ every other weekend.  Four weeks ago, the
posting got lost due to failure of the local netnews system at netcom.com.
Two weeks ago, it went out OK, but that weekend some self-appointed
vigilante decided to shut down the alt.binaries.* newsgroups by issuing
forged cancels for every article posted or crossposted to any alt.binaries.*
group.  My FAQ is crossposted to several .d (discussion) groups under
alt.binaries.*, and it got canceled before being archived at most sites.
The vigilante was toast a couple days later, of course, but the damage was
done.  The most recent posting is hung up in our outgoing news queue due to
another local news system failure.  Perhaps it will eventually get out, or
perhaps not.

Meanwhile, the single most popular FAQ archive site (ohio-state.edu's
WWW-accessible archive) has had ongoing reliability problems because
its volunteer founder and administrator left Ohio State over a year
ago, and everything is running on autopilot.  There are other regularly
posted FAQs that are more out of date in ohio-state's archive than mine.

The RISK: things you would think are bedrock Internet services may
actually be unfunded volunteer projects full of security holes.

Another example I've recently been reading about is that a couple of the
root DNS nameservers have been down for several days.  If they all go down,
the Internet as we know it comes to a stop.  Yet the administration of these
critical services is run on an ad-hoc, volunteer basis.  Sooner or later,
the net will have to grow up and take itself seriously.

Tom Lane


CFP: 1997 Symposium on Network and Distributed System Security

Matt Bishop <bishop@cs.ucdavis.edu>
Fri, 07 Jun 1996 13:13:36 -0700
CALL FOR PAPERS [abridged for RISKS]
The Internet Society Symposium on
Network and Distributed System Security

February 10-11, 1997, San Diego Princess Resort, San Diego, California
Submissions due: August 1, 1996

GOAL: The symposium will bring together people who are building hardware
and software to provide network and distributed system security services.
The symposium is intended for those interested in the practical aspects of
network and distributed system security, focusing on actual system design
and implementation, rather than theory.  We hope to foster the exchange of
technical information that will encourage and enable the Internet community
to apply, deploy, and advance the state of available security technology.
Symposium proceedings will be published by the IEEE Computer Society Press.
Topics for the symposium include, but are not limited to, the following:

* Design and implementation of communication security services:
  authentication, integrity, confidentiality, authorization, non-repudiation,
  and availability.
* Design and implementation of security mechanisms, services, and APIs to
  support communication security services, key management and certification
  infrastructures, audit, and intrusion detection.
* Requirements and designs for securing network information resources and
  tools -- WorldWide Web (WWW), Gopher, archie, and WAIS.
* Requirements and designs for systems supporting electronic commerce --
  payment services, fee-for-access, EDI, notary -- endorsement, licensing,
  bonding, and other forms of assurance.
* Design and implementation of measures for controlling network communication
  -- firewalls, packet filters, application gateways, and user/host
  authentication schemes.
* Requirements and designs for telecommunications security especially for
  emerging technologies -- very large systems like the Internet, high-speed
  systems like the gigabit testbeds, wireless systems, and personal
  communication systems.
* Special issues and problems in security architecture, such as interplay
  between security goals and other goals -- efficiency, reliability,
  interoperability, resource sharing, and cost.
* Integration of security services with system and application security
  facilities, and application protocols -- including but not limited to
  message handling, file transport, remote file access, directories, time
  synchronization, data base management, routing, voice and video multicast,
  network management, boot services, and mobile computing.

GENERAL CHAIR:
    David Balenson, Trusted Information Systems
PROGRAM CHAIRS:
    Clifford Neuman, University of Southern California
    Matt Bishop, University of California at Davis

  All submissions and program related correspondence (only) should be
directed to the program chair: Clifford Neuman, University of Southern
California, Information Sciences Institute, 4676 Admiralty Way, Marina del
Rey, California 90292-6695, Phone: +1 (310) 822-1511, FAX: +1 (310)
823-6714, e-mail: sndss97-submissions@isi.edu.  Dates, final call for
papers, advance program, and registration information will be available at
the URL: http://www.isoc.org/conferences/ndss97.


Re: HTTP cookie privacy risk (Goldstein, RISKS-18.19)

Kenneth Albanowski <kjahds@kjahds.com>
Tue, 11 Jun 1996 16:18:20 -0400 (EDT)
This site makes very interesting reading, as does an AltaVista search for
"ad.doubleclick.net", as does my ~/.netscape/cookies file, which contains
a reference to ad.doubleclick.net.

It appears that anyone can set up with "DoubleClick.net" (for a fee) so that
access to their own web pages goes through DC.net. DC.net then returns the
original web page, with targeted advertising added, based on the information
that some web browsers hand out on every fetch operation.

It's unclear exactly how the cookies come into this, but they undoubtedly
let DC.net try and target individual preferences, probably based on what
pages they read that go through DC.net.

The interesting thing is that this is all completely invisible, unless you
happen to notice having a cookie for ad.DC.net, or have a habit of reading
through HTML code and see an odd URL that points to ad.DC.net.  Most
people would never see these.

Thus does modern marketing come to the WWW. The risks here are enormous.
The solutions, to some extent, are simple -- no hidden cookies, and no
personal information getting sent out without approval. You can't very well
hide your domain, however, and that lets people guess all sorts of fun
things. The solution to that is not so simple.

Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)
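
[Added example, not part of the original post: a parser for the
tab-separated, seven-field Netscape cookies-file layout that reports
cookies belonging to hosts the user never visited directly, such as the
ad.doubleclick.net entry mentioned above. The sample file contents, cookie
names and values, and the list of visited hosts are constructed.]

```python
from collections import namedtuple
from datetime import datetime, timezone

Cookie = namedtuple("Cookie",
                    "domain subdomains path secure expires name value")

# Constructed sample: domain, all-hosts-in-domain flag, path, secure flag,
# expiry (seconds since 1970), name, value.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    ".dejanews.com\tTRUE\t/\tFALSE\t946684799\tsession\tconstructed-1\n"
    "ad.doubleclick.net\tFALSE\t/\tFALSE\t946684799\tid\tconstructed-2\n"
    "www.example.org\tFALSE\t/shop\tFALSE\t946684799\tcart\tconstructed-3\n"
    "this line is damaged and has no tabs\n"
)


def parse_cookie_file(text):
    """Return the well-formed cookie records; skip comments and damage."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue
        domain, sub, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain.lower(), sub == "TRUE", path,
                              secure == "TRUE", int(expires), name, value))
    return cookies


def host_matches(host, cookie):
    """True if the browser would send this cookie to `host`."""
    host = host.lower()
    bare = cookie.domain.lstrip(".")
    if host == bare:
        return True
    return cookie.subdomains and host.endswith("." + bare)


def unvisited_cookies(cookies, visited_hosts):
    """List (domain, name, expiry date) for cookies no visited host owns."""
    report = []
    for c in cookies:
        if any(host_matches(h, c) for h in visited_hosts):
            continue
        expiry = datetime.fromtimestamp(c.expires, tz=timezone.utc)
        report.append((c.domain, c.name, expiry.date().isoformat()))
    return report


if __name__ == "__main__":
    visited = {"www.dejanews.com", "www.example.org"}  # constructed list
    for row in unvisited_cookies(parse_cookie_file(SAMPLE), visited):
        print(row)
```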


Re: HTTP cookie privacy risk (Goldstein, RISKS-18.19)

Rob Streno <rstreno@dayton.csc.com>
Tue, 11 Jun 1996 16:18:28 -0400
You've been visiting commercially sponsored sites, haven't you?  Doubleclick
is responsible for the ads that you see on pages such as the DejaNews search
engine (http://www.dejanews.com); the ads are linked via DoubleClick to the
destination site.

As far as privacy risks go, if I remember, the Netscape documentation about
the cookie file indicates that it is a file to be used to hold information
from one page to the next. . . i.e., one page writes the cookie, and another
page reads it.  This keeps from having long, convoluted URL lines which
contain all of the information you need to pass from page to page.

As far as gathering marketing information, I can't fault DejaNews,
Doubleclick, or any other company for gathering marketing information.  My
guess is that they'll use that information to tailor which ads are most
effective to display on a page like DejaNews.  I doubt that they'll use that
information to direct market you via e-mail.

Robert M. Streno  rstreno@dayton.csc.com  (513) 890-7700 x2455
rstreno@csc.com  xinc@ix.netcom.com   xinc@delphi.com


Re: HTTP cookie privacy risk

Scott Hazen Mueller <scott@zorch.sf-bay.org>
Tue, 11 Jun 1996 22:18:17 GMT
DoubleClick is a Web advertising agency.  They buy space on Web sites (Yahoo,
Netscape, Travelocity, etc.) and sell impressions ("eyeballs") to advertisers.

While they may or may not actually care about your particulars (and your
browser/OS information is available to any Web site that cares to gather it,
regardless of cookies), it's much more likely they're just tagging you, like
a biologist tags wild birds.

Ideally, it's a trade-off, you see.  In exchange for free information (quid),
you give a little information on your Web usage (pro quo).  In a RISKy world,
the concern is that you give up too much for too little.  As a person who
cares about privacy, I have to applaud Netscape for putting a little alert
about cookies on the user's screen.  As a Web site maintainer, I have to wonder
if this is going to affect my ability to deliver advanced forms of content.

Scott Hazen Mueller | scott@zorch.SF-Bay.ORG or tandem!zorch!scott
