The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 21

Monday 17 June 1996

Contents

o Whitehouse Namechecks Glitch
David Kennedy
o UK government announces proposals for encryption on networks
Steve Kilbane
o Korea's Internet War
David Kennedy
o Health Risk from Dusty Computer Displays
Martin Minow
o Botched trademark search
George C. Kaplan
o "Child Molester Database" on the Web
Dave Brown
o Magellan 3000 GPS is `waterproof'?
Boyd Roberts
o Rounding errors and grammar checkers
Gabor Megyesi
o Re: Digital unreality
Lauren Weinstein
Luis Fernandes
o Re: Ariane-5 failures
Lauren Weinstein
o Physical barriers in the cockpit
Karl W. Reinsch
o French police raid leading ISPs
Jean-Bernard Condat
o Info on RISKS (comp.risks)

Whitehouse Namechecks Glitch

David Kennedy <76702.3557@CompuServe.COM>
13 Jun 96 14:02:48 EDT
Courtesy of Associated Press via CompuServe's Executive News Service:
AP US & World  12 Jun 1996

FBI Files
By PETE YOST

 Associated Press Writer
<>   WASHINGTON (AP) -- Whitewater prosecutors have questioned
<>before a grand jury the Army employee who led the White House
<>collection of FBI background files on a number of prominent
<>Republicans.  [...]

<>   FBI officials investigating how the White House obtained the
<>files have tentatively concluded that FBI procedures were not
<>adequate to prevent the improper disclosure of personnel
<>reports, The New York Times reported in today's editions,
<>quoting unnamed government officials.   [...]

<>   In addition, the newspaper quoted a senior career government
<>employee as saying the computer program the Secret Service used
<>in 1993 to track access to the White House was flawed,
<>producing an outdated list.  [...]

<>   "What is remarkable is that in this case an outdated list
<>was being used so unnecessary files were retrieved," said White
<>House spokesman Mark Fabiani.

[DMK: The computer did it!  It's not my fault!  (sigh)]

Dave Kennedy [CISSP] Information Security Analyst, National Computer Security
Assoc.

  [Lengthy articles in the *NY Times* and the *Washington Post* over the
  weekend noted the distinction between the "A" and "I" tags for active
  and inactive names on the list.  A Secret Service spokesman was quoted
  as saying that it was impossible for the I list to appear without the
  tags, although a query that did not request that field would omit them
  because it was indicated that both lists were in the same (relational?)
  database.  As usual in such cases, the "blame" may be distributed much
  more widely than folks like to admit, or alternatively may be attributed
  to a lack of understanding of the technology.  Stay tuned.  PGN]


UK government announces proposals for encryption on networks

<Steve_Kilbane@cegelecproj.co.uk>
Thu, 13 Jun 1996 09:54:39 +0100
On 10th June, the UK government announced a document which describes
a key-escrow system. The document is available at:

http://www.coi.gov.uk/coi/depts/GTI/coi9303b.ok

I'm not going to get into the usual arguments. I will quote the following,
however:

    "2.  The policy, which has been decided upon after detailed discussion
    between Government Departments, involves the licensing and regulation
    of Trusted Third Parties (hereafter called TTPs) which will provide a
    range of information security services to their clients, whether they
    are corporate users or individual citizens. The provision of such
    information security services will be welcomed by IT users"

Not by this one, they won't.


Korea's Internet War

David Kennedy <76702.3557@CompuServe.COM>
14 Jun 96 21:09:44 EDT
Courtesy of Associated Press via CompuServe's Executive News Service:
AP US & World  14 Jun 1996

Korea's Internet War
By SANG-HUN CHOE, Associated Press Writer

 <>  SEOUL, South Korea (AP) -- For a Canadian university student,
<>creating an Internet site on North Korea was simply opening a
<>small library on the reclusive nation. For South Korean
<>authorities, it was a threat to national security.
<>  Last week, South Korea declared David Burgess' World Wide Web
<>site subversive and ordered 14 local computer networks with
<>Internet links to block public access to it.

o   Government plans to punish those accessing PRNK web sites.
o   About 0.5M South Koreans are plugged in.

<>   "South Korea has hypocritically committed the same actions
<>it criticizes North Korea for -- non-promotion of democratic
<>values and open choices," Burgess said in an electronic mail
<>message to The Associated Press.

o   Burgess visited PRNK and picked up some pamphlets, which he's now
        posted to his web server.

<>   North Korean pamphlets found on Burgess's home page are
<>sprinkled with references to the "Greatest Genius Mankind Has
<>Ever Known, Comrade Kim Jong Il," "U.S. imperialist warmaniacs"
<>and "South Korean puppet reactionaries."
<>   They might be laughed off as Cold War classics, but under
<>South Korea's strict national security law, it is a serious
<>crime to "manufacture, import, copy, possess or distribute data
<>that can benefit, eulogize or encourage the enemy."

o   ROK jams the PRNK's HF radio stations.
o   A ROK official admitted their regulations are not very effective and
        that, "(w)e need a new approach."

<>   The government has its own web sites promoting its policies
<>and chronicling the doings of President Kim Young-sam. But it
<>maintains a sweeping ban on communist propaganda.
<>   About 340 people are in prison for breaking the law,
<>according to human rights groups. None were arrested in
<>connection with Burgess's home page.

<>   EDITOR'S NOTE -- Burgess's North Korean Home Page address
<>is: http://duke.usask.ca/(tilde)burgess/DPRK.html


Health Risk from Dusty Computer Displays

Martin Minow <minow@apple.com>
Fri, 14 Jun 1996 15:40:13 -0700
From the electronic edition of the Swedish newspaper, Svenska Dagbladet
(14 Jun 1996) http://www.svd.se/svd/ettan/X0002_Damm_och_dator.html
(My rough translation and summary).

Workers using video display terminals in dusty and poorly cleaned offices
had increased risk for skin damage, as shown by a study by the Norwegian
"national work environment institute" (statens arbetsmiljöinstitut).
The study showed how dust particles in combination with static electricity
caused skin irritation in people working with computer displays. ...

By wiping the screens with a special ionic solution and, at the same time,
grounding the hard disk, the static electricity was led away from the
apparatus. The result was a noticeable lessening of skin irritation.  "There
were on average 20% fewer skin problems when the static electricity field
disappeared," said Dr. Knut Skulberg who, together with Dr. Knut Skyberg was
responsible for the project. In the control group where the ground lead was
not used, there was no noticeable change.

A careful analysis of the indoor environment in the offices showed how a
number of additional factors were affected by static electricity.  -- If
there is a lot of dust, skin problems worsened. Less dust meant less skin
reaction.

The researchers also discovered that few displays had strong static
electricity fields directly in front of the screen. Instead, they
measured the greatest values along the side and above the displays.

Norwegian studies show that 16% of people who work frequently with computer
displays have had some form of skin irritation, primarily redness, itching,
and dry skin.

Martin Minow. minow@apple.com


Botched trademark search

"George C. Kaplan" <gckaplan@cea.Berkeley.EDU>
Wed, 12 Jun 1996 21:05:27 -0700 (PDT)
An article in the 12 June Wall Street Journal describes a major goof by
Warner Bros. in their new movie "Eraser."  In the movie, "Cyrex Corp." is
the major villain, which tries to kill the character played by Arnold
Schwarzenegger.

Unfortunately, the real-life "Cyrix Corp." was not amused, and threatened to
sue.  Warner Bros. is now busy deleting or changing all mentions of "Cyrex"
in the film.

How did this happen?  From the article:

    So how could a major Hollywood studio make such an oversight?
    "It wasn't an oversight," insisted a Warner Bros. spokesman.
    "The names are spelled differently, and when we did a legal
    search it didn't show up.  Sounding the same is a coincidence,
    that's all."

Even a rudimentary spell checker should detect that "Cyrex" and
"Cyrix" are close enough to take a second look.  Anyone want to bet
that the "legal search" was nothing more than a 'grep Cyrex'?

George C. Kaplan   gckaplan@cea.berkeley.edu  1-510-643-5651
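
An added example, not part of the original posting: the gap between an
exact-match search and a "close enough" search of the kind the post asks for.
The registry entries other than "Cyrix" are constructed, and the choice of
Soundex plus edit distance is an assumption, not what any legal search uses.

```python
# Exact search versus a "close enough" name search (illustrative only).

# Soundex digit groups: consonants that sound alike share a digit.
_CODES = {}
for _digit, _letters in enumerate(
        ("bfpv", "cgjkqsxz", "dt", "l", "mn", "r"), start=1):
    for _ch in _letters:
        _CODES[_ch] = str(_digit)


def soundex(word):
    """Four-character Soundex key; names that sound alike share a key."""
    letters = [c for c in word.lower() if c.isalpha()]
    if not letters:
        return ""
    out = [letters[0].upper()]
    prev = _CODES.get(letters[0], "")
    for ch in letters[1:]:
        code = _CODES.get(ch, "")
        if code and code != prev:
            out.append(code)
        if ch not in "hw":          # h and w do not separate equal codes
            prev = code
    return "".join(out)[:4].ljust(4, "0")


def levenshtein(a, b):
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def exact_search(query, registry):
    """What a plain 'grep Cyrex' does: case-sensitive substring match."""
    return [name for name in registry if query in name]


def fuzzy_search(query, registry, max_distance=1):
    """Flag names within max_distance edits OR sharing a Soundex key.

    Returns (name, edit_distance, same_sound) tuples, nearest first.
    Every hit is a candidate for human review, not a verdict.
    """
    hits = []
    for name in registry:
        dist = levenshtein(query.lower(), name.lower())
        same_sound = soundex(query) == soundex(name)
        if dist <= max_distance or same_sound:
            hits.append((name, dist, same_sound))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample registry; only "Cyrix" comes from the article.
REGISTRY = ["Acmetron", "Cyrix", "Cyrus", "Kyrex", "Serax"]

if __name__ == "__main__":
    print("exact:", exact_search("Cyrex", REGISTRY))
    for name, dist, same_sound in fuzzy_search("Cyrex", REGISTRY):
        print(f"review: {name:8} edits={dist} same_sound={same_sound}")
```

The exact search comes back empty, while the fuzzy search flags "Cyrix" on both
tests, "Kyrex" on edit distance alone and "Cyrus" on sound alone.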


"Child Molester Database" on the Web

Dave Brown <dagbrown@calum.csclub.uwaterloo.ca>
Sat, 15 Jun 1996 04:39:51 -0400 (EDT)
Great World Internet Services has announced (in an off-topic posting to a
newsgroup I read, incidentally) that it is keeping an on-line database of
known child molesters at http://www.greatworld.com/public/--presumably for
someone's information.  Apart from the fact that the alleged molesters are
organized by name and not by location, there is a rather alarming touch.
The site invites people to add their own molesters.  What a wonderful way of
anonymously slandering someone.

Great World's disclaimer states that "The responsibility for accuracy
relies entirely with the persons posting the information." In other words,
they come right out and say that their information cannot be trusted.

They also maintain a list of "crooked cops"--presumably also for someone's
information.  Given their information-gathering methods, however, both the
list of crooked cops and child molesters are highly suspect, to say nothing
of being serious privacy concerns.

--Dave


Magellan 3000 GPS is `waterproof'?

Boyd Roberts <boyd@france3.fr>
Thu, 13 Jun 96 12:31:48 PST
I bought a Magellan 3000 GPS receiver at the weekend in London, after
reading up the doc I got from the Web, and some of the reasons I bought it
were because it's "rugged, durable and waterproof" and that its housing is
a "waterproof construction".  Well, after it got dunked in a fountain for
about 20 seconds it was no longer "waterproof", but very wet.

I suspect there's a problem with the seal around the "scratchproof" LCD
display cover.  Several days later, it still hasn't dried out and the
construction prevents me from opening it (as does the warranty).

Risks:

    As my mate Shand <shand@pa.dec.com> commented:  it
    was better that I'd found out sooner than later and that at
    least I was in Trafalgar Square and I knew where I was.

    Admittedly, relying on one navigation instrument is fraught
    with peril, but something "designed specifically for boating"
    is going to get wet sooner or later.

Magellan have my fax (sent yesterday), but have so far not replied.
I shall be interested in their response.

[the quoted text comes from the User Guide and the box it comes in]

Boyd Roberts                                        boyd@france3.fr


Rounding errors and grammar checkers

Gabor Megyesi <G.Megyesi@pmms.cam.ac.uk>
Fri, 14 Jun 96 10:33 BST
I was reminded of the article on rounding errors on the electricity bill in
RISKS-18.17 when I used the grammar checker built into MS Word, which
produces statistics like average number of words per sentence after checking
the text. I was surprised to see that my document had an average of 0
sentences per paragraph. On closer inspection, I noticed that the program
counted 12 sentences and 17 paragraphs (do not ask me how), and must have
rounded 12/17 down to 0.

This just goes to show that it is dangerous to put too much faith in
anything produced by a grammar checker. My favourite is the suggestion that
one should use "eye's" or "eyes'" in the sentence "The smoke makes my eyes
water." The bigger risk is that someone may decide that such a grammar
checker is the standard of correct English which all documents produced by
the company must pass.


Re: Digital unreality

Lauren Weinstein <lauren@vortex.com>
Thu, 13 Jun 96 18:38 PDT
Jason Eisner suggests that digital cameras (at least those used for police
or journalism work) be equipped with a "tamper-proof" digital signature.
There may be merit to this idea in the former case, but the concept of
digital signatures in video, if applied too broadly, could have serious
privacy implications, leading to concerns over making important video
available for fear of retribution or similar negative consequences.  Nor is
it clear how much assurance could be placed in the integrity of the video
itself after editing and other processing even if the original source
material were "securely" tagged.

This is an area that would have to be approached very carefully
and definitely not in an ad hoc manner.

--Lauren--  Moderator, PRIVACY Forum  http://www.vortex.com


Re: Digital unreality

Luis Fernandes <elf@mailhost.ee.ryerson.ca>
Thu, 13 Jun 1996 22:20:51 -0400
An article (AP newswire) on promotional product placement in the movies
relates a story about the movie _Demolition Man_ where in the North American
version of the movie, Sandra Bullock's character tells Sylvester Stallone's
character that only the Taco Bell franchise survived into the 2xth century.

But in versions of the movie released overseas, the franchise is
changed to Pizza Hut (while both chains are owned by the same parent,
there are 4600 Taco Bell franchises in North America vs. a few
overseas; there are 3300 Pizza Hut franchises overseas).

        "For the movie's international release, special effects
        experts digitally removed the Taco Bell logo from the film
        added a new restaurant and re-recorded Bullock's dialog. Now,
        when the movie is shown overseas, Taco Bell has
        failed... there's only Pizza Hut."


Re: Ariane-5 failures

Lauren Weinstein <lauren@vortex.com>
Thu, 13 Jun 96 18:29 PDT
David Wadsworth comments on the French commentary lagging behind events at
the Ariane-5 failure.  It may be remembered that exactly the same sort of
lag occurred at the Challenger explosion.  In both cases, the cause is
probably similar.  The person providing that running data commentary is
typically watching a telemetry readout, not looking out a window!  That
displayed telemetry tends to lag events by a significant amount, accounting
for the perceived effect.  It is extremely unlikely that David's assumption
that the "commentator" was "reading from a script" is the correct analysis
in this case.

--Lauren--


Physical barriers in the cockpit (RE: Damerell, F-15, RISKS-18.20)

"Karl W. Reinsch" <kreinsch@radix.net>
Fri, 14 Jun 1996 00:51:44 -0400 (EDT)
David Damerell <djsd100@thor.cam.ac.uk> posted to RISKS:
<> The last low-tech solution to the prevention of triggering the missile
<> was almost comical.

I would encourage RISKS readers to check out the writings of Donald A.
Norman. Particularly relevant to this is the chapter "Coffee Cups in the
Cockpit" from _Turn Signals Are the Facial Expressions of Automobiles_.
Norman lists the most common and effective cognitive aids in the cockpit.
Under "crew-provided devices" he lists "written notes, coffee cups, and
tape". He specifically mentions placing an empty coffee cup over a lever as
a reminder.

I believe something similar can also be seen in the film _Apollo 13_ with a
hand-written "Don't Touch" note placed over a switch.

-karl.  kreinsch@radix.net


French police raid leading ISPs

Jean-Bernard Condat <jeanbc@informix.com>
Fri, 14 Jun 1996 15:00:55 +0100
   Paris, 14 June 1996--As I have so far seen no reports in the obvious
Usenet newsgroups of the recent police raids on leading French Internet
service-providers, and I can no longer post contributions to them myself, I
send you the following English translations from the French newspaper
"Liberation", which may inspire you to report them there. Note that Mr.
Francois Fillon has proposed a Conseil Superieur de la Telematique
depending on the Bourges' CSA (Conseil Superieur de l'Audiovisuel) that
will rapidly act as a high telematics authority like the new French
Internet Society (ISOC).

  ------------

From the "Cahier Multimedia" of "Liberation", 3 May 1996

"Netiquette according to Mr Fillon" (La Netiquette de Fillon)

   Lacking the power to police the Internet, France will invite its G7
partners (at Lyons in June) to consider the co-ordinated introduction of a
"code of good conduct". A sort of "modus vivendi" which, as Francois Fillon
explained to his colleagues at their recent meeting in Bologna, would
guarantee a minimum degree of protection to network users. For, as the
French Telecoms Minister pointed out, "if the Internet constitutes an
extraordinary valuable collective resource (...), nevertheless it conceals
as many risks for its users."  To attempt to keep it locked up on the basis
of national regulations alone would be pointless with such an inherently
transnational network.  Hence, according to Mr Fillon, the need to establish
coordination at a European (OECD) level, with the aim of drafting an
agreement [une convention]. Its signatories would establish the principles
for legal collaboration, and a certain number of rules on ethics and on the
legal responsibility common to on-line publishers and ISPs.  And, in the
event of a breach, the Minister also proposes to establish, once and for
all, that "by default, the principle that the rules of the originating
country, so far as the signatories are concerned, and [those] of the
receiving country are applicable."

  ------------

But in "Liberation" of 8 May 1996:

"Police raid on the Internet" (Descente des gendarmes sur l'Internet)

Two Information Service Providers (ISPs) arrested for distributing
pornographic pictures of children, by Franck Johannes

   The police are very proud of themselves, and say prudently that "as far
as they are aware" this is a world premiere: the first time that the police
have intervened in the Internet. Without perhaps realising what a storm they
have produced, if not in legal circles then on the Network. The chief
executives of two ISPs have been detained for questioning on allegations
that they have been distributing pornographic pictures of children.

   "We keep hearing that there is a legal vacuum", explained
Lieutenant-Colonel Gerard Browne. "But that's not in fact the case;
distributing such pictures is prohibited by Art. 227-23 of the Penal Code,
that's all". The gendarmes, who are apparently unwilling to provide
background details, were tipped-off at the end of January 1996. It seems
that a regular Net-user came across the pictures in question via FranceNet
and World-Net, both of which claim to be the leading providers of access to
the Internet. (...)

   The Parisian research service immediately began exploring the services
with the support of the informatics branch of the criminal research
institute of the national gendarmerie (IRCGN). They took copies of the
various newsgroups, in other words the thousands of messages giving
information on all sorts of themes, from fly-fishing to vegetable gardening,
ultimately arriving at that with the children.  This could scarcely be by
accident; it is necessary to look, for example, in a list which has the
advantage of being clear, for "alt.binary.pictures.erotic.pedophilia", to
find a prohibited picture. According to the police, some 5 to 10% of the
contents of the thousands of newsgroups accessible in this way every day are
illegal.

   The dossier was transferred to the Parisian prosecuting authorities,
which in March opened an investigation entrusted to Christine Berkani, the
principal investigating magistrate in cases involving minors. On Monday [6
May] the police seized piles of floppy disks in the offices of the two ISPs,
and then the manager of WorldNet, Sebastian Socchard, and his counterpart
from FranceNet, Raffi Haladjian, were arrested and held in custody on
charges of "having distributed, fixed, recorded or transmitted a
pornographic picture of a minor", contrary to the provisions of Art. 227-23
of the Penal Code. They risk being sentenced to up to three years in prison
and fined up to half a million francs, because children under 15 years old
are involved.

   At WorldNet, this came as "a bolt from the blue" and his colleagues were
astonished that Sebastian Socchard, 27, had been detained in custody on
Monday.  Last year, the young man had set up the SCT Sarl company (for
Security, Concept and Technology) before becoming active as an ISP at his
clients' request. Today, WorldNet has some 30 employees and claims 9000
clients, each of whom pays FF 99.00 monthly for access to the Internet.

   "This affair merely illustrates the legal vacuum", protested Isabelle
Perichon of WorldNet. "We don't produce any pictures, we just store them.
Every day, we receive between 50,000 and 100,000 news-messages from the
University at Jussieu: Jussieu sends them to France Telecom, which forwards
them to us automatically."  Jussieu was slightly upset by this.
"France-Telecom doesn't normally get its data from us", explained an
engineer from the University. "We get our news from the United States, they
must be doing the same. In any case, there has never been anything like that
on our server. A lot of people are anxious to prevent the network from
degenerating, and if any of them found it they would let us know within a
couple of hours." The Gendarmes have plenty to keep them busy; the
investigators now have to identify the source of the pictures, which "come
from just about everywhere", sighed Lieutenant-Colonel Browne.

  ------------

Liberation, 9 May 1996: "Net: si on avait su, on aurait filtre" ("If we had
known, we would have filtered the Internet") - the director of WorldNet [Mr.
Sebastien Socchard, an old student of the well-known EPITA computer school
in Paris] under investigation, denies all responsibility

(report by Laurent Mauriac)

   In their desire to comply with French law, the ISPs are cutting off their
noses in order to spite their faces. In reaction to the arrest of the
managers of WorldNet and FranceNet "for simply doing their job", the four
members of the French Association of Internet Professionals (AFPI) -
Calvacom, FranceNet, Imaginet and Internet-way - have announced that they
have cut off their subscribers' access to *all* Usenet newsgroups.

   "That is the only way to apply the law", according to the director of
Imaginet, Patrick Robin, who claims it would be impossible to monitor
everything that is routed via his hard disks. Most ISPs carry more than 120
thousand messages every day, and any of them potentially contain pictures
among which a few might be prohibited by French law.

   No doubt fewer than 5% of them, according to AFPI; the whole problem is
that of identifying this 5% within the great flow of continually-renewed
data.  That is why Patrick Robin is calling for the creation of a committee
"similar to the Press's Committee for the protection of youth" and having
the resources it would need to be able to inspect newsgroups regularly. The
AFPI is also calling for the status of ISPs to be defined clearly: as
carriers, not distributors.  Making the same distinction, World-Net's
director, Sebastian Socchard, commented as follows on his dealings with the
law-enforcement authorities:

   You could have filtered out the "outlawed" newsgroups - why didn't you
do so?

   [SS]: We could have removed certain newsgroups, but we didn't know
which ones, or how to filter their contents. If we had known that that kind
of thing was present, we would have acted.

   Weren't you responsible for the distribution of the contents of everything
stored on your servers?

   [SS]: No, and I'm not happy with the expression "stored"; it doesn't
correspond to the situation. Our equipment merely passes on pictures, it
doesn't really store them. They do indeed transit via our hard disks, but
that is merely part of our job of carrying them, a means to enable the users
to access them more quickly. We would be equally responsible if our users
obtained the pictures directly from other servers on the Web (whereas the
contents of newsgroups are stored temporarily on every ISP's server, Web
pages are generally stored only on one server, and accessed directly from it
when required by a user). I am not legally responsible for publishing the
contents of our server.

   All the same, don't you have a duty to keep an eye on the data that can be
accessed through your servers? Is WorldNet responsible for everything that
can be found on the Internet?

   [SS]: There are 6300 newsgroups, and it would take about an hour to inspect
the contents of one of them. So to check all of them in 24 hours you would
need 270 people. And if we had to do that for the newsgroups, why not do it
for the Web and e-mail too?

   What do you think the solution is?

   [SS]: I fully agree that whatever is forbidden in France ought to be
filtered out, things like racism and child-pornography, for example. But
it's not an easy thing to do. If one newsgroup is excluded, it can change
its name or put its contents into another one. We want the government to
define precisely what must be censored, as has been done for the Minitel and
audiovisual services.

   A lot of legal experts are saying that there is no legal vacuum; all
that's needed is to apply the existing law...?

   [SS]: They are assuming that the Internet is no different from other
transmission systems. In that case, we are a carrier like the rest of them,
and we should be treated as such.

   Do you think that you are the victim of injustice?

   [SS]: If we are deemed to be responsible, then so should France Telecom
or Transpac [its specialised network-operating subsidiary]. The pictures are
carried through France Telecom's lines, and it is Transpac that supplies
them to us automatically from its server. As the head of the Gendarmerie
admitted: by attacking the two main French ISPs, they hope that the other 98
will also stop whatever they are doing wrong.

   What happened when you were taken in for investigation?

   [SS]: The gendarmes arrived without warning. They were well-behaved; they
knew that we weren't gangsters. They said that they were simply carrying out
routine procedures. It was obvious that they knew nothing about the
Internet.  I didn't see any experts. I suspect that the Gendarmerie wanted a
high-profile operation to catch the media's attention, possibly to launch
the debate.  They could easily have sent us registered letters, but in that
case nobody would have heard about it. Even if all this is out of all
proportion for five miserable pictures, as operators we are quite happy that
the debate has now begun.

Jean-Bernard Condat, Senior Consultant, Smart Card Business Unit, Informix, La
Grande Arche, 92044 La Defense Cedex, France +331 46963770 jeanbc@informix.com
