*The New York Times* reports today (10 Jan 1997) that Newt Gingrich was overheard in a telephone conference call to other House bigwigs on 21 Dec 1996 plotting strategy on how to deal with his ethics problems and possible attacks from opponents. This despite his promise, made the same day to the ethics subcommittee by his lawyer, that he would not use his office or his allies to orchestrate a counter-attack to the charges. Big deal, you say? Politics as usual, you say? I agree, except for one hook... the call was intercepted by a Florida couple on a scanner radio, most probably from the cell phone connection of one of the participants. No fans of Newt, the couple reportedly recorded the conversation and passed it along to an anonymous Democratic Congressman, who released it to *The Times*. Some people never learn... and therein lie the RISKS...
David Salas, 34, worked last summer as a subcontractor on the development of a computer system for the California Department of Information Technology. He was fired after falling out with his business partner. He has now been arrested on three felony charges, for ``allegedly trying to destroy'' the system. He is suspected of having built a backdoor into the system so that he could access it remotely. [Source: *San Francisco Chronicle*, 9 Jan 1997, although the article is very short on details.]
Gears and relays of old-time mechanical computers have been known to inadvertently engulf various foreign objects, but Cabbage Patch Snack Time Kid dolls are designed to eat plastic food. These dolls were reportedly trying to ingest assorted children's hair and fingers during the recent holiday season, incurring some minor scrapes and bruises. [Source: *San Francisco Chronicle*, 31 Dec 1995, A2.] Mattel is offering $40 to anyone who returns a doll, according to an item I heard on the radio. Although this risk has no direct computer-related connection, the absence of an easily accessible off-switch does seem like a flaw in the design of the human-doll interface. On the other hand, the existence of a reverse-flow switch would probably be a bad influence on the eating habits of small children. Always look a gift doll in the mouth, but don't look too closely. The doll might have a ball, and it might be your (eye)ball.
Researchers at Princeton University have released a paper documenting ways that nefarious crackers could dupe unwitting Web browsers into divulging personal information, such as bank personal identification numbers or credit card numbers. One way to do this is to break into a legitimate Web server and alter the links to other sites, so that when users click to transfer, they're actually transported to the cracker's computer where the virtual hijacker can watch every move they make (such as entering credit card info when prompted). The researchers suggest that Web surfers take the following precautions: disabling JavaScript in their Web browsing software; keeping an eye on the software's location line, to ensure they know where they are; and paying close attention to the addresses they visit. (*Chronicle of Higher Education*, 10 Jan 1997, A25) <http://www.cs.princeton.edu/sip/pub/spoofing.html>
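[Added example, not code from the Princeton paper or from the item above: a model of the link-rewriting step the item describes (every link on a compromised page is redirected through the attacker's relay, which carries the real target along so it can forward the page and watch what the victim types), together with the check behind the "keep an eye on the location line" advice: anchors whose visible text names one host while the href goes to another. The hosts spoof.example, bank.example and news.example, the relay URL shape and the sample page are all invented for illustration.]

```python
# Added example: models the link-rewriting step of the web-spoofing attack
# described in the item above, plus a check for the resulting mismatch.
# Not code from the Princeton paper; "spoof.example", "bank.example" and
# "news.example" are invented hosts and the relay URL shape is an assumption.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, quote, parse_qs

ATTACKER_HOST = "spoof.example"          # assumed attacker-controlled relay
HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def rewrite_links(html, attacker_host=ATTACKER_HOST):
    """What the attacker does to a page on a compromised server: every
    absolute link is redirected through the relay, which carries the real
    target in a query parameter so it can fetch and forward the page while
    watching everything the victim enters."""
    def relay(m):
        return 'href="http://%s/relay?u=%s"' % (attacker_host, quote(m.group(1), safe=""))
    return HREF_RE.sub(relay, html)


def unwrap(url, attacker_host=ATTACKER_HOST):
    """Server side of the relay: recover the real target from a relay URL.
    Non-relay URLs are returned unchanged."""
    parts = urlsplit(url)
    if parts.netloc != attacker_host:
        return url
    return parse_qs(parts.query).get("u", [url])[0]


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in a page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


HOST_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def suspicious_links(html):
    """The check behind 'keep an eye on the location line': return anchors
    whose visible text names a host but whose href actually goes elsewhere."""
    p = _Anchors()
    p.feed(html)
    out = []
    for href, text in p.links:
        href_host = urlsplit(href).netloc.lower()
        m = HOST_IN_TEXT.search(text.lower())
        if m and href_host and m.group(1) != href_host:
            out.append((text, href))
    return out


# Constructed sample page, not taken from any real site.
PAGE = ('<p>Log in at <a href="https://bank.example/login">bank.example</a> '
        'or read <a href="https://news.example/">the news</a>.</p>')

if __name__ == "__main__":
    spoofed = rewrite_links(PAGE)
    print(spoofed)
    print(suspicious_links(PAGE))      # nothing: text and href agree
    print(suspicious_links(spoofed))   # bank.example text, spoof.example href
```

The check only catches links whose text contains a host name; a link reading "the news" carries nothing to compare, which is why the paper's advice to read the actual address, not the link, still stands.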
In the Finnish TV news on 9 Jan 1997, it was reported that the Finnish car registry had sent mail to 11 thousand car-owners stating that the registration of their cars would be dropped from the registry, "because the car has been out of use". The registry representative said this was caused by a "computer error" the exact cause of which is being investigated. The registry then sent out 11,000 apology letters. What if the program had silently marked the 11,000 registration records as expired? Toomas Tamm, Department of Chemistry, FIN-00014 University of Helsinki FINLAND toomas@chem.helsinki.fi +358+9-191-40173 http://www.chem.helsinki.fi/~toomas/ [Also reported by Jouko Holopainen <jouko.holopainen@xnet.otm.fi>. PGN]
Today's front page of the *Wall Street Journal* hints of the apocalypse: ``A technical problem on the Skytel paging network led to a nationwide bout of beeper madness, as a digital deluge of erroneous call-me-back messages swept over more than 100,000 unwitting pager customers.'' What happened was an erroneous broadcast at 8 AM EST to over 100,000 Skytel pager customers, most of whom assumed it to be a local phone number. Thousands tried to return the call. The incident was then compounded by some 36 users who recognized the number for what it was, a PIN. They dialed Skytel, entered the PIN and their own phone numbers. ``The Skytel system then efficiently zapped those real phone numbers out: to the same 100,000 pager customers. Ever eager, thousands of them then returned calls to the diligent three dozen'' who got 300 calls an hour or more, still 40 an hour in the afternoon. At one time or another, we've all been grateful to a helpful customer service rep who has managed to overcome ``the system'' and correct some problem plaguing us. Evidently, that's exactly what a Skytel staffer was trying to do for a customer who wanted her pager service activated. But somehow ``a terribly wrong PIN'' was assigned, one that was linked to a secret code Skytel uses to broadcast news to 100,000 users. The network computer saw the PIN was wrongly linked and rejected it, ``but the Skytel staff successfully overcame the computer's recalcitrance'' and then tested the new customer's PIN by zapping the 7-digit number over the network so it would show up on her display. Scott Hamilton, Mtel (Skytel's parent company) spokesman: ``with any kind of computer system, from time to time, numbers have to be jiggled, and they were attempting to jiggle. It was just a mistake.'' Who of us hasn't ``jiggled'' a computer or been profusely grateful to someone who did it for us and solved some nasty problem.
One RISK is that many people who have to work with computers "know" how dumb they really are and have found end-around plays in order to get the job done. But, of course, sometimes the computer 'recalcitrance' is deliberate. Norm deCarteret [Also noted by Scott Call <scall@ccnet.com> and George C. Kaplan <gckaplan@cea.berkeley.edu>. PGN]
Don't duck bill analysis for reservations made on 17 Dec 1996 at the San Diego Princess — for example, for attending SNDSS on 10-11 Feb 1997 (see RISKS-18.20). ALL CHARGED DEPOSITS on that day were double billed because of a human/computer screwup. (However, you may duck billed platypuses while in San Diego.)
A Defense Department panel, in an unusually strident report, recommended $3 billion of additional spending over the next five years to improve the security of the nation's telecommunications and computing infrastructure. Warning of a possible ``electronic Pearl Harbor,'' the task force appointed by the Defense Science Board also said the Pentagon should seek the legal authority to launch counterattacks against computer hackers. ``There is a need for extraordinary action,'' the board's task force on ``Information Warfare-Defense'' stated in a report that was quietly released on Friday. Current practices and assumptions, it said, ``are ingredients in a recipe for a national security disaster.'' The report also predicts that by the year 2005, attacks on U.S. information systems by terrorist groups, organized criminals and foreign espionage agencies are likely to be ``widespread.'' [The full article is entitled REPORT OF THE DEFENSE SCIENCE BOARD TASK FORCE ON INFORMATION WARFARE - DEFENSE (IW-D), By Thomas E. Ricks, *The Wall Street Journal*, 10 Jan 1997. PGN Excerpting. Also contributed by "Betty G. O'Hearn" <betty@infowar.com>. PGN]
For RISKS participants struggling to convince their managers of the possibility of information warfare level II (inter-corporate conflict via information), here is a useful case. Canada's _Globe and Mail_ 97.01.10 pA1: Letter drive linked to Shoppers employee: Owner of Meditrust says he believes campaign scared investors away from mail-order pharmacy. By Jane Coutts and John Saunders, _The Globe and Mail_ A letter campaign attacking a mail-order pharmacy company has been traced to a mailbox rented by the secretary of a vice-president of Shoppers Drug Mart. The [C]$11-a-month box is home to the Society of Concerned Pharmacists, whose listed address, Suite 142, 2671 Eglinton Ave. E., is in fact Box 142 at Mail Boxes Etc., a private postal outlet.
Key points from the article:
* No evidence yet of the legitimate existence of the SCP.
* SCP accused of sending out 6,000 copies of a letter highly critical of the mail-order pharmacy business proposed by Meditrust Healthcare Inc.
* Letter said SCP represented 6,000 pharmacists; now claimed to be typographical error (should have been 600 but no proof of any members at all).
* Letter written by Larry Rosen, independent pharmacist partly funded in the past by Shoppers Drug Mart. . .
* ... but letter was signed by another person described as a practising pharmacist — of whom the College of Pharmacists of Ontario has no record whatever.
* Letter may account for failure of initial public offering of shares.
* Private Investigator searched garbage of mail drop and found record showing that secretary rented box.
This minor case demonstrates the risks of (1) breaching authenticity by fraudulent misrepresentation; (2) the effects of breaches of integrity of data in the real world, including especially the investment community; and (3) the risks of breaches of confidentiality such as throwing out confidential information in plain garbage.
Extensions of these lessons to purely electronic data are clear: verify authenticity and integrity of data before acting on any information from untrusted sources; obliterate data remnants. MEK M.E. Kabay, Ph.D. / Director of Education National Computer Security Association http://www.ncsa.com
Jack Kapica reports on cyberspace every Friday in _The Globe and Mail_. He points out today (Cyberia column, 97.01.10 p.A6) that despite the enthusiasm expressed by the likes of _The Washington Post,_ _The Economist_ and _The New Yorker_, AMAZON.COM does not, in fact, have more than 1,100,000 titles in stock as claimed. They actually have only 200 titles in stock in their warehouse. They just order the rest from distributors and wholesalers -- just like all other bookstores. See http://www.slate.com/features/amazon/amazon.asp for an article by Jonathan Chait and Stephen Glass. Caveat lector. M. E. Kabay, Ph.D. / Director of Education National Computer Security Association http://www.ncsa.com
The new US crypto export regulations control the export of most if not all data-security software, regardless of whether the software uses cryptography. Many software archives seem to be in violation of the new regs. [Federal Register: December 30, 1996 (Volume 61, Number 251)] [makes it illegal to export without a license:] c.3. ``Software'' designed or modified to protect against malicious computer damage, e.g., viruses; [For the full text, see http://www.epic.org/crypto/export_controls/interim_regs_12_96.html] This certainly controls virus checkers, firewalls, and other security software. There are substantial penalties involved in violating the EAR. The US can assess daily penalties and block all exports of a company's non-violating products. Criminal penalties apply as well. "Export", as defined in the new regs, includes making software available on the web or via ftp. If you have a virus checker or similar software available for ftp inside the US and the software can be downloaded from outside the US, you are most likely in violation of the new EAR which took effect on 12/30/1996. If you do not wish to go to prison, you may want to consult an attorney immediately and remove all data security software from your server. IANAL --Lucky Green <mailto:shamrock@netcom.com>
On Wednesday 8 Jan 1997, the entire US Coast Guard discovered that its standard Spreadsheet no longer runs on Wednesdays (or Saturdays), and refuses to print files on Tuesdays and Thursdays! Mondays and Fridays are OK, though. The Coast Guard uses a proprietary Operating System called CTOS, marketed by Unisys. Although most of the software was specifically built for the CTOS environment, some of it was ported over from other operating systems. A program called Ofis Spreadsheet is an amazing clone of Lotus 1-2-3 v2.2, for example. On the above date, everyone noticed that their spreadsheet program no longer worked, giving what amounts to a Windows' General Protection Fault error at start-up. It turns out that the hexadecimal codes that CTOS uses to represent the date added an extra digit with the new year. Apparently, they went from FFFFFFF to 10000000 at some point after New Year's Day. Unfortunately, some of the non-native applications (the 1-2-3 clone and the Progress db's seem to be the ones in question) can't handle this change elegantly. Interestingly, although no word has yet been spread on how to solve the anecdotal Progress problems (of which I've seen no sign myself), the solution to the spreadsheet conundrum is to change the date format. Even though the spreadsheet file may not access any date functions, the application *does*, and it doesn't like MM/DD/YY formats from 1997 onwards. But if you change the startup files to indicate a DD/MM/YY format, the problem goes away... RISKS: You may be concentrating on a problem (Y2K, which is a major effort in the Coast Guard just now) that is not *quite* as timely as another that is sneaking up on you. Watch out! This sort of embarrassment just might undermine your Y2K efforts. Perhaps, from this time forward, it might be smart to run test systems with clocks set a month or more ahead of schedule. Just in case. I know that I will be.
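[Added example, not CTOS or Unisys code and not the contributor's: a model of the failure the item above describes, a date kept as a hex tick count that a ported application copies into a field sized for exactly seven hex digits, and the moment the count grows from FFFFFFF to 10000000. The epoch (1 Jul 1988) and the one-second tick are assumptions chosen so the rollover lands just after New Year's Day 1997; the real CTOS encoding is not known here, and the day-of-week and date-format symptoms in the report are not modelled. The last function is the contributor's own suggestion, a test system run with its clock set ahead, turned into a check.]

```python
# Added example, not CTOS or Unisys code: models a date stored as a hex tick
# count that a ported application copies into a fixed 7-digit field, and the
# moment the count grows from FFFFFFF to 10000000. The epoch (1 Jul 1988) and
# the one-second tick are assumptions picked so the rollover lands just after
# New Year's Day 1997, as in the report above; the real CTOS encoding is not
# known here.
from datetime import datetime, timedelta

EPOCH = datetime(1988, 7, 1)   # assumption
FIELD_DIGITS = 7               # width the ported code was written for


def encode(dt):
    """Native format: seconds since EPOCH as unpadded upper-case hex."""
    return format(int((dt - EPOCH).total_seconds()), "X")


def decode_native(field):
    """Native reader: accepts any number of hex digits."""
    return EPOCH + timedelta(seconds=int(field, 16))


def decode_ported(field):
    """The ported reader: sized for exactly FIELD_DIGITS characters, it
    rejects the 8-digit value instead of overrunning its buffer."""
    if len(field) != FIELD_DIGITS:
        raise ValueError("date field is %d chars, expected %d" % (len(field), FIELD_DIGITS))
    return decode_native(field)


def first_overflow(epoch=EPOCH, digits=FIELD_DIGITS):
    """First instant at which the count no longer fits in `digits` hex digits."""
    return epoch + timedelta(seconds=16 ** digits)


def clock_ahead_check(now, days_ahead):
    """The 'run a test system with the clock set ahead' advice: walk the next
    `days_ahead` days and report the first date on which the ported reader
    fails, or None if it survives the whole window."""
    for d in range(days_ahead + 1):
        t = now + timedelta(days=d)
        try:
            decode_ported(encode(t))
        except ValueError as err:
            return t.date(), str(err)
    return None


if __name__ == "__main__":
    print(first_overflow())                                   # 1997-01-01 21:24:16
    print(encode(first_overflow() - timedelta(seconds=1)),    # FFFFFFF
          encode(first_overflow()))                           # 10000000
    print(clock_ahead_check(datetime(1996, 12, 1), 60))       # fails on 1997-01-02
```

A Y2K test plan that only sets the clock to 1 Jan 2000 would have sailed past this one; walking the clock forward a day at a time through the next few months, as the contributor suggests, is what catches a field-width rollover with an arbitrary date.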
BT recently merged with MCI to form Concert; will MCI be following suit? Is the 18-week grace period long enough for previously complacent suppliers to rectify their systems? [*Electronic Telegraph*, City News, 9 January 1997] [The 'red card' references are to a game called football, played here in the UK, where a red card signifies that a player is sent off the pitch for an offence such as kneecapping an opponent or beating up a spectator. This game has nothing whatsoever to do with American football or Australian-rules football, and is *not* called soccer. L.] <URL:http://www.telegraph.co.uk:80/et?ac=000111464113065&pg=/et/97/1/9/cbt09.html> includes links to related resources and previous articles on the millennium bug. BT IN 'RED CARD' ALERT TO SUPPLIERS OVER 2000 By Roland Gribben BRITISH Telecom is warning suppliers that they will be shown the ``red card'' and be sacked if they cannot produce evidence that they are working to change their computer and information technology systems to cope with the year 2000 date change. The group has written to its 1,800 suppliers and drawn up a green, amber and red coding system to detail the state of preparedness. ``Red'' suppliers are in danger of being removed from the list of suppliers. More than half BT's suppliers have yet to answer inquiries about the change, according to the latest edition of Computer Weekly. Milli Lewis, BT's year 2000 project manager, said: ``We are starting an escalation process which will lead to BT not trading with suppliers after an 18-week warning.'' BT has already started planning for changes in its computer network and aims to have everything in place by the end of next year, but along with other major groups also deeply involved in the exercise, it is worried that other companies down the supply chain will not be ready.
The telecommunications group is ready to step up the pressure on suppliers it feels are failing to demonstrate they are taking the change seriously and could start weeding out the laggards by March. It has a team of managers available to help companies tackle the problem. <URL:http://www.sat-net.com/L.Wood/><L.Wood@ieee.org>+44-1483-300800x3435
In response, Michael C Voorhis wrote, > Actually, it appears, you don't need to register in order to use that URL. > It already has my "user code" attached to it. >http://www.the-times.co.uk/news/pages/tim/97/01/06/timbizbiz01012.html?1297596 > The correct URL for the web page is included above, everything to the > right of the question-mark in the URL above specifies that I'm reading > the article I would imagine. > > Hmm. I suppose as a RISKS reader I might have checked this, but I did not. > A risk associated with passing URLs to other people, via e-mail? Good question. Other people can now pretend to be you to the site, and browse the site without registering, giving false reading preference information to the site. This is arguably good for web users as a whole, many of whom dislike having their preferences tracked, but bad for the content provider and for the user allocated the URL if the URL owner attempts to do customised profiling, page output or secure transactions based on the supplied data. The registration could be made more secure, with name and password required each time for access instead of a bookmarkable identifier-in-URL - but many sites have gone away from that model, since it discourages casual use. Here in the UK, the Electronic Telegraph, which I'm more familiar with, uses a similar identifier-in-cgi-for-state-machine URL. <URL:http://www.telegraph.co.uk/> They've completely redone their identifier system, requiring that people reregister, three times since going online in 1994, presumably due to running out of allocation numbers (new URLs are considerably longer) and/or wanting to purge 'old' users from their database. I don't know what data is generated or how the ET plans to move to a payment system for searching their archives, which have been on a 'free trial' basis for the last couple of years.
Open, easily-subverted registration systems like these provide a risk to the overall quality of the provider's tracking data and a risk to the individual registered, but it's probably an acceptable risk to society as a whole, IMO, since it's convenient and makes the content referrable. For the user so inclined, it's a great way of increasing your privacy by providing inaccurate data and fudging the data generated to track your reading interest. Anyway, when you registered the only true information you provided was a valid e-mail address for automatic verification - right? The online newspapers are starting from a mass of unverified information, and the tracking information can't make it any better. Entropy goes one way, and (in this case) I can't see the ET easily moving to a payments model for their search engine any time soon. <URL:http://www.sat-net.com/L.Wood/><L.Wood@ieee.org>+44-1483-300800x3435
Recently, there was a message posted in this forum of data collection services and a list of contacts to have yourself removed from them. I contacted several of those services and was surprised by the response from Bigfoot. Apparently, their database is one-way although I can subscribe to their service and *modify* my profile. > From: Admin@Bigfoot.com (Bigfoot Admin) > Subject: Re: REMOVE > Date: Fri, 03 Jan 1997 09:08:26 -0500 > ... > Currently, we can not delete listings that have already been > entered in our database. However, you may edit your profile to > become unlisted and therefore have no information visible to > anyone searching for you on our directory. Just follow the > following steps to change your status: I do not know how Bigfoot collected my e-mail addresses (they have collected both past and present e-mail addresses) but spammers tend to collect addresses by scanning the USENET. To battle the onslaught of spam I no longer use a valid return address in my news postings. I wish that were not necessary. The risks? First, unknown to the people, companies collect information on them and freely advertise it. Imagine the repercussions for battered women hiding from their spouses. Second, you may or may not have any rights regarding the information about you they make available. Lastly, to protect ourselves we are being forced into an anonymous society. -dpg
I was looking through the logs of our HTTP server and saw a large block of accesses from widener.archive.org. It looked like they were sequentially downloading each page on our server, but I didn't recognize the address as being one of usual search services. I checked out their web site (www.archive.org) and it looks like they are systematically making and storing copies of everything they can access over the Internet. Their pages talk about what a great research tool their database will be for future 'net historians, but also says that it will be a treasure-trove for marketers and entrepreneurs. I didn't find a discussion of their position on the copyright issues their project brings up, but I doubt that wholesale copying of entire sites without any human intervention or commentary is 'fair use', especially considering the American Geophysical Union v. Texaco case (RISKS 16.68). At more than 1 TB of text and images copied off of the 'net (and 100GB more each week), they could have the largest archive of violated copyrights in the world. Giving them the benefit of the doubt (that they aren't maliciously copying other people's work for profit), a risk is that one's enthusiasm for a new medium or technology can blind one to the existing legal guidelines that apply to one's project. I don't really have the interest or resources to pursue an infringement suit, but I bet someone else (like an artist, publisher, or software company) will, especially if the Internet Archive starts allowing access to their data. Another risk for people with Web pages is that every rant or embarrassing picture that you publish on the Web (and later think better of and remove) could now be accessed by future generations without your control. It could be argued that posting to Usenet implies a certain loss of rights to control the fate of your message, given the nature of Usenet distribution. I wouldn't think the same is true for Web pages (but I have no qualifications in IP law).
Tim Slagle, slagle@colorado.edu, http://optics.colorado.edu/~slagle
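[Added example, not the contributor's code and nothing to do with the Internet Archive's software: the log check behind the observation above, a pass over HTTP server access logs that groups requests by client and flags any client that pulled many distinct pages at a steady, machine-like rate, the signature of a whole-site crawl rather than a reader. The log lines are constructed in Common Log Format with invented hosts (crawler.example, reader.example); the thresholds are assumptions to tune for a real server.]

```python
# Added example: flag whole-site crawls in HTTP access logs. Not the
# contributor's code; the sample lines below are constructed and the hosts
# and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_crawlers(lines, min_pages=5, max_seconds_per_page=5.0):
    """Group GETs by client host; flag hosts that fetched at least `min_pages`
    distinct paths at an average spacing of `max_seconds_per_page` or less.
    Returns {host: (distinct_pages, seconds_per_page)}. A human reader revisits
    a few pages minutes apart; a crawler walks many pages seconds apart."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            by_host[rec["host"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()
        pages = {path for _, path in hits}
        if len(pages) < min_pages:
            continue
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        per_page = span / (len(pages) - 1)
        if per_page <= max_seconds_per_page:
            flagged[host] = (len(pages), round(per_page, 1))
    return flagged


# Constructed sample log (not real traffic): one host walking the site at a
# fixed two-second cadence, one reader coming back to a couple of pages.
SAMPLE_LOG = [
    'crawler.example - - [10/Jan/1997:09:00:00 -0700] "GET / HTTP/1.0" 200 2048',
    'reader.example - - [10/Jan/1997:09:00:01 -0700] "GET /index.html HTTP/1.0" 200 2048',
    'crawler.example - - [10/Jan/1997:09:00:02 -0700] "GET /a.html HTTP/1.0" 200 512',
    'crawler.example - - [10/Jan/1997:09:00:04 -0700] "GET /b.html HTTP/1.0" 200 512',
    'crawler.example - - [10/Jan/1997:09:00:06 -0700] "GET /c.html HTTP/1.0" 200 512',
    'crawler.example - - [10/Jan/1997:09:00:08 -0700] "GET /d.html HTTP/1.0" 200 512',
    'crawler.example - - [10/Jan/1997:09:00:10 -0700] "GET /e.html HTTP/1.0" 404 0',
    'reader.example - - [10/Jan/1997:09:03:30 -0700] "GET /about.html HTTP/1.0" 200 900',
    'reader.example - - [10/Jan/1997:09:05:00 -0700] "GET /index.html HTTP/1.0" 304 0',
]

if __name__ == "__main__":
    for host, (pages, per_page) in find_crawlers(SAMPLE_LOG).items():
        print("%s: %d distinct pages, one every %.1fs" % (host, pages, per_page))
```

Run it against a real log with `find_crawlers(open("access_log"))`; the distinct-page count matters more than the raw hit count, since a single reader reloading one page can rack up hits without ever looking like a site copy.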
The Seventh Conference on Computers, Freedom, and Privacy CFP'97 : Commerce & Community, 11-14 March 1997 San Francisco Airport Hyatt Regency; Burlingame, California CFP'97 will assemble experts, advocates, and interested people from a broad spectrum of disciplines and backgrounds in a balanced public forum to address the impact of new technologies on society. This year's theme addresses two of the main drivers of social and technological transformation: How is private enterprise changing cyberspace? How are traditional and virtual communities reacting?
Topics in the wide-ranging main-track program will include:
  Perspectives on Controversial Speech
  The Commercial Development of the Net
  Governmental & Social Implications of Digital Money
  International Perspectives on Cryptography
  Cypherpunks & Cybercops
  Regulation of ISPs
  Spamming
  Infowar
  Intellectual Property and Info-Property
  The 1996 Elections: Creating a New Democracy
  The Coming Collapse of the Net
In addition, there will be parallel-track lunch-time workshops:
  The Case Against Privacy
  How a Skiptracer Operates
  Cyberbanking
  How the Architecture Regulates Rights in Avatar Cyberspace
  National I.D. Cards
  Public Key Infrastructures
  European IP Law
  Sexual Harassment in Cyberspace
  Virtual Communities
  Domain Names
  Archives, Indexes & Privacy
  Government Regulation of E-cash
  Crypto and the 1st Amendment
and tutorials:
  The Economics of the Internet
  Regulation of Internet Service Providers
  The Latest in Cryptography
  The Constitution in Cyberspace
  Info War: The Day After
  Personal Information and Advertising on the Net
  Transborder Data Flows and the Coming European Union
  Intellectual Property Rights on the Net: A Primer
A complete conference brochure and registration information are available on our web site at: http://www.cfp.org For an ASCII version of the conference brochure and registration information, send e-mail to: cfpinfo@cfp.org For additional information or questions, call: 415-548-2424