Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
During the Gulf War, computer vandals working from Eindhoven in the Netherlands cracked into U.S. government computers at 34 military sites to steal information about troop movements, missile capabilities, and other secret information; they then offered it to the Iraqis, but the Iraqis rejected it because they considered the information a hoax. Dr. Eugene Schultz, former head of computer security at the U.S. Department of Energy, has told the British Broadcasting Company: "We realized that these files should not have been stored on Internet-capable machines. They related to our military systems, they related to Operation Desert Shield at the time, and later Operation Desert Storm. This was a huge mistake." (*London Telegraph*, 23 Mar 1997; Edupage, 25 Mar 1997)
The Clinton administration will introduce more legislation on encryption technology export, in addition to the three bills already pending in Congress. The latest effort seeks to help develop an electronic key management infrastructure that would allow U.S. users to employ any encryption they want, and would, among other provisions, spell out the legal circumstances for handing over keys to law enforcement officials. The other bills pending are: the Security and Freedom Through Encryption Act, the Promotion of Commerce Online in the Digital Era bill, and the Encrypted Communications Privacy Act. (InfoWorld Electric 21 Mar 1997; Edupage, 25 Mar 1997)
Excuse me Sir, but would you watch my Golden Goose while I go get a cup of coffee? Published in the *Portland Oregonian*, 25 Mar 1997, p.2, Around the Nation: Thieves steal license machines MIAMI - Last year, Florida bought computers to make driver's licenses that are virtually impossible to counterfeit. But brazen South Florida thieves have been stealing the computers, sometimes later returning to the scene to pick up accessories. In seven burglaries at five virtually unprotected driver's license offices from Key Largo to Okeechobee, crooks have gathered the $15,000 computers, software and supplies for five complete systems -everything they would need to crank out the state's new high-tech, counterfeit-resistant licenses. Yup, only our high-tech systems can make our high-security, tamperproof, extremely valuable documents. And you can't just buy one of these system just anywhere... Gary Grossoehme, Oregon Electronics [Also commented on by Bob_Frankston@frankston.com, who notes that if the new licenses are considered "foolproof", it only increases their value! PGN]
Gregory Williamson was released from jail after his girlfriend Kim Starke faxed to jail officials a bogus letter supposedly from the Pennsylvania Governor's office, ordering his release. He was subsequently recaptured after he tried the same technique to get his former cellmate released, sending a fax that appeared to be from Florida Governor Lawton Chiles' office — someone had bothered to check with Chiles' office. Starke formerly worked for a printing company, and investigators found computers and disks containing official seals for various state offices in her apartment. [Source: AP US & World 26 Mar 1997, Associated Press via CompuServe's Executive News Service, PGN Abstracting] [DMK: Corel Draw 3, I wonder?] [For newer RISKS readers, we note that jail spoofing is of course old hat. William Londono (an alleged cocaine dealer) was released from Los Angeles County jail in 1987 based on a bogus e-mail message, and Jean Paul Barrett (a convicted forger) was released from a Tucson jail on the basis of a forged fax. Earlier, a Santa Clara inmate had gotten access to the prison computer and simply changed his own release date. PGN]
I understand, from discussions with public works departments and from glancing views of the insides of controllers, that traffic signals are controlled by software, now. A recent accident in San Francisco, in which both drivers and witnesses state they they had green lights caused me to remember some instances where I have seen modern signals go all green. (These were all stand-alone signals with no remote controls at all.) This is obviously a serious danger to traffic, if it occurs at all. It is made worse because no one seems to believe that it is possible. I have talked to public works people and police, who all have told me that it is impossible. Sure, it quite likely is, for old-style timer and stepper relay controlled signals, but what about the new types? Has anyone else seen signals go all green?
As you may have read, there was a problem with the banks automatic clearing system earlier this week, and records for salary payment in the UK did not all get processed in time. With Easter this weekend, Good Friday a bank holiday and also Easter Monday, people whose salary was not paid, would find that the ATMs might not allow them money, because their accounts were out of funds. With two extra days when banks are closed making a period of four consecutive days, customers could well be placed in a difficult position. I checked with my bank today, once via the telephone banking service, once in the branch and once via an ATM. The first check showed no money, the second and third showed GW had paid the money and I would not be penniless over Easter, on account of the bank clearing problems in the press today. So everyone else in GW should be OK, but while using the ATM to query another account, it failed to make the transaction. I can only assume that the extra traffic levels because of the newspaper comment are resulting in overloads at the banks ATM computer centres. So we have at least two problems here. The first is the failure to process all the records through the clearing system in time. The exact reason has not been given as yet. The second problem is the long "weekend" and the impact on customers. Thirdly the press coverage nwo increasing the load on the ATM system, and you have a very interesting situation. One simple failure causes a series of consequences, which may trigger further failures, a domino effect. Now the press are saying that the banks won't charge for people overdrawn as a result. I guess that will be quite taxing for people to sort that out after the event. Even if as it has been said that only a small percentage of the transfers were not completed, it certainly is already having a wide impact. At least one of the TV News desks were trying to speak to "a bank" and not getting through this morning. so BT will finding its network is having extra loadings in unusual patterns. Of course the clocks go forward in the UK this weekend too ... on some computers, but we know the problems that often presents. ... and you think that the y2k problem is not really one ... Advanced Technology & Informatics, Glaxo Wellcome Medicines Research Centre +44 (0)1438 76 3222 lordjohn@dial.pipex.com lordjohn@lordjohn.demon.co.uk
An article in the Swedish newspaper, Svenska Dagbladet http://www.svd.se/svd/ettan/ettan_97-03-22/privatpersons.html describes proposed legislation that, if passed, would offer constitutional "Freedom of Speech," protection to Internet publications, equivalent to those granted to traditional paper publications. (Swedish constitutional protections are generally, but not totally, comparable to American practice — and I'm not qualified to discuss this in detail.) The "Media Committee" [the article wasn't clear as to whether this is a parliamentary committee or a non-governmental source] does not believe that the Internet itself should be covered by constitutional protection, due to the inability to maintain the principal of "ansvarig utgivare" [responsible editor — a known individual who has legal responsibility for what is written in the publication]. On the other hand, this does not mean that the Internet is totally beyond the law as, for example, threats against national groups can be prosecuted under existing criminal law. There is one interesting limitation in the legislative proposal: that an Internet publication would receive constitutional protection by ''requesting an "utgivnings bevis" [publication manifest] from the Radio and TV Commission.'' The limitation is that the reader shall not be permitted to modify the material. This would appear to exclude unedited chat rooms, list servers, or unmoderated news groups. Anonymity (on the part of the editor) would also be forbidden. [Note: this is more of a summary than a direct translation. Svenska Dagbladet is a major national newspaper. Articles on their web page generally disappear after a week, but can be retrieved for a fee. There are several terms of art, such as "ansvarig utgivare" that have very specific meaning in Swedish law, and my translations should not be trusted. The Swedish "grundlag" [constitution] is the basis for the Swedish legal system. Of interest here are (using American terms) the freedom of the press and freedom of expression laws. These grant citizens the right to publish without prior governmental hindrance. This freedom does not permit high treason, threat against national groups, illegal description of violence, and slander.] Martin Minow minow@apple.com
Excerpted from: EFFector Vol. 10, No. 04 Mar. 17, 1997 editor@eff.org A Publication of the Electronic Frontier Foundation ISSN 1062-9424 * Web Link Lawsuits Raise Serious Questions Comments of the Electronic Frontier Foundation on Web Content Linkage Lawsuits Mar 17 1996 In an action similar to a (settled) legal threat over "inlining" of copyrighted comic strip graphics in a third party web page, a host of publishing companies have filed suit in New York City federal district court against a company called TotalNews. TotalNews uses the experimental "frames" extension to Web code to point their site's visitors to various news sources around the Web. CNN, Washington Post, Dow Jones, Times Mirror and Reuters, who have filed the suit, allege that TotalNews' practice of displaying the content of the various companies' news sites within a "frame" with TotalNews' banner ads, is a violation of the companies' rights. [...] Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc. [Recall the Shetland Times suit, RISKS-18.64 and 78. PGN]
Courtesy of the COMTEX Newswire via CompuServe's Executive News Service:
COMTEX Newswire 25 Mar 1997
****Hungary's Matav Admits Internet ID/Password Leak
> BUDAPEST, HUNGARY, 1997 MAR 25 (Newsbytes) — By Sylvia Dennis. Matav,
> the former state telco in Hungary, has been forced to admit that security
> in its Internet division is not all it could be. Following an anonymous
> post to several Hungarian mailing lists, the Internet service provider
> (ISP) has admitted that around 1,200 IDs and passwords for the MatavNet
> may have fallen into the wrong hands.
> The saga started last week when an anonymous set of messages started
> appearing in the Hungarian Usenet newsgroups, claiming that the poster had
> obtained a list of MatavNet IDs and passwords, and that the files had been
> leaked because of the ISP's security failures.
1200 subscribers were signed up for accounts in the second quarter of 1996
and were given accounts were the password was their billing ID number. The
ISP published the ID numbers a "few months ago ... with predictable
results." The ISP published the list to alert users to change their
passwords (DMK:?!?).
> The incident has similarities to a security problem caused in the
> mid-1980s by Telecom Gold, British Telecom's e-mail company, Newsbytes
> notes. Telecom Gold officials released 100's of IDs in the ICL001 to
> ICL999 ID group to ICL Computers, but allocated the IDs as passwords as
> well, and told ICL staff what they had done.
Hackers responded predictably within days. It took weeks to discover the
problem, resulting in several thousand pounds lost.
Ameritech and Deutsche Telekom are major investors in MatavNet.
> MatavNet's Web pages are at http://www.datanet.hu .
You've probably heard about the infamous bug that lets people run code on your system. Well, really, it's quite a lot worse than that, and Microsoft is not telling you. Why aren't they telling you? I don't know. It is possible for someone to steal any file on your system. This includes your password files, your INI files - anything at all. I have informed Microsoft about this serious hole, and sent them instructions on how to duplicate it, but this has not caused them to escalate their warnings in any way. I think they're hoping nobody finds out about it. (Remove asterisks from my address if you would like to reply. Andre) [Ah, yes, by all means, avoid the aste-RISKS of being spammed! And if you have questions, please direct them to Andre, cc RISKS. PGN]
Forwarded from Edupage, 25 March 1997:
| SPAM BLOCK
| A California software engineer [Ron Guilmette] takes the annoyance
| caused by unsolicited e-mail messages seriously, and has developed an
| anti-spam weapon he plans to unveil next month. Dead Bolt allows
| online users to share their "blacklists" of spam purveyors so that they
| can more effectively filter offending e-mail. "The problem now is that
| everyone who is filtering is keeping their own blacklists and they're
| not working together to tie their lists together in a meaningful way,"
| says Dead Bolt's creator. "What I hope my package will do is allow
| people to work together over the Net and filter all this stuff out and
| finally put these people out of business....The problem is that it
| costs the sender virtually zero dollars to send out a million messages,
| and even if the response rate is minuscule by all standards — say .001
| percent — they've made money. So from an economic selfish point of
| view, it's in their interest to annoy the other 99.99 percent of the
| people." (Miami Herald 24 Mar 97)
The full Miami Herald article is available at:
http://www.herald.com/archive/cyber/techdocs/056735.htm
Some of the risks of automatic spam filtering which Deadbolt will have
to overcome in order to be successful include:
— The risk of false and malicious blacklisting of non-spammers.
— The risk of harm to innocent bystanders who happen to share
hostnames, ISPs, or other characteristics with targeted spammers.
— The possibility that spam messages will avoid detection by
varying return addresses and other signatures in each copy of
a message.
I find the first two particularly troubling — were an imperfect spam
filtering system in wide use, then triggering it against an innocent
party could become a handy form of denial-of-service attack.
Published details of Deadbolt are sketchy, but a Deja News or Alta
Vista search of Usenet for "Ron Guilmette" reveals some of its
designer's thinking on the subject. So far, I don't see enough to
convince me that he will be successful.
Prentiss Riddle riddle@rice.edu
The news is awash with stories of the Rancho Santa Fe (by some measures, the most affluent community in the US) apparent religious-cult mass suicide yesterday. [39 dead.] The reports mention that 4 or 5 of the victims were web programmers. Beyond the obvious Y2K risk of losing your programmers to Millennium cults, this may bring to the public consciousness the risk of a doomsday cult seeking to destroy the Net, which of course leads to the risk that the public may become paranoid about that risk. Paranoid nontechnical people may be a worse risk than malicious technical people. Joel Garry joelga@rossinc.com
In an article in the Swedish newspaper, Svenska Dagbladet, http://www.svd.se/svd/ettan/dagens/tusenarsskiftet.html Jan Freese, the general director of the Swedish PTT, estimated that that the total national cost [not just the PTT] for fixing the year 2000 problem will be roughly SKR 30,000 ($4,000) per Swedish citizen. He made his estimate based on a report by Capers Jones, "Global economic impact of the year 2,000 software software problem." That report estimates the total cost of fixing the problem as roughly comparable to the total Swedish GNP for the entire 1980's. One paragraph from a long, interesting, article, quickly summarized. The Capers Jones report (from Software Productivity Research of Burlington, Massachusetts) might be worth pursuing. Their web page is at http://www.spr.com/ and Capers Jones report is at http://www.spr.com/library/y2k00.htm (follow the link to the current version). Martin Minow minow@apple.com
> [I suppose it might add to the hypothetical risks if the ship were to > cross the equator for the first time precisely at the Y2K midnight! PGN] The most dangerous spot might be on the equator and on the international dateline at Y2K +/- 1 day. Martin Ewing, Science & Engineering Computing Facility, Yale University 73 de AA6E martin.ewing@yale.edu, 203-432-4243, http://www.yale.edu/secf/ [Also noted by Jason Yanowitz <yanowitz@jimi.hmm.com>. I should also have mentioned the international date line, but I was thinking primarily of the F-16 whose software simulation detected the bug that had caused the virtual plane to turn upside down when crossing the equator, because a programmer had forgotten the relevance of the latitude sign. PGN]
This is an amusing article. Having once worked in the marine industry, I have heard stories like this over and over. The level of computerization on many working boats continues to be low (outside of radar, GPS and the like) because of the number of stories like this that get told and retold. The technical problems of shipboard systems are fairly straightforward: you are dealing with mission-critical systems which are subject to heat, humidity, occasional quantities of salt water, inept workers and various permutations thereof (let me tell you about the one where a high-speed fish filleting line's automation system had the control door left open during the daily cleaning, and was subjected to 60PSI salt water). These sort of problems can be engineered around with backup systems, industrial- grade computers, and hosing down inept helpmeat with 60PSI salt water. The more common problems tend to be the same as those encountered on land. The non-technical owners of boats do not understand the intricacies of fault-tolerant systems or their associated costs. They understand that these systems are many times more expensive than systems without environmental protection or backups, and are very suspicious of suppliers screwing them (if you dealt with waterfront types on a regular basis, you would be too). ... Thus none-too-splendid seas.
Bad variable names and poor documentation are a problem in ANY computer language, and their risks have been well known for quite a while. It should not be forgotten that some compiler implementations of yesteryear had limits on how many characters identifier names could be; I recall from some 20 years ago on the Honeywell Model 58 that had 2 different COBOL compilers- a 'MiniCOBOL' compiler which had 5 phases (and only recognized 4 characters in variable names) to the ANS 68 COBOL compiler, which used 21 phases - and up to six times longer to compile the same code for the same function. Many of the commercial packages today that I have seen and worked with (those that are delivered with source-good luck with OCO applications) do have meaningful identifier names and adequate documentation-but as with anything else, its value will be variable to the programmer assigned. Randy Holcomb (randyh@ibm.net)
I haven't seen any comments on this in recent RISKS articles, so I thought I'd mention it. On 15 Mar 1997, David Lawrence warned in news.admin.announce that control messages had been posted in his name which exploited a bug in versions of innd prior to 1.5.1. The deviant messages mailed passwd and inetd configuration information to a number of addresses. CERT has issued an advisory (CA-97.08.innd) concerning this. What I find interesting about this is the comparison between this attack and RTM's 1988 Internet Worm. The original worm expended a lot of effort to move from one machine to another, propagating itself. The design of the USENET control system does exactly that. Usenet control messages *are* worms, performing a usually benign task. For more information, see: ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd. I'd give a reference to David Lawrence's message too, but our news system has undergone a sudden complete re-install, and we no longer have the article available. :-) steve
I recall a similar story in the news. The recipient of an ``impossible'' erroneous deposit withdrew it as a bank cashiers' check and locked it in his safe deposit box at the same bank. He demanded and received a public apology in exchange for the return of the check. About 20 years ago, a bank gave me a $32,000 check in exchange for a $320 withdrawal. The teller erred in keying the amount into the imprinter. The bank teller supervisor agreed that I could have cashed it (with a raised eyebrow, no doubt) at the other local bank where I held an account. Since then, I've noticed that the banks have imposed a one-day hold on cashiers' checks. That is insufficient for them to actually receive the funds, but is probably adequate for a few basic fraud safeguards.
In RISKS-18.93, Stefak Zaba writes that random-number servers on the
Internet should not just PGP-sign but also encrypt their data, if such data
is to be used for trusted applications.
Numerous attacks are known against many different cryptographic algorithms,
including RSA, which allow statistical information to be gained about
certain bits or the combination of certain bits in the plaintext message.
In order to prevent any of this statistical information about the random
numbers from being stolen en route to the consumer, the consumer would have
to use only "hard core" bits of the message. That is, bits which have been
proven such that gaining any statistical information about them is
equivalent to breaking the cryptographic algorithm.
This situations demonstrates the risks inherent in trusting a
tool/technology which has proven excellent at solving one problem to solve
other related problems, when the tool may or may not actually have the
required properties.
Ref. Advances in cryptology, {EUROCRYPT} '95: Kouichi Sakurai
and Hiroki Shizuya. Universal hash functions and hard core bits.
Jeff Nelson <corba@acm.org> See also http://www.dialogosweb.com
I wonder how many people looked into the random number generator
incorporated into Linux kernel. It tallies the random events happening in a
running system (various interrupt intervals---keystroke, disk access, etc),
and constructs random bits based on them. It is written to block if you try
to read too many bits ('entropy pool' emptied out).
I haven't looked into the implementation, but I'm sure there are people on
this list who can pass a judgement on the strengths/weaknesses of this
approach.
przemek klosowski, Reactor Division, National Institute of Standards and
Technology Gaithersburg, MD 20899 1-301-975-6249 <przemek@nist.gov>
Please report problems with the web pages to the maintainer