[via Dave Farber <email@example.com>] It is a great privilege and we are excited to announce that at 13:25 GMT on 19-Oct-1997, we found the correct solution for RSA Labs' RC5-32/12/7 56-bit secret-key challenge. Confirmed by RSA Labs, the key 0x532B744CC20999 presented us with the plaintext message for which we have been searching these past 250 days. The unknown message is: "It's time to move to a longer key length"

In undeniably the largest distributed-computing effort ever, the Bovine RC5 Cooperative (http://www.distributed.net/), under the leadership of distributed.net, managed to evaluate 47% of the keyspace, or 34 quadrillion keys, before finding the winning key. At the close of this contest our 4000 active teams were processing over 7 billion keys each second at an aggregate computing power equivalent to more than 26 thousand Pentium 200s or over 11 thousand PowerPC 604e/200s. Over the course of the project, we received block submissions from over 500 thousand unique IP addresses.

The winning key was found by Peter Stuer <firstname.lastname@example.org> with an Intel Pentium Pro 200 running Windows NT Workstation, working for the STARLab Bovine Team coordinated by Jo Hermans <Jo.Hermans@vub.ac.be> and centered in the Computer Science Department (DINF) of the Vrije Universiteit (VUB) in Brussels, Belgium. (http://dinf.vub.ac.be/bovine.html/). Jo's only comments were that "$1000 will buy a lot of beer" and that he wished that the solution had been found by a Macintosh, the platform that represented the largest portion of his team's cracking power. Congratulations Peter and Jo! Of the US$10000 prize from RSA Labs, they will receive US$1000 and plan to host an unforgettable party in celebration of our collective victory. If you're anywhere near Brussels, you might want to find out when the party will be held.
US$8000, of course, is being donated to Project Gutenberg (http://www.promo.net/pg/) to assist them in their continuing efforts in converting literature into electronic format for the public use. The remaining US$1000 is being retained by distributed.net to assist in funding future projects.

Equally important are the thanks, accolades, and congratulations due to all who participated and contributed to the Bovine RC5-56 Effort! The thousands of teams and tens of thousands of individuals who have diligently tested key after key are the reason we are so successful. The thrill of finding the key more than compensates for the sleep, food, and free time that we've sacrificed! Special thanks go to all the coders and developers, especially Tim Charron, who has graciously given his time and expertise since the earliest days of the Bovine effort. Thanks to all the coordinators and keyserver operators: Chris Chiapusio, Paul Chvostek, Peter Denitto, Peter Doubt, Mishari Muqbil, Steve Sether, and Chris Yarnell. Thanks to Andrew Meggs, Roderick Mann, and Kevyn Shortell for showing us the true power of the Macintosh and the strength of its users. We'd also like to thank Dave Avery for attempting to bridge the gap between Bovine and the other RC5 efforts. Once again, a heartfelt clap on the back goes out to all of us who have run the client.

Celebrations are in order. I'd like to invite any and all to join us on the EFNet IRC network channel #rc5 for celebrations as we regroup and set our sights on the next task. Now that we've proven the limitations of a 56-bit key length, let's go one further and demonstrate the power of distributed computing! We are, all of us, the future of computing. Join the excitement as the world is forced to take notice of the power we've harnessed. Moo and a good hearty laugh.

Adam L. Beberg - Client design and overall visionary
Jeff Lawson - keymaster/server network design and morale booster
David McNett - stats development and general busybody
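To make the announcement's numbers concrete, here is an added example (written for this digest item, not the distributed.net client or RSA Labs' code): a pure-Python RC5-32/12/b block cipher, the parameter set of the contest, plus the keyspace arithmetic behind "47% of the keyspace, or 34 quadrillion keys" and the 7 billion keys/second rate. The key 0x532B744CC20999 is the value quoted above; treating it as a big-endian 7-byte RC5 key is an assumption, and the 8-byte plaintext block is constructed for the demo (the contest's actual ciphertext and IV are not on this page).

```python
"""RC5-32/12/b block cipher in pure Python, with the work-factor
arithmetic behind the 56-bit contest figures.  Added example for this
digest item; it is not the distributed.net client code.  The key value
0x532B744CC20999 is quoted from the announcement (its byte order as a
7-byte RC5 key is assumed here); the plaintext block is constructed."""

W = 32                              # word size in bits (the "32" in RC5-32/12/7)
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9   # RC5 key-schedule constants for w = 32


def _rotl(x, y):
    """Rotate a 32-bit word left by y mod 32 bits."""
    y &= W - 1
    return ((x << y) | (x >> (W - y))) & MASK


def _rotr(x, y):
    """Rotate a 32-bit word right by y mod 32 bits."""
    y &= W - 1
    return ((x >> y) | (x << (W - y))) & MASK


def expand_key(key, rounds=12):
    """RC5 key schedule: a b-byte key becomes t = 2(r+1) round subkeys."""
    u = W // 8                                   # bytes per word
    c = max(1, (len(key) + u - 1) // u)          # key words (7 bytes -> 2 words)
    L = [0] * c
    for i in reversed(range(len(key))):          # load key bytes little-endian
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):               # mix key material into S
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def encrypt_block(S, block, rounds=12):
    """Encrypt one 8-byte block (two little-endian 32-bit words)."""
    A = (int.from_bytes(block[:4], "little") + S[0]) & MASK
    B = (int.from_bytes(block[4:8], "little") + S[1]) & MASK
    for i in range(1, rounds + 1):
        A = (_rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def decrypt_block(S, block, rounds=12):
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    A = int.from_bytes(block[:4], "little")
    B = int.from_bytes(block[4:8], "little")
    for i in range(rounds, 0, -1):
        B = _rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = _rotr((A - S[2 * i]) & MASK, B) ^ B
    B = (B - S[1]) & MASK
    A = (A - S[0]) & MASK
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def keys_to_search(key_bits, fraction):
    """Number of keys tried when `fraction` of a key_bits keyspace is covered."""
    return int(fraction * (1 << key_bits))


def days_to_search(key_bits, fraction, keys_per_second):
    """Wall-clock days to cover `fraction` of the keyspace at a constant rate."""
    return keys_to_search(key_bits, fraction) / keys_per_second / 86400


CONTEST_KEY = (0x532B744CC20999).to_bytes(7, "big")   # byte order assumed


if __name__ == "__main__":
    S = expand_key(CONTEST_KEY)
    pt = b"It's tim"                                   # constructed 8-byte block
    ct = encrypt_block(S, pt)
    assert decrypt_block(S, ct) == pt
    print("ciphertext:", ct.hex())
    print("keys tried at 47%% of 2^56: %.1f quadrillion"
          % (keys_to_search(56, 0.47) / 1e15))
    print("days at 7e9 keys/s: %.0f" % days_to_search(56, 0.47, 7e9))
```

Two things the arithmetic shows: 0.47 x 2^56 is indeed about 34 quadrillion keys, and at the closing rate of 7 billion keys/second that fraction would take only about 56 days, not 250; the contest took longer because that rate was reached only at the end. Doubling the key length to 64 bits multiplies the work by 256, which is the practical content of the recovered message.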
In his book, ``Caging the Nuclear Genie'', Admiral Stansfield Turner describes an incident that occurred on 3 June 1980 when he was President Carter's CIA director. Colonel William Odom alerted Zbigniew Brzezinski at 2:26 a.m. that the warning system was predicting a 220-missile nuclear attack on the U.S. It was revised shortly thereafter to be an all-out attack of 2200 missiles. Just before Brzezinski was about to wake up the President, it was learned that the ``attack'' was an illusion -- which Turner says was caused by ``a computer error in the system.'' His book makes various suggestions that would greatly reduce the threats of accidental nuclear war. ``We have had thousands of false alarms of impending missile attacks on the United States, and a few could have spun out of control.'' [Source: Keay Davidson, *San Francisco Examiner*, in the *San Francisco Sunday Examiner and Chronicle*, 19 Oct 1997, p. A-17.]
The good news is that the computer systems of the major stock exchanges (notably NYSE and NASDAQ) seem to have held up superbly during the recent monster trading days on 27 and 28 October 1997. Yesterday, the NYSE and NASDAQ each handled over a billion shares for the first time ever, with the former at 175% of the previous blockbuster day. The bad news is that those folks who relied on the Internet to do their panic trading were in for a rough time. There were huge numbers of e-trades already queued up before opening, causing an early traffic jam. Joseph Konen of AmeriTrade Holding blamed some of the delays on limitations of its firewall technology. Many would-be Internet buyers and sellers simply could not get access, in part because their Internet service providers were saturated. Many customers were blocked out because others were tying up lines just to monitor the market. Illustrating the extent to which Internet trading has become a part of the markets, Schwab normally does 35 percent of its trading on-line; yesterday's trading of more than 300,000 on-line transactions more than doubled their Monday load and tripled their typical day. [Various sources, including a front-page item by Herb Greenberg in the *San Francisco Chronicle*, 29 Oct 1997.]
HUD Firing, By JENNIFER ROTHACKER, Associated Press Writer
Courtesy of Associated Press via CompuServe's Executive News Service, AP US & World 21 Oct 1997

> WASHINGTON (AP) -- A computing error the government says cost it $3.8
> million has led to the firing of the financial services firm accused of
> making the mistake. The Department of Housing and Urban Development has
> ordered Hamilton Securities Advisory Services Inc. to reimburse the money
> and suggested it may order further retribution pending an investigation.
> The Washington, D.C.-based firm defended its work for HUD, and claimed the
> department owed it $1.6 million for work successfully completed.

o Hamilton was engaged in '93.

> An investigation ordered by HUD Secretary Andrew Cuomo to ferret out abuse
> and fraud throughout HUD concluded that Hamilton "failed to provide
> accurate financial advisory services to the mortgage note sales program"
> since its contract started in 1992, HUD said in a news release.

o The Washington Times newspaper reported Monday that the failure was in "erroneous instructions" to a computer model Hamilton used to evaluate the value of mortgage notes. HUD has not accused Hamilton of deliberate misconduct.
Courtesy of the COMTEX Newswire via CompuServe's Executive News Service: 24 Oct 1997
Hacker Threats To Defense Computer Systems

> WASHINGTON, DC, U.S.A., 1997 OCT 24 (Newsbytes) -- By Bill Pietrucha. The
> US Defense Department's unclassified computer systems are as susceptible
> to hacking as commercial and other civilian computer systems and networks,
> according to the director of the National Security Agency (NSA), who
> predicted the number of attacks will double this year from the more than
> 250 break-ins in 1996.
>
> NSA Director US Air Force Lt. Gen. Kenneth Minihan told the Association of
> Former Intelligence Officers' annual convention that more than 250
> unclassified Defense Department computer systems were "penetrated" last
> year, a number which could double in 1997. Minihan's remarks underscored
> a classified report released to the White House this past Monday by the
> President's Commission on Critical Infrastructure Protection (PCCIP),
> warning that America's infrastructure is becoming increasingly vulnerable
> to the risk of computer attack. ...
>
> "We have evidence that our known network and computer communications
> vulnerabilities are being exploited by real-world attackers," Minihan
> said. Minihan did not elaborate, nor say who the attackers are or have
> been.

Dave Kennedy [CISSP] Director of Research, National Computer Security Assoc.
Cyber Allegations (AP US & World 21 Oct 1997)

> PONTIAC, Mich. (AP) -- A woman who said she was sexually assaulted by a
> man she met through an on-line "chat room" has been ordered to turn over
> her computer for examination by the defendant's lawyer. Circuit Judge
> Alice Gilbert issued the order Oct. 8 after the defendant said another
> computer user told him that the woman had bragged on-line -- in a chat
> room called "Man Haters" -- about making up the story. The woman was
> also ordered to reveal her password and on-line aliases.

o The accused, a 26-year-old, is alleged to have pulled a knife and attacked the victim after a date on Feb 28th. Prosecutors have said they will appeal.

> "In my view, turning over somebody's computer these days is the same as
> asking to go through their diary or mail," said prosecutor John
> Pietrofesa. Inspecting computer records from the opposing side, while
> relatively new in criminal cases, has become common in civil cases, said
> Michigan lawyer and computer law expert Robert A. Dunn. In civil cases, a
> judge will institute safeguards such as making both sides sign a
> confidentiality agreement that information gleaned from computer records
> will not be disclosed outside of court, he said.

Dave Kennedy CISSP, National Computer Security Assoc
We noted in RISKS-19.12 that there are serious development difficulties in connection with SACSS, the California Statewide Automated Child Support System. The California Assembly continues to get inadequate answers on whether the system will ever work and how much more it will cost beyond the current 200% overrun. The technical problems include human interface woes -- the system has 357 screens and 57 ways of opening and closing them; data disappears, and sometimes migrates from one case to another; payments are miscalculated; and there are difficulties in communicating with other agencies. One risk is that if the system is not working adequately by the October deadline, California could lose 5% of its federal welfare funding. [Consequently, cynics might expect the system will be declared a success, even if it does not work.] Lockheed-Martin IMS is the developer of SACSS. On the up side, Lockheed also developed a smaller system for Los Angeles (with 28% of the state's cases), and that system has been running successfully since early 1995. [Source: AP item in the *San Francisco Chronicle*, 21 Oct 1995, p. A21.]
This was a banner year for corn, wheat, and soybean crops. However, the Union Pacific tie-ups noted in RISKS-19.41 have caused massive backlogs and storage problems. Grain elevators are full. Empty railroad cars are also in short supply, because with train movements in many cases running a month late, many cars are in essence being used as storage, waiting for locomotives. [Source: USA Today, 26 Oct 1997] [It may sound *corny*, but *rye* humor is not funny in *oat cuisine*, especially if we do not have *enuf wheat* in *neuf huit* (98). PGN]
Security flaw found in Wave, by Geoffrey Rowan (*The Globe And Mail* News Wire) Everybody wants to move fast on the Internet, but some users of the high-speed access service called the Wave have inadvertently given up privacy and security to get their fast connection. Jim Carroll, co-author of The Canadian Internet Handbook and a user of the Wave, a service provided by Toronto-based Rogers Cablesystems Ltd., said he discovered the security flaw by accident and has published the details in the 1998 version of his book. He fired up his computer, checked his network connections, and found that he could look into, copy, change, delete and print files from the computers of some of his neighbours who are also Wave customers. Rogers, which knows about the problem and has been trying to warn its customers, said the computers of susceptible Wave users can also be infiltrated by other non-Wave Internet users. (Only customers who have connected more than one computer together and are sharing files are vulnerable.) "One fellow's [Toronto-Dominion] bank folder, for on-line banking, was right there," Mr. Carroll said. Another machine the author found open to him belonged to a Mississauga lawyer. "These were very confidential, very sensitive documents sitting there, wide open to the world," Mr. Carroll said. "It's as if you're browsing your own machine." Mr. Carroll said he called the lawyer, leaving him a detailed message warning of the security breach, but received no acknowledgment. "One fellow who I called said he was aware of the problem and was trying to figure out how to close it off." The security problem affects Wave customers who have hooked up more than one computer to their cable modem, creating their own computer network. When these customers turn on features in their computers' software that allows them to share files, they become vulnerable. 
There are only about 8,000 Wave customers, but the service is being rolled out gradually across Canada and is now available to 1.1 million households. Wave's security problem wasn't that tough for Mr. Carroll to discover. Wave officials are aware of it and warn customers at every opportunity to protect themselves. But few computer users read all the documentation. "It's on our Web site, in our end-user agreement, in the manual and in the quick reference card," said Frank Kotter, general manager of the Wave service. A quick search of Wave's World Wide Web site produced a detailed warning of the problem, examples of how it might arise and ways to fix it. [ Ed.: see www.wave.ca/HelpSec.html ] "We clearly recognize it's a problem and it's in our best interests to make sure [subscribers] are aware of the risk," Mr. Kotter said. The Wave agreement also states that when customers subscribe, they are only paying to link one computer to the service. Customers who connect more than one computer into a network and then use the Wave for Internet access, including Mr. Carroll, are in violation of that agreement.
Gerber Hoax, By MARY R. SANDOK, Associated Press Writer, Courtesy of Associated Press via CompuServe's Executive News Service, 22 Oct 1997

> MINNEAPOLIS (AP) -- On a single day this week, 15,000 pieces of mail from
> across the nation poured in to a defunct post office box in response to
> what the U.S. Postal Service calls the "Gerber Myth." The deluge, which
> has plagued a Minneapolis post office for months, stems from a rumor
> circulating on the Internet that the baby-food company is giving away $500
> savings bonds as part of a lawsuit settlement. To share in the
> settlement, parents are told to send copies of their child's birth
> certificate and Social Security card to the Minneapolis post-office
> box. ...
>
> Van Hindes, a spokesman for Fremont, Mich.-based Gerber, said the hoax has
> been circulating since January and it appeared to peak about three weeks
> ago. He doesn't blame the Internet alone. "It's more a product of the
> ease of electronic information generally now," he said. "The Internet,
> e-mail, the prevalence of fax and copy machines all have contributed." ...
>
> A corollary accompanies the "Gerber Myth": that it is the work of people
> gathering Social Security numbers and birth certificates for such things
> as creating false IDs for illegal aliens.

(The story notes that the Postal Service has detected no malicious or fraudulent intent in this particular instance. [DMK: Yet!])

Dave Kennedy CISSP, National Computer Security Assoc
While certainly not a risk, it is the cause of frustration. My VCR has a smart clock; it knows how many days to count for February, when to set the clocks back and, presumably, when to set them forward. (I haven't had it long enough to have noticed the problem before.) I could hear it happening in my half-sleep while the machine did its job. I was aware that at some point (let's say 2 am) it stopped recording, later on (oh, about a half hour later) starting up again. Not a great loss, especially since the show in question is repeated later in the day. Although this data drifted out of my head by the time I woke up, it was sucked back in at that moment when, during playback, my show was replaced by an infomercial. It was quite obvious to my VCR what happened. It was supposed to record a show from 1:25 am to 2:35 am. One second after 1:59:59 it became 1-o'clock again. Not time to record yet; stop tape. This surprised me. I would have expected it to keep recording for an extra hour. Of course, at the new appropriate time, the VCR restarted its task. It gives me a warm feeling inside to KNOW that this could never happen in a crucial computer system.
This morning in the early AM hours, I attempted to withdraw cash from a cash dispenser using the Interac Network. To my surprise, I received a cryptic error message that the transaction could not be completed and that I should contact my branch. I wanted to buy cigarettes so I went back home, and pulled enough coins from the piggy bank to be able to pay for my purchase. The account I am using is over 12 years old and it is in good standing, so obviously I was dazzled as to what was wrong. This afternoon I phoned my bank and they were very apologetic and explained that their network went down in the time period I was trying to use the ATM. This was the night when our time zone reverted back to EST, and it appears that they experienced problems due to the time change. Obviously, the error message at the ATM machine contained no reference to network errors. There are two problems, as I see it:

1. If the Interac network crashes due to a predictable time zone change and needs to be reset or taken off-line while the clocks are updated, it is not a very robust system as far as time scheduling is concerned.

2. The error message at the ATM terminal is not granular enough to point out what is really wrong, and it appears to blame the customer when there is something wrong with completing a network transaction.
This is probably nothing new, but I thought I'd report my Daylight Savings problem for this year. I happened to be using my PC at 2:00 a.m. PDT, casually minding my own business, wrapped up in a game of Heroes II, and what should happen, but Win95 dumps me out of my game to tell me that it's set my clock back an hour for me. I thought that was mighty nice of it, until I discovered that not only could I not resume my game (any attempt said that the game had to be terminated), but my sound card freaked out with a weird strobe effect. [Sigh.] So I shut down my computer as cleanly as possible (which wasn't very clean at all), rebooted, noted that everything is OK, and continued my game from where I happened to save it last, a few turns back of when I got booted. And sure enough, the entire process repeats itself at 2:00 PST. You would think that for $650 million in profit a quarter, they could get a concept as basic as Daylight Savings correct. Jim [Actually, no. If that were the case, RISKS would not be able to report on such sagas TWICE EVERY YEAR, and actually more often because of the assorted switch-over dates around the world. PGN]
I watched Windows 95 attempt to adjust itself for the change from daylight savings to standard time. At 2:00 AM, the OS set the time back to 1:00 AM and presented an alert box notifying me of the change which I acknowledged. And when it was 2:00 AM again, it changed the time back to 1:00 AM again. Left unattended, this cycle may have just continued. The Windows NT server sitting next to the Windows 95 workstation seemed to handle everything properly. The risk to software dependent on time-based events is obvious.
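The VCR, Interac and Windows 95 reports above all describe the same failure mode: a timer or clock that reasons about local wall-clock time, which runs backwards once a year, instead of an unambiguous instant. The following is an added example written for this digest (not code from any contributor, and not Windows or VCR firmware) that simulates the autumn change two ways: first with the rule the Win95 report describes ("when the display reads 02:00, set it to 01:00", with no memory of having done so), then with UTC as the source of truth and the display derived from it. It also runs the VCR's 01:25-02:35 recording through both kinds of timer. The zone (PDT, UTC-7, falling back to PST, UTC-8) and the transition instant are assumed for the demo.

```python
"""Added example for the fall-back reports above; not any contributor's
code.  A simulated clock crosses the autumn transition with (a) the naive
rule 'when the wall clock reads 02:00, set it back to 01:00' and (b) UTC
as the source of truth.  Zone and transition instant are assumed."""

from datetime import datetime, timedelta, timezone

UTC = timezone.utc
DST_OFFSET = timedelta(hours=-7)                            # PDT (assumed zone)
STD_OFFSET = timedelta(hours=-8)                            # PST
FALL_BACK_UTC = datetime(1997, 10, 26, 9, 0, tzinfo=UTC)    # 02:00 PDT -> 01:00 PST
MINUTE = timedelta(minutes=1)


def naive_clock(start_local, ticks):
    """Wall-clock-only clock with no memory of having already adjusted.
    start_local is "HH:MM"; returns (number of set-backs, final display)."""
    h, m = map(int, start_local.split(":"))
    local, setbacks = datetime(1997, 10, 26, h, m), 0
    for _ in range(ticks):
        local += MINUTE
        if (local.hour, local.minute) == (2, 0):    # the rule as reported
            local -= timedelta(hours=1)             # ...fires every hour
            setbacks += 1
    return setbacks, local.strftime("%H:%M")


def utc_offset(instant):
    """Offset table: one entry before the transition, one after."""
    return DST_OFFSET if instant < FALL_BACK_UTC else STD_OFFSET


def to_local(instant):
    """Derive the displayed wall time from a UTC instant."""
    return (instant + utc_offset(instant)).replace(tzinfo=None)


def utc_clock(start_utc, ticks):
    """UTC is the source of truth; the display is derived every tick.
    start_utc is "HH:MM" UTC; returns (times the display went backwards,
    final display)."""
    h, m = map(int, start_utc.split(":"))
    instant = datetime(1997, 10, 26, h, m, tzinfo=UTC)
    prev, backwards = to_local(instant), 0
    for _ in range(ticks):
        instant += MINUTE
        shown = to_local(instant)
        if shown < prev:                            # happens exactly once
            backwards += 1
        prev = shown
    return backwards, prev.strftime("%H:%M")


def recorded_minutes(schedule_in_utc):
    """The VCR case: a 70-minute show programmed for 01:25-02:35 local on
    the night of the change.  Simulates three hours from 01:00 PDT, one
    tick per minute, and returns (minutes recorded, times the tape stopped)
    for a timer that compares wall time (False) or UTC instants (True)."""
    t0 = datetime(1997, 10, 26, 8, 0, tzinfo=UTC)           # 01:00 PDT
    show_start = datetime(1997, 10, 26, 8, 25, tzinfo=UTC)  # 01:25 PDT
    show_end = show_start + timedelta(minutes=70)
    minutes = stops = 0
    was_on = False
    for k in range(180):
        now = t0 + k * MINUTE
        if schedule_in_utc:
            on = show_start <= now < show_end
        else:
            shown = to_local(now)
            on = (1, 25) <= (shown.hour, shown.minute) < (2, 35)
        minutes += on
        if was_on and not on:
            stops += 1
        was_on = on
    return minutes, stops


if __name__ == "__main__":
    print("naive clock, 4 h from 00:30:", naive_clock("00:30", 240))
    print("utc clock,   4 h from 07:30Z:", utc_clock("07:30", 240))
    print("wall-time timer (minutes, stops):", recorded_minutes(False))
    print("utc timer       (minutes, stops):", recorded_minutes(True))
```

The naive clock sets itself back three times in four hours and ends up showing 01:30 when the true local time is 03:30; the UTC clock goes backwards on the display exactly once. The wall-time timer reproduces the VCR report: it stops at 02:00, sits idle until the repeated 01:25, and records 105 minutes with a gap in the middle, whereas the UTC-based timer records the intended 70 minutes and stops once. The general lesson is the one the Interac item draws: schedule on instants, and treat the local display as a rendering of them.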
John Long brought up the issue of screen savers consuming all available CPU bandwidth in DoD's COE. I have run into a similar problem with Windows NT, although not quite as dramatic. NT ships with a number of OpenGL-based screen savers that can consume the CPU. It appears that the screen savers run at full application priority, so they can have a dramatic impact on the performance of processes that don't involve user interaction, such as remote controlled apps and server jobs. The good news is that Microsoft did two things right along with the unfortunate setting of the screen saver's priority (which apparently cannot be adjusted down): 1. The default screen saver is "none". 2. There is a "blank" screen saver available which seems harmless. The Risk is that an idle user will pick the most visually interesting screen saver while putzing with the machine, not realizing that by doing so he has thrown away about 50% of the machine's CPU capacity. It might be interesting for NT admins to have a look around their server room with this in mind. Bill Elswick, Entertainment Technology Associates, Inc.
I don't know much about electronics in modern cars, but as an additional data point there was an incident here in Stockholm, Sweden just the other week: A policeman sitting in his car with a handheld digital radio pressed the send button, which triggered the airbag and threw the radio unit at him. The policeman wasn't badly hurt, but a directive has been issued by the Police Dept to not use these radios while in the front seat. Conclusion: Even with Europe's rather high standards for EMC (electromagnetic compatibility), there are insufficiently shielded electronics on the market. Stefan Lindstrom, Sylog AB email@example.com Tel: +46 70 833 06 26 firstname.lastname@example.org [The "o" in Lindstrom is ISO \366, altered because of complaints that the entire issue would otherwise be blocked by noncompliant hosts.]
I hope the appropriate authorities in San Francisco read RISKS-19.42 when it was released on 24 Oct 1997, so they would know in advance of the blackout, reported there as happening on the morning of 25 Oct 1997. Ken Hayman email@example.com [TNX. I fixed it (23 Oct 1997) in the archive copy. PGN]
11th IEEE Computer Security Foundations Workshop
Rockport, Massachusetts, USA, 9-11 June, 1998

This workshop brings together researchers in computer science to examine foundational issues in computer security. We are interested both in papers that describe new results in the theories of computer security and in papers and panels that explore open questions and raise fundamental concerns about existing theories. The paper submission deadline is February 6, 1997.

General Chair: Jonathan Millen, Computer Science Laboratory, SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025, USA, +1 650-859-2358, firstname.lastname@example.org
Program Chair: Simon Foley, CCSR, University of Cambridge, 10 Downing Street, Cambridge CB2 3DS, UK, +44 1223 740100, email@example.com
Publications Chair: Joshua Guttman, The MITRE Corporation, 202 Burlington Road, Bedford, MA 01730-1420, USA, +1 617-271-2654, firstname.lastname@example.org

More on-line information at <URL:http://www.csl.sri.com/~millen/csfw/>.