The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 70

Tuesday 28 April 1998

Contents

o A new kind of "sin attack"?
Keith Bostic
o Pentagon break-ins and the release of classified information
Fred Cohen
o Yes, Virginia, no classified information is ever leaked...
Identity withheld
o Bill Gates' demo of Windows 98
PGN
o Software clandestinely uploading names and e-mail addresses
Valentin Pepelea
o The problems of no human verification
Iain "Kaos" Holmes
o Re: For want of a hyphen, you get porn
Identity withheld
o Shoulder-Surfing Automated
Mark Brader
o Re: Worried about Y2K? Now there's D10K!
Gregory Bond
o "Experimenting" with the net's generosity and gullibility
George Swan
o Re: 1/3 of Microsoft apps Y2K compliant
Li Gong
o REVIEW: "Beyond Calculation", Peter J. Denning/Robert M. Metcalfe
Rob Slade
o Info on RISKS (comp.risks)

A new kind of "sin attack"?

Keith Bostic <bostic@bsdi.com>
Thu, 23 Apr 1998 12:34:22 -0400 (EDT)
Excerpted: WhiteBoard News for Wednesday, April 22, 1998
Forwarded-by: Joseph Harper <joeha@MICROSOFT.com> [Edited for RISKS.  PGN]

Polish Catholics can now plot graphs of their sins with a new computer
program designed to help them confess.  It is based on the prayer book and
poses 104 searching questions to help users track their fight against sin
and archive the results.  [See the Gazeta Wyborcza daily, 22 Apr 1998, with
the headline: "I sincerely repent.  Enter."]  Sins are listed under Biblical
commandments and according to their gravity, with a questionnaire asking
whether they have been committed or not.  [The creator of this program is
author Andrzej Urbanski.]  Sinners need not fear their darkest secrets
getting out, as files with intimate data are protected by password.

  [Sin-sation-seeking media folks will certainly try to crack the passwords
  or otherwise bypass the security controls.  Also, I suppose Special
  Prosecutor Starr will subpoena entries in the database for "Lewinski"
  along with any Poles in the left-half plane.  (Please excuse my adaptation
  of an old circuit-theory complex-analysis pun.  I guess it won't make much
  sense to novices (!), but then fixed passwords don't make much sense
  either if they fly around unencrypted.)  PGN]


Pentagon break-ins and the release of classified information

Fred Cohen <fc@all.net>
Wed, 22 Apr 1998 18:03:12 -0700 (PDT)
I saw on the news today that more "worst ever" computer breakins were
detected by the Pentagon today, and again we saw the claim that no
classified information was released.  I thought it would be worthwhile to
comment on this issue:

1) Specifics of any break-in to a classified system are classified, so it is
   unlikely that anyone would openly admit to any details of such a thing
   except in a classified forum.  The fact of breakins is not in itself
   classified (according to the classification people I have talked to) but
   many organizations view this as rather sensitive.

2) Even if no classified information were ever leaked, most of the aggregate
   national harm that could result from information in unclassified systems
   far outweighs the total amount of classified information -- the last time
   I looked, by at least a hundred to one.

3) I saw a recent story in the news on the success of NSA red-teams against
   the national power grid, government systems, and command and control
   capabilities of DoD systems (as reported via the President's Commission
   on Critical Infrastructure Protection in something the news cited as
   "Eligible Receiver"). It is noteworthy that this likely involved no
   classified systems, and yet the claim by the media is that this
   demonstrated the ability to take down the whole country.

In my mind, these and other seemingly bizarre examples lead me to question
the whole way that we think about confidentiality (and certainly
classification).  In one risk-management talk I give, I present a range of
strategies, one of them being "run faster". It seems that in almost every
commercial audience I talk to, the "run faster" strategy is embraced as far
superior to all of the other protection options at their disposal.  Perhaps
it's time that the government learned to run faster as well.

Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:510-454-0171

  [Of course, a "run faster" is someone who fasts and runs to lose weight.
  A diet restricted to systems with better security would help.  PGN]


Yes, Virginia, no classified information is ever leaked...

<Identity withheld>
Wed, 22 Apr 1998
  [Serendipitously, the following came my way.  PGN]

United States Government, Department of Energy [memorandum]
DATE: April 10, 1998
SUBJECT:    E-Mail Concerns
To: [...]

Attached for your information and use is a statement from [...] expressing
concern relative to recent occurrences involving transmission of classified
information via unsecured e-mail systems.  As requested by [...], please
provide the widest possible dissemination of this information so that all
personnel using e-mail systems are aware of this issue.

Personnel should be aware of and cautioned on the ease in which information
can be compromised through the use of e-mail; the extensive damage which can
result; and the significant impact placed on resources to resolve such
incidents.  In addition, all personnel should be reminded of their
continuing individual responsibility to always protect classified or
sensitive information in any form from potential or actual compromise,
including through the use of e-mail systems.

If you have any questions or need additional information regarding this
correspondence, please contact [...]

Attachment

United States Government, Department of Energy [memorandum]

DATE: FEB 24 1998
SUBJECT: E-Mail Concerns
[...]

Recently, it has come to my attention that there has been an increase in the
number of instances where classified information is being transmitted
through the use of our e-mail systems.  This situation is unacceptable;
action must be taken to heighten awareness regarding the potential for loss
or compromise of classified information.  In most cases, our e-mail
correspondence enjoys no protection from electronic "snooping."  The
messages are being transmitted, in clear text, across the Internet.  In some
cases, the original e-mail message has contained classified information.  In
others, as individuals modified a draft document, the aggregate of
information caused the entire document to be classified.

It is each supervisor's responsibility to ensure that his/her personnel use good
judgment prior to sending information electronically.  It is DOE policy, and
policy at all [...] sites, that information be reviewed for classification
prior to dissemination.  This is not happening when individuals are sending
e-mail messages.  Individuals must take the time to ensure that information
being sent by e-mail is ONLY of an unclassified nature.  If necessary,
messages must be checked by an Authorized Derivative Classifier prior to
being sent.

In addition, it has been noted that the Infraction Program has been
inconsistently applied.  Appropriate disciplinary action must be taken for
all instances of this type.

Please provide this memorandum the widest possible dissemination, to ensure
that all personnel are aware of this issue.  Any questions may be addressed
to the [...] Information Systems Security Operations Manager, [...].

  [An internal Daily News web site contained the following message,
  Tuesday, April 21, 1998:]

  On the home front: Yesterday someone e-mailed classified info to a
  [YYY] colleague.  Says computer security manager [BBB], "Unless we can
  rely on [ZZZ]'s good judgment, we'll be forced to funnel all e-mail
  messages through a 'text filter' that looks for key words and phrases and
  kicks out suspect messages for review by classifiers. Even the most
  sophisticated filters will slow our e-mail correspondence, internal and
  external, to snail-mail pace.  PLEASE don't assume that, because some fact
  is intuitively obvious to you, it's non-sensitive or unclassified!"
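The "text filter" the computer security manager describes is, in today's terms, a data-loss-prevention rule set, and the memo above names the two cases it has to catch: an explicit marking in a single message, and a draft passed around by e-mail that became classified only in aggregate.  The following is an added example, not part of the RISKS item and not code from any DOE system, of a filter that handles both.  The portion marks, the aggregation term sets and the sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Portion marks such as (S) or (TS//SCI), and bare classification words.
# Which marks an organisation actually uses is an assumption of this example.
MARKING_RE = re.compile(
    r"\((?:TS|S|C)(?://[A-Z]+)*\)"
    r"|\b(?:TOP SECRET|SECRET|CONFIDENTIAL)\b"
)

# Hypothetical aggregation rules.  Each term on its own is unclassified; a
# thread that combines every term of one set is classified by compilation
# and must be held for an Authorized Derivative Classifier.
AGGREGATION_RULES = {
    "weapon characteristics": frozenset({"device", "pit", "yield"}),
    "shipment details": frozenset({"convoy", "route", "departure"}),
}


@dataclass(frozen=True)
class Verdict:
    action: str            # "deliver" or "hold"
    reasons: tuple = ()    # why the message was held; empty when delivered


def _terms(text: str) -> frozenset:
    """Lower-cased word set of a text, used by the aggregation rules."""
    return frozenset(re.findall(r"[a-z]+", text.lower()))


def screen(thread):
    """Screen an outgoing message together with the thread it replies to
    (oldest first, newest last).

    The whole thread is examined, not only the newest contribution: the memo's
    second failure mode is a draft that became classified only in aggregate,
    and a filter that looks at one reply at a time can never see that.
    """
    combined = "\n".join(thread)
    reasons = []

    marks = sorted({m.group(0) for m in MARKING_RE.finditer(combined)})
    if marks:
        reasons.append("classification marking present: " + ", ".join(marks))

    present = _terms(combined)
    for name, terms in AGGREGATION_RULES.items():
        if terms <= present:
            reasons.append(f"aggregation ({name}): " + ", ".join(sorted(terms)))

    return Verdict("hold" if reasons else "deliver", tuple(reasons))


# Constructed sample traffic.  Each draft revision alone passes; the thread
# as a whole combines all three terms of the "weapon characteristics" rule.
DRAFT_THREAD = [
    "Draft v1: the device arrived at the test site on Monday.",
    "Draft v2: note that the pit was installed on Tuesday.",
    "Draft v3: still missing the measured yield, can someone fill it in?",
]

if __name__ == "__main__":
    for sample in (["Lunch at noon on Friday?"],
                   ["(S) Results from last week attached."],
                   DRAFT_THREAD[:1],
                   DRAFT_THREAD,
                   ["(C) 1998 Example Corp.  All rights reserved."]):
        print(screen(sample).action, "<-", sample[-1])
```

The last sample shows the cost the manager warns about: "(C)" is a copyright notice far more often than a portion mark, so a keyword filter holds perfectly ordinary mail, and every hold is a classifier's time.  Tuning that trade-off, not the matching itself, is what decides whether such a filter is usable at all.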


Bill Gates' demo of Windows 98

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 23 Apr 98 16:59:39 PDT
Bill Gates was giving a demo of Windows 98 (scheduled to be released in
June) at the Comdex trade show in Chicago earlier this week.  The system
crashed when a scanner was plugged in during the demo.  He had to switch to
another system.

There have been frequent comments about how Bill Gates won't worry about
something until it bites him personally (where typical values of "something"
are reliability, availability, system survivability, and SECURITY).


Software clandestinely uploading names and e-mail addresses

Valentin Pepelea <valentin@netcom.com>
Fri, 24 Apr 1998 07:48:03 GMT
TWO ITEMS:

1. NEWS.COM reports [23 Apr 1998] that Blizzard Entertainment, developer of
the popular online-playable Starcraft game has been uploading the names and
e-mail addresses of its users without their knowledge or consent.  According
to Blizzard, those names were uploaded only when the users failed to
successfully connect to their game servers, so that Blizzard employees may
call them back to help them out.  The company has come under fire from
privacy advocates, and users have complained on Blizzard's technical support
forums.  Blizzard spokeswoman Susan Wooley said today that the company would
not collect names without consent again.

2. Virgin Entertainment Inc. has published an on-line game called Subspace.
The game underwent a 2-year beta cycle, during which thousands of people
played the game for free.  Virgin finally started selling the game
commercially in December 1998.  In a recent update of the game, (required
and downloadable) the CD-ROM disk must be present in the CD-ROM drive for
the game to work.  Some inventive users have hacked the game to avoid the
CD-ROM check.  This subject was discussed on VIE's technical help bulletin
board, and the reaction of Rob Keir, an employee of VIE and developer of the
game, was frightening:

  "I added code to 1.34 to defeat this kind of crack (essentially it patches
  the DLL import table at runtime) and now, unsurprisingly, I see they have
  brought out an almost identical crack for 1.34 (which again
  works). However, we now detect this crack but have not implemented kicking
  people out for using it.  Instead, we are gathering a nice list of people
  who are abusing our game by using this crack!  Simply by playing the game
  when using this crack you are now on our blacklist!  It will be up to our
  bosses to decide what to do from hereon. Don't blame me for the
  consequences."

As far as I know, this is the first time that a company collects information
clandestinely from users sent through the Internet with the explicit
intention of hurting those users.  About half of the users of this game are
under 18.  Players are located throughout the world, so it is possible that
VIE's action is illegal in at least one country.

As a software developer, I'm not sure which risks I fear most, pirates
copying my software, or other developers writing software that uploads
information from my machine without my consent and knowledge.

"Where do you want your information to go, today?"

Valentin


The problems of no human verification

Iain "Kaos" Holmes <kaos@ctrl.com.au>
Sat, 25 Apr 1998 04:23:06 +1100 (EST)
I was talking with some friends over IRC, and there was an item on the TV
news about the CIA kids web site, so I decided to look up the URL for them.
I went to Yahoo ( http://www.yahoo.com ) to check where it might be, and after
a few clicks I found myself at

  http://www.yahoo.com/Government/Intelligence/Countries/

at this point I notice my home country Australia has a link, and make a
mental note to come back & check it out.

I return to see what is under Australia and find what claims to be a link to
ASIO (Australian Intelligence Security Organisation) but the link actually
points to

  http://armidale.nsw.uca.org.au/asio/

which turns out to be a non-existent page on the server for a diocese of a
church, nothing to do with any government intelligence organisation.

This raises a few questions in my mind:

i) Can the search engines trust the data given to them by anonymous people?

ii) Should a webserver give you an error when you have specified something
    that doesn't exist or should it try and second guess what you meant?

iii) If the answer to ii) is the latter, how do you test it?

It seems to me that someone has checked that the web spider/robot/whatever
has done something sensible, but not checked that the end result is valid, a
danger for those of us involved with automated testing.

Iain "Kaos" Holmes  Control (Australia) Pty Ltd
kaos@ctrl.com.au  http://www.ctrl.com.au/


Re: For want of a hyphen, you get porn (Willing, RISKS-19.63)

<Identity withheld>
Mon, 16 Mar 1998 13:59:28 -0500
This sort of thing sounds similar to something I discovered during a recent
incident in which my 11-year-old son attempted to access adult web sites.
As would be expected from someone his age, he gave a litany of excuses
trying to convince me he had gotten into the site by accident or due to
viruses/hackers/etc.  However, one of them turned out to be true.  BTW,
this was using Netscape 3.0 16-bit with a PPP dialup.

When I visited one of the adult sites in question, I was suddenly taken to a
different site in a fashion similar to what one sees when a site has been
moved and the old site has a "server push" pointing to the new one.
However, both sites were added to the stack (the browser's internal list of
sites), and the first site turned out to include pointers to several other
adult sites and would automatically redirect the user to a different one
each time.  The net effect of this is that when visiting one of these sites
in this manner, pressing the "Back" button takes you to another adult site,
ad infinitum.

The user can, of course, still get out by selecting "Go" from the menu bar
and backing out two or more levels, or using a bookmark or entering the name
of a site manually, but to a user who is in the habit of using the "Back"
button to leave a website this behavior is disconcerting, and is suspect
when it occurs in an adult site.


Shoulder-Surfing Automated

Mark Brader <msb@sq.com>
Wed, 22 Apr 98 00:08:21 EDT
According to TV news reports tonight (CTV National News and CFTO News),
criminals secretly installed a miniature camera in a gas station in the
Toronto suburb of Newmarket.  As customers were using debit cards to make
payments directly from their bank accounts, their fingers would be
videotaped to obtain their secret personal identification numbers (PINs).

The gas station clerk, who was in on the scam, would provide data from the
card reader, and you can guess the rest.  A dummy card with a copy of the
machine-readable data; a midnight trip to an ATM; the PIN from the
videotape, and cash in hand.  The withdrawals were made at midnight so that
the maximum daily amount could be obtained twice on one visit.

Three suspects, all from the Toronto area, have been charged; nothing was
said about how they were identified.  Police refer to "hundreds of thousands
of dollars" being taken, and say that the criminals were planning to expand
soon to another 5 gas stations.

Mark Brader, msb@sq.com
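The midnight detail is a design point worth drawing out.  A "daily" limit that resets at local midnight is really two limits once the attacker controls the timing: one withdrawal just before, one just after.  The following is an added example, not from the news reports or from any bank's code, that contrasts that calendar-day rule with a rolling 24-hour window on constructed withdrawal times; the limit amount and the timestamps are assumptions.

```python
from datetime import datetime, timedelta


class CalendarDayLimit:
    """Daily limit that resets at local midnight.

    This is the rule the Newmarket scheme exploited: the date on the clock,
    not the elapsed time, decides how much the card can take out.
    """

    def __init__(self, limit):
        self.limit = limit
        self.history = []          # (time, amount) of approved withdrawals

    def withdraw(self, when, amount):
        spent = sum(a for t, a in self.history if t.date() == when.date())
        if spent + amount > self.limit:
            return False
        self.history.append((when, amount))
        return True


class RollingWindowLimit:
    """Limit over any 24-hour window ending at the request time.

    Whatever the clock says, no 24 consecutive hours can exceed the limit,
    so splitting one visit across midnight gains the attacker nothing.
    """

    def __init__(self, limit, window=timedelta(hours=24)):
        self.limit = limit
        self.window = window
        self.history = []

    def withdraw(self, when, amount):
        since = when - self.window
        # Inclusive lower bound: a withdrawal exactly 24h ago still counts.
        spent = sum(a for t, a in self.history if since <= t <= when)
        if spent + amount > self.limit:
            return False
        self.history.append((when, amount))
        return True


BASE = datetime(1998, 4, 20, 23, 58)   # constructed: two minutes to midnight


def replay(policy, minutes_after_base, limit=500, amount=500):
    """Replay withdrawal attempts at the given minute offsets from BASE
    against a fresh account under `policy`, and return the cash obtained."""
    account = policy(limit)
    return sum(amount for m in minutes_after_base
               if account.withdraw(BASE + timedelta(minutes=m), amount))


def midnight_run(policy):
    """The 'midnight trip to an ATM': one try just before midnight, one just
    after, and a third that both policies refuse."""
    return replay(policy, [0, 4, 7])


if __name__ == "__main__":
    print("calendar-day limit :", midnight_run(CalendarDayLimit))
    print("rolling 24h limit  :", midnight_run(RollingWindowLimit))
```

The rolling window does not reduce what a cloned card can take in total, only the rate; the point is that the attacker's timing no longer buys a second limit.  Note also that the legitimate card and its clone share one account history, so the victim's own next withdrawal may be the one that gets refused.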


Re: Worried about Y2K? Now there's D10K!

Gregory Bond <gnb@itga.com.au>
06 Apr 1998 16:35:20 +1000
Similar problems have already occurred in the Australian stock market:
 - The number of shares on issue for a company exceeded 2^31
 - The number of trades in a day exceeded 60,000 [which did nasty
   damage to the live trading system]
 - The market value of a company exceeded $10b
 - An index reached 10k points

All of these caused minor problems and plenty of red faces without in any
sense being Armageddon.  The most serious was the 60k trades in a day
problem that occurred late last year with the IPO of the local telecoms
monopoly.  [This exceeded by a factor of nearly 3 the previous peak number of
trades in a day.]  This caused some market summary information to be lost
but trading was still possible.

But on the other hand, we don't (yet) have live electronic trading and
on-line automated risk management trading strategies that will decide
the DOW has just fallen from 9990 to 0010 so it's time to SELL!

Gregory Bond  ITG Australia Ltd, Melbourne, Australia
<mailto:gnb@itga.com.au> <http://www.bby.com.au/~gnb>
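Every item in the list above is a value outgrowing the field that holds it, and the closing paragraph is about what a downstream consumer does with the result.  The following is an added example, not from the ASX or from any trading system; the record layout and field widths are assumptions chosen so that the values on the page overflow as described.  It shows a fixed-width quote record written with the legacy "keep the low-order digits" behaviour beside a strict writer, a signed 32-bit share counter wrapping, and the consumer-side sanity check that stops a truncated 10010 from being traded on as a fall to 10.

```python
class FieldOverflow(ValueError):
    """A value does not fit the fixed-width field it is written into."""


# Hypothetical fixed-width quote record: (field name, decimal digits).
LAYOUT = (("index", 4), ("trades", 5), ("mcap_millions", 4))


def encode(record, *, strict=True, layout=LAYOUT):
    """Serialise a record to one fixed-width line.

    strict=False reproduces the legacy failure: a value wider than its field
    silently keeps only its low-order digits, so an index of 10010 is written
    as '0010' and a market value of 10250 million as '0250'.
    """
    out = []
    for name, width in layout:
        digits = str(int(record[name]))
        if len(digits) > width:
            if strict:
                raise FieldOverflow(
                    f"{name}={digits} needs {len(digits)} digits, field has {width}")
            digits = digits[-width:]
        out.append(digits.zfill(width))
    return "".join(out)


def decode(line, layout=LAYOUT):
    """Parse a fixed-width line back into a record (no overflow is visible here:
    the truncated field decodes as a small, plausible-looking number)."""
    record, pos = {}, 0
    for name, width in layout:
        record[name] = int(line[pos:pos + width])
        pos += width
    return record


def wrap_int32(n):
    """What a signed 32-bit share counter does when the number of shares on
    issue passes 2**31: it comes back negative."""
    return (n + 2**31) % 2**32 - 2**31


def plausible_tick(prev, cur, max_move=0.5):
    """Consumer-side guard: refuse to act on a tick that moves the index by
    more than max_move of its previous value.  A strategy that trusts every
    tick reads '0010' after '9990' as a 99.9% fall and sells."""
    return abs(cur - prev) <= max_move * prev


if __name__ == "__main__":
    tick = {"index": 10010, "trades": 61000, "mcap_millions": 10250}
    line = encode(tick, strict=False)
    print(line, decode(line))
    print("act on it?", plausible_tick(9990, decode(line)["index"]))
    try:
        encode(tick)
    except FieldOverflow as e:
        print("strict writer:", e)
    print("shares on issue past 2**31:", wrap_int32(2**31))
```

The guard in `plausible_tick` is a blunt instrument, and a real feed needs the strict writer on the producing side far more than a threshold on the consuming side; but the producer is usually someone else's legacy system, which is exactly why the consumer's check is the one that gets added first.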


"Experimenting" with the net's generosity and gullibility

George Swan <gswan@globalserve.net>
Sun, 26 Apr 1998 05:33:27 -0400 (EDT)
I subscribe to the newsgroup alt.support.thyroid.  Earlier this week (21 Apr
1998) an off-topic post appeared.  A guy named David Dameron posted what
would have been a heart-rending story of how his baby daughter was suffering
from a rare, fatal, real-sounding, liver disease, and how he and his wife
were turning to the internet to raise the $100,000 they would need for her
life-saving liver transplant.

I checked, and he had posted the same identical article to other newsgroups
in the "alt.support.*" hierarchy.  A few readers were suspicious.  I
reported him to the postmaster@dejanews.com, the site where the article was
posted.  Dejanews told me he had been warned not to do it again.  (I still
don't know whether it was the SPAM or the subterfuge they objected to.)
Anyhow, Dameron came clean a few days later.  Here is the first paragraph of
his retraction:

  "This is David Dameron posting to let everyone know that I have been
  conducting an experiment on the Internet. I was the person who posted the
  message regarding raising money for my daughter who was in need of a liver
  transplant.  Well, the story was a complete fabrication on my part and was
  used only to raise the issue of fraudulent fundraising on the Internet."

In the rest of the article he says he is a free-lance writer, that he was
planning to write an article on fraudulent ads on the Internet, that he was
going to return the cheques of anyone who fell for his story, with an
admonition not to be so gullible in future, and that he advised his local
police department of his plan.

This is not the first fund-raising attempt I have seen in which the
perpetrator later claimed it was an "experiment".  The first one was a few
years ago.  The perpetrator of that one was an undergrad.  I'll spare you the
details.  I was suspicious, and asked him some tough questions via e-mail.
When he admitted to me that it was an "experiment" in measuring the
generosity and credulity of the internet I decided to report him to the system
administrators of the University's computer system, with a suggestion they
forward the details of his "experiment" to his faculty adviser and the
University's office of human research.  It seemed to me that his
"experiment" fell short of the ethical requirement that his subjects be able
to give prior informed consent.

The risks here?  Is it possible that these individuals may have decided to
wait to see how many people twigged?  If no-one noticed the subtle clues,
maybe it is more lucrative to cash the donation cheques than to write the
free-lance article?

So far as I am concerned both of these experiments were unethical.  Dameron
didn't say he advised the Police _prior_ to the experiment.  And unless I
contact the North Hollywood police department, I wouldn't have any
confidence that he did.  I certainly don't think the Police should give even
tacit approval to this kind of subterfuge.

  [I suppose Dameron's article would be on to be a high-liver?
  To a first approximation, BEWARE of ALL Internet solicitations.  PGN]


Re: 1/3 of Microsoft apps Y2K compliant (Stalzer, RISKS-19.69)

Li Gong <gong@games.Eng.Sun.COM>
Wed, 22 Apr 1998 14:02:46 -0700
The latest issue of Fortune has an article discussing law suits already
filed for Y2K problems.  A major argument by the plaintiffs is that although
a minor upgrade would solve the compliance issue, the fact that a recent
version of software is non-compliant means that it is defective and thus
damage must be paid.  Many of the already filed cases have been settled out of
court, according to the article.

Li Gong, Java Software Division, Sun Microsystems


REVIEW: "Beyond Calculation", Peter J. Denning/Robert M. Metcalfe

"Rob Slade" <rslade@sprint.ca>
Fri, 24 Apr 1998 08:47:22 -0800
BKBYDCAL.RVW   980207

"Beyond Calculation", Peter J. Denning/Robert M. Metcalfe, 1997,
0-387-94932-1, U$27.00
%A   Peter J. Denning
%A   Robert M. Metcalfe bob_metcalfe@infoworld.com
%C   175 Fifth Ave., New York, NY   10010
%D   1997
%G   0-387-94932-1
%I   Springer-Verlag
%O   U$27.00 212-460-1500 800-777-4643 wborden@springer-ny.com
%P   313 p.
%T   "Beyond Calculation: The Next Fifty Years of Computing"

Fortune telling is a mug's game.  The more so in a rapidly changing field
like information technology, where a single technical innovation can advance
the work ten years, and a business instigated lawsuit can retard development
a like amount.  As James Burke points out in the foreword, invention changes
life and society in elusive ways that are difficult to observe and almost
impossible to predict.

However, if anyone can give us a glimpse of what might be ahead, it is the
stellar who's who of computing represented by most of the pieces gathered in
these pages.  It is also worth noting that Denning and Metcalfe have done a
superior job in grouping, organizing, and introducing the essays.  However,
while all of the papers are informed, and many are stimulating, too many of
them signally fail to boldly go where computing hasn't already been.

Part one of the book looks to the technical developments that we can
reasonably foresee over the next fifty years.  Bell and Gray start off in
"The Revolution Yet to Happen" with a review of the growth (and shrinkage)
of computing hardware based on past trends, which indicates a future of
massive numbers of high powered computers per person and a ubiquitous
network linking everything.  Cerf presents a scenario of what computers will
be like "When They're Everywhere" as well.  Frankston acknowledges the
problems with endlessly projecting current growth trends, but points out
that developments outside the information technology field will help us go
"Beyond Limits."  If we miss the mark in estimating the future it will
probably be because of failing to see the forest of evolution for the trees
of specific technologies, or, as Dijkstra puts it, "The Tide, Not the
Waves."  Hamming also tells us "How to Think About Trends" in considering
the progress of computing itself, outside fields, and society at large.
Weiser and Brown project a "Coming Age of Calm Technology" from an extension
of historical "periods" of computing.  These papers are thought provoking,
but certain omissions, like the lack of mention of the age of the
minicomputer, point out the haste of preparation that went into the book.
Other gaps point out the volunteer nature of the book: although all but one
of the essays sees great things coming from networking, and although a
number of the authors have contributed to networking, none is primarily
involved with telecommunications.  An advance in routing technology and the
assignment of a small section of spectrum to personal computer use would
have more impact on computing than any breakthrough that would allow Moore's
law to continue beyond 2010.

Part two looks at the topic of human-machine interaction, largely in the
broadest interpretation of the concept of machine intelligence, and at the
impact that may have upon who we are as human beings.  Unlike the network
basis of Tapscott's "Growing Up Digital" (cf.  BKGRUPDI.RVW), Turkle
explores "Growing Up in the Culture of Simulation."  Her points are
interesting, but not, perhaps, compelling, relying as much on fairy tales as
on harder forms of reality.  In "Why It's Good That Computers Don't Work
Like the Brain," Norman states that machine and human intelligence cannot
be compared because they are orthogonal and complementary.  He raises a
number of interesting questions but, somewhat frustratingly, doesn't address
them.  In "The Logic of Dreams," on the other hand, Gelernter proposes that
we examine and try to model even more areas of human cognition, even those
as seemingly non-mechanical as emotion.  Alt generally seems to agree with
Norman, and in "End-Running Human Intelligence" he suggests some interesting
areas where expert systems may supplant, or at least assist, human experts.
Abrahams suggests that difficulty of design as well as societal factors may
hinder the computer and robotic target of "A World Without Work."  However,
his assertion that sex, preaching, art and other activities are strictly
limited to human endeavour I find less than compelling in view of
fetishists, televangelists, and "Danielle Steel" knock-offs that are
acceptable to steadfast fans.  (For the purposes of this review, we will not
enter into disputes as to whether writings by Danielle Steel constitute
art.)  In "The Design of Interaction," Winograd traces the history of
information technology from computing to communication, from hardware to
specific application (in stark contrast to the attempts of an entire
generation of computer literacy teachers to explain the computer as a
toolbox), and from oddity to personal tool.  (My own projection of these
trends is to envisage a person surrounded by a host of well informed tutors
for any task, but I don't think this is where Winograd goes with it.)  In
terms of prognostication this section is disappointing since, with the
exception of Alt, most of the essays are generally philosophical without
much attempt made to project ideas forward.

Business and innovation is the topic of part three, but, again, more of it
looks back than forward.  Evans' description of IBM as "The Stumbling Titan"
may have lessons to suggest, but it doesn't say where the next decade will
lead, let alone fifty years.  In "The Leaders of the Future" Flores traces
the movement from computing to communications, and then extends it to
articulation of business vision.  His extension, however, is little more
than an assertion without analysis of how advances in technology will make
this possible.  Data security is under increasing attack from "ease of use"
in technology.  Druffel's look at "Information Warfare" shows that the
current situation is pretty deplorable but it doesn't go much beyond that.
A staple of the cyberpunk genre is the rise of the corporation beyond the
state.  Mowshowitz does visit this future in "Virtual Feudalism" but doesn't
try to test it against the virtual corporations mentioned elsewhere.
Chamberlin's vision of "Sharing Our Planet" raises interesting and fairly
convincing points about the fact of evolution in software, but his cultural
prediction seems to rest mostly on wish fulfillment.  In "There and Not
There," Mitchell and Strimpel's review of telepresence starts out by noting
that presence costs.  Unfortunately, they don't follow up with the obvious
corollary: that, due to bandwidth, high fidelity telepresence is going to
have a cost as well.  Tsichritzis tells us that "The Dynamics of Innovation"
have to change, but his proposal seems to be merely a restating of the old
battle between basic research and technical development.  Similarly,
Denning's exposition of "How We Will Learn" is a market forces based view of
the time-hallowed spat between universities and technical institutes,
vocational schools, or even guild halls.

To a certain extent, I feel a lack of imagination in these writings.  There
is discussion of networking, but not distributed processing, as an extension
of parallel processing, or Fred Cohen's proposed viral computing
environment, as an extension of both.  While this hesitation on the part of
the authors may be disappointing, at least the material is a great deal more
thoughtful and thought provoking than too many of the blue sky visions of
the road ahead.

copyright Robert M. Slade, 1998   BKBYDCAL.RVW   980207
