In ordinary usage, a yegg is a safecracker or robber. Electronic equivalents of yeggs are using the Internet and its service providers for undesired spams. Some are also victimizing people as well — through scams, but sometimes with major inconveniences. Here is an example of the latter, exploiting the trick of faking the FROM: address to avoid counterspams and threats. Tracy LeQuey Parker was apparently victimized by C.N. Enterprises (Craig Nowak) in San Diego. C.N. used her FROM: address and her ISP (Zilker Internet Park) to send out a massive e-mail promotion. The message offered information about free cash grants for college students for $19.95. The clinker is that she and her ISP received all the hard bounces (due to the address list containing lots of invalid addresses) and temporary bounces (due to system or network unavailability). (This happens to me every time I send out an issue of RISKS; I once had over 400 bounces in a day! But that's small potatoes compared with what happened to Parker and Zilker.) In response, a lawsuit has been filed against C.N. by Parker, Zilker, the Texas Internet Service Providers' Association, and the Austin TX chapter of the Electronic Frontier Foundation. [Source: Associated Press item in the *Palo Alto Daily News*, 30 May 1997.] We hope they bring home the bacon.
> KGB infiltrates MI5 on the hotline (Reuters World Report, 25 May 1997)
> From Executive News Service via CompuServe ("Odds and Ends")
> LONDON - Would-be James Bonds bidding to join Britain's secret service got
> a shock when they phoned the job application line — Russia's KGB said it
> had taken over.

Key points:

* After MI5 placed ads for recruits in Britain, 20,000 hopeful security agents called in only to hear a bizarre message on the answering machine: "Hello my name is Colonel Blotch. I am calling on behalf of the KGB. We have taken over MI5 because they are not secret any more and they are a very [useless] organisation."
* MI5 is investigating how the taped message was altered.

[MK comment: of course, with two-digit "security" codes on many answering machines allowing full control of the devices, tampering is no mystery.]

M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education, National Computer Security Association (Carlisle, PA) http://www.ncsa.com
Here is yet another inadvertent invasion of privacy, another inadvertent trail of activities: I rented a car from Hertz and requested their in-car navigational system. I ended up in a Ford Taurus with the Hertz "NeverLost" system, made by Rockwell. Among its features is a history list of previously selected destinations. This is a useful feature, especially as during the several days of my trip, I had to return to previous locations. Note that the system allows you to specify destinations by street address or by name of business or scenic attraction. So my list included the street addresses of the house at which I stayed and the people with whom I visited, the names of the restaurants, the airport and the Hewlett-Packard group that I traveled to -- all of which were easy to select from the system's index. Of course, the history list also had the locations of all the places the previous renters of the car had visited. Interesting; I even tried to figure out what sort of people they were from the places they had visited. Yes, you can delete items from the history list, but only one item at a time. Moreover, this feature wasn't immediately obvious to me. I had to seek it out and then I had to experiment a bit to figure out how to use it. It's well designed and simple to use - just not immediately obvious. Did I delete the information about my travels? Well, um, I meant to, but -- well, you know how it is. I meant to do it, but on the day of departure, I woke up early in the morning, rushed to the car, set the navigational system to the airport, and took off. I rushed through the traffic, rushed to the check-in lane, rushed to the airport terminal, rushed aboard the airplane, and then sat back and relaxed. Only then did I think "damn, I forgot to erase my history list." I suspect that other travelers will have similar experiences. What do I recommend? I have no brilliant suggestions. The history list is a valuable feature.
The designers did put in a selective erasure feature that is pretty easy to use. The problem is, it was designed for the owner of the car, not for the rental car situation. The best I can recommend is that the system have a "forget all" function that the rental car maintenance people are trained to engage during the car servicing between rentals. Not a great solution, and one prone to errors of omission. Do I care? Normally I would say no. I think we are overdoing many of the privacy concerns. Why would I care that the next driver of the car could see where I had gone? Well, it actually didn't take much thought to think of some reasons why I would care. A competing company might find out about my hot new, yet-still-secret product by noting which companies I had visited. Moreover, I have been told by a very reliable source that senior computer company executives are targeted by an international crime ring with standard prices for stealing their personal computers or briefcases (no, I am not making this up). My boss was told that he is on the list, and was even told how much his PC was worth. Am I on the list? I certainly could be. And the navigational system has the address of the house at which I stayed - and where I will stay again. In many ways, this example is less serious than the trail we already leave with our cell phones and credit cards, but it differs in that ordinary citizens can get to it. In any event, it's useful to compile a complete list. So, add this item to your list of RISKS.

Don Norman, Hewlett-Packard Laboratories firstname.lastname@example.org http://cogsci.ucsd.edu/~norman
Courtesy of Reuters News via CompuServe's Executive News Service:

> Federal agents arrest 11 New York prison guards
> NEW YORK (Reuter, 22 May 1997) - Federal investigators Thursday arrested
> 11 guards assigned to the Metropolitan Detention Center in Brooklyn on
> charges of smuggling and supporting jailed mobsters, according to grand
> jury indictments. They were charged with smuggling drugs, liquor, food
> and other supplies into the jail and helping prisoners from the mob
> conduct meetings and search computer files for potential witnesses. The
> prisoners were also warned about searches.

:: One guard, Anthony Martinez, demanded US$800/wk for favors that included "the names of informants in their cases after checking through prison computers."
:: Max penalty--15 years and US$250K fines.

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.
An interesting incident was reported in our local newspaper recently: A young man wanted to buy a train ticket from Freiburg to Herbolzheim, a trip of about 30 miles. Since tickets for short journeys like this cannot be bought at the regular ticket stands but have to be purchased from a computerized ticket vending machine, he tried to do so. The machine took his money (about $10) and gave him a ticket that had several flaws:

- no destination was printed on the ticket
- the expiry date for the ticket was Dec 31st, 1969 (!)

The young man went to the ticket office to complain. However, the officials claimed that he had forged the ticket (since the computer never makes mistakes) and refused to give him a refund. He tried to make clear to them that nobody would ever forge a ticket in such a stupid way, but to no avail. He gave up and tried to board the train anyway, but they would not let him and threatened to impose an extra fine upon him for travelling without a ticket. Since the young man's clothes were of a somewhat unclean appearance, he suspected that this explained a good deal of the officials' unfriendliness, a suspicion that was confirmed the next day when he returned in a suit and met the officials in a much friendlier attitude. This story was reported in our newspaper. A few days later, several officials of other train stations wrote to the newspaper that they knew about this problem and had already reported it to their superiors. It's the same risks again: Computers are never wrong, and if they are, the errors are not reported to other users. Also, you can expect to be discriminated against when improperly dressed.

Tim Pietzcker, University of Freiburg
The news wires (via PointCast News on the Industries channel) report another Web site hacked:

> Hackers leave print on ``Lost World'' (Reuter, 28 May 1997)

The opening page for the Web site for the film ``The Lost World: Jurassic Park'' wasn't all it was quacked up to be after hackers got through with it Tuesday. In place of the film's trademark dinosaur logo was a profile of a prehistoric-looking duck, accompanied by the title ``The Lost Pond: Jurassic Duck.''

The report makes the following key points:

* Signed "hackers."
* Alan Sutton, Universal Studios vice president for distribution and marketing, said he thought the prank was amusing and done in a spirit of fun.
* Universal plan to improve their security.

M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education, National Computer Security Association (Carlisle, PA) http://www.ncsa.com
Via Executive News Service on CompuServe:

> CYBER PET `DEATHS' MAY LEAVE OWNERS NEEDING COUNSELLING
> PA News May 22, 1997 16:03:00
> Heartbroken Tamagotchi computer pet owners may need bereavement
> counselling to help them get over the "virtual" deaths of the little
> gizmos, experts said today. ... The egg-shaped "pets", which have an
> interactive screen, were invented for children not allowed real animals.
> Owners press buttons to feed, stroke and exercise the computer toys,
> which beep if they become "ill" - and "die" if neglected.

According to the article,

* Dr Daniel DeSouza, of Toronto, Canada, says the children may grieve over the "death" of these "pets."
* He has set up a support group on the Internet to help bereaved owners.
* Dr Sidney Crown of the Royal London Hospital said that "lonely children are most at risk."
* At Nottingham Trent University, Dr Mark Griffiths, an expert in addiction to computer games, supported these concerns.

[MK comment: This is no different, as far as I can see, from weeping over the death of creatures existing only in books and in our imagination: certainly I wept when Gandalf "died" in _The Lord of the Rings_ when I was a kid. Oops, excuse me, but now I have to go feed my pet electrons.]

M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education, National Computer Security Association (Carlisle, PA) http://www.ncsa.com
Courtesy of United Press International via CompuServe's Executive News Service:

> Florida computer gang members arrested
> LECANTO, Fla., 22 May 1997 (UPI) — Florida authorities have arrested two
> alleged leaders of a so-called computer "gang" they say set up a Web site
> that accused a teacher of having a homosexual affair with a student. The
> Web site displayed a photograph of the student's prom picture with the
> teacher's head superimposed onto the head of the boy's female date.

:: Two 19-year-olds were charged with "publication of material that exposes a person to hatred, contempt or ridicule." Because they worked together, anti-gang laws apply, upgrading the charges from misdemeanors to felonies.
:: The victim-teacher has been the target of harassment before; another former student was sentenced to 6 months' probation last December.

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.
Well, it looks as if the wily criminals of rural British Columbia have taken to the spirit of crimes reported in RISKS, specifically trying to steal the hardware itself (a la CalTrans and the various DMV break-ins.) Using a "grapple-loader" (imagine a bulldozer with a big, well, grapple in the front), the criminals broke through the wall of the shopping centre and tried to lift the ATM into a pick-up truck. However, they dropped it, ran and abandoned the grapple-loader. (Bobbling the grapple loader is boggling given there aren't googols of them around - pretty easy to trace I would think.) No word if they planned to set it up in a mall and steal PINs... John Oram email@example.com (* rot13 to unscramble e-mail address)
The story about an eavesdropping incident on AT&T Worldnet is incorrect. In fact, a later story by the same author says as much (see http://www.pcworld.com/news/daily/data/0597/970523154723.html). But there are some lessons to be learned from what happened.

The original report noted that certain Web pages do not use encryption. We were already aware of this, and the upgrade was in progress even before this incident. But the report also claimed that as a result of the lack of encryption, a customer was able to observe other accounts and passwords going by. This struck us as more than slightly odd, since the user was coming in from a dial-up modem... I won't bother enumerating all the possibilities we considered and investigated. The ultimate answer was that there was no eavesdropping going on; rather, a network administrator had extracted accounts and passwords for a number of users from a LAN-based file server, and fed these into a simulated network monitor program. And how did these passwords get there? Well, various people used a shared facility — that is, a network of PCs -- as their platform for connecting to AT&T Worldnet. This exposed their passwords to anyone with suitable access to the file server — which is what happened.

What can we learn from this? The first point, of course, is that the system administrator wins — always. Nothing short of token-based encryption is even a plausible defense against someone who can read any file, and plant programs to monitor keystrokes. (The latter didn't happen here, to my knowledge.) A corollary is that you can't meaningfully encrypt such files, if the enemy is a knowledgeable administrator. If the key is stored in your programs, it can be extracted; the same skills that are used to defeat copy protection will suffice. At most, such encryption is a minor hurdle; more likely, it's security through obscurity, giving the same grade of protection as the lock on a bathroom door. Could the user supply the key?
Part of the answer is "no, see above about keystroke monitors". But there's a more fundamental issue, one that goes to the heart of the real problem. When we deploy computer systems, we engineer them. That is, we choose among many possible designs, to balance needs against costs. There is no such thing as absolute security, of course; more importantly, there is a price to any security system, and it makes no sense to spend more on security than it can save you. We're dealing here with a mass market product. J. Random Customer *will*, with a fairly high probability, forget his or her password. The cost of an unrecoverable account is quite high — we probably lose the customer. But it has to be taken a step further — it's important to minimize the number of calls to Customer Care. (Customer Care is expensive in the mass market world. There are a fair number of software packages around for which the vendor loses money on any copy that generates even a single call.)

This, then, is the bottom line. The engineers who made certain security choices — storing account information in the clear — saved a moderate amount of money, traded against a small diminution in security. The customers who used a shared facility to store these account information files (unknowingly) trusted someone else. The overall complexity of the total system — the AT&T Worldnet end, the user software, the end users, and their environment, including an untrustworthy administrator — led to some accounts being compromised. And the one simple palliative cited -- encryption of certain network sessions — would have done nothing to protect anyone.

Steve Bellovin
Thomas Brazil tells of receiving "automated" phone calls consisting of 10 seconds of hum, followed by a hangup. He accuses BellSouth of generating these calls in an attempt to get subscribers to sign up for automated call return, an accusation supported by no evidence except the coincidence of *one* of these calls with a telemarketing call from BellSouth. It seems to me that if this were the case, it would be a very short time before somebody used call return, CNID, or a call tracing facility to identify the perpetrator as BellSouth, and the FCC would have a dandy time punishing them. It is far more likely that the calls, if truly automated, are purely accidental. Suppressing them may be a pain, but I doubt a nefarious purpose. The only RISK I see here is that as the RISKS list becomes more widespread, our moderator is less and less able to filter out unsupported and illogical claims from the overly paranoid. Geoff Kuenning firstname.lastname@example.org http://fmg-www.cs.ucla.edu/geoff/ [But maybe I let a few through just to see who is paying attention? PGN]
As others have pointed out, the web page in question only creates a form for you to print and mail. USPS especially likes this since it results in a form without a very common risk--the usual illegible handwriting. But there still are a variety of privacy-related concerns surrounding change of addresses, and these issues were the subject of my PRIVACY Forum Radio interview with Mike Selnick of USPS Washington, D.C. headquarters late last year.

> I wonder if it's possible to instruct one's post office not to accept any
> change of address except in person?

This point was also covered in that interview. The answer at the current time appears to be no. The full interview is available online for playback through the PRIVACY Forum; it runs about thirty minutes. It can be accessed through the PRIVACY Forum/PRIVACY Forum Radio links via: http://www.vortex.com

--Lauren-- Moderator, PRIVACY Forum www.vortex.com
> Special relativity says there's no difference. General Relativity
> says there _is_ a difference.

The non-meaningfulness is actually due to the fact that simultaneity is not well-defined for spacelike-separated events. If two events have a spacelike separation — basically, if they happen "close enough in time / far apart enough in space" such that there isn't time for a photon to go from one to the other — then various observers may see the events happen in different orders. This isn't an illusion: take everything into account, including the speed of light, clock differences, etc., and different observers can still see this difference. Causality is still preserved because neither event can possibly affect the other. But it does mean that simultaneity is a somewhat fuzzy concept: "this exact moment, somewhere else" can actually correspond to a range of times at that other location. This is why it's not meaningful to compare two clocks a few (light-)milliseconds apart to within a microsecond.

Frederick G.M. Roeber, Physicist in Residence, Netscape
Twelfth Annual IFIP WG 11.3 Working Conference on Database Security
Porto Carras Complex, Chalkidiki, Greece
15-17 July, 1998

["Conference" limited to 40 people. Consequently, CFP truncated for RISKS. PGN]

More information about the conference and about IFIP WG 11.3 can be found at URL: http://www.cs.rpi.edu/ifip/