The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 25

Friday 18 July 1997

Contents

o Partial failure of Internet root nameservers
Daniel Pouzzner
o Norwich Union to make e-mail libel payout
Jonathan Bowen
o Phone industry wants FCC's help against FBI's wiretap plans
Edupage
o Voice-controlled MS WORD
Edupage
o Medical computer crashes
Tom Van Vleck
o New York State information-systems learning standards
Frederick W. Wheeler
o Regulatory Improvement Act requires risk assessments
Mary Bryant
o Unique definition of "proof of correctness"
Daniel P.B. Smith
o Vigilante fallout from the Megan's Law CD-ROM
Joel G
o Re: Website on Spreadsheet Research
John R. Levine
o DEC Alpha Bug, final resolution
Gregory F. March
o Security risks from active usenet articles
Jonathan de Boyne Pollard
o Re: Faulty lavatory smoke detector lawsuit
PGN
o DA Computer Chief Almost loses Job:" follow-up report
Curtis Karnow
o Anti-spam redux
Simson L. Garfinkel
o comp.risks was spammed last night
PGN
o The truth about Usenet's Psychic Spammers!
Greg Corteville
o "25 Steps to Safe Computing" by Sellers
Rob Slade
o Info on RISKS (comp.risks)

Partial failure of Internet root nameservers

Daniel Pouzzner <douzzer@kill-9.ai.mit.edu>
Thu, 17 Jul 1997 05:58:57 -0400 (EDT)
In the wee hours of 17 Jul 1997, a remarkable event occurred.  The 4AM
update of the root nameserver database was botched - horribly.  The
immediate and very real effect of this is that the Internet does not work
right.  In this episode, the top-level domains .com and .net have ceased to
exist.  .edu and .gov (presumably among others) appear to be unaffected, but
in short - most of the network is practically inaccessible.  So that the
full weight of this error can be appreciated, I list below some sample
results of attempted name resolutions.

-* dnsquery -n a.root-servers.net. digital.com.
Query failed (h_errno = 1) : Unknown host
-* dnsquery -n a.root-servers.net. saic.com.
Query failed (h_errno = 4) : No address associated with name
-* dnsquery -n a.root-servers.net. sun.com.
Query failed (h_errno = 4) : No address associated with name

And similar responses for queries for mobil.com, exxon.com, toyota.com,
internic.net, mci.com, sprint.com, geffen.com, ge.com, and presumably any
other .com or .net we've come to take for granted.  IBM fails in a slightly
different way: they have a special entry for the *host* ibm.com, which
successfully resolves, but this is of no practical utility since that host
is not itself a name server.

If the dysfunction endures for much longer, we can expect serious
repercussions.  Barring a quick repair, people will start arriving at work
over the next two hours to discover that the Internet, as far as they are
concerned, has ceased to exist overnight.  Even if the Internic manages to
get things rolling again before then, we should all consider this a
harbinger.

The outage continues as I complete this message.  To get this e-mail to the
RISKS mailbox, I bypassed the root name servers by resolving sri.com through
the Stanford University name servers (on a hunch).  These are the sorts of
tricks we will all be slowly learning as the size of the Internet and the
weaknesses of its foundational technology continue to burgeon beyond
manageability.

-Daniel Pouzzner,  New York City

  [The problem apparently began around 11:30pm 16 Jul EDT, during the
  autogeneration of the NSI top-level domain zone files, and resulted from
  the failure of a program converting Ingres data into the DNS tables,
  corrupting the .COM and .NET files.  Quality-assurance alarms were
  evidently ignored and the corrupted files were released at 2:30am EDT --
  with widespread effects.  Other servers copied the corrupted files from
  the NSI version.  Corrected files were issued four hours later, although
  there were still some lingering problems.  An excellent analysis by
  Peter Wayner exists on the 18 Jul 1997 www.NYTimes.com Cybertimes.  PGN]


Norwich Union to make e-mail libel payout

Jonathan Bowen <J.P.Bowen@reading.ac.uk>
Fri, 18 Jul 1997 10:58:29 GMT
[In addition to the Internet fiasco,] further e-mail problems were also
reported in the [London] *Times* on 18 July 1997, p25:

Norwich Union, an insurance company, has been ordered to pay 450,000 UK
pounds (c $750,000) and to issue an apology for libeling a private
healthcare group by e-mail, the first time [in the UK?] that a company has
received damages for libel via e-mail.


Phone industry wants FCC's help against FBI's wiretap plans

Edupage Editors <educom@educom.unc.edu>
Thu, 17 Jul 1997 18:38:50 -0400
Arguing that the FBI's requests for expanded wiretap capabilities go beyond
that agency's authority, telephone industry officials are asking the Federal
Communications Commission to help them resist the FBI's proposed digital
phone design, which would allow law enforcement officials to continue the
wiretapping of a conference call even after the person targeted by a
court-authorized wiretap drops out of the call.  The phone industry claims
the request would cost billions of dollars to implement and would expose it
to lawsuits by civil liberties groups fighting against privacy invasions.
(*The New York Times*, 16 Jul 1997; Edupage, 17 July 1997)


Voice-controlled MS WORD (Edupage)

Edupage Editors <educom@educom.unc.edu>
Thu, 17 Jul 1997 18:38:50 -0400
Lernout & Hauspie, a speech technology software vendor, will introduce a
voice-controlled software editor for Microsoft Word in the fall.  Users will
be able to select a sentence, underline a group of words, and change the
color and size of a font, all by naturally spoken voice.  "It'll make people
give up the mouse," says Lernout & Hauspie's chief technology officer.  The
Lernout & Hauspie product uses discrete dictation pathology software from
Kurzweil Applied Intelligence, which it acquired earlier this year.
Kurzweil's artificial intelligence technology allows the software to prompt
users for answers as if they were entering information onto a form.  The
initial product will be aimed specifically at pathologists, with other
versions for the legal profession and police reporting to follow.
(*InfoWorld Electric*, 17 Jul 1997; Edupage, 17 July 1997)

  [RISKS has previously suggested what might happen if someone walking
  by your office coincidentally uttered something meaningful to the system.
  The concept of SPOKEN WORD viruses may present some glorious new forms of
  attack, as well as utter punning.  Victor Borge would have a field day. PGN]


Medical computer crashes

Tom Van Vleck <thvv@best.com>
Wed, 16 Jul 1997 19:49:14 -0700
I visited a hospital emergency room recently late at night.  As I was
reciting my data to the admitting clerk, a horn sounded, and she said, "Oh
darn, the computer's crashed.  It crashes every day at midnight, and takes
about fifteen minutes to come back."  She didn't know what kind of computer
it was; the keyboards were labeled IBM.

  [Why wait for Y2K?  This is Midnight Madness, or Rollover Twist.  PGN]


New York State information-systems learning standards

"Frederick W. Wheeler" <wheeler@ipl.rpi.edu>
Thu, 10 Jul 1997 11:43:24 -0400
RISKS readers will be pleased to learn that New York State public schools
are preparing students to address many of the concerns discussed in this
forum.  The New York State Education Department (http://www.nysed.gov) has
published learning standards as a guide to evaluate school curricula and
student proficiency.

The Mathematics, Science and Technology Standard (http://www.nysed.gov/mst)
has a section on Information Systems that addresses the benefits, risks and
ethical issues of using computers to store information.

The three parts of the Information Systems section are listed below, along
with examples of student proficiency for each part.  The examples are
excerpted from "Mathematics, Science and Technology Performance Indicators",
pages 8,9 (http://www.nysed.gov/mst/perf.pdf).

Mathematics, Science and Technology Standards: Section 2, Information Systems

PART 1: Information technology is used to retrieve, process, and
communicate information and as a tool to enhance learning.

PART 2: Knowledge of the impacts and limitations of information systems is
essential to its effective and ethical use.

  Elementary Level Students:

    * understand that computers are used to store personal information

  Intermediate Level Students:

    * understand the need to question the accuracy of information
    displayed on a computer because the results produced by a computer
    may be affected by incorrect data entry

    * understand why electronically stored personal information has
    greater potential for misuse than records kept in conventional
    form

  Commencement Level Students:

    * explain the impact of the use and abuse of electronically
    generated information on individuals and families

    * discuss the ethical and social issues raised by the use and
    abuse of information systems

PART 3: Information technology can have positive and negative impacts
on society, depending upon how it is used.

  Elementary Level Students:

    * demonstrate ability to evaluate information critically

  Intermediate Level Students:

    * describe applications of information technology in mathematics,
    science, and other technologies that address needs and solve
    problems in the community

    * explain the impact of the use and abuse of electronically
    generated information on individuals and families

  Commencement Level Students:

    * discuss how applications of information technology can address
    some major global problems and issues

    * discuss the environmental, ethical, moral, and social issues
    raised by the use and abuse of information technology


A RISK here is assuming that the standards are met.

Fred Wheeler, Electrical Engineer (wheeler@ipl.rpi.edu)
Susan Nelson, Music Teacher


Regulatory Improvement Act requires risk assessments

"Mary Bryant" <bryant@usit.net>
Fri, 27 Jun 1997 19:43:27 -5
A statement released 27 Jun 1997 by Senator Fred Thompson on the proposed
bipartisan Levin-Thompson Regulatory Improvement Act is available on line in
RiskWorld, along with a summary of the proposed legislation. The Act will
require cost-benefit analyses and risk assessments of major rules, a process
for reviewing existing rules, and executive oversight of the rule-making
process. A press release from the offices of the bill's sponsors, Senator
Thompson, R-Tenn., and Senator Carl Levin, D-Mich, is also posted. Visit
RiskWorld at http://www.riskworld.com and go to the News Stories department.


Unique definition of "proof of correctness"

"Daniel P. B. Smith" <dpbsmith@world.std.com>
Fri, 18 Jul 1997 14:10:53 -0400 (EDT)
*Computer Design*, July 1997, p. 38, describes the IDT-C6, a
Pentium-compatible microprocessor designed by Centaur Technology.  "IDT
claims to have tested the C6 with most modern PC operating systems,
including WIndows 95, Windows 3.1, NetWare, and Solaris for Intel. _The
complexity and pervasiveness of the Windows operating system generally are
considered to make up an exacting proof of correctness..._" [emphasis
supplied]

Give up, folks... the marketers have won.  Once they redefine a
term, the engineers _never_ win it back...

Daniel P. B. Smith  dpbsmith@world.std.com


Vigilante fallout from the Megan's Law CD-ROM

<joelga@amber.rossinc.com>
Wed, 16 Jul 1997 16:55:07 -0700
Re: California's Megan's Law CD ROM: Not only is the CD full of incorrect
information, but even trying to validate it is a risk.

The following is from an AP story in the 12 Jul 1997 *San Diego Union*
entitled "Vigilantes suspected in firebombing" with a related story "Covina
victim has record of sex crimes":

COVINA -- Investigators suspect vigilantes of firebombing the van of a
neighbor after it was revealed that he had a record of sex crimes.  Willie
Lee McAlister's van was burned the morning of July 5, a few days after
deputies came to his door and a neighbor verified his identity in a CD-ROM
database put out by the state.

"It doesn't take a rocket scientist to put two and two together," sheriff's
Sgt. Lynn Judes said.  However, the Sheriff's Department said in a press
release later that investigators had found no evidence that McAlister was
targeted because of his past.  [...]  Sheriff's Sgt. Larry Crookshanks said
that once a neighbor learned of McAlister's record "it spread like
wildfire." No eyewitnesses have come forward, but vigilantes seemed the
logical attackers, he said.  "It stands out and hits you between the eyes,"
Crookshanks said.

Sylvia Earles, who lives across the street from McAlister, said she saw
deputies at his door July 1, confronted him and learned why they had come:
The deputies were checking to make sure that his address was correct before
releasing the database.

jg


Re: Website on Spreadsheet Research (Panko, RISKS-19.24)

John R. Levine <johnl@iecc.com>
17 Jul 1997 02:26:38 -0000
> Every study that has tried to measure spreadsheet error rates has
> found them and has found them at levels that are deeply disturbing.

Over ten years ago, I was one of the authors of Javelin, a PC time
series modelling package.  Our main competitor was 1-2-3.

Javelin offered a lot more tools than spreadsheets did to build
correct models.  Variables had names, not just cell locations, and
could be time series with definite start, stop, and interval (day,
week, month, year, etc.)  There was a single internal model regardless
of which of several views (formulas, worksheet, graph, etc.) you
looked at.  Time series were handled automatically, and if you wanted
one variable to feed into another with a time shift, you had to say so
explicitly.  We also had auditing features so for any variable you
could see what its inputs or outputs were, displayed in a tree, and
walk up and down the trees looking at the values.

We figured that this model reliability would be a strong selling
point, but in focus groups we consistently found that people didn't
want to hear about it.  They had their 1-2-3 models, they were using
the results, and they weren't inclined to do much debugging.  One of
the more telling responses we got was "it's up to my manager to verify
my spreadsheets."

In our limited experiments we found that as a rough approximation, any
spreadsheet large enough to be interesting had serious mistakes.  I see that
a decade later that hasn't changed.

John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869
johnl@iecc.com, Village Trustee and Sewer Commissioner, http://iecc.com/johnl


DEC Alpha Bug, final resolution (Re: RISKS-19.24)

"Gregory F. March" <march@BondNet.COM>
Fri, 18 Jul 1997 10:09:33 -0400
So, as it turns out, DEC finally made it to our site and replaced the
motherboard.  Everything worked fine after that.  Unfortunately, I was on
vacation at the time and missed the service call (and the opportunity to
compare boards / chip batch numbers).  I'm kind of bummed about that, but
alas, that's life.

DEC claimed it was a bad chip on *that* board only.

Three questions remain:

    1) Was the chip bad, but that aspect of the chip is not tested?
    2) Was the chip bad and the failure was missed during testing?
    2) Did the chip fail after shipping?

BTW, not being a real DEC guru, I'm not up on my model numbers.  From what I
gather this was a "3000 model 900" if that means anything to anyone.  It was
running "V3.2 148 OSF1" unix.

RISKS: How are we to monitor this type of failure in the future?  This type
of failure in the wrong place at the wrong time can cause serious damage,
both financial and more importantly physical.  Scary.  Should there be a
standard (no that will never work :-) set of tests that all chips must go
through during start up?

Anyway, happy RISKS hunting to all...

* Gregory F. March * http://www.gfm.net * march@gfm.net *


Security risks from active usenet articles (RISKS-19.18)

Jonathan de Boyne Pollard <jdebp.p3$@donor2.demon.co.uk>
19 Jun 97 22:29:18 +0100
atkins@amulek.enet.dec.com writes:
 > If I don't run a web browser then I'm immune to all the
 > (java/javascript/activeX) security holes, right?
 > Well, no.
 > I was just reading usenet using the Netscape Navigator newsreader, [...]

Except, of course, that Netscape Navigator _is_ a web browser.

Running Netscape Navigator to read news means that one is "running a web
browser" as well.  On my machine at least, there is one executable,
NETSCAPE.EXE, and one running process in the process list irrespective of
the number or type (browser or newsreader) of windows open.

Perhaps the risk here should be the risk of assuming that the _apparently_
different and completely separate parts of "integrated" applications (such
as a combination web browser and NNTP news reader) actually _are_ different
and completely separate, or of not knowing what one actually _is_ running
when one uses a program.

 > JdeBP <

Please remove the '$' in the from line before reply via e-mail.
Anti-UCE filter in operation.


Re: Faulty lavatory smoke detector lawsuit (RISKS-19.24)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 17 Jul 97 9:30:49 PDT
Despite its lack of computer relevance, I included the lavatory item in the
previous issue because it reminds us once again of (1) the risks of
depending on technological solutions, and (2) the fallibility of people.  As
it turns out, it was a different passenger who was smoking in the adjacent
lavatory.  The crew apparently eventually recognized they had made a
mistake, but still threatened the innocent passenger with arrest if he
complained or kept asking for their names.  [Perhaps tobacco companies are
now developing cigarettes that won't trigger the alarms?]


"DA Computer Chief Almost loses Job:" follow-up (Haynes, RISKS-19.24)

<curtis_e._a._karnow@sonnenschein.com>
Wed, 16 Jul 1997 21:31:52 -0600
I was the lawyer that, on behalf of client Ralph Minow, reviewed a print out
that supposedly pointed to my client as the perpetrator of a computer
sabotage.  I then prepared an analysis that finally convinced the
authorities to drop the case.  The dump of the daily log of the UNIX based
suggested that someone had made a very minor modification to a backup file,
rerouting the backup back to a on-line drive, with very nasty results.
Someone with supervisor privileges, of course... and my client had such
privileges.  The investigators knew a little, but not enough, about the
system and assumed that my client must have been the culprit, not realizing
that someone else could have logged on as a supervisor and pretended to be
my client.  The lesson, we all know on RISKS: when humans have final control
over the computer output, then the computer output is no more trustworthy
than the human input.  Time stamps, user logins, all that and more, can be
changed with someone with enough control over the system.  An old lesson:
GIGO.

Curtis Karnow, Sonnenschien Nath & Rosenthal


Anti-spam redux

"Simson L. Garfinkel" <simsong@vineyard.net>
Thu, 17 Jul 1997 16:43:26 -0400
More time had elapsed between when I did my anti-spam DNS work and when the
article appeared in RISKS.  During that time, Vineyard.NET decided to
abandon our DNS-blocking SMPT server. The reason was that two key Internet
sites---AT&T's WorldNet and Dow Jones ---quiet simply refused to set up
valid reverse DNS for the mail servers.

We have since explored other blocking technology. We are continuing to block
mail that does not have a valid From: addresses. We now also allow our users
to have their own individual list of domains to block. We are doing this
with a modified SMAP, part of the Trusted Information Systems Firewall
Toolkit. You can download the modified SMAP from
ftp://vineyard.net/simson/smap.c. You can download the rest of the Firewall
Toolkit from ftp://ftp.tis.com/.

If you are running sendmail, I strongly suggest that you run the Firewall
Toolkit's SMAP wrapper. You can find instructions on how to install it in my
book Practical UNIX and Internet Security, published by O'Reilly &
Associates.

I am also told that there is a very nice list of domains to block maintained
by J.D. Falk, kept at: ftp://ftp.cybernothing.org/pub/abuse/

There is now also a mailing list of anti-spamming tools. You can find info
about it at http://www.abuse.net/spamtools.html


comp.risks was spammed last night

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 18 Jul 97 16:22:10 PDT
Readers of the Risks Forum via comp.risks were spammed last night by a very
poorly advised forgery of approval.  WARNING: the CompuServe FROM: address
could have been the result of an intruder or masquerader -- or simply bogus
(I have not heard anything from the ISP yet, and various complaints have
been launched); the 1-800 number given could be an attempt to scam
responders out of their credit cards or other information; so, USENET
readers, BEWARE, and PLEASE IGNORE THE MESSAGE altogether.  I am looking
into methods of ratcheting up some serious authentication; PGPMoose has been
suggested, for example.  PGN]


The truth about Usenet's Psychic Spammers!

Greg Corteville <cortevi5@egr.msu.edu>
Sun, 13 Jul 1997 14:08:08 -0400
By now I'm sure we've all seen some of the garbage from the notorious
"psychic spammers" on just about every Usenet group.  I decided to do a
little investigating.  I wrote down a few of the 800 numbers listed in the
ads and went to a campus telephone that cannot be billed.  It has no long
distance service.  After dialing the number, callers are treated to a very
brief and very fake "recorded reading".  You are then urged to call a
different number for your "personal" reading.  The number they want you to
call has an 809 area code!

For those of you unaware of the 809 area code problem, I'll explain.  To
make an international phone call, you usually need to dial 011 first.  This
makes it quite obvious that it is an international phone call and will
likely be expensive.  However, several foreign countries have been assigned
"North American" area codes recently.  Among them, area code 809 for the
Caribbean.  Since these people are not bound by US law, they do not need to
disclose the full cost of making the phone call.  Callers are usually
charged exorbitant amounts of money, similar to a 900 number.  Some people
have been charged as much as $25 per minute!  These people are scam artists
and are using the Internet as their latest method of attack.

For more information on the area code 809 problem, take a look at these
websites:

http://www.fraud.org/809alert.htm
http://www.oag.state.tx.us/WEBSITE/NEWS/LEGALMAT/9701cpd.htm
http://www.ece.orst.edu/~alper/Info/scam.html


"25 Steps to Safe Computing" by Sellers

<"Rob Slade, doting grandpa of Ryan & Trevor">
Thu, 17 Jul 1997 07:51:16 -0700 (PDT)
BK25STSC.RVW   970126

"25 Steps to Safe Computing", Don Sellers, 1995, 0-201-88366-X, U$5.95/C$7.95
%A  Don Sellers
%C  P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario   M3C 2T8
%D  1995
%G  0-201-88366-X
%I  Addison-Wesley Publishing Co.
%O  U$5.95/C$7.95 800-822-6339 617-944-3700 Fax: 617-944-7273 bkexpress@aw.com
%P  72
%T  "25 Steps to Safe Computing"

This brief, cheap booklet should probably be available in every office.  As
Sellers notes, it should not take the place of professional advice.  It can,
and does, provide quick alerts and suggestions regarding the common maladies
associated with computer use and other office pressures.

Much of the book is common sense, and unsurprising.  Little of the
information is very detailed.  However, it does give tips and bits of advice
on signs to watch for.  In addition, there is valuable resource information
included for all twenty five chapters.

copyright Robert M. Slade, 1997   BK25STSC.RVW   970126
======================
roberts@decus.ca  rslade@vcn.bc.ca  slade@freenet.victoria.bc.ca
http://www.freenet.victoria.bc.ca/techrev/rms.html

Please report problems with the web pages to the maintainer

Top