Subscribers of America Online recently received e-mail apparently from AOL's chief of Member Services, entitled ``Important AOL Information'' and giving an update on AOL's efforts to improve its service. At the end was a URL to a letter from AOL Chairman Steve Case, in which readers were asked to give their name, address, home phone, and credit-card number to update AOL's new computers. Surprisingly to most victims (AOL's subscribers include many online novices, more of whom should be reading RISKS!), the file being updated was that of a scammer who simply raked in the information. (It was not specified whether his/her identity had been determined.) [Source: An item by Rajiv Chandrasekaran, *Washington Post*, 26 Aug 1997, seen in the *San Francisco Chronicle*, p. A3. PGN Stark-Abstracting] [See RISKS-19.07,11,26,27,28 for other recent items on AOL.]
[PGN Abstracting, from article by Will Rodger, from Inter@ctive Week Online, 21 Aug 1997, 9:14am PDT, http://www5.zdnet.com/zdnn/content/inwo/0821/inwo0002.html] The NASDAQ stock exchange was knocked off much of the Internet for several hours on 19 Aug 1997 as a result of administrative errors at the InterNIC, a centralized Internet address clearinghouse run by Network Solutions Inc. of Herndon, Va., NASDAQ officials said Wednesday. Though the problem was initially invisible to NASDAQ, which maintains its own database of Internet addresses, the temporary suspension of access to the exchange's site blocked users of major computer networks — including those owned by IBM Corp., MCI Communications Corp., PSINet Inc. and UUnet Technologies Inc. — from getting to the site. As a result, NASDAQ was unreachable to most Internet users for at least several hours Tuesday morning. Problems with the Web site had no effect on the functioning of NASDAQ itself. The snafu was due to a clerical error at NSI, which evidently lost track of NASDAQ's $50 fee, submitted in October 1996. Will remarked that things like this seem to be occurring more often. The weekend before, more than 5,000 Web sites were blocked for over 24 hours, when Web Communication Inc and other domains were bumped from the Internet after a screwup in routine InterNIC maintenance. Will also mentioned the disappearance of .com and .net, noted earlier in RISKS (Pouzzner, RISKS-19.25).
Subtitle: Error makes mains exceed their capacity Reported by the *Rocky Mountain News,* 25 Aug 1997. "Officials blamed a malfunctioning computer for five water main breaks late Saturday that cut service to about 40 homes, flooded basements and garages and turned city streets into rushing streams." A computer controlling water pressure gave inaccurate readings (presumably lower than actual?), prompting a city worker to open up the mains. The full article is online for a few days at http://www.rockymountainnews.com/news/0825wat3.htm S. J. Hutto, pSIBER Technologies Inc. http://www.psibertech.com
Carlos Felipe Salgado Jr. ("Smak") has pleaded guilty before his trial. As reported in RISKS-19.19, an FBI sting had paid him $260,000 for a diskette with personal data on more than 100,000 credit-card holders that he had obtained by hacking into company databases on the Net. The maximum penalties reported earlier have apparently been doubled — up to 30 years in prison and fines up to $1 million. [Sources: AP and others, 26 Aug 1997]
A little-noticed clause in the recently proposed $368-billion deal struck between the nation's largest tobacco sellers and states' attorneys general states, "The new regime would ... prohibit tobacco product advertising on the Internet unless designed to be inaccessible in or from the United States." Critics note that if the settlement becomes law, that clause could set a disturbing precedent for restricting all forms of online speech, and could encourage other countries to emulate these restrictions or make them even tougher. Any company with a global commercial presence, says a law professor at University of California at Los Angeles, would be forced to limit its online presence to whatever is allowed by the most restrictive country it does business in. (*Investor's Business Daily*, 22 Aug 1997; Edupage, 24 Aug 1997)
Julie Bird at the *Air Force Times* reported a spelling-checker gaffe that could have caused combat-relevant complications. The spelling checker rejected the Marine motto 'Semper Fi' and recommended 'Semi-pro fiddles' instead. The copy editor then accepted the change, although it was caught before publication. [Violins? Nonviolence? Puttering around? Meddling? Perhaps the spelling checker was written for the U.S. Navy, where a fiddle is something aboard ship that keeps dishes from sliding around. This case is quite a stretch; perhaps checkers are getting ever more imaginative these days. This item from Julie Bird <email@example.com>, abstracted for RISKS, is excerpted from BONG Bull, The Burned-Out Newspapercreatures Guild's Newsletter, #437. To subscribe: e-mail to firstname.lastname@example.org, with text subscribe bong-l PGN]
In the latest assault in the escalating battle between pioneer online bookseller Amazon.com and Barnes & Noble, Amazon.com has filed a countersuit against Barnes & Noble, alleging that the bricks & mortar entity should be charging sales tax on the books it sells over the Internet. Amazon 's argument is based on the fact that B&N, unlike Amazon.com, has a physical presence in most states through its chain of 1,000-plus stores that therefore constitute the "nexus" of activity in each state. An attorney for B&N says there is "no basis whatever" for Amazon's claim. In May, Barnes & Noble filed suit against Amazon.com, saying its claim to be "the world's largest bookstore" was false advertising. (Wall Street Journal 22 Aug 97; Edupage, 24 Aug 1997)
An article on Clarinet (22 Aug 1997) tells us that Florida has let a $6.2 million contract to Unisys to automate the issuance of traffic citations. Troopers will "be armed with pen-based laptop computers and printers. The laptops...will 'recognize' the troopers' hand printing and automatically convert it to easily readable text." Anybody care to predict the number of traffic tickets thrown out of court over the next several years because they were issued to the wrong people? The one saving grace is that the motorist gets a printout with a copy of the ticket. But I can just see the poor innocent party who has to prove that he was in Bangladesh on the day that somebody with a similar license number ran a red light. Didn't they learn from the Newton? Geoff Kuenning email@example.com http://fmg-www.cs.ucla.edu/geoff/
The forwarded message below was sent to the "DefCon Stuff List" (firstname.lastname@example.org, email@example.com for information, sub/unsub requests, etc.). My concern about it is this: why would an aircraft designer take RISKs with passenger safety by installing (apparently, at least to me) non-RF-shielded equipment that can be damaged by the RF output from a 3-watt 800MHz RF signal (saying the phones are analog), not to mention several computers? I have several computers, radios, etc. here on the ground (producing a lot of RF, spurious and non) and I have no problems with 3 watts of 800MHz RF. If that little RF can wipe an aircraft computer, what could it do to major office buildings, etc. where cell phones are used in MUCH closer proximity to computers (and sometimes much more sensitive ones).

Matt

---------- Forwarded message ----------
Date: Mon, 25 Aug 1997 09:07:54 +0300
From: Imran <firstname.lastname@example.org>
To: DC-Stuff <email@example.com>
Subject: Can your cell-phone hijack a plane?

Yesterday I read an article in a local newspaper describing how it is illegal to take all your weapons and explosives on a flight — except for your cell-phone and laptop. Last week a flight inbound for London from Istanbul had to crash land in Switzerland because all the cockpit data got wiped off because of a cell-phone. At the specific moment two people were talking and three had their phones open. Police are still investigating. [...]
A Florida state agency auditing group (OPPAGA) reported:

Best agency answer to data question: When asked to explain why its data base showed that lab tests of water quality samples were completed before the samples had even been collected, agency staff provided the following memo:

Top 10 Reasons Why Data is Analyzed Before it is Collected

10. We practice Zen and the Art of Ground Water Sampling.
 9. We can impress auditors that way.
 8. We can tell whether collecting the sample will be worth our time.
 7. We get results much sooner this way.
 6. It saves money.
 5. It lets us know what type of sample we need to take.
 4. We can notify the well owner that we have a hunch their well should be tested.
 3. Our lab has an incredible turn around time.
 2. The lab transmits data faster than light speed, so it arrives before it is sent.
 1. Our computer's clock battery has been dead since 1992, so every sample gets that creation date.

Quoted in: http://www.ncsl.org/programs/fiscal/nlpes/nlp96-64.htm

Scot E. Wilcoxon firstname.lastname@example.org
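The auditors' finding above is a classic data-integrity signature: a dead clock battery makes every record carry the same default creation date, so lab results appear to precede sample collection. The check below is an added example written for this digest, not code from OPPAGA or the agency; the record layout, field names and sample rows are constructed assumptions. It flags records whose result date precedes their collection date, and separately flags any result date shared by many records, which is the pattern a stuck or defaulted clock leaves behind even when the default date happens to be plausible.

```python
from collections import Counter
from datetime import date, datetime

# Constructed sample records (not from the audit): (sample id, date collected, date result recorded).
# Three rows carry the same 1992-01-01 stamp, mimicking a machine whose clock defaulted.
SAMPLE_RECORDS = [
    ("W-0001", "1997-05-12", "1997-05-20"),
    ("W-0002", "1997-06-03", "1992-01-01"),
    ("W-0003", "1997-06-03", "1992-01-01"),
    ("W-0004", "1997-07-15", "1997-07-22"),
    ("W-0005", "1997-07-16", "1992-01-01"),
]


def parse_date(text):
    """Parse an ISO-8601 calendar date (YYYY-MM-DD) into a date object."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def find_impossible_records(records):
    """Return ids of records whose lab result is dated before the sample was collected.

    Causality check: a result cannot legitimately exist before its sample does, so any
    such row points at a bad clock, a bad import, or manual backdating.
    """
    flagged = []
    for sample_id, collected, recorded in records:
        if parse_date(recorded) < parse_date(collected):
            flagged.append(sample_id)
    return flagged


def find_default_timestamp_clusters(records, min_count=3):
    """Return {result_date: count} for result dates shared by at least min_count records.

    A dead clock battery (or any fixed default) stamps every record with the same value,
    so an unusually popular timestamp is suspicious even if it is not in the past.
    """
    counts = Counter(recorded for _, _, recorded in records)
    return {stamp: n for stamp, n in counts.items() if n >= min_count}


def clock_is_plausible(now, earliest_acceptable):
    """Guard for the instrument side: refuse to stamp records if the system clock
    reads earlier than a date the software is known to postdate (e.g. its build date)."""
    return now >= earliest_acceptable


if __name__ == "__main__":
    print("result before collection:", find_impossible_records(SAMPLE_RECORDS))
    print("suspicious shared stamps :", find_default_timestamp_clusters(SAMPLE_RECORDS))
    # A clock reading 1992 on software released in 1997 should trip the guard.
    print("clock plausible:", clock_is_plausible(date(1992, 1, 1), date(1997, 1, 1)))
```

The two record-level checks are deliberately independent: the causality check catches only defaults that fall in the past, while the clustering check catches a stuck clock whatever value it is stuck on. The `clock_is_plausible` guard is the upstream fix the memo's reason number 1 calls for: an instrument that knows its own build date can refuse to stamp data with an earlier one.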
After the recent security breach of the "Crack-A-Mac" server (which has now been compromised three times), Ric Ford's Macintouch web-site provides an interesting e-mail exchange comparing the relative security of Macintosh against Unix systems. To quote one respondent: "Because the Mac was not made to be a networked computer, it is infinitely more secure than a UNIX box. If you are running plain vanilla Webstar on a Mac, you are safe. Period. If you are running plain vanilla Apache (or other UNIX webserver) on a UNIX box, you are toast if there is a determined hacker. Only the most dedicated SysAdmins can keep up with all the CERT advisories and patches... and even if you do, there will be holes. Whether it be a NIS hole, a finger hole, a telnet bug, or what have you, there will always be one more hole than fix on a UNIX box." The exchange is at <http://www.macintouch.com/macsec.html>. Macintouch is a daily newsletter with hints and comments on the Macintosh written by a columnist for Macweek magazine. It is at <http://www.macintouch.com>. Martin Minow email@example.com [Infinitely, eh? Wow, that is *really* impressive! PGN]
I recently saw a new anti-junk-e-mail tactic which, at first glance, struck me as a great idea. The concept is to "sting" the producers of bulk e-mail mailing lists by including something like the following in your .sig:

  And for you automated e-mail junk-mailers out there, here is a list of the current board of the Federal Communications Commission:
  Chairman Reed Hundt: firstname.lastname@example.org
  Commissioner James Quello: email@example.com
  Commissioner Susan Ness: firstname.lastname@example.org
  Commissioner Rachelle Chong: email@example.com
  And let's help you send some junk mail to the USPS, too: firstname.lastname@example.org

This is based on the assumption that the junk list compilers sift entire Usenet News articles (not just the "From:" lines) for any syntactically valid e-mail addresses. The e-mail addresses listed above will thus be included on the compiled lists; then these worthy individuals will receive any junk mail sent by anyone using said lists. Since these people have influence on public policy, it is hoped that the annoyance of actually receiving as much junk mail as the rest of us do will push them in the direction of strong sanctions against such junk mail.

Where I work, we have been having a discussion in-house about whether or not doing this is advisable. The strongest objection that I have seen is that by including such addresses in one's e-mail, one is actually contributing to junk mail, and thus acting contrary to the same anti-junk-mail principle that one is trying to promote. Also, if one does it from one's company account, one may be acting against the corporate policy for internet use; and finally, there is the issue of contributing to a violation of the right to privacy (here meaning the right not to be harassed) of the public individuals cited. I find these contra arguments not completely persuasive, but I am still undecided.
The final RISK that I can see is that we may actually influence the policy-makers to take some action, but that action may turn out different from our expectation and preference. Max Stern, Sherman Oaks, CA
Unsolicited commercial/propaganda e-mail subject to legal action. Under US Code Title 47, Sec.227(a)(2)(B), Sec.227(b)(1)(C), and Sec.227(b)(3)(C), a State may impose a fine of not less than $500 per message. Read the full text of Title 47 Sec 227 at http://www.law.cornell.edu/uscode/47/227.html This text deals with unsolicited commercial _telephone_ calls and _faxes_, not explicitly with junk e-mail. For a pessimistic analysis of the argument that existing federal laws cover junk e-mail, see "Garbage In: Emerging Media and Regulation of Unsolicited Commercial Solicitations" by Michael W. Carroll <http://server.berkeley.edu/BTLJ/articles/11-2/carroll.html>. This jurist provides a thorough and award-winning review of the applicability of such laws to junk e-mail, especially section 2a, "Has Congress Already Banned Spamming?" His answer is, alas, "No." SPAM DELENDUM EST! M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education National Computer Security Association (Carlisle, PA) http://www.ncsa.com [I read the sections and concluded that it is not a black-and-white issue. However, a suit in progress could clarify the issue somewhat. PGN]
Does the proposed Goodlatte legislation say that the copying has to be illegal? (The Edupage squib did not say.) If not, we should be able to put those felons at Microsoft and Sun and IBM and HP away for years for all that software that they copy and sell. About the only people who wouldn't be felons here would be GNU since their software is free and they can copy it as many times as they want and not reach the $5,000 limit. But I suspect Microsoft thinks Windows95 is worth at least $1 and they have probably made over 5000 copies, so lock them up! [This reminds me of the original California computer crime legislation, which said in effect that it is illegal to read, write, alter, or delete data. Perhaps it still does. I once chided someone in Sacramento for that, and he said, "Oh, but we'd never use it on someone who wasn't doing something wrong." PGN]
Methinks the Beltway Bandit doth protest too much! For some reason, bureaucrats and their Beltway Bandit lackeys always assume that more regulation is better than less regulation. In this case, Willis is arguing that "the system ain't broke, so don't fix it". I would argue that the system _is_ broken, and it is badly broken. Here in California we pay twice as much for our electricity as people in other states, and many of these costs were _caused_ by the politicians and the bureaucrats themselves in the first place. We're not happy about paying for these hare-brained ideas like nuclear power plants and doctor/dentist-taxshelter windmills. I, and nearly everyone I know, could afford to purchase a backup generator _every year_ for what we pay in excess electricity costs. The Internet works precisely because it dispenses with link-by-link guarantees, and uses end-to-end protocols. Its openness encourages innovation — something that the electrical utilities have discouraged for the past 80-100 years. Perhaps the myth of 'economies of scale' that the utilities have wrapped themselves in for the past 100 years is just that -- simply a myth. Or if the economies of scale exist, but never make it to the customer, then they don't matter. The best place to put redundancy is at the customer level, where each customer can optimize for his own goals and costs. Henry Baker ftp://ftp.netcom.com/pub/hb/hbaker/home.html
Unfortunately, this response demonstrates the problems with the SET process:

1. It is highly dependent on an Electronic Wallet, which is never discussed in the SET process.

2. It is highly dependent on who the user of the wallet is, which is never discussed in the SET process, nor is how to identify the user discussed.

3. The very practical issue of carrying the user's certificate between PCs is never discussed in the SET process. SET ignoring this issue and its security demands doesn't make the issue go away! Not addressing mobility ignores the issue that insiders will use those techniques to overcome SET protection.

4. The issue of insiders usurping complete certificate messages is never discussed in the SET process. This must be a very serious issue since the card associations have already published a disclaimer. See the V/MC press release of 8/6/97. It establishes the SET Mark (a trade mark like symbol) for SET acceptable web pages. The release clearly states the purpose to be "...to use their cards on marked web sites WITHOUT ANY WORRY OF THEIR CARD DETAILS BEING INTERCEPTED." (my capitalization). Are they so naive as to think there will not be counterfeit SET marks on unauthorized web pages? Any security solution that depends on the user or employee actions is known to be ineffective.

5. The history lesson that software exposures exist in the current card system anyway misses the point. SET is supposed to be the NEW invincible solution and doesn't fix this known exposure.

6. The attempt to disassociate the SET process from the vendor implementation flies in the face of a card association PR campaign to enumerate the outside vendor role in making SET happen. It flies in the face of intense vendor promotion of the SET process as their basis for selling the new invincible SET solutions - which we are now told has some of the same shortcomings as the current software solutions.

7. The response that consumers will not have much choice is wrong.
The Mondex system completely bypasses the SET complex 26-step process with a demonstrated card-to-card security solution usable through open systems. Mondex USA has announced significant roll out this and next year. The concepts are being tested by Citibank (with the Verifone Personal ATM, phone connected device), and Chase (with Mondex units) in the early 1998 major field test in New York early next year. All the banks and credit unions of Canada have announced Mondex use. Also, several USA financial institutions have announced that Mondex smart cards will carry both USA and Canadian dollars, and will carry cash, debit and credit funds. I would be a little worried at the card associations. The associations can not continue to stonewall smart card credit cards in the United States. In fact, smart cards (NOT addressed in the SET process) would go a long way to overcome the SET deficiencies I have discussed in this note. Or, maybe this message from Mr Sterling is notice that MasterCard (51% owner of Mondex International) is about to suppress Mondex use in the USA. In summary, the credit-card associations and their SET process can't have it both ways. To offer the invincible Internet solution - but keep the old problems. To offer the SET process but ignore the shortcomings of the vendor implementations. To offer an open system, Internet, solution and then to ignore smart card benefits and the practical issue of SET process mobility between the five PCs in my life (home, office, laptop, hotel and the company I am visiting). jerome svigals, email@example.com
Addendum to the stiction item: On a very stuck Seagate hard drive, after dropping, smacking, and spinning the drive on its axis didn't unstick the heads from the disk, I took The Final Desperate Measure. Clean-area precautions were taken: hands were scrubbed and a Hefty-brand portable clean room was prepared. After the "warranty void if removed" drive lid was removed, the platter was turned by hand with about ten pounds of force and the lid was reattached. The drive powered up with no ping, ding, or screech sounds and valuable data was copied off as fast as fingers could fly. It worked for a year afterwards, after which the whole computer was decommissioned. When a friend's hard disk drive stuck badly, I made _him_ do it. Same results.

The following mysteries remain: Were the environmental dust particles large enough to be simply spun off the platter? Was the garbage bag so static-ridden that it acted as a dust trap? Exactly how much luck was involved? Does this sort of thing work all the time?

Of course, this is a RISK to any older in-service hard disk: tamper-labels should be inspected.
Curtis E.A. Karnow, Future Codes: Essays in Advanced Computer Technology and the Law, Artech House, Boston and London, 1997 (xii+276) Curtis Karnow is a practicing attorney in San Francisco with considerable experience as a federal prosecutor and judge. His background includes many cases relating to computers and risks. This book brings together new material with a collection of thoughtful essays he has written (e.g., in Leonardo Electronic Almanac, WiReD and law reviews). It could be of great interest to many RISKS readers interested in the law. This is a crossover book that makes it very clear why computer folks need to know much more about the law, and why lawyers need to know much more about computer technology.
Trapped in the Net: The Unanticipated Consequences of Computerization
By Gene I. Rochlin
Published by Princeton University Press, 310 pages, Hardback: 0-691-01080-3

Having only read the first chapter so far, this book appears to discuss a lot of issues relevant to RISKS and can be found at: http://pup.princeton.edu/books/rochlin/