Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Car makers have known for a while that talking on a cell phone while driving can cause accidents, but now research shows that wireless phones can disrupt anti-lock braking and other electronic systems. For instance, Mercedes Benz warns that the electromagnetic radiation emitted by the microchips in wireless phones can disable its Babysmart toddler restraint seat, which automatically switches off the passenger side air bag when a child is sitting up front. "As far as we know, no injury or death has resulted from interference between wireless phones and other radio-frequency emitting devices," says an AT&T Wireless Services spokeswoman, but some late model owner's manuals contain special warnings regarding the problem. (_USA Today_ 4 Mar 1998; Edupage, 5 March 1998) <To subscribe to Edupage, send e-mail to: listproc@educom.unc.edu with the message: subscribe edupage [your name]>
WIRELESS MARRIAGE RF-Link Technology has developed a Wireless PC@TV product that allows an Internet link via a PC in one room to be displayed on a television in another. A scan converter translates the PC's video display signals into signals that a TV can process, and wirelessly sends the audio and video signals using a radio-frequency transmitter and receiver. The signals can travel up to 100 feet, and a wireless keyboard allows the user to manipulate the PC while watching the action on the TV in another room. The cost is about double that of a set-top WebTV receiver, but does not require a special Internet service. (_Popular Science_, Mar 98; Edupage) So when my next-door neighbor is browsing www.playboy.com, does that mean that my six-year-old can read right along? Colin
On the heels of the recent attack on unclassified Pentagon computer systems, three Army World Wide Web sites were hacked on 8 Mar 1998: the Army Air Defense Artillery School, the Army 7th Signal Brigade[*], and the Army Executive Software Systems Directorate. Official content was replaced with messages about the previous Pentagon attacks. One of the messages said, "For those of you in the security community, the so-called Pentagon hackers are using nothing more advanced then the 'statd'. Get a list of 200 sites, and sit and try the same exploit to every one of them. [You're] going to get one out of 100 sites eventually." [* The 7th's diddly SINS? PGN]
People or companies who run Windows NT 4 and experience frequent unexplained "STOP" errors may like to know about the following risks: 1. There is a small probability that one of those STOP errors will render the NT filesystem unbootable by corrupting one of the system files; in this case it cannot be repaired even with a repair disk. 2. If you re-install Windows NT over an existing installation, the %Systemroot%\Profiles tree, including all user data that it contains, is deleted. 3. Even if you back up the registry, you may not be able to restore it correctly in a new NT installation, because the various user numbers, etc., would have changed; extensive manual editing / glitch fixing is required. Silas S. Brown, http://members.bigfoot.com/~silasbrown/
Federal prosecutors in New York indicted 14 operators of offshore companies for using phone lines for the purposes of illegal gambling activities. All 14 are American. The government says it is not charging bettors for using the sites but hopes that the indictment will serve as warning that such activities are illegal. (_The New York Times_, 5 Mar 1998; Edupage, 5 March 1998.)
The "centraal corporation" of Palo Alto recently introduced a new scheme for entering WWW host addresses into Web browsers. According to the marketing literature, you could replace all of that nasty http://host/directory nonsense with a single word. They presented this with a gentle, heartwarming Disney example. Who wants to think of their toddler son having to type in all those dots and slashes to read about their favorite fawn, when they could just use the new scheme and type in "bambi"? Well, it turns out Junior had better stick with the punctuation. Following their press release, thousands of users went directly to their browsers and typed in "bambi". Normal browser auto-expansion dropped them on "www.bambi.com", a decidely non-Disney site where children can learn about a side of wildlife not fully depicted in the movie. There are some fascinating tidbits in a Reuters article on the subject: o The company is selling the service to large companies who want simpler web addresses in advertising. o As people have found, the "single word" approach has some regrettable side effects if you don't have their special software installed. o The president of the company was "surprised" that browsers would jump to a site given an incomplete address. Offhand I'd say their business plan is in tatters. All because normal, unenhanced web browsers are a little too smart.
Dan Charles of NPR reports that TV mfgrs responded to the
"What happens when parents lose the {V-chip} password?" question
with:
We haven't figured that out yet..
If certificates, authentication and such are a morass for the DOD [as they
are discovering....]; what happens in the larger world of TV sales? Will we
see ads in the classifieds such as:
For Sale, 27' Sony, lost password, only gets Disney..
The RISK? Mandated solutions to problems only partially thought-out.
A Kansas City company, Applied Micro Technology Inc., is about to begin selling a device for censoring language in TV broadcasts (intended for the protection of children). It works only on closed-captioned broadcasts. If a banned word is found in the closed caption, the sound is muted and the closed caption displayed with a milder word substituted. The original design just matched on words, causing DICK VAN DYKE to turn into JERK VAN GAY. This was obviously inadequate, so it was extended to recognize context. The designer, Rick Bray, says that it now catches 65 out of 66 "offensive words" in the movie Men in Black (for example), and so he now allows his children to see it, and so they're pleased with the device. The article [sorry, source missing] does not say how many false hits it finds, nor how much dialogue gets lost because the closed captions are not actually always synchronized with the audio. There are at present 100 banned words.
You may have noticed, that with almost every new movie trailer or advertisement comes an URL for a web site that in most cases contains motion video clips, stills, and other information about the movie. Seems like just another promotional opportunity which I think few would take issue with. However, I have also noticed a darker trend developing in parallel with this. Operators of porn sites are increasingly obtaining domain names nearly identical to that of the movies being promoted, usually with only a bit of punctuation being the difference. The most recent example: the science-fiction movie "Deep Impact", due out this summer (an apocalyptic tale of comets crashing to earth). The print ads and trailers note the URL "www.deep-impact.com". However, if you miss the hyphen in the URL and enter "www.deepimpact.com" instead, you are greeted with a starfield background (similar, if not identical to the legitimate site), with a single line of hyperlinked text: "Click to continue". Even if you do not click on the text, after about four seconds you are automatically linked (redirected) to the page of a pornographic site with graphics that leave little doubt as to its purpose. Especially disturbing is this recent trend for these redirector sites to try to mirror the initial image of the legitimate sites in order to prevent the user from realizing the error until after the next page has loaded, or worse (possibly trying to create a legally defensible position) being able to claim that the user consented to view the site by clicking on the linked text. The risks? People seeking information on unreleased motion pictures (kids especially) receiving instead an unwanted porn page. Plus, the possible backlash against the movie and its associates from people who may not realize the difference a single omitted character can make can make in an URL and might assume some link between the sites due to the similarity in the names. A possible alternate risk, would be for people who access the web from their work or other monitored environment trying to explain why they have accessed a pornographic site once the access is noted in a log file. -jim jimw@agora.rdrop.com The Computer Garage http://www.rdrop.com/~jimw Fax - (503) 646-0174 [It is astounding how many folks say "dash" instead of "hyphen" (or, perhaps less strongly typed, "minus"). For example, Siskel and Ebert have only recently realized that their URL contains a hyphen, not a dash. PGN]
There are cities in California and Texas called "Cypress" so I don't think we should blame the spell checker. It would have to understand the sentence to catch the mistake. We can execute the proof reader though. — Mark [Several folks commented on this. If the dictionary contains Cypress, it should also contain Cyprus. If it knows only about trees and not geographical names, it is not a very good dictionary for a spelling checker to use. Let the fir fly, and spruce up the on-line dictionaries. PGN]
The Idaho state government ruled that the City of Boise's e-mail is fair game under the Freedom of Information Act. They had to make the city council's e-mail available to the newspaper. [_Information Week_, March 9, 1998, p. 8]
The Federal Aviation Administration is investigating whether an air traffic tracking system went out amid reports that Air Force One vanished from radar screens for 24 seconds. Broadcast reports said the airplane disappeared from radar screens Tuesday morning as President Clinton traveled to Connecticut. ... The long-range radar system at the center has a history of going off and momentary blips are a frequent occurrence, DiPalmo said. [_USA Today_, 11 Mar 1998]
Mr. Ellison's observation that perhaps criminals are too lazy to use encryption, supported by Ms. Denning's survey results showing that encryption is not in widespread use by criminals, may be an important one, indeed. That our delicate world, made all the more so by our reliance on technology as often discussed in this forum, has not already been made a total shambles through criminal or terrorist activity, is a constant source of amazement for me. Many. if not most of us who participate in this forum would have little difficulty in raining havoc upon a large population with equally little chance of retribution by society. Although there are certainly exceptions, one can only hope that most criminals and terrorists, by their very nature, are either incredibly stupid and/or lazy. This theory is well supported by the alleged criminals shown on the U.S. television program "Cops." Perhaps the "smarter" criminals also have some measure of morality that limits their activities. Let's hope is stays that way. Scott Traurig <Scott.R.Traurig@lmco.com>
Further to my original mailing (which described what was actually reported on "The News Quiz"), I actually did a bit of fact-checking with the COMPAQ help desk. They were not aware of any changes to screen messages, and not aware of the story that is going around. Another urban myth bites the dust! Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422 http://www@csr.city.ac.uk/
Just a quick comment: Is it possible, then that an extrapolation to this MIGHT just be that government trying to prevent all problems will instead of gaining the goal, will in fact create more problems? The question applies of course to the finding in the case of VJ592, since most of the system involved are government mandated... but the question of RISK would seem to apply to all other government mandates, as well.
In RISKS-19.62 an article appears promoting a product that allows system
administrators to "decept" would-be hackers into thinking they have broken
into your system when in reality have not. It then goes on to extol the
virtues of such an approach without exploring possible negative side-effects
of such software. While there is questionable facility with using such
software since "true hackers" would likely know they are being faked out,
the more interesting question arises when "junior hackers" have succeeded in
breaking into a system but don't know enough to realize they have done so.
This is especially bad if they know that this kind of faker software exists.
I put forth the example which brings this all to mind. I used to look after
a computer network used by a large school board in Toronto. As expected
there were a few students who took it upon themselves to try and break into
the system (e.g., gaining passwords by watching people type them). At one
point my friend who worked on the system with me decided we would have a bit
of fun with the students and wrote a program that emulated the operation of
the system administrator account. By leaving a good number of clues around
we were able to divert the efforts of the students into accessing this
account, and after watching them for a while we rounded them all up and had
a good laugh (I was a student as well at this time). This had immediate
predictable effects:
1. The students gained valuable knowledge about how the sys admin
account really works (our simulation was quite authentic).
2. The students knew that such a faker program existed.
3. Any static program which simulates behaviour of the system
was likely to be easily detected by those who have experienced
it before (many of the students figured this out within minutes
of using it).
What happened next was totally unexpected. A budding, inexperienced hacker
under the tutorship of some of the previous students was instructed on how
to "break" into the system. They unfortunately did not follow the
instructions given to them correctly and succeeded in breaking into the
system FOR REAL. Knowing that the faker program existed, they assumed that
this is what they had accessed and thus set about a path of destruction that
would take over a week to unravel and fix.
I can only imagine what interesting things might happen once the hackers
start suggesting/contributing updates to this package.
The risk here is that you never know who is being deceived.
Richard Snider <rsnider@tdc.on.ca>
ASSOCIATION FOR COMPUTING MACHINERY
* * * POLICY '98 CONFERENCE * * *
http://www.acm.org/policy98/
"Shaping Policy in the Information Age"
Washington, DC, Renaissance Hotel
May 10-12, 1998
Register now for the one computing policy conference you don't
want to miss...featuring:
- Senator Orrin Hatch (invited): Future of Intellectual Property
- Special Advisor to the President Ira Magaziner: White House Report
- Representative Vern Ehlers (invited): Reformulating US Science Policy
- Representative Constance Morella: The Role of the Federal Government
in Computing
- Assistant Director Juris Hartmanis: The Role of the National Science
Foundation in Computing Policy
- Assistant Secretary of Commerce for Communications and Information
Larry Irving: Universal Service
- Debate: Esther Dyson and Gary Chapman
- ACM Presidential Award for founding NetDay: John Gage, Sun
Microsystems
- Making Science Policy: Roundtable with NPR Correspondent Dan Charles
The ACM Policy '98 Conference will focus on public policy issues affecting
future applications of computing. Our goal is to forge stronger links
between computing professionals and policy makers. Attendees will interact
with prominent leaders from academia, industry, Congress, and Executive
agencies, and participate in debates on policy issues including:
- Universal Access - Electronic Commerce
- Intellectual Property - Education Online
All Policy '98 attendees are invited to the Annual ACM Awards Banquet on
Sunday evening May 10th, and a conference reception on Monday evening May
11th at the new headquarters of the American Association for the Advancement
of Science.
Register online at
http://www.acm.org/policy98/
or write to policy98@acm.org. Early registrants and ACM members receive
discounts. A limited number of low-priced student registrations are
available.
Conference Chairs - Ben Shneiderman, Dianne Martin
Program Chairs - Marc Rotenberg, Keith Miller
Panel Moderators - Jim Horning, Pamela Samuelson,
Charles Brownstein, Oliver Smoot
USACM Chair - Barbara Simons
Call For Papers
New Security Paradigms Workshop '98
A workshop sponsored by ACM
22 - 25 September 1998
Charlottesville, Virginia
http://www-hsc.usc.edu/~essin/nspw98.html
Paradigm shifts disrupt the status quo, destroy outdated ideas, and
open the way to new possibilities. This workshop explores deficiencies
of current computer security paradigms and examines radical new models
that address those deficiencies. Previous years' workshops have
identified problematic aspects of traditional security paradigms and
explored a variety of possible alternatives. Participants have discussed
alternative models for access control, intrusion detection, new
definitions of security, privacy, and trust, biological and economic
models of security, and a wide variety of other topics. The 1998 workshop
will strike a balance between building on the foundations laid in past
years and exploring new directions.
Deadline 3 Apr 1998 for e-mail submissions, 27 Mar 1998 for hardcopy.
[First check out http://www-hsc.usc.edu/~essin/nspw98.html .]
Workshop Co-Chairs
Bob Blakley, IBM, 11400 Burnet Road, Mail Stop 9134, Austin, TX 78758 USA
e-mail: blakley@us.ibm.com voice: +1 (512) 838-8133 fax: +1 (512) 838-0156
Darrell Kienzle, The MITRE Corp., 1820 Dolley Madison Blvd., McLean VA 22102
e-mail: kienzle@mitre.org voice: +1 (703) 883-5836 fax: +1 (703) 883-1397
Program Committee Co-Chairs:
Mary Ellen Zurko, The Open Group Research Institute
11 Cambridge Center, Cambridge, MA 02142 USA
e-mail: zurko@opengroup.org voice: +1 (617) 621-7231 fax: +1 (617) 225-2943
Steven J. Greenwald, 2521 NE 135th Street, North Miami, FL 33181 USA
e-mail: sjg6@gate.net voice: +1 (305) 944-7842 fax: +1 (305) 944-5746
[``Buddy can use paradigm?'' (variant of ``Buddy, can youse paradigm?'' PGN]
CALL FOR PARTICIPATION
First International Software Assurance Certification Conference (ISACC'99)
Theme: Early Lessons Learned and Prospects
Location: Washington D.C.
Date: Spring 1999
General Chair: Chuck Howell, howell@rstcorp.com
Program Chair: Dr. Jeffrey Voas, jmvoas@rstcorp.com
Conference Secretariat: Ms. Peggy Wallace, pwallace@rstcorp.com
Conference Web Site: www.rstcorp.com/ISACC99
Conference Management:
Reliable Software Technologies
Sterling, VA USA
http://www.rstcorp.com
Tel: 703.404.9293
Fax: 703.404.9295
Additional Sponsors:
Software Testing Assurance Corporation
Stamford, CT USA
http://www.stacorp.com
Tel: 203.972.9557
Fax: 203.966.5506
ISACC'99 will be the first conference in an annual series to be devoted
exclusively to software certification. Enormous demand is driving the
development of technologies, tools, methodologies, and models for certifying
software — that is, certifying that software will "behave as advertised"
with respect to a specific set of behaviors, or at least that the software
has specific properties. ISACC will be the premier forum where consumers and
producers of software can exchange points of view on how best to certify
software technology.
The theme of the ISACC'99 is "Early Lessons Learned and Prospects". ISACC'99
will focus on the many different ways that certification is currently
approached in the software industry. Examples range from independent
confirmation of a narrow set of properties of a specific program (e.g., Key
Labs' "100% Pure Java Certification") to complex regulatory oversight of an
entire development process (e.g., FAA's DO-178B framework). What can be
inferred when a software product is certified, and what cannot? What
approaches have proven successful, and where have certification efforts
bogged down?
The near-term prospects for software certification are driven in large
measure by non-technical issues. Software is increasingly used in systems
where failure threatens safety, economic loss, loss of privacy or
confidentiality, and other injuries. In addition, the "Year 2000 Problem"
has dramatically raised awareness of the extent to which businesses ability
to function have become dependent on software, with corresponding
consequences for software that does not "work as advertised". Software
liability is the Sword of Damocles hanging over the head of the software
industry. Liability concerns make ISACC especially timely. A key question is
whether the government should decide what the certification requirements are
for a given class of systems and uses of software, or whether
"private-sector" developers should self-regulate via a core set of
certification technologies. If self-policing is preferred, will it be by an
honor system or will software certification laboratories be the means by
which software vendors show that their software is of high quality?
Besides paper presentations, ISACC'99 will also host a series of tutorials
explaining how regulatory certification frameworks (such as the FAA's
DO-178B or the FDA's 510(k) guidelines) are enforced. Certification experts
will teach attendees the steps that they must successfully complete in order
to get software systems approved. Similar tutorials will be offered by
experts on examples of "self policing" certification frameworks from
commercial software developers and certification laboratories.
A panel discussion on certification frameworks in other industries (e.g.,
Civil Engineering, Electrical Engineering) will provide additional
perspective on ways of structuring certification processes.
In summary, the series of ISACC conferences will seek practitioners, legal
experts, and researchers that wish to discuss how software certification can
be transformed from being viewed as a tax on the industry to being viewed as
a trophy.
Topics of particular interest to the program committee include:
Certification Authorities and Laboratories
Existing Software Guidelines or
Standards (ISO, CMM, IEC, USNRC, FDA, NCSA, etc.)
Formal development methods
Product vs. Process Certification
Public-domain software
Qualifying and Quantifying the Reliability of COTS Software
Software Metrics and Measurement
Software Validation
Software Liability
Software Insurance
Software Assurance Tools
Software Reliability Measurement
Software Safety Assessment
Software Security Assessment
Software Maintenance
Uniform Commercial Code
Year 2000 Certification
The Role of Professional Organizations (ACM, IEEE, ASQ, etc.)
Certification of third-party software
In late March 1998, the official CALL FOR PAPERS for ISACC will be
mailed. If you would like to be on ISACC's mailing list to receive the CALL
FOR PAPERS announcement and the program brochure, please send e-mail to
isacc@rstcorp.com .
Please report problems with the web pages to the maintainer