The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 63

Friday 13 March 1998

Contents

o Cell Phones Can Interfere with Auto Systems
Edupage
o Remote viewing
Colin Rafferty
o Three Army Web sites hacked
SINS
o Windows NT 4 corrupting filespace and deleting directories
Silas S. Brown
o Federal Prosecutors Indict Internet Gambling Operators
Edupage
o Browser site autoexpansion strikes again
Tim Kolar
o V-Chip: details, details
wb8foz
o TV censors
PGN
o For want of a hyphen, you get porn
James Willing
o Re: Newspaper spelling checker forgets Europe
Mark Stalzer
o Boise's city e-mail subject to FOIA
Doneel Edelson
o Radar blip lost Air Force One
Doneel Edelson
o Re: The anti-crypto rhetoric ratchets up
Scott R. Traurig
o Re: COMPAQ usability problem
Pete Mellor
o Re: Atlantic Monthly, "The Lessons of ValueJet 592"
E Florack
o Re: The cost of deception
Richard Snider
o ACM Policy '98 Conference Announcement
Policy 98 Info
o New Security Paradigms Workshop, Call For Papers
Mary Ellen Zurko
o Software Certification Conference: Call for Participation
Chuck Howell
o Info on RISKS (comp.risks)

Cell Phones Can Interfere with Auto Systems

Edupage Editors <educom@educom.unc.edu>
Thu, 5 Mar 1998 19:04:28 -0500
Car makers have known for a while that talking on a cell phone while driving
can cause accidents, but now research shows that wireless phones can disrupt
anti-lock braking and other electronic systems.  For instance, Mercedes Benz
warns that the electromagnetic radiation emitted by the microchips in
wireless phones can disable its Babysmart toddler restraint seat, which
automatically switches off the passenger side air bag when a child is
sitting up front.  "As far as we know, no injury or death has resulted from
interference between wireless phones and other radio-frequency emitting
devices," says an AT&T Wireless Services spokeswoman, but some late model
owner's manuals contain special warnings regarding the problem.  (_USA
Today_ 4 Mar 1998; Edupage, 5 March 1998)
  <To subscribe to Edupage, send e-mail to: listproc@educom.unc.edu
  with the message: subscribe edupage [your name]>


Remote viewing

Colin Rafferty <craffert@ml.com>
10 Mar 1998 15:48:42 -0500
WIRELESS MARRIAGE

RF-Link Technology has developed a Wireless PC@TV product that allows an
Internet link via a PC in one room to be displayed on a television in
another.  A scan converter translates the PC's video display signals into
signals that a TV can process, and wirelessly sends the audio and video
signals using a radio-frequency transmitter and receiver.  The signals can
travel up to 100 feet, and a wireless keyboard allows the user to manipulate
the PC while watching the action on the TV in another room.  The cost is
about double that of a set-top WebTV receiver, but does not require a
special Internet service. (_Popular Science_, Mar 98; Edupage)

  So when my next-door neighbor is browsing www.playboy.com, does that
  mean that my six-year-old can read right along?  Colin


Three Army Web sites hacked

"Security Information News Service: SINS[*]" <ravensceo@MCIONE.COM>
Tue, 10 Mar 1998 12:54:49 -0500
On the heels of the recent attack on unclassified Pentagon computer systems,
three Army World Wide Web sites were hacked on 8 Mar 1998: the Army Air
Defense Artillery School, the Army 7th Signal Brigade[*], and the Army
Executive Software Systems Directorate.  Official content was replaced with
messages about the previous Pentagon attacks.  One of the messages said,
"For those of you in the security community, the so-called Pentagon hackers
are using nothing more advanced [than] the 'statd'.  Get a list of 200 sites,
and sit and try the same exploit to every one of them.  [You're] going to
get one out of 100 sites eventually."

  [* The 7th's diddly SINS?  PGN]


Windows NT 4 corrupting filespace and deleting directories

"Silas S. Brown" <silasbrown@bigfoot.com>
Mon, 9 Mar 1998 21:08:11 +0000
People or companies who run Windows NT 4 and experience frequent unexplained
"STOP" errors may like to know about the following risks:

1. There is a small probability that one of those STOP errors will
   render the NT filesystem unbootable by corrupting one of the system
   files; in this case it cannot be repaired even with a repair disk.

2. If you re-install Windows NT over an existing installation, the
   %Systemroot%\Profiles tree, including all user data that it contains,
   is deleted.

3. Even if you back up the registry, you may not be able to restore
   it correctly in a new NT installation, because the various user numbers,
   etc., would have changed; extensive manual editing / glitch fixing is
   required.

Silas S. Brown, http://members.bigfoot.com/~silasbrown/


Federal Prosecutors Indict Internet Gambling Operators

Edupage Editors <educom@educom.unc.edu>
Thu, 5 Mar 1998 19:04:28 -0500
Federal prosecutors in New York indicted 14 operators of offshore companies
for using phone lines for the purposes of illegal gambling activities.  All
14 are American.  The government says it is not charging bettors for using
the sites but hopes that the indictment will serve as warning that such
activities are illegal.  (_The New York Times_, 5 Mar 1998; Edupage, 5 March
1998.)


Browser site autoexpansion strikes again

Tim Kolar <tkolar@cisco.com>
Fri, 13 Mar 1998 09:17:17 -0800 (PST)
The "centraal corporation" of Palo Alto recently introduced a new scheme for
entering WWW host addresses into Web browsers.  According to the marketing
literature, you could replace all of that nasty http://host/directory
nonsense with a single word.

They presented this with a gentle, heartwarming Disney example.
Who wants to think of their toddler son having to type in all those dots
and slashes to read about their favorite fawn, when they could just use
the new scheme and type in "bambi"?

Well, it turns out Junior had better stick with the punctuation.  Following
their press release, thousands of users went directly to their browsers
and typed in "bambi".  Normal browser auto-expansion dropped them on
"www.bambi.com", a decidedly non-Disney site where children can learn
about a side of wildlife not fully depicted in the movie.

There are some fascinating tidbits in a Reuters article on the subject:

 o The company is selling the service to large companies who want
   simpler web addresses in advertising.

 o As people have found, the "single word" approach has some regrettable
   side effects if you don't have their special software installed.

 o The president of the company was "surprised" that browsers would
   jump to a site given an incomplete address.

Offhand I'd say their business plan is in tatters.  All because normal,
unenhanced web browsers are a little too smart.


V-Chip: details, details

<wb8foz@nrk.com>
Thu, 12 Mar 1998 17:47:30 -0500 (EST)
Dan Charles of NPR reports that TV mfgrs responded to the
"What happens when parents lose the {V-chip} password?" question
with:
    We haven't figured that out yet..

If certificates, authentication and such are a morass for the DOD [as they
are discovering....]; what happens in the larger world of TV sales? Will we
see ads in the classifieds such as:

  For Sale, 27" Sony, lost password, only gets Disney..

The RISK?  Mandated solutions to problems only partially thought-out.


TV censors

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 12 Mar 98 8:26:51 PST
A Kansas City company, Applied Micro Technology Inc., is about to begin
selling a device for censoring language in TV broadcasts (intended for the
protection of children).  It works only on closed-captioned broadcasts.  If
a banned word is found in the closed caption, the sound is muted and the
closed caption displayed with a milder word substituted.  The original
design just matched on words, causing DICK VAN DYKE to turn into JERK VAN
GAY.  This was obviously inadequate, so it was extended to recognize
context.  The designer, Rick Bray, says that it now catches 65 out of 66
"offensive words" in the movie Men in Black (for example), and so he now
allows his children to see it, and so they're pleased with the device.  The
article [sorry, source missing] does not say how many false hits it finds,
nor how much dialogue gets lost because the closed captions are not actually
always synchronized with the audio.  There are at present 100 banned words.
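The DICK VAN DYKE failure above is the classic cost of matching a banned string anywhere in the caption rather than as a whole word with context. The following is an added example, not the device's code (its 100-word list and its context rules are not published in the article); the substitution table, the allowlist of protected names and the sample caption lines are all constructed here. It puts the naive substring match beside a whole-word match with an allowlist, and also returns the "mute" decision so that a line that was not rewritten keeps its audio.

```python
from __future__ import annotations
import re

# Constructed substitution table and allowlist for the demonstration; the real
# device's 100-word list and its context rules are not given in the article.
BANNED = {"dick": "jerk", "dyke": "gay"}
ALLOW = {"dick van dyke"}          # proper names that must never be rewritten


def _match_case(original: str, replacement: str) -> str:
    """Copy the casing of the matched word onto its milder substitute."""
    if original.isupper():
        return replacement.upper()
    if original.istitle():
        return replacement.capitalize()
    return replacement


def censor_substring(caption: str) -> str:
    """The original design as described: match the banned string anywhere,
    even inside a longer word or a name, and substitute."""
    out = caption
    for bad, mild in BANNED.items():
        out = re.sub(re.escape(bad),
                     lambda m, mild=mild: _match_case(m.group(0), mild),
                     out, flags=re.IGNORECASE)
    return out


def censor_words(caption: str) -> tuple[str, bool]:
    """Whole-word matching with an allowlist of protected phrases.
    Returns (rewritten caption, mute); mute is True only when a real
    substitution happened, so clean lines keep their audio."""
    lower = caption.lower()
    protected = [(m.start(), m.end())
                 for phrase in ALLOW
                 for m in re.finditer(re.escape(phrase), lower)]
    hits = 0

    def repl(m):
        nonlocal hits
        if any(s <= m.start() and m.end() <= e for s, e in protected):
            return m.group(0)             # inside a protected name: leave it
        hits += 1
        return _match_case(m.group(0), BANNED[m.group(0).lower()])

    pattern = r"\b(" + "|".join(re.escape(w) for w in BANNED) + r")\b"
    return re.sub(pattern, repl, caption, flags=re.IGNORECASE), hits > 0


if __name__ == "__main__":
    # constructed caption lines
    for line in ["DICK VAN DYKE SHOW TONIGHT", "YOU DICK!", "Dickens wrote it"]:
        print(repr(line), "->", censor_substring(line), "|", censor_words(line))
```

The whole-word version still says nothing about the two questions PGN raises: false hits on words that are offensive in one sense only, and dialogue lost because the caption and the audio are not in step. Those need timing data and sense disambiguation, not a better regex.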


For want of a hyphen, you get porn

James Willing <jimw@agora.rdrop.com>
Fri, 13 Mar 1998 14:48:12 -0800 (PST)
You may have noticed, that with almost every new movie trailer or
advertisement comes an URL for a web site that in most cases contains motion
video clips, stills, and other information about the movie.  Seems like just
another promotional opportunity which I think few would take issue with.

However, I have also noticed a darker trend developing in parallel with
this.  Operators of porn sites are increasingly obtaining domain names
nearly identical to that of the movies being promoted, usually with only
a bit of punctuation being the difference.

The most recent example: the science-fiction movie "Deep Impact", due out
this summer (an apocalyptic tale of comets crashing to earth).  The print
ads and trailers note the URL "www.deep-impact.com".

However, if you miss the hyphen in the URL and enter "www.deepimpact.com"
instead, you are greeted with a starfield background (similar, if not
identical to the legitimate site), with a single line of hyperlinked text:
"Click to continue".

Even if you do not click on the text, after about four seconds you are
automatically linked (redirected) to the page of a pornographic site with
graphics that leave little doubt as to its purpose.

Especially disturbing is this recent trend for these redirector sites to try
to mirror the initial image of the legitimate sites in order to prevent the
user from realizing the error until after the next page has loaded, or worse
(possibly trying to create a legally defensible position) being able to
claim that the user consented to view the site by clicking on the linked
text.

The risks?  People seeking information on unreleased motion pictures (kids
especially) receiving instead an unwanted porn page.  Plus, the possible
backlash against the movie and its associates from people who may not
realize the difference a single omitted character can make in an
URL and might assume some link between the sites due to the similarity in
the names.

A possible alternate risk, would be for people who access the web from their
work or other monitored environment trying to explain why they have accessed
a pornographic site once the access is noted in a log file.

-jim  jimw@agora.rdrop.com  The Computer Garage
http://www.rdrop.com/~jimw  Fax - (503) 646-0174

  [It is astounding how many folks say "dash" instead of "hyphen"
  (or, perhaps less strongly typed, "minus").  For example, Siskel and Ebert
  have only recently realized that their URL contains a hyphen, not a dash.
  PGN]
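Both the "bambi" item above and the deep-impact/deepimpact item are the same failure seen from two sides: the hostname a user actually lands on is not the one that was advertised. The practical check, before printing a URL on a trailer, is to enumerate the near-miss hostnames and register or at least monitor them. The following is an added example, not code from either company or from the contributors; it assumes the bare-word expansion to www.<word>.com that the Bambi item describes, and the hostname form label.suffix, and it generalizes the single dropped-hyphen case to omitted, doubled and transposed characters.

```python
from __future__ import annotations


def keyword_expansion(word: str) -> str:
    """Mimic the browser auto-expansion described above: a bare word typed
    into the location field is tried as www.<word>.com (assumed behaviour)."""
    return f"www.{word.strip().lower()}.com"


def hostname_variants(hostname: str) -> list[str]:
    """Enumerate near-miss hostnames for the second-level label of `hostname`:
    hyphens dropped, one character omitted, one character doubled, and
    adjacent characters transposed.  Labels that would be invalid DNS labels
    (empty, leading or trailing hyphen, non [a-z0-9-] characters) are dropped,
    as is the original hostname itself."""
    host = hostname.strip().lower()
    if host.startswith("www."):
        host = host[4:]
    label, _, suffix = host.partition(".")     # "deep-impact", "com"
    cands = {label.replace("-", "")}           # the missed-hyphen case
    for i in range(len(label)):
        cands.add(label[:i] + label[i + 1:])                        # omitted char
        cands.add(label[:i] + label[i] * 2 + label[i + 1:])         # doubled char
        if i + 1 < len(label):
            cands.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swap
    out = set()
    for c in cands:
        if not c or c == label or c.startswith("-") or c.endswith("-"):
            continue
        if not all(ch.isalnum() or ch == "-" for ch in c):
            continue
        out.add(f"{c}.{suffix}" if suffix else c)
    return sorted(out)


if __name__ == "__main__":
    print(keyword_expansion("bambi"))
    for v in hostname_variants("www.deep-impact.com"):
        print(v)
```

The output list is what a campaign owner would register defensively or feed to a resolver to see which names already point somewhere; a name that resolves to an unrelated site before the ads run is exactly the situation Jim describes.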


Re: Newspaper spelling checker forgets Europe (RISKS-19.62)

Mark Stalzer <stalzer@macaw.hrl.hac.com>
Mon, 09 Mar 1998 12:47:18 -0800
There are cities in California and Texas called "Cypress" so I don't think
we should blame the spell checker. It would have to understand the sentence
to catch the mistake.  We can execute the proof reader though.

  -- Mark

  [Several folks commented on this.  If the dictionary contains Cypress,
  it should also contain Cyprus.  If it knows only about trees and not
  geographical names, it is not a very good dictionary for a spelling
  checker to use.  Let the fir fly, and spruce up the on-line dictionaries.
  PGN]


Boise's city e-mail subject to FOIA

"Edelson, Doneel" <doneeledelson@aciins.com>
Wed, 11 Mar 1998 13:46:02 -0500
The Idaho state government ruled that the City of Boise's e-mail is fair
game under the Freedom of Information Act.  They had to make the city
council's e-mail available to the newspaper.  [_Information Week_, March 9,
1998, p. 8]


Radar blip lost Air Force One

"Edelson, Doneel" <doneeledelson@aciins.com>
Wed, 11 Mar 1998 13:46:02 -0500
The Federal Aviation Administration is investigating whether an air traffic
tracking system went out amid reports that Air Force One vanished from radar
screens for 24 seconds.  Broadcast reports said the airplane disappeared
from radar screens Tuesday morning as President Clinton traveled to
Connecticut.  ... The long-range radar system at the center has a history of
going off and momentary blips are a frequent occurrence, DiPalmo said.
[_USA Today_, 11 Mar 1998]


Re: The anti-crypto rhetoric ratchets up (Ellison, RISKS-19.62)

"Traurig, Scott R" <scott.r.traurig@lmco.com>
Tue, 10 Mar 1998 20:04:48 -0500
Mr. Ellison's observation that perhaps criminals are too lazy to use
encryption, supported by Ms. Denning's survey results showing that
encryption is not in widespread use by criminals, may be an important one,
indeed.

That our delicate world, made all the more so by our reliance on technology
as often discussed in this forum, has not already been made a total shambles
through criminal or terrorist activity, is a constant source of amazement
for me. Many, if not most of us who participate in this forum would have
little difficulty in raining havoc upon a large population with equally
little chance of retribution by society.

Although there are certainly exceptions, one can only hope that most
criminals and terrorists, by their very nature, are either incredibly stupid
and/or lazy. This theory is well supported by the alleged criminals shown on
the U.S. television program "Cops." Perhaps the "smarter" criminals also
have some measure of morality that limits their activities.  Let's hope it
stays that way.

Scott Traurig <Scott.R.Traurig@lmco.com>


Re: COMPAQ usability problem (Mellor, RISKS-19.60)

Pete Mellor <pm@csr.city.ac.uk>
Fri, 13 Mar 1998 17:16:27 GMT
Further to my original mailing (which described what was actually reported
on "The News Quiz"), I actually did a bit of fact-checking with the COMPAQ
help desk. They were not aware of any changes to screen messages, and not
aware of the story that is going around.

Another urban myth bites the dust!

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422 http://www@csr.city.ac.uk/


Re: Atlantic Monthly, "The Lessons of ValueJet 592" (RISKS-19.62)

"EFLORACK" <eflorack@servtech.com>
Tue, 10 Mar 1998 18:54:40 -0500
Just a quick comment: Is it possible, then, that an extrapolation of this
MIGHT just be that government trying to prevent all problems will, instead of
gaining the goal, in fact create more problems?  The question applies
of course to the finding in the case of VJ592, since most of the systems
involved are government mandated... but the question of RISK would seem to
apply to all other government mandates, as well.


Re: The cost of deception (Cohen, RISKS-19.62)

Richard Snider <rsnider@tdc.on.ca>
Tue, 10 Mar 1998 14:24:37 -0500 (EST)
In RISKS-19.62 an article appears promoting a product that allows system
administrators to "decept" would-be hackers into thinking they have broken
into your system when in reality they have not.  It then goes on to extol the
virtues of such an approach without exploring possible negative side-effects
of such software.  While there is questionable facility with using such
software since "true hackers" would likely know they are being faked out,
the more interesting question arises when "junior hackers" have succeeded in
breaking into a system but don't know enough to realize they have done so.
This is especially bad if they know that this kind of faker software exists.

I put forth the example which brings this all to mind.  I used to look after
a computer network used by a large school board in Toronto.  As expected
there were a few students who took it upon themselves to try and break into
the system (e.g., gaining passwords by watching people type them).  At one
point my friend who worked on the system with me decided we would have a bit
of fun with the students and wrote a program that emulated the operation of
the system administrator account.  By leaving a good number of clues around
we were able to divert the efforts of the students into accessing this
account, and after watching them for a while we rounded them all up and had
a good laugh (I was a student as well at this time).  This had immediate
predictable effects:

   1. The students gained valuable knowledge about how the sys admin
      account really works (our simulation was quite authentic).
   2. The students knew that such a faker program existed.
   3. Any static program which simulates behaviour of the system
      was likely to be easily detected by those who have experienced
      it before (many of the students figured this out within minutes
      of using it).

What happened next was totally unexpected.  A budding, inexperienced hacker
under the tutorship of some of the previous students was instructed on how
to "break" into the system.  They unfortunately did not follow the
instructions given to them correctly and succeeded in breaking into the
system FOR REAL.  Knowing that the faker program existed, they assumed that
this is what they had accessed and thus set about a path of destruction that
would take over a week to unravel and fix.

I can only imagine what interesting things might happen once the hackers
start suggesting/contributing updates to this package.

The risk here is that you never know who is being deceived.

Richard Snider <rsnider@tdc.on.ca>


ACM Policy '98 Conference Announcement

Policy 98 Info <policyinfo@HQ.ACM.ORG>
Fri, 13 Mar 1998 17:00:00 PST
           ASSOCIATION FOR COMPUTING MACHINERY
            * * *  POLICY '98 CONFERENCE  * * *
               http://www.acm.org/policy98/

         "Shaping Policy in the Information Age"
            Washington, DC, Renaissance Hotel
                    May 10-12, 1998

Register now for the one computing policy conference you don't
want to miss...featuring:
  - Senator Orrin Hatch (invited): Future of Intellectual Property
  - Special Advisor to the President Ira Magaziner: White House Report
  - Representative Vern Ehlers (invited): Reformulating US Science Policy
  - Representative Constance Morella: The Role of the Federal Government
      in Computing
  - Assistant Director Juris Hartmanis: The Role of the National Science
      Foundation in Computing Policy
  - Assistant Secretary of Commerce for Communications and Information
      Larry Irving: Universal Service
  - Debate: Esther Dyson and Gary Chapman
  - ACM Presidential Award for founding NetDay: John Gage, Sun Microsystems
  - Making Science Policy: Roundtable with NPR Correspondent Dan Charles

The ACM Policy '98 Conference will focus on public policy issues affecting
future applications of computing.  Our goal is to forge stronger links
between computing professionals and policy makers.  Attendees will interact
with prominent leaders from academia, industry, Congress, and Executive
agencies, and participate in debates on policy issues including:

  - Universal Access         - Electronic Commerce
  - Intellectual Property    - Education Online

All Policy '98 attendees are invited to the Annual ACM Awards Banquet on
Sunday evening May 10th, and a conference reception on Monday evening May
11th at the new headquarters of the American Association for the Advancement
of Science.

Register online at
  http://www.acm.org/policy98/
or write to policy98@acm.org.  Early registrants and ACM members receive
discounts.  A limited number of low-priced student registrations are
available.

  Conference Chairs - Ben Shneiderman, Dianne Martin
  Program Chairs - Marc Rotenberg, Keith Miller
  Panel Moderators - Jim Horning, Pamela Samuelson,
    Charles Brownstein, Oliver Smoot
  USACM Chair - Barbara Simons


New Security Paradigms Workshop, Call For Papers

Mary Ellen Zurko <zurko@opengroup.org>
Tue, 10 Mar 1998 11:43:47 -0500
                           Call For Papers
                   New Security Paradigms Workshop '98
                      A workshop sponsored by ACM
                        22 - 25 September 1998
                      Charlottesville, Virginia
               http://www-hsc.usc.edu/~essin/nspw98.html

Paradigm shifts disrupt the status quo, destroy outdated ideas, and
open the way to new possibilities. This workshop explores deficiencies
of current computer security paradigms and examines radical new models
that address those deficiencies. Previous years' workshops have
identified problematic aspects of traditional security paradigms and
explored a variety of possible alternatives. Participants have discussed
alternative models for access control, intrusion detection, new
definitions of security, privacy, and trust, biological and economic
models of security, and a wide variety of other topics. The 1998 workshop
will strike a balance between building on the foundations laid in past
years and exploring new directions.

Deadline 3 Apr 1998 for e-mail submissions, 27 Mar 1998 for hardcopy.
[First check out http://www-hsc.usc.edu/~essin/nspw98.html .]

Workshop Co-Chairs

Bob Blakley, IBM, 11400 Burnet Road, Mail Stop 9134, Austin, TX 78758 USA
e-mail: blakley@us.ibm.com  voice: +1 (512) 838-8133  fax: +1 (512) 838-0156

Darrell Kienzle, The MITRE Corp., 1820 Dolley Madison Blvd., McLean VA 22102
e-mail: kienzle@mitre.org  voice: +1 (703) 883-5836  fax: +1 (703) 883-1397

Program Committee Co-Chairs:

Mary Ellen Zurko, The Open Group Research Institute
11 Cambridge Center, Cambridge, MA 02142 USA
e-mail: zurko@opengroup.org  voice: +1 (617) 621-7231  fax: +1 (617) 225-2943

Steven J. Greenwald, 2521 NE 135th Street, North Miami, FL 33181 USA
e-mail: sjg6@gate.net  voice: +1 (305) 944-7842  fax: +1 (305) 944-5746

  [``Buddy can use paradigm?'' (variant of ``Buddy, can youse paradigm?'') PGN]


Software Certification Conference: Call for Participation

Chuck Howell <howell@rstcorp.com>
Tue, 10 Mar 1998 06:52:25 -0500
CALL FOR PARTICIPATION
First International Software Assurance Certification Conference (ISACC'99)

Theme: Early Lessons Learned and Prospects
Location: Washington D.C.
Date: Spring 1999

General Chair: Chuck Howell, howell@rstcorp.com
Program Chair: Dr. Jeffrey Voas, jmvoas@rstcorp.com
Conference Secretariat: Ms. Peggy Wallace, pwallace@rstcorp.com

Conference Web Site: www.rstcorp.com/ISACC99

Conference Management:

     Reliable Software Technologies
     Sterling, VA   USA
     http://www.rstcorp.com
     Tel: 703.404.9293
     Fax: 703.404.9295

Additional Sponsors:

     Software Testing Assurance Corporation
     Stamford, CT  USA
     http://www.stacorp.com
     Tel: 203.972.9557
     Fax: 203.966.5506

ISACC'99 will be the first conference in an annual series to be devoted
exclusively to software certification. Enormous demand is driving the
development of technologies, tools, methodologies, and models for certifying
software -- that is, certifying that software will "behave as advertised"
with respect to a specific set of behaviors, or at least that the software
has specific properties. ISACC will be the premier forum where consumers and
producers of software can exchange points of view on how best to certify
software technology.

The theme of the ISACC'99 is "Early Lessons Learned and Prospects". ISACC'99
will focus on the many different ways that certification is currently
approached in the software industry.  Examples range from independent
confirmation of a narrow set of properties of a specific program (e.g., Key
Labs' "100% Pure Java Certification") to complex regulatory oversight of an
entire development process (e.g., FAA's DO-178B framework). What can be
inferred when a software product is certified, and what cannot?  What
approaches have proven successful, and where have certification efforts
bogged down?

The near-term prospects for software certification are driven in large
measure by non-technical issues. Software is increasingly used in systems
where failure threatens safety, economic loss, loss of privacy or
confidentiality, and other injuries. In addition, the "Year 2000 Problem"
has dramatically raised awareness of the extent to which businesses' ability
to function has become dependent on software, with corresponding
consequences for software that does not "work as advertised". Software
liability is the Sword of Damocles hanging over the head of the software
industry. Liability concerns make ISACC especially timely. A key question is
whether the government should decide what the certification requirements are
for a given class of systems and uses of software, or whether
"private-sector" developers should self-regulate via a core set of
certification technologies. If self-policing is preferred, will it be by an
honor system or will software certification laboratories be the means by
which software vendors show that their software is of high quality?

Besides paper presentations, ISACC'99 will also host a series of tutorials
explaining how regulatory certification frameworks (such as the FAA's
DO-178B or the FDA's 510(k) guidelines) are enforced.  Certification experts
will teach attendees the steps that they must successfully complete in order
to get software systems approved. Similar tutorials will be offered by
experts on examples of "self policing" certification frameworks from
commercial software developers and certification laboratories.

A panel discussion on certification frameworks in other industries (e.g.,
Civil Engineering, Electrical Engineering) will provide additional
perspective on ways of structuring certification processes.

In summary, the series of ISACC conferences will seek practitioners, legal
experts, and researchers that wish to discuss how software certification can
be transformed from being viewed as a tax on the industry to being viewed as
a trophy.

Topics of particular interest to the program committee include:

     Certification Authorities and Laboratories
     Existing Software Guidelines or Standards (ISO, CMM, IEC, USNRC, FDA, NCSA, etc.)
     Formal development methods
     Product vs. Process Certification
     Public-domain software
     Qualifying and Quantifying the Reliability of COTS Software
     Software Metrics and Measurement
     Software Validation
     Software Liability
     Software Insurance
     Software Assurance Tools
     Software Reliability Measurement
     Software Safety Assessment
     Software Security Assessment
     Software Maintenance
     Uniform Commercial Code
     Year 2000 Certification
     The Role of Professional Organizations (ACM, IEEE, ASQ, etc.)
     Certification of third-party software

In late March 1998, the official CALL FOR PAPERS for ISACC will be
mailed. If you would like to be on ISACC's mailing list to receive the CALL
FOR PAPERS announcement and the program brochure, please send e-mail to
isacc@rstcorp.com .
