Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
On 29 Mar 1998, in the early morning hours (02:00), the official time in Germany changed from wintertime (UTC +1, MEZ) to summertime (UTC +2, MESZ). The hour from 02:00 to 03:00 is 'stolen' and will be given back in the changing from summertime to wintertime. Everyone has to adjust the clocks with a delta of +1 hour. Deutsche Telekom, the formerly state-owned telecommunication company provides the time in their ISDN exchanges ("Vermittlungsstelle"). On 29 Mar 1998 the Deutsche Telekom made some mistakes in the City of Luebeck (local area code 0451): The system clocks were adjusted *twice* instead of once so that the ISDN-exchange provided a false time to all connected ISDN-devices. Normally all the ISDN-Exchanges are synchronized by a radio driven clock (DCF77 transmitting the official time in Germany). Operators at the hotline were scared about this failure. After a few minutes they called me and told that the clock would be corrected immediately. Computer systems equipped with a ISDN-Card can normally obtain the DCF-77 based time by retrieving the time token from the ISDN-Exchange and save the money for a local DCF-77 card — which costs several hundred Deutschmarks (1.85 Deutschmark =~ 1 US$). The risk of trusting the time provided by the Deutsche Telekom is obvious. When you want or need the official time, you better spend some money in a dedicated DCF-77 radio-controlled clock-device. Nikolaus Bernhardt <Nikolaus@nikon.on-luebeck.de>
Check out http://www.redfish.com/USEmbassy-China/sandt/y2ku.htm for the Y2K situation in China as well as some other risky issues. Don Wagner <DWag@compuserve.com> http://coco.ihi.ku.dk/~dbwagner [I did, and it is pretty scary. PGN]
It might be related to the date but things went seriously on 1 Apr 1998 in The Netherlands. Here's a recap of three problems as reported on the 6 o'clock news: - Digging activity damaged a fibre optic cable in the north, leaving part of the country without phone service for hours. A classic single point of failure error. - The national BeaNet system was down for part of the day. This is the system that processes among others debit (PIN) payments, ATM cash withdrawals and online I-Pay transactions. The failure was attributed to 'a problem with the computer'. Let's hope one computer is not what they depend on to run such an essential system. - The Postbank (one of the largest banking institutions in the country) were confronted by a maintenance operation that took longer than it should. This had the side effect that the systems for online transactions (separate from the BeaNet system) were not reloaded with the latest account balances from the day befor only only. This caused problems for people trying to retrieve cash from postbank ATMs whose balance should have been positive but weren't because of the mismatch (the opposite was probably also true). Note that there are at least two separate systems here that track account balance (I think there are even three) that get synchronized only once every 24 hours. This allows for a lot of overdrafting. Paul van Keep, Sumatra Software
101 Ways to Hack into Windows NT MELBOURNE, AUSTRALIA: A study by Shake Communications Pty Ltd has identified not 101, but 104, vulnerabilities in Microsoft Windows NT, which hackers can use to penetrate an organisation's network. Many of the holes are very serious, allowing intruders privileged access into an organisation's information system and giving them the ability to cause critical damage - such as copying, changing and deleting files, and crashing the network. Most of the holes apply to all versions (3.5, 3.51 and 4) of the popular operating system. Shake Communications, an information and internet security firm, has compiled the statistics as part of an ongoing study and compilation of vulnerabilities in popular hardware, operating systems, applications and programming languages. The vulnerabilities are ranked High, Medium or Low according to the damage (loss or resources, time and money) they can cause and are categorised into Denial of Service (D.O.S.) vulnerabilities, Server Message Block (S.M.B.) vulnerabilities, Malicious Program vulnerabilities and Miscellaneous vulnerabilities. The majority of weaknesses affect Versions 3.5, 3.51 and 4. Some apply only to one or two of the versions and others apply where an application, such as Microsoft Access, is running on Windows NT. Some examples of how hackers (from both the outside and the inside of an organisation) can exploit the various vulnerabilities are as follows: * An intruder can crash the Windows NT system by sending spoofed packets to multiple ports where the source and destination settings are the same; * Holes in the Server Message Block authentication can give a local user unauthorised network access under certain conditions (for example, an employee can break into the payroll system); * An unauthorised user can use the alerter and messenger services to send fake pop-up messages to legitimate users and thereby fool them into entering information such as their password; * Hackers can use their own programs to exploit holes, such as L0phtCrack, a password cracking program, and NtAddAtom, a program which crashes NT; * Even where a domain user creates a file and removes all its permissions (reading, writing, deleting), an unauthorised user can still delete such a file. Some of the holes have no recommended countermeasures and others rely on physical security measures (such as locking the Windows NT server in a room). Fortunately, there are software patches or fixes available to rectify many of the vulnerabilities. Microsoft freely provides these at its Web Site (http://www.microsoft.com). Unfortunately, many users are probably unaware that this service exists. Shake Communications also provides links to patches/fixes in its Vulnerabilities Database, which also covers other operating systems, programs, applications, languages and hardware. For more information contact Shake Communications at info@shake.net or +613 9555 8560. Shake Communications maintains a Vulnerabilities Database containing over 3,000 vulnerabilities and associated patches/fixes at http://www.shake.net. This is updated daily and available by subscription. Acknowledgments Costin Raiu Joba DoVoe Microsoft Corporation Paul Ashton The L0pht www.ntshop.com
A correction published in a magazine about flying (if I heard correctly)... The phrase reading: "state zip code" should have read: "pull rip cord". [source BBC Radio 4 - "The News Quiz"] Risks: left to your imagination :-) Andrew Gabriel, Consultant Software Engineer
Being copywriters with a love for reliable and simple technology, we still use WordPerfect 5.1. However, this program also seems to have its glitches, one of which can be quite embarrassing. Last week, a colleague stumbled on an error in his (Dutch) spell-checker. While scanning his text, the program didn't recognize the word 'Campbell'. It suggested 'kampbeul' as an alternative. Which in English stands for *camp bully *or *camp executioner*. Good thing he wasn't using the spell checker on autopilot. Such mistakes can very well cause a customer to end all relationships. Jeroen Bruintjes [You needed a Campbell Soup-er Checker. Dank U wel. PGN]
Stolen shamelessly from alt.humor.best-of-usenet, which was stolen shamelessly from rec.humor.oracle.d: > Subject: Re: The question was too hard... > From: "Roger Strong" <rstrong@yetmans.mb.ca> > Newsgroups: rec.humor.oracle.d > > One of my co-workers was on the phone, walking a customer through removing > the software for a Star multiport from an NCR Tower. The command was > "rm -r star". It took a full fifteen minutes for him to figure out why it > was taking so long..... Jim
The statement made by Carl Ellison <cme@cybercash.com>, 06 Mar 1998 (RISKS-19.62), "How come Dorothy Denning didn't find any significant use of crypto by criminals in her survey of law enforcement officers?", is inaccurate. The Denning-Baugh report, referenced below, did find significant use of encryption by criminals, 500 current cases worldwide, over 20 cases were presented in detail, and they estimate that the number is growing at annual rate of 50-100% (some cases from the report are listed below). In more than one of the cases, the encrypted information could not be deciphered by law enforcement. The report does make clear that encryption could pose problems for law enforcement in the future. "Our findings suggest that the total number of criminal cases involving encryption worldwide is at least 500, with an annual growth rate of 50 to 100 percent." And "Quite a few people are technically sophisticated." Instead, the study's main conclusion was that it was unable to find any current incident where the use of cryptography significantly hindered an investigation or prosecution. "Most of the investigators we talked to did not find that encryption was obstructing a large number of investigations. When encryption has been encountered, investigators have usually been able to get the keys from the subject, crack the codes, or use other evidence," states the report. The statements that criminals have not used Crypto AG or CyLink encrypting telephones are also incorrect. The Denning-Baugh report did not even address this topic. But, evidence was presented in the late 1980's that possible foreign Terrorist organizations and Drug Cartels were using Crypto AG Voice Ciphering products. According to an ex-employee's legal filings, and "tell-all" book, Crypto AG was requested to insert flaws and weaknesses into their equipment that could be falling into criminal hands. An interesting observation about the report is that when encryption is encountered by law enforcement, they are unprepared to deal with it and forced to use in-house computer forensic specialists (with little training in cryptography), consultants, academics, and/or private companies to attack the problem. While the U.S. Government spends at least $7 to $10 billion per year on "code breaking" at Military-Defense and Intelligence organizations, under current law ("posse comitatus" on up) it is illegal for these resources to be used for domestic law enforcement. We could change these laws, and increase funding to these agencies to handle their new mission? We could create similar agencies inside domestic law enforcement at equivalent cost? Therefore, the requests by law enforcement, to promote and have access to corporate and local Key Recovery systems, can be seen as a low-cost solution to the problem and an effort to save money for the U.S. taxpayer. The cases examined include: * "The Japanese death cult, Aum Shinrikyo, which used encryption to store records on its computers. Authorities were able to decrypt the files in 1995 after finding the decryption key on a floppy disk. And found evidence of plans to launch attacks in the U.S. and Japan." * The New York subway bomber, Edward Leary, who had created his own encryption system to scramble files on his computer. According to the report, after Manhattan police "failed to break the encryption, the files were sent to outside encryption experts. These experts also failed. Eventually, the encryption was broken by a federal agency. The files contained child pornography and personal information which was not particularly useful to the case." * "A police department in Maryland encountered an encrypted file in a drug case. Allegations were raised that the subject had been involved in document counterfeiting, and file names were consistent with formal documents. Efforts to decrypt the files failed, however, so the conviction was on the drug charges only." * "The head of a California gambling ring kept his records in a commercial accounting program encrypted with a code word. The maker of the program refused to help law enforcement break the code, but access to the files was gained by exploiting a weakness in the computer system. This yielded four years of bookmaking records which resulted in a guilty plea on criminal charges and payment of back taxes." * The espionage case against former CIA employee Aldrich Ames, who was directed by his Soviet handlers to encrypt computer file information that was passed to them, "and was eventually convicted of espionage against the U.S., was aided because the investigator handling the case was able to decrypt Ames's files using AccessData Corp. software (an automatic de-encryption program)." References : * National Strategy Information Center, Dorothy Denning and William Baugh, "Encryption and Evolving Technologies as Tools of Organized Crime and Terrorism," July, 1997. * The Washington Post - WashTech, Elizabeth Corcoran, "Around the Beltway, Encryption: Who will Hold the Key? Two Bills Reflect the Split over Restrictions", Aug-04-1997. * Mercury News, Simson Garfinkel, "Denning unable to confirm FBI Assertions; alters her position", 31-Jul-1997. Robert Perillo, CCP, CNE Richmond, VA perillo@dockmaster.ncsc.mil Staff Computer Scientist perillo@gibraltar.ncsc.mil [Usual disclaimers] [The Ames case strikes me as a bad example, and a classic case of trying to oversell the impediments of crypto, considering the long history of incriminating phone calls in the clear and the long trail of other evidence that would seem to have been ignored or perhaps suppressed in an effort to gather more evidence. PGN]
The RC5-64 Project can change the US law on encryption technology. However, it needs your help to achieve this goal. US laws currently limit the export of high-bit encryption messages/programs. The RC5-64 Project proves that these low-bit technologies offer insufficient protection. If you're interested, visit http://bovine.home.ml.org . The Bovine United Team
I assume (hope? wish!!??) this is a joke? > this new approach, dubbed "Fault-Oblivious Computing", to quickly become the > dominant software-engineering paradigm. [...] I have a few better ideas - but DARPA will not likely fund them: 1) Devise a language that fails safely (where safety has programmer adaptable defaults and values) so that failures "do the right thing". I think that Perl and Basic come pretty close to this. 2) Create a set of standard and approved subroutines that replace the default system calls and include proper error handling (as well as providing for easier portability). 3) Teach programmers that "don't care" return values are turned into real - and usually wrong - semantics at runtime. 4) Create a charge-back system where each system crash costs the company that provided the software $100. Based on historical statistics, mandate that a bond in the expected amount for the lifecycle of the system be posted as a condition of sale. 5) Use a real operating system and real programs built for resiliency instead of demos built for time to market in critical systems. 6) Require a quality control and support system for those who provide government systems for military use. Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:510-454-0171
The report in RISKS-19.64 about the likelihood that a five-figure Dow Jones Average will break many software programs designed to deal will four-digit averages brings to mind a current problem. Berkshire Hathaway is a significant stock on the New York Stock Exchange. For good and sufficient reasons, Warren Buffett, the chairman of the company, does not consider it wise to either split the stock or to pay dividends. As has been widely reported, Berkshire Hathaway has been very successful. The problem is that as the price of the stock is now far greater than any other stock on the NYSE. (As I write, it is well above $60,000 a share.) The computers that set the stock tables for the *Wall Street Journal* and *The New York Times* cannot cope with Berkshire. I discovered that the price of BRK.A is hand entered into the stock tables of both papers when I called both to report that their closing price for the previous day differed substantially. Apparently it was not the first time it had happened. Other newspapers avoid both the software and the column-formatting problems by omitting Berkshire (which happens to be a leading stock in terms of market capitalization.) On the Internet, I have been unable to find a single generally available portfolio program that can deal with Berkshire! Among those that cannot are My Yahoo!, Quote.com and C|Net's Snap.
I recently read a joke which went something like this: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - LETTER TO VICE PRESIDENT: Bob Smith, my assistant programmer, can always be found hard at work in his cubicle. Bob works independently, without wasting company time talking to colleagues. Bob never thinks twice about assisting fellow employees, and he always finishes given assignments on time. Often Bob takes extended measures to complete his work, sometimes skipping coffee breaks. Bob is a dedicated individual who has absolutely no vanity in spite of his high accomplishments and profound knowledge in his field. I firmly believe that Bob can be classed as a high-caliber employee, the type which cannot be dispensed with. Consequently, I duly recommend that Bob be promoted to executive management, and a proposal will be executed as soon as possible. - Project Leader - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - A SUBSEQUENT MEMO WAS SOON SENT FOLLOWING THE ABOVE LETTER: That idiot was reading over my shoulder while I wrote the report sent to you earlier today. Kindly read ONLY the odd numbered lines (1, 3, 5, etc...) for my true assessment of him. Regards. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - How's that for separating the wheat from the chaff? Stacy Friedman, Senior Performance Engineer, Oracle Forms sfriedma@us.oracle.com (650) 506-8008
>The April 9 _New York Review of Books_ has published a long special >supplement, "The Fall of TWA 800: The Possibility of Electromagnetic >Interference," by Elaine Scarry, a noted author and Harvard professor: I note from the paper itself that Elaine Scarry is professor of "Aesthetics and General Theory of Value". I don't know whether her noted authorship includes any titles of relevance to air investigation or EMI. The paper itself makes a number of elementary errors of fact and relies heavily on innuendo for effect. It is far from a rational, scientific review of the evidence. The author claims that parts have been subjected to scientific review. It seems unlikely. > > http://jya.com/twa800-emi.htm (128K with 3 images) > >The article closely examines the possibility of electromagnetic interference >in TWA 800's controls, comm, and black boxes by activities of the ten US >military planes and ships in the vicinity which were heavily equipped for >electronic warfare and were conducting tests of the gear. The paper presents no evidence (and doesn't even claim) that the military units were either "heavily equipped for electronic warfare" or "conducting tests". Piers
BKETHICS.RVW 980131 "Computers, Ethics and Society", M. David Ermann/Mary B. Williams/Michele S. Shauf, Oxford, 1997. %A M. David Ermann %A Mary B. Williams %A Michele S. Shauf %C 70 Wynford Drive, Don Mills, Ontario M3C 1J9 %D 1997 %G 0-19-510756-X %I Oxford University Press %O C$29.95 800-451-7556 fax: 919-677-1303 cjp@oup-usa.org %P 340 p. %T "Computers, Ethics and Society, Second Edition" Ethics. Don't talk to me about ethics. Computer industry the size of a planet, security specialists sleeping under every bush, a zillion philosophy students and what do we do? We write a textbook. It's so depressing. It has been seven years since the first edition of this book was published, and five years since I reviewed that first edition. I was rather looking forward to it at the time, it being the only title I had found to address this all important issue. I was a bit chagrined to find that it was, a) a series of articles, rather than a book; and, b) a textbook. Well, courses on computer ethics are important, and in the interim there have been both other textbooks and serious examinations of the topic for the working professional. I've gotten over my disappointment that the book was a textbook, but still find it to be flawed *as* a textbook. As with other, similar, works, some of the disappointment arises from the fact that, so far, this is close to the best we can do. The apparent organization of the material is good. The first section of papers deals with general ethical theory. Unfortunately, the background is somewhat limited, dealing only with utilitarianism, generally simplified to "the greatest good for the greatest number", and some minor variations. (Kant's "Categorical Imperative" is covered, but it can easily be seen as a special case of utilitarianism where "badness" is exponential.) The first paper, "Ethical Issues in Computing," stands as an overview of topics to be covered in the book. As such, the piece can't be faulted for a lack of depth. However, what analysis there is in the essay betrays a reliance on facile reasoning and presumptions based on strictly anecdotal evidence, or no evidence at all. In this regard, it foreshadows too much of the material in the book overall. The second and third papers, "Information Technologies Could Threaten Privacy, Freedom, and Democracy," and "Technology is a Tool of the Powerful," demonstrates another shortcoming of the book: an emphasis on theoretical societal, rather than practical personal, responsibilities and issues. As the material begins to examine generic ethical principles in light of specific problems, the treatment becomes uneven, although by and large it offers little except further problems in defining moral action. (I was sad to see that a first rate treatise on privacy as it relates to monitoring of criminal offenders; lucid, readable and almost poetic while casting an insightful new light on the subject; has been removed.) In light of my comments about a social bias to the book, it may seem strange that part two is entitled "Computers and Personal Life." However, personal action and responsibility is in the minority. Four papers deal with privacy, commerce, and employment, again pitting the individual against the mass, if not the state. The excerpt from Gates' "The Road Ahead" (an unremarkedly ironic inclusion given the current debate and legal battles over "ownership" of the desktop) is nothing more than a bit of blue sky pronouncing. The articles by Postman, Gergen, and Broadhurst are better informed, but no closer to ethics. Eugene Spafford seems to be the only contender in the personal activity arena. "Computers and the Just Society" is definitely back with the person against the principality, paying particular attention to employment (in the aggregate) and privacy (as being eroded by legislation against encryption). There is a nod to cyberspace and the law on the way through, but it isn't much improvement over the first edition. (Aristotle and Augustine didn't even make the cut this time out.) Part four, on "Computing Professionals and Their Ethical Responsibilities" shows titular promise, but is back on the individual against society once more. Indeed, there is little that is specific to the computing professional. A paper on "whistle-blowing' is clear as to the issues, but finally ambiguous as to any answers. Steven Levy's piece on Lotus Marketplace is a bit depressing when you realize the final outcome: Lotus never did release marketplace, but a number of recent "products" are much greater invasions of privacy. Given the almost absolute emphasis on society, I was rather surprised to see only one paper, and that tangentially, related to the rise of the Internet. The net has become a major force in society, both in spreading hate literature and other disinformation, and in promoting democracy and discourse. The second edition does not appear to have taken the opportunity to come up to date in this regard. Much of the material collated here is interesting, and worthwhile background for a course in computer ethics, but it doesn't go anywhere. The quality is very uneven and, ultimately, much of the writing is disappointing. The section and subsection headings often bear only the most tenuous connection to the contents, although related articles to tend to have some commonality. As course reading material, this book could be very useful in the hands of a good instructor. As a resource for those working in the lines ... well, I suppose we keep looking and hoping. copyright Robert M. Slade, 1993, 1998 BKETHICS.RVW 980131
Please report problems with the web pages to the maintainer