The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 73

Sunday 10 May 1998

Contents

o Defeat New Copyright Legislation
Simson L. Garfinkel
o Woman tackles 'deadbeat-dad' glitches
PGN
o Once again, I'm risking my life flying
Bob Frankston
o Microsoft Year 2000 Compliance
Simon Waters
o Microsoft using Y2k to force sales?
Bob Dubery
o Dutch ISPs forced by law to provide built-in wiretapping possibilities
Sander Tekelenburg
o CompuServe Germany indicted for forwarding porn
Klaus Brunnstein
o C-Guard system jams cellular communications
CrACKeD
o More on limited-number risks: GPS, D10K
R. Geoffrey Newbury
o Computer glitch turns traffic ticket into sex conviction
PGN
o 102-yr old gets a birthday card for 2-yr olds
Mark Corcoran
o France 98 Cup Tickets
Mike Ellims
o Fidelity Investments PIN procedure hollow
Mark Seecof
o REVIEW: "Privacy on the Line", Whitfield Diffie/Susan Landau
Rob Slade
o Info on RISKS (comp.risks)

Defeat New Copyright Legislation

"Simson L. Garfinkel" <simsong@vineyard.net>
Thu, 7 May 1998 23:27:53 -0400
[This is Simson's article in *The Boston Globe*, 7 May 1998.  PGN]

Two bills that are up for a vote in the House of Representatives could
seriously jeopardize the right of Americans to read in the next century. The
backers of these bills say that the legislation is necessary to protect the
interests of creative individuals and publishers in the digital age.  But
the legislation goes further by allowing publishers to repeal the "fair use"
provisions of today's copyright law and creating a whole new category of
intellectual property.

The first bill, strongly backed by the Clinton Administration, is the "WIPO
Copyright Treaties Implementation Act," (H. R. 2281). This bill is designed
to implement sections of the World Intellectual Property Organization treaty
that was adopted back in December 1996. The bill creates a new kind of crime
in US law, the crime of "circumvention." It's a kind of crime that one would
expect in George Orwell's 1984, rather than in the America of the next
century.

H.R. 2281 is being supported by big publishing interests including Time
Warner, Viacom, the Motion Picture Association of America, and Microsoft.
These organizations are terrified by the way computers and digital networks
make it easy to copy books, songs, videos and computer programs. For years
these groups have tried to stop illegal copying with copy-protection
systems. H.R. 2281 would make it a crime to subvert these systems for any
purpose whatsoever.

The problem with this legislation, says Adam Eisgrau, Legislative Counsel of
the American Library Association's Washington Office, is that many
publishers are likely to use copy-protection systems to restrict activities
that are otherwise lawful.

For example, many web sites on the Internet today ask you to register with
your name and e-mail address before you can view the information that they
contain. A substantial number of people bristle at this notion, and they
have figured out ways to circumvent the registration process. Under the
legislation, these people could be sued and awarded $200 to $2,500 in
statutory damages for each web page that they viewed.

And it's not just consumer groups that are upset about the legislation. As it
currently exists, the legislation would make it a felony for engineers to
open up competing products and see how they work--- "something that is
essential for achieving interoperability in the industry," says Lowell
Sachs, the government affairs representative of Sun Microsystems. "So far,
the House has failed to focus upon the very real threat that its actions
could pose to competition and innovation in the United States."

The criminal provisions of H.R. 2281 apply even if the offender is legally
entitled to the information that is under copyright management control. For
example, the Supreme Court has ruled that individuals have a right to record
movies off the air and view them at a later time. Nevertheless, the film
industry doesn't want us to make our own tapes---they want us to buy
pre-recorded tapes. In the future, the film industry might create a new
copyright protection system that prevents home taping off the Internet
unless a person pays an additional fee. Under the proposed legislation, a
person who circumvented this new copy-protection system and made their own
legal home copy would nevertheless be guilty of circumvention, and
potentially subject to a fine of $500,000 and 5 years imprisonment for the
first offense.

The authors of the bill "are very clever," says Adam Eisgrau. "They don't
repeal the legal basis of fair use," which would create a huge political
outcry. Instead, the legislation "creates a new law which makes fair use
impossible to exercise, unless the appropriate price is paid." And that's
not Fair Use at all.

The second bill that should give lawmakers pause is H.R. 2652, the
"Collections of Information Antipiracy Act." This law, if passed, would give
legal protection to the contents of databases over and above what is
provided by today's copyright law.

The database law finds its genesis in a 1991 Supreme Court decision, Feist
Publications, Inc. v. Rural Telephone Service Co., in which the Court ruled
that the factual information in a telephone white pages---a large database
of names, addresses and phone numbers---cannot be copyrighted. This decision
is one of the key factors responsible for the proliferation of "white pages"
services on the Internet like Switchboard.COM.

H.R. 2652 would basically overturn the Feist decision, making it a crime to
extract data from a "collection of information" and use it in a way that
harms the real or potential economic interest of the collection's owner. One
of the fundamental problems with this bill, says the EFF, is that there's no
limit to the kind of information that can receive protection once it is put
into a databank. In particular, government information and information
that's already in the public domain could be dropped into a
computerized databank and then receive new, copyright-like protections. And
the Act doesn't have any exemptions for "fair use."

So how could all of this impact on our right to read? Just ask Richard
Stallman, founder of the Free Software Foundation. In his story "The Right
To Read," Stallman argues convincingly that new restrictions on information
will ultimately force people to pay for every book and article that they
read, whether they are at home, at work, or at school.

Stallman's story is a science fiction parable in which one college student
risks imprisonment by lending his computer to his girlfriend and telling her
his password---in effect, giving her access to books that he has licensed
for himself. "Dan knew she came from a middle-class family and could hardly
afford the tuition, let alone her reading fees. Reading his books might be
the only way she could graduate," Stallman writes. You can find the entire
story at http://www.gnu.org/philosophy/right-to-read.html

Indeed, if you want to find out more about these issues, there's no better
place to turn than the Web. A group opposed to the legislation called the
Digital Future Coalition has put together a website at http://www.dfc.org/
explaining the problems. Meanwhile, a group of publishers have banded
together and created their own competing group, the Creative Incentive
Coalition. You can find its website at http://www.cic.org/. Finally, you can
download the full text of these bills from the Library of Congress's Thomas
system at http://thomas.loc.gov/.

But hurry, while you still have a right to read.


Woman tackles 'deadbeat-dad' glitches

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 4 May 1998 13:34:23 -0500
Danny Woodall was pursued by West Virginia for seven years because the state
had falsely tagged him as a deadbeat dad, according to OSCAR, their $20M
Online Support Collections and Receipts system.  Finally, his wife Lisa
implemented software that debunked OSCAR.  She proved that the state
actually owed her husband money.  She has now started a company called
Support Scrutiny to help out in other similar cases.  In June 1997, a
legislative audit found that almost one-third of the West Virginia Child
Support Enforcement Division's files contained incorrect data.  Those errors
led the agency to wrongly collect about $1.7 million from 3,788 parents
during the 1995-96 fiscal year, the auditors say.  [Source: *USA Today*, 2
May 1998, PGN Abstracting]


Once again, I'm risking my life flying

<Bob_Frankston@frankston.com>
Thu, 7 May 1998 21:27 -0400
Caveat: I'm not an expert on avionics. My interest is in creating resilient
distributed systems....

I just walked off a DC-10 that had mechanical problems and was delayed. The 757
I'm on is racing it to Interop at the moment.

DC-10 was already an hour late getting from the hangar to the gate due to
either traffic problems (within O'Hare) or a cargo door problem.

But the new problem is (was) a bad compass. The third compass on the plane
had to be replaced due to FAA rules. After all, we can't take any risks, can
we? I asked the crew whether they could travel without it and rely on a GPS.
Of course, a DC-10 has no GPS! Not surprising given the age of the
plane. But what is of concern is that they couldn't just go out to the
store, buy a GPS, and place it in the cockpit. As a passenger, when I bring
my GPS and PC, I've got technology far, far ahead of the technology on the
plane. Technology to which two hundred (whatever a full DC-10 holds) trust
their lives! On the other hand, if both of the other two compasses did fail,
there are still lots of ground systems that can find the plane and bring it
to a nearby beacon (it is cloudy, so they can't just get out their road
maps).

I was already thinking about these issues after talking to the crew (while
waiting for the plane to appear out of the mists at the gate) about the 727
which has even more primitive avionics. The reason that the systems can't be
upgraded is that the whole plane would have to be recertified as a new
aircraft.

There is something very wrong here. The engineering practices that are
supposed to assure our safety seem to work to assure our lack of safety.

I can understand the historic necessity of treating the airplane as a single
tightly interconnected system. There wasn't the luxury of giving the
electronic systems enough capability to act autonomously. I presume, though,
that the mechanical systems try to be independent-enough to reduce the
propagation of failures.

But, if we think about the simple example of just placing a GPS in the
cockpit and allowing the airplane's computer to use the data we have a very
different model. Of course, the navigation system should fully trust the GPS
and must do some reasonable checks as well as cross-check with other
sources. If the GPS fails, then it would compensate.

Yes, there can be strange systemic interactions. But, instead, we have a
situation that assures lousy navigation rather than permitting improvements
when available.

Understanding how to build such resilient distributed systems is still in
the challenge category. But the Web is a very good example. I see the
technology growing more due to hacking than design. Effective hackers work
against the constraints of others and are thus forced into being tolerant of
others' mistakes. Most will get it wrong, but I'd rather a pilot just put a
GPS in the cockpit even if not interconnected, than having to get out the
sextant for each flight.


Microsoft Year 2000 Compliance

Simon Waters <Simon@wretched.demon.co.uk>
Sat, 9 May 1998 10:30:24 +0100
The big risk here is what the site does not tell you.

http://www.microsoft.com/year2000

When the resource centre was announced Windows NT 3.51 was listed as not
having completed testing!

"Compliant with issues" was identified by PGN as involving some trivial
issues, but it also may mean that the application (or OS) may not accept
29/02/2000 as a valid date for data input.

On a lighter note, Excel is quite happy to believe there is a 29/02/2000,
because it believes there is a 29/02/1900, allegedly to be compatible with
LOTUS 1-2-3.

  Back to misc.survivalism for TEOTWAWKI...


Microsoft using Y2k to force sales? (Re: Stalzer, RISKS-19.69)

Bob Dubery <elvis@theking.org>
Thu, 07 May 1998 19:10:56 GMT
> Perhaps Microsoft's real objective is to force everyone to upgrade next
> year -- thereby turning the Y2K problem into a profit opportunity.

There's going to be a lot of that going on. Here in South Africa we have a
couple of locally developed off-the-shelf accounting packages that have
achieved good market penetration. Usually you have the option of buying the
package with a support contract, or buying just the package. If you go the
second route it can be a case of flying solo, but usually the user contracts
with a 3rd party for support.

Now the developers of one of these packages have admitted (almost
advertised) that their product has a Y2k bug. They will provide an upgrade
that corrects the problem, but only to people who have a support contract
with the development house (not a 3rd party support agent) and who can
produce installation disks and an invoice to prove purchase of the product
from an approved vendor.

This is not just about forcing the owner of the software to buy a support
contract - it's also about cocking a snook at people who have illegal
software.

The question is this: Is this a responsible attitude or not? Say Microsoft
adopt a similar policy... Yes, they may make a point to people using pirated
software, but imagine the number of businesses that might fold, and the
domino effect of that.

The e-mail address in the headers is bogus :-)
to mail me unknot megapode@KNOTglobal.co.za


Dutch ISPs forced by law to provide built-in wiretapping possibilities

Sander Tekelenburg <tekelenb@euronet.nl>
Wed, 6 May 1998 07:06:13 +0200
I was just informed by my ISP that the Dutch parliament just passed a law
that forces ISPs to 'make it easy' for police to tap consumers on-line.
Apparently The Netherlands have chosen the more than dubious honour of
being the first to pass such legislation.

See
<URL:http://www.euronet.nl/ned/euronetizen/archief/0598/artikelen/art02-02.html>
(Dutch), and <URL: http://www.news.com/News/Item/0,4,21084,00.html> (English).

Tomorrow's election day. Guess who I won't be voting for.

Sander Tekelenburg, <mailto:tekelenb@euronet.nl>
Web site at <http://www.euronet.nl/%7Etekelenb/>


CompuServe Germany indicted for forwarding porn

Klaus Brunnstein <brunnstein@informatik.uni-hamburg.de>
Sat, 9 May 1998 11:48:38 +0200
German media report that, after a year-long analysis by a Bavarian state
attorney, a former manager of CompuServe Germany has been formally indicted
before a Bavarian court for having made pornographic information available
to German subscribers. Possession and distribution of pornographic
information is strictly forbidden by German criminal code. According to
these reports, the CompuServe manager argues for his defence that the German
subsidiary of CompuServe has no control whatsoever over content transmitted
from USA.

The background of the related case has been controversially discussed here
and overseas (some members of the FFI anti-censoring movement have even
censored messages of the author of this report concerning backgrounds of
this case :-). Evidently, the Bavarian state attorney regards this case as
pilot trial to test applicability of the "traditional" anti-pornographic
regulations to Internet. Very likely, the case will need technical expertise
to answer technical questions such as: was the content anywhere on German
territory (where German legislation applies undoubtedly) stored so that
CompuServe had a chance to analyse the stuff to exercise its legal
responsibility for protecting customers from criminal material. Very likely,
there will again be a discussion whether such stuff (rated criminal in
German law) should be freely accessible e.g. "for adult usage" - which
implies changing criminal law.

Klaus Brunnstein (University of Hamburg, May 9,1998)


C-Guard system jams cellular communications

CrACKeD <cracked@primenet.com>
Mon, 4 May 1998 22:03:12 -0700 (MST)
This seems to me like a classic case of two wrongs (not) equaling a right.
Preventing someone from using their cellular telephone, possibly even
without their knowledge, will likely end up causing more problems than it
solves.  If the only reason for suppressing/jamming cell phone traffic is to
eliminate unwanted ringing noise, while possibly preventing emergency
communications from going through, this "C-Guard" system looks like a
not-so-great idea.  Using "C-Guard" in a hospital environment where cellular
telephones may interfere with medical equipment almost makes it seem
beneficial, but considering how critical cellular communications can be in
that type of environment, perhaps not.  If this or any system like this is
implemented into a public area it will bring with it enormous risks, mostly
because it will be virtually impossible to warn everyone who carries a
cellular telephone that important/emergency communications will not be
possible.

  [The TechWeb article, Israeli Firm Combats Nuisance Cell Phone Traffic,
  by Neal Sandler, TechWeb, 22 Apr 1998, is at
  http://www.techweb.com/wire/story/TWB19980422S0006 .  PGN]


More on limited-number risks: GPS, D10K

"R. Geoffrey Newbury" <newbury@io.org>
Fri, 08 May 98 16:22:26 -0500
Further to a comment I previously made about the GPS system, it appears that
the problem is limited to some older GPS receivers. The problem is in the
receiver's software in that it might not know how to handle a rollover on
the 'week' counter from 1023 to 0 on August 21, 1999.

The actual GPS satellites have no problem according to the Coast Guard
web-site. All recent (4-5 years?) GPS receivers are ok.

That leaves, of course, the older (more expensive) units in aircraft.....The
FAA is concerned....

Further information at http://vancouver-webpages.com/peter/

Also I thought you would be interested in the following article from the
Financial Post, bylined from the Financial Times:
  Surging Dow poses five-digit danger
  5 May 1998 The Financial Post

  [Re: D10K for the Dow Jones Industrial Average hitting 10,000:
    * Triggering automatic buy/sell programs...
    * Effort to fix dominated by Y2K...
    * Etc.
  PGN Extremely Stark Abstracting.]

R. Geoffrey Newbury, Barrister and Solicitor, Toronto, Ontario, Canada
416-362-4048   newbury@io.org
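
The 10-bit week-counter rollover described in the message above, as an added example that is not part of the original posting or of any receiver's firmware: it shows how a receiver that takes the broadcast week at face value mis-dates the first week after the rollover, and how a pivot week (for instance the firmware build week) resolves the ambiguity for the following 1024 weeks. The function names and the pivot date are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)  # start of GPS week 0
WEEK_MODULUS = 1024            # the broadcast week number is a 10-bit field
SECONDS_PER_WEEK = 7 * 86400


def gps_to_datetime(full_week, seconds_of_week):
    """Convert an unwrapped week count and time-of-week to a date.

    Leap seconds are ignored; they shift the result by seconds, not weeks.
    """
    if not 0 <= seconds_of_week < SECONDS_PER_WEEK:
        raise ValueError("seconds_of_week out of range")
    return GPS_EPOCH + timedelta(weeks=full_week, seconds=seconds_of_week)


def naive_decode(broadcast_week, seconds_of_week):
    """Older-receiver behaviour: treat the 10-bit value as the full week."""
    return gps_to_datetime(broadcast_week % WEEK_MODULUS, seconds_of_week)


def resolve_week(broadcast_week, pivot_week):
    """Return the smallest full week >= pivot_week congruent to broadcast_week.

    pivot_week is an unwrapped week number known to lie in the past. The
    answer is correct only for the 1024 weeks (about 19.6 years) that follow
    the pivot; after that the same ambiguity returns.
    """
    if not 0 <= broadcast_week < WEEK_MODULUS:
        raise ValueError("broadcast week must fit in 10 bits")
    if pivot_week < 0:
        raise ValueError("pivot week must be non-negative")
    return pivot_week + (broadcast_week - pivot_week) % WEEK_MODULUS


def pivot_decode(broadcast_week, seconds_of_week, pivot_week):
    """Decode using the pivot to choose the right 1024-week era."""
    full_week = resolve_week(broadcast_week, pivot_week)
    return gps_to_datetime(full_week, seconds_of_week)


def week_of(moment):
    """Unwrapped GPS week number containing the given UTC datetime."""
    return (moment - GPS_EPOCH).days // 7


if __name__ == "__main__":
    # Constructed pivot: the date of this digest issue stands in for a build date.
    pivot = week_of(datetime(1998, 5, 10, tzinfo=timezone.utc))
    for wk in (1023, 0, 1):
        print(wk, naive_decode(wk, 0).date(), pivot_decode(wk, 0, pivot).date())
```
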


Computer glitch turns traffic ticket into sex conviction

<Neumann@csl.sri.com>
Mon, 04 May 98 08:16:35 EST
BOZEMAN, Mont. (April 29, 1998 1:55 p.m.  EDT) -- Cody Johnston is suing a
weekly newspaper and the court system for libel after a computer glitch
transformed a report of a traffic ticket into a conviction for deviate
sexual conduct.  Johnston had been fined $195 for a commercial trucking
weight violation. But the list given to the newspaper contained the sex
charge, which covers homosexual acts and bestiality.  [Source: *Nando Times
of Japan (www.nando.net), courtesy of Keith Rhodes.  PGN Abstracting]


102-yr old gets a birthday card for 2-yr olds

<Mark.Corcoran@softel.co.uk>
Fri, 08 May 1998 15:50:16 +0000
The Mail on Sunday (03-MAY-1998) reports that Health officials in Dumfries,
Scotland, have apologised for a computer error that sent a local citizen a
birthday card designed for 2yr olds, with the message "Brush your teeth
every day".

The citizen is 102, and doesn't have any real teeth left.

Same old story, just a different day...  It'd be mighty interesting however
to see what happens to computerised records for people who are going to be
100 in the year 2000 though...

Mark Corcoran, VMS Systems Manager, Teletext Dept.,Softel Ltd.
 +44 (0)118 984 2151  PSImail: 234273400398::MARK


France 98 Cup Tickets

Mike Ellims <mike.ellims@pigroup.co.uk>
Sun, 3 May 1998 18:47:50 +0100
The phone system in Britain coped well with the expected demand, or rather
was set up not to cope by British Telecom.  Expecting a surge of calls for
tickets, BT set the system up to reject most calls to the ticket number once
a threshold had been passed.  Deliberate degradation of the system to one
specific number.  The main problems seems to be angry people and broken
dreams.  One man got though after 4 hours, ordered the tickets he wanted
only to find that his credit card (Delta) isn't accepted in France...

Mike Ellims - Pi Technology - mike@pires.co.uk
www.pi-group.com -  +44 (0)1223 441 256

  [Also commented on by Lindsay Marshall.  Also, report
  of similar problems in The Netherlands from Malcolm Gillies.  PGN]


Fidelity Investments PIN procedure hollow

<marks@writ.com>
Thu, 07 May 1998 22:14:50 -0700
When I tried to access the secure area of Fidelity Investments' Web site to
mess with my IRA account, I was deflected onto a page saying my account was
blocked, and I should telephone customer service.  Happily, Fidelity answers
the 'phone at 9:30 PM and their representative told me many things.  First,
they "block" accounts when 3 login errors have accumulated--which happens
easily over time.  The rep guessed correctly that I didn't access my account
very often since it had not been blocked in more than a year.  Second, after
a short quiz (more on this below) they will "unblock" the account
immediately, but this action *clears the PIN* forcing one to choose a new
PIN.  One may choose a new PIN immediately.  One may use the new PIN right
away.

The quiz seems formidable, but really affords no security.  One
must provide one's name, SSN, birthdate, and Fidelity account
number.  The first three are public information (particularly
in those states using SSN as drivers-license number), and the
last is printed on every statement Fidelity sends one.  Fidelity
offers neither password security nor call-back confirmation.
I asked the rep to "unblock" my account but leave my previously-
chosen PIN in place (that being the only secret Fidelity and
I shared!).  Not possible, I was told.  I discussed my concerns
with the rep (she wasn't too busy, and offered to forward my
comments to some responsible person inside Fidelity).  She told
me that she had asked me for "four authenticators."  When I
pointed out their worthlessness, she told me that my real
protection lay in their policy of (a) sending me a notice by
(paper) mail that my PIN had been changed, and (b) guaranteeing
the status-quo-ante of my account up to US$ 1.0e6 if I could
convince them someone else had accessed it fraudulently.

I give Fidelity high marks for customer service availability.
I give them low marks for security.  Their "blocking" criterion
guarantees frequent PIN changes, probably desensitizing
customers to PIN-change notices.  Their security quiz is a
joke.  They will not establish password or call-back security
for customers even by special request, which means that they
do not share any secrets with customers that they could use to
authenticate phone calls.  Worse, their "blocking" scheme puts
crackers in control--they can get the account "blocked" without
knowing the PIN, get it "unblocked" without knowing the PIN,
and set a new PIN without knowing any secrets, not even the
old PIN.  Then they can mess with an account, leaving the true
owner the little chore of proving fraud to Fidelity before he
will be made whole.

It would be very easy for Fidelity to fix up their system;
I hope they do.  At a minimum, they should permit customers to
establish secret passwords to authenticate PIN-change requests.

Mark Seecof
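
A model of the unblock procedure described in the message above, beside the minimum fix its author proposes (a customer-established secret that authenticates PIN-change requests). This is an added example, not Fidelity's code; the record fields, function names and sample values are constructed for illustration, and the non-resetting error counter is an assumption drawn from "accumulated ... over time".

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_LOGIN_ERRORS = 3  # the message: accounts are blocked after 3 login errors


def _hash(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    name: str                 # the four quiz "authenticators"
    ssn: str
    birthdate: str
    account_number: str
    salt: bytes
    pin_hash: bytes
    reset_hash: bytes = b""   # hypothetical customer-chosen reset password
    login_errors: int = 0
    blocked: bool = False


def login(acct, pin):
    if acct.blocked:
        return False
    if hmac.compare_digest(_hash(pin, acct.salt), acct.pin_hash):
        return True
    acct.login_errors += 1    # assumption: errors accumulate, never decay
    if acct.login_errors >= MAX_LOGIN_ERRORS:
        acct.blocked = True
    return False


def quiz_ok(acct, name, ssn, birthdate, account_number):
    """The telephone quiz: four values, none of them a shared secret."""
    supplied = (name, ssn, birthdate, account_number)
    expected = (acct.name, acct.ssn, acct.birthdate, acct.account_number)
    return all(hmac.compare_digest(s.encode(), e.encode())
               for s, e in zip(supplied, expected))


def _set_pin(acct, new_pin):
    acct.pin_hash = _hash(new_pin, acct.salt)
    acct.login_errors = 0
    acct.blocked = False


def unblock_as_described(acct, quiz, new_pin):
    """As described: passing the quiz clears the old PIN and sets a new one."""
    if not quiz_ok(acct, *quiz):
        return False
    _set_pin(acct, new_pin)
    return True


def unblock_with_reset_secret(acct, quiz, reset_password, new_pin):
    """Proposed minimum: a PIN change also needs a secret enrolled in advance."""
    if not acct.reset_hash:
        return False          # nothing enrolled: needs an out-of-band process
    secret_ok = hmac.compare_digest(_hash(reset_password, acct.salt),
                                    acct.reset_hash)
    if not (quiz_ok(acct, *quiz) and secret_ok):
        return False
    _set_pin(acct, new_pin)
    return True


def make_account(pin, reset_password):
    """Build a constructed sample account (all values are placeholders)."""
    salt = os.urandom(16)
    return Account("Pat Example", "000-00-0000", "1960-01-01", "X00000000",
                   salt, _hash(pin, salt), _hash(reset_password, salt))
```
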


REVIEW: "Privacy on the Line", Whitfield Diffie/Susan Landau

Rob Slade <rslade@sprint.ca>
Tue, 5 May 1998 08:35:39 -0800
BKPRIVLN.RVW   980301

"Privacy on the Line", Whitfield Diffie/Susan Landau, 1998,
0-262-04167-7, U$25.00
%A   Whitfield Diffie
%A   Susan Landau
%C   55 Hayward Street, Cambridge, MA   02142-1399
%D   1998
%G   0-262-04167-7
%I   MIT Press
%O   U$25.00 +1-800-356-0343 fax: +1-617-625-6660 manak@mit.edu
%P   342 p.
%T   "Privacy on the Line: The Politics of Wiretapping and Encryption"

This seems to be the year for privacy.  Hard on the heels of
"Technology and Privacy" (cf. BKTCHPRV.RVW), "The Electronic Privacy
Papers" (cf. BKELPRPA.RVW), and the related "Borders in Cyberspace"
(cf. BKBRDCYB.RVW) comes this volume.

Given the emotional content with which the encryption debate has been
loaded in recent years, it is important that the introduction, in
chapter one, is a neutral and even-handed look at the background of
the discussion, presenting the issues on both sides, although little
of the case for either.  Specific references may be from the United
States, but the arguments made are generic enough to be considered by
all audiences.  Chapter two gives an overview of cryptography, which
is, of course, excellent.  Not only does it explain the importance of
keys and cryptographic strength, but it also gives insightful analysis
into business and social factors in the development of the field.
Cryptography and public policy, in chapter three, is restricted to
developments within (and related to) the US, but looks at all types of
issues, both technical and not.  Chapter four discusses national
security with a quick but clear and thorough overview of the various
aspects of intelligence gathering, particularly communications
intelligence.  There is also brief mention of information warfare.
Much of the heat in the current debate about encryption restrictions
involves law enforcement.  (References are frequently made to drug and
child pornography rings.)  Therefore, the brevity of chapter five is
disappointing.  The content, however, is not.  It builds a solid
framework for the topic, and notes an instructive difference in
effectiveness between wiretaps and other electronic bugs.  Chapter six
is again specific to US history, reviewing activities both in support,
and destructive, of privacy.

Chapter seven deals specifically with wiretapping technology,
activities, and legality in the US.  Much of the material in the
chapter has been at least touched on previously, and there is
noticeable duplication.  There is less duplication in chapter eight's
discussion of the current communications scene, although little new
material.  The same is not the case with current cryptography in
chapter nine, providing brief backgrounds of the myriad efforts being
made to disseminate and suppress encryption capabilities.  The
conclusion, in chapter ten, seems to come down on the side of opening
encryption development and distribution.

An extensive, possibly exhaustive, bibliography is a major resource in
the book.

The thorough research, even tone, and informed analysis make this work
an excellent foundation for discussion.  It does not, however, provide
much in the way of direction.  That the authors should tend to support
the dropping of restrictions on cryptography is not surprising, but
such support is neither strong nor impassioned.

copyright Robert M. Slade, 1998   BKPRIVLN.RVW   980301
