There are plenty of opportunities for sin on the Internet, but precious few sources of absolution. So today, Britain's only Christian radio station launches an online "confession box" for sinful surfers who feel the need to repent. The website, www.theconfessor.co.uk allows users to file their wrongdoings - in return for a comforting Bible text. The automated response will not reflect the gravity of the offence: coveting thy neighbour's wife and throttling thy neighbour's tearaway teenage son elicit similarly sympathetic passages. They see a series of contemplative texts and then a page offering the chance to type out a confession. They are reassured with the message: "All you type remains on your computer and will not be transmitted in any way to anyone else. This is between you and God and your privacy is respected." [Source: *The Guardian* online, 21 Jan 2000]
*The Washington Post*, 6 Jan 2000, reported that the National Archives lost an estimated 43,000 e-mail messages (the number is a guess based on the number of users). The backup system also failed: the contractor was not doing as instructed (according to the Archives). The audit log, which might have shed light, had been turned off because it reduced performance. The Assistant Archivist says that they've improved the backup system now, but "the safest way to save important messages is to print them out". Hurrah for the paperless office! RISKS: What good are backups & audits if they're not used correctly? Full article at http://www.washingtonpost.com/wp-srv/WPlate/2000-01/06/124l-010600-idx.html
According to Noticias Intercom (in Spanish) http://www.noticias.com/noticias/2000/0001/n0001202.htm quoting *Providence Journal*, the Rhode Island police have stopped arresting people, because they found that their new system Justice Link asked them to arrest eight innocent people. Justice Link is made by Oracle and Systems & Computer Technology Corp. Developers found 350 bugs to trigger detention.
[...] The risk is that the innocent victim argues with the police and ends up dead ... or worse, is beaten, thrown before a judge and falsely convicted. Makes the prospect of encountering criminals a safer bet than a drive through Rhode Island. The part of this that really gets my ire: "We knew we had bad data in the old warrant system," Harrall said. He added that neither Oracle nor SCT are at fault, instead attributing a large part of the problem to a rush to get the system up and running to meet a Y2K deadline. "I will not hang those on the vendor," Harrall said. Thanks for hanging it on the innocent public, instead.
A 16-year-old hacker, one of a group calling themselves Global Hell, infiltrated Pacific Bell's Internet service and lifted codes to the accounts of 200,000 subscribers. When Eldorado, Calif., detectives checked his bedroom last week, they found that he'd decrypted 63,000 of those accounts, causing PacBell to advise those subscribers to change their passwords. Authorities found the boy after he broke into the computers of an Eldorado Hills Internet service provider and began bragging about his exploits in a chat room. According to a sheriff's detective, the same teenager hacked into 26 other sites, including a master computing system at Harvard, before he was arrested Dec. 14. Authorities expect to charge him with unlawful computer access and grand theft next month. [Source: *Los Angeles Times*, 12 Jan 2000, http://www.latimes.com/business/20000112/t000003535.html; NewsScan Daily, 12 Jan 2000]
Thousands of newborn babies have been listed officially as 100 years old. Computers at English register offices are refusing to recognise the year as 2000 and are printing 1900 on birth certificates. [...] [Source: The (London) *Times*, 17 Jan 2000; The full story is online at: http://www.the-times.co.uk/news/pages/Times/frontpage.html?1069542] Brian Randell, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK +44 191 222 7923 http://www.cs.ncl.ac.uk/~brian.randell/
A popular free-of-charge predictor for UNIX platforms, SatTrack V3.1, went completely haywire. On 7 Jan. it told me: Date: XXX -358Jan01 (I think the XXX should be the day of the week) UTC : -358-11:-32:-94 Countdown to next pass: 657443 days 11 hours 32 minutes 10 seconds (this is rather precisely 1800 years) Satellite position: 0.0 deg lat. 0.0 deg. long. (does not move) In all fairness, this version is a few years old; the latest version comes at a cost, and is said to be Y2K compliant. Another popular program, WinOrbit 3.5 for Windows 95/98 nearly got it right. I found only one problem: If you want to print the prediction for several future passes, you get a pop-up on which you have to enter the starting time for the calculation. There is a "NOW" button that fills in this entry, giving the year as 00. 00 means 1900 to the program. You can type 2000 instead of 00, and you get the correct results. Easy, once you know. But it took some time to first discover that the results were wrong, then figure out the work-around. I am told that yet another predictor works fine in 2000, as long as you use the orbit parameters, the so-called "2-line elements", from end 1999, but goes wrong with parameters that have a year entry of 00. I haven't got the details. Erling Kristiansen
I managed to get Microsoft Flight Sim 2000 Pro Edition for Xmas, great! After installing I went to the Microsoft web site and found an update - of course there was one - 9 megabytes in total. I downloaded it, installed it, everything was fine. A few days later I did my in-frequent disk cleanups, etc. I had not run scandisk for ages so set it off. I was surprised when it announced that it had found a bad file. The file was with one of the Flight Sim 2000 files, and the problem was that it had an invalid date. This problem occurred with all the Flight Sim 2000 files that had come as part of the update I had downloaded. Was it a Y2K problem? I'm not sure. Everything worked okay and McAfee Virus Checker didn't complain about funny dates on the files. Of course, it could have been a problem with the disk scan program. Dave Smith
Finally relenting to continued pressure from the technology industry, the Clinton Administration has decided to remove virtually all restrictions on the exportation of powerful data encryption software, and to require companies to seek government permission only when they plan to sell the technology to a foreign government or military organization. Companies will still be prohibited from selling to seven nations thought to be supporting terrorism: Iran, Iraq, Libya, Syria, Sudan, North Korea, and Cuba. Industry leaders expect the decision to give a significant boost to the sale of U.S. technology, and Novell chairman Eric Schmidt says it "clearly sets the stage for the next big growth phase of the Internet." [AP/*San Jose Mercury News*, 13 Jan 2000 http://www.sjmercury.com/svtech/news/breaking/merc/docs/009455.htm; NewsScan Daily, 13 Jan 2000] [Open-source software is apparently unrestricted. PGN]
Before we all get too carried away about perceived risks, a few questions need to be asked. In the interests of credibility, we should not fall into scaremongering. As supposedly expert practitioners in computing related risks, we should be sure we have established a logical thread before we reach conclusion. Other wise we *risk* being classified with the boy who cried wolf, and thereby exclude ourselves from contributing to improved security and risk management. In the Visa case, what source code was *stolen*? It is extremely unlikely that it was *the source code for the Visa card system* as stated! There is no such thing. Like any system, it would consist of many source libraries, each relating to different modules of the overall system. So we should be asking what source was copied? (You can hardly say it was *stolen*, as that would imply that it was taken away, leaving the rightful owner without possession of the item of stolen property, and we all know that is not what happens in such cases. In a shop like Visa, the code promotion system maintains multiple copies in the migration libraries, so erasure of the sole copy is highly unlikely) Was it the card number validation module? Perhaps part of staff payroll processing? or Some CGI for their public web site? or Perhaps an in-house written reporting tool? Was it the current version, an old one, a pre-production one, a half-tested development one? As it appears that Visa is not stating what code was copied, it is rather hard to support the assertion that their system was *compromised* in the manner implied. And what is the basis for stating that *Visa seems to have had no fall back plan*. What fallback is appropriate when source is illicitly copied? What is the threat we need to counter? It all depends on what was copied.
Not all billing systems write off *small debts*, or at least didn't always do so. When I left UK in 1981 after living and working there for a time, I took with me my Barclay Visa card and used it for expenses as I took the long route home to Australia via the US. Naturally, it took a few months for all my purchase charges to catch up with me. (1981 was before widespread on-line merchant transaction processing). Finally all the charges were in and I paid out my statement by wire transfer from my Australian bank. Of course I left it to the last minute to pay, and the payment got to my Visa account a day or so late. So, next month I received a statement with one line item - Credit Charges: 40pence (equiv $US.050), contained in an envelope bearing 85 pence in postage. At $A5 ($US3.00) in fees per wire transfer, I chose to ignore the statement. Next month, another statement for 40p. And then another. And then nothing. I presume I appeared on the delinquent debtors list for recovery action and someone at Barclays then realised they had spent PndsStg2.55 in postage while attempting to recover 40p from the other side of the world! Although I've been back to UK numerous times since (twice in the employ of a Bank and carrying a Corporate Visa card), I do wonder what Barclay's reaction would be if I ever applied for another card with them? Am I black listed as a credit risk forever? Or maybe their system has been revamped a few times since then and the delinquents list wasn't transferred across?
> Viridian Curia Member Laura Stinson points out that people unwise enough > to use "Microsoft Outlook" cannot read the entire "Manifesto of January 3, > 2000." That's because one line of the text happens to begin with the word > "begin," followed by two spaces. When Microsoft Outlook sees this, it > interprets everything that follows as an attachment. I tried this at work as soon as I heard about it. Of 5 Outlook users reporting back, 4 were indeed "blinded" - they did not see the line beginning "begin" or any text thereafter. One of them reported seeing an attachment she could not open. One user saw the whole test text with no problem. He believes that the difference is that he gets his mail from a Microsoft Exchange server rather than directly (using IMAP? I don't use Outlook so I don't know what the other choices are). So unfortunately, rather than giving a preferential advantage to those who "spurn Microsoft products" as the original message suggests, this problem may be taken as evidence that if you buy one Microsoft product, then (to coin a phrase) you "gotta get them all!" Dan Franklin, Comverse Network Systems
[Many of you wrote that you were unable to reproduce this problem. This item is in response to a message to Linda from Tom Neff... PGN] I found it running Outlook 98 on NT. Another person reports reproducing the problem on Outlook Express 5 on NT, but NOT on Outlook Express 5 on NT, Outlook 97 on NT, or Outlook Express 4.5 on MacOS. I don't know of any reason why OS version (NT vs. 95/98/00) would make a difference, but who knows what evil lurks in the relevant DLLs? Since neither Bruce nor Microsoft are paying me to debug, I'm disinclined to investigate further. [...] Laura Stinson <email@example.com>
[Many of you have sent in the Kangaroo story that was excerpted from rec.humor.funny in RISKS-20.47. This item from Paul Mallory was forwarded to RISKS by Paul Green. PGN] > Date sent: Thu, 16 Dec 1999 15:49:34 +0000 (GMT) > From: firstname.lastname@example.org (Walter Mallory) > Subject: (Fwd) Re: Probably should be in .software_eng, > To: email@example.com > Organization: GEC Marconi Dynamics, Inc. > > Adrian Frith wrote: > This sounds like an urban legend and when I first heard of it (as reported > on the Defence Systems Daily web site). I thought that it was until I > read the correction story shortly afterward. I have attached the > correction below. It is even weirder than the original. > What those Killer Kangaroos really fired, 29 November 1999 > On Friday DSD told the story of the killer kangaroos. Now we know the > truth. And it is even weirder: the kangaroos threw beach balls! > Dr Anne-Marie Grisogono, Head, Simulation Land Operations Division at the > Australian DSTO has told us what actually happened and we are delighted to > set the record straight. > "I related this story as part of a talk on Simulation for Defence, at the > Australian Science Festival on May 6th in Canberra. The Armed > Reconnaissance Helicopter mission simulators built by the Synthetic > Environments Research Facility in Land Operations Division of DSTO, do > indeed fly in a fairly high fidelity environment which is a 4000 sq km > piece of real outback Australia around Katherine, built from elevation > data, overlaid with aerial photographs and with 2.5 million realistic 3d > trees placed in the terrain in those areas where the photographs indicated > real trees actually exist. > "For a bit of extra fun (and not for any strategic reason like kangaroos > betraying your cover!) our programmers decided to put in a bit of animated > wildlife. Since ModSAF is our simulation tool, these were modeled on > ModSAF's Stinger detachments so that the associated detection model could > be used to determine when a helo approached, and the behaviour invoked by > such contact was set to 'retreat'. Replace the visual model of the Stinger > detachment in your stealth viewer with a visual model of a kangaroo (or > buffalo...) and you have wildlife that moves away when approached. It is > true that the first time this was tried in the lab, we discovered that we > had forgotten to remove the weapons and the 'fire' behaviour. > "It is NOT true that this happened in front of a bunch of visitors > (American or any other flavour). We don't normally try things for the > first time in front of an audience! What I didn't relate in the talk is > that since we were not at that stage interested in weapons, we had not set > any weapon or projectile types, so what the kangaroos fired at us was in > fact the default object for the simulation, which happened to be large > multicoloured beachballs. > "I usually conclude the story by reassuring the audience that we have now > disarmed the kangaroos and it is again safe to fly in Australia." > Andy
The Tenth Conference on Computers, Freedom and Privacy (CFP2000) April 4-7, 2000, Westin Habour Castle, Toronto, Ontario, Canada For additional details and registration forms see http://www.cfp2000.org Featured speakers: - Tim O'Reilly, founder and CEO of O'Reilly & Associates, Inc., open source champion - Neal Stephenson, author of Cryptonomicon, Snow Crash, The Diamond Age, and Zodiac: The Eco Thriller - Austin Hill, co-founder and president of Zero-Knowledge Systems - Duncan Campbell, freelance investigative journalist abd TV producer, discovered the existence of the ECHELON system - Jessica Litman, Professor of Law at Wayne State University - Whitfield Diffie, Distinguished Engineer at Sun Microsystems, co-inventor of public-key cryptography - Steve Talbott, editor of the "NetFuture - Technology and Human Responsibility" online newsletter Scholarships are available for students as well as law enforcement officials, prosecutors, and criminal defense attorneys. Scholarships cover conference registration, travel, and hotel expenses. Application deadline: January 31. See http://www.cfp2000.org/scholarships/ ** TUESDAY, APRIL 4 9 AM - 12:30 PM - Tutorials, Workshop on Freedom and Privacy by Design - Constitutional Law in Cyberspace - How Did We Get Where We Are: A Brief History of Privacy and Surveillance in the U.S. - Intellectual Property 2 - 5:30 PM - Tutorials, Workshop on Freedom and Privacy by Design - The Electronic Communications Privacy Act - Everything You Need to Know to Argue About Cryptography - Privacy Policies: Public Protection or Trojan Horse? 8 PM - Welcome Reception ** WEDNESDAY, APRIL 5 8:45-9:30 AM - Opening Session - Keynote speaker: Austin Hill 9:30-10:45 AM - Domain Names Under ICANN: Technical Management or Policy Chokepoint 11:15 AM - 12:30 PM - New Justice Information Technologies: Does Existing Privacy Law Contemplate Their Capabilities? 12:30-2pm - Lunch - Luncheon speaker: Steve Talbott 2:15-3:30 PM - Security and Privacy in Broadband Internet Services 4-5:15 PM - Privacy Commissioners: Powermongers, Pragmatists or Patsies? 5:15-7:15 PM - The 2000 Orwell Awards and Reception 7:30-9:30 PM - Dinner - Dinner Speaker: Neal Stephenson 9:30 PM - midnight - BOFS ** THURSDAY, APRIL 6 8:45-9:30 AM - Keynote speaker: Duncan Campbell 9:30-10:45 AM - Intellectual Property and the Digital Economy 11:15 AM - 12:30 PM - CFP2000 Hot Topics - TBA 12:30-2pm - Lunch - Luncheon speaker: Jessica Litman 2:15-3:30 PM - Parallel Sessions - Free Expression v. Privacy - Infomediaries and Negotiated Privacy - Human Subjects Research in Cyberspace - Network Society as Seen by Two European Underdogs - The Media and Privacy 4-5:15 PM - "Who Am I and Who Says So?": Privacy and Consumer Issues in Authentication 5:15-6 PM - Keynote Speaker: Tim O'Reilly 7:00 - EFF Pioneer Awards Reception 9:30 PM - midnight - BOFS ** FRIDAY, APRIL 7 8:45-9:30 AM - Keynote speaker: TBA 9:30-10:45 AM - Internet Voting: Spurring or Corrupting Democracy 11:15 AM - 12:30 PM - Negotiating the Global Rating and Filtering System: Views of the Bertelsmann Foundation's Self-regulation of Internet Content Proposal 12:30-2pm - Lunch - Luncheon speaker: Whitfield Diffie 2:15-3:30 PM - Parallel Sessions - Broadband and Speech - Is Technology Neutral? Space, Time and the Biases of Communication - Governance of the Internet - Personal Data Privacy in the Pacific Rim - Campaign Finance Law and Free Expression 4-5:15 PM - 10 Years of CFP: Looking Back, Looking Forward
May 14-17, 2000, The Claremont Resort, Oakland, California Sponsored by the IEEE Technical Committee on Security and Privacy In cooperation with the International Association of Cryptologic Research Jonathan Millen, General Chair; Li Gong, Vice Chair Michael Reiter, Program Co-Chair; Roger Needham, Program Co-Chair PRELIMINARY PROGRAM (Subject to Change) [Abridged for RISKS] ** Monday, 15 May 2000 9:00-10:30 Access Control I Access Control Meets Public Key Infrastructure, Or: Assigning Roles to Strangers Amir Herzberg, Joris Mihaeli, Yosi Mass, Dalit Naor, Yiftach Ravid (IBM, Israel) A Security Infrastructure for Distributed Java Applications Dirk Balfanz (Princeton University, USA) and Drew Dean (Xerox PARC, USA) A Practically Implementable and Tractable Delegation Logic Ninghui Li, Benjamin Grosof (IBM T.J. Watson Research Center, USA), Joan Feigenbaum (AT&T Research, USA) 11:00-12:00 Applications of Cryptography Practical Techniques for Searches on Encrypted Data Dawn Song, David Wagner, Adrian Perrig (University of California, Berkeley, USA) Efficient Authentication and Signature of Multicast Streams over Lossy Channels Adrian Perrig, Dawn Song, Doug Tygar (University of California, Berkeley, USA), Ran Canetti (IBM T.J. Watson Research Center, USA) 1:30- 3:00 Panel: Is privacy too costly to implement? Moderator: Cynthia Irvine, Tim Levin 3:30- 5:00 Protocol Analysis and Design Searching for a Solution: Engineering Tradeoffs and the Evolution of Provably Secure Protocols John A Clark, Jeremy L Jacob (University of York, UK) Authentication Tests Joshua D. Guttman, F. Javier Thayer (MITRE, USA) Protocol-Independent Secrecy Jonathan Millen, Harald Ruess (SRI International, USA) ** Tuesday, 16 May 2000 9:00-10:30 Panel: Does open source really improve system security? Moderator: Lee Badger 11:00-12:00 Intrusion Detection Using Conservation of Flow As a Security Mechanism in Network Protocols John R. Hughes, Tuomas Aura, Matt Bishop (University of California, Davis, USA) Logic Induction of Valid Behavior Specifications for Intrusion Detection Calvin Ko (NAI Labs) 1:30- 3:00 Assurance Using Model Checking to Analyze Network Vulnerabilities Ronald W. Ritchey (Booz Allen & Hamilton, USA), Paul Ammann (George Mason University, USA) Verifying the EROS Confinement Mechanism Jonathan S. Shapiro, Samuel Weber (IBM T.J. Watson Research Center) Fang: A Firewall Analysis Engine Alain Mayer, Avishai Wool, Elisha Ziskind (Bell Labs, Lucent, USA) 3:30- 5:00 5-minute presentations on developing research [Contact firstname.lastname@example.org to propose a 5-minute talk.] ** Wednesday, 17 May 2000 9:00-10:30 Key Management A More Efficient Use of Delta-CRLs David A. Cooper (National Institute of Standards and Technology, USA) An Efficient, Dynamic and Trust Preserving Public Key Infrastructure Albert Levi, M. Ufuk Caglayan (Oregon State University, USA) Kronos: A Scalable Group Re-keying approach for Secure Multicast Sanjeev Setia, Samir Koussih, Sushil Jajodia, Eric Harder (George Mason University, USA) 11:00-12:00 Access Control II LOMAC: Low Water-Mark Integrity Protection for COTS Environments Timothy Fraser (NAI Labs) IRM Enforcement of Java Stack Inspection Ulfar Erlingsson, Fred B. Schneider (Cornell University, USA)
Please report problems with the web pages to the maintainer