The Risks Digest, Volume 21, Issue37

Peter G. Neumann

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21: Issue 37

Thursday 3 May 2001

Microsoft Is Set to Be Top Foe of Free Code: David Farber
DMCA: It's Like ... an Analogy Fest!: Monty Solomon
Recording industry threatens researcher with lawsuit: NewsScan
Hack attacks from China?: NewsScan
Space Station software problems predicted four years ago: Philip Gross
Incompatibility shuts down Xerox corporate network: Nelson H. F. Beebe
Destia shuts down service: Doneel Edelson
Mobile phones to prevent car theft?: Yerry Felix
CNN censors profane Webby nominee: Jim Griffith
Another problem with the DNS: Bob Frankston
MS security updates infected with virus: Dave Stringer-Calvert
Microsoft error message: Jean-Jacques Quisquater
Using calendar reminder service to remember anniversary of sad event: Elinsky
Risks of Net-connected appliances: Robert J. Woodhead
Re: MSN "upgrade" creates long distance calling: Steve Holzworth
The follow-on to James Bamford's *Puzzle Palace*: David Farber
Definitions for Hardware and Software Safety Engineers: Meine van der Meulen
Info on RISKS (comp.risks)

Microsoft Is Set to Be Top Foe of Free Code

Thu, 03 May 2001 09:43:23 -0400


John Markoff in *The New York Times*, 3 May 2001:

  Microsoft is preparing a broad campaign countering the movement to give
  away and share software code, arguing that it potentially undermines the
  intellectual property of countries and companies.  At the same time, the
  company is acknowledging that it is feeling pressure from the freely
  shared alternatives to its commercial software.
  http://www.nytimes.com/2001/05/03/technology/03SOFT.html

    [Dave's IP archives are at
       http://www.interesting-people.org/
    PGN]

DMCA: It's Like ... an Analogy Fest!

Wed, 02 May 2001 10:53:14 -0700

MEDIA GROK, 2 May 2001

We know, we know: Media coverage of the Digital Millennium Copyright Act
makes your eyes glaze over. Think that's bad? Imagine the DMCA being
discussed in a courtroom. This happened yesterday when a New York appeals
court became ground zero for testimony on whether DVD code-busting software
violates the DMCA. Reporters tried mightily - and several succeeded - to
make sense of lawyers' attempts to out- argue each other.

Call yesterday's event a different kind of Hollywood strike. When the e-zine
2600.com posted DeCSS, a computer program capable of cracking DVDs' security
code, a coalition of film studios struck back with a lawsuit. The studios
won, and the lower court based its ruling on the DMCA-based ban on
code-busting devices. 2600 appealed, its lawyers arguing that DeCSS has fair
and allowable uses.

Is law so complex that it has to be fed to us in analogies? We grew dizzy
trying to follow the analogy free-for-all that gripped the appeal hearing
and its coverage. Let's start with the DMCA. It's like Congress deciding
that the blueprint for a copying machine can't be published because it might
be used to violate the copyright laws, said Kathleen Sullivan, Stanford Law
School dean. Here's one about DeCSS: It should be banned because it's akin
to software that shuts off smoke detectors or airplanes' navigational
systems, said DMCA defender and assistant U.S. attorney Daniel Alter,
according to the New York Law Journal. The First Amendment wouldn't bar the
government from prohibiting distribution of that kind of software, Alter
said, and the same goes for DeCSS. No, no, no. DeCSS is "a useful tool for
scientific study and journalistic inquiry - or a burglar's crowbar designed
for breaking, entering and stealing," the Law Journal chimed in.

Lawyers, of course, love this kind of talk, which is no doubt why, as Inside
reported, the three-judge panel was revved up enough by the legal banter to
allow the session to run an extra 30 minutes. Inside ran a solid and
readable analysis of the ideas that were raised, as did ZDNet, which
included the tidbit that one "hacker-type" wore a T-shirt displaying the
illegal DeCSS code.

But both Inside and Wired News predicted the appeals court would probably
uphold the lower court's ruling. Sometimes pushing new ideas is like an
uphill battle. - Deborah Asbrand

Second Circuit Weighs DVD Copying
http://www.law.com/cgi-bin/gx.cgi/AppLogic+FTContentServer?pagename=law/View&c=Article&cid=ZZZ9P7GD8MC&live=true&cst=1&pc=5&pa=0&s=News&ExpIgnore=true&showsummary=0

In Lively Oral Arguments, Lawyers Put Digital Copyright Act on Trial
http://www.inside.com/jcs/Story?article_id=29820&pod_id=13

Throwing the Book at DeCSS
http://www.zdnet.com/zdnn/stories/news/0,4586,5082131,00.html

DVD Piracy Judges Resolute
http://www.wired.com/news/digiwood/0,1412,43470,00.html

Court Hears Appeal of Hacker Wanting to Post Descrambling Code on Internet
http://interactive.wsj.com/articles/SB988759509262167525.htm
(Paid subscription required.)

Judges Weigh Copyright Suit on Unlocking DVD Shield
http://www.nytimes.com/2001/05/02/technology/02CODE.html
(Registration required.)

Recording industry threatens researcher with lawsuit

<"NewsScan" <newsscan@newsscan.com>>

Tue, 24 Apr 2001 09:20:08 -0700


The litigation department of the Recording Industry Association of America
(RIAA) has threatened legal action against a Princeton University computer
scientist if he and his colleagues give a conference presentation this week
explaining how to get around a system developed by the industry to protect
copyrighted music. The researcher, Dr. Edward W. Felton, works in the field
of steganography, which develops techniques such as digital watermarking.
The head of RIAA's litigation department insists: "There is a line that can
get crossed, and if you go further than academic pursuit needs to go, you've
crossed the line and it's bad for our entire community, not just for artists
and content holders, it's everyone who loves art, and it's also bad for the
scientific community." [*The New York Times*, 24 Apr 2001; NewsScan Daily,
24 April 2001  http://www.nytimes.com/2001/04/24/technology/24MUSI.html]

Hack attacks from China?

<"NewsScan" <newsscan@newsscan.com>>

Mon, 30 Apr 2001 08:52:04 -0700


The FBI cybercrime division called the National Infrastructure Protection
Center is warning that Chinese hackers have publicly discussed increasing
their activities in the first week of May, in celebration of two Chinese
holidays and in memory of the two-year anniversary of the U.S. accidental
bombing of the Chinese embassy in Belgrade. The Internet security company
Vigilinx warns that it has the potential to escalate into something very
damaging if emotions run unchecked. There is no evidence that attacks have
been approved by the Chinese government. (AP/*USA Today*, 27 Apr 2001)
http://www.usatoday.com/life/cyber/tech/2001-04-27-chinese-hack.htm
NewsScan Daily, 30 April 2001

Space Station software problems predicted four years ago

<"Philip Gross" <png3@cs.columbia.edu>>

Sat, 28 Apr 2001 15:20:16 -0400


I contributed an article to RISKS on December 8, 1997, (RISKS-19.49) about
the enormous risks involved with the software of the International Space
Station.  3.5 million lines of code, coming from multiple countries, with
little indication of the verification methodologies.  In the two subsequent
issues RISKS-19.50 and 19.51, anonymous posters with connections to the
program agreed with and amplified these concerns.

Now we see that, indeed, difficult-to-diagnose software problems are
starting to plague the craft.
"Computer problems have kept the Endeavour at the station longer than
expected as astronauts try to carry out operations of a critical robot arm.
The ISS has suffered a series of glitches since Tuesday that left ground
controllers with only tentative command," says CNN.
(http://www.cnn.com/2001/TECH/space/04/28/shuttle.launch.02/index.html)

The RISKS here involve the well-known dangers of leaving debugging until the
system is already in use.  Although critical safety and control mechanisms
may be compromised until the problems are fixed,
"Russian space officials refused to delay Saturday's launch but agreed to
put the Soyuz in a holding pattern if the shuttle was still at the space
station on Monday. Russia said it had been unwilling to postpone the Soyuz
mission because the cosmonauts must replace the space station's escape
craft, whose service lifetime expires at the end of the month."

The world's first space tourist may have an interesting ride...

Incompatibility shuts down Xerox corporate network

<"Nelson H. F. Beebe" <beebe@math.utah.edu>>

Mon, 23 Apr 2001 14:02:12 -0600 (MDT)


*Computerworld* (16-Apr-2001, p. 6 and 78) has two articles on how an
incompatibility between a beta release of Microsoft Windows XP and Cisco
5000 routers shut Xerox's corporate network down several times.  According
to the page-long column on p. 78, ``It got so bad that Xerox warned all
50,000 of its U.S. employees not to installed XP betas without permission or
they'd face disciplinary action.''.

Nelson H. F. Beebe, Center for Scientific Computing, University of Utah
Department of Mathematics, Salt Lake City, UT 84112-0090  +1 801 581 5254

Destia shuts down service

<"Edelson, Doneel [euler:aci]" <doneel.edelson@eulergroup.com>>

Thu, 3 May 2001 17:47:14 -0400


Destia (known as EconoPhone), a part of Viatel, shut down service to all
customers Monday night or Tuesday.  Thousands of people with direct-dial
service (1+) are scrambling to get an alternate long-distance provider.
Until then, they cannot make any long-distance calls except to 800 numbers.
Also inbound 800 number service and calling cards provided by this company
do not work.

Mobile phones to prevent car theft?

27 Apr 2001 23:59:44 +0100


  Econet Wireless brand manager David Dzumbira said in the unfortunate event
  of the vehicle being violated or vandalised, Cellstop will alert the owner
  by calling on his/her cellphone within seconds of the incident happening.
  Cellstop will dial the number three times and if these calls are
  unanswered or responded to, the Cellstop unit will automatically starve
  fuel to the engine, making it impossible to drive the vehicle, said
  Dzumbira.

But what if the owner forgets the phone, loses it or the phone is stolen?
Or, if the phone runs out of power? And what happens if the device springs
into action whilst the car is being driven by the legitimate owner?

Note that the vehicle is stopped regardless of whether the phone is ignored
or answered!

Moreover, given the amount of false car alarms that seem to occur, this
could be very annoying, although, being the victim of nightly car alarms in
my street, I don't have much sympathy here :-)

The full article:
  http://www.mweb.co.zw/zimin/index.php?id=3176&pubdate=2001-04-27

CNN censors profane Webby nominee

Thu, 26 Apr 2001 20:17:34 -0500


An interesting aspect of this year's Webby's nominees is the nomination
of www.f**kedcompany.com in the Humor category (for which I was a nominating
judge).  When reading the CNN article about the nominations, at
  http://www.cnn.com/2001/TECH/internet/04/26/webby.awards.reut/index.html#12
I was interested to find that the above-mentioned site was apparently
deliberately excluded from the list of nominees, probably for the profane
name.  The *San Jose Mercury News* site reported the complete list, however.

  [comp.risks censors "CNN censors profane Webby nominee" as well.  PGN]

Another problem with the DNS

<"Bob Frankston" <rmf2gOther@bobf.Frankston.com>>

Mon, 30 Apr 2001 15:16:55 -0400


I e-mailed a URL, http://www.washtech.com/news/media/9387-1.html. The
spelling corrector apparently chanted washtech to washes which is a porno
site! The risk here isn't so much spelling correction as the current attempt
to use the DNS as a directory. The density of the namespace is just one of
the many problems.

Bob Frankston  http://www.Frankston.com

MS security updates infected with virus

Sun, 29 Apr 2001 19:18:28 -0700


Microsoft security fixes infected with FunLove virus

A virus infection of security fix files on Microsoft's partner and premier
support Web sites has forced the software giant to suspend certain
downloads for more than a fortnight. Microsoft issued an alert on Monday,
which states that various Hotfix files on its Premier Support and
Microsoft Gold Certified Partners Web sites are infected with the FunLove
virus. A copy of the notice said Microsoft has stopped access "in order to
protect customers" to an unspecified number of files, and expects to be
able to restore access later today.  Customers were advised to contact
their technical account manager in the interim.
  [http://www.theregister.co.uk/content/8/18516.html]
     [Also noted by Jeremy Epstein.  PGN]

Microsoft error message

Mon, 30 Apr 2001 22:11:37 +0200


Q276304 - Error Message: Your Password Must Be at Least 18770 Characters
          and Cannot Repeat Any of Your Previous 30689 Passwords

New level of security at Microsoft.  Jean-Jacques Quisquater,

  [The password must be Macrohard?  PGN]

Using calendar reminder service to remember anniversary of sad event

<Elinsky@aol.com>

Tue, 24 Apr 2001 16:46:05 EDT


This is from the "Metropolitan Diary" section of *The New York Times*, 23
Apr 2001.  The writer unknowingly set herself up for an eerie reminder mail,
by not entering the event as "Anniversary of Grandpa's death".  Even if she
had, the mail probably would've still contained the (presumably
inappropriate) gift suggestions.

Harriet Inselbuch signed up for a calendar reminder service on the Internet
and duly entered important dates like birthdays and anniversaries.  The
service notifies her by e-mail a few days before an important event.  One
anniversary she listed was of a family death, a reminder to her to light a
candle.  A few days before that particular date, she did receive a message
and it provided somewhat of a shock.  It read, "Reminder: Grandpa's death is
just around the corner" followed by three or four gift suggestions for the
occasion.

Risks of Net-connected appliances

<"Robert J. Woodhead (AnimEigo)" <trebor@animeigo.com>>

Mon, 23 Apr 2001 17:12:45 -0400


After watching a breathless CNN report about Internet-enabled espresso
machines, it occurs to me that one of the greatest risks of having
appliances connected to the Internet is that one's refrigerator might start
forwarding spam instead of simply storing it.

Robert Woodhead, Webslave & Mad Overlord    http://selfpromotion.com/

Re: MSN "upgrade" creates long distance calling (RISKS-21.32)

Fri, 27 Apr 2001 14:17:46 -0400


WRAL-TV Online reports that the Microsoft Network (MSN) has agreed to pay
back dozens of people who received huge Internet phone bills by mistake.

http://www.wral-tv.com/features/5onyourside/2001/0426-msn-second-folo/

"Combined, complainants were billed more than $13,000 in unexpected charges.

For about a month when the Wake County customers accessed the Internet, they
were routed to a long distance Chapel Hill number -- a number they did not
know they had been switched to.

John Bason, a spokesman for the North Carolina Department of Justice, says
the situation definitely needs to be addressed." ...  "Microsoft is telling
the Attorney General's office that the error was theirs and agreed to pay
back consumers. Any MSN customers who were erroneously billed must file a
complaint with the Attorney General's office at 919-xxx-xxxx."

Steve Holzworth, Senior Systems Developer, SAS Institute, Cary, N.C.
Open Systems R&D VMS/MAC/UNIX    <sch@unx.sas.com>

IP: The follow-on to James Bamford's Puzzle Palace

Wed, 25 Apr 2001 15:04:56 -0400


James Bamford
Body of Secrets: Anatomy of the Ultra-Secret National Security Agency:
  From the Cold War Through the Dawn of a New Century

  [Good review in *The New York Times* Sunday Book Review section,
  29 April 2001.  PGN]

Definitions for Hardware and Software Safety Engineers

Thu, 3 May 2001 09:50:50 +0200


I would like to bring the book 'Definitions for Hardware and Software Safety
Engineers' under your attention. It quotes definitions in the field of
hard-and software dependability engineering from over a hundred sources.
When more definitions exist it quotes these to enable comparison. Much
attention has been paid to cross-referencing.

  M.J.P. van der Meulen, Definitions for Hardware and Software Safety
  Engineers, ISBN 1-85233-175-5, Springer, London, hardcover, 342 pages.

URL: http://www.springer.de/cgi-bin/search_book.pl?isbn=1-85233-175-5

Meine van der Meulen, Max Euwelaan 60, 3062 MA Rotterdam  Tel 010-4535959
SIMTECH Engineering: www.simtech.nl  <m.van.der.meulen@simtech.nl>

Report problems with the web pages to the maintainer