The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 45

Wednesday 6 June 2001

Contents

Ed Felten and researchers sue RIAA, DoJ over right to publish
  Declan McCullagh
Billboard error message
  Phil Agre
California bill prohibits online gambling
  Jim Griffith
Dutch government to act against virtual child pornography
  Marcus de Geus
Payday delayed by one day in Belgium
  Kris Carlier
Mobile phones to manage truancy - and other free publicity
  Nick Brown
Inevitability of risks
  Mick Topping
Re: The Faith-Based Missile Defense
  S. Alexander Jacobson
Re: Eurocops want seven-year retention of all phone, Net traffic
  Morten Norman
Re: Our software is *never* wrong
  Scott E. Preece
WSJ/Word change tracking/"MS Tool Lifts Veil on Spin"
  Daniel P. B. Smith
Re: Word file turns into two disjoint texts
  Lloyd Wood
Steve Gibson: Windows XP Vulnerable; Big ISPs just don't care
  Chris Meadows
Re: Office XP modifies what you type
  Bear Giles
  LShaping
Re: "Hacker Insurance" charges higher rates for Windows systems!
  Elana
Re: UK Government Gateway blocks non-MS browsers
  David G. Bell
10th USENIX Security Symposium
  Tiffany Peoples
Announcement - 16th Annual Software Engineering Symposium 2001
  Carol Biesecker
Info on RISKS (comp.risks)

FC: Ed Felten and researchers sue RIAA, DoJ over right to publish

<Declan McCullagh <declan@well.com>>
Wed, 06 Jun 2001 10:01:08 -0400

Code-Breakers Go to Court
By Declan McCullagh (declan@wired.com), 6:22 a.m. June 6, 2001 PDT

WASHINGTON -- After a team of academics who broke a music-watermarking
scheme bowed to legal threats from the recording industry and chose not to
publish their research in April, they vowed to "fight another day, in
another way."

On Wednesday, Ed Felten of Princeton University and seven other researchers
took their fight to a New Jersey federal court in a lawsuit asking that they
be permitted to disclose their work at a security conference this summer.

Joining them is the Usenix Association, a 26-year-old professional
organization that has accepted Felten's paper for its 10th security
symposium in Washington during the week of Aug. 13. The Electronic Frontier
Foundation is representing the researchers and Usenix.

In what appears to be the first legal challenge to the Digital Millennium
Copyright Act's criminal sections, Usenix is asking the court to block the
Justice Department from prosecuting the conference organizers for allowing
the paper to be presented.  [...]

  [http://www.wired.com/news/mp3/0,1285,44344,00.html]

Background:
  http://www.politechbot.com/cgi-bin/politech.cgi?name=felten
DMCA-related photos:
  http://www.mccullagh.org/theme/dmca-appeals-arguments.html
  http://www.mccullagh.org/theme/dvd-2600-trial.html
  http://www.mccullagh.org/theme/dmca-protest.html
EFF document archive:
  http://www.eff.org/Legal/Cases/Felten_v_RIAA/

POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/


Billboard error message

<Phil Agre <pagre@alpha.oac.ucla.edu>>
Mon, 4 Jun 2001 19:10:09 -0700

I was driving on I-405 northbound in southern Los Angeles County when I saw
a bitmapped billboard on the east side of the road that was displaying a
Windows error message.  I couldn't take down the exact text, but it was
something like "The file cannot be played; it may be corrupt".  This was a
first for me.  I had seen Windows error messages displayed on video monitors
in airports and other public places, but never on a full-sized billboard.
Now, digital billboards that display animation are already a Risk of
distraction to passing drivers; there is an especially bright billboard on
the Sunset Strip that is IMHO a serious traffic hazard, and it often plays
music videos and the like.  I don't know what the billboard on I-405
normally shows.  One might argue that the giant Windows error is actually an
anti-Risk because it reminds the entire populace just how unreliable
Microsoft products are, thus reducing the likelihood that a passing motorist
will specify such products as part of a safety-critical system once they get
to work.  On the other hand, it is easy to imagine the havoc that could be
caused by someone who managed to hack a billboard next to the freeway and
display their own content on it, particularly if the billboard is supposed
to display safety-relevant traffic messages.

Phil Agre

  [Phil, Please drive safely, with hands-free cell phone headset (unless you
  already have a dashboard-mounted videocam/videophone set), coffee in one
  hand, a hot dog in the other, while watching your GPS video screen at the
  same time.  Then you can safely ignore the safety-related signs.

    BTW, My local movie N-plex recently displayed a bunch of operating
    system prompts and reboot script in the space devoted to which shows
    were sold out.  We've also had reports of similar activities in RISKS.
    PGN]


California bill prohibits online gambling

<griffith@olagrande.net>
Wed, 30 May 2001 18:43:08 -0500 (CDT)

The California Assembly passed a bill today which would make it illegal for
Californians to play games online that are otherwise illegal in California.
The bill would fine first-time transgressors $25 per transaction (not
conviction) and $100 per transaction thereafter.  Companies (anywhere)
convicted of catering to Californians could be liable for $1000 per
transaction and 90 days in jail.  The bill supposedly specifically allows
prosecutors to go after offshore corporations.

http://www0.mercurycenter.com/breaking/docs/064216.htm

We're barely finished cursing France for their stupidity in attacking
Yahoo!, and we go and do something equally stupid.  Hopefully, our Senate or
Governor is a little smarter than our Assembly.

Anyone want to bet that this bill doesn't work as intended?  No, wait a
minute, I could get arrested for that.


Dutch government to act against virtual child pornography

<"Marcus de Geus" <marcus@degeus.com>>
Thu, 31 May 2001 09:38:35 +0000

The Dutch Minister of Justice, Korthals, has announced measures that will
make it illegal to produce or possess child pornography created by means of
electronic image manipulation. The proposed legislation appears to be aimed
at preventing the production and possession of artificially rendered images
that could be interpreted as representations of children involved in sexual
acts. Current Dutch law states that the production or possession of
pornography is a criminal offence if it involves the physical (ab)use of
(real) persons under a certain age. [Based on a report in an e-mail message
from Radio Nederland Wereldomroep.]

Leaving aside for the moment the moral issues involved, as well as the
practical aspects of enforcement, or even the difficulty of ascertaining the
age of a virtual person, the legal ramifications could prove interesting,
since the proposal appears to be based on the assumption that the virtual
representation of an activity can somehow be put on a par with its physical
counterpart.

Few, if any, people will be prepared to argue in favour of sexual acts
involving children, which is why it is an illegal activity. In the same
vein, few would argue in favour of the wholesale slaughter of people for the
purpose of entertainment. We find the idea repugnant, which is why such
activities have also been made illegal, at least in most modern countries.

On the basis of these premises, I wonder how the widespread legal
availability of virtual reality shoot-'em-up computer games will affect, or
be affected by, the proposed legislation. I somehow doubt that Mr. Korthals
will be prepared to do battle with such economic forces as represented by
Messrs. Sony, Nintendo, and soon, Xbox producers, Microsoft.

The RISKS?  Assuming that seeing is believing, or that What You See Is What
You Get.

Marcus de Geus <marcus@degeus.com>  http://www.degeus.com


Payday delayed by one day in Belgium

<Kris Carlier <root@iguana.be>>
Sat, 2 Jun 2001 10:38:44 +0200 (MET DST)

On 1 Jun 2001, the majority of people on the government payroll were paid
with a one-day delay. The same goes for refunds for VAT and taxes. The
reason: Belgian postal services are tasked with doing the money transfers
towards the different banks.

Seems that they had a special situation: on 31 May, not only people had to
be paid, but the next weekend (02-04 Jun) being a long one, an
'exceptionally large number' of transactions were fed to the system.  In
itself this should not have been a problem, but the system has some built-in
time-restrictions, described as being rather 'large'. This of course to
avoid runaway jobs from causing further damage, just in case. Yet, some
components were hitting these time-restrictions before they were actually
finished.  The Post's spokesman said that this kind of situation is only
encountered once in 5 years.

At first, of course, the functionaries were suspecting their respective
payment departments to be responsible. Phones didn't stop ringing all
day, then finally it was also on the news.

kris carlier - kris@iguana.be  KC62-RIPE   SMS: +32-475-61.43.05


Mobile phones to manage truancy - and other free publicity

<BROWN Nick <Nick.BROWN@coe.int>>
Fri, 1 Jun 2001 16:11:51 +0200

*The Guardian* (UK) "reports" (by printing a press release) today on a
"system" to allow teachers to report truanting children to their parents.
The "article" contains a number of less-than-stunning revelations, such as
that "a large number of parents have mobile phones", and some highly
meaningless claims, for example "The device can also be used to inform
headteachers, therefore cutting down on the time the overall monitoring
process takes."

Full text:
http://www.guardian.co.uk/Archive/Article/0,4273,4196245,00.html
(and don't forget to click on the related story at the end, about students
calling their parents from the classroom to complain about their teachers!)

The RISKs should be fairly obvious to regular readers, both in the system
itself, and also in the phenomenon of supposedly "upmarket" newspapers with
a tradition of investigative reporting, printing technology company press
releases as news.  A further example of the latter is the collection of
unverifiable claims in the "article" on Microsoft Office XP at
http://www.guardian.co.uk/Archive/Article/0,4273,4196242,00.html.

Nick Brown, Strasbourg, France


Inevitability of risks

<"Mick Topping" <mick@mtopping.com>>
Fri, 1 Jun 2001 22:27:15 -0500

Apparently the Gullibility Virus
http://bob.bob.bofh.org/~robm/manual/virus/gullibility.html
has struck more people than first realized.

Remember this from several months back?

   Subject: New Minnysoota Virus.

       Sven and Ole vere here.

      Yew have yust received da Sven & Ole Computer Virus.
      Because ve don't know how to program computers, dis  virus verks
      on  da honor  system. Please delete all da files on yewr hard drive
      manually  and forward dis message to everyvon on yewr mailing list.

      Tank yew fer yewr kewhopeeration.

      Sven and Ole

I thought this was pretty funny, at the time, but then I saw the recent
warnings on the Hoax-Virus, like this:
http://www.thestandard.com/article/0,1902,26780,00.html It suddenly came to
me, that someone had taken the Sven&Ole model, and improved on it, just a
little. AND IT IS WORKING!  Apparently you don't even have to be a
script-kiddy to make an effective virus.  (Hey kid, if you put sugar in your
dad's car's gas tank, it will run real fast...Well, Joe, if you want to get
that charcoal started FAST, try this jar of gasoline...If you don't have a
fuse, just stick a penny in the socket...memes?) It is not surprising that a
few users might fall for this, but the very fact that something like this
can find a toe-hold to spread, confirms that a big risk of technology
(ignorance) has been with us since the first tool user cut himself with the
first sharp rock.

Is the real risk of information technology that it enables the ultra-rapid
spread of malicious memes?


Re: The Faith-Based Missile Defense

<"S. Alexander Jacobson" <alex@shop.com>>
Tue, 29 May 2001 20:49:06 -0400 (Eastern Daylight Time)

I find it surprising that people on this list are so dismissive of
anti-ballistic missile technology:

* the US and Russia both use and sell various forms of surface to air
missiles designed to shoot down even very fast planes like F-16s and
MIG-29s.

* attack missiles in terminal phase seems like a natural extension of the
capabilities of existing SAM systems (not a radically new technological
development)

* missiles in boost phase are very hot and move very slowly and predictably
(much more so than highly maneuverable fighter planes) -- so there is some
reason to believe that boost phase systems can be more effective than SAMs.
From a technical perspective, development of boost phase interception does
not seem obviously more complex than that of Aegis ship based defense
system.

Moreover, general ABM seems like a natural extension of the Aegis system
in particular.  We now know that the USSR actually deployed an integrated
missile tracking system at Krasnoyarsk -- so at very least that portion of
the technology is actually deployable.

Obviously developing and deploying ABM systems will not be easy and there
is substantial risk of failure.  Moreover even a successful project
may be substantially less than 100% effective.  However, the same is true
of most defense systems, but we develop and deploy them anyway.  Why hold
ABM to a different standard than other defense technology?

Critics may have good policy reasons to oppose deployment of ABM systems,
but creating FUD about development risks is a service to no one.

Alex   S. Alexander Jacobson  1-646-638-2300


Re: Eurocops want seven-year retention of all phone, Net traffic

<marten-risks@norman.qmail.com>
Tue, 5 Jun 2001 21:58:39 +0200 (MET DST)

> Are they mad?  One barely knows where to start enumerating the risks
> of such an undertaking.

Try to remind the politicians of snail mail and the fact that anyone
may send a letter anonymously by dropping it in a mailbox.

I humbly suggest that they put a clerk and a photo copy machine at
every snail mail box.  Let the clerk identify everyone dropping
a letter.  And of course open the envelope and make a photocopy of
the letter to be archived for seven years.

If they still think it's a good idea, vote for other politicians.

Morten Norman


Re: Our software is *never* wrong (Gat, RISKS-21.41)

<"Scott E. Preece" <preece@urbana.css.mot.com>>
Thu, 31 May 2001 14:59:40 -0500 (CDT)

It is possible to explain this without the credit-card company rep being
either stupid or over-trusting.  If the database tracks changes to the data
and the rep was aware of an automated change (a systematic change to the
database, such as might occur in changing the schema in the database), the
rep might be able to know that you should have gotten a preference update
notification and that no manual changes had been made to your data.

Obviously, it is also possible that there was some break-in, but if the rep
had a reasonable explanation consistent with all the data, Occam's razor
argues for assuming that explanation.

scott preece, motorola/css urbana design center preece@urbana.css.mot.com
1800 s. oak st., champaign, il 61820   1-217-384-8589


WSJ/Word change tracking/"MS Tool Lifts Veil on Spin"

<"Daniel P. B. Smith" <dpbsmith@bellatlantic.net>>
Wed, 30 May 2001 20:01:22 -0400

If you send a Word .doc file directly to someone else, without going to
"track changes" and accepting all changes, your recipient can see all
the edits you have made to the document, with results that can be
humorous, embarrassing, or worse.  This is old news to RISKS
readers--how long ago did the first mention of the problem appear in
RISKS?  But perhaps the recent appearance of an article about it in The
Wall Street Journal (May 14th, page C1) is worthy of mention.

The article is entitled "How to Read Between the Corporate Lines." It
gives the procedure for viewing Microsoft Word edits, and (with somewhat
less clarity) the procedure you must go through to prevent someone else
from viewing YOUR edits.

The way the Journal puts it: "Just a couple of clicks provides a
revealing peek into how some companies massage their public messages to
Wall Street."  In a news release from Ameritrade Holding Corp, "in one
draft, Ameritrade billed the March hiring of Mr. Moglia as one of the
'right decisions' the company made during a difficult second quarter.
But his name ended up on the cutting-room floor, a thin blue line
erasing him from the final version."  It mentions that "Analysts and
investors looking at an earlier draft would have found a per-share,
quarterly loss of 31 cents.  But that, too, was crossed out and changed
to a loss of 30 cents."  An Ameritrade spokeswoman brushed off the
changes, saying "it is too bad--but on the other side of it, it is too
bad that someone would think to turn the edits on."

The article goes on to cite minor gaffes from Visa USA, Allied Capital,
Web Street, and Acxiom, leaving little doubt that the problem is widespread.

There are no real howlers or scandals here. But you'd think the RISKS
would be obvious, wouldn't you?

Daniel P. B. Smith <dpbsmith@world.std.com>
"Lifetime forwarding" address: dpbsmith@alum.mit.edu


Re: Word file turns into two disjoint texts (Page, RISKS-21.40)

<Lloyd Wood <l.wood@eim.surrey.ac.uk>>
Wed, 30 May 2001 20:05:28 +0100 (BST)

> Word was set to allow "Fast Saves", which is a non-default setting
> that performs incremental rather than complete saves.

It's worth pointing out that for a long time the default was to have
fast save _on_. The first thing I would do with any version of Word is
check for and disable it, having discovered its lack of reliability.
(Many patches to earlier versions of Word were solely to address,
er, issues with fast save.)

The risk lies in changing the defaults when user experience has led to
certain expectations. In this case, if you were hoping that fast save
would let you recover mistakenly deleted text based on experience of
older versions of Word, you'd be out of luck.

<L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>


Steve Gibson: Windows XP Vulnerable; Big ISPs just don't care

<Chris Meadows <robotech@eyrie.org>>
Mon, 04 Jun 2001 22:57:10 -0500

The report on this webpage

    http://grc.com/dos/grcdos.htm

is from Steve Gibson, a respected name in the tech community, and it
details his travails after grc.com came under attack from a 13-year-old
hacker, at first due to a mistaken belief Gibson had called him a name,
then simply because it was fun.  It mentions how Windows XP was all but
made with these so-called "script kiddies" in mind, and they're aware of
it--and when it is more widely spread, they will be able to launch
devastating, perhaps unstoppable attacks.

He also mentions how much trouble he had getting any of the major ISPs to
cooperate with him.

This is an eye-opening report.  Ignore it at your peril.

Chris Meadows aka Robotech_Master Co-moderator rec.toys.transformers.moderated
robotech@eyrie.org <URL:http://www.eyrie.org/~robotech/>


Re: Office XP modifies what you type (RISKS-21.42)

<Bear Giles <bear@coyotesong.com>>
Tue, 29 May 2001 23:42:20 -0600 (MDT)

I believe that the RISKS here are far more profound than a few broken links.

In the beginning, authors were responsible for their own words and our
programs (confusingly called 'editors') preserved them.  Until those
butchers, our human editors, hacked at them.

Then computers became powerful enough for 'editors' to act as advising
editors.  We still owned our own words, at least until
they-who-edit-because-they-cannot-write got ahold of them, but the programs
could handle the tedious work of digging out the dictionary.

Now, for the first time, we see a program usurping the role of the human
editor.  Unlike the human counterpart, we can't bribe this one with cheap
booze when the facts fail to sway them.  On this issue the program is the
FINAL editor, sans appeal.

This is... scary.  The smaller problem is one of liability - if a human
editor screws up, he can face real consequences.  But if a program is
responsible for dropping a single word from the sentence "Mr. Smith did not
murder his wife," the humans will still bear the responsibility even though
they were powerless to prevent it.  This type of liability isn't
unprecedented, but it probably hasn't seen widespread use since codpieces
were the height of male fashion.  (hmmm....)

The bigger problem is that this will be an unbearable temptation to the same
"technical solutions to social problems" crowd that loves photo radar and
net filters in libraries.  Why worry about the attitudes that would make
someone type "the N word" if you can require software to automatically edit
out the offensive word or phrase?  Even better, we even have the precedent
that WYSIWYG doesn't mean WYSIWYG - it's now perfectly legitimate for the
original author to see what he typed, but for the saved file (and all
subsequent viewers) to see a different word.

What would stop the Republic of Freedonia from requiring all word processors
replace all references to their breakaway province Catatonia with the phrase
"breakaway province of Catatonia"?  The Breakaway Province of Catatonia
would naturally have its own laws regarding Imperialistic Freedonia.

In the US we have the First Amendment to protect us from laws requiring such
changes.  Which just means that these laws will sneak in the back door.  Some
obvious examples: how could any school justify allowing minor students to
write obscene screeds?  (Never mind legitimate book reports on Mark Twain.)
How can any company defend itself against a sexual harassment suit, already
an extremely confusing body of case law, if company e-mail allows employees
to be referred to with "the B and C words?"

This "feature" isn't scary because it will break a few links.  It's scary
because it opens the door for our voices to become those of a stranger.

Bear Giles  bgiles (at) coyotesong (dot) com


Re: Office XP modifies what you type (Deegan/Arnold, RISKS-21.42)

<LShaping <nospam@all.please>>
Fri, 01 Jun 2001 13:15:02 GMT

Microsoft knows best.  That is no different than Windows 95 forcing all
capital-letter file names into Microsoft's chosen format.  You have no
choice, you are not given any way to change the behavior, you must submit
to Microsoft's wishes.  Must feel good to be a monopoly and be able to
force personal computer users to behave as you wish.


Re: "Hacker Insurance" charges higher rates for Windows systems!

<falcospav@excite.com (Elana Who?)>
5 Jun 2001 07:54:19 -0700

Two quotes from the article:

"J.S. Wurzler Underwriting Managers, one of the first companies to offer
hacker insurance, has begun charging its clients 5 percent to 15 percent
more if they use Microsoft's Windows NT software in their Internet
operations."

"...found that system administrators working on open source systems tend to
be better trained and stay with their employers longer than those at firms
using Windows software, where turnover can exceed 33 percent per year."

The article can be found at:
http://www.zdnet.com/intweek/stories/news/0,4164,2766045,00.html

-Elana


Re: UK Government Gateway blocks non-MS browsers (Mistry, R-21.44)

<dbell@zhochaka.demon.co.uk ("David G. Bell")>
Tue, 05 Jun 2001 07:25:03 +0100 (BST)

The same system is also being used for the electronic submission of EU
subsidy claim forms to MAFF (the UK's agriculture department), the details
of which are available from the www.maff.gov.uk site.  While it has been
heavily pushed by MAFF, as a consequence of the outbreak of Foot and Mouth
Disease in the UK, and a desire to reduce the risk of accidental transfer of
the virus by farmers delivering forms to MAFF offices, there is still the
problem of getting the certificates.

Also, some of the claim forms require additional documents, such as sketch
maps, which cannot be so easily presented as a blank electronic form in a
browser.  There seems to be a RISK that instead of a large envelope,
containing everything and delivered, with tracking, by the Post Office,
there is an envelope, and a set of electronic data, which must be connected
together somewhere in the MAFF admin system.

There has been some reporting by users, this year and of the trial last
year, in the uk.business.agriculture newsgroup.  The abbreviations "IACS"
and "AAPS" will be useful in any searches of news archives.

Incidentally, I had an e-mail discussion, before the trials started, with
one of the MAFF personnel involved, about the various open signature and
encryption standards defined in RFCs.  He had, as I recall, not heard of
them.

David G. Bell -- Farmer, SF Fan, Filker, and Punslinger.


10th USENIX Security Symposium

<Tiffany Peoples <tiffany@usenix.org>>
Thu, 31 May 2001 16:40:51 -0700

10th USENIX Security Symposium
August 13-17, 2001
Washington, D.C.
http://www.usenix.org/events/sec01
Sponsored by USENIX, the Advanced Computing Systems Association www.usenix.org

REGISTER BY JULY 20, 2001 AND SAVE UP TO $200!

PRACTICAL SECURITY FOR THE REAL WORLD

KEYNOTE ADDRESS by Richard M. Smith, CTO, Privacy Foundation
  "Web-Enabled Gadgets: Can We Trust Them?"
24 REFEREED PAPERS on the best new research
INVITED TALKS by Matt Blaze, Mark Eckenwiler, Eric Murray,
  John Young, Deborah Natsios, etc.
6 TUTORIALS


Announcement - 16th Annual Software Engineering Symposium 2001

<cb@sei.cmu.edu (Carol Biesecker)>
Sun, 3 Jun 2001 20:13:07 +0000 (UTC)

SEI 16th Annual Software Engineering Symposium 2001
October 15 - 18, 2001
Grand Hyatt at Washington Center
Washington, D.C.
World Wide Web: http://www.sei.cmu.edu/symposium/

Catalysts for Improving Acquisition and Development of
Software Intensive Systems

For more information about the Symposium, contact
Symposium 2001 Conference Coordinator
Phone: 412 / 268-3007
FAX:   412 / 268-5556
E-mail: symposium@sei.cmu.edu
World Wide Web: http://www.sei.cmu.edu/symposium/
