Code-Breakers Go to Court
By Declan McCullagh (firstname.lastname@example.org), 6:22 a.m. June 6, 2001 PDT

WASHINGTON — After a team of academics who broke a music-watermarking scheme bowed to legal threats from the recording industry and chose not to publish their research in April, they vowed to "fight another day, in another way."

On Wednesday, Ed Felten of Princeton University and seven other researchers took their fight to a New Jersey federal court in a lawsuit asking that they be permitted to disclose their work at a security conference this summer.

Joining them is the Usenix Association, a 26-year-old professional organization that has accepted Felten's paper for its 10th security symposium in Washington during the week of Aug. 13. The Electronic Frontier Foundation is representing the researchers and Usenix.

In what appears to be the first legal challenge to the Digital Millennium Copyright Act's criminal sections, Usenix is asking the court to block the Justice Department from prosecuting the conference organizers for allowing the paper to be presented.

[...]

[http://www.wired.com/news/mp3/0,1285,44344,00.html]

Background: http://www.politechbot.com/cgi-bin/politech.cgi?name=felten

DMCA-related photos:
http://www.mccullagh.org/theme/dmca-appeals-arguments.html
http://www.mccullagh.org/theme/dvd-2600-trial.html
http://www.mccullagh.org/theme/dmca-protest.html

EFF document archive: http://www.eff.org/Legal/Cases/Felten_v_RIAA/

POLITECH — Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
I was driving on I-405 northbound in southern Los Angeles County when I saw a bitmapped billboard on the east side of the road that was displaying a Windows error message. I couldn't take down the exact text, but it was something like "The file cannot be played; it may be corrupt". This was a first for me. I had seen Windows error messages displayed on video monitors in airports and other public places, but never on a full-sized billboard.

Now, digital billboards that display animation are already a Risk of distraction to passing drivers; there is an especially bright billboard on the Sunset Strip that is IMHO a serious traffic hazard, and it often plays music videos and the like. I don't know what the billboard on I-405 normally shows.

One might argue that the giant Windows error is actually an anti-Risk because it reminds the entire populace just how unreliable Microsoft products are, thus reducing the likelihood that a passing motorist will specify such products as part of a safety-critical system once they get to work. On the other hand, it is easy to imagine the havoc that could be caused by someone who managed to hack a billboard next to the freeway and display their own content on it, particularly if the billboard is supposed to display safety-relevant traffic messages.

Phil Agre

[Phil, Please drive safely, with hands-free cell phone headset (unless you already have a dashboard-mounted videocam/videophone set), coffee in one hand, a hot dog in the other, while watching your GPS video screen at the same time. Then you can safely ignore the safety-related signs. BTW, My local movie N-plex recently displayed a bunch of operating system prompts and reboot script in the space devoted to which shows were sold out. We've also had reports of similar activities in RISKS. PGN]
The California Assembly passed a bill today which would make it illegal for Californians to play games online that are otherwise illegal in California. The bill would fine first-time transgressors $25 per transaction (not conviction) and $100 per transaction thereafter. Companies (anywhere) convicted of catering to Californians could be liable for $1000 per transaction and 90 days in jail. The bill supposedly specifically allows prosecutors to go after offshore corporations.

http://www0.mercurycenter.com/breaking/docs/064216.htm

We're barely finished cursing France for their stupidity in attacking Yahoo!, and we go and do something equally stupid. Hopefully, our Senate or Governor is a little smarter than our Assembly.

Anyone want to bet that this bill doesn't work as intended? No, wait a minute, I could get arrested for that.
The Dutch Minister of Justice, Korthals, has announced measures that will make it illegal to produce or possess child pornography created by means of electronic image manipulation. The proposed legislation appears to be aimed at preventing the production and possession of artificially rendered images that could be interpreted as representations of children involved in sexual acts. Current Dutch law states that the production or possession of pornography is a criminal offence if it involves the physical (ab)use of (real) persons under a certain age. [Based on a report in an e-mail message from Radio Nederland Wereldomroep.]

Leaving aside for the moment the moral issues involved, as well as the practical aspects of enforcement, or even the difficulty of ascertaining the age of a virtual person, the legal ramifications could prove interesting, since the proposal appears to be based on the assumption that the virtual representation of an activity can somehow be put on a par with its physical counterpart.

Few, if any, people will be prepared to argue in favour of sexual acts involving children, which is why it is an illegal activity. In the same vein, few would argue in favour of the wholesale slaughter of people for the purpose of entertainment. We find the idea repugnant, which is why such activities have also been made illegal, at least in most modern countries. On the basis of these premises, I wonder how the widespread legal availability of virtual reality shoot-'em-up computer games will affect, or be affected by, the proposed legislation. I somehow doubt that Mr. Korthals will be prepared to do battle with such economic forces as represented by Messrs. Sony, Nintendo, and soon, Xbox producers, Microsoft.

The RISKS? Assuming that seeing is believing, or that What You See Is What You Get.

Marcus de Geus <email@example.com> http://www.degeus.com
On 1 Jun 2001, the majority of people on the government payroll were paid with a one-day delay. The same goes for refunds for VAT and taxes.

The reason: Belgian postal services are tasked with doing the money transfers towards the different banks. Seems that they had a special situation: on 31 May, not only did people have to be paid, but with the next weekend (02-04 Jun) being a long one, an 'exceptionally large number' of transactions were fed to the system. In itself this should not have been a problem, but the system has some built-in time-restrictions, described as being rather 'large'. This is, of course, to avoid runaway jobs from causing further damage, just in case. Yet, some components were hitting these time-restrictions before they were actually finished.

The Post's spokesman said that this kind of situation is only encountered once in 5 years. At first, of course, the functionaries were suspecting their respective payment departments to be responsible. Phones didn't stop ringing all day, then finally it was also on the news.

kris carlier - firstname.lastname@example.org KC62-RIPE SMS: +32-475-61.43.05
*The Guardian* (UK) "reports" (by printing a press release) today on a "system" to allow teachers to report truanting children to their parents. The "article" contains a number of less-than-stunning revelations, such as that "a large number of parents have mobile phones", and some highly meaningless claims, for example "The device can also be used to inform headteachers, therefore cutting down on the time the overall monitoring process takes."

Full text: http://www.guardian.co.uk/Archive/Article/0,4273,4196245,00.html
(and don't forget to click on the related story at the end, about students calling their parents from the classroom to complain about their teachers!)

The RISKs should be fairly obvious to regular readers, both in the system itself, and also in the phenomenon of supposedly "upmarket" newspapers with a tradition of investigative reporting, printing technology company press releases as news. A further example of the latter is the collection of unverifiable claims in the "article" on Microsoft Office XP at http://www.guardian.co.uk/Archive/Article/0,4273,4196242,00.html.

Nick Brown, Strasbourg, France
Apparently the Gullibility Virus (http://bob.bob.bofh.org/~robm/manual/virus/gullibility.html) has struck more people than first realized.

Remember this from several months back?

  Subject: New Minnysoota Virus.

  Sven and Ole vere here. Yew have yust received da Sven & Ole Computer Virus. Because ve don't know how to program computers, dis virus verks on da honor system. Please delete all da files on yewr hard drive manually and forward dis message to everyvon on yewr mailing list. Tank yew fer yewr kewhopeeration.

  Sven and Ole

I thought this was pretty funny, at the time, but then I saw the recent warnings on the Hoax-Virus, like this: http://www.thestandard.com/article/0,1902,26780,00.html

It suddenly came to me, that someone had taken the Sven&Ole model, and improved on it, just a little. AND IT IS WORKING! Apparently you don't even have to be a script-kiddy to make an effective virus. (Hey kid, if you put sugar in your dad's car's gas tank, it will run real fast... Well, Joe, if you want to get that charcoal started FAST, try this jar of gasoline... If you don't have a fuse, just stick a penny in the socket... memes?)

It is not surprising that a few users might fall for this, but the very fact that something like this can find a toe-hold to spread confirms that a big risk of technology (ignorance) has been with us since the first tool user cut himself with the first sharp rock. Is the real risk of information technology that it enables the ultra-rapid spread of malicious memes?
I find it surprising that people on this list are so dismissive of anti-ballistic missile technology:

* the US and Russia both use and sell various forms of surface-to-air missiles designed to shoot down even very fast planes like F-16s and MIG-29s.
* attacking missiles in terminal phase seems like a natural extension of the capabilities of existing SAM systems (not a radically new technological development)
* missiles in boost phase are very hot and move very slowly and predictably (much more so than highly maneuverable fighter planes) — so there is some reason to believe that boost phase systems can be more effective than SAMs.

From a technical perspective, development of boost phase interception does not seem obviously more complex than that of the Aegis ship based defense system. Moreover, general ABM seems like a natural extension of the Aegis system in particular. We now know that the USSR actually deployed an integrated missile tracking system at Krasnoyarsk — so at the very least that portion of the technology is actually deployable.

Obviously developing and deploying ABM systems will not be easy and there is substantial risk of failure. Moreover even a successful project may be substantially less than 100% effective. However, the same is true of most defense systems, but we develop and deploy them anyway. Why hold ABM to a different standard than other defense technology?

Critics may have good policy reasons to oppose deployment of ABM systems, but creating FUD about development risks is a service to no one.

Alex S. Alexander Jacobson 1-646-638-2300
> Are they mad? One barely knows where to start enumerating the risks
> of such an undertaking.

Try to remind the politicians of snail mail and the fact that anyone may send a letter anonymously by dropping it in a mailbox. I humbly suggest that they put a clerk and a photocopy machine at every snail mail box. Let the clerk identify everyone dropping a letter. And of course open the envelope and make a photocopy of the letter to be archived for seven years. If they still think it's a good idea, vote for other politicians.

Morten Norman
It is possible to explain this without the credit-card company rep being either stupid or over-trusting. If the database tracks changes to the data and the rep was aware of an automated change (a systematic change to the database, such as might occur in changing the schema in the database), the rep might be able to know that you should have gotten a preference update notification and that no manual changes had been made to your data.

Obviously, it is also possible that there was some break-in, but if the rep had a reasonable explanation consistent with all the data, Occam's razor argues for assuming that explanation.

scott preece, motorola/css urbana design center email@example.com 1800 s. oak st., champaign, il 61820 1-217-384-8589
If you send a Word .doc file directly to someone else, without going to "track changes" and accepting all changes, your recipient can see all the edits you have made to the document, with results that can be humorous, embarrassing, or worse. This is old news to RISKS readers--how long ago did the first mention of the problem appear in RISKS? But perhaps the recent appearance of an article about it in The Wall Street Journal (May 14th, page C1) is worthy of mention.

The article is entitled "How to Read Between the Corporate Lines." It gives the procedure for viewing Microsoft Word edits, and (with somewhat less clarity) the procedure you must go through to prevent someone else from viewing YOUR edits. The way the Journal puts it: "Just a couple of clicks provides a revealing peek into how some companies massage their public messages to Wall Street."

In a news release from Ameritrade Holding Corp, "in one draft, Ameritrade billed the March hiring of Mr. Moglia as one of the 'right decisions' the company made during a difficult second quarter. But his name ended up on the cutting-room floor, a thin blue line erasing him from the final version." It mentions that "Analysts and investors looking at an earlier draft would have found a per-share, quarterly loss of 31 cents. But that, too, was crossed out and changed to a loss of 30 cents." An Ameritrade spokeswoman brushed off the changes, saying "it is too bad--but on the other side of it, it is too bad that someone would think to turn the edits on."

The article goes on to cite minor gaffes from Visa USA, Allied Capital, Web Street, and Acxiom, leaving little doubt that the problem is widespread. There are no real howlers or scandals here. But you'd think the RISKS would be obvious, wouldn't you?

Daniel P. B. Smith <firstname.lastname@example.org> "Lifetime forwarding" address: email@example.com
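An added pre-release check for the leak described in this item; it is not code from the RISKS contributor or the Journal article. The 2001 item concerns binary .doc files; this check assumes the modern .docx (OOXML) container instead, where unaccepted insertions, deletions and comment anchors persist as w:ins, w:del and w:commentRangeStart elements in word/document.xml, and the deleted text itself survives in w:delText. The sample document is constructed here, modelled on the 31-cents/30-cents edit quoted above.

```python
"""Scan a .docx for tracked changes and comments before it leaves the building.

Added example (not from the RISKS item). Assumes OOXML .docx, not the 2001-era
binary .doc format the original item discusses.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
W_URI = W[1:-1]


def find_revisions(docx_bytes: bytes) -> dict:
    """Count tracked insertions, deletions and comment anchors in the main part,
    and collect the deleted text a recipient could recover by showing edits."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    insertions = root.findall(f".//{W}ins")
    deletions = root.findall(f".//{W}del")
    comments = root.findall(f".//{W}commentRangeStart")
    # Deleted runs keep their original text in <w:delText>; that is the leak.
    deleted_text = [t.text or "" for d in deletions for t in d.iter(f"{W}delText")]
    return {
        "insertions": len(insertions),
        "deletions": len(deletions),
        "comments": len(comments),
        "deleted_text": deleted_text,
    }


def is_clean(docx_bytes: bytes) -> bool:
    """True only when no revision marks or comments remain."""
    r = find_revisions(docx_bytes)
    return r["insertions"] == 0 and r["deletions"] == 0 and r["comments"] == 0


def build_sample_docx(body_xml: str) -> bytes:
    """Constructed minimal .docx: only the parts this check needs to read."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    )
    document = (
        f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{W_URI}">'
        f"<w:body>{body_xml}</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed draft: "31" was struck out and "30" inserted but never accepted.
DRAFT_BODY = (
    "<w:p><w:r><w:t>Per-share quarterly loss of </w:t></w:r>"
    '<w:del w:id="1" w:author="editor" w:date="2001-05-01T00:00:00Z">'
    "<w:r><w:delText>31</w:delText></w:r></w:del>"
    '<w:ins w:id="2" w:author="editor" w:date="2001-05-01T00:00:00Z">'
    "<w:r><w:t>30</w:t></w:r></w:ins>"
    "<w:r><w:t> cents.</w:t></w:r></w:p>"
)
# Constructed final: the same sentence after accepting all changes.
FINAL_BODY = "<w:p><w:r><w:t>Per-share quarterly loss of 30 cents.</w:t></w:r></w:p>"

if __name__ == "__main__":
    for name, body in (("draft", DRAFT_BODY), ("final", FINAL_BODY)):
        print(name, find_revisions(build_sample_docx(body)), "clean:", is_clean(build_sample_docx(body)))
```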
> Word was set to allow "Fast Saves", which is a non-default setting
> that performs incremental rather than complete saves.

It's worth pointing out that for a long time the default was to have fast save _on_. The first thing I would do with any version of Word is check for and disable it, having discovered its lack of reliability. (Many patches to earlier versions of Word were solely to address, er, issues with fast save.)

The risk lies in changing the defaults when user experience has led to certain expectations. In this case, if you were hoping that fast save would let you recover mistakenly deleted text based on experience of older versions of Word, you'd be out of luck.

<L.Wood@surrey.ac.uk> PGP <http://www.ee.surrey.ac.uk/Personal/L.Wood/>
The report on this webpage http://grc.com/dos/grcdos.htm is from Steve Gibson, a respected name in the tech community, and it details his travails after grc.com came under attack from a 13-year-old hacker, at first due to a mistaken belief Gibson had called him a name, then simply because it was fun. It mentions how Windows XP was all but made with these so-called "script kiddies" in mind, and they're aware of it--and when it is more widely spread, they will be able to launch devastating, perhaps unstoppable attacks. He also mentions how much trouble he had getting any of the major ISPs to cooperate with him.

This is an eye-opening report. Ignore it at your peril.

Chris Meadows aka Robotech_Master, Co-moderator rec.toys.transformers.moderated, firstname.lastname@example.org <URL:http://www.eyrie.org/~robotech/>
I believe that the RISKS here are far more profound than a few broken links.

In the beginning, authors were responsible for their own words and our programs (confusingly called 'editors') preserved them. Until those butchers, our human editors, hacked at them.

Then computers became powerful enough for 'editors' to act as advising editors. We still owned our own words, at least until they-who-edit-because-they-cannot-write got ahold of them, but the programs could handle the tedious work of digging out the dictionary.

Now, for the first time, we see a program usurping the role of the human editor. Unlike the human counterpart, we can't bribe this one with cheap booze when the facts fail to sway them. On this issue the program is the FINAL editor, sans appeal. This is... scary.

The smaller problem is one of liability - if a human editor screws up, he can face real consequences. But if a program is responsible for dropping a single word from the sentence "Mr. Smith did not murder his wife," the humans will still bear the responsibility even though they were powerless to prevent it. This type of liability isn't unprecedented, but it probably hasn't seen widespread use since codpieces were the height of male fashion. (hmmm....)

The bigger problem is that this will be an unbearable temptation to the same "technical solutions to social problems" crowd that loves photo radar and net filters in libraries. Why worry about the attitudes that would make someone type "the N word" if you can require software to automatically edit out the offensive word or phrase? Even better, we have the precedent that WYSIWYG doesn't mean WYSIWYG - it's now perfectly legitimate for the original author to see what he typed, but for the saved file (and all subsequent viewers) to see a different word. What would stop the Republic of Freedonia from requiring all word processors to replace all references to their breakaway province Catatonia with the phrase "breakaway province of Catatonia"? The Breakaway Province of Catatonia would naturally have its own laws regarding Imperialistic Freedonia.

In the US we have the First Amendment to protect us from laws requiring such changes. Which just means that these laws will sneak in the back door. Some obvious examples: how could any school justify allowing minor students to write obscene screeds? (Never mind legitimate book reports on Mark Twain.) How can any company defend itself against a sexual harassment suit, already an extremely confusing body of case law, if company e-mail allows employees to be referred to with "the B and C words?"

This "feature" isn't scary because it will break a few links. It's scary because it opens the door for our voices to become those of a stranger.

Bear Giles bgiles (at) coyotesong (dot) com
Microsoft knows best. That is no different than Windows 95 forcing all capital-letter file names into Microsoft's chosen format. You have no choice, you are not given any way to change the behavior, you must submit to Microsoft's wishes. Must feel good to be a monopoly and be able to force personal computer users to behave as you wish.
Two quotes from the article:

"J.S. Wurzler Underwriting Managers, one of the first companies to offer hacker insurance, has begun charging its clients 5 percent to 15 percent more if they use Microsoft's Windows NT software in their Internet operations."

"...found that system administrators working on open source systems tend to be better trained and stay with their employers longer than those at firms using Windows software, where turnover can exceed 33 percent per year."

The article can be found at: http://www.zdnet.com/intweek/stories/news/0,4164,2766045,00.html

-Elana
The same system is also being used for the electronic submission of EU subsidy claim forms to MAFF (the UK's agriculture department), the details of which are available from the www.maff.gov.uk site. While it has been heavily pushed by MAFF, as a consequence of the outbreak of Foot and Mouth Disease in the UK, and a desire to reduce the risk of accidental transfer of the virus by farmers delivering forms to MAFF offices, there is still the problem of getting the certificates.

Also, some of the claim forms require additional documents, such as sketch maps, which cannot be so easily presented as a blank electronic form in a browser. There seems to be a RISK that instead of a large envelope, containing everything and delivered, with tracking, by the Post Office, there is an envelope, and a set of electronic data, which must be connected together somewhere in the MAFF admin system.

There has been some reporting by users, this year and of the trial last year, in the uk.business.agriculture newsgroup. The abbreviations "IACS" and "AAPS" will be useful in any searches of news archives.

Incidentally, I had an e-mail discussion, before the trials started, with one of the MAFF personnel involved, about the various open signature and encryption standards defined in RFCs. He had, as I recall, not heard of them.

David G. Bell — Farmer, SF Fan, Filker, and Punslinger.
10th USENIX Security Symposium
August 13-17, 2001, Washington, D.C.
http://www.usenix.org/events/sec01
Sponsored by USENIX, the Advanced Computing Systems Association (www.usenix.org)

REGISTER BY JULY 20, 2001 AND SAVE UP TO $200!

PRACTICAL SECURITY FOR THE REAL WORLD

KEYNOTE ADDRESS by Richard M. Smith, CTO, Privacy Foundation: "Web-Enabled Gadgets: Can We Trust Them?"
24 REFEREED PAPERS on the best new research
INVITED TALKS by Matt Blaze, Mark Eckenwiler, Eric Murray, John Young, Deborah Natsios, etc.
6 TUTORIALS
SEI 16th Annual Software Engineering Symposium 2001
October 15 - 18, 2001
Grand Hyatt at Washington Center, Washington, D.C.
World Wide Web: http://www.sei.cmu.edu/symposium/

Catalysts for Improving Acquisition and Development of Software Intensive Systems

For more information about the Symposium, contact:
Symposium 2001 Conference Coordinator
Phone: 412 / 268-3007
FAX: 412 / 268-5556
E-mail: email@example.com
World Wide Web: http://www.sei.cmu.edu/symposium/