The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 26

Monday 8 March 2004

Contents

U.S. Senate security shenanigans
Kristina Herrndobler via James Bauman
PFIR Conference Announcement: "Preventing the Internet Meltdown"
PFIR
Yet another worm masquerades as Microsoft update
NewsScan
The price of e-mail is constant vigilance
Rob Slade
Firms look to limit liability for online security breaches
Jonathan Krim via Monty Solomon
Smartcards weren't so smart after all, says Target
NewsScan
BBC reports card cloning scam
John Sawyer
An interesting airplane user interface
David Magda
Re: Legal Mercedes driver jailed for 18 months
David Gillett
Extended Call for Papers: Voting, Elections, and Technology
Micah Altman
Info on RISKS (comp.risks)

U.S. Senate security shenanigans

<"James Bauman" <James.Bauman@safety-kleen.com>>
Fri, 5 Mar 2004 13:41:26 -0500

If an independent or Justice Department investigation occurs beyond the one
by the U.S. Senate sergeant-at-arms, the security issues (and their possible
accompanying illegal and/or unethical issues) should be interesting to read
about.  Right now, there are a lot of questions about the incident and not
much clarity.

According to a *Chicago Tribune* article, a Senate Republican clerk, Jason
Lundell, watched a system administrator gain access to Democratic folders on
a network.  Then Mr. Lundell repeated the administrator's actions and
"downloaded more than 4,670 files" from those folders.  Lundell gave the
files to Manuel Miranda, who was a staffer for Majority Leader Bill Frist
(R-Tenn.).  Lundell said "Miranda told him that it was common knowledge that
staff could access each other's files".  [Then, I suppose?... Republican
staffers could access Democratic files and Democratic staffers the
Republican ones.]

A Question: If each side could look at each other's files, then why did
Jason Lundell need special knowledge about network security to download the
files?

Regarding this: "Republican committee Chairman Sen. Orrin Hatch of Utah
condemned the actions of the staff members, who no longer work for the
Senate."  "'I am mortified that this improper, unethical and simply
unacceptable breach of confidential files occurred,' Hatch said Thursday as
he released the report. 'There is no excuse that can justify these improper
actions.'"

Later in the article is this: "Furthermore, Mr. Lundell recalled that
Mr. Miranda had told him that Sen. Hatch wanted the staff to use any means
necessary to support President Bush's nominees," the sergeant-at-arms
reported.

Seems that the two Republican staffers took "any means necessary" in the
most literal of senses, and Lundell's assertion in the previous paragraph
could be an embarrassment for Hatch given Hatch's latest statements of
outrage.

Anyway, it's got the earmarks of a good future read as more facts develop
and the smoke clears.

Source: Kristina Herrndobler, GOP staffers accused of taking senators'
files, *Chicago Tribune*, 5 Mar 2004
  http://www.chicagotribune.com/news/nationworld/
  chi-0403050231mar05,1,7561874.story?coll=chi-news-hed


PFIR Conference Announcement: "Preventing the Internet Meltdown"

<PFIR - People For Internet Responsibility <pfir@pfir.org>>
Sat, 06 Mar 2004 18:14:43 -0800

                       PFIR Conference Announcement
                    "Preventing the Internet Meltdown"
                            Spring/Summer 2004
                      Los Angeles, California, USA
                       http://www.pfir.org/meltdown

         PFIR - People For Internet Responsibility - http://www.pfir.org
        [ To subscribe or unsubscribe to/from this list, please send the
          command "subscribe" or "unsubscribe" respectively (without the
          quotes) in the body of an e-mail to "pfir-request@pfir.org". ]

People For Internet Responsibility (PFIR) is pleased to preliminarily
announce an "emergency" conference aimed at preventing the "meltdown" of the
Internet -- the risks of imminent disruption, degradation, unfair
manipulation, and other negative impacts on critical Internet services and
systems in ways that will have a profound impact on the Net and its users
around the world.

We are planning for this conference (lasting two or three days) to take
place as soon as possible, ideally as early as this coming June, with all
sessions and working groups at a hotel in convenient proximity to Los
Angeles International Airport (LAX).

A continuing and rapidly escalating series of alarming events suggests that
immediate cooperative, specific planning is necessary if we are to have any
chance of avoiding the meltdown.  "Red flag" warning signs are many.  A
merely partial list includes attempts to manipulate key network
infrastructures such as the domain name system; lawsuits over Internet
regulatory issues (e.g. VeriSign and domain registrars vs. ICANN); serious
issues of privacy and security; and ever-increasing spam, virus, and related
problems, along with largely ad hoc or non-coordinated "anti-spam" systems
that may do more harm than good and may cause serious collateral damage.

All facets of Internet users and a vast range of critical applications are
at risk from the meltdown.  Commercial firms, schools, nonprofit and
governmental organizations, home users, and everybody else around the world
whose lives are touched in some way by the Internet (and that's practically
everyone) are likely to be seriously and negatively impacted.

Most of these problems are either directly or indirectly the result of the
Internet's lack of responsible and fair planning related to Internet
operations and oversight.  A perceived historical desire for a "hands off"
attitude regarding Internet "governance" has now resulted not only in
commercial abuses, and the specter of lawsuits and courts dictating key
technical issues relating to the Net, but has also invited unilateral
actions by organizations such as the United Nations (UN) and International
Telecommunications Union (ITU) that could profoundly affect the Internet and
its users in unpredictable ways.

Representatives from commercial firms, educational institutions,
governmental entities, nonprofit and other organizations, and any other
interested parties are invited to participate at this conference.
International participation is most definitely encouraged.

The ultimate goal of the conference is to establish a set of *specific*
actions and contingency plans for the Internet-related problems that could
lead to the meltdown.  These may include (but are not limited to) technical,
governance, regulatory, political, and legal actions and plans.  Scenarios to
consider may also include more "radical" technical approaches such as
"alternate root" domain systems, technologies to bypass unreasonable
ISP restrictions, and a wide range of other practical possibilities.

It is anticipated that the conference will include a variety of panels
focused on illuminating specific aspects of these problems, along with
potential reactions, solutions, and contingency planning for worst-case
scenarios.  Breakout working groups will be available for detailed
discussion and planning efforts.  Formal papers will not be required, but
panel members may be asked to submit brief abstracts of prepared remarks in
advance to assist in organizing the sessions.

The ability of this conference to take place, and necessary conference
details such as the specific program, costs, etc. will depend largely on the
response to this announcement and particularly on the number of persons and
organizations who express a potential interest in attending.

If you may be interested in participating (no obligation at this point, of
course) or have any questions, please send an e-mail as soon as possible to:

     meltdown@pfir.org

or feel free to contact Lauren at the phone number below.  As appropriate,
please be sure to mention how many people from your organization may be
interested in attending.  If you express an interest in attending, you will
be added to a private mailing list for upcoming announcements regarding this
conference unless you ask not to be so notified.

Together, we may be able to stop the Internet meltdown.
But we need to act now.

Thank you for your consideration.

  - - -

Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org
Tel: +1 (818) 225-2800
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Co-Founder, URIICA - Union for Representative International Internet
    Cooperation and Analysis - http://www.uriica.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
http://www.pfir.org/lauren

Peter G. Neumann
neumann@pfir.org or neumann@csl.sri.com or neumann@risks.org
Tel: +1 (650) 859-2375
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Co-Founder, URIICA - Union for Representative International Internet
    Cooperation and Analysis - http://www.uriica.org
Moderator, RISKS Forum - http://risks.org
Chairman, ACM Committee on Computers and Public Policy
http://www.csl.sri.com/neumann

David J. Farber
dave@farber.net
Tel: +1 (412) 726-9889
Distinguished Career Professor of Computer Science and Public Policy,
    Carnegie Mellon University, School of Computer Science
Member of the Board of Trustees EFF - http://www.eff.org
Member of the Advisory Board -- EPIC - http://www.epic.org
Member of the Advisory Board -- CDT - http://www.cdt.org
Member of Board of Directors -- PFIR - http://www.pfir.org
Co-Founder, URIICA - Union for Representative International Internet
    Cooperation and Analysis - http://www.uriica.org
Member of the Executive Committee USACM
http://www.cis.upenn.edu/~farber

(Affiliations shown for identification only.)


Yet another worm masquerades as Microsoft update

<"NewsScan" <newsscan@newsscan.com>>
Mon, 08 Mar 2004 09:23:00 -0700

The latest variation on the Sober worm -- Sober.D -- tries to trick
recipients into opening it by disguising itself as a Microsoft Update
message. "It arrives in an e-mail that pretends to be a patch to protect
against a version of MyDoom," says a senior consultant at antivirus firm
Sophos. "The e-mail appears to be a Microsoft patch so people will of course
double-click on that attachment." Once a user clicks on the file, the worm
scans the PC to see if it's already infected -- if not, it installs itself
and uses its own SMTP engine to send copies of itself to e-mail addresses
found on the victim's PC. Microsoft emphasizes that it does not send patches
via e-mail and that users should ignore such messages.  [ZDNet 8 Mar 2004;
NewsScan Daily, 8 Mar 2004]
  http://zdnet.com.com/2100-1105_2-5171243.html


The price of e-mail is constant vigilance

<Rob Slade <rslade@sprint.ca>>
Sat, 6 Mar 2004 16:37:18 -0800

Peter Wilson's article on spam and viruses (on Saturday, March 6, 2004)
lists a number of antispam measures that are currently being promoted.  He
also retails Bill Gates' confident prediction that spam will be a thing of
the past by 2006.  Remember that prophecy, because Bill Gates is going to be
proven wrong.  An examination of the measures listed in the article
demonstrates why.

SPF (sender-permitted format) is currently garnering the greatest interest.
The description of SPF as a kind of caller-ID is not quite correct.  All
e-mail carries caller-ID in the form of the information about who the
message is from, and information about the Internet Protocol (IP) address
that originated the message.  SPF is actually an attempt to contact the site
that is supposed to have originated the message, and verify that these two
pieces of information match, or, at least, are likely.  Spammers, when
creating spoofed addresses, don't bother to make sure that they do.  Or, at
least, they haven't up until now.

Microsoft's own version seems to be either an attempt to compete or an
attempt to derail SPF: SPF is primarily promoted by AOL, and the two
companies have never played particularly well together.  Microsoft's plan is
derided by the SPF camp for being proprietary.  It is true that SPF uses
features and functions that make more effective use of the e-mail protocols
that are currently in use on the Internet.  The configuration of factors is
not universal, though, and some of the activities will require new
programming for everyone who participates in SPF.  Which may mean that the
Internet might become split into the camp of those who use SPF, and those
who don't.

I have seen this in action already.  I have a number of accounts.  (And, of
course, get tons of spam.)  One is through Vancouver CommunityNet, which
does not have very much in the way of spam detection or prevention.  Because
of the volume of spam this account receives (particularly during the Sobig
flood last summer), I forwarded the account to a service that does spam and
virus filtering.  One of the functions that the service uses is similar to
the SPF protocol.  A great deal of the spam that was being forwarded was
unverifiable, and so the service simply refused to accept it.  This meant
that a volume of e-mail built up on Vancouver CommunityNet, to the point that
it affected the mail system as a whole.  (Vancouver CommunityNet, despite
being informed of all the details, and my own actions to rectify the
situation, has handled the whole matter in a very sloppy manner.)

SPF has promise, and it may be possible (unlike the Microsoft proposal) to
provide workarounds for a variety of systems, platforms, and applications.
However, there are a number of issues that still have to be resolved, such as
e-mail aliases, third-party services, and applications such as mailing lists,
which operate in a wide variety of forms.  The difficulties are not
insurmountable, but an enormous amount of work still has to be done.

Microsoft's micropayments strategy is apparently the most recent one, but
has been raised many times over the history of the nets.  (One of the
popular programs providing Usenet news, a type of topical discussion, used
to remind anyone who attempted to post a message that it would possibly cost
thousands of dollars to send this to everyone: did they really want to do
that?)  Unfortunately, the issue of mailing lists comes up almost
immediately.  Even if we assume one cent per message, if I send a message to
a popular list such as the RISKS-FORUM Digest, with a possible hundred
thousand subscribers, am I charged a thousand dollars for that message?  Is
the list moderator charged?  In the case of RISKS, it is also redistributed
by a number of sub-mailing lists: do those costs get charged to the accounts
of the local administrators?  The list moderator?  Me?

(The obvious second question is: who *gets* the money?  The Internet
Engineering Task Force?  Some bloated bureaucracy parcelling out the cash to
the various national telecom carriers?  Charity?  Microsoft?  The recipient?
Hmmm.  Maybe I should rethink my objection to the micropayment system.  At
one point I was getting 8,000 [yes, eight thousand] copies of spam from one
system in China.  Per hour.  Same message.)

And, of course, in order to provide for such a micropayment system,
everybody is going to have to use a Microsoft mailer.  With a Microsoft
payment system.  And a Microsoft account.  This sounds like an attempt to
resurrect the (justly derided and roundly condemned) Passport and Palladium
systems.

The challenge-response system is already being used by a number of outfits
providing spam filtering and other services.  It is a nuisance.  It can
create a great deal of annoyance in a number of situations, not least being
mailing lists.

It also doesn't work.  The most common challenge response systems present a
graphical image of a word.  This word is supposed to be entered in a field
on a web page in order to create permission for the message to go through.
People can read the word easily, but machines have difficulty with this type
of task, so this makes it impossible for spammers to automate the sending of
e-mail: they have to read and respond to every challenge.

That's the theory.  In fact, spammers have already been found to be
"automating" the process--using Internet web surfers.  A number of web pages
have been set up promising access to pornography.  In order to access the
files, you have to respond to a challenge.  The challenges are, of course,
those that are being presented on the antispam filtering sites.  Those
challenges are simply extracted, presented to the surfers wanting access to
pornographic images, solved by the user, and the solution fed back to the
antispam site.  The same problems apply to computational puzzles: they are
simply another form of challenge-response.

In fact, most of these antispam technologies fail in the face of the problem
of spam nets set up by viruses.  Spam sent from infected machines could
simply use the name of the owner, thus verifying the identity.  Spam sent
from infected machines could use the micropayment "wallet" on the infected
machine, thus creating not only problems of clean-up for the owner, but also
a real cost.  Infected machines could be used to crack computational
puzzles, or the owner could be presented with challenges to respond to, in a
variety of ways.

Spam has passed the stage of being a nuisance.  E-mail is a means of
communication that is starting to rival the phone, and spam is seriously
degrading the effectiveness and utility of e-mail.  Antispam measures are
badly needed, but we cannot accept any proposed solution uncritically.
Dividing the Internet into isolated camps of incompatible (and rival)
antispam technologies takes us back to the early days of online systems,
when lots of people had e-mail, but nobody could talk to each other.

There is no easy fix, and there is no easy answer.  Administrators have to
ensure that they are not providing open relays that can be used for spam.
E-mail filtering services are checking for inappropriate inbound e-mail, but
must also check what is going out.  ISPs (Internet Service Providers) must
be more vigilant in regard to the use being made of the net to which they
provide access.  Computer users at all levels have to check for malicious
software, unpatched vulnerabilities, open ports and services, and what is
going out of their systems as well as what is coming in.  Everybody needs to
become more aware of what is going on, and keep up with the changes in
threats around us all.

And anyone who tells you it is not going to be painful is selling something.

rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Firms look to limit liability for online security breaches (Krim)

<Monty Solomon <monty@roscom.com>>
Fri, 5 Mar 2004 09:30:15 -0500

Firms Look to Limit Liability for Online Security Breaches
Jonathan Krim, *The Washington Post*, 5 Mar 2004; Page E01

In the face of ongoing attacks by computer hackers, some companies that
store their customers' personal data are adopting a new defensive tactic: If
your information is stolen, they're not legally responsible.  Across the
Internet, retailers and other service providers that handle consumer
transactions are requiring customers to agree to waive any right to sue the
companies if the businesses are hacked, regardless of how secure their
systems are.  The waivers are contained in lengthy terms-of-use agreements
that consumers often click to accept without reading closely.  ...
  http://www.washingtonpost.com/wp-dyn/articles/A31874-2004Mar4.html


Smartcards weren't so smart after all, says Target

<"NewsScan" <newsscan@newsscan.com>>
Thu, 04 Mar 2004 10:33:54 -0700

Target is phasing out the computer chips embedded in its branded Visa cards
less than three years after they were first introduced, citing "limited use"
by shoppers. The technology allowed cardholders to download coupons from the
Internet or in-store kiosks in order to receive discounts on merchandise,
but few customers took advantage of the feature. Only 3.5% of Americans 18
years or older said they had used a smart payment card like Target's,
according to a survey conducted by Financial Insights in March 2004. John
Gould, director of consumer lending and bank cards at TowerGroup, says
Target had been on the right track with its smartcard rollout and perhaps
was overhasty in its decision to curtail the program.  "I don't think they
gave it time to mature," he says.  [Reuters, 3 Mar 2004; NewsScan Daily,
4 Mar 2004]
  http://www.reuters.com/newsArticle.jhtml;jsessionid=
  JPT5K1DAV2VEACRBAEKSFEY?type=technologyNews&storyID=4491160&section=news


BBC reports card cloning scam

<John Sawyer <jpgsawyer@btopenworld.com>>
Fri, 5 Mar 2004 14:28:34 +0000 (GMT)

The BBC is reporting that an Automatic Teller Machine scam that records card
and password details to allow card cloning is spreading in Cardiff and other
parts of West Wales.
  http://news.bbc.co.uk/1/hi/wales/3535473.stm

Risks has seen this kind of thing before but perhaps not to this level of
sophistication.

Dr John Sawyer, Department of Mechanical and Design Engineering
University of Portsmouth


An interesting airplane user interface

<David Magda <dmagda@ee.ryerson.ca>>
Sat, 6 Mar 2004 08:50:20 -0500

I found the following anecdote in Edward Tufte's message board:
  http://www.edwardtufte.com/bboard/q-and-a-fetch-msg?
  msg_id=0001Gl&topic_id=1&topic=Ask%20E%2eT%2e

  Alan Kay and User Interfaces

  I attended the course in Boston yesterday, and enjoyed it very much.  Made
  me think about the following story which might spur some discussion or
  comments here. It seems related to the overall theme here.

  In 1985 I attended an OOPSLA (Object oriented programming languages ...)
  conference. Alan Kay (PARC/Smalltalk/Apple/Macintosh/...) gave a
  presentation. Alan told the following true story:

  He once flew down to Mexico on vacation, to some lonely place on the
  California peninsula for surfing etc. A pilot was supposed to come in a
  week to pick him up at a rural landing strip. Alan got there on time,
  waited, and eventually the plane, an older DC3, came. When Alan entered
  the plane he noticed that almost all the instruments had been unscrewed
  from the panels, pulled out and twisted around in various positions, and
  were basically standing (or waving) on their cable hoses like flowers on
  their stems. He got worried, considered exiting the plane, but decided to
  stay. The pilot, a younger fellow, seemed trustworthy.

  When the plane had reached cruising altitude and speed Alan suddenly "got
  it" wrt. the instruments. As long as everything was operating correctly,
  all the needles on the instruments were pointing in the same direction! It
  was very easy to spot if anything out of the ordinary was going on, and
  what that might be.

  This story has stuck with me as a super example of adapting the technology
  to what we people are good at, as opposed to the other way around which is
  too often the case.

  Enjoy, Harald

With the multitude of gauges in a cockpit this is a brilliant way to quickly
scan the status of the various components of the airplane.  The display of
information is quite important in complex systems and has been discussed in
RISKS before (e.g., RISKS-23.12, the whole "Bubba" debate).


Re: Legal Mercedes driver jailed for 18 months (Lesser, RISKS-23.2x)

<David Gillett <dgillett@deepforest.org>>
Fri, 05 Mar 2004 00:13:36 -0800

A few years back, before my father retired from traffic engineering, his was
one of several cars narrowly missed by a vehicle operated with excessive
speed and careless disregard for others on the road.  He told me that the
driver, when he appeared in court, argued that as the holder of a racing
driver's permit, he had been in perfect control of his vehicle at all times.

The judge ruled that it was entirely UNreasonable to assume a similar level
of skill and coordination on the part of other drivers using the roadway,
and imposed the maximum available sentence.

Yes, you can be liable for provoking foreseeable mis-reactions....


Extended Call for Papers: Voting, Elections, and Technology

<Micah Altman <Micah_Altman@harvard.edu>>
Thu, 4 Mar 2004 19:22:28 -0500 (EST)

Due to the scheduling of other journal issues, the SSCORE editor has given
us an opportunity to extend the original deadline for submissions to this
special issue until June 15.

  Call for Papers: *Voting, Elections, and Technology*
  a special issue of _Social_Science_Computer_Review_

This special issue of Social Science Computer Review will bring together a
collection of high quality academic work that extends, refines and
challenges our understanding of the use, state of the art, and challenges
associated with voting and election technology, broadly conceived.

This special issue will bring together papers that investigate specific
cases of the use of technology in voting and elections, as well as analysis
of policy, and reviews of the state of the art. Papers from a broad range of
social science perspectives are encouraged. Submissions can be in the form
of full papers (maximum 20 printed pages) or in the form of short papers (5
printed pages). Post-graduate students are particularly encouraged to submit
early work in the form of short papers.

 *Sample Topics*: E-voting, Online voter survey methods, Technologies for
election forecasting, Agent-based models of voting behavior, Web-based
campaign fundraising, Redistricting technology, Policy implications

[Abridged for RISKS.  For more on SCORE, see this URL:
 	http://hcl.chass.ncsu.edu/sscore/sscore.htm
]
