Subject: RISKS DIGEST 15.04 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Friday 10 September 1993 Volume 15 : Issue 04 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: [RISKS issues unlikely for the next two weeks. Don't complain.] EuroDigital (Brian Randell) Brussels Branch Of BNP Hit By Computer Fraud (jxm) Screen savers hide what's running below them (Alan Munn) Where should we look for risks? (Steve Talbott) Re: Security holes and risks of software ... (Geoffrey H. Cooper, John Carr) Re: "Offshore Data Havens" (Fred Baube, Gary Preckshot) Re: The risks of Naive Users (Mark Brader) Re: More Gripen Griping (Mark Stalzer) The RISKS Forum is a moderated digest discussing risks; comp.risks is its USENET counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to risks@csl.sri.com, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. PLEASE SEND REQUESTS FOR SUBSCRIPTIONS, archive problems, and other information to risks-request@csl.sri.com (not automated). BITNET users may subscribe via your favorite LISTSERV: "SUBSCRIBE RISKS". Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 15, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. If you are interested in receiving RISKS via fax, please send E-mail to risks-fax@vortex.com, phone +1 (310) 455-9300, or fax +1 (310) 455-2364 for information regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; instead, as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM . ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Thu, 9 Sep 1993 18:10:41 +0100 From: Brian.Randell@newcastle.ac.uk Subject: EuroDigital The attached article about a new digital phone service, about to be launched in the UK, is from the Monday, Sept 6, 1993, issue of The Independent. Also in this issue was a two page advertisement for the new service - the text of this is also attached. My understanding is that the new equipment produces emissions that have characteristics that were not considered when the regulations and guidelines (under which existing devices such as hearing aids were designed) were laid down. If this is right, then the statement by the providers of the new service that the problems are the responsibility of the manufacturers of such devices would seem to be highly questionable. I await with interest RISKs readers' reactions to the article (and the advertisement). Brian Randell, Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK Brian.Randell@newcastle.ac.uk PHONE = +44 91 222 7923 =========== PHONES - THREAT TO HEARING AID USERS Mary Fagan More than two million people who are deaf or hard of hearing face distress and discomfort with the launch this autumn of new digital mobile telephone equipment that interferes with hearing aids, according to the Royal National Institute for the Deaf. The telephones could also cause interference if used close to computer screens, and there is speculation that they could cause problems with other electronic equipment. Last week, Vodafone launched a digital mobile telephone service and Mercury's One-2-One digital service will be onstream within weeks. Cellnet hopes to start a commercial service next year. The new telephones send pulses of radio signal rather than the continuous signal sent by existing analogue cellular telephones. According to the RNID, when these pulsed signals are transmitted close to audio and video equipment they are picked up in wiring, causing interference. Mike Martin, the RNID's chief scientist, said hearing aid users standing up to six feet from a handheld mobile phone could be affected. More powerful car phones could affect pedestrians. The telephones can cause people wearing hearing aids to hear a noise like a bee buzzing. It can drown out other sound and cause pain and considerable distress, a spokesman for the RNID said. Cellnet and Vodafone admit there can be problems with hearing aids and computer screens. But the companies say the problem is with the telephones - which they do not manufacture - and with the equipment affected by them. A spokesman for Vodafone said that the real problem was the standard of hearing aids. In Germany, where there has been most experience with digital telephony, no problems have been experienced. A spokeswoman for Mercury One-2-One said that as the telephones used on One-2-One were very low-power, only equipment very close by could be affected. ----- (Advt.) LIBERTE' The Freedom to make a call in total security We have given you freedom. We have created a secure tomorrow for businessmen and travellers both here and in Europe. New frontiers beckon. Vodafone proudly announces EuroDigital. The most advanced and most secure mobile phone network. So sophisticated that it can even be used to make and receive calls in Europe in total security. EuroDigital represents a revolution in mobile phone technology. A superior digital system that provides a top quality service. A quality that doesn't falter, that doesn't break up. Line rental is 21.50 per month. UK call charges 25p per minute peak, 10p off peak. Only Vodafone can offer this. Liberate yourself. Enjoy freedom of speech and security. Rise above the rest. Call free, 0500 123 123 and ask for more information. All prices are recommended and are exclusive of V.A.T. VODAFONE EuroDigital ------------------------------ Date: Thu, 9 Sep 93 14:41:22 -0400 From: Subject: Brussels Branch Of BNP Hit By Computer Fraud Brussels, Belgium, September 8, 1993 (NB) -- The Belgian office of Banque Nationale du Paris (BNP) has admitted it was the victim of a major computer fraud in June of this year, according to Belgian press sources. The AFP news agency reports that a total of BFr 245 million was taken in the computer fraud, although bank officials have now recovered the money and Police are holding two suspects. The two fraudsters used their direct computer access facilities to request debits from BNP accounts and switch the proceeds into their own bank accounts with other banks. According to BNP sources, auditors picked up the fraud when they carried out a routine series of checks on inter-bank transactions in June. As soon as the fraud was discovered, the third party banks were contacted and the money recovered. As a result of the fraud, BNP is carrying out an internal inquiry into how the frauds occurred and whether its security systems can be beefed up to prevent a recurrence. ------------------------------ Date: Fri, 10 Sep 93 15:18:40 CDT From: Alan Munn Subject: Screen savers hide what's running below them I discovered (the hard way) that screen savers can be dangerous if you don't know what's running underneath them. Normally when you pop a disk into a Mac with a screen saver running, it stops the screen saver and presents you with whatever is running at the time. It so happened that when I stuck my disk into our Computer support person's machine, she had been running Apple's Disk Copy program, which once you get it started blindly accepts disks and makes a copy of the resident disk image. This is handy if you have lots of disks to make, but was fatal in my case, since my disk was completely erased. I did have copies on my hard disk, but... The moral of the story is don't stick your disk into a machine if you don't know what it's doing. Alan Munn Dept. of English University of Missouri, Columbia MO 65211 P.S. On a lighter note, windows without screens are also a risk. I swatted at a bug that came flying at me last night and my glasses flew out the window onto the grass (luckily) two stories below. Of course I couldn't look for them until I found them, so I had to call campus police to help out. ------------------------------ Date: Thu, 9 Sep 1993 15:52:05 EDT From: stevet@ora.com (Steve Talbott) Subject: Where should we look for risks? I was gratified to receive some 30 responses to my post "worrying about online education" (RISKS-14.86). Most were sympathetic, and the majority of those that were critical still made a point of saying that the subject is well worth discussing in forums like RISKS. That poses a problem for moderators, however, for I have to admit that the tendency of such discussions is almost always to violate the (desirable) standards enforced by the moderator. Looking at the division among USENET discussion groups between those that "get real work done" and those that pursue "philosophy," one is tempted to conclude that it's in the very nature of the net to disallow the sensitive and constructive exploration of complex or deep issues. The system is more suited for what we like to call the exchange of "information." Perhaps that is one of the risks! Well, I don't have any particular solution to offer. I find myself unable to tolerate the philosophical groups, but am still driven to pursue issues that seem slightly out of place in the more business-like groups. One thing this dilemma has done, however, is to push me toward the formulation of the most concise (business-like!) statement I could manage regarding the question, "Where should we look for technological risks?" To offer a parallel: anyone speaking about the effects of television upon society would probably no longer be content merely to point at a set of good (or bad) TV programs. There are deeper questions that require us to penetrate the medium itself, as well as our own natures. Perhaps the following 4 paragraphs--representing my attempt to answer the question voiced above--will interest some members of this group. Obviously, such a statement can only be a preface to particular studies, but it seems to me worth keeping in mind. As always, I welcome critical comment. Steve Talbott stevet@ora.com ######################################################################### In assessing the complex "symbiosis" between man and machine, it will hardly do to look for external cause and effect. Every contrivance, from the plow to the hydrogen bomb, expresses something within *us*. If we extend ourselves in our mechanical tools, we also meet ourselves in them. At the same time, just as the corporation seems to gain a life and tendency of its own, independent of its employees, so too the machine can become almost willful in its reaction upon its creators. "To someone who possesses only a hammer, everything begins to look like a nail." It is important, nevertheless, to recognize ourselves in this willfulness, even if doing so requires a bit of painful psychological excavation. The machine's double existence as an expression of the human being and as an independent force is most fully realized in the computer. Just consider those several disciplines--psychology, linguistics, philosophy, artificial intelligence--whose natural confluence has given us the remarkable developments in cognitive science. Here the pressing question is not so much, "How are computers expressions of ourselves?" as it is the much balder, "Are computers selves?" We who produce such devices cannot escape our own most intimate responsibility for the planet's rapidly crystallizing, electromechanical nimbus, nor can we escape the prospect of its increasing--and potentially threatening--independence and self-will. All this is to say, in a nutshell, that if we cannot point to any simple determination of society by machines, neither can we claim straightforward human control of the effects of those machines. We and our mechanical offspring are bound together in an increasingly tight weave. This has one clear implication: to substantially modify the larger pattern--rather than simply be carried along by it--requires profound analysis of things not immediately evident, and a difficult effort to change things not easily changed. If it is only by a certain self-awareness and an inner adjustment that I can restrict the hammer in my hands to its proper role, I must multiply the effort a millionfold when dealing with a vastly more complex technology--one endowed in a much more powerful sense with its own willful tendencies. Steve Talbott stevet@ora.com ######################################################################## Copyright 1993 Stephen L. Talbott. You may freely redistribute these remarks on a not-for-profit basis so long as this notice and the remarks themselves are left fully intact and unedited. ######################################################################## ------------------------------ Date: Fri, 10 Sep 93 14:31:07 PDT From: geof@aurora.com (Geoffrey H. Cooper) Subject: Re: Security holes and risks of software ... (Ranum, RISKS-15.03) > ...It seems to me that in designing a complex program that requires > privileges, the complex part and the privileged part should be separated... I agree with this statement, but find another conclusion/RISK. This is the risk of having security mechanisms that are too cumbersome to be used easily. Following the example given, classical UNIX provides only the setuid mechanism for increasing the access of a program, and setuid always applies to an entire program. Thus, if a program must run partially as root, the only way to avoid having it ALL run as root is to divide it up into communicating processes. Depending on the application, this is not always easy to do. If you want security, you have to make it easy to be secure. For example, if a setuid program had to explicitly enable and disable the setuid access (running otherwise as the user who invoked it), the body of code that needed to be carefully checked to verify security would be significantly diminished; a loophole in another part of the program could not compromise the entire system's security. - Geof ------------------------------ Date: Fri, 10 Sep 1993 19:52:05 EDT From: John Carr Subject: Re: Security holes and risks of software (Ranum, RISKS-15.03) >Ideally, the worst the complex code can do to you is give you a core dump Back in 1988 I was writing a program which connected to a finger server. I knew enough about UNIX at the time to go to the real documentation: the source code for fingerd. I noticed a fixed size buffer, and verified that sending a long string would make fingerd crash. Just a core dump, right? And fingerd is restarted by inetd for each new request, so there is no denial of service. I thought so, and didn't follow up. A few months later everyone learned that there were worse side effects. Think of a core dump as the best thing that can happen when your program goes wrong, not the worst. If you want a program to dump core under certain conditions, call abort(). Don't depend on memory corruption to do the job right. --John Carr (jfc@athena.mit.edu) [On the other hand, getting a system to dump core can be gold mine of information for a malicious attacker... P.] ------------------------------ Date: Fri, 10 Sep 93 10:03:37 EET From: flb@flb.optiplan.fi (F.Baube[tm]) Subject: Re: "Offshore Data Havens" (Bruni, RISKS-15.03) Perhaps someone else has provided the reference, but there is a very well-written science fiction novel which explores vividly and in some detail the concept of "offshore data haven". This is "Islands in the Net", by Bruce Sterling, a well-known author in the "cyberpunk" genre. The point of the book is that an international "black market" in information about individuals is inevitable and unstoppable. I highly recommend the book. Don't let the foolish cover illustration put you off. Fred Baube (tm) GU/MSFS/88 baube@optiplan.fi ------------------------------ Date: 10 Sep 1993 13:23:48 U From: "Gary Preckshot" Subject: Re- Off-shore data havens (Bruni, RISKS-15.03) The interesting to me about this report is the nuance of ownership of the data. Presumably the "legitimate owners" of the data are wroth since only they are allowed to sell, or otherwise profit from, our privacy. We're already embroiled in a continuing dispute over a restricted form of data termed "intellectual property" and we've been unable to resolve even relatively simple issues in that regard. So it's interesting to contemplate how one "owner" of data would proceed against some other "owner" of data for "stealing" the former's data. Whose name is on the data? Owner #1, owner #2, or your name, or my name? What risks are we running here? Possibly 1) Financial loss to owner #1 2) Financial loss to owner #2 3) Loss of privacy to third party 4) Onerous litigation that burdens everybody 5) Foolish laws passed by Congress Given the noted ability of our courts to resolve current intellectual property imbroglios (microcode and program copyrights), a paraphrase of Mark Twain's comment is probably appropriate: no one's life or property is safe while court is in session. There are so many potential victims and litigants that circumscribing risks may defy our meager abilities. Maybe the best thing to do is just to ignore off-shore data havens, since the cures and the would-be doctors are all worse than the disease. And you can get the data for a price right now, anyway. ------------------------------ Date: Fri, 10 Sep 1993 16:56:00 -0400 From: msb@sq.com (Mark Brader) Subject: Re: The risks of Naive Users (Shapir, RISKS-15.03) > I apologize for my son, he's 20 month old, yet he needed less than > 20 second on the floor to break the UPS down... Anyone else reminded of this entry in the Jargon File? :molly-guard: /mol'ee-gard/ [University of Illinois] n. A shield to prevent tripping of some {Big Red Switch} by clumsy or ignorant hands. Originally used of the plexiglass covers improvised for the BRS on an IBM 4341 after a programmer's toddler daughter (named Molly) frobbed it twice in one day. Later generalized to covers over stop/reset switches on disk drives and networking equipment. Mark Brader ...the scariest words of the afternoon: SoftQuad Inc., Toronto "Hey, don't worry, I've read all about utzoo!sq!msb, msb@sq.com doing this sort of thing!" -- Vernor Vinge ------------------------------ Date: Thu, 9 Sep 93 14:32:58 PDT From: stalzer@macaw.hrl.hac.com Subject: Re: More Gripen Griping Mary Shafer writes on Thu, 26 Aug 93 15:40:49 PDT (RISKS-14.89): >As far as I can tell, the real problem was control-surface rate limiting. >Cf. the YF-22 crash and the Space Shuttle ALT-5 multi-axis PIO. > >I've flown a rate-limited configuration in a variable-stability Learjet >and it looked a lot the same, just before the safety trips gave the plane >back to the safety pilot. My flight experience is minimal, but in a small plane the maximum rate at which control surfaces can be moved is limited only by the pilot's strength and desire not to damage the plane. More importantly, there is a direct connection between the position of the control surface and the stick. I believe this form of feedback exists even on large planes that have hydraulically assisted control surfaces. Apparently, in fly-by-wire aircraft, there may not be much of a correlation between the position of the stick and the control surfaces. What used to be a closed-loop control system is now more open-loop. The aviation community must have done some studies on how this lack of feedback can effect pilots, especially during critical situations (when a pilot reverts back to his or her most fundamental training). Or was it just assumed that pilots would adapt to the new ``user interface''? -- Mark Mark Stalzer, Hughes Research Labs RL65, 3011 Malibu Canyon Rd, Malibu CA 90265 E-Mail: stalzer@macaw.hrl.hac.com Voice: 310-317-5581 FAX: 310-317-5483 ------------------------------ End of RISKS-FORUM Digest 15.04 ************************