Subject: RISKS DIGEST 15.64
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 10 March 1994  Volume 15 : Issue 64

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

Contents:
  Irony & embarrassment (Gene Spafford)
  Another twist on Harding e-mail breach (John C. Rivard)
  Maybe appalling grammar is bad language design (Don Norman)
  Wrong credit card in the mail (Stephanie Leif Aha)
  Troubled water crossing bridge (Harald Hanche-Olsen)
  Calling-Number-ID catches obscene caller (Richard R Urena)
  X windows makes patient breathless (Govinda Rajan and Mathew Lodge)
  Trouble in comicland? (Arthur Goldstein)
  Getting help on the Internet (Phil Agre)
  Re: Clipper (Keith Henson, Carl Ellison, Stanton McCandlish)
  COMPUTER RISK! [Early April Fooling?] (Simon Travaglia)
  Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Tue, 08 Mar 94 20:15:54 -0500
From: Gene Spafford
Subject: Irony & embarrassment

Twice in the last 6 months I have received a rather interesting brochure in the mail. Before I comment on it, let me describe it.

The first page is bright yellow, with the picture of a small guinea pig. In big letters, it proclaims "Microsoft would like to use your company as a test site for the 4,000,000 lines of new code in NT." Inside, it states "SunSoft would like to offer you a leading-edge operating system with 10 years of fine-tuning behind it: Solaris." It then goes on with other "ad-speak".
I find this amusing in several respects:

 1) It plays on a long-standing perception of many computer users that Microsoft does a poor job of testing their code (I am enclosing a humorous posting that circulated on the Usenet recently that also points this out);

 2) It underscores one of the major, major concerns about using large software artifacts (e.g., NT) -- they are often poorly tested, and the consumer is usually the one to suffer;

 3) Sun's Solaris has been the subject of several very public, very significant bugs and security lapses over the past several years. It is hardly something to crow about in comparison to NT.

When the first round of these ads came out a few months back, a great many of the engineers inside Sun were very chagrined by it. Several were even angry -- they got a lot of comment from people outside Sun struggling with bugs in tar, sendmail, lpr and other utilities. It makes Sun appear to be unaware and uncaring about existing bugs and problems. Now, for a second round of mailing to appear is almost the height of cluelessness by the advertising folks.

Risks?

 1) Advertising folks who don't talk to the software engineers or customer support people.
 2) Companies that spend more money and effort getting problems out the door than they do on design and testing.
 3) Using your company as the test site for 4 million lines of Windows NT. Or X million lines of Solaris.
 4) If you develop a reputation for poor testing and poor customer service, it can be used against you in advertising.

    [Spaf also included an item on People for the Ethical Treatment of Software (PETS). Because that item has already been widely circulated on the net, I have removed it here. But if you did not see it, you might ask spaf for a copy. PGN]

------------------------------

Date: Thu, 10 Mar 1994 11:44:47 -0500
From: jcr@msen.com (John C. Rivard)
Subject: Another twist on Harding e-mail breach

In the March 9-15 1994 issue (Vol XIV, No.
23 p.9) of the Metro Times, the freely distributed alternative newspaper in Detroit, Dennis Rosenblum reports on yet another ethically-questionable activity ironically associated with the violation of Tonya Harding's e-mail at the Olympics. <"E-Mail blunder at Olympics" RISKS 15-58>

Both the Detroit News and the Detroit Free Press reported that Free Press sports reporter Michelle Kaufman--with two other reporters from other papers--broke into Harding's account, but did not read any mail. The Free Press story was printed on page 8D in the sports section, but the News printed its story on page 1A, the front page, and portrayed it as much more scandalous.

The News and Free Press operate under a Joint Operating Agreement (JOA), a controversial arrangement which allowed the two supposedly editorially independent papers to combine their business and production facilities to cut costs, with a 100-year federal antitrust exemption. Both papers argued successfully in federal court that the Free Press would go out of business if not for this agreement.

The twist comes in when the Detroit News ran a photo of Kaufman with their front-page story. The digital image was stolen from the production facilities in the News building, which both papers share. According to Rosenblum:

"It turns out that a photo of Kaufman which the News ran with its story came from Free Press computer files. A News editor had a composing room worker sneak along a copy of the digital photo file, without the knowledge of the Free Press."

"Ed Wendover, a leader of Citizens for an Independent Press, which opposed the JOA in court, considered it predictable. 'This is perhaps only a precursor of what happens when they move in together,' said Wendover, a suburban publisher."
"In a memo to editors at the News, Editor and Publisher Robert Giles termed it a 'clear breach of the security that is critical to maintaining editorial separation and independence...as required by the joint operating agreement.'"

The irony of this story is obvious, but the RISK involves the impact of lax computer security on the First Amendment issues concerning the distinct editorial voices that were promised under the JOA.

(Quoted with permission of the author.)

John C. Rivard, JCR Design and Consulting   jcr@msen.com

------------------------------

Date: Mon, 28 Feb 1994 18:41:14 -0800
From: dnorman@apple.com (Don Norman)
Subject: Maybe appalling grammar is bad language design

A recent flurry of articles in RISKS talks about poor spelling and punctuation, including the common problem of confusing "it's" and "its". Let me try the argument that these errors, like so many so-called "human errors", are in actuality design errors -- language design.

English is well known for its peculiarities in spelling, in part due to its multiple origins that give rise to words with different historical roots, in part because so many reformers have tinkered with it, sometimes successfully, sometimes not (Ben Jonson, George Bernard Shaw and Noah Webster come to mind, and I am sure that RISKS readers can name others). As a result, the spelling is so inconsistent on the surface that it takes a Halle & Chomsky to write a learned book explaining that there is an underlying deep consistency. If it takes a complex book to explain it, then maybe spelling isn't "designed" with the user in mind.

Now take punctuation. One problem is that English uses the symbol ' for at least two separate meanings (not counting its use in quotations): contraction and possession, as in "that's my dog's ball." With words that are homonyms, so the same spelling indicates contraction and possession, the rule is that contraction wins use of the '.
Hence, "It's not its fault," where "it's" is a contraction and "its" is a possessive. Try explaining that to a non-native speaker of English. Hell, try explaining that to a native speaker.

If English weren't so stingy with symbols and used different symbols for possession and contraction, then we wouldn't have any problem. English doesn't use symbols to mark parts of speech such as subject, or indirect object (or, in a case-based framework, agent or recipient): why use a symbol to mark possession?

Anyway, some human error in spelling and punctuation is really a system or design error: blame evolution -- or those early typographers who transformed the spoken language into its printed form.

Don Norman, Apple Computer, Inc.  MS 301-3UE, 1 Infinite Loop, Cupertino, CA 95014 USA
dnorman@apple.com  +1 408 862-5515  Fax: +1 408 255-7045

------------------------------

Date: Tue, 08 Mar 1994 10:30:38 -0800
From: steph@ics.uci.edu (Stephanie Leif Aha)
Subject: Wrong credit card in the mail

I just received my new credit card in the mail, only it wasn't mine. The paper enfolding the card had my name and account number but the card had a different name and account number. The credit card company claimed that this had _never_ happened before, blocked both accounts as having lost/stolen cards and is sending me a new card.

I was really surprised to be the first one having this problem. I would assume that this could happen if the entire run of cards mailed was off by one and we all received the right paper with the wrong cards. Compounding the problem, they have redesigned the card this year so that the names are printed in the same color as the card, making them hard to read. Only by chance did I look closely enough to notice that it wasn't my card. Perhaps the entire line did go astray after all.

Stephanie Aha, grad student, ICS Dept., U.C.
Irvine

------------------------------

Date: Tue, 8 Mar 1994 17:29:06 +0100
From: Harald Hanche-Olsen
Subject: Troubled water crossing bridge

No computer risks in this one, but a nice example of an unexpected failure mode: When a water main broke in downtown Trondheim yesterday, a basement was flooded. No big surprise, except the basement was across the river! The drains were all plugged with ice and snow, so the water ran across the nearby bridge.

- Harald Hanche-Olsen, Dept of Mathematical Sciences, The Norwegian Institute of Technology

------------------------------

Date: Tue, 08 Mar 1994 10:48:00 -0500 (EST)
From: Richard R Urena
Subject: Calling-Number-ID catches obscene caller

An article by the Associated Press notes that a woman in Pembroke, Massachusetts, used the CNID feature to track down an obscene caller who had been bothering her since 1991. After years of harassment, the woman signed up with her phone company for the CNID service, compiled a map with the numbers and addresses of public phone booths in her vicinity, and obtained a second telephone line to alert police. Her efforts paid off last Saturday at about 2:30 AM, leading to the arrest of a 28 year old suspect, who was still on the phone when the police arrived.

------------------------------

Date: Tue, 8 Mar 94 13:51:32 GMT
From: lodge@ferndown.ate.slb.com
Subject: X windows makes patient breathless

The following article was posted to the USENET newsgroup comp.os.lynx today. The group deals with a UNIX-style hard real-time operating system called LynxOS. LynxOS' primary market is the real-time process control market (which is also often a safety critical market). I should explain that LynxOS threads are light-weight processes.
> From: govinda@anest.fgg.eur.nl (N Govinda Rajan)
> Newsgroups: comp.os.lynx
> Subject: Window move in X holds up other threads even of higher priority
> Date: Tue, 8 Mar 1994 10:43:50 GMT
> Organization: Dept Of Anesthesiology, Erasmus University, Rotterdam
> Message-ID:
>
> When I move a window or resize a window, all other threads in any process
> which has the X Main Loop [are] held up. For example, I have a process which
> has the X Main Loop which starts a thread. The priority of this thread is
> made higher than the process and it starts a count down timer and waits for
> the timer signal, which is SIGALRM. When the timer counts down it does some
> work (actually sends an analog signal through D/A convertor to an external
> instrument) and restarts the count down timer once more and sigwaits once
> more and so on. SIGALRM is supposed to be thread unique.
> All goes well, except when I move a window or resize, then the timer thread
> does not respond at all and as long as I have the mouse button pressed down
> it does not respond. When I release it everything continues normally again.

So far, so good. The problem can be explained by the fact that when an X window manager wants to move or re-size a window, it "grabs" the X server to prevent other X events from interfering with the window move. Now comes the RISKy bit:

> My external instrument is an artificial ventilator and if it does not get
> the signal in time the patient does not get any breaths.

[temporary technical solution from article deleted]

So the patient's life depends entirely on the timely delivery of a software signal (and nothing else)? The complete absence of any recognition that this is a safety critical system that could kill people horrifies me. I think I'll be staying away from Dutch ventilators if at all possible...
Mathew Lodge, Software Engineer, Schlumberger Technologies, Ferndown, Dorset, UK, BH21 7PP
lodge@ferndown.ate.slb.com  (+44) (0)202 893535 x276

------------------------------

Date: Tue, 8 Mar 1994 03:40:30 GMT
From: goldsten@cs.uiuc.edu (Arthur Goldstein)
Subject: Trouble in comicland?

From the March 7th, 1994 Blondie comic strip (without permission):

Dagwood Bumstead speaking and looking at bills:
  "I don't get it! Why can't we keep up with all our bills?"
  "We don't live high! We don't splurge!"
  "Yet somebody keeps sending me all these bills!"
  "Could they have me mixed up with some other Dagwood Bumstead?"

Perhaps Dagwood should check out comp.risks for other cases of duplicate identities.

Arthur Goldstein, Comp. Sci. Univ of IL, 1304 W. Springfield, Urbana, IL 61801
goldsten@uiuc.edu  UUCP: {uunet,harvard}!uiucdcs!goldsten

------------------------------

Date: Sat, 5 Mar 1994 16:37:30 -0800
From: Phil Agre
Subject: Getting help on the Internet (Yurman, RISKS-15.57)

In response to Dan Yurman's note in RISKS-15.57 about misguided teachers instructing students to send basic questions to Internet discussion groups, I've written a short article about how to ask people for information (on or off the net). The skills it describes are common sense to long-time net dwellers, but they're definitely not common sense to beginners. To fetch a copy, send a message that looks like:

  To: rre-request@weber.ucsd.edu
  Subject: archive send getting-help

Feel free to post it to any discussion groups that have had this problem, or send it to teachers or students involved in courses that involve Internet-based research.

Phil Agre, UCSD

------------------------------

Date: Tue, 8 Mar 94 12:31:20 PST
From: hkhenson@cup.portal.com
Subject: Re: Clipper

If I may boil down the government's side of the Clipper debate, it is this: "We need to implement this encryption method so as to avoid problems we think may be coming. Trust us! We promise not to abuse your privacy."
Except, of course, Clipper technology gives them a 'pen register' on every phone. Pen registers give those in power a running list of every phone contact made between two Clipper phones without the need to fill out even the minor paperwork now required for this surveillance.

I do not doubt the sincerity of Dorothy Denning or others who defend Clipper. And I would have fewer problems with the Clipper/Capstone proposal if the people who will be granting access to the keys and those with legal access to the keys and call records were of Dorothy's caliber. However, people of good will are not likely to be the ones who apply for these keys to your privacy in the future.

I am right in the middle of a case which has remarkable similarities to a Clipper "request for keys." Full details have been posted to comp.eff.talk and misc.legal, but in brief summary, a Postal Inspector from Tennessee is attempting (for political reasons) to impose the obscenity standards of that region on an adult BBS run from Milpitas (just North of San Jose). To this end, he obtained a warrant to take the BBS hardware. Because of contained email and First Amendment activities of a BBS, subpoenas, not warrants, are required under *two* sections of federal law. The laws are Title 42, Section 2000aa, and Title 18 Section 2701, the same ones which were applied in the well-known Steve Jackson Games case. Pointers to these federal laws were *posted* on the BBS. The postal inspector downloaded this file and *included* it in his affidavit for a search warrant to a Magistrate-Judge in San Francisco, along with a remarkably weak theory of how he could avoid application of these laws to himself.

To obtain a warrant to take email and 2000aa materials, the laws require a number of judicial findings to be made. None of these requirements were considered by the court. The postal inspector got his warrant, mailed child pornography to the BBS, served the warrant, "found" the child porn and obtained an indictment in TN.
The child porn charge is bogus because the agent specifically described the material as "sent without his knowledge" (referring to the sysop). Of course the sysop has to defend himself from the charges 2000 miles from home and shut down his business while doing so, and everyone on the system had their email copied and passwords compromised.

This example applies directly to the Clipper situation. The risk under Clipper is that your private communications will be protected by the *weakest* link in the chain--one of the thousands of low level Magistrate-Judges among whom corrupt or zealous law enforcement agents shop for warrants and will shop for keys. These magistrates (who are *not* judges, but work for the US Attorney's office) tend to be busy, or lazy or corrupt or all three. As in this case, even if the law is *directly quoted* in search warrant affidavits or key requests, and these laws *expressly forbid* granting warrants or key requests under the conditions cited, the magistrate may not even read the supporting affidavit before approving it. He is *very* unlikely to read or consider the underlying laws when granting a request. The key escrow agents provide no protection whatsoever since they simply fill orders from agents with approved applications.

Judges ignore the law with impunity, and so do law enforcement agents because one agency will almost never investigate another. As a practical matter, applications for search warrants are almost never denied. The same situation is certain to occur for Clipper key applications, no matter how weak the justification happens to be, or what laws are being violated by those seeking the keys.

Keith Henson

------------------------------

Date: Tue, 8 Mar 1994 13:59:03 -0500
From: Carl Ellison
Subject: re: Bidzos on Clipper (RISKS-15.61)

Jim Bidzos submitted his reaction to the Clipper proposal.
I agree with him for the most part, but would add a few notes:

[risks of Clipper]
>- Potential abuses by government and loss of privacy for all citizens.

I would add: increased vulnerability to Organized Crime (because they're not very experienced with cryptanalysis but they have lots of experience with bribery, breaking/entering, theft of machines and data, ... -- in other words, all the talents you need to break the key escrow scheme).

>AN ALTERNATIVE PROPOSAL
>
>One approach would be to have NIST develop a standard with three
>levels. The first level could specify the use of public-key for key
>management and signatures without any key escrow. There could be a
>"Level II" compliance that adds government key escrow to message
>preparation.

What's wrong with just having the FBI, NSA, GCHQ, French bureau (whatever its name), ..., publish their own RSA keys (both PGP and RIPEM format) so that individuals can voluntarily include those keys as recipients when they encrypt, if they want to volunteer to give the gov't access? This achieves exactly the voluntary wiretapping the NSA says it wants -- with no hardware and no special code.

>II products would be decontrolled for export. The market can decide;
>vendors will do what their customers tell them to. This satisfies
>the obvious desire on the part of the government to influence what
>happens, as a consumer.

I disagree with any plan to control exportability based on the NSA's ability to read traffic. I believe nothing which is already available outside the US should be restricted from export. Anything else just makes the US government look stupid.

------------------------------

Date: Tue, 8 Mar 1994 20:07:02 -0500 (EST)
From: Stanton McCandlish
Subject: EFF's Barlow v.
Denning on Clipper - AOL March 10, 9PM EST LIVE

[Cc:ed to a lot of groups]

CLIPPER CHIP DEBATE
Thursday, March 10, 9 pm eastern

Dorothy Denning, cryptologist and chair of the computer science department at Georgetown University, will debate John Perry Barlow, cognitive dissident and co-founder of the Electronic Frontier Foundation, in the TIME Odeon on America Online this Thursday at 9 pm. Philip Elmer-DeWitt, TIME senior writer, and Robert Pondiscio, TIME public affairs director, will moderate. The floor will be open to questions from the audience. You need an America Online account to participate. Call America Online at 703-448-8700 to subscribe.

Philip Elmer-DeWitt  ped@panix.com  ped@well.com  TIME Magazine  philiped@aol.com

------------------------------

Date: Wed, 9 Mar 94 15:34 +1300
From: Simon Travaglia
Subject: COMPUTER RISK! [Early April Fooling?]

************************************************
           Computer Risk Bulletin #478
************************************************

Warning Notice M.U.D-1

On the 3rd of September, 1992 the computing world was rocked by the horror of a new computer-originated illness and the life it claimed.

Eldred Squires, a 26 year old Operator/Administrator at a major British Chemical Company was the first victim. At approximately 9:03am, Squires logged into his personal account, ees, and sent some email to a friend at a remote site. Logging out, he then proceeded to log into the operator account to clean up some problematic printing queues. Following this, he logged out and logged into a test account to check that his print queues were accepting data from normal users. Finding that all was well, he logged out then logged into the root account to create a new username to receive helpdesk mail, not realising the mortal danger he was in. Wanting to test this new username, he logged out from root and proceeded to login to his new account.
Barely three letters into his twelve letter alphanumeric password, he slumped forward across his keyboard, dead.

Investigators, on arriving at the scene could find no reason for his death and elected to wait for further information from the outcome of the Autopsy. The Autopsy revealed that the victim's cerebral cortex suffered damage consistent with heating of the brain to approximately 120 degrees celsius.

Still no nearer to the solution of the death, Computer and Workplace Safety Officers decided to recreate, using accounting logs and user audits, the circumstances leading up to the tragedy. Shielding the testing officer from the equipment with leaded glass, the team commenced their tests. Within five minutes, another victim lay sprawled across the keyboard, a fine patina of sweat on their brow.

Admitting defeat, the Safety Office called in an expert in Computer Related Deaths, Dr Brian Analpeeper. Within minutes of examining the logs and audits Analpeeper was able to correctly diagnose the cause of death. Multiple Username Disorders.

Multiple Username Disorders, Analpeeper explained, are a dangerous new side-effect of the current computing mindset. People become encumbered with several usernames until, ultimately, their brain fries out. Analpeeper also explained that for years the Social Sciences had been aware of the existence of Multiple Personality Disorders (commonly mis-referred to as Split Personalities) and that in a small way, M.U.Ds were in fact a computer replication of this.

"People are required to maintain several accounts for various purposes, One for say, an Administration function, One for their own personal use, Another for normal work, and perhaps yet another for financial and charging matters. Sooner or later the combination of what is required of the user of these accounts will wreak its havoc on the brain, causing mass cerebric hysteria.
Of course some people have a higher tolerance to this than others, yet there is *no* way of accurately judging how far we can push a user."

Later, in a harmless demonstration, Dr Analpeeper took a volunteer and assigned him 5 usernames for different purposes. Victim number 3 fell to the floor in a lifeless heap. "I lied about it being harmless" Analpeeper said. "So sue me."

Months later scientists are still no nearer finding a solution to the problem, mainly because they're too scared to login to the research computers. Life goes on, or sometimes it doesn't.

Are you in danger?

In an effort to reduce the deaths and crippling side effects of Multiple Username Disorder, the Computer Risk Committee has compiled this list of warning symptoms:

Victim may:
 - Wonder whether they've read their mail today
 - Wonder which account they're logged into
 - Complain of feeling hot and bothered in front of their terminal
 - Complain that the room appears to be getting warmer
 - Slur words, especially after consuming large quantities of alcohol
 - Repeatedly forget passwords
 - Ask to see the wine list at restaurants for no apparent reason
 - Pause for a few seconds before entering their password.
 - Talk to themselves whilst logging in or executing everyday commands.
 - Fail to notice everyday events, such as telephones ringing, power failures, being struck about the head etc
 - Fall to the floor dead.

Should one or more of these symptoms be present, STOP USING YOUR ACCOUNT NOW! Logout and walk away. Life is, after all, too precious.

Simon Travaglia, spt@waikato.ac.nz  University of Waikato Computer Centre, Hamilton, New Zealand
+64-7-8562889 Ext 8347, FAX 838-4066

------------------------------

Date: ongoing
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA) with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed. Users on US Military and Government machines should contact (Dennis Rears). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, send requests to (not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "FTP CRVAX.SRI.COM<CR>login anonymous<CR>YourName<CR>CD RISKS:<CR>" Issue j of volume 15 is in that directory: "GET RISKS-15.j". For issues of earlier volumes, "GET [.i]RISKS-i.j" (where i=1 to 14, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00. "DIR" (or "DIR [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password. WAIS and bitftp@pucc.Princeton.EDU are alternative repositories.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery.
PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 15.64
************************