Subject: RISKS DIGEST 16.28 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Friday 22 July 1994 Volume 16 : Issue 28 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for information on RISKS (comp.risks) ***** Contents: Hoods Hit the Highway (Jon Loeliger) Dutch police victim of phone-tapping criminals (Ralph Moonen) As the Worm Turns--Ant-icipating Problems (Mich Kabay) It's a real world out there, and the Internet is part of it. (Phil Agre) Automated mail listserver causes "Spamming" on the Internet (Jean Renard Ward) Leahy Statement on Gore Statement on Clipper (Marc Rotenberg) Privacy Journal this month (Robert Ellis Smith) CFP: IEEE Symposium on Security and Privacy (Catherine A. Meadows) Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. ---------------------------------------------------------------------- Date: Fri, 22 Jul 1994 09:49:25 -0500 From: Jon Loeliger Subject: Hoods Hit the Highway From Jon Loeliger, Healthcare Communications Inc. jdl@healthcare.com Hoods Hit the Highway; Computer users warned of scams By Charlotte Anne Lucas Austin Bureau of The Dallas Morning News Dallas Morning News, 1 July 1994, REPRINTED WITH PERMISSION OF THE DALLAS MORNING NEWS AUSTIN -- Computer users, beware: Driving on the information highway, it's possible to get fleeced. Scam artists have hit the cyberspace, offering high-tech ponzi schemes, sending illegal electronic chain letters and hyping virtually worthless stock, according to state securities regulators across the nation. In Texas, regulators say an Austin retiree lost $10,000 in a fake mutual fund deal sold by a man who promoted his "money managing" skills through an on-line computer service. "The danger here is that cyberspace, which could be a beneficial way for consumers to do a better job of informing themselves, will instead be discredited as a haven for fast-buck artists," said Denise Voigt Crawford, the Texas Securities Commissioner. In New Jersey and Missouri on Thursday, securities regulators filed cease and desist orders against promoters who used computer links to tout allegedly fraudulent deals. Texas regulators say it is likely that they will seek an indictment in the case of the nonexistent mutual fund. But with nearly 4 million computer users nationwide linked into commercial computer services and 20 million people on the internet, a world-wide computer network, "it is almost too big to police effectively," said Jared Silverman, chief of the New Jersey Bureau of Securities and chairman of a multi-state team that investigates computer fraud. In response, regulators in all 50 states issued a bulletin to investigators, describing the potential frauds and listing steps small investors can take to protect themselves. "We're trying to tell people to be careful," said Ms. Crawford, "there is a new fraud on the horizon." Although regulators are concerned about the problem, Ms. Crawford acknowledges enforcement will be a challenge. Because electronic conversations, or E-mail, are considered private, "we don't know what difficulties we are going to have getting subpoenas enforced or what kind of cooperation we will get from (commercial bulletin board systems)." [sic] Officials say promoters tend to advertise offers or stock tips on the financial bulletin board sections of on-line computer services such as CompuServe, America Online and Prodigy, or in the specialized discussion forums in the Internet. Regulators said that of 75,000 messages posted on one computer service bulletin board during a recent two-week period, 5,600 were devoted to investment topics. While some commercial computer bulletin board services try to control the publicly posted investment tips, most do not try to control most communications on the service. What begins as innocent E-mail can end with an unwary investor "getting cleaned out by high-tech schemers," said Ms. Crawford. In Texas, the case under investigation began when an Austin retiree posted a public note in a commercial bulletin board system looking for conversations about the stock market, according to John A. Peralta, deputy director of enforcement at the Texas Securities Board. "He was contacted. It turned into a private E-mail conversation, a telephone conversation and then exchanges through the mail," said Mr. Peralta. But the person who promoted himself on the computer as a skilled money manager turned out to be unlicensed -- and the mutual fund the retiree invested in turned out to be nonexistent. Mr. Peralta said at least one other person, not from Texas, invested $90,000 in the same deal, "We are aware of two, but we don't really know," he said. "There may be dozens of victims." Securities regulators began taking interest in on-line scams last fall, after Mr. Silverman -- a computer junkie -- raised the issue at a national meeting of regulators. "I heard stories about things going on on computer bulletin board services, and I have been monitoring these things for close to a year," he said. In fact, the New Jersey case came from Mr. Siverman's off-hours cruising of an on-line service. "I sit at a keyboard two hours a day -- to the chagrin of my wife -- scanning these things," he said. What he found was a promoter pushing an E-mail chain letter. The promoter, identified only as from San Antonio, claimed that in exchange for $5, investors could earn $60,000 in three to six weeks. Regulators said participants were told to send $1 to each of five people on a list in the computer bulletin board, add their own name to the list and post it on 10 different computer bulletin board sites. That, regulators said in a statement, "amounted to a high-tech variation on the old pyramid scam, which is barred by federal and state laws." In Missouri, regulators Thursday moved against an unlicensed stockbroker for touting his services and "making duubious [sic] claims for stocks not registered for sale in the state." Among other things, regulators said, the promoter falsely claimed that Donald Trump was a "major, behind-the-scenes player in a tiny cruise line" whose stock he pitched. Ms. Crawford said that while computer users may be sophisticated in some ways, they still are attractive targets because they tend to have discretionary income and frequently are looking for ways to invest their money. Some of the commercial services also allow users to use various aliases, making it all the more difficult for investigators to figure out who they are really communication with. ------------------------------ Date: Fri, 22 Jul 1994 11:59:33 +0200 From: ralph@inter.nl.net (Ralph Moonen) Subject: Dutch police victim of phone-tapping criminals Usually law enforcement's arguments for regulated encryption center around their ability to tap criminal's conversations. In the Netherlands this discussion has taken a whole new twist when Dutch newspaper De Telegraaf laid hands on phone-tap recordings not from the police, but from criminals who had tapped various high police officials' home and work phones. Needless to say the newspaper published transcripts of the recordings which proved to be quite interesting. (Proving police used several illegal means of gathering evidence and revealing a lot of internal trouble in the police dept.) Soon after publication police officials called for more funding to be able to buy encryption devices. Was this just naivety on the part of the police to assume criminals couldn't wire-tap or was it an isolated incident where the criminals got lucky? Evidence supports only the first assumption. Hopefully this incident will lead to more discussion on encryption technology. A while ago legislation was proposed to ban encryption without having a permit for such devices. This proposal was cut down in light of strong opposition from industry and commerce. After that, no-one in the Netherlands really took up the issue, which I think we all agree upon is one of the most important ones of the information age. Oh, the RISK? I dunno, but I think it's obvious :-) --Ralph ------------------------------ Date: 22 Jul 94 08:47:44 EDT From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Subject: As the Worm Turns--Ant-icipating Problems >From the United Press International newswire (94.07.21 @ 12:17 EDST) via CompuServe's Executive News Service (GO ENS): Ants help BT improve computers By SIMONA de LOGU "LONDON, July 21 (UPI) -- British Telecom scientists are exploring ways of making computer programs more robust and adaptable by using ant colonies as models for interactive programs that respond to changing conditions in computer networks. A team of computer specialists based at BT's Martlesham Heath laboratories in Ipswich, east England, has been studying research material on ants for the past two years and using their findings on developing programs." Key points from the article: o "Our system is made up of small, autonomous, reactive, mobile blocks of computer code that interact in a way derived from ant behavior," said scientist Simon Steward. "The control system that emerges from all of these mobile software agents working together is inherently adaptable and robust unlike normal computer programs." o The goal of the work is to prevent system crashes when an unanticipated [PGN, please forbear] condition occurs. o The distributed computing model uses message-passing to coordinate computation. o "The programs are mobile like ants, moving from one computer to another, when needed." o After making software or parameter changes, the "mobile programs" would "leave messages for other programs on how the system has been adapted." o Modules will display "a certain amount of random behavior...." o The system will display heuristic, goal-seeking behaviour. [Comments from MK follow:] Programs that move from system to system are usually called worms. The work described above is related to Von Neumann's concepts of cellular automata, and I guess would count as an example of "artificial life" or a-life. The idea that semi-autonomous computer programs would migrate from place to place reminds one of the debate about "useful viruses." I was getting antsy about this (the idea was really bugging me), so I searched on "ant or ants" in the Ziff Computer Database Plus (GO COMPDB on CompuServe) and located an article in Computergram International (June 10, 1994), p. 15 entitled, "British Telecom's research lab claims to have found the fastest Travelling Salesman algorithm." In this application, which runs on a single RISC workstation, "The search algorithm is set in motion on a problem to find the shortest travelling distance between several cities, for example. In effect a whole series of `ants' are thrown on a map of the area and if the system doesn't find a destination city, it dies, whereas if it does find a chosen destination city it `gives birth' and grows." A path is then established between cities. The algorithm is very fast--two seconds for a 100-point optimization problem and 2.5 minutes for 1000 points. All this is fascinating, and I naturally wondered about the implications for system reliability. Turning back to the UPI story, it seems to me that there must be a lot of work to include quality assurance principles into heuristic, semi-autonomous algorithms that change system or network configuration. The consequences of malfunction increase when the problems occur in control structures e.g., a hole in your hose can swamp your lawn, but a bug in your electronic shutoff valve that reverses inputs (off -> on) can really put a bee in your bonnet. One of the main objections to free-roaming software worms and viruses is that they (themselves) offer no opportunity for a system manager or owner to block their activity (one can usually do so with antivirus tools, though). When a system is seeded with these rogue programs, one never knows what will flower. Who wants untested software making changes in her computer system? Similarly, how do we cope with "genetic" algorithms that spontaneously make changes in, say, operating system tables or even executable code? How does one test a real-time change in the operating system? It will be interesting to follow this work and see how concerns for reliability are worked into this evolving field. Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn ------------------------------ Date: Fri, 22 Jul 1994 14:21:17 -0700 From: Phil Agre Subject: It's a real world out there, and the Internet is part of it. Many denizens of the Internet think of it as a place of untrammeled free speech and decentralized democracy. Evidence is accumulating that it's more complicated than that. Writing in the liberal journal _The Nation_, Jon Wiener (a historian at UC Irvine whose does a sort of investigative journalism) outlines some of the complications. The full reference is: Jon Wiener, Free Speech on the Internet, The Nation 258(23), 13 June 1994, pages 825-828. He describes the Karla Homolka trial in Canada, a group of Turks who swamp newsgroups with automatic messages denying the Armenian genocide, gun activists taking over alt.motherjones, libel suits provoked by on-line statements, gender imbalances, abusive behavior by unreformed net-guys, and more. None of which means the net is bad; it just means the net is part of reality. At one level the Risk is computer-related: bad stuff can happen on-line, just like in real life. But the real Risk comes from believing the hype: just because it's decentralized doesn't make it democratic. If we want democracy we have to actively make it. Just like in real life. Phil Agre, UCSD ------------------------------ Date: Fri, 22 Jul 94 08:49:50 EDT From: jrward@midget.ptltd.com (Jean Renard Ward) Subject: Automated mail listserver causes "Spamming" on the Internet The past week I have been getting filled-out copies of a survey form completed by beta users of the netsurf.com services. Each day up to a half-dozen of these forms would show up in my Internet mailbox. Evidently the problem caused by three factors: (1) the original survey form had in the "cc:" field the listserv address for mailing to the entire beta user group, (2) many of the beta users had "reply to all" set as the default for their mailer software, and (3) the folks at netsurf.com hat configured their listserver to remail the incoming Emails with the completed forms back out to the addresses on their beta user list. The only interesting thing about getting the completed survey forms is that most of the respondents to the survey seemed to be middle-aged males with "erotica" as one of their interests in using the Internet. Netsurf's questionnaire specifically stated that they had no interest in invading anyone's privacy, so that the questionnaire would be effectively confidential, even though they could not guarantee that formally. Notes Emailed to netsurf.com had no effect. Finally, out of frustration, I did a "reply to all" on one of the incoming forms with a note about the problem back out to the same listserver. Although this was an act of "spamming" on its own, it did get the people at netsurf.com to address (intentional pun) the problem. A last note: I got a note from netsurf.com blaming __me__ and all those users who had set "reply to all" as the default in their mail software for spamming their beta user list, rather than admitting that they had overlooked the possible effects of their listserver and mailing configuration. By the way -- this is being sent with a cc: to netsurf.com. ------------------------------ Date: Fri, 22 Jul 1994 15:48:32 EST From: Marc Rotenberg Organization: Electronic Privacy Information Center Subject: Leahy Statement on Gore Statement on Clipper U.S. SENATOR PATRICK LEAHY, Vermont STATEMENT OF PATRICK LEAHY ON VICE PRESIDENT GORE'S CLIPPER CHIP LETTER July 21, 1994 I have read the July 20th letter from the Vice President about the Administration's current thinking on Clipper Chip and, to my mind, it represents no change in policy. In fact, when this letter was sent, I would be surprised if the Administration even thought it was news. The letter makes clear to me that the Administration continues to embrace key escrow encryption technology, and stands behind Clipper Chip as a federal standard for telephone communications. The official standard makes clear that this standard applies to any communications over telephone lines. Those communications include not only voice, but also low-speed computer data and facsimile messages. The Administration is working on encryption technologies for higher-speed transmissions, such as for computer networks and video networks. The Vice President says that they want to work with industry to design a key escrow system that could be implemented not just in hardware, but also in software, that would be voluntary, exportable and not rely upon a classified encoding formula. The Administration said all this last February when the federal standard was approved. Yet, when Administration witnesses were questioned about the progress they had made in this effort at my Judiciary subcommittee hearing in early May, I learned they had held only a few meetings. Last week, the Appropriations Committee accepted strong Report language I suggested on Clipper Chip. The Attorney General is directed to report to Congress within four months on ten areas of concern about Clipper Chip. I agree with the Vice President that balancing economic and privacy needs with law enforcement and national security is not always an easy task. But we can do better than Clipper Chip. ------------------------------ Date: Fri, 22 Jul 94 14:38 EST From: Robert Ellis Smith <0005101719@mcimail.com> Subject: Privacy Journal this month Here are the headlines from the July 1994 PRIVACY JOURNAL: DIVORCE LAWYERS FIND A SPOUSE'S PC A GOLD MINE A TENTATIVE PROPOSAL FOR A NATIONAL ID CARD AN ILLUSTRATION ON HOW MATT BLAZE DISCOVERED A HOLE IN CLIPPER A NEW DATA BASE FOR BRADY GUN-CONTROL LAW TWO PRIVACY CLEARINGHOUSES SEEK FUNDING HOW VEGAS AND JERSEY KEEP A COMPUTERIZED EYE ON HIGH ROLLERS A VICTIM OF E-MAIL PROFANITIES LOSES LAWSUIT CALIFORNIA BEGINS NEW 'OPT-OUT' FOR CREDIT-CARD CUSTOMERS Robert Ellis Smith/Publisher 401/274-7861, or 0005101719@mcimail.com [The all-caps format makes it begin to sound like a weekly tabloid. PGN] ------------------------------ Date: Fri, 22 Jul 94 17:27:46 EDT From: meadows@itd.nrl.navy.mil (Catherine A. Meadows) Subject: CFP: IEEE Symposium on Security and Privacy CALL FOR PAPERS 1995 IEEE Symposium on May 8-10, 1995 Security and Privacy Oakland, California sponsored by IEEE Computer Society Technical Committee on Security and Privacy in cooperation with The International Association for Cryptologic Research (IACR) The Symposium on Security and Privacy has for fifteen years been the premier forum for the presentation of developments in computer security, and for bringing together researchers and practitioners in the field. This year, we seek to build on this tradition of excellence by re-emphasizing work on engineering and applications as well as theoretical advances. We also seek to broaden the scope of the Symposium by introducing new topics. We want to hear not only about new theoretical results, but also about work in the design and implementation of secure systems and work on policy relating to system security. We are particularly interested in papers on policy and technical issues relating to privacy in the context of the information infrastructure, papers that relate software and system engineering technology to the design of secure systems, and papers on hardware and architectural support for secure systems. The symposium will focus on technical aspects of security and privacy as they arise in commercial and industrial applications, as well in government and military systems. It will address advances in the theory, design, implementation, analysis, and application of secure computer systems, and in the integration and reconciliation of security and privacy with other critical system properties such as reliability and safety. Topics in which papers and panel session proposals are invited include, but are not limited to, the following: Secure systems Privacy Issues Access controls Security verification Network security Policy modeling Information flow Authentication Database security Data integrity Security Protocols Viruses and worms Auditing Biometrics Smartcards Commercial and industrial security Intrusion Detection Security and other critical system properties Distributed systems A new feature of the symposium this year will be a special session of very brief (5-minute) talks. Our goal is to make it possible for us to hear from people who are advancing the field in the areas of system design and implementation, and who would like to present their ideas to the symposium audience but may lack the time and resources needed to prepare a full paper. Submissions for this session will be accepted up to five weeks before the symposium, to permit us to hear of the most recent developments. Abstracts of these talks will be distributed at the conference. INSTRUCTIONS TO AUTHORS: Send six copies of your paper and/or proposal for a panel session to Catherine Meadows, Program Co-Chair, at the address given below. Papers and panel proposals must be received by November 7, 1994. Papers, which should include an abstract, must not exceed 7500 words. The names and affiliations of the authors should appear on a separate cover page only, as a ``blind'' refereeing process is used. Authors must certify prior to December 25, 1994 that any and all necessary clearances for publication have been obtained. Papers must report original work that has not been published previously, and is not under consideration for publication elsewhere. Abstracts, overlength papers, electronic submissions, late submissions, and papers that cannot be published in the proceedings will be rejected without review. Authors will be notified of acceptance by January 16 , 1995. Camera-ready copies are due not later than March 6, 1995. Panel proposals should describe, in two pages or less, the objective of the panel and the topic(s) to be addressed. Names and addresses of potential panelists (with position abstracts if possible) and of the moderator should also be included. Submitters of abstracts for the special session of five-minute talks should submit one page abstracts to Catherine Meadows, program co-chair, at the address given below. Abstracts must be received by April 3, 1995. Authors will be notified of acceptance or rejection of abstracts by April 17. Submitted abstracts that are accepted will be distributed at the conference. The Symposium will also include informal poster sessions where preliminary or speculative material, and descriptions or demonstrations of software, may be presented. Send one copy of your poster session paper to Carl Landwehr, at the address given below, by January 31, 1995, together with certification that any and all necessary clearances for presentation have been obtained. Also for the first time this year, we will attempt to counsel prospective authors. If you have questions about whether or how to present your work to the symposium, please send e-mail to the Chair (landwehr@itd.nrl.navy.mil), and we will do our best to assist you. Information about this conference will be also be available by anonymous ftp from chacs.itd.nrl.navy.mil in directory /pub/SP95, by World Wide Web from http://www.itd.nrl.navy.mil/ITD/5540/announce/SP95.html, or by sending email to sp95@itd.nrl.navy.mil. PROGRAM COMMITTEE Ross Anderson, Cambridge University, UK Steve Bellovin, AT&T, USA Tom Berson, Anagram Laboratories, USA Oliver Costich, Independent Consultant, USA George Dinolt, Loral, USA Cristi Garvey, TRW, USA Li Gong, SRI, USA Sushil Jajodia, GMU, USA Steve Kent, BBN, USA Steve Lipner, TIS, USA Teresa Lunt, ARPA/CSTO, USA John McLean, NRL, USA Jonathan Millen, Mitre, USA Birgit Pfitzmann, Universit"at Hildesheim, Germany Sylvan Pinsky, DoD, USA Michael Reiter, AT&T, USA Jaisook Rho, TIS, USA Peter Ryan, DRA, UK Tom Schubert, Portland State University, USA Paul Syverson, NRL, USA Vijay Varadharajan, HP, UK Raphael Yahalom, Hebrew University, Israel For further information concerning the symposium, contact: Carl Landwehr, General Chair Catherine Meadows, Program Co-Chair Naval Research Lab., Code 5542 Naval Research Laboratory, Code 5543 4555 Overlook Ave., SW 4555 Overlook Ave., SW Washington DC 20375, USA Washington DC 20375, USA Tel: +1 (202) 404-8888 Tel: +1 (202) 767-3490 FAX: +1 (202) 404-7942 FAX: +1 (202) 404-7942 landwehr@itd.nrl.navy.mil meadows@itd.nrl.navy.mil Dale Johnson, Vice Chair John McHugh, Program Co-Chair The MITRE Corporation Computer Science Department Mailstop A156 Portland State University 202 Burlington Rd P.O. Box 751 Bedford, MA 01730-1420, USA Portland OR 97207-0751, USA Tel: +1 617-271-8894 Tel: +1 (503) 725-5842 Fax: +1 617-271-3816 Fax: +1 (503) 725-3211 dmj@mitre.org mchugh@cs.pdx.edu Charles Payne, Treasurer Naval Research Lab., Code 5542 4555 Overlook Ave., SW Washington DC 20375, USA Tel: +1 (202) 404-8763 FAX: +1 (202) 404-7942 payne@itd.nrl.navy.mil Peter Ryan, European Contact Jim Gray, Asia/Pacific Contact Defence Research Agency Department of Computer Science Room NX17 Hong Kong Univ. of Science & Technology St Andrew's Rd Clear Water Bay, Kowloon, Hong Kong Malvern Tel: +852 358-7012 Worcs WR14 3PS,UK Fax: +852 358-1477 Tel +44 (0684) 895845 gray@cs.ust.hk Fax +44 (0684) 894303 ryan@rivers.dra.hmg.gb ------------------------------ Date: 31 May 1994 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not automated). CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ARCHIVES: "ftp crvax.sri.comlogin anonymousYourName cd risks: Issue j of volume 16 is in that directory: "get risks-16.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00, in both main directory and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; =CarriageReturn; FTPs may differ; UNIX prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are alternative repositories. See risks-15.75 for WAIS info. To search back issues with WAIS, use risks-digest.src. With Mosaic, use http://www.wais.com/wais-dbs/risks-digest.html. FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM . ------------------------------ End of RISKS-FORUM Digest 16.28 ************************