Subject: RISKS DIGEST 16.83 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Tuesday 21 February 1995 Volume 16 : Issue 83 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, etc. ***** Contents: Denver's Computerized Baggage System Finally Works (NYT via Edupage) Cyberbandits in Europe (CommunicationsWeek via Edupage) Perfect (?) Office Bug can cause harm (Gary Gillard) I can't help but say more about this addiction thing. (Peter Ladkin) Sparc10 keyboards and resetting the CPU (Carlos M. Puchol) Married by computer (Scott Sterner) UPS not quite so uninterruptable after all (Mark Frank via Jerry Leichter) Risks of generalized designs (Jim Griffith) Stolen ATM Card nets $346,770 (Rich Wells) Re: JUDGES-L (Peter da Silva) "PGP: Pretty Good Privacy" by Garfinkel (Rob Slade) The Coming Plague (Peter Wayner) Scan results (Frederick B. Cohen) Symposium on medical records (Phil Agre) NCSA Conference: Security on the I-Way (Mich Kabay) Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. ---------------------------------------------------------------------- Date: Sun, 19 Feb 1995 20:11:21 -0500 From: info@ivory.educom.edu (Edupage) Subject: Denver's Computerized Baggage System Finally Works Denver's new high-tech airport appears finally ready for operation later this month, after four false delays caused primarily by a malfunctioning computerized baggage handling system. The system now seems to be working -- but a $50 million conventional baggage handling has been built as a backup, just in case the computerized systems should fail again. (_The New York Times_ 19 Feb 1995, p.12) [From Edupage 19 Feb 1995] ------------------------------ Date: Sun, 19 Feb 1995 20:11:21 -0500 From: info@ivory.educom.edu (Edupage) Subject: Cyberbandits in Europe CommunicationsWeek International reports that computer crackers have been giving European network managers a hard time recently. Among their transgressions are stealing $150,000 worth of international phone calls from five U.K. companies and causing $400,000 in losses for a Dell Computer subsidiary that had to shut down a free customer service phone line because of fraud. (_Information Week_ 20 Feb 1995, p.63) [From Edupage 19 Feb 1995] ------------------------------ Date: Tue, 21 Feb 1995 14:17:25 -0500 (EST) From: GILLARD@NIMUE.HOOD.EDU Subject: Perfect (?) Office Bug can cause harm An annoying, and possibly serious, bug has surfaced in the recent release of Novell Perfect Office for Microsoft Windows. Temporary files may be left behind in the directory designated as TEMP in the user's autoexec.bat file. This is usually C:\TEMP or C:\WINDOWS\TEMP. Left unchecked, the files could eventually accumulate to the point where they clog the directory so that Windows applications will not run. The files take the form ~WT123B.TMP (where 123B is a unique identifier generated by the system) and are 5888 bytes long. Although Novell/WordPerfect installation help is "aware" of the bug and is "working on it," I was told that at present no user-notification program is being planned. You might think they'd learn from Intel's recent public relations fiasco.... Gary Gillard, Department of Math & Computer Science, Hood College Frederick, Maryland 21701 ------------------------------ Date: Sat, 18 Feb 1995 20:29:50 +0100 From: ladkin@techfak.uni-bielefeld.de Subject: I can't help but say more about this addiction thing. (Slade, 16.82) In RISKS-16.82, Rob Slade perceptively points out that behavior some have called `computer addiction' is part of wider patterns, and notes by his analogy that there aren't simple criteria. It may be helpful to distinguish rather than to conflate: firstly, between compulsive behavior and obsession. I would describe compulsive behavior as following an urge to do something, often repetitively, without concomitant reward other than that of appeasing the urge. We won't count the usual bodily functions...... but if you find yourself washing your hands a few hundred times a day, or the citizens of Koenigsberg set their watches by your daily walk to work, you're probably being compulsive. Obsession is when your thoughts, feelings, maybe actions orient narrowly towards one thing for a disproportionate time, whether it's rewarding or not. Sitting there with the same thought about Demi Moore buzzing round your head, you are obsessed, but not compelled (we hope). If getting rid of mother-in-law is your all-consuming hobby, you may try arsenic in the cake, running her over with the lawnmower, spiking her brandy, and rigging the breech of her shotgun. Your wife might leave you for failing at your single purpose in life, but no one would convict you of compulsive behavior. These descriptions are dependent on social variables. Nevertheless, excessive obsessive/compulsivity is regarded as one of the 15-20 diagnosable personality extremes in the DSM (the Diagnostic and Statistical Manual, Revision IV, of the American Psychiatric Association, is a helpful guide to the current US classification of human behaviors that may lead to social problems for individuals). Most successful academics, writers, musicians, cooks, winemakers, mathematicians, scientists and sportspeople are more obsessive than the general population. The way to be better than others is to do something with more enthusiasm and for longer - and it helps if this concentration jives with your personality. Addiction is a state of the organism, rather than predominantly a predisposition to certain behavior. A substance addict has highly goal-related behavior. Being drunk or high for these people is a relatively comfortable state of mind and body for *very* short periods of time. But it ruins their health, and causes self and others all sorts of problems. Addiction may be encouraged or even caused by compulsive behavior, but it is not itself a personality trait, according to the APA. If deleting email sends a thrilling tingle through your fingers, and tickles your corpus callosum until you can't let go, you may be addicted. But the boundaries are blurred. Whether you call heavy use of computers addictive, obsessive/compulsive, or simply morally virtuous may depend on the context, the evident goals of the behavior, and whether you're spouse or employer. So I won't be too surprised when some misguided soul tries to enroll all us academics, writers, musicians, cooks, winemakers, mathematicians, scientists and sportspeople in a twelve-step program. Peter Ladkin ------------------------------ Date: 19 Feb 1995 19:05:18 -0600 From: cpg@cs.utexas.edu (Carlos M. Puchol) Subject: Sparc10 keyboards and resetting the CPU It has happened to me several times now that I inadvertently knock the keyboard cable of the Sun SPARCstation 10 I work on these days. Most of the times, the result is a complete and instantaneous crash of the machine. So I tried and it seems that unplugging and plugging back in the keyboard cable at the base of the keyboard always crashes and reboots the host. This can obviously cause disks and user data to be lost. Other times only the X Window System dies. Maybe it is just this particular machine, but otherwise I can't think what is so critical about a keyboard's hardware that could cause the machine crash. No doubt a RISK in my book. -- Carlos Puchol -- http://www.cs.utexas.edu/users/cpg ------------------------------ Date: Tue, 21 Feb 95 07:43:06 -0500 From: ssterner@BBN.COM Subject: Married by computer A few months ago I moved into a new apartment. I have since received a lot of junk mail for Mary Thompson, the former resident, whom I have never met. (Name changed to protect the innocent.) From conversations I have had with neighbors, I know that she lived alone. About a month ago, I started to receive credit card ads addressed to "Scott Thompson". I wrote this off as just a database entry error (e.g., only overwriting part of the new resident's name), until this past week. A few days ago I received two identical ads, with one addressed to "Scott Thompson" and the other addressed to "Mrs. Mary Thompson". Yikes! Married to someone I've never met! If only our names were confused (e.g., "Scott Thompson"), it would not be much of a risk. However, now that at least one database considers us husband and wife, what kinds of problems does this open? - Do I get a free ride on *her* credit card history, or does she get a free ride on *mine*? (Stated the opposite way, do I suffer for *her* credit card history, or does she suffer for *mine*?) - If I fill out the credit card applications listing my real name, but they issue the cards to me as "Scott Thompson", am I liable for fraud? - If I never reply to any of these ads, could this "false name" come back to hurt me? (In other words, do I have to *proactively* stop this name from circulating, or could it never cause me harm so long as I do not use it?) Scott Sterner ------------------------------ Date: Mon, 20 Feb 95 08:33:20 EDT From: Jerry Leichter Subject: UPS not quite so uninterruptable after all [Forwarded with permission of the author. Jerry] From: Mark Frank Subject: Need UPS smarter than me. Date: Sat, 18 Feb 1995 09:11:00 -0800 (PST) To: Info-VAX@Mvb.Saic.Com I use a UPS on my PC at home. The power switch is on the front. UPS sits on the floor (the way it has to for the AC outlets to face the right way). The other day I bumped the front of the UPS with my foot and hit the power switch, power went off, and I lost my work. Now that really pissed me off... they SAID it was UNINTERRUPTABLE, but one little nudge of the power switch and off it went! Wouldn't honor the warranty, either. Ok...Ok... so I'm a moron. Moral to the story: If you are considering a UPS for a workstation-sized computer, be sure to get one with appropriate protection (like a hinged door) covering the power switch. Mark S. Frank, Department of Radiology, University of Washington, 325 9th Ave Seattle, WA 98104 frankmrk@u.washington.edu (206) 223-3561 ------------------------------ Date: Tue, 21 Feb 1995 11:19:15 -0800 From: griffith@netcom.com (Jim Griffith) Subject: Risks of generalized designs I'm playing in a computer-moderated play-by-mail game with a not-to-be-named company out of Oregon, and I ran into an interesting software logic gap. In the game, players have locations with soldiers defending it. Locations can contain guilds (representing an organization supporting a certain skill or collection of skills). A location's owner may be different from the owners of the guilds within it. In addition to the location's soldiers, guilds' soldiers can be ordered to defend the location against attack if both the location's and guilds' owner agree. An amusing incident just occurred, when we captured a location from an enemy position. Capturing it required us destroying all of the location's soldiers. However, one of the location's guild owners tried to take the location back from us by putting soldiers in his guild and then trying to launch a "guild coup". Unfortunately, the guild which attacked the city was also ordered to defend the city against attack. The location's previous owner had set this up with the guild's owner, and the change in ownership from our conquering the location didn't affect the guild defense options. So the guild ended up fighting itself. Needless to say, it lost. And in another amusing result, it turned out that the defender's ending values from a battle are written to the database before the attacker's. So since the attacker had no troops left, the guild ended up with no troops left - even though the guild-as-defender had troops survive the battle. This kind of problem crops up all of the time in software dvelopment. At my previous company, I had a problem attempting to deal with real-time data when an application which was both a data consumer and a data producer attempted to request data from itself. The normal protocol would have been to send the request out to the network, have the network manager route the request back to the application, and have the application handle it in course. But the network manager was "smart" and told the consumer "you're requesting from yourself", and refused the request. This protocol forced anyone writing a producing/consuming application to create its own internal method for requesting data from itself, in addition to the normal method of requesting data from the network. Both cases come down to developers who pictured a very general model, without considering some of the specific exceptions to the model which may very well occur in day-to-day use. In the game company's defense, this flaw has existed for several years, and as far as they know this is the first time players have actually encountered it. Jim ------------------------------ Date: Fri, 17 Feb 1995 22:25:16 -0500 From: RichWells@aol.com Subject: Stolen ATM Card nets $346,770 In RISKS 16.81 "Whittle, Jerome SMSgt" wrote: >5. Karen Smith isn't liable for the theft even though she left her card and > PIN number unsecured. I believe that she should shoulder some of the > blame and loss. I hope I'm not the only one who will speak out against this "blame the victim" mentality. Granted, the crime could and should have been prevented, but since it did happen, the blame for the crime falls squarely on the shoulders of the reprobates who committed it. The risk I see here is that if we continue to cut criminals some slack by placing some of the blame on the victim, we're only going to invite more crime of this sort. To me, this is only slightly more palatable than blaming a rape victim because of how she was dressed. ------------------------------ Date: Mon, 20 Feb 1995 11:17:43 -0600 From: peter@nmti.com (Peter da Silva) Subject: Re: JUDGES-L (Stodolsky, RISKS-16.82) > Fears of this development have led to the organization of the NetNews > Judges (TM) List (this is a reformatted InterNIC resource entry): Note that the people who actually do the volunteer work that keep Usenet running, as well as most long time Usenet readers that know about it, consider Judges-L to be a crank list. It's a closed list, with rules about the dissemination of messages outside the official membership. It periodically produces informational postings that have no relationship to accepted net behaviour. Like any other "authority" on Usenet it has no power but what individuals grant it. Unlike "authorities" like David Lawrence, who is accepted by the majority of sites as being the authoritative source of new groups, Judges-L has no followers except for the people who are actually on the list... and even then some of the people on Judges-L are only there to keep an eye on them. [Also commented on by Kevin Blackburn Kevin@fairbruk.demon.co.uk] ------------------------------ Date: Sat, 18 Feb 1995 15:54:54 EST From: "Rob Slade, Social Convener to the Net" Subject: "PGP: Pretty Good Privacy" by Garfinkel BKPGPGAR.RVW 950116 "PGP: Pretty Good Privacy", Garfinkel, 1995, 1-56592-098-8 %A Simson Garfinkel simsong@next.cambridge.ma.us simsong@expert.com %C 103 Morris Street, Suite A, Sebastopol, CA 95472 %D 1995 %G 1-56592-098-8 %I O'Reilly & Associates, Inc. %O 800-998-9938 707-829-0515 fax: 707-829-0104 info@ora.com or nuts@ora.com %P 393 %T "PGP: Pretty Good Privacy" Part one of this guide to Phil Zimmermann's "Pretty Good Privacy" (universally known by its initials, PGP) contains two rather disjointed chapters introducing PGP, itself, and cryptography basics. After that rocky start, however, part two is both readable and rivetting. Chapters on the history of cryptography, the history and development of PGP, privacy, and patents gather both the technical and social aspects of PGP together in one place. The conceptual background for public key cryptography is presented both soundly and in a manner accessible for non-experts. The many controversies over PGP are presented in a very detailed manner. Part three, "Using PGP", has chapters on file encryption, key creation, key management, email encryption, digital signatures (authentication), key distribution and certification, and Internet key servers. The style of the nutshell books give a very "technical" look to the material, and in some cases the content is very terse in comparison to Stallings' "Protecting Your Privacy" (cf. BKPRTPRV.RVW). In others (such as key management), though, the text here is paradoxically clearer. In any case, the examples are straightforward and easily followed. (Readers may, however, be excused for failing to follow the explanation of Diffie-Hellman on page 356.) The appendices cover obtaining and installing PGP for MS-DOS, UNIX and Macintosh. copyright Robert M. Slade, 1995 BKPGPGAR.RVW 950116 Vancouver Institute for Research into User Security Canada V7K 2G6 ROBERTS@decus.ca Robert_Slade@sfu.ca rslade@cue.bc.ca p1@CyberStore.ca ------------------------------ Date: Mon, 20 Feb 1995 09:31:37 -0500 From: pcw@access.digex.com (Peter Wayner) Subject: The Coming Plague While RISKS is ostensibly devoted to the foibles of computer generated bugs, readers of the list will probably enjoy _The Coming Plague_ by Laurie Garrett (Farrar Straus & Giroux). The book explores many of the battlefields between humans and microbes and then concludes that it is only a matter of time before the microbes score some dramatic victories. Many of the themes are familar to RISKS readers: the fix causes more pain than it solves; the bountiful commonweal often comes with a quicksilver lining; and there is no such thing as the last bug. The bestselling _Hot Zone_ covers a small part of the scope of this book and it is more a movie outline than a book on science. _The Coming Plague_ comes with copious footnotes and is filled with the technical details that scientists love. I've enjoyed it more and I suspect that others who read this list might feel the same. Given that some computer scientists talk of solving NP complete problems with DNA techniques, I guess that the fields are effectively merged and this is entirely appropriate for this list. ------------------------------ Date: Sat, 18 Feb 1995 07:24:56 -0500 (EST) From: "Dr. Frederick B. Cohen" Subject: Scan results Since announcing the on-line over-the-wire security scanning service (http://all.net:8080) on the risks forum, over 350 sites have performed scans. I am interested in finding out some things about the results of these scans. Any answers would be welcomed: 1) Did the service detect anything you did not expect? 2) Was the range of tests interesting enough to warrant keeping the service? 3) Is the service genuinely helpful or just a waste of time? 4) Did your defense detect the attempted attacks/defend against them? Thank you in advance for your replies (email to fc@all.net). Also, I would like to note that scans performed over the last few days, only 20 or so failed to be delivered to the tester because of mail failures. FC ------------------------------ Date: Sat, 18 Feb 1995 18:28:29 -0800 From: Phil Agre Subject: symposium on medical records A symposium is coming up that has tremendous consequences for the privacy of sensitive personal medical records -- Toward an Electronic Patient Record '95, 14-19 March 1995 in Orlando, Florida. The basic idea is to put all of your medical records on-line in a centralized repository, accessible to any medical professional who needs them. This is great when the folks in the emergency room need your records in a hurry, but it's not so great when your records are also available to insurance companies and marketers, not to mention private investigators who are willing to push the law a little bit. Right now the outlook for serious privacy protections on computerized medical records is not so good. As a result, I think it would be excellent if any net citizens were to attend this symposium and report back to the net community. I would particularly direct your attention to a meeting of the Standards Subcommittee on Access, Privacy and Confidentiality of Medical Records, which is to be held on Sunday March 12th and will be open to the public. It isn't good enough for privacy to be protected by vague principles and guidelines after the systems have been designed. Privacy capabilities such as patients' control over their personal information must be built into the technical standards, and if you can be in Florida in March then you can help out by informing the net community about the progress of those standards. More generally, the standards for a whole generation of privacy-sensitive systems are being set right now -- Intelligent Transportation Systems are another example -- and I think it's important for the net community to track the standard-setting process, publicizing problems and intervening to make sure that the new generation of standards makes full use of the new generation of privacy technologies -- especially technologies such as digital cash that are based on public-key cryptography. In the case of medical records, some of the people designing the systems actually are aware of the existence of these new privacy technologies. The hard part is making sure that real privacy protection is actually built into the standards despite the probable pressure of various economic interests to the contrary. The symposium is organized by the Medical Records Institute. MRI is on the Web at http://www.nfic.com/mri/mri.html But I particularly recommend the 36-page paper version of the conference announcement since it includes information about the exhibitors -- valuable raw material for research by privacy advocates. MRI's e-mail address is 71431.2030@compuserve.com and their paper address is 567 Walnut Street, PO Box 289, Newton MA 02160 USA. Phil Agre, UCSD ------------------------------ Date: 19 Feb 95 22:16:52 EST From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Subject: NCSA Conference: Security on the I-Way SECURITY ON THE I-WAY NCSA's 1995 Technical Symposium April 10-11, 1995 Stouffer Concourse Hotel Arlington, VA NCSA is pleased to announce Security on the I-WAY '95, a technical symposium addressing two key security issues: Internet/NII Security and Computer Viruses. Our speakers this year include many of the world's leading experts in these two key areas. For further information or to register for the conference, please send e-mail to 74774.1326@compuserve.com requesting the registration form. CONFERENCE PROGRAM: April 10/Monday: 08:30 Keynote Address NCSA: New Directions Dr. Peter Tippett, President, NCSA TRACK 1: Computer Viruses Track Chairman: Charles Rutstein April 10/Monday: 09:00 Real World Anti-Virus Review and Evaluation Richard Ford, Editor, Virus Bulletin Sarah Gordon, Command Software 10:30 Virus Metrics Joe Wells, IBM Watson Research Center 13:00 Viruses and the Internet Fridrik Skulason, FRISK Software 14:30 Virus Writing: High-tech InfoSecurity Warfare Frans Veldman, ESaSS April 11/Tuesday: 09:00 Viruses in the 32-bit Operating Environment Shane Coursen, Symantec 10:30 Viruses and Windows NT Charles Rutstein, Price Waterhouse 13:00 The Good, the Bad and the Polymorphic Alan Solomon, S&S International TRACK 2: Internet/Infrastructure Security Track Chairman: Ted Phillips April 10/Monday: 09:00 The Electronic Intrusion Risks to the NII Ted Phillips, Booz-Allen Hamilton 10:30 Public Key Infrastructure Issues Warwick Ford, Bell Northern Research 13:00 Internet Security Strategies Jim Litchko, TIS 14:30 Security Applications for Smartcard Technologies Jim Dray, NIST April 11/Tuesday: 09:00 Wireless System Security Robert McKosky, GTE Laboratories 10:30 Broadband Network Security Issues John Kimmins, Bellcore 13:00 NII Network Reliability Issues Mel Sobotka, Booz-Allen Hamilton 14:30 Law Enforcement Perspectives on NII Security Hal Hendershot, FBI M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn (Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC) ------------------------------ Date: 6 February 1995 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not yet automated). SUBJECT: SUBSCRIBE or UNSUBSCRIBE; text line (UN)SUBscribe RISKS [address to which RISKS is sent] CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. All other reuses of RISKS material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using RISKS material should obtain permission from the contributors. RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks Individual issues can be accessed using a URL of the form http://catless.ncl.ac.uk/Risks/VL.IS.html (Please report any format errors to Lindsay.Marshall@newcastle.ac.uk) RISKS ARCHIVES: "ftp unix.sri.comlogin anonymousYourName cd risks or cwd risks, depending on your particular FTP. Issue J of volume 16 is in that directory: "get risks-16.J". For issues of earlier volumes, "get I/risks-I.J" (where I=1 to 15, J always TWO digits) for Vol I Issue j. Vol I summaries in J=00, in both main directory and I subdirectory; "bye" I and J are dummy variables here. REMEMBER, Unix is case sensitive; file names are lower-case only. =CarriageReturn; UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username and password. Also ftp bitftp@pucc.Princeton.EDU. WAIS repository exists at server.wais.com [192.216.46.98], with DB=RISK (E-mail info@wais.com for info) or visit the web wais URL http://www.wais.com/ . Management Analytics Searcher Services (1st item) under http://all.net:8080/ also contains RISKS search services, courtesy of Fred Cohen. Use wisely. ------------------------------ End of RISKS-FORUM Digest 16.83 ************************