Subject: RISKS DIGEST 17.10
REPLY-TO: risks@csl.sri.com

RISKS-LIST: Risks-Forum Digest  Sunday 30 April 1995  Volume 17 : Issue 10

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc. *****

Contents:
Metromover inner loop back on line (Charles P Schultz)
Radar-detector messages & cop-car computers (Mark Seecof)
AOHell (Simson L. Garfinkel)
Terrorism and telecommuting (Tim Kolar)
CyberWinter: A Forecast (Richard K. Moore)
Privacy directory (Simson L. Garfinkel)
Re: Lotus Notes authentication protocol challenged (Charlie Kaufman)
Re: Floating-Point Time (David Cline, Bill Hopkins)
Re: Digital libraries (Shannon Nelson, Michael D. Sullivan)
Clipper paper available for anon FTP (Michael Froomkin)
Advanced Surveillance, Call for Papers (Dave Banisar)
ABRIDGED Info on RISKS (comp.risks) [See other issues for full info]

----------------------------------------------------------------------

Date: 28 Apr 95 08:22:57 -0600
From: CharlesP_Schultz-ECS013@email.mot.com
Subject: Metromover inner loop back on line

Miami's Metromover was running again Wednesday afternoon after the downtown inner loop was closed for more than two days because of "phantom" trains on the track. Trains began rolling again on the 1.9-mile inner loop at 12:19 p.m. The rest of the 4.4-mile system - an outer loop and extensions north to the Omni International Mall and south to Brickell - was not affected.

Metro-Dade Transit Agency technicians attributed the problem to a faulty transmitter in a computer. Manny Palmeiro, a MDTA marketing manager, said the system detected trains when none were on the tracks. "Phantom" trains have been a recurring Metromover glitch, one of a long string of computer and other electronic and electric problems plaguing the system.

MDTA disclosed last week that in the spring and fall, sunshine sometimes trips safety sensors that detect the presence of trains. Those sensors are being realigned to shield them from the sun. Last month, MDTA managers warned that Metromover glitches likely will not go away soon. In fact, they said glitches may well be a permanent fixture of the nation's largest and most elaborate downtown automated rail system.

[Source: *Miami Herald*, 27 Apr 1995]

------------------------------

Date: Thu, 27 Apr 1995 19:22:22 -0700
From: Mark Seecof
Subject: Radar-detector messages & cop-car computers

At page 91 of the April 1995 Law and Order magazine (v.43 no.4) in the "Police Equipment News" section a short item describes a "Collision avoidance system" which "takes advantage of the millions of radar detectors in civilian use." Basically, the system requires police cruisers and other emergency vehicles (e.g., ambulance) to be equipped with microwave transmitters designed to set off speed-radar detectors. Drivers will presumably react to radar-detector alerts by looking around, improving the chance that they will see and yield to or avoid a vehicle using lights &| siren to claim right-of-way.

The detector vendor Cobra Electronics developed the system and sells detectors capable of decoding short text messages from the alerting signal. Cobra's present CAS transmitters can be programmed to send either "Emergency Vehicle" (moving vehicle) or "Road Hazard" (vehicle stopped on highway) and the scheme allows for other messages.

I'm not sure how to score the risks here. I admire the elegance of regarding existing radar detectors as general-purpose warning receivers, and the message encoding is icing on the cake. (I applaud the designers for using an open and flexible alphameric code to permit arbitrary message content.) On the other hand, the transmitters will ``pollute the channel'' (degrade S/N ratio) in a sense, making it harder for drivers to detect ``real'' radar threats.
So long as police confine system use to emergencies I think it's great. If the system gains wide use, auto makers could put alert-receivers into vehicles at the factory (such receivers need not serve as general radar-detectors; they could discriminate warning signals by their alphameric code content).

An article in the same magazine at page 77 by Tom Yates titled "Magic Patrol Cars: Police Travel Information Superhighway" suggests in glowing terms the many benefits to be had from increasing the computerization of patrol cars. I think the author reveals a certain naivete. For example he writes of one in-car machine: "the system is easy to learn because the software operates under the computer industry standard MS-DOS/Windows operating systems. To make the system even faster dedicated function keys minimize the number of keystrokes required for a given operation such as calling up information, editing data, or initiating system functions." He's describing a system to be used while the patrol car is moving. Considering how the car may lurch around, I wonder if users will get in trouble by sometimes striking the wrong function key?

Later in his column Mr. Yates (who, I should point out, is a good writer and clearly an expert on police vehicles and operations--if still in the middle of the computer learning curve) discusses engine computers and suggests that they will be improved to offer very sophisticated variations in performance for different (e.g., cruising, pursuing) situations. I'm sure many RISKS readers would wait, as I would, for the second or third software release...

Mark Seecof [all usual disclaimers implied]

------------------------------

Date: Fri, 28 Apr 1995 15:27:59 -0400
From: simsong@acm.org (Simson L. Garfinkel)
Subject: AOHell

(C) 1995 Simson L. Garfinkel
Originally appeared in The Boston Globe, April 21, 1995
[Reproduced in RISKS with the author's permission]

It's 10:00 P.M. on a weekend night, and some obnoxious guy in the America Online Chat Forum won't shut up. What do you do? You give them the finger, of course. And if that doesn't work, you can always shoot them.

Want everybody in the chat room to shut up so you can talk? Just click the button labeled "Ghost," and the screen will clear away everyone else's comments, giving you space to make yourself heard.

You won't find these features on America Online's standard set of menu options. But they are part of a new anti-AOL program called AOHell that's making the rounds on some electronic bulletin board systems.

AOHell can do more than make mischief in America Online's chat rooms: the program has a number of devilish features that seem designed for turning online lives into living nightmares. Armed with AOHell, one user can send dozens, or hundreds, of electronic mail messages to an unwitting victim in just a few seconds, a technique known as "mail bombing." AOHell can also mail bomb the victim's fax machine and even his US mailbox. And what if you really don't like another subscriber? Just click on the "Punt" command and you'll abruptly log them off, thanks to an apparent bug in America Online's operating software.

Why would someone develop such a program and give it away for free over the Internet? "I hate the staff on AOL for one, I hate most of the people on AOL for another, and I wanted to cause a lot of chaos," explains one of the anonymous authors of AOHell, who identifies himself only as Da Chronic, in the program's instruction manual.

Indeed, AOHell's worst punches seem to be aimed directly at America Online itself. AOHell has a nefarious system built into it for generating fictitious credit-card numbers. According to users, the program can make free accounts that last up to 10 hours of online time or one week, whichever comes first. For users with high bills for the nation's second-largest online service, AOHell has the ability to let users download files for free.

"Any member using AOHell will have their account immediately terminated," says Margaret Ryan, a spokesperson for the company.

AOHell is a piece of software for engaging in illegal activities, sometimes called banditware, which runs in conjunction with America Online's communications software for Windows-based computers. It appears to be the first time that such a program has been written to directly attack one of the nation's large online services.

Some of AOHell's abilities appear to exploit bugs in the America Online system, while others, such as the ability to display a raised middle finger in a chat room, seem to merely simulate an extremely rapid typist. Ryan wouldn't say if AOL has any technical fixes in the works that would prevent the program from functioning properly. Indeed, Ryan doesn't even know who wrote AOHell.

Although AOHell's author has chosen to remain anonymous, a built-in feature allows AOHell users to send bug reports to the program's author. Those reports get sent to a computer in Finland called an anonymous remailer, which allows people on the Internet to exchange electronic mail without knowing each other's identities.

"If you think AOH 2.0 is marvelous, wait until you see 3.0," wrote the program's author, in response to an electronic mail message. "I'm almost finished with it and it will make version 2 look like a Commodore 64 program, to say the least."

------------------------------

Date: Fri, 28 Apr 95 23:24:31 PDT
From: Tim Kolar
Subject: Terrorism and telecommuting

In the aftermath of the recent tragedy in Oklahoma, there have been several reports of government agencies allowing at least temporary telecommuting arrangements for their employees. One wonders if widespread telecommuting could alleviate this kind of problem completely. Individual attacks and attempts to disrupt the communications backbone are a possibility, but I'm not sure there's much to attract terrorists in either of them.
Harassing individuals hasn't done much for the so-called "Unabomber", and disruption of telephone service is more an annoyance than something to live in terror of. In any case, I like the sound of "everyone go home and work" a lot better than "we'll be installing video cameras on every street corner".

-Tim Kolar

------------------------------

Date: Sun, 30 Apr 1995 09:39:02 +0000
From: rkmoore@iol.ie (Richard K. Moore)
Subject: CyberWinter: A Forecast

Not that this should be unexpected news to any of you, but Cyber Winter is at hand. We are aware of the Cyber Glaciers -- in the form of the S.390 Censorship Bill and the S.1984 FBI Police-State Enablement Act -- blasted loose from the Washington Ice Floes by the ever-so-timely Oklahoma explosion. But merely the _news_ of the glaciers is enough to chill hearts and will...

One list, with mild political content, was shut down last week with no explanation. After persistent investigation, I was able to learn that someone up the byte-chain feared that the list _might_ be perceived as controversial _by someone someday_, and out of concern for his "job and family", felt he better shut down the list ASAP. I learned this from the person himself, although it took several rounds of questions to get past his layers of embarrassment. This was at a prestigious university. I promised not to name names.

The Internet is very fragile. It doesn't require police activity to shut it down; all it takes is the fear of controversy, in a climate of media-fanned public emotions. The lists and servers operated by universities and corporations are brittle as fine crystal -- those institutions have no incentive to risk even the _potential_ censure of their customers, alumni, directors, funding sources, etc.

Commercial providers (AOL, CServe, etc) similarly won't wait for a knock on the door before they "clean up their act" -- and I mean sparkling lemon-fresh baby-powder clean, suitable for children, grannies, and Baptists (no offense intended).

We are entering what the ACLU refers to as a "chilling" era. The Well, CPSR, APC -- and other sites with a conscience -- will in many cases take a principled, courageous stand for cyber rights. But those are exactly the sites that the Police State legislation is designed to suppress. They can't afford to pursue the "Enumerated Defenses", the way Cyberspace INC will be able to, when it distributes its interactive soft-porn cyber-soaps into everyone's home, in order to sell burgers, lager, and designer jeans.

Forget open BBS's -- they'll soon be history.

It's time to get out your winter coats. For what little difference it'll make, you might want to take down the personal email and snail addresses of your online associates while you still can.

------------------------------

Date: Sun, 30 Apr 1995 10:24:19 -0400
From: simsong@acm.org (Simson L. Garfinkel)
Subject: Privacy directory

This isn't so much a RISK as a RESOURCE.

The Privacy Journal has assembled a really phenomenal directory of privacy professionals. The directory has hundreds of people, with their names, phone numbers, addresses, email addresses, and brief descriptions of what they do or have done that's notable in the privacy field. I've been writing about privacy issues for nearly a decade, but even my own personal database pales in contrast to what the Privacy Journal's publisher Robert Ellis Smith has assembled.

You can get the directory for $12.50 from Smith. It is available in print or electronically. Here is Smith's entry:

   Smith, Robert Ellis
   Publisher
   Privacy Journal
   P. O. Box 28577
   Providence RI 02908
   401/274-7861
   fax upon request
   Attorney, publishes monthly newsletter, books and special reports; author of Our Vanishing Privacy (1993), The Law of Privacy Explained (1993), Compilation of State and Federal Privacy Laws (1994)
   E-mail address: 0005101719@mcimail.com

(Note: I write occasionally for The Privacy Journal, but this is still a great resource.)

------------------------------

Date: 28 Apr 95 9:53:31 EDT
From: Charlie Kaufman/Iris
Subject: Re: Lotus Notes authentication protocol challenged (Gong, RISKS-16.87)

>(2) [...] Cynthia Dwork of IBM Almaden wrote in ACM SIGACT
>News 26(1) (March 1995) that the authentication procedure using public-key
>systems in Lotus Notes, as described in its "Internals online book", has
>security flaws. Lotus's response is (1) the actual system does not work as
>described in the manual and (2) how it actually works is proprietary
>information. [LG: (1) is dangerous by itself, and if (2) is true, then why
>pretending to describe the procedure in the first place.]

It's all true.

The authentication protocol used by Lotus Notes is a somewhat involved mix of public key and secret key cryptography designed for good security and performance. In the Security Internals online book in a section on the certificate hierarchy and the implied trust model, there is an aside on how authentication takes place once the two sides know each other's public keys. Because the truth was complex and the complexity seemed irrelevant, the author substituted a "classic" public key authentication protocol for the real one. Unfortunately, while that protocol was not itself flawed, using the same public key for that protocol and for the encryption and the signing of electronic mail would be insecure. That was the central point of the Dwork article: that two well designed cryptographic protocols can be insecure when used together sharing keys. The actual Lotus Notes authentication protocol does not have this problem.
While the Lotus Notes authentication protocol was never intended to be proprietary or secret, it was also never fully publicly documented, and the public documentation that did exist was incorrect. A more complete writeup has subsequently appeared in the book "Network Security: Private Communication in a Public World", by Charlie Kaufman, Radia Perlman, and Mike Speciner, Prentice Hall, 1995. The on-line documentation will be corrected.

Charlie Kaufman   Email: charlie_kaufman@iris.com   Tel: 1-508-392-5276
Iris Associates, One Technology Park Drive, Westford, MA 01886, USA

------------------------------

Date: Sat, 29 Apr 1995 19:49:08 GMT
From: dcline@netcom.com (David Cline)
Subject: Re: Floating-Point Time (Kuenning, RISKS-17.09)

> ... Since there are about 3x10^7 seconds in a year, or about 10^8 every
> 3 years, one can represent about 8x16x3 = 384 years to millisecond
> precision without violating that range, right?

Wrong. This confuses milliseconds and microseconds; you can represent 285 years to *microsecond* accuracy in 53 bits. If you only care about millisecond accuracy, you can represent about 285,000 years. There are also ways of using the sign bit to double the effective range.

Dave Cline   Spring Valley Software   dcline@netcom.com

   [Your moderator is dismayed that this is dragging on so long! PGN]

------------------------------

Date: Fri, 28 Apr 95 11:12:30 EDT
From: hopkins@VFL.Paramax.COM
Subject: Re: Floating-Point Time

On the year-zero and religious wars: PGN suggests [RISKS-17.09] that first-century dates (which were, after all, not invented until well after the fact) would have created religious wars had there been computers to suggest that there should be a year zero. Any self-respecting computer, however, would have balked at attempts to divide the factions by zero.

Bill Hopkins   hopkins@VFL.Paramax.Com   Unisys Corporation (Soon to be Loral, they say)
610-648-2854 or 363-7464   Valley Forge Eng'g Ctr, POB 517, Paoli PA 19301

------------------------------

Date: Thu, 27 Apr 95 13:11 PDT
From: snelson@ptdca2.al.intel.com
Subject: Re: Digital libraries (Kass, RISKS-17.09)

> [...] However, the only media which has persistence of 50+ years which
> has been proven in a reliable way is film.

This points out a risk of being too close to the technology. Perhaps microfilm is the only "technological" way of storing media for 50+ years, but it seems to me that the low-tech method of printed books has about 5 to 10 times that lifespan, depending on the paper and ink used. It also has the benefit of being immediately accessible to the reader, as no fancy technology is necessary to extract the data, outside of a current prescription for one's glasses.

Shannon Nelson, Portland Technology Development, Intel Corp.
snelson@ptd.intel.com   (503) 642-8149   I don't speak for Intel

------------------------------

Date: 30 Apr 1995 01:20:08 -0400
From: mds@access.digex.net (Michael D. Sullivan)
Subject: Re: Digital Libraries (Kass, RISKS-17.09)

And what about paper (acid-free), papyrus, or other similar media that have lasted hundreds or thousands of years intact? Or stone (e.g., cuneiforms or etchings on silicon)? Microfilm (silver on film) has been around far less time than these. In fact, the film media used in the 1930s (nitrocellulose) has proven to be disastrous -- it practically self-destructs. Moreover, silver has only been in use for a bit over a century as a means of fixing an image, and it has distinct disadvantages, due to oxidation. Carbon-based ink on non-acid paper, on the other hand, lasts virtually forever.

Perhaps replacing paper with Mylar would be a good step, but silver halide images would not appear to be good for long-term archiving; photographers have turned to platinum and other means of giving longevity to photographic images, in lieu of silver. India ink on papyrus or vellum might last longer, though. Maybe convert the data to carbon-based laser toner on Mylar in barcodes?

Michael D. Sullivan | INTERNET E-MAIL TO: mds@access.digex.net
Bethesda, Md., USA  | also avogadro@well.com, 74160.1134@compuserve.com

------------------------------

Date: Thu, 27 Apr 1995 15:24:59 -0400 (EDT)
From: Michael Froomkin
Subject: Clipper paper available for anon FTP

My paper, "The Metaphor is the Key: Cryptography, the Clipper Chip, and the Constitution" is now available for anonymous FTP. It is about 180pp. long, and contains more than 800 references. I would welcome your feedback on this paper -- even (especially?) contributions to the inevitable errata sheet. (Please note this document resides at what is officially a "temporary" site, so that if you create a web link to it, please let me know so that I can notify you when it moves).

Contents of FTP://acr.law.miami.edu/pub/..

File                 Type
- - - - - - - - - -  - - - - - - - - - - - - - - - - - - - - - - - - - - - -
clipper.asc          ASCII
clipper.wp           WP 5.1/Dos
clipperwp.zip        Pkzipped version of clipper.wp
clipper.ps           My best effort at Postscript. YMMV. (approx. 7Mb.)
clipperps.zip        Pkzipped version of clipper.ps
clipper.ps.gz        Gzipped version of clipper.ps

Ports provided by nice people (please note I have not checked these):

clipper.ps.Z         Unix compressed version of clipper.ps with carriage
                     returns removed -- courtesy of Whit Diffie
clipperMSW.sea.hqx   Binhexed self-extracting Microsoft Word 5.1 for
                     Macintosh version of clipper.wp -- courtesy of Ted Byfield

None of these files contains correct and final page numbers, and there are generally trivial typos that were corrected in the printed version. The printed version appears at 143 U.Penn.L.Rev. 709 (1995).
I intend to put up a web version presently. The .index file in the above directory will have details when a clean copy is ready for prime time. A link to an experimental and highly buggy HTMLized version may appear at erratic intervals at http://acr.law.miami.edu at the very bottom of the homepage.

A. Michael Froomkin, Associate Professor of Law, U. Miami Law School,
POB 248087, Coral Gables, FL 33146 USA   +1 (305) 284-4285   MFROOMKI@UMIAMI.IR.MIAMI.EDU

------------------------------

Date: 29 Apr 1995 13:22:30 -0400
From: "Dave Banisar"
Subject: Advanced Surveillance, Call for Papers

                              CALL FOR PAPERS

                     Advanced Surveillance Technologies

        Sponsored by Privacy International, and Electronic Privacy Information Center

                              4 September 1995
                             Copenhagen, Denmark

Overview

Over the past decade, fundamental changes have taken place in the nature and the environment of surveillance. New information systems offer an unprecedented ability to identify, monitor and track a virtually limitless number of individuals. Some leading-edge technologies are likely to revolutionize the practice of surveillance. The factors of cost, scale, size, location and distance have, in many instances, become largely irrelevant.

The impact of political and economic change throughout the world has also created unforeseen dimensions to surveillance. The evolution of a Global Information Infrastructure will have a profound impact on the scope of potential surveillance of individuals. The end of the cold war and the privatization of public sector activities have magnified the impact of change. The merging of technologies has also created new opportunities for wide-scale surveillance.

The nature of surveillance has changed to the extent that modern information systems involve a pre-requisite of general surveillance of populations. The pursuit of perfect identity has created a rush to develop systems which create an intimacy between people and technology. Advanced biometric identification and sophisticated ID card systems combine with geographic tracking to create the potential to pinpoint the location of any individual. The use of distributed databases and data matching programs makes such tracking economically feasible on a large scale.

Extraordinary advances have recently been made in the field of visual surveillance. Closed Circuit Television (CCTV) systems can digitally scan, record, reconfigure and identify human faces, even in very poor light conditions. Remote sensing through advanced satellite systems can combine with ground databases and geodemographic systems to create mass surveillance of human activity.

The globalization of information systems will take information once and for all away from the protection and jurisdiction of national boundaries. The development of data havens and rogue data states is allowing highly sensitive personal information to be processed outside any legal protection.

At a more intimate level, research is underway in more than a dozen countries with the aim of implanting microchip technology directly into the human brain. US and European medical institutes have already conducted many such operations. The creation of a direct link between the human brain and computer technology is at an advanced stage. Such procedures are initially aimed at stimulating dead senses and paralyzed limbs. Within two decades, it is possible that such implants will be at a sufficiently advanced stage to enable complex interaction between the brain and external technology.

The science of nanotechnology, which involves the re-configuration of individual atoms and molecules, will present the potential for virtually undetectable covert surveillance.

These and other developments are changing the nature and meaning of surveillance. Law has scarcely had time to address even the most visible of these changes. Public policy lags behind the technology by many years. The repercussions for privacy and for numerous other aspects of law and human rights need to be considered sooner rather than later.

This one day conference will present an overview of these leading-edge technologies, and will assess the impact that they may have in the immediate future. Experts and analysts will discuss the nature and application of the new technologies, and the public policy that should be developed to cope with their use. The conference theme is unique, and interest in the event has already been expressed from throughout the world.

Program contents

The first session will assess new dimensions in current surveillance technologies. The remainder of the day will be devoted to exploring technologies which are in the formative stage of development.

Preliminary List of Topics:

   o Advanced Satellite Surveillance
   o Microchip Implants
   o Nanotechnology
   o Biometrics and perfect identity
   o Advanced Geodemographic Systems
   o Data Havens and Rogue Data States
   o Information Warfare
   o Cryptography

The conference will be held in Copenhagen, and is timed to coincide with the 17th annual international meeting of privacy and data protection commissioners.

Number of participants: approximately one hundred

Cost:  US $75  - Individuals/non-profit organizations
       $175    - Commercial organizations

Privacy International and the Electronic Privacy Information Center are now requesting abstracts for papers. Papers should be directed at a general audience, and should either present an overview of an aspect of advanced surveillance technology, or they should discuss the likely use and impact of the technology.

Abstracts or papers can be emailed to Privacy International at: pi@privacy.org

Alternatively, they can be sent to:

   Privacy International
   Washington Office
   666 Pennsylvania Ave, SE, Suite 301
   Washington, DC 20003 USA
   1-202-544-9240 (phone)
   1-202-547-5482 (fax)

Web address: http://privacy.org/pi/
gopher/ftp cpsr.org /cpsr/privacy/privacy_international/

David Banisar (Banisar@epic.org)            * 202-544-9240 (tel)
Electronic Privacy Information Center       * 202-547-5482 (fax)
666 Pennsylvania Ave, SE, Suite 301         * ftp/gopher/wais cpsr.org
Washington, DC 20003                        * HTTP://epic.digicash.com/epic

------------------------------

Date: 24 April 1995 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: ABRIDGED Info on RISKS (comp.risks) [See other issues for full info]

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...] REQUESTS to (which is not yet automated). [...]

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. [...] ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
Individual issues can be accessed using a URL of the form
   http://catless.ncl.ac.uk/Risks/VL.IS.html
[...]

RISKS ARCHIVES:
   ftp unix.sri.com
   login anonymous
   [YourNetAddress]
   cd risks   or   cwd risks, depending on your particular FTP.
[...]
[Back issues are in the subdirectory corresponding to the volume number.]

------------------------------

End of RISKS-FORUM Digest 17.10
************************
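[Editor's worked example, added to this archived issue. It is not part of the digest and is not Lotus code; it illustrates the general hazard Charlie Kaufman describes in the Lotus Notes item above: a "classic" public-key challenge-response authenticator, applied with the same key that also encrypts and signs mail, turns the prover into a decryption and signing oracle. The "classic" protocol shown (verifier sends a challenge, prover returns it transformed by its private key) is the textbook form, not the protocol in the Internals book; the key, the primes, the messages and the domain-separation tag are all constructed for the example, and textbook RSA without padding is used only to keep the arithmetic visible.]

```python
"""Key reuse across two sound protocols: a textbook RSA challenge-response
authenticator plus RSA mail encryption/signing under one key.
Constructed example: small fixed primes, no padding, not production crypto."""
import hashlib

# Constructed key. Both primes are well known; gcd(E, (P-1)(Q-1)) == 1 holds.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)
TAG = b"auth-v1|"                   # assumed domain-separation tag for the hardened prover


def private_op(x: int) -> int:
    """RSA decryption and RSA signing are the very same private-key operation."""
    return pow(x, D, N)


def public_op(x: int) -> int:
    return pow(x, E, N)


def int_to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def encrypt_mail(plaintext: bytes) -> int:
    m = int.from_bytes(plaintext, "big")
    if not 0 < m < N:
        raise ValueError("message must be smaller than the modulus")
    return public_op(m)


def decrypt_mail(ciphertext: int) -> bytes:
    return int_to_bytes(private_op(ciphertext))


def mail_digest(msg: bytes) -> int:
    # 7 bytes (56 bits) keeps the digest below the 60-bit constructed modulus.
    return int.from_bytes(hashlib.sha256(msg).digest()[:7], "big")


def sign_mail(msg: bytes) -> int:
    return private_op(mail_digest(msg))


# "Classic" authentication as the manual described it: the verifier sends a
# random challenge and the prover returns it transformed by its private key.
def naive_prover(challenge: int) -> int:
    return private_op(challenge)


def naive_verify(prover, challenge: int) -> bool:
    return public_op(prover(challenge)) == challenge


# Abuse: whoever plays verifier picks the "challenge". Feed the prover an
# intercepted mail ciphertext and it hands back the plaintext; feed it the
# digest of a document and it hands back a valid mail signature on it.
def oracle_decrypt(prover, intercepted_ciphertext: int) -> bytes:
    return int_to_bytes(prover(intercepted_ciphertext))


def oracle_sign(prover, document: bytes) -> int:
    return prover(mail_digest(document))


# One mitigation if separate keys are not available: the prover never applies
# the private key to attacker-chosen data, only to a tagged hash of it.
def _auth_digest(challenge: int) -> int:
    h = hashlib.sha256(TAG + challenge.to_bytes(16, "big")).digest()[:7]
    return int.from_bytes(h, "big")


def hardened_prover(challenge: int) -> int:
    return private_op(_auth_digest(challenge))


def hardened_verify(prover, challenge: int) -> bool:
    return public_op(prover(challenge)) == _auth_digest(challenge)


if __name__ == "__main__":
    c = encrypt_mail(b"PAYROLL")
    doc = b"I owe you one million dollars"
    print("naive auth succeeds:       ", naive_verify(naive_prover, 424242))
    print("naive prover leaks mail:   ", oracle_decrypt(naive_prover, c))
    print("naive prover forges sig:   ", oracle_sign(naive_prover, doc) == sign_mail(doc))
    print("hardened auth succeeds:    ", hardened_verify(hardened_prover, 424242))
    print("hardened prover leaks mail:", oracle_decrypt(hardened_prover, c) == b"PAYROLL")
```

The naive verifier and the mail subsystem are each fine on their own; the break comes only from sharing the private exponent between them, which is the point of the Dwork observation as Kaufman summarises it. Separate keys per purpose is the cleaner fix; the tagged-hash prover is the fallback when one key must serve both.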
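[Editor's worked example, added to this archived issue and not part of the digest or of any contributor's message, for the Floating-Point Time thread above. It separates two questions that the thread runs together: how many integer ticks of a given size a 53-bit significand counts exactly (David Cline's 285 years at microseconds, about 285,000 at milliseconds), and at what magnitude a double holding *seconds* can no longer resolve one tick, which is governed by the spacing between adjacent doubles (the ulp) and so lands on a power of two rather than on 285 years. The year length of 365.25 days and the tick sizes are the example's own inputs.]

```python
"""How far an IEEE-754 double carries a timestamp at a given tick size.
Constructed example; only the 53-bit significand and a 365.25-day year are assumed."""
import math

SIGNIFICAND_BITS = 53                 # 52 stored fraction bits plus the implicit leading 1
SECONDS_PER_YEAR = 365.25 * 86400     # about 3.16e7 s, as in the thread


def years_of_exact_ticks(tick_seconds: float) -> float:
    """Ticks stored as an integer count in a double: every integer up to 2**53
    is exact, so the counter covers 2**53 * tick seconds before it skips."""
    return 2 ** SIGNIFICAND_BITS * tick_seconds / SECONDS_PER_YEAR


def seconds_resolvable(tick_seconds: float) -> float:
    """Seconds stored directly in a double: within [2**k, 2**(k+1)) adjacent
    doubles are 2**(k-52) apart. Returns the smallest magnitude at which that
    spacing exceeds tick_seconds, i.e. the top of the last usable binade."""
    k_max = math.floor(SIGNIFICAND_BITS - 1 + math.log2(tick_seconds))
    return 2.0 ** (k_max + 1)


def tick_is_lost(timestamp: float, tick_seconds: float) -> bool:
    """True when adding one tick rounds straight back to the same double,
    i.e. a loop doing t += tick would stop advancing."""
    return timestamp + tick_seconds == timestamp


def report(tick_seconds: float, label: str) -> dict:
    limit = seconds_resolvable(tick_seconds)
    return {
        "tick": label,
        "exact_tick_count_years": years_of_exact_ticks(tick_seconds),
        "seconds_as_double_years": limit / SECONDS_PER_YEAR,
        "ulp_just_below_limit": math.ulp(limit - 1.0),   # Python 3.9+
        "ulp_at_limit": math.ulp(limit),
    }


if __name__ == "__main__":
    for tick, label in ((1e-6, "microsecond"), (1e-3, "millisecond")):
        r = report(tick, label)
        print(f"{label}: integer tick counter exact for {r['exact_tick_count_years']:,.0f} years; "
              f"seconds-as-double resolves one tick below {r['seconds_as_double_years']:,.0f} years "
              f"(ulp {r['ulp_just_below_limit']:.2e} -> {r['ulp_at_limit']:.2e})")
    t = 2.0 ** 34
    print(f"at {t / SECONDS_PER_YEAR:.0f} years, t + 1e-6 == t is {tick_is_lost(t, 1e-6)}")
```

The integer-tick figures reproduce Cline's numbers. The seconds-as-double limit is lower (2**33 s, about 272 years, for microseconds) because precision steps down at each power of two, and past 2**34 s a one-microsecond increment is rounded away entirely, which is the failure mode a time-keeping loop would actually hit.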