Subject: RISKS DIGEST 17.12 REPLY-TO: risks@csl.sri.com RISKS-LIST: Risks-Forum Digest Saturday 13 May 1995 Volume 17 : Issue 12 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, etc. ***** Contents: Software Piracy (Edupage) Risks of trusting authority... (Peter da Silva) Mercedes-E marketing spreads virus (Klaus Brunnstein) Nautilus foils wiretaps (Simson L. Garfinkel) Microsoft "Bob" passwords (Jeremy Epstein) Internet Addiction (Ivan Goldberg) More on CNID (Marc Rotenberg) The Risks of trying to teach someone that doesn't want to learn (David P. Miller) Cellular disturbances (Torsten Lif) GPS Risks (Mark Moore) GPS landing systems (Neil Youngman) Problems with wrong assumptions about date conversion (Paul Eggert) Re: Year 2000? Don't forget 1752! (Tom Wicklund) ASIS articles Webbed (Frederick B. Cohen) ABRIDGED Info on RISKS (comp.risks) [See other issues for full info] ---------------------------------------------------------------------- Date: Sun, 7 May 1995 19:54:51 -0400 From: info@ivory.educom.edu (Edupage) Subject: Software Piracy (Edupage 7 May 1995) Worldwide estimates of losses from piracy surpassed $15.2-billion last year. The problem is most rampant in Indonesia and Kuwait, where about 99% of all software is copied illegally. (Toronto Financial Post 5/6/95 p. 8) ------------------------------ Date: Fri, 5 May 1995 10:59:09 -0500 From: peter@nmti.com (Peter da Silva) Subject: Risks of trusting authority... > ... Clifford Stoll ... says that what's missing in cyberspace is > "anyone who will say, hey, this is no good... Editors serve as barometers I would say the opposite is true. On Usenet you *can't* get away with posting nonsense, because there are thousands of "editors" ready to jump on your posting and gleefully shred it in public. With printed information, you're depending on the editor being competent to judge the veracity of the information presented. It's become routine, for me at least, to check on the net to verify things I've read in print media. Yes, you have to be a bit savvy, to find the groups where competant people are monitoring postings, but that's true in print too. You have everything from the electronic equivalents of the National Enquirer, to groups like, well, comp.risks. > The date/time functions of Sybase won't accept dates before 1753 because... What do they do about dates in pre-soviet Russia? I had the same reaction to the general idea of using floating point numbers for relative time. Even in integers you need to beware of the singularity around zero (say you're dividing an integer by 2 to schedule events, if your division truncates towards zero you'll miss one event because -1, 0, and +1 all end up at the same point), with floating point these singularities are scattered up and down the number line. In any case the example seems to have been more a case of using floating point operators to perform 48 bit integer arithmetic, rather than using floating point arithmetic. ------------------------------ Date: Wed, 10 May 1995 15:49:36 +0200 From: Klaus Brunnstein Subject: Mercedes-E marketing spreads virus 2000 journalists recently received a diskette containing marketing information on Mercedes' new E-class cars. As hidden donation, this diskette contained also a virus of the Stoned family (Stoned.NoInt alias Stoned III alias Bloomington) which so far was not "in the wild" in Germany. After having been alarmed, Mercedes shipped 2,000 diskettes of a reliable AV product to the journalists. Many media reported this accident in Germany, claiming that "this virus is harmless". This is not fully untrue as the only intentional "damage" in this stealth variant of the Stoned family results in failures only with high-density diskettes. It is also possible that unintended damage occurs in the directory structure. This virus attempts to hide the infected boot sector against detection by some AV product. Fortunately, the product choosen by Mercedes reliably detects Stoned.NoInt on diskettes and disks. Question remains open whether the addressed journalists tested and cleaned all diskettes and systems which had been in contact with the infected diskette; otherwise, Mercedes marketing may have a long-time impact on some Mercedes drivers' PC systems :-) Klaus Brunnstein (Univ.Hamburg, May 10, 1995) ------------------------------ Date: Thu, 11 May 1995 15:43:02 -0400 From: simsong@acm.org (Simson L. Garfinkel) Subject: Nautilus foils wiretaps PC SOFTWARE FOILS WIRETAPS 5/10/95 By SIMSON L. GARFINKEL Special to the Mercury News As the U.S. Senate debates granting the Federal Bureau of Investigation new powers to wiretap personal communications, three West Coast computer programmers have planned their own preemptive strike: a free program, distributed on the Internet, that renders legal and illegal wiretaps useless. The programmers, Bill Dorsey of Los Altos, Pat Mullarky of Bellevue, Wash., and Paul Rubin of Milpitas, plan to release today a program that turns ordinary IBM-compatible personal computers into an untappable secure telephone. It uses an encryption algorithm called ''triple-DES'' that is widely believed to be unbreakable. ''Electronic surveillance by the government is on the rise,'' says Dorsey, the group's lead programmer. ''There also exists an equally large threat from the private sector as well: industrial espionage. Foreign governments are interested in wiretapping and getting information out of our high-tech firms.'' Called Nautilus, the program is being released as an attack on the Clinton administration's national encryption standard, the Clipper chip. Civil rights groups have criticized the Clipper initiative, since the federal government holds a copy of every chip's master key and can use that key to decrypt -- or decode -- any Clipper-encrypted conversation. But since the keys used by Nautilus to encrypt conversations are created by users, the government does not have a copy. A nod to Jules Verne Nautilus has another advantage over Clipper: Whereas AT&T's Clipper-equipped Telephone Security Devices Model 3600 costs $1,100, Nautilus is free program. ''You don't need any special expensive hardware for it. You just use ordinary PCs,'' says Rubin. The name ''Nautilus'' was taken from Captain Nemo's submarine in the Jules Verne novel, ''20,000 Leagues Under the Sea.'' But whereas Nautilus the sub was used to sink Clipper ships, the programmers hope that their creation will sink Clipper chips. To use Nautilus, both participants must have a copy of the program and an IBM PC-compatible computer equipped with a Sound Blaster card and a high-speed modem. The two participants must also agree upon a series of words called a ''pass phrase,'' which is used to encrypt the conversation. Both participants run the program and type in the pass phrase; one person instructs their computer to place the telephone call, the other instructs their computer to answer. Once the call is in progress, either user must press a key on their computer in order to speak, similar to using a hand-held radio. But unlike walkie-talkies, the users can interrupt each other. Could help criminals Such innovations could lead to conversations that would be practically foolproof from eavesdropping, either by pranksters or the government. It could become invaluable in future years to financial institutions and other corporations involved in sensitive negotiations. ''It will certainly be beneficial to many citizens and many other users of it,'' says Jim Kallstrom, assistant director of the Federal Bureau of Investigation's New York field office. ''I suspect that it also will be beneficial, unfortunately, to criminals. ''I would hope the extremely enterprising and smart people that we have in this country would work toward solutions that would not only protect the communication of citizens . . . but would also allow the law enforcement objectives to be maintained.'' Rubin stressed that while Nautilus was a challenge to write, it ''isn't rocket science.'' Much of the program, in fact, was assembled from parts that already were available on the Internet, the worldwide network of computer networks. It will even be easier to construct programs similar to Nautilus once Microsoft releases its computer telephony system for Windows 95. ''It will be impossible to keep a program like Nautilus out of the hands of people who want it,'' Rubin said. Gene Spafford, a professor of computer science at Purdue University who is an expert on computer security, said: ''It will be interesting to see what reaction this provokes from the government.'' Nevertheless, Spafford said, in order for encryption to be widely adopted, it will have to be ''built into the phones.'' Dorsey said that anybody in the United States who has Internet access can download the program. For the instructions, use the Internet FTP command to connect to the computer FTP.CSN.ORG. Change to the ''mpj'' directory and retrieve the file called README. Use a text editor to read the README file, which contains some fairly complex instructions on how to get the actual Nautilus file. This computer has been set up so that the program cannot be downloaded by people located outside the United States. ''I intend to follow all laws regarding the release of cryptography,'' he said. ------------------------------ Date: Wed, 10 May 1995 09:25:28 -0400 (EDT) From: jepstein@cordant.com (Jeremy Epstein -C2 PROJECT) Subject: Microsoft "Bob" passwords The May/June 1995 issue of InfoSecurity News reports that Microsoft Bob (Microsoft's "user-friendly" front end to Windows) has a "feature" that if you mistype your password three times in a row, it concludes that you've forgotten it, and asks if you want to change it. The Microsoft product manager says "It's not really an attempt at security" (no kidding!). If this is what "user-friendly" systems have to offer for security, I think I'll retreat to the world of paper tape and punch cards! --Jeremy Epstein, Cordant Inc. ------------------------------ Date: Thu, 11 May 1995 12:20:52 GMT From: psydoc@netcom.com (Ivan Goldberg) Subject: Internet Addiction [ Article crossposted from comp.multimedia ] [ Author was Ivan Goldberg ] [ Posted on Thu, 11 May 1995 12:14:59 GMT ] As the incidence and prevalence of Internet Addiction Disorder (IAD) has been increasing exponentially, a support group, The Internet Addiction Support Group (IASG) has been established. Below are the official criteria for the diagnosis of IAD and subscription information for the IASG. Internet Addiction Disorder (IAD) - Diagnostic Criteria A maladaptive pattern of Internet use, leading to clinically significant impairment or distress as manifested by three (or more) of the following, occurring at any time in the same 12-month period: (I) tolerance, as defined by either of the following: (A) A need for markedly increased amounts of time on Internet to achieve satisfaction (B) markedly diminished effect with continued use of the same amount of time on Internet (II) withdrawal, as manifested by either of the following (A) the characteristic withdrawal syndrome (1) Cessation of (or reduction) in Internet use that has been heavy and prolonged. (2) Two (or more) of the following, developing within several days to a month after Criterion 1: (a) psychomotor agitation (b) anxiety (c) obsessive thinking about what is happening on Internet (d) fantasies or dreams about Internet (e) voluntary or involuntary typing movements of the fingers (3) The symptoms in Criterion 2 cause distress or impairment in social, occupational or another important area of functioning (B) Use of Internet or a similar on-line service is engaged in to relieve or avoid withdrawal symptoms (III) Internet is often accessed more often or for longer periods of time than was intended (IV) There is a persistent desire or unsuccessful efforts to cut down or control Internet use (V) A great deal of time is spent in activities related to Internet use (e.g., buying Internet books, trying out new WWW browsers, researching Internet vendors, organizing files of downloaded materials.) (VI) Important social, occupational, or recreational activities are given up or reduced because of Internet use. (VII) Internet use is continued despite knowledge of having a persistent or recurrent physical, social, occupational, or psychological problem that is likely to have been caused or exacerbated by Internet use (sleep deprivation, marital difficulties, lateness for early morning appointments, neglect of occupational duties, or feelings of abandonment in significant others) Subscribe to the Internet Addiction Support Group by e-mail: Address: listserv@netcom.com Subject: (leave blank) Message: Subscribe i-a-s-g Ivan Goldberg, MD, 1346 Lexington Ave NYC 10128 212-876-7800 ikg1@columbia.edu psydoc@netcom.com http://avocado.pc.helsinki.fi/~janne/ikg/ ------------------------------ Date: 13 May 1995 11:48:49 -0400 From: "Marc Rotenberg" Subject: Re: more on CNID From EPIC ALERT 2.04: Calling-Number-ID Blocking Fails in Pennsylvania and Wisconsin Following the disclosure by the New York Times that Calling-Number-ID blocking had failed in New York State, newspapers report that at least two other states have had similar problems with the controversial phone service. The Philadelphia Inquirer reported on March 1 that the phone numbers of more than 13,000 Bell Atlantic customers were improperly disclosed. Bell Atlantic did not inform the customers or the Public Utility Commission for several weeks, until they corrected the problem. The phone company described the problem as "human error" in many cases and a software programming error in others. The Pennsylvania PUC is investigating to see if Bell Atlantic violated state law by not informing customers of the error when it was discovered. Last month, after the NYNEX problems in New York State were uncovered, Ameritech revealed that nearly 1,000 customers in Wisconsin also were unprotected after signing up for the service. Marc Rotenberg, Electronic Privacy Information Center, 666 Pennsylvania Ave SE, #301, Washington, DC 20003 202-544-9240 ftp/gopher/wais cpsr.org ------------------------------ Date: Thu, 11 May 1995 13:55:22 -0500 From: dpmiller@mitre.org (David P. Miller) Subject: The Risks of trying to teach someone that doesn't want to learn STUDENTS SUE COLLEGE OVER COMPUTER COURSE (Edupage, 9 May 1995) Two students won the lawsuit they brought against New York's Pace University when an instructor for a beginner's course in computing gave a homework assignment the students thought was too hard: calculating the price of an atom of aluminum on Friday given such information as the price of aluminum on Wednesday, the rate change between the prices of the metal on Wednesday and Friday, the atomic mass of aluminum, the value of Avogadro's number (6.02 X 10 to the 23rd power), etc., etc. The students handled their own case against the university, and asked the teacher to answer such questions as: "Do you this was a good choice for a beginning class?" The judge decided: "Students are consumers. There is nothing holy or sacred about educational institutions." (Wall Street Journal 5/9/95 A1) The judge seemed to mistake the product of educational institutions as being the work that is given out (rather than the learning that results from doing the work). This article is short on details (did the rest of the class think this was hard? Was the grade in the course based heavily on this assignment? How was the course advertised?). But I cannot imagine the details that would justify the judge finding for the plaintiffs. (especially since, at heart, this is a trivial problem). The only excuse I can think of is that the judge (along with those students) perceives computers as inherently difficult, and therefore any course which is not obviously hand-holding the students must be fundamentally advanced. David P. Miller, MITRE Corporation, 7525 Colshire Drive, McLean, VA 22102 (703)883-7667 dpmiller@mitre.org http://www.ai.mit.edu/people/dmiller/dpm.html ------------------------------ Date: Mon, 8 May 95 10:18:52 +0200 From: Torsten.Lif@eos.ericsson.se (Torsten Lif - Cyberspace Cyclist) Subject: Cellular disturbances I have one to add to the recent article about cellular phones being banned from hospitals. A week ago, one of my fellow sysops had to reboot one of our SUN servers. He was installing some software on one server when his cellular phone rang and the console terminal (a VT220-clone) of another server started "hiccupping" badly. After he power-cycled it, the server had halted and wouldn't start without a full reboot. As he was sitting there staring at the row of consoles, his cellular phone rang (again) and another terminal crashed! This time it was sufficient to "c"ontinue the server so there was only a halt of a few seconds, but the implication is clear. We carry those cellular phones to be available quickly in case a server goes down. Instead, the phone was the cause of a crash. The new (European) digital "GSM" cellular standard produces lots of interference as can be heard on any radio or even HiFi amplifier within a few feet of a GSM phone in operation. An apparently "idle" phone next to any critical electronic equipment is a time-bomb waiting to go off since an incoming call to it automatically triggers bursts of transmissions as the phone acknowledges the call. This means that banning the use of them may not be enough - people don't tend to think of just carrying a phone as "using" it. They must be turned OFF. As an aside, the previous (analog) cellular standards did not cause nearly as much interference despite operating in the same 900 MHz band. At the worst, they might "blank out" radio receivers momentarily but we never observed them interfering with digital equipment. Now, the European Union is pushing GSM as its sole cellular standard and is trying to force operators to phase out analog systems to provide more channels for digital. I think we've only seen the tip of this iceberg yet... Torsten Lif, Ericsson Telecom AB Stockholm, Sweden Torsten.Lif@eos.ericsson.se ------------------------------ Date: Fri, 05 May 1995 21:29:54 -0400 From: marko@sinanju.jjm.com (Mark Moore) Subject: GPS Risks All of the talk of time recently reminded me of an article in the March/April 1995 issue of ``Ocean Navigator'' entitled `GPS-derived time baffles NOAA researcher' written by Dan Endres of the Climate Monitoring and Diagnostics Lab near Point Barrow, Alaska. In this article he discusses the discrepancies he discovered in time as reported by WWV and his Garmin GPS-50 receiver. He ``found a discrepancy of up to 1.5 seconds between the time readout of a Garmin GPS-50 and time as broadcast by WWV.'' He decided to compare several GPS receivers with a GOES synchronized clock and all of the GPS units showed the same problem. After a discussion of the differences between UT (UT0, UT1 (GMT), and UT2), ET, and AT he reports the assurances of the manufacturers that the GPS units report accurate UT. What his own testing found was that the GPS receivers would ``start out displaying time very close to the 486-DC (GOES sync'd clock), and within 15 minutes would drift to settle at between 1 and 1.5 seconds slow.'' After several additional phone calls, a technician (employer not mentioned) explains that there is indeed a software problem "and that all the manufacturers were aware of it but not sure how to fix it, or if it was even worth fixing because of the small error." The author explains the obvious risk of shipboard personnel relying upon GPS time for a high degree of accuracy. There are, of course, the usual additional risks of blindly relying on technology manufactured by people who are reluctant to admit to problems. The parallels to the Intel FPU situation are clear, though I expect no outcry from the GPS using population. They have other, bigger problems enumerated in earlier editions of RISKS. The moral is also the usual one: If the results matter, verify. Mark Moore, Technical Consultant (and novice celestial navigator) Renaissance Solutions, Inc. marko@sinanju.jjm.com Mark_Moore@rsg.com ------------------------------ Date: Fri, 12 May 1995 15:19:30 +0000 From: youngman@signal.dra.hmg.gb (neil youngman) Subject: GPS landing systems I was just reading about proposals for a GPS based Instrument Landing System to replace current systems (Scientific American, April 1995). One system disconnects the autopilot and sounds the alarm if it detects a problem with the GPS. I hope the captain is right on the ball if the autopilot suddenly disconnects at low level! It might be better to sound the alarm and let the captain override the autopilot? Neil Youngman ------------------------------ Date: Thu, 4 May 95 20:03:56 PDT From: eggert@twinsun.com (Paul Eggert) Subject: Problems with wrong assumptions about date conversion I see several problems with programs that arbitrarily reject dates before 1753, as Sybase does according to Matthew Healy in Risks 17.11. * Even if we restrict ourselves to 20th-century dates, it's unwise to expect a general-purpose database server to implement the local civil calendar accurately. Some parts of the world did not switch to the Gregorian calendar until as late as 1920. Should a database server in, say, Athens reject a 1915 birthday? * Even if we assume locations now in the USA, it's unwise to assume that 1753 is the correct cutoff date; Alaska did not switch to the Gregorian calendar until 1867. * Several countries switched to the Gregorian calendar as early as 1582, and it's incorrect to prevent historical applications in these countries from using early Gregorian dates merely because England hadn't switched yet. In general, it is easier to document, use, debug, and internationalize programs that assume the Gregorian calendar all the way back to at least the Year 1. Specialized applications requiring other calendars can do conversions as necessary, perhaps using standard conversion libraries. For more on this subject, including an extensive set of conversions between all sorts of calendars, please see the following references. Calendrical conversion routines by E M Reingold are widely available as part of GNU Emacs. N Dershowitz and E M Reingold, Calendrical calculations. Software--practice and experience 20, 9 (Sep 1990), 899-928. E M Reingold, N Dershowitz, and S M Clamen, Calendrical calculations II: three historical calendars. Software--practice and experience 23, 4 (Apr 1993), 383-404. ------------------------------ Date: 5 May 1995 12:01:28 -0600 From: wicklund@Intellistor.COM (Tom Wicklund) Subject: Re: Year 2000? Don't forget 1752! There's an additional risk from the fact that different nations switched calendars at different times. Catholic countries switched in the 1500's, but England didn't because at the time (Henry VIII and Elizabeth I) the reformation was in full swing and anything Catholic was bad. I saw a comment about this when studying the Spanish Armada. The Spanish dates will all be about 10 days off of the English, which creates problems comparing dates between the records of each country. ------------------------------ Date: Fri, 5 May 1995 09:36:42 -0400 (EDT) From: fc@all.net (Frederick B. Cohen) Subject: ASIS articles Webbed The American Society for Industrial Security's (ASIS) Security Management Magazine is now making select articles available on an experimental basis over World Wide Web. This WWW area is still under development, but you might want to read a fine article about the problems of erasing electromagnetic media no on-line in this area. The URL is: http://all.net:8080 ------------------------------ Date: 24 April 1995 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: ABRIDGED Info on RISKS (comp.risks) [See other issues for full info] The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...] REQUESTS to (which is not yet automated). [...] CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. [...] ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks Individual issues can be accessed using a URL of the form http://catless.ncl.ac.uk/Risks/VL.IS.html [...] RISKS ARCHIVES: "ftp unix.sri.comlogin anonymous[YourNetAddress] cd risks or cwd risks, depending on your particular FTP. [...] [Back issues are in the subdirectory corresponding to the volume number.] ------------------------------ End of RISKS-FORUM Digest 17.12 ************************