Subject: RISKS DIGEST 17.13
REPLY-TO: risks@csl.sri.com

RISKS-LIST: Risks-Forum Digest  Thursday 18 May 1995  Volume 17 : Issue 13

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc. *****

Contents:
"Double your fun" (CA lottery woes) (Bruce Findlay)
AOL Used For Sting by Miami TV Station (David Tarabar)
Marketing use of medical DB (Mark Seecof)
Safeware: System Safety and Computers, Nancy Leveson (PGN)
Computers, Ethics, & Social Values, Johnson and Nissenbaum (PGN)
Building in Big Brother: The Cryptographic Policy Debate (Lance Hoffman)
Microsoft plans corporate espionage (Chris Norloff)
RISKS in Microsoft's Windows95 (identity withheld)
Re: "Bob" passwords (Brian T. Schellenberger)
30 February 1712 (Tapani Tarvainen)
Re: Intuit's Macintax security lapse... (Don Faatz)
Re: "Nautilus foils wiretaps" (M. Vincent)
Re: Cellular disturbances (David Woolley, Frederick Roeber)
Re: Internet Addiction (Shawn Mamros, Rob Cunningham)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Tue, 16 May 1995 07:50:47 -0700
From: Bruce Findlay
Subject: "Double your fun" (CA lottery woes)

Excerpted from the local paper of record, the San Jose Mercury News [probably on 15 May 1995, which is when a similar item appeared in the San Francisco Chronicle. PGN]:

  Lottery computer gets ahead of itself

  California Lottery officials scrambled Sunday to make amends for a computer glitch that unexpectedly halted sales three hours early for the weekend's $3 million jackpot. By mistake, the computer began issuing tickets for Wednesday's upcoming drawing instead - causing anger and confusion for lottery players and retailers around the state...
  Lottery officials decided Sunday that players affected by the mix-up will have their tickets honored in both contests...

  Lottery spokesman said an employee of Sacramento's GTECH, which runs the lottery computer, was conducting routine maintenance when he mistakenly entered a command that closed the draw pool for Saturday's drawing. ...it wasn't clear how many tickets were sold during the three hours but GTECH has promised to make up any losses to the state.

RISKS? Where do I start? Why was an employee able to disturb what is supposed to be an unriggable game? If GTECH does not know how many tickets were sold, how will the loss be made right? And since when does basic operator error mean the same thing as "computer glitch"?

------------------------------

Date: Tue, 16 May 95 11:23:26 -0400
From: dtarabar@hstbme.mit.edu (David Tarabar)
Subject: AOL Used For Sting by Miami TV Station

A Miami TV station (WPLG) set up a sting operation on America Online that resulted in the resignation of a VP at the Denver Post.

In an attempt to show how easily strangers can approach unsupervised children on online services, the TV station created an AOL user that pretended to be a 13-year-old boy. A birthdate was clearly listed in a user profile and the 'boy' spoke like a 13-year-old who liked swimming and skateboarding. A user named 'Ken4boys' spoke with this 'boy' in private chats and said that he would be coming to Florida soon, and asked, "How about a hot-oil massage from an older guy". Ken4boys did meet an actor at an agreed-upon place, but within seconds found himself facing a TV camera and an investigative reporter. When this news story made its way back to Denver, Ken resigned his position as VP of Marketing at the Denver Post.

The anonymity of online personas seems a major risk here for all involved. The TV station was being fraudulent in its attempt to get a juicy sweeps week story.
Still, it is worrisome that they were able to find someone who appeared to use AOL to spice up his business trips. 'Ken4boys' also learned the danger of anonymity, but it is difficult to feel sympathy for him.

I have been skeptical about the 'PCs are a danger to your kids' stories on local news, but this is an impressive example. I don't think that AOL is too happy about any aspect of this.

------------------------------

Date: Thu, 11 May 1995 14:28:00 -0700
From: Mark Seecof
Subject: Marketing use of medical DB

Under the headline "Eli Lilly Plans to Use PCS Unit's Database to Boost Drug Sales" the Wall Street Journal reported on page B6, May 11, 1995 that:

  "Eli Lilly & Co. sees big opportunities for expanding use of its Prozac antidepressant and other drugs by exploring the patient database it acquired with its $4 billion purchase of PCS Health Systems."

(Errors in the summary here may be Mark Seecof's fault.)

Lilly's CEO Randall L. Tobias said that patients, as well as Lilly, would benefit from Lilly's trolling the PCS database of prescriptions for 56 million patients to find
(a) patients whose prescriptions suggest that they may suffer from depression manifested as several other minor illnesses--Lilly will try to get doctors to prescribe Prozac for those patients;
(b) patients who may be taking inadvisable combinations of drugs--Lilly will warn its pharmacists or doctors;
(c) drug-treated diabetic patients who might be persuaded to take to Lilly's Humulin insulin product.

(The story DOESN'T say) Lilly may find other ways to exploit the prescription billing data. For example, Lilly could use it to monitor other firms' pricing strategies. Or Lilly could match the data with other data--for example, Lilly could match prescription billing info against credit report or insurance (MIB) data then sell derivative information to people. (How many landlords will rent to tenants who have prescriptions for AZT?)
Various privacy laws may restrict some of the possible uses of the data. But none of them will protect the people whose medical condition can be estimated from the record of the drugs prescribed for them from unscrupulous marketers at Lilly or even faithless clerks at Lilly willing to take bribes from, say, skip tracers.

I think that Lilly's plan to push Prozac on people with "backaches and sleeplessness" (direct quote from Tobias) is unethical and risky.

Mark Seecof

------------------------------

Date: Wed, 17 May 95 19:10:38 PDT
From: "Peter G. Neumann"
Subject: Safeware: System Safety and Computers, Nancy Leveson

If you have ever been seriously concerned with developing systems that must satisfy stringent safety requirements, or expect to be sometime in the future, you MUST read this book. Just published, it is immediately the definitive work on software safety, and has a system perspective that is really important. After careful consideration of the fundamentals, requirements analysis, hazard analysis (including models and techniques), and human interfaces are examined with loving care. Many cases familiar to RISKS readers (Therac-25, Apollo 13, the Challenger, Bhopal, Three Mile Island, Chernobyl, and others) are treated in considerable detail in the appendices, and much new information is revealed. The book is useful as a course text and as a guidebook for safety engineers. And it all fits in 680+xvii pp. Your Risks Moderator says check it out.

  Author = {Nancy G. Leveson},
  Title = {Safeware: System Safety and Computers},
  Publisher = {Addison Wesley, Reading, Mass 01867-3999},
  Year = {1995},
  Note = {ISBN 0-201-11972-2}

------------------------------

Date: Wed, 17 May 95 18:58:16 PDT
From: "Peter G. Neumann"
Subject: Computers, Ethics, & Social Values, Johnson and Nissenbaum

Deborah G. Johnson and Helen Nissenbaum have come up with a superb book, collected from a bunch of friends and colleagues with long experience and interesting views on the titled subject.
This book is absolutely essential for anyone concerned with ethical issues related to the use of computers, and should also be read by anyone not clear on the issues. I won't list all the chapters and contributors, but it is a fine selection.

  Author = {Deborah G. Johnson and Helen Nissenbaum},
  Title = {Computers, Ethics, & Social Values},
  Publisher = {Prentice Hall, Englewood Cliffs, NJ 07632},
  Year = {1995},
  Note = {ISBN 0-13-103110-4}

------------------------------

Date: Thu, 18 May 1995 04:48:10 -0400 (EDT)
From: "Lance J. Hoffman"
Subject: Building in Big Brother: The Cryptographic Policy Debate

A collection of readings with commentary by Prof. Lance J. Hoffman (The George Washington University) has now been published by Springer Verlag. From a publisher's blurb:

  "...This book presents the best readings on cryptographic policy and current cryptography trends. ... Detailed technological descriptions of promising new software schemes are included as well as analysis of the constitutional issues by legal scholars. Important government cost analyses appear here for the first time in any book. Other highlights include the text of the new US digital telephony law and the pending encryption regulation bill and a list of hundreds of cryptographic products available around the world. There is even a paper on how to commit the perfect crime electronically, using public key encryption."

Much more detailed information and a table of contents are available by pointing your Web browser to http://www.seas.gwu.edu/seas/instctsp/docs/book

560 pages, 19 illustrations, softcover $29.95
ISBN 0-387-94441-9
Call 1-800-SPRINGER to order, email orders to orders@springer-ny.com

Professor Lance J. Hoffman, Dept of Elec Eng and Comp Sci, The Geo Washington U, 801 22nd St NW, Wash DC 20052  (202) 994-4955

------------------------------

Date: Wed, 17 May 95 13:44:40 EDT
From: cnorloff@tecnet1.jcte.jcs.mil
Subject: Microsoft plans corporate espionage

  Microsoft officials confirm that beta versions of Windows 95 include a small viral routine called Registration Wizard. It interrogates every system on a network gathering intelligence on what software is being run on which machine. It then creates a complete listing of both Microsoft's and competitors' products by machine, which it reports to Microsoft when customers sign up for Microsoft's Network Services, due for launch later this year.

  "In Short" column, page 88, _Information Week_ magazine, May 22, 1995

The implications of this action, and the attitude of Microsoft to plan such action, beggar the imagination.

Chris Norloff  cnorloff@tecnet1.jcte.jcs.mil

  [Also reported by jyoull@cs.bgsu.edu (Jim) and herzog@uask4it.eng.sun.com (Brian Herzog - Sun Microsystems, Inc.). The following analysis was also sent to RISKS by a contributor who requested anonymity. PGN]

------------------------------

Date: Wed, 17 May 95 12:22 xxT
From: [identity withheld at submitter's request]
Subject: RISKS in Microsoft's Windows95

Sometime in the latter part of the summer, Microsoft is planning to release their Windows95 follow-on for Windows 3.1 to the masses. Whether the effort required to keep things working after installing the release vs. the perceived benefits of Win95 makes the installation a sensible decision is quite an open question. Reports from beta testers are indicating that even for Windows experts, getting their system running again after the upgrade can be a bad experience, given the wide variety of complex hardware, drivers, and other components that have been integrated into Windows 3.1 environments over the years.
For Windows users who are less than experts, the problems risk being even more serious, with various applications (or even entire systems) effectively useless without various "tweaks", fixes, new drivers, new software, etc. In other words, the backwards compatibility of Win95 in the real world of people's existing Windows 3.1 installations should be an issue of grave concern, especially among users concerned about prolonged downtime. We may be reaching a stage where the sheer complexity of PC application software and hardware is making the entire concept of major operating system upgrades being installed successfully by average users extremely problematical. It seems very likely that large numbers of Windows 3.1 users will (or at least should) be extremely cautious about being early adopters of Win95.

By the way, here's a new feature announced for Win95 that carries new RISKS of its own. Called "AutoPlay", it is apparently a feature of the Win95 CD-ROM driver that allows CD-ROM authors to create a special init file on the disc that will automatically start running programs from the disc as soon as a disc is inserted into the CD-ROM drive. From the descriptions available so far, there doesn't seem to be a system-wide way to disable such a feature; you have to remember to hold down the shift key on your keyboard while inserting the disc to disable it for that particular insertion (apparently folks with remote keyboards might just be out of luck!)

What sorts of harm could come from autoloading of CD-ROMs? Outside of the obvious malicious applications (don't laugh, CD-ROMs are getting so cheap to produce that all manner of nasties could be planted on purpose or by accident), there's the obvious problem that most PC CD-ROM applications need considerable software and disk support, often involving significant use of disk space, changes to system-wide configuration and other driver data, etc.
It is not unusual for these changes to conflict in some manner with other programs and installations, needing manual intervention. At least when you do the installation manually you can stop, look for README files, etc. before starting the guts of the install, but if the CD-ROM fires off on its own there's no telling what might happen. True, a reasonable CD-ROM author would query the user about this process rather than running off and starting the install without user input, but it's probable that many authors who want things to look "slick" won't bother with this. In fact, Microsoft seems to be encouraging the "slick" attitude in their description of this feature.

Another point. You're about to start seeing music CDs that carry CD-ROM programs and data on the initial part of the disc before music track 1. If such discs tried to make use of the Win95 AutoPlay feature, an unsuspecting user who stuck the music disc into his or her CD-ROM player planning to hear only music (lots of PC users play music CDs on their CD-ROM drives these days) could end up getting a lot more than bargained for.

------------------------------

Date: Tue, 16 May 1995 13:36:02 GMT
From: bts@unx.sas.com (Brian T. Schellenberger)
Subject: Re: "Bob" passwords (Epstein, RISKS-17.12)

|if you mistype your password three times in a row, it concludes that you've
|forgotten it, and asks if you want to change it.

It's easy to make fun of this scheme, but *I* think it's a pretty good approach. This is the equivalent of the foil on your vitamins: not tamperproof protection, but tamper-*evident* protection.

This avoids the problems of users who aren't accustomed to passwords forgetting them and getting locked out, saving Microsoft technical support a lot of hassle. It is intended for home computers, which as a rule are not widely accessible to the public, and don't have any password protection currently.
And it's part of a program whose "job" is not security, but user assistance; it would be inappropriate to add security in such a program that might lock people out of their computer.

On the other hand, a scheme that makes it evident if somebody has been mucking around on the computer is a handy feature, and that's just what has been achieved here. (Whether or not the product manager and/or development team realizes it.)

I think there is a RISK in assuming that all security must be maximal. (Not to downplay the RISK in not advertising this for what it is, if that's what Microsoft is doing.)

Brian T. Schellenberger, SAS Institute Inc., R2266, 919-677-8000 x7783

  [It also provides a seeming denial of service opportunity, enabling an attacker to change EVERYONE's password. But then even that would not matter. This is almost as good as having NO passwords. Chances are no one would ever bother to look at the audit trail anyway, because in the absence of meaningful authentication, the accountability is next to worthless. PGN]

------------------------------

Date: 14 May 1995 17:42:30 GMT
From: tt@tarzan.math.jyu.fi (Tapani Tarvainen)
Subject: 30 February 1712 (Re: Wicklund, RISKS-17.12)

>There's an additional risk from the fact that different nations
>switched calendars at different times.

Indeed. Sweden adopted the leap-year rule of the Gregorian calendar in 1700, making it a non-leap year, but without adjusting the calendar otherwise, so that after that Sweden was out of sync with both Julian and Gregorian calendars. After a while they discovered it was not such a great idea, and in 1712 Sweden moved back to the Julian calendar by adding an extra day to February, resulting in the unusual date of 30 February 1712.

One should be careful in rejecting "impossible" dates...

Tapani Tarvainen

------------------------------

Date: 10 May 1995 01:11:42 GMT
From: don_faatz@rpi.edu (Don Faatz)
Subject: Re: Intuit's Macintax security lapse...

Unfortunately, it doesn't take a software screw-up to mess up electronic income taxes. My boss has had a Compuserve account for a few years. Each year at tax time, he receives several people's tax returns in his Compuserve e-mail. His Compuserve e-mail address is one character different than the address of some company that offers an electronic filing service via Compuserve. He has contacted both Compuserve and the vendor - neither was interested in trying to solve the problem. The returns are encrypted in some way ...

------------------------------

Date: Tue, 16 May 1995 11:01:57 +0100 (BST)
From: "(aardvark)"
Subject: Re: "Nautilus foils wiretaps" (Garfinkel, RISKS-17.12)

Simson points out that the software is only available to the US. Now I may not be the cleverest person in Europe, but I do have an account on a FreeNet site in the US which for the moment will remain nameless. Now really, what is to prevent me downloading nautilus to my free-net and from thence to home. Note that I am NOT indicating that I am about to do this, but it's a valid RISK - isn't it!

Malcolm Vincent (m.vincent@qub.ac.uk)

------------------------------

Date: Wed, 17 May 95 23:53 BST
From: david@djwhome.demon.co.uk (David Woolley)
Subject: Re: Cellular disturbances (Lif, RISKS-17.12)

>The new (European) digital "GSM" cellular standard produces lots of
>interference as can be heard on any radio or even HiFi amplifier

The risks here are of confusing the behaviour of faulty equipment of one type with there being a fault in another piece of equipment, and of generalising that to the behaviour of faulty equipment of a third type. Also there is a risk of only seeing one side of a two-sided problem.

The fault resulting in the "interference" here is in the amplifier, which is acting as a radio receiver, or the radio receiver which is receiving on a completely wrong frequency. (The chances are that the radio isn't even receiving the interfering signal through its aerial.)
The transmitter can be transmitting a signal which is perfectly contained within its allocated band, and still generate this effect. A lot of modern electronics could be made radio immune, but isn't, to save a small fraction on the price. The complex digital logic in a GSM mobile is immune to its signals from only a few inches away.

The generalisation is the assumption that audio frequency interference in an AC coupled device will have the same impact on a DC coupled device working at 1000s of times the frequency. In fact, a radio signal which produced no audible effect at all might still cause misoperation of a computer.

The other side of the coin is that computers which are susceptible to radio transmissions are usually very good radio transmitters themselves. Even PCs, which are designed for domestic use, can cause severe interference to shortwave receivers, which cannot be cured by modifications to the receiver (remote aerials apart). The Sun in this case probably wasn't designed to the same standard, so would generate even more interference.

It is possible that GSM transmissions are more likely to jam susceptible electronics, but this is not directly related to the audible effect on faulty amplifiers, but might be the result of using higher peak powers, although both may be the consequence of using time division multiplexing.

David Woolley, London, England  david@djwhome.demon.co.uk

------------------------------

Date: Mon, 15 May 1995 21:53:09 +0200
From: roeber@cern.ch
Subject: Re: Cellular disturbances (Lif, RISKS-17.12)

Oh, wonderful! At CERN we're replacing our beeper system with GSM phones. This has some nice side effects, especially when you drive in merely to discover a machine needs rebooting.
But of course, most of the folks with beepers or phones are going to be the ones on piquet duty -- the ones who have to go in and fix the balky computers, networks, delicate equipment, or (best of all) those enormous, incredibly sensitive, bleeding-edge particle detectors. And of course there's always some idiot who calls you up half an hour into a tricky procedure to ask, "How's it going?" "Well, it *was* going great, but now that you ask..."

Frederick Roeber  roeber@cern.ch

------------------------------

Date: Sun, 14 May 95 20:50:45 EDT
From: mamros@ftp.com (Shawn Mamros)
Subject: Re: Internet Addiction (Goldberg, RISKS-17.12)

If one admits to the existence of "Internet addiction" as a real problem (and it very well might be for some people), it would seem to me that putting together a support group using an *Internet mailing list* (thus encouraging continued use of the 'net, as opposed to therapy involving spending time *away* from the 'net) would be precisely the *wrong* way to help these people out...

-Shawn Mamros  mamros@ftp.com

------------------------------

Date: Mon, 15 May 95 09:28:10 EDT
From: rkc@xn.ll.mit.edu
Subject: Re: Internet Addiction (Goldberg, RISKS-17.12)

In the most recent RISKS-17.12, Dr. Ivan Goldberg helpfully announced a support group for Internet Addiction. Am I the only one who finds it ironic that one needs access to the Internet to participate in this support group? It seems that even if this group is successful in reducing other Internet use, the user will continue to use the Internet via e-mail to this account. Is this similar to announcing a support group that gets together to drink beers and discuss their addiction to alcohol?

-Rob

  [merlyn@stonehenge.com (Randal L. Schwartz) and "F. Barry Mulligan" both likened it to holding an AA meeting in a bar. PGN]

------------------------------

Date: 24 March 1995 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not yet automated). SUBJECT: SUBSCRIBE or UNSUBSCRIBE; text line (UN)SUBscribe RISKS [address to which RISKS is sent]

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. All other reuses of RISKS material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using RISKS material should obtain permission from the contributors.
RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
Individual issues can be accessed using a URL of the form
http://catless.ncl.ac.uk/Risks/VL.IS.html
(Please report any format errors to Lindsay.Marshall@newcastle.ac.uk)

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks" (or "cwd risks", depending on your particular FTP). Issue J of volume 17 is in that directory: "get risks-17.J". For issues of earlier volumes, "get I/risks-I.J" (where I=1 to 16, J always TWO digits) for Vol I Issue J. Vol I summaries in J=00, in both main directory and I subdirectory; "bye". <CR>=CarriageReturn. I and J are dummy variables here. REMEMBER, Unix is case sensitive; file names are lower-case only. UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username and password. Also ftp bitftp@pucc.Princeton.EDU.

WAIS repository exists at server.wais.com [192.216.46.98], with DB=RISK (E-mail info@wais.com for info) or visit the web wais URL http://www.wais.com/ . Management Analytics Searcher Services (1st item) under http://all.net:8080/ also contains RISKS search services, courtesy of Fred Cohen. Use wisely.

------------------------------

End of RISKS-FORUM Digest 17.13
************************