Subject: RISKS DIGEST 17.15
REPLY-TO: risks@csl.sri.com

RISKS-LIST: Risks-Forum Digest  Weds 28 May 1995  Volume 17 : Issue 15

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

          >>>>> I'm back on-line for a while.  PGN <<<<<

***** See last item for further information, disclaimers, etc. *****

Contents:
Prodigy Held Liable (Dave Banisar)
Stuyvesant High School Hackers (Mich Kabay)
J. Schwartz on Decency and Democracy (Mich Kabay)
Defamation by BBS (Mich Kabay)
Defying pitfalls of a cashless society (Brian Randell)
Flightdeck automation problems (Kenneth Funk)
A slightly more global look at time and date issues (Robert J Horn)
"Calling the Ahperator" (William Newman)
Denial of Service attack on ISP (Simon Lyall)
Drug-Addicted Geniuses Built Cyberspace (Daniel Frankowski)
Re: Positive-Ion Dangers: Computers and stress / depression (Lindsay F. Marshall, Jonathan I. Kamens)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: 26 May 1995 23:12:00 -0400
From: "Dave Banisar"
Subject: Prodigy Held Liable

A New York state trial court ruled on 24 May 1995 that Prodigy is responsible for the libelous statements of its users because it exercises editorial control over their posts. In the case, an anonymous Prodigy user made statements against New York investment firm Stratton Oakmont accusing it of criminal and fraudulent acts. Stratton Oakmont sued Prodigy and the volunteer moderator of the forum where the statements were published. The Court found that Prodigy was acting as a publisher and therefore was responsible for the content of the posts. The Court distinguished the case from the earlier Cubby v. Compuserve decision, which found that Compuserve was subject to the standards of a bookstore or library.
In that case, the US District Court ruled that Compuserve had no editorial control over the text. According to the New York state court:

   In contrast, here Prodigy has virtually created an editorial staff of Board Leaders who have the ability to continually monitor incoming transmissions and in fact do spend time censoring notes. Indeed, it could be said that Prodigy's current system of automatic scanning, guidelines, and Board Leaders may have a chilling effect on freedom of communications in Cyberspace, and it appears that this chilling effect is exactly what Prodigy wants, but for the legal liability that attaches to such censorship. Let it be clear that this court is in full agreement with Cubby and Auvil. Computer bulletin boards should generally be regarded in the same context as bookstores, libraries and network affiliates... It is Prodigy's own policies, technology and staffing decisions which have altered the scenario and mandated the finding that it is a publisher.

The court also attempted to downplay the significance of its decision on the greater area of electronic networks:

   Prodigy's conscious choice, to gain the benefits of editorial control, has opened it up to greater liability than Compuserve and other computer networks that make no such choice. For the record, the fear that this Court's finding of publisher status for Prodigy will compel all computer networks to abdicate control of their bulletin boards, incorrectly presumes that the market will refuse to compensate a network for its increased control and the resulting increased exposure.

The Court also found that the volunteer "Board Leader" of the Prodigy Bulletin Board was acting as an agent of the company. The Court found Prodigy exercised control over the Board Leaders through the Bulletin Board Leader Agreement and the actions of Prodigy's employees. Prodigy has said that it will consider appealing the decision.
EPIC has materials on free speech available at http://epic.org/free_speech/
We will be making a copy of the decision available in the next few days.

David Banisar, Electronic Privacy Information Center
666 Pennsylvania Ave, SE, Suite 301, Washington, DC 20003
202-544-9240  HTTP://epic.digicash.com/epic

------------------------------

Date: 29 May 95 15:38:14 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: Stuyvesant High School Hackers

From the Associated Press news wire via CompuServe's Executive News Service:

   Hacker High, by RAYNER PIKE, Associated Press Writer

   NEW YORK (AP) -- Some of New York's best and brightest set out to show that they can rush in where high schoolers are not supposed to tread -- the computer systems of Ivy League colleges. They succeeded. Their principal was not amused. Their victims were not impressed. The systems of Columbia and Princeton, as well as Bucknell University, were targeted by hackers from the elite Stuyvesant High School.

Key points:

o Principal said, "No harm was done and none was intended."
o School adding ethics classes to computer courses.
o Bucknell University staff said the hack was a prank and not slick.
o "...students got a couple of Bucknell passwords and used them to send E-mail. They left one note without removing coding that tracked the sender back to Stuyvesant, a public school for academically gifted children."
o Students used one Columbia University ID but no obvious damage.
o Princeton IDs and passwords obtained but apparently not used.

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)

------------------------------

Date: 30 May 95 14:47:07 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: J. Schwartz on Decency and Democracy

From the Washington Post news wire via CompuServe's Executive News Service:

   WP 05/29 NETWORKINGS
   Making the On-Line Community Safe for Decency -- and Democracy
   By John Schwartz, Washington Post Staff Writer

   Sen. James Exon sounds for all the world like a man who's ready to make a deal. Sitting in his Capitol office, the Nebraska Democrat puffs amiably on his pipe and discusses the bill that has made him anathema to many people in the on-line community, the Communications Decency Act. Exon's bill, part of the Senate version of a broad telecommunications bill, would impose jail terms and fines on those who create or solicit on-line material that is deemed "obscene, lewd, lascivious, filthy, or indecent."

Key points:

o Massive opposition from all sectors, including the Dept of Justice.
o "For the record, Exon has no personal experience on-line, but says he finds the positive uses of the networks exciting."
o Christian Coalition's http://www.cc.org home page has support for such restrictions.
o Sen. Dianne Feinstein (D-CA) wants to clamp down on anarchist files.
o The author writes:

     ...a Justice Department memo ... describes the bill as an enforcement nightmare that would criminalize constitutionally protected speech. The memo concluded it would clash with other laws and "hamper the government's ongoing work in stopping the dissemination of obscenity and child pornography and threaten law enforcement's continued ability to use court-authorized wiretaps."

o The Exon bill would make materials which are legally available in print illegal if obtained online.
o Sen. Patrick J. Leahy (D-VT) proposes to help parents exercise greater control over their children's access to cyberspace using technology -- "lockout boxes" like devices being made available to cable-TV subscribers.
o The author quotes Sen. Leahy:

     "To say that everyone using the Internet is going to be held to the standard of my neighbor's 7-year-old child is wrong -- and is going to cripple the Internet," said Leahy.... Overly restrictive legislation, he said, "will make one of the best free-enterprise experiments a hollow shell."
o The article ends with signposts for further information:

     The Exon bill is a hot topic on-line. You can find World Wide Web sites devoted to the bill at http://www.cdt.org and http://www.eff.org/pub/Alerts maintained by the Center for Democracy and Technology and the Electronic Frontier Foundation, respectively. Folks whose Internet access is limited to e-mail can get information by sending a message to cda-info@cdt.org in which the text area is left blank and the subject line reads send-events. Sending the same message to cda-stat@cdt.org will get you the current status of the bill.

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)

------------------------------

Date: 30 May 95 14:47:33 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: Defamation by BBS

[An example of Level I Information Warfare]

From the Australian Associated Press news wire via CompuServe's Executive News Service:

   AAP 05/25 1443 QLD: CALL FOR CONTROLS ON DEFAMATION SUPERHIGHWAY

   BRISBANE, May 25 AAP - A Labor MP whose name and address were posted on a computer billboard as the contact for buying stolen telephone cards, today urged the federal government to legislate to prevent high tech defamation.

MP Stephen Robertson was cleared of all wrong-doing or involvement in the scandal after investigation by the Criminal Justice Commission. The MP may nonetheless have suffered damage to his reputation.

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)

------------------------------

Date: Tue, 30 May 1995 16:55:55 +0100
From: Brian.Randell@newcastle.ac.uk (Brian Randell)
Subject: Defying pitfalls of a cashless society

   Defying pitfalls of a cashless society
   Victor Keegan (The Guardian, Economics Notebook, 30 May 1995)

   The kingdom of cash is starting to be attacked in a pincer movement: from in front, by electronic, or digital, cash, and from behind, by the growing popularity of the barter system Letts -- artificial local currencies (rather like a baby-sitting points system), which people use instead of real money to pay each other for services rendered. [...]

   The world's central banks -- including the Bank of England -- are beginning to wake up to the fact that digital money could pose a threat to their hegemony. This is particularly true of the so-called "electronic purses" (like Mondex, which Midland Bank and others are pioneering) and, much more so, the digital (and untraceable) cash being pioneered by DigiCash, the Amsterdam-based company. [...]

   As long as these are issued by banks -- like Midland's Mondex -- then it is nothing more than another bank deposit, albeit in electronic form. [...]

   Central banks have been sufficiently worried about the provision of electronic purses getting into the wrong hands to set up a working group of the European Monetary Institute. The conclusion was predictable: they are all right -- so long as they are restricted to approved credit institutions (that is, banks), so that they can be properly monitored.

   Enter DigiCash, whose founder, the proselytising David Chaum, wants to create a digital system which could assume a life of its own. He has even patented a process whereby a bank or a company could validate a secret number which could be used as a unit of currency even though the issuing authority could not trace it.
   The place just waiting for such anonymous digital money (which would also be rather useful for kidnappers and launderers of drug money) is the Internet, the worldwide electronic cobweb of computer data bases. [...]

   Should the Net be provided with its own currency, it would suddenly become not only a global market place, but a virtual economy as well. It could become the first economy without a government or even a central bank at the centre. But if there is no government, no one will pay taxes. [...]

   We are not talking science fiction. Mr Chaum has already distributed a million digitised dollars to 5,000 pioneers taking part in a trial. Their Cybercash can be spent purchasing goods and services from 50 companies taking part in the trial.

   At the other end of the scale, the growth of Lett schemes is not yet a problem, if only because most of the schemes are small-scale and the people involved are probably earning below the threshold at which they would be required to pay tax. In a typical scheme one member might help another build a wall, thereby earning himself currency points, to be exchanged for work by someone else or for buying goods. If such a scheme went nationwide and electronic (so that the participants carried their points on a micro-chip on a plastic card), this could quickly evolve into electronic money effectively outside the control of the banking system and on which the participants would be reluctant to pay tax. The transactions might even take place through the Internet.

   Of course, central banks will move quickly if they feel their supervisory role and their divine right to print money is being challenged. The point is that the financial world is moving into uncharted waters. The change could be as far-reaching as the transition from metals to money in the last century.
[What I found interesting was the way this article tied together (hi-tech) developments related to digital cash and the rise in popularity, at least here in the UK, of (typically low-tech) barter schemes. BR]

Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK
Brian.Randell@newcastle.ac.uk  +44 191 222 7923

------------------------------

Date: Fri, 19 May 1995 11:09:47 -0700 (PDT)
From: Kenneth Funk
Subject: Flightdeck automation problems

With a grant from the US Federal Aviation Administration, scientists at Oregon State University, America West Airlines, and Honeywell have compiled over 2,300 citations of perceived problems with and concerns about commercial transport aircraft flightdeck automation. These citations are summarized in a paper available by anonymous FTP from engr.orst.edu. The paper (in ASCII) is in /pub/funkk/problems.txt.

Ken Funk, Asst. Prof., Ind. & Mfg. Engr., Oregon State Univ., Corvallis, OR 97331
503-737-2357  funkk@engr.orst.edu  FAX: 503-737-5241

   [Also forwarded by horning@pa.dec.com (Jim Horning). PGN]

------------------------------

Date: Sat, 20 May 1995 21:01:45 +0059 (EDT)
From: Robert J Horn
Subject: A slightly more global look at time and date issues

The date/time discussion illustrates two more global risks related issues.

1) There is a risk from overconfidence and lack of proper analysis when the subject matter is something you have known "completely" since childhood. People often get very excited or upset when they realize that there is significant hidden complexity. Most of us have achieved our full understanding of time by the age of ten. It has no more mysteries (except perhaps time zones). Discovering just how much more there is to time and its measurement is a surprise.

   QUIZ: For a more timely example than 18th century calendars, when does Sunday become Monday? (See below)

2) There is a significant misunderstanding around the relative merits of integer vs floating point notation in general.
If your real world process can be represented as a finite field mapped onto the integers, then you can eliminate concerns regarding representation error. This makes an integer representation attractive because it reduces your error analysis problem to:

a) Prove that the finite field mapping is correct. If your application involves division, you don't have a finite field. You also better be sure that the finite field mapping is understood the same way by all involved. It can be a big problem if well into your project you discover that you need additional resolution. So don't skip this step.

b) Analyze the error characteristics of your algorithms in the confident knowledge that the errors have been reduced to:

      initial error = measurement error, and
      results error = numerically propagated measurement errors.

Lots of people seem to think that you can skip the numerical analysis just because your operations are on a finite field. This is not the case. Measurement error is still present and it still propagates. I've seen too many instances where people omit the error analysis because "integer computations are error free". You may have a finite field, but measurement error must still be analyzed. Still, the analysis is simpler and integers are often an excellent representation for measured data.

With floating point representation, you have different advantages:

a) Much greater dynamic range
b) Much more uniform error characteristics (always present, but lacking the sudden lurch that occurs when your finite field mapping fails.)
c) The psychological pressure to analyze errors because some error is always present.

The difficulty is that your error analysis is harder:

      initial error = measurement error + representation error
      results error = propagated measurement error + propagated representation error + representation error.

This can be more work, although I have found that in most real world situations the measurement errors have dominated.
Usually I could completely ignore representation error because the measurement errors were orders of magnitude larger.

Oh, and the answer to the quiz: It depends upon what part of the world you are in. In some areas, the day ends at sunset. So during some parts of the year, 1730 (local) Sunday occurs before 1800 (local) Sunday, and in other parts of the year it occurs after. And you need to know the latitude and longitude to figure out when sunset occurs. Is it any wonder that people who care about time quickly end up using UTC for everything. But this is a lurking trap for the unwary who want to make a properly internationalized application that allows the use of local time.

R Horn  rjh@world.std.com

------------------------------

Date: Mon, 22 May 1995 05:53:30 PDT
From: Newman@europarc.xerox.com
Subject: "Calling the Ahperator"

My attempts to reach the long-distance operator from my Washington DC hotel instead connected me to a voice-activated interface instructing me to say "Operator" to get through, but my British pronunciation clearly didn't sound right. I found I could get through with a phony American "ahperader" but only on the second attempt, the first attempt always getting a lengthy recorded apology and a repeat of the (even lengthier) instructions. Out of frustration, I resorted to dialling the number direct, for which my hotel charged me $95 for a call that would otherwise have cost $52.

It seems strange to require long-distance callers from DC hotels, many of whom are presumably foreigners trying to reach overseas, to speak with an American accent. No alternative means of reaching the operator is offered, and this could be a source of risk in emergency situations.

When I got through to the supervisor to point this out, she agreed, but said, "You could have dialled zero instead." Why didn't I think of trying this? But the recorded instructions say nothing about this option.
William Newman  newman@europarc.xerox.com

------------------------------

Date: Tue, 23 May 95 09:11 NZST
From: simon@darkmere.midland.co.nz (Simon Lyall)
Subject: Denial of Service attack on ISP

The following was posted to a Local (New Zealand) group. Both iprolink and Cybernet are ISPs servicing the Auckland market and targeting similar customers. Cybernet was in the papers a few weeks ago after someone there NFS mounted a disk (read & write) at Auckland University (This disk included /bin directories according to some reports). The mserve machine is the workstation of a Cybernet staff member.

From: Craig Anderson
Newsgroups: nz.netstatus
Subject: Network Attack Mars Internet Show
Date: 22 May 1995 13:51:29 GMT
Organization: Internet ProLink NZ, Auckland

Last week (15-20 May) Internet ProLink NZ, along with InfoTech Weekly, TUANZ, Megascreen, Atrium on Elliott, and Dymocks, sponsored a week long series of free Internet demonstrations at the Atrium in Auckland.

The event was marred by an attack on our system during the first three days of the show. The intent appears to have been to deny us the use of our Internet connection during the show. This posting should serve as a warning to system administrators. Note that eliminating these types of attacks requires filtering at the site to whom you are connected, and that similar attacks with the traffic destined to routers can be difficult to monitor.

Monday: Thousands of ICMP echo packets each minute from 202.36.227.10 (mserve.cybernet.co.nz) saturate our link in both directions. These high priority packets almost completely prevent us from using our link at all. The packets initially were sent to iprolink.co.nz, but later to router1.iprolink.co.nz. The attack lasted approximately two hours from about 2:15 pm and stopped when we unplugged our link for several minutes.

Tuesday: ICMP packets sent to our router again completely saturate our link.
Attack begins around noon and ends when the University of Auckland temporarily disconnects Cybernet's link.

Wednesday: TCP packets (again from mserve.cybernet.co.nz) were sent to ports 7, 8, 2, 3, 4, 5, 6, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, and finally port 19 on iprolink.co.nz, where our outbound link was saturated with traffic for more than one hour.

No further attacks were seen after Cybernet was contacted by the University of Auckland.

Our apologies to those who turned up for the show during these attacks only to find that the Internet link was too slow to be used.

Thanks to the University of Auckland Computer Center staff who did a tremendous job in helping to monitor and stop this attack.

-Craig

------------------------------

Date: Mon, 22 May 1995 17:49:15 -0500 (CDT)
From: Daniel Frankowski
Subject: Drug-Addicted Geniuses Built Cyberspace

I have the pleasure of presenting one of the most absurd claims I've read in the mainstream press in a long time. In the Minneapolis Star Tribune, Monday, May 22, 1995, on page 10A, yet another inflammatory article about the Internet appeared, titled ``Cyberstoned''. The article is adapted from Boston Magazine, written by Stephen Rodrick at Boston Magazine and Vladimir Edelman, a Boston-based freelance writer.

The point of the article was that there is drug dealing on the net, and that there are net-specific problems for law enforcement. I agreed with parts of the article, e.g. that law enforcement needs to learn about the net, that freedom of information and anonymity make law enforcement more difficult, etc.

The writers give away their position when they report that ``after Internet zealots howled about the loss of privacy, the fate of the Clipper chip remains in doubt,'' but I forgive them.
Then they make an absurd pronouncement backed up by scant evidence:

   In fact, much of the cyberspace revolution of virtual reality, the Internet and other high-speed technology burst out of the minds of computer geniuses spaced out on drugs such as acid and ecstasy. In his book *Cyberia: Life in the Trenches of Hyperspace*, Douglas Rushkoff traces the creation of the drug culture's special place on the Internet. `Developments in the computer industry and on the Internet are being made by the same people who made the counterculture of the '60s possible. Those willing to explore hallucinatory dreamlike realms that didn't exist before -- never-before-navigated turf of consciousness,' Rushkoff says.

I have a master's degree in computer science from the University of Minnesota, and I read newspapers with regularity if not often. I cannot recall a single story about the arrest for drug possession of a computer scientist familiar to me from their academic work. Abramson, Tannenbaum, Liskov, Stonebraker, Lazowska, not to mention my own professors and numerous others have all thus far managed to hide their dirty little secret.

The risks? Reporters who are not knowledgeable about computer science. This risk generalizes easily: lawyers who are not knowledgeable about computer science, patent clerks, politicians, bureaucrats, ...

If the two quoted paragraphs about "much of the cyberspace revolution" coming from druggies annoyed you as much as it did me, please email the Op-Ed page of the Minneapolis Star Tribune at opinion@startribune.com. Ptooie!

Dan Frankowski  dfrankow@winternet.com  http://www.winternet.com/~dfrankow

------------------------------

Date: Mon, 22 May 95 09:58:43 0100
From: "Lindsay F. Marshall"
Subject: Re: Positive-Ion Dangers: Computers and stress / depression

Using a negative ion source is definitely beneficial, however be careful.
I cannot use an ioniser in my office as whenever I switch it on I get SCSI errors that result in me not being able to access the external disc on my Sun. (Could this be a plot by intelligent silicon to keep the world depressed?)

Lindsay
Dept. of Comp. Science, U of Newcastle, Newcastle upon Tyne, NE1 7RU, UK
+44-191-222-8267  http://catless.ncl.ac.uk/Lindsay.html

------------------------------

Date: Mon, 22 May 1995 14:18:31 -0400
From: "Jonathan I. Kamens"
Subject: Re: Positive-Ion Dangers: Computers and stress / depression

It appears that PGN was duped in RISKS-17.14 by what one poster in news.admin.net-abuse.misc calls "the slow spammer." The user who submitted the message about "positive-ion dangers" was not doing it out of the goodness of his heart or because he felt it was an appropriate, current topic for RISKS. He was doing it, I believe, because he sells negative-ion emitters. He has been slowly spamming his message to many newsgroups for some time now.

Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com

   [... and to think that all these years we have put up with SpammoVision. There is also some moron who has been spamming usenet readers of comp.risks. I have no control over that, but apologize anyway. PGN]

------------------------------

Date: 24 March 1995 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears). UK subscribers please contact . Local redistribution services are provided at many other sites as well.
Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not yet automated). SUBJECT: SUBSCRIBE or UNSUBSCRIBE; text line "(UN)SUBscribe RISKS [address to which RISKS is sent]".

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. All other reuses of RISKS material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using RISKS material should obtain permission from the contributors.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
Individual issues can be accessed using a URL of the form http://catless.ncl.ac.uk/Risks/VL.IS.html
(Please report any format errors to Lindsay.Marshall@newcastle.ac.uk)

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks" or "cwd risks", depending on your particular FTP. Issue J of volume 17 is in that directory: "get risks-17.J". For issues of earlier volumes, "get I/risks-I.J" (where I=1 to 16, J always TWO digits) for Vol I Issue J. Vol I summaries in J=00, in both main directory and I subdirectory; "bye". I and J are dummy variables here. REMEMBER, Unix is case sensitive; file names are lower-case only.
<CR>=CarriageReturn; UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username and password. Also ftp bitftp@pucc.Princeton.EDU. WAIS repository exists at server.wais.com [192.216.46.98], with DB=RISK (E-mail info@wais.com for info) or visit the web wais URL http://www.wais.com/ . Management Analytics Searcher Services (1st item) under http://all.net:8080/ also contains RISKS search services, courtesy of Fred Cohen. Use wisely.

------------------------------

End of RISKS-FORUM Digest 17.15
************************
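Added worked example for Robert Horn's integer-versus-floating-point note in this issue; it is not part of the digest and uses a constructed timing scenario (a millisecond clock with an assumed +/- 0.5 ms uncertainty, and 17 events timestamped between 123 ms and 4567 ms). It carries the same measurement error through both representations, shows the float path's representation error sitting many orders of magnitude below it, and shows the integer path's sudden failures: truncation when the rate is forced back into the integer field, and a zero-length interval once the mapping runs out of resolution.

```python
from fractions import Fraction
import math

# Constructed scenario (not from the digest): a sensor timestamps events with
# a clock read to the nearest millisecond, and we derive an event rate
# r = n / (t1 - t0) in events per second.  Assumed measurement uncertainty:
# +/- 0.5 ms per timestamp (half a tick).  The integer path keeps timestamps
# as integer milliseconds, a finite mapping with no representation error; the
# float path converts them to binary floating point seconds, which adds a
# representation error on top of the same measurement error.

MEAS_ERR_MS = Fraction(1, 2)   # assumed clock uncertainty per timestamp, in ms


def rate_int_ms(t0_ms: int, t1_ms: int, n_events: int) -> Fraction:
    """Rate from integer-millisecond timestamps, kept as an exact rational.

    Division leaves the finite field, so the result cannot stay an integer
    without truncation.  Two events inside one tick give a zero-length
    interval: the mapping has run out of resolution and the computation
    fails outright (Fraction raises ZeroDivisionError), the sudden lurch
    rather than a gradual loss of accuracy."""
    return Fraction(n_events * 1000, t1_ms - t0_ms)


def rate_int_truncated(t0_ms: int, t1_ms: int, n_events: int) -> int:
    """The rate forced back into the integer field by floor division; the
    truncation error can dwarf the measurement error."""
    return (n_events * 1000) // (t1_ms - t0_ms)


def rate_float_s(t0_ms: int, t1_ms: int, n_events: int) -> float:
    """Same rate via floating point seconds: representation error enters at
    the conversion to seconds and in every arithmetic step after it."""
    return n_events / (t1_ms / 1000 - t0_ms / 1000)


def propagated_measurement_error(t0_ms: int, t1_ms: int, n_events: int) -> Fraction:
    """Worst-case first-order propagation of the clock uncertainty.

    For r = n / dt, |dr| = r * |d(dt)| / dt, and the two timestamp errors can
    add, so |d(dt)| = 2 * MEAS_ERR_MS.  This term exists for BOTH paths: a
    finite-field mapping removes representation error, not measurement
    error."""
    dt = Fraction(t1_ms - t0_ms)
    r = Fraction(n_events * 1000) / dt
    return r * (2 * MEAS_ERR_MS) / dt


def representation_error(t0_ms: int, t1_ms: int, n_events: int) -> Fraction:
    """Representation error of the float path alone: the exact rational rate
    minus the float result, compared exactly (Fraction(float) is exact)."""
    exact = rate_int_ms(t0_ms, t1_ms, n_events)
    return abs(exact - Fraction(rate_float_s(t0_ms, t1_ms, n_events)))


def error_budget(t0_ms: int, t1_ms: int, n_events: int) -> dict:
    """Both error terms side by side, plus how many orders of magnitude the
    measurement term dominates by (Horn's 'usually orders of magnitude')."""
    meas = propagated_measurement_error(t0_ms, t1_ms, n_events)
    rep = representation_error(t0_ms, t1_ms, n_events)
    return {
        "rate_exact": rate_int_ms(t0_ms, t1_ms, n_events),
        "measurement_error": meas,
        "representation_error": rep,
        "orders_of_magnitude": math.floor(math.log10(float(meas / rep))) if rep else None,
    }


if __name__ == "__main__":
    # Constructed timestamps: 17 events between t = 123 ms and t = 4567 ms.
    for key, value in error_budget(123, 4567, 17).items():
        print(f"{key}: {value}")
    print("rate if forced back to an integer:", rate_int_truncated(123, 4567, 17))
```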
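Added detection example for the ICMP echo flood and the low-port TCP sweep described in Craig Anderson's report in this issue; it is not from that posting or from Internet ProLink. It assumes a simplified tcpdump-style record format, and the traffic is constructed: the source 202.36.227.10 is the address named in the report, while the target 192.0.2.1 and the unrelated host 198.51.100.7 are placeholders from the documentation address ranges.

```python
import re
from collections import defaultdict, deque

# Constructed, simplified tcpdump-style records (not a capture from the
# incident).  Two shapes are parsed:
#   HH:MM:SS.ffffff IP src > dst: ICMP echo request, id N, seq N, length L
#   HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [S], seq N, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_line(line):
    """Return (seconds since midnight, src, dst, dport or None, kind), or
    None for a line that does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group("ts").split(":"))
    rest = m.group("rest")
    kind = ("icmp-echo" if rest.startswith("ICMP echo request")
            else "tcp" if rest.startswith("Flags") else "other")
    dport = int(m.group("dport")) if m.group("dport") else None
    return (h * 3600 + mi * 60 + s, m.group("src"), m.group("dst"), dport, kind)


def detect_icmp_flood(lines, threshold=600, window_s=60):
    """Alert once per source whose ICMP echo requests exceed `threshold`
    inside a sliding window of `window_s` seconds (the Monday/Tuesday
    pattern: thousands of echo packets a minute from one host)."""
    recent = defaultdict(deque)      # src -> timestamps inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[4] != "icmp-echo":
            continue
        t, src = rec[0], rec[1]
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window_s:   # drop packets older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"src": src, "first_seen": q[0], "count": len(q)}
    return list(alerts.values())


def detect_small_port_sweep(lines, max_port=19, min_ports=8):
    """Alert on a source that sends TCP to many distinct low-numbered
    service ports on one destination (echo/7, discard/9, chargen/19 and the
    rest of the 2..19 range walked on the Wednesday)."""
    hits = defaultdict(set)          # (src, dst) -> low ports touched
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[4] != "tcp" or rec[3] is None or rec[3] > max_port:
            continue
        hits[(rec[1], rec[2])].add(rec[3])
    return [{"src": s, "dst": d, "ports": sorted(p)}
            for (s, d), p in hits.items() if len(p) >= min_ports]


def constructed_log():
    """Constructed sample traffic: a few echo requests from an unrelated host
    (198.51.100.7), then a burst of echo requests and a low-port sweep from
    202.36.227.10 against the placeholder target address 192.0.2.1."""
    def ts(sec):
        return "%02d:%02d:%02d.000000" % (sec // 3600, sec % 3600 // 60, sec % 60)
    echo = " IP %s > 192.0.2.1: ICMP echo request, id %d, seq %d, length %d"
    lines = [ts(51300 + i * 10) + echo % ("198.51.100.7", 1, i, 64) for i in range(5)]
    base = 51900                     # 14:25:00, shortly after the 2:15 pm start in the report
    lines += [ts(base + i // 12) + echo % ("202.36.227.10", 7, i, 1024)
              for i in range(1500)]  # 12 echo requests per second for ~125 s
    lines += [ts(base + 200 + p) + " IP 202.36.227.10.1025 > 192.0.2.1.%d: Flags [S], seq 1, length 0" % p
              for p in (7, 8, 2, 3, 4, 5, 6, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)]
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("ICMP flood alerts:", detect_icmp_flood(log))
    print("low-port sweep alerts:", detect_small_port_sweep(log))
```

As the report notes, an alert like this only tells you where to ask for upstream filtering; the flood still fills the link until the site you connect to drops it.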