Subject: RISKS DIGEST 17.73 RISKS-LIST: Risks-Forum Digest Weds 14 February 1996 Volume 17 : Issue 73 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, etc. ***** Contents: Wildcard inconsistencies in Windows 95 (Lawrence D'Oliveiro) Lack of Common Sense is Biggest Risk Of All (B. Gunderson) More Web risks (David Gadbois) Possible future risk of virtual reality (Martin Cohen) Risks of your system clock being off? (J. Eric Townsend) Time signals from TV stations (Clay Jackson) Turn of the century (Lars-Henrik Eriksson) Reverting to default PINs (Rebecca Walpole) Medical Prescription Dispensing Robot (Sudhakaran Ram) Spelling Checkers...(more) (Sudhakaran Ram) RISKS of efficient netiquette enforcement? (Tim Kolar) Re: The measurement of risk (Michael J Zehr, Clark Savage Turner) Re: Homebanking NonSecurity demo (Sebastian Garbe) IMC Resolving E-mail Security Complexity workshop (Dave Crocker) Reliability Symposium (T Totev) Call for Papers -- Journal of Technology Law & Policy (lazooli) ABRIDGED info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 14 Feb 1996 09:39:05 +1300 From: "Lawrence D'Oliveiro" Subject: Wildcard inconsistencies in Windows 95 I just read something disturbing in PC Magazine, which I have verified is true. In Windows 95, the "?" wildcard is treated inconsistently in file specifications: sometimes it means "exactly one character", and other times it means "at most one character". Suppose you have a directory with two files in it, one named XX and one named XXX. The command "DIR XX?" will only show the second file, but "DEL XX?" will delete both files! One dependable rule in every computer system I have ever used prior to this, is that a wildcard specification will always expand to the same set of filenames, regardless of what command you use it in. Wind95 not only breaks this rule, it breaks it in the worst way: the "delete" command, given the same wildcard specification, will delete a larger set of files than the less harmful "directory" command will display! This means you can no longer use the technique of checking a wildcard specification with DIR to make sure it will only affect the right files, before letting it loose with DEL. Lawrence D'Oliveiro, Computer Services Dept, University of Waikato Hamilton, New Zealand +64-7-856-2889 ldo@waikato.ac.nz ------------------------------ Date: Thu, 8 Feb 96 15:18:01 PST From: B Gunderson Subject: Lack of Common Sense is Biggest Risk Of All Excerpted from a front page article of Feb. 5th, 1996 issue of Federal Computer Week titled "Budget cuts, culture hurt NASA systems", article written by Elizabeth Sikorovsky: ****snip***** Hackers have already attached password sniffers to NASA systems and used the space agency's computers to store and exchange stolen data and software. And there are fears that satellites could be "hijacked" by hackers armed with nothing more than a PC and a ham radio. This is not science fiction, NASA security inspectors insist. No attacks on satellites have been detected, but "the only reason it hasn't happened is because hackers haven't thought about it yet," said [name deleted by the person submitting this to the RISKS forum, out of kindness], a communications security specialist at NASA. ****snip**** Amazing. I wonder how many people are out there, right now, trying to be the first to drive a NASA satellite from home. The biggest RISK will always be people. Unless of course, the folks at NASA just wanted to encourage some independent 'assessments' of their satellite comms' security posture. B. Gunderson ------------------------------ Date: Thu, 8 Feb 1996 20:33:52 -0600 (CST) From: David Gadbois Subject: More Web risks One Web-related risk that many folks seem oblivious to is the amount of information that a Web server can receive when they retrieve a document: The client host name, the referring URL, and personal identifying information (if the client is running a finger or ident server.) Furthermore, the Alta Vista server includes the search keywords in the URL corresponding to the search results: I was initially alarmed when I saw a referring URL on my server that had the keywords "explicit," "sex," and "images." It turned out that the Alta Vista webcrawler had indexed a technical report that just happened to contain those three words. --David Gadbois [Perhaps RISKS will now be on the censored list?] ------------------------------ Date: Wed, 14 Feb 96 17:10:50 PST From: Martin Cohen Subject: Possible future risk of virtual reality I was recently watching my 11-year-old son play a computer racing game. His car was invulnerable, and he crashed into other cars at every opportunity. It occurred to me that enhancements of this might lead to this future risk: A 15 year old is an expert player of a VR racing game (this is set about 5 years from now) that almost completely simulates reality - steering wheel, pedals, eyes and ears with VR input, and more. In the game, you do better by crashing into cars that cut you off. At sixteen, our hero gets a driver's license. On the road, another driver cuts him off. Using his finely tuned, VR trained reflexes, he immediately crashes into the other car. Is this risk plausible? What other risks might there be from using reflexes developed in VR games in real-life situations? ------------------------------ Date: Sat, 10 Feb 1996 22:29:57 -0800 From: jet@abulafia.genmagic.com (J. Eric Townsend) Subject: Risks of your system clock being off? [How many of us don't care what time our non-networked micro is set to? How many of us might care now? --jet] SYRACUSE, N.Y. (AP) -- A convicted felon was charged with possession of pornography after he asked a repairman to delete pornographic images of young boys from his computer, officials said. [... blah blah, claimed some kids had been at his house using the computer, said he wasn't there... children said they were 'looking at things they shouldn't have... blah blah ] Instead the repairman took a computer disc containing the images to police, who turned it over to the FBI, Riker said. ==> The dates on the files did not match Moore's story, Riker said. <=== Moore was sentenced to five years' probation May 15, 1995, after he was convicted of first-degree sexual abuse in Onondaga County Court. ------------------------------ Date: Fri, 09 Feb 1996 22:47:04 -0800 From: Clay Jackson Subject: Time signals from TV stations Here's an interesting twist - we purchased a new VCR recently, it has a "feature" that will receive time signals "over the air". The signals are mostly broadcast on PBS channels. The other night, we set the VCR up to record a program, as normal, and just happened to be near the VCR at the time it should have come on - it didn't. We recorded the program manually, and then went troubleshooting. It turns out that the date/time in the VCR had been set by a signal from KCTS (Channel 9, here in Seattle) which had the correct TIME, but was off by a full day! When I called Channel 9, it took them 2 days to get back to me, and the person who returned the call said "Thanks for letting us know - we have no real monitors on that system, and it took a 'power hit' a few days ago". I'm glad I wasn't trying to do anything more serious with that time signal... Clay Jackson clay@interramp.com ------------------------------ Date: Tue, 13 Feb 1996 23:10:12 +0100 From: lhe@kore.lk.se (Lars-Henrik Eriksson) Subject: Turn of the century Yesterday my wife noticed the first tangible evidence of software problems caused by two-digit year fields rolling over from 99 to 00, that I have seen here in Sweden. A note was stuck on a credit-card parking meter in my town, with the text: "Due to a software error this machine does not accept XX cards with an expiration date after 1999". I happen to have an XX card which was issued only two months or so ago. I took a quick look to see that it expires in November 1999. The first cards expiring in January 2000 must just have been issued... Lars-Henrik Eriksson Logikkonsult NP AB, Swedenborgsgatan 2, S-118 48 STOCKHOLM, SWEDEN +46 8 615 68 69 Fax: +46 8 641 19 06 lhe@lk.se ------------------------------ Date: Fri, 09 Feb 96 17:17:25 PST From: walpolr@chert.CS.ORST.EDU Subject: Reverting to default PINs My university uses phone registration with a PIN that depending on your department and status is either assigned to you or is your birthdate. Students can also access and change certain personal information online using the same PIN. This Access program allows you to change your PIN as well, so I did, since I was one of those with a birthdate PIN. Unfortunately, these PINs are reset automatically and without notification! I was unable to log in until, in desperation, I tried the old birthdate PIN. Being a swamped graduate student, I let this happen 3 times before I found someone to complain to. Here's the response I received: > I was not aware that we were changing PINs back to dates, but it does >not surprise me. The University is in the process of bringing up a new >version of Telephone Registration that will use a separate PIN for >advising functions, (Unfortunately, it will not be coming up as soon as we >would have liked.) At that time the Access PIN we use now will not be >continually reset. Until then however, I guess we have to put up with it. Besides the obvious risk of a malicious person dropping me from all my classes, giving me late registration fees, or changing my address, I can now worry about the risks of non-risk-sensitive people in high places. ------------------------------ Date: Fri, 9 Feb 96 15:18:06 PST From: Sudhakaran Ram - 7035 Subject: Medical Prescription Dispensing Robot Few days ago there was a report on CNN that a Hospital in Atlanta has switched to a Robot system to dispense inhouse medications for the Hospital patients. Patient prescriptions will be read from barcodes. How many times have heard about patients being wrongly tagged. Risks are obvious, the human factor involved (tagging wrongly) and a robot blindly dispensing what it sees. ------------------------------ Date: Fri, 9 Feb 96 15:12:56 PST From: Sudhakaran Ram - 7035 Subject: Spelling Checkers...(more) Here is another item on spelling checkers. I had misspelled the word "Contributed" as "Contibuted" in a FrameMaker document. The following were the alternatives that it gave: Countability, Conduplicate, Conductible, Contiguity, Contiguities, Conjugated, Contested, etc. "Contributed" was never listed. This from a popular word processing software. [You've contibplated another spelling checker? PGN] ------------------------------ Date: Tue, 13 Feb 96 23:28:16 PST From: Tim Kolar Subject: RISKS of efficient netiquette enforcement? (Garfinkel, RISKS-17.72) In a recent RISKS article, simsong@vineyard.net recounted the tale of a friend who had accidentally left a program running that looked like it was attacking LANL over the network. He told of LANLs rather aggressive response, threating to sue both his friend and his friend's ISP, and (apparently having received no response) ended up getting the ISP to shut down the account. His last paragraph: >This is really scary --- the thought that some government official can call >up your ISP and, through a combination of threats and legal citations, have >somebody's internet feed immediately terminated. What about due process of >law? What about innocent until proven guilty? What about having to go >through the mere formality of obtaining a court injunction before having >action such as this taken? I read this with some amusement, reflecting that calling up a suspected hacker's ISP (usually a university) has *always* been the fastest and easiest way to deal with a threat. Shutting down an account until you could figure out what was going on was SOP. Back in college I had my student account (mistakenly) shut down this way once, and later as an system administrator I was involved in a number of cases that started with a concerned phone call from a remote sysadmin. When people of talk of the internet being a cooperative effort, this implicit responsibility taken by ISPs is the first thing that springs to my mind. But there's an important wrinkle now -- to my knowledge no student has ever sued a university over having a computer account shut down by accident (though I did get a homework extension when it happened to me). A lawsuit against a commercial ISP is almost a certainty. Obviously LANL knows this and went completely over the top in order to secure the ISPs' cooperation. In the process what used to be a respectful exchange between sysadmins has been turned into a legal feeding frenzy. Was LANL wrong to do this? I don't know. Commercial ISPs have been increasingly strident in refusing to take responsibility for their users, and may need prodding. On the other hand, LANL could simply have stopped accepting all traffic from that ISP and called it a day. It would be interesting to know their reasoning. The only RISKs in this situation are ones we already know about. Lawsuits follow money, and money has found the internet. Who can sue who, and for how much, is still being worked out. -Tim ------------------------------ Date: Wed, 14 Feb 96 20:08:27 -0500 From: tada@MIT.EDU Subject: Re: The measurement of risk (Minow and Walking-Owl, RISKS-17.72) The "Us vs. Them" and the business of groups weighing the economic costs of risks leads to the issue of not only how do people evaluate risks, but how to groups evaluate risks. Individuals have inherently different means of valuing things than groups do, and this is only sound economic principles at work. For example, most individuals will expend virtually all their assets in order to maintain their health and prolong their life. (They tend to do this more at the later stages than the earlier ones, based on the future vs. immediate risks, as has been mentioned here.) Yet while this makes fine sense for an individual, it would be ludicrous to suggest that 100% of the world's GDP should be spent on medicine and hospitals. The community as a whole has to allocate both benefits and risks to the individuals around, but allocating a risk or benefit isn't the same as evaluating the worth of the individuals involved. As previously noted, people downplay risks they understand, such as the risk of being in a car accident. Likewise they downplay the reduction in such risks. Having mobile phones means that the average response time to many emergencies (car accidents, crimes, fires, etc) can be reduced thanks to a person having a phone in their hand as the emergency occurs. (Of course this goes along with the added risk of a drive on a mobil phone *causing* an accident!) I don't want to be the one in a million that catches cancer, but neither do I want to be the one in a million that needs emergency help when the phone lines are down but a mobile phone would still be functioning.... -michael j zehr ------------------------------ Date: Wed, 14 Feb 1996 16:42:03 -0800 From: Clark Savage Turner WA3JPG Subject: Re: The measurement of risk (Shaw, RISKS-17.71) Dave Shaw's comments are well taken, and the ideas have been around for some time. A particularly interesting formulation of the main ideas is expressed by Martin and Schinzinger in their book, "Ethics in Engineering" (McGraw-Hill 1989). They view engineering as a form of social experimentation. Engineers do not have complete knowledge of the world and all its natural and social laws, but go ahead with projects due to the perceived benefits. Viewing engineering as an experiment on a societal scale puts the focus where it "should be" - on the human beings affected by technology. In an analogy with medical experimentation, the authors note that society has recently come to recognize the primacy of the subject's safety and freedom of choice as to whether to participate. Informed consent is considered an important moral and legal safeguard in this respect. Informed consent is seen as having two elements: (1) subjects must be given all the information needed to make a reasonable decision, and (2) subjects must enter into the experiment without being subjected to force, fraud, or deception. What is "sometimes overlooked" is "the common enough human readiness to accept risks voluntarily undertaken (as in daring sports), even while objecting to involuntary risks resulting from activities in which the individual is neither a direct participant nor a decision maker. In other words, we all prefer to be the subjects of our own experiments rather than those of somebody else." (page 69) Clark Savage Turner, Esq., Grad Student in computer science at UC, Irvine. csturner@uci.edu ------------------------------ Date: Fri, 2 Feb 1996 21:03:09 +0100 (MET) From: Sebastian Garbe Subject: Re: Homebanking NonSecurity demo (Brunnstein, RISKS-17.66) Is the German Homebanking unsecure? In his article Klaus Brunnstein "proved" that Homebanking in Germany is unsecure. But this is not true in practice! I had the possibility to correct this in an television interview this Monday in the same TV Magazine in which Mr. Brunnstein gave his "proof" of NonSecurity last week. Indeed theoretically there are some possible attacks concerning PARTS of the whole security system. But a whole system is secure for the customer and the bank if the sum of all necessary criminal acts that are necessary to break the system do not destroy the interest of potential criminal hackers. Our Homebanking-System is really very secure as the statistics show: Over 15 Years, with now over 1.5 million accounts, there was not even one successful attack!!!! Why isn't there any encryption? Most of our customers use simple terminals so called "BTX-Decoder". These terminals do not support any encryption or signature and do not have any intelligence. A lot of the customers even use hardware-terminals (special telephones or TV-set-top-boxes) which don't have any possibility to be updated. We feel, that we don't have the right to exclude all these people from our homebanking, especially as there never has been any fraud. Will there be any improvements in the future? Yes there will! For some time we are already working on an new Homebanking-Standard called "Homebanking Computer Interface (HBCI)" which will provide a whole bunch of new features, digital signature and encryption. It will only be usable for PC users (not for users of dump BTX-terminals), but for those it will really be a fantastic improvement (especially it is supported be all German banks, so you will be able to use the homebanking-software of your choice with all German banks). Sebastian Garbe, Association of German Banks aky11@rrz.uni-koeln.de Kuempchenshof 13, D-50670 Koeln (Germany) Tel. (priv): ++49-221/1300 189 ------------------------------ Date: Fri, 9 Feb 1996 10:53:58 -0800 From: Dave Crocker Subject: IMC Resolving E-mail Security Complexity workshop For those who have not already seen this announcement: Resolving E-mail Security Complexity Workshop 21 February 1996 * 8:30 AM - 5:00 PM San Jose (CA) Hilton & Towers * San Carlos Room (next to Convention Center) Pre-registration & payment: $50 * After February 16: $75 (cash, check, wire transfer, money order, or First Virtual) Security is critical for moving the Internet further into the mass- and commercial-market. There are multiple choices for e-mail-based security over the Internet, but they do not interoperate with each other. MOSS, PGP, and S/MIME each has supporters and detractors. In general, the constituencies are not communicating with each other, instead pursuing their development and deployment independently, promising us all a future filled with considerable complexity and non- interoperability. We suffer an excess of riches. COMPLEXITY AND NON-INTEROPERABILITY The Internet Mail Consortium (IMC) is organizing a one-day workshop to consider the problem of multiple MIME-based security mechanisms. This is a complicated topic with a long and painful history, but the previous pain is insignificant compared to what is in store for vendors and, worse still, for users. This is an open working meeting intended for e-mail security principal contributors and others involved in this area. It will include key contributors and solicit additional attendance by vendors, providers, users, and technologists who are knowledgeable about e-mail security and concerned with its lack of coherence. The workshop is not a tutorial. Attendees are assumed to be familiar with the basics of the three major e-mail security alternatives. IMC is providing a pre-workshop discussion list and printed materials at the workshop. The attendance goal is to have a critical mass of those with the technical expertise and industry involvement to review and debate the requirements, capabilities, and possibilities. The work goal is to seek common ground for a common solution. While we are not overly hopeful that the end of the day will see peace and resolve among the masses, we do hope for improved understanding and some convergence. With luck, there will even be clarification of the constituencies -- that is, a strengthening of the political base for some of the alternatives. This Workshop is scheduled on the last day of E-Mail World in San Jose, California and the day before a two- day ISOC Security conference in San Diego, California. AGENDA The meeting will be structured with a tight agenda, having a very focused sequence of work; it is definitely not for general education. Some amount of review is appropriate, but not much. The following agenda is tentative and will be reviewed and modified on the pre-workshop discussion list. Morning * Very briefly describe the MOSS, PGP, and S/MIME solutions * Review the functional and technical concerns * Review the extent to which each alternative satisfies the concerns * Seek consensus for concerns that qualify as requirements Afternoon * Haggle about the strengths and weaknesses of the technical alternatives * Explore the choices and/or negotiate a preferred solution Those who have worked on this topic in the IETF are quite tired of the whole situation, but the unfortunate reality is that the current product and user choices are quite problematic. We need to continue seeking a viable service. ON-LINE PRE-/POST-MEETING The following Web page is provided for pre-meeting registration. Registration: or: For participating in on-line discussion before and after the meeting: Discussion: or: For information about the Internet Mail Consortium, see or . Dave Crocker +1 408 246 8253 Brandenburg Consulting fax: +1 408 249 6205 675 Spruce Dr. dcrocker@brandenburg.com Sunnyvale CA 94086 USA http://www.brandenburg.com Internet Mail Consortium http://www.imc.org, info@imc.org ------------------------------ Date: 5 Feb 1996 14:18:24 GMT From: mbgastt@menhpd03.eng.man.ac.uk (T Totev) Subject: Reliability Symposium 12TH ARTS ADVANCES IN RELIABILITY TECHNOLOGY SYMPOSIUM Tuesday 16th and Wednesday 17th April 1996 Holly Royde Conference Centre University of Manchester, UK Organised by: Institution of Mechanical Engineers Safety and Reliability Society Universities of Manchester, Loughborough, Bradford,Liverpool and UMIST A biennial event which provides an international forum for discussing current research and demonstrating recent advances, in the development and management of reliability engineering. To maximise academic participation, attendance costs have been kept as low as practicable. Also of interest to reliability consultants and practitioners. Please contact: 12th ARTS, (M.J.Harris) Division of Mechanical Engineering, The School of Engineering, The Simon Building, The University of Manchester, Oxford Road, Manchester M13 9PL, UK Tel. +44 161 275 4501; Fax +44 161 275 4346 E-mail TLTOTEV@fs1.eng.man.ac.uk ------------------------------ Date: Tue, 13 Feb 1996 19:21:56 -0500 (EST) From: lazooli@grove.ufl.EDU Subject: Call for Papers -- Journal of Technology Law & Policy Journal of Technology Law & Policy, University of Florida, College of Law CALL FOR PAPERS: Spring 1996 issue The Journal of Technology Law & Policy is devoted to exploring the legal and policy issues raised by emerging technology. We invite contributions of original works for our Spring, 1996 issue. Student contributions are encouraged. To promote access to the Journal, the Journal will be published on the World Wide Web. Submissions to the Journal are encouraged to take full advantage of this medium. Relevant graphics, sound, and video may be utilized. There are no length limitations for submissions. Submissions must include a copy in electronic form. All citations should be in Bluebook and endnote form. Please include the URL of any cited information available online. Please direct all questions, and submissions to techlaw@grove.ufl.edu http://grove.ufl.edu/~techlaw techlaw@grove.ufl.edu Fax number: (352)-377-7655 Mailing Address: Journal of Technology Law & Policy, University of Florida College of Law, P.O. 117640, Gainesville, FL 32611-7640 ------------------------------ Date: 14 February 1996 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: ABRIDGED info on RISKS (comp.risks) The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...] DIRECT REQUESTS to (majordomo) with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] INFO [for further information] CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, nonrepetitious, and without caveats on distribution. Diversity is welcome, but not personal attacks. [...] ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. By submitting an item that is accepted for publication in RISKS, the author grants permission for unlimited noncommercial public distribution and redistribution in electronic and print form. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT Software Engineering Notes or SIGSAC Review. RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks RISKS ARCHIVES: "ftp ftp.sri.comlogin anonymous[YourNetAddress] cd risks or cwd risks, depending on your particular FTP. [...] [Back issues are in the subdirectory corresponding to the volume number.] Individual issues can be accessed using a URL of the form http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue] ftp://ftp.sri.com/risks PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest, see the INFO file at RISKS-Request (one-line message INFO noted above). ------------------------------ End of RISKS-FORUM Digest 17.73 ************************