Subject: RISKS DIGEST 17.77 RISKS-LIST: Risks-Forum Digest Tuesday 20 February 1996 Volume 17 : Issue 77 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, etc. ***** Contents: Re: Maryland train collision (Steve Bellovin) Garbage truck worker wipes out telephone service (Andrew J Klossner) Using better words to discuss WWW (Mark Seecof) Acrobat quietly 'censors' text in missing TrueType fonts (Henry Baker) Java security problems (Drew Dean) Passwords and the Media (Eriks Ziemelis) Non-standard use of ";" in file names (John Cigas) Re: Risks of MS Word (Nicholas C. Weaver) Re: Computer unmasks Anonymous? (Erann Gat) Re: The Measurement of Risk (Arthur Byrnes) Libel and censorship issues: misc.transport.air-industry (Brian A. Reynolds) ABRIDGED info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Mon, 19 Feb 1996 08:54:51 -0500 From: Steve Bellovin Subject: Re: Maryland train collision (Lesher, RISKS-17.76) Although the investigation is far from complete, some facts that have come to light (see *The New York Times*, 19 Feb 1996) point to the role of total system design for safety. The event recorder aboard the MARC train shows that the train was going twice as fast as it should have been, just prior to the crash. Why was this? The train passed a yellow signal, which should have told the engineer to slow down. But the signal was *before* a station; there is speculation that during the station stop, the engineer forgot what the signal read, and just accelerated to normal track speed. (N.B. Investigators have not yet determined if that signal was truly yellow, or if it changed to yellow while the train was in the station; these factors would obviously change the hypothesis given here.) The interesting part is that the signal used to be after the station, as is common on passenger lines, precisely to avoid that problem. But it was moved a few years ago to increase the passenger train capacity of the line, which is primarily used for freight trains. Signal spacing is correlated with the maximum speed and weight of the trains; to increase speed, one should space the signals further apart and/or add more signals. (A recent New York subway accident occurred because this was not done as the rolling stock changed.) Numerous factors apparently interacted to cause this accident: - The line was used for both freight and passenger trains; these have different characteristics (weight, frequency, length of train, signal conventions). - Simply adding a repeater for the misplaced signal might have caused operational problems -- the rules on that line require engineers to radio an acknowledgement each time they pass a signal. Another signal means more radio traffic. (The crew of the MARC train did make the required report, but the witnesses don't remember what signal aspect they reported. Investigators are searching for audio tapes now.) - The line was set up for Centralized Traffic Control (CTC), permitting bidirectional operation on both tracks. That provides flexibility -- it let the Amtrak train use to left-hand track to pass a stopped freight train -- but at the cost of complexity. But it also led to the crash, which happened as the Amtrak train was about to switch back to the right-hand track. (Btw -- it's worth noting that CTC is not a new system; according to the references I have on hand, it became economically feasible as early as 1930. ``Interlocking'' -- tying signals to switch track positions -- may date to as early as 1857.) - Train signals are normally set up so that only one train at a time can be in a ``block''. If you want a lot of trains on a line, you need short blocks, but that also means you need more complex signal indications to tell the engineer when to slow down to prepare for a red signal several blocks ahead. This in turn puts more demand on both the engineer and the signaling logic (though the latter, at least, does not seem to be implicated here). - Automatic train control equipment, which regulates the speed of trains per the signal equipment, would have helped, but such equipment is rare in the U.S. (Again, this is not new technology; the Federal rule limiting track speeds to 79 mph in the absence of such gear dates to 1951.) Why wasn't it used? Well, it's expensive, commuter lines often don't run that fast anyway, because of their frequent stops, and this is primarily a freight line. (MARC paid CSX (the freight line) for one signal system upgrade in 1993.) - If the problem is indeed the placement of the signal before the station, cab signals (vintage: 1921) would have helped. Again, though, this is expensive equipment. The newspaper article was silent on this point. - If any of the equipment I mention here had been used, the cost would have been greater complexity, which in and of itself increases the likelihood of failure (though I should note that railroads have a pretty good record of using fail-safe or fail-soft equipment -- automatic block signaling wasn't adopted until a fail-safe design was developed). Though computers were apparently not involved in this accident, the lesson is the same: many failures are caused by complex interactions. There is rarely a single cause. ------------------------------ Date: Tue, 20 Feb 1996 07:58:27 PST From: Andrew J Klossner Subject: Garbage truck worker wipes out telephone service Even worse than errant squirrels ... ------- Forwarded Message (from a colleague) I'd like to apologize if you've had trouble contacting me recently. What the floods here in Oregon were unable to do, a cowboy garbage truck driver made up for. It seems that they have this little game they like to play on the way back into town after dumping their load called "swing the cables". They raise the forks (used to lift the dumpsters up over the truck to empty it into the back) to try to flick the big thick telephone cables stretched across the highway. One guy overdid it and ripped out the cable for service to the entire west side of the telephone central office that serves my home and office. It took a lot of work to put that cable back into service considering that it was shredded where it was torn from the shattered telephone poles on both sides of the highway. Meanwhile, five lanes of traffic were driving over the fallen corpse. As I write this the telephone guys are still up there in their little tents, high above the ground, huddled against the rain, slowly splicing it all back together. As a work-around I had the telephone company forward all calls to my cellular phone but somebody made a typographical error setting it up and by calls got forwarded to Timbuktu instead of to my cell phone. Furthermore, I hadn't seen any need to equip my cell phone with FAX or modem so I was FAX-blind and isolated from my e-mail and other internet access. So, if I haven't responded to something that you've sent me or you have been unable to FAX me, please try again now. ------------------------------ Date: Mon, 19 Feb 1996 12:38:46 -0800 From: Mark Seecof Subject: Using better words to discuss WWW If I were going to censor anything about the WWW it would be the use, by those of us who should know better, of the term "publish" to describe the act of making data available from a server. I think much trouble comes from using this unfortunate word. Most people do not understand that surfing the net is much more like placing 'phone calls than reading a magazine found lying on a chair. We have confused the public debate by using the term "publish" because it connotes, to virtually all non-computer-geeks, communication through materials which can be sent or delivered to people who have not requested them. All public discussions of the censorship issue have included statements, sometimes maliciously uttered by activists who know better, but more often repeated by the ignorant, to the effect that evil people will send undesirable images or words to children. Magazines may be mailed to non-subscribers; but only computer geeks know that the images on the web-browser's screen appear only when the user calls for them. The word "broadcast" is even worse. The mere invocation of this word has been claimed to justify censorship precisely because it connotes the possibility of unsolicited delivery. When we use the terms "publish" or "broadcast" we invite the public to misunderstand the 'net. Even when some of us, with the best of motives, demand to be treated "as publishers legally" the effect is to shoot ourselves in the foot. Publishers are required to register with the government, for goodness' sake. The correct legal treatment to request is that accorded private citizens speaking freely to anonymous telephone callers! Links to other folks' pages are akin to giving out a 'phone number--no one who does so should be thought responsible for any message which may be heard by calling it. ------------------------------ Date: Mon, 19 Feb 1996 08:04:35 -0800 From: hbaker@netcom.netcom.com (Henry Baker) Subject: Acrobat quietly 'censors' text in missing TrueType fonts Adobe Acrobat 2.1 on the Mac _quietly_ drops text for which it lacks TrueType fonts. In particular, if your Mac has bitmap fonts for the 'Times' fonts, but no scalable TrueType fonts, then Acrobat 2.1 doesn't bother displaying text in the 'Times' fonts at all. This lossage is particularly curious, since Acrobat has a very sophisticated font-substitution capability using its 'generic' serif and sans-serif fonts for more obscure fonts. Even more curious is the fact that on Adobe's own technical notes on ftp.adobe.com, the following text _will not be displayed_ if your 'Times' fonts are missing: "...Adobe Systems Incorporated assumes no responsibility or liability for any errors or inaccuracies, makes no warranty of any kind (express, implied or statutory) with respect to this publication, and expressly disclaims any and all warranties of merchantability, fitness for particular purposes and noninfringement of third party rights." If this text is missing from Adobe's _own_ documents, then such disclaimer text could well be missing from _every_ document, whether from Adobe or some third party, if this disclaimer is set in one of the 'Times' fonts. Since many important manuals and forms -- including IRS tax forms and many state tax forms -- are now being distributed in 'PDF' (Acrobat) format, the risks should be obvious. ("All the text that's fit to print ??" 'Sign' of The Times.) ("The dog ate my font ??") Henry Baker ftp://ftp.netcom.com/pub/hb/hbaker/home.html ------------------------------ Date: Sun, 18 Feb 1996 23:57:02 -0500 From: Drew Dean Subject: Java security problems We have discovered a serious security problem with Netscape Navigator's 2.0 Java implementation. (The problem is also present in the 1.0 release of the Java Development Kit from Sun.) An applet is normally allowed to connect only to the host from which it was loaded. However, this restriction is not properly enforced. A malicious applet can open a connection to an arbitrary host on the Internet. At this point, bugs in any TCP/IP-based network service can be exploited. We have implemented (as a proof of concept) an exploitation of an old sendmail bug. If the user viewing the applet is behind a firewall, this attack can be used against any other machine behind the same firewall. The firewall will fail to defend against attacks on internal networks, because the attack originates behind the firewall. The immediate fix for this problem is to disable Java from Netscape's "Security Preferences" dialog. An HTTP proxy server could also disable Java applets by refusing to fetch Java ".class" files. We've sent a more detailed description of this bug to CERT, Sun, and Netscape. A second, also serious, bug exists in javap, the bytecode disassembler. An overly long method name can overflow a stack allocated buffer, potentially causing arbitrary native code to be executed. The problem is an unchecked sprintf() call, just like the syslog(3) problem last year. Many such bugs were in the alpha 3 release's runtime, but were carefully fixed in the beta release. The disassembler bug apparently slipped through. This attack only works on users who disassemble applets. The fix is to not run javap until Sun releases a patch. Note that we've only had success in exploiting the first flaw on an SGI. Windows 95 and DEC Alpha versions of Netscape have other bugs in their socket implementations that make it harder (although not necessarily impossible) to exploit the problem. This is the second time that unrelated implementation bugs have prevented us from demonstrating security problems in Java. http://www.cs.princeton.edu/~ddean/java will contain more information soon, including a revised version of our paper, to appear in the 1996 IEEE Symposium on Security and Privacy. Drew Dean Ed Felten Dan Wallach Department of Computer Science, Princeton University For more information, please contact Ed Felten, 609-258-5906, FAX 609-258-1771. ------------------------------ Date: Mon, 19 Feb 96 8:43:38 MST From: Eriks Ziemelis Subject: Passwords and the Media The 5:00PM news broadcast on a local channel here in the Denver area ended with a story on how the news anchors were a bit worried that they would not be able to deliver the news that evening. It seems that someone on the news staff had locked everyone out of the system used to write-up the "copy". The news anchor went on to say that if you are not careful while typing in your name, and that your last name is "Lockheart", you might cause your fellow workers some anxiety. The usual "humorous anecdote anchor laugh" followed. The obvious risks: o Be careful of the passwords you pick, especially where your "average" user has the potential to cause harm (that "!&wjl186" password is starting to look good...) o Don't let your "talking heads" blurt out what is in effect your systems root password over the air. I just hope that the system administrators changed the password, if not before the anchors gaffe then at least afterword. Eriks A. Ziemelis eriks_ziemelis@stortek.com ------------------------------ Date: Mon, 19 Feb 1996 15:36:33 -0600 (CST) From: cigas@Cs.rockhurst.edu (John Cigas) Subject: Non-standard use of ";" in file names Speaking of problems with filename globbing and the conventions on different systems, I found out about encrypted files under DR DOS the hard way a few years back. I was trying to use sz to download several files from a VMS system to my PC, on which I was newly using DR DOS. The VMS version of sz wouldn't allow wild cards at all, so I issued a DIR command, saved the results in a file, then used this file as input to a DCL command file to invoke sz. For those who aren't familiar, VMS associates a version number with each file, as in FOO.BAR;1 I'd never had any problems with VMS to MS DOS file name conversion before - MS DOS just ignored the ;1 so I didn't pay any attention. All my files downloaded just fine, but I couldn't access them. The file names all looked right, but DR DOS kept telling me the files were password protected. After several frustrating minutes of scrounging through the manuals, I found that DR DOS uses the ";xxxxxx" syntax to specify a password to be associated with a file. Sure enough, all my files had a password of "1","2", or "3". It was hard learning to use a semicolon properly in writing class but I didn't expect it to be that tricky in computing as well ;) John Cigas, Rockhurst College, cigas@acm.org ------------------------------ Date: Sat, 17 Feb 1996 18:51:38 -0800 (PST) From: "Nicholas C. Weaver" Subject: Re: Risks of MS Word (Gebe, RISKS-17.76) This is probably just a matter of sloppy programming at Microsoft, in that the program simply acquires x blocks of disk space, but doesn't zero them out before using them. This way, gaps in the file or at the end are occupied by old data from the disk. (In your case, probably a piece of your web-browser's history list). Of course, it is also a file-system problem, in that data is not zeroed-out when a disk block is freed. A similar discovery around 6-7 years ago nearly torpedoed Prodigy (whether this would have been a good thing is open to debate. :). In a perfectly sensible manner, Prodigy created a cache file on the disk. The program grabbed a fairly large amount of space for this file, although it did not fill up right away. Somebody looking through this file discovered bits and pieces of their own data, and rumors flew from there. I personally believe that this is a MUCH more severe problem then is commonly realized. Most file-systems do not overwrite old data, then many programs compound this flaw by simply grab space. I think the risks are obvious, especially in a multi-user environment. E.G., one could conceivably write a program to grab a block on disk, search through them for interesting data (eg the public key a security paranoid uses for his e-mail, which happened to get swapped out to disk for a moment), mark the block as read, and then free it. Or who knows what interesting tidbits may have inadvertently found their way into major ftp archives (now available on CD-Rom). Nicholas C. Weaver nweaver@cs.berkeley.edu http://www.cs.berkeley.edu/~nweaver ------------------------------ Date: Mon, 19 Feb 1996 00:54:24 -0800 (PST) From: gat@aig.jpl.nasa.gov (Erann Gat) Subject: Re: Computer unmasks Anonymous? (Wayner, RISKS-17.75) >If Joe Klein, a well-known political writer, is indeed the author, it is >clear that he didn't learn one of the first lessons of Washington. If >you're going to leak information or quotes to the world, make sure you use >the diction of your enemy. On the other hand, if Joe Klein is *not* the author, then it is clear that the real author *did* learn that lesson. That's the trouble with Washington. The people who are telling you that you are being lied to might be lying. Erann Gat gat@jpl.nasa.gov gat@power.net ------------------------------ Date: Mon, 19 Feb 96 14:42:34 EST From: byrnes@escmail.orl.mmc.com Subject: Re: The Measurement of Risk (Overy, RISKS-17.74) >pjo33@mailbox.rl.ac.uk (Philip Overy) says; >The following type of example should be borne in mind when comparing safety >propaganda and safety spending with "common sense solutions": Asthma is >generally reckoned to be a disease caused by vehicle pollution: In the UK >last year 4m pounds was spent on asthma research 6m pounds was spent on >POLICING demonstrations against the proposed new M11 road. Maybe this type of statement is the "Glaring Light" to show the problems with "The Measurement of Risk". People who have Asthma may be sensitive to vehicle pollution, but Asthma existed long before the invention of the automobile. And people with Asthma are often sensitive to lots of other air borne items besides vehicle pollution, such as pollen, dander, etc. So, Phillip, gives us a perfect example of a statement designed to enrage and scare people to get more funding for his "pet disease". (And villify, a technological item that he disagrees with, motor vehicles.) >As for Telstra's radio emissions, well, I suppose...it was the technical >world telling them that radioactivity was good for you... The UK must be a really strange place, I don't remember hearing this in the US. Even the old 50's movies show that exposure to radioactivity would create, "The Amazing Colosso Man" or "The Incredible Shrinking Woman". Arthur Byrnes ------------------------------ Date: Mon, 19 Feb 96 11:20:26 -0600 From: "Brian A. Reynolds" Subject: Libel and censorship issues: misc.transport.air-industry The following thread is developing in misc.transport.air-industry. Quite frankly I have stopped reading the group because in the desire to engage in enlightened discourse with other reasonable minds, the unreasonableness of the legal system intrudes. I see the risk as: Any communication by an individual using a company domain name is legally perceived as being a representative of that company without regards to any efforts to distance the user from the provider. I know of at least one case where this was true, and while the individual included a disclaimer, the inclusion of the disclaimer was itself construed as meaning that the individual was attempting to speak for the company. Until this is actually tried in court, I think that the safe assumption has to be that anything you say can, and will, be used against you. - - - - - - - - - - - - Subject: [ADMIN] CENSORSHIP OF MISC.TRANSPORT.AIR-INDUSTRY - misc.transport.air-industry #6069 In article <4g2vmc$9a9@gsb-birr.Stanford.EDU>, rna@gsb-birr.Stanford.EDU (Robert Ashcroft) wrote: A few days ago, misc.transport.air-industry moderators received the following message. With the permission of the author, we repeat it here. All misc.transport.air-industry moderators have received a copy of this message, and know who the author is. We can tell you the author is a long-time contributor to the newsgroup, not given to extreme opinions, but we will not identify the author further for obvious reasons. We have no reason to doubt the veracity or motivation of the author (this author has not been involved in the debates on Airbus safety or subsidies so far as we know). >This may seem like a strange request, and I will understand if you cannot >comply with it. Airbus Corporate Legal sent a Letter to my company's >corporate offices complaining about a posting of mine on an Internet >newsgroup. I believe that it was this news group. The posting was >really quite benign (it wasn't on the ever present safety issue). It >was taken completely out of context, but that is really beside the point. >First of all, I have been asked (by my legal department) if that posting >and the entire thread is retrievable. My guess was that it isn't, but I >told them I would ask. > >Thankfully, I work for a company which values free speech (as I do this on >my on time on my own computer), but I still find it somewhat chilling that >rather than participate in the discussion in this group; Airbus is looking >to silence people via threats to their companies. If they are going to >come after me due to a benign third part[y] comment on performance, what >are they going to do to some of these other folks? Obviously the moderators of misc.transport.air-industry are concerned about any attempt at censorship of this newsgroup. It's unclear exactly what this group should or can do about it, and we welcome your suggestions. We all have an interest in keeping debate both open and lively in misc.transport.air-industry (and more generally, on the net as a whole). RNA misc.transport.air-industry comoderator, for the m.t.a-i moderators - - - - - - - - - - - - In article <1996Feb16.222312.1@eisner.decus.org>, mezei_jf@eisner.decus.org (Jean-Francois Mezei) wrote: In article <4g2vmc$9a9@gsb-birr.Stanford.EDU>, rna@gsb-birr.Stanford.EDU (Robert Ashcroft) writes: [...] If a poster has a signature file that makes reference to whom his employer is, even if there is a "my opinions are mine and not my employers" type of statement, and that employer has contractual ties to the plaintif (Airbus), then I can -understand- why the plaintif would send a complaint to the employer since one of its employees made public statements *possibly* containing information that was obtained under non-disclosure etc. However, no matter how slanderous a statement is posted by an individual without any reference to an employer, there should never be any legal retributions possible. The issue is not of censorship but that of representation. When an employer is mentioned, the poster is linked (like it or not, disclaimer or not) to that company and represents it in some way. When the employer's name is posted to give credibility to the poster, the link is all that much stronger. So, if an individual (or his employer) has problems with another entity (individual, corporation, government), the problem is not at the Internet/newsgroup level and moderators should not worry. - - - - - - - - - - - - In article <4g5fgj$h31@bronze.coil.com>, ebright@coil.com (Jim Ebright) writes: >In article <4g2vmc$9a9@gsb-birr.Stanford.EDU>, >Robert Ashcroft wrote: > ... >Obviously the moderators of misc.transport.air-industry are concerned >about any attempt at censorship of this newsgroup. It's unclear >exactly what this group should or can do about it, and we welcome >your suggestions. We all have an interest in keeping debate both open >and lively in misc.transport.air-industry (and more generally, on the >net as a whole). Avoiding obviously libelous statements is almost certainly an obligation of both posters and moderators. But what is libel? _Sullivan vs The New York Times_ set the standard for libel of `public figures' in the USofA. I suspect newsworthy corporations fall under this umbrella ... but I have not researched this. (Consult your favorite lawyer for paid research :) Three tests must ALL be passed for a statement (posting) to be libelous: 1) the statement must be false. 2) the poster must have known the statement was false at the time he/she made it. 3) the statement must have been made with malicious intent by the poster. With these criteria, I know of no postings in the mentioned newsgroups that are libelous. (Beware, standards are much more strict for non-public figures...but this probably isn't operative in this case.) Of course, most other countries have less protection for free speech. But if you don't go there, they can't do anything to you :) 'moo2u from osu' Jim Ebright ebright@bronze.coil.com Internet/newsgroup level and moderators should not worry. [Variant spellings of "libelous" unified by PGN. By the way, PLEASE note that I almost always routinely remove the disclaimers at the end of each submitted message, relying on the blanket disclaimer at the end of each issue. Submitters must assume that all contributions become public statements, and you should be intellectually accountable for what you write -- irrespective of any legal implications thereof. PGN] ------------------------------ Date: 14 February 1996 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: ABRIDGED info on RISKS (comp.risks) The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...] DIRECT REQUESTS to (majordomo) with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] INFO [for further information] CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, nonrepetitious, and without caveats on distribution. Diversity is welcome, but not personal attacks. [...] ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. By submitting an item that is accepted for publication in RISKS, the author grants permission for unlimited noncommercial public distribution and redistribution in electronic and print form. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT Software Engineering Notes or SIGSAC Review. RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks RISKS ARCHIVES: "ftp ftp.sri.comlogin anonymous[YourNetAddress] cd risks or cwd risks, depending on your particular FTP. [...] [Back issues are in the subdirectory corresponding to the volume number.] Individual issues can be accessed using a URL of the form http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue] ftp://ftp.sri.com/risks PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest, see the INFO file at RISKS-Request (one-line message INFO noted above). ------------------------------ End of RISKS-FORUM Digest 17.77 ************************