Subject: RISKS DIGEST 18.01

RISKS-LIST: Risks-Forum Digest  Friday 5 April 1996  Volume 18 : Issue 01

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
Sixth Computers, Freedom and Privacy (Shabbir J. Safdar)
A Wiretap Incident in New Orleans (Shabbir J. Safdar)
Computer Error Costs MCI $Millions (Scott Lucero)
Teen Accused of Hacking (David M Kennedy)
Only Americans can contact the AT&T operator (Tom Gardner)
Re: Wrong approach to Java security (Frank Stuart)
Re: Risks of rewritable BIOSes (Jeremy J Epstein)
Re: "This is not a bug" messages: MacsBug (David A. Lyons)
Re: The Queen's Speech (Allan Engelhardt)
Re: Notes on e-mail: Use of diaeresis (Dan Hicks, Daan Sandee)
On the meaning of "email" (Clive Feather)
Browser return e-mail addresses (Walter Roberson)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 04 Apr 1996 16:05:34 -0500
From: shabbir@vtw.org (Shabbir J. Safdar)
Subject: Sixth Computers, Freedom and Privacy

I attended last week's Sixth Computers, Freedom, and Privacy conference in Cambridge MA, where policy-makers, technical experts, and activists came together to hash out the intersection of the three elements of its title. CFP is an unusual place; the closest thing our community can get to "neutral ground" on many issues. This is best expressed by the fact that in the hallways of the hotel, it's not unusual to see those that supported and those that fought the Communications Decency Act hob-nobbing it up, trading friendly swipes about their take on the bill. In addition, it's always an enjoyable thing to be able to meet an FBI agent in a neutral setting and ask them questions about their perspective on various issues.

CFP is still finding its way, though, as the issues it covers evolve in and out of the mainstream. A few years ago the issues were hackers and search warrants for computers and bulletin boards. Now that seems to have been replaced by encryption policy, wiretaps and how much of the First Amendment applies to the net. CFP has survived well, and I continue to return every year I can. I return not only to see the issues from new perspectives, but also to obtain the synergy that can only happen in a face-to-face encounter.

This isn't to say that CFP doesn't stumble occasionally. There were a few panels this year that fell into the CFP trap, where individuals came to express none-too-fresh perspectives on problems that have been beaten like the Lone Ranger's dead steed. Encryption is typically the cause of these.

On the other hand, however, CFP was successful in what is the most entertaining and enlightening approach to the encryption debate I've seen in the last two years. Centering around a mock law that required key escrow, the CFP program committee set up a "moot court" of five Federal judges (real ones, with black robes and everything) that heavily questioned attorneys that presented cases for the government on one side, and plaintiffs challenging the law on the other. The live questioning, and the exercise of having to put one's arguments into a legal framework was an experience that everyone enjoyed. This was clearly the most heavily attended panel of the conference.

The other interesting thing this year was the final panel of the conference, a reflection on the entire conference done by four science fiction authors: Bruce Sterling, Vernor Vinge, Pat Cadigan, and Tom Maddox. This was probably the most interesting way to reflect on the conference, and the writers seemed to form a sort of "collective conscience" for the rest of us.

Bruce Sterling, in particular, provided a dystopian view with such a forceful delivery that I, and many others, probably stumbled from the room unable to decide if we were happy we knew where we were going, or if we should run screaming in terror at society's impending train wreck.

It was somewhat appropriate that there was no time for questions after that panel. They would have simply detracted from the fact that the writers got the "last word". It's a great role though, to have those who dream for us, our science fiction writers, act as our conscience. I hope the program committee lets them do it next year, and I look forward to meeting the next set of faces that I'll have met on the net over the next year.

-Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW)
 http://www.vtw.org/ * Defending Your Rights In Cyberspace

   [Note: This was a very lively meeting. I hope further reportage will appear in RISKS. By the way, Shabbir, Matt Blaze, Bob Metcalfe and I were honored with this year's EFF Pioneer Awards. Greatly appreciated! PGN]

------------------------------

Date: Thu, 04 Apr 1996 16:05:34 -0500
From: shabbir@vtw.org (Shabbir J. Safdar)
Subject: A Wiretap Incident in New Orleans

[From VTW's BillWatch newsletter, an announcement-only list archived at http://www.vtw.org/billwatch/]

-Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW)
 http://www.vtw.org/ * Defending Your Rights In Cyberspace

A TRAGIC STORY ABOUT A WIRETAP
by Shabbir J. Safdar, VTW Board (New York, NY)

This week most of VTW's staff attended the Computers, Freedom, and Privacy conference in Cambridge Massachusetts. I go to the conference every year to recharge my batteries, put names to faces, and enjoy the synergy that can only come with face-to-face dialogue.

This year the debate over encryption seemed focused on three panels, the only novel one being a panel which was a "moot court".
Presided over by five real Federal judges, attorneys for plaintiffs and the government argued over the Constitutionality of a mock law that would require escrowing of encryption keys. Aside from this, the conference added no new material to the encryption debate.

One valuable experience happened on the way home, however. I picked up the New York Times and came across a story in the New York Times Magazine about a corrupt New Orleans police chief, and how he reacted to a woman who filed a police brutality complaint against him.

The story goes this way: the FBI was wiretapping a number of New Orleans police officers who were allegedly guarding a 286 pound shipment of cocaine. During that time the FBI overheard a conversation between the police chief and several other police officials that the FBI alleges was a murder plot. The intended victim had previously filed a police brutality complaint against the chief.

Although the FBI had the conversation in hand, they were unable to decode the police chief's "street slang and police jargon" in time to prevent the murder. The woman who filed the complaint, a 32 year old mother of three, was shot while standing in front of her house.

It's easy to be angry about this incident. One could (and should) be angry with the murderers and their conspirators. However, out of this come two important observations on the encryption policy debate.

One, while wiretaps have probably been effective in other cases, they were not effective in this one. While we can grant law enforcement the benefit of the doubt in other cases, the existence of this one shows that a wiretap is not the "silver bullet" of law enforcement that we have been led to believe.

Another observation that can be made is that this parallels the key escrow debate very closely. No reasonable person is objecting to the FBI's right to conduct a wiretap. However what is being debated is the extent to which individuals and law enforcement can go to accomplish their duties.

The Clinton Administration is striving for a world where everyone is forced to speak in a form of encryption that is easily decoded by law enforcement. The public and industry are striving for a world where they continue to have private conversations.

The situational parallel to this would be if the Administration had pushed a law that requires everyone to speak on the telephone in plain English, without slang and without any double meanings. This is the equivalent of key escrow.

However, would this have really saved the person so tragically killed above? Unlikely. Individuals involved in criminal conspiracies will continue to use whatever means at their disposal to obscure their activities from the police. The corrupt police chief who allegedly ordered the murder would have still used slang and code, regardless of any laws banning such use. He was allegedly conspiring to commit a murder, why should he care?

Such laws will, however, affect law-abiding citizens' attempts to gain privacy. Law-abiding citizens that may be speaking to their doctors, attorneys, loved-ones, or business partners will continue to be targets of industrial espionage, private investigators, and, in a few cases, trusted individuals abusing that trust.

This example from the New York Times Magazine (3/31/96, p.32) shows that while we can certainly give a little to law enforcement on their arguments about the effectiveness of wiretaps, they need to give a little in the other direction on the practicality of forcing people to speak in a law-enforcement-understandable code. Obviously, criminals don't care about such rules. Since that is the case, is it really worth handicapping all technology, and exposing individuals to privacy intrusions when such measures won't even be effective at attaining their stated goals?

------------------------------

Date: Wed, 03 Apr 96 15:15:29 EST
From: "lucero"
Subject: Computer Error Costs MCI $Millions

In the *Washington Post* 29 March 1996, MCI reported that they will refund approximately $40 million due to a computer error. A billing error was uncovered by an investigative reporter from local television station, WRIC in Richmond, VA. The reporters found that they were charged for 4 minutes after making a 2.5 minute call, leading to an in-depth investigation.

Scott Lucero

------------------------------

Date: Thu, 04 Apr 1996 16:28:49 -0500
From: David M Kennedy
Subject: Teen Accused of Hacking

Courtesy of the Associated Press via CompuServe's Executive News Service:

AP 2 Apr 96 20:21 EST V0491

>> ST. LOUIS (AP) -- A St. Louis teen-ager arrested last week near Philadelphia on computer fraud charges is more than just a kid with a hobby -- and far more dangerous, federal authorities say. Christopher Schanot, 19, of High Ridge, Mo., is a computer genius who "hacked" his way into the computers of some of the nation's largest computers, causing security breaches that forced at least one company to spend thousands of dollars fixing.<<

o Authorities claim he's a member of the Internet Liberation Front (ILF).

o He claims to be able to take control of any computer he chooses to.

o He was taken to St. Louis Tuesday with an arraignment and bond hearing set for Thursday.

o His father was quoted: "If a parent can't monitor the child or if the parent doesn't understand how the Internet works, the computer's modem should be unplugged." The younger Schanot received his first computer at the age of 4 years. His father was quoted as instructing him to use only public access computer systems and, "He was an honor student, really he was all you could want in a child. It was such a shock to us when he disappeared."

o He was an honors student at Vianney High School in suburban St. Louis. Shortly after graduation last summer he went to Philadelphia to "lay low."

o His father became concerned about him and contacted the authorities and turned over his PC to them.

>>In the computer, authorities found a message headed "Greetings from the Internet Liberation Front." The message was saved to his computer on Thanksgiving Day 1994, the day of a computerized "break-in" at NBC. The message said the group "has now declared war on any company suspected of contributing to the final demise of the Internet." "Big boys" in the telecommunication industry have turned the Internet "into another overflowing cesspool of greed," the message added. "We are capable of penetrating virtually any network linked to the Internet -- ANY network," the message said. <<

[DMK: Gee, that was in RISKS and any number of net-news reports back in 94. The only reason it's not on _my_ PC is I purged it to save disk space. Does that qualify me as a "purged" ILF member?]

o His PC also had hundreds of passwords to corporate computer systems, including defense contractors and the computers of credit reporting agencies. The PC also had AT&T calling card numbers, and credit card numbers in it.

o He was indicted on five counts (unspecified...18 USC 1029/1030?) last month. Max slammer time = 30 years + US$1.25E06 in fines.

o Victims: Southwestern Bell Telephone, BELLCORE, Sprint, and SRI.

o Time frame: Oct 24, 1994 to Apr 23, 1995

MAJ Dave Kennedy [CISSP]

------------------------------

Date: Tue, 02 Apr 1996 16:05:53 -0800
From: Tom Gardner
Subject: Only Americans can contact the AT&T operator

Tom Gardner             Hewlett Packard Laboratories, Filton Rd,
tgg@hpl.hp.com          Stoke Gifford, Bristol, Avon, BS12 6QZ, ENGLAND.
Fax: +44 117 9228920    Tel: +44 117 9799910 ext. 28192

Subject: I Cannot Call The AT&T Operator

While in the US, I recently wanted to find out a number in England, and since I don't know the local directory enquiries number, I called the AT&T operator. After dialling "00" the "conversation" between me and the abuser interface (ABI) was:

  ABI: "AT&T.
       To place a call, please dial the number now, or say 'operator' to be connected to an operator".
  Me:  "Operator"
  ABI: "Sorry, your response was not understood. To place a call, please dial the number now, or say 'operator' to be connected to the operator".
  Me:  "Operator"
  ABI: "Sorry, your response was not understood..."

Thus the abuser interface would only allow me to do the single thing that I didn't know how to do. After a few more abortive attempts I found that the necessary incantation involved pinching my nose and saying "er- per-eight-er".

The risk? That people with speech impediments, and ethnic minorities who do not speak with a "standard" US accent (i.e., the majority of the human race!) cannot be connected with an operator, and are thus unable to place telephone calls.

The abuser interface would have been perfectly acceptable if there had been an additional escape clause such as "...or wait for 30 seconds to be connected to an operator".

On a separate but related issue, can anyone tell me whether the codecs in "digital" cellular phones are usable with non-Indo-European languages such as:
 - languages where the pitch is extremely important but the "consonants" are relatively unimportant, e.g. (I believe) Mandarin Chinese
 - the African "click" languages

   [Tom, ``Standard US?'' Many North "Americans" have troubles. Regional dialects here are pretty severe. But certainly Cockney, Australian * ('Strine), and other variants of English are unlikely to be decoded. I suppose we all need the language training that actors get. I am always astounded when I hear a Brit or Aussie actor known for wonderful BEnglish or AusEnglish dialect speaking perfect AEnglish. Just a thought. PGN]

   [* Slight spelling correction in archive copy to ward off pe-roo-sers.]

------------------------------

Date: Mon, 1 Apr 1996 19:57:37 -0600 (CST)
From: Frank Stuart
Subject: Re: Wrong approach to Java security (Palme, RISKS-17.95)

In RISKS-17.95, Jacob Palme suggests that the reputation of "well-kept depositories" and PICS-like ratings can be used to guard against malicious Java code.

A more useful idea along the same lines is to allow for code to carry a digital signature. A user could then configure his browser to reject code with unknown or incorrect signatures. A more daring user might simply want a warning. Confidence could be placed in code obtained from anywhere, even a malicious host, as long as the signature is valid and you trust the entity signing it.

Digital signatures are not a panacea, however. There are real problems with key distribution and even the smallest change in the code would require it to be re-signed. Further, although digital signatures offer protection from malicious code, there is still the possibility of bugs with security implications or other harmful effects.

Frank Stuart

   [That is actually similar to the Microsoft CAPI (Cryptographic Application Programming Interface) concept extended to browsers. Not a bad idea. Note: concerning hyphenating vs. hyphen-hating, notice the distinction between re-signed and resigned. I won't resign from my crusade. PGN]

------------------------------

Date: Tue, 02 Apr 1996 15:31:18 -0500
From: JEREMY J EPSTEIN
Subject: Risks of rewritable BIOSes (Valverde, RISKS-17.96)

In RISKS-17.96, J.R. Valverde talked about the risks of having BIOS stored in flash RAM (because it's rewritable, I hesitate to call it ROM). A similar point was raised by Martin Portman in RISKS-17.58, with related information by Sean Reifschneider in RISKS-17.61. All of these are quite accurate as to the problem. The purpose of this posting is to let people know what's happening to fix the problem.

As part of a project I'm working on, I've been working with some of the large PC vendors.
What I've found is that virtually all Pentium based PCs on the market today have the flaw described. This sort of problem was almost unknown in the 286/386/486 generations of PCs, which used real ROM for storing the BIOS.

Some of the hardware manufacturers understand the risk here, and have started to address it. One solution adopted by some vendors is to build a one-way switch in hardware. Once the switch is "thrown" (by sending commands to a device on the board), the write signal to the flash ROM holding the BIOS is disabled until the next power cycle. Some vendors have put code in their BIOS to automatically throw the switch before they boot from the floppy or hard drive. This prevents any sort of malicious software from modifying the BIOS. To allow BIOS updates to occur, the BIOS looks for a "signature" on the floppy before throwing the switch, and if the signature is found it doesn't throw the switch. (The ease of spoofing the signature is another topic.)

Other vendors have implemented a BIOS modification password, which must be written to a particular address before the write signal to the flash is unlocked. Unfortunately, such a password is usually subject to a dictionary attack by the malicious software, which would be invisible to the user.

The good news is that because each vendor has solved the problem differently, it would be difficult for a virus writer to disable arbitrary PCs (although they might be able to disable all PCs from a given vendor). That is, diversity results in resistance to plague.

The bad news is that even for those vendors who are doing a good job addressing this problem, they can't retrofit machines already in the field, since it requires a hardware change that isn't economical. Further, because there's no way to tell by physical inspection whether a given machine has a rewritable BIOS, users can't determine whether they're at risk.
Vendors are reluctant to disclose how they've solved this problem (if at all), which makes it impossible for users to tell if they're at risk.

Of course the whole problem occurs only because most PCs don't run modern operating systems that would prevent a virus from directly accessing the hardware. For example, a PC running UNIX, OS/2, or NT is immune to these sorts of viruses except at boot time (which can be addressed using careful procedures).

------------------------------

Date: Thu, 21 Mar 1996 01:46:45 -0800
From: dlyons@netcom.com (David A. Lyons)
Subject: Re: "This is not a bug" messages: MacsBug (Rafn, RISKS-17.92)

Mark Rafn's message in RISKS-17.92 reminded me of a change I made to the low-level debugger MacsBug, during development of Macintosh System 7.5.

If the user holds down the Control key during startup, the debugger intentionally seizes control and says "User break at ." Users who aren't expecting this write up bug reports that say "The system crashes when I hold down the control key during startup."

After the third or so of these reports, I was tired of saying "it's a feature" and decided to make the situation clearer to the users. Now the message reads:

   Welcome to MacsBug
   (Thank you for holding down the Control key)

The bug reports stopped. Perhaps this message shows an appropriate degree of respect for the user (some alternate versions I considered showed less).

------------------------------

Date: Tue, 2 Apr 1996 12:03:06 +0100
From: allane@parallax.co.uk (Allan Engelhardt)
Subject: Re: The Queen's Speech

The Electronic Telegraph (http://www.telegraph.co.uk/) reported that the sentence mentioning the Polish Jews was in the electronic version of the Queen's speech and in the printed copy that was used for proof reading. However, the version the Queen was reading from when she gave her speech was printed in a bigger font and the sentence "fell off the bottom of the page".

The RISKs are obvious.

--- Allan.

   [Also noted by "timothy (t.j.) hewson" .
   But Europeans already use longer paper, so one (silly) approach might be to proof-read in the U.S. and print the final copy in England? Oh, yes, lawyers like long paper too, but let's keep them out of it, or the Queen couldn't afford it. PGN]

------------------------------

Date: Tue, 02 Apr 1996 00:43:10 -0600
From: Dan Hicks
Subject: Re: Notes on e-mail: Use of diaeresis

This article brings to mind the birth of the daughter of a teammate of mine. Seems the chosen name of the child was Zoe (with diaeresis over the "e"). So my teammate sent around a note announcing this name. However, shortly after the note went out, people started asking him why in the world he'd named the kid "ZoK".

Turns out that e-diaeresis is mapped as ctrl-K (or is it alt-K?) on our system. When the message was sent to other systems, however, the mail software converted text that looked something like "Zo^K" to read simply as "ZoK".

So another risk of computers is one of losing your identity -- on the day you're born.

Dan Hicks  http://www.millcomm.com/~danhicks

------------------------------

Date: 2 Apr 1996 16:20:16 GMT
From: sandee@Think.COM (Daan Sandee)
Subject: Re: Notes on e-mail: Use diaeresis (Callas, RISKS-17.96)

The deficiency of this proposal is demonstrated by the fact that it arrives on my screen as "co=F6perate", "na=EFf", and "Bront=EB.". My system is set up to properly handle ISO 8859-1, which is the only reasonable extended character set standard for use on the Internet. It was already mangled in the RISKS posting (I checked), and as far as I can guess it was presumably mangled before it left Jon's machine. I wish people wouldn't assume that the way their machine handles non-ASCII characters is the same as everyone else's.

Usenet (at least NNTP) is generally 8-bit transparent, and any European soc.culture group will tell you that ISO 8859-1 usually works, though some people's newsreaders may have to be told about it.
This post of mine, however, goes out by e-mail (SMTP) and upper bits will be stripped, so I can't demonstrate its use.

|> [Not a bad idea for folks who can deal with diaeresis, but
|> there are still lots of problems that does not handle. PGN]

Well, I can handle diaereses all right, as long as they arrive in a form recognizable by my software.

Daan Sandee  sandee@think.com  Burlington, MA

   [Also commented on by Malcolm Vincent . PGN]

------------------------------

Date: Tue, 2 Apr 1996 12:14:04 +0100 (BST)
From: Clive Feather
Subject: On the meaning of "email"

... the Oxford English Dictionary has a citation from 1480:

   emailed: arranged in net or open work

Presumably we can back-form "email" from this.

Clive D.W. Feather, Managing Director, CityScape Internet Services
cdwf@cityscape.co.uk  +44 1223 566950  Fax: +44 1223 566951

   [Mark Brader notes that this is in the Jargon File / New Hacker's Dictionary, edited by Eric Raymond. From version 3.3.3 of the Jargon File:

   ``Oddly enough, the word `emailed' is actually listed in the OED; it means "embossed (with a raised pattern) or perh. arranged in a net or open work". A use from 1480 is given. The word is probably derived from French `'emaill'e' (enameled) and related to Old French `emmaille"ure' (network). A French correspondent tells us that in modern French, `email' is a hard enamel obtained by heating special paints in a furnace; an `emailleur' (no final e) is a craftsman who makes email (he generally paints some objects (like, say, jewelry) and cooks them in a furnace).''

   Thanks. That only strengthens my argument for e-mail or E-mail! PGN]

------------------------------

Date: Sat, 16 Mar 1996 16:19:13 -0600
From: roberson@hamer.ibd.nrc.ca (Walter Roberson)
Subject: Browser return e-mail addresses

I recently received an e-mail reply that addressed someone else by name about a topic I've never dealt with.
My system logs did indicate that I'd e-mailed the person earlier in the day, so I figured that I had replied to a posting of theirs and forwarded a copy to them, and that they had replied to the wrong message. I was, though, unable to find any previous postings by that author, and so concluded that it had simply been so recent that the search engines had not catalogued it yet.

After a day or so I finally realized what had happened. I had, a few weeks prior, visited another site and had needed to send e-mail out from a WWW browser on the lab computer I was using. I had configured my e-mail address as the return address, and had given my server's address as the SMTP gateway. I did not remember to de-configure them when I left, so the next time someone sent e-mail from that system's browser it not only claimed to be me but also showed up in my server's logs.

So if you are using a lab computer, be sure to check the reply address before starting to send mail. If you are replying to someone who might have been using a lab computer, make sure the reply address matches your expectations.

Walter Roberson  roberson@ibd.nrc.ca

------------------------------

Date: 18 March 1996 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...]

DIRECT REQUESTS to (majordomo) with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
   INFO [for unabridged version of RISKS information]

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, nonrepetitious, and without caveats on distribution.
Diversity is welcome, but not personal attacks. [...] ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Particularly relevant contributions may be adapted for the RISKS sections of issues of ACM SIGSOFT Software Engineering Notes or SIGSAC Review.

 * Submissions: By submitting an item that is accepted for publication in RISKS, the author grants permission for unlimited public distribution and redistribution in electronic or other form.

 * Reuse: Blanket permission is hereby granted for reuse of all materials in RISKS, under the following conditions. All redistributed items must include the Risks-Forum masthead line. All reuse must be accompanied by the following statement:

      Reused without explicit authorization under blanket permission granted for all Risks-Forum Digest materials. The author(s), the RISKS moderator, and the ACM have no connection with this reuse.

   As a courtesy, reusers of individual items (as opposed to forwardings of entire issues) should notify the authors, and should pay particular attention to any subsequent corrections.

RISKS ARCHIVES: "ftp ftp.sri.com login anonymous [YourNetAddress] cd risks or cwd risks, depending on your particular FTP. [...]
   [Back issues are in the subdirectory corresponding to the volume number.]
   Individual issues can be accessed using a URL of the form
      http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
      ftp://ftp.sri.com/risks
   The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners:
      get illustrative.PS

PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest, see the unabridged INFO file at RISKS-Request (send one-line message INFO to risks-request@CSL.sri.com as noted above).

------------------------------

End of RISKS-FORUM Digest 18.01
************************
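
Added example (not part of RISKS 18.01 and not code from any contributor): the strings Daan Sandee reports seeing have the form of quoted-printable escapes for ISO 8859-1 bytes. The Python sketch below decodes them and shows what the same bytes become when a 7-bit relay strips the upper bit, as his post says SMTP will, or when the receiver assumes a different code page. The function names and the choice of CP437 as the "other" code page are assumptions made for illustration.

```python
import quopri
import re

CHARSET = "iso-8859-1"

# Strings exactly as quoted in Daan Sandee's post.
AS_RECEIVED = ["co=F6perate", "na=EFf", "Bront=EB."]

# "=XX" with two upper-case hex digits is the quoted-printable escape form.
_QP_ESCAPE = re.compile(r"=[0-9A-F]{2}")


def looks_like_undecoded_qp(text: str) -> bool:
    """Heuristic: 7-bit text that still carries =XX escapes nobody decoded."""
    return text.isascii() and bool(_QP_ESCAPE.search(text))


def decode_qp(text: str, charset: str = CHARSET) -> str:
    """Undo quoted-printable, then interpret the bytes in the given charset."""
    return quopri.decodestring(text.encode("ascii")).decode(charset)


def encode_qp(text: str, charset: str = CHARSET) -> str:
    """The sender's side: charset bytes wrapped so that they survive 7 bits."""
    return quopri.encodestring(text.encode(charset)).decode("ascii")


def strip_high_bit(text: str, charset: str = CHARSET) -> str:
    """What a 7-bit relay does to raw 8-bit text: clear bit 7 of every byte."""
    return bytes(b & 0x7F for b in text.encode(charset)).decode("ascii")


def wrong_code_page(text: str, sent_as: str = CHARSET,
                    read_as: str = "cp437") -> str:
    """Bytes arrive intact but the receiver assumes another code page.
    cp437 is an assumed example of such a mismatch."""
    return text.encode(sent_as).decode(read_as)


def transport_report(received: str) -> dict:
    """Recover the intended text, then compare the lossy paths against it."""
    intended = decode_qp(received)
    return {
        "received": received,
        "undecoded_qp": looks_like_undecoded_qp(received),
        "intended": intended,
        "7bit_stripped": strip_high_bit(intended),
        "read_as_cp437": wrong_code_page(intended),
        "qp_round_trip_ok": encode_qp(intended) == received,
    }


if __name__ == "__main__":
    for item in AS_RECEIVED:
        print(transport_report(item))
    # The name from Dan Hicks's post, sent raw through a 7-bit relay.
    print(strip_high_bit("Zo\u00eb"))
```

Only the quoted-printable path is reversible: once the upper bit has been stripped, the receiver cannot tell a damaged character from a genuine ASCII letter.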