Subject: RISKS DIGEST 18.20

RISKS-LIST: Risks-Forum Digest  Weds 12 June 1996  Volume 18 : Issue 20

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents: [SUMMER SLOWDOWN IN EFFECT]
Federal Court KOs CDA (Marc Rotenberg)
The computer is always right - again (Richard S. MacDonald)
The Risks of *Zero Hour* by Joe Finder (Peter Wayner)
Re: L-vis Lives in Virtual TV (Barry L Gingrich, Eamonn McManus)
Digital photographic forgeries: nothing's ever new! (Scott Alastair)
Re: Digital unreality (Jason Eisner, Lauren Weinstein)
F-15 revisited again (David Damerell)
Ariane-5 failures (Bertrand Meyer, David Wadsworth)
RISKs of bogus FAQs (Tom Lane)
CFP: 1997 Symposium on Network and Distributed System Security (Matt Bishop)
Re: HTTP cookie privacy risk (Kenneth Albanowski, Rob Streno, Scott Hazen Mueller)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: 12 Jun 1996 18:15:34 -0500
From: "Marc Rotenberg"
Subject: Federal Court KOs CDA

In a ruling likely to have a significant impact on the future of the Internet, a special three-judge federal court today declared the Communications Decency Act unconstitutional on its face. The landmark decision came in a legal challenge initiated by the ACLU, EPIC and 18 other plaintiffs. EPIC is both a plaintiff and co-counsel in the litigation. The ACLU/EPIC case was consolidated with a subsequent action filed by the American Library Association and a broad coalition of co-plaintiffs.

Today's lengthy ruling consists of separate opinions authored by the three members of the federal court panel. While the three judges differed in their approaches to the legal issues raised in the case, they were unanimous in their strong conclusions that the CDA constitutes a clear violation of the First Amendment.

A complete copy of the opinion, as well as selected excerpts and related news items, can be found at http://www.epic.org/ .

Marc Rotenberg, EPIC

------------------------------

Date: Wed, 12 Jun 1996 12:03:51 -0600
From: "Richard S. MacDonald"
Subject: The computer is always right - again

A major computer chain recently tried to charge me an exorbitant price for ZIP disks. The price was about 1.5 times what other stores are selling them for and about the same amount higher than the price listed on the tag on the shelf. The manager was willing to sell me the disks at the shelf price but noted that they would have to change that since the computer said it was higher. I told her that their price tag was most likely to be right because of the comparison to other chains but she insisted that the tag must be wrong rather than the computer.

I wonder how many people paid $62.96 for the package instead of $45.96 or if they simply don't sell as many as their competition. I also wonder if computer stores are more or less likely than other stores to believe that the computer is in error. Fortunately in this case there is another chain right across the street...

Richard S. (Dick) MacDonald

------------------------------

Date: Mon, 10 Jun 1996 23:30:13 -0400
From: pcw@access.digex.net (Peter Wayner)
Subject: The Risks of *Zero Hour* by Joe Finder

The dust jacket copy for _Primary Colors_ promises that the book will tell the truth in a way that only fiction can do. RISKS readers might enjoy a friend Joe Finder's novel _Zero Hour_ for the same reason. The book is a crisp thriller that revolves around a high-tech hold-up. Many of the plot twists are modern-day extensions of deus ex machina. The characters assume that technology will do the right thing only to discover that they missed one fatal detail. Time and time again the plot zigs because of a topic that would be ripe for comp.risks if the book was only factual.

Given that many fiction writers are often just rogues who wanted a presentable day job, we might be better off learning these lessons before the less law-abiding discover them and the twists become fact.

------------------------------

Date: Mon, 10 Jun 1996 21:39:57 -0600 (MDT)
From: gingrich@indra.com (Barry L Gingrich)
Subject: Re: L-vis Lives in Virtual TV (RISKS-18.18)

Think about the logical next step of combining L-Vis, Digital Cable, and Direct Marketing. (It's the sort of thing you almost don't want to mention because it just might come to pass... :-) In such a digital world, micro-marketing is possible. For example, consider a can of soda in an episode of the X-Files. Scully's soda appears to be a can of SpiffyFizz (tm) on my set ("Hey! My favorite!"), while my neighbor sees Diet Kumquat Royale, and someone across town sees her drinking a can of Nietzsche Lite Beer. The possibilities are endless, of course.

One effect could be the denial of the (doctored?) video image as evidence in court, something that's been predicted for quite some time now. Another could be the crumbling of the public's faith in the media, something that's also been predicted for Quite Some Time now. As T Bone Burnett said, "I have a feeling that once something appears in the paper, it ceases to be true."

These are societal risks, not technical ones. They certainly are gloomy predictions, but this technology could provide some benefits as well. For example, a filmmaker could correct problems with a particular scene (a la what was done for a scene with Brandon Lee in "The Crow"), obviating the need for a reshoot. The technology has great potential for abuse, but the people who would abuse it are *people*, and the risk lies with them. It's much like the arguments over the 'net: Is it a pit of doom, a pillar of hope, or a useful tool?
There are many things that could go wrong, of course, and I'm sure the denizens of RISKS will collect ample examples of L-VIS wipeouts, screw-ups, and wacky unexpected behaviors.

Barry L. Gingrich  gingrich@indra.com

------------------------------

Date: Tue, 11 Jun 96 11:00:23 -0400
From: Eamonn McManus
Subject: Re: L-Vis Lives in Virtual TV (Ackeret, RISKS-18.19)

In RISKS-18.19, Matt Ackeret says, of the electronic insertion of advertisements into live video, that the system is "really lame" and "jitters all over the place", and that it uses "regular old green screen chroma key". This is plainly not the same system that I saw a report on in February on French TV. In that report, they showed images from the Open Gaz de France as broadcast in France and in Germany. The French images were untouched but in the German ones a French ad behind one of the players was replaced by an equivalent German one. The substitution was *absolutely imperceptible*, and this even though the field being replaced was not a simple green rectangle but an ad in black on white.

The report mentioned that the system had been developed by a French company, so it is presumably not the same as the Princeton Video Image system mentioned by PGN. The image processing is done by a bank of equipment in a small truck on site. It may be that the TV standards (PAL and SECAM) used in Europe lend themselves more easily to this kind of treatment than the US standard.

Eamonn McManus, Grenoble, France

------------------------------

Date: Tue, 11 Jun 1996 09:27:58 +0100
From: "Scott Alastair (Exchange)"
Subject: Digital photographic forgeries: nothing's ever new!

Tampering with images has been done, I would suspect, ever since the birth of photography: I can think, off the top of my head, of a number of cases from well before the age of computer imaging:

(i) Retouching of facial features to make family members appear villainous (1911);
(ii) Removal of Trotsky from a picture, plus many other similar forgeries (1928);
(iii) Removal of Soviet astronauts from group photographs when they fell out of favour (1950s and 1960s).

The first was part of a study by Goddard on the heredity of IQ and has been exposed in Stephen Jay Gould's essays; the second is well-known (a photo of Lenin haranguing a crowd from a lectern with Trotsky [not] standing at the bottom of it); I wish I could get hold of the book again in which I saw the third, where astronauts were replaced by strategically-placed rose bushes, doors etc. etc.

This whole thread illustrates a common misattribution: evils attributed to the baleful influence of computers were actually practiced well before computers could help perpetuate them! Come to think of it, the whole area of digital and "analogue" photographic forgery is so interesting it almost demands to have a book written about it.

------------------------------

Date: Tue, 11 Jun 1996 12:51:02 -0400
From: jeisner@unagi.cis.upenn.edu (Jason Eisner)
Subject: Re: Digital unreality (Asmis, RISKS-18.19)

> Now with digital camcorders, who will believe the next "Rodney King" video
> clip? Not enough cops? Add some more! It will probably boil down to the
> integrity of the picture-taker.

Or the integrity of the camcorder. Any digital camera -- certainly any camera used for police work or journalism -- ought to sign its output with a factory-installed private key. (If the camera is not robustly tamper-proof, someone might extract the private key by reverse engineering, or diddle the innards of the camera so that the image is optically or digitally altered before being signed. However, if each camera has a different private key, a court can check for an unbroken seal on the one that purportedly shot and signed the picture.)

Jason Eisner, University of Pennsylvania

------------------------------

Date: Tue, 11 Jun 96 10:54 PDT
From: lauren@vortex.com (Lauren Weinstein)
Subject: Re: Digital Unreality

It appears that image tinkering to create lies is now considered to be a mass-market product selling point. In a national television commercial from a *major* PC manufacturer that seems to have just started airing, a "nerd" who finishes a marathon long after everyone else (in over 9 hours), upon learning that someone is coming over to visit, immediately scans the photo of himself and the marathon clock, changes the leading "9" to a "2", and prints it out. He then proceeds to burn his mouth on a piece of pizza.

--Lauren--

P.S. The pizza lends an air of authenticity, but would the nerd have even run the marathon in the first place?

------------------------------

Date: Tue, 11 Jun 1996 10:53:15 +0100
From: David Damerell
Subject: F-15 revisited again

> - (To my disbelief) It was suggested some type of plastic cap be
>   placed on the main trigger during future training missions to
>   prevent pilots from triggering(!?).

> The last low-tech solution to the prevention of triggering the missile
> was almost comical.

Comical and low-tech, perhaps, but it would _work_. Sometimes a visible physical barrier is superior to any number of invisible things which _should_ have been done right...

------------------------------

Date: Fri, 7 Jun 96 10:07:42 PDT
From: bertrand@vienna.eiffel.com (Bertrand Meyer)
Subject: Ariane-5 failures

[From Le Monde, dated 8 June 1996, i.e. published on the 7th; on-line edition at http://www.lemonde.fr. Extracted and translated by BM. (Although ellipses are not marked, I have considerably abbreviated the text and removed some of the anthropomorphic comments, e.g. "the machine's brain" and the like.
Comments in square brackets [] by BM.)]

THE MYSTERIES OF ARIANE'S CHAMBER, by Jean-Francois Augereau

Who [sic] caused the in-flight explosion of Ariane-5 on Tuesday, June 4? After more than forty-eight hours of preliminary investigations, "witnesses" are starting to talk. The propulsion system, which could have been suspicious because of its novelty, has been cleared. The likely culprits are elsewhere, "in the software or the hardware", that is to say the computer-related parts. Only five of them are left, gathered in one "closed room". [???]

According to Daniel Mugnier, head of the Launchers ("lanceurs") division at the CNES (National Center for Aerospace Studies), the inquiry is focusing on the "electrical and software system" which allows the various elements of Ariane-5 to talk to each other. The launcher is loaded with sensors which constantly monitor its moves and accelerations. Our first suspect is an Inertial Reference System (IRS)*, the balancing center of the launcher. The IRS, or its mate, is in charge of using these data to compute the launcher's exact position, speed and acceleration. But at this stage of the inquiry it seems that the sensors themselves have been exonerated. There is no alibi, however, for the IRS. Doubts remain, even though the on-board computer and the backup unit show a record of having received [litt. "claim to have received"] the same information. How could they have failed at the same time and in the same way?

Hence the questions about the behavior of on-board computers. According to Daniel Mugnier, "they ``claim'' to have received abnormal information from the IRS. Whom [sic] should we believe? Daniel Mugnier is reluctant to incriminate that component [i.e. the computers?]. Same thing with another component, the "1553 bus". It is a kind of information highway [??!!]; all navigation commands go through it. According to one of the investigators, "it is a proven system, which has been used for a long time on all NATO fighter planes". This leaves two other suspects: the in-flight software program and the coder. Does the program, made of long lines [???] of computer writing, include a "bug" or a fault? Did the converter**, which translates the sensors' analog language into the computers' digital language, stutter? One cannot exclude the possibility that the computer is denouncing errors that it itself created. The investigation continues. The report should be turned in by July 15.

[Notes:
* I have translated "Centrale Inertielle (SRI)" by "Inertial Reference System (IRS)". I found the acronym in Jane's Defence Glossary at http://www.thomson.com/hanes/janesgloss. I don't believe it's directly connected to the Internal Revenue System.
** I used "converter" for the analog-to-digital "codeur".]

Bertrand Meyer, ISE Inc., Santa Barbara, http://www.eiffel.com

------------------------------

Date: Fri, 07 Jun 96 17:40:28 GMT
From: dwadsw@etna.demon.co.uk (David Wadsworth)
Subject: Ariane-5 failures

An interesting feature of the Ariane 5 explosion, as seen on television, was the commentary in French in the background. As the fragments of the destroyed rocket were coming down, the French voice was still saying the equivalent of "All systems go", "All parameters normal", "course correct" etc. I suppose the risk of a commentator reading from a script describing what *should* be happening is obvious. At least they could have given him a window or a monitor to check that it loosely coincided with reality!

David Wadsworth  dwadsw@etna.demon.co.uk

------------------------------

Date: Mon, 10 Jun 96 23:10:23 -0700
From: Tom Lane
Subject: RISKs of bogus FAQs (Boggio-Togna, RISKS-18.19)

> This would seem to open up interesting possibilities for anyone objecting
> to the contents of a FAQ and wishing to have it removed from the archive.

I maintain another such FAQ article. Most of the FAQ archive sites that I know about will archive any article that comes by, if it (a) is crossposted to news.answers and (b) contains the appropriate headers, such as the proper Approved: line and Archive-Name: line. Of course, these conditions are trivially easy to forge for anyone familiar with the workings of netnews transport software. (In fact, the standard posting software most FAQ authors use requires no special system privileges; you could say that we *all* forge these headers.) So far, there hasn't been any concerted attack on FAQ archives, but I'm sure there will be one someday ... and that nothing will be done to plug the security holes until an incident occurs :-(. The archive site Gianfranco describes seems to have laxer security than average, but there isn't any trustworthy system in place.

My own FAQ is several posting cycles out of date in most of the FAQ archive sites, and I think that Risks readers might be interested in the reasons why. I normally post my FAQ every other weekend. Four weeks ago, the posting got lost due to failure of the local netnews system at netcom.com. Two weeks ago, it went out OK, but that weekend some self-appointed vigilante decided to shut down the alt.binaries.* newsgroups by issuing forged cancels for every article posted or crossposted to any alt.binaries.* group. My FAQ is crossposted to several .d (discussion) groups under alt.binaries.*, and it got canceled before being archived at most sites. The vigilante was toast a couple days later, of course, but the damage was done. The most recent posting is hung up in our outgoing news queue due to another local news system failure. Perhaps it will eventually get out, or perhaps not.

Meanwhile, the single most popular FAQ archive site (ohio-state.edu's WWW-accessible archive) has had ongoing reliability problems because its volunteer founder and administrator left Ohio State over a year ago, and everything is running on autopilot.
There are other regularly posted FAQs that are more out of date in ohio-state's archive than mine.

The RISK: things you would think are bedrock Internet services may actually be unfunded volunteer projects full of security holes. Another example I've recently been reading about is that a couple of the root DNS nameservers have been down for several days. If they all go down, the Internet as we know it comes to a stop. Yet the administration of these critical services is run on an ad-hoc, volunteer basis. Sooner or later, the net will have to grow up and take itself seriously.

Tom Lane

------------------------------

Date: Fri, 07 Jun 1996 13:13:36 -0700
From: Matt Bishop
Subject: CFP: 1997 Symposium on Network and Distributed System Security

CALL FOR PAPERS [abridged for RISKS]

The Internet Society Symposium on Network and Distributed System Security
February 10-11, 1997, San Diego Princess Resort, San Diego, California
Submissions due: August 1, 1996

GOAL: The symposium will bring together people who are building hardware and software to provide network and distributed system security services. The symposium is intended for those interested in the practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than theory. We hope to foster the exchange of technical information that will encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Symposium proceedings will be published by the IEEE Computer Society Press.

Topics for the symposium include, but are not limited to, the following:

* Design and implementation of communication security services: authentication, integrity, confidentiality, authorization, non-repudiation, and availability.
* Design and implementation of security mechanisms, services, and APIs to support communication security services, key management and certification infrastructures, audit, and intrusion detection.
* Requirements and designs for securing network information resources and tools -- WorldWide Web (WWW), Gopher, archie, and WAIS.
* Requirements and designs for systems supporting electronic commerce -- payment services, fee-for-access, EDI, notary -- endorsement, licensing, bonding, and other forms of assurance.
* Design and implementation of measures for controlling network communication -- firewalls, packet filters, application gateways, and user/host authentication schemes.
* Requirements and designs for telecommunications security especially for emerging technologies -- very large systems like the Internet, high-speed systems like the gigabit testbeds, wireless systems, and personal communication systems.
* Special issues and problems in security architecture, such as interplay between security goals and other goals -- efficiency, reliability, interoperability, resource sharing, and cost.
* Integration of security services with system and application security facilities, and application protocols -- including but not limited to message handling, file transport, remote file access, directories, time synchronization, data base management, routing, voice and video multicast, network management, boot services, and mobile computing.

GENERAL CHAIR: David Balenson, Trusted Information Systems
PROGRAM CHAIRS: Clifford Neuman, University of Southern California; Matt Bishop, University of California at Davis

All submissions and program related correspondence (only) should be directed to the program chair: Clifford Neuman, University of Southern California, Information Sciences Institute, 4676 Admiralty Way, Marina del Rey, California 90292-6695, Phone: +1 (310) 822-1511, FAX: +1 (310) 823-6714, e-mail: sndss97-submissions@isi.edu.

Dates, final call for papers, advance program, and registration information will be available at the URL: http://www.isoc.org/conferences/ndss97.
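[Editor's worked example, not a contribution to the digest and not code from any of its authors. Jason Eisner's note earlier in this issue proposes that each camera sign its output with a factory-installed, per-device private key so that a court can check an unbroken seal on the one camera that purportedly shot the picture. The program below shows that mechanism end to end. Everything beyond Eisner's two sentences is an assumption made here: Ed25519 as the signature scheme (he names none), a SHA-256 digest of the image, the in-memory Registry standing in for a manufacturer-published list of camera public keys, the camera IDs, and the constructed image bytes.]

```go
// Per-camera signing of captured images, after Jason Eisner's suggestion
// in this issue. Added example; not code from any contributor. Ed25519 is
// an assumption (the message names no scheme), as is the in-memory
// Registry standing in for a manufacturer-published list of public keys.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Camera holds its factory-installed private key. In a real device this
// would sit in tamper-resistant hardware; here it is just a field.
type Camera struct {
	ID   string
	priv ed25519.PrivateKey
}

// SignedFrame is what the camera emits: the image, the ID of the camera
// that claims to have shot it, and a signature covering both.
type SignedFrame struct {
	CameraID string
	Image    []byte
	Sig      []byte
}

// Registry maps camera ID to public key: what a court or newsroom would
// obtain from the manufacturer to check a seal.
type Registry map[string]ed25519.PublicKey

// Provision simulates the factory step: a fresh key pair per camera, the
// private half kept in the device, the public half published.
func Provision(id string, reg Registry) (*Camera, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg[id] = pub
	return &Camera{ID: id, priv: priv}, nil
}

// signedMessage binds the camera ID to the image digest, so a valid
// signature cannot be re-attached to a different image or relabelled as
// coming from a different camera.
func signedMessage(cameraID string, image []byte) []byte {
	digest := sha256.Sum256(image)
	msg := append([]byte(cameraID), 0) // NUL separator: IDs contain no NUL
	return append(msg, digest[:]...)
}

// Capture signs an image as it leaves the sensor.
func (c *Camera) Capture(image []byte) SignedFrame {
	return SignedFrame{
		CameraID: c.ID,
		Image:    append([]byte(nil), image...),
		Sig:      ed25519.Sign(c.priv, signedMessage(c.ID, image)),
	}
}

// Verify checks the seal: the named camera must be known, and its public
// key must validate the signature over this exact image.
func Verify(reg Registry, f SignedFrame) error {
	pub, ok := reg[f.CameraID]
	if !ok {
		return errors.New("unknown camera ID")
	}
	if !ed25519.Verify(pub, signedMessage(f.CameraID, f.Image), f.Sig) {
		return errors.New("signature does not match this image and camera")
	}
	return nil
}

func main() {
	reg := Registry{}
	cam, _ := Provision("CAM-0001", reg)
	other, _ := Provision("CAM-0002", reg)

	frame := cam.Capture([]byte("constructed image bytes")) // stand-in for a JPEG
	fmt.Println("genuine frame:", Verify(reg, frame))

	altered := frame
	altered.Image = []byte("constructed image bytes, one more officer")
	fmt.Println("altered image:", Verify(reg, altered))

	relabelled := frame
	relabelled.CameraID = other.ID
	fmt.Println("relabelled to another camera:", Verify(reg, relabelled))
}
```

The seal proves only which key signed the bytes, not that the sensor saw the scene: as Eisner says, a key extracted from a camera that is not tamper-proof, or an image altered inside the camera before signing, passes Verify just the same. That is why each camera gets its own key; a leak compromises one device's seal rather than every camera from the factory.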
------------------------------

Date: Tue, 11 Jun 1996 16:18:20 -0400 (EDT)
From: Kenneth Albanowski
Subject: Re: HTTP cookie privacy risk (Goldstein, RISKS-18.19)

This site makes very interesting reading, as does an AltaVista search for "ad.doubleclick.net", as does my ~/.netscape/cookies file, which contains a reference to ad.doubleclick.net.

It appears that anyone can set up with "DoubleClick.net" (for a fee) so that access to their own web pages goes through DC.net. DC.net then returns the original web page, with targeted advertising added, based on the information that some web browsers hand out on every fetch operation. It's unclear exactly how the cookies come into this, but they undoubtedly let DC.net try and target individual preferences, probably based on what pages they read that go through DC.net.

The interesting thing is that this is all completely invisible, unless you happen to notice having a cookie for ad.DC.net, or have a habit of reading through HTML code and see an odd URL that points to ad.DC.net. Most people would never see these. Thus does modern marketing come to the WWW.

The risks here are enormous. The solutions, to some extent, are simple -- no hidden cookies, and no personal information getting sent out without approval. You can't very well hide your domain, however, and that lets people guess all sorts of fun things. The solution to that is not so simple.

Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Tue, 11 Jun 1996 16:18:28 -0400
From: rstreno@dayton.csc.com (Rob Streno)
Subject: Re: HTTP cookie privacy risk (Goldstein, RISKS-18.19)

You've been visiting commercially sponsored sites, haven't you. Doubleclick is responsible for the ads that you see on pages such as the DejaNews search engine (http://www.dejanews.com); the ads are linked via DoubleClick to the destination site.

As far as privacy risks go, if I remember, the Netscape documentation about the cookie file indicates that it is a file to be used to hold information from one page to the next ... i.e., one page writes the cookie, and another page reads it. This keeps from having long, convoluted URL lines which contain all of the information you need to pass from page to page.

As far as gathering marketing information, I can't fault DejaNews, Doubleclick, or any other company for gathering marketing information. My guess is that they'll use that information to tailor which ads are most effective to display on a page like DejaNews. I doubt that they'll use that information to direct market you via e-mail.

Robert M. Streno  rstreno@dayton.csc.com  (513) 890-7700 x2455
rstreno@csc.com  xinc@ix.netcom.com  xinc@delphi.com

------------------------------

Date: Tue, 11 Jun 1996 22:18:17 GMT
From: scott@zorch.sf-bay.org (Scott Hazen Mueller)
Subject: Re: HTTP cookie privacy risk

DoubleClick is a Web advertising agency. They buy space on Web sites (Yahoo, Netscape, Travelocity, etc.) and sell impressions ("eyeballs") to advertisers. While they may or may not actually care about your particulars (and your browser/OS information is available to any Web site that cares to gather it, regardless of cookies), it's much more likely they're just tagging you, like a biologist tags wild birds.

Ideally, it's a trade-off, you see. In exchange for free information (quid), you give a little information on your Web usage (pro quo). In a RISKy world, the concern is that you give up too much for too little.

As a person who cares about privacy, I have to applaud Netscape for putting a little alert about cookies on the user's screen. As a Web site maintainer, I have to wonder if this is going to affect my ability to deliver advanced forms of content.
Scott Hazen Mueller | scott@zorch.SF-Bay.ORG or tandem!zorch!scott

------------------------------

Date: 18 March 1996 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...] DIRECT REQUESTS to (majordomo) with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
  INFO [for unabridged version of RISKS information]

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, nonrepetitious, and without caveats on distribution. Diversity is welcome, but not personal attacks. [...] ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Particularly relevant contributions may be adapted for the RISKS sections of issues of ACM SIGSOFT Software Engineering Notes or SIGSAC Review.

* Submissions: By submitting an item that is accepted for publication in RISKS, the author grants permission for unlimited public distribution and redistribution in electronic or other form.
* Reuse: Blanket permission is hereby granted for reuse of all materials in RISKS, under the following conditions. All redistributed items must include the Risks-Forum masthead line. All reuse must be accompanied by the following statement: Reused without explicit authorization under blanket permission granted for all Risks-Forum Digest materials. The author(s), the RISKS moderator, and the ACM have no connection with this reuse. As a courtesy, reusers of individual items (as opposed to forwardings of entire issues) should notify the authors, and should pay particular attention to any subsequent corrections.

RISKS ARCHIVES: "ftp ftp.sri.com
login anonymous
[YourNetAddress]
cd risks or cwd risks, depending on your particular FTP." [...]
[Back issues are in the subdirectory corresponding to the volume number.]
Individual issues can be accessed using a URL of the form
  http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
  ftp://ftp.sri.com/risks
The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS

PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest, see the unabridged INFO file at RISKS-Request (send one-line message INFO to risks-request@CSL.sri.com as noted above).

------------------------------

End of RISKS-FORUM Digest 18.20
************************
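[Editor's worked example appended after the digest; not a contribution to it and not code from any of its authors. The cookie thread above (Albanowski's ~/.netscape/cookies file with its ad.doubleclick.net entry, Streno's account of one page writing a cookie for another to read, Mueller's "tagging" of a browser by an ad agency) describes the mechanism in prose. The script below makes it concrete: it parses a Netscape-format cookies.txt and reports which cookies were set by a domain the user never visited, i.e. the tag an embedded ad server can use to follow one browser across every site carrying its ads, and which of them persist for years. Assumptions made here and not stated in the thread: the classic tab-separated cookies.txt layout (domain, domain flag, path, secure flag, Unix-time expiry, name, value), the sample cookie lines and their values, the list of visited hosts, and a fixed clock set to the date of this issue.]

```python
"""Audit a Netscape-format cookies.txt for third-party and long-lived cookies.

Added example; not code from any contributor to this digest. The file layout
assumed here is the classic Netscape format: one cookie per line, seven
tab-separated fields (domain, domain-flag, path, secure-flag, expiry as a
Unix timestamp, name, value), with '#' comment lines.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample file, modelled on the ad.doubleclick.net entry
# mentioned in the thread; the names and values are made up.
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    "# http://www.netscape.com/newsref/std/cookie_spec.html",
    "",
    ".doubleclick.net\tTRUE\t/\tFALSE\t946684799\tid\tA1B2C3D4",
    "www.dejanews.com\tFALSE\t/\tFALSE\t836179200\tsearch_prefs\tfmt=long",
    "www.epic.org\tFALSE\t/\tFALSE\t0\tsession\t7f3a",
])

# Hosts the user deliberately typed or followed links to (constructed).
VISITED_HOSTS = ["www.dejanews.com", "www.epic.org"]

# Fixed clock so the audit is reproducible: the date of this digest.
NOW = datetime(1996, 6, 12, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cookie:
    domain: str
    domain_flag: bool      # TRUE: all hosts under the domain may read it
    path: str
    secure: bool
    expires: int           # Unix timestamp; 0 means a session cookie
    name: str
    value: str


def parse_cookies_txt(text: str) -> list[Cookie]:
    """Parse cookies.txt; reject malformed lines instead of guessing."""
    cookies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain.lower(), flag == "TRUE", path,
                              secure == "TRUE", int(expires), name, value))
    return cookies


def domain_matches(cookie: Cookie, host: str) -> bool:
    """Netscape domain matching: a leading dot covers the domain and all its
    subdomains; otherwise the host must match exactly."""
    host = host.lower()
    if cookie.domain.startswith("."):
        return host == cookie.domain[1:] or host.endswith(cookie.domain)
    return host == cookie.domain


def third_party(cookies: list[Cookie], visited_hosts: list[str]) -> list[Cookie]:
    """Cookies set by a domain the user never deliberately visited: the
    tag an embedded ad server can use to follow one browser across every
    site that carries its ads."""
    return [c for c in cookies
            if not any(domain_matches(c, h) for h in visited_hosts)]


def long_lived(cookies: list[Cookie], now: datetime, min_days: int = 365) -> list[Cookie]:
    """Persistent cookies that outlive min_days from now (session cookies,
    expires == 0, never qualify)."""
    cutoff = now + timedelta(days=min_days)
    return [c for c in cookies if c.expires
            and datetime.fromtimestamp(c.expires, timezone.utc) >= cutoff]


def audit(text: str = SAMPLE_COOKIES_TXT, visited: list[str] = VISITED_HOSTS,
          now: datetime = NOW) -> dict[str, list[str]]:
    """Summarise which cookie domains are third-party and which are long-lived."""
    cookies = parse_cookies_txt(text)
    return {
        "third_party": [c.domain for c in third_party(cookies, visited)],
        "long_lived": [c.domain for c in long_lived(cookies, now)],
    }


if __name__ == "__main__":
    for kind, domains in audit().items():
        print(f"{kind}: {', '.join(domains) or '(none)'}")
```

The visited-host list is the piece the cookie file itself cannot supply: a browser history, or the Referer of the request that set each cookie, is what distinguishes a site the user chose from an ad server embedded in it. Note also Mueller's point that cookies are only one channel; browser and OS details go out on every fetch whether or not the audit finds anything.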