Subject: RISKS DIGEST 18.31 RISKS-LIST: Risks-Forum Digest Friday 9 August 1996 Volume 18 : Issue 31 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** Contents: "Buffer overload" crashes network bridge (Jeff Anderson-Lee) Re: America Offline (David Kennedy, David Cassel) Re: AOL outage: risks of scaling inappropriately (Jeff Hayward) Re: Kirk Enterprises: What's in a name? (Jeffrey Mogul) Novel: Slow River (Steve Kilbane) Re: The increasing complexity of everyday life (Barry L. Brumitt) Re: Department of Motor Vehicle records (Lauren Weinstein, Steven Bellovin, C. Titus Brown, A.E. Siegman, Kevin Johnsrude) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: 9 Aug 96 17:16:35 GMT From: jonah@shiva.CS.Berkeley.EDU (Jeff Anderson-Lee) Subject: "Buffer overload" crashes network bridge End of summer... time for the floors to be buffed before the students come back. So the custodians bring out their heavy duty floor buffers and plug 'em in. Given the old, out-of-date wiring in this building they blow a circuit. Instead of resetting the breaker however they just try another outlet and keep going. The result: the network bridge on that circuit is put out and half the net is cut off from the other half. Of course we had trained the custodian NOT to do this in the past, but that particular custodian is off on sick-leave, and their replacement had not been so briefed. Fortunately someone remembered the previous time this happened and found the problem. But what happens if they go away too? Jeffrey Anderson-Lee [You shuffle off to buffer-low, without getting too big for your bridges. PGN] ------------------------------ Date: 09 Aug 96 12:56:47 EDT From: David Kennedy <76702.3557@CompuServe.COM> Subject: Re: America Offline (RISKS-18.30) Courtesy of the Dow Jones News Service via CompuServe's Executive News Service: AOL's Blackout Eclipses Jump In Fourth-Quarter Profit By Thomas E. Weber and Jared Sandberg, Staff Reporters of The Wall Street Journal (Dow Jones, 9 August 1996) >> It wasn't until late yesterday that AOL provided a detailed >>explanation for the outage to supplement Chairman Stephen M. >>Case's on-line apology, which AOL posted late Wednesday night. >>The company cited a "coincidental" series of events it said are >>unlikely to recur. The problem centered on routers, >>computerized switches that serve as traffic cops for >>information on AOL's complex network. >> Computers at an AOL unit fed these switches with an erroneous >>"roadmap" of the Internet just as engineers were upgrading >>them. When problems cropped up, the engineers mistakenly >>thought their upgrade was to blame -- not the roadmap. That >>misunderstanding delayed discovery of the source of the >>problem. Compounding the confusion, diagnostic software that >>could have helped track down the problem had been turned off >>during the upgrade, AOL said. o AOL is compensating customers with one free day's worth of connect time. [DMK: I pay US$9.95/mo for AOL and get 300 min-->10min/day or US$0.33/day. Give me a break!] o In a letter to subscribers, Mr. Case said: >>I would like to be able to tell you that this sort of thing >>will never happen again, but frankly, I can't make that >>commitment, as we are building a new medium and breaking new ground. and >>This was a very unfortunate occurrence and I don't want to make >>light of that. But it did have an interesting side effect: it >>reminded all of us how important AOL is becoming in our >>everyday lives. and closes with >>Today's outage reminds us that despite the recent progress >>we've made in expanding our AOLnet network and enhancing the >>responsiveness of our Member Services team, we still have a >>long way to go to make AOL as reliable as must-have utilities >>such as electricity and the telephone. But that's what we >>intend to do. Dave Kennedy [CISSP] InfoSec Recon Team Chief, National Computer Security Assoc [MODERATOR'S CORRIGENDUM: Typo (should have been 6 million subscribers) in RISKS-18.30 fixed in archive copy. Oddly, no one remarked on it, but I stumbled onto it myself! PGN] ------------------------------ Date: 8 Aug 1996 15:27:28 -0700 From: destiny@crl.com (David Cassel) Subject: Re: America Offline (RISKS-18.30) AOL issued a statement early Wednesday saying service would be restored Wednesday afternoon. In fact, it didn't go up until 11 pm. Subscribers trying to log on received the following series of messages. "The system is temporarily unavailable. Please try again in 15 minutes." "The system is temporarily unavailable. Please try again in 30 minutes." "The system is temporarily unavailable. Please try again in an hour." "The system is temporarily unavailable. Please try again in 90 minutes." This kind of thing is going to get AOL a reputation for dishonesty. The Wall Street Journal wrote, "AOL put out a puzzling press release claiming that [newly-hired Chief Operating Officer] Razzouk had chosen to resign largely because he didn't like 'the prospect of relocating his family to the Washington, D.C. area.' Never mind," the Journal added, "that Mr. Razzouk had, in truth, just sold his Memphis home -- and that he had already closed on the purchase of a new $1.7 million showplace in McLean, Va." But technical misstatements will always come back to haunt you. Earlier this week an AOL rep told the *San Francisco Chronicle* that AOL's computers were "immune" to the kind of outage that occurred yesterday. And days after AOL told a content provider they'd fixed a security hole, hackers used it to take the stage during an on-line celebrity appearance, taunting the regular guest... The day after they came back on-line, their system was automatically displaying the worst possible messages. The mandatory-viewing ad pitching more time on the system began, "We know that many of you have been reluctant to fully explore the diverse offerings..." The "Top News Story" in their Reuters headline area turned out to be "AOL Apologizes for Massive Outage." And the sign-off ad: "This week: 'Gravity Kills' ". "We can't definitively state the root of the problem," AOL's Vice President told Reuters that night. The ultimate irony: just last month AOL took out help-wanted classified ads saying "At America Online, we not only dominate the programs we design...." David Cassel http://www.crl.com/~destiny/time.htm [David, "dishonesty" sounds a little harsh. How well can anyone predict how long it is going to take to fix a problem that has not yet been identified and understood? PGN] ------------------------------ Date: Fri, 9 Aug 96 12:08:29 CDT From: Jeff Hayward Subject: Re: AOL outage: risks of scaling inappropriately (Snyder, RISKS-18.30) Joel Snyder writes of the widespread effects of the AOL outage on mail systems throughout the Internet. While I agree that there are some interesting risks in putting so many user's eggs in the "@aol.com" mail basket, the severe consequences of an AOL outage on (other) mail systems can be looked at as different sort of inappropriate scaling risk - the inability of the majority of mail systems in the net today to handle the large queues and outages that are the reality of today's Internet. The vast majority of mail systems in the Internet rely in one way or another on mail transfer software that was never designed to scale well - often the much maligned but mostly essential "sendmail" program. Among sendmail's well know faults are its handling of the backlog queue as a single batch, and its lack of ability to schedule retries for unreachable hosts on any but the most simple-minded basis. In the event of an outage creating a large queue this can effectively deliveries for everyone as the system tries and tries to deliver undeliverable messages. Fortunately for me, for the week prior to the AOL outage I had been running the outbound mail from one of my mail servers through a system running qmail, a mail transport system designed as ground-up replacement for sendmail. (See http://pobox.com/~djb/qmail.html for more information). The two features of qmail that kept the mail flowing for me during the AOL outage are (1) delivery attempts are scheduled independently for each message in the queue, and (2) delivery attempts are scheduled following a backoff algorithm that prevents the retries from consuming the mail system as the backlog grows. So for my site, the AOL outage was a non-event. The backlog for AOL grew and grew but mail for other sites continued to flow expeditiously and load on the server was nearly constant. When AOL became available again, there were no major load spikes delivering the backlog because the delivery retries were well spread out in time. I had to do nothing extra to keep things going - a new experience for me! So I don't see the risk(s) as necessarily one-sided. AOL has some whale-sized scaling problems to overcome to be sure, but sites that depend on simple-minded mail delivery software should consider their own exposure, and investigate software designed with modern conditions in mind if they want to keep delivering the mail. -- Jeff Hayward ------------------------------ Date: Thu, 08 Aug 96 17:50:23 MDT From: Jeffrey Mogul Subject: Re: Kirk Enterprises: What's in a name? (Koenig, RISKS-18.30) Andy writes: I went to Lycos and did a search for `Kirk Enterprises.' What came back was a flood of references to Star Trek. Of course, the real "risk" here was that of using the wrong search engine. I tried "Kirk Enterprises" (the '"'s are significant) in AltaVista, and got exactly 20 responses, not one of which contained the work "trek". -Jeff ------------------------------ Date: Fri, 9 Aug 1996 14:16:53 +0100 From: Steve_Kilbane@cegelecproj.co.uk Subject: Novel: Slow River RISKS readers with a fondness for near-future sci-fi might like to check out Nicola Griffith's novel "Slow River". Much of the plot is concerned with the safe operation of a water purification plant, in the face of bad management and staffing problems. steve ------------------------------ Date: Fri, 9 Aug 96 11:56:40 EDT From: "Barry L. Brumitt" Subject: Re: The increasing complexity of everyday life (Shekerjian, RISKS-18.30) Rshek@aol.com asks "What if the electricity and telephones go kablooie at the SAME time??", and posits that there are a myriad of activities which human beings can engage in which are independent of these pursuits. However, it remind me strongly of an episode of "Connections" by James Burke which I believe was entitled "Technology Trap." In light of the famous power east coast power outage in the late 60's, he examines carefully what might really happen if such a disaster occurred. Comp.risks is for a discussion of the risks from computers and technology. I'd encourage anyone who is interested in this field who has *not* seen this episode to seek it out and view it. It's scary, enlightening, and perhaps the best presentation of how Risky our dependence on technology can be... Barry Brumitt Robotics Institute, Carnegie Mellon University ps. It was originally a BBC program. Videotapes are available. Check your local library. ------------------------------ Date: Fri, 9 Aug 96 00:28 PDT From: lauren@vortex.com (Lauren Weinstein) Subject: Re: Department of Motor Vehicle records (Ellermeier, RISKS-18.30) On the matter of Oregon DMV records being made available on the net, news reports have indicated (I have not checked this personally) that the private party who put them online has removed them, apparently after a very negative reaction. However, this of course does not prevent others from doing so, and the information already out there on those CD-ROMs can never be recalled (though the accuracy will of course fade over time). Of more importance in the long run is the incredibly bad policy of making that data easily available at all. Now that use of SSNs for DMV records has been mandated nationally, easy access to DMV information poses even more of a risk. Down here in California, access to DMV records is now severely limited, prodded mainly by a number of celebrity stalking cases where DMV records were involved. Oregonians might consider looking to California for leadership on this topic. --Lauren-- Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Fri, 09 Aug 1996 07:27:21 -0400 From: Steven Bellovin Subject: Re: Department of Motor Vehicle records (Ellermeier, RISKS-18.30) There has recently been a great deal of outrage about someone putting the Oregon license plate database on the Internet. That's not the problem -- the real problem is that the data is available at all. Many states make such data available, and there have long been people with complete files of such things. The only thing different here is that it was more easily available to the general public, with a fee. In fact, more comprehensive services are already on the Web. It took about 10 minutes with AltaVista to find several similar services, though in some cases it wasn't clear if they actually did business over the Net, or simply used it for advertising. The Web has become a microcosm of our society. If it's out there, it's on the Web -- and if it suddenly shows up on the Web, it's probably because it was already out there, but you didn't know it. --Steve Bellovin ------------------------------ Date: Thu, 8 Aug 96 22:19 PDT From: brown@reed.edu (C. Titus Brown) Subject: Re: Department of Motor Vehicle records (Ellermeier, RISKS-18.30) While it may be a valid point that the Internet/WWW has not come to terms with the limits of the freedom, I don't believe that issue can be linked with the issue of the DMV making records available. Simply, the DMV _should not_ have made this information available. Whether or not "the Internet" should have taken this information and distributed it in such a manner is besides the point. It is virtually inevitable that all information not strictly kept under wraps will make it onto the WWW. Blaming the WWW (or the Internet) for this is senseless. ObRisk: This sort of thought process (blaming the accessibility of information on the medium used to transport, not the provider) is what leads to things like the CDA: censorship too late & targetted on the wrong thing. --Titus ------------------------------ Date: Thu, 08 Aug 1996 17:29:39 -0700 From: siegman@ee.stanford.edu (AES) Subject: Re: Department of Motor Vehicle records (Ellermeier, RISKS-18.30) Let me disagree: 1) There are important reasons (law enforcement, traffic accidents) for making this information rapidly available to police officers down to very low (small community) levels. Once you do this, the information is so easily compromised (I can overhear this kind of information on a police scanner any evening) that it's better that it be just plain public, and let everyone know that it is. 2) If RISKS 2 and 3 above are the best that can be cited for not making such information available, they seem to me pretty negligible. When my car is at the airport, several other people and two large dogs are likely still at home -- if this thief drives the 30 minutes to my house, he'll pretty disappointed. "Road rage", especially in combination with CD-ROM ownership, I suspect is statistically insignificant, if not mostly an urban legend. 3) There are certainly other legitimate reasons for making this data available. If some clever inventor comes up with an add-on that will lower the pollution and raise the mileage (currently 12 mpg) of my beloved classic '67 Mustang, for example, I'd love to have him scan the DMV database and send me a sales message. One can think of many other health and safety as well commercial reasons for being able to find the owner of a car rapidly. ------------------------------ Date: Fri, 9 Aug 1996 10:23:04 PST-8 From: "Kevin Johnsrude" Subject: Re: Department of Motor Vehicle records (Ellermeier, RISKS-18.30) With regard to informational privacy and the state of Oregon's selling of DMV data, the Cyberspace-Law list indirectly makes a number of interesting points: Consider 4 cases: (1) Your local supermarket offers a "No-coupon discount card" for customers who fill out an application. On the application, you list your name, your sex, your income, your employment, and the company gives you a card. Using the card, you then make purchases for the next year. The supermarket then compiles the data about your purchases, and sells it to marketers. You have not been notified that they intend to use the information like this; nor have you explicitly consented to this use. (2) Your credit card company has the same information about you -- you supplied it when you got your credit card. Imagine it now collects the data about your purchases, and then sells it to marketers. (3) Your local video store keeps data about the videos you rent. It then sells to marketers your name and address, along with list of films that you have rented. (4) A credit card company enters into an agreement with the IRS, to report to the IRS people whose spending habits change dramatically. The IRS then uses that data to help it decide which returns will be subject to audit. All four cases raise the problem of *informational privacy* -- the question how much control, if any, does the law give you over the collection, and dissemination, of information about you that you have willingly given over to someone else. The answer in general is quite simple: Not much. American law in the main gives individuals very little control over what others can do with the information collected about them. This lack of protection distinguishes American law from most European democracies. "Data protection" is an important part of European human rights law. But with slight exceptions, it is not an important part of our tradition. The exception is case (3): Because of the outrage over the publication of Judge Robert Bork's video rentals when he was nominated for a seat on the Supreme Court, Congress passed the Video Privacy Protection Act of 1988, which makes it a crime to release individualized data about the videos any individual may rent or buy. At least that part of your "record" is protected: but not what books you check out at the library, or what your purchases at the grocery store are, or what movies you use your credit card to buy tickets for. These remain unregulated by the law. *** Consider 4 more cases: (1) On a local university network, users can read USENET news stories -- stories posted on the USENET bulletin boards by users from across the world. The stories range from discussions of technical material about computer operating systems, to highly controversial political discussions, or to discussions about sexuality. Imagine now that network users can use a simple command to list all other users logged onto the system at that time, as well as what those users are doing. If the users are reading news stories from the USENET new server, then the command will report to the users what news stories they are reading. (2) An activist group is angry about pornography on the net. It decides to attack the problem in a somewhat unique way. It opens up an erotic web site, and then as individuals access the web site, the group collects the information about who accessed the site. On a separate web site the group then publishes a list: "Known consumers of pornography" and then lists the information it has about people who have accessed its site. Or imagine the same case, with slightly different facts: Imagine the activist group is an anti-gay activist group, and it puts up a web site on resources for gay and lesbians, and then publishes the lists of who accesses the site. Or an anti-abortion group, that publishes information about access to abortion clinics. (3) Some World Wide Web browsers collect a list of the web sites that you have accessed. This list is kept on your machine. When you access a web site, the software makes it possible for the web site to read the list of web sites that you have previously accessed. Imagine that a web site has implemented a procedure to read your list of web sites, and then decides whether to admit you based on what other places you've been. (In a sense, the system is discriminating in granting access, but what is important for our purposes is that it is making that discrimination by accessing "your" information about where you have been.) For example, if it determines that you don't frequent sufficiently "posh" places, it bumps you; or if it surmises from your list that you are a Republican, it bumps you. (4) As we explained in case (1), USENET is a cooperative that distributes messages in the form of discussion threads, on wide range of topics, to millions of people across the world. People can participate in these discussions, simply by replying to a particular message. This reply then gets published across the world, with the email address of the person replying to the message attached to the reply. Ordinarily, these messages disappear after a few weeks on the net. [Not RISKS and many others... PGN] But imagine a company starts collecting these messages, and begins organizing them in a data bank. This company then makes it possible for anyone, through the Web, to search the database of USENET messages, for a particular word, or phrase, or for the name of a particular user. This search then collects all messages that have that word, or phrase, or name, and displays the list of messages, along with their senders. The user of this service can then click on the name of the senders, and get a profile of all the messages that person has sent. For example the user can discover that the sender of a particular messages has regularly contributed to a discussion of leftist politics, or a pro-life discussion group, and then access all of the messages this sender has sent to these groups. All four of these cases raise no legal problem at all, given the present state of United States law. Examples (1), (3) and (4) already exist. (Netscape would support a function like example (3); for example (4), check out http://www.dejanews.com); we don't know of an example of case (2), but there is nothing in the law to stop it. Again, as we indicated in our last message, the law does very little to protect individuals against the use of data that they make available to others. Each of these 4 cases is just an example of this same point. It is not hard to understand why the law has been so unprotective. For the most part, historically, it has been relatively difficult to get access to data like this. Perhaps one could hire a spy to follow an individual around and collect information about his habits, or purchases -- no doubt some people did. But for the most part, people didn't pay much attention, since it was very costly to pay attention. The dramatic change in data technology has changed this. Now it is quite easy to collect a vast amount of data about individuals. More importantly, now it is quite profitable to collect such data. Cyberspace will only make this more so. We are living in a time when the law has not caught up with the technology. While the inefficiency of technology provided some sort of protection before, now nothing -- neither law nor inefficiency -- protects us today. Do we want protection? Not clear. There are interests that pull the other way: Some have argued that there is a first amendment right to report to others true facts they have found out about you. Others have argued that this information would be a real gain to the efficiency of the market: Imagine, for example, advertising that was perfectly targeted to those, and only those, who would be likely to buy a particular product. *** Cyberspace law WWW page: http://www.counsel.com/cyberspace -------------------------------------------------------------------- To SUBSCRIBE to Cyberspace-Law, send a message to LISTPROC-REQUEST@COUNSEL.COM with the command SUBSCRIBE CYBERSPACE-LAW Firstname Lastname in the body of your e-mail, (replacing "Firstname" and "Lastname" with your first and last names -- or such pseudonyms as you prefer). **** Back to Kevin Johnsrude: Clearly the OR DMV is not doing anything illegal under the law. Your phone company does the same thing: when you pay your US$0.25/month not to get telephone solicitations, you are, among other things, recompensing your phone for not *selling on a list* your name, phone number and address to telemarketers. Your VISA company also does the same thing and gives marketers your complete personal and financial profile. We in the US desperately need better data privacy protection or we will effectively not have any privacy at all. --KevinJ Kevin Johnsrude, Software Design Developer, Rogue Wave Software, 850 SW 35th St., Corvallis, OR 97333 Email: kevinj@roguewave.com Voice: (541) 754-3010 ------------------------------ Date: 19 July 1996 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use BITNET LISTSERV. Alternatively, (via majordomo) DIRECT REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] The INFO file (guidelines, submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. All contributors are assumed to have read the full info file. ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS ------------------------------ End of RISKS-FORUM Digest 18.31 ************************