Subject: RISKS DIGEST 19.63

RISKS-LIST: Risks-Forum Digest  Friday 13 March 1998  Volume 19 : Issue 63

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
Cell Phones Can Interfere with Auto Systems (Edupage)
Remote viewing (Colin Rafferty)
Three Army Web sites hacked (SINS)
Windows NT 4 corrupting filespace and deleting directories (Silas S. Brown)
Federal Prosecutors Indict Internet Gambling Operators (Edupage)
Browser site autoexpansion strikes again (Tim Kolar)
V-Chip: details, details (wb8foz)
TV censors (PGN)
For want of a hyphen, you get porn (James Willing)
Re: Newspaper spelling checker forgets Europe (Mark Stalzer)
Boise's city e-mail subject to FOIA (Doneel Edelson)
Radar blip lost Air Force One (Doneel Edelson)
Re: The anti-crypto rhetoric ratchets up (Scott R. Traurig)
Re: COMPAQ usability problem (Pete Mellor)
Re: Atlantic Monthly, "The Lessons of ValueJet 592" (E Florack)
Re: The cost of deception (Richard Snider)
ACM Policy '98 Conference Announcement (Policy 98 Info)
New Security Paradigms Workshop, Call For Papers (Mary Ellen Zurko)
Software Certification Conference: Call for Participation (Chuck Howell)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 5 Mar 1998 19:04:28 -0500
From: Edupage Editors
Subject: Cell Phones Can Interfere with Auto Systems

Car makers have known for a while that talking on a cell phone while driving
can cause accidents, but now research shows that wireless phones can disrupt
anti-lock braking and other electronic systems.
For instance, Mercedes Benz warns that the electromagnetic radiation emitted
by the microchips in wireless phones can disable its Babysmart toddler
restraint seat, which automatically switches off the passenger side air bag
when a child is sitting up front.  "As far as we know, no injury or death has
resulted from interference between wireless phones and other radio-frequency
emitting devices," says an AT&T Wireless Services spokeswoman, but some late
model owner's manuals contain special warnings regarding the problem.
(_USA Today_ 4 Mar 1998; Edupage, 5 March 1998)

------------------------------

Date: 10 Mar 1998 15:48:42 -0500
From: Colin Rafferty
Subject: Remote viewing

WIRELESS MARRIAGE

RF-Link Technology has developed a Wireless PC@TV product that allows an
Internet link via a PC in one room to be displayed on a television in
another.  A scan converter translates the PC's video display signals into
signals that a TV can process, and wirelessly sends the audio and video
signals using a radio-frequency transmitter and receiver.  The signals can
travel up to 100 feet, and a wireless keyboard allows the user to manipulate
the PC while watching the action on the TV in another room.  The cost is
about double that of a set-top WebTV receiver, but does not require a special
Internet service.  (_Popular Science_, Mar 98; Edupage)

So when my next-door neighbor is browsing www.playboy.com, does that mean
that my six-year-old can read right along?

Colin

------------------------------

Date: Tue, 10 Mar 1998 12:54:49 -0500
From: "Security Information News Service: SINS[*]"
Subject: Three Army Web sites hacked

On the heels of the recent attack on unclassified Pentagon computer systems,
three Army World Wide Web sites were hacked on 8 Mar 1998: the Army Air
Defense Artillery School, the Army 7th Signal Brigade[*], and the Army
Executive Software Systems Directorate.  Official content was replaced with
messages about the previous Pentagon attacks.
One of the messages said, "For those of you in the security community, the
so-called Pentagon hackers are using nothing more advanced then the 'statd'.
Get a list of 200 sites, and sit and try the same exploit to every one of
them.  [You're] going to get one out of 100 sites eventually."

  [* The 7th's diddly SINS?  PGN]

------------------------------

Date: Mon, 9 Mar 1998 21:08:11 +0000
From: "Silas S. Brown"
Subject: Windows NT 4 corrupting filespace and deleting directories

People or companies who run Windows NT 4 and experience frequent unexplained
"STOP" errors may like to know about the following risks:

1. There is a small probability that one of those STOP errors will render the
   NT filesystem unbootable by corrupting one of the system files; in this
   case it cannot be repaired even with a repair disk.

2. If you re-install Windows NT over an existing installation, the
   %Systemroot%\Profiles tree, including all user data that it contains, is
   deleted.

3. Even if you back up the registry, you may not be able to restore it
   correctly in a new NT installation, because the various user numbers,
   etc., would have changed; extensive manual editing / glitch fixing is
   required.

Silas S. Brown, http://members.bigfoot.com/~silasbrown/

------------------------------

Date: Thu, 5 Mar 1998 19:04:28 -0500
From: Edupage Editors
Subject: Federal Prosecutors Indict Internet Gambling Operators

Federal prosecutors in New York indicted 14 operators of offshore companies
for using phone lines for the purposes of illegal gambling activities.  All
14 are American.  The government says it is not charging bettors for using
the sites but hopes that the indictment will serve as warning that such
activities are illegal.  (_The New York Times_, 5 Mar 1998; Edupage,
5 March 1998.)
------------------------------

Date: Fri, 13 Mar 1998 09:17:17 -0800 (PST)
From: Tim Kolar
Subject: Browser site autoexpansion strikes again

The "centraal corporation" of Palo Alto recently introduced a new scheme for
entering WWW host addresses into Web browsers.  According to the marketing
literature, you could replace all of that nasty http://host/directory
nonsense with a single word.

They presented this with a gentle, heartwarming Disney example.  Who wants to
think of their toddler son having to type in all those dots and slashes to
read about their favorite fawn, when they could just use the new scheme and
type in "bambi"?

Well, it turns out Junior had better stick with the punctuation.  Following
their press release, thousands of users went directly to their browsers and
typed in "bambi".  Normal browser auto-expansion dropped them on
"www.bambi.com", a decidedly non-Disney site where children can learn about a
side of wildlife not fully depicted in the movie.

There are some fascinating tidbits in a Reuters article on the subject:

 o The company is selling the service to large companies who want simpler
   web addresses in advertising.

 o As people have found, the "single word" approach has some regrettable
   side effects if you don't have their special software installed.

 o The president of the company was "surprised" that browsers would jump to
   a site given an incomplete address.

Offhand I'd say their business plan is in tatters.  All because normal,
unenhanced web browsers are a little too smart.

------------------------------

Date: Thu, 12 Mar 1998 17:47:30 -0500 (EST)
From: wb8foz@nrk.com
Subject: V-Chip: details, details

Dan Charles of NPR reports that TV mfgrs responded to the "What happens when
parents lose the {V-chip} password?" question with:

  We haven't figured that out yet..

If certificates, authentication and such are a morass for the DOD [as they
are discovering....]; what happens in the larger world of TV sales?
Will we see ads in the classifieds such as:

  For Sale, 27' Sony, lost password, only gets Disney..

The RISK?  Mandated solutions to problems only partially thought-out.

------------------------------

Date: Thu, 12 Mar 98 8:26:51 PST
From: "Peter G. Neumann"
Subject: TV censors

A Kansas City company, Applied Micro Technology Inc., is about to begin
selling a device for censoring language in TV broadcasts (intended for the
protection of children).  It works only on closed-captioned broadcasts.  If
a banned word is found in the closed caption, the sound is muted and the
closed caption displayed with a milder word substituted.  The original
design just matched on words, causing DICK VAN DYKE to turn into JERK VAN
GAY.  This was obviously inadequate, so it was extended to recognize
context.  The designer, Rick Bray, says that it now catches 65 out of 66
"offensive words" in the movie Men in Black (for example), and so he now
allows his children to see it, and so they're pleased with the device.  The
article [sorry, source missing] does not say how many false hits it finds,
nor how much dialogue gets lost because the closed captions are not actually
always synchronized with the audio.  There are at present 100 banned words.

------------------------------

Date: Fri, 13 Mar 1998 14:48:12 -0800 (PST)
From: James Willing
Subject: For want of a hyphen, you get porn

You may have noticed that with almost every new movie trailer or
advertisement comes an URL for a web site that in most cases contains motion
video clips, stills, and other information about the movie.  Seems like just
another promotional opportunity which I think few would take issue with.

However, I have also noticed a darker trend developing in parallel with
this.  Operators of porn sites are increasingly obtaining domain names nearly
identical to that of the movies being promoted, usually with only a bit of
punctuation being the difference.
The most recent example: the science-fiction movie "Deep Impact", due out
this summer (an apocalyptic tale of comets crashing to earth).  The print
ads and trailers note the URL "www.deep-impact.com".  However, if you miss
the hyphen in the URL and enter "www.deepimpact.com" instead, you are
greeted with a starfield background (similar, if not identical to the
legitimate site), with a single line of hyperlinked text: "Click to
continue".  Even if you do not click on the text, after about four seconds
you are automatically linked (redirected) to the page of a pornographic site
with graphics that leave little doubt as to its purpose.

Especially disturbing is this recent trend for these redirector sites to try
to mirror the initial image of the legitimate sites in order to prevent the
user from realizing the error until after the next page has loaded, or worse
(possibly trying to create a legally defensible position) being able to
claim that the user consented to view the site by clicking on the linked
text.

The risks?  People seeking information on unreleased motion pictures (kids
especially) receiving instead an unwanted porn page.  Plus, the possible
backlash against the movie and its associates from people who may not
realize the difference a single omitted character can make in an URL and
might assume some link between the sites due to the similarity in the names.

A possible alternate risk would be for people who access the web from their
work or other monitored environment trying to explain why they have accessed
a pornographic site once the access is noted in a log file.

-jim
jimw@agora.rdrop.com  The Computer Garage  http://www.rdrop.com/~jimw
Fax - (503) 646-0174

  [It is astounding how many folks say "dash" instead of "hyphen" (or,
  perhaps less strongly typed, "minus").  For example, Siskel and Ebert have
  only recently realized that their URL contains a hyphen, not a dash.
  PGN]

------------------------------

Date: Mon, 09 Mar 1998 12:47:18 -0800
From: Mark Stalzer
Subject: Re: Newspaper spelling checker forgets Europe (RISKS-19.62)

There are cities in California and Texas called "Cypress" so I don't think
we should blame the spell checker.  It would have to understand the sentence
to catch the mistake.  We can execute the proofreader though.  -- Mark

  [Several folks commented on this.  If the dictionary contains Cypress, it
  should also contain Cyprus.  If it knows only about trees and not
  geographical names, it is not a very good dictionary for a spelling checker
  to use.  Let the fir fly, and spruce up the on-line dictionaries.  PGN]

------------------------------

Date: Wed, 11 Mar 1998 13:46:02 -0500
From: "Edelson, Doneel"
Subject: Boise's city e-mail subject to FOIA

The Idaho state government ruled that the City of Boise's e-mail is fair game
under the Freedom of Information Act.  They had to make the city council's
e-mail available to the newspaper.  [_Information Week_, March 9, 1998, p. 8]

------------------------------

Date: Wed, 11 Mar 1998 13:46:02 -0500
From: "Edelson, Doneel"
Subject: Radar blip lost Air Force One

The Federal Aviation Administration is investigating whether an air traffic
tracking system went out amid reports that Air Force One vanished from radar
screens for 24 seconds.  Broadcast reports said the airplane disappeared from
radar screens Tuesday morning as President Clinton traveled to Connecticut.
...  The long-range radar system at the center has a history of going off
and momentary blips are a frequent occurrence, DiPalmo said.
[_USA Today_, 11 Mar 1998]

------------------------------

Date: Tue, 10 Mar 1998 20:04:48 -0500
From: "Traurig, Scott R"
Subject: Re: The anti-crypto rhetoric ratchets up (Ellison, RISKS-19.62)

Mr. Ellison's observation that perhaps criminals are too lazy to use
encryption, supported by Ms.
Denning's survey results showing that encryption is not in widespread use by
criminals, may be an important one, indeed.  That our delicate world, made
all the more so by our reliance on technology as often discussed in this
forum, has not already been made a total shambles through criminal or
terrorist activity, is a constant source of amazement for me.  Many, if not
most, of us who participate in this forum would have little difficulty in
raining havoc upon a large population with equally little chance of
retribution by society.  Although there are certainly exceptions, one can
only hope that most criminals and terrorists, by their very nature, are
either incredibly stupid and/or lazy.  This theory is well supported by the
alleged criminals shown on the U.S. television program "Cops."  Perhaps the
"smarter" criminals also have some measure of morality that limits their
activities.  Let's hope it stays that way.

Scott Traurig

------------------------------

Date: Fri, 13 Mar 1998 17:16:27 GMT
From: Pete Mellor
Subject: Re: COMPAQ usability problem (Mellor, RISKS-19.60)

Further to my original mailing (which described what was actually reported
on "The News Quiz"), I actually did a bit of fact-checking with the COMPAQ
help desk.  They were not aware of any changes to screen messages, and not
aware of the story that is going around.  Another urban myth bites the dust!

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB, UK.  Tel: +44 (171) 477-8422
http://www@csr.city.ac.uk/

------------------------------

Date: Tue, 10 Mar 1998 18:54:40 -0500
From: "EFLORACK"
Subject: Re: Atlantic Monthly, "The Lessons of ValueJet 592" (RISKS-19.62)

Just a quick comment: Is it possible, then, that an extrapolation of this
MIGHT just be that government, trying to prevent all problems, will, instead
of gaining the goal, in fact create more problems?
The question applies of course to the finding in the case of VJ592, since
most of the systems involved are government mandated... but the question of
RISK would seem to apply to all other government mandates, as well.

------------------------------

Date: Tue, 10 Mar 1998 14:24:37 -0500 (EST)
From: Richard Snider
Subject: Re: The cost of deception (Cohen, RISKS-19.62)

In RISKS-19.62 an article appears promoting a product that allows system
administrators to "decept" would-be hackers into thinking they have broken
into your system when in reality they have not.  It then goes on to extol
the virtues of such an approach without exploring possible negative
side-effects of such software.

While there is questionable facility with using such software since "true
hackers" would likely know they are being faked out, the more interesting
question arises when "junior hackers" have succeeded in breaking into a
system but don't know enough to realize they have done so.  This is
especially bad if they know that this kind of faker software exists.

I put forth the example which brings this all to mind.  I used to look after
a computer network used by a large school board in Toronto.  As expected
there were a few students who took it upon themselves to try and break into
the system (e.g., gaining passwords by watching people type them).  At one
point my friend who worked on the system with me decided we would have a bit
of fun with the students and wrote a program that emulated the operation of
the system administrator account.  By leaving a good number of clues around
we were able to divert the efforts of the students into accessing this
account, and after watching them for a while we rounded them all up and had
a good laugh (I was a student as well at this time).

This had immediate predictable effects:

1. The students gained valuable knowledge about how the sys admin account
   really works (our simulation was quite authentic).

2. The students knew that such a faker program existed.

3.
   Any static program which simulates behaviour of the system was likely to
   be easily detected by those who have experienced it before (many of the
   students figured this out within minutes of using it).

What happened next was totally unexpected.  A budding, inexperienced hacker
under the tutorship of some of the previous students was instructed on how
to "break" into the system.  They unfortunately did not follow the
instructions given to them correctly and succeeded in breaking into the
system FOR REAL.  Knowing that the faker program existed, they assumed that
this is what they had accessed and thus set about a path of destruction that
would take over a week to unravel and fix.

I can only imagine what interesting things might happen once the hackers
start suggesting/contributing updates to this package.

The risk here is that you never know who is being deceived.

Richard Snider

------------------------------

Date: Fri, 13 Mar 1998 17:00:00 PST
From: Policy 98 Info
Subject: ACM Policy '98 Conference Announcement

                  ASSOCIATION FOR COMPUTING MACHINERY
                  * * *  POLICY '98 CONFERENCE  * * *
                     http://www.acm.org/policy98/

               "Shaping Policy in the Information Age"
          Washington, DC, Renaissance Hotel     May 10-12, 1998

Register now for the one computing policy conference you don't want to
miss...featuring:

- Senator Orrin Hatch (invited): Future of Intellectual Property
- Special Advisor to the President Ira Magaziner: White House Report
- Representative Vern Ehlers (invited): Reformulating US Science Policy
- Representative Constance Morella: The Role of the Federal Government in
  Computing
- Assistant Director Juris Hartmanis: The Role of the National Science
  Foundation in Computing Policy
- Assistant Secretary of Commerce for Communications and Information Larry
  Irving: Universal Service
- Debate: Esther Dyson and Gary Chapman
- ACM Presidential Award for founding NetDay: John Gage, Sun Microsystems
- Making Science Policy: Roundtable with NPR Correspondent Dan Charles

The ACM Policy '98
Conference will focus on public policy issues affecting future applications
of computing.  Our goal is to forge stronger links between computing
professionals and policy makers.  Attendees will interact with prominent
leaders from academia, industry, Congress, and Executive agencies, and
participate in debates on policy issues including:

- Universal Access
- Electronic Commerce
- Intellectual Property
- Education Online

All Policy '98 attendees are invited to the Annual ACM Awards Banquet on
Sunday evening May 10th, and a conference reception on Monday evening May
11th at the new headquarters of the American Association for the
Advancement of Science.

Register online at http://www.acm.org/policy98/ or write to
policy98@acm.org.  Early registrants and ACM members receive discounts.  A
limited number of low-priced student registrations are available.

Conference Chairs - Ben Shneiderman, Dianne Martin
Program Chairs - Marc Rotenberg, Keith Miller
Panel Moderators - Jim Horning, Pamela Samuelson, Charles Brownstein,
  Oliver Smoot
USACM Chair - Barbara Simons

------------------------------

Date: Tue, 10 Mar 1998 11:43:47 -0500
From: Mary Ellen Zurko
Subject: New Security Paradigms Workshop, Call For Papers

                            Call For Papers
                    New Security Paradigms Workshop '98
                        A workshop sponsored by ACM
                         22 - 25 September 1998
                         Charlottesville, Virginia
                 http://www-hsc.usc.edu/~essin/nspw98.html

Paradigm shifts disrupt the status quo, destroy outdated ideas, and open the
way to new possibilities.  This workshop explores deficiencies of current
computer security paradigms and examines radical new models that address
those deficiencies.  Previous years' workshops have identified problematic
aspects of traditional security paradigms and explored a variety of possible
alternatives.  Participants have discussed alternative models for access
control, intrusion detection, new definitions of security, privacy, and
trust, biological and economic models of security, and a wide variety of
other topics.
The 1998 workshop will strike a balance between building on the foundations
laid in past years and exploring new directions.

Deadline 3 Apr 1998 for e-mail submissions, 27 Mar 1998 for hardcopy.
[First check out http://www-hsc.usc.edu/~essin/nspw98.html .]

Workshop Co-Chairs

Bob Blakley, IBM, 11400 Burnet Road, Mail Stop 9134, Austin, TX 78758 USA
  e-mail: blakley@us.ibm.com  voice: +1 (512) 838-8133  fax: +1 (512) 838-0156

Darrell Kienzle, The MITRE Corp., 1820 Dolley Madison Blvd., McLean VA 22102
  e-mail: kienzle@mitre.org  voice: +1 (703) 883-5836  fax: +1 (703) 883-1397

Program Committee Co-Chairs:

Mary Ellen Zurko, The Open Group Research Institute, 11 Cambridge Center,
  Cambridge, MA 02142 USA
  e-mail: zurko@opengroup.org  voice: +1 (617) 621-7231  fax: +1 (617) 225-2943

Steven J. Greenwald, 2521 NE 135th Street, North Miami, FL 33181 USA
  e-mail: sjg6@gate.net  voice: +1 (305) 944-7842  fax: +1 (305) 944-5746

  [``Buddy can use paradigm?'' (variant of ``Buddy, can youse paradigm?'')
  PGN]

------------------------------

Date: Tue, 10 Mar 1998 06:52:25 -0500
From: Chuck Howell
Subject: Software Certification Conference: Call for Participation

                         CALL FOR PARTICIPATION
      First International Software Assurance Certification Conference
                               (ISACC'99)
               Theme: Early Lessons Learned and Prospects

Location: Washington D.C.
Date: Spring 1999

General Chair: Chuck Howell, howell@rstcorp.com
Program Chair: Dr. Jeffrey Voas, jmvoas@rstcorp.com
Conference Secretariat: Ms. Peggy Wallace, pwallace@rstcorp.com
Conference Web Site: www.rstcorp.com/ISACC99

Conference Management:
  Reliable Software Technologies, Sterling, VA USA
  http://www.rstcorp.com  Tel: 703.404.9293  Fax: 703.404.9295

Additional Sponsors:
  Software Testing Assurance Corporation, Stamford, CT USA
  http://www.stacorp.com  Tel: 203.972.9557  Fax: 203.966.5506

ISACC'99 will be the first conference in an annual series to be devoted
exclusively to software certification.
Enormous demand is driving the development of technologies, tools,
methodologies, and models for certifying software -- that is, certifying
that software will "behave as advertised" with respect to a specific set of
behaviors, or at least that the software has specific properties.  ISACC
will be the premier forum where consumers and producers of software can
exchange points of view on how best to certify software technology.

The theme of ISACC'99 is "Early Lessons Learned and Prospects".  ISACC'99
will focus on the many different ways that certification is currently
approached in the software industry.  Examples range from independent
confirmation of a narrow set of properties of a specific program (e.g., Key
Labs' "100% Pure Java Certification") to complex regulatory oversight of an
entire development process (e.g., FAA's DO-178B framework).  What can be
inferred when a software product is certified, and what cannot?  What
approaches have proven successful, and where have certification efforts
bogged down?

The near-term prospects for software certification are driven in large
measure by non-technical issues.  Software is increasingly used in systems
where failure threatens safety, economic loss, loss of privacy or
confidentiality, and other injuries.  In addition, the "Year 2000 Problem"
has dramatically raised awareness of the extent to which businesses' ability
to function has become dependent on software, with corresponding
consequences for software that does not "work as advertised".  Software
liability is the Sword of Damocles hanging over the head of the software
industry.  Liability concerns make ISACC especially timely.  A key question
is whether the government should decide what the certification requirements
are for a given class of systems and uses of software, or whether
"private-sector" developers should self-regulate via a core set of
certification technologies.
If self-policing is preferred, will it be by an honor system or will software
certification laboratories be the means by which software vendors show that
their software is of high quality?

Besides paper presentations, ISACC'99 will also host a series of tutorials
explaining how regulatory certification frameworks (such as the FAA's
DO-178B or the FDA's 510(k) guidelines) are enforced.  Certification experts
will teach attendees the steps that they must successfully complete in order
to get software systems approved.  Similar tutorials will be offered by
experts on examples of "self policing" certification frameworks from
commercial software developers and certification laboratories.  A panel
discussion on certification frameworks in other industries (e.g., Civil
Engineering, Electrical Engineering) will provide additional perspective on
ways of structuring certification processes.

In summary, the series of ISACC conferences will seek practitioners, legal
experts, and researchers that wish to discuss how software certification can
be transformed from being viewed as a tax on the industry to being viewed as
a trophy.

Topics of particular interest to the program committee include:

  Certification Authorities and Laboratories
  Existing Software Guidelines or Standards (ISO, CMM, IEC, USNRC, FDA,
    NCSA, etc.)
  Formal development methods
  Product vs. Process Certification
  Public-domain software
  Qualifying and Quantifying the Reliability of COTS Software
  Software Metrics and Measurement
  Software Validation
  Software Liability
  Software Insurance
  Software Assurance Tools
  Software Reliability Measurement
  Software Safety Assessment
  Software Security Assessment
  Software Maintenance
  Uniform Commercial Code
  Year 2000 Certification
  The Role of Professional Organizations (ACM, IEEE, ASQ, etc.)
  Certification of third-party software

In late March 1998, the official CALL FOR PAPERS for ISACC will be mailed.
If you would like to be on ISACC's mailing list to receive the CALL FOR
PAPERS announcement and the program brochure, please send e-mail to
isacc@rstcorp.com .

------------------------------

Date: 1 Apr 1997 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Or use Bitnet LISTSERV.  Alternatively,
 (via majordomo) DIRECT REQUESTS to with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO     [for unabridged version of RISKS information]
=> The INFO file (submissions, default disclaimers, archive sites,
 .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also
 obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
 or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 The ftp.sri.com site risks directory also contains the most recent PostScript
 copy of PGN's comprehensive historical summary of one liners:
   get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 19.63
************************