Subject: RISKS DIGEST 16.82
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Friday 17 February 1995  Volume 16 : Issue 82

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc.       *****

 Contents:
New York Parking Meters In Violation of Federal Law (A. Padgett Peterson)
Big Brother in the Big House (Peter Wayner)
Computer aids in predicting death (Lauren Wiener)
Hacker Mitnick arrested (Jim Griffith)
Computer addiction and the 6 O'Clock News (Rob Slade)
New Area Codes & PBX Programs (Mich Kabay)
E-mail risks (Vincent Gogan)
Re: Self-disabling software (Bruce Johnson)
Re: Invisible blue zone (David Stodolsky)
CERT Advisory CA-95:04.NCSA.http.daemon.for.unix.vulnerability
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Wed, 15 Feb 95 15:32:24 -0500
From: [email protected] (A. Padgett Peterson)
Subject: New York Parking Meters In Violation of Federal Law

Re: Notification on Self-Disabling Software (Jeremy Epstein)

This leads naturally to the following item:

 (1998): In a surprise move, federal marshals yesterday seized nearly nine
 million parking meters in New York City, citing violation of the Software
 Disability Act of 1996.  Consumer advocates praised the move, saying ``the
 meters all stopped working when the time ran out."  The Parking Violations
 Bureau issued protests that ``all motorists in NYC were issued a notice
 on 1 April 1975, along with the courtesy windshield cleaning."  However,
 these protests were not accepted, because the majority of motorists
 ticketed were not old enough to have had licenses at the time.

    [I guess April comes early in 1995.  PGN]

------------------------------

Date: Wed, 15 Feb 95 21:55:36 PST
From: Peter Wayner ([email protected])
Subject: Big Brother in the Big House

The WSJ has a big article on the prison phone call business on Wednesday,
February 15, 1995. The article discusses how the major long-distance
companies court prisons because prisoners have nothing better to do than
spend heavily on phone calls.

But supplying phone service to prisons is not a risky job, because convicts
have a habit of phone and credit card fraud. They'll call an outside phone
number at random, con the person who answers into giving out a credit card
number, and then use that number to order goodies for themselves.

So, many prisons require the phone-service providers to provide anti-fraud
measures, which include tape-recording equipment and voice-print
identification. Some prisoners have their access to phones restricted, and
they try to use someone else's access codes.  The voice print identification
can nab these guys.  The technology is now being deployed.

All of this avoids the question of just what is prison in a world where the
apartments are smaller and telecommuting is more popular.  If prisoners can
dial out, conduct business, and even access the net, the walls seem filled
with virtual loopholes.

  [This also gives new meaning to ``Reach out and touch someone."  PGN]

------------------------------

Date: Thu, 16 Feb 95 21:28:46 -0800
From: Lauren Wiener <[email protected]>
Subject: Computer aids in predicting death

From _The Oregonian_, 16 Feb 1995, p. D11:

Computer Aids in Predicting Death, by Mike Koller, AP, Philadelphia

[...] Using a new program, researchers say they are able to predict when a
terminally ill person will die with more accuracy than doctors using their
own judgment.  The study could help doctors determine which treatments
should be given to terminally ill patients and help decide when life-support
efforts should be stopped.  ``The computer remembers thousands and thousands
of cases and keeps the different risk factors in perspective," said Dr.
William A. Knaus of George Washington University.  Knaus led the study,
published in the Jan. 31 issue of the Annals of Internal Medicine.  ``And
when we included the survival estimate from the patient's own physician in
the model, the two together predicted time until death more accurately than
either alone," he said.  The program was developed from June 1989 to June
1991, using information from 4,301 patients.  It was tested from January
1992 to January 1994 on 4,028 patients, Knaus said.

The program, called SUPPORT (Study to Understand Prognoses and Preferences
for Outcomes and Risks of Treatments), focused on nine diseases and
conditions, such as liver disease, colon or lung cancer, heart or lung
disease and multiple organ failure.  Knaus said he was confident that
Support will prove reliable and eventually be expanded to predict death
rates for other diseases.  Seriously ill patients with a projected life
expectancy of six months were entered in the study when they were
hospitalized.  [...]

``Most adults say that if they are going to die within a year, they want
realistic estimates of their risks, both in the immediate future and during
the next few months," Knaus said.  ``This predictive tool is important for
its use for counseling very sick patients and their families."

However, not everyone agrees.  Toby Gordon, vice president for planning and
marketing at Johns Hopkins Hospital and Health Systems in Baltimore, said
the program raises questions.  ``Any information that helps us learn how to
better take care of patients -- in quality of care and quality of life --
makes a contribution," Gordon said.  ``But whether patients and their
families will want to use it is questionable."  He also questioned the
ramifications of being able to accurately predict death.  ``In the expansion
of computer-assisted technology we will see a proliferation of these
techniques, bringing into question ethics and rationing of care," he said.

The authors warned that the project has not been tested outside the strictly
controlled settings of teaching hospitals.  Its reliability in conventional
hospital settings has not been established, they said.

------------------------------

Date: Thu, 16 Feb 1995 23:37:24 -0800
From: [email protected] (Jim Griffith)
Subject: Hacker Mitnick arrested

KCBS Radio (San Francisco) reported tonight that The Well and Netcom
combined efforts, resulting in the arrest of 31-year-old hacker Kevin
Mitnick in Raleigh, North Carolina.  Both companies discovered large caches
of data being stored on their systems.  At the same time, "a well-known San
Diego consultant" discovered security breaches in his system.  This led to
vigorous efforts to track the hacker, and after 24-hour electronic
surveillance and at least one cellular phone trace, law enforcement
officials arrested Mitnick.  Mitnick's early escapades are chronicled in the
book _CYBERPUNK_ by Katie Hafner and NY Times reporter John Markoff, and, in
fact, Mitnick is accused of breaking into Markoff's computer.

Mitnick, a fugitive from justice, faces up to 30 years in prison for various
crimes, including allegedly breaking into NORAD computers.  Law enforcement
officials are now wrestling with jurisdictional issues, as Mitnick is wanted
for crimes in at least six different jurisdictions.

 [See excellent articles by John Markoff in *The New York Times*, 16 Feb
 (TWO) and 17 Feb 1995.  I could not begin to excerpt these three long
 articles, and of course cannot include them in their entirety.  But
 they are very well done.  PGN]

------------------------------

Date: Thu, 12 Jan 1995 15:09:02 EST [TIMELY!  Yes, we are backlogged!]
From: "Rob Slade, Social Convener to the Net" <[email protected]>
Subject: Computer addiction and the 6 O'Clock News

Hello, my name's Rob, and I'm a ... a ... Netaholic.

They tell me a lot of you have a story like mine.  It started out with a
committee and someone at the local university offered me an account, just to
keep in touch, you know?  Then, somebody introduced me to "Computers and
Society".  I could handle that: it only came every week or so.  Then I got
into RISKS-FORUM and the IBM-PC Digest.  That pretty much guaranteed
something every day!  I was really smokin', man!  I thought I was just King
Modem!

In order to feed my habit, I started pushing.  I was porting Info-Mac to
local bulletin boards for access.time.  I started doing unmoderated lists.
Then a friend turned me on to Usenet.  By this time, I was doing about a
half a meg a day.

I was hooked, but I wouldn't admit it.  I told myself it was all
job-related.  I only read VIRUS-L in order to flog my book.  But why did I
have alt.best-of-usenet in my .newsrc?  My wife took to asking, "Is that in
real time or computer time," when I said I'd be offline in ten minutes.

I didn't recognize the danger signs.  I could tell people the first
alt.adjective.noun.verb.verb.verb group.  My wife left me when I started
introducing myself at parties as, "Hi!  [email protected].  What's your
group?"  I started talking familiarly about people that my friends in
Vancouver had never met.  I started hoarding accounts.  When I found out I
could never match Bill Murray's two full columns on a business card, it was
a real bad trip.  I crashed for a week.

Then, it all fell apart.  My access provider started to go flaky.  I tried
Fidonet, but it just wasn't the same.  I ... I ... started reviewing
Internet books.  It wasn't a pretty sight.  Soon, I had two bookshelves
completely full.  *And* that little pile behind the door where I thought no
one could see ...

I finally realized I needed help.  As part of the twelve-step process, I'm
telling my story in public.  And I'm going to bust up my modem ... as soon
as I do this one more posting ...

    ___

Yes, I'm sarcastic.  It's an addiction, OK?

Yes, I believe we can all admit that computers can be very addictive.
Programming, itself, is as "moreish" as salted peanuts--and often has a
similar effect on the waistline.  Computers are relatively inexpensive, give
results with minimal training, are completely under the control of the user
(why else call them "personal" computers?) and don't require any particular
considerations.  But do they *cause* addiction?

Our society seems to be not merely predisposed to, but actually encouraging
of, obsessive behaviour.  The evidence is not limited to lone psychopaths,
the drug culture, cults and tragedies such as anorexia nervosa.  Amateur
"athletes" who constantly require medical intervention are considered
normal.  We don't *really* believe that a workaholic is a problem.  We
expect scientists to have no idea of culture and artists to have no idea of
technology.

Another newswire report of computer addiction, therefore, adds no new
information to the study.  We all know computers can be attractive--but we
all know that there is a difference between the fellow (usually male, isn't
it?)  who runs up enormous bills on the Compuserve CB simulator, and those
of us whose work or study requires as much online correspondence as we can
afford to give.  In many cases, the computer is not a cause but merely a
means.  If it were not the computer, it would be something else.  Recently a
co-worker happened to drop the comment that he didn't watch much TV--only
about five hours a day.  If that is OK (or even "not much"!) can I spend
five hours a day with the modem?  (Can I add an hour for social utility?  As
long as I promise not to use Mosaic?)

I am *not* saying that computer addiction cannot be a problem.  If it is,
however, let us give some thought to isolating and identifying the difference.

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer [email protected], [email protected], Rob Slade at 1:153/733

------------------------------

Date: 17 Feb 95 15:11:06 EST
From: "Mich Kabay [NCSA Sys_Op]" <[email protected]>
Subject: New Area Codes & PBX Programs

An AP item on 17 Feb 1995 reported that many businesses in Washington state
and Alabama are having trouble receiving phone calls since new area codes
were introduced last month.  The new area codes, 360 in western Washington
and 334 in Alabama, are the first in the country not to use a one or zero as
the middle digit.  The item reports that PBXs reject area codes that include
anything but a 0 or a 1 in the middle position.  The problem will worsen
when additional area codes are installed in, among other regions, Los
Angeles, Denver, and Tampa.

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn
(Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)

------------------------------

Date:   Wed, 15 Feb 1995 14:54:36 -0500
From: Vincent Gogan <[email protected]>
Subject: E-mail risks  (risk of many mail programs)

Most mail programs that I have dealt with share a flaw... they don't
indicate to whom a message will be actually sent.

This became particularly evident this Valentine's Day when I received a very
warm personal note thanking me for some beautiful flowers and indicating how
I always knew how to make this woman happy. This came as quite a surprise to
my wife (and myself)!

.. Many a sitcom episode has started with a weaker premise than this.
Luckily, my wife would never have fit in with the Three's Company crowd
and all is well.

Still, this probably happened because of quite a simple error. This woman
either typed in an alias/nickname that didn't work or just typed the first
name of her suitor instead of his account name. In either case, the mail
program should have indicated to whom the message would be sent. For local
addresses (as this was), the actual name of the recipient (as opposed to the
account name) should be indicated.

Vincent Gogan  [email protected]

------------------------------

Date: Thu, 16 Feb 1995 11:40:28 MST
From: "Bruce Johnson" <[email protected]>
Subject: Re: Self-disabling software (Leichter, RISKS-16.80)

       If a third party triggers the disable feature, or, even under the
right circumstances, the owner of the software (i.e., the client has paid, but
you disable it anyway), that is a felony in most states, theft by control,
i.e., embezzling.  If you hold the software to ransom through such an act, it's
also a felony.

       As a side note...this was used as a plot device in the movie "Single
White Female" a few years back, as a revenge sub-plot.

Bruce Johnson, University of Arizona, College of Pharmacy
Information Technology Group

------------------------------

Date: Thu, 16 Feb 95 23:03:51 +0100 (CET)
From: [email protected] (David Stodolsky)
Subject: Re: Invisible blue zone (Jonas, RISKS-16.81)

> The cancelbots then cancel those postings and I'm essentially barred from
> the internet.

Cancelbots are not normally being used to cancel spams. The articles are
typically selectively cancelled, often one copy will be left in a newsgroup
in which it is "on-topic". Non-spam posts by the same sender are not
affected.

  [Also noted by [email protected] (Frederick G.M. Roeber).  PGN]

However, there is now a Call for Discussion (CFD) about reorganization of
the news hierarchy. This could, among other things, create a moderated
newsgroup, news.admin.net-abuse.announce, for the posting of announcements,
etc., related to abuse. Opponents fear that a moderated group would give the
announcements a stamp of authority that would lead to attacks on the
apparent abusers.

Axel Boldt is maintaining an "Internet Advertisers Blacklist".  To quote a
draft FAQ, "Administration of Cancel Messages": Axel Boldt
<[email protected]> should be notified about abusive advertisers, so they
can be added to his Internet Advertiser's Blacklist. Please use the word
"Blacklist" somewhere in the subject line. Make sure to check the last
version of the List first, so that he won't get multiple complaints about
incidents already covered. The newest version is always available over the
WWW at URL: http://math-www.uni-paderborn.de/~axel/blacklist.html.

> ...  I have no way to know to appeal (let alone to whom) and I must get

Fears of this development have led to the organization of the NetNews
Judges (TM) List (this is a reformatted InterNIC resource entry):

===========================================================================

             Judges-L - NetNews Judges List
             Resource Type:  Mailing list

Description:  The Judges' List distributes messages to a panel of
             Judges who cancel multiple posts to NetNews immediately.
             The List is used to help Judges organize themselves,
             finalize policy, and set procedures to enforce rules. It
             is primarily directed to those who issue cancels.
             Secondarily, to those who survey cancels issued, in
             order to ensure that the cancel facility is not being
             abused. The protection of the NetNews system from overload
             by posts to multiple newsgroups is the focus of activity.

Access: Messages go to: [email protected].
       Subscriptions go to: [email protected].

Services:       Dispute Resolution:

               Complaints are primarily about spam, multiple off-topic
               posts. Posters may also complain about inappropriate
               cancels. An opinion is reached via a consensus
               decision-making procedure based upon private deliberations
               in which all parties may participate.

               Preparation of Periodic Posts:

               Frequently Asked Question (FAQ) lists are prepared to inform
               users about appropriate use of cancel messages, how to file
               complaints, how the List processes complaints, etc.

Keywords:  posting software, law, security mechanism, control message,
          freedom of speech, censorship, due process, advertisement,
          chain letter, rumor, conflict resolution, forgery, infection,
          news administration, kill file

David S. Stodolsky, PhD  * Social *   Internet: [email protected]
Tornskadestien 2, st. th.   * Research *    Tel.: + 45 38 33 03 30
DK-2400 Copenhagen NV, Denmark  * Methods *  Fax: + 45 38 33 88 80

------------------------------

Date: Fri, 17 Feb 1995 17:36:01 -0500
From: [email protected] (CERT Advisory)
Subject: CERT Advisory CA-95:04.NCSA.http.daemon.for.unix.vulnerability

  [Also, see CA-95:03, February 16, 1995, Telnet Encryption Vulnerability,
  if you are using Berkeley Telnet with the experimental Telnet encryption
  option using the Kerberos V4 authentication.  PGN]
CA-95:04                         CERT Advisory
                              February 17, 1995
                    NCSA HTTP Daemon for UNIX Vulnerability
The CERT Coordination Center has received reports that there is a
vulnerability in the NCSA HTTP Daemon V.1.3 for UNIX. Because of this
vulnerability, the daemon can be tricked into executing shell commands.

If you have any questions regarding this vulnerability, please send
e-mail to Beth Frank at the NCSA, [email protected].

I.   Description

    A vulnerability in the NCSA HTTP Daemon allows it to be tricked into
    executing shell commands.

II.  Impact

    Remote users may gain unauthorized access to the account (uid) under
    which the httpd process is running.

III. Solution

    The following solution was provided by the HTTPD Team at SDG at
    NCSA.

    Step 1:

      In the file httpd.h, change the string length definitions
      from:
               /* The default string lengths */
               #define MAX_STRING_LEN 256
               #define HUGE_STRING_LEN 8192
       to:
               /* The default string lengths */
               #define HUGE_STRING_LEN 8192
               #define MAX_STRING_LEN  HUGE_STRING_LEN

    Step 2:

       Install the following patch, which performs the functionality of
       strsubfirst (i.e., copy src followed by dest[start] into dest) without
       the use of a temporary buffer.

  ----[Lengthy patch deleted for RISKS.  Contact CERT FOLKS.  PGN]----

After you apply this patch, recompile httpd, kill the current running process,
and restart the new httpd.

 [The CERT Coordination Center thanks Steve Weeber, Carlos Varela, and
 Beth Frank for their support in responding to this problem.]

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response and
Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise that the e-mail be encrypted.
The CERT Coordination Center can support a shared DES key, PGP (public key
available via anonymous FTP on info.cert.org), or PEM (contact CERT staff
for details).

Internet E-mail: [email protected]
Telephone: +1 412-268-7090 (24-hour hotline)
          CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
          and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address:  CERT Coordination Center
                Software Engineering Institute
                Carnegie Mellon University
                Pittsburgh, PA 15213-3890
                USA

CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to [email protected].

Past advisories, CERT bulletins, information about FIRST representatives, and
other information related to computer security are available for anonymous FTP
from info.cert.org.

CERT is a service mark of Carnegie Mellon University.
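
The in-place rewrite that Step 2 of the advisory describes, as an added example
in C that is neither CERT's nor NCSA's code: strsubfirst_inplace is an assumed
name, destsize is an assumed extra parameter carrying the capacity of dest, and
the alias-translation scenario in the check functions is constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not NCSA's code.  It performs the operation the advisory
 * attributes to strsubfirst ("copy src followed by dest[start] into dest")
 * in place with memmove, so no fixed-size temporary buffer is involved, and
 * it takes an assumed extra parameter, destsize, so the result is bounds
 * checked instead of being allowed to overrun dest.
 *
 * Returns 0 on success, -1 if start is past the end of dest or if the result
 * (src + the tail + NUL) would not fit in destsize bytes.  dest is left
 * unchanged on failure.
 */
int strsubfirst_inplace(size_t start, char *dest, size_t destsize, const char *src)
{
    size_t dlen = strlen(dest);
    size_t slen = strlen(src);
    size_t taillen;

    if (destsize == 0 || start > dlen)
        return -1;
    taillen = dlen - start;                 /* length of dest[start..] */
    if (slen > destsize - 1 || taillen > destsize - 1 - slen)
        return -1;                          /* result would exceed destsize */

    /* Move the tail (with its NUL) to its final position first; the source
     * and target ranges may overlap, so memmove rather than memcpy. */
    memmove(dest + slen, dest + start, taillen + 1);
    memcpy(dest, src, slen);
    return 0;
}

/* Constructed scenario (assumption: an alias prefix in a request path is
 * replaced by a filesystem directory, the kind of rewrite strsubfirst serves).
 * Returns 1 if the translation produced the expected path. */
int check_alias_translation(void)
{
    char path[64] = "/cgi-bin/foo";                   /* constructed request path */
    const char *dir = "/usr/local/etc/httpd/cgi-bin"; /* constructed target dir */

    if (strsubfirst_inplace(strlen("/cgi-bin"), path, sizeof path, dir) != 0)
        return 0;
    return strcmp(path, "/usr/local/etc/httpd/cgi-bin/foo") == 0;
}

/* The same rewrite into a buffer too small for the result (33 bytes needed,
 * 16 available): a version without a capacity check would write past the end;
 * this one refuses and leaves path intact.  Returns 1 if rejected unchanged. */
int check_oversize_rejected(void)
{
    char path[16] = "/cgi-bin/foo";
    const char *dir = "/usr/local/etc/httpd/cgi-bin";
    int rc = strsubfirst_inplace(strlen("/cgi-bin"), path, sizeof path, dir);

    return rc == -1 && strcmp(path, "/cgi-bin/foo") == 0;
}

int main(void)
{
    printf("alias translation: %s\n", check_alias_translation() ? "ok" : "FAILED");
    printf("oversize rejected: %s\n", check_oversize_rejected() ? "ok" : "FAILED");
    return 0;
}
```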

------------------------------

Date: 6 February 1995 (LAST-MODIFIED)
From: [email protected]
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you.  BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  U.S.
users on .mil or .gov domains should contact <[email protected]>
(Dennis Rears <[email protected]>).  UK subscribers please contact
<[email protected]>.  Local redistribution services are
provided at many other sites as well.  Check FIRST with your local system or
netnews wizards.  If that does not work, THEN please send requests to
<[email protected]> (which is not yet automated).  SUBJECT: SUBSCRIBE
or UNSUBSCRIBE; text line (UN)SUBscribe RISKS [address to which RISKS is sent]

CONTRIBUTIONS: to [email protected], with appropriate,  substantive Subject:
line, otherwise they may be ignored.  Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
welcome, but not personal attacks.  PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them.  Contributions will not be ACKed; the load is
too great.  **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks.  Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
All other reuses of RISKS material should respect stated copyright notices,
and should cite the sources explicitly; as a courtesy, publications using
RISKS material should obtain permission from the contributors.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
  Individual issues can be accessed using a URL of the form
  http://catless.ncl.ac.uk/Risks/VL.IS.html
  (Please report any format errors to [email protected])

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>YourName<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP.
Issue J of volume 16 is in that directory: "get risks-16.J<CR>".  For issues
of earlier volumes, "get I/risks-I.J<CR>" (where I=1 to 15, J always TWO
digits) for Vol I Issue j.  Vol I summaries in J=00, in both main directory
and I subdirectory; "bye<CR>"  I and J are dummy variables here.  REMEMBER,
Unix is case sensitive; file names are lower-case only.  <CR>=CarriageReturn;
UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username and
password.  Also ftp [email protected].  WAIS repository exists at
server.wais.com [192.216.46.98], with DB=RISK (E-mail [email protected] for info)
  or visit the web wais URL http://www.wais.com/ .
Management Analytics Searcher Services (1st item) under http://all.net:8080/
also contains RISKS search services, courtesy of Fred Cohen.  Use wisely.

------------------------------

End of RISKS-FORUM Digest 16.82
************************