Subject: RISKS DIGEST 17.12
REPLY-TO:
[email protected]
RISKS-LIST: Risks-Forum Digest Saturday 13 May 1995 Volume 17 : Issue 12
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for further information, disclaimers, etc. *****
Contents:
Software Piracy (Edupage)
Risks of trusting authority... (Peter da Silva)
Mercedes-E marketing spreads virus (Klaus Brunnstein)
Nautilus foils wiretaps (Simson L. Garfinkel)
Microsoft "Bob" passwords (Jeremy Epstein)
Internet Addiction (Ivan Goldberg)
More on CNID (Marc Rotenberg)
The Risks of trying to teach someone that doesn't want to learn
(David P. Miller)
Cellular disturbances (Torsten Lif)
GPS Risks (Mark Moore)
GPS landing systems (Neil Youngman)
Problems with wrong assumptions about date conversion (Paul Eggert)
Re: Year 2000? Don't forget 1752! (Tom Wicklund)
ASIS articles Webbed (Frederick B. Cohen)
ABRIDGED Info on RISKS (comp.risks) [See other issues for full info]
----------------------------------------------------------------------
Date: Sun, 7 May 1995 19:54:51 -0400
From:
[email protected] (Edupage)
Subject: Software Piracy (Edupage 7 May 1995)
Worldwide estimates of losses from piracy surpassed $15.2-billion last year.
The problem is most rampant in Indonesia and Kuwait, where about 99% of all
software is copied illegally. (Toronto Financial Post 5/6/95 p. 8)
------------------------------
Date: Fri, 5 May 1995 10:59:09 -0500
From:
[email protected] (Peter da Silva)
Subject: Risks of trusting authority...
> ... Clifford Stoll ... says that what's missing in cyberspace is
> "anyone who will say, hey, this is no good... Editors serve as barometers
I would say the opposite is true. On Usenet you *can't* get away with
posting nonsense, because there are thousands of "editors" ready to jump on
your posting and gleefully shred it in public. With printed information,
you're depending on the editor being competent to judge the veracity of the
information presented. It's become routine, for me at least, to check on the
net to verify things I've read in print media.
Yes, you have to be a bit savvy, to find the groups where competant people
are monitoring postings, but that's true in print too. You have everything
from the electronic equivalents of the National Enquirer, to groups like,
well, comp.risks.
> The date/time functions of Sybase won't accept dates before 1753 because...
What do they do about dates in pre-soviet Russia?
I had the same reaction to the general idea of using floating point numbers
for relative time. Even in integers you need to beware of the singularity
around zero (say you're dividing an integer by 2 to schedule events, if your
division truncates towards zero you'll miss one event because -1, 0, and +1
all end up at the same point), with floating point these singularities are
scattered up and down the number line. In any case the example seems to have
been more a case of using floating point operators to perform 48 bit integer
arithmetic, rather than using floating point arithmetic.
------------------------------
Date: Wed, 10 May 1995 15:49:36 +0200
From: Klaus Brunnstein <
[email protected]>
Subject: Mercedes-E marketing spreads virus
2000 journalists recently received a diskette containing marketing
information on Mercedes' new E-class cars. As hidden donation, this diskette
contained also a virus of the Stoned family (Stoned.NoInt alias Stoned III
alias Bloomington) which so far was not "in the wild" in Germany. After
having been alarmed, Mercedes shipped 2,000 diskettes of a reliable AV
product to the journalists.
Many media reported this accident in Germany, claiming that "this virus is
harmless". This is not fully untrue as the only intentional "damage" in this
stealth variant of the Stoned family results in failures only with
high-density diskettes. It is also possible that unintended damage occurs in
the directory structure. This virus attempts to hide the infected boot
sector against detection by some AV product. Fortunately, the product
choosen by Mercedes reliably detects Stoned.NoInt on diskettes and disks.
Question remains open whether the addressed journalists tested and cleaned
all diskettes and systems which had been in contact with the infected
diskette; otherwise, Mercedes marketing may have a long-time impact on some
Mercedes drivers' PC systems :-)
Klaus Brunnstein (Univ.Hamburg, May 10, 1995)
------------------------------
Date: Thu, 11 May 1995 15:43:02 -0400
From:
[email protected] (Simson L. Garfinkel)
Subject: Nautilus foils wiretaps
PC SOFTWARE FOILS WIRETAPS 5/10/95
By SIMSON L. GARFINKEL
Special to the Mercury News
As the U.S. Senate debates granting the Federal Bureau of Investigation new
powers to wiretap personal communications, three West Coast computer
programmers have planned their own preemptive strike: a free program,
distributed on the Internet, that renders legal and illegal wiretaps
useless.
The programmers, Bill Dorsey of Los Altos, Pat Mullarky of Bellevue, Wash.,
and Paul Rubin of Milpitas, plan to release today a program that turns
ordinary IBM-compatible personal computers into an untappable secure
telephone. It uses an encryption algorithm called ''triple-DES'' that is
widely believed to be unbreakable.
''Electronic surveillance by the government is on the rise,'' says Dorsey,
the group's lead programmer. ''There also exists an equally large threat
from the private sector as well: industrial espionage. Foreign governments
are interested in wiretapping and getting information out of our high-tech
firms.''
Called Nautilus, the program is being released as an attack on the Clinton
administration's national encryption standard, the Clipper chip. Civil
rights groups have criticized the Clipper initiative, since the federal
government holds a copy of every chip's master key and can use that key to
decrypt -- or decode -- any Clipper-encrypted conversation. But since the
keys used by Nautilus to encrypt conversations are created by users, the
government does not have a copy.
A nod to Jules Verne
Nautilus has another advantage over Clipper: Whereas AT&T's
Clipper-equipped Telephone Security Devices Model 3600 costs $1,100,
Nautilus is free program.
''You don't need any special expensive hardware for it. You just use
ordinary PCs,'' says Rubin.
The name ''Nautilus'' was taken from Captain Nemo's submarine in the Jules
Verne novel, ''20,000 Leagues Under the Sea.'' But whereas Nautilus the sub
was used to sink Clipper ships, the programmers hope that their creation
will sink Clipper chips.
To use Nautilus, both participants must have a copy of the program and an
IBM PC-compatible computer equipped with a Sound Blaster card and a
high-speed modem. The two participants must also agree upon a series of
words called a ''pass phrase,'' which is used to encrypt the conversation.
Both participants run the program and type in the pass phrase; one person
instructs their computer to place the telephone call, the other instructs
their computer to answer.
Once the call is in progress, either user must press a key on their
computer in order to speak, similar to using a hand-held radio. But unlike
walkie-talkies, the users can interrupt each other.
Could help criminals
Such innovations could lead to conversations that would be practically
foolproof from eavesdropping, either by pranksters or the government. It
could become invaluable in future years to financial institutions and other
corporations involved in sensitive negotiations.
''It will certainly be beneficial to many citizens and many other users of
it,'' says Jim Kallstrom, assistant director of the Federal Bureau of
Investigation's New York field office. ''I suspect that it also will be
beneficial, unfortunately, to criminals.
''I would hope the extremely enterprising and smart people that we have in
this country would work toward solutions that would not only protect the
communication of citizens . . . but would also allow the law enforcement
objectives to be maintained.''
Rubin stressed that while Nautilus was a challenge to write, it ''isn't
rocket science.'' Much of the program, in fact, was assembled from parts
that already were available on the Internet, the worldwide network of
computer networks. It will even be easier to construct programs similar to
Nautilus once Microsoft releases its computer telephony system for Windows
95. ''It will be impossible to keep a program like Nautilus out of the
hands of people who want it,'' Rubin said.
Gene Spafford, a professor of computer science at Purdue University who is
an expert on computer security, said: ''It will be interesting to see what
reaction this provokes from the government.'' Nevertheless, Spafford said,
in order for encryption to be widely adopted, it will have to be ''built
into the phones.''
Dorsey said that anybody in the United States who has Internet access can
download the program. For the instructions, use the Internet FTP command to
connect to the computer FTP.CSN.ORG. Change to the ''mpj'' directory and
retrieve the file called README. Use a text editor to read the README file,
which contains some fairly complex instructions on how to get the actual
Nautilus file.
This computer has been set up so that the program cannot be downloaded by
people located outside the United States. ''I intend to follow all laws
regarding the release of cryptography,'' he said.
------------------------------
Date: Wed, 10 May 1995 09:25:28 -0400 (EDT)
From:
[email protected] (Jeremy Epstein -C2 PROJECT)
Subject: Microsoft "Bob" passwords
The May/June 1995 issue of InfoSecurity News reports that Microsoft Bob
(Microsoft's "user-friendly" front end to Windows) has a "feature" that if
you mistype your password three times in a row, it concludes that you've
forgotten it, and asks if you want to change it. The Microsoft product
manager says "It's not really an attempt at security" (no kidding!).
If this is what "user-friendly" systems have to offer for security,
I think I'll retreat to the world of paper tape and punch cards!
--Jeremy Epstein, Cordant Inc.
------------------------------
Date: Thu, 11 May 1995 12:20:52 GMT
From:
[email protected] (Ivan Goldberg)
Subject: Internet Addiction
[ Article crossposted from comp.multimedia ]
[ Author was Ivan Goldberg ]
[ Posted on Thu, 11 May 1995 12:14:59 GMT ]
As the incidence and prevalence of Internet Addiction Disorder (IAD) has
been increasing exponentially, a support group, The Internet Addiction
Support Group (IASG) has been established. Below are the official criteria
for the diagnosis of IAD and subscription information for the IASG.
Internet Addiction Disorder (IAD) - Diagnostic Criteria
A maladaptive pattern of Internet use, leading to clinically significant
impairment or distress as manifested by three (or more) of the following,
occurring at any time in the same 12-month period:
(I) tolerance, as defined by either of the following:
(A) A need for markedly increased amounts of time
on Internet to achieve satisfaction
(B) markedly diminished effect with continued use
of the same amount of time on Internet
(II) withdrawal, as manifested by either of the following
(A) the characteristic withdrawal syndrome
(1) Cessation of (or reduction) in Internet use
that has been heavy and prolonged.
(2) Two (or more) of the following, developing within
several days to a month after Criterion 1:
(a) psychomotor agitation
(b) anxiety
(c) obsessive thinking about what is happening
on Internet
(d) fantasies or dreams about Internet
(e) voluntary or involuntary typing movements
of the fingers
(3) The symptoms in Criterion 2 cause distress or
impairment in social, occupational or another
important area of functioning
(B) Use of Internet or a similar on-line service is engaged in
to relieve or avoid withdrawal symptoms
(III) Internet is often accessed more often or for longer periods of time
than was intended
(IV) There is a persistent desire or unsuccessful efforts to cut down
or control Internet use
(V) A great deal of time is spent in activities related to Internet
use (e.g., buying Internet books, trying out new WWW browsers,
researching Internet vendors, organizing files of downloaded materials.)
(VI) Important social, occupational, or recreational activities are
given up or reduced because of Internet use.
(VII) Internet use is continued despite knowledge of having a persistent
or recurrent physical, social, occupational, or psychological
problem that is likely to have been caused or exacerbated by
Internet use (sleep deprivation, marital difficulties, lateness for
early morning appointments, neglect of occupational duties, or
feelings of abandonment in significant others)
Subscribe to the Internet Addiction Support Group by e-mail:
Address:
[email protected]
Subject: (leave blank)
Message: Subscribe i-a-s-g
Ivan Goldberg, MD, 1346 Lexington Ave NYC 10128 212-876-7800
[email protected]
[email protected] http://avocado.pc.helsinki.fi/~janne/ikg/
------------------------------
Date: 13 May 1995 11:48:49 -0400
From: "Marc Rotenberg" <
[email protected]>
Subject: Re: more on CNID
From EPIC ALERT 2.04:
Calling-Number-ID Blocking Fails in Pennsylvania and Wisconsin
Following the disclosure by the New York Times that Calling-Number-ID
blocking had failed in New York State, newspapers report that at least two
other states have had similar problems with the controversial phone service.
The Philadelphia Inquirer reported on March 1 that the phone numbers
of more than 13,000 Bell Atlantic customers were improperly disclosed.
Bell Atlantic did not inform the customers or the Public Utility
Commission for several weeks, until they corrected the problem. The
phone company described the problem as "human error" in many cases and
a software programming error in others. The Pennsylvania PUC is
investigating to see if Bell Atlantic violated state law by not
informing customers of the error when it was discovered.
Last month, after the NYNEX problems in New York State were uncovered,
Ameritech revealed that nearly 1,000 customers in Wisconsin also were
unprotected after signing up for the service.
Marc Rotenberg, Electronic Privacy Information Center, 666 Pennsylvania Ave SE,
#301, Washington, DC 20003 202-544-9240 ftp/gopher/wais cpsr.org
------------------------------
Date: Thu, 11 May 1995 13:55:22 -0500
From:
[email protected] (David P. Miller)
Subject: The Risks of trying to teach someone that doesn't want to learn
STUDENTS SUE COLLEGE OVER COMPUTER COURSE (Edupage, 9 May 1995)
Two students won the lawsuit they brought against New York's Pace University
when an instructor for a beginner's course in computing gave a homework
assignment the students thought was too hard: calculating the price of an
atom of aluminum on Friday given such information as the price of aluminum
on Wednesday, the rate change between the prices of the metal on Wednesday
and Friday, the atomic mass of aluminum, the value of Avogadro's number
(6.02 X 10 to the 23rd power), etc., etc. The students handled their own
case against the university, and asked the teacher to answer such questions
as: "Do you this was a good choice for a beginning class?" The judge
decided: "Students are consumers. There is nothing holy or sacred about
educational institutions." (Wall Street Journal 5/9/95 A1)
The judge seemed to mistake the product of educational institutions as being
the work that is given out (rather than the learning that results from doing
the work).
This article is short on details (did the rest of the class think this was
hard? Was the grade in the course based heavily on this assignment? How was
the course advertised?). But I cannot imagine the details that would justify
the judge finding for the plaintiffs. (especially since, at heart, this is a
trivial problem). The only excuse I can think of is that the judge (along
with those students) perceives computers as inherently difficult, and
therefore any course which is not obviously hand-holding the students must
be fundamentally advanced.
David P. Miller, MITRE Corporation, 7525 Colshire Drive, McLean, VA 22102
(703)883-7667
[email protected] http://www.ai.mit.edu/people/dmiller/dpm.html
------------------------------
Date: Mon, 8 May 95 10:18:52 +0200
From:
[email protected] (Torsten Lif - Cyberspace Cyclist)
Subject: Cellular disturbances
I have one to add to the recent article about cellular phones being
banned from hospitals.
A week ago, one of my fellow sysops had to reboot one of our SUN servers. He
was installing some software on one server when his cellular phone rang and
the console terminal (a VT220-clone) of another server started "hiccupping"
badly. After he power-cycled it, the server had halted and wouldn't start
without a full reboot. As he was sitting there staring at the row of
consoles, his cellular phone rang (again) and another terminal crashed!
This time it was sufficient to "c"ontinue the server so there was only a
halt of a few seconds, but the implication is clear. We carry those cellular
phones to be available quickly in case a server goes down. Instead, the
phone was the cause of a crash.
The new (European) digital "GSM" cellular standard produces lots of
interference as can be heard on any radio or even HiFi amplifier within a
few feet of a GSM phone in operation. An apparently "idle" phone next to any
critical electronic equipment is a time-bomb waiting to go off since an
incoming call to it automatically triggers bursts of transmissions as the
phone acknowledges the call. This means that banning the use of them may not
be enough - people don't tend to think of just carrying a phone as "using"
it. They must be turned OFF.
As an aside, the previous (analog) cellular standards did not cause nearly
as much interference despite operating in the same 900 MHz band. At the
worst, they might "blank out" radio receivers momentarily but we never
observed them interfering with digital equipment. Now, the European Union is
pushing GSM as its sole cellular standard and is trying to force operators
to phase out analog systems to provide more channels for digital. I think
we've only seen the tip of this iceberg yet...
Torsten Lif, Ericsson Telecom AB Stockholm, Sweden
[email protected]
------------------------------
Date: Fri, 05 May 1995 21:29:54 -0400
From:
[email protected] (Mark Moore)
Subject: GPS Risks
All of the talk of time recently reminded me of an article in the
March/April 1995 issue of ``Ocean Navigator'' entitled `GPS-derived time
baffles NOAA researcher' written by Dan Endres of the Climate Monitoring and
Diagnostics Lab near Point Barrow, Alaska.
In this article he discusses the discrepancies he discovered in time as
reported by WWV and his Garmin GPS-50 receiver. He ``found a discrepancy of
up to 1.5 seconds between the time readout of a Garmin GPS-50 and time as
broadcast by WWV.''
He decided to compare several GPS receivers with a GOES synchronized clock
and all of the GPS units showed the same problem. After a discussion of the
differences between UT (UT0, UT1 (GMT), and UT2), ET, and AT he reports the
assurances of the manufacturers that the GPS units report accurate UT. What
his own testing found was that the GPS receivers would ``start out
displaying time very close to the 486-DC (GOES sync'd clock), and within 15
minutes would drift to settle at between 1 and 1.5 seconds slow.''
After several additional phone calls, a technician (employer not mentioned)
explains that there is indeed a software problem "and that all the
manufacturers were aware of it but not sure how to fix it, or if it was even
worth fixing because of the small error." The author explains the obvious
risk of shipboard personnel relying upon GPS time for a high degree of
accuracy.
There are, of course, the usual additional risks of blindly relying on
technology manufactured by people who are reluctant to admit to problems.
The parallels to the Intel FPU situation are clear, though I expect no
outcry from the GPS using population. They have other, bigger problems
enumerated in earlier editions of RISKS. The moral is also the usual one:
If the results matter, verify.
Mark Moore, Technical Consultant (and novice celestial navigator)
Renaissance Solutions, Inc.
[email protected] [email protected]
------------------------------
Date: Fri, 12 May 1995 15:19:30 +0000
From:
[email protected] (neil youngman)
Subject: GPS landing systems
I was just reading about proposals for a GPS based Instrument Landing System
to replace current systems (Scientific American, April 1995). One system
disconnects the autopilot and sounds the alarm if it detects a problem with
the GPS.
I hope the captain is right on the ball if the autopilot suddenly
disconnects at low level! It might be better to sound the alarm and let the
captain override the autopilot?
Neil Youngman
------------------------------
Date: Thu, 4 May 95 20:03:56 PDT
From:
[email protected] (Paul Eggert)
Subject: Problems with wrong assumptions about date conversion
I see several problems with programs that arbitrarily reject dates
before 1753, as Sybase does according to Matthew Healy in Risks 17.11.
* Even if we restrict ourselves to 20th-century dates, it's unwise to
expect a general-purpose database server to implement the local civil
calendar accurately. Some parts of the world did not switch to the
Gregorian calendar until as late as 1920. Should a database server
in, say, Athens reject a 1915 birthday?
* Even if we assume locations now in the USA, it's unwise to assume
that 1753 is the correct cutoff date; Alaska did not switch to the
Gregorian calendar until 1867.
* Several countries switched to the Gregorian calendar as early as
1582, and it's incorrect to prevent historical applications in these
countries from using early Gregorian dates merely because England
hadn't switched yet.
In general, it is easier to document, use, debug, and internationalize
programs that assume the Gregorian calendar all the way back to at
least the Year 1. Specialized applications requiring other calendars
can do conversions as necessary, perhaps using standard conversion
libraries.
For more on this subject, including an extensive set of conversions
between all sorts of calendars, please see the following references.
Calendrical conversion routines by E M Reingold are widely available as
part of GNU Emacs.
N Dershowitz and E M Reingold, Calendrical calculations.
Software--practice and experience 20, 9 (Sep 1990), 899-928.
E M Reingold, N Dershowitz, and S M Clamen, Calendrical calculations
II: three historical calendars. Software--practice and experience
23, 4 (Apr 1993), 383-404.
------------------------------
Date: 5 May 1995 12:01:28 -0600
From:
[email protected] (Tom Wicklund)
Subject: Re: Year 2000? Don't forget 1752!
There's an additional risk from the fact that different nations
switched calendars at different times. Catholic countries switched in
the 1500's, but England didn't because at the time (Henry VIII and
Elizabeth I) the reformation was in full swing and anything Catholic
was bad.
I saw a comment about this when studying the Spanish Armada. The
Spanish dates will all be about 10 days off of the English, which
creates problems comparing dates between the records of each country.
------------------------------
Date: Fri, 5 May 1995 09:36:42 -0400 (EDT)
From:
[email protected] (Frederick B. Cohen)
Subject: ASIS articles Webbed
The American Society for Industrial Security's (ASIS) Security Management
Magazine is now making select articles available on an experimental basis
over World Wide Web. This WWW area is still under development, but you
might want to read a fine article about the problems of erasing
electromagnetic media no on-line in this area. The URL is:
http://all.net:8080
------------------------------
Date: 24 April 1995 (LAST-MODIFIED)
From:
[email protected]
Subject: ABRIDGED Info on RISKS (comp.risks) [See other issues for full info]
The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you. BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...]
REQUESTS to <
[email protected]> (which is not yet automated). [...]
CONTRIBUTIONS: to
[email protected], with appropriate, substantive Subject:
line, otherwise they may be ignored. Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious. Diversity is
welcome, but not personal attacks. [...]
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
RISKS can also be read on the web at URL
http://catless.ncl.ac.uk/Risks
Individual issues can be accessed using a URL of the form
http://catless.ncl.ac.uk/Risks/VL.IS.html [...]
RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP. [...]
[Back issues are in the subdirectory corresponding to the volume number.]
------------------------------
End of RISKS-FORUM Digest 17.12
************************
