Subject: RISKS DIGEST 17.18
REPLY-TO:
[email protected]
RISKS-LIST: Risks-Forum Digest Thursday 15 June 1995 Volume 17 : Issue 18
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for further information, disclaimers, etc. *****
Contents:
Flash: Netflashing unflashionable [Exon ...]
Another TCAS incident (Stephen L Nicoud)
Re: Europe - Central Air Traffic Control (Jim Wolper)
Sun's "talk" program (Steve Kilbane)
Multo ante natus eram (Bernard S. Greenberg via Donna Woodka)
U.K. Lottery Computers Hit by Gremlins (Mich Kabay)
``Fatal Defect: Chasing Killer Computer Bugs'' by Ivars Peterson (PGN)
"Computer error" not a basis for suppressing evidence (Curt Karnow)
Gambling on the Internet (Samuel Edward Greenfield)
Re: "Nautilus foils wiretaps" (D.J. Bernstein)
The risk of not caring about Prodigy (Bob Morrell)
Flawed instructions for anonymous mail (Tony Harminc)
Absurd New Zealand copyright violations (Bruce Johnson, J. Wilson,
Chuck Karish, Mike Hocker)
One Week Course on Internet Security, July 24-28, at Stanford (Arthur Keller)
People, Networks and Communication... an invitation (Robert Mathews)
ABRIDGED Info on RISKS (comp.risks) [See other issues for full info]
----------------------------------------------------------------------
Date: Thu, 15 Jun 95 11:22:41 PDT
From: "Peter G. Neumann" <
[email protected]>
Subject: Flash: Netflashing unflashionable [Exon, Exoff; Exrated, Execrated?]
For the benefit of the RISKS archives, if nothing else, let me note that the
U.S. Senate voted 84 to 16 yesterday for the Exon amendment to the
telecommunications bill. Senator Exon's measure imposes fines up to
$100,000 and prison terms up to two years for knowingly transmitting
indecent material over a computer network accessible to minors. It also
applies to "obscene lewd, lascivious, filthy or indecent" comments,
requests, or suggestions intended to annoy or harass.
Decidedly in the minority of senators on this issue, Senator Leahy produced
a stack of petitions from some 35,000 people (presumably most of whom used
E-mail) who believe that Exon's measure is a serious threat to
constitutional rights, free speech, and the Internet.
------------------------------
Date: Thu, 8 Jun 95 07:59:26 PDT
From: Stephen L Nicoud <
[email protected]>
Subject: Another TCAS incident
*Aviation Daily* reports in its "Intelligence" section 8 Jun 1995 that an
erroneous command in TCAS (Traffic Alert and Collision Avoidance system)
nearly resulted in a midair collision Sunday involving a United 737 and a
Viscount Air Services 737, both on approach. After both aircraft received a
TCAS warning, the United airplane began to climb from 10,000 feet to 12,000
feet while the Viscount plane started to descend to 10,000 feet. The
aircraft came within 200 feet of each other before controllers instructed
the Viscount flight to return to 11,000 feet. The incident occurred in the
``Northwestern portion of the U.S.''
Stephen L Nicoud <
[email protected]> [Disclaimers]
------------------------------
Date: Thu, 8 Jun 95 10:42:51 -0600
From: Jim Wolper <
[email protected]>
Subject: Re: Europe - Central Air Traffic Control (James, RISKS-17.17)
Mike James asked "What happens if the ATC goes off-line while you are in the
air?" I am an instrument flight instructor, and this is one of the major
points of instrument training. There are very specific rules about which
routes and altitudes a pilot must use, as well as when s/he can begin the
landing approach to the airport. Basically, the pilot must follow the
clearance given by ATC, at the altitude to which the aircraft has been
cleared (there are exceptions that enable the aircraft to safely climb for
higher terrain). The landing approach should begin at the Estimated Time of
Arrival computed from the actual time of departure and the time enroute
specified in the flight plan.
The primary purpose of the ATC system is to separate aircraft operating
under Instrument Flight Rules (IFR), and the _assumption_ is that ATC knows
the pilot's intentions so they can clear out the necessary airspace.
Clearances are formulated to prevent potential collisions in the event of
widespread communications outages (for example, I was once approaching a
busy airport under IFR and the approach controller accidentally turned off
his transmitter).
The system is by no means perfect, but there are backup modes in place, and
all operators (pilots and ATC) are trained in their use. The
human-in-the-loop aspect also makes the system more robust. Pilots and
controllers know to try to contact each other over many different
frequencies and methods (eg, in the approach control incident above, we used
the local controller's frequency to call someone in the same building. It
is also common for ATC to have Flight Service, a different agency, contact
aircraft with lost communications over navigational frequencies, private
frequencies, and the like.) The worst case scenario -- complete outage of
ATC radio communications -- would probably be handled by pilots using
air-to-air communications. (This is in fact the standard for separation of
IFR traffic in more remote sections of Australia.)
Jim Wolper, CFII Department of Mathematics Idaho State University
------------------------------
Date: Tue, 13 Jun 1995 14:56:41 +0100
From:
[email protected] (Steve_Kilbane)
Subject: Sun's "talk" program
I don't know whether this applies to many variants of "talk", but this hit
me on a SunOS 5.3 box.
Talk allows direct interaction with another user elsewhere on the network.
Each user types text into a "window" on the screen, and the other user sees
the text appear on the other window on their own screen. The problem is that
when one user breaks the connection, the program also terminates for the
other user.
In my case, I was just finishing off a line ("bye") and hitting return when
the other user disconnected. "by" had been read by talk, leaving "e\n" to be
read by my shell.
The RISK, of course, is that users can accidentally invoke potentially
damaging commands by doing this. All I did was run a line editor, but
supposing I'd been giving advice: "whatever you do, don't type [exit] rm -rf
$HOME"...
Steve <
[email protected]>
------------------------------
Date: 8 Jun 1995 22:45:59 GMT
From: "Bernard S. Greenberg" <
[email protected]>
Subject: Re: Multo ante natus eram
[A woodka tonic forwarded to RISKS by Donna Woodka <
[email protected]>, who
probably knows my penchant (or even pun-chant) for Multics tales.
Thanks to Bernard for having fortifived our archives and providing
evidence that Multics still lives! PGN]
Ward Anderson at ACTC just reported an interesting crash on Multics (10.2)
at ACTC -- Collection 1 initialization discovered that I became 45 years old
Tuesday past, an event which was extremely unlikely, and crashed the system
before the clock did damage to the file system, or so it feared.
The code in scs_and_clock_init is perfectly clear - the time "06/06/95 18:31
est Tuesday" is hard-coded in, in characters, with the comment that it is
"Bernard S. Greenberg's 45th birthday". It has been there for twenty years
in plain text visible to anyone reading the code! (I loved to read code in
my day, especially initialization - perhaps I was the last?)
Maybe Tom Van Vleck remembers, but it is extremely likely that twenty years
ago at CISL our operator at the time for the nth and last time forgot to set
the clock, or set it poorly, and damaged the file system (which looks quite
askance on "back to the future" jaunts), and Tom and I said "This has to
end. We have to put a gullibility check in the clock init code", and I did
this. Probably saved a lot of file system damage over the years. If I had
it to do over again, I'd do it over again! This code did the -right-thing-!
At 25, I could not imagine I'd ever be 45, let alone that
scs_and_clock_init.pl1 would be there along with me! Somehow, though, 65
doesn't seem that far away any more...
As Ward said, this is a -real- Multics story.
Bernie
[email protected]
--------------------------------
Date: 12 Jun 95 18:24:33 EDT
From: "Mich Kabay [NCSA Sys_Op]" <
[email protected]>
Subject: U.K. Lottery Computers Hit by Gremlins
>From the Press Association (U.K.) news wire via CompuServe's Executive News
Service, 10 Jun 1995
LOTTERY COMPUTERS HIT BY GREMLINS, by Sarah Vincent, PA News
National Lottery computer outlets throughout the UK crashed today -- ahead
of tonight's expected record [pounds] 20 million jackpot prize-draw.
Terminals across the country failed just after 11.30am when part of the
satellite network broke down. Engineers traced the failure to a piece of
equipment at the Camelot headquarters which was replaced and the
system was running within 15 minutes.
Other points in the article:
o Breakdown definitely not due to resource saturation; was not
busiest time in their history.
o 51 terminals affected country-wide.
M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)
------------------------------
Date: Wed, 14 Jun 95 15:19:53 PDT
From: "Peter G. Neumann" <
[email protected]>
Subject: ``Fatal Defect: Chasing Killer Computer Bugs'' by Ivars Peterson
Fatal Defect: Chasing Killer Computer Bugs
Ivars Peterson
Times Books (Random House)
1995
ISBN 0-8129-2023-6
Ivars Peterson is a fine writer who is well-known for his articles in
_Science News_ on physics, math, and computers. His fourth book (``Fatal
Defect ...'') is a wonderfully readable work that threads its way gently
through some computer-system problems that will be familiar to those of you
who are old-time RISKS readers. Peterson does this with a fresh view of the
problems and their origins, so that the book is worth reading by everyone --
experienced and novice, young and old, technologists and nontechnologists,
optimists and pessimists. Peterson also brings to life many of the people
behind the scenes, some of whom are quite familiar to RISKS readers.
------------------------------
Date: Thu, 8 Jun 95 12:27:44 PDT
From:
[email protected]
Subject: "Computer error" not a basis for suppressing evidence
Original-Subject: Unlawful arrest based on computer error does not lead to
exclusion of evidence
<From: Curt Karnow [Landels, Ripley & Diamond] <
[email protected]>
The United States Supreme Court in Arizona v. Evans (March 1, 1995)
discussed an illegal arrest precipitated by a "computer error." A man was
arrested based on what police officers thought was an outstanding warrant
for his arrest; in fact the warrant had been quashed; court clerical
personnel had failed to clear the warrant from their computer system. The
police thus had no legal basis for the arrest.
Following the arrest, the police found a bag of marijuana. The issue was
whether the marijuana evidence should be suppressed (which would have the
effect of dismissing the case). The state court threw out the evidence under
the old suppression rule -- holding that the "fruit" (drugs) of the
poisonous tree (the illegal arrest) should not come into evidence. The U.S.
Supreme Court reversed, and held that the purpose of the exclusionary rule
-- to encourage proper police procedures -- would not be furthered by
tossing the evidence.
The Supreme Court found that excluding the evidence would not have a
significant effect on the actions of court personal, and thus that errors by
court clerks were not a basis for excluding evidence. The Court did not
address whether court personnel's outright misconduct, and such personnel's
deliberate efforts to violate peoples' constitutional rights, would lead to
the exclusion of evidence, but the reasoning in this case strongly suggests
that such misconduct would *not* lead to exclusion.
------------------------------
Date: Tue, 6 Jun 1995 17:36:14 -0400 (EDT)
From: Samuel Edward Greenfield <
[email protected]>
Subject: Gambling on the Internet
A Clarinet brief, news:
[email protected], if
you have Clarinet, stated that a group of people would like to "bring
the thrill of casino gambling to the Internet."
There are clearly many risks to this. First, there is no way to
verify that the person gambling is who they say they are. That is, I can
easily steal someone's credit card and spend money at a digital casino
without them knowing. Of course, if I win, the other person might be happy
if their credit card is credited, but chances are, I will lose their money.
Second, there is no way to verify the age of the player. There are
already problems with minors gambling in real casinos and there will
certainly be a problem with minors gambling in virtual ones.
Third, there is absolutely no way to tell if the house is cheating
or not. At least in a real casino, there are video tapes of the dealer or
operator and independent auditors. I am curious who the digital gambling
houses will hire to audit their systems.
Fourth, what happens when bugs are discovered in the code? This can
cut both ways: the computer might give away too much money, or the computer
could never let anyone win.
The brief on Clarinet said the Justice Dept. said gambling via the
Internet may break many laws. However, even if it doesn't, I think people
would really be taking a big risk by gambling on the Internet. (Of course,
that is really the point of gambling anyway, isn't it?)
Sam
[1st, crypto-based authentication technology is progressing,
but will never be completely foolproof. 2nd, NO WAY is perhaps
too strong. 3rd, NO WAY, perhaps; you could have bonded/trusted
third-parties -- although the casinos would object. 4th, bugs?
Gee, you think there might be bugs? BTW, see Home Gambling Network
(Kabay), RISKS-16.86, and my April Fools' semispoof in RISKS-17.02
for some further background on this topic. PGN]
------------------------------
Date: Thu, 8 Jun 1995 15:43:16 -0700
From: "D. J. Bernstein" <
[email protected]>
Subject: Re: "Nautilus foils wiretaps" (PGN comment on Back, RISKS-17.16)
PGN comments on the cryptographic mailing label shown in the New York Times:
> As I recall, the left margins were (intentionally?) fuzzied.
Strangely enough, the same mailing label was published the same day in
the Washington Post, with the _right_ margins fuzzied. Anyone who picked
up both papers could easily piece together the whole label.
Which paper has violated the export control laws?
Okay, I'm kidding about the Washington Post, but the question remains.
---Dan
------------------------------
Date: Tue, 6 Jun 1995 15:11:39 -0400 (EDT)
From: Bob Morrell <
[email protected]>
Subject: The risk of not caring about Prodigy
In RISKS-17.17, I worried out loud about the broader possible implications
of the recent ruling against Prodigy.
My concern was, and remains, that by viewing Prodigy as a newspaper because
it exerts =some= editorial control, the courts failed to make distinctions
both of degree and technology. Like the moderator of this forum, I worried
about forums which may be edited (by post rejection) to increase signal
noise ratios, or to eliminate off topic posts. Such forums, could, if the
Prodigy ruling reflects a lack of discernment by the courts, be forced to
discontinue or begin much more controlled editing. I found this somewhat
incredible, since it meant that the ruling could well lead to more
censorship, and worse, less forums.
To my surprise, my mailbox began filling with mail from individuals quite
happy about the ruling, most specifically, happy about any discomfort to
Prodigy. Now, I am neither a friend to censorship nor to Prodigy, but I
found the enmity towards this private business puzzling. After all, anyone
is free to subscribe or not subscribe. While I oppose censorship, I also
oppose interfering with what private businesses offer to their customers.
Since, to my knowledge, Prodigy never guaranteed that the facts in any post
appearing on their system were true, to hold them liable is to force them to
do something for their customers that was not in the contract voluntarily
agreed to by both Prodigy and its subscribers.
The RISK I am perceiving is this: the popular net bias against filters,
censors, and restricted info access, (however justifiable) has created such
hatred against Prodigy, which appears to be practicing the most control of
any provider (though still nothing like a newspaper) has people cheering
over its loss in the courts despite the fact that the ruling holds grave
risks to the internet and its culture as a whole.
Bob Morrell
[email protected]
------------------------------
Date: Tue, 13 Jun 95 13:37:00 PDT
From: HARMINC Tony <
[email protected]>
Subject: Flawed instructions for anonymous mail
Frank Magazine, an Ottawa based satirical/gossip magazine solicits
assistance (leaks) on various hot topics via their Web page
http://www.achilles.net/~frankmag/ :
"FRANK is currently conducting inquiries into the subjects listed below.
Any assistance you could render in this regard would be greatly
appreciated. To let us know about without tipping off your
electronic-surveillance-happy superior, just delete the name and e-mail
address in your browser's mail preferences file." ...
Later they have more detailed instructions for temporarily removing one's
name and address from Netscape.
Whether Frank actually believes that this will defeat corporate/government
mail snoops isn't clear, but there are probably going to be some people who
act on their advice and get burned.
Tony Harminc Antares Alliance Group Toronto Software Development Centre
[email protected]
------------------------------
Date: 13 Jun 1995 17:59:42 GMT
From:
[email protected] (Bruce Johnson)
Subject: Absurd New Zealand copyright violations (Re: Ronald, RISKS-17.17)
Here is a prime example of the idiocy (IMHO) of non-technically
oriented lawyers expounding on copyright infringement on the internet...
these are the same people that say, technically, you need two legal copies
of any form of software, because it is read off the disk into memory, so you
have two copies at once. Both lead to situations where the law is completely
unenforceable.
Given the growing popularity of the Web as a internetworking
paradigm, the only way to avoid your copyrights being violated is to keep
your material off the Web...a dandy way to ensure that a significantly
smaller audience (market?) has anything to do with your work.
Carried to it's logical, if utterly absurd conclusion, reading
anything is a copyright violation, because we certainly store significant
quantities of the information in our brains.
When a user browses ANY sort of information on a computer, a
temporary copy is made, even if only in a screen buffer.
When opinions like this get floated about, unfortunately, the
real issues of maintaining copyright protections in a distributed network
environment like the Web get buried in the silly stuff, which in the
present (at least in the US) legal climate leads to 'ban everything'
stupidity.
Bruce Johnson Information Technology/College of Pharmacy
The University of Arizona
[email protected]
------------------------------
Date: Sat, 10 Jun 95 06:17:00 UTC
From:
[email protected]
Subject: Absurd New Zealand copyright violations (Re: Ronald, RISKS-17.17)
Similar thinking allegedly prevails in the committee appointed to
study copyright law under US Vice President Al Gore's "Reinvention of
Government" program, as reported in the April, 1995 issue of SCIENTIFIC
AMERICAN.
Literal interpretation of the New Zealand Act's language as quoted
above would prevent many uses in the classroom as well as boardroom. A
simple overhead projector would produce a "transient" copy on the silvery
screen, to name one instance.
One may presume that "fair use" or a general license for educational
purposes would allow the overhead projector use, but how does this differ
from using a web browser to allow all of the audience to view the same
document? Quibbling with the definition of "medium," I could argue that the
virtual images created by eyeglasses constitute a copy. Should we wish to
pursue the matter ad absurdum, an image of the material is stored in the
colloidal medium of the viewer's central nervous system, though this may be
considered an abstract only, at least given this RISKS reader's memory.
The RISK is of course making sweeping provisions in law that at the
time of legislation seem to encompass very little, while human innovation
tiles those sparsely-settled plains more quickly with each passing year.
------------------------------
Date: 12 Jun 1995 07:06:26 GMT
From:
[email protected] (Chuck Karish)
Subject: Absurd New Zealand copyright violations (Re: Ronald, RISKS-17.17)
I've seen and heard a number of "warnings" of this sort. They strike me as
belonging in the same category as Chicken Little's concern that the sky is
falling, for two reasons.
First, the fact that someone who owns the rights to a piece has published it
to the World Wide Web can be construed as permission to make a transient
copy for the purpose of viewing and/or listening to the piece. Someone who
wishes to prevent others from keeping more persistent copies of such works
should protect the relevant rights by causing a statement of reservation of
rights to be presented alongside the works to be protected.
Second, the people who own the copyrights and the people who make the laws
that govern them (a) are not all idiots and (b) do talk to each other. The
problem on this level is easy to fix. There are much more difficult
problems concerning intellectual property on the Web and the Internet.
Let's not spend too much effort worrying about the trivial ones. --
Chuck Karish
[email protected] 415 323 9000 x117
------------------------------
Date: Tue, 13 Jun 95 14:57:41 EDT
From:
[email protected]
Subject: Absurd New Zealand copyright violations (Re: Ronald, RISKS-17.17)
>New Zealand's Copyright Act defines copying to include "storing the work in
>any medium by any means". ...
Any medium/any means? How about if the work is memorized?
_Reductio ad absurdum_ perhaps... a new way to avoid schoolwork:
the assignment to memorize the passages requires illegal behavior!
Mike Hocker (
[email protected])
------------------------------
Date: 13 Jun 1995 06:14:39 GMT
From:
[email protected] (Arthur Keller)
Subject: One Week Course on Internet Security, July 24-28, at Stanford
The Western Institute of Computer Science announces a Practical Week-long
Course for Consultants, Educators, Government and Industry Scientists and
Engineers on INTERNET SECURITY, at Stanford University July 24-28, 1995.
This course is taught by leading researchers and practitioners in the area
of internet security: Arthur M. Keller, Dave Crocker, Tina M. Darmohray,
Whitfield Diffie, Mark Eichin, Gail Grant, Lance Hoffman, Sushil Jojodia,
Peter Neumann, Allan M. Schiffman, and William Wong. Participants will
receive a grounding in internet security, familiarity with current concepts
and issues, and exposure to the most important research and development
trends in the area.
Connecting to the Internet brings both unparalleled information resources
and unparalleled security dangers. Protecting computer systems and networks
from attacks is a critical and ongoing process. Equally important is
protecting corporate intellectual property assets from inappropriate access.
This course will examine a variety of network security topics, including
protecting against intrusion, detecting and tracking intruders, and
repairing damage after intrusion.
The course will begin with a survey of basic security concepts, followed by
a detailed description of cryptography. We will then cover Internet
security architecture and identification and authentication. The course
will then cover specific security technologies. These include network
firewalls, which provide perimeter security, intrusion detection systems,
Kerberos and addition of security to existing network applications, secure
messaging, secure payments, and World Wide Web security, including Secure
HTTP and SSL. This course will also analyze security issues for electronic
commerce, such as viruses and cryptographic policy. We will also show a
videotape presentation on SATAN by Dan Farmer, one of its developers.
FOR INFORMATION: Call Western Institute of Computer Science at (916) 873-0575;
OR E-mail to
[email protected];
OR WRITE to P.O. Box 1238, Magalia, CA 95954;
OR FAX (916) 873-6697.
[Tell them RISKS sent you, and see if they know what that means.]
------------------------------
Date: Tue, 13 Jun 1995 18:23:10 -1000 (HST)
From: Robert Mathews ICICX-PNC <
[email protected]>
Subject: People, Networks and Communication... an invitation
For our academic, scientific and educational colleagues who are participants
in the IT, CS, IRM, Computer/Information/Network Security, Integration,
Interoperability, Network Services, Network Metrics or Policy fields, please
consider this your PERSONAL invitation to PNC - People, Networks and
Communication '95..
TITLE: " PNC - People, Networks & Communication '95 " (C)
THEME: " Turning 21 - A Journey to Maturity in Communications" (C)
TOPIC: " The Emergence of Application, Information Technology & Policy
for the 21st Century."
DATES: October 30 - November 3, 1995
VENUE: Mid-Pacific Conference Center, Hilton Hawaiian Village Resort.
Honolulu; Island of Oahu - " The Gathering Place ", Hawaii.
For information, send E-mail to:
[email protected]
Sponsored by ICICX - International Community Interconnected Computing
eXchange / The Pacific Network Consortium Ltd., involved in Information
Technology Research, Planning & Practice.
Dr. Ernest Kho, Jr. Mr. Robert Mathews.
Conference Chairman Conference Coordinator
University of Hawaii. ICICX
Telephone: + 808.933.3383 Telephone: + 808.921.2097
Telecopier: + 808.933.3693 Telecopier: + 808.921.2097
E-mail:
[email protected] E-mail:
[email protected]
------------------------------
Date: 24 April 1995 (LAST-MODIFIED)
From:
[email protected]
Subject: ABRIDGED Info on RISKS (comp.risks) [See other issues for full info]
The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you. BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...]
REQUESTS to <
[email protected]> (which is not yet automated). [...]
CONTRIBUTIONS: to
[email protected], with appropriate, substantive Subject:
line, otherwise they may be ignored. Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious. Diversity is
welcome, but not personal attacks. [...]
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
RISKS can also be read on the web at URL
http://catless.ncl.ac.uk/Risks
Individual issues can be accessed using a URL of the form
http://catless.ncl.ac.uk/Risks/VL.IS.html [...]
RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP. [...]
[Back issues are in the subdirectory corresponding to the volume number.]
------------------------------
End of RISKS-FORUM Digest 17.18
************************
