Subject: RISKS DIGEST 17.74

RISKS-LIST: Risks-Forum Digest  Thursday 15 February 1996  Volume 17 : Issue 74

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc.       *****

 Contents:
China requires registration of Internet access (Li Gong)
GM Plans to Plug Cadillacs into Communication System (Mark Anthony Beadles)
Boza virus: knee-jerk media response more hazardous to wallet (George Smith)
At-work Web browsing? (Sean Reifschneider)
Federal Court enjoins CDA provision (Marc Rotenberg from EPIC Alert 3.04)
Correction to CDA article (Stanton McCandlish)
A simple solution to the CDA risk (Russ Broomell)
Seatbelts and the CDA, history repeats? (A. Padgett Peterson)
Re: Wildcard inconsistencies in Windows 95 (George C. Kaplan)
100% not spent on hospitals by a long way (Philip Overy)
Re: Lack of Common Sense is Biggest Risk of All (George C. Kaplan)
Re: Possible future risk of virtual reality (Michael Brady, Mark Meuer,
   Barton C. Massey, Brad Davis)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 15 Feb 1996 11:16:52 -0800 (PST)
From: Li Gong <[email protected]>
Subject: China requires registration of Internet access

The (Chinese) People's Daily (overseas edition, Feb.15, page.4) relays
a news report of Feb. 14 by the New China News Agency, which announces
that the Chinese Ministry of Public Security (the police) has issued a
regulation that requires any institutions and individuals connecting
to or disconnecting from the Internet to register with the local police
authority within 30 days.  Non-registration will lead to penalty.

The regulation is said to cover all direct and indirect network access
to areas outside China (including Taiwan, Hong Kong, and Macau).  The
report says that as of July of 1995, China has more than 40,000
end-points that are networked [it is unclear if they are all connected
to the Internet or just the domestic networks].  It says that the
regulation is a first important step towards computer security
enforcement, and more regulations are expected.

Li Gong, SRI International, http://www.csl.sri.com/~gong/

  [Also noted by  Al Stangenberger <[email protected]>.  PGN]

------------------------------

Date: Thu, 15 Feb 96 16:54:58 -0500
From: Mark Anthony Beadles <[email protected]>
Subject: GM Plans to Plug Cadillacs into Communication System

Article: "GM Plans to Plug Cadillacs into Automatic Communication System"
WSJ, February 9, 1996, Page B3, Column 1

In summary, GM is introducing a system in its high-end automobiles that will
"automatically call for help" in an accident, including flashing lights and
honking the horn.  Called the OnStar system, it is scheduled to appear as an
option in the 1997 front-wheel-drive Caddies.  According to the article, it
is activated by the air bag being deployed.  In addition to honking and
flashing, the system will transmit (to whom was not clear) the location of
the car in event of accident, theft, or "other emergencies". The system also
includes navigational assistance that works throughout the US, using the car
telephone as the output device.

OnStar's managing director, Chet Huber, is attributed as saying, "the
company has done extensive market research that says drivers want a greater
sense of security and control." Tying the car into a nationwide
communication system that can track your every move and control your car is
evidently how they intend to accomplish this.

The RISKS here are numerous, in my mind:

1. A `false alarm' condition could cause the emergency transmissions,
 flashing lights, and honking horns, when there is in fact no emergency.
 This is similar to the present risks associated with home alarms.

2. Tracking the location of one's car can be a benefit (prevents you
 from getting lost in the Mojave), but it can also allow people to
 find you when you don't want them to. Cars have traditionally been
 seen as private havens in the US.

3. The system could give wrong navigational information to the driver.
 Who will be verifying the nationwide database of road information?
 The driver could follow the system's recommendations and become lost.
 Come to think of it, I guess that's an argument for having item 2.

Mark Anthony Beadles  [email protected] - http://www.acm.org/~beadles

------------------------------

Date: Thu, 15 Feb 1996 15:46:29 -0600 (CST)
From: Crypt Newsletter <[email protected]>
Subject: Boza virus: knee-jerk media response more hazardous to wallet

Recently, the Associated Press newswire triggered another round of
ridiculous computer virus alarms with a story on the Boza/Bizatch
computer virus, an admittedly barely infectious parasite on Win95
executables.  Attributed to the VLAD Australian virus-writing group,
due to the equivalent of a computer underground press release embedded
in the virus extolling VLAD members and their technical virtuosity
vis-a-vis writing them, Associated Press reporter Sue Leeman
issued a news brief and it echoed internationally.

In a pattern of action and reaction that has become standard for
many computer virus stories reported in the mainstream press, the
Boza piece generated countless questions from on-line users who thought
they were in danger from it, although realistically they were
statistically more likely to be hit by an automobile than the virus in
their lifetime.  The original Associated Press story attributed to Sophos'
Paul Ducklin the statement that the Boza virus wasn't on the loose, but most subsequent
news stories and fragments derived from it, including copycat
press releases from other vendors, stripped this from the original.
The Associated Press story wound up being printed in toto or in
fragments in countless newspapers around the country that subscribe
to the newswire.

A good example, but only one of many, was a prominently displayed bulletin
mounted on the Compuserve "What's New" public announcement board.  This
board is displayed to callers every day and it contained a warning about the
Boza virus and a tip to head to Thunderbyte Anti-virus's spot on the service
for a cure.  However, the fact that the virus wasn't in circulation or even
likely to be so, while present in the original seed AP piece, was gone.

The results were predictably confusing.  Some PC users on Compuserve who did
not even have Windows 95 installed on machines concluded they might have
been exposed to Boza. I noted similar results on other networks like FIDO
and in Usenet newsgroups.

The Boza mini-panic, coming as it does close to the Michelangelo virus
anniversary on March 6, illustrated the need for consistent media criticism,
particularly when it comes to certain varieties of technology stories, like
those dealing with computer viruses.  A few rules of thumb to keep in mind
when dealing with this type of thing are:

1. Computer virus stories are the best vehicle in which software developers
selling cures can pimp for their products. Even if the virus is shown to be
pathetic as a public menace, interest in those cited will always peak
transiently during the run of the story. This amounts to software sales and
on-line time spent through commercial services offering information or
software fixes through download, even if it's unnecessary.

2. Being the first vendor mentioned in a story like Boza throws competitors
immediately on the defensive, scrambling to recover and fueling the story in
the process.  Even though competing companies may have known of a virus
weeks previously and quietly written cures into software as the usual course
of business, the average PC user - after reading this type of story - is
given the impression everyone else was asleep at the wheel.  This sets off a
chain reaction in which competitors quickly release copycat press releases
which drive developments and strip more information from the primary seed in
an effort to maximize exposure. Those vendors who don't do this often face
tons of witless support questions from those needlessly frightened by the
news in on-line computer help forums. They also face a transient image that
they've been caught flat-footed by competing vendors who've been more
successful at generating publicity. From a consumer standpoint, this leads
to counter-productive behavior in which some vendors, burned by the lack of
exposure, gear up to generate even more press releases on potential future
threats _before_ they materialize.

3. It encourages some vendors to increase their contact with known active
virus-writers and their groupies so that they will be the first to receive
new viruses, which may or may not (more often "not") work.  This is a nasty
spiral which tends to encourage virus-writers to produce more than they
usually would for their "audience." Having written a book on virus-writers,
I've seen this happen more than a few times since 1992.

George Smith, Crypt Newsletter

------------------------------

Date: Wed, 14 Feb 1996 23:40:31 -0600 (CST)
From: Sean Reifschneider <[email protected]>
Subject: At-work Web browsing?

A company I'm working at has had a lot of growth recently on their WWW proxy
servers.  Last Friday evening I was finishing business just as a memo
started its rounds...  It seems that on a given day in January when they
monitored the system, 1100+ connections to ESPNet were made, 800+ to
Playboy, 600+ to Penthouse, etc...

It seems that now that they "have the new proxy servers in place which are
able to log all transactions by source and destination address", they are
going to start logging all "inappropriate" accesses with source destination
IP address and send the appropriate log extracts to the person's boss.

The RISKS?
  Who says that an IP address maps to a person?
  "Click here to see technical specs on the XYZ Widgitifier" (points to
     Penthouse -- haha, fooled 'ya)
  I run a caching proxy server to increase my workgroup's performance and
     reduce load on the company T1 and T3 lines.  It's not really an
     official resource (in that the guys sending out this list don't
     know about it), so it looks like I spend a LOT of time browsing :-)
  Have someone you don't exactly like whose machine is turned off?  Maybe
     they didn't get to the PC today.  Maybe you just install a redirector
     on their machine...  My NNTP redirector took about an hour to write.
  Did anyone actually believe their connections that were going through a
     central proxy were NOT being logged?  Perhaps I've just run a proxy
     site for too long...

I'm sure there will be thoughts of "invasion of privacy", but (a) there are
notices posted all over that personal use of company equipment is a no-no,
and (b) this is a "regulated" industry -- you'd actually be using TAX
dollars to do your web browsing.  The company can get in BIG trouble for
NOT doing everything they can to prevent it from happening.

It's a trend I see coming...

Sean Reifschneider <[email protected]>  URL: <http://www.tummy.com/xvscan>

------------------------------

Date: 15 Feb 1996 20:11:57 -0500
From: "Marc Rotenberg" <[email protected]>
Subject: Federal Court enjoins CDA provision (from EPIC Alert 3.04)

FLASH: Federal Court Enjoins Internet "Indecency" Provision --
ACLU, EPIC, and Others Score Partial Victory in CDA Challenge

A federal judge in Philadelphia has issued a partial temporary restraining
order prohibiting enforcement of the "indecency" provision of the
Communications Decency Act (CDA).  The judge declined to enjoin those
provisions of the Act dealing with "patently offensive" communications.

The court agreed with the plaintiffs' claim that the CDA will have a
chilling effect on free speech on the Internet and found that the CDA raises
"serious, substantial, difficult and doubtful questions."  The court further
agreed that the CDA is "unconstitutionally vague" as to the prosecution for
indecency.  But the court left open the possibility that the government
could prosecute under the "patently offensive" provisions.

The court has recognized the critical problem with the CDA, which is the
attempt to apply the indecency standard to on-line communications.
Nonetheless, online speech remains at risk because of the sweeping nature of
the CDA.

The entry of the court order is a strong indication that the "indecency"
provision of the legislation that went into effect on February 8 will not
survive constitutional scrutiny by a three-judge panel that has been
empaneled in Philadelphia.  The panel will fully evaluate the constitutional
validity of the legislation and consider entry of a permanent injunction
against enforcement of the new law.

The temporary restraining order (TRO) was issued in a lawsuit filed by the
Electronic Privacy Information Center (EPIC), the American Civil Liberties
Union and a broad coalition of organizations.  EPIC is also participating as
co-counsel in the litigation.

The court ruling comes in the wake of widespread denunciation of the CDA,
which was included in the telecommunications reform bill signed into law
last week.

According to EPIC Legal Counsel David Sobel, one of the attorneys
representing the coalition, "The court's decision is a partial victory for
free speech, but expression on the Internet remains at risk.  This is
destined to become a landmark case that will determine the future of the
Internet."  Looking ahead to proceedings before the three-judge panel, Sobel
said "we are optimistic that further litigation of this case will
demonstrate to the court that the CDA, in its entirety, does not pass
constitutional muster."

EPIC has maintained since its introduction in Congress that the ban on
"indecent" and "patently offensive" electronic speech is a clear violation
of the free speech and privacy rights of millions of Internet users.

Comprehensive information on the CDA lawsuit, including plaintiffs' brief in
support of the TRO, is available at:

    http://www.epic.org/free_speech/censorship/lawsuit/

------------------------------

Date: Wed, 14 Feb 1996 19:40:55 -0800 (PST)
From: Stanton McCandlish <[email protected]>
Subject: Correction to CDA article (RISKS-17.72)

Due to a mis-paste [mis-spaced!], I gave out misinformation on who voted
against the CDA in my recent article. The correct version is:

Earl Hilliard (D-AL), Pete Stark (D-CA), Pat Schroeder (D-CO), Neil
Abercrombie (D-HI), Lane Evans (D-IL), Sidney Yates (D-IL), Barney Frank
(D-MA), John Conyers (D-MI), Collin Peterson (D-MN), Harold Volkmer (D-MO),
Pat Williams (D-MT), Maurice Hinchey (D-NY), Jerrold Nadler (D-NY), Peter
DeFazio (D-OR), Timothy Johnson (D-SD), Bernard Sanders (independent-VT)

                            Senators

Dianne Feinstein (D-CA), Patrick Leahy (D-VT), Paul Simon (D-IL), Paul
Wellstone (D-MN), Russ Feingold (D-WI), and John McCain (R-AZ).

 [As you'll note, the string "MN), Russ Feingold (D-" was somehow left
 out, leaving out Feingold, and making it look as if Wellstone is D-WI!
 Many apologies for the error.  SMcC]  [Yes, it was also mis-spaced.  PGN]

   [Stanton's message in RISKS-17.72* was too polemic and slanted for some
   readers, who wondered about why I included it in RISKS.  I had a similar
   reaction, but chose to include it anyway rather than try to censor it
   (!) -- because I had not seen any other appropriate submissions on this
   subject and felt that the subject itself was without doubt worthy of
   mention in RISKS.  Had I written the analysis myself, it would have been
   quite different, but I try to keep RISKS as open a forum as possible
   within the posted guidelines, and very seldom try to edit for content --
   apart from adding interstitial notes such as this one.  PGN]
     [*Typo fixed in archive copy.]

------------------------------

Date: Thu, 15 Feb 96 09:45 EST
From: "Broomell, Russ" <MARKETING/MARKETING/RUSS%[email protected]>
Subject: A simple solution to the CDA risk (McCandlish, RISKS-17.72)

What we have in the CDA, as has been said by many before, is the consequence
of non-technical people making decisions on technology without technical
information.  The internet itself is a complex technological system, but the
content the CDA seeks to regulate is easily understood, with even the
quickest training (i.e. Look, Senator, if you click here you get the Mona
Lisa, but if you click here, you get the Moaning Lisa).  It seems that our
elected officials are too busy even for this brief glimpse.

What many people have overlooked is a simple effective solution that almost
everyone uses - passwords.  While simple password protection is not enough
to ward off a "high-tech" attack, it is usually enough to discourage your
teenager from delving into the sometimes objectionable world of alt.*.* and
some of those chat groups.  I have an on-line service account on one of the
major services, and at least once a week, my teenage son and I "surf the
net" - the 1996 equivalent of "watch TV with your children".  My son does
not know my online password and I change it regularly.  Can he defeat this
code?  Sure, but he can walk down to the corner store and pick up any one of
a dozen "objectionable" publications much easier.  This seems to me an
acceptable risk.  He has learned to be a responsible online citizen.  I feel
that I have handled the risk that the CDA sought to eliminate.

------------------------------

Date: Thu, 15 Feb 96 11:00:48 -0500
From: [email protected] (A. Padgett Peterson)
Subject: Seatbelts and the CDA, history repeats?

Over twenty years ago, Congress passed a resolution that required automobile
manufacturers to restrict use of automobiles unless seatbelts were fastened
and the seatbelt interlocks of 1974 ensued.  Such a public outcry ensued
that the requirement was removed in time for the next year's models.
Fortunately for those with '74s (not a great year for cars in general)
unplugging a single connection on each front seat disabled the mechanism.
In its wake, a more rational system followed with a dashboard warning light
and state laws mandating seat belt use to take the onus of compliance from
the manufacturers, and placing it on the users of the automobiles in states
where prodding was felt appropriate.

I predict a similar fate for the CDA: the US Gov getting out of the conflict,
removing the onus from the service providers, while placing the bulk of the
responsibility back onto users/parents and permitting definition of
community standards *within the communities* and not for the entire net.

To accomplish this, some control mechanism is needed -- but, like the
warning light on the dashboard, a flag could be placed on sites containing
potentially offensive material, a flag for which the software vendors could
provide a "parental control" switch. Not difficult to do, just not done yet.

In Florida, a parent is held responsible if a child gains access to a gun.
Similarly only an adult can purchase a firearm and must show "proof of age".

Along the way we are going to need some sort of Internet "proof of age" - in
the form of a cryptographic ID in which some agency verifies that the holder
is of legal age in the state of residence. True, there will be screams from
the rabid right, but it is necessary, like a driver's license - you do not have to
have one, but if you want to drive a car... Also suspect that since states
have different ideas about what constitutes an adult, the mechanism should
be driven by the states and not the federal government - this would again
defuse many objections.

This prevents the customs peculiar to New York City from affecting the
different cultures of Florida or Texas.

Similarly we need to prevent local mores of Memphis from affecting what
works in San Francisco. (I suspect that some public health warnings I have
seen on SF buses might be illegal in Memphis.)

I do expect good to come from the CDA in that the Supreme Court will have
the opportunity to say "STOP THAT" to some of the more radical elements. It
seems that in some things we must go overboard just to verify that we do not
ever want to do that again. Somehow it works 8*).

Padgett

------------------------------

Date: Thu, 15 Feb 1996 10:17:36 -0800
From: "George C. Kaplan" <[email protected]>
Subject: Re: Wildcard inconsistencies in Windows 95 (RISKS 17.73)

I've never written a program for Windows, but my dimly remembered experience
with MS-DOS indicates that programs get the raw command line parameters, and
it's up to the program to expand the wildcards according to the rules.  It's
not surprising that sooner or later someone would get it wrong on one
command or another.

In contrast, the Unix shell handles the wildcard expansion, and programs
only see the expanded parameter list.  Of course, there are risks here, too,
since there are multiple shells available, each with slightly different
wildcard rules.

George C. Kaplan   [email protected]   1-510-643-5651
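
The contrast drawn in the message above (each program expanding a raw
pattern by its own rules, versus a shell expanding it once, with the outcome
depending on which shell ran), as an added Python example that is not part
of the original digest or any contributor's code.  The three matchers, the
sample file names and the on_no_match switch are hypothetical; they model
rule sets, not any specific MS-DOS or Windows command.

```python
import fnmatch
import glob
import os
import tempfile

# Constructed sample directory contents (not taken from the digest).
SAMPLE_FILES = ["a.txt", "B.TXT", ".hidden.txt", "notes.txt.bak"]


def shell_style(pattern, directory, on_no_match="literal"):
    """Expansion done once, before the program starts, as a Unix shell does.

    glob follows the usual shell rules on POSIX: matching is case-sensitive
    and a leading dot is matched only by an explicit dot in the pattern.
    on_no_match models how shells differ when nothing matches.
    """
    full = os.path.join(glob.escape(directory), pattern)
    hits = sorted(os.path.basename(p) for p in glob.glob(full))
    if hits:
        return hits
    if on_no_match == "literal":   # POSIX sh: the pattern is passed unchanged
        return [pattern]
    if on_no_match == "empty":     # bash with nullglob set: the word vanishes
        return []
    raise LookupError("no match")  # csh, zsh default: command is not run


def program_naive(pattern, directory):
    """Hypothetical program that receives the raw pattern and tests every
    directory entry against it; a leading dot gets no special treatment."""
    return sorted(n for n in os.listdir(directory)
                  if fnmatch.fnmatchcase(n, pattern))


def program_caseless(pattern, directory):
    """Hypothetical program that also expands the raw pattern itself, but
    ignores case, so it disagrees with both expanders above."""
    return sorted(n for n in os.listdir(directory)
                  if fnmatch.fnmatchcase(n.lower(), pattern.lower()))


def compare(pattern, files=SAMPLE_FILES, on_no_match="literal"):
    """Run all three expanders over the same constructed directory and
    return what each would hand to the command."""
    with tempfile.TemporaryDirectory() as d:
        for name in files:
            open(os.path.join(d, name), "w").close()
        return {
            "shell": shell_style(pattern, d, on_no_match),
            "naive": program_naive(pattern, d),
            "caseless": program_caseless(pattern, d),
        }


if __name__ == "__main__":
    for pat in ("*.txt", "*.doc"):
        print(pat, compare(pat))
```

A command that deletes or archives "whatever *.txt matches" acts on a
different set of files under each rule set, and an unmatched pattern reaches
the command as a literal string under plain sh.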

------------------------------

Date: Thu, 15 Feb 1996 07:39:18 -0800 (PST)
From: [email protected] (Philip Overy)
Subject: 100% not spent on hospitals by a long way (Zehr, RISKS-17.73)

There are some quaint ideas in "the measurement of risk" by [email protected]
- I got a good laugh out of the comment about priorities on health spending:

The following type of example should be borne in mind when comparing safety
propaganda and safety spending with "common sense solutions": Asthma is
generally reckoned to be a disease caused by vehicle pollution: In the UK
last year 4m pounds was spent on asthma research; 6m pounds was spent on
POLICING demonstrations against the proposed new M11 road.

The real RISK is that someone like [email protected] works for the risk assessor
who decides whether your local hospital stays open! - tada forgets that when
the individual decides whether to spend all of his or her income on health,
the taxman grabs the Star Wars, the road, the import surcharge/export
subsidy and the MP/congressmen's salary increases before minor problems like
literacy in the local secondary schools are even debated. I am afraid that
example stopped me so dead in my tracks, I was unable to focus on a line of
the remaining eMail, so there's a risk of making statements of "obvious
facts" early on in a technical presentation.

I should think that the size of the drug problem in our two countries
demonstrates that quite a large chunk of the population have no respect
whatsoever for their personal safety, although I am sure their
representatives in congress/the Commons think they have.

As for Telstra's radio emissions, well, I suppose the main problem is that
the last time the electorate read about something with the string "radio" in
it, it was the technical world telling them that radioactivity was good for
you, so it's more a case of "once bitten, twice shy" than "Us vs. Them".

Phil Overy

------------------------------

Date: Thu, 15 Feb 1996 10:34:26 -0800
From: "George C. Kaplan" <[email protected]>
Subject: Re:  Lack of Common Sense is Biggest Risk of All (Gunderson, -17.73)

> Amazing.  I wonder how many people are out there, right now, trying to be
> the first to drive a NASA satellite from home.  [...]

I suppose continued "security through obscurity" is better?  Contrary to
what "name deleted" said, I'm sure there are people who have already
tried to hack into a satellite control system, even before these remarks
were published.  Better to sound a public alarm; it might shake people
who can do something about the problem into action.

George C. Kaplan   [email protected]  1-510-643-5651

------------------------------

Date: 15 Feb 1996 18:19:07 GMT
From: [email protected] (Michael Brady)
Subject: Re: Possible future risk of virtual reality (Cohen, RISKS-17.73)

It seems to me that if we take credit for the good habits developed while
training in VR, we have to consider that bad habits can be developed there
too.  As habits are developed through repetition it seems reasonable that
compulsive video-gamers would be much more susceptible to such a phenomenon.

Some time ago I read (Scientific American?  Wired?) that military aviators
were not allowed to operate real aircraft for some interval after using a VR
simulator.

Michael Brady -- [email protected] -- "We are what we do."

------------------------------

Date: Thu, 15 Feb 1996 10:11:39 -0600
From: [email protected] (Mark Meuer)
Subject: Re: Possible future risk of virtual reality (Cohen, RISKS-17.73)

This is related to a more generic risk relating to trained reflexes.  I once
heard an airline pilot give a talk where he said that he always has his wife
drive him home from the airport when he is done flying for the day.  The
reason for this was that when a plane is on the ground, the rudder controls
(which are foot pedals) are used for steering, and the "steering wheel" of
the plane is not used at all. This pilot said that on more than one occasion
he came close to having an accident in his car because he instinctively
tried to steer with his feet.

Mark Meuer  <>< |Endocardial Solutions, Inc.|(612) 644-7890| [email protected]

------------------------------

Date: Thu, 15 Feb 1996 11:49:34 -0800 (PST)
From: "Barton C. Massey" <[email protected]>
Subject: Re: Possible future risk of virtual reality (Cohen, RISKS-17.73)

Sad to admit, this has almost happened to me already.  My institution of
higher education got an SGI Power Challenge a couple of years ago.  Lovely
machine, which includes a very good flight simulator/dogfight game.  A
couple of times, driving home after 4 hour sessions, I found myself
reflexively flooring the gas pedal, crossing three lanes of traffic, and
cutting in front of a car: there was "obviously" room, as my
simulator-trained perceptions would have it.  I no longer play that game.

Bart Massey  [email protected]

------------------------------

Date: Thu, 15 Feb 1996 15:46:36 -0700 (MST)
From: Brad Davis <[email protected]>
Subject: Re: Possible future risk of virtual reality (Cohen, RISKS-17.73)

This risk has already happened.  A few years ago one of the branches of
the US Military created computerized training material using video, computer
graphics overlays, and a touch screen to train technicians how to repair a
piece of radio equipment.  The actual equipment was shown by video and a
"fault" generated with the graphical overlay.  The student would then
"touch" (using the touch screen) a part to test or remove.  The training
software was changed and the touch screen removed after a number of
graduates were injured (shocked/burned) while touching the real (live) radio.

Brad Davis, Zinc Software Inc., 405 S 100 E #201, Pleasant Grove, UT 84062
[email protected]   Voice: 1 (801) 785-8900  Fax: 1 (801) 785-8996

------------------------------

Date: 14 February 1996 (LAST-MODIFIED)
From: [email protected]
Subject: ABRIDGED info on RISKS (comp.risks)

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you.  BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  [...]
DIRECT REQUESTS to <[email protected]> (majordomo) with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
  INFO     [for further information]

CONTRIBUTIONS: to [email protected], with appropriate,  substantive Subject:
line, otherwise they may be ignored.  Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, nonrepetitious, and without caveats
on distribution.  Diversity is welcome, but not personal attacks.  [...]
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
By submitting an item that is accepted for publication in RISKS, the author
grants permission for unlimited noncommercial public distribution and
redistribution in electronic and print form.  Relevant contributions may
appear in the RISKS section of regular issues of ACM SIGSOFT Software
Engineering Notes or SIGSAC Review.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks

RISKS ARCHIVES: "ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP.  [...]
[Back issues are in the subdirectory corresponding to the volume number.]
  Individual issues can be accessed using a URL of the form
    http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
    ftp://ftp.sri.com/risks

PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest,
  see the INFO file at RISKS-Request (one-line message INFO noted above).

------------------------------

End of RISKS-FORUM Digest 17.74
************************