Subject: RISKS DIGEST 18.63

Subject: RISKS DIGEST 18.63

RISKS-LIST: Risks-Forum Digest Tuesday 26 November 1996 Volume 18 : Issue 63

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
Mars Probe crashes (Ben Morphett)
Massive NY tax fraud (Mich Kabay)
Complexity of the airplane pilot's interface (Mich Kabay)
Bell Atlantic 411 outage (Rich Mintz)
DIMACS Network Threats workshop, Rutgers, 4-6 December 1996 (Rebecca Wright)
Year 2000 Problem Will Cause Lawsuits, Bankruptcies (Edupage)
Y2K *Guardian* article on retroactive liability (Martin Minow)
Danish government puts its own records on the Web, illegally (Ketil Perstrup)
Badly placed hardware (Abigail)
Digital footprints on the Internet (Martin Minow)
"Disappearing Cryptography" by Peter Wayner (Rob Slade, Peter Wayner)
Re: Effects of the next cycle of solar interference (McInnis)
Risks of believing what you read: Re: Irish rock band (Stuart Woodward)
The SEI Conference on Risk Management (Carol Biesecker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 21 Nov 1996 09:28:23 +1100 (EST)
From: Ben Morphett <[email protected]>
Subject: Mars Probe crashes

When the Russian Mars probe crashed earlier this week, it provided an
interesting example of the difference between precision and accuracy.

The first reports said that the probe would crash land in central Australia,
bringing with it 200 g of plutonium. State emergency services all over
Australia went into yellow alert. Soldiers were mobilised.

From the TV pictures, the first estimates of where it would land were
anywhere in an area about 2000 km across. The next reports said that it
would be landing at about the New South Wales/Queensland border, and they
seemed to think it would come down somewhere in an area about 500 km across.
The next reports said that it would come down somewhere in an area in the
north west of New South Wales, and the precision of this estimate seemed to
be about 100 km.

As it turned out, it came down about 2000 km west of Chile, in the Pacific
Ocean, a third of the way around the world from Australia.

So as the precision of the reports was increasing, the accuracy of the
reports was about staying about the same - very wrong.

Ben Morphett [email protected]

------------------------------

Date: 22 Nov 96 12:36:43 EST
From: Mich Kabay <[email protected]>
Subject: Massive NY tax fraud

Hacker Scheme, By KAREN MATTHEWS, Associated Press Writer
NEW YORK (AP) -- City workers, in exchange for bribes from property
owners, falsified computer records to eliminate nearly $13 million in
unpaid taxes in a scheme called the largest tax fraud case in New York
City history. [Associated Press news wire via CompuServe's Executive News
Service, AP US & World, 22 Nov 1996]

The author makes the following key points:

o Some tax records erased.
o Other records falsely indicated as paid using funds from legitimate
payments by innocent victims.
o So far, 29 people charged in federal court.
o 200 more expected to be charged.
o $13M of debts erased.
o $7M in interest lost.
o Fraud thought to have started in 1992.
o Investigation started in 1994.
o In a section particularly intriguing for RISKS and NCSA FORUM participants,
the author writes, ``Three employees of the city collector's offices
exploited computer "glitches" to make it appear that unpaid taxes had
been paid, officials said.

More, no doubt, as the case unfolds.

M. E. Kabay, Ph.D. (Kirkland, QC), Director of Education
National Computer Security Association (http://www.ncsa.com)

------------------------------

Date: 25 Nov 96 16:06:50 EST
From: Mich Kabay <[email protected]>
Subject: Complexity of the airplane pilot's interface

This item from last week in Executive News Service on CompuServe caught my eye:

Pilots said stretched to limit by cockpit high-tech
Reuters World Report, 20 Nov 1996

LONDON, Nov 20 (Reuter) - Airline pilots are being stretched
to the limit by increasingly complex cockpit technology and need
radically different training methods to cope in future, a top
medical aviation specialist said on Wednesday.

The article makes the following key points:

o Dr Michael Bagshaw is head of aviation medical services at
British Airways. He wonders, "Are we perhaps reaching the
limit to pilots' mental processing capacity?"

o However, he answered in his address in London to the Royal
Society in London , "On the face of it we may have reached a
plateau. But experience shows that having reached a plateau,
we then move on again."

o According to the expert, "In both military and commercial
aviation the complexity of the environment is increasing.
Automation is being developed but the question remains
as to whether the automation relieves workload or increases it."

o "If we examine the accident rate by type of aircraft, it
can be seen that although the overall trend is down ... new
highly-automated types have a relatively higher accident rate."

o In some cases, plane design prevents manual overrides
even if the automated system is in trouble.

o The increasing use of CRT and LCD displays means that what
used to be on separate dials now appears, in the words of the
author of the article, "on one cluttered computer
display, which meant pilots needed to spend more time
interpreting what they were seeing."

o Dr Bagshaw added, "We are starting to see some of the
limitations of information processing. This is the weak
link -- information is derived from a number of sources.
It has to be integrated, then interpreted, and the appropriate
action taken to use that information appropriately."

o The changes in technology necessitate new methods of training:
"I think we can move on from the plateau by altering the
way we approach training. We've now reached a watershed by
accepting that human error is normal," said Baghshaw after his
speech. "The old approach was to think that human error was a
mistake which should be avoided. Now we have to assume it will
happen and instead assess how pilots cope with error."

M. E. Kabay, Ph.D. / Director of Education
National Computer Security Association (NCSA) http://www.ncsa.com

------------------------------

Date: Tue, 26 Nov 1996 11:18:10 -0500
From: Rich Mintz <[email protected]>
Subject: Bell Atlantic 411 outage

On Monday 25 Nov 1996, Bell Atlantic -- the local telephone company serving
the mid-Atlantic region of the USA, including Philadelphia and Washington,
D.C. -- saw an outage of several hours in its telephone directory assistance
service, due (apparently) to an errant operating system upgrade on a
database server. For unknown reasons, the backup system also failed. The
result was that for several hours, telephone operators ended up taking
callers' requests and telephone numbers, looking the requested information
up in printed directories, and calling the callers back with the
information.

Apparently, the problem was solved by backing out the software upgrade.
Significantly (in my opinion), the Washington Post's article on the outage
mentioned this fact (albeit in slightly less technical language), which is
yet another indication of the pervasiveness of software, and of the growing
number of people in society at large that are generally aware of software
and how it works.

------------------------------

Date: Mon, 25 Nov 1996 14:57:02 -0500 (EST)
From: Rebecca Wright <[email protected]>
Subject: DIMACS Network Threats workshop, Rutgers, 4-6 December 1996

DIMACS Workshop on Network Threats

Sponsored by the DIMACS as part of the 1996-97 Special Year on Networks

December 4-6, 1996

DIMACS Center, CoRE Building (Computer Research and Education)
Rutgers University Busch Campus
New Brunswick, New Jersey, USA

Workshop organizers:
Steve Bellovin, AT&T Labs - Research, [email protected]
Peter G. Neumann, SRI International, [email protected]
Rebecca Wright, AT&T Labs - Research, [email protected]

As the use of computer networks, and in particular the Internet, has
increased, so has the potential threat to security. In the last several
years, we have seen numerous security-related attacks on Netscape, Java, and
the Internet protocols. New protocols and systems for electronic commerce,
secure financial transactions, and other applications are being introduced,
and are being deployed quickly, and on a large scale. This workshop aims to
bring together theorists and practitioners working in areas related to
network security in an informal setting to foster discussion regarding the
nature of the threat and what we, as researchers, can do to help manage it.

Confirmed speakers:
Steven M. Bellovin (AT&T Labs - Research)
Bill Cheswick (Bell Labs)
Shiu-Kai Chin (Syracuse University)
Cindy Cullen (Bellcore)
Drew Dean (Princeton University)
Yvo Desmedt (University of Wisconsin - Milwaukee)
Ed Felten (Princeton University)
Robert J. Hall (AT&T Labs - Research)
Catherine Meadows (Naval Research Laboratory)
Peter G. Neumann (SRI International)
Sarvar Patel (Bellcore)
Jean-Jacques Quisquater (Universite de Louvain)
Alexis Rosen (PANIX Public Access Networks Corporation)
Avi Rubin (Bellcore)
Adam Shostack (Consultant)

There is still room in the schedule for a few more talks. If you
would like to give a talk describing current, unpublished work, please
e-mail a 1-2 page abstract (postscript or plain ASCII text) to Rebecca
Wright at [email protected].

MORE INFORMATION:

The full workshop program, plus information regarding registration,
travel and local arrangements for this workshop can be found at:

http://dimacs.rutgers.edu/Workshops/Threats/index.html

------------------------------

Date: Sun, 24 Nov 1996 15:12:08 -0500 (EST)
From: Edupage Editors <[email protected]>
Subject: Year 2000 Problem Will Cause Lawsuits, Bankruptcies

At a recent meeting sponsored by the Electronic Banking Economics Society,
one speaker predicted that a bankruptcy rate of between 1% and 5% could
result directly from costs related to fixing the notorious "Year 2000
Problem." "If you have not yet begun a Year 2000 conversion today, you will
not be able to convert by 2000," he said, noting that there are only 150
weekends left to work on systems affected by the problem. If companies
choose to ignore the problem, they'll be liable for millions in lawsuits
brought by shareholders when company stock prices begin to plummet. Only
one third of U.S. companies are addressing the problem, with another third
entering the preliminary discussion phase, and the other third doing
nothing. Still, that's better than the rest of the world: "Britain is three
steps behind the United States on this issue, Europe about 10 steps behind
the United States on the issue, and Japan is about 15 steps behind the
United States on the issue," the consultant said. (*BNA Daily Report for
Executives*, 20 Nov 1996, A16; Edupage, 24 Nov 1996)

------------------------------

Date: Thu, 21 Nov 1996 16:26:33 -0800
From: Martin Minow <[email protected]>
Subject: Y2K *Guardian* article on retroactive liability

The online edition of the Guardian newspaper has an interesting article on
the year 2000 problem; concentrating on the legal responsibility of software
and hardware vendors.

The article quotes Stephen Castell, a consultant in computer technology:
"Castell believes that around the beginning of 1992 is the earliest time
from which suppliers may be liable. He says, "The problem was sufficiently
recognised in the industry from around then, and systems developers should
have considered moving on from the two-figure date." However, if it is
correct that the potential problem should have been obvious, courts may be
less indulgent to developers who overlooked it even before 1992."

http://go2.guardian.co.uk/computing/961121coonUpagainstthecloc.html
(Note that the Guardian may only archive articles for a short time.)

Martin Minow [email protected]

------------------------------

Date: Fri, 22 Nov 1996 15:28:58 +0100
From: [email protected] (Ketil Perstrup)
Subject: Danish government puts its own records on the Web, illegally

Many of the requests processed by local government offices are requests for
information from government records. This fact has given the Danish
Ministry of Research a seemingly brilliant idea: Making government records
available on the World Wide Web would free local government officials from
processing these requests.

The first government records were made public on October 1 on
<http://ditdanmark.nethotel.dk/vurdering/>. The information was taken from
the land and building property evaluation records of the Danish Tax
Ministry. These records are used by employees in the tax offices of the
local government for taxation of land and building property. The published
information included the following for each piece of land and building
property in Denmark: Location, owner, estimated value, date and price
(including down payment) of last sale (if sold since last evaluation of the
property in 1992), debts to local government, rental value for
non-residential property (if rented) and further notes intended to assist
evaluation.

On the October 15 the records were made inaccessible when the large,
reputable Danish newspaper Berlingske Tidende published a critique by
professor Erik Fr�kj�r from the Department of Computer Science at
Copenhagen University. Two thing were criticized:

1. The records could be copied without explicit permit by anyone with
access to the Internet, something which is not allowed according to the
Danish Public Authorities' Registers Act.

2. The last three items in the list above were confidential information and
could not legally be published under Danish law.

Access to the records was reestablished the next day when the offending
items had been removed. At that time the publisher, Kommunedata, assured
the public and the Danish Data Surveillance Authority ("Registertilsynet")
that the records could not be copied. The company also publicly explained
that Erik Fr�kj�r could not possibly have copied the records except by
means that were not entirely legal.

Soon after this a group of researchers contacted the Danish Data
Surveillance Authority to demonstrate that the records are easily copied
(with entirely legal means), but the offer of a demonstration has been
declined by the Authority. Copies of the case obtained from the Authority
under the Danish Freedom of Information Act show that the Authority has been
made aware by other means that copying is possible. Despite this the
Authority refuses to take action based on this evidence so WWW access is
still possible. The only change since the reopening has been removal of most
of the information about sales when the Court in �rhus informed the
Authority that this information is not and should not be publicly available.

This is the first case known to me of government records being published on
the World Wide Web. The case is instructive: There has been repeated valid
objections to the legal basis on which the records are made available. This
and the fact that the continuing operation of this service is not important
for anything but the reputation of the parties involved, leads me to expect
that access ought to be at least temporarily suspended until the questions
were resolved.

This case demonstrates a large collection of security problems inherent to
World Wide Web publication of government records as well as a lot of legal
problems that will not be mentioned here. These problems are probably
compounded because both the Danish government and Kommunedata wants to be
perceived as technologically advanced and "Internet-friendly".

1) The original records were used by the employees in local tax offices, so
information that was not meant to be disclosed publicly was maintained
together with the evaluation of each piece of property. When the records
were made available on the World Wide Web without cleanup, confidential
information was disclosed. Moral: When sensitive information is put to use
in a new way it should be checked to make sure that all information is
appropriate for the new use.

2) The Danish Data Surveillance Authority does not have its own technical
staff, so it wasn't able to asses the correctness of the claim made by the
publisher, Kommunedata, that the records could not be copied. Moral:
Government authorities should not rely on experts employed by the companies
that are checked. When new types of problems are encountered the government
should use their own or independent security experts to assess the claims
made by companies.

3) It is not possible to prevent information published on the Internet from
being copied, so information that must not be copied should not be available
on the Internet.

4) Until now the companies and government authorities involved has ignored
criticism from computer professionals. Moral: Government officials does not
automatically listen when professionals criticize security. If the critique
goes against official policy you might very well be ignored or worse, no
matter how serious the problem is.

5) Denmark prides itself on its large information systems in the public
administration. These information systems have been accepted by the public
because of a set of very restrictive laws governing these records and strict
attention to security. Other governments may be tempted to publish similar
records on the World Wide Web because when the security-conscious Danes do
it, it must be OK.

6) To add insult to injury the programs used by Kommunedata to control
access to the records performs no parameter validation which shows that
this publication probably has yet more security problems in store.

Despite the problems with publication of the records the Ministry of
Research and Kommunedata wants to make even more sensitive and personal data
available on the World Wide Web in the future. I shudder as I contemplate
the consequences.

Ketil Perstrup ([email protected])

------------------------------

Date: Thu, 21 Nov 1996 01:52:04 -0500 (EST)
From: "Abigail" <[email protected]>
Subject: Badly placed hardware

Two days ago, I was in a computer room of a large financial institution. A
whole range of different computers is in that room. One (PC) setup consisted
of a tower on the ground, and a monitor and keyboard on a table. Nothing
usual here. But the monitor was placed on a box which had switches for the
monitor, the tower, and a printer, and a masterswitch, on one end, and
cables on the other. The switches where facing forward.

The machine was happily minding its own - important - business.

My partner and I were working on a different machine. At one moment, he
gives way to let me handle the machine. He puts his elbow on the table,
slightly disturbing the keyboard, which is moved enough to just have the
master switch break the contact for a moment, causing the machine to crash.

- "Is that serious?", he asked.
- "It is a live machine..."

When I left two hours later, at least 5 people had been trying to get it
working again, and at least 10 nervous people asked what was going on. They
were still trying to boot it.

Today I was in the room again. They had turned the box 90 degrees.

Abigail

------------------------------

Date: Thu, 21 Nov 1996 12:21:15 -0800
From: Martin Minow <[email protected]>
Subject: Digital footprints on the Internet (Article in UK Guardian)

The online edition of the UK Guardian newspaper has a long article on the
way that "Internet users leave traces and records of every online action,
from sending e-mail or posting to newsgroups to visiting Web sites."

... At the moment unwanted e-mail is about the limit of the intrusion, but
this could change. Internet commentator Dominique Paul Noth points out:
"You have no guarantee that the information is intelligently or even
accurately employed to your benefit." As more information is collected, it
is more useful to those collecting it - and less easily controlled.

... One alternative is making yourself anonymous by deleting cookie files
and using mail programs that disguise your identity.

However, making yourself anonymous online means that you cannot
personalise Web pages, ask for information via e-mail, or join mailing
lists. The issue, as Noth and other commentators recognise, is more to do
with how this information is used. Credit card companies know what we are
buying, and there is a legal framework to control their use of this
information. There is no such framework in force for online information.

It seems that the very lack of "real world" controls over online activity
which many Internet users favour has created the environment in which
marketing companies can thrive. As long as the Internet is seen as somehow
outside the reach of the law, then there will be those who abuse its
freedom. So as you surf for Christmas presents, look out for surprises in
your mailbox as a result.

The full article is at
http://go2.guardian.co.uk/internet/961121wwonDigitlafootprint.html
(However, note that newspaper articles on the Web are often only
visible for a short time.)

Martin Minow [email protected]

------------------------------

Date: Mon, 25 Nov 1996 11:15:46 EST
From: "Rob Slade" <[email protected]>
Subject: "Disappearing Cryptography" by Peter Wayner

BKDSCRPT.RVW 960902

"Disappearing Cryptography", Peter Wayner, 1996, 0-12-738671-8, U$29.95
%A Peter Wayner [email protected]
%C 1300 Boylston Street, Chestnut Hill, MA 02167
%D 1996
%G 0-12-738671-8
%I Academic Press Professional
%O U$29.95 +1-617-232-0500 +1-800-3131277 [email protected]
%P 295
%T "Disappearing Cryptography"

The title seems to allude to, and the book jacket definitely trumpets,
steganography, the act or art of "hiding in plain sight". An example of a
steganographic message would be one which appears to be an innocuous and
ordinary family letter, but which carries detailed information in the
background. One chapter of the book does deal with this type of encryption,
although only in terms of hiding text data in pictures. The book as a whole
seems more like a collection of essays on topics related to encryption.

The topics represented cover a broad range of information science. The level
of detail provided varies, but in general the explanations are fairly simple.

copyright Robert M. Slade, 1996 BKDSCRPT.RVW 960902
Vancouver Institute for Research into User Security Vancouver Canada V7K 2G6
[email protected] [email protected] [email protected]

------------------------------

Date: Tue, 26 Nov 1996 09:43:08 -0500
From: [email protected] (Peter Wayner)
Subject: "Disappearing Cryptography" by Peter Wayner

Rob Slade is right. Much of my book, _Disappearing Cryptography_ is filled
with simple discussion. It was intended to offer many casual readers some
insight into how morphable information can be. This is a highly important
technical topic these days because of the battles over encryption
regulation. Sure, I could have written a nerd opera, but that wouldn't have
helped people without an advanced degree in number theory. This topic is so
important for policy that I wanted to try and spread the knowledge around a
bit.

I think he's wrong on other counts. The book discusses how to use
error-correcting codes, encryption, dining cryptographers networks,
compression functions, and compiler technology to make information look like
something else. I think that each of these solutions offers a unique way to
make information `disappear' because, if it looks like something innocuous,
then it escapes detection.

My home page (http://www.access.digex.net/~pcw/pcwpage.html) has the table
of contents for those that are interested. Feel free to write if you have
more questions. [A minireview by your moderator is in RISKS-18.17. PGN]

------------------------------

Date: Thu, 21 Nov 1996 10:52:43 -0600 (CST)
From: [email protected] (McInnis)
Subject: Re: Effects of the next cycle of solar interference (RISKS-18.62)

I guess one's man's poison is another man's feast.

I got a kick out of the article about the problems that could be caused by
the next peak of the 11-year sunspot cycle. Most of us amateur radio
operators are waiting in breathless anticipation for the sunspots to pick up
because it "turns on" some of the radio frequencies to long range
communications. It's sort of like a starry-eyed 4 year old kid waiting for
Christmas hearing someone grumbling about how they don't like Christmas.

Also, the 11-year sunspot cycle has been going on for several hundred years
since the last gap in the cycle. It says something about our technology
that some systems might not be prepared for it. It's like someone being
surprised that it's getting cold as winter approaches. ("Gee, didn't it
start getting cold about this time last year, too?")

73 de KB5YAC Mickey McInnis - [email protected]

------------------------------

Date: Fri, 22 Nov 1996 17:13:18 GMT
From: [email protected] (Stuart Woodward)
Subject: Risks of believing what you read: Re: Irish rock band (RISKS-18.62)

> ... first group to be burglarized on the Internet [?]

Those who are following this story will already know that the samples from
U2's new album were not ""siphoned off" along cables feeding the band's own
video camera", that provides a one day delayed view of U2's studio
activities, but were copied from a promotional video that was sent out from
Island Records to their office in Hungary. The video was reported to have
been borrowed and samples taken from it - a purposely degraded recording -
were uploaded to a web page on the Internet.

The story seems to have got very quickly elaborated to include hackers. The
hacker aspect appears to have come from the quote in the Sunday Times from a
"former hacker":

Hackers may have used the camera as a door into the studio's computers
where the new songs are stored.

The real risk here is that it seems that newspapers don't employ anyone
qualified to proofread and follow up their Internet related stories. (Also
c.f. the recent Observer story about pornography on the Internet).

------------------------------

Date: 25 Nov 1996 20:30:22 GMT
From: [email protected] (Carol Biesecker)
Subject: The SEI Conference on Risk Management

The SEI Conference on Risk Management: Managing Uncertainty in a Changing
World April 7-9, 1997, The Cavalier Hotel, Virginia Beach, Virginia.
Planned in cooperation with the Society for Risk Analysis, the IEEE Computer
Society, the Hampton Roads SPIN, and the Best Manufacturing Practices
Association; cooperation with Software Program Managers Network is pending.

[Featured renowned keynote speakers, distinguished presenters, contributed
presentations, papers, tutorials, workshops...]

For additional information about the conference, contact
SEI Customer Relations, Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA 15213
Phone, Voice Mail, and On-Demand FAX 412 / 268-5800
[email protected]
World Wide Web: http://www.sei.cmu.edu

Event Registration: Contact
Events, Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA 15213-3890
Phone, Voice Mail, and On-Demand FAX 412 / 268-7388
FAX 412 / 268-7401
Internet [email protected]

------------------------------

Date: 15 Aug 1996 (LAST-MODIFIED)
From: [email protected]
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively,
(via majordomo) DIRECT REQUESTS to <[email protected]> with one-line,
SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
INFO [for unabridged version of RISKS information]
=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk
subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to [email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
The ftp.sri.com site risks directory also contains the most recent
PostScript copy of PGN's comprehensive historical summary of one liners:
get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 18.63
************************