Subject: RISKS DIGEST 16.82
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 17 February 1995  Volume 16 : Issue 82

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc. *****

Contents:
New York Parking Meters In Violation of Federal Law (A. Padgett Peterson)
Big Brother in the Big House (Peter Wayner)
Computer aids in predicting death (Lauren Wiener)
Hacker Mitnick arrested (Jim Griffith)
Computer addiction and the 6 O'Clock News (Rob Slade)
New Area Codes & PBX Programs (Mich Kabay)
E-mail risks (Vincent Gogan)
Re: Self-disabling software (Bruce Johnson)
Re: Invisible blue zone (David Stodolsky)
CERT Advisory CA-95:04.NCSA.http.daemon.for.unix.vulnerability
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Wed, 15 Feb 95 15:32:24 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: New York Parking Meters In Violation of Federal Law

Re: Notification on Self-Disabling Software (Jeremy Epstein)

This leads naturally to the following item:

(1998): In a surprise move, federal marshals yesterday seized nearly nine million parking meters in New York City, citing violation of the Software Disability Act of 1996.  Consumer advocates praised the move, saying ``the meters all stopped working when the time ran out."  The Parking Violations Bureau issued protests that ``all motorists in NYC were issued a notice on 1 April 1975, along with the courtesy windshield cleaning."  However, these protests were not accepted, because the majority of motorists ticketed were not old enough to have had licenses at the time.

  [I guess April comes early in 1995.
  PGN]

------------------------------

Date: Wed, 15 Feb 95 21:55:36 PST
From: Peter Wayner (pcw@access.digex.com)
Subject: Big Brother in the Big House

The WSJ has a big article on the prison phone call business on Wednesday, February 15, 1995.  The article discusses how the major long-distance companies court prisons because prisoners have nothing better to do than spend heavily on phone calls.

But supplying phone service to prisons is not a risky job, because convicts have a habit of phone and credit card fraud.  They'll call an outside phone number at random, con the person who answers into giving out a credit card number, and then use that number to order goodies for themselves.  So, many prisons require the phone-service providers to provide anti-fraud measures, which include tape-recording equipment and voice-print identification.  Some prisoners have their access to phones restricted, and they try to use someone else's access codes.  The voice print identification can nab these guys.  The technology is now being deployed.

All of this avoids the question of just what is prison in a world where the apartments are smaller and telecommuting is more popular.  If prisoners can dial out, conduct business, and even access the net, the walls seem filled with virtual loopholes.

  [This also gives new meaning to ``Reach out and touch someone."  PGN]

------------------------------

Date: Thu, 16 Feb 95 21:28:46 -0800
From: Lauren Wiener
Subject: Computer aids in predicting death

From _The Oregonian_, 16 Feb 1995, p. D11:

Computer Aids in Predicting Death, by Mike Koller, AP, Philadelphia

[...]

Using a new program, researchers say they are able to predict when a terminally ill person will die with more accuracy than doctors using their own judgment.

The study could help doctors determine which treatments should be given to terminally ill patients and help decide when life-support efforts should be stopped.
``The computer remembers thousands and thousands of cases and keeps the different risk factors in perspective," said Dr. William A. Knaus of George Washington University.  Knaus led the study, published in the Jan. 31 issue of the Annals of Internal Medicine.

``And when we included the survival estimate from the patient's own physician in the model, the two together predicted time until death more accurately than either alone," he said.

The program was developed from June 1989 to June 1991, using information from 4,301 patients.  It was tested from January 1992 to January 1994 on 4,028 patients, Knaus said.

The program, called SUPPORT (Study to Understand Prognoses and Preferences for Outcomes and Risks of Treatments), focused on nine diseases and conditions, such as liver disease, colon or lung cancer, heart or lung disease and multiple organ failure.

Knaus said he was confident that Support will prove reliable and eventually be expanded to predict death rates for other diseases.

Seriously ill patients with a projected life expectancy of six months were entered in the study when they were hospitalized.

[...]

``Most adults say that if they are going to die within a year, they want realistic estimates of their risks, both in the immediate future and during the next few months," Knaus said.  ``This predictive tool is important for its use for counseling very sick patients and their families."

However, not everyone agrees.  Toby Gordon, vice president for planning and marketing at Johns Hopkins Hospital and Health Systems in Baltimore, said the program raises questions.

``Any information that helps us learn how to better take care of patients -- in quality of care and quality of life -- makes a contribution," Gordon said.  ``But whether patients and their families will want to use it is questionable."

He also questioned the ramifications of being able to accurately predict death.
``In the expansion of computer-assisted technology we will see a proliferation of these techniques, bringing into question ethics and rationing of care," he said.

The authors warned that the project has not been tested outside the strictly controlled settings of teaching hospitals.  Its reliability in conventional hospital settings has not been established, they said.

------------------------------

Date: Thu, 16 Feb 1995 23:37:24 -0800
From: griffith@netcom.com (Jim Griffith)
Subject: Hacker Mitnick arrested

KCBS Radio (San Francisco) reported tonight that The Well and Netcom combined efforts, resulting in the arrest of 31-year-old hacker Kevin Mitnick in Raleigh, North Carolina.  Both companies discovered large caches of data being stored on their systems.  At the same time, "a well-known San Diego consultant" discovered security breaches in his system.  This led to vigorous efforts to track the hacker, and after 24-hour electronic surveillance and at least one cellular phone trace, law enforcement officials arrested Mitnick.

Mitnick's early escapades are chronicled in the book _CYBERPUNK_ by Katie Hafner and NY Times reporter John Markoff, and, in fact, Mitnick is accused of breaking into Markoff's computer.  Mitnick, a fugitive from justice, faces up to 30 years in prison for various crimes, including allegedly breaking into NORAD computers.  Law enforcement officials are now wrestling with jurisdictional issues, as Mitnick is wanted for crimes in at least six different jurisdictions.

  [See excellent articles by John Markoff in *The New York Times*, 16 Feb (TWO) and 17 Feb 1995.  I could not begin to excerpt these three long articles, and of course cannot include them in their entirety.  But they are very well done.  PGN]

------------------------------

Date: Thu, 12 Jan 1995 15:09:02 EST  [TIMELY!  Yes, we are backlogged!]
From: "Rob Slade, Social Convener to the Net"
Subject: Computer addiction and the 6 O'Clock News

Hello, my name's Rob, and I'm a ... a ... Netaholic.
They tell me a lot of you have a story like mine.  It started out with a committee and someone at the local university offered me an account, just to keep in touch, you know?  Then, somebody introduced me to "Computers and Society".  I could handle that: it only came every week or so.  Then I got into RISKS-FORUM and the IBM-PC Digest.  That pretty much guaranteed something every day!  I was really smokin', man!  I thought I was just King Modem!

In order to feed my habit, I started pushing.  I was porting Info-Mac to local bulletin boards for access.time.  I started doing unmoderated lists.  Then a friend turned me on to Usenet.  By this time, I was doing about a half a meg a day.

I was hooked, but I wouldn't admit it.  I told myself it was all job-related.  I only read VIRUS-L in order to flog my book.  But why did I have alt.best-of-usenet in my .newsrc?  My wife took to asking, "Is that in real time or computer time," when I said I'd be offline in ten minutes.

I didn't recognize the danger signs.  I could tell people the first alt.adjective.noun.verb.verb.verb group.  My wife left me when I started introducing myself at parties as, "Hi!  roberts@decus.ca.  What's your group?"  I started talking familiarly about people that my friends in Vancouver had never met.  I started hoarding accounts.  When I found out I could never match Bill Murray's two full columns on a business card, it was a real bad trip.  I crashed for a week.

Then, it all fell apart.  My access provider started to go flaky.  I tried Fidonet, but it just wasn't the same.  I ... I ... started reviewing Internet books.  It wasn't a pretty sight.  Soon, I had two bookshelves completely full.  *And* that little pile behind the door where I thought no one could see ...

I finally realized I needed help.  As part of the twelve-step process, I'm telling my story in public.  And I'm going to bust up my modem ... as soon as I do this one more posting ...

___

Yes, I'm sarcastic.  It's an addiction, OK?
Yes, I believe we can all admit that computers can be very addictive.  Programming, itself, is as "moreish" as salted peanuts--and often has a similar effect on the waistline.  Computers are relatively inexpensive, give results with minimal training, are completely under the control of the user (why else call them "personal" computers?) and don't require any particular considerations.

But do they *cause* addiction?

Our society seems to be not merely predisposed to, but actually encouraging of, obsessive behaviour.  The evidence is not limited to lone psychopaths, the drug culture, cults and tragedies such as anorexia nervosa.  Amateur "athletes" who constantly require medical intervention are considered normal.  We don't *really* believe that a workaholic is a problem.  We expect scientists to have no idea of culture and artists to have no idea of technology.

Another newswire report of computer addiction, therefore, adds no new information to the study.  We all know computers can be attractive--but we all know that there is a difference between the fellow (usually male, isn't it?) who runs up enormous bills on the Compuserve CB simulator, and those of us whose work or study requires as much online correspondence as we can afford to give.  In many cases, the computer is not a cause but merely a means.  If it were not the computer, it would be something else.

Recently a co-worker happened to drop the comment that he didn't watch much TV--only about five hours a day.  If that is OK (or even "not much"!) can I spend five hours a day with the modem?  (Can I add an hour for social utility?  As long as I promise not to use Mosaic?)

I am *not* saying that computer addiction cannot be a problem.  If it is, however, let us give some thought to isolating and identifying the difference.
======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733

------------------------------

Date: 17 Feb 95 15:11:06 EST
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: New Area Codes & PBX Programs

An AP item on 17 Feb 1995 reported that many businesses in Washington state and Alabama are having trouble receiving phone calls since new area codes were introduced last month.  The new area codes, 360 in western Washington and 334 in Alabama, are the first in the country not to use a one or zero as the middle digit.  The item reports that PBXs reject area codes that include anything but a 0 or a 1 in the middle position.  The problem will worsen when additional area codes are installed in, among other regions, Los Angeles, Denver, and Tampa.

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn (Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)

------------------------------

Date: Wed, 15 Feb 1995 14:54:36 -0500
From: Vincent Gogan
Subject: E-mail risks (risk of many mail programs)

Most mail programs that I have dealt with share a flaw... they don't indicate to whom a message will be actually sent.  This became particularly evident this Valentine's Day when I received a very warm personal note thanking me for some beautiful flowers and indicating how I always knew how to make this woman happy.  This came as quite a surprise to my wife (and myself)!  ...  Many a sitcom episode has started with a weaker premise than this.  Luckily, my wife would never have fit in with the Three's Company crowd and all is well.

Still, this probably happened because of quite a simple error.  This woman either typed in an alias/nickname that didn't work or just typed the first name of her suitor instead of his account name.  In either case, the mail program should have indicated to whom the message would be sent.
For local addresses (as this was), the actual name of the recipient (as opposed to the account name) should be indicated.

Vincent Gogan  vincent@cs.toronto.edu

------------------------------

Date: Thu, 16 Feb 1995 11:40:28 MST
From: "Bruce Johnson"
Subject: Re: Self-disabling software (Leichter, RISKS-16.80)

If a third party triggers the disable feature, or, even under the right circumstances, the owner of the software (i.e.: the client has paid, but you disable it anyway), that is a felony in most states, theft by control; i.e., embezzling.  If you hold the software to ransom through such an act, it's also a felony.

As a side note... this was used as a plot device in the movie "Single White Female" a few years back, as a revenge sub-plot.

Bruce Johnson, University of Arizona, College of Pharmacy Information Technology Group

------------------------------

Date: Thu, 16 Feb 95 23:03:51 +0100 (CET)
From: david@arch.ping.dk (David Stodolsky)
Subject: Re: Invisible blue zone (Jonas, RISKS-16.81)

> The cancelbots then cancel those postings and I'm essentially barred from
> the internet.

Cancelbots are not normally being used to cancel spams.  The articles are typically selectively cancelled; often one copy will be left in a newsgroup in which it is "on-topic".  Non-spam posts by the same sender are not affected.

  [Also noted by roeber@vxcern.cern.ch (Frederick G.M. Roeber).  PGN]

However, there is now a Call for Discussion (CFD) about reorganization of the news hierarchy.  This could, among other things, create a moderated newsgroup, news.admin.net-abuse.announce, for the posting of announcements, etc., related to abuse.  Opponents fear that a moderated group would give the announcements a stamp of authority that would lead to attacks on the apparent abusers.
Axel Boldt is maintaining an "Internet Advertisers Blacklist".  To quote a draft FAQ, "Administration of Cancel Messages":

   Axel Boldt should be notified about abusive advertisers, so they can be
   added to his Internet Advertiser's Blacklist.  Please use the word
   "Blacklist" somewhere in the subject line.  Make sure to check the last
   version of the List first, so that he won't get multiple complaints
   about incidents already covered.  The newest version is always available
   over the WWW at URL: http://math-www.uni-paderborn.de/~axel/blacklist.html.

> ... I have no way to know to appeal (let alone to whom) and I must get

Fears of this development have led to the organization of the NetNews Judges (TM) List (this is a reformatted InterNIC resource entry):

===========================================================================
Judges-L - NetNews Judges List

Resource Type: Mailing list

Description: The Judges' List distributes messages to a panel of Judges who cancel multiple posts to NetNews immediately.  The List is used to help Judges organize themselves, finalize policy, and set procedures to enforce rules.  It is primarily directed to those who issue cancels.  Secondarily, to those who survey cancels issued, in order to ensure that the cancel facility is not being abused.  The protection of the NetNews system from overload by posts to multiple newsgroups is the focus of activity.

Access: Messages go to: Judges-L@UBVM.cc.buffalo.edu.
        Subscriptions go to: LISTSERV@UBVM.cc.buffalo.edu.

Services:
  Dispute Resolution: Complaints are primarily about spam, multiple off-topic posts.  Posters may also complain about inappropriate cancels.  An opinion is reached via a consensus decision-making procedure based upon private deliberations in which all parties may participate.
  Preparation of Periodic Posts: Frequently Asked Question (FAQ) lists are prepared to inform users about appropriate use of cancel messages, how to file complaints, how the List processes complaints, etc.
Keywords: posting software, law, security mechanism, control message, freedom of speech, censorship, due process, advertisement, chain letter, rumor, conflict resolution, forgery, infection, news administration, kill file

David S. Stodolsky, PhD        * Social *   Internet: david@arch.ping.dk
Tornskadestien 2, st. th.      * Research * Tel.: + 45 38 33 03 30
DK-2400 Copenhagen NV, Denmark * Methods *  Fax: + 45 38 33 88 80

------------------------------

Date: Fri, 17 Feb 1995 17:36:01 -0500
From: cert-advisory@cert.org (CERT Advisory)
Subject: CERT Advisory CA-95:04.NCSA.http.daemon.for.unix.vulnerability

  [Also, see CA-95:03, February 16, 1995, Telnet Encryption Vulnerability, if you are using Berkeley Telnet with the experimental Telnet encryption option using the Kerberos V4 authentication.  PGN]

CA-95:04                         CERT Advisory
                                 February 17, 1995
                                 NCSA HTTP Daemon for UNIX Vulnerability

The CERT Coordination Center has received reports that there is a vulnerability in the NCSA HTTP Daemon V.1.3 for UNIX.  Because of this vulnerability, the daemon can be tricked into executing shell commands.

If you have any questions regarding this vulnerability, please send e-mail to Beth Frank at the NCSA, efrank@ncsa.uiuc.edu.

I.   Description

     A vulnerability in the NCSA HTTP Daemon allows it to be tricked into executing shell commands.

II.  Impact

     Remote users may gain unauthorized access to the account (uid) under which the httpd process is running.

III. Solution

     The following solution was provided by the HTTPD Team at SDG at NCSA.

     Step 1: In the file httpd.h, change the string length definitions from:

        /* The default string lengths */
        #define MAX_STRING_LEN 256
        #define HUGE_STRING_LEN 8192

     to:

        /* The default string lengths */
        #define HUGE_STRING_LEN 8192
        #define MAX_STRING_LEN HUGE_STRING_LEN

     Step 2: Install the following patch, which performs the functionality of strsubfirst (i.e., copy src followed by dest[start] into dest) without the use of a temporary buffer.

     ----[Lengthy patch deleted for RISKS.
     Contact CERT FOLKS.  PGN]----

     After you apply this patch, recompile httpd, kill the current running process, and restart the new httpd.

[The CERT Coordination Center thanks Steve Weeber, Carlos Varela, and Beth Frank for their support in responding to this problem.]

If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in Forum of Incident Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise that the e-mail be encrypted.  The CERT Coordination Center can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT staff for details).

Internet E-mail: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address:  CERT Coordination Center
                 Software Engineering Institute
                 Carnegie Mellon University
                 Pittsburgh, PA 15213-3890
                 USA

CERT advisories and bulletins are posted on the USENET newsgroup comp.security.announce.  If you would like to have future advisories and bulletins mailed to you or to a mail exploder at your site, please send mail to cert-advisory-request@cert.org.

Past advisories, CERT bulletins, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from info.cert.org.

CERT is a service mark of Carnegie Mellon University.

------------------------------

Date: 6 February 1995 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.  Undigestifiers are available throughout the Internet, but not from RISKS.
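Returning to Step 2 of the CERT advisory above: the fix replaces strsubfirst's fixed temporary buffer with an in-place copy.  The following is an added example, not the CERT patch nor NCSA httpd source, of how a bounds-checked version of that operation ("copy src followed by dest[start] into dest") can be written in C.  The names strsubfirst_bounded and translate_alias, the buffer sizes, and the alias and filesystem paths are constructed for illustration.

```c
/*
 * Added example, not the CERT advisory's patch nor NCSA httpd source.
 * A bounds-checked, in-place version of the operation the advisory
 * describes for strsubfirst(): "copy src followed by dest[start] into
 * dest".  The original built the result in a temporary buffer sized by
 * MAX_STRING_LEN (256 bytes in httpd.h), so a long request path could
 * overflow it.  Here the tail is shifted in place with memmove() and the
 * call fails cleanly, leaving dest untouched, if the result would not fit
 * in the caller-stated capacity.
 */
#include <stdio.h>
#include <string.h>

/*
 * Replace dest[0..start) with src, keeping dest[start..] and its NUL.
 * destsize is the capacity of the dest array.  Returns 0 on success, -1
 * if dest is not NUL-terminated within destsize, start is past the end
 * of dest, or the result plus its NUL would exceed destsize.
 */
int strsubfirst_bounded(char *dest, size_t destsize, size_t start,
                        const char *src)
{
    if (destsize == 0)
        return -1;
    const char *nul = memchr(dest, '\0', destsize);
    if (nul == NULL)                       /* unterminated: refuse to touch */
        return -1;
    size_t dlen = (size_t)(nul - dest);
    if (start > dlen)
        return -1;
    size_t srclen  = strlen(src);
    size_t taillen = dlen - start;         /* bytes of dest[start..] kept */
    size_t room    = destsize - 1;         /* leave space for the NUL */
    if (srclen > room || taillen > room - srclen)
        return -1;                         /* would overflow: do nothing */
    memmove(dest + srclen, dest + start, taillen + 1);  /* tail + NUL */
    memcpy(dest, src, srclen);
    return 0;
}

/*
 * Typical use of such a routine in an httpd: expanding a URL alias prefix
 * into a filesystem path.  Returns 1 if path began with alias and was
 * rewritten, 0 if alias did not match, -1 if the rewrite would not fit.
 * (Hypothetical helper; the alias and real paths below are constructed.)
 */
int translate_alias(char *path, size_t pathsize,
                    const char *alias, const char *real)
{
    size_t alen = strlen(alias);
    if (strncmp(path, alias, alen) != 0)
        return 0;
    return strsubfirst_bounded(path, pathsize, alen, real) == 0 ? 1 : -1;
}

int main(void)
{
    char path[64] = "/cgi-bin/test";      /* constructed request path */
    int rc = translate_alias(path, sizeof path, "/cgi-bin",
                             "/usr/local/etc/httpd/cgi-bin");
    printf("rc=%d path=%s\n", rc, path);  /* rc=1, expanded path */

    char small[16] = "/cgi-bin/test";     /* too small for the result */
    rc = translate_alias(small, sizeof small, "/cgi-bin",
                         "/usr/local/etc/httpd/cgi-bin");
    printf("rc=%d path=%s\n", rc, small); /* rc=-1, buffer unchanged */
    return 0;
}
```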
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you.  BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  U.S. users on .mil or .gov domains should contact (Dennis Rears ).  UK subscribers please contact .  Local redistribution services are provided at many other sites as well.  Check FIRST with your local system or netnews wizards.  If that does not work, THEN please send requests to (which is not yet automated).
  SUBJECT: SUBSCRIBE or UNSUBSCRIBE; text line (UN)SUBscribe RISKS [address to which RISKS is sent]

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored.  Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious.  Diversity is welcome, but not personal attacks.  PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them.  Contributions will not be ACKed; the load is too great.  **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks.  Anonymized mail is not accepted.  ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.  Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.  All other reuses of RISKS material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using RISKS material should obtain permission from the contributors.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
Individual issues can be accessed using a URL of the form
  http://catless.ncl.ac.uk/Risks/VL.IS.html
(Please report any format errors to Lindsay.Marshall@newcastle.ac.uk)

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>YourName<CR>cd risks" or cwd risks, depending on your particular FTP.
Issue J of volume 16 is in that directory: "get risks-16.J".  For issues of earlier volumes, "get I/risks-I.J" (where I=1 to 15, J always TWO digits) for Vol I Issue j.  Vol I summaries in J=00, in both main directory and I subdirectory; "bye".  I and J are dummy variables here.  REMEMBER, Unix is case sensitive; file names are lower-case only.  <CR>=CarriageReturn; UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username and password.  Also ftp bitftp@pucc.Princeton.EDU.
WAIS repository exists at server.wais.com [192.216.46.98], with DB=RISK (E-mail info@wais.com for info) or visit the web wais URL http://www.wais.com/ .
Management Analytics Searcher Services (1st item) under http://all.net:8080/ also contains RISKS search services, courtesy of Fred Cohen.  Use wisely.

------------------------------

End of RISKS-FORUM Digest 16.82
************************