RISKS DIGEST 19.23

RISKS-LIST: Risks-Forum Digest  Thursday 26 June 1997  Volume 19 : Issue 23

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** U.S. SUMMER SLOWDOWN IN EFFECT.  BE PATIENT. *****
***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
U.S. Supreme Court rules on Communications Decency Act (PGN)
RSA's DES challenge achieved (PGN)
McCain-Kerrey Secure Public Networks Act (PGN)
Revised Internet Regulation in China Announced (Li Gong)
"Hackers" get into Ramsay case computer (Jonathan Corbet)
Backhoe-attack cable thief disables phone service in Russia (Betty G. O'Hearn)
Malfunction Causes Motor Melee (Scott Lucero)
1998-1999 Leonids may damage satellites (Jonathan Nash)
Unix path risks -- well-known, but still amusing
  (Michael Patrick Johnson via Alan Wexelblat)
Microsoft Web site Interrupted by cracker (Edupage)
MS Outlook sends e-mail on Ctrl-Enter when editing with Word (Michael Passer)
Malepropylene Microdictus (Stephen Speicher)
Re: Software Problems with new UK ATC Center (Andres Zellweger)
Old risks, new villains... when will they learn? (Quinn Yost)
7-Eleven Big Brother (Mich Kabay)
UK Government proposes ID numbers for 4-year-olds (Gary Barnes)
Chip Theft by Home Invasion (David Kennedy)
Re: Company blackmails Netscape for details of browser bug (Dorothy Denning)
Netscape vs. Cabocomm (Andy Waldis)
"Secret Power" claims to expose secret international spying networks
  (Betty G. O'Hearn)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 26 Jun 97 8:12:48 PDT
From: "Peter G. Neumann"
Subject: U.S. Supreme Court rules on Communications Decency Act

Seven* Justices (in the majority opinion written by Justice Stevens) ruled that the Communications Decency Act violated free-speech rights in attempting to protect children from sexually explicit material on the Internet. The remaining two Justices (in an opinion written by Justice O'Connor, with Chief Justice Rehnquist concurring) agreed that the CDA was unconstitutional, but wrote that they would invalidate the law only insofar as it interferes with the First Amendment rights of adults.

  [The decision opinions are on-line at http://www.cdt.org, http://www.epic.org, and http://www.ciec.org. See RISKS-17.71,72,74, and RISKS-18.20 for earlier background. Similar state laws in NY and Georgia were also recently overturned. PGN]

  [* Typo (nine) fixed in Archive copy. NINE thought it unconstitutional. Two had caveats. PGN]

------------------------------

Date: Thu, 26 Jun 97 8:12:57 PDT
From: "Peter G. Neumann"
Subject: RSA's DES challenge achieved

After four months and exhaustion of about one fourth of the 72 quadrillion possible keys, the RSA challenge for the 56-bit DES key was successful. The *brute* in *brute force* is becoming more Godzilla-like.

  [See http://www.rsa.com for the status of the other RSA challenges.]

------------------------------

Date: Thu, 26 Jun 97 8:13:03 PDT
From: "Peter G. Neumann"
Subject: McCain-Kerrey Secure Public Networks Act

The McCain-Kerrey bill calls for extensive key-recovery infrastructures for encryption used in storage and communications. The wording also seems to require key recovery for authentication and certificate authorities as well, which would seem to introduce enormous potential risks above and beyond those previously addressed in RISKS. The bill was slipped through the committee as a substitute for ProCode, with essentially no discussion. It appears that there are many lurking issues that were not adequately understood by the Senators. Serious study seems urgently needed.
  [See http://www.epic.org and http://cdt.org for text and analyses of the bill. Senate Judiciary Committee hearings on this subject were scheduled for yesterday (25 Jun), but were postponed at the last minute because of other Senate action. You will find my would-have-been testimony on my web page. PGN]

------------------------------

Date: Sat, 14 Jun 1997 11:49:39 -0700
From: Li Gong
Subject: Revised Internet Regulation in China Announced

The overseas edition of the *People's Daily* (June 9, 1997, p.2) gave details of the 17-clause revised regulation regarding the establishment and operation of any computer network that is connected to the Internet. Highlights include:

Clause 6. All networks with direct international connections must go through public access networks managed by the Post and Telecommunication Ministry.

Clause 7. Existing networks are to be reorganized and managed by the following 4 institutions: Post and Telecommunication Ministry, Electronics Ministry, National Council of Education, and the Chinese Academy of Sciences.

Clause 9.3. All operators (ISPs and their clients) must have security and secrecy regulations in place and must have adequate technical protection mechanisms.

Clause 13. All operators and personnel must abide by laws regarding national security, criminal activities, ..., and the spread of pornography.

Clause 9.3 seems to have gone beyond the normal expectation of an operator in the west.

Li Gong, JavaSoft, Sun Microsystems, Inc.

------------------------------

Date: Fri, 13 Jun 1997 09:53:10 -0600
From: Jonathan Corbet
Subject: "Hackers" get into Ramsay case computer

I assume most of the civilized world has heard about the Jon-Benet Ramsay murder case. Here in Boulder, where it's a local story, our newspaper reports on it daily, while chiding the tabloids for doing the same thing. I long since stopped reading these stories, which seemed to offer little of interest.

The top of page 1 today, however, reads "Hackers Invade Ramsay Case File." The real problem appears to be that somebody got into the "war room" where the computer lives, and somehow messed with the machine. The investigators are now going through a process of comparing electronic documents with printed versions, looking for things that have been changed.

The article doesn't say anything about backups. What do you bet they were in the same room, if they exist at all? Manually comparing with printed documents seems like a poor recovery strategy. Meanwhile they have no idea of what information may have been taken out of the room.

The risks: information on your computer will never be safe if you allow physical access to the machine. And an environment where a burglar becomes a "hacker" does not help in identifying the real problems.

The story can be found at http://www.bouldernews.com/BoulderNews/News/Local/html/X_9706130172.htm

jon

------------------------------

Date: Thu, 19 Jun 1997 13:30:33 -0400
From: "Betty G. O'Hearn"
Subject: Backhoe-attack cable thief disables phone service in Russia

"Ron Eward has been saying this for years! The backhoe attack is the low-tech efficient way to shut down telecomm services without the help of hackers. See what happened in Moscow?"  Winn Schwartau

A thief removed 60 meters of cable from the center of the remote Russian city of Ulan-Ude (the capital of the Republic of Buryatiya, near Mongolia), which shut down external communications for five hours on 19 Jun 1997. The incident affected military and other communications in the region and caused an estimated loss of 800 million rubles ($135,000). Apparently, the criminal or criminals may have been harvesting precious metal from the lines. (Earlier this week two thieves were electrocuted in eastern Kazakhstan as they tried to steal copper wires from a high-voltage power transmission line.)

  [Source: Itar-Tass news, 19 Jun 1997]

  [Warning: *To backhoe* may be dangerous to your health! (In the second case, the copper got them in the end.) PGN]

------------------------------

Date: Wed, 18 Jun 97 15:02:36 EST
From: "lucero"
Subject: Malfunction Causes Motor Melee

The United States Auto Club (USAC) declared a new winner in the True Value 500 on 8 June 1997 when an electronic device in five of the cars failed to record the laps where cars pull into the pit stop. Although there are two forms of manual backup, neither was used until hours after the race was complete, even though the officials received notice of the malfunction during the race. USAC officials are considering fining A.J. Foyt and Arie Luyendyk, who turned out to be the winner following the audit, after they got into a victory circle scuffle.

The malfunction came with 19 laps remaining, not leaving much time to change over to manual methods. Race officials counted on the malfunction not affecting the outcome of the race. The USAC Chief Steward said this is the first major malfunction since the devices were introduced in 1990.

The RISK is believing that, just because it hasn't happened in the past, doesn't mean that it isn't happening now.

Scott Lucero

------------------------------

Date: Thu, 26 Jun 1997 01:36:23 -0400 (EDT)
From: Jonathan Nash
Subject: 1998-1999 Leonids may damage satellites

An article in the 9 Jun 1997 issue of *Science News* warned that the Leonid meteor showers in 1998 and 1999 may damage satellites. The Leonid meteor shower occurs around the middle of November and usually 100 meteors an hour may be visible. In the Far East in 1998, 100,000 meteors an hour may be visible. In 1999 there will also be a very heavy Leonid shower in Western Europe.

"A Leonid storm occurs every 33 years, when Earth passes through the meteoroid storm shortly after Tempel-Tuttle has neared the sun and spewed fresh particles. On 17 Nov 1998, Earth will hit the Leonid stream just 9 months after the comet has passed closest to the sun. In that short interval, the torrent of new meteoroids won't have had time to spread out. Our planet will encounter a dense swath of debris, creating a veritable tempest.

"The dust particles are tiny, so chance collisions with spacecraft aren't the prime worry of scientists. Rather, researchers express concern about the potential of these particles to create localized clouds of electric charge, or plasma, that can penetrate satellites and short-circuit equipment.

"The high speed of a Leonid meteoroid - about 72 kilometers per second, more than three times that of an average meteoroid - favors the production of clouds of charged material, notes Brown. These can generate lightninglike discharges inside satellites, zapping fragile electric components.

"Another meteor storm, this one associated with a swath of cometary debris known as the Perseids, is credited with taking a satellite out of commission in 1993 (SN: 2 Oct 1993, p. 217). However, the potential for damage is highly uncertain... Come 1998, 'everyone is going to go through this test, whether they like it or not.'"

------------------------------

Date: Wed, 25 Jun 1997 23:13:38 -0400
From: wex@kangaroo.media.mit.edu (Graystreak)
Subject: Unix path risks -- well-known, but still amusing

Date: Wed, 25 Jun 1997 21:39:14 -0400
From: Michael Patrick Johnson
Subject: insane bug
Reply-To: aries@media.mit.edu

This bug is one for the record books. It's just too funny. If only all bugs could make me laugh.

I was trying to show someone how to use emacs rmail to read mail today. We got the stuff set up. We are using some kerberized pop program for movemail, not default movemail. Fine. We try to incorporate mail and suddenly this 3D OpenGL spinning BEAVER HEAD program pops up!! My god, what the hell was going on? Did someone spawn that accidentally? No, it goes away when I C-g. Incorporate again, IT'S BACK! OK, I am thinking SOMEONE is playing with this poor new student, someone hacked a dotfile on his somewhere.
No, nothing this insidious. As it turns out, the beaver head program was a program he wrote to learn OpenGL. The question was, how the hell was it running? Long story short, the movemail program was actually a script which did a lot of string munging and happened to use the unix function "head" in it. A bad dotfile had put . (dot) first in his path. His beaver program was called head. So we got his beaver head, not the real head.

Moral: To not lose your head, put . in your path!

Michael Patrick Johnson  aries@media.mit.edu  MIT Media Lab  http://www.media.mit.edu/~aries/

------------------------------

Date: Wed, 25 Jun 1997 01:03:42 -0400 (EDT)
From: Edupage Editors
Subject: Microsoft Web site Interrupted by cracker

Microsoft's Web site was disrupted briefly by a computer cracker who broke into the site's server computers by exploiting a flaw in the Microsoft Internet server software. The site was down only about 10 minutes, but company officials say users may have experienced more problems because the company currently is upgrading its servers. Microsoft has posted a fix for the flaw on its Web site, and a marketing director says all that was needed to get the machines going again was a reboot. (*Wall Street Journal*, 23 Jun 1997; http://www.wsj.com; Edupage, 24 June 1997)

------------------------------

Date: Thu, 26 Jun 1997 10:55:11 GMT
From: mwp@acm.org (Michael Passer)
Subject: MS Outlook sends e-mail on Ctrl-Enter when editing with Word

When using Microsoft Outlook (part of their Office 97 suite) to compose an e-mail message yesterday, I attempted to get rid of some unwanted text formatting by inserting a page break. Under normal circumstances, Word recognizes the key combination Ctrl-Enter as a command to insert a page break. (WordPerfect also treats the key combination this way.) However, when Word is launched by Outlook as an e-mail editor, Ctrl-Enter causes the e-mail message to be sent--immediately, with no confirmation.

This behavior is documented on the File menu, where Send has the keyboard accelerator label "Ctrl-Enter" right next to it. Perhaps I should have RTFM (Read The Fine Menu). However, I don't think co-opting a key with a fairly common editing function was an optimum user interface design decision.

The RISK? Sending e-mail unintentionally, before it is completely edited, can cause problems ranging from trivial (e.g., mild embarrassment at having sent a message that wasn't done yet) to catastrophic (e.g., abrupt unemployment as a result of having fired off an unedited missive to an executive at one's company before one has cooled off).

------------------------------

Date: Thu, 19 Jun 1997 13:36:37 -0700 (PDT)
From: Stephen Speicher
Subject: Malepropylene Microdictus

Whoever is the genius in the advertisement department at Microsoft, they have done it this time. Anybody seen the IE ads on TV lately? The one with a very effective choral music playing in the background? Well, the background music is the Confutatis Maledictis from Mozart's Requiem (Mass for the dead). And the words of the final blast of music which accompanies "Where do you want to go today?" are saying "confutatis maledictis, flammis acribus addictis..." which means "the damned and accused are convicted to flames of hell". Is this the right message for an ad?

Stephen Speicher, Internex Information Services

  [Depends on what you *really* think of your product?  PGN]

------------------------------

Date: Tue, 17 Jun 97 13:30:02 -0500
From: "Andres Zellweger"
Subject: Re: Software Problems with new UK ATC Center (Ladkin, RISKS-19.18)

Peter Ladkin, in his report on NERC (New En Route Centre), is absolutely correct in pointing out that the problem of "scaling up" is much more serious than just fixing bugs. To my knowledge, no one has yet been successful in building a modern distributed ATC system that has scaled to the size needed for NERC or one of the US En Route ATC Centers.
In most cases, the problems have come from the various mechanisms put in place for achieving high availability and reliability.

As an aside, NERC, located in Swanwick, is in a beautiful new building where all of the controller work stations, with their 20x20 inch 2000 line resolution color displays, have been installed for months. Interestingly enough, there is a lot of extra space because when the architects planned the building they didn't realize that the powerful workstations would not require the support of a large main frame computer with its own computer room etc!

Dres Zellweger

  [Typo fixed in archive copy.  Back ref to 19.18.  PGN]

------------------------------

Date: Wed, 25 Jun 1997 02:34:21 +0100
From: Quinn Yost
Subject: Old risks, new villains... when will they learn?

The story below is not one that will cause many of you to rush to lessen its impact on you. Instead, it simply demonstrates how (despite our best efforts and their best intentions) some companies just don't quite get our concern.

The story begins a few months ago when I relocated to a new city. In the process of arranging utility type services the local phone company made their standard offer of issuing a phone card. Much to my delight, they offered to send a card with just my name and not my access number printed on it.

Two weeks later, the card arrives. As I opened it, I was amused to see that it had what appeared to be a generic number (knowing it wasn't the number I had requested and appeared far too blatant) as my PIN. Weeks later when I finally had a need to use it, I was somewhat surprised to hear the "The account number - PIN combination you have entered is incorrect" message. After returning home, I promptly called the company and requested to have my PIN changed, which they happily did without asking for any identifying information (I can only hope they used caller-ID to make an assumption that I was indeed who I claimed).

I also asked what the old PIN was (assuming a typo had been made or my memory was failing) and learned that the number printed on my card was not some generic number, but instead the actual PIN.

Again, two weeks later, the card arrives. This time, not only does it have my name and PIN imprinted upon it, it also has instructions on how to determine the unprinted portion of the access number.

The risks here I assume are obvious to us all.

------------------------------

Date: Wed, 25 Jun 1997 22:18:24 -0400
From: "Mich Kabay [NCSA]"
Subject: 7-Eleven Big Brother

> 7-Eleven Operators Resist System To Monitor Managers
> By Norihiko Shirouzu and Jon Bigness
> Staff Reporters of The Wall Street Journal (Dow Jones 16 Jun 1997)
>
> Your neighborhood 7-Eleven store may soon feature a new Japanese export: a
> draconian system that allows the company to monitor store managers' every
> keystroke.

Summary of the writers' key points:

* Japanese 7-11 franchise owners must use their point-of-sale (POS) computers throughout the day to perform inventory analysis and track sales.

* The inventory and just-in-time (JIT) ordering system is crucial to the Japanese operations management.

* Fresh food is delivered three times a day to each store in accordance with local traffic.

* "Headquarters ranks stores by how often their operators use the computer."

* Managers are under enormous pressure; one reported, "It's like being under 24-hour surveillance; it's like being enslaved."

* Upper management argues that these strict demands and computer-based monitoring are responsible for improving turnover of products from 100% per 25 days to 100% per 7 days.

M. E. Kabay, PhD, CISSP (Kirkland, QC) / Director of Education, National Computer Security Association (Carlisle, PA) / http://www.ncsa.com

------------------------------

Date: Thu, 26 Jun 1997 10:54:54 +0100 (BST)
From: gkb@aber.ac.uk (Gary Barnes)
Subject: UK Government proposes ID numbers for 4-year-olds

*The Times* today (26 Jun 1997) reports that the UK government plans to give every child a national identification number at the age of four, to plot pupils' progress through school. The intention is to make the official national league tables of schools a more accurate reflection of a school's performance, by taking into account the fact that some schools take in more clever pupils than others, which naturally reflects in the current figures.

According to *The Times*, David Hawker, the man responsible for developing this new scheme, gave the reassurance: "We are looking at setting up a national pupil number. It is nothing to be frightened of because pupil information is covered by the Data Protection Act."

I am not reassured by this, and neither is Andrew Puddephatt, director of civil rights pressure group Charter 88, who warned that this could be a step towards a national identity card system. The Labour Government was opposed to a national identity card scheme when it was in Opposition.

While this may seem to be more of a privacy issue than a computing RISKS issue, the blind faith that David Hawker has that there is no need for concern thanks to the Data Protection Act seems a bit misplaced, especially when no mention is made of what technical measures might be used to assure the security and integrity of the information stored about pupils.
Gary Barnes

------------------------------

Date: Thu, 26 Jun 1997 17:47:58 -0400
From: David Kennedy <76702.3557@compuserve.com>
Subject: Chip Theft by Home Invasion

Courtesy of United Press International via CompuServe's Executive News Service:

> 3 at large in home invasion robbery (UPI)
>
> HACIENDA HEIGHTS, Calif., June 20 (UPI) -- Two men have been arrested and three others are at large after they allegedly held a family hostage while the father was forced to go to his business and turn over $800,000 in computer chips.
>
> Police say five heavily armed men drove up to the Hacienda Heights home of the unidentified victim at about 10:30 p.m. Thursday. When they got inside, they herded a woman, her 11-year-old son and 14-year-old daughter into one room, and forced the husband to drive to his business in the City of Industry.

o Someone called the police, SWAT shows up (special weapons and tactics police unit specializing in high-risk police operations); after two hours, 2 gunmen surrender.

o Three who went with the business owner are at large. They tied him up in his business and left him there.

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.

------------------------------

Date: Fri, 13 Jun 1997 14:42:29 -0400
From: denning@cs.georgetown.edu (Dorothy Denning)
Subject: Re: Company blackmails Netscape for details of browser bug

I read the document at the cited URL and it says:

  "Cabocomm said it would accept "reasonable compensation" for the technical information -- or they can send a Netscape representative and get it for free."

That doesn't sound like blackmail to me.

Dorothy Denning

  [Apparently Netscape was able to get a copy of the script of the demo session and from that infer what the flaw was. No money changed hands. PGN]

------------------------------

Date: Mon, 16 Jun 1997 15:50:31 -0700 (PDT)
From: awaldis@ic.net (Andy Waldis)
Subject: Netscape vs. Cabocomm

Regarding the finding of a defect in Netscape's browser by the Danish company Cabocomm, I find it disturbing that so many reports use the terms "blackmail" and "extortion" to describe Cabocomm's actions. The use of these terms implies that Cabocomm was obligated to report the defect it had found and should not expect to be compensated for their trouble. This suggests a risk of using software that I had not been aware of: that we are obligated to report any defects we find and have no right to expect compensation. I guess I should be reading those license agreements a little more carefully.

Cabocomm did not create the problem, Netscape did. Cabocomm proposed a solution which Netscape was free to accept or reject. This wasn't a case of blackmail, just good old-fashioned capitalism.

Regards, Andy Waldis  awaldis@ic.net

------------------------------

Date: Thu, 26 Jun 1997 15:18:21 -0400
From: "Betty G. O'Hearn"
Subject: "Secret Power" Claims to Expose Secret International Spying Networks

"Secret Power" by Nicky Hager
The International Spying Networks UKUSA and ECHELON
301pp  ISBN: 0-908802-35-8

According to this remarkable book, that has somehow escaped the flames of book banners crying "national security," the United States NSA and the United Kingdom's GCHQ (Government Communications Headquarters) operate a global spying network called UKUSA. To listen in on conversations across the planet, a massive eavesdropping apparatus was built, with tentacles which reach into dozens of different countries beyond the shores of either the US or UK as well as across the skies.

Describing the nature of UKUSA, its global affiliations, and operations represents a huge effort on the part of author Nicky Hager. He states early on in 'Secret Power':

"Many people are vaguely aware that a lot of spying occurs, maybe even on them, but how do we judge if it is ubiquitous or not a worry at all? Is someone listening every time we pick up the telephone?
Are all of our Internet or fax messages being pored over continuously by shadowy figures somewhere in a windowless building?

"What follows explains as precisely as possible - and for the first time in public - how the worldwide [spy] system works, just how immense and powerful it is and what it can and cannot do.

"The global system has a highly secret codename: ECHELON."

And that is the foundation of a tremendous amount of research that describes in detail how the vast global spying network "collects all the telephone calls, faxes, telexes, Internet messages and other electronic communications that its computers have been pre-programmed to select," and then analyzes the contents and distributes it to members UKUSA and ECHELON partners world-wide.

The operational details of how the US (NSA), UK (GCHQ), Canada (CSE), Australia (DSD) and New Zealand (GCSB) intercept signals, throw high power computing behind ECHELON 'KeyWord' dictionary attacks and what they do with that information is potentially alarming; especially since so much of this decades old practice has been kept under the wraps of security.

Secret Power names the names, provides the dates and the technical details on the world's largest, best financed and coordinated global spying apparatus ever conceived. Full of pictures, maps and charts, the reader will get a complete picture of just how much effort and resources go into international security, long distance eavesdropping, and spying. From the Cold War to today, UKUSA and ECHELON have been fascinating and powerful intelligence functions to spy both on enemies and friends. "Secret Power" provides the first peek inside the world's most secretive and powerful electronic spy organization.

"Secret Power" reads like a thriller, except that it's true. It should be read by everyone with an interest in intelligence, espionage and the technology that modern spies use.

"An astonishing number of people have told him [author Nicky Hager] things that I, as Prime Minister in charge of the intelligence services, was never told... It is an outrage that I and other ministers were told so little."
  -David Lange, Prime Minister of New Zealand 1984-89

"...the most detailed and up to date account of the work of any signals intelligence agency in existence. It is a masterpiece of investigative reporting, and provides a wealth of information."
  -Jeffrey T. Richelson, leading authority on United States intelligence agencies and author of America's Secret Eyes in the Sky, and co-author of 'The Ties that Bind.'

------------------------------

Date: 1 Apr 1997 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.  Or use Bitnet LISTSERV.  Alternatively, (via majordomo) DIRECT REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information]
=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.
 *** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
   ftp ftp.sri.com
   login anonymous
   [YourNetAddress]
   cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
 or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners:
   get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 19.23
************************