|
Risks Digest 16.30
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
RISKS-LIST: RISKS-FORUM Digest Tuesday 2 August 1994 Volume 16 : Issue 30
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for information on RISKS (comp.risks) *****
Contents:
Squirrels again bring down Nasdaq (PGN)
MCI inbound internet gateways choked (Mich Kabay)
RISKs of electrical wiring (Robert Rose)
How to clean out a checking account (Paul Dineen)
FBI hunting for Agent Steal, flashy computer hacker (Mich Kabay)
PCMCIA cards (Mich Kabay)
Progress on RFI in aircraft (Mich Kabay)
Porn Peddlers Convicted in Memphis (Mich Kabay)
Re: Video Cameras (Nap van Zuuren)
Computer telephony (Phil Agre)
Re: Crashed bank teller (Ted Lemon, Patrick O'Callaghan)
The Cult of Information by Ted Roszak (WN Peters)
Report Released on Public Key Law and Policy (Michael S Baum)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.
----------------------------------------------------------------------
Date: Tue, 2 Aug 94 7:55:36 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: Squirrels again bring down Nasdaq
Nasdaq once again was shut down by an energetic squirrel who apparently
chomped on a power line near the stock market's computer center in Trumbull,
Connecticut, yesterday. The system failed to perform the automatic
switchover to the temporary backup power supply (designed to last until the
backup system in Rockville, Maryland, could be brought up), and consequently
the market was down for 34 minutes. A similar problem occurred in December
1987. (A 2.5-hour outage on 15 July was reported in RISKS-16.25, due to
risky software upgrades.)
------------------------------
Date: 01 Aug 94 10:47:51 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: MCI inbound internet gateways choked
According to the Washington Post newswire (94.08.01 via CompuServe's Executive
News Service), MCI's inbound Internet gateways were saturated last month,
resulting in days of delay in delivery to MCI customers.
M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
------------------------------
Date: Mon, 1 Aug 94 17:47:37 EDT
From: [email protected]
Subject: RISKs of electrical wiring
I had a really interesting experience in one of our labs today, an
electrician was adding a new outlet into an office and tied the outlet into a
junction point in the dropped ceiling. While tying in the neutral line he
let the 'home-run' neutral line (the one going back to the main 3-phase
distribution I assume) come loose from the junction. After a minute he
discovered this at reconnected it... he didn't notice a thing. All of us in
our offices however were really charged up.... There was smoke, sparks and
crackling belching from numerous PCs, X terminals, surge protectors and
fluorescent lamps.
One of our programmers who is an EE figured that when he dropped the main
neutral the current instead started to flow between two branches of the three
phase and that one office had very little equipment turned on and the other
had great gobs of stuff powered up so that the office with everything turned
on had almost the full 220V across its outlets. Total body count: 2 surge
protectors, a fan, and one Gateway 2000 (which was spewing sparks out of the
fan opening!) [I'm not a EE-minded person so hopefully I haven't botched this
description too bad]
Lessons:
1. Don't trust your surge protectors blindly, the Gateway that got fried
was plugged into one.
2. Its worth the money to buy an autoswitching 110/220 power supply, the
Gateway was right next to an RS/6000 that has an autoswitching supply.
We figure the RS/6000 was running until the breakers blew... it just thought
it had made a quick trip to Europe. Another IBM machine with an auto
supply made it too.
I would have thought that some type of automatic device could prevent these
type of overvoltages, but given the electrician's actions I guess not. (This
electrical contractor was *real* happy when we discovered the RS/6000 wasn't
toast!)
--Rob Rose OS/2 Development IBM Boca Raton
------------------------------
Date: Fri, 29 Jul 1994 18:01:45 -0600
From: Paul Dineen <[email protected]>
Subject: How to clean out a checking account
I lost my checkbook a couple of weeks ago. Despite turning the house inside
out that evening, I couldn't find it. So, I called the bank and had them put
a watch on the account. Yesterday, I found the checkbook. (Wedged behind the
seat of the lawn mower, must have fallen when I was cleaning the garage.) I
called the bank to cancel the watch, needing to tell them only the account
number and my name (printed on the check, naturally). They didn't ask me my
mother's maiden name or anything. Obviously, what's to stop a finder or thief
from making the same call? I didn't raise this question then because I didn't
want to raise suspicion and have to go through some trouble to get the watch
lifted, but I will raise it with them on the next working day.
Paul Dineen, [email protected]
------------------------------
Date: 01 Aug 94 10:47:38 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: FBI hunting for Agent Steal, flashy computer hacker
>From the Reuter newswire (94.07.31 @ 21:10 EDST) via CompuServe's Executive
News Service:
"FBI HUNTING FOR AGENT STEAL, FLASHY COMPUTER HACKER.
"LOS ANGELES, July 31 (Reuter) - The FBI is searching for a computer
hacker suspected of committing high-tech crimes at the same time he allegedly
worked undercover for the bureau catching other computer hackers, the Los
Angeles Times reported Sunday.
The hacker, who goes by the moniker "Agent Steal" and whose real name is
Justin Tanner Petersen, vanished last October and is on the run from the very
federal agency -- the Federal Bureau of Investigation -- he told friends was
paying his rent and flying him to computer conferences to spy on other
hackers, the paper said."
Key points from the article:
o Petersen admitted having committed computer crimes even while working
with federal prosecutors.
o He is alleged to have cracked federal computers and stolen information
from a credit card information bureau.
o He was involved in Kevin Poulson's fraudulent successes in radio
phone-in contests in L.A.
o Petersen claimed to have been responsible for "nailing" Kevin Mitnick,
the infamous criminal hacker who is sought by authorities for breaking into
police computers and impersonating a police officer.
o J. Michael Gibbons, an FBI computer crime specialist, is sceptical
that his agency ever hired Petersen: "It's not safe. Across the board, hackers
cannot be trusted to work -- they play both sides against the middle."
o "Petersen was arrested in Texas in 1991, where a grand jury returned
an eight-count indictment accusing him of assuming false names, accessing a
computer without authorisation, possessing stolen mail and fraudulently
obtaining and using credit cards."
o Convicted of six counts after pleading guilty, Petersen faces
imprisonment for up to 40 years plus a fine of $1.5 million.
o "...[O]n Oct. 18, 1993, 15 months after entering his first guilty
plea, Petersen was confronted outside federal court by Assistant U.S. Attorney
David Schindler, who asked if Agent Steal had committed any crimes while free
on bail.
"Petersen said he had, according to the federal prosecutor. Petersen fled
immediately after that meeting."
M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
------------------------------
Date: 01 Aug 94 10:47:47 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: PCMCIA Cards
The Washington Post newswire (94.08.01; via CompuServe's Executive News
Service) provides an analysis of PCMCIA card problems:
"Add-In Card Standard: Good Plan, Bad Execution," by Brit Hume.
Hume summarizes the situation when the Personal Computer Memory Card
International Association (PCMCIA) was founded in 1990: lack of slot standards
made it difficult for manufacturers and users to have economical add-in
devices. The new association devised three standards, but unfortunately the
bugs are not quite out yet.
The author describes the problems trying to work with a new PCMCIA fax/modem
card. It worked OK with PC-DOS 6.1 but the drivers failed with DOS 6.2.
Even on 6.1, after resuming from both the "suspend" and "hibernate"
operations, the operating system had lost track of its PCMCIA port. After
extensive discussion with IBM support, the writer got function back after
resuming from "suspend" but still lost the I/O port after "hibernate."
M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
------------------------------
Date: 01 Aug 94 11:51:35 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: Progress on RFI in aircraft
>From the NIST UPDATE for 94.08.01:
ELECTROMAGNETIC FIELDS
Paper Details EMF Shielding Theory
In work supported by the Federal Aviation Administration, NIST
researchers have developed a mathematical model and theory for
predicting the electromagnetic field shielding effectiveness of large
metal enclosures with apertures and interior loading. The model also
should allow for estimations of the average field strength inside
enclosures such as electronic equipment cases and aircraft bodies. It
can be used for any enclosure regardless of size, shape, type of
material and number of apertures, as well as for any frequency above
a lower limit related to the dimensions of the enclosure. The model
was experimentally evaluated using a rectangular aluminum cavity of
about 0.57 cubic meter (approximately 20 cubic feet), with one
aperture, and for a microwave frequency range from 1 gigahertz to 18
gigahertz. The agreement between model and actual measurement was
within 20 percent after a number of additional sources of loss were
incorporated into the original model. A report, "Aperture Excitation
of Electrically Large, Lossy Cavities" (NIST Technical Note 1361), is
available from the National Technical Information Service,
Springfield, Va. 22161, (703) 487-4650, for $19.50 prepaid. Order by
PB 94-145711.
Media Contact: Collier Smith (Boulder), (303) 497-3198
[email protected]
M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
------------------------------
Date: 31 Jul 94 19:54:57 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Subject: Porn Peddlers Convicted in Memphis
The Associated Press newswire (94.07.28 and 29) via CompuServe's Executive News
Service) reported on the recent conviction of Internet porn peddlers
The following summary is based on reports by WOODY BAIRD and ELIZABETH WEISE,
Associated Press Writers. The first, by Baird, deals with the legal issues.
"MEMPHIS, Tenn. (AP) -- A husband and wife were convicted of distributing
pornography via computer Thursday in a case that raised questions about how to
apply federal obscenity law to the information superhighway.
Robert and Carleen Thomas, both 38, of Milpitas, Calif., were each
convicted of 11 counts of transmitting obscenity through interstate phone
lines via their members-only computer bulletin board. Each count carries up to
five years in prison and $250,000 fine."
Apparently the Thomases sold pornographic graphics files on their BBS. A
Memphis postal inspector deliberately joined the BBS under an assumed name,
downloaded some of the pics to his system and then complained to law
enforcement authorities.
There's discussion of just what it means to try someone on the Internet under
local pornography laws which refer to "community standards." "The opinion was
designed to let local citizens say whether they want X-rated bookstores or
movie theaters in their communities and get judges out of the business of
deciding what is obscene, said Stephen Bates, a senior fellow with the
Annenberg Washington Program, a communications think tank."
However, if this approach is applied to the Internet, "federal juries in the
most conservative parts of the country could decide what sexually explicit
images and words get on the information superhighway, Bates said."
Weise's article covers reactions on the Internet:
"SAN FRANCISCO (AP) -- Hours after a couple were convicted of sending images
of bestiality and sexual fetishes over a computer bulletin board, the Internet
was humming with warnings and protests.
"`If this case stands, you can bet there will be a hell of a lot more
prosecutions on the same basis in extremely short order," Karl Denninger of
Chicago wrote Friday on the computer network.'"
The EFF's Mike Godwin is reported as saying, "This case ... has one community
attempting to dictate standards for the whole country."
At least one BBS operator has stated that he'll quit as a result of the ruling,
although he didn't explain what kind of files his BBS stocks....
Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
------------------------------
Date: 29 Jul 94 05:44:02 EDT
From: Nap & Erik van Zuuren <100042.3164@compuserve.com>
Subject: Re: Video Cameras (RISKS-16.20)
Assume, that we need a 'balance' in the RISK Digest, the balance between
"benefits" of certain techniques against their "risks"
I have to react, as we are in a limbo on this issue. As a Dutchman, living in
Belgium, I follow the outcome of a weekly T.V. program, called "Opsporing
verzocht" (Help sought on Criminal Investigation), a program in which the
Police Forces try to get necessary input for solving serious crimes. In that
program, the presence of video-material from shopping malls and within shops
has proven to be a big help in getting required input, and so we have to
accept that we are "video-ed" when we are, for example, shopping; also for our
"own" protection.
- Would not you feel better, with a camera 'at your shoulder',
as e.g. a cashier in a petrol station at a highway ?
So: Benefits appear to outweigh risk !
Note: Apparently the Dutch Police Forces, and related Forces,
are still considered -- in general -- to be the "friends" of
the population by the Dutch population.
I thought that the same attitude towards the Police Forces
was true for the U.K.; the relation to the "Bobbie".
(As the original "risks message" originated in the U.K.,
I also refer to the "Bobbie")
I wish, this would be the case in other countries as
well; but the requirements for reaching such a
relation with the 'public' are:
- to be "of assistance to the public"
- to be trustworthy, accompanied by a free press
and political will
- to be supported by the judicial apparatus, for
the Forces to stay motivated
- a "quality of life" worth defending it
We will need a lot of "trustworthy" energy to protect us --
and our children -- against the "criminal" energy.
Do NOT get me wrong:
- I also fell victim to injustice (in my opinion) in a case
versus an 'official'
- I even have been insulted in writing by a member of the Council
of Ministers
But, we have to trust (and at the same time: control) the forces which
should protect the "law-abiding" (or = sullen ?) citizen, and are paid by
that same citizen to do so ! Might the price of "democracy".
Nap van Zuuren, CompuServe 100042,3164
------------------------------
Date: Sun, 24 Jul 1994 14:09:10 -0700
From: Phil Agre <[email protected]>
Subject: Computer telephony
The July issue of Byte has a good technical review of systems for integrating
PC's and telephones. The full reference is:
Jon Udell, Computer telephony, Byte 19(7), 1994, pages 80-96.
The applications are still pretty primitive, since the necessary capabilities
within the phone system itself don't quite exist yet, are just coming on-line,
or are just receiving regulatory approval. Still, enough stuff is just over
the horizon that non-trivial architectures are being built. Many of them
use Caller-ID, for which the FCC just set US national standards over the dead
bodies of several state utilities commissions; and despite the strange idea
that Caller-ID is mostly for residential use, the article makes clear that
developers see a world of commercial applications. In general, as the article
points out in the case of sales and collections systems,
"As these tools find their way into the hands of smaller, more mainstream
businesses, you can expect better service in some cases and more efficient
harassment in others."
Indeed.
Phil Agre, UCSD
------------------------------
Date: Thu, 21 Jul 94 18:03:51 PDT
From: Ted Lemon <[email protected]>
Subject: Re: Crashed bank teller (Murray, RISKS-16.27)
> [...] Setuid has hurt instead of helped. [...] While it is
> appropriate for my program to fail by returning ME to the operating
> system, my program should not fail by returning YOU to the operating
> system prompt with privileges that are different from those that you
> have on your own.
Mr. Murray's article on the behaviour of various historical systems is
interesting, but makes a rather bizarre claim about the behaviour of setuid
under Unix. In fact, a setuid program only has privileges in the process in
which it is running and any child processes that it creates without first
disabling the setuid privilege.
The problems we've seen on the Internet with setuid programs generally are the
result of poor coding which leaves loopholes in the executing setuid program
that a clever cracker can exploit. I don't see any reason to believe that
OS/400 setuid-like programs are any safer from this sort of exploitation. The
proper solution to this problem is probably either to program more carefully,
or to set up an environment in which it's harder to make mistakes like this.
_MelloN_
------------------------------
Date: Fri, 22 Jul 1994 08:14:13 -0400
From: "Patrick O'Callaghan" <[email protected]>
Subject: Re: Crashed bank teller (Murray, RISKS-16.27)
From his description, Mr. Murray appears to think that setuid was introduced
in order to restrict access rights, and has been abused by lazy programmers.
Quite the contrary. The purpose of the `setuid' bit is to allow a program to
run with the permissions afforded to the program's owner, rather than those of
the user. To say that `setuid has hurt rather than helped' is like saying
`electricity has hurt rather than helped'. Setuid is *fundamental* to how Unix
operates and its invention by Dennis Ritchie has been described as the only
genuinely original idea in the Unix design (which is not to say it doesn't
have problems).
William> ... However, they do not permit the user to retain
William> those privileges across the failure of the application.
Neither does Unix. If my setuid program fails, I fall back to whatever
invoked it, usually a Shell. I do *not* retain setuid privileges.
Prof. Patrick O'Callaghan, Departamento de Computacion, Universidad Simon
Bolivar, Caracas, Venezuela [email protected] +058 (2) 906-{3241,3242,3254}
------------------------------
Date: Fri, 29 Jul 1994 11:17:37 -0400 (EDT)
From: [email protected]
Subject: The Cult of Information
I highly recommend a book entitled The Cult of Information: a Neo-Luddite
Treatise on High-Tech, Artificial intelligence, and the True Art of Thinking,
by Theodore Roszak (second edition, c1994). Roszak, in this book, is not
attacking the idea of computerization, but he is warning our society against
equating information with knowledge (the idea that if one can access
information one, therefore, has knowledge on that given subject) and against
over-computerization of our society. I found it to be a very readable book and
quite illuminating.
University of California Press, ISBN: 0-520-08584-1
------------------------------
Date: Sun, 31 Jul 1994 08:51:33 -0400 (EDT)
From: Michael S Baum <[email protected]>
Subject: Report Released on Public Key Law and Policy
**NEW INFO. SECURITY BOOK ON PUBLIC KEY LAW & POLICY**
TITLE: FEDERAL CERTIFICATION AUTHORITY LIABILITY AND POLICY --
Law and Policy of Certificate-Based Public Key and Digital Signatures
AUTHOR: MICHAEL S. BAUM, J.D., M.B.A.
Independent Monitoring
Report No. NIST-GCR-94-654
450+ pages, highly annotated; multiple appendices; indexed.
U.S. DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Produced in support of the Federal Government's public key infrastructure
study, this book identifies diverse technical, legal and policy issues
affecting a certificate-based public key cryptographic infrastructure
utilizing digital signatures supported by "trusted entities." It examines
potential legal implications, surveys existing legal paradigms and the
structures and roles of relevant governmental agencies and presents various
institutional approaches to controlling liability. It considers the
underpinnings of a legal and policy framework which might serve as a
foundation for security policies and their implementation and concludes with
a series of recommendations, both general and specific concerning
certificate-based public key. Both public and private sector issues are
addressed.
This publication is the result of legal, business and security management
research, as well as interviews and analysis predominantly with public- and
private-sector lawyers, policy makers, managers and management information
system and security professionals in the United States and abroad.
SUMMARY OF CONTENTS:
- PREFACE
- ACKNOWLEDGMENTS
- TABLE OF CONTENTS
I. INTRODUCTION
II. SCOPE
III. DEFINITIONS
IV. ASSUMPTIONS
V. SURVEY OF FCA ACTIVITIES CREATING LIABILITY EXPOSURE
VI. LEGAL CONSIDERATIONS
VII. FCA INFRASTRUCTURE - PROPOSALS AND PARADIGMS
VIII. SURVEY OF, AND APPROACHES TO, TRUSTED ENTITY LIABILITY
IX. OTHER APPROACHES TO MITIGATE LIABILITY
X. CONCLUSIONS AND RECOMMENDATIONS
XI. APPENDICES
XII. GLOSSARY
XIII. INDEX
OBTAINING COPIES: Copies may be purchased through the National Technical
Information Service, Springfield, Virginia 22161, U.S.A., Phone +1 (703)
487-4650 or 1-800-553-6847. Request NTIS Document No: PB94-191-202. Cost:
$61.00
ABOUT THE AUTHOR: Michael S. Baum is Principal of Independent Monitoring, a
consultancy focused on electronic commerce and information security law. He
serves as a Delegate from the International Chamber of Commerce (ICC) to the
United Nations Commission on International Trade Law (UNCITRAL); Chair of the
EDI and Information Technology Division, Section of Science and Technology,
American Bar Association (ABA) and its Information Security Committee; and
Chairman of the ICC Working Party on Legal Aspects of Electronic Commerce.
Michael S. Baum, Independent Monitoring, Cambridge, Massachusetts [email protected]
[RISKS normally does not run advertising for books. However, this is
a NIST/NTIS report. (Yes, NITS, ISN'T, SNIT are also anagrams.) It is
also fair game for a review, in case someone wants to submit one. PGN]
------------------------------
Date: 31 May 1994 (LAST-MODIFIED)
From: [email protected]
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.
The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you. BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S.
users on .mil or .gov domains should contact <[email protected]>
(Dennis Rears <[email protected]>). UK subscribers please contact
<Lindsay.Marshall@newcastle.ac.uk>. Local redistribution services are
provided at many other sites as well. Check FIRST with your local system or
netnews wizards. If that does not work, THEN please send requests to
<[email protected]> (which is not automated).
CONTRIBUTIONS: to [email protected], with appropriate, substantive Subject:
line, otherwise they may be ignored. Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious. Diversity is
welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them. Contributions will not be ACKed; the load is
too great. **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks. Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
ARCHIVES: "ftp crvax.sri.com<CR>login anonymous<CR>YourName<CR> cd risks:<CR>
Issue j of volume 16 is in that directory: "get risks-16.j<CR>". For issues
of earlier volumes, "get [.i]risks-i.j<CR>" (where i=1 to 15, j always TWO
digits) for Vol i Issue j. Vol i summaries in j=00, in both main directory
and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye<CR>"
logs out. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may
differ; UNIX prompts for username, password; [email protected] and
WAIS are alternative repositories. See risks-15.75 for WAIS info.
To search back issues with WAIS, use risks-digest.src.
With Mosaic, use http://www.wais.com/wais-dbs/risks-digest.html.
FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving
it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info
regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL
RISKS COMMUNICATIONS; as a last resort you may try phone PGN at
+1 (415) 859-2375 if you cannot E-mail [email protected] .
------------------------------
End of RISKS-FORUM Digest 16.30
************************
|
|
