precedence: bulk Subject: Risks Digest 21.37 RISKS-LIST: Risks-Forum Digest Thursday 3 May 2001 Volume 21 : Issue 37 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Microsoft Is Set to Be Top Foe of Free Code (David Farber) DMCA: It's Like ... an Analogy Fest! (Monty Solomon) Recording industry threatens researcher with lawsuit (NewsScan) Hack attacks from China? (NewsScan) Space Station software problems predicted four years ago (Philip Gross) Incompatibility shuts down Xerox corporate network (Nelson H. F. Beebe) Destia shuts down service (Doneel Edelson) Mobile phones to prevent car theft? (Yerry Felix) CNN censors profane Webby nominee (Jim Griffith) Another problem with the DNS (Bob Frankston) MS security updates infected with virus (Dave Stringer-Calvert) Microsoft error message (Jean-Jacques Quisquater) Using calendar reminder service to remember anniversary of sad event (Elinsky) Risks of Net-connected appliances (Robert J. Woodhead) Re: MSN "upgrade" creates long distance calling (Steve Holzworth) The follow-on to James Bamford's *Puzzle Palace* (David Farber) Definitions for Hardware and Software Safety Engineers (Meine van der Meulen) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 03 May 2001 09:43:23 -0400 From: David Farber Subject: Microsoft Is Set to Be Top Foe of Free Code John Markoff in *The New York Times*, 3 May 2001: Microsoft is preparing a broad campaign countering the movement to give away and share software code, arguing that it potentially undermines the intellectual property of countries and companies. At the same time, the company is acknowledging that it is feeling pressure from the freely shared alternatives to its commercial software. http://www.nytimes.com/2001/05/03/technology/03SOFT.html [Dave's IP archives are at http://www.interesting-people.org/ PGN] ------------------------------ Date: Wed, 02 May 2001 10:53:14 -0700 From: Monty Solomon Subject: DMCA: It's Like ... an Analogy Fest! MEDIA GROK, 2 May 2001 We know, we know: Media coverage of the Digital Millennium Copyright Act makes your eyes glaze over. Think that's bad? Imagine the DMCA being discussed in a courtroom. This happened yesterday when a New York appeals court became ground zero for testimony on whether DVD code-busting software violates the DMCA. Reporters tried mightily - and several succeeded - to make sense of lawyers' attempts to out- argue each other. Call yesterday's event a different kind of Hollywood strike. When the e-zine 2600.com posted DeCSS, a computer program capable of cracking DVDs' security code, a coalition of film studios struck back with a lawsuit. The studios won, and the lower court based its ruling on the DMCA-based ban on code-busting devices. 2600 appealed, its lawyers arguing that DeCSS has fair and allowable uses. Is law so complex that it has to be fed to us in analogies? We grew dizzy trying to follow the analogy free-for-all that gripped the appeal hearing and its coverage. Let's start with the DMCA. It's like Congress deciding that the blueprint for a copying machine can't be published because it might be used to violate the copyright laws, said Kathleen Sullivan, Stanford Law School dean. Here's one about DeCSS: It should be banned because it's akin to software that shuts off smoke detectors or airplanes' navigational systems, said DMCA defender and assistant U.S. attorney Daniel Alter, according to the New York Law Journal. The First Amendment wouldn't bar the government from prohibiting distribution of that kind of software, Alter said, and the same goes for DeCSS. No, no, no. DeCSS is "a useful tool for scientific study and journalistic inquiry - or a burglar's crowbar designed for breaking, entering and stealing," the Law Journal chimed in. Lawyers, of course, love this kind of talk, which is no doubt why, as Inside reported, the three-judge panel was revved up enough by the legal banter to allow the session to run an extra 30 minutes. Inside ran a solid and readable analysis of the ideas that were raised, as did ZDNet, which included the tidbit that one "hacker-type" wore a T-shirt displaying the illegal DeCSS code. But both Inside and Wired News predicted the appeals court would probably uphold the lower court's ruling. Sometimes pushing new ideas is like an uphill battle. - Deborah Asbrand Second Circuit Weighs DVD Copying http://www.law.com/cgi-bin/gx.cgi/AppLogic+FTContentServer?pagename=law/View&c=Article&cid=ZZZ9P7GD8MC&live=true&cst=1&pc=5&pa=0&s=News&ExpIgnore=true&showsummary=0 In Lively Oral Arguments, Lawyers Put Digital Copyright Act on Trial http://www.inside.com/jcs/Story?article_id=29820&pod_id=13 Throwing the Book at DeCSS http://www.zdnet.com/zdnn/stories/news/0,4586,5082131,00.html DVD Piracy Judges Resolute http://www.wired.com/news/digiwood/0,1412,43470,00.html Court Hears Appeal of Hacker Wanting to Post Descrambling Code on Internet http://interactive.wsj.com/articles/SB988759509262167525.htm (Paid subscription required.) Judges Weigh Copyright Suit on Unlocking DVD Shield http://www.nytimes.com/2001/05/02/technology/02CODE.html (Registration required.) ------------------------------ Date: Tue, 24 Apr 2001 09:20:08 -0700 From: "NewsScan" Subject: Recording industry threatens researcher with lawsuit The litigation department of the Recording Industry Association of America (RIAA) has threatened legal action against a Princeton University computer scientist if he and his colleagues give a conference presentation this week explaining how to get around a system developed by the industry to protect copyrighted music. The researcher, Dr. Edward W. Felton, works in the field of steganography, which develops techniques such as digital watermarking. The head of RIAA's litigation department insists: "There is a line that can get crossed, and if you go further than academic pursuit needs to go, you've crossed the line and it's bad for our entire community, not just for artists and content holders, it's everyone who loves art, and it's also bad for the scientific community." [*The New York Times*, 24 Apr 2001; NewsScan Daily, 24 April 2001 http://www.nytimes.com/2001/04/24/technology/24MUSI.html] ------------------------------ Date: Mon, 30 Apr 2001 08:52:04 -0700 From: "NewsScan" Subject: Hack attacks from China? The FBI cybercrime division called the National Infrastructure Protection Center is warning that Chinese hackers have publicly discussed increasing their activities in the first week of May, in celebration of two Chinese holidays and in memory of the two-year anniversary of the U.S. accidental bombing of the Chinese embassy in Belgrade. The Internet security company Vigilinx warns that it has the potential to escalate into something very damaging if emotions run unchecked. There is no evidence that attacks have been approved by the Chinese government. (AP/*USA Today*, 27 Apr 2001) http://www.usatoday.com/life/cyber/tech/2001-04-27-chinese-hack.htm NewsScan Daily, 30 April 2001 ------------------------------ Date: Sat, 28 Apr 2001 15:20:16 -0400 From: "Philip Gross" Subject: Space Station software problems predicted four years ago I contributed an article to RISKS on December 8, 1997, (RISKS-19.49) about the enormous risks involved with the software of the International Space Station. 3.5 million lines of code, coming from multiple countries, with little indication of the verification methodologies. In the two subsequent issues RISKS-19.50 and 19.51, anonymous posters with connections to the program agreed with and amplified these concerns. Now we see that, indeed, difficult-to-diagnose software problems are starting to plague the craft. "Computer problems have kept the Endeavour at the station longer than expected as astronauts try to carry out operations of a critical robot arm. The ISS has suffered a series of glitches since Tuesday that left ground controllers with only tentative command," says CNN. (http://www.cnn.com/2001/TECH/space/04/28/shuttle.launch.02/index.html) The RISKS here involve the well-known dangers of leaving debugging until the system is already in use. Although critical safety and control mechanisms may be compromised until the problems are fixed, "Russian space officials refused to delay Saturday's launch but agreed to put the Soyuz in a holding pattern if the shuttle was still at the space station on Monday. Russia said it had been unwilling to postpone the Soyuz mission because the cosmonauts must replace the space station's escape craft, whose service lifetime expires at the end of the month." The world's first space tourist may have an interesting ride... ------------------------------ Date: Mon, 23 Apr 2001 14:02:12 -0600 (MDT) From: "Nelson H. F. Beebe" Subject: Incompatibility shuts down Xerox corporate network *Computerworld* (16-Apr-2001, p. 6 and 78) has two articles on how an incompatibility between a beta release of Microsoft Windows XP and Cisco 5000 routers shut Xerox's corporate network down several times. According to the page-long column on p. 78, ``It got so bad that Xerox warned all 50,000 of its U.S. employees not to installed XP betas without permission or they'd face disciplinary action.''. Nelson H. F. Beebe, Center for Scientific Computing, University of Utah Department of Mathematics, Salt Lake City, UT 84112-0090 +1 801 581 5254 ------------------------------ Date: Thu, 3 May 2001 17:47:14 -0400 From: "Edelson, Doneel [euler:aci]" Subject: Destia shuts down service Destia (known as EconoPhone), a part of Viatel, shut down service to all customers Monday night or Tuesday. Thousands of people with direct-dial service (1+) are scrambling to get an alternate long-distance provider. Until then, they cannot make any long-distance calls except to 800 numbers. Also inbound 800 number service and calling cards provided by this company do not work. ------------------------------ Date: 27 Apr 2001 23:59:44 +0100 From: Yerry Felix <1i@esperi.demon.co.uk> Subject: Mobile phones to prevent car theft? Econet Wireless brand manager David Dzumbira said in the unfortunate event of the vehicle being violated or vandalised, Cellstop will alert the owner by calling on his/her cellphone within seconds of the incident happening. Cellstop will dial the number three times and if these calls are unanswered or responded to, the Cellstop unit will automatically starve fuel to the engine, making it impossible to drive the vehicle, said Dzumbira. But what if the owner forgets the phone, loses it or the phone is stolen? Or, if the phone runs out of power? And what happens if the device springs into action whilst the car is being driven by the legitimate owner? Note that the vehicle is stopped regardless of whether the phone is ignored or answered! Moreover, given the amount of false car alarms that seem to occur, this could be very annoying, although, being the victim of nightly car alarms in my street, I don't have much sympathy here :-) The full article: http://www.mweb.co.zw/zimin/index.php?id=3176&pubdate=2001-04-27 ------------------------------ Date: Thu, 26 Apr 2001 20:17:34 -0500 From: Jim Griffith Subject: CNN censors profane Webby nominee An interesting aspect of this year's Webby's nominees is the nomination of www.f**kedcompany.com in the Humor category (for which I was a nominating judge). When reading the CNN article about the nominations, at http://www.cnn.com/2001/TECH/internet/04/26/webby.awards.reut/index.html#12 I was interested to find that the above-mentioned site was apparently deliberately excluded from the list of nominees, probably for the profane name. The *San Jose Mercury News* site reported the complete list, however. [comp.risks censors "CNN censors profane Webby nominee" as well. PGN] ------------------------------ Date: Mon, 30 Apr 2001 15:16:55 -0400 From: "Bob Frankston" Subject: Another problem with the DNS I e-mailed a URL, http://www.washtech.com/news/media/9387-1.html. The spelling corrector apparently chanted washtech to washes which is a porno site! The risk here isn't so much spelling correction as the current attempt to use the DNS as a directory. The density of the namespace is just one of the many problems. Bob Frankston http://www.Frankston.com ------------------------------ Date: Sun, 29 Apr 2001 19:18:28 -0700 From: Dave Stringer-Calvert Subject: MS security updates infected with virus Microsoft security fixes infected with FunLove virus A virus infection of security fix files on Microsoft's partner and premier support Web sites has forced the software giant to suspend certain downloads for more than a fortnight. Microsoft issued an alert on Monday, which states that various Hotfix files on its Premier Support and Microsoft Gold Certified Partners Web sites are infected with the FunLove virus. A copy of the notice said Microsoft has stopped access "in order to protect customers" to an unspecified number of files, and expects to be able to restore access later today. Customers were advised to contact their technical account manager in the interim. [http://www.theregister.co.uk/content/8/18516.html] [Also noted by Jeremy Epstein. PGN] ------------------------------ Date: Mon, 30 Apr 2001 22:11:37 +0200 From: Quisquater Subject: Microsoft error message Q276304 - Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords New level of security at Microsoft. Jean-Jacques Quisquater, [The password must be Macrohard? PGN] ------------------------------ Date: Tue, 24 Apr 2001 16:46:05 EDT From: Elinsky@aol.com Subject: Using calendar reminder service to remember anniversary of sad event This is from the "Metropolitan Diary" section of *The New York Times*, 23 Apr 2001. The writer unknowingly set herself up for an eerie reminder mail, by not entering the event as "Anniversary of Grandpa's death". Even if she had, the mail probably would've still contained the (presumably inappropriate) gift suggestions. Harriet Inselbuch signed up for a calendar reminder service on the Internet and duly entered important dates like birthdays and anniversaries. The service notifies her by e-mail a few days before an important event. One anniversary she listed was of a family death, a reminder to her to light a candle. A few days before that particular date, she did receive a message and it provided somewhat of a shock. It read, "Reminder: Grandpa's death is just around the corner" followed by three or four gift suggestions for the occasion. ------------------------------ Date: Mon, 23 Apr 2001 17:12:45 -0400 From: "Robert J. Woodhead (AnimEigo)" Subject: Risks of Net-connected appliances After watching a breathless CNN report about Internet-enabled espresso machines, it occurs to me that one of the greatest risks of having appliances connected to the Internet is that one's refrigerator might start forwarding spam instead of simply storing it. Robert Woodhead, Webslave & Mad Overlord http://selfpromotion.com/ ------------------------------ Date: Fri, 27 Apr 2001 14:17:46 -0400 From: Steve Holzworth Subject: Re: MSN "upgrade" creates long distance calling (RISKS-21.32) WRAL-TV Online reports that the Microsoft Network (MSN) has agreed to pay back dozens of people who received huge Internet phone bills by mistake. http://www.wral-tv.com/features/5onyourside/2001/0426-msn-second-folo/ "Combined, complainants were billed more than $13,000 in unexpected charges. For about a month when the Wake County customers accessed the Internet, they were routed to a long distance Chapel Hill number -- a number they did not know they had been switched to. John Bason, a spokesman for the North Carolina Department of Justice, says the situation definitely needs to be addressed." ... "Microsoft is telling the Attorney General's office that the error was theirs and agreed to pay back consumers. Any MSN customers who were erroneously billed must file a complaint with the Attorney General's office at 919-xxx-xxxx." Steve Holzworth, Senior Systems Developer, SAS Institute, Cary, N.C. Open Systems R&D VMS/MAC/UNIX ------------------------------ Date: Wed, 25 Apr 2001 15:04:56 -0400 From: David Farber Subject: IP: The follow-on to James Bamford's *Puzzle Palace* James Bamford Body of Secrets: Anatomy of the Ultra-Secret National Security Agency: From the Cold War Through the Dawn of a New Century [Good review in *The New York Times* Sunday Book Review section, 29 April 2001. PGN] ------------------------------ Date: Thu, 3 May 2001 09:50:50 +0200 From: Meine van der Meulen Subject: Definitions for Hardware and Software Safety Engineers I would like to bring the book 'Definitions for Hardware and Software Safety Engineers' under your attention. It quotes definitions in the field of hard-and software dependability engineering from over a hundred sources. When more definitions exist it quotes these to enable comparison. Much attention has been paid to cross-referencing. M.J.P. van der Meulen, Definitions for Hardware and Software Safety Engineers, ISBN 1-85233-175-5, Springer, London, hardcover, 342 pages. URL: http://www.springer.de/cgi-bin/search_book.pl?isbn=1-85233-175-5 Meine van der Meulen, Max Euwelaan 60, 3062 MA Rotterdam Tel 010-4535959 SIMTECH Engineering: www.simtech.nl ------------------------------ Date: 12 Feb 2001 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) which now requires confirmation to majordomo@CSL.sri.com (not to risks-owner) [with option of E-mail address if not the same as FROM: on the same line, which requires PGN's intervention -- to block spamming subscriptions, etc.] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 21.37 ************************