Subject: Risks Digest 22.16

RISKS-LIST: Risks-Forum Digest  Sunday 21 July 2002  Volume 22 : Issue 16

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
U.S. House approves life sentences for crackers (NewsScan)
Expert says Palm Beach's new voting machines have problems (PGN)
Palm Beach voters at it again (Dan Scherer)
'Face testing' at Logan is found lacking (Monty Solomon)
Japanese service links ATMs to cell phones (Mich Kabay)
Yahoo admits changing e-mail text to block hackers (Monty Solomon)
IIS Mail exploit (Matthew Byng-Maddick)
E-mail content filtering may kill the medium (Derek K. Miller)
"You may not have received this e-mail" (Monty Solomon)
Forensic programming course outline (Rob Slade)
Re: EULA (Derek J. Balling)
REVIEW: "The Hacker Diaries", Dan Verton (Rob Slade)
REVIEW: "Hacker Attack", Richard Mansfield (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 16 Jul 2002 09:18:43 -0700
From: "NewsScan"
Subject: U.S. House approves life sentences for crackers

The U.S. House of Representatives has approved the Cyber Security Enhancement Act (CSEA) by a near-unanimous vote [385-3]. Among the Act's provisions are an expansion of police ability to conduct Internet or telephone eavesdropping without first obtaining a court order, and the approval of life prison sentences for malicious computer hackers (crackers) whose acts "recklessly" put others' lives at risk. In the case of wiretaps, the Act would permit limited surveillance without a court order when there is an "ongoing attack" on an Internet-connected computer or "an immediate threat to a national security interest."
The surveillance would be limited to collecting a suspect's telephone number, IP address, URLs or e-mail header information -- not the content of an e-mail message or phone conversation. In addition, the Act would permit ISPs to disclose the contents of e-mail messages and other electronic records to police in cases when "an emergency involving danger or death or serious physical injury to any person requires disclosure of the information without delay." The Act is not expected to meet any serious opposition in the Senate.
[CNet News.com 15 Jul 2002; NewsScan Daily, 16 July 2002]
http://news.com.com/2100-1001-944057.html?tag=fd_top

  [Declan McCullagh notes that the CSEA had been written before 11 Sep 2001. PGN]

------------------------------

Date: Wed, 17 Jul 2002 00:34:50 -0400
From: Peter G Neumann
Subject: Expert says Palm Beach's new voting machines have problems

Associated Press item by Jill Barton, 16 Jul 2002

The voting machines that replaced butterfly ballots and hanging chads are checked by an "Enron-style of auditing" and don't provide voters any assurance that their votes are being cast, an expert testified Tuesday.

Rebecca Mercuri, a computer science professor at Bryn Mawr College in Pennsylvania, said questions remain about the $14 million machines Palm Beach County purchased to improve its voting system because they are designed to audit themselves.

"The problem with the self-auditing machines is if it's broken, how can it tell you that it's broken?" Mercuri said.

Mercuri's testimony provided the latest criticism of a county still embarrassed by the 2000 election debacle. She was called in a Tuesday afternoon hearing to bolster a Boca Raton man's claims that he lost a City Council election in March because the new machines malfunctioned. Former Mayor Emil Danciu's suit seeks to have the results overturned and a new election held.
The suit includes affidavits from eight voters who said they had trouble casting ballots on the ATM-style machines and says voters should be given paper receipts to confirm their vote was recorded. It also seeks to allow an independent review of the voting machines and related software and security features.

Supervisor of Elections Theresa LePore says such a review would void the machines' warranty and that they've been reviewed twice by labs appointed by the federal government and also by a state worker. She says most of the information the plaintiffs are seeking is filed with the state Division of Elections in Tallahassee and even if it were available, she couldn't provide it because it includes trade secrets of Sequoia Voting Systems Inc., which manufactures the machines.

"I'm not willing to let anyone take a machine and take it apart," LePore said. "I don't think the taxpayers would appreciate them taking apart a $3,500 machine and voiding the warranty."

LePore has said the only problems reported to her office following the March election were screens temporarily freezing when voters chose between English and Spanish, which did not prevent voting. She said the machines further demonstrated that they work Saturday when the county held a mock election in supermarkets and shopping malls allowing voters to try out the machines.

------------------------------

Date: Sat, 20 Jul 2002 11:43:35 -0700
From: "Dan Scherer"
Subject: Palm Beach voters at it again

As noted in an AP news article
  http://ap.tbo.com/ap/florida/MGAIFTWBQ3D.html
and reviewed on /.
  http://slashdot.org/articles/02/07/20/0124232.shtml?tid=126
some West Palm County voters and politicians are upset that their new "ATM style" voting machines have an internal auditing system that doesn't allow access to the "self-auditing" side of the software. Voters are claiming that the machine didn't register their votes, and that an election hangs in the balance because of the discrepancies.
The Slashdot crowd is holding this up as an example of where open source needs to be used while the equipment manufacturer refuses to disclose their trade secrets on the "self auditing" software. The RISKS are obvious.

------------------------------

Date: Wed, 17 Jul 2002 23:08:15 -0400
From: Monty Solomon
Subject: 'Face testing' at Logan is found lacking

A test at Boston's Logan International Airport has found that computerized facial-recognition systems, one of the most trumpeted new technologies in the war on terrorism, may not be a practical tool for airport security. The machines were fooled when passengers turned their heads in certain directions, and screeners became overtaxed by the burdens of having to check passengers against a large pool of faces that closely resemble theirs.

Hiawatha Bray, *The Boston Globe*, 17 Jul 2002.
http://www.boston.com/dailyglobe2/198/metro/_Face_testing_at_Logan_is_found_lacking+.shtml

------------------------------

Date: Wed, 17 Jul 2002 18:56:07 -0400
From: Mich Kabay
Subject: Japanese service links ATMs to cell phones

NTT DoCoMo is set to launch the world's first service that enables cell phone users to withdraw cash from automated teller machines located in convenience stores and supermarkets. Instead of inserting a bank card into the designated slot, users of DoCoMo's 504i handsets would push a few buttons on their phones in order to complete an ATM transaction. Analysts said the system was certainly novel, but it's still unclear how user-friendly it will prove. "Younger people may be more receptive, but people generally already have cash cards," says one analyst at a foreign securities firm. DoCoMo says the new system, which it is offering in partnership with IY Bank, likely will launch sometime in early 2003.
(Reuters/Yahoo, 16 July 2002)
http://story.news.yahoo.com/news?tmpl=story2&cid=581&ncid=581&e=9&u=/nm/20020716/tc_nm/financial_japan_iybank_dc_2

I think no comment is necessary on the RISKS of linking banking systems to wireless phone systems. It will be worth watching developments.

M. E. Kabay, PhD, CISSP, Dept CompInfoSys, Norwich University, Northfield VT
http://www2.norwich.edu/mkabay/index.htm

------------------------------

Date: Wed, 17 Jul 2002 23:09:10 -0400
From: Monty Solomon
Subject: Yahoo admits changing e-mail text to block hackers

... Yahoo! Inc. has confirmed that its e-mail software automatically changes certain words -- including "evaluate" -- in a bid to prevent hackers from spreading viruses. Although the company declined to list the words its software had been changing, a report on the technology news Web site, News.com, reported that the program changes "mocha" to "espresso," and the phrase "eval" to "review."

  [Article by Andrea Orr, Reuters, 17 Jul, 2002, noting that your applications for employment may have been altered! PGN]
http://finance.lycos.com/home/news/story.asp?story=27883602

------------------------------

Date: Sun, 14 Jul 2002 23:50:55 +0100
From: Matthew Byng-Maddick
Subject: IIS Mail exploit

The recent IIS Mail encoding bug has not yet made it into RISKS. The bug in question was an encoding error in the mail component of IIS, but unlike a lot of the other encoding bugs in IIS, which, as far as I understand it, only allow the server in question to be compromised, this bug makes the server into an open relay.

What's the difference, you may ask. Spammers have been looking at exploiting mail relays for some time in an effort to avoid some of the audit trail used in the message (the Received: headers, inserted by the MTAs), they've tried with buffer overflows and other such things. Now they suddenly have a trivial way of trying to relay a message.
Of course, all that will happen is that the test should get added to a half of the current Open Relay Blacklists (ordb, orbz etc.), but then we risk blackholing a fair amount of the Internet, because, like it or not, large numbers of Microsoft servers are appearing and being used.

When will it all stop?

Matthew Byng-Maddick  http://colondot.net/

------------------------------

Date: Wed, 17 Jul 2002 12:48:18 -0700
From: "Derek K. Miller"
Subject: E-mail content filtering may kill the medium

E-mail filtering, in an effort to stop spam, has become insidious. Used properly -- especially by individual users -- it can be quite helpful. Used sloppily to filter for semi-arbitrary spamlike content (as it often is by server administrators and others), it risks killing e-mail as a useful form of communication.

I'd highly recommend the following articles and discussion at the TidBITS mailing list site, which cover the issue and its hazards in clear and useful detail:

Killing the Killer App
  http://db.tidbits.com/getbits.acgi?tbart=06866
Content Filtering Exposed
  http://db.tidbits.com/getbits.acgi?tbart=06869
Various discussion threads:
  http://db.tidbits.com/getbits.acgi?tlkthrd=1679
  http://db.tidbits.com/getbits.acgi?tlkthrd=1680
  http://db.tidbits.com/getbits.acgi?tlkthrd=1681
  http://db.tidbits.com/getbits.acgi?tlkthrd=1683
  http://db.tidbits.com/getbits.acgi?tlkthrd=1684

Here's a pertinent excerpt:

> * Email is increasingly being filtered for its content;
>
> * That filtering is often being done without the knowledge or
>   consent of affected users;
>
> * Over time, inaccurate filtering will substantially reduce
>   the general utility of email.
>
> In short, we're starting to see signs that email, often hailed
> as the Internet's "killer app," is in danger of becoming an
> unreliable, arbitrarily censored medium - and there's very little
> we can do about it.

Derek K. Miller, Vancouver, BC, Canada  dkmiller@pobox.com  http://www.penmachine.com

------------------------------

Date: Wed, 17 Jul 2002 23:10:26 -0400
From: Monty Solomon
Subject: "You may not have received this e-mail"

Web Informant #293, 9 July 2002: You may not have received this e-mail

George Carlin once had a bit about the seven dirty words that couldn't be said on TV: if only our email systems were as discreet and predictable about the nature of their censorship. Indeed, I can almost guarantee that if I include certain words in this message (such as viag--, -orn, make -oney -ast, or any of Carlin's seven choice words), many of you won't ever get this email.

The trouble is that spammers, virus authors (or whatever deriding term you would like to use to call the scum that create these annoyances), and others have become too clever at creating their garbage. And in the ever escalating war of technology, email filtering products have become too good at cutting off legitimate messages, just because they contain the equivalent of Carlin's list.

The best research on this was an article that was posted to the TidBITS mailing list this past week. If you are interested in Macs and in general the Internet, this is a weekly series of essays that Adam Engst and others write and distribute for free via e-mail to over 40,000 people, along with posting it to tidbits.com and many other web sites. Geoff Duncan concludes several trends:

http://strom.com/awards/293.html

------------------------------

Date: Sun, 21 Jul 2002 14:15:51 -0800
From: Rob Slade
Subject: Forensic programming course outline

I am currently teaching forensic programming, at roughly the third-year college/university level, at BCIT, and the course will also be run in the fall and again in the spring.
Since this is the first course of its kind (as far as I have been able to determine), and since most of the resources (somewhat by necessity) are online, I am beginning to put together the course outline and resources as a set of Web pages. This is not (so far) anything like a full online course: for one thing, I have not (so far) written out complete lecture notes. However, for those interested, the "table of contents" page is available at
  http://victoria.tc.ca/techrev/fptoc.htm
or
  http://sun.soci.niu.edu/~rslade/fptoc.htm
(and also http://cstbtech.bcit.ca/FP/index.html).

This is very much a work in progress, and will be updated and expanded frequently in the coming weeks.

rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Mon, 15 Jul 2002 10:58:08 -0400
From: "Derek J. Balling"
Subject: Re: EULA

Something which occurred to me, working in the healthcare industry these days, is that I'm not sure - given HIPAA compliancy regulations and the like - that I *can* agree to allow companies permission "to install random software on random machines without any notice or confirmation".

As security concerns, especially in terms of personal information protection and such, get more and more codified into law, the chance that a business will run afoul of the "Choose between obeying the law and obeying the EULA" dilemma are going to be on the increase. Given certain Pacific Northwest companies' love for deep-pockets litigation to enforce EULA's after the fact, whichever choice is made is certain to be costly in one manner or another.

I've already pointed out to the head of our IT department that from my cursory, non-lawyer, reading of the WinXP EULA, we have to move it from the "we don't support this" category to the "this is explicitly forbidden from our machines" category.

Derek J. Balling  www.megacity.org/blog/

------------------------------

Date: Mon, 15 Jul 2002 07:59:32 -0800
From: Rob Slade
Subject: REVIEW: "The Hacker Diaries", Dan Verton

BKHCKDRY.RVW   20020519

"The Hacker Diaries", Dan Verton, 2002, 0-07-222364-2, U$24.99
%A   Dan Verton
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2002
%G   0-07-222364-2
%I   McGraw-Hill Ryerson/Osborne
%O   U$24.99 905-430-5000 +1-800-565-5758 fax: 905-430-5020
%P   219 p.
%T   "The Hacker Diaries: Confessions of Teenage Hackers"

Teenaged hackers are misunderstood. Definitions are for lamers, morality is a "bogus" concept. These noble idealists are questers after the Holy Grail of knowledge: problem solvers who are attempting to enlighten the masses. Given a little dedication, you too can, inside of six months, go from being a technopeasant to "knowing everything there [is] to know" about computers. Thus it is written in the Gospel of Verton. (While we are at it, I have this nice bridge you might want to purchase ...)

Even if you ignore questions about the definition of what "hacking" actually is, and even if you leave aside the author's biased sympathy for rebels-without-a-clue, the introduction alone points out that Verton has not performed the research one would think minimal to such a project: reading the "popular" literature on the subject, never mind the more serious analyses by researchers like Denning and Gordon. How else can he make the statement that this book is the first ever to try and penetrate the veil of secrecy surrounding the computer vandal community, an assertion that must come as a bit of a shock to authors like Levy ("Hackers," cf. BKHACKRS.RVW), Sterling ("Hacker Crackdown," cf. BKHKRCRK.RVW), Taylor ("Hackers," cf. BKHAKERS.RVW), Dreyfus ("Underground," cf. BKNDRGND.RVW), and a host of others. It is, therefore, no surprise that this author gets basic factual information wrong, such as the confusion of the infamous Operation Sundevil with more successful prosecutions of computer crime.
Verton decries the blind and ignorant stereotyping of loners who are more comfortable with computers than with their peers, but he is, himself, guilty of promoting the same kind of confusion. The group targeted after the Columbine shootings was not the computer community but the Goths, who share almost no characteristics with hackers except for a slightly obsessive interest in an esoteric topic and a position outside the mainstream. (Well, possibly also an aversion to sunlight ...) Verton has attempted to include "representative" examples of both maladjusted criminals and ethical hackers, but draws no distinctions between them and, indeed, seems to be trying to lump them all together.

No, I've changed my mind. Let's not leave aside the question of a definition of hacking. Like too many authors, Verton also wants to continue the confusion of the original idea of a hacker as a skilled technologist with the more recent concept of the vandals of computer systems. But he also immediately destroys his position by pointing out that a cracker cannot change his "handle," the (usually offensive) nickname used to achieve both identity and anonymity online. If an underground "hacker" changes his handle, he loses his status and becomes just another wannabe. Verton does not seem to realize the import of this statement. A cracker's credibility is tied to his nickname, since he is only as good as his "rep," the record of defacements or intrusions he is able to boast about. There is no actual skill set behind such a reputation. In opposition, if true hackers like Richard Stallman or Eric Raymond were to change their names, and were then to write new programs and release them to the world, those programs would still be useful and of good quality. (Top programmers would, in fact, probably be able to identify the authors of emacs and fetchmail by programming excellence and style.)

Verton's writing seems clear and readable unless you start to think about it.
A story will say that A happened, then B happened, then C happened, then B happened, then D happened, then B happened. Times are quite indefinite, but since the narrative is unclear even about simple sequences it is not any real shock to find out that the author does not know larger items of technical history, such as that UNIX predates VMS. Likewise, Verton isn't interested in having consistency get in the way of a good story, even if the story doesn't make any sense. Directions and motivations change suddenly and without apparent reason: reading between the lines indicates that there is a lot that we aren't being told. Probably the author wasn't told, either. It sounds like he didn't even ask. (The interview subjects seem to have realized that they were dealing with a credulous author: Verton retails stories out of common urban legends and jokes without seeming to have identified them as such. Despite his credentials as a reporter for a computer trade magazine Verton's technical knowledge is questionable--he doesn't know a denial of service attack from a reformat nor that the Macintosh doesn't have a Windows Registry.)

Despite tidbits of trivia, ultimately the book is boring. One can only read so many times that Amanda (or Betty or Cathy) accidentally touched a computer on her seventh birthday and thereafter became obsessed with re-writing the CP/M kernel before one loses interest. The names may change, the hacks may change, the outcomes and choices of whether or not to be useful or messed up may change, but in the end, the lessons are the same: non-existent.

copyright Robert M. Slade, 2002   BKHCKDRY.RVW   20020519
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Thu, 18 Jul 2002 15:30:41 -0800
From: Rob Slade
Subject: REVIEW: "Hacker Attack", Richard Mansfield

BKHCKATK.RVW   20020519

"Hacker Attack", Richard Mansfield, 2000, 0-7821-2830-0, U$29.99/C$44.95/UK#19.99
%A   Richard Mansfield earth@worldnet.att.net
%C   1151 Marina Village Parkway, Alameda, CA   94501
%D   2000
%G   0-7821-2830-0
%I   Sybex Computer Books
%O   U$29.99/C$44.95/UK#19.99 510-523-8233 Fax: 510-523-2373
%P   293 p.
%T   "Hacker Attack: Shield Your Computer from Internet Crime"

"FACT: It's unlikely that you'll ever personally experience a computer virus in your home computer." Ah, those glowing, carefree days of yore when ... wait a minute. This book wasn't published all THAT long ago ...

This work is intended to address three issues: intrusions, privacy, and viruses. The author hopes that it will be as much fun to read as it was to write. Given the unrealistic assessment of risk levels, the almost random choice of topics, and the lighthearted approach, I did not start out feeling confident of the chances of finding useful information herein. (While we may agree that script kiddies and such cracker wannabes are grubs and insects, the security community does *not* refer to them as "larvae.")

Part one is entitled "Hackers, Crackers, and Whackers." Chapter one is a generic warning about the fact that some people may be trying to probe you. Some information (such as directions on turning file and print sharing off) are useful, others (such as the need to share IP addresses--assuming you even know them--with friends for chatting and instant messages) are either wrong or not very useful.
Port scanning gets mentioned, and, aside from the fact that there are more reliable ways of determining open ports, the specific example of an open port used isn't terribly handy since we are told neither what it is nor how to turn it off. Phone phreaks are discussed in chapter two--without mention of the fact that in-band signalling is now obsolete. Hackers are academics studying decryption, viruses can harvest your passwords, and munging your e-mail address is an effective tool against spam, or so we are told in chapter three. Chapter four gives names to some really silly cracking techniques. Some equally silly defences are suggested in chapter five. Chapter six does say that there are better protections available, but doesn't talk about how to implement them. High-speed connections are said to be security risks (the real culprit being static IP addresses) in chapter seven. A variety of URLs are given for the ZoneAlarm product, and instructions for getting warnings about cookies from one version of the Internet Explorer browser are provided in chapter eight.

Part two is supposed to deal with privacy. Chapter nine does, with a rapid race through a number of related issues. Chapters ten through thirteen, however, examine a number of encryption technologies that are no longer used. The algorithm central to DES (Data Encryption Standard) is used as an example of a symmetric encryption system in chapter fourteen. Chapter fifteen explains the use of prime numbers to create asymmetric (public key) systems. Both of these chapters are remarkably unhelpful in terms of the actual use of encryption. Chapter sixteen explains digital signatures, but very briefly. The dialogue boxes involved in using the Encrypting File System of Windows 2000 are displayed in chapter seventeen. Chapter eighteen speculates on quantum computers. Source code for a random number generator for a one-time pad is given in chapter nineteen.

Part three looks at viruses. (Ready?)
Chapter twenty gives a brief account of the Internet/Morris/UNIX Worm of 1988, informing us that viruses had been used for years for network administration (untrue) and failing to explain what defrauding your girlfriend has to do with the worm. Some basics of virus structure are correct in chapter twenty one, but there is also confusion of pranks and trojans, and the discussion of virus functions applies only to boot sector infectors. Chapter twenty two provides an overview of Melissa and Loveletter. Useless means of defending against Microsoft Word macro viruses (known to have been bypassed long before this book was written) are given in chapter twenty three. Chapter twenty four tells us that viruses are mainly hype.

Well, there are a few tips in this work that might help you to prevent intrusions, protect your privacy, and avoid viruses. Very few. The material is scant, and is padded out to book length with random insertions only nominally related to the topics at hand. Although not stated, it is fairly clear that the volume is intended for the average computer user rather than the security specialist. In terms of that general audience, the text is nowhere near detailed enough in those areas that the typical user can address. The material on network intrusions has some points, but many gaps. The section on cryptography might be interesting to a few, but is of little practical use. The opining on viruses is too often flatly wrong.

copyright Robert M. Slade, 2002   BKHCKATK.RVW   20020519
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.
Alternatively, via majordomo, send e-mail requests to with one-line body
  subscribe [OR unsubscribe]
which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
If Majordomo balks when you send your accept, please forward to risks.
[If E-mail address differs from FROM:  subscribe "other-address " ;
this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
Lower-case only in address may get around a confirmation match glitch.
  INFO     [for unabridged version of RISKS information]
There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
.MIL users should contact (Dennis Rears).
.UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
  http://www.CSL.sri.com/risksinfo.html
  ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.
*** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
  ftp ftp.sri.com
  login anonymous
  [YourNetAddress]
  cd risks
  [volume-summary issues are in risks-*.00]
  [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
http://catless.ncl.ac.uk/Risks/VL.IS.html  [i.e., VoLume, ISsue].
  Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
http://www.planetmirror.com/pub/risks/
ftp://ftp.planetmirror.com/pub/risks/

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
  http://www.csl.sri.com/illustrative.html for browsing,
  http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.16
************************