Subject: Risks Digest 22.20

RISKS-LIST: Risks-Forum Digest  Thursday 22 August 2002  Volume 22 : Issue 20

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
"Homeland Insecurity" (Monty Solomon)
Home overvalued by $200 million affects tax recovery (Fuzzy Gorilla)
103-year-old man told to bring parents for eye test (Arthur Goldstein)
Alleged ID thief arrested in NYC (Monty Solomon)
Your packets know the way to San Jose. (Malcolm Purvis)
Emergency call-center power-supply woes (Dave Stringer-Calvert)
YASST: Yet Another Silly Spam Trick (Rob Slade)
Re: E-mail content filtering ... (Joe Stoy)
E-mail *envelope* filters blocking NDN and DSN (MAtteo HCE Valsasna)
Content based e-mail filtering -- timely example (Betsy Schwartz)
Klez + html login = no security (Leonard Erickson)
Klez: The Virus That Won't Die (Monty Solomon)
The left hand of the government asketh ... (Rob Slade)
Re: Apple OSX and iDisk and Mail.app (Dave)
REVIEW: "Computers and Ethics in the Cyberage", Hester/Ford (Rob Slade)
SAFECOMP 2002 & ECCE-11 (Massimo Felici)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 14 Aug 2002 10:16:15 -0400
From: Monty Solomon
Subject: "Homeland Insecurity"

Charles C. Mann, a top expert, says America's approach to protecting itself
will only make matters worse. Forget "foolproof" technology -- we need
systems designed to fail smartly...

To stop the rampant theft of expensive cars, manufacturers in the 1990s began
to make ignitions very difficult to hot-wire. This reduced the likelihood
that cars would be stolen from parking lots -- but apparently contributed to
the sudden appearance of a new and more dangerous crime, carjacking.
After a vote against management Vivendi Universal announced earlier this year
that its electronic shareholder-voting system, which it had adopted to
tabulate votes efficiently and securely, had been broken into by hackers.
Because the new system eliminated the old paper ballots, recounting the
votes -- or even independently verifying that the attack had occurred -- was
impossible.

To help merchants verify and protect the identity of their customers,
marketing firms and financial institutions have created large computerized
databases of personal information: Social Security numbers, credit-card
numbers, telephone numbers, home addresses, and the like. With these
databases being increasingly interconnected by means of the Internet, they
have become irresistible targets for criminals. From 1995 to 2000 the
incidence of identity theft tripled.

http://www.theatlantic.com/issues/2002/09/mann.htm

  [This article is extremely timely, well written, and important for RISKS
  readers.  It also features various insights from Bruce Schneier, whom
  Charles interviewed while researching the article.  PGN]

------------------------------

Date: Mon, 19 Aug 2002 16:20:50 -0700
From: "Fuzzy Gorilla"
Subject: Home overvalued by $200 million affects tax recovery

In Manhattan, Kansas, a home property valued at $59,500 was inadvertently
changed to $200,059,000, and seriously disrupted the calculation of the local
budgets for the school district, the city, and Riley County -- resulting in a
6.5% overstatement of the value of county property, and a shortfall in tax
revenues of over $2.3 million.
  [PGN-ed]
http://dailynews.yahoo.com/news?u=/ap/20020819/ap_on_fe_st/property_value_2

------------------------------

Date: Fri, 02 Aug 2002 01:14:55 +0000
From: arthur.goldstein@att.net
Subject: 103-year-old man told to bring parents for eye test

Another cute medical mix-up (Reuters, 31 Jul 2002):
http://news.excite.com/odd/article/id/256255|oddlyenough|07-31-2002::12:22|reuters.html

British pensioner Joseph Dickinson, 103, had a shock when his local hospital
called him in for an eye test and told him to bring his parents. "I must be
getting younger, in fact much younger," he told his local paper, the
Hartlepool Mail. He was born in 1899, but because the hospital computer only
read the last two digits it mistook his age as just three years old. ...

------------------------------

Date: Tue, 20 Aug 2002 22:17:56 -0400
From: Monty Solomon
Subject: Alleged ID thief arrested in NYC

A man captured by the US Marshals Service in New York is accused of stealing
the identities of 12 Boston lawyers to buy lavish cars and finance spending
sprees, the agency said yesterday. Shawn R. Pelley, 26, had evaded authorities
for nearly a year before he was caught after a car chase. Once convicted of
fraud, he allegedly began an identity-theft scam shortly after his release
from prison last summer. Using information from a law directory, he allegedly
obtained his victims' birth certificates and credit reports, opened
credit-card accounts, and took bank loans on the stolen IDs.
  [Source: Thanassis Cambanis, *The Boston Globe*, 20 Aug 2002; PGN-ed]

------------------------------

Date: Wed, 21 Aug 2002 22:32:00 +1000
From: Malcolm Purvis
Subject: Your packets know the way to San Jose.

The Southern Cross Cable Network, a significant supplier of bandwidth between
Australia and the US, recently announced a new access point in San Jose.
The Associated Press release says in part:

  The new San Jose access point is located at Market Post Tower, which
  currently houses the world's most famous Internet peering point, MAE West.
  Virtually all of the network access points and data centers in the
  surrounding San Francisco Bay Area connect to Market Post Tower via
  high-speed local fiber rings. ... 70% of the Internet traffic from the
  Western United States and 40% of the world Internet traffic passes through
  the building that houses the new Southern Cross access point.

I wonder how well the rest of the Internet would cope if something happened
to that building (which has a web site, so you can learn all about it). I
also see that MAE West is owned by WorldCom.

The press release is at:

------------------------------

Date: Mon, 19 Aug 2002 21:46:05 -0700
From: Dave Stringer-Calvert
Subject: Emergency call-center power-supply woes

One of North Yorkshire Police's main telephone switchboards was shut down for
four hours as the result of a serious control-room power-supply problem in
Newby Wiske, Northallerton. Traffic was redirected to the York control room,
which had considerable congestion due to the reduced total number of
operators.
  [Source: Article by Tony Tierney, *Yorkshire Evening Press*, 19 Aug 2002;
  PGN-ed]

------------------------------

Date: Sun, 4 Aug 2002 14:58:43 -0800
From: Rob Slade
Subject: YASST: Yet Another Silly Spam Trick

At the moment I have a hotmail account, rmslade@hotmail.com. It gets a ton of
spam, of course. Recently, as I was cleaning out the accumulated sludge
(Hotmail's "junk" settings are pretty useless), I noted a message that
appeared to come from "rmslade." Now, it isn't unusual for spammers to set up
the mailing so that the messages have a forged "From" line that contains the
same address the message is sent to. Only in this case, the message was from
rmslade@yahoo.com, and that is not an address I own.
Looking at the headers in detail revealed (along with the fact that the
spammer is probably yallddamail.com [65.121.131.5] [Qwest Communications])
that the actual address used is $user@yahoo.com.

Now, as I said, spammers spoof addresses all the time. But does Hotmail have
to enable such a transparent means of allowing it?

rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

------------------------------

Date: Mon, 29 Jul 2002 10:32:34 -0400
From: Joe Stoy
Subject: Re: E-mail content filtering ... (Miller, RISKS-22.16)

My favourite story along these lines is about the two German musicologists
who were having a learned discussion by e-mail about Bach's B Minor Mass,
until both simultaneously came to the conclusion that the other side was
losing interest towards the end of the Gloria. But it turned out that their
e-mail system was simply refusing to let through any mention by name of the
magnificent fugue at the end of that section.

------------------------------

Date: Mon, 29 Jul 2002 16:24:00 +0200 (CEST)
From: MAtteo HCE Valsasna
Subject: E-mail *envelope* filters blocking NDN and DSN

Many RISKS readers have already reported about RISKs associated with e-mail
filters based on the contents. But serious service RISKs are also associated
with envelope-based filters, i.e., filters based on the sender (or recipient)
used in SMTP transactions (in contrast with those present in the e-mail
headers).

Many SMTP servers have started filtering e-mail with an empty envelope
sender, their administrators claiming they can block a lot of spam that way.
This is in clear contrast with RFC [rfc1123, see quote below].
A reason for this is that an empty envelope sender must be used with NDN (Non
Delivery Notification) and DSN (Delivery Status Notification) messages, which
are used to inform the sender that his message couldn't be delivered to the
recipient, or to confirm to the sender the delivery or the reading of a
message [rfc1891, see quote below]. Filtering those messages could mean that,
under certain conditions, a delivery confirmation could fail to reach the
sender, or, much worse, a non-delivery notification could never reach the
sender.

When empty reverse path filtering is applied at the SMTP server receiving
messages for the user's address, NDN and DSN messages originated at other
servers will be rejected. This can happen for example if the user uses a
different SMTP server to send her messages, if the SMTP server that receives
a message does not reject it immediately, but rather accepts it and later
generates a negative DSN message to inform the reader of the missed delivery,
and also happens for DSN messages generated at a different domain than the
sender's.

SMTP gives no guarantees about the delivery of a message, but makes any
possible effort to inform the sender that a message could not be delivered
(also these efforts are not generally guaranteed to succeed). Filtering
messages with an empty envelope sender risks rendering these attempts
useless.

Users have got accustomed to receiving a negative confirmation (NDN) when
they send a message that will never reach the recipient, so they may trust
that a message for which they received no NDN has actually been delivered (a
classical problem of double-negative logic). Filtering empty reverse path
messages will void this trust, leaving the sender with the impression that
his message has reached someone. The RISKs associated with this false
assumption are obvious.
The assumption is actually false based on SMTP's absence of guarantees, not
on the improper loss of NDN messages due to empty SMTP sender filtering, but
users do not read manuals, they look at how the service actually works and
build their assumptions accordingly. Another general-purpose RISK (assuming
that a system that usually works will *always* work).

MAtteo HCE Valsasna - Network & Linux Administrator
Centro SIC - Univ. degli Studi dell'Insubria

http://www.faqs.org/rfcs/rfc1123.html
(Requirements for Internet Hosts -- Application and Support)

  5.2.9  Command Syntax: RFC-821 Section 4.1.2

  The syntax shown in RFC-821 for the MAIL FROM: command omits the case of
  an empty path:  "MAIL FROM: <>" (see RFC-821 Page 15).  An empty reverse
  path MUST be supported.

http://www.faqs.org/rfcs/rfc1891.html
(SMTP Service Extension for Delivery Status Notifications)

  7.1  SMTP Envelope to be used with delivery status notifications

  The DSN sender address (in the SMTP MAIL command) MUST be a null
  reverse-path ("<>"), as required by section 5.3.3 of [9].  The DSN
  recipient address (in the RCPT command) is copied from the MAIL command
  which accompanied the message for which the DSN is being issued.  [...]

------------------------------

Date: Sun, 11 Aug 2002 12:59:17 -0400
From: Betsy Schwartz
Subject: Content based e-mail filtering -- timely example

Another problem is that it's impossible for any one sysadmin to know, for a
given string, whether it's a legitimate word or name in some contexts. I've
had several people say to me recently: "but, what legitimate e-mail could
possibly contain the word 'klez' "? Well, I am a big fan of klezmer music and
there will be some sad wedding parties if "klez" is filtered out!

See http://www.klezmershack.com

  [And this will undoubtedly get THIS issue filtered for some readers.
  PGN]

------------------------------

Date: Tue, 20 Aug 2002 03:12:14 PST
From: shadow@krypton.rain.com (Leonard Erickson)
Subject: Klez + html login = no security

I mostly use a DOS based mail reader program, so I often get MIME encoded
mail or other mail that may or may not have viral payloads (or just typical
Microsoft "everyone uses our mailer" dreck). I move the messages to a
directory to be checked out later.

Today I was going thru the messages that'd piled up there over the last
couple of weeks. And I was looking at the other files included in Klez
infected messages.

One was a file that had "login" as part of the name, and no extension. A
quick check with LIST showed it to be an HTML file. Out of curiosity, I added
an HTML extension, and looked at it on a Windows system.

I found myself on a website for a company I won't name. With the username and
password having just been entered on a login screen! A password that seems to
still be valid.

I found a "technical problems" email address on the web site and mailed the
contact the info about the problem. And I deleted the file.

But whatever program created this login "file" (I think html had embedded
Javascript) is *really* a bad idea to have in this world that has viruses
that email random files from infected systems to the world.

Anybody care to bet that my report to the company gets ignored?

Leonard Erickson (aka shadow{G})  shadow@krypton.rain.com

------------------------------

Date: Thu, 22 Aug 2002 09:15:25 -0400
From: Monty Solomon
Subject: Klez: The Virus That Won't Die

Already the most prolific virus ever, Klez continues to wreak havoc.
By Andrew Brandt, Sep 2002 issue of *PC World* magazine, 1 Aug 2002

The Klez worm is approaching its seventh month of wriggling across the Web,
making it one of the most persistent viruses ever. And experts warn that it
may be a harbinger of new viruses that use a combination of pernicious
approaches to go from PC to PC.
Antivirus software makers Symantec and McAfee both report more than 2000 new
infections daily, with no sign of let-up at press time. The British security
firm MessageLabs estimates that 1 in every 300 e-mail messages holds a
variation of the Klez virus, and says that Klez has already surpassed last
summer's SirCam as the most prolific virus ever. And some newer Klez variants
aren't merely nuisances--they can carry other viruses in them that corrupt
your data. ...

http://www.pcworld.com/news/article/0,aid,103259,00.asp

------------------------------

Date: Thu, 1 Aug 2002 08:34:19 -0800
From: Rob Slade
Subject: The left hand of the government asketh ...

Despite the reports being a day apart, the following two stories appeared
next to each other in last evening's Edupage from EDUCAUSE. EDUCAUSE made no
comment on the juxtaposition. However, I suspect that pretty much anyone can
see the cause for concern here. Poorly thought out "quick fix" legislative
solutions, such as the DMCA, can definitely be much more trouble than they
are worth.

------- Forwarded message follows -------
>Date sent:      Wed, 31 Jul 2002 17:43:42 -0600
>From:           EDUCAUSE@EDUCAUSE.EDU
>Subject:        Edupage, July 31, 2002

[...]

TOP STORIES FOR WEDNESDAY, JULY 31, 2002

Clarke Urges Hackers to Find and Report Bugs
H-P Uses DMCA Against Bug Finders

[...]

CLARKE URGES HACKERS TO FIND AND REPORT BUGS
Richard Clarke, the cybersecurity advisor to President Bush, told attendees
of the Black Hat conference in Las Vegas that they should find and report
software bugs that compromise computer security. [...]
Associated Press, 31 July 2002
http://www.nandotimes.com/technology/story/484376p-3867743c.html

H-P USES DMCA AGAINST BUG FINDERS
In an apparent first, Hewlett-Packard has invoked the controversial Digital
Millennium Copyright Act (DMCA) to stop researchers from releasing
information about software bugs. [...]
But H-P sent a letter to SnoSoft, a group of researchers, saying that the
group faces fines of $500,000 and jail time for releasing information about a
bug in an H-P Unix application. SnoSoft said that they notified H-P of the
flaw early enough that a patch should have been available before public
disclosure of the bug. [...]
CNET, 30 July 2002
http://news.com.com/2100-1023-947325.html

[...]

EDUPAGE INFORMATION
To subscribe, unsubscribe, or change your settings, visit
http://www.educause.edu/pub/edupage/edupage.html

------------------------------

Date: Sat, 27 Jul 2002 21:08:50 -0400
From: Dave
Subject: Re: Apple OSX and iDisk and Mail.app

from Volume 22 : Issue 18:

> Net effect: your iDisk password is transmitted in the clear without
> your awareness, albeit as a mail password.
> Problems: ...
> - mac.com's mail password is *always* identical to iDisk password

Yes, by definition. mac.com mail and iDisk are part of iTools (now ".Mac")
which uses a single account/password to access all of its services.

> - OSX's "do what I mean" friendliness saves passwords without knowledge

Users enter their iTools info in the Internet preferences panel which states:
"Enter your member name and password. This information is used to access
iTools, including your iDisk and your e-mail account." Hard to misinterpret
that.

> then connects to mac.com which *does not* support any method of
> encrypted password transmission.

That's the real problem which Apple will correct quickly (right guys?)

------------------------------

Date: Tue, 20 Aug 2002 15:12:27 -0800
From: Rob Slade
Subject: REVIEW: "Computers and Ethics in the Cyberage", Hester/Ford

BKCMETCB.RVW   20020606

"Computers and Ethics in the Cyberage", D. Micah Hester/Paul J. Ford, 2001,
0-13-082978-1, U$41.00
%A   D. Micah Hester
%A   Paul J. Ford
%C   Scarborough, Ontario
%D   2001
%G   0-13-082978-1
%I   Prentice Hall
%O   U$41.00 800-576-3800 416-293-3621 fax: 201-236-7131
%P   498 p.
%T   "Computers and Ethics in the Cyberage"

This volume is a collection of essays, arranged in a rather complex fashion.
There are parts, subdivided into chapters, with each chapter containing about
four papers. It isn't necessarily difficult to find the theme running through
each set of papers, but neither does the conjunction of ideas support the
individual discussions. The preface, interestingly, states that the book
provides no general introduction to ethics. There are also lists of
alternative orderings and selections of the papers included in the volume,
suggested to address additional topics.

Part one is an introduction to technology, computers, and values which last
is rather in contradiction to the assertion that the work contains no such
introduction. In any case, there is no introduction to values. The essays in
chapter one look at how the machine affects personality (a poetic but
unconvincing piece), a review of various (both positive and negative but
primarily religious) views of technology, opinions on technology and moral
responsibility, and the ethical problems presumed to be unique to computers.
Chapter two views computer technology as value-laden. The first paper insists
that computers should be improved by the addition of abilities for responding
to simple requests in natural language, apparently implying that the search
for the "user-friendly" chimera has an ethical driver. (A common desire, but
one that flies in the face of user-interface research that indicates people
are, in fact, unable to frame requests accurately even in natural language.)
Others assert that computers fail to distinguish between numbers and data
(and between information and reason), that work with Boolean algebra molds
the thinking process, and that computers are fun because they are magic.

Part two purports to review computers and quality of life. Chapter three
looks at technology and relations with other people.
One paper points out that the attitude of the Amish towards the telephone is
supportive of community living, but admits that the example has almost no
relation to other technology. Others discuss various things you can do
online, how much Howard Rheingold likes the WELL service, and that John Perry
Barlow doesn't know whether community actually exists (online or in real
life). Computer and individuality is addressed, in chapter four, with an
unsupported assertion that technology has some normative value, wild
speculation on implantable brain chips, a fictional short story about
artificial personality, and vague thoughts about the anthropomorphizing
effect of the changing language with regard to computers. A look at
computers in developing nations assumes that the purpose of computer use is
control, asserts (but does not support) the idea that western (and therefore
somehow "authoritative") computers are unsuited to Africa (the entire
continent is assumed to have unreliable data), that information technology
can help in Latin America but there are problems, presents random memories of
email use in Jamaica, and asserts, in chapter five, that transferring
technology to the third world can create problems.

Part three concentrates on the uses, abuses (and maybe consequences) of
technology. Chapter six looks at professionals and ethics, with various views
of whether professions have special obligations (and a final decision that
computing is not a profession), scenarios emphasizing conflicting loyalties,
and some factors that might help reduce computer misuse. Freedom, privacy and
control is the topic of chapter seven, discussing problems with direct
democracy, reprinting a political speech nominally about privacy, and
attempting to determine a definition and some characteristics of privacy.
A review of intellectual property ownership and piracy has an interesting
examination of the differences in attitudes to copyright between western
(stressing ownership and roles) and Asian (emphasizing social benefits and
outcomes) cultures, as well as a student survey, a statement that the
arguments in favour of copyright are at best unproven, and an opinion
promoting copy protection cracking and the distribution of "cracked"
commercial programs (with the usual lack of logic and writing skills).
(Despite this last essay, chapter eight is possibly the best in the book.)
Chapter nine has some sensationalistic material on hacking (and a very poor
introduction to viruses) with no real conclusions, a hacker "manifesto," a
strong (but not perfect) analysis deciding that computer intrusions cannot
be held to be "victimless," an interview with a self-styled "hacker" (as
self-serving as most such), and a weak examination of the Morris Worm.

Part four seems to assume that it is moving into more advanced or futuristic
technologies, although the discussions don't change much. Chapter ten has
another fictional short story implying that computers are false gods, a
replay of "What Computers Can't Do," and a vague wondering about the
definition of life. One essay, very much in contradiction to the thesis of
Rosalind Picard's excellent "Affective Computing" (cf. BKAFFCMP.RVW)
maintains that a computer which is "superior in every way" (to us) must be a
"monster," and assumes that artificial intelligence will be devoid of
compassion. (Even if one does accept that intelligence must be emotionless,
there is no mention of the fact that such a system would also lack cruelty.)
The overview of virtual reality (VR) has an interesting examination of the
health and safety effects (limited) and benefits of the technology, and two
assertions of the need for a VR ethic, in chapter eleven.
In chapter twelve, Al Gore sells the GII (Global Information Infrastructure),
we are told that there is pornography on the Internet, Dibbell's classic
"Rape in Cyberspace" is reprinted, and an article on cyberstalking seems to
void its premise by repeatedly demonstrating that most of the activities take
place in the real world, not the net.

Many of the papers in this collection are lifted wholesale from their origin.
Although ellipses seem to indicate that material has been cut in a number of
places, there are still some very odd references to other papers or
presentations no longer "present," and even comments directed at people who
are no longer in the audience.

Much of this material is quite seriously flawed by a lack, on the part of the
authors, of a technical background. This is not to say that non-technical
people cannot comment on the social aspects of technology, nor that
discussions of technical ethics could not benefit from the input of
philosophers, ethicists, sociologists, and the like. However, many of the
speculations bear little relationship to technical reality, and therefore the
arguments and decisions are invalid.

Overall, there is a lack of direction to the work. In the end, it gives an
impression of a vague complaint that computers aren't moral, and aren't
taking the burden of ethical decisions away from mankind. Personally, I find
this position not only unhelpful, but extremely odd.

copyright Robert M.
Slade, 2002   BKCMETCB.RVW   20020606

rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

------------------------------

Date: Tue, 20 Aug 2002 18:30:11 +0100
From: Massimo Felici
Subject: SAFECOMP 2002 & ECCE-11

SAFECOMP 2002
The 21st International Conference on Computer Safety, Reliability and
Security
Catania, Italy, 10-13 September 2002
http://www.safecomp.org/
contact safecomp2002@safecomp.org

Co-located and Coordinated with

ECCE 11 - Cognition, Culture and Design
Eleventh European Conference on Cognitive Ergonomics
Catania, Italy, 8-11 September 2002
http://www.ecce.info/

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to  with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address " ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .MIL users should contact  (Dennis Rears).
   .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.)
 is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a
   palmtop version of the most recent RISKS issue and a WAP version that
   works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/  ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 http://www.csl.sri.com/illustrative.html for browsing,
 http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.20
************************
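A worked illustration of the empty-reverse-path point in MAtteo HCE Valsasna's item above ("E-mail *envelope* filters blocking NDN and DSN"). This is an added example, not code from the digest or from any contributor: the hosts, addresses and the two policy functions are invented, and the null-sender-with-one-recipient check is a widely used MTA heuristic mentioned here as context, not something the item prescribes. It walks the scenario the item describes (remote MTA accepts, later bounces with MAIL FROM:<>, sender's inbound MX filters it) under the filter the item criticises and under an RFC 1123-conformant policy.

```python
"""Simulated SMTP envelope policy, showing why rejecting MAIL FROM:<> makes
non-delivery notifications vanish.  Constructed example: hosts, addresses and
policy functions are invented; the RFC citations are the ones the item quotes."""

from dataclasses import dataclass, field
from typing import Callable, List, Tuple

NULL_SENDER = "<>"   # the empty reverse path of RFC 821 / RFC 1123 5.2.9


@dataclass
class Envelope:
    """SMTP envelope: reverse-path and forward-paths, as opposed to the
    From:/To: header fields inside the message body."""
    mail_from: str                                  # "<alice@example.org>" or "<>"
    rcpt_to: List[str] = field(default_factory=list)


Policy = Callable[[Envelope], Tuple[int, str]]


def reject_null_sender(env: Envelope) -> Tuple[int, str]:
    """The filter the item criticises: refuse every empty reverse path.
    Contradicts RFC 1123 5.2.9 ("An empty reverse path MUST be supported")."""
    if env.mail_from == NULL_SENDER:
        return 550, "5.7.1 empty sender not accepted"
    return 250, "2.1.0 Sender ok"


def accept_null_sender(env: Envelope) -> Tuple[int, str]:
    """RFC-conformant policy: <> is accepted.  The one restriction applied is
    one a real bounce can never trip: RFC 1891 7.1 copies the DSN recipient
    from the original MAIL command, so a legitimate DSN has exactly one RCPT
    TO.  Refusing <> with several recipients (a common MTA option, assumed
    here as context) blocks bulk abuse of the null sender without losing
    genuine notifications."""
    if env.mail_from == NULL_SENDER and len(env.rcpt_to) > 1:
        return 550, "5.5.3 multi-recipient bounce refused"
    return 250, "2.1.0 Sender ok"


def build_dsn(original: Envelope) -> Envelope:
    """Envelope of the notification a remote MTA sends back after it accepted
    a message and later found it undeliverable: null reverse path, and the
    original reverse path as the single recipient (RFC 1891 7.1)."""
    return Envelope(mail_from=NULL_SENDER, rcpt_to=[original.mail_from])


def smtp_transcript(policy: Policy, env: Envelope) -> List[str]:
    """Client/server lines for the envelope phase of one SMTP session.  The
    policy is evaluated once the whole envelope is known (at DATA), which is
    how an MTA that counts recipients has to do it."""
    lines = [f"C: MAIL FROM:{env.mail_from}", "S: 250 2.1.0 Ok"]
    for rcpt in env.rcpt_to:
        lines += [f"C: RCPT TO:{rcpt}", "S: 250 2.1.5 Ok"]
    lines.append("C: DATA")
    code, text = policy(env)
    lines.append(f"S: {code} {text}" if code != 250
                 else "S: 354 End data with <CR><LF>.<CR><LF>")
    return lines


def sender_learns_of_failure(inbound_policy: Policy) -> bool:
    """The item's scenario: alice sends through her own outbound host to an
    address that does not exist at example.net; example.net accepts the
    message and later bounces it.  The bounce reaches alice's inbound MX,
    which applies `inbound_policy`.  True if the NDN is accepted."""
    original = Envelope(mail_from="<alice@example.org>",
                        rcpt_to=["<nobody@example.net>"])
    bounce = build_dsn(original)    # MAIL FROM:<>  RCPT TO:<alice@example.org>
    code, _ = inbound_policy(bounce)
    return code == 250


if __name__ == "__main__":
    sample = build_dsn(Envelope("<alice@example.org>", ["<nobody@example.net>"]))
    for name, policy in (("reject <>", reject_null_sender),
                         ("accept <>", accept_null_sender)):
        print(f"--- inbound MX policy: {name}")
        print("\n".join(smtp_transcript(policy, sample)))
        print("sender told of failure:", sender_learns_of_failure(policy))
```

Under `reject_null_sender` the bounce is refused at DATA with a 550 and alice never hears that her message was lost, which is exactly the double-negative trap the item describes; under `accept_null_sender` the same bounce is accepted, while a null-sender envelope addressed to several recipients (which no conformant DSN ever is) is still refused.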