[risks] Risks Digest 21.37

From: RISKS List Owner (riskoat_private)
Date: Thu May 03 2001 - 15:56:47 PDT

    RISKS-LIST: Risks-Forum Digest  Thursday 3 May 2001  Volume 21 : Issue 37
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.37.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Microsoft Is Set to Be Top Foe of Free Code (David Farber)
    DMCA: It's Like ... an Analogy Fest! (Monty Solomon)
    Recording industry threatens researcher with lawsuit (NewsScan)
    Hack attacks from China? (NewsScan)
    Space Station software problems predicted four years ago (Philip Gross)
    Incompatibility shuts down Xerox corporate network (Nelson H. F. Beebe)
    Destia shuts down service (Doneel Edelson)
    Mobile phones to prevent car theft? (Yerry Felix)
    CNN censors profane Webby nominee (Jim Griffith)
    Another problem with the DNS (Bob Frankston)
    MS security updates infected with virus (Dave Stringer-Calvert)
    Microsoft error message (Jean-Jacques Quisquater)
    Using calendar reminder service to remember anniversary of sad event (Elinsky)
    Risks of Net-connected appliances (Robert J. Woodhead)
    Re: MSN "upgrade" creates long distance calling (Steve Holzworth)
    The follow-on to James Bamford's *Puzzle Palace* (David Farber)
    Definitions for Hardware and Software Safety Engineers (Meine van der Meulen)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Thu, 03 May 2001 09:43:23 -0400
    From: David Farber <daveat_private>
    Subject: Microsoft Is Set to Be Top Foe of Free Code
    
    John Markoff in *The New York Times*, 3 May 2001:
    
      Microsoft is preparing a broad campaign countering the movement to give
      away and share software code, arguing that it potentially undermines the
      intellectual property of countries and companies.  At the same time, the
      company is acknowledging that it is feeling pressure from the freely
      shared alternatives to its commercial software.
      http://www.nytimes.com/2001/05/03/technology/03SOFT.html
    
        [Dave's IP archives are at
           http://www.interesting-people.org/  
        PGN]
    
    ------------------------------
    
    Date: Wed, 02 May 2001 10:53:14 -0700
    From: Monty Solomon <montyat_private>
    Subject: DMCA: It's Like ... an Analogy Fest!
    
    MEDIA GROK, 2 May 2001
    
    We know, we know: Media coverage of the Digital Millennium Copyright Act
    makes your eyes glaze over. Think that's bad? Imagine the DMCA being
    discussed in a courtroom. This happened yesterday when a New York appeals
    court became ground zero for testimony on whether DVD code-busting software
    violates the DMCA. Reporters tried mightily - and several succeeded - to
    make sense of lawyers' attempts to out-argue each other.
    
    Call yesterday's event a different kind of Hollywood strike. When the e-zine
    2600.com posted DeCSS, a computer program capable of cracking DVDs' security
    code, a coalition of film studios struck back with a lawsuit. The studios
    won, and the lower court based its ruling on the DMCA-based ban on
    code-busting devices. 2600 appealed, its lawyers arguing that DeCSS has fair
    and allowable uses.
    
    Is law so complex that it has to be fed to us in analogies? We grew dizzy
    trying to follow the analogy free-for-all that gripped the appeal hearing
    and its coverage. Let's start with the DMCA. It's like Congress deciding
    that the blueprint for a copying machine can't be published because it might
    be used to violate the copyright laws, said Kathleen Sullivan, Stanford Law
    School dean. Here's one about DeCSS: It should be banned because it's akin
    to software that shuts off smoke detectors or airplanes' navigational
    systems, said DMCA defender and assistant U.S. attorney Daniel Alter,
    according to the New York Law Journal. The First Amendment wouldn't bar the
    government from prohibiting distribution of that kind of software, Alter
    said, and the same goes for DeCSS. No, no, no. DeCSS is "a useful tool for
    scientific study and journalistic inquiry - or a burglar's crowbar designed
    for breaking, entering and stealing," the Law Journal chimed in.
    
    Lawyers, of course, love this kind of talk, which is no doubt why, as Inside
    reported, the three-judge panel was revved up enough by the legal banter to
    allow the session to run an extra 30 minutes. Inside ran a solid and
    readable analysis of the ideas that were raised, as did ZDNet, which
    included the tidbit that one "hacker-type" wore a T-shirt displaying the
    illegal DeCSS code.
    
    But both Inside and Wired News predicted the appeals court would probably
    uphold the lower court's ruling. Sometimes pushing new ideas is like an
    uphill battle. - Deborah Asbrand
    
    Second Circuit Weighs DVD Copying 
    http://www.law.com/cgi-bin/gx.cgi/AppLogic+FTContentServer?pagename=law/View&c=Article&cid=ZZZ9P7GD8MC&live=true&cst=1&pc=5&pa=0&s=News&ExpIgnore=true&showsummary=0 
    
    In Lively Oral Arguments, Lawyers Put Digital Copyright Act on Trial
    http://www.inside.com/jcs/Story?article_id=29820&pod_id=13 
    
    Throwing the Book at DeCSS 
    http://www.zdnet.com/zdnn/stories/news/0,4586,5082131,00.html 
    
    DVD Piracy Judges Resolute 
    http://www.wired.com/news/digiwood/0,1412,43470,00.html 
    
    Court Hears Appeal of Hacker Wanting to Post Descrambling Code on Internet
    http://interactive.wsj.com/articles/SB988759509262167525.htm 
    (Paid subscription required.) 
    
    Judges Weigh Copyright Suit on Unlocking DVD Shield 
    http://www.nytimes.com/2001/05/02/technology/02CODE.html 
    (Registration required.) 
    
    ------------------------------
    
    Date: Tue, 24 Apr 2001 09:20:08 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Recording industry threatens researcher with lawsuit
    
    The litigation department of the Recording Industry Association of America
    (RIAA) has threatened legal action against a Princeton University computer
    scientist if he and his colleagues give a conference presentation this week
    explaining how to get around a system developed by the industry to protect
    copyrighted music. The researcher, Dr. Edward W. Felten, works in the field
    of steganography, which develops techniques such as digital watermarking.
    The head of RIAA's litigation department insists: "There is a line that can
    get crossed, and if you go further than academic pursuit needs to go, you've
    crossed the line and it's bad for our entire community, not just for artists
    and content holders, it's everyone who loves art, and it's also bad for the
    scientific community." [*The New York Times*, 24 Apr 2001; NewsScan Daily,
    24 April 2001  http://www.nytimes.com/2001/04/24/technology/24MUSI.html]
    
    ------------------------------
    
    Date: Mon, 30 Apr 2001 08:52:04 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Hack attacks from China?
    
    The FBI cybercrime division called the National Infrastructure Protection 
    Center is warning that Chinese hackers have publicly discussed increasing 
    their activities in the first week of May, in celebration of two Chinese 
    holidays and in memory of the two-year anniversary of the U.S. accidental 
    bombing of the Chinese embassy in Belgrade. The Internet security company 
    Vigilinx warns that it has the potential to escalate into something very 
    damaging if emotions run unchecked. There is no evidence that attacks have 
    been approved by the Chinese government. (AP/*USA Today*, 27 Apr 2001)
    http://www.usatoday.com/life/cyber/tech/2001-04-27-chinese-hack.htm
    NewsScan Daily, 30 April 2001
    
    ------------------------------
    
    Date: Sat, 28 Apr 2001 15:20:16 -0400
    From: "Philip Gross" <png3at_private>
    Subject: Space Station software problems predicted four years ago
    
    I contributed an article to RISKS on December 8, 1997, (RISKS-19.49) about
    the enormous risks involved with the software of the International Space
    Station.  3.5 million lines of code, coming from multiple countries, with
    little indication of the verification methodologies.  In the two subsequent
    issues RISKS-19.50 and 19.51, anonymous posters with connections to the
    program agreed with and amplified these concerns.
    
    Now we see that, indeed, difficult-to-diagnose software problems are
    starting to plague the craft.
    "Computer problems have kept the Endeavour at the station longer than
    expected as astronauts try to carry out operations of a critical robot arm.
    The ISS has suffered a series of glitches since Tuesday that left ground
    controllers with only tentative command," says CNN.
    (http://www.cnn.com/2001/TECH/space/04/28/shuttle.launch.02/index.html)
    
    The RISKS here involve the well-known dangers of leaving debugging until the
    system is already in use.  Although critical safety and control mechanisms
    may be compromised until the problems are fixed,
    "Russian space officials refused to delay Saturday's launch but agreed to
    put the Soyuz in a holding pattern if the shuttle was still at the space
    station on Monday. Russia said it had been unwilling to postpone the Soyuz
    mission because the cosmonauts must replace the space station's escape
    craft, whose service lifetime expires at the end of the month."
    
    The world's first space tourist may have an interesting ride...
    
    ------------------------------
    
    Date: Mon, 23 Apr 2001 14:02:12 -0600 (MDT)
    From: "Nelson H. F. Beebe" <beebeat_private>
    Subject: Incompatibility shuts down Xerox corporate network
    
    *Computerworld* (16-Apr-2001, p. 6 and 78) has two articles on how an
    incompatibility between a beta release of Microsoft Windows XP and Cisco
    5000 routers shut Xerox's corporate network down several times.  According
    to the page-long column on p. 78, ``It got so bad that Xerox warned all
    50,000 of its U.S. employees not to install XP betas without permission or
    they'd face disciplinary action.''
    
    Nelson H. F. Beebe, Center for Scientific Computing, University of Utah
    Department of Mathematics, Salt Lake City, UT 84112-0090  +1 801 581 5254  
    
    ------------------------------
    
    Date: Thu, 3 May 2001 17:47:14 -0400
    From: "Edelson, Doneel [euler:aci]" <doneel.edelsonat_private>
    Subject: Destia shuts down service
    
    Destia (known as EconoPhone), a part of Viatel, shut down service to all
    customers Monday night or Tuesday.  Thousands of people with direct-dial
    service (1+) are scrambling to get an alternate long-distance provider.
    Until then, they cannot make any long-distance calls except to 800 numbers.
    Also inbound 800 number service and calling cards provided by this company
    do not work.
    
    ------------------------------
    
    Date: 27 Apr 2001 23:59:44 +0100
    From: Yerry Felix <1iat_private>
    Subject: Mobile phones to prevent car theft?
    
      Econet Wireless brand manager David Dzumbira said in the unfortunate event
      of the vehicle being violated or vandalised, Cellstop will alert the owner
      by calling on his/her cellphone within seconds of the incident happening.
      Cellstop will dial the number three times and if these calls are
      unanswered or responded to, the Cellstop unit will automatically starve
      fuel to the engine, making it impossible to drive the vehicle, said
      Dzumbira.
    
    But what if the owner forgets the phone, loses it or the phone is stolen?
    Or, if the phone runs out of power? And what happens if the device springs
    into action whilst the car is being driven by the legitimate owner?
    
    Note that the vehicle is stopped regardless of whether the phone is ignored
    or answered!
    
    Moreover, given the number of false car alarms that seem to occur, this
    could be very annoying, although, being the victim of nightly car alarms in
    my street, I don't have much sympathy here :-)
    
    The full article:
      http://www.mweb.co.zw/zimin/index.php?id=3176&pubdate=2001-04-27
    
    ------------------------------
    
    Date: Thu, 26 Apr 2001 20:17:34 -0500
    From: Jim Griffith <griffithat_private>
    Subject: CNN censors profane Webby nominee
    
    An interesting aspect of this year's Webby's nominees is the nomination
    of www.f**kedcompany.com in the Humor category (for which I was a nominating
    judge).  When reading the CNN article about the nominations, at
      http://www.cnn.com/2001/TECH/internet/04/26/webby.awards.reut/index.html#12
    I was interested to find that the above-mentioned site was apparently
    deliberately excluded from the list of nominees, probably for the profane
    name.  The *San Jose Mercury News* site reported the complete list, however.
    
      [comp.risks censors "CNN censors profane Webby nominee" as well.  PGN]
    
    ------------------------------
    
    Date: Mon, 30 Apr 2001 15:16:55 -0400
    From: "Bob Frankston" <rmf2gOtherat_private>
    Subject: Another problem with the DNS
    
    I e-mailed a URL, http://www.washtech.com/news/media/9387-1.html. The
    spelling corrector apparently changed washtech to washes which is a porno
    site! The risk here isn't so much spelling correction as the current attempt
    to use the DNS as a directory. The density of the namespace is just one of
    the many problems.
    
    Bob Frankston  http://www.Frankston.com
    
    ------------------------------
    
    Date: Sun, 29 Apr 2001 19:18:28 -0700
    From: Dave Stringer-Calvert <dave_scat_private>
    Subject: MS security updates infected with virus
    
    Microsoft security fixes infected with FunLove virus
    
    A virus infection of security fix files on Microsoft's partner and premier
    support Web sites has forced the software giant to suspend certain
    downloads for more than a fortnight. Microsoft issued an alert on Monday,
    which states that various Hotfix files on its Premier Support and
    Microsoft Gold Certified Partners Web sites are infected with the FunLove
    virus. A copy of the notice said Microsoft has stopped access "in order to
    protect customers" to an unspecified number of files, and expects to be
    able to restore access later today.  Customers were advised to contact
    their technical account manager in the interim.
      [http://www.theregister.co.uk/content/8/18516.html]
         [Also noted by Jeremy Epstein.  PGN]
    
    ------------------------------
    
    Date: Mon, 30 Apr 2001 22:11:37 +0200
    From: Quisquater <jjqat_private>
    Subject: Microsoft error message
    
    Q276304 - Error Message: Your Password Must Be at Least 18770 Characters 
              and Cannot Repeat Any of Your Previous 30689 Passwords
    
    New level of security at Microsoft.  Jean-Jacques Quisquater, 
    
      [The password must be Macrohard?  PGN]
    
    ------------------------------
    
    Date: Tue, 24 Apr 2001 16:46:05 EDT
    From: Elinskyat_private
    Subject: Using calendar reminder service to remember anniversary of sad event
    
    This is from the "Metropolitan Diary" section of *The New York Times*, 23
    Apr 2001.  The writer unknowingly set herself up for an eerie reminder mail,
    by not entering the event as "Anniversary of Grandpa's death".  Even if she
    had, the mail probably would've still contained the (presumably
    inappropriate) gift suggestions.
    
    Harriet Inselbuch signed up for a calendar reminder service on the Internet
    and duly entered important dates like birthdays and anniversaries.  The
    service notifies her by e-mail a few days before an important event.  One
    anniversary she listed was of a family death, a reminder to her to light a
    candle.  A few days before that particular date, she did receive a message
    and it provided somewhat of a shock.  It read, "Reminder: Grandpa's death is
    just around the corner" followed by three or four gift suggestions for the
    occasion.
    
    ------------------------------
    
    Date: Mon, 23 Apr 2001 17:12:45 -0400
    From: "Robert J. Woodhead (AnimEigo)" <treborat_private>
    Subject: Risks of Net-connected appliances
    
    After watching a breathless CNN report about Internet-enabled espresso
    machines, it occurs to me that one of the greatest risks of having
    appliances connected to the Internet is that one's refrigerator might start
    forwarding spam instead of simply storing it.
    
    Robert Woodhead, Webslave & Mad Overlord    http://selfpromotion.com/
    
    ------------------------------
    
    Date: Fri, 27 Apr 2001 14:17:46 -0400
    From: Steve Holzworth <schat_private>
    Subject: Re: MSN "upgrade" creates long distance calling (RISKS-21.32)
    
    WRAL-TV Online reports that the Microsoft Network (MSN) has agreed to pay
    back dozens of people who received huge Internet phone bills by mistake.
    
    http://www.wral-tv.com/features/5onyourside/2001/0426-msn-second-folo/
    
    "Combined, complainants were billed more than $13,000 in unexpected charges. 
    
    For about a month when the Wake County customers accessed the Internet, they
    were routed to a long distance Chapel Hill number -- a number they did not
    know they had been switched to.
    
    John Bason, a spokesman for the North Carolina Department of Justice, says
    the situation definitely needs to be addressed." ...  "Microsoft is telling
    the Attorney General's office that the error was theirs and agreed to pay
    back consumers. Any MSN customers who were erroneously billed must file a
    complaint with the Attorney General's office at 919-xxx-xxxx."
    
    Steve Holzworth, Senior Systems Developer, SAS Institute, Cary, N.C.
    Open Systems R&D VMS/MAC/UNIX    <schat_private>
    
    ------------------------------
    
    Date: Wed, 25 Apr 2001 15:04:56 -0400
    From: David Farber <daveat_private>
    Subject: IP: The follow-on to James Bamford's *Puzzle Palace*
    
    James Bamford
    Body of Secrets: Anatomy of the Ultra-Secret National Security Agency: 
      From the Cold War Through the Dawn of a New Century
    
      [Good review in *The New York Times* Sunday Book Review section,
      29 April 2001.  PGN]
    
    ------------------------------
    
    Date: Thu, 3 May 2001 09:50:50 +0200 
    From: Meine van der Meulen <M.van.der.Meulenat_private>
    Subject: Definitions for Hardware and Software Safety Engineers
    
    I would like to bring the book 'Definitions for Hardware and Software Safety
    Engineers' to your attention. It quotes definitions in the field of
    hard- and software dependability engineering from over a hundred sources.
    When more definitions exist it quotes these to enable comparison. Much
    attention has been paid to cross-referencing.
    
      M.J.P. van der Meulen, Definitions for Hardware and Software Safety
      Engineers, ISBN 1-85233-175-5, Springer, London, hardcover, 342 pages.
    
    URL: http://www.springer.de/cgi-bin/search_book.pl?isbn=1-85233-175-5
    
    Meine van der Meulen, Max Euwelaan 60, 3062 MA Rotterdam  Tel 010-4535959 
    SIMTECH Engineering: www.simtech.nl  <m.van.der.meulenat_private>
    
    ------------------------------
    
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     SEND DIRECT E-MAIL REQUESTS to <risks-requestat_private> with one-line, 
       SUBSCRIBE (or UNSUBSCRIBE) 
     which now requires confirmation to majordomoat_private (not to risks-owner)
     [with option of E-mail address if not the same as FROM: on the same line,
     which requires PGN's intervention -- to block spamming subscriptions, etc.] or
       INFO     [for unabridged version of RISKS information]
     .MIL users should contact <risks-requestat_private> (Dennis Rears).
     .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 21.37
    ************************
    



    This archive was generated by hypermail 2b30 : Thu May 03 2001 - 16:29:43 PDT