RISKS-LIST: Risks-Forum Digest  Monday 8 March 2004  Volume 23 : Issue 26

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/23.26.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

Contents:
U.S. Senate security shenanigans (Kristina Herrndobler via James Bauman)
PFIR Conference Announcement: "Preventing the Internet Meltdown" (PFIR)
Yet another worm masquerades as Microsoft update (NewsScan)
The price of e-mail is constant vigilance (Rob Slade)
Firms look to limit liability for online security breaches
  (Jonathan Krim via Monty Solomon)
Smartcards weren't so smart after all, says Target (NewsScan)
BBC reports card cloning scam (John Sawyer)
An interesting airplane user interface (David Magda)
Re: Legal Mercedes driver jailed for 18 months (David Gillett)
Extended Call for Papers: Voting, Elections, and Technology (Micah Altman)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 5 Mar 2004 13:41:26 -0500
From: "James Bauman" <James.Bauman@safety-kleen.com>
Subject: U.S. Senate security shenanigans

If an independent or Justice Department investigation occurs beyond the one
by the U.S. Senate sergeant-at-arms, the security issues (and their possible
accompanying illegal and/or unethical issues) should be interesting to read
about. Right now, there are a lot of questions about the incident and not
much clarity.

According to a *Chicago Tribune* article, a Senate Republican clerk, Jason
Lundell, watched a system administrator gain access to Democratic folders on
a network. Then, Mr. Lundell repeated the administrator's actions and
"downloaded more than 4,670 files" from those folders.
Lundell gave the files to Manuel Miranda, who was a staffer for Majority
Leader Bill Frist (R-Tenn.). Lundell said "Miranda told him that it was
common knowledge that staff could access each other's files". [Then, I
suppose?... Republican staffers could access Democratic files and Democratic
staffers the Republican ones.]

A Question: If each side could look at each other's files, then why did
Jason Lundell need special knowledge about network security to download the
files?

Regarding this: "Republican committee Chairman Sen. Orrin Hatch of Utah
condemned the actions of the staff members, who no longer work for the
Senate."

"'I am mortified that this improper, unethical and simply unacceptable
breach of confidential files occurred," Hatch said Thursday as he released
the report. "There is no excuse that can justify these improper actions.'"

Later in the article is this: "Furthermore, Mr. Lundell recalled that
Mr. Miranda had told him that Sen. Hatch wanted the staff to use any means
necessary to support President Bush's nominees," the sergeant-at-arms
reported.

Seems that the two Republican staffers took "any means necessary" in the
most literal of senses, and Lundell's assertion in the previous paragraph
could be an embarrassment for Hatch given Hatch's latest statements of
outrage.

Anyway, it's got the earmarks of a good future read as more facts develop
and the smoke clears.

Source: Kristina Herrndobler, GOP staffers accused of taking senators' files,
*Chicago Tribune*, 5 Mar 2004
http://www.chicagotribune.com/news/nationworld/chi-0403050231mar05,1,7561874.story?coll=chi-news-hed

------------------------------

Date: Sat, 06 Mar 2004 18:14:43 -0800
From: PFIR - People For Internet Responsibility <pfir@private>
Subject: PFIR Conference Announcement: "Preventing the Internet Meltdown"

PFIR Conference Announcement
"Preventing the Internet Meltdown"
Spring/Summer 2004
Los Angeles, California, USA
http://www.pfir.org/meltdown

PFIR - People For Internet Responsibility - http://www.pfir.org

[ To subscribe or unsubscribe to/from this list, please send the command
  "subscribe" or "unsubscribe" respectively (without the quotes) in the body
  of an e-mail to "pfir-request@private". ]

People For Internet Responsibility (PFIR) is pleased to preliminarily
announce an "emergency" conference aimed at preventing the "meltdown" of the
Internet -- the risks of imminent disruption, degradation, unfair
manipulation, and other negative impacts on critical Internet services and
systems in ways that will have a profound impact on the Net and its users
around the world.

We are planning for this conference (lasting two or three days) to take
place as soon as possible, ideally as early as this coming June, with all
sessions and working groups at a hotel in convenient proximity to Los
Angeles International Airport (LAX).

A continuing and rapidly escalating series of alarming events suggest that
immediate cooperative, specific planning is necessary if we are to have any
chance of avoiding the meltdown. "Red flag" warning signs are many. A merely
partial list includes attempts to manipulate key network infrastructures
such as the domain name system; lawsuits over Internet regulatory issues
(e.g. VeriSign and domain registrars vs.
ICANN); serious issues of privacy and security; and ever-increasing spam,
virus, and related problems, along with largely ad hoc or non-coordinated
"anti-spam" systems that may do more harm than good and may cause serious
collateral damage.

All facets of Internet users and a vast range of critical applications are
at risk from the meltdown. Commercial firms, schools, nonprofit and
governmental organizations, home users, and everybody else around the world
whose lives are touched in some way by the Internet (and that's practically
everyone) are likely to be seriously and negatively impacted.

Most of these problems are either directly or indirectly the result of the
Internet's lack of responsible and fair planning related to Internet
operations and oversight. A perceived historical desire for a "hands off"
attitude regarding Internet "governance" has now resulted not only in
commercial abuses, and the specter of lawsuits and courts dictating key
technical issues relating to the Net, but has also invited unilateral
actions by organizations such as the United Nations (UN) and International
Telecommunications Union (ITU) that could profoundly affect the Internet and
its users in unpredictable ways.

Representatives from commercial firms, educational institutions,
governmental entities, nonprofit and other organizations, and any other
interested parties are invited to participate at this conference.
International participation is most definitely encouraged.

The ultimate goal of the conference is to establish a set of *specific*
actions and contingency plans for the Internet-related problems that could
lead to the meltdown. These may include (but are not limited to) technical,
governance, regulatory, political, and legal actions and plans. Scenarios to
consider may also include more "radical" technical approaches such as
"alternate root" domain systems, technologies to bypass unreasonable ISP
restrictions, and a wide range of other practical possibilities.

It is anticipated that the conference will include a variety of panels
focused on illuminating specific aspects of these problems, along with
potential reactions, solutions, and contingency planning for worst-case
scenarios. Breakout working groups will be available for detailed discussion
and planning efforts. Formal papers will not be required, but panel members
may be asked to submit brief abstracts of prepared remarks in advance to
assist in organizing the sessions.

The ability of this conference to take place, and necessary conference
details such as the specific program, costs, etc. will depend largely on the
response to this announcement and particularly on the number of persons and
organizations who express a potential interest in attending.

If you may be interested in participating (no obligation at this point, of
course) or have any questions, please send an e-mail as soon as possible to:

  meltdown@private

or feel free to contact Lauren at the phone number below. As appropriate,
please be sure to mention how many people from your organization may be
interested in attending. If you express an interest in attending, you will
be added to a private mailing list for upcoming announcements regarding this
conference unless you ask not to be so notified.

Together, we may be able to stop the Internet meltdown. But we need to act
now.

Thank you for your consideration.

- - -

Lauren Weinstein
lauren@private or lauren@private or lauren@private
Tel: +1 (818) 225-2800
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Co-Founder, URIICA - Union for Representative International Internet
  Cooperation and Analysis - http://www.uriica.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
http://www.pfir.org/lauren

Peter G. Neumann
neumann@private or neumann@private or neumann@private
Tel: +1 (650) 859-2375
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Co-Founder, URIICA - Union for Representative International Internet
  Cooperation and Analysis - http://www.uriica.org
Moderator, RISKS Forum - http://risks.org
Chairman, ACM Committee on Computers and Public Policy
http://www.csl.sri.com/neumann

David J. Farber
dave@private
Tel: +1 (412) 726-9889
Distinguished Career Professor of Computer Science and Public Policy,
  Carnegie Mellon University, School of Computer Science
Member of the Board of Trustees EFF - http://www.eff.org
Member of the Advisory Board -- EPIC - http://www.epic.org
Member of the Advisory Board -- CDT - http://www.cdt.org
Member of Board of Directors -- PFIR - http://www.pfir.org
Co-Founder, URIICA - Union for Representative International Internet
  Cooperation and Analysis - http://www.uriica.org
Member of the Executive Committee USACM
http://www.cis.upenn.edu/~farber

(Affiliations shown for identification only.)

------------------------------

Date: Mon, 08 Mar 2004 09:23:00 -0700
From: "NewsScan" <newsscan@private>
Subject: Yet another worm masquerades as Microsoft update

The latest variation on the Sober worm -- Sober.D -- tries to trick
recipients into opening it by disguising itself as a Microsoft Update
message. "It arrives in an e-mail that pretends to be a patch to protect
against a version of MyDoom," says a senior consultant at antivirus firm
Sophos. "The e-mail appears to be a Microsoft patch so people will of course
double-click on that attachment." Once a user clicks on the file, the worm
scans the PC to see if it's already infected -- if not, it installs itself
and uses its own SMTP engine to send copies of itself to e-mail addresses
found on the victim's PC. Microsoft emphasizes that it does not send patches
via e-mail and that users should ignore such messages.
[ZDNet 8 Mar 2004; NewsScan Daily, 8 Mar 2004]
http://zdnet.com.com/2100-1105_2-5171243.html

------------------------------

Date: Sat, 6 Mar 2004 16:37:18 -0800
From: Rob Slade <rslade@private>
Subject: The price of e-mail is constant vigilance

Peter Wilson's article on spam and viruses (on Saturday, March 6, 2004)
lists a number of antispam measures that are currently being promoted. He
also retails Bill Gates' confident prediction that spam will be a thing of
the past by 2006. Remember that prophecy, because Bill Gates is going to be
proven wrong. An examination of the measures listed in the article
demonstrates why.

SPF (sender-permitted format) is currently garnering the greatest interest.
The description of SPF as a kind of caller-ID is not quite correct. All
e-mail carries caller-ID in the form of the information about who the
message is from, and information about the Internet Protocol (IP) address
that originated the message. SPF is actually an attempt to contact the site
that is supposed to have originated the message, and verify that these two
pieces of information match, or, at least, are likely. Spammers, when
creating spoofed addresses, don't bother to make sure that they do. Or, at
least, they haven't up until now.

Microsoft's own version seems to be either an attempt to compete or an
attempt to derail SPF: SPF is primarily promoted by AOL, and the two
companies have never played particularly well together. Microsoft's plan is
derided by the SPF camp for being proprietary. It is true that SPF uses
features and functions that make more effective use of the e-mail protocols
that are currently in use on the Internet. The configuration of factors is
not universal, though, and some of the activities will require new
programming for everyone who participates in SPF. Which may mean that the
Internet might become split into the camp of those who use SPF, and those
who don't.

I have seen this in action already. I have a number of accounts.
(And, of course, get tons of spam.) One is through Vancouver CommunityNet,
which does not have very much in the way of spam detection or prevention.
Because of the volume of spam this account receives (particularly during the
Sobig flood last summer), I forwarded the account to a service that does
spam and virus filtering. One of the functions that the service uses is
similar to the SPF protocol. A great deal of the spam that was being
forwarded was unverifiable, and so the service simply refused to accept it.
This meant that a volume of e-mail built up on Vancouver CommunityNet, to
the point that it affected the mail system as a whole. (Vancouver
CommunityNet, despite being informed of all the details, and my own actions
to rectify the situation, has handled the whole matter in a very sloppy
manner.)

SPF has promise, and it may be possible (unlike the Microsoft proposal) to
provide workarounds for a variety of systems, platforms, and applications.
However, there are a number of issues that still have to be resolved, such
as e-mail aliases, third-party services, and applications such as mailing
lists, which operate in a wide variety of forms. The difficulties are not
insurmountable, but an enormous amount of work still has to be done.

Microsoft's micropayments strategy is apparently the most recent one, but
has been raised many times over the history of the nets. (One of the popular
programs providing Usenet news, a type of topical discussion, used to remind
anyone who attempted to post a message that it would possibly cost thousands
of dollars to send this to everyone: did they really want to do that?)
Unfortunately, the issue of mailing lists comes up almost immediately. Even
if we assume one cent per message, if I send a message to a popular list
such as the RISKS-FORUM Digest, with a possible hundred thousand
subscribers, am I charged a thousand dollars for that message? Is the list
moderator charged?
In the case of RISKS, it is also redistributed by a number of sub-mailing
lists: do those costs get charged to the accounts of the local
administrators? The list moderator? Me?

(The obvious second question is: who *gets* the money? The Internet
Engineering Task Force? Some bloated bureaucracy parcelling out the cash to
the various national telecom carriers? Charity? Microsoft? The recipient?
Hmmm. Maybe I should rethink my objection to the micropayment system. At one
point I was getting 8,000 [yes, eight thousand] copies of spam from one
system in China. Per hour. Same message.)

And, of course, in order to provide for such a micropayment system,
everybody is going to have to use a Microsoft mailer. With a Microsoft
payment system. And a Microsoft account. This sounds like an attempt to
resurrect the (justly derided and roundly condemned) Passport and Palladium
systems.

The challenge-response system is already being used by a number of outfits
providing spam filtering and other services. It is a nuisance. It can create
a great deal of annoyance in a number of situations, not least being mailing
lists. It also doesn't work.

The most common challenge response systems present a graphical image of a
word. This word is supposed to be entered in a field on a web page in order
to create permission for the message to go through. People can read the word
easily, but machines have difficulty with this type of task, so this makes
it impossible for spammers to automate the sending of e-mail: they have to
read and respond to every challenge.

That's the theory. In fact, spammers have already been found to be
"automating" the process--using Internet web surfers. A number of web pages
have been set up promising access to pornography. In order to access the
files, you have to respond to a challenge. The challenges are, of course,
those that are being presented on the antispam filtering sites.
Those challenges are simply extracted, presented to the surfers wanting
access to pornographic images, solved by the user, and the solution fed back
to the antispam site.

The same problems apply to computational puzzles: they are simply another
form of challenge-response.

In fact, most of these antispam technologies fail in the face of the problem
of spam nets set up by viruses. Spam sent from infected machines could
simply use the name of the owner, thus verifying the identity. Spam sent
from infected machines could use the micropayment "wallet" on the infected
machine, thus creating not only problems of clean-up for the owner, but also
a real cost. Infected machines could be used to crack computational puzzles,
or the owner could be presented with challenges to respond to, in a variety
of ways.

Spam has passed the stage of being a nuisance. E-mail is a means of
communication that is starting to rival the phone, and spam is seriously
degrading the effectiveness and utility of e-mail. Antispam measures are
badly needed, but we cannot accept any proposed solution uncritically.
Dividing the Internet into isolated camps of incompatible (and rival)
antispam technologies takes us back to the early days of online systems,
when lots of people had e-mail, but nobody could talk to each other.

There is no easy fix, and there is no easy answer. Administrators have to
ensure that they are not providing open relays that can be used for spam.
E-mail filtering services are checking for inappropriate inbound e-mail, but
must also check what is going out. ISPs (Internet Service Providers) must be
more vigilant in regard to the use being made of the net to which they
provide access. Computer users at all levels have to check for malicious
software, unpatched vulnerabilities, open ports and services, and what is
going out of their systems as well as what is coming in. Everybody needs to
become more aware of what is going on, and keep up with the changes in
threats around us all.

And anyone who tells you it is not going to be painful is selling something.

rslade@private slade@private rslade@private
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Fri, 5 Mar 2004 09:30:15 -0500
From: Monty Solomon <monty@private>
Subject: Firms look to limit liability for online security breaches (Krim)

Firms Look to Limit Liability for Online Security Breaches
Jonathan Krim, *The Washington Post*, 5 Mar 2004; Page E01

In the face of ongoing attacks by computer hackers, some companies that
store their customers' personal data are adopting a new defensive tactic: If
your information is stolen, they're not legally responsible.

Across the Internet, retailers and other service providers that handle
consumer transactions are requiring customers to agree to waive any right to
sue the companies if the businesses are hacked, regardless of how secure
their systems are. The waivers are contained in lengthy terms-of-use
agreements that consumers often click to accept without reading closely. ...

http://www.washingtonpost.com/wp-dyn/articles/A31874-2004Mar4.html

------------------------------

Date: Thu, 04 Mar 2004 10:33:54 -0700
From: "NewsScan" <newsscan@private>
Subject: Smartcards weren't so smart after all, says Target

Target is phasing out the computer chips embedded in its branded Visa cards
less than three years after they were first introduced, citing "limited use"
by shoppers. The technology allowed cardholders to download coupons from the
Internet or in-store kiosks in order to receive discounts on merchandise,
but few customers took advantage of the feature. Only 3.5% of Americans 18
years or older said they had used a smart payment card like Target's,
according to a survey conducted by Financial Insights in March 2004.
John Gould, director of consumer lending and bank cards at TowerGroup, says
Target had been on the right track with its smartcard rollout and perhaps
was overhasty in its decision to curtail the program. "I don't think they
gave it time to mature," he says.
[Reuters, 3 Mar 2004; NewsScan Daily, 4 Mar 2004]
http://www.reuters.com/newsArticle.jhtml;jsessionid=JPT5K1DAV2VEACRBAEKSFEY?type=technologyNews&storyID=4491160&section=news

------------------------------

Date: Fri, 5 Mar 2004 14:28:34 +0000 (GMT)
From: John Sawyer <jpgsawyer@private>
Subject: BBC reports card cloning scam

The BBC is reporting that an Automatic Teller Machine Scam that records card
and password details to allow card cloning is spreading in Cardiff and other
parts of West Wales.

  http://news.bbc.co.uk/1/hi/wales/3535473.stm

Risks has seen this kind of thing before but perhaps not to this level of
sophistication.

Dr John Sawyer, Department of Mechanical and Design Engineering
University of Portsmouth

------------------------------

Date: Sat, 6 Mar 2004 08:50:20 -0500
From: David Magda <dmagda@private>
Subject: An interesting airplane user interface

I found the following anecdote in Edward Tufte's message board:

http://www.edwardtufte.com/bboard/q-and-a-fetch-msg?msg_id=0001Gl&topic_id=1&topic=Ask%20E%2eT%2e

Alan Kay and User Interfaces

I attended the course in Boston yesterday, and enjoyed it very much. Made me
think about the following story which might spur some discussion or comments
here. It seems related to the overall theme here.

In 1985 I attended an OOPSLA (Object oriented programming languages ...)
conference. Alan Kay (PARC/Smalltalk/ Apple/Macintosh/...) gave a
presentation.

Alan told the following true story: He once flew down to Mexico on vacation,
to some lonely place on the California peninsula for surfing etc. A pilot
was supposed to come in a week to pick him up at a rural landing strip. Alan
got there on time, waited, and eventually the plane, an older DC3, came.
When Alan entered the plane he noticed that almost all the instruments had
been unscrewed from the panels, pulled out and twisted around in various
positions, and were basically standing (or waving) on their cable hoses like
flowers on their stems. He got worried, considered exiting the plane, but
decided to stay. The pilot, a younger fellow, seemed trustworthy.

When the plane had reached cruising altitude and speed Alan suddenly "got
it" wrt. the instruments. As long as everything was operating correctly, all
the needles on the instruments were pointing in the same direction! It was
very easy to spot if anything out of the ordinary was going on, and what
that might be.

This story has stuck with me as a super example of adapting the technology
to what we people are good at, as opposed to the other way around which is
too often the case.

Enjoy, Harald

With the multitude of gauges in a cockpit this is a brilliant way to quickly
scan the status of the various components of the airplane. The display of
information is quite important in complex systems and has been discussed in
RISKS before (e.g., RISKS-23.12, the whole "Bubba" debate).

------------------------------

Date: Fri, 05 Mar 2004 00:13:36 -0800
From: David Gillett <dgillett@private>
Subject: Re: Legal Mercedes driver jailed for 18 months (Lesser, RISKS-23.2x)

A few years back, before my father retired from traffic engineering, his was
one of several cars narrowly missed by a vehicle operated with excessive
speed and careless disregard for others on the road.

He told me that the driver, when he appeared in court, argued that as the
holder of a racing driver's permit, he had been in perfect control of his
vehicle at all times. The judge ruled that it was entirely UNreasonable to
assume a similar level of skill and coordination on the part of other
drivers using the roadway, and imposed the maximum available sentence.

Yes, you can be liable for provoking foreseeable mis-reactions....

------------------------------

Date: Thu, 4 Mar 2004 19:22:28 -0500 (EST)
From: Micah Altman <Micah_Altman@private>
Subject: Extended Call for Papers: Voting, Elections, and Technology

Due to the scheduling of other journal issues, the SSCORE editor has given
us an opportunity to extend the original deadline for submissions to this
special issue until June 15.

Call for Papers: *Voting, Elections, and Technology*
a special issue of _Social_Science_Computer_Review_

This special issue of Social Science Computer Review will bring together a
collection of high quality academic work that extends, refines and
challenges our understanding of the use, state of the art, and challenges
associated with voting and election technology, broadly conceived.

This special issue will bring together papers that investigate specific
cases of the use of technology in voting and elections, as well as analysis
of policy, and reviews of the state of the art. Papers from a broad range of
social science perspectives are encouraged. Submissions can be in the form
of full papers (maximum 20 printed pages) or in the form of short papers (5
printed pages). Post-graduate students are particularly encouraged to submit
early work in the form of short papers.

*Sample Topics*: E-voting, Online voter survey methods, Technologies for
election forecasting, Agent-based models of voting behavior, Web-based
campaign fundraising, Redistricting technology, Policy implications

[Abridged for RISKS. For more on SCORE, see this URL:
  http://hcl.chass.ncsu.edu/sscore/sscore.htm ]

------------------------------

Date: 28 Jan 2004 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.
 Alternatively, via majordomo, send e-mail requests to
 <risks-request@private> with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@private .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM: subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
 .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 The full info file may appear now and then in future issues. *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NEW: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
 http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    http://www.csl.sri.com/illustrative.html for browsing,
    http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 23.26
************************
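
Added example, not part of the digest or of any contributor's message: Rob Slade's item above describes SPF-style sender verification and the trouble it has with forwarded mail and mailing lists. The Python sketch below evaluates a published sender policy against the connecting IP address and shows the same sender passing when mail arrives directly and failing when it is relayed by an unlisted forwarder. The policies, domains and addresses are constructed samples using reserved documentation values, the function names are assumptions of this example, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed sample policies, standing in for the TXT records a receiving
# server would fetch from DNS. Domains and addresses are reserved
# documentation values, not real senders.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 "
                      "include:lists.example -all",
    "lists.example": "v=spf1 ip4:198.51.100.25 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDES = 10  # budget that stops include loops between policies


def check_spf(client_ip, domain, records=SPF_RECORDS, budget=None):
    """Return the SPF result for a connecting IP and envelope-sender domain."""
    budget = budget if budget is not None else [MAX_INCLUDES]
    ip = ipaddress.ip_address(client_ip)
    terms = (records.get(domain.lower()) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no policy at all
    for term in terms[1:]:
        qualifier = "pass"  # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return qualifier
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the policy
            if net.version != int(name[2]):
                return "permerror"  # e.g. an IPv6 range under ip4:
            if ip.version == net.version and ip in net:
                return qualifier
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many nested lookups, likely a loop
            inner = check_spf(client_ip, arg, records, budget)
            if inner == "pass":
                return qualifier  # include matches only on an inner pass
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism outside this example's subset
    return "neutral"  # policy ended without an "all" term


def delivery_scenarios():
    """One sender domain, checked from the hosts that might hand the mail over."""
    return {
        # Mail arrives straight from the sender's own server.
        "direct": check_spf("192.0.2.10", "sender.example"),
        # A list host the sender has explicitly authorized via include:.
        "authorized_list": check_spf("198.51.100.25", "sender.example"),
        # An alias or forwarding account relays the message unchanged, so the
        # receiver sees the forwarder's IP with the original sender domain.
        "forwarded": check_spf("203.0.113.7", "sender.example"),
        # A domain with no policy gives the receiver nothing to verify.
        "no_policy": check_spf("203.0.113.7", "nopolicy.example"),
    }


if __name__ == "__main__":
    for path, result in delivery_scenarios().items():
        print(f"{path:16} {result}")
```

The "forwarded" case is why aliases and mailing lists need extra handling: the receiver cannot tell a legitimate relay from a spoofing host unless the relay rewrites the envelope sender or the sender's policy lists it.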