Subject: RISKS DIGEST 17.74

RISKS-LIST: Risks-Forum Digest  Thursday 15 February 1996  Volume 17 : Issue 74

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc. *****

Contents:
China requires registration of Internet access (Li Gong)
GM Plans to Plug Cadillacs into Communication System (Mark Anthony Beadles)
Boza virus: knee-jerk media response more hazardous to wallet (George Smith)
At-work Web browsing? (Sean Reifschneider)
Federal Court enjoins CDA provision (Marc Rotenberg from EPIC Alert 3.04)
Correction to CDA article (Stanton McCandlish)
A simple solution to the CDA risk (Russ Broomell)
Seatbelts and the CDA, history repeats? (A. Padgett Peterson)
Re: Wildcard inconsistencies in Windows 95 (George C. Kaplan)
100% not spent on hospitals by a long way (Philip Overy)
Re: Lack of Common Sense is Biggest Risk of All (George C. Kaplan)
Re: Possible future risk of virtual reality (Michael Brady, Mark Meuer,
   Barton C. Massey, Brad Davis)
ABRIDGED info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 15 Feb 1996 11:16:52 -0800 (PST)
From: Li Gong
Subject: China requires registration of Internet access

The (Chinese) People's Daily (overseas edition, Feb. 15, page 4) relays a
news report of Feb. 14 by the New China News Agency, which announces that
the Chinese Ministry of Public Security (the police) has issued a regulation
requiring any institution or individual connecting to or disconnecting from
the Internet to register with the local police authority within 30 days.
Non-registration will lead to a penalty.  The regulation is said to cover all
direct and indirect network access to areas outside China (including Taiwan,
Hong Kong, and Macau).
The report says that as of July 1995, China has more than 40,000 end-points
that are networked [it is unclear if they are all connected to the Internet
or just to domestic networks].  It says that the regulation is a first
important step towards computer security enforcement, and more regulations
are expected.

Li Gong, SRI International, http://www.csl.sri.com/~gong/

   [Also noted by Al Stangenberger.  PGN]

------------------------------

Date: Thu, 15 Feb 96 16:54:58 -0500
From: Mark Anthony Beadles
Subject: GM Plans to Plug Cadillacs into Communication System

Article: "GM Plans to Plug Cadillacs into Automatic Communication System"
WSJ, February 9, 1996, Page B3, Column 1

In summary, GM is introducing a system in its high-end automobiles that will
"automatically call for help" in an accident, including flashing lights and
honking the horn.  Called the OnStar system, it is scheduled to appear as an
option in the 1997 front-wheel-drive Caddies.  According to the article, it
is activated by the air bag being deployed.  In addition to honking and
flashing, the system will transmit (to whom was not clear) the location of
the car in the event of accident, theft, or "other emergencies".  The system
also includes navigational assistance that works throughout the US, using
the car telephone as the output device.

OnStar's managing director, Chet Huber, is attributed as saying, "the company
has done extensive market research that says drivers want a greater sense of
security and control."  Tying the car into a nationwide communication system
that can track your every move and control your car is evidently how they
intend to accomplish this.

The RISKS here are numerous, in my mind:

1. A `false alarm' condition could cause the emergency transmissions,
   flashing lights, and honking horns, when there is in fact no emergency.
   This is similar to the present risks associated with home alarms.
2. Tracking the location of one's car can be a benefit (prevents you from
   getting lost in the Mojave), but it can also allow people to find you
   when you don't want them to.  Cars have traditionally been seen as
   private havens in the US.

3. The system could give wrong navigational information to the driver.  Who
   will be verifying the nationwide database of road information?  The
   driver could follow the system's recommendations and become lost.  Come
   to think of it, I guess that's an argument for having item 2.

Mark Anthony Beadles  beadles@acm.org - http://www.acm.org/~beadles

------------------------------

Date: Thu, 15 Feb 1996 15:46:29 -0600 (CST)
From: Crypt Newsletter
Subject: Boza virus: knee-jerk media response more hazardous to wallet

Recently, the Associated Press newswire triggered another round of
ridiculous computer virus alarms with a story on the Boza/Bizatch computer
virus, an admittedly barely infectious parasite on Win95 executables.
Attributed to the VLAD Australian virus-writing group, due to the equivalent
of a computer underground press release embedded in the virus extolling VLAD
members and their technical virtuosity vis-a-vis writing them, Associated
Press reporter Sue Leeman issued a news brief and it echoed internationally.

In a pattern of action and reaction that has become standard for many
computer virus stories reported in the mainstream press, the Boza piece
generated countless questions from on-line users who thought they were in
danger from it, although realistically they were statistically more likely
to be hit by an automobile than by the virus in their lifetime.

The original Associated Press story quoted Sophos' Paul Ducklin as saying
the Boza virus wasn't on the loose, but most subsequent news stories and
fragments derived from it, including copycat press releases from other
vendors, stripped this from the original.
The Associated Press story wound up being printed in toto or in fragments in
countless newspapers around the country that subscribe to the newswire.  A
good example, but only one of many, was a prominently displayed bulletin
mounted on the Compuserve "What's New" public announcement board.  This
board is displayed to callers every day, and it contained a warning about
the Boza virus and a tip to head to Thunderbyte Anti-virus's spot on the
service for a cure.  However, the fact that the virus wasn't in circulation
or even likely to be so, while present in the original seed AP piece, was
gone.

The results were predictably confusing.  Some PC users on Compuserve who did
not even have Windows 95 installed on their machines concluded they might
have been exposed to Boza.  I noted similar results on other networks like
FIDO and in Usenet newsgroups.

The Boza mini-panic, coming as it does close to the Michelangelo virus
anniversary on March 6, illustrated the need for consistent media criticism,
particularly when it comes to certain varieties of technology stories, like
those dealing with computer viruses.  A few rules of thumb to keep in mind
when dealing with this type of thing are:

1. Computer virus stories are the best vehicle in which software developers
selling cures can pimp for their products.  Even if the virus is shown to be
pathetic as a public menace, interest in those cited will always peak
transiently during the run of the story.  This amounts to software sales and
on-line time spent through commercial services offering information or
software fixes through download, even if it's unnecessary.

2. Being the first vendor mentioned in a story like Boza throws competitors
immediately on the defensive, scrambling to recover and fueling the story in
the process.
Even though competing companies may have known of a virus weeks previously
and quietly written cures into software as the usual course of business, the
average PC user - after reading this type of story - is given the impression
everyone else was asleep at the wheel.  This sets off a chain reaction in
which competitors quickly release copycat press releases which drive
developments and strip more information from the primary seed in an effort
to maximize exposure.  Those vendors who don't do this often face tons of
witless support questions from those needlessly frightened by the news in
on-line computer help forums.  They also face a transient image that they've
been caught flat-footed by competing vendors who've been more successful at
generating publicity.  From a consumer standpoint, this leads to
counter-productive behavior in which some vendors, burned by the lack of
exposure, gear up to generate even more press releases on potential future
threats _before_ they materialize.

3. It encourages some vendors to increase their contact with known active
virus-writers and their groupies so that they will be the first to receive
new viruses which may or may not (more often "not") work.  This is a nasty
spiral which tends to encourage virus-writers to produce more than they
usually would for their "audience."  Having written a book on virus-writers,
I've seen this happen more than a few times since 1992.

George Smith, Crypt Newsletter

------------------------------

Date: Wed, 14 Feb 1996 23:40:31 -0600 (CST)
From: Sean Reifschneider
Subject: At-work Web browsing?

A company I'm working at has had a lot of growth recently on their WWW proxy
servers.  Last Friday evening I was finishing business just as a memo
started its rounds...  It seems that on a given day in January when they
monitored the system, 1100+ connections to ESPNet were made, 800+ to
Playboy, 600+ to Penthouse, etc...
It seems that now that they "have the new proxy servers in place which are
able to log all transactions by source and destination address", they are
going to start logging all "inappropriate" accesses with source and
destination IP address and send the appropriate log extracts to the person's
boss.

The RISKS?  Who says that an IP address maps to a person?

"Click here to see technical specs on the XYZ Widgitifier" (points to
Penthouse -- haha, fooled 'ya)

I run a caching proxy server to increase my workgroup's performance and
reduce load on the company T1 and T3 lines.  It's not really an official
resource (in that the guys sending out this list don't know about it), so it
looks like I spend a LOT of time browsing :-)

Have someone you don't exactly like whose machine is turned off?  Maybe they
didn't get to the PC today.  Maybe you just install a redirector on their
machine...  My NNTP redirector took about an hour to write.

Did anyone actually believe their connections that were going through a
central proxy were NOT being logged?  Perhaps I've just run a proxy site for
too long...

I'm sure there will be thoughts of "invasion of privacy", but (a) there are
notices posted all over that personal use of company equipment is a no-no,
and (b) this is a "regulated" industry -- you'd actually be using TAX
dollars to do your web browsing.  The company can get in BIG trouble for NOT
doing everything they can to prevent it from happening.

It's a trend I see coming...

Sean Reifschneider  URL:

------------------------------

Date: 15 Feb 1996 20:11:57 -0500
From: "Marc Rotenberg"
Subject: Federal Court enjoins CDA provision (from EPIC Alert 3.04)

  FLASH: Federal Court Enjoins Internet "Indecency" Provision --
  ACLU, EPIC, and Others Score Partial Victory in CDA Challenge

A federal judge in Philadelphia has issued a partial temporary restraining
order prohibiting enforcement of the "indecency" provision of the
Communications Decency Act (CDA).
The judge declined to enjoin those provisions of the Act dealing with
"patently offensive" communications.

The court agreed with the plaintiffs' claim that the CDA will have a chilling
effect on free speech on the Internet and found that the CDA raises
"serious, substantial, difficult and doubtful questions."  The court further
agreed that the CDA is "unconstitutionally vague" as to the prosecution for
indecency.  But the court left open the possibility that the government could
prosecute under the "patently offensive" provisions.

The court has recognized the critical problem with the CDA, which is the
attempt to apply the indecency standard to on-line communications.
Nonetheless, online speech remains at risk because of the sweeping nature of
the CDA.

The entry of the court order is a strong indication that the "indecency"
provision of the legislation that went into effect on February 8 will not
survive constitutional scrutiny by a three-judge panel that has been
empaneled in Philadelphia.  The panel will fully evaluate the constitutional
validity of the legislation and consider entry of a permanent injunction
against enforcement of the new law.

The temporary restraining order (TRO) was issued in a lawsuit filed by the
Electronic Privacy Information Center (EPIC), the American Civil Liberties
Union and a broad coalition of organizations.  EPIC is also participating as
co-counsel in the litigation.  The court ruling comes in the wake of
widespread denunciation of the CDA, which was included in the
telecommunications reform bill signed into law last week.

According to EPIC Legal Counsel David Sobel, one of the attorneys
representing the coalition, "The court's decision is a partial victory for
free speech, but expression on the Internet remains at risk.  This is
destined to become a landmark case that will determine the future of the
Internet."
Looking ahead to proceedings before the three-judge panel, Sobel said, "we
are optimistic that further litigation of this case will demonstrate to the
court that the CDA, in its entirety, does not pass constitutional muster."

EPIC has maintained since its introduction in Congress that the ban on
"indecent" and "patently offensive" electronic speech is a clear violation
of the free speech and privacy rights of millions of Internet users.

Comprehensive information on the CDA lawsuit, including plaintiffs' brief in
support of the TRO, is available at:

     http://www.epic.org/free_speech/censorship/lawsuit/

------------------------------

Date: Wed, 14 Feb 1996 19:40:55 -0800 (PST)
From: Stanton McCandlish
Subject: Correction to CDA article (RISKS-17.72)

Due to a mis-paste [mis-spaced!], I gave out misinformation on who voted
against the CDA in my recent article.  The correct version is:

Earl Hilliard (D-AL), Pete Stark (D-CA), Pat Schroeder (D-CO), Neil
Abercrombie (D-HI), Lane Evans (D-IL), Sidney Yates (D-IL), Barney Frank
(D-MA), John Conyers (D-MI), Collin Peterson (D-MN), Harold Volkmer (D-MO),
Pat Williams (D-MT), Maurice Hinchey (D-NY), Jerrold Nadler (D-NY), Peter
DeFazio (D-OR), Timothy Johnson (D-SD), Bernard Sanders (independent-VT)

Senators Dianne Feinstein (D-CA), Patrick Leahy (D-VT), Paul Simon (D-IL),
Paul Wellstone (D-MN), Russ Feingold (D-WI), and John McCain (R-AZ).

   [As you'll note, the string "MN), Russ Feingold (D-" was somehow left
   out, leaving out Feingold, and making it look as if Wellstone is D-WI!
   Many apologies for the error.  SMcC]

      [Yes, it was also mis-spaced.  PGN]

   [Stanton's message in RISKS-17.72* was too polemic and slanted for some
   readers, who wondered why I included it in RISKS.  I had a similar
   reaction, but chose to include it anyway rather than try to censor it
   (!) -- because I had not seen any other appropriate submissions on this
   subject and felt that the subject itself was without doubt worthy of
   mention in RISKS.
   Had I written the analysis myself, it would have been quite different,
   but I try to keep RISKS as open a forum as possible within the posted
   guidelines, and very seldom try to edit for content -- apart from adding
   interstitial notes such as this one.  PGN]

   [*Typo fixed in archive copy.]

------------------------------

Date: Thu, 15 Feb 96 09:45 EST
From: "Broomell, Russ"
Subject: A simple solution to the CDA risk (McCandlish, RISKS-17.72)

What we have in the CDA, as has been said by many before, is the consequence
of non-technical people making decisions on technology without technical
information.  The internet itself is a complex technological system, but the
content the CDA seeks to regulate is easily understood, with even the
quickest training (i.e., "Look, Senator, if you click here you get the Mona
Lisa, but if you click here, you get the Moaning Lisa").  It seems that our
elected officials are too busy even for this brief glimpse.

What many people have overlooked is a simple, effective solution that almost
everyone uses - passwords.  While simple password protection is not enough
to ward off a "high-tech" attack, it is usually enough to discourage your
teenager from delving into the sometimes objectionable world of alt.*.* and
some of those chat groups.

I have an on-line service account on one of the major services, and at least
once a week my teenage son and I "surf the net" - the 1996 equivalent of
"watch TV with your children".  My son does not know my online password and
I change it regularly.  Can he defeat this code?  Sure, but he can walk down
to the corner store and pick up any one of a dozen "objectionable"
publications much more easily.  This seems to me an acceptable risk.  He has
learned to be a responsible online citizen.  I feel that I have handled the
risk that the CDA sought to eliminate.

------------------------------

Date: Thu, 15 Feb 96 11:00:48 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Seatbelts and the CDA, history repeats?
Over twenty years ago, Congress passed a resolution that required automobile
manufacturers to restrict use of automobiles unless seatbelts were fastened,
and the seatbelt interlocks of 1974 ensued.  Such a public outcry ensued
that the requirement was removed in time for the next year's models.
Fortunately for those with '74s (not a great year for cars in general),
unplugging a single connection on each front seat disabled the mechanism.

In its wake, a more rational system followed, with a dashboard warning light
and state laws mandating seat belt use to take the onus of compliance from
the manufacturers and place it on the users of the automobiles in states
where prodding was felt appropriate.

I predict a similar fate for the CDA: the US Gov getting out of the
conflict, removing the onus from the service providers, while placing the
bulk of the responsibility back onto users/parents and permitting definition
of community standards *within the communities* and not for the entire net.

To accomplish this, some control mechanism is needed -- but, like the
warning light on the dashboard, a flag could be placed on sites containing
potentially offensive material, a flag for which the software vendors could
provide a "parental control" switch.  Not difficult to do, just not done,
yet.

In Florida, a parent is held responsible if a child gains access to a gun.
Similarly, only an adult can purchase a firearm and must show "proof of
age".  Along the way we are going to need some sort of Internet "proof of
age" - in the form of a cryptographic ID in which some agency verifies that
the holder is of legal age in the state of residence.  True, there will be
screams from the rabid right, but it is necessary, like a driver's license -
you do not have to have one, but if you want to drive a car...
Also suspect that since states have different ideas about what constitutes
an adult, the mechanism should be driven by the states and not the federal
government - this would again defuse many objections.  This prevents the
customs peculiar to New York City from affecting the different cultures of
Florida or Texas.  Similarly we need to prevent local mores of Memphis from
affecting what works in San Francisco.  (I suspect that some public health
warnings I have seen on SF buses might be illegal in Memphis.)

I do expect good to come from the CDA in that the Supreme Court will have
the opportunity to say "STOP THAT" to some of the more radical elements.
It seems that in some things we must go overboard just to verify that we do
not ever want to do that again.  Somehow it works 8*).

Padgett

------------------------------

Date: Thu, 15 Feb 1996 10:17:36 -0800
From: "George C. Kaplan"
Subject: Re: Wildcard inconsistencies in Windows 95 (RISKS 17.73)

I've never written a program for Windows, but my dimly remembered experience
with MS-DOS indicates that programs get the raw command line parameters, and
it's up to the program to expand the wildcards according to the rules.  It's
not surprising that sooner or later someone would get it wrong on one
command or another.

In contrast, the Unix shell handles the wildcard expansion, and programs
only see the expanded parameter list.  Of course, there are risks here, too,
since there are multiple shells available, each with slightly different
wildcard rules.

George C. Kaplan  gckaplan@cea.berkeley.edu  1-510-643-5651

------------------------------

Date: Thu, 15 Feb 1996 07:39:18 -0800 (PST)
From: pjo33@mailbox.rl.ac.uk (Philip Overy)
Subject: 100% not spent on hospitals by a long way (Zehr, RISKS-17.73)

There are some quaint ideas in "the measurement of risk" by tada@MIT.EDU - I
got a good laugh out of the comment about priorities on health spending:

The following type of example should be borne in mind when comparing safety
propaganda and safety spending with "common sense solutions":

Asthma is generally reckoned to be a disease caused by vehicle pollution:
In the UK last year
   4m pounds was spent on asthma research
   6m pounds was spent on POLICING demonstrations against the proposed new
   M11 road.

The real RISK is that someone like tada@MIT.EDU works for the risk assessor
who decides whether your local hospital stays open! - tada forgets that when
the individual decides whether to spend all of his or her income on health,
the taxman grabs the Star Wars, the road, the import surcharge/export
subsidy and the MP/congressmen's salary increases before minor problems like
literacy in the local secondary schools are even debated.

I am afraid that example stopped me so dead in my tracks, I was unable to
focus on a line of the remaining eMail, so there's a risk of making
statements of "obvious facts" early on in a technical presentation.

I should think that the size of the drug problem in our two countries
demonstrates that quite a large chunk of the population have no respect
whatsoever for their personal safety, although I am sure their
representatives in congress/the Commons think they have.

As for Telstra's radio emissions, well, I suppose the main problem is that
the last time the electorate read about something with the string "radio"
in it, it was the technical world telling them that radioactivity was good
for you, so it's more a case of "once bitten, twice shy" than "Us vs. Them".
Phil Overy

------------------------------

Date: Thu, 15 Feb 1996 10:34:26 -0800
From: "George C. Kaplan"
Subject: Re: Lack of Common Sense is Biggest Risk of All (Gunderson, -17.73)

> Amazing.  I wonder how many people are out there, right now, trying to be
> the first to drive a NASA satellite from home. [...]

I suppose continued "security through obscurity" is better?  Contrary to
what "name deleted" said, I'm sure there are people who have already tried
to hack into a satellite control system, even before these remarks were
published.  Better to sound a public alarm; it might shake people who can do
something about the problem into action.

George C. Kaplan  gckaplan@cea.berkeley.edu  1-510-643-5651

------------------------------

Date: 15 Feb 1996 18:19:07 GMT
From: michaelb@gemsbok.corp.sgi.com (Michael Brady)
Subject: Re: Possible future risk of virtual reality (Cohen, RISKS-17.73)

It seems to me that if we take credit for the good habits developed while
training in VR, we have to consider that bad habits can be developed there
too.  As habits are developed through repetition, it seems reasonable that
compulsive video-gamers would be much more susceptible to such a phenomenon.

Some time ago I read (Scientific American?  Wired?) that military aviators
were not allowed to operate real aircraft for some interval after using a VR
simulator.

Michael Brady -- michaelb@corp.sgi.com -- "We are what we do."

------------------------------

Date: Thu, 15 Feb 1996 10:11:39 -0600
From: markm@endo.com (Mark Meuer)
Subject: Re: Possible future risk of virtual reality (Cohen, RISKS-17.73)

This is related to a more generic risk relating to trained reflexes.  I once
heard an airline pilot give a talk where he said that he always has his wife
drive him home from the airport when he is done flying for the day.
The reason for this was that when a plane is on the ground, the rudder
controls (which are foot pedals) are used for steering, and the "steering
wheel" of the plane is not used at all.  This pilot said that on more than
one occasion he came close to having an accident in his car because he
instinctively tried to steer with his feet.

Mark Meuer <><  |Endocardial Solutions, Inc.|(612) 644-7890| markm@endo.com

------------------------------

Date: Thu, 15 Feb 1996 11:49:34 -0800 (PST)
From: "Barton C. Massey"
Subject: Re: Possible future risk of virtual reality (Cohen, RISKS-17.73)

Sad to admit, this has almost happened to me already.  My institution of
higher education got an SGI Power Challenge a couple of years ago.  Lovely
machine, which includes a very good flight simulator/dogfight game.  A
couple of times, driving home after 4-hour sessions, I found myself
reflexively flooring the gas pedal, crossing three lanes of traffic, and
cutting in front of a car: there was "obviously" room, as my
simulator-trained perceptions would have it.  I no longer play that game.

Bart Massey  bart@cs.uoregon.edu

------------------------------

Date: Thu, 15 Feb 1996 15:46:36 -0700 (MST)
From: Brad Davis
Subject: Re: Possible future risk of virtual reality (Cohen, RISKS-17.73)

This risk has already happened.  A few years ago one of the branches of the
US Military created computerized training material using video, computer
graphics overlays, and a touch screen to train technicians how to repair a
piece of radio equipment.  The actual equipment was shown by video and a
"fault" generated with the graphical overlay.  The student would then
"touch" (using the touch screen) a part to test or remove.  The training
software was changed and the touch screen removed after a number of
graduates were injured (shocked/burned) while touching the real (live)
radio.
Brad Davis, Zinc Software Inc., 405 S 100 E #201, Pleasant Grove, UT 84062
bdavis@zinc.com  Voice: 1 (801) 785-8900  Fax: 1 (801) 785-8996

------------------------------

Date: 14 February 1996 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: ABRIDGED info on RISKS (comp.risks)

 The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
 SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 on your system, if possible and convenient for you.  BITNET folks may use a
 LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  [...]
 DIRECT REQUESTS to (majordomo) with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:]
   INFO     [for further information]
 CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject:
 line, otherwise they may be ignored.  Must be relevant, sound, in good
 taste, objective, cogent, coherent, concise, nonrepetitious, and without
 caveats on distribution.  Diversity is welcome, but not personal attacks.
 [...]
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 By submitting an item that is accepted for publication in RISKS, the author
 grants permission for unlimited noncommercial public distribution and
 redistribution in electronic and print form.  Relevant contributions may
 appear in the RISKS section of regular issues of ACM SIGSOFT Software
 Engineering Notes or SIGSAC Review.
 RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
 RISKS ARCHIVES: "ftp ftp.sri.com
   login anonymous
   [YourNetAddress]
   cd risks or cwd risks, depending on your particular FTP.  [...]
 [Back issues are in the subdirectory corresponding to the volume number.]
 Individual issues can be accessed using a URL of the form
   http://catless.ncl.ac.uk/Risks/VL.IS.html   [i.e., VoLume, ISsue]
   ftp://ftp.sri.com/risks
 PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest,
 see the INFO file at RISKS-Request (one-line message INFO noted above).
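The following is an added example, not part of this digest or of any contributor's post, illustrating the point Sean Reifschneider makes in "At-work Web browsing?" above: a source IP address in a proxy log does not by itself name a person, because the address may belong to a shared intermediary (his workgroup caching proxy) or may have been held by different people at different times. The code contrasts the memo's per-address counting with attribution that joins each request to a lease record and refuses to name anyone when no record covers it. The log format, addresses, hostnames, user names and lease table are all constructed for the example; they are not any real proxy's output.

```python
"""Attribute proxy-log requests to people, refusing to guess when the
source address is a shared intermediary or no lease record covers it.

Everything here (log format, addresses, hostnames, users, leases) is
constructed for this example; it is not any real proxy's output."""
from collections import Counter
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source IP> <destination host> <bytes>"
SAMPLE_LOG = """\
1996-01-17T09:02:11 10.1.4.20 sports.example 1820
1996-01-17T09:02:13 10.1.4.20 sports.example 901
1996-01-17T09:05:40 10.1.4.7 adult.example 4410
1996-01-17T09:05:42 10.1.4.20 adult.example 2200
1996-01-17T12:10:00 10.1.4.7 adult.example 1500
1996-01-17T12:15:02 10.1.4.33 news.example 700
1996-01-17T13:40:00 10.1.4.7 adult.example 3900
"""

# Constructed: destinations the memo's policy would flag as "inappropriate".
FLAGGED_HOSTS = {"adult.example"}

# Constructed: addresses known to be shared intermediaries (a workgroup
# caching proxy, a terminal server, ...).  Requests from these cannot name
# one person, however many of them there are.
SHARED_INTERMEDIARIES = {"10.1.4.20"}

# Constructed DHCP/login lease table: (ip, user, start, end).  Note the gap
# between 12:00 and 12:30 during which nobody is recorded on 10.1.4.7.
LEASES = [
    ("10.1.4.7", "alice", "1996-01-17T08:00:00", "1996-01-17T12:00:00"),
    ("10.1.4.7", "bob",   "1996-01-17T12:30:00", "1996-01-17T18:00:00"),
]


def parse_line(line):
    """Split one log line into its fields, parsing the timestamp."""
    ts, src, host, nbytes = line.split()
    return {"time": datetime.fromisoformat(ts), "src": src,
            "host": host, "bytes": int(nbytes)}


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def naive_counts(records):
    """What the memo does: count flagged requests per source IP and treat
    each address as if it were one person."""
    return dict(Counter(r["src"] for r in records if r["host"] in FLAGGED_HOSTS))


def user_for(ip, when):
    """Who held `ip` at time `when` according to the lease table; None if
    no lease covers that instant."""
    for lease_ip, user, start, end in LEASES:
        if (lease_ip == ip
                and datetime.fromisoformat(start) <= when < datetime.fromisoformat(end)):
            return user
    return None


def attribute(records):
    """One verdict per flagged request: (src, time, 'user', name) when a
    person can be named, otherwise (src, time, 'unattributable', reason)."""
    verdicts = []
    for r in records:
        if r["host"] not in FLAGGED_HOSTS:
            continue
        if r["src"] in SHARED_INTERMEDIARIES:
            verdicts.append((r["src"], r["time"], "unattributable",
                             "shared intermediary"))
            continue
        user = user_for(r["src"], r["time"])
        if user is None:
            verdicts.append((r["src"], r["time"], "unattributable",
                             "no lease covers this time"))
        else:
            verdicts.append((r["src"], r["time"], "user", user))
    return verdicts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("naive per-IP counts:", naive_counts(recs))
    for src, when, status, detail in attribute(recs):
        print(f"{when.isoformat()} {src}: {status} ({detail})")
```

On the constructed log, the naive count blames 10.1.4.7 for three flagged requests and 10.1.4.20 for one; the joined attribution instead names alice for the first, bob for the last, and declines to name anyone for the request in the lease gap or for the one that came through the shared caching proxy. The decision to return an explicit "unattributable" verdict rather than a best guess is the point: a log extract sent to someone's boss should carry only the requests that a second, independent record can tie to that person.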
------------------------------

End of RISKS-FORUM Digest 17.74
************************