Subject: RISKS DIGEST 18.13 RISKS-LIST: Risks-Forum Digest Friday 17 May 1996 Volume 18 : Issue 13 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** Contents: Netscape 2.02 RISK (Ed Felten, for Tom Cargill, Dirk Balfanz, Drew Dean, himself, and Dan Wallach) Garfinkel/Spafford, Practical UNIX and Internet Security, 2nd ed. (PGN) Static hypertext links to dynamic data (John Light) Notebook theft (Denis Parslow) Post-divorce wage gap statistic turns out to be computer error (Mike Coleman) France ISP issues (Simson L. Garfinkel) WWW "Bandwidth Exceeded" signals (Simon Higgs) Re: Software piracy (Li Gong, [-Alias], Simon Arthur) Re: Troubleshooting ValuJet after the crash (James L. Coffey) Re: Morphing Character 217 in Macintosh Geneva Font (Eric Fischer) Re: "Call Girls" web site (Mike Rose) ABRIDGED info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 17 May 1996 17:11:34 -0400 From: Ed Felten Subject: Netscape 2.02 RISK SECURITY FLAW IN NETSCAPE 2.02 We have discovered an attack that allows a Java applet running under Netscape Navigator 2.02 to generate and execute arbitrary machine code. The attack combines a new security bug found by Tom Cargill with some ideas previously discovered by the Princeton team. We have implemented a demonstration applet that deletes a file. We are not yet releasing technical details. For more information, contact Ed Felten (felten@cs.princeton.edu, 609-258-5906), or see http://www.cs.princeton.edu/sip/News.html Tom Cargill Independent Consultant http://www.csn.net/~cargill/ Dirk Balfanz, Drew Dean, Ed Felten, Dan Wallach Dept. of Computer Science, Princeton University http://www.cs.princeton.edu/sip/ ------------------------------ Date: Fri, 17 May 96 10:19:12 PDT From: "Peter G. Neumann" Subject: Garfinkel/Spafford, Practical UNIX and Internet Security, 2nd ed. Practical UNIX and Internet Security, Second Edition By Simson Garfinkel and Eugene Spafford O'Reilly & Associates, Inc., 1996 1004 pages. ISBN: 1-56592-148-8. $39.95 This book is an extraordinarily successful effort to cram into a mere thousand pages (971+xxix+ORAads) almost everything you need to know about Unix and Internet security. It is a complete rewrite of the First Edition of 1991, and contains much new material. In terms of pages per dollar or cents per page, or much more important, the amount of money it can save you by keeping you away from a horrendous array of potential security problems, it is an incredible bargain. This is a keeper -- at least until the Third Edition comes out, perhaps in 2001. By then, the authors will be able to write much more definitively about Java and web browsers, which are treated only lightly in the Second Edition. (Too much happening, too fast?) Everything else, however, seems well covered and very nicely written. This is a very readable and very useful book, and deserves to be looked at by all of you. [Note: Coincidentally, the first two errors I found in *PUIS2* relate to RISKS: (1) on p.897, the host name for the RISKS archive site (which has been unix.sri.com since 1 Jan 1995) is listed as crvax (which lead me to discover that the old crvax *still* exists, and is what AltaVista picks up, but that it contains only issues through volume 16), and (2) on p.879, a typo! One of the great advantages of on-line books will be that errors will disappear as rapidly as they are found. For example, there are still a few copies of the first printing of my Computer-Related Risks book around with the crvax reference, whereas the third printing correctly has unix.sri.com! THIS PARAGRAPH IS FOR RISKS READERS. Please truncate if this minireview gets redistributed elsewhere. PGN] ------------------------------ Date: Thu, 16 May 96 12:42:00 PDT From: John Light Subject: static hypertext links to dynamic data I was reading the home page of a subsidiary of a *very* high profile WWW player. On it was the phrase "bringing [top rated] ...... capabilities", where the bracketed words were a hypertext link. I followed the link to Stroud's Consumate Winsock Applications (http://cws.wilmington.net), directly into the appropriate category, where I found that the original product is *no longer top rated*!. In fact it had disappeared from the list. I was glad this happened because I had not seen Stroud's site before, and the updated list pointed me at several new products, which probably are better than the original. The obvious risk is that pointing to any data *not* on your web site requires a commitment to a higher level of vigilance and on-going support, or you may be surprised by the consequences. John Light ------------------------------ Date: Mon, 13 May 1996 08:57:35 +0000 From: "Denis Parslow (Almo Distributing)" Subject: Notebook theft PC Week's latest issue (I unfortunately don't have it to quote from) stated that last year 1 out of every 14 notebooks (sold?) was stolen. I wish I could quote the rest. The risks would certainly include the importance of password security, file access, etc. if your data is *that* likely to be stolen/compromised. Denis Parslow, Engineering Mgr, Almo Distributing, Trademark Computers dgp@world.std.com http://www.almo.com http://world.std.com/~dgp/ ------------------------------ Date: Fri, 17 May 96 01:56 CDT From: Mike Coleman Subject: Post-divorce wage gap statistic turns out to be computer error An AP wire story reports that sociologist Lenore J. Weitzman has stated that a widely publicized statistic in her study "The Divorce Revolution" was incorrect. (The statistic was that the standard of living for women's households dropped 73% in the first year following a divorce, while men's households rose 42%.) According to the story, Weitzman "blames the loss of her original computer data file, a weighting error or a mistake in the computer calculations performed by a Stanford University research assistant." Weitzman's data were examined by sociologist Richard R. Peterson, who determined that the correct figures were 27% and 10%, respectively. Without knowing more about the dataset and how it was processed, one can only speculate as to exactly what sort of mistake was made. The magnitude of the error suggests, however, that in this case the error might have been discovered with a rudimentary cross-check, e.g., a histogram of the data or a manageable random subset. (The article is currently available as 'http://www2.nando.net/newsroom/ntn/nation/051696/nation2_5387.html'.) Mike Coleman, Ctr for Telecomputing Research, http://ctr.cstp.umkc.edu/~coleman ------------------------------ Date: Thu, 16 May 1996 10:50:21 -0400 From: simsong@vineyard.net (Simson L. Garfinkel) Subject: France ISP issues As a hobby, I run a small ISP on Martha's Vineyard. We have about 350 customers and have a Usenet feed. However, we specifically block the alt.binaries groups. The principle reason that we do this is to conserve our bandwidth: receiving alt.binaries would require that we triple our off-island throughput. However, even if we did have the alt.binaries groups, I do not think that we would take a few particular groups. These groups are alt.binaries.pictures.erotica.teen and alt.binaries.pictures.erotica.children. From my point of view, these groups exist solely for the carriage of child pornography. US law says that possession of child pornography is a crime. Usenet, unlike the web, places a copy of every message on your server's hard drive. Any organization that has these newsgroups within the United States (including AOL) is in violation of federal law. I do not by the argument that censoring the alt.binaries.pictures.erotica.teen and alt.binaries.pictures.erotica.children newsgroups will make a provider legally liable to any message that is sent over the Usenet because they are now exercising some sort of editorial control. There is a big difference between deleting individual messages for editorial purposes and the wholesale deletion of groups. Simson Garfinkel, President, Vineyard.NET, Inc. ------------------------------ Date: Thu, 16 May 1996 14:19:07 -0700 From: Simon Higgs Subject: WWW "Bandwidth Exceeded" signals It finally happened. The web finally got it's busy signal. No, not the web server saying it's busy, since it's happily serving out other pages. User home-page bandwidth ran out. Is this a sign of metering to come? Or a result of refusing to meter user traffic? Internet Direct have a policy of cutting off a user's web pages when they have exceeded a predetermined amount of web server bandwidth. This creates a substantial risk when renting web server space from an ISP for providing time sensitive, or critical support information. I'm really disappointed at seeing this kind of interference from an ISP. --- begin forwarded text Date: Wed, 15 May 1996 22:31:05 -0700 To: simon@higgs.com Subject: 4x4 X-URL: http://www.indirect.com/www/a4x4/suzuki.html http://www.indirect.com/www/a4x4/suzuki.html Bandwidth Exceeded Unfortunately, due to the extreme load on our user web server, we have been forced to require each user to stay below a certain maximum daily bandwidth limit. User a4x4 has currently exceeded his or her bandwidth limit of 26214400 bytes for the day. This bandwidth limit will be reset and the pages will become available again at 1600 MST. If you are an Internet Direct customer with high web server bandwidth needs, you may want to investigate our GoSite Internet Server product. We apologize for any inconvenience. We feel this new strategy will provide all of our users with increased speed and better overall performance on their web pages. If you have questions or concerns about this policy, please send e-mail to support@indirect.com. --- end forwarded text Simon Higgs e-mail: simon@higgs.com http://www.higgs.com/ ------------------------------ Date: Thu, 16 May 1996 10:22:33 -0700 (PDT) From: Li Gong Subject: Re: Software piracy (RISKS-18.12) PGN in RISKS-18.12 quoted San Francisco Chronicle's report that "Pirated software costs an estimated $12 billion annually worldwide." I do not support piracy and such, but would like to point out the grossly exaggerated nature of such reports. Use China as an example. Suppose there is a total ban of illegal sales of pirated software. The net result is not that the US companies (or others) will immediately make a lot more money on these "sold" software. Instead, not many copies will be sold for the simple, economic reason. A case in point. The Microsoft Visual C++ I bought last year was US$400+. This translates into about Chinese Yen Y3600, which is a decent gross annual salary of a university professor in China. Now how many copies of this software can you sell? In the long run, a total ban may actually help the Chinese software industry to obtain a breathing space and to develop its own software standard/platform and all. This would be extremely bad news for companies such as Microsoft. A reasonable strategy (e.g., for the US software industry) would be to sell at heavily discounted prices that the local market can bear and wait for the purchasing power to grow. Thus, instead of screaming the piracy nonsense, the US (and other countries) should see the reality and view the current situation as an extended battle to retain market share, with its typical associated cost in lost revenue. Li Gong, SRI Computer Science Laboratory, www.csl.sri.com/~gong ------------------------------ Date: Thu, 16 May 1996 12:46:11 -0700 (PDT) From: [-Alias] Subject: Re: Software piracy (RISKS-18.12) I am amazed that this figure continues to be printed without anyone challenging it. This figure assumes that every person who pirates or purchases a pirate copy of program X would have instead bought the program. Obviously false. > * Two CD-ROMs with more than 100 programs ... valued at $50,000 The industry counts this as $50,000 worth of losses. But in fact, I would be very surprised if anybody who purchased this disk installed both Win95 and WinNT, let alone AutoCad, Notes, or Xing's Mpeg. -Alias ------------------------------ Date: Wed, 15 May 1996 00:31:47 EDT From: Simon Subject: Re: Software piracy (RISKS-18.12) Interesting. CD's cost about $US3 each to manufacture, last I heard. With such a markup, the people manufacturing the CD's must be making a fortune. No wonder they're so hard to stop. > * Pirated software costs an estimated $12 billion annually worldwide. You could also look at it like this: Businesses save about $12 billion annually through flexible adherence to software license agreements. > * "More than half of all software in existence today is lost to piracy." Where'd it disappear to? :-) > according to a chart attributed to Glenco Engineering, Inc. Glenco Engineering, Inc. manufactures and sells copy protection devices. See http://www.glenco.com/ for details and the chart. Not that I think their numbers are too high. In fact, it seems that in small businesses in the US about 60% of all software is pirated. In large corporations, compliance is probably well above 90%. For home users, I'd say that maybe 90% has not been paid for. These are just my estimates from my work as a consultant, having visited many businesses. > [No one seems to mention the devious opportunity for > Trojan horses being added inside the pirate shrinkwrap.] Far be it from me to provide potential warning to software pirates, but a person less honest and law-abiding than me might suggest that the greater danger lies in being swindled by a hot-dog cart guy selling defective disks. If you need it cheap / Don't buy from that creep. If Hong Kong won't cut it / But it can't be legit Think of how much money you'll save / When your software's from Burma (shave). Simon Arthur chroma@mindspring.com ------------------------------ Date: Wed, 15 May 1996 16:15:31 -0700 From: "James L. Coffey" Subject: Re: Troubleshooting ValuJet after the crash (Reed, RISKS-18.12) My experience (as an evaluator of nuclear power plant operators), is people tend to quickly forget that an observer is present, if the observer just watches and doesn't interrupt the operators as they carry out their tasks. Even if they try to do things in a different manner than they normally do, they also tend to lapse back into their normal operating mode after a while. In addition, it is generally pretty obvious to a trained observer when a crew is trying to "put on a show." The RISK there is that they will make mistakes they normally wouldn't because they are not operating like they are used to and that causes communication and coordination problems and increases the chances of making an error. : The RISK is that the FAA will waste a lot of time and energy looking at : something that won't give them useful information. Perhaps it's time for : video cameras in the cockpit? Video cameras, while a useful tool for review and debriefing, will often miss crucial actions. The RISK (or RULE) is that they always point to the wrong spot. ------------------------------ Date: Wed, 15 May 1996 19:32:06 -0500 (CDT) From: eric fischer Subject: Re: Morphing Character 217 in Macintosh Geneva Font (Robinson, 18.12) Paul Robinson reported the surprising behaviour of a Macintosh character which appears as Y-umlaut in most fonts but as symbols which vary with the font size in a few others. The full range of these secret characters was documented in great detail in Volume I, Issue 2 of _Macworld_ (May/June 1984), as a "treasure" that "only luck and wild fingers on the keyboard would have unearthed." The set of characters in current Macintosh fonts is larger than in the ones that were available in 1984 (so the special characters were not taking the spot reserved for Y-umlaut, but were in a location that would otherwise be empty, but happened to be typable with Option-Shift-Tilde) and, since all the fonts were bitmapped rather than scalable, and the only output device, the Imagewriter, matched the screen resolution exactly, there was no confusion caused by rescaling the fonts to match different output devices. So the risk of accidentally misusing these characters didn't come into being when they were placed into the fonts, but was instead when "legacy" fonts weren't updated to match newer notions of what Mac fonts should contain. For the record, here are all the special symbols hidden in the original Mac fonts, not all of which are still shipped with current Macintosh software: New York Toronto Chicago, London, hearts: 9, 18pt boxes: 9, 18pt Monaco: robots: 12, 24pt vines: 12, 24pt undefined musical notes: 14pt apples: 14pt Geneva: all sizes: sheep: 9, 18pt Venice: chains rabbits: 12, 24pt San Francisco: cars birds: 14pt Athens: footprints Eric enf1@midway.uchicago.edu ------------------------------ Date: Thu, 16 May 96 12:29:27 EDT From: Mike Rose Subject: Re: "Call Girls" web site (RISKS-18.12) The risk that call-back phone-sex will bring censorship to the net seems far-fetched. For starters, I'd bet a big bottle of crisco that those sexy voices won't be saying anything until they've got a credit card number. Why would a politician receiving such a call, assuming he or she objects, blame the internet? The recipient doesn't know how the transaction to the call-back service was initiated and, even if they do know, does it really matter? Any legal restrictions should be placed on the actual service, not the ordering mechanism. Mike ------------------------------ Date: Fri, 17 May 1996 12:26:41 -0700 From: Mike Crawford Subject: Re: Internet in danger (RISKS-18.11) There were two things that happened in Germany. In one case a local prosecutor got CompuServe to censor a couple hundred newsgroups. In the other case, Web Communication's entire web server has been censored by Germany. I think they use packet filters to drop packets with www.webcom.com's IP address. This was done because a Canadian customer of Webcom's is a historical revisionist - his web page argues that the Holocaust never happened, and promotes Nazi politics, etc. Germany does not have complete freedom of speech - promoting Nazism is illegal there. Germany's effort largely backfired because a number of other sites immediately provided mirrors for the Nazi. Webcom's other customers, mostly ordinary businesses, are blocked out from the whole nation of Germany. Mike Crawford crawford@scruznet.com http://www.scruznet.com/~crawford [This is an old story, but has not run in RISKS before. PGN] ------------------------------ Date: Thu, 16 May 1996 15:37:39 -0400 From: "Jim Carroll" Subject: Re: Internet in danger Since my comment questioning the 80% figure attributed to hate literature originating in Canada, I'd like to make some further comments in the hope of stifling further e-mail. Has nobody but me stopped to consider what 80% means? To me, at least, this implies that out of people connected to the Internet *worldwide*, Canada is implied to have the dubious honour of being Number One in providing hate literature to Germany, with Number Two placing a very distant second, whatever country that might be. Does this make sense? Am I the only one wondering who took these stats, and what methodologies they used to collect them? I thought one of the fundamental mandates for this newsgroup was to question the reliability of certain assumptions, especially if technology is involved. In fact, let me go so far as to say that one RISK in listening to rhetoric is to take as gospel when one throws around figures like "80% of Canadians," or "4 out of 5 dentists", when we pooh-pooh claims that use phrases like "a lot". Numbers and statistics somehow validate and ennoble what we might otherwise question. I had hoped that RISKS readers would be familiar with this. Jim Carroll ------------------------------ Date: 18 March 1996 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: ABRIDGED info on RISKS (comp.risks) The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...] DIRECT REQUESTS to (majordomo) with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] INFO [for unabridged version of RISKS information] CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, nonrepetitious, and without caveats on distribution. Diversity is welcome, but not personal attacks. [...] ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Particularly relevant contributions may be adapted for the RISKS sections of issues of ACM SIGSOFT Software Engineering Notes or SIGSAC Review. * Submissions: By submitting an item that is accepted for publication in RISKS, the author grants permission for unlimited public distribution and redistribution in electronic or other form. * Reuse: Blanket permission is hereby granted for reuse of all materials in RISKS, under the following conditions. All redistributed items must include the Risks-Forum masthead line. All reuse must be accompanied by the following statement: Reused without explicit authorization under blanket permission granted for all Risks-Forum Digest materials. The author(s), the RISKS moderator, and the ACM have no connection with this reuse. As a courtesy, reusers of individual items (as opposed to forwardings of entire issues) should notify the authors, and should pay particular attention to any subsequent corrections. RISKS ARCHIVES: "ftp ftp.sri.comlogin anonymous[YourNetAddress] cd risks or cwd risks, depending on your particular FTP. [...] [Back issues are in the subdirectory corresponding to the volume number.] Individual issues can be accessed using a URL of the form http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue] ftp://ftp.sri.com/risks The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest, see the unabridged INFO file at RISKS-Request (send one-line message INFO to risks-request@CSL.sri.com as noted above). ------------------------------ End of RISKS-FORUM Digest 18.13 ************************