Copy Link
Add to Bookmark
Report
RISKS-FORUM Digest Volume 16 Issue 42
RISKS-LIST: RISKS-FORUM Digest Friday 23 September 1994 Volume 16 : Issue 42
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for information on RISKS (comp.risks) *****
Contents:
Power Outage in Russia? (Bradford Wetmore)
The Future of the Internet is Secure: Press Conference (Winn Schwartau)
Telephone background noise RISKS (Michael P. Gerlek)
Re: Uninterruptable Thought Patterns (A. Padgett Peterson)
Re: Computer disk crash causes misprinted ballots (Douglas W. Jones)
Re: Yet More daring tales of address disasters! (Steve Bellovin et al.)
Re: Address disasters (John Cantrell, Martin Ewing)
Re: Highest Quality Company Logos (Jim Prall, Gary Greene, Ray T. Stevens)
Call For Papers: 8th IEEE Computer Security Foundations Workshop 1994 (Li Gong)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.
----------------------------------------------------------------------
Date: Fri, 23 Sep 1994 13:10:08 -0700
From: Bradford.Wetmore@ebay.sun.com (Brad R. Wetmore)
Subject: Power Outage in Russia?
Did you hear about the plug getting pulled in Russia at a major missile site
not too long ago? Apparently, the folks in charge didn't pay their electric
bill, so the company cut them off...backup generators took over. One
wonders what happens if they also don't pay their rent...? :)
It was in The New York Times not too long ago, and in the San Jose Murky News
this morning, Fri the 23rd.
Brad R. Wetmore, Computer Security Engineer, Sun Federal, Inc. MS UMIL06-94
2550 Garcia Ave., Mountain View, CA 94043-1100 (408) 276-5557 ext, x35557 int
[The answer to Brad's wonder: rent asunder instead of rent us under. PGN]
------------------------------
Date: Fri, 23 Sep 94 12:58:12 -0500
From: "Winn Schwartau" <p00506@psilink.com>
Subject: The Future of the Internet is Secure: Press Conference
The Future of the Internet is Secure!
On October 11, 1994, The Internet Will Become
A Safe Place To Do Business.
Sidewinder:
Internet Security That Strikes Back
The Internet is a dangerous place. Ask anyone.
* Between 85-97% of all computer break-ins go undetected.
* Industrial espionage is up 400% since the late 1980's.
* Hacker attacks increase exponentially.
* Over 1 million computer break-ins last year alone.
* Theft of confidential information costs billions to
America's financial infrastructure.
* Privacy is almost nonexistent.
Yet, the Internet is the fastest growing segment of the National Information
Infrastructure. Over 20 million users and businesses conduct global affairs
on the Internet today, and over 125 million will by the year 2000.
Join us to witness the technological breakthrough in internetworking that
finally makes the Internet a safe place to be.
The future of the Internet is secure.
Come see how.
October 11, 1994
10:00 AM
National Press Club
Zenger Room
529 14St. NW
Washington, DC 20045
_Continental Breakfast_
RSVP
Presented by:
Secure Computing Corporation
2675 Long Lake Road
Roseville, MN 55112
For more information contact:
Interpact, Inc., Winn Schwartau, 813.393.6600 P00506@Psilink.Com
Secure Computing: Kevin Sorensen, 1.612.627.2800, 1.800.692.LOCK
Sorensen@Sctc.Com
------------------------------
Date: Thu, 22 Sep 1994 13:57:26 -0700
From: "Michael P. Gerlek" <gerlek@dat.cse.ogi.edu>
Subject: telephone background noise RISKS
Just another horror story:
I called a major airline the other day to make reservations. In the course of
my dialog with the agent she put me on hold for a minute or so while she
checked something, and I listened to the usual canned music interspersed with
promos for the airline. Then, after more dialog with the agent, again she put
me on hold... but this time didn't switch on the music.
As I waited, I could clearly make out another reservations agent working in
the background: "yes, Mr. Smith, flight 234 from Portland to San Francisco..."
<more dialog, and then the best part> "thank you, Mr. Smith -- to confirm,
that was a charge of $567.89 to your Mastercard, account number 1234-5..."
I discussed this with my agent when she came back on the line. She said it
was her mistake (she didn't press the right button or something), and that the
official policy was to switch the line to hold, so as to allow the customer to
hear the promotional ads while waiting. I pointed out the privacy advantages,
too, and she agreed this was a good thing and promised to be more careful next
time. :-)
-[mpg]
------------------------------
Date: Fri, 23 Sep 94 15:23:12 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: Uninterruptable Thought Patterns (Agre, RISKS-16.41)
The falling ladder problem reminded me of something that happened at a
facility I was working at in Texas a number of years ago. Disaster planning
was taken very seriously and the facility had an emergency diesel generator
*and* backup battery supplies to hold the data center up in case the diesel
was hard to start.
Except for the dump truck that lost control while descending a rise, left the
road and slammed into the adjacent power pole.
The pole broke off at the base and fell onto the generator building, doing
grievous damage to the generator. The broken engine cooling & fuel lines added
to broken water mains to flood the battery room with a noxious mess (the
engine bay had a fuel loss containment system but it was not designed to cope
with a water main). Along the way, the fire control system triggered adding to
the mayhem.
Needless to say, the data center lost power rather suddenly.
Padgett
[Rube Goldberg Strikes Again! PGN]
------------------------------
Date: 22 Sep 1994 19:10:18 GMT
From: jones@pyrite.cs.uiowa.edu (Douglas W. Jones)
Subject: Re: Computer disk crash causes misprinted ballots
Lani Teshima-Miller, writing on Tue, 13 Sep 1994, commented on a computer
crash that led to misprinted ballots. I'm a member of the Iowa State
Commission on Electronic Voting Machines (actually, the name is longer)
-- we oversee the approval by the state of voting systems. Anyway ...
Last night, as it happens, I was reading the Federal Election Commission
standards document for electronic voting machinery, and I note that these
standards are generally very well thought out. There were a few places
where, if anything, they seemed to require excessively expensive solutions
to problems, but few places where they seemed to be open to failures.
The standards mandate considerable fault tolerance in the systems actually
installed in polling places, whether they be mark-sense machines, punched card
machines, or direct recording computerized voting systems. These have a
serious real-time response requirement -- they must work on election day, all
day.
The standards do not mandate a similar degree of fault-tolerance in
off-line systems, such as those used to prepare ballots. What they do
mandate is a clear audit trail and strong safeguards against tampering.
In addition, they mandate provisions for many manual checks. It is in
the latter area where the system in Hawaii clearly failed!
On taking delivery of a shipment of printed ballots, they should have been
inspected -- this means examining a sample ballot from every press run,
preferably from both ends of the run! (Different press runs may have required
different ballot layouts, for example, by permuting the orders of candidate
names, as required in some contexts). Furthermore, the workers at the polling
places, at setup time, are required to perform certain inspection tasks, for
example, by assuring themselves that the voting machine counters are all reset
to zero.
The system seems to be designed well; this error in Hawaii seems to be a human
error. The risk we face is complacency "it's all computerized, these checks
in the system are just bureaucratic requirements, nothing ever goes wrong, so
we can skip this". One of the fundamental requirements of a democratic system
is a corps of election workers who take the requirements for running an honest
election very seriously! I cannot imagine any way to use automation to
eliminate this requirement.
Doug Jones jones@cs.uiowa.edu
------------------------------
Date: Thu, 22 Sep 94 13:46:14 EDT
From: smb@research.att.com
Subject: Re: Yet More daring tales of address disasters!
[...] He moved and sent an address correction to a company in which he
holds some stock. The company acknowledged his change of address, but sent
it to his *old* address. [...]
In fact, in this case the company did exactly the right thing. This is their
mechanism for discovering forged address changes. If the request is false,
the true owner will receive a notice, and can take corrective action. If the
request is genuine, the Post Office will forward the acknowledgment to the
proper place.
--Steve Bellovin
[This was also noted by
Jim Horning <horning@src.dec.com>,
Alan Miller <millera@mcs.com>,
Craig_Everhart@transarc.com,
Martin Ewing <martin.ewing@yale.edu>,
Robert.L.Drysdale@dartmouth.edu,
Patricia Shanahan <pats@equalizer.cray.com>,
Nevin Liber <nevin@cs.arizona.edu>,
James E. Leinweber <jiml@stovall.slh.wisc.edu>,
ROBINSON_PAUL@tandem.com,
Crystal Linn Trexel <ct2f+@andrew.cmu.edu>,
Clark <MERRILL@stsci.edu>,
John Sullivan <sullivan@geom.umn.edu>,
Jim Berets <jberets@bbn.com>,
Geoff Kuenning <geoff@ficus.cs.ucla.edu>,
and they are still coming in... But thus far NO ONE remarked
on the problem that a bogus Change of Address form previously sent
to the local Post Office would result in the acknowledgment being
forwarded to the imposter instead of the victim. Correction:
Just after I wrote the above lines, I found a note from
Charles Reichley <creichley@VNET.IBM.COM>,
who suggested that the acknowledgement should be sent to BOTH the
OLD and NEW addresses. Congratulations to Charles, who gets the
RISKS-ALERTNESS prize for today. PGN]
------------------------------
Date: Thu, 22 Sep 94 12:21:31 PDT
From: cantrell@sparky1.aero.org (John Cantrell)
Subject: Re: Address disasters
After reading Paul T. Keener's comment about a friend's receiving a change of
address acknowledgement from a company that was sent to his *old* address, I
was overcome with deja vu.
Wasn't it here in RISKS that I read about the scam of changing the address
for your credit-card bills so a thief could run up $$$$ without your
ever knowing about it (until it was too late, that is)?
I would rather get the info at the old address and then forwarded by the post
office than run the risk of having to correct an "unauthorized" change of
address with the trouble that goes with it.
cantrell@aero.org
------------------------------
Date: Thu, 22 Sep 1994 15:22:27 -0400
From: martin.ewing@yale.edu (Martin Ewing)
Subject: Postal address disasters
[...] We had a related problem recently, when the US Post Office decided on
its own to return all our mail with a yellow computer-printed sticker saying
"Addressee moved - no forwarding address". We only found out when my parents
called up to ask where we had gone. Of course, our mail box being empty for
several days was definitely suspicious. Our credit card company thought we'd
absconded, when they got their statement back, and there were other unpleasant
effects.
The P.O. was non-repentant, saying only they had had a new man on the
route. At least they didn't blame it on the computer.
-Martin Ewing (martin.ewing@yale.edu) Yale University
------------------------------
Date: Fri, 16 Sep 1994 14:15:09 -0400
From: sq!trigraph!jimp@uunet.uu.net (Jim Prall)
Subject: Re: Highest Quality Company Logos (Lawrence, RISKS-16.41)
>What a wonderful gift for con artists!
Well, it's not as crazy as it sound. Lots of stores use the logos and company
identities of their suppliers in advertising. E.g. if WalMart sells, say,
Timex watches, their flyer uses the official Timex logo on ads on the watch
page.
Service bureaus can get a substantial amount of work creating good, clean,
accurate electronic versions of such corporate identities for such
advertisers. Once in a while a corporation actually supplies its corporate
identity in electronic form, but so far this is rare. More common is a printed
identity book with specs and samples for several fixed sizes, vertical and
horizontal arrangement, and the Pantone color specs for corporate colors. Also
common is trying to get by working from old output; this makes a lot harder to
get a clean electronic logo.
Heaven help the creative director who starts to get creative with a supplier's
corporate identity. This is greatly frowned upon. The one risk is not knowing
the trade standards. If you display another company's identity, you better
match it 100%.
Jim Prall, Trigraph, Inc., Toronto, CANADA jimp%trigraph.uucp@csri.utoronto.ca
------------------------------
Date: 23 Sep 1994 17:11:02 GMT
From: garyg@unity.sj.unisys.com (Gary Greene)
Subject: Re: Digital Logos (Denning RISKS-16.41 on Lawrence, RISKS-16.40)
Peter Denning writes:
> ... If TigerDirect has the explicit permission of the owners of
>the logos, all is well. If not, then not only they, but anyone else using
>the logo without authorization, is breaking the law. Anyone who would use
>a logo, authorization or no, to commit a fraud is also breaking the law.
What Peter says is technically true but ignores the doctrine of "fair use."
I've been a graphic artist for over 25 years. Throughout that time there have
been clip-art books, either print and lately digital that provide libraries of
such logos for use in authorized situations. Virtually all such books I am
aware of get their material directly from the trademark owners and therefore
are authorized, but a few have not.
A company certainly may impose and require that their logo not be distributed
within the trade in this manner. But what does that gain them? Then they
must supply such clip art to the artist. In practice, many people authorized
to let advertising or some other use do not have easy access to their
company's style sheets, or simply don't think to provide them. When the
advertising is created in-house this is not a problem since the art department
always has access to the style sheets, but a great deal of advertising is
created by contractors and specialty houses.
When that happens the artist is reduced to drawing them from memory or
making a fuzzy copy from the yellow pages. Drawing from memory is usually
unsatisfactory. The yellow pages are hardly much better. And I have often
done both in my time. Inclusion of such logos in a library is usually
considered "fair use" under the copyright law unless the copyright owner
specifically objects to the publisher. Only the subsequent unauthorized
reuse of the logo in a specific advertisement or other publication would
constitute a violation of copyright and/or trademark. Further, there are
other "fair use" situations that are also excepted, such as news and
personal photography (Amtrak derails! ...accompanied by footage of an
Amtrak emblazoned passenger car on its side... News at 11).
I will reiterate what Peter very rightly points out: anyone using a company's
logo in a fraudulent manner is breaking the law.
Gary Greene Santa Clara, CA.
------------------------------
Date: 22 Sep 94 20:06:22 EDT
From: "Ray T. Stevens" <74074.1746@compuserve.com>
Subject: Re: Digital Logos (Peter J Denning, Risks 16.41)
It may very well be that the DISTRIBUTION of these logos without the owner's
permission is legal [although USE may not be]. It would take a lawyer to
figure it out (and most likely two lawyers to make a debate on the subject).
In the printing industry we get books of clip art, and some of these books
contain a large number of Logos. I can't believe that the people putting out
the books really got permission from everyone. In fact, all of these books
that contain trademarks contain a disclaimer that says in legal gibberish that
you and darn well better have permission from the trademark holder before
using them.
The real risk I see is to the user who may not realize what they need to do
in order to be legal. This is another case where technology has brought a
tool, which in the past required a specialist, directly to the users without
bringing with it the knowledge of using it properly.
[This interpretation may indeed violate copyright law. However, we
are drifting beyond the scope of RISKS... PGN]
------------------------------
Date: Thu, 22 Sep 94 15:45:53 -0700
From: Li Gong <gong@csl.sri.com>
Subject: Call For Papers: 8th IEEE Computer Security Foundations Workshop 1994
Call For Papers
8th IEEE Computer Security Foundations Workshop
June 13-15, 1995
County Kerry, Ireland
Sponsored by the IEEE Computer Society
This workshop series brings together researchers in computer science to
examine foundational issues in computer security. We are interested both in
papers that describe new results in the theories of computer security and in
papers and panels that explore open questions and raise fundamental concerns
about existing theories.
Possible topics include, but are not limited to:
access control authentication data and system integrity
database security network security distributed systems security
security protocols security models formal methods for security
as well as foundational issues relating to other critical system
properties and in emerging areas such as ubiquitous computing.
The proceedings are published by the IEEE Computer Society and will be
available at the workshop. Selected papers will be invited for
submission to the Journal of Computer Security.
Instructions for Participants: Workshop attendance will be by invitation only
and limited to about 35 participants. Prospective participants should send 5
copies of a paper (limit 7500 words) or proposal for panel discussion to Li
Gong at the address below. Please clearly identify the contact author and
provide email addresses and telephone numbers (both voice and fax).
Important Dates: Author's submission: February 3, 1995
Notification of acceptance: March 14, 1995
Camera-ready final papers: April 3, 1995
Workshop Location: The Computer Security Foundations Workshop is known for its
peaceful rural setting, and in 1995 the workshop will be held at Dromquinna
Manor, County Kerry, which is situated on the South West coast of Ireland.
Built in 1850, and located in quiet picturesque countryside about 3 miles from
Kenmare town, Dromquinna Manor has its own private grounds of woodland and
lawns that sweep down to the sea. The South West coast of Ireland claims some
of the most varied and spectacular scenery in the country, and the coastline,
sculptured by the ice-age and influenced by the warm waters of the Gulf
Stream, is steeped in ancient history and folklore. This mountainous area has
an abundance of natural beauty and is enriched by sub-tropical flora produced
by the unusually warm and temperate climate.
The nearest international airports are Shannon and Cork. There are direct
flights from North America to Shannon and Dublin, and from major European
cities (for example, London and Amsterdam) to Cork. Connections from many
other cities can be best made by using London or Amsterdam or by availing of
the scheduled services from Dublin to Cork. There are also car/passenger
ferries from the United Kingdom and Europe to Cork, Dublin and Rosslare.
For further information contact:
General Chair Program Chair Publications Chair
Simon Foley Li Gong Joshua Guttman
Dept of Computer Science SRI Computer Science Lab The MITRE Corp.
University College 333 Ravenswood Avenue 202 Burlington Road
Cork Menlo Park, CA 94025 Bedford, MA 01730-1420
Ireland U.S.A. U.S.A.
+353 21-276871 x2929 +1 415-859-3232 +1 617-271-2654
s.foley@cs.ucc.ie gong@csl.sri.com guttman@mitre.org
More information at http://www.csl.sri.com/ieee-csfw/csfw.html.
------------------------------
Date: 31 May 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.
The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.
SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you. BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S.
users on .mil or .gov domains should contact <risks-request@pica.army.mil>
(Dennis Rears <drears@pica.army.mil>). UK subscribers please contact
<Lindsay.Marshall@newcastle.ac.uk>. Local redistribution services are
provided at many other sites as well. Check FIRST with your local system or
netnews wizards. If that does not work, THEN please send requests to
<risks-request@csl.sri.com> (which is not automated).
CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject:
line, otherwise they may be ignored. Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious. Diversity is
welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them. Contributions will not be ACKed; the load is
too great. **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks. Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
All other reuses of RISKS material should respect stated copyright notices,
and should cite the sources explicitly; as a courtesy, publications using
RISKS material should obtain permission from the contributors.
ARCHIVES: "ftp crvax.sri.com<CR>login anonymous<CR>YourName<CR> cd risks:<CR>
Issue j of volume 16 is in that directory: "get risks-16.j<CR>". For issues
of earlier volumes, "get [.i]risks-i.j<CR>" (where i=1 to 15, j always TWO
digits) for Vol i Issue j. Vol i summaries in j=00, in both main directory
and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye<CR>"
logs out. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may
differ; UNIX prompts for username, password; bitftp@pucc.Princeton.EDU and
WAIS are alternative repositories. See risks-15.75 for WAIS info.
To search back issues with WAIS, use risks-digest.src.
With Mosaic, use http://www.wais.com/wais-dbs/risks-digest.html.
FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving
it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info
regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL
RISKS COMMUNICATIONS; as a last resort you may try phone PGN at
+1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .
------------------------------
End of RISKS-FORUM Digest 16.42
************************
