[1589] in RISKS Forum
Risks Digest 21.37
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Thu May 3 18:57:49 2001
From: RISKS List Owner <risko@csl.sri.com>
Date: Thu, 3 May 2001 15:56:47 PDT
To: risks@mit.edu
Message-ID: <CMM.0.90.4.988930607.risko@chiron.csl.sri.com>
RISKS-LIST: Risks-Forum Digest Thursday 3 May 2001 Volume 21 : Issue 37
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.37.html>
and by anonymous ftp at ftp.sri.com, cd risks .
Contents:
Microsoft Is Set to Be Top Foe of Free Code (David Farber)
DMCA: It's Like ... an Analogy Fest! (Monty Solomon)
Recording industry threatens researcher with lawsuit (NewsScan)
Hack attacks from China? (NewsScan)
Space Station software problems predicted four years ago (Philip Gross)
Incompatibility shuts down Xerox corporate network (Nelson H. F. Beebe)
Destia shuts down service (Doneel Edelson)
Mobile phones to prevent car theft? (Yerry Felix)
CNN censors profane Webby nominee (Jim Griffith)
Another problem with the DNS (Bob Frankston)
MS security updates infected with virus (Dave Stringer-Calvert)
Microsoft error message (Jean-Jacques Quisquater)
Using calendar reminder service to remember anniversary of sad event (Elinsky)
Risks of Net-connected appliances (Robert J. Woodhead)
Re: MSN "upgrade" creates long distance calling (Steve Holzworth)
The follow-on to James Bamford's *Puzzle Palace* (David Farber)
Definitions for Hardware and Software Safety Engineers (Meine van der Meulen)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Thu, 03 May 2001 09:43:23 -0400
From: David Farber <dave@farber.net>
Subject: Microsoft Is Set to Be Top Foe of Free Code
John Markoff in *The New York Times*, 3 May 2001:
Microsoft is preparing a broad campaign countering the movement to give
away and share software code, arguing that it potentially undermines the
intellectual property of countries and companies. At the same time, the
company is acknowledging that it is feeling pressure from the freely
shared alternatives to its commercial software.
http://www.nytimes.com/2001/05/03/technology/03SOFT.html
[Dave's IP archives are at
http://www.interesting-people.org/
PGN]
------------------------------
Date: Wed, 02 May 2001 10:53:14 -0700
From: Monty Solomon <monty@roscom.com>
Subject: DMCA: It's Like ... an Analogy Fest!
MEDIA GROK, 2 May 2001
We know, we know: Media coverage of the Digital Millennium Copyright Act
makes your eyes glaze over. Think that's bad? Imagine the DMCA being
discussed in a courtroom. This happened yesterday when a New York appeals
court became ground zero for testimony on whether DVD code-busting software
violates the DMCA. Reporters tried mightily - and several succeeded - to
make sense of lawyers' attempts to out- argue each other.
Call yesterday's event a different kind of Hollywood strike. When the e-zine
2600.com posted DeCSS, a computer program capable of cracking DVDs' security
code, a coalition of film studios struck back with a lawsuit. The studios
won, and the lower court based its ruling on the DMCA-based ban on
code-busting devices. 2600 appealed, its lawyers arguing that DeCSS has fair
and allowable uses.
Is law so complex that it has to be fed to us in analogies? We grew dizzy
trying to follow the analogy free-for-all that gripped the appeal hearing
and its coverage. Let's start with the DMCA. It's like Congress deciding
that the blueprint for a copying machine can't be published because it might
be used to violate the copyright laws, said Kathleen Sullivan, Stanford Law
School dean. Here's one about DeCSS: It should be banned because it's akin
to software that shuts off smoke detectors or airplanes' navigational
systems, said DMCA defender and assistant U.S. attorney Daniel Alter,
according to the New York Law Journal. The First Amendment wouldn't bar the
government from prohibiting distribution of that kind of software, Alter
said, and the same goes for DeCSS. No, no, no. DeCSS is "a useful tool for
scientific study and journalistic inquiry - or a burglar's crowbar designed
for breaking, entering and stealing," the Law Journal chimed in.
Lawyers, of course, love this kind of talk, which is no doubt why, as Inside
reported, the three-judge panel was revved up enough by the legal banter to
allow the session to run an extra 30 minutes. Inside ran a solid and
readable analysis of the ideas that were raised, as did ZDNet, which
included the tidbit that one "hacker-type" wore a T-shirt displaying the
illegal DeCSS code.
But both Inside and Wired News predicted the appeals court would probably
uphold the lower court's ruling. Sometimes pushing new ideas is like an
uphill battle. - Deborah Asbrand
Second Circuit Weighs DVD Copying
http://www.law.com/cgi-bin/gx.cgi/AppLogic+FTContentServer?pagename=law/View&c=Article&cid=ZZZ9P7GD8MC&live=true&cst=1&pc=5&pa=0&s=News&ExpIgnore=true&showsummary=0
In Lively Oral Arguments, Lawyers Put Digital Copyright Act on Trial
http://www.inside.com/jcs/Story?article_id=29820&pod_id=13
Throwing the Book at DeCSS
http://www.zdnet.com/zdnn/stories/news/0,4586,5082131,00.html
DVD Piracy Judges Resolute
http://www.wired.com/news/digiwood/0,1412,43470,00.html
Court Hears Appeal of Hacker Wanting to Post Descrambling Code on Internet
http://interactive.wsj.com/articles/SB988759509262167525.htm
(Paid subscription required.)
Judges Weigh Copyright Suit on Unlocking DVD Shield
http://www.nytimes.com/2001/05/02/technology/02CODE.html
(Registration required.)
------------------------------
Date: Tue, 24 Apr 2001 09:20:08 -0700
From: "NewsScan" <newsscan@newsscan.com>
Subject: Recording industry threatens researcher with lawsuit
The litigation department of the Recording Industry Association of America
(RIAA) has threatened legal action against a Princeton University computer
scientist if he and his colleagues give a conference presentation this week
explaining how to get around a system developed by the industry to protect
copyrighted music. The researcher, Dr. Edward W. Felton, works in the field
of steganography, which develops techniques such as digital watermarking.
The head of RIAA's litigation department insists: "There is a line that can
get crossed, and if you go further than academic pursuit needs to go, you've
crossed the line and it's bad for our entire community, not just for artists
and content holders, it's everyone who loves art, and it's also bad for the
scientific community." [*The New York Times*, 24 Apr 2001; NewsScan Daily,
24 April 2001 http://www.nytimes.com/2001/04/24/technology/24MUSI.html]
------------------------------
Date: Mon, 30 Apr 2001 08:52:04 -0700
From: "NewsScan" <newsscan@newsscan.com>
Subject: Hack attacks from China?
The FBI cybercrime division called the National Infrastructure Protection
Center is warning that Chinese hackers have publicly discussed increasing
their activities in the first week of May, in celebration of two Chinese
holidays and in memory of the two-year anniversary of the U.S. accidental
bombing of the Chinese embassy in Belgrade. The Internet security company
Vigilinx warns that it has the potential to escalate into something very
damaging if emotions run unchecked. There is no evidence that attacks have
been approved by the Chinese government. (AP/*USA Today*, 27 Apr 2001)
http://www.usatoday.com/life/cyber/tech/2001-04-27-chinese-hack.htm
NewsScan Daily, 30 April 2001
------------------------------
Date: Sat, 28 Apr 2001 15:20:16 -0400
From: "Philip Gross" <png3@cs.columbia.edu>
Subject: Space Station software problems predicted four years ago
I contributed an article to RISKS on December 8, 1997, (RISKS-19.49) about
the enormous risks involved with the software of the International Space
Station. 3.5 million lines of code, coming from multiple countries, with
little indication of the verification methodologies. In the two subsequent
issues RISKS-19.50 and 19.51, anonymous posters with connections to the
program agreed with and amplified these concerns.
Now we see that, indeed, difficult-to-diagnose software problems are
starting to plague the craft.
"Computer problems have kept the Endeavour at the station longer than
expected as astronauts try to carry out operations of a critical robot arm.
The ISS has suffered a series of glitches since Tuesday that left ground
controllers with only tentative command," says CNN.
(http://www.cnn.com/2001/TECH/space/04/28/shuttle.launch.02/index.html)
The RISKS here involve the well-known dangers of leaving debugging until the
system is already in use. Although critical safety and control mechanisms
may be compromised until the problems are fixed,
"Russian space officials refused to delay Saturday's launch but agreed to
put the Soyuz in a holding pattern if the shuttle was still at the space
station on Monday. Russia said it had been unwilling to postpone the Soyuz
mission because the cosmonauts must replace the space station's escape
craft, whose service lifetime expires at the end of the month."
The world's first space tourist may have an interesting ride...
------------------------------
Date: Mon, 23 Apr 2001 14:02:12 -0600 (MDT)
From: "Nelson H. F. Beebe" <beebe@math.utah.edu>
Subject: Incompatibility shuts down Xerox corporate network
*Computerworld* (16-Apr-2001, p. 6 and 78) has two articles on how an
incompatibility between a beta release of Microsoft Windows XP and Cisco
5000 routers shut Xerox's corporate network down several times. According
to the page-long column on p. 78, ``It got so bad that Xerox warned all
50,000 of its U.S. employees not to installed XP betas without permission or
they'd face disciplinary action.''.
Nelson H. F. Beebe, Center for Scientific Computing, University of Utah
Department of Mathematics, Salt Lake City, UT 84112-0090 +1 801 581 5254
------------------------------
Date: Thu, 3 May 2001 17:47:14 -0400
From: "Edelson, Doneel [euler:aci]" <doneel.edelson@eulergroup.com>
Subject: Destia shuts down service
Destia (known as EconoPhone), a part of Viatel, shut down service to all
customers Monday night or Tuesday. Thousands of people with direct-dial
service (1+) are scrambling to get an alternate long-distance provider.
Until then, they cannot make any long-distance calls except to 800 numbers.
Also inbound 800 number service and calling cards provided by this company
do not work.
------------------------------
Date: 27 Apr 2001 23:59:44 +0100
From: Yerry Felix <1i@esperi.demon.co.uk>
Subject: Mobile phones to prevent car theft?
Econet Wireless brand manager David Dzumbira said in the unfortunate event
of the vehicle being violated or vandalised, Cellstop will alert the owner
by calling on his/her cellphone within seconds of the incident happening.
Cellstop will dial the number three times and if these calls are
unanswered or responded to, the Cellstop unit will automatically starve
fuel to the engine, making it impossible to drive the vehicle, said
Dzumbira.
But what if the owner forgets the phone, loses it or the phone is stolen?
Or, if the phone runs out of power? And what happens if the device springs
into action whilst the car is being driven by the legitimate owner?
Note that the vehicle is stopped regardless of whether the phone is ignored
or answered!
Moreover, given the amount of false car alarms that seem to occur, this
could be very annoying, although, being the victim of nightly car alarms in
my street, I don't have much sympathy here :-)
The full article:
http://www.mweb.co.zw/zimin/index.php?id=3176&pubdate=2001-04-27
------------------------------
Date: Thu, 26 Apr 2001 20:17:34 -0500
From: Jim Griffith <griffith@olagrande.net>
Subject: CNN censors profane Webby nominee
An interesting aspect of this year's Webby's nominees is the nomination
of www.f**kedcompany.com in the Humor category (for which I was a nominating
judge). When reading the CNN article about the nominations, at
http://www.cnn.com/2001/TECH/internet/04/26/webby.awards.reut/index.html#12
I was interested to find that the above-mentioned site was apparently
deliberately excluded from the list of nominees, probably for the profane
name. The *San Jose Mercury News* site reported the complete list, however.
[comp.risks censors "CNN censors profane Webby nominee" as well. PGN]
------------------------------
Date: Mon, 30 Apr 2001 15:16:55 -0400
From: "Bob Frankston" <rmf2gOther@bobf.Frankston.com>
Subject: Another problem with the DNS
I e-mailed a URL, http://www.washtech.com/news/media/9387-1.html. The
spelling corrector apparently chanted washtech to washes which is a porno
site! The risk here isn't so much spelling correction as the current attempt
to use the DNS as a directory. The density of the namespace is just one of
the many problems.
Bob Frankston http://www.Frankston.com
------------------------------
Date: Sun, 29 Apr 2001 19:18:28 -0700
From: Dave Stringer-Calvert <dave_sc@csl.sri.com>
Subject: MS security updates infected with virus
Microsoft security fixes infected with FunLove virus
A virus infection of security fix files on Microsoft's partner and premier
support Web sites has forced the software giant to suspend certain
downloads for more than a fortnight. Microsoft issued an alert on Monday,
which states that various Hotfix files on its Premier Support and
Microsoft Gold Certified Partners Web sites are infected with the FunLove
virus. A copy of the notice said Microsoft has stopped access "in order to
protect customers" to an unspecified number of files, and expects to be
able to restore access later today. Customers were advised to contact
their technical account manager in the interim.
[http://www.theregister.co.uk/content/8/18516.html]
[Also noted by Jeremy Epstein. PGN]
------------------------------
Date: Mon, 30 Apr 2001 22:11:37 +0200
From: Quisquater <jjq@dice.ucl.ac.be>
Subject: Microsoft error message
Q276304 - Error Message: Your Password Must Be at Least 18770 Characters
and Cannot Repeat Any of Your Previous 30689 Passwords
New level of security at Microsoft. Jean-Jacques Quisquater,
[The password must be Macrohard? PGN]
------------------------------
Date: Tue, 24 Apr 2001 16:46:05 EDT
From: Elinsky@aol.com
Subject: Using calendar reminder service to remember anniversary of sad event
This is from the "Metropolitan Diary" section of *The New York Times*, 23
Apr 2001. The writer unknowingly set herself up for an eerie reminder mail,
by not entering the event as "Anniversary of Grandpa's death". Even if she
had, the mail probably would've still contained the (presumably
inappropriate) gift suggestions.
Harriet Inselbuch signed up for a calendar reminder service on the Internet
and duly entered important dates like birthdays and anniversaries. The
service notifies her by e-mail a few days before an important event. One
anniversary she listed was of a family death, a reminder to her to light a
candle. A few days before that particular date, she did receive a message
and it provided somewhat of a shock. It read, "Reminder: Grandpa's death is
just around the corner" followed by three or four gift suggestions for the
occasion.
------------------------------
Date: Mon, 23 Apr 2001 17:12:45 -0400
From: "Robert J. Woodhead (AnimEigo)" <trebor@animeigo.com>
Subject: Risks of Net-connected appliances
After watching a breathless CNN report about Internet-enabled espresso
machines, it occurs to me that one of the greatest risks of having
appliances connected to the Internet is that one's refrigerator might start
forwarding spam instead of simply storing it.
Robert Woodhead, Webslave & Mad Overlord http://selfpromotion.com/
------------------------------
Date: Fri, 27 Apr 2001 14:17:46 -0400
From: Steve Holzworth <sch@unx.sas.com>
Subject: Re: MSN "upgrade" creates long distance calling (RISKS-21.32)
WRAL-TV Online reports that the Microsoft Network (MSN) has agreed to pay
back dozens of people who received huge Internet phone bills by mistake.
http://www.wral-tv.com/features/5onyourside/2001/0426-msn-second-folo/
"Combined, complainants were billed more than $13,000 in unexpected charges.
For about a month when the Wake County customers accessed the Internet, they
were routed to a long distance Chapel Hill number -- a number they did not
know they had been switched to.
John Bason, a spokesman for the North Carolina Department of Justice, says
the situation definitely needs to be addressed." ... "Microsoft is telling
the Attorney General's office that the error was theirs and agreed to pay
back consumers. Any MSN customers who were erroneously billed must file a
complaint with the Attorney General's office at 919-xxx-xxxx."
Steve Holzworth, Senior Systems Developer, SAS Institute, Cary, N.C.
Open Systems R&D VMS/MAC/UNIX <sch@unx.sas.com>
------------------------------
Date: Wed, 25 Apr 2001 15:04:56 -0400
From: David Farber <dave@farber.net>
Subject: IP: The follow-on to James Bamford's *Puzzle Palace*
James Bamford
Body of Secrets: Anatomy of the Ultra-Secret National Security Agency:
From the Cold War Through the Dawn of a New Century
[Good review in *The New York Times* Sunday Book Review section,
29 April 2001. PGN]
------------------------------
Date: Thu, 3 May 2001 09:50:50 +0200
From: Meine van der Meulen <M.van.der.Meulen@simtech.nl>
Subject: Definitions for Hardware and Software Safety Engineers
I would like to bring the book 'Definitions for Hardware and Software Safety
Engineers' under your attention. It quotes definitions in the field of
hard-and software dependability engineering from over a hundred sources.
When more definitions exist it quotes these to enable comparison. Much
attention has been paid to cross-referencing.
M.J.P. van der Meulen, Definitions for Hardware and Software Safety
Engineers, ISBN 1-85233-175-5, Springer, London, hardcover, 342 pages.
URL: http://www.springer.de/cgi-bin/search_book.pl?isbn=1-85233-175-5
Meine van der Meulen, Max Euwelaan 60, 3062 MA Rotterdam Tel 010-4535959
SIMTECH Engineering: www.simtech.nl <m.van.der.meulen@simtech.nl>
------------------------------
Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Alternatively, via majordomo,
SEND DIRECT E-MAIL REQUESTS to <risks-request@csl.sri.com> with one-line,
SUBSCRIBE (or UNSUBSCRIBE)
which now requires confirmation to majordomo@CSL.sri.com (not to risks-owner)
[with option of E-mail address if not the same as FROM: on the same line,
which requires PGN's intervention -- to block spamming subscriptions, etc.] or
INFO [for unabridged version of RISKS information]
.MIL users should contact <risks-request@pica.army.mil> (Dennis Rears).
.UK users should contact <Lindsay.Marshall@newcastle.ac.uk>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
[volume-summary issues are in risks-*.00]
[back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
Lindsay Marshall has also added to the Newcastle catless site a
palmtop version of the most recent RISKS issue and a WAP version that
works for many but not all telephones: http://catless.ncl.ac.uk/w/r
http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
http://www.csl.sri.com/illustrative.html for browsing,
http://www.csl.sri.com/illustrative.pdf or .ps for printing
------------------------------
End of RISKS-FORUM Digest 21.37
************************
