Domain: sri.com
Stories and comments across the archive that link to sri.com.
Comments · 173
-
Risks Forum; Why You Should Use Encryption
The authors of the Carnivore meta-comments read like a veritable who's who among esteemed experts in computer security, reliability and public policy:
- Steven Bellovin, AT&T
- Matt Blaze, AT&T
- David Farber, U of Pennsylvania
- Peter Neumann, SRI International
- Eugene Spafford, Purdue University CERIAS
And Peter Neumann I know very well in an online way, as he is the moderator of the Forum on Risks to the Public in Computers and Related Systems which discusses all kinds of topics in software reliability and security, and provides an ongoing archive of known software bugs.
It is also available on the Usenet News as comp.risks and I consider it required reading for anyone wishing to take themselves seriously as a programmer.
This means you.
Neumann also wrote the book Computer Related Risks which draws on material from the forum but discusses it in more depth.
He is also a frequent consultant to the government and military on computer reliability, security and computer policy as you can see from Neumann's home page.
He writes great puns too, which are often found added to Risks submissions.
Now for my contribution - I'd like to suggest you read my page Why You Should Use Encryption.
This page discusses in a way that I hope is clear, approachable and compelling, why everyone - even your mom, even your kids, should use encryption.
Michael D. Crawford
GoingWare Inc
-
Re:These are top people in the field
So is Peter Neumann, who has run the ACM Risks Digest for oodles of years.
-
Voice from the past...
I can't say it any better than Peter Neumann did some years ago, in his Hyphen-hater's handbook.
- elocution, e-locution: Peculiar expression that results from use of spelling and grammar checkers
- email, e-mail: Electronic mail [Distinguishing itself from every other term on this list, the unhyphenated version has no natural meaning whatever, but spelling checkers might suggest Emile or Ismail.]
- emend, e-mend: To make a hex or binary patch
- emerge, e-merge: To combine different input streams
There is a lot more, and it's all funny. If you don't know who Peter Neumann is, go to his page, and learn about the guy who has been talking about security risks since before you were born, and has been doing it well.
-
Read the Risks Forum (on web or news:comp.risks)
I'd like to take this opportunity to recommend you read The Forum on Risks to the Public in Computers and Related Systems, also available as comp.risks.
What's discussed there is quite relevant here; poor engineering or attempting to overextend what may have originally been a good design appropriate to simpler tasks will result in terrible software problems - security holes, safety hazards and the like.
Also recommended is the book Computer Related Risks by Risks Forum moderator Peter Neumann (ISBN 020155805X). It draws on material from the forum but discusses it in greater detail.
-
Interesting Changes...
- I quite like the introduction of augmented assignments; as observed, this allows the outright elimination of some evaluations of values.
This isn't a big deal for a += 1, but certainly is for a more complex assignment like a[index].attribute += 1
Definitely a good thing...
- The new "list comprehensions" look a whopping lot like the Common Lisp LOOP Macro; that is by no means a bad thing...
- Extended print sounds controversial; it will be unpopular with anyone prejudiced against C++...
-
Problems in protocols, analysis
A little-known fact among the general computing public is that problems in secure communications lie more often in the communication protocol than in the encryption primitives.
There are some classical attacks:
- Man-in-the-middle Idea: I can prove to both Karpov and Kasparov that I'm a great chess player. I challenge them both in a play through mail. I use the moves of each one against the other. Both think I play like a grandmaster.
- Use of old keys Idea: recover some secret data of a previous session (for instance from old temporary files on a common machine - after all, many operating systems do not really erase erased data). Use it in a current session.
It is possible to prevent those attacks by clever design of the protocol. For instance, the use of old keys can be prevented by some "nonce" numbers (generated once) or some clock data.
It is very difficult to analyse protocols and prove them correct.
First, one needs a formal model of the protocol, its environment and what it means for it to be correct. This is nontrivial, since some models may just ignore some kinds of attacks.
Then the protocol must be proved correct with respect to the formal specification. Alas:
- manual theorem proving is error-prone
- formal theorem proving is tedious
- automatic analysis tools are not so powerful
I have done some research on these topics. For more information, see for instance Jon Millen's page.
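An added example, not part of the comment above or of any work it refers to, showing the nonce-and-timestamp defence the comment mentions against reuse of old session data: a receiver accepts an HMAC-authenticated message only if the tag verifies, the timestamp lies within a window, and the nonce has not been seen before, so a message captured from an earlier session is refused. The message layout, the shared key, the window length and the sample traffic are assumptions constructed for the example.

```python
"""Freshness checks for an authenticated message protocol (added example)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WINDOW_SECONDS = 30  # assumed tolerance between sender and receiver clocks


@dataclass
class Message:
    sender: str
    nonce: bytes       # 16 random bytes chosen fresh by the sender per message
    timestamp: int     # seconds since the epoch, sender's clock
    payload: bytes
    tag: bytes = b""   # HMAC-SHA256 over the four fields above


def _mac_input(msg: Message) -> bytes:
    # Length-prefix each field so that field boundaries are unambiguous.
    parts = [msg.sender.encode(), msg.nonce, str(msg.timestamp).encode(), msg.payload]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def seal(key: bytes, sender: str, payload: bytes, now: Optional[int] = None) -> Message:
    """Build an authenticated message carrying a fresh nonce and the current time."""
    ts = int(time.time()) if now is None else now
    msg = Message(sender, os.urandom(16), ts, payload)
    msg.tag = hmac.new(key, _mac_input(msg), hashlib.sha256).digest()
    return msg


@dataclass
class Receiver:
    key: bytes
    seen: Dict[bytes, int] = field(default_factory=dict)  # nonce -> its timestamp

    def _forget_expired(self, now: int) -> None:
        # A nonce older than the window can be dropped: any replay of that
        # message is already rejected by the timestamp check.
        for n in [n for n, ts in self.seen.items() if now - ts > WINDOW_SECONDS]:
            del self.seen[n]

    def accept(self, msg: Message, now: Optional[int] = None) -> Tuple[bool, str]:
        """Return (accepted, reason). The MAC is checked first so that
        unauthenticated traffic cannot fill the nonce cache."""
        now = int(time.time()) if now is None else now
        expected = hmac.new(self.key, _mac_input(msg), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg.tag):
            return False, "bad MAC"
        if abs(now - msg.timestamp) > WINDOW_SECONDS:
            return False, "stale timestamp"
        self._forget_expired(now)
        if msg.nonce in self.seen:
            return False, "replayed nonce"
        self.seen[msg.nonce] = msg.timestamp
        return True, "ok"


def demo() -> List[str]:
    """Constructed traffic: a fresh message, a replay of it, a copy from an old
    session, and a copy whose payload was edited after sealing."""
    key = b"constructed-shared-key-for-this-example"
    rx = Receiver(key)
    t0 = 1_700_000_000
    fresh = seal(key, "alice", b"transfer 10", now=t0)
    results = [rx.accept(fresh, now=t0 + 1)[1]]
    results.append(rx.accept(fresh, now=t0 + 2)[1])
    old = seal(key, "alice", b"transfer 10", now=t0 - 3600)
    results.append(rx.accept(old, now=t0)[1])
    forged = seal(key, "alice", b"transfer 10", now=t0)
    forged.payload = b"transfer 9999"
    results.append(rx.accept(forged, now=t0)[1])
    return results


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The order of the checks is the design point: the MAC is verified before anything is remembered, so only a holder of the key can add entries to the nonce cache, and the timestamp window bounds how long that cache must be kept.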
-
USS Yorktown Towed Into Port After NT Divide by 0
Perhaps a small tidbit in favor of switching over to Linux for your project would be that the Navy is using Windows NT as the shipboard OS for its warships, and it therefore must be certified as you mention.
But after a sailor entered a zero into a data entry field aboard the Yorktown, the whole ship's NT network went down and our nation's proud vessel had to be towed into port, as seen here.
Of course there's no guarantee that this wouldn't happen with Linux too, but what would make a lot of sense is to use its open-source nature to create a military distribution, which has been audited for both security holes and reliability defects.
I'm sure many of the distribution vendors would be happy to do that for a price, but I suggest the military do it for yourselves - but remember the GPL!
For more such informative anecdotes of computer reliability, please read The Forum on Risks to the Public in Computers and Related Systems.
Also, the moderator of Risks, Peter G. Neumann, is a computer reliability expert who is held in high esteem by the defense establishment - see for example Practical Architectures for Survivable Systems and Networks which he did for the Army Research Lab.
He presented a keynote talk for the April 2000 NATO Symposium "The Potentials of Open-Box Source Code in Developing Robust Systems". At the NATO Symposium he handed out a preprint entitled "Robust Nonproprietary Software" which is available in PDF format.
I suggest you drop Dr. Neumann a line.
-
There Ain't No Fair Benchmark
The problem which these guys have all huddled around without actually saying is that there's No Fair Benchmark.
If you visit TPC.org , you will find that they don't have one benchmark, but rather about four, with substantially different purposes:
- TPC-C is intended to determine throughput of a transaction processing system in creating transactions;
- TPC-H measures performance on what is intended to be an "ad-hoc DSS environment."
- TPC-R measures performance on "business reporting," intended to be more like "typical DSS reports."
- TPC-W measures performance on a "web transaction" workload.
The notion that there can be a comparable benchmark between the databases is something of which people should disabuse themselves.
If you need to have high performance transactional behaviour, I would point out that ODBC is NOT the issue; regardless of whether the SQL-CLI drivers suck, the important point is that neither database fully supports the industry standard SQL/XA or X/Open DTP and XA standards.
Serious transaction systems commonly use transaction monitors like BEA Tuxedo or Encina, interfacing via XA to a relational database (like Oracle, Sybase, DB/2, Sleepycat DB, TimesTen, ...). From that perspective, MySQL and PostgreSQL are both still "toys," although SDTP - A Multilevel-Secure Distributed Transaction Processing System outlines how an XA interface to PostgreSQL was constructed in Common Lisp for use in a set of applications running on FreeBSD.
If you build a benchmark based on an application exercising the strengths of MySQL, it will probably perform badly when used with PostgreSQL, and vice-versa.
Take these systems seriously when they start supporting things like XA, and when BEA makes Tuxedo available for use with them.
-
"Hands Off X"
-
Why You Should Read the Risks Forum
The Forum on Risks to the Public in Computers and Related Systems discusses problems such as this regularly. It is available as comp.risks on the Usenet News and at http://catless.ncl.ac.uk/Risks/ on the Web.
The Risks forum should be read by:
- Anyone who uses or depends on computers in their daily lives
- Anyone who programs computers
- Anyone who makes policy decisions involving computers or software
- Anyone who ever depends on the correct functioning of computers for their lives or safety (flown on a modern airplane lately?)
- Anyone who operates computers that affect safety (piloted one?)
You might think such spy stuff as this article is about is out of your realm, but consider this example which likely could have affected most of us:
The scary MSWord residue feature
I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of Word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written. We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye opening experience.
It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature.
This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send Word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind the scenes conversation in an important Word document, that I was never intended to see.
Peter G. Neumann, moderator of the Risks forum, wrote a book called Computer Related Risks that draws on material from the forum and discusses it in more depth. It has ISBN 020155805X and you can purchase it from:
If you teach a course on programming, I suggest adding this to the recommended reading, and if you teach a course on fault tolerant or embedded computing, I urge you to include it in the required reading.
-
Why You Need to Read the Risks Forum
I keep posting this around Slashdot.
If you're a computer user, you need to read The Forum on Risks to the Public in Computers and Related Systems, available on the web at http://catless.ncl.ac.uk/Risks/ or on the Usenet news as comp.risks.
The Risks forum is part of the ACM Committee on Computers and Public Policy.
You should make a special effort to read Risks if you:
- Program computers
- Make policy decisions involving computers (managers, government etc.)
- Depend on computers for your life or safety (do you fly on airplanes?)
- Operate computers in situations where they affect life or safety
USS Yorktown dead in water after divide by zero
The Navy got rid of its more robust warship operating systems and replaced them with Windows NT. As a result of this, when a sailor typed a "0" in a data entry field, the whole shipboard network went down and the proud Yorktown had to be towed back into port.
Security concerns, viruses and the like are discussed extensively in Risks.
Do you use Microsoft Word on Mac or Windows? Do you use it to type confidential documents? Consider this post from a fellow who received a contract from an attorney in Word format:
The scary MSWord residue feature
I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of Word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written.
We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye opening experience. It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature.
This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send Word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind the scenes conversation in an important Word document, that I was never intended to see.
Do you have any loved ones in the hospital with a life-threatening medical condition?
New HDTV signal shuts down Baylor heart monitors
On 26 Feb 1998, WFAA TV (Channel 8) in Dallas turned on their new digital HDTV signal. As a result, 12 heart monitors stopped working in a Baylor University Medical Center heart surgery recovery unit; they happened to be on the same frequency. The monitors were made in the mid-1980s, and were slated for replacement. [But the patients weren't?] In the interim, WFAA has stopped transmitting -- because there are no commercial receivers yet anyway. [Source: *Dallas Morning News*, 5 Mar 1998. PGN Abstracting]
Peter G. Neumann, moderator of the Risks forum, wrote a book called Computer Related Risks which draws on the material in the forum and discusses it in more depth.
It has ISBN 020155805X and you can purchase it online from:
- http://www.fatbrain.com
- http://www.barnesandnoble.com
- http://www.amazon.com
- http://www.chapters.ca - in Canada
Mike
Tilting at Windmills for a Better Tomorrow
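The two posts above that quote "The scary MSWord residue feature" describe revision marks and reviewer comments that stay inside a Word file after the display of changes is switched off. As an added example, not code from either post (which concern the binary Word format of the time), here is a check for the current OOXML .docx format, where revisions are stored as w:ins and w:del elements in word/document.xml and comments in word/comments.xml, so a file can be inspected for such residue before it is sent; the sample documents, their text and author names are constructed in-line for the example.

```python
"""Report tracked changes and comments left in a .docx file (added example)."""
import io
import zipfile
from typing import Dict, List
from xml.etree import ElementTree as ET

# WordprocessingML namespace used by document.xml and comments.xml in OOXML.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def _text(elem: ET.Element, tag: str) -> str:
    return "".join(t.text or "" for t in elem.iter(f"{{{W}}}{tag}"))


def scan_docx(data: bytes) -> Dict[str, List[str]]:
    """Return residue found in a .docx: deleted text, inserted text, comments.
    Revision marks are present in the XML whether or not Word displays them."""
    found: Dict[str, List[str]] = {"deleted": [], "inserted": [], "comments": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        # Deleted runs keep their text in w:delText rather than w:t.
        for d in doc.iter(f"{{{W}}}del"):
            found["deleted"].append(_text(d, "delText"))
        for i in doc.iter(f"{{{W}}}ins"):
            found["inserted"].append(_text(i, "t"))
        if "word/comments.xml" in z.namelist():
            com = ET.fromstring(z.read("word/comments.xml"))
            for c in com.iter(f"{{{W}}}comment"):
                found["comments"].append(_text(c, "t"))
    return found


def safe_to_send(data: bytes) -> bool:
    """True only if no tracked change or comment remains in the file."""
    return not any(scan_docx(data).values())


def build_docx(body_xml: str, comments_xml: str = "") -> bytes:
    """Constructed minimal .docx containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not parsed
        z.writestr(
            "word/document.xml",
            f'<w:document xmlns:w="{W}"><w:body>{body_xml}</w:body></w:document>',
        )
        if comments_xml:
            z.writestr(
                "word/comments.xml",
                f'<w:comments xmlns:w="{W}">{comments_xml}</w:comments>',
            )
    return buf.getvalue()


def contract_with_residue() -> bytes:
    """Constructed sample: change bars hidden, but the old figure and a
    lawyer-to-client note are still in the file."""
    body = (
        "<w:p><w:r><w:t>The fee is </w:t></w:r>"
        '<w:del w:id="1" w:author="counsel"><w:r><w:delText>$50,000</w:delText></w:r></w:del>'
        '<w:ins w:id="2" w:author="counsel"><w:r><w:t>$75,000</w:t></w:r></w:ins>'
        "<w:r><w:t>.</w:t></w:r></w:p>"
    )
    comments = (
        '<w:comment w:id="0" w:author="counsel"><w:p><w:r>'
        "<w:t>Client will go to 40k if pushed</w:t></w:r></w:p></w:comment>"
    )
    return build_docx(body, comments)


def clean_contract() -> bytes:
    """Constructed sample after all changes were accepted and comments removed."""
    return build_docx("<w:p><w:r><w:t>The fee is $75,000.</w:t></w:r></w:p>")


if __name__ == "__main__":
    print(scan_docx(contract_with_residue()))
    print("safe:", safe_to_send(contract_with_residue()), safe_to_send(clean_contract()))
```

Run against a real file, `scan_docx(open("draft.docx", "rb").read())` lists exactly what a recipient could recover by turning the highlighting back on; the clean copy is the one Word produces after "Accept all changes" and deleting the comments.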
-
Book "Computer Related Risks" by Peter Neumann
Peter G. Neumann, the moderator of the Risks Forum, wrote a book called Computer Related Risks which draws on the material from the forum and discusses it in more depth.
It has ISBN 020155805X and you can purchase it online from:
- http://www.fatbrain.com
- http://www.barnesandnoble.com
- http://www.amazon.com
- http://www.chapters.ca (Canadian bookseller)
Mike
Tilting at Windmills for a Better Tomorrow
-
A related book review
I just thought I would point out the review here a few weeks back of Database Nation: The Death of Privacy at the End of the 21st Century by Simson Garfinkel. He gives some attention to the possible consequences of the increasing coalescing of information about us. I'm about two thirds of the way through it and there are no general ideas that aren't familiar ground for long time readers of the Risks Forum and the Privacy Forum, although there are some frightening examples that were new to me. However, if you need a book to explain to Mom why you are concerned about privacy issues, this is a good one.
-
Better living through better protocols...
Look at the two things DDoS attacks target: Bandwidth and the remote host(s). Network bandwidth is becoming a non-issue (in the 5-10 year range), so ignore that for now.
For the remote hosts, we need protocols that do not allocate resources unless they are absolutely necessary. Look at upcoming protocols like SCTP. The protocol mandates that the initial connection sequence be stateless on the server side. So at levels below the application, DDoS attacks become much, much harder. This is essentially the SYN cookie hack, but made official.
So what about the application level? Well, applications need to be written to allocate state only when absolutely necessary. This doesn't necessarily imply pushing all state to the client side, however. Mainframe folks have been doing some of this for a long time. It'd be interesting to see just how much carries over to a networked system.
And NI / bus bandwidth on the receiving host? This one's a cool problem. How much processing can be done in the NI to reduce host bus traffic? And how can one reserve resources in the NI to statistically guarantee that proper sessions work during a bombardment with bogus sessions? (Extra credit: How does one move some of the app-level down to the NI to help? Or out to the routers?)
These are the interesting areas for server-side DoS defenses, not DNS and router games. Then things like CIDF and/or the idwg work for detecting and squelching DDoS attacks... Imagine if every Gnutella, SETI@home, and distributed.net client and server also helped with DDoS detection... Much more interesting and practical than DNS and router tricks.
And then there's the boost in performance SETI and distributed.net would get from the new IMPS protocol...
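As an added example, not the comment's own code and not part of SCTP or of any SYN-cookie implementation, here is the stateless-handshake idea the comment describes in miniature: the server answers the first handshake message with an HMAC-bound cookie and keeps no record of the peer, and allocates a connection record only when the peer echoes a cookie that verifies and has not expired, so a flood of never-completed handshakes costs the server nothing but a MAC computation each. The message names, the secret, the slot length and the sample addresses are assumptions constructed for the example.

```python
"""Stateless handshake cookie in the style of SYN cookies / SCTP (added example)."""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

SLOT_SECONDS = 60           # assumed granularity of the cookie clock
COOKIE_LIFETIME_SLOTS = 2   # cookies from the current and previous slot are accepted


class StatelessServer:
    def __init__(self, secret: bytes):
        self.secret = secret
        # Connection records exist only for peers that returned a valid cookie.
        self.established: Dict[Tuple[str, int], dict] = {}

    @staticmethod
    def _slot(now: int) -> int:
        return now // SLOT_SECONDS

    def _cookie(self, addr: str, port: int, client_tag: int, slot: int) -> bytes:
        # The cookie binds the peer address, port, its initiate tag and the
        # time slot; the server can recompute it later from the echo alone.
        data = addr.encode() + struct.pack(">HII", port, client_tag, slot)
        return hmac.new(self.secret, data, hashlib.sha256).digest()[:16]

    def on_init(self, addr: str, port: int, client_tag: int, now: int) -> bytes:
        """INIT -> INIT-ACK: the reply carries the cookie; nothing is stored."""
        slot = self._slot(now)
        return struct.pack(">I", slot) + self._cookie(addr, port, client_tag, slot)

    def on_cookie_echo(self, addr: str, port: int, client_tag: int,
                       cookie: bytes, now: int) -> bool:
        """COOKIE-ECHO -> COOKIE-ACK: allocate state only if the cookie verifies."""
        if len(cookie) != 20:
            return False
        slot = struct.unpack(">I", cookie[:4])[0]
        if not 0 <= self._slot(now) - slot < COOKIE_LIFETIME_SLOTS:
            return False  # expired, or claims a slot in the future
        expected = self._cookie(addr, port, client_tag, slot)
        if not hmac.compare_digest(expected, cookie[4:]):
            return False  # forged, or echoed from a different address/port
        self.established[(addr, port)] = {"tag": client_tag}
        return True


def flood_then_legit() -> Tuple[int, bool, bool]:
    """Constructed scenario: 10,000 INITs from spoofed sources that never echo,
    then one real peer. Returns (records held after the flood,
    legitimate echo accepted, echo replayed from another address accepted)."""
    srv = StatelessServer(b"constructed-server-secret")
    t = 1_700_000_000
    for i in range(10_000):
        srv.on_init(f"10.0.{i // 256}.{i % 256}", 40000 + (i % 1000), i, t)
    after_flood = len(srv.established)
    cookie = srv.on_init("192.0.2.10", 5555, 4242, t)
    legit = srv.on_cookie_echo("192.0.2.10", 5555, 4242, cookie, t + 5)
    replayed = srv.on_cookie_echo("192.0.2.11", 5555, 4242, cookie, t + 5)
    return after_flood, legit, replayed


if __name__ == "__main__":
    print(flood_then_legit())
```

Rotating the secret per slot and accepting the previous slot's cookies, as real implementations do, is the natural extension; the toy above keeps a single secret and uses the slot number only for expiry.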
-
Open Source License with notification requirements
Check out the tsmApi Public License. It is essentially the Mozilla PL with a few more guarantees as far as extension of patent rights by developer, notification of the original developer, and API compatibility.
We have not as yet sought OSI certification, but it definitely conforms to the Open Source Definition.
-
Easier said than done.
And they're tremendously impacting users that would ordinarily go to Linux by not offering _any_ of their products for Linux.
You make it sound as if making a Windows product available for Linux is a matter of taking a tarball of the source over to a Linux box and running make. Well, it isn't. The technical reason there's no Office for Linux suite is that it simply can't be done without either stabilizing the Win32 API long enough to develop a good compatibility library or ending up with two completely separate code bases for the same product. Neither is desirable for Microsoft because the former would stifle their God-given right to (Ahem!) innovate and the latter would simply be a big mess.
Microsoft likes to brag about the low average age of its software staff (the figure I heard was around 25). That explains why their products are of low technical quality: they're being built by people without the experience to know better. Before you reach for the flamethrower, I'm not saying that younger people aren't any good at doing software, because there are plenty that are. I'm saying that a horde of inexperienced people developing software without the leadership of people who've been there, done that and got the tee shirt is a bad thing. Rick Downes did an interesting analysis of Microsoft's RegClean app in the RISKS-FORUM digests Volume 35 and Volume 37. The long and the short of it is that he found tons of unnecessary left-overs in the program that go a long way to prove that someone smart at Microsoft built an app template and people are boilerplating apps from it without taking the time to understand what they were doing.
Lest anyone think this scores more points for the open source movement, it happens on this side of the fence, too. The difference is that others have the opportunity to find these problems and correct them.
-
The author is well connected
I met her briefly at RSA2000 (...and got a signed copy, heh.) (should I ebay it?).
Anyway, when I met her, Peter Neumann (yes, /that/ Peter Neumann) borrowed my copy to flip through and see the references to him and to check the TOC for topics covered. He seemed pleased... I haven't had time to read the book yet, though I've flipped through and seen various references to SATAN and similar...
-
Re:People, start looking at the big picture...
I think I'd rather help bring it around than just sit and hope.
The first, biggest thing to do is to further your education. Physics and chemistry are good places to start. Rambling conjectures on nanotech tend to assume that nothing is impossible, but nanotech will be bound by physical law like every other technology.
An excellent area for contribution is design software. Currently there are a number of excellent free molecular modeling packages: MMTK, NAMD, Moldy, NWchem. There are also several excellent display programs: RasMol, VMD, Midas, and my own feeble effort, xyz2rgb. What is still lacking is:
- Software to generate structures painlessly. Two efforts in this area are CavityStuffer by Markus Krummenacker, DiamondCAD by Chris Phoenix and John Michelsen, and some tinkering of mine.
- Some kind of wrapper that makes all this stuff easy to use. There is a commercial package called HyperChem, and the DiamondCAD folks are working on an open-source version called OpenChem.
-
Web site of these? How's ftp?
You will find some of these cautionary tales (along with a lot of other good stuff) in the RISKS digests. If you do FTP, try:
ftp://ftp.sri.com/risks
-
I do it already...
That makes the task of sending threatening letters, religious pamphlets, and nazi hate propaganda to my neighbors that much easier. With the task automated like this I'll have much more time to devote towards gathering members for my death cult. Laugh...
Seriously though... I thought there was already an accepted standard for printing via tcp/ip. Just about every device and operating system has direct support for LPR printing. Even the Neoware network computers can emulate an LPR printer for the LPT port they have on the back of them. Isn't that the whole point of RFC1179?