Subject: RISKS DIGEST 18.76

RISKS-LIST: Risks-Forum Digest Thursday 16 January 1997 Volume 18 : Issue 76

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
  Taco Bell-issimo (Peter G. Neumann)
  Telstar 401 catastrophic failure (Lauren Weinstein)
  More on fired contractor arrested in computer sabotage (Cathy Horiuchi)
  Five-Million-Dollar Bug (David Kennedy)
  Redundant virtual circuits lead to single point of failure (Sidney Markowitz)
  Missing-characters file: Not the only ones with that problem (Mark Brader)
  Electronic airline ticketing (Robin Burke)
  More Y2K humor: Split the difference (Mark Brader)
  Re: April 1 considered harmful (Chuq Von Rospach)
  Problem with Insight's WWW mail (Christopher G. Holmes)
  Risks of miskeying e-mail addresses (Gerard A. Joseph)
  Congress and FBI aided Gingrich's cell-call snoops (Jim Warren)
  FBI Offers New Proposal for Digital Wiretaps (Edupage)
  Re: New US regs ban downloadable data-security software (David Holland)
  FreeWare WORD macro antivirus release: PC/MAC (Padgett Peterson)
  DIAC '97, Seattle 1-2 March 1997 (Susan Evoy)
  Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 15 Jan 1997 17:07:30 PST
From: "Peter G. Neumann"
Subject: Taco Bell-issimo

Willis Robinson, 22, of Libertytown, Maryland, was sentenced to 10 years in prison (6 of which were suspended) for having reprogrammed his Taco Bell drive-up-window cash register -- causing it to ring up each $2.99 item internally as a 1-cent item, so that he could pocket $2.98 each time. He amassed $3600 before he was caught. [AP item in the *San Francisco Chronicle*, 11 Jan 1997, A11, pointed out to me by Glenn Story.] This is another version of the old salami attack.
------------------------------

Date: Mon, 13 Jan 1997 16:46 PST
From: lauren@vortex.com (Lauren Weinstein)
Subject: Telstar 401 catastrophic failure

On Saturday morning, 11 Jan 1997, AT&T's Telstar 401 satellite, with a full complement of both C and Ku band transponders, went dead. Technicians have been unable to reestablish any contact.

The satellite normally carries both broadcast network and syndicated television programming. The networks, as "platinum" customers, were quickly switched to an alternative bird. Almost everyone else has been scrambling to find transponder space for their programming.

The risk? Don't assume the satellite will always be there!

--Lauren--
Moderator, PRIVACY Forum
www.vortex.com

------------------------------

Date: Thu, 16 Jan 1997 11:05:00 PST
From: Cathy Horiuchi
Subject: More on fired contractor arrested in computer sabotage (RISKS-18.75)

This was reported locally in the *Sacramento Bee*, 8 Jan 1997, and is being discussed extensively if informally hereabouts. Unfortunately, the twenty-column-inch long article is not stored at www.sacbee.com's archive page online.

The accused saboteur was a subcontractor of a subcontractor of a contractor of a state agency. He spent at least six hours online before being detected, and then crashed the system, which had to be restored from backup. The newspaper article states damages as limited to $10,000, but that number may be invalid. Here in Sacramento the cost of a first-rate security incident audit by an outside firm runs $20 to $30K, plus the cost of system changes based on security weaknesses.

The nature of professional services procurement in government lends itself to multiple levels of subcontracting. Most computer technical experts do not work independently, since that would require large insurance bonds and skills writing responses to governmental requests for proposal.
Often contracting and outsourcing firms bid for contracts, and only hire contractors once the bid is rewarded, so there is constant staffing churn.

The RISK here is starkly stated in the article, in the last few paragraphs, where the opinions of the management team are given:

  "Department officials claim they did not know Salas was fired because he was a subcontractor and they had no direct dealings with him. John Thomas Flynn, who heads the department, said his staff did everything 'by the book'.... Flynn said, 'We didn't drop our guard.' Since the intrusion, computer security has been improved. But even without the extra precautions, it is unlikely that such an intrusion will ever occur again, department officials said."

Isn't it the job of management to know and manage the chain of control? Even if a department employee were tasked with managing all the contractors, there is a big difference between knowing a contractor is working between 8 & 5 and knowing exactly what that person is doing and creating. Traditional management practice does not require or expect technical knowledge. That means security, reliability, auditability are dependent on the integrity of the technical workforce, not on the management and quality control processes.

The idea that it cannot happen again is naive; the statement itself is an attractive nuisance. No system is static in this day and age. The next DNS server or Internet firewall that is installed will create a situation wherein this may happen again, since it appears, from what has been stated in public, management has learned little from the event.

Cathy Horiuchi, Principal IT Analyst, Sacramento Municipal Utility District
choriuc@smud.org

------------------------------

Date: 10 Jan 1997 18:30:22 EST
From: David Kennedy <76702.3557@CompuServe.COM>
Subject: Five-Million-Dollar Bug

[DMK: Many of us can remember the $6 Million Man, well....]
Electronic Roach Implants Probed, By ERIC TALMADGE
Courtesy of Associated Press via America Online's News Profiles:

A big brown cockroach crawls across the table in the laboratory of Japan's most prestigious university. The researcher eyes it nervously, but he doesn't go for the bug spray. He grabs the remote. This is no ordinary under-the-refrigerator-type bug. This roach has been surgically implanted with a micro-robotic backpack that allows researchers to control its movements. This is Robo-roach. ...

[With a $5 million dollar grant from the Japanese Government -- no Proxmires in the Diet obviously] Professor Isao Shimoyama, head of the bio-robot research team at Tokyo University says, electronically controlled insects carrying mini-cameras or other sensory devices could be used for a variety of sensitive missions -- like crawling through earthquake rubble to search for victims, or slipping under doors on espionage surveillance. ...

The controls, however, still have a few serious bugs of their own. Swiss researcher Raphael Holzer, part of the Tokyo University team Holzer jolts a roach with an electric pulse to make it move slightly to the right and keep to an inch-wide path. Instead, the roach races off the edge of a table into Holzer's outstretched hands. ``The placement of the electrodes is still very inexact,'' he admits, setting the bug back on track. ...

Holzer is optimistic. ``The technology isn't so difficult,'' he said. ``The difficulty is to really understand what is happening in the nervous system.''

------------------------------

Date: Tue, 14 Jan 1997 10:48:45 -0800
From: Sidney Markowitz
Subject: Redundant virtual circuits lead to single point of failure

This note from Finland was passed on to me by a friend. It points out the Risks of working with virtual systems while carrying assumptions and habits from the real (physical) world.

... we had here data line breakdown last week and no Internet connections worked.
It happened so that there was heavy icing on the line between Oulu and Kajaani which caused the break.. we had reserve line but that was also broken.. that line was leased from Finnet and it happened that as logically separate it was physically that same line which Finnet had leased from the primary operator! The agreement with Finnet was ended immediately.

Sidney Markowitz , Virtual Rocket Scientist
Apple Research Labs, Apple Computer

*fh ARPAnet loses New England despite 7-trunk ``redundancy''; one accidental cable cut in White Plains knocks out all 7 links, 12Dec86 (S 12 1)

[Long-time RISKS readers will recall the event on 12 Dec 1986 (RISKS-4.30) when New England was completely cut off from the ARPAnet because a single cable that was accidentally severed in White Plains, New York, happened to contain all seven trunk lines that had been established to provide physical redundancy! Several other similar cases are also in the RISKS archives, including the backhoe in Annandale VA that on 14 Jun 1991 took out two *separate* cables (RISKS-11.92). Physical, schmysical; but, is it perfectly logical? PGN]

------------------------------

Date: Wed, 15 Jan 1997 04:39:08 EST
From: msb@sq.com (Mark Brader)
Subject: Missing-characters file: Not the only ones with that problem

A *Houston Chronicle* article by Dwight Silverman was forwarded to comp.dcom.telecom by Tad Cook a few weeks ago. It was about various changes that Southwestern Bell, the phone company there, is planning to make in their directories. One of the changes is that they plan to list e-mail and WWW addresses for businesses that want to supply them.

However, this will not be possible for residential listings at first -- I swear, this is just how the posting appeared -- because

# "Right now we have a certain system constraint in our residential
# listings database that prevents us from printing certain characters on
# a page," Hillyer said. "The biggest problem is that we can't print the
# sign."
#
# The sign is a crucial part of all e-mail addresses, separating the
# user's name from the computer system -- or domain -- he uses.

--
Mark Brader, msb@sq.com   "But I do't have a '' key o my termial."
SoftQuad Inc., Toronto                          -- Ly[nn] Gold

[Southwestern Bell evidently needs a noncommercial source for obtaining its commercial-at (@) characters.

------------------------------

Date: Mon, 13 Jan 1997 11:09:26 -0600 (CST)
From: Robin Burke
Subject: Electronic airline ticketing

I have had recent and vivid evidence of the risks of much-hyped "electronic ticketing" systems for air travel. My wife called to confirm her reservation on a return flight, only to discover that, according to the airline she had already flown a week earlier. "You've used that ticket," she was told. Since electronic ticketing procedures require that the agent match the user's ID with the ticket information, she was treated like someone trying to scam the airline by flying twice.

Fortunately, the date of usage was different than the date for which the ticket was issued, although the flight number was the same, and she had various records, such as her credit card receipts, through which to assert her identity, but only after many hours on the phone. The supervisor who finally resolved her case seems to be handling a lot of electronic ticketing problems.

The agent is supposed to look at the passenger's ID, and pull up the ticket record corresponding to that traveler. However, there is also a receipt for the electronic ticket: "not valid for travel" that has the name and ticket number on it. Apparently, in this case, the gate agent used the ticket number from the receipt, but typed it in wrong, then failed to notice that the ticket record retrieved was for a different passenger than the one named on the receipt.
No record is made of the validating transaction (the agent matching the ID against the ticket record), except for the agent marking the record as used, so the airline has no way of knowing who actually traveled on our ticket, and we had no way, within the system, of documenting the fact that the ticket had been used by someone else.

I, for one, will stick with a physical ticket.

Robin
University of Chicago, Computer Science Department
http://www.cs.uchicago.edu/~burke/

------------------------------

Date: Tue, 14 Jan 1997 17:54:22 GMT
From: msb@sq.com (Mark Brader)
Subject: More Y2K humor: Split the difference

In comp.software.year-2000, Darren Berar suggests a compromise for those struggling with converting from 2-digit to 4-digit years.

| I suggest the 3 digit year. It puts the whole issue off for another
| 1000 years and is only 50% of the work to implement a 4 digit year. :-)

Mark Brader             "Should array indices start at 0 or 1? My ecumenical
msb@sq.com              compromise of 0.5 was rejected without, I thought,
SoftQuad Inc., Toronto  proper consideration." -- Stan Kelly-Bootle

[Mark noted that there were two follow-ups (follows-up?) in that newsgroup from people who took this message seriously! Incidentally, the 1996/2001 edition of the annual Denning Newsletter from Peter and Dorothy Denning -- which this time looks back from the future in 2001 -- indicates that the Y2K problem will have been successfully postponed for another 48 years by observing that K is properly equal to 1024, so that COBOL programmers could simply change the representation of the year field from base 10 to base 2. Verrry cute. Happy New Year 2000 to the Dennings for that one. PGN]

------------------------------

Date: Sun, 12 Jan 1997 13:03:14 -0800
From: Chuq Von Rospach
Subject: Re: April 1 considered harmful (Evans, RISKS-18.74)

>We need to address the risks involved in even _having_ a 1 April in the
>calendar.
>What if a powerful newbie takes a 1 April prank seriously, and
>dives in to "fix" something? What are the risks there?

Shrug. Christmas offends non-Christians. Should we do away with it? Halloween has satanic roots (according to some; it's actually pagan. Not everyone sees the difference).

No offense intended to William Evans, but this seems to me to be well-intentioned but creeping PC-ism. Someone might interpret an April fools joke wrongly. Therefore, do away with April fools. Someone might drink, drive and kill someone in a car. Obviously, do away with drinking and driving. Personally, I'd go for the cars first. They kill a lot more people than April Fools jokes do.

I think we need to keep perspective. Just because there *is* a risk doesn't necessarily mean we have to obliterate anything that causes a risk. Life is not about removing risks. Life is about understanding and managing risks, and resolving SERIOUS risks. Just because something might be a problem doesn't mean it is, or is worth fixing....

Now, having said that, folks who pull stunts like this (not that I'd know anyone who has, not me. nope) have a responsibility to do so in a non-destructive manner. It's sort of like drinking and driving -- it's not the drinking that's the problem, it's the idiot who doesn't know enough not to drive drunk. A good April Fools joke merely causes embarrassment when someone falls for it. That's half the fun of designing those things. If they cause damage by design or accident, then the writer of the joke ought to be responsible for the impact of it. Doesn't matter if you meant to throw a firecracker at someone or not, if you blow off a finger, "I didn't mean to" isn't a valid defense...

I think this piece brings up an interesting meta-question: the risk of RISKS: by focusing on risks in this forum, do we run the risk of losing perspective on risk?
Because if we are just as seriously talking about doing away with April 1 over the risks of a misplayed joke as we are bugs in air traffic control systems and the risks to human life, then we sure have lost our sense of perspective. All risk is not created equal, and sometimes we seem to forget that...

Chuq Von Rospach (chuq@solutions.apple.com)
Software Gnome
Apple Server Marketing Webmaster

[NOTE: This message is from the unidentified creator of one of the best April-Fools spoofs ever: the SPAFFORD SPOOF, RISKS-6.52, 1 Apr 1988, and a follow-up from Spaf in RISKS-6.54. PGN] [typo corrected in archive]

------------------------------

Date: Thu, 16 Jan 97 15:23:00 EST
From: holmes@papillonres.com (Christopher G. Holmes)
Subject: Problem with Insight's WWW mail

I just discovered a problem with Insight's new WWW based on-line purchasing system. Insight sells personal computers & peripherals. When purchasing an item, the system asks you to set up an account first. Setting up an account is simply filling in a form with name, address, and phone #. An account # is then assigned.

A coworker set up an account with them a few weeks ago and bought something for his personal use, though he gave the office phone #. I set up an account a few days ago to buy something for work and gave the same office phone #. The system gave me the coworker's account #, but gave no indication that this was an existing account. All information needs to be entered again at "check-out" in addition to supplying a credit card # & shipping address. I received my order today with my coworker's name & home address on the bill.

I called and explained the situation. The service rep told me that account #'s are keyed to the phone #. She checked and told me that the proper credit card had been billed, but that the credit card co. had not checked the order for a correct billing address, etc. (This check is pretty standard for mail order these days.
In fact, most outfits will only ship to the CC billing address).

So no harm done, but I had a hard time convincing the rep that this was a problem that needed to be addressed. I can imagine a scenario where someone's home address is given to some jerk in the same office who's been harassing him/her. And what if my phone # changes? And the old number is reassigned? The phone # is also used as a "password" to help verify the account # when checking order status.

Will we never learn?

Christopher Holmes

------------------------------

Date: Thu, 02 Jan 1997 10:45:01 -0800
From: "Gerard A. Joseph"
Subject: Risks of miskeying e-mail addresses

Most users have learned at least once that a computer will do what it's told, even if it's not what the user intended (provided the input is valid). It would appear that many users are careless about handling and entering e-mail addresses. If such carelessness results in an invalid e-mail address, no real harm is done; the originating user will probably get a message back to that effect, realize his error, and resend the message with the destination address duly corrected.

However, an error that results in a valid e-mail address has potentially more serious consequences. It can result in a significant and embarrassing breach of privacy, and, depending on the honesty and the diligence of the unintended receiver, may remain unknown to the sender until it surfaces through some other means.

I often receive misaddressed e-mail, some of it intensely private in nature. While courtesy and common sense dictate that I return it promptly to the sender and inform him of the error, nothing about the Internet can guarantee the sender that any private information he unintentionally disclosed to me will not be abused.

E-mail addresses, like telephone numbers, can be wrongly transcribed or miskeyed.
With a burgeoning user population, it would seem that there is an increasing probability that a randomly miskeyed e-mail address will actually be someone else's e-mail address. Users should develop an awareness of the risks to their privacy (as well as to the effectiveness of their communication!) of getting e-mail addresses wrong.

------------------------------

Date: Wed, 15 Jan 1997 17:09:31 -0800
From: jwarren@well.com (Jim Warren)
Subject: Congress and FBI aided Gingrich's cell-call snoops (Re: RISKS-18.75)

Please note that it is the U.S. Congress that aided the cell-phone industry's initially remaining unsecure by making it unlawful to intercept calls that thus allowed cell peddlers to tell tech-naive prospects that cell calls were "safe".

But it is our federal enforcers -- led by the FBI -- who have zealously and diligently *BLOCKED* installation in U.S. cellphones of often-proposed, repeatedly-urged, readily-available automated scrambling technology to uncrackably protect the privacy of personal cell-phone calls, and also protect cell-phone id numbers -- that are *still* broadcast in the clear and thus trivially intercepted and cloned, costing the cell industry "billions" of dollars (that is, *if* the folks using cloned fones would actually pay for the calls that they make for free).

My information is that our FBI even had a major hand, earlier this decade, in keeping the European cell-phone standards committee from finally adopting cell-phone standards that they were ready to accept, that included automated uncrackable voice scrambling for *all* new cell phones. Seems our FBI told the French security folks how awful that would be for government snoops (i.e., all cell-users must be considered potentially guilty of something), and the French instantly demanded that the call-security aspects of Euro cell-phone standards be trashed. They were.
Jim Warren

------------------------------

Date: Thu, 16 Jan 1997 18:10:07 -0500 (EST)
From: Edupage Editors
Subject: FBI Offers New Proposal for Digital Wiretaps

The Federal Bureau of Investigation has released for public comment a new proposal for facilitating tapping of digital phone calls by law enforcement officials armed with court orders. Under the new proposal, which is significantly more modest than what the Bureau had asked for in an earlier plan, law enforcement officials would operate under a formula in which (for example) 523 phone lines could be monitored simultaneously in a place such as Manhattan. Privacy advocates oppose the FBI's plan as an unacceptable expansion of electronic surveillance. (*The New York Times*, 15 Jan 1997, A8; Edupage, 16 January 1997)

------------------------------

Date: Thu, 16 Jan 1997 17:12:15 -0500 (EST)
From: David Holland
Subject: Re: New US regs ban downloadable data-security software (RISKS-18.75)

"Lucky Green" (shamrock@netcom.com) wrote:
> [Federal Register: December 30, 1996 (Volume 61, Number 251)]
> [makes it illegal to export without a license:]
>
> c.3. ``Software'' designed or modified to protect against malicious
> computer damage, e.g., viruses;
>
> [For the full text, see
> http://www.epic.org/crypto/export_controls/interim_regs_12_96.html]

The cited text is not to be found on that page. (Standard RISK...) I found it at http://jya.com/ke121396.htm using Altavista.

It does appear that the language in question appears in the list of controlled items, even though in most previous documents of this sort virtually identical language appears as an exception to export controls. Did somebody goof when preparing the new regulations?

In any event, it appears that later language

  Note: 5D002 does not control:
  a. ``Software'' ``required'' for the ``use'' of equipment excluded from control under the Note to 5A002.
  b. ``Software'' providing any of the functions of equipment excluded from control under the Note to 5A002.
exempts anything that uses encryption only for access control or uses only message digests. Since this describes most existing virus protection software, I think some major legal wrangling will be necessary.

Note that almost all system software is designed to protect against malicious computer damage; if legal wrangling results in such software in fact becoming subject to export control, most operating systems projects are going to have major problems.

David A. Holland
dholland@hcs.harvard.edu

------------------------------

Date: Wed, 15 Jan 1997 21:45:16 -0500
From: Padgett 0sirius
Subject: FreeWare WORD macro antivirus release (PC/MAC)

Many people said it could not be done, but that just gets me interested and after literally months of obsessive programming (fortunately do not need much sleep 8*) on 14th January I posted for release as FreeWare (no charge for non-commercial use): MacroList.

Like the WORD macro viruses, this defense is designed to work on both MAC and PC platforms and anything from a 386/SE 30 to Pentium Pro 200/Power PC 100. A macro itself, it builds on the concept that some things in WORD are not subvertable by a document/template and provides a mechanism for detection of any abnormalities.

Like the rest of my programs, it has not a clue what a virus is, instead it gives users visibility into the areas where viruses reside and allows the user to decide what to do (DELETE ALL is an option). I have designed it to be compatible with other anti-virus programs (even SCANPROT) though MacroList is effective even against E-Mail launches of encrypted messages.

Enough said: it may be downloaded from http://www.netmind.com/~padgett/ - select "AntiVirus Hobby" and coming soon to sites near you.

Warning: there is a message in the ABOUT.

[A. Padgett Peterson]

------------------------------

Date: Tue, 14 Jan 1997 11:09:26 -0800
From: Susan Evoy
Subject: DIAC '97, Seattle 1-2 March 1997

Community Space & Cyberspace
What's the Connection?
http://www.scn.org/tech/diac-97

March 1 - 2, 1997, 9:00 am - 5:00 pm
University of Washington HUB
Seattle, WA USA

Will cyberspace destroy society by turning us all into high-tech couch potatoes? Or will it provide unprecedented opportunities for community involvement? On March 1 and 2, 1997, Computer Professionals for Social Responsibility (CPSR) will present its sixth DIAC ("Directions and Implications of Advanced Computing") conference to help answer those questions. The theme is "Community Space and Cyberspace: What's the Connection?" and our aim is to challenge some of the cyber-spacy hype and bring the discussion back to earth to the communities we live in.

Howard Rheingold, best-selling author of "The Virtual Community: Homesteading on the Electronic Frontier" will give the keynote address on March 1. Howard's presentation will be followed by panel discussions on economics, education, high-technology social mediation, and other topics. In these panels computer pioneers, activists, and other thinkers and doers will describe their experiences and ideas on what has changed, what may change, and, most importantly, what citizens can do to make the technology more responsive to community needs.

Some of the Panelists include (among others)

+ Peter van den Besselaar, Social Science Informatics, University of Amsterdam and De Digitale Stad (the Digital City), Amsterdam
+ Amy Borgstrom, Executive Director, ACENET, OH
+ Amy Bruckman, Researcher, MIT Media Lab, Cambridge, MA
+ Steve Cisler, Senior Librarian, Apple Computer, Cupertino, CA
+ Jamie McClelland, Libraries for the Future, New York, NY
+ Peter Miller, Network Director, Community Technology Center's Network (CTCNet), Newton, MA
+ Kevin Rocap, California State University at Long Beach
+ Roland Waters, CEO, RTIME, Inc.

The second day, March 2, will feature workshops on a variety of topics presented by practitioners from the Pacific Northwest, Boston, Amsterdam, New York City, and many other places.
Workshop Topics include

+ Libraries in Cyberspace
+ Community Voice Mail for Homeless Clients
+ Networking for Non-Profits
+ City Government Programs On-Line
+ Telecommunications and Educational Reform
+ On-Line Services: Forum for Collaboration or Technology of Isolation?
+ Safety in Cyberspace
+ Civil Liberties in Cyberspace
+ Navigating the Maze of Telecommunications Policy Changes
+ ...

For more information: Doug Schuler, douglas@scn.org, 206.634.0752

------------------------------

Date: 15 Aug 1996 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively, (via majordomo) DIRECT REQUESTS to with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO [for unabridged version of RISKS information]

=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues.
   *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
   ftp ftp.sri.com
   login anonymous
   [YourNetAddress]
   cd risks
   or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners:
   get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 18.76
************************