precedence: bulk
Subject: RISKS DIGEST 18.81

RISKS-LIST: Risks-Forum Digest  Thursday 6 February 1997  Volume 18 : Issue 81

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents:
The (f)e-mail of the PCs is more deadly than the bail (PGN)
Difficulties in developing large systems: IRS, etc. (PGN)
E-mail saboteurs confuse Colombian kidnapping negotiations (Miranda Mowbray)
Dutch bank folly (Sape Mullender)
Will-o'-the-w-ISP! More on AOL, Cyber Promotions (PGN)
AOL: 45 minutes and Out -- w/glitch (David Kennedy)
C++ Committee felled by Concept virus (Nathan Myers)
Syntax completion - a bad thing? (Andrew Kelly)
Re: Mike Schlier on memory loss by cosmic radiation (Martin Minow)
Re: The *Shetland Times* Summary (John Pelan)
Maryland Recycles Law On "Annoying" E-Mail (AOP Bulletin via David Farber)
Re: Electronic Funds Transfer without stealing PIN/TAN (Dan Wallach, Lloyd Wood)
Re: Student takes 3.5 hours to crack RC4 40-bit key (D. Dale Gulledge)
Proposed satellite monitoring of car movements in Sweden (Feliks Kluzniak)
Car radio "security" KeyCodes (Paddy Spencer)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 6 Feb 97 10:31:37 PST
From: "Peter G. Neumann"
Subject: The (f)e-mail of the PCs is more deadly than the bail [!]

The case involving Adelyn Lee and Oracle's CEO Larry Ellison (see RISKS-18.07-08) resulted in Ms. Lee being found guilty of perjury and falsification of evidence. She had previously won a $100,000 settlement against Oracle, using as evidence an e-mail message (``I have terminated Adelyn per your request.'') supposedly sent to Ellison by her former boss, Oracle VP Craig Ramsey. The prosecutor claimed that Lee had sent the message herself from Ramsey's account. She faces up to four years in jail.
Subsequently, the judge ruled that she may not use any of that settlement money to pay her bail. [Source: *San Francisco Chronicle*, 29 Jan 1997, A11, and 31 Jan 1997, E1]

[... Another case involving the credibility of digital evidence in penetrable, tamperable, and spoofable environments... Apologies to those of you who do not know the classical poem from whose title the Subject: line takes off. PGN]

------------------------------

Date: Thu, 6 Feb 97 10:20:58 PST
From: "Peter G. Neumann"
Subject: Difficulties in developing large systems: IRS, etc.

The IRS is apparently going to abandon its past Tax Systems Modernization effort, on which it has spent $4 billion. In testimony for the National Commission on Restructuring [``reinventing''] the IRS, IRS Assistant Commissioner Arthur Gross (who less than a year ago took on responsibility for IRS computers) stated that the systems ``do not work in the real world.'' (Past criticism has come from the Government Accounting Office and the National Research Council. See also RISKS-17.96, 18.23-25, 18.43.) Gross noted that the IRS lacks the ``intellectual capital'' for carrying out the effort. One system had been cancelled earlier (the program for converting paper returns to electronic form), and 12 more systems are under review. Gross is proposing to contract out the processing of individual returns to commercial firms (which raises all sorts of privacy issues), although that is only a small portion of the processing demands. [Source: An item from *The New York Times*, seen in the *San Francisco Chronicle*, 31 Jan 1997, A1.]

A subsequent editorial on the IRS's plight [*Chron*, 2 Feb 1997] also reminds us that the FBI ``threw away'' a $500-million fingerprint-on-demand computer and its crime information database, the State of California spent $1 billion on its nonfunctional welfare database system, along with more millions on BART and the DMV.

Readers of RISKS are well aware of the difficulties of developing large systems.
The real question is whether anyone is learning from the past experience. If only we were building bridges and Henry Petroski were able to help us!

------------------------------

Date: Mon, 3 Feb 1997 20:21:11 GMT
From: Miranda Mowbray
Subject: E-mail saboteurs confuse Colombian kidnapping negotiations

Last August, sixty Colombian soldiers were kidnapped by the Fuerzas Armadas Revolucionarias de Colombia (FARC), a Marxist-Leninist guerrilla group. The Colombian Government announced a few days ago that they would change from negotiating with the kidnappers through face-to-face meetings with intermediaries, which is slow and dangerous, to negotiating by e-mail.

Just after the announcement, the Government received a puzzled message from the FARC, saying that they had already received two e-mail messages claiming to be from the Government. The e-mails are thought to have come from right-wing saboteurs who do not want any negotiations to take place.

Source: BBC World Service News, 2/2/97

Miranda Mowbray mjfm@hplb.hpl.hp.com

------------------------------

Date: Mon, 03 Feb 1997 22:31:21 +0100
From: Sape Mullender
Subject: Dutch bank folly

An interesting scandal concerning electronic banking occurred in Holland. It needs a bit of introduction:

Banks have a system of `direct debit' whereby a company (originally the utility companies, now almost every company that requires periodic payments for services) can directly charge an amount to a client's bank account. Clients have to agree to this in advance by signing a statement authorizing a company to do such direct debits. The banks guarantee that, up to three weeks after such a debit has occurred, the client can undo the transaction.

Companies can use electronic-banking software on their PCs to carry out direct debits. The software package (Girotel) is the same as the one clients can use to do their banking electronically from their homes.
Last month, a Friesian church minister who publishes, I believe, a magazine of some sort, requested a direct-debit arrangement so that he could directly debit the accounts of his subscribers. He was vetted by the bank and declared reliable, so he got permission to carry out direct debit -- supposedly from consenting customers.

He then set to experimenting with it and discovered that he could direct-debit the account of his sister-in-law without her signed agreement and that he could also completely control the text on her bank statement (except for the amount and the bank-account number). He withdrew Hfl 2.50 from her account and got the text `Waterleidingbedrijf Friesland' (Water utility company Friesland) on her bank statement.

Our minister was surprised and informed the press which led to some considerable outrage about bank security. A bank director, confronted with the situation said that `nobody who had ever had money direct-debited from his account wrongfully has not gotten it back' (sorry about the double negative, but that's the way he put it). The news programme in which he said this had just presented results from a poll that showed that 20% of the people interviewed never check their bank statements.

One wonders how the bank discovers whether people who do not check their bank statement have had wrongful direct debits. The banks certainly appear to ignore the authorizations. The reporter, unfortunately, was not clever enough to ask the obvious follow-up question.

Sape Mullender

------------------------------

Date: Thu, 6 Feb 97 9:47:20 PST
From: "Peter G. Neumann"
Subject: Will-o'-the-w-ISP! More on AOL, Cyber Promotions

1. AOL's network bombed again, beginning at 2pm on 5 Feb 1997, and was not fully restored until about 4:30pm. The problem was attributed to a "technical glitch" in a software upgrade. [When have we heard that one before?]

2.
AOL was inaccessible to new sign-ons for about 20 minutes on 2 Dec 1996, due to a ``software system bug'' in preparing for the influx of users expected when the flat-rate charges went into effect; the 165,000 existing sign-ons were left intact. After fixing the bug at 4:55pm, AOL then blocked about one of every 10 sign-on attempts for the evening. (We note this case retrospectively for the RISKS archives, although it may seem insignificant in light of more recent problems.)

3. Cyber Promotions Inc got dinged twice this week. On 3 Feb 1997, a federal court barred them from sending unsolicited e-mail ads to CompuServe's 5 million subscribers. The next day, a different federal court barred them from falsifying their FROM: addresses. [I presume CPI will still find ways to go through the (pro)motions.]

[Sources: Items 1 and 3 were in *San Francisco Chronicle* squibs, 6 Feb 1997. Item 2 was from *The Washington Post*, 3 Dec 1996, C3. [typo fixed in archive copy]]

------------------------------

Date: 03 Feb 97 00:37:44 EST
From: David Kennedy <76702.3557@CompuServe.COM>
Subject: AOL: 45 minutes and Out -- w/glitch

AOL's latest strategy: 45 minutes and out (via COMTEX Newswire 31 Jan 1997)
[Courtesy of the COMTEX Newswire via CompuServe's Executive News Service]

> PC Week Online (January 30, 1997) - America Online Inc., trying to
> alleviate its by now infamous network gridlock, has come up with a new
> tactic: After 45 minutes on the service, users are being asked to log
> off. If they don't respond in 10 minutes, their session is ended. [...]
> But there's one catch: Certain games, such as an AOL contest dubbed
> "Neverwinter," disguise the dialog box, resulting in users being kicked
> off the system without warning, according to some disgruntled subscribers
> and an AOL spokesman. [...] The Dulles, Va., company posted a fix
> enabling users to view the dialog box in its AOL Insider area earlier this
> week, he said.
Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.

------------------------------

Date: Tue, 4 Feb 1997 13:58:10 -0800 (PST)
From: ncm@cantrip.org (Nathan Myers)
Subject: C++ Committee felled by Concept virus

At the November 1996 meeting of the ISO/ANSI C++ Standard committee, the computers provided by the meeting host for document preparation got an infection of the MS Word "Concept" macro virus. Since most attendees bring a laptop, those got infected too. We ended up spending twenty minutes in full committee (~60 people) on explanations of how to eliminate it, and protect against future infections.

The Concept virus, by the way, got its big initial propagation aboard Microsoft Developer CDs.

Those of us who never use MS Word (because it's so buggy? see http://www.cantrip.org/nobugs.html) were tickled half to death. If a room full of C++ experts can't keep viruses off their machines, what hope is there for Joe User? (Those of us using Linux were, of course, unaffected.)

If ever there were grounds for a class action lawsuit against a software distributor, this would seem to be it: releasing a program with a virus susceptibility switch, with the switch defaulted to "on", and then negligently distributing a sample virus to take advantage of it. Given the great difficulty this has caused many large organizations (I gather the University of Oregon was severely disrupted) I would expect to see many co-plaintiffs on such a suit. (NB: IHNBAL*.)

The RISK? The usual: badly-designed software and arrogance lead to angry (or sometimes just embarrassed) customers, and lawsuits.

Incidentally, another RISK is causing users who know better than to run the buggy software laughing themselves silly at those who don't, and then getting punched in the nose.

Nathan Myers

(*) Nota Bene: I Have Never Been A Lawyer.

------------------------------

Date: Thu, 06 Feb 1997 08:14:57 +0900
From: Andrew Kelly
Subject: Syntax completion - a bad thing?
Looking at Rational's Apex Ada development environment, I am not at all sure I am 100% pleased with the syntax completion it performs. It seems to me that syntax completion, as part of compilation, is not a good thing as it *repairs* errors rather than report them (eg. unpaired begin/ends). The obvious risk being that incorrect code will quite happily be "repaired" (very possibly, incorrectly) and will compile successfully.

I believe syntax completion should be available during editing, but not automatically employed during compilation. As far as I can discover, it cannot be switched off in Apex either. This seems, to me, to be more dangerous than it is useful ... eg. If you accidentally delete the "end" from a nested "if", where does the analyser stuff the "end"? Indeed, even if it gets the placement correct (eg. by inference from the indentation

Has anybody had any experiences with syntax completion that may confirm or allay my fears?

Andrew Kelly (andrewk@vsl.com.au), Software Design Engineer, Vision Systems, Technology Park, Adelaide, SA 5095, AUSTRALIA ph: +61-8-300 4602

------------------------------

Date: Thu, 30 Jan 1997 15:46:38 -0800
From: Martin Minow
Subject: Mike Schlier on memory loss by cosmic radiation (Fischer, RISKS-18.79)

> From: Mike Schlier
> To: Martin Minow
> In RISKS-18.79 you described an article describing research on memory loss
> caused by cosmic radiation. I am in possession of a report put out by the
> Boeing Corp titled "Single Event Upset In Avionics" detailing a study of
> this same effect which was sponsored by the Defense Nuclear Agency and the
> Naval Research Laboratory. This paper was submitted for publication to the
> Dec 1992 IEEE Trans. Nucl. Sci.
> Mike Schlier, F-4 System Support, Hill AFB UT

[Ed Fischer remarked on a typo in Martin's message, ``Summerized and translated by Martin Minow, minow@apple.com''. He suggested there must have been "Air[craft] conditioning".
PGN]

------------------------------

Date: Tue, 4 Feb 1997 17:59:25 +0000 (GMT)
From: John Pelan
Subject: Re: The Shetland Times Summary

PGN asked me to summarize an overwhelming number of contributions [some not included in RISKS, except for what was in RISKS-18.64,78,79] regarding the *Shetland Times* case.

The most significant point to note is that the court case has yet to happen. A judge has merely granted a temporary injunction ("interim interdict") preventing The Shetland News making hyper-text links to *The Shetland Times*, pending a full court case later this year. That decision was passed in October 1996 and no legal precedent has been set in doing so.

The case is being fought on the grounds of breach of UK Copyright Law. The final decision will probably rest on what constitutes a headline and whether the headlines in question can be treated as a separate work either individually or en masse, and whether websites fall within the definition of 'cable programme service' in the UK legislation.

At this stage the much touted implications of the outcome of the trial are highly speculative, often greatly exaggerated *and* are largely provisional on the complaint being upheld. Thus comments in this forum are best reserved at this stage, pending the actual trial and possible appeal, until the legal and technical RISKS, if any, become known.

John Pelan (J.Pelan@qub.ac.uk)

[Thanks to Mark Gould for additional comments. Definitive information available via http://www.shetland-times.co.uk/ and http://www.shetland-news.co.uk/ ]

------------------------------

Date: Tue, 04 Feb 1997 17:37:46 -0500
From: David Farber
Subject: Maryland Recycles Law On "Annoying" E-Mail

Excerpted from...
=============================================================
AOP Bulletin    Friday, February 3, 1997    Volume 97:05
=============================================================

The following is information distributed to members of the Association of Online Professionals and others involved in the online communications industry. Contacts and other information about AOP may be found at http://www.aop.org.

*****************************************************
Maryland Recycles Law On "Annoying" E-Mail
*****************************************************

A Maryland bill that would make it illegal to send "annoying" or "embarrassing" e-mail was introduced this week by Democratic General Assembly member Samuel Rosenberg. The bill got little support when it was introduced last year, but Rosenberg hopes to play off of recent murders involving electronic mail to see the bill passed. Civil liberties groups argue that the law would be unconstitutional, and that the terms "annoy" and "embarrass" are too vague to be meaningful.

If passed, House Bill 778 would amend the state's criminal harassment law to prohibit the use of e-mail to annoy, abuse, torment, harass, or embarrass other people, with violators receiving a fine up to $500 and three years in jail.

A similar bill introduced last year is quietly progressing through New York's state legislature. Senate Bill 1414, introduced by Democratic State Senator Ray Goodman, could be voted on in the House early this year.

Full text of the Maryland bill can be found at http://mlis.state.md.us/1997rs/billfile/HB0778.htm.

------------------------------

Date: Mon, 03 Feb 1997 13:01:00 -0500
From: Dan Wallach
Subject: Re: Electronic Funds Transfer without stealing PIN/TAN

[Summary: an ActiveX control can add a pending online transfer to your Quicken file]

While interesting, this is a great example of "I told you so."
When you accept an ActiveX control, you're allowing completely arbitrary code to rummage around your machine and do anything it pleases. That same code could make extremely expensive phone calls (900 numbers or whatever) with your modem; it can read, write, and delete any file on your computer; it can install Trojan horses and viruses. All without any of the subterfuge and hackery required to do it with Java. ActiveX hands away the keys to your computer.

That said, ActiveX still has its uses. On a corporate internal network, ActiveX is a nice replacement for custom internal applications, where the internal app would have been completely trusted, anyway. ActiveX across the *Internet*, however, is a disaster that doesn't have to wait very long to happen. The only security barrier is an annoying dialog box that many users will either ignore or configure away [one wrong click and you now trust code signed by each and every key issued by a given CA (e.g., VeriSign)].

The solution? Blocking ActiveX (or Java) at the firewall seems fragile, at best [see Dave Martin et al.]. Ideally you want to install your security policy [e.g., only allow ActiveX signed by your IS department] inside every user's Web browser. I can't speak for any browser vendors, but it's safe to suspect they're working on it.

Dan Wallach
Princeton University, Computer Science Department
dwallach@cs.princeton.edu http://www.cs.princeton.edu/~dwallach/ PGP Ready

------------------------------

Date: Thu, 6 Feb 1997 21:06:59 +0000 (GMT)
From: Lloyd Wood
Subject: Re: Electronic Funds Transfer without stealing PIN/TAN (RISKS-18.80)

> > From: weberwu@tfh-berlin.de (Debora Weber-Wulff)
> The newspaper quotes various officials at Microsoft et al.
> expressing disbelief

'We left that out of the third-party developer documentation! Who leaked it?'

> /outrage

'We've been beaten to market! By Germans! This is unamerican!'

> /"we're working on it".
'We'll be giving away our own secretly-siphon-all-your-money-to-Microsoft ActiveX program, currently undergoing final usability tests and stringent quality assurance in our developer labs, at no cost to you - just to try and regain our deserved share of this exciting new emerging market!'

Where does your money want to go today?

L.

multiple mailing lists and resends to me. if we had a decent newsfeed I'd've read it in comp.risks first.
+44-1483-300800x3435

------------------------------

Date: Wed, 5 Feb 97 10:18:00 EST
From: ddg@cci.com (D. Dale Gulledge)
Subject: Re: Student takes 3.5 hours to crack RC4 40-bit key (RISKS-18.80)

Last night, in his State of the Union address, President Clinton advocated placing confidential medical data online, as well as getting schools connected to the Internet. So long as his administration is opposed to strong encryption and insistent on putting sensitive private information on the net, the risks are numerous.

This contest offered a $1000 prize. The price for specific data on the net probably runs much higher than that.

------------------------------

Date: Wed, 29 Jan 1997 20:39:29 +0100 (MET)
From: Feliks Kluzniak
Subject: Proposed satellite monitoring of car movements in Sweden

The new issue of "Dagens IT", no. 3, dated 28 Jan - 3 Feb 1997 (a Swedish paper aimed at information technology professionals), contains an item that might be of some interest to those RISKS readers who followed discussions about automatic highway toll booths in the US and related subjects. My (probably imperfect) translation follows.

Car users will be put in "feetcuffs"
(written by Margaretha Sundstroem)

With the help of a new satellite system car users might pay different taxes, depending on when and where they drive. This is what the State communications commission is said to be discussing.
According to (the newspaper) "Dagens Politik", the State communications commission is discussing a proposal to use satellites for determining car taxes in the future.

It is proposed that all of Sweden's 3.5 million cars should be equipped with a little reader fastened to the instrument board. Car users would then buy cards that can be inserted into the reader. The card would communicate with a satellite that would register where you drive and for how long. The car tax would then be withdrawn from the card.

The proposal has been put forward by the State institution for communication analysis. They estimate that just the Stockholm (tax) authorities would be able to earn six billion crowns by using this system. The costs for car users would thereby increase.

- - - -

The reference to "feetcuffs" (by analogy to "handcuffs" - ankle shackles?) is an allusion to radio transmitters that are irremovably fastened to the ankles of some criminals in this country so that the authorities can monitor their compliance with the rules of house arrest. The word "communication" is meant to include car traffic etc. The word "billion" is given in its US meaning: a thousand million.

The risks? Apart from the risks of having very complex systems automatically determine how much you have to pay, there are the usual privacy considerations. Some cry out "big brother". Others say you are already in this situation if you carry a cellular phone.

Feliks Kluzniak, Carlstedt Research & Technology, Gothenburg

------------------------------

Date: Tue, 04 Feb 1997 12:41:30 GMT
From: paddy.spencer@parallax.co.uk (Paddy Spencer)
Subject: Car radio "security" KeyCodes

Some time ago I managed to run the battery down on my car and after getting a jump start I found the radio, instead of displaying the station frequency showed three bars (---) flashing.
I didn't know what the hell this was about so started randomly pressing buttons (the radio has 4 pre-set station buttons) and found that buttons 1-3 changed the number but 4 didn't appear to do anything. Eventually the display stopped flashing and wouldn't accept any more button presses. I was bemused.

Lying awake that night I realised that this was of course the security system that Ford introduced into their audio systems: disconnect the power source (here done by running the battery flat) and you need to enter a security code to regain access to your system.

I asked around various Ford garages and eventually found one that offered to give me the code -- apparently there is a database of all security codes that is sorted by the serial code on the radio. I took it along and the guy quite happily took the radio off and dug out the code and told me what to do to set it; you get ten goes to put the right code in, after this you have to leave it in the car with the ignition on, but the engine not running for 1 hour, after which you get to try again.

So where are the RISKS?

1. I received about half a dozen different sets of instructions on how to reset the radio -- all from Ford staff! Introducing a technology throughout your entire product spectrum and not making sure your staff know how to use it...

2. The guy who found the code for me made no effort to ascertain that I had a legitimate right to own the radio or retrieve the code. For all he knew, I might have nicked it from a car that morning and be wanting to have it reset in order to sell it later.

3. After finding out the code, he then wrote it on the case of the radio -- on a label provided by Ford for this purpose! So Ford on the one hand say "If a thief removes the radio he can't use it because he doesn't know the code" and on the other they're saying "If you need to know the code just take the radio out and have a look on the case."

Not the most secure security system I've ever come across!
Paddy Spencer
Parallax Solutions Ltd (http://www.parallax.co.uk/)

------------------------------

Date: 15 Aug 1996 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively, (via majordomo) DIRECT REQUESTS to with one-line,
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO [for unabridged version of RISKS information]

=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
   ftp ftp.sri.com login anonymous [YourNetAddress] cd risks or
   http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 18.81
************************