precedence: bulk
Subject: RISKS DIGEST 19.28

RISKS-LIST: Risks-Forum Digest  Thursday 7 August 1997  Volume 19 : Issue 28

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

Contents: [two trivial spelling corrections made in archive copy]
USENET gateway flaw plus immoderation in bypassing moderation (RISKS)
Name collision lands robbery victim in jail (PGN)
IRS erroneously sends out 90,000 tax warnings
Hong Kong slip reveals press info (David Kennedy)
Four-star general upset with privacy invasion (Glen Roberts)
On-line court information system raises access questions (Brian Schimpf)
Internet access to criminal records info (Nancy Talner)
Is Microsoft distributing viruses? (Gerhard Duennebeil)
Bill would make software copying a felony (Edupage)
Chicago flooded with counterfeit bills (David Kennedy)
Ctrl-Alt-Del (Paul VanDyke)
Clean Sweep wasn't quite soon enough (Jim Horning)
Electronic airline ticketing (Jordin Kare)
E-mail readers and snooping (Bryan C. Hains)
Re: What to do about software patents (Anthony E. Siegman, Ray Todd Stevens)
Urban legends, in this case a true one: General Mills/AOL (Brad Elmore)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 7 Aug 97 10:57:56 PDT
From: RISKS
Subject: USENET gateway flaw plus immoderation in bypassing moderation

The Berkeley USENET news gateway software was upgraded recently, but a bug
was introduced whereby an APPROVED line was automagically added, and
everything sent to the RISKS address went out to the USENET distribution.
I am told that this has now been fixed. My apologies to those of you who
were annoyed, and to those of you who were seriously harassed for
unwittingly being in broadcast mode.
However, this incident once again provides a reminder of how flaky our
infrastructure is, and how small changes can cause new risks.

Incidentally, I was copied on correspondence between a spammer who had
abused the USENET comp.risks distribution and someone who took very strong
objection to the spam. The spammer replied that he was innocent, insisting
he was not doing anything bad -- it was not *he* who was forging the
"APPROVED" line, it was his spamming tool!

Once again, let me add that due to horrendous quantities of e-mail spams, my
SysAdmin is filtering out mail from addresses that are predominantly sources
of spams. Unfortunately, this may render a few of you incapable of reaching
RISKS. (Sorry!) But despite our filtering, we are still receiving vastly too
many spams each day.

PGN

------------------------------

Date: Thu, 7 Aug 97 10:47:56 PDT
From: "Peter G. Neumann"
Subject: Name collision lands robbery victim in jail

Antonio Picazo Mendoza Jr. was beaten and robbed on his way to a store near
his home in Stockton, California. He managed to get home, where his family
reported the robbery to police and took him to the hospital. Police
discovered that his first and last name, date of birth, and Social Security
Number matched those of Antonio Blanco Mendoza, a wanted parolee. Despite
his protests that he was not that individual, he was detained in jail -- for
three days by the San Joaquin County Sheriff's Office, and for another two
weeks at Deuel Vocational Institution. It appears that Blanco was using
Picazo's identity.

RISKS has had numerous cases in the past of *intentional* identity theft and
*accidental* assignment of the same SSN to different individuals. It is not
yet clear which is true in this case.

------------------------------

Date: Thu, 7 Aug 97 10:37:22 PDT
From: "Peter G. Neumann"
Subject: IRS erroneously sends out 90,000 tax warnings

The IRS, already beset with the woes of trying to modernize its archaic
computer systems, has stumbled onto a new glitch. Because of a new software
error, warnings were incorrectly sent to 90,000 taxpayers that they were
subject to penalties and interest for failing to file proper tax returns for
nannies and other household employees. But those taxpayers had already
followed new IRS rules by using a new ``simplified'' form. This was another
unforeseen aftermath of the Zoe Baird ``Nannygate'' in which the IRS
ultimately decided the real problem was that the tax code was overly
complex. [Source: Ralph Vartabedian, *Los Angeles Times*, 7 Aug 1997, seen
in the *San Francisco Chronicle* of that day, p. A7]

  [This is a case of Tax Deform! Incidentally, I do not recall anyone
  heretofore noting a quasiliterary reference to J.D. Salinger's 1966 book,
  which could alternatively have been titled *Nanny and Zoe*. PGN]

------------------------------

Date: Fri, 11 Jul 1997 02:34:40 -0400
From: David Kennedy <76702.3557@compuserve.com>
Subject: Hong Kong slip reveals press info

From: http://www.news.com/News/Item/0,4,12161,00.html
Hong Kong slip reveals press info, By Reuters, 5 Jul 1997

> HONG KONG--The Hong Kong government has apologized for accidentally
> posting the personal information of hundreds of journalists on the
> Internet. Local newspapers quickly noticed that the government had posted
> a list of almost 1,000 journalists covering Monday night's Hong Kong
> handover to China on a Web site, plus passport and identity card details.

Mary Leung, chief information officer for the Government Information
Services, said the release was an accident. People attending the People's
Liberation Army arrival in Hong Kong were required to register with their ID
number and passport numbers.
> The name list was posted on the Internet June 29 because of a technical
> oversight and was removed by the government July 2 after the mishap was
> spotted. Leung believes the list might not have been seen by many surfers,
> though the government's Web site is open to everyone.

> Apologizing Thursday for the error, she said she believed it was an
> isolated incident that would not affect people's confidence in the
> protection of their personal information. "The oversight is regretted,"
> Leung said.

[dmk: I suppose that's one way to get the media interested in privacy
matters.]

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.

------------------------------

Date: 2 Aug 1997 18:07:01 GMT
From: glr@ripco.com (Glen Roberts)
Subject: Four-star general upset with privacy invasion

Maj. Tom Rheinlander, a spokesman for Griffith [four-star general and the
U.S. Army Vice Chief of Staff], said the general was unhappy when told
Friday his Social Security number was out there for all the world to see.
"As would most Americans, General Griffith views the publication of his
Social Security number on the internet as an invasion of his privacy,"
Rheinlander said. [Source: the *Oil City Derrick,* 2 Aug 1997 (my home town
newspaper). PGN Abstracting]

http://www.fulldisclosure.org/govtssn.html

  [This is one of the messages that slipped through into comp.risks. PGN]

------------------------------

Date: Wed, 06 Aug 1997 09:47:10 -0400
From: Brian Schimpf
Subject: On-line court information system raises access questions

An article in *The Boston Globe* (5 Aug 1997, B1) reports on litigation
concerning access to an on-line service to provide information about court
dockets for a number of superior courts in Massachusetts. The system is
called SCRIB, or Superior Court Remote Inquiry for the Bar, and allows
participants in court actions to view the court dockets so they can easily
schedule their appearances without burdening court staff.

Mr. Ross Mitchell is not a lawyer but is representing himself in a civil
lawsuit. He found out about the system and requested access, but was told
that the system is only available for lawyers, including the attorney
representing the man who is suing him. So Mr. Mitchell filed suit in federal
court arguing that he had a right to the same access to public information.
He has lost several rounds and his case is now before the US Court of
Appeals.

A key problem in the case is the capacity of the system, which was designed
only for lawyers, judges and court staff. James Klein, administrator of the
Superior Court, says the system is already near capacity. " 'If we were to
open it up to the general public, we would have to shut it down entirely
very quickly because the lines would be jammed,' said Klein. And the system
cannot be expanded because it is scheduled to be replaced when a new court
computer system goes on line in the next five to six years."

The Risks here are pretty familiar: a system which was designed without
adequate consideration for the demands which would be placed on it, leading
to the danger that a system which uses new technology to provide a real
benefit may be shut down completely due to insufficient capacity. And a
reluctance to address problems in an information system today based on an
expectation that a new system will solve all the problems quite some time
(five to six years) in the future.

Brian C. Schimpf, Gradient Technologies, Inc., 2 Mt. Royal Ave., Marlboro,
MA 01752  schimpf@gradient.com  (508) 624-9600 x214  http://www.gradient.com/

------------------------------

Date: Tue, 5 Aug 1997 21:22:00 -0400 (EDT)
From: NTalner@aol.com
To: wa-info-policy@eskimo.com
Subject: Internet access to criminal records info

  [Courtesy of Bob Jacobson ]

The Washington State Patrol is starting a pilot project called the WATCH
program, which was authorized by the 1997 legislature.
The program will make criminal history information available on the Internet
so that anyone who wants to run a background check on someone for employment
purposes (or to deny housing rental or just to snoop) can do so without
going through the state patrol.

This raises some dilemmas regarding privacy, public records access, and
allowing people to rehabilitate themselves from a criminal conviction. For
example, under current law, you can get a conviction vacated after a certain
period of time and then answer "no" when asked by employers if you have a
conviction, but this is useless if anybody can find the record anyway. Also,
current law allows background checks on criminal records to be done for
certain jobs, but not for every job. Under the new system, anyone who has
ever had a criminal case may risk having jobs, housing, and many other
things denied to them because of that case. It is further clear that under
current public disclosure law, most conviction records are public.

Can anybody help me analyze these issues and propose a remedy that maintains
access to public records while at the same time lessens the ongoing
punishment of individuals who can never escape their past? Thanks.

Nancy Talner

------------------------------

Date: Wed, 6 Aug 1997 09:11:09 +0200
From: Gerhard.Duennebeil@FZMAIL.arcs.ac.at
Subject: Is Microsoft distributing viruses?

A more or less happy user of Microsoft's Word 6.0a, I decided some days ago
to peek into the new Office97 package. Working with huge text documents I
didn't want to take the risk of migrating to the new products without having
at least some know-how about it. So I decided to make an installation
running from CD and play around with it. I also decided (and did so) never
to store an important old document with the new software until my decision
to migrate and the way to do so was clear.

Now, a few days later, I tried to work with a WORD6.0a document I have never
stored with the new WORD. Imagine my surprise when I suddenly found out that
I was not able to access an embedded MSGraph object. For your information:
The Office97 CD was not inserted at this moment.

Looking for some reasons I found the embedded object having a format of
MSGraph 5.0. When I created that object it had MSGraph (1.0?) format. It
looks like someone changed the format without asking me. I also peeked
around in the registry and found an entry related to MSGraph that said
"AutoConvertTo: xxx-xxx-xxxx-xxxxxxxxx-xxxxx" (some of these GUID). Guess
what was behind this GUID? Right, MS-Graph 5.0.

So to me it looks like MS is distributing software that manipulates my data
without my knowledge and makes it unusable this way. That is at least one
important property also expected from viruses, right?

The risk? Obvious, isn't it?

Gerhard Duennebeil, Austria

------------------------------

Subject: Bill would make software copying a felony (Edupage)

A bill sponsored by Rep. Robert Goodlatte (R-Va.) and supported by the
Software Publishers Association would make it a felony to copy more than
$5,000 worth of software. The "No Electronic Theft Act" stipulates that any
person who reproduces 10 or more copies of copyright software totaling more
than $5,000 could land a three-year jail sentence. A second offense could
net six years in a federal prison. The bill is designed to close the current
loophole that exempts software copying from criminal prosecution unless it
is willful and for profit. The U.S. Senate is considering a similar bill.
(*PC World Online*, 4 Aug 1997; Edupage, 5 Aug 1997)

------------------------------

Date: Tue, 5 Aug 1997 12:40:46 -0400
From: David Kennedy <76702.3557@compuserve.com>
Subject: Chicago flooded with counterfeit bills

Counterfeit bills (particularly twenties, and about one-fifth of them
computer-generated) are flooding the Chicago area, made by what the Secret
Service calls ``casual counterfeiters'' -- despite the possibility of a
15-year Federal sentence.
Many suspects are computer-literate young adults and even high-school
students. [Counterfeit dollars flood Chicago area (UPI, 1 Aug 1997, via
CompuServe's Executive News Service), PGN Abstracting]

------------------------------

Date: Tue, 05 Aug 1997 08:50:23 -0800
From: Paul VanDyke
Subject: Ctrl-Alt-Del

With Windows NT, this is the method of logging onto the console at the
server. This is also the famous three-finger salute that reboots a computer
not running NT.

Last night we did some system maintenance and moved an NT server close to an
OS/2 Warp Server. The monitor for the NT server is sitting on a shelf above
the other monitor. The keyboard is in a drawer right under the monitor. Our
LAN admin wanted to log onto the NT server, but used the wrong keyboard.
OOPS! Well it rebooted the OS/2 server just as commanded. Too bad it was
only 10 minutes till 8:00am. He didn't knock too many people off.

The risk? He got too familiar with a key sequence that should be guarded. I
used to think that it was neat to hit C-A-D and not have the computer
reboot, but not anymore. Bad programming, Microsoft!

------------------------------

Date: Fri, 01 Aug 97 19:54:00 P
From: Jim Horning
Subject: Clean Sweep wasn't quite soon enough

There's another use for those forged driver's licenses. This seems to be not
so much a computer-related risk, as a risk that could have been ameliorated
with a little more intelligent application of computers:

I am in the process of getting my checking world back in order after a
Southern California ring made off with a total of about $7,000 in cash from
my account one day last week.

* The ring is well-organized and efficient. My branch manager in Palo Alto
  says that there are already three other customers of her branch that she's
  currently working with -- creating new accounts, getting new checks,
  recovering missing funds, etc., etc., etc. One customer's account was hit
  for $12,000.

* All they need is your name and checking account number (everyone who
  handles any check you write has this information). They then forge a
  "good quality" California driver's license, with your name and their
  picture, to use as ID for over-the-counter bank transactions.

* They know the bank's fraud prevention procedures and thresholds. They
  "deposited" four bad checks, taking most of the amount in cash, but each
  check was just under $1,000.00. They hit multiple branches, all in
  Southern California. They also made two cash withdrawals.

* The amount they can take is not limited by the balance in your account:
  - If you have overdraft protection, they can go to the limit on that
    (e.g., the limit on your Visa account).
  - When they deposit a check with "cash back," they take the amount of the
    phony check, not the amount left in your account.
  - Checks and over-the-counter transactions are processed overnight, not
    online, so by working a number of different branches, they can take
    multiples of your account.

* There doesn't seem to be any reasonable way (at Wells Fargo Bank) to limit
  over-the-counter cash withdrawals from an account (unlike ATM
  withdrawals).

* The best protective measure seems to be to monitor your account frequently
  (via the Web, telephone banking, Quicken online, or whatever) and
  IMMEDIATELY report anything suspicious.

* Everyone at Wells Fargo has been very nice and helpful, but it's a real
  nuisance to deal with this. To their credit, their Loss Prevention unit
  spotted the anomalies and notified me in less than a week -- well before I
  would have received my statement. I'll get all my money back, but no
  reimbursement for the time I'm spending.

Jim H.

  [Added note from Jim:]

There is one defense against over-the-counter raids, but it's pretty
drastic. It's what they did to my old account as soon as they recognized
"unusual activity": Flag the account so that all over-the-counter cash
transactions require approval by a specific person in the Loss Prevention
unit. This includes third parties, like our cleaning lady, who was unable to
cash our $60 check, because she wanted cash -- a deposit to an account would
have gone through.

* I would have thought that one could restrict an account so that cash
  withdrawals were limited for over-the-counter as well as ATM transactions,
  but, no, the computer isn't programmed for that.

* I would have thought that, by now, over-the-counter cash withdrawals were
  totalled bankwide, not just per branch, in real time, but no, screening
  for unusual activity apparently happens overnight. [The ring apparently
  knows this: There has been no further attempted fraudulent activity since
  the one day.]

* I would have thought that a $2,100 cash withdrawal (the largest single
  transaction) would require more ID than a California driver's license,
  but apparently not.

On the bright side, my money (including my July payroll deposit) has
supposedly just been transferred to my new account. Of course, there's no
easy way to test this, since my online banking access has been shut down to
prevent fraud...

Jim H.

------------------------------

Date: Mon, 04 Aug 1997 00:12:59 +0000
From: Jordin Kare
Subject: Electronic airline ticketing

The discussion in RISKS-19.27 of problems with an online ticketing service
reminded me of a recent "adventure" a colleague and I had with a major
airline.

My name is Jordin Kar_e_. My colleague is Thomas Kar_r_. We were travelling
together on business from Oakland, CA to Los Angeles. Our (L.A.-based)
travel agency had gotten us both electronic tickets on (we thought) a 7 a.m.
flight. For those who have not used e-tickets, you do not get a physical
ticket in advance of your flight. Instead, you show a photo ID at checkin
and receive a boarding pass only.
Airlines are heavily promoting this "ticketless travel", noting that, among
other things, it keeps you from "losing tickets".

Tom and I arrived at the airport together. Two clerks were working the gate
counter. Both clerks ask to see "photo ID and the credit card the ticket was
bought with". Hmm -- we don't have any such credit card, since the travel
agency bought the tickets for us. My clerk merely says, "Is this a business
trip?" and when I say yes, she checks her screen, taps a few keys, and hands
me a boarding pass. Tom's clerk, however, refuses to issue him a boarding
pass if he doesn't have the credit card the ticket was purchased with, and
an argument ensues. Neither clerk asks for the e-ticket tracking number (a
unique index number which is given to the buyer at the time an e-ticket is
bought and is supposed to be used like a reservation confirmation number, to
make sure the transaction is not "lost in the computer").

While Tom is arguing, I sit down to wait for boarding. As I get up to board
the flight, I happen to check my boarding pass to make sure my Frequent
Flyer number is shown, so I'll get mileage credit. To my surprise, the FF#
is not mine. A quick look shows that the boarding pass has someone else's
name on it. I take it back to the desk, and my clerk says, more or less,
"Oh, I'm glad you noticed." and takes back the boarding pass. The other
clerk is still talking to Tom, but has apparently resolved the argument. He
sees the returned boarding pass, says something like, "Oh, there's what I
was looking for", grabs it, and (although I didn't notice what he did at the
time) hands it to Tom!

Meanwhile, my clerk asks my name again, looks at her computer, and says they
have no record of an e-ticket or even a reservation for me! After some
discussion, she eventually looks up my return flight, finds a reservation,
and is able to find my missing e-ticket -- I'm on the 8:30 flight out, not
the 7 a.m. flight. (Fortunately, the return flight was the one I thought it
was, as she apparently could not search for an e-ticket record by name
alone). So Tom commiserates with me on how the travel agency screwed up, and
boards the 7 a.m. flight, leaving me to sit in the airport for an hour or
so.

So far the RISK is that the airline quite happily gave me someone else's
boarding pass, for a flight on which I had no ticket, electronic or
otherwise, simply because I had a similar last name. Had I not happened to
check it, I could have flown on someone else's ticket. In addition to the
obvious RISKs of screwed-up travel arrangements, it is worth noting that,
had I boarded the 7 a.m. flight and had it crashed, the wrong next-of-kin
would have been notified. (A secondary RISK (or at least irritation) is that
a major airline seems to have no clear policy regarding the matching of
credit cards to e-tickets, and seems to have trouble with the notion that an
e-ticket traveller might not be the purchaser of the ticket. Yet another
RISK is that, had my return flight also been wrong, the airline apparently
couldn't have found my e-ticket at all, at least until my travel agent's
office opened and I could get the tracking number.)

But the story is not complete. *After* Tom Karr reached LA, he discovered
that the stub of his boarding pass did not say "Thomas Karr" -- it said
"_Harold_ Karr". A check with the airline revealed that Tom Karr, like
Jordin Kare, had a reservation on the 8:30 flight, not the 7 a.m. flight. So
Tom *did* fly on someone else's ticket, and had to do some fast talking to
the airline to make sure that his return flight wasn't cancelled (since
"Thomas Karr" never picked up his e-ticket on the 8:30 flight). So the same
boarding pass was issued to *two different* *wrong* passengers. What
happened to poor Harold Karr, the legitimate 7 a.m. passenger, we can only
speculate....

Jordin Kare

------------------------------

Date: Mon, 04 Aug 1997 00:05:19 -0400
From: "Bryan C. Hains"
Subject: E-mail readers and snooping

With the availability and ease of installation of e-mail software such as
Pegasus and Eudora, the potential for abuse exists with the latest round of
features. With both of these packages an internal parser scans the text of
your e-mail's body and highlights predetermined "phrases" that begin with
"http://" and "mailto:" for ease of web browsing and reply. Obviously the
specifics of these scans are coded into the guts of the software.

The risk? If the source were obtained by a not-so-friendly entity and
modified to look for other more valuable information within the message,
this info could be stealthily usurped and sent to a third party. A modified
"new version" or "update" could be released onto the net (somewhere such as
windows95.com) and thousands of unsuspecting users could become extremely
vulnerable extremely quickly.

Bryan C. Hains, Dept of Neuroscience, University of Florida Coll. of
Medicine and Brain Inst.  http://www.naples.net/~nfn02711
hains@neocortex.health.ufl.edu

------------------------------

Date: Sat, 02 Aug 1997 13:49:37 -0700
From: siegman@ee.stanford.edu (AES)
Subject: Re: What to do about software patents (RISKS-19.27)

(A copy of this message has also been posted to the following newsgroups:
comp.risks)

> Seeing the vast numbers of non-novel and obvious software patents issuing in
> my area (financial services), a number of unorthodox ideas are crossing my
> mind, such as ...
>
> Are we reaching the point where we should ask a judge to place the Patent
> Office, or the software art areas, under a court-appointed receiver or
> administrator, due to its manifest ongoing failure to carry out its official
> duties under Federal Law with respect to 35 U.S.C. 101, 102, 103, Rule 56
> and so on?

I'm not sure if you've been following the fervid discussion of this issue in
misc.int-property.
Speaking as a reasonably competent scientist and engineer, my view is there
are vast numbers of non-novel and obvious patents in every field in which
I'm competent to judge, although non-novel software patents may have the
potential to do a lot more immediate damage. Given the competence expected
of and resources available to patent examiners, it could hardly be
otherwise. Patent attorneys, however -- at least those who post to
misc.int-property -- seem to vehemently disagree with this view.

  [This item was another one that slipped through into comp.risks. PGN]

------------------------------

Date: Thu, 7 Aug 1997 05:49:27 -0700 (PDT)
From: "Ray Todd Stevens"
Subject: Re: What to do about software patents (RISKS-19.27)

You really have faith in the courts or Congress doing a better job. Want to
buy some high value swamp, too?

------------------------------

Date: Mon, 04 Aug 1997 10:17:00 -0400
From: Brad Elmore
Subject: Urban legends, in this case a true one
  (Re: General Mills & AOL in sleazy partnership: Chex Quest CD-ROM game)

| ... the children's program host who told his viewers to go to daddy's
| wallet, take out the money, put it in a envelope, and send it in.

This is of course an urban legend (see the full story with references at
http://snopes.simplenet.com/radiotv/tv/soupy1.htm); here's the summary:

Claim: Soupy Sales asked his young television viewers to send him "little
green pieces of paper" from their parents' wallets.

Status: True.

Synopsis: Yes, Soupy Sales really did jokingly make this request to his
television audience on 1 January 1965, but two commonly-believed aspects of
this legend -- that Soupy subsequently received tens of thousands of dollars
in the mail, and that his show was cancelled as a result of the prank -- are
untrue.

The RISKS of urban legends should be well-known by now.
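  [Editor's added example, placed here at the end of the contributed items
  rather than inside Jim Horning's "Clean Sweep" message above, which it
  illustrates. It is not part of RISKS or of any bank's system. Horning's
  points are that the ring kept each cash-back deposit just under a $1,000
  review threshold, spread the visits across several branches in one day,
  and relied on the bank totalling over-the-counter cash per branch in an
  overnight batch rather than bankwide in real time. The code below
  contrasts the two screening models on a constructed day of transactions.
  The thresholds, rule names, field names and the transactions themselves
  are assumptions made for illustration; only the $1,000 figure, the $2,100
  withdrawal, the $60 cheque and the rough $7,000 total come from the item.]

```python
"""Bankwide, real-time screening of over-the-counter (OTC) cash activity.

Added example; not part of RISKS or of any bank's actual system. Thresholds,
field names and the sample transactions are constructed for illustration.
REVIEW_THRESHOLD is the per-transaction figure the ring stayed just under.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REVIEW_THRESHOLD = 1000.00          # assumed per-transaction review threshold
NEAR_BAND = 0.10                    # "just under" = within 10% below it
DAILY_CASH_LIMIT = 2500.00          # assumed bankwide OTC cash-out limit per account per day
MULTI_BRANCH_WINDOW = timedelta(hours=6)
MULTI_BRANCH_MIN = 3                # distinct branches inside the window that trigger


@dataclass(frozen=True)
class Txn:
    when: datetime
    account: str
    branch: str
    kind: str          # "deposit_cashback" or "withdrawal"
    cash_out: float    # cash handed over the counter, regardless of balance


@dataclass
class AccountState:
    cash_out_today: float = 0.0
    near_threshold_deposits: int = 0
    visits: list = field(default_factory=list)   # (when, branch) pairs


def near_threshold(amount):
    """True for amounts in the band just below the review threshold."""
    return REVIEW_THRESHOLD * (1 - NEAR_BAND) <= amount < REVIEW_THRESHOLD


def screen_realtime_bankwide(txns):
    """Evaluate each transaction at counter time against the account's
    running bankwide state for that day. Returns (txn, rules) pairs in time
    order; an empty rules list means the teller could approve it."""
    state = defaultdict(AccountState)
    results = []
    for t in sorted(txns, key=lambda x: x.when):
        s = state[(t.account, t.when.date())]
        s.cash_out_today += t.cash_out
        s.visits.append((t.when, t.branch))
        if t.kind == "deposit_cashback" and near_threshold(t.cash_out):
            s.near_threshold_deposits += 1
        rules = []
        if s.cash_out_today > DAILY_CASH_LIMIT:
            rules.append("daily_cash_limit")
        if s.near_threshold_deposits >= 2:       # structuring under the threshold
            rules.append("structuring")
        recent = {b for when, b in s.visits if t.when - when <= MULTI_BRANCH_WINDOW}
        if len(recent) >= MULTI_BRANCH_MIN:
            rules.append("multi_branch")
        results.append((t, rules))
    return results


def screen_overnight_per_branch(txns):
    """The model the item describes: each branch's totals checked in an
    overnight batch with no cross-branch view. Returns the
    (account, branch, date) keys whose branch-local cash-out exceeded the
    daily limit. Single just-under-threshold items never show up here."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t.account, t.branch, t.when.date())] += t.cash_out
    return sorted(k for k, v in totals.items() if v > DAILY_CASH_LIMIT)


def sample_day():
    """Constructed transactions: one account hit at six branches in a day,
    every cash-back deposit just under the threshold, plus an unrelated
    legitimate $60 cheque cashed at another branch."""
    def at(h, m):
        return datetime(1997, 7, 28, h, m)
    return [
        Txn(at(9, 15),  "JH-0001", "LA-01",   "deposit_cashback", 980.00),
        Txn(at(10, 5),  "JH-0001", "LA-07",   "deposit_cashback", 975.00),
        Txn(at(11, 30), "JH-0001", "LA-03",   "withdrawal",      2100.00),
        Txn(at(12, 10), "JH-0001", "LA-11",   "deposit_cashback", 990.00),
        Txn(at(13, 0),  "JH-0001", "LA-05",   "deposit_cashback", 960.00),
        Txn(at(14, 20), "JH-0001", "LA-02",   "withdrawal",       800.00),
        Txn(at(15, 45), "PA-0001", "PALO-01", "withdrawal",        60.00),
    ]


if __name__ == "__main__":
    for t, rules in screen_realtime_bankwide(sample_day()):
        print(t.when.time(), t.account, t.branch, f"{t.cash_out:8.2f}", rules or "ok")
    print("overnight per-branch flags:", screen_overnight_per_branch(sample_day()))
```

  Run as written, the real-time bankwide pass raises "structuring" on the
  second sub-$1,000 cash-back deposit and all three rules from the $2,100
  withdrawal onward, while the overnight per-branch pass flags nothing,
  because no single branch ever sees more than $2,100 or more than one
  near-threshold item. That is the gap Horning points at: the same
  transactions, screened with the same limit, are invisible unless the
  totals are kept across branches and checked before cash leaves the
  counter.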
------------------------------

Date: 1 Apr 1997 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
   if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively,
   (via majordomo) DIRECT REQUESTS to with one-line,
     SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
     INFO [for unabridged version of RISKS information]

=> The INFO file (submissions, default disclaimers, archive sites,
   .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also
   obtainable from
     http://www.CSL.sri.com/risksinfo.html
     ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues. *** All
   contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com
     login anonymous
     [YourNetAddress]
     cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
   or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   The ftp.sri.com site risks directory also contains the most recent
   PostScript copy of PGN's comprehensive historical summary of one liners:
     get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 19.28
************************