precedence: bulk Subject: RISKS DIGEST 19.69 RISKS-LIST: Risks-Forum Digest Wednesday 22 April 1998 Volume 19 : Issue 69 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://catless.ncl.ac.uk/Risks/19.69.html Contents: Pentagon to take stronger computer security measures (Edupage) Hackers claim major U.S. defense system cracked (PGN) Risks of placing too much trust in large site operators (Drew Hamilton) Report on new En Route Centre NERC for UK ATC (Pete Mellor) Internet Jurisdiction (Rob Bailey) Euro changeover tougher than Y2K? (David Wittenberg) Re: Only 1/3 of popular Microsoft apps are Y2K compliant (Michael Levi, Mark Stalzer) Y2K on the road (Evan McLain) Re: Y2K and the eagle talon (Paul Thompson) GSM Alliance Clarifies False & Misleading Reports of Cloning (Geoff Goodfellow) Re: Mobile phones in gas stations (Michael Bacon) Re: HP200 data integrity woes (Morten Norman) Risk: Going to jail innocently over a speeding ticket (Steven Murphy) Reminder on Privacy Digests (PGN) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 19 Apr 1998 12:54:19 -0400 From: Edupage Editors Subject: Pentagon to take stronger computer security measures Learning of numerous vulnerabilities in the security of the computers accessed by its 2.1 million users worldwide, the Department of Defense is formulating new plans to tighten security systems. In a recent military exercise called "Eligible Receiver," cyber attacks were able to access the military's command and control structure in the Pacific (and could have shut it down); the attacks also could have turned off the entire electrical power grid in the U.S. (*Washington Times*, 17 Apr 1998; Edupage, 19 Apr 1998) [Eligible Receiver used well-known penetration techniques. The *WashTimes* article quoted Pentagon spokesman Kenneth Bacon saying "Eligible Receiver was an important and revealing exercise that taught us that we must be better organized to deal with potential attacks against our computer systems and information infrastructure." This should have been no surprise to anyone except perhaps whomever in the Pentagon doesn't read RISKS and security newsgroups. PGN] ------------------------------ Date: Wed, 22 Apr 98 9:45:17 PDT From: "Peter G. Neumann" Subject: Hackers claim major U.S. defense system cracked A Reuters article by Andrew Quinn in today's print and electronic media notes that a group calling itself Masters of Downloading (a new MOD, including members in the U.S., Britain, and Russia) claims that it has been able to obtain secret files from a computer system used to control military satellites, via the Defense Information Systems Network (DISN). The files include the DISN Equipment Manager (DEM), which controls the U.S. network of military Global Positioning System (GPS) satellites. MOD members apparently informed John Vranesevich (who runs the computer security website AntiOnline ) of their exploits. [PGN Stark Abstracting] ------------------------------ Date: Mon, 20 Apr 1998 18:13:16 -0400 (EDT) From: Drew Hamilton Subject: Risks of placing too much trust in large site operators On a web page today, I saw one site had one of those "how to link to us" pages that are getting more popular. You know, the ones with different banners, and the HTML code snippets that you paste into the page in order to get the ad in there. Well, this one had at the bottom: If you don't feel confortable adding that link yourself, we will be happy to do it for you. Email us at link@addme.com with the following information: 1) your ftp address 2) your userid and password. It's scary that it's altogether conceivable that someone might actually fall for that! Drew Hamilton http://winged.anime.net/ [Perchance the Pentagon has been using this wonderful free service? PGN] ------------------------------ Date: Wed, 22 Apr 1998 15:42:19 +0100 (BST) From: Pete Mellor Subject: Report on new En Route Centre NERC for UK ATC (re: Ladkin, R-19.18) Further to the earlier report by Peter Ladkin in RISKS-19.18. The Fourth Report by the Environment, Transport and Regional Affairs committee of the House of Commons was printed on 27th March 1998. It is available on:- http://www.parliament.the-stationery-office.co.uk/pa/cm199798/cmselect/cmenv tra/360iv/et0402.htm However, I had a problem accessing it directly using that URL, and anyone who has difficulty might care to try the general URL ... http://www.parliament.the-stationery-office.co.uk ... and do a keyword search on "NATS", which will call up several sections of the report including the main contents list, together with the answers to some questions asked in parliament on the subject. The gist of the report (which I do not have time to summarise in any greater detail now) is that here is a classic software disaster happening right before our eyes, and the committee have requested an independent review with cancellation as one of the identified options. Peter Mellor, Centre for Software Rel., City University, London EC1V 0HB, UK. +44 (171) 477-8422 p.mellor@csr.city.ac.uk, http://www@csr.city.ac.uk/ ------------------------------ Date: Sat, 18 Apr 1998 15:56:12 -0400 From: Rob Bailey Subject: Internet Jurisdiction Financial risks of technology come in many flavors. In the year 2000, I'll have a dangerous combination: a BS in Comp Sci with 15 years of programming and electrical engineering experience, and a JD. I can't walk anywhere without playing "spot that tort." Have you thought about the risk to your bank account of retaining local counsel in every country on the planet? If you have a web page (or worse, a whole site), have you considered that it might subject you to the pleasures of a no-expenses paid trip to Saudi Arabia to answer in a Saudi court why your web page displays a woman's thigh? Or to Paris to explain why your page isn't translated into French as required of all media available in France to French citizens? Or explain to a Russian court . . . You get the picture. Lawyers call it "personal jurisdiction" - the authorization a court has to hale a person (corporate, natural, or otherwise) who is not a resident of the court's forum into that court to answer charges (criminal or civil) as a defendant. You might call it something else (e.g., a name with only four letters). And you might be surprised at the answer. In the United States, the law is still developing slowly and inconsistently. For example, the level of interactivity your site employs might be a factor in whether or not a court a couple of thousand miles away can haul in your posterior because you offended someone there. [For more information, find a copy of the Washington and Lee University Law Review, Vol. 54, p. 1269, and read "WORLD WIDE WEB ADVERTISING: PERSONAL JURISDICTION AROUND THE WHOLE WIDE WORLD?" by Christopher W. Meyer. (Of course, I'm a little biased about how good Mr. Meyer's legal education has been, but the article has been widely acclaimed as top notch, and cited by some pretty heavy hitters already.) To read the article, go to http://www.wlu.edu/~lawrev/text/543/Meyer.htm, go here http://www.wlu.edu/~lawrev/ for contact information, or write: Washington and Lee Law Review Washington and Lee University School of Law Lexington, Virginia 24450] Rob Bailey, wm8s@pobox.com, Washington and Lee University, School of Law ------------------------------ Date: Tue, 21 Apr 1998 15:42:59 -0400 (EDT) From: David Wittenberg Subject: Euro changeover tougher than Y2K? "Euro changeover makes year 2000 bug look easy", *The New York Times* 21 Apr 1998 (electronic edition, http://www.nytimes.com/) The problems range from the trivial (most computer's OSs have no representation for the euro symbol) to the administrative (everybody is busy with Y2K, so it's hard to find people to work on the euro conversion.) Like Y2K, the euro conversion requires converting historical data so that it can be compared with new data. It also requires running a system which can handle both the euro and the old currency simultaneously. A further complication is that to change from one existing currency (say Italian lira) to another (say French francs), you are required to first convert the lira to euros (rounding to the nearest cent), and then convert from euros to francs. I expect someone to take advantage of the rounding errors. David Wittenberg dkw@cs.brandeis.edu ------------------------------ Date: Fri, 17 Apr 1998 14:55:49 -0400 From: Levi_M Subject: Re: Only 1/3 of popular Microsoft apps are Y2K compliant (R-19.68) According to the Microsoft Web site, 34 products are Y2K compliant 21 are "Compliant with minor issues" 3 are non-compliant. This is not nearly as dire as the previous post implies. The risk: reading too quickly, or perhaps just looking too hard for confirmation that Microsoft really is the devil. Michael Levi [Perhaps, or maybe only 21 (not yet 34) were compliant when the article was written. Incidentally, the MS Web site indicates that "compliant with minor issues" includes the DIR command displaying the date as only 2 digits instead of 4, and dates after 2000 requiring four-digit input. PGN] ------------------------------ Date: Fri, 17 Apr 1998 08:54:26 -0700 From: Mark Stalzer Subject: Re: Only 1/3 of popular Microsoft apps are Y2K compliant (R-19.68) Most of these products have been developed in the last few years by some of the best minds in software (or so we are told). There is simply no excuse for Y2K noncompliance. Perhaps Microsoft's real objective is to force everyone to upgrade next year -- thereby turning the Y2K problem into a profit opportunity. Mark Stalzer, mas@acm.org ------------------------------ Date: Thu, 16 Apr 1998 22:05:10 -0500 From: Evan McLain Subject: Y2K on the road I recently hosted a visit from a group of engineers that are assisting us with Y2K verification. As they were leaving, one of them said, "Say, you don't have a 1979 Toyota, do you?" Apparently the engine computer in these cars uses "00" in the year field as a code for "complete engine shutdown". I wonder if it would cause a moving vehicle to quit, or just one that was turned off overnight on the 31st? ------------------------------ Date: 17 Apr 1998 02:07:19 GMT From: thompson@athenet.net (Paul Thompson) Subject: Re: Y2K and the eagle talon (RISKS-19.68) It seems the reports of Eagle Talon/Mitsubishi Eclipse ECU controller failures was a little premature. Or a late April Fool. Here is the text of the moderator's retraction available at ftp://talon:eclipse@ftp.dsm.org/Archive/980415.txt Date: Wed, 15 Apr 1998 12:00:01 -0700 >From: talon-owner@dsm.org To: talon-digest@dsm.org Subject: Talon Digest for 04/15/98 Sender: owner-talon@dsm.org Reply-To: talon@dsm.org [Well, it looks like some of you took the Y2K thing a bit too seriously. Being the computer geek I am, I sometimes forget what is common knowledge and what is not. I was just a little sick of the "me too" posts on the Y2K thing and wanted to add a little DSM content. By the time I was done, I once again figured out a good prank for April 1 a few days too late (happens to me every year). I'm getting sick of the press overstating the Y2K problem. They often mention "planes falling from the sky" and "intersections with all lights green". As if there weren't a million other possible bugs in the software that control these insanely complex systems that could cause problems, right here, right now. At my day job, we have to certify that we are "Year 2000" compliant - huge amounts of paperwork - meanwhile, we have several other bugs in our code that we *don't* need to sign paperwork about... Just doesn't make too much sense to me. A bug is a bug - how come people don't go around talking about stack overflow problems in the same tone of voice? A lot of the problems surrounding Y2K problems involve the abbreviation of the year 19xx into just xx. Bytes don't overflow at 100 or 2000. They overflow at 256 or 65536, etc. Almost all computers since the invention of Unix seem to mark time as some number of seconds past a baseline like 1970 or 1980. These systems don't overflow years at nice round numbers - a lot of the Microsoft DOS stuff will roll at 2036 or 2047. As far as I know, there are currently *no* ECUs on the market that keep track of time. Most of them keep track of mileage if they are trying to stamp the error codes, or maybe seconds elapsed since car started. The problem is that the ECU could never have any concept of what time it really is unless the driver could update it somewhere. Also, I have yet to see a PC clock that didn't lose less than 3 seconds/day. Given the temperature extremes inside a car, I don't think it could be done easily. Even at a conservative 3 secs/day, you'd be +/- 3 hours at the end of ten years. Not really useful except for relative time. I thought the placement of the article after a Mac/Tandy love- note would tip people to the comment being phony. I guess my pointing it out at the top of the digest kinda backfired (no pun intended). Sorry if I scared anyone... Best comment received: Someone wondering when the Galant VR4s would roll since they were built in Japan... -talon mgr] ------------------------------ Date: Fri, 17 Apr 1998 22:08:41 -0700 From: "the terminal of Geoff Goodfellow" Subject: GSM Alliance Clarifies False & Misleading Reports of Cloning [Sent by Geoff_Goodfellow@Iconia.com, s.r.o. tel/mobil +420 (0)603 706 558 Vsehrdova 2, 110 00 Praha 1, Czech Republic fax +420 2 5732 0623] [Because this item is based almost entirely on an open press release, we do not feel that reproducing it in its entirety constitutes any copyright infringement. PGN] GSM Alliance Clarifies False & Misleading Reports of Digital Phone Cloning GSM Remains the Most Secure Commercial Wireless Technology (Business Wire; 04/17/98) A coalition of wireless Personal Communications Services (PCS) providers has released [on 17 Apr 1998] facts to correct some misconceptions generated by the recent claim that several California researchers had found a weakness in the security of Global System for Mobile communications (GSM) technology, the world's most popular digital wireless standard. The North American GSM Alliance, LLC - consisting of the eight largest GSM network operators in the United States and Canada - provided the following information in response to a number of erroneous published reports. 1. GSM phones are not vulnerable to cloning. Researchers only claimed that, through a process of trial and error, they figured out how to copy information from the Subscriber Identity Module (SIM) card - a unique GSM feature that contains a customer's individual network access code. Duplicating a SIM card is not like cellular cloning since the network only recognizes one copy of a GSM phone number at a time. This is an important distinction, since it does not permit would-be thieves to fraudulently capture, duplicate and utilize a customer's phone number and account information by intercepting over-the-air transmissions and deciphering the data. By contrast, information from ordinary analog cellular phones can be pulled out of the airwaves, copied and re-used multiple times. This illegal process, also known as "sniffing," is still not possible to do with GSM technology. The California group said that it needed physical access to a SIM card in order to duplicate it. While they believed copying theoretically could be done remotely, the group admitted that it was, in fact, unable to do so. 2. There is no risk to subscribers. GSM's design process and proven functionality continues to offer the strongest level of commercial wireless security. GSM customers can have the highest degree of confidence that they are protected from over-the-air cloning. In fact, thieves can more easily steal GSM phone service simply by stealing wireless handsets rather than producing counterfeit SIM cards. Once someone steals a SIM card, there's no need to copy it. The notion is as ridiculous as a someone stealing an armored car full of money, then copying the bills inside! And since the GSM networks allow only one call at a time from any phone number, having multiple copies of a SIM is worthless. As an additional level of security GSM operators have procedures in place which would quickly detect and shut down attempted use of duplicate SIM card codes on multiple phones. Nevertheless, customers should protect their wireless phones and SIM cards the same way they would protect their wallets and bank cards. Subscribers who lose their phone or SIM card should report it immediately to their wireless service company. The lost or stolen SIM can be de-activated to prevent others from using the account. 3. There is no risk of over-the-air eavesdropping. The level of encryption used by GSM makes over-the-air eavesdropping nearly impossible. So far, no one claims that they can listen to the content of conversations or monitor data transmitted over the air on the GSM network, including governments and network operators. Confidentiality of GSM customer conversations remains intact and uncompromised. 4. The ability to copy a SIM card is nothing new. It was always known that this could be done. Last weekend's announcement is really no different from processes GSM providers use all the time to encode smart chips. For several years now, educational institutions and scientific laboratories have demonstrated the capability to extract data from, and copy, smart cards. But it is an extremely complex task and would not be practical for stealing wireless phone service. Besides, even if a handset or SIM card were stolen, GSM operators have the ability and technological tools to shut down fraudulent service quickly. 5. The key code which protects a subscriber identity is not "fatally flawed." This is a somewhat complicated subject. There are two different key codes: first, an authentication code - the A3 algorithm- that protects the customer's identity; second, an encryption code - the A5 algorithm - that ensures the confidentiality of conversations. It has been alleged that the authentication code (A3 algorithm) is weakened because only 54 of the 64 bits are used, with 10 bits being replaced by zeroes. In reality, those final 10 bits provide operators with added flexibility in responding to security and fraud threats. Additionally, the GSM algorithm that the researchers claimed to have broken is the "example" version provided by the international organization that governs the use of GSM technology to its approved carriers for them to create their own individual version. It may not be what is deployed in the market. Several operators have already decided to customize their codes, making them more sophisticated. There has been some confusion about the various types of code used by GSM. In addition to the 64-bit authentication cipher, there is a more powerful voice encryption code (A5 algorithm) which helps keep eavesdroppers from listening to a conversation. This code was not involved in last weekend's announcement. Also, the speculation that GSM's encryption algorithms have been deliberately weakened because of pressure by the U.S. intelligence community is absolutely false. Conclusion While no human-made technology is perfect, customers can still rely on the privacy features and security of GSM's transmission technology. It remains the most secure commercial wireless communications system available today. More than 80 million customers in 110 countries use GSM phones and not one handset has been cloned since the first commercial service was launched in 1992. North American GSM Alliance, L.L.C. is a consortium of U.S. and Canadian digital wireless PCS carriers, which helps provide seamless wireless communications for their customers, whether at home, in more than 1,000 U.S. and Canadian cities and towns, or abroad. Using Global Systems for Mobile (GSM) communications, GSM companies provide superior voice clarity, unparalleled security and leading-edge wireless voice, data and fax features for customers. Current members of the GSM Alliance include: Aerial Communications, Inc., BellSouth Mobility DCS, Cook-Inlet Western Wireless; Microcell Telecommunications Inc., Omnipoint Communications, LLC, Pacific Bell Mobile Services, Powertel, Inc., and Western Wireless, Corp., which continue to operate their own businesses and market under their own names. CONTACT: For Additional Information: Terry Phillips, Omnipoint, (973) 290-2533 OR Mike Houghton, Communicreate, (703) 799-7383 ["What, Me Worry?" -- A.E. Neuman] ------------------------------ Date: Sat, 18 Apr 1998 07:17:02 +0100 From: "Streaky_Bacon" Subject: Re: Mobile phones in gas stations (RISKS-19.68) The Czechs are catching up. Clearly there *is* potential for a mobile telephone (which radiates in the electro-magnetic spectrum) to cause interference. Usually it would have to be pretty close to another device to affect it, or be within a 'Faraday cage' with the other device - hence their ban in crypto rooms (and battery rooms BTW). More concerning (and I think posted here previously) is the RISK of causing an explosion in a gas/petrol station by a spark from the aerial to ground (say the canopy metalwork). That's why their use in petrol stations in banned by law in the UK. ------------------------------ Date: Fri, 17 Apr 1998 02:22:15 -0700 (PDT) From: Morten Norman Subject: Re: HP200 data integrity woes (Cohen, RISKS-19.68) The HP200 story also points out the fact that even a small computer may keep a lot of important information. And thus should be on a regular backup schedule. ------------------------------ Date: Mon, 20 Apr 1998 10:58:16 -0600 From: Steven Murphy Subject: Risk: Going to jail innocently over a speeding ticket The Internet has brought forth several positive things in the world over the past few years, and as most of us know, more and more negative things continue to surface. I was in an unfortunate position to be a "victim" of one of these negatives that has been brought to light the hard way. To make this long story a bit shorter, here's what happened: On November 29, I was traveling from St. Louis to Nashville, Tn. In Paducha, Ky I was stopped for speeding (81 in a 65). Kentucky doesn't have "traffic lawyers", so it was pay or be a fugitive. Well, the Christmans season is always a little short on cash, so I asked for an extension from the court clerk, and was granted until late January to pay the $90 fine. In mid January, a check was written to the Court Clerk for the full amount. End of story, or so I thought. Here's where the risk comes in, and it very well could be happening in your own home state. On April 15, 1998, I received a letter from the state of Missouri saying that my license would be suspended on April 14 if this issue with Kentucky was not resolved due to a "violator's non-compliance pact" that was setup via the internet. The suspension date had already passed, and the state of Missouri would need proof from KY that the ticket had been paid and a $20 reinstatement fee. This letter came via regular U.S. Mail. I contacted KY, and was told payment was never received, then checked with my bank and found out the check had not cleared. I overnighted the check, got a fax of the receipt, and had my license reinstated by April 17, 1998. The kicker is, in the state of Missouri, you are subject to an automatic 90 days in jail for driving on a suspended license. The obvious risk here is simple. Because of the internet communications between states, a person in Missouri can have their license suspended without even knowing it and wind up in jail for it! If the letters announcing suspension were sent via certified mail, that could fix part of the risk, but it's still a dangerous policy to have in place, and it may be the same where you live. Heck, my check to the State of Kentucky was lost- what if the letter from Missouri to me had been lost as well?? My license would still be suspended, I wouldn't know it, and county lockup might have a bed with my name on it just waiting for me! With this in mind, I vote for shutting the Internet down. ;-) Steve Murphy, St. Louis, Mo. ------------------------------ Date: 17 Apr 1997 From: RISKS moderator Subject: Reminder on Privacy Digests Periodically I remind you of TWO useful digests related to privacy, both of which are siphoning off some of the material that might otherwise appear in RISKS, but which should be read by those of you vitally interested in privacy problems. RISKS will continue to carry general discussions in which risks to privacy are a concern. * The PRIVACY Forum is run by Lauren Weinstein. It includes a digest (which he moderates quite selectively), archive, and other features, such as PRIVACY Forum Radio interviews. It is somewhat akin to RISKS; it spans the full range of both technological and nontechnological privacy-related issues (with an emphasis on the former). For information regarding the PRIVACY Forum, please send the exact line: information privacy as the BODY of a message to "privacy-request@vortex.com"; you will receive a response from an automated listserv system. To submit contributions, send to "privacy@vortex.com". PRIVACY Forum materials, including archive access/searching, additional information, and all other facets, are available on the Web via: http://www.vortex.com * The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is run by Leonard P. Levine. It is gatewayed to the USENET newsgroup comp.society.privacy. It is a relatively open (i.e., less tightly moderated) forum, and was established to provide a forum for discussion on the effect of technology on privacy. All too often technology is way ahead of the law and society as it presents us with new devices and applications. Technology can enhance and detract from privacy. Submissions should go to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. There is clearly much potential for overlap between the two digests, although contributions tend not to appear in both places. If you are very short of time and can scan only one, you might want to try the former. If you are interested in ongoing discussions, try the latter. Otherwise, it may well be appropriate for you to read both, depending on the strength of your interests and time available. PGN ------------------------------ Date: 31 Mar 1998 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 18" for volume 18] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS ------------------------------ End of RISKS-FORUM Digest 19.69 ************************