precedence: bulk Subject: RISKS DIGEST 19.79 RISKS-LIST: Risks-Forum Digest Saturday 6 June 1998 Volume 19 : Issue 79 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://catless.ncl.ac.uk/Risks/19.79.html Contents: Radar glitch delays NYC flights (Edelson Doneel via PGN) Air Force One drops off radar again (Edelson Doneel via PGN) FAA orders retraining for air controllers (Peter G. Neumann) Cause of train crash in Germany (Alexandre Sinyakov) 15th century time machine to suffer from millennium bug (Keith Rhodes) UK libel law vs. US free speech (David Wittenberg) Re: Disabling Java and JavaScript (Li Gong) Y2K financial risks (Doneel Edelson) Re: Referer-log security hole (Robert J. Woodhead, Sidney Markowitz, Mark Nottingham, Paul Wright) Re: Navy stops teaching celestial navigation (Danny Burstein, Michael Comiskey) Re: Risks of online phone books (Una Smith) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 5 Jun 1998 14:25:44 -0500 From: "Edelson, Doneel" Subject: Radar glitch delays NYC flights Flights into and out of LaGuardia, Kennedy, and Newark in the NYC area were delayed by an air-traffic control center computer upgrade problem at the Westbury Long Island TRACON (Terminal Radar Approach Control). New TRACON software was first loaded for testing at 5:30 a.m. this morning, but it didn't work properly and the old software was reloaded at 7:10 a.m. Unfortunately, some controllers' screens froze, airspeed, destination, and other information were missing, and operations were slowed down. [USA today, via Associated Press 5 Jun 1998; PGN Stark Abstracting] ------------------------------ Date: Fri, 5 Jun 1998 14:24:35 -0500 From: "Edelson, Doneel" Subject: Air Force One drops off radar again In March, we reported (RISKS-19.63) the momentary outage of the long-range radar unit at Gibbsboro, N.J. (which had been installed in February), with Air Force One disappearing from radar. It happened again over New Jersey twice this morning with the President en route from Washington DC to give the MIT commencement address, the first time for 48 seconds, the second for 36 seconds. (This was reportedly unrelated to the TRACON outage noted in the previous item.) There was also an earlier failure in October 1997 in which radar missed detecting a single-engine plane within 400 feet of a Swissair Boeing 747, forcing the 747 into a steep dive. [USA today, via Associated Press 5 Jun 1998; PGN Stark Abstracting] [At MIT, the President noted that we need better security in our systems. He failed to note (not surprisingly) that Administration policy on encryption is a serious hindrance to better security. PGN] ------------------------------ Date: Sat, 6 Jun 1998 10:01:59 -0500 From: "Peter G. Neumann" Subject: FAA orders retraining for air controllers In light of a 20-foot-separation near-collision of two planes over La Guardia Airport on 3 April 1998, and a 21 May 1998 FAA memo outlining increased errors by controllers (19% increase in operational errors, 49% increase in surface errors), the FAA has ordered retraining of 10,000 of the 18,000 U.S. air-traffic controllers. The significance of the near-disaster came to light only after passenger complaints, whereas tower personnel had failed to report it, and the pilot had notified his regional FAA office rather than the local center. Relating to radar dropouts, Joseph Fruscella (an air-traffic controller, and eastern regional vice president of the National Air Traffic Controllers' Association) said, "Every day we lose approximately 50 planes on the radar" for 30 to 60 seconds. "It's been a problem since day one." [USA today, via Associated Press, and *San Francisco Chronicle* items, p A4, 5 Jun 1998, and p. A1, 6 Jun 1998, PGN Stark Abstracting] ------------------------------ Date: Fri, 5 Jun 1998 22:53:55 +0400 From: "SINIAKOV ALEXANDRE" Subject: Cause of train crash in Germany [The cause of the worst German train disaster in more than 50 years is being blamed on a broken wheel on the first car behind the lead locomotive, according to *The Washington Post*, 6 Jun 1998, noting that investigators had not yet determined whether it was metal fatigue or an outside force. Consequently, this item from Sinyakov seemed worth including as an indication of the diversity of risks that must be considered relating to technology. PGN] The cause of train crash in Germany is a natural phenomenon -- a Local Geophysical Resonance (LGR). LGR is unknown early phenomenon which is connected with an interaction of solar systems planets. It was discovered by professor Alexander Sinyakov. This interaction leads to the excitation of local zone of outerspace. If the frequency of LGR is equal to the critical frequency of crystal structure of object, the failure of objects take place. In the case of train crash in Germany (03 June 1998) the frequency of crystal structure of steel rails and wheels was equal to the frequency of LGR. The crack of rails and may be wheels arose as a result of LGR. Similar cause took place in the crash of train Pendolino in Italy. More detail about LGR look at: http://www.aanet.ru/nauka/siniakov/ http://www.aanet.ru/nauka/siniakov/ Best regards professor Alexander Sinyakov, E-mail san_k11@cit.aanet.ru ------------------------------ Date: Fri, 05 Jun 98 07:12:39 EST From: rhodesk.aimd@gao.gov Subject: 15th century time machine to suffer from millennium bug The oldest time machine in the world destined to suffer from the millennium bug has been found in a museum in Liverpool in northwest England, it was reported Friday. The 400-year-old instrument, which predicts the position of the planets, will stop working at the dawn of the new millennium, unable to accept the date of 1 Jan 2000, like many unadjusted computers around the world, museum curators said. The equatorium, built by an unknown craftsman in 1600, predicts the position of the Sun, Moon, other planets and even eclipses through a system of rotating discs and arms. But the last date inscribed was 1999. "It must have seemed like an eternity at the time," said curator Martin Suggett. [NOTE: These short-sighted engineers. No wonder we have all these problems. From the Japanese press, 5 June 1998.] ------------------------------ Date: Fri, 5 Jun 1998 16:44:46 -0400 (EDT) From: David Wittenberg Subject: UK libel law vs. US free speech Dr. L. Godfrey is suing Cornell university and a former Cornell grad student for libel in London complaining about messages posted by the student (M. Dolenga) on the usenet group soc.culture.canada 3 years ago. Dr. Godfrey has previously settled a case in which he sued a British physicist and won a libel suit against an Australian ISP. He also has two other Internet defamation cases he is pursuing. The general issue here is that UK libel law often prohibits speech which in the US is protected by the first amendment. If the usenet articles were written in the US and transmitted to the UK, which laws apply? "English Court May Test U.S. Ideals on Online Speech" -- *The New York Times* (5 Jun 1998, electronic edition) ------------------------------ Date: Fri, 5 Jun 1998 14:58:23 -0700 From: Li Gong Subject: Re: Disabling Java and JavaScript (Byrd, RISKS-19.78) If you are worried enough about the level of risk that the Java technology (allegedly) brings to you, I wonder why you are brave enough to use a browser, a MIME-enabled e-mail reader, a postscript viewer, or a PC. Li Gong, Java Software Division, Sun Microsystems Inc. ------------------------------ Date: Fri, 5 Jun 1998 15:53:38 -0500 From: "Edelson, Doneel" Subject: Y2K financial risks My company is the major credit insurer in the the USA (and the parent company is the world's largest credit insurer). The marketing department issued a bulletin today outlining the Y2K financial risks in selling on credit to other companies, both domestic and foreign. The focus of the article, of course, is that through the purchase of credit insurance from our company, a business can protect itself against the risks of non-payment, slow payment, and insolvencies. What this means to Risks readers is that the large insurance companies will monitor the main industries and businesses and provide early warnings of financial problems to their clients to reduce or stop selling to those businesses that are at risk of becoming a problem. (After the proper warning, the insurance company is not responsible for any further sales to those businesses). ------------------------------ Date: Thu, 4 Jun 1998 20:59:47 -0400 From: "Robert J. Woodhead (AnimEigo)" Subject: Re: Referer-log security hole (Barger, RISKS-19.78) The difficulty of suppressing the Referer: field is a long-standing problem that has caught people many times in the past. And it is much worse than people think! For example, if you are on an Excite page and TYPE a new URL into the Location: line of your browser, the Referer: field contains the URL of your current page, even though you (logically) didn't come from there! This is a massive security hole that has been reported many times to both Netscape and Microsoft, and never fixed. The only way to prevent such information from being passed is as follows: 1) Make sure that there are no off-site image references on your page; they get the referer too. If you're using a banner exchange service, better hope they are trustworthy! 2) Make all your links to off-site locations indirect through a CGI that returns a page that uses the Refresh Meta tag to load the final destination. A CGI that merely redirects to the destination page will NOT be sufficient; the Referer: of the original page is not changed when a Redirect occurs! You can see the proper technique in operation at http://selfpromotion.com/queue.t ------------------------------ Date: Thu, 4 Jun 1998 19:30:57 -0700 From: "Sidney Markowitz" Subject: Re: Referer-log security hole (Barger, RISKS-19.78) In RISKS-19.78 Jorn Barger talked about referer logs capturing people's Excite passwords and implied that the web search string he mentioned would find such logs. Perhaps this is what he meant when he said "it gets worse and worse", but the problem really is much worse than referer logs. The actual problem is that Excite includes an encoded password in the URL and that encoded password is all that is needed to access and change the personal information that one keeps on the Excite site. Many of the hits on the search string that Jorn mentioned are not referer logs but are pages such as "John Doe's Bookmark List" where someone has published their bookmarked link to Excite, probably not realizing that their password is encoded in it. The resulting URL allows anyone to view the personal information that was entered into the profile and even change the password as a denial of service attack. On the page where I could see one of these John Doe's name, e-mail address, zip code, gender, birthdate and marital status was a link to Excite's "Privacy Policy" where they displayed in bold letters: "Excite will never willfully disclose individually identifiable information about its customers to any third party without first receiving that customer's permission." Other companies provide customizable home pages without creating URLs that when bookmarked give full authenticated access under a user's id. I'll leave the details on how to do it as an exercise for the people who get paid to think them up. sidney markowitz ------------------------------ Date: Fri, 05 Jun 1998 18:45:04 +1000 From: mnot@pobox.com (Mark Nottingham) Subject: Re: Referer-log security hole (Barger, RISKS-19.78) This is due to the poor planning on Excite's part, not any flaw in the protocol. After all, a URL is a UNIFORM resource locator, and shows the path to any definable object. Excite has just misused it; it's perfectly acceptable to use the query component to specify user-specific info (so they can 'log in' from anywhere). To have the authentication in there as well is lunacy; it shows up not only in the referer, but the History, any bookmarks, local cache and any proxies (and their logs) between the user and the server. Mark Nottingham, Melbourne, Australia http://www.pobox.com/~mnot/ Web architecture, design and programming mnot@pobox.com ------------------------------ Date: Fri, 5 Jun 1998 20:31:22 +0100 (BST) From: Paul Wright Subject: Re: Referer-log security hole (Barger, RISKS-19.78) Jorn Barger points out something which people who run their own web-servers have known for a while. Last year, a friend of mine ran a server with the host name of "tickle", named after the Mr Tickle character in Roger Hargreaves' books for children. The site had multiple occurrences of the word "tickle" on its pages, as well, of course, as in the URL. The referer logs from the web server frequently cited search engine pages with query strings which were fairly revealing: it seems adults associate tickling with things that children wouldn't even dream about! I suppose a serious situation could arise from this if an unscrupulous webmaster combined this information with ident daemon logs the server also keeps. Paul Wright, Churchill College, Cambridge http://www.chu.cam.ac.uk/home/pw201/ ------------------------------ Date: Fri, 5 Jun 1998 16:49:20 -0400 (EDT) From: danny burstein Subject: Re: Navy stops teaching celestial navigation (RISKS-19.78) Numerous folk commented on the US Navy plans for dropping most of their "celestial navigation" courses, in favo[u]r of additional training in use of, for example, the Global Positioning Satellite (GPS) system. Much concern was expressed by RISKS contributors as to the dangers inherent in this reliability on high technology - a story well known to all readers here. Might I suggest the obvious solution to this quandary? There is, indeed, a completely separate and fully functional backup to GPS currently in place, namely the GLONASS system placed in orbit by the Russians (and their friends). Given the fiercely competitive, yet complementary, nature of this second system, it's highly unlikely that anything short of our sun going nova would knock them both out. In which case, of course, loss of GPS would be the least of our worries. And as an added benefit GLONASS doesn't suffer from the deliberate degradation placed on the US signal. Danny 'overhead, without any fuss, the satellites guide the way' burstein ------------------------------ Date: Fri, 5 Jun 1998 17:48:08 +0100 (BST) From: michael.comiskey.um@nics.gov.uk (Michael Comiskey) Subject: Re: Navy stops teaching celestial navigation (Kuenning, RISKS-19.78) To add to the fray on the navigation issue: > ... but I'd bet they can get a new GPS broadcaster online in > minutes if they *really* need to. This sounds dubious. The USAF and USN ballistic missiles are relatively small suborbital rockets compared to those used to put satellites into orbit. The Navstar satellites used for GPS are pretty hefty beasts, requiring a large launcher. They also are in a high earth orbit. I cannot see how any of the US ballistic missile fleet, (even the Peacekeeper) could be used to get a navstar into a usable orbit. While there may be some emergency system about, I can't see it being as accurate as GPS. Michael Comiskey michael.comiskey.um@nics.gov.uk Systems Manager, Ulster Museum ------------------------------ Date: Fri, 5 Jun 1998 16:36:48 -0400 (EDT) From: Una Smith Subject: Re: Risks of online phone books (Epstein, RISKS-19.78) Regarding Jeremy Epstein's report of a false alarm gunshot wound, I have had similar but not as frightening experiences. I have a very common surname and a rare given name (it is so rare in the US that I am constantly asked about it). On two occasions, I have received personal e-mail from total strangers who assumed they had "found" a long-lost friend or relative on the Internet. The highly personal nature of this mail was disturbing to me, and the authors were more than a little embarrassed to discover that they had disclosed such personal information about themselves to a complete stranger. And let us not forget the innocent third party: the intended recipient of this mail, some of whose personal affairs were also disclosed to me in these letters. Or maybe these letters were just a new kind of sucker ploy meant to get me, a woman by my given name, to exchange personal mail with the sender. I almost miss the old days when undergraduates at sites in another state would send me Unix talk requests that began with "hey babe, I am watching you across the terminal room", assuming a "babe" would not know where the talk request was coming from, or something... Una Smith ------------------------------ Date: 31 Mar 1998 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 18" for volume 18] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS ------------------------------ End of RISKS-FORUM Digest 19.79 ************************