precedence: bulk Subject: Risks Digest 20.03 RISKS-LIST: Risks-Forum Digest Tuesday 13 October 1998 Volume 20 : Issue 03 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://catless.ncl.ac.uk/Risks/20.03.html and at ftp.sri.com/risks/ . Contents: Computerized gas-pump cheat (Conrad Heiney) Trojan Horse infests 15,000 Internet chat users (Monty Solomon) Computer glitch trips up Dow Jones industrial average (Cliff Sojourner) IE4 and its "magical" features (Chenxi Wang) Unreliable reception of e-mailed WP documents (Daniel P. B. Smith) Microsoft web site denies access based upon Windows regional settings (Eric Ulevik) Risks of installing Microsoft's Media Player (Wade Ripkowski via James Love) Insidious SQL interpreter bug messes up files (David Tonhofer) Netscape Netcenter password hint (Dan Pritts) Radio clock blows daylight savings (Ian Macky) The risks of "keep it simple" [Martin D Kealey) Finland: Fraud with copied banking cards (Kimmo Ketolainen) Offensive information warfare deemed offensive? (PGN) Hackers stay a step ahead of China's cyber-police (PGN) LA 911 outage...backup worked! (Thomas Maufer) Some good Y2K news: whisky will be on tap for Hogmanay 1999 (Declan McCullagh) Military preparations to mobilize for Y2K (Declan McCullagh) Void where prohibited by date (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 9 Oct 1998 12:55:06 -0700 From: "Conrad Heiney" Subject: Computerized gas-pump cheat Today's *Los Angeles Times* reports that the county district attorney has filed charges against four men who are alleged to have replaced computer chips in electronic gas pumps, thus cheating customers of between 7%-25% of their gasoline. The url to the full story is http://www.latimes.com/HOME/NEWS/METRO/t000091711.html According to the story, the problem was hard to detect partly because the chips were programmed to generate accurate results in the five- and ten-gallon amounts used for testing the accuracy of pumps. The RISK here is twofold: That misplaced trust in digital technology can lead consumers not to check things like gas pumps, and that it's easier to fool the regulators with an intelligently programmed cheat. Conrad Heiney conrad@universityaccess.com Manager, Systems & Development University Access, Inc. http://www.universityaccess.com [Also noted by David Lesher, heard on NPR, and Richard Schroeppel. PGN] ------------------------------ Date: Fri, 9 Oct 1998 01:22:14 -0400 From: Monty Solomon Subject: Trojan Horse infests 15,000 Internet chat users Due to a Trojan horse on Internet Relay Chat, Back Orifice (see RISKS-19.90) was apparently made available to up to 15,000 IRC users who transferred files. This was discovered by GeoCities when it received thousands of requests for the nfo.zip file. [Source: Trojan Horse Infests 15,000 Internet Chat Users, By Andy Patrizio, TechWeb, 8 Oct 1998, http://www.techweb.com/wire/story/TWB19981008S0019] ------------------------------ Date: Thu, 08 Oct 1998 12:02:46 -0700 From: Cliff Sojourner Subject: Computer glitch trips up Dow Jones industrial average The Dow Jones Industrial Average was erroneous for the first 12 minutes Thursday morning 8 Oct 1998, resulting from the merger of, with the resulting Citigroup using Citicorp's ticker symbol, CCI. The previous night's closing price of Citicorp (in the $70s) was used instead of the Citigroup opening price (31.75). [Source: Computer glitch trips up Dow Jones industrial average, By Margaret Kane, ZDNet, 8 Oct 1998; PGN Abstracting] Cliff Sojourner, Cisco Systems Inc. cls@cisco.com (408) 527-7637 170 W. Tasman Drive, SJ CA 95134 bldg H2/cube E2-7 [Also noted by Doneel Edelson] ------------------------------ Date: Mon, 12 Oct 1998 10:25:34 -0400 From: Chenxi Wang Subject: IE4 and its "magical" features Last week my Windows 95 machine refused to boot, citing a protection error in the IO unit. My system staff, after laboring over my machine for some time, told me that it was due to a bug in the IO, and that according to Microsoft, the only way to fix it was to install IE4! So IE4 was installed, and sure enough, it fixed whatever problem the machine was having. I was doing some disk cleaning up this past weekend, and I accidently deleted some files that appeared to have been installed by the IE installation. Curious to see if IE still worked, I double clicked on the icon. Guess what happened? -- It launched my netscape communicator to the URL of the IE download site! I was incredulous... Chenxi Wang University of Virginia ------------------------------ Date: Fri, 9 Oct 1998 09:55:45 -0400 (EDT) From: "Daniel P. B. Smith" Subject: Unreliable reception of e-mailed WP documents Some unpleasantness occurred in a meeting recently. Person A said that the reasons he hadn't performed a task was because he was still waiting for Person B to supply some needed information. Person B said he'd supplied it a week ago in a specific memo which he'd distributed via e-mail. Person C said, "I got it and I'm almost sure I saw A on the distribution list." Person A said "I got the earlier version where all of those numbers were blank, but I've never gotten anything that had the numbers." Person B said "What version where the numbers were blank?" Person E said "You know, the one you sent out about a week ago. I never got the one with the numbers filled in, either." On comparing notes, it turned out that a single version of the memo had been e-mailed, and when opened by about half the participants a critical table was complete and had information visible in all columns, and about half of them had a column in which all cells were blank. All recipients of the damaged version had simply assumed that the blank cells were intentional. Incidentally, this was a 100%-pure-Microsoft situation, involving no version of Word more than a year old (no version skew of more than one version) and involved RTF format which is the format Microsoft specifically designates for document transfer. There was no obvious pattern to the problem; the originator used Word 97 on a PC, and some receivers using Word 98 on a Mac received it correctly while some receivers using Word 97 on a PC got blank columns. We don't know the full story but it is suspected that the set of fonts installed, the OS version, the screen dimensions and resolution, and the kind of printer the user is connected to may all play some part in this crazy equation. The RISK here is the same as with any other kind of unreliable communication that is falsely _assumed_ to be reliable. Notice that, in general, when you send a word-processing document to someone else, _the sender has no reliable way to confirm what the receiver will ultimately see and print. Unless the user guesses there is something wrong and complains, the problem is likely to go undetected. Even when the problem is detected, it is usually hard to resolve, because nothing in the system logs all the configuration information that would be needed to resolve it. Unless the recipient is a colleague in an adjacent cubicle and is willing to experiment with you in real time, problems of this kind are likely to remain unsolved. Daniel P. B. Smith ------------------------------ Date: Tue, 6 Oct 1998 18:59:44 +1000 From: "Eric Ulevik" Subject: Microsoft web site denies access based upon Windows regional settings I use home.microsoft.com as my home page under Internet Explorer 4.01 SP1 running on Windows NT 4.0. I have customized the data; I like the presentation. Today, I found that I can no longer access my home page. The browser is redirected to ninemsn.com.au - a local web site put together by Microsoft and Channel 9 (an Australian TV station). ninemsn tells me that this is "MSN strategy". But other PCs in the same office are not redirected. The significant difference appears to be that the other PCs are set to US date formats. The risk is that configuring your computer's date format has surprising consequences. Eric Ulevik ------------------------------ Date: Sat, 03 Oct 1998 17:21:44 -0400 From: James Love Subject: Risks of installing Microsoft's Media Player James Love, Consumer Project on Technology, P.O.Box 19367, Washington, DC 20036 http://www.cptech.org love@cptech.org 202.387.8030, fax 202.234.5176 <--begin message from Wade Ripkowski--> Subject: RE: Sony PC & Windows 98 Licensing Date: Fri, 2 Oct 1998 14:21:23 -0400 >From: "Ripkowski, Wade" To: "'James Love'" I just hate being abused by Microsoft. I just encountered a whole new issue with Microsoft's "new" Media Player that you may be interested in as well. I installed it and it changed EVERY multi-media association on the machine to use itself as the player. The problem here is that the media player I was using up until then utilized the hardware based MPEG decoder and subsequently played MPEG video better (no jumping). MS Media Player also redirected the CD Audio player to itself. Again the audio player I used before was much better. To make a long story short. I opted to "uninstall" it think my system would be put back the way it was. Boy was I wrong. It uninstalled itself and changed all the multi-media associations to use Microsoft ActiveMovie! Now I am left with a system in which I must reinstall the Audio/Video applications I want in order to use them, and to top it off, my RealAudio player no longer works either! I spoke with a friend of mine this morning and he ran into the exact same problem I did, although he has a Gateway machine. I think this is somewhat along the lines of the "browser battle". It looks as if Microsoft knows they lost the battle, but if they cant own that, then they will own the multi-media portion of the machine. They advertise "forget all the plug-ins, all media, one player". So I should have read the literal meaning -- my mistake. And they are dumping this product free to everyone on the internet. This will surely hurt Real, Inc., and possibly other similar companies. I am not opposed to one vendor writing all the software for the PC I use, if that software works properly and at an acceptable performance level. If one vender wants all the business, fine, make software that earns it on merit, not on price / availability!!! [...] <--end message from Wade Ripkowski--> ------------------------------ Date: Tue, 13 Oct 1998 12:08:56 +0200 From: David_Tonhofer@ept.lu Subject: Insidious SQL interpreter bug messes up files Recently, the informatics department of our company found out - quite by accident - that the SQL interpreter on our midrange server (made by a well-known manufacturer) exhibited an interesting bug - in interactive and dynamic/compiled-in SQL queries. An UPDATE query with an assignment of a constant value to a numeric field 'a' set 'a' field to '0' in case of a simultaneous assignment with any field on the right-hand side of that assignment and a 'WHERE'-condition, like so: UPDATE table SET a = 10, b = b+b WHERE c > 10 resulted in 'a' having value 0 for all c > 10, whereas UPDATE table SET a = 10.0, b = b+b WHERE c > 10 succeeded. Yuck! With a bug like this, your company database might slowly turn belly-up without anyone noticing. Anyway, after the manufacturer's help-desk had analyzed the problem, we applied patch SF47057 and everything was well ever after (we hope). Risk: Do not forget to apply your patches. Also, the system your are building on or upgrading to might be flakier than you thought. -- DaTo ------------------------------ Date: Mon, 12 Oct 1998 16:02:36 -0400 From: Dan Pritts Subject: Netscape Netcenter password hint My Netscape is part of Netscape Netcenter, the service that Netscape is pushing as its entry to the Net portal business. My Netscape has, like most such services, a new account sign-up form. This form is available via a 320+char URL which i have omitted for the sake of buggy mailers, and via the red "personalize" button in the upper left corner of http://my.netscape.com/ (presumably only if you aren't already a member). On this (non-encrypted) page, next to a field labeled "Enter a password hint:", you're given the following explanation of a password hint: If you forget your password, Netcenter will present you this password hint to help jog your memory. Example hint:"same password as my bank acct.". The risks are obvious. Amusingly, my initial attempt to send this report to Netscape failed; the "Feedback" link at the top of the same page is broken. danno dan pritts ------------------------------ Date: Thu, 8 Oct 98 16:21:25 PDT From: Ian Macky Subject: Radio clock blows daylight savings For the first time in many years I foolishly purchased a new high-tech consumer product: a clock with built-in radio receiver which listens to broadcast time standard and keeps synchronized. It's been accurate to the second since I turned it on... until last week, when one morning it was exactly one hour early. It ended daylight savings time too soon! Naturally, you can't force this clock in any way. You can't set the time, or change whether it honors daylight savings. You're at the mercy of a distant radio transmitter. KISS! I should have known better. It's too bad noone is manufacturing any of Harrison's old designs (has everyone read "Longitude"?). --ian ------------------------------ Date: Mon, 05 Oct 1998 12:40:46 +1300 From: Martin D Kealey Subject: The risks of "keep it simple" [Re: Cohen, RISKS-20.02) Sometimes simplicity can be deceptive; once again an example of making a simple stand-alone system in the present, without considering how it shifts complexity into other systems, either now or in the future. Fred Cohen wrote: > Rule 2: You can sign up or off the list in the same way as you > make submissions to the list. With respect, I'd like to suggest this isn't such a good idea. > Because we are fully moderated, it all goes to the same place anyway. In short, this is a non-sequitur, and irrelevant from the list subscribers' point of view... It is always possible to start with multiple addresses aliased together; it's a lot harder to start with one address and later get everyone out there to stop using it for everything, especially as most of the people you would want to stop will be people you've never heard from before (new subscribers) and therefore won't have had the chance to tell them that it's changed. It's very difficult to un-make an omelet. At some point in the future you may wish to revise your configuration; there are many reasons why it might need to be changed, but, for example, you may wish to have multiple moderators, while keeping list management under the control of a smaller group (even just one person). When that happens, it will be a lot easier to maintain the list with separate addresses for the separate functions. As a secondary effect, not publishing such a standard address indirectly impacts on other mailing lists -- which necessarily may have separate addresses for some or all of submissions, subscriptions, administration, anonymizing, accounting and transport -- by not discouraging people from sending requests to the submissions addresses. Not everyone running a mailing list has the time or dedication to hand-moderate everything, so I'd rather not encourage newcomers to make random broadcasts; "please add me to your list" gets to be quite an irritation to subscribers who are quite unable to do anything about it, while the list maintainer won't even see such a request unless they read (or moderate) the list. -Martin ------------------------------ Date: Thu, 8 Oct 1998 07:47:27 +0300 (EET DST) From: kk@sci.fi (Kimmo Ketolainen +358 40 55555 08) Subject: Finland: Fraud with copied banking cards Someone apparently succeeded last Saturday in the old trick of copying banking cards' magnetic stripes and reading then the PIN codes from the keypad over the shoulder. What makes this scam spectacular is that the artist(s) had attached an additional "small black" card reader on top of the opening of the real reader in the cash dispenser. They managed emptying some 60 accounts worth roughly 180 000 FIM (36 600 USD). In all, 500 customers have to renew their cards after using that particular cash dispenser on Aleksanterinkatu in Helsinki during the evening. No one has been arrested yet. The three largest banks started to issue banking cards with a chip on top last year, but all cards still come with a magnetic stripe as well. Using a banking card in the chip card slot instead of the other one would have prevented this type of attack. Kimmo Ketolainen, Finland +358 40 55555 08 [GREAT address: sci.fi! PGN] ------------------------------ Date: Tue, 13 Oct 1998 7:12:13 PDT From: "Peter G. Neumann" Subject: Offensive information warfare deemed offensive? ``Hackers calling themselves the Electronic Disruption Theater allege the Pentagon used illegal offensive information warfare techniques -- a charge DoD officials deny -- to thwart the group's recent computer attack. At issue is whether in fighting back against the hackers, the Pentagon crossed the line into so-called offensive information warfare, and perhaps violated US laws that prohibit anyone from covertly accessing another's computer. The issue of computer crimes, however, is highly controversial because US legislation has not kept up with the capabilities of computer technology.'' This arose after a 9 Sep 1998 attack against DefenseLink, DoD's primary public information Internet site. The Pentagon apparently created Java applet (``Hostile Applet'') that shut down targeted browsers of hackers contributing to the collaborative attack. [Source: Hackers take offense at Pentagon defense; Experts Say DoD response treads fine legal line, *Defense News*, By George L. Seffers, 7 Oct 1998; PGN Very Stark Abstracting] ------------------------------ Date: Tue, 13 Oct 98 5:52:01 PDT From: "Peter G. Neumann" Subject: Hackers stay a step ahead of China's cyber-police Computer crime is increasing in China, with more than 100 cases in the past two years, one involving theft of $1.2M. As a result, China is ratcheting up its Internet police and surveillance capabilities. Previous efforts have concerned pornography and undesirable political messages. Penetrations are now illegal, subject to up to five-year sentences. [Source: *People's Daily*, via Reuters News Service, 12 Oct 1998; PGN Abstracting] ------------------------------ Date: Mon, 12 Oct 1998 13:37:44 -0700 From: Thomas Maufer Subject: LA 911 outage...backup worked! Wow, a backup system that actually worked. Of course, if the 911 sytem had had more than one source of electrical power, the backup might never have needed to be activated. Tom >L.A.'s 911 Goes Out For 17 Hours - (LOS ANGELES) -- Los Angeles police >are pleased their 911 backup system works...following a 17-hour >breakdown in the 911 system. Not a single emergency call was lost >during the switch-over. The emergency system was knocked out during a >fire in an underground storage area at City Hall on Saturday afternoon, >when water from the sprinklers seeped into the electrical system below. >Authorities shut down power to the system, and the backup system kicked >in...re-routing all calls to either individual police stations or the >California Highway Patrol. The fire began in some unstable, illegal >fireworks being kept for an investigation. ------------------------------ Date: Fri, 25 Sep 1998 06:13:45 -0700 (PDT) From: Declan McCullagh Subject: Some good Y2K news: whisky will be on tap for Hogmanay 1999 http://www.scotsman.com/interactive/it16nips980923.1.html Distiller is 100% millennium proof Whisky drinkers should be assured of their tipple being on tap for Hogmanay 1999, says Alan Crawford Whisky tipplers can rest easy after the announcement last week that a technological crisis that had threatened to halt the flow of Scotch has been narrowly averted. Burn Stewart Distillers, whose brands include Tobermory Single Malt and Wallace Liqueur, has declared that its computer systems will be millennium compliant by the end of the year. Although the whisky industry is steeped in tradition, it relies heavily on computers to control many aspects of production and marketing. Burn Stewart alone sells about 18 million bottles a year to 500 major customers. Failure to deal with the millennium bug - which threatens global computer meltdown due to an inability to recognise the date change from 1999 to 2000 - could result in widespread disruption of the distilling, bottling and marketing processes. [...] POLITECH -- the moderated mailing list of politics and technology To subscribe: send a message to majordomo@vorlon.mit.edu with this text: subscribe politech More information is at http://www.well.com/~declan/politech/ ------------------------------ Date: Sat, 10 Oct 1998 14:30:52 -0700 (PDT) From: Declan McCullagh Subject: Military preparations to mobilize for Y2K [Declan notes that the Wisconsin National Guard is preparing to mobilize for Y2K http://www.jsonline.com/news/1007y2k.asp, as are Toronto-area army reservists, considering stockpiling food and generators. 2000 cyberglitch the major concern for Canadian forces, By Patrick Cain] ------------------------------ Date: Wed, 7 Oct 1998 14:48:02 -0800 From: Rob Slade Subject: Void where prohibited by date Yesterday my wife brought home a copy of a letter that her organization had received from their insurance broker. As could be expected, this document, produced by the Insurance Bureau of Canada, warns that insurance is probably not going to pay out if something happens that is related to a Y2K bug. (They use more words to say it, of course.) The pamphlet warns about a number of things that should be checked, and could be used to generate a reasonable list of items to be confirmed. Unfortunately, how you might go about checking them isn't covered. (There is one sidebar on checking the BIOS clock for a PC.) However, that wasn't all that came in the mail yesterday. There was a catalogue from a company that sells promotional material related specifically to anniversaries. With it was a covering letter congratulating them on their tenth year in business, coming up this spring. The institution my wife works for was founded in 1889. rslade@vcn.bc.ca rslade@sprint.ca slade@freenet.victoria.bc.ca virus, book info at http://www.freenet.victoria.bc.ca/techrev/rms.html ------------------------------ Date: 23 Sep 1998 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 19" for volume 19] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 20.03 ************************