Subject: Risks Digest 20.14

RISKS-LIST: Risks-Forum Digest  Sunday 3 January 1999  Volume 20 : Issue 14

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and at ftp.sri.com/risks/ .

Contents:
Car computer directs couple into river (PGN)
Swedish passport system struck by 99 (Ulf Lindqvist)
Swedish Giroguide also hit by 99 (Martin Minow)
Excel bug (Tom Rowe)
Chinese sentence hackers to death (John Knight)
Student can criticize school on web site, judge says (Declan McCullagh)
Hackers have fun with Furby (Robert Raisch via Dave Farber)
Now you see it, now you don't (Jerry Leichter)
Y1999: Risk of re-using data fields for error signaling (Daniel A. Graifer)
99-Year retrospective health insurance - or Y2K problem (Fraser McHarg)
San Francisco power outage and the risks of signs (Eric Leif)
Page-layout program hazards (Jordin Kare)
Some new things to try at all.net (Fred Cohen)
Privacy Digests (RISKS moderator)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 28 Dec 1998 09:30:46 -0500
From: "Peter G. Neumann"
Subject: Car computer directs couple into river

A German couple drove their BMW with great confidence under control of its
computerized satellite navigation. Indeed, they drove it past a stop sign,
down a ferry ramp, and into the Havel River in Caputh, near Potsdam/Berlin,
Germany. The computer system reportedly neglected to tell them they needed
to wait for the ferry. Ship traffic was stopped for two hours, but the couple
was OK.

[Sources: PGN Abstracting from numerous multiply submitted similar
copyrighted stories, several quoting different officials reminding us that
we should not blindly rely on technology. Big surprise to RISKS readers!
But for the price of a Beemer, I thought it drove on water. PGN]

------------------------------

Date: Fri, 1 Jan 1999 21:51:10 +0100 (MET)
From: Ulf Lindqvist
Subject: Swedish passport system struck by 99

In Sweden, the first report about a 99-related computer problem already
appeared on 1 Jan 1999. The Swedish police can normally issue provisional
passports at the three main international airports in Sweden. But on the
first day of 1999, no passports could be issued because the computer system
could not handle 99. Four people in Stockholm and two in Goteborg had to
cancel their trips because they could not get their passports. The system
was reported to have been fixed during the afternoon.

[Primary source *Sveriges Televisions Text-TV*, January 1 1999]

A couple of things to note:

Of course it is a risk to try to travel abroad without having a passport,
but there could be good reasons - family emergencies, for example.

The ordinary Swedish passports were changed in 1998 to conform with European
Union regulations, but in this case the system must be much older or based
on old components (if the designers were not extremely shortsighted).

Most businesses do not open until Monday 4 Jan - we could expect to hear
about more 99-problems then, I guess.

Ulf Lindqvist, Department of Computer Eng., Chalmers University of Technology
SE-412 96 Goteborg, SWEDEN  +46 31 772 17 60  ulfl@ce.chalmers.se

[Also reported by Martin Minow, and by Debora Weber-Wulff, who notes that 99
seems to be used often in Sweden to denote "end-of-file"... PGN]

------------------------------

Date: Sat, 2 Jan 1999 10:02:39 -0800
From: Martin Minow
Subject: Swedish Giroguide also hit by 99

The New Year provided an early taste of Y2K in Sweden. According to the
Stockholm newspaper, *Svenska Dagbladet*, the modem-based "Giroguide"
payment service run by the PostGiro refused to process payments "if the
payer provided a specific date in 1999".
(PostGiro is a convenient payment system run by the Post Office used as
widely as checking accounts in the United States.)

"It was due to a programming error" ... that can depend on the combination
"99" that, in some cases, is used to mark end-of-run. Since you can enter
payments up to a year in advance, it may also be due to a year-2000 problem,
but Jarl Dahlerus, who is responsible for E-PostGiro, doesn't believe this
is the case. If any customer is affected by the error, they will be
compensated by PostGiro.

Translated and summarized by Martin Minow, minow@pobox.com

------------------------------

Date: Thu, 31 Dec 1998 23:02:41 +0100
From: "Tom Rowe"
Subject: Excel bug

I imagine this has been discussed some, but in case it hasn't.

If you enter a number, say 123456789999 in Excel and save the file as comma
delimited (csv I think MS uses) it will be saved as 1.234567E+11. Quite a
few programs can't import this properly, including Word. But what's worse,
bringing it back into Excel gives you 123456700000.

I think the risks are fairly obvious. I wonder if the large bank I work for
(which has standardized on Excel) knows about it. When opening an account I
guess not only do I need to ask banks the interest rates, fees etc, but also
what software they use. Sheesh.

Tom Rowe, Atlanta, GA

------------------------------

Date: Thu, 31 Dec 1998 12:38:59 -0500 (EST)
From: John Knight
Subject: Chinese sentence hackers to death

Twin-brother computer hackers sentenced to death in China
(Deutsche Presse-Agentur, 28 Dec 1998)

Two Chinese computer hackers who illegally transferred 720,000 yuan (about
87,000 dollars) to their own bank accounts have been sentenced to death, the
Beijing Chenbao newspaper said in its Monday edition. The hackers, twin
brothers, had used inside information to rob a bank in the city of
Zhenjiang, the report said. One of the brothers, Hao Jingwen, opened 16
accounts under false names in September, the report said.
Then he entered a branch of the Trade and Industry Bank in Zhenjiang, in
Jiangsu province, and installed a piece of equipment in the bank's computer
system.

http://web.lexis-nexis.com/more/cahners-chicago/11407/4120740/4

[Extracted from NMIA ZGram, zhi@zgram.net (Zhi Hamby)]

------------------------------

Date: Tue, 29 Dec 1998 18:02:45 -0500
From: Declan McCullagh
Subject: Student can criticize school on web site, judge says

This case reminds me of another I wrote about earlier this year -- but with
a happier ending:
http://cgi.pathfinder.com/time/digital/daily/0,2822,12983,00.html

http://www.wired.com/news/news/politics/story/17068.html
[Also AP item 28 Dec 1998]

School Dazed by Speech Ruling, by Declan McCullagh

A Missouri high school cannot punish a student for criticizing a teacher on
a personal Web page, a federal judge ruled Monday.

Saying the school violated free speech rights protected by the First
Amendment, District Judge Rodney Sippel ordered the Woodland School District
to let the student publish his site from a home computer.

"Disliking or being upset by the content of a student's speech is not an
acceptable justification for limiting student speech," Sippel wrote in a
17-page opinion.

POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo@vorlon.mit.edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/

------------------------------

Date: Sun, 27 Dec 1998 11:05:23 -0500
From: Dave Farber
Subject: IP: Hackers have fun with Furby (from Robert Raisch)

See Also: Reverse Engineering the LEGO RCX
http://graphics.stanford.edu/~kekoa/rcx/talk/

From: "Robert Raisch"

(When you provide technically capable, questing minds with simple, cheap and
effective communications channels, they do what comes naturally. This is why
DIVX is doomed.
/rr)

Hackers have fun with Furby, BY MARGIE WYLIE, Newhouse News Service
http://www7.mercurycenter.com/business/top/080145.htm

Excerpt:

While some people see a lovable little friend in this year's answer to
Tickle Me Elmo, toy hackers like the 25-year-old programmer see a
challenge: make Furby do as they command.

Why? Why not? ``I figured it would be neat,'' said Tokash, who has created a
Web site for Furby hackers to swap information
(http://www.homestead.com/hackfurby). ``Somebody's going to hack this thing;
I might as well be one of them.''

The Furby was designed by Tiger Electronics of Illinois to squeal, sneeze or
snore and speak 200 words in a language called Furbish. And since its
October introduction, hackers have skinned, autopsied and beamed the
cloyingly sweet animatronic fur-ball with different infrared signals. The
results, in excruciating detail, are posted on the Web.

Rob Raisch, Internet Technical Hired Gun

------------------------------

Date: Fri, 25 Dec 98 08:34:22 EST
From: Jerry Leichter
Subject: Now you see it, now you don't

The Net remembers everything; the Net forgets everything. What's the effect
on traditional ideas of research?

The Web these days relies on search engines. These are commercial ventures,
whose distinguishing features are in the technologies used to implement the
Web crawlers, indexers, and other components. Details of these technologies
have remained closely guarded trade secrets.

A group at Stanford University set out to do research on some nice new ideas
for search engines, applying and extending some traditional ideas from
library science to estimating relevance and importance of various Web pages.
The algorithms used, the architecture of the system, and other interesting
stuff, was published as a series of reports, which appeared - naturally
enough - on the Web at the group's Web site
(http://google.stanford.edu/about.html).

If you're interested in learning more ... you're too late.
If you go to that site, you'll find that the research group no longer
exists. It's been reconstituted as a corporation, Web site
http://www.google.com/company.html. That site currently has very little on
it. The research papers are no longer on the Web.

Now, I have no objection to the researchers going off to start a company. I
wish them the best of luck, even as I worry about the effect the drain of
talent from the academic world will ultimately have. However, I am concerned
about the removal of previously-public research material. We hear repeated
complaints that traditional journals don't accept URL's as bibliographic
citations. If *even a university research department* approves the removal
of on-line versions of its own research papers, how can we take the Web
seriously as a resource for scholarship?

Note that, even if the commercial venture decides to put the papers on-line
at its site, that would not be good enough. First of all, if anyone has a
citation to the papers at the old site, the citation should be good on its
own - it should not require a chase to another site. More important,
however, commercial Web sites come and go. Even with the best of intentions,
a commercial Web site is not a stable academic reference. If the new company
fails; or if it succeeds, but is acquired by a larger company and disappears
as a separate entity; the papers will likely vanish forever.

[Increasingly, much valuable research from the past is being forgotten.
Unfortunately, the operative motto seems increasingly to be ``If it is not
now on the Web, it never existed.'' PGN]

------------------------------

Date: Wed, 30 Dec 1998 13:12:25 -0500
From: "Daniel A. Graifer"
Subject: Y1999: Risk of re-using data fields for error signaling

"1999 problems with medical device clocks found" discusses two medical
devices that the FDA is warning hospitals of non-health threatening failure
in 1999. The HP defibrillator will print "set clock" instead of the date on
its printed record.
The other, a patient monitor, will also fail to correctly report the date in
its logs. Obviously, somebody made "99" mean "clock needs to be reset".
These are relatively new devices. Were they really so short of memory that
they couldn't find a bit somewhere for this flag?

Daniel A. Graifer, Parker & Company 1-888-426-6548
Andrew Davidson & Company, 588 Broadway, Ste 610, NY 10012 1-212-274-9075

[Note: relating to Jerry Leichter's Y2K item in RISKS-20.13, various folks
observed that 9 Apr 99 is the 99th day of 1999, which in some programs is
represented as 9999, an erstwhile stopcode. PGN]

------------------------------

Date: Tue, 29 Dec 1998 13:40:58 +1000
From: Fraser_McHarg@nag.national.com.au
Subject: 99-Year retrospective health insurance - or Y2K problem

Last week I received my Health Insurance renewal notice with the period of
cover listed as "From: 4 January 1999 To: 4 January 1900". Since I was not
alive for most of the 99-year period I am intending to decline their
generous retrospective insurance offer.

It does not bode well, that in December 1998, HBA, one of the larger Health
Insurance companies in Australia can presumably be so far behind in its Year
2000 project that they have not tested the production of their primary
revenue collection document. Many other companies have already finished
their Year 2000 projects.

Now is the time that annual renewals for all sorts of things will be issuing
that should have expiry dates falling in January 2000; it will be
interesting to see how many other 1999 to 1900 renewals appear.

[Many people are actually expecting some serious problems beginning next
week for insurance companies and others who have to deal with dates a year
ahead. PGN]

------------------------------

Date: Wed, 23 Dec 1998 03:10:26 -0500
From: REMOVE_ericleif@mindspring.com (eric leif)
Subject: San Francisco power outage and the risks of signs (Horiuchi, R-20.13)

The mention of a pipe and the risk of not having a sign reminded me of an
incident.
Some background information: this took place in a nuclear training facility.
For the most part a "real" plant wouldn't have as many tags and signs as
this plant, but every pipe, wire, machine was labeled. So that's the stage,
and the pipe in question had the label CPW. The meaning of that pipe was
taught early, and everyone there knew what it was, so much so, in fact, that
there was an ongoing joke about its meaning as Coffee Pot Water; however,
the real meaning of that acronym is Controlled Pure Water. And what that
means is this water could be potentially contaminated.

Anyway you can probably guess the conclusion of this story, but I will
continue anyway. A new trainee had apparently heard the joke before the
lesson, and used CPW to fill up a coffee pot.

The risks here are many. The joke definition of the above incident is really
a risk with human nature or boredom of being over trained perhaps, but that
aside. The use of acronyms is certainly a risk and I'm sure it's been seen
on this list many times. Even without using acronyms, the above sign could
still be misinterpreted; Controlled Pure Water sounds at first like it's
pure and guaranteed to be so. Most people at this plant knew what controlled
meant in context of this plant, but others? And back to the SF power outage,
had that pipe been labeled substation ground, would that have meant anything
to a construction crew?

The real risk of this power outage would seem to me a physical security
risk, as with the CPW incident. Neither of these things needed to be easily
accessible, but once they are humans will err.

-eric leif

------------------------------

Date: Tue, 29 Dec 1998 10:54:49 -0800
From: jtkare@ibm.net (Jordin Kare)
Subject: Page-layout program hazards

In RISKS-20.13, Ben Sherman noted that Quark Xpress, as part of a "feature"
allowing embedded ASCII string commands, would silently convert >> to >,
mangling published UNIX listings.
This is by no means a new problem, and is, I think, inherent in the use of
embedded commands.

Circa 1981, I was typesetting a songbook using TROFF, the UNIX typesetting
program in which one flags command lines embedded in text by starting them
with a period (.), e.g., .PP signals a new paragraph. After some 2000 copies
of the book had been printed and put on sale, we discovered that, in perhaps
a dozen places, entire lines of text had vanished. (This is remarkably
difficult to detect when proofreading familiar songs, similar to losing
complete sentences out of prose text). On close examination, we found that
TROFF had silently "eaten" every line beginning with an apostrophe (').
VERY close reading of the TROFF manual revealed that the apostrophe is an
alternate command line marker, so that any line starting with an apostrophe
will be treated as a command. This fact was noted in one obscure footnote,
and not referenced anywhere else.

Why the programmers thought the apostrophe was a "safe" character to use is
unclear, but seems to follow the same logic that caused the Quark Xpress
bug: in "normal" writing, one does not use >>, nor start a line with an
apostrophe. However, these occur frequently in specific types of writing:
in UNIX shell scripts for >>, and in poetry or song lyrics for lines
starting with apostrophes (which frequently use contractions like 'Til and
'Tis).

The consistent Risk is that any reserved character combination, no matter
how obscure, may occur in someone's text, quite possibly without them
realizing it. If there is a solution (other than really careful
proofreading of typesetting-program output) it presumably includes
conspicuously documenting such combinations, ruthlessly minimizing their
number, and trying very hard to avoid anything even remotely likely to be
entered other than deliberately.
Jordin Kare

------------------------------

Date: Thu, 24 Dec 1998 17:52:22 -0800 (PST)
From: Fred Cohen
Subject: Some new things to try at all.net

Just thought RISKS readers would like to know about a few New Year's gifts
from all.net:

I thought many of you might be interested in the newest "game" on
http://all.net/

The Cracking Game

In this 'game', we teach defenders about attack and defense techniques by
having them try to tell us how they would crack into a variety of different
sorts of systems and having various defensive things happen to them along
the way. It is also a lot of fun and somewhat of a challenge. Just select it
from the "Would you like to play a game?" Menu and press Go. Please note
that the game is still under development and your comments will be greatly
appreciated.

I have also put up a beta-test version of an automatic game:

The Network Security Simulator

This simulator is intended for design, attack, and defense analysis for
computer networks, but it may also be of some interest from a gaming
viewpoint. It has just been added to the games menu at http://all.net/
Just select "Network Security Simulator", select inputs from the menus,
press go, and see the results. Press "reload" to simulate again - with
different results of course. Your comments again will be appreciated.

Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171

[Standard RISKS disclaimer. In this case, FC's work at FC&A is separate and
independent from any work he does at Sandia. PGN]

------------------------------

Date: 17 Apr 1997
From: RISKS moderator
Subject: Privacy Digests

Periodically I will remind you of TWO useful digests related to privacy,
both of which are siphoning off some of the material that would otherwise
appear in RISKS, but which should be read by those of you vitally
interested in privacy problems. RISKS will continue to carry general
discussions in which risks to privacy are a concern.

* The PRIVACY Forum is run by Lauren Weinstein.
It includes a digest (which he moderates quite selectively), archive, and
other features, such as PRIVACY Forum Radio interviews. It is somewhat akin
to RISKS; it spans the full range of both technological and nontechnological
privacy-related issues (with an emphasis on the former). For information
regarding the PRIVACY Forum, please send the exact line:

   information privacy

as the BODY of a message to "privacy-request@vortex.com"; you will receive
a response from an automated listserv system. To submit contributions, send
to "privacy@vortex.com".

PRIVACY Forum materials, including archive access/searching, additional
information, and all other facets, are available on the Web via:
http://www.vortex.com

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
run by Leonard P. Levine. It is gatewayed to the USENET newsgroup
comp.society.privacy. It is a relatively open (i.e., less tightly
moderated) forum, and was established to provide a forum for discussion on
the effect of technology on privacy. All too often technology is way ahead
of the law and society as it presents us with new devices and applications.
Technology can enhance and detract from privacy. Submissions should go to
comp-privacy@uwm.edu and administrative requests to
comp-privacy-request@uwm.edu. (For example, vol 13, issue 031, 23 Dec 1998,
has a long item on random credit-card fraud via small charges.)

There is clearly much potential for overlap between the two digests,
although contributions tend not to appear in both places. If you are very
short of time and can scan only one, you might want to try the former. If
you are interested in ongoing discussions, try the latter. Otherwise, it may
well be appropriate for you to read both, depending on the strength of your
interests and time available.

PGN

------------------------------

Date: 23 Sep 1998 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest.
Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
   if possible and convenient for you. Alternatively, via majordomo,
   SEND DIRECT E-MAIL REQUESTS to with one-line,
     SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
     INFO [for unabridged version of RISKS information]
   .MIL users should contact (Dennis Rears).
   .UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites,
   copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues.
   *** All contributors are assumed to have read the full info file for
   guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks
   or ftp ftp.sri.com
      login anonymous
      [YourNetAddress]
      cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
   or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   PostScript copy of PGN's comprehensive historical summary of one liners:
   illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.14
************************
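Added illustration (not part of the digest) of the in-band error signalling in Daniel Graifer's medical-device item and PGN's "9999" note: a two-digit year field that doubles as a "clock needs reset" flag, beside a version with a separate validity bit, plus an audit of which dates collide with a 9999 stop code. The unpadded year+day-of-year key layout is an assumption about the programs PGN refers to.

```python
from datetime import date, timedelta

# Constructed values mirroring the items above: "99" reused as a status
# marker in a two-digit year field, and "9999" as a batch stop code.
CLOCK_RESET_SENTINEL = 99
STOP_CODE = "9999"


def decode_year_in_band(yy: int) -> str:
    """Overloaded scheme (the risk): the data field doubles as the error flag,
    so a genuine year of 1999 is indistinguishable from 'clock needs reset'."""
    if yy == CLOCK_RESET_SENTINEL:
        return "set clock"
    return f"19{yy:02d}"


def decode_year_out_of_band(yy: int, clock_valid: bool) -> str:
    """Fixed scheme: validity travels in its own flag bit, so every value of
    the year field, 99 included, is a real year."""
    if not clock_valid:
        return "set clock"
    return f"19{yy:02d}"


def yy_dayofyear_key(d: date) -> str:
    """Record key: two-digit year followed by an UNPADDED day-of-year
    (assumed layout). 9 Apr 1999 is day 99 of year 99, hence '9999'."""
    return f"{d.year % 100:02d}{d.timetuple().tm_yday}"


def is_stop_record(key: str) -> bool:
    """What a batch program using 9999 as a stop code would check."""
    return key == STOP_CODE


def dates_colliding_with_stop_code(year: int) -> list:
    """Audit helper: every calendar date in `year` whose key is mistaken for
    the stop code (a real record that would terminate the run)."""
    d = date(year, 1, 1)
    hits = []
    while d.year == year:
        if is_stop_record(yy_dayofyear_key(d)):
            hits.append(d)
        d += timedelta(days=1)
    return hits


if __name__ == "__main__":
    # A monitor whose clock genuinely reads 1999 is misreported by the
    # overloaded field; the out-of-band flag reports it correctly.
    print(decode_year_in_band(99), "/", decode_year_out_of_band(99, True))
    print(dates_colliding_with_stop_code(1999))
```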
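Added example (not from Jordin Kare's item or any troff distribution) of the proofreading aid his item asks for: a pre-pass that lists every line troff would treat as a control line (leading "." or "'") and neutralises the stray ones with troff's zero-width "\&" escape, leaving the requests the document deliberately uses untouched. The songbook sample and the set of known requests are constructed.

```python
import re

# troff treats a line whose first character is "." or "'" as a request
# (control line), not text. "\&" is troff's zero-width non-printing
# character; placing it first turns the line back into ordinary text.
CONTROL_LINE = re.compile(r"^['.]")
ESCAPE = "\\&"


def find_control_lines(text: str) -> list:
    """Audit: (1-based line number, line) for every line troff would swallow."""
    return [(i, line) for i, line in enumerate(text.splitlines(), 1)
            if CONTROL_LINE.match(line)]


def escape_stray_control_lines(text: str, known_requests: set) -> str:
    """Prefix the zero-width escape to lines starting with '.' or "'" unless
    the line is one of the requests the document deliberately uses (e.g. .PP).
    Apostrophe lines are always escaped: 'Til and 'Tis are lyrics, not commands."""
    out = []
    for line in text.splitlines():
        if CONTROL_LINE.match(line):
            request = line.split()[0]          # ".sp 1" -> ".sp"
            if not (line.startswith(".") and request in known_requests):
                line = ESCAPE + line
        out.append(line)
    return "\n".join(out)


# Constructed songbook source: two deliberate requests, two lyric lines that
# begin with an apostrophe, and a stray ".5" that is not a real request.
SAMPLE = """.PP
'Twas the night before Christmas
.sp 1
and all through the house
'Til the morning comes
.5 more verses to come"""

KNOWN_REQUESTS = {".PP", ".sp"}

if __name__ == "__main__":
    for lineno, line in find_control_lines(SAMPLE):
        print(f"line {lineno} would be treated as a command: {line!r}")
    print(escape_stray_control_lines(SAMPLE, KNOWN_REQUESTS))
```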
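Added example (not from Tom Rowe's item) reproducing the CSV round trip he describes and the integrity check a bank would want before trusting such exports: numbers are written the way his post reports (the exact rule, seven significant digits truncated for integers of more than 11 digits, is an assumption built to match his figures), read back, and compared; the same check with the identifiers exported as text shows nothing lost. Sample values are constructed.

```python
import csv
import io


def excel_general_export(n: int) -> str:
    """Mimic the reported export (assumption): integers with more than 11
    digits are written in scientific notation with seven significant digits,
    the rest dropped, so 123456789999 becomes '1.234567E+11'."""
    if abs(n) < 10**11:
        return str(n)
    exponent = len(str(abs(n))) - 1
    mantissa = abs(n) // 10 ** (exponent - 6)   # keep 7 digits, no float rounding
    sign = "-" if n < 0 else ""
    return f"{sign}{mantissa / 10**6:.6f}E+{exponent:02d}"


def reimport(cell: str) -> int:
    """What comes back when the CSV is opened again: the cell is parsed as a
    floating-point number, so the dropped digits are gone for good."""
    return int(float(cell))


def csv_round_trip(values: list, as_text: bool = False) -> list:
    """Write a one-column CSV, read it back, parse. With as_text=True the
    identifiers are written verbatim and parsed as integers (the safe path)."""
    render = str if as_text else excel_general_export
    parse = int if as_text else reimport
    buf = io.StringIO()
    csv.writer(buf).writerows([render(v)] for v in values)
    buf.seek(0)
    return [parse(row[0]) for row in csv.reader(buf)]


def lossy_values(values: list, as_text: bool = False) -> list:
    """Integrity check: (original, reimported) pairs that did not survive."""
    return [(v, back) for v, back in zip(values, csv_round_trip(values, as_text))
            if v != back]


# Constructed account-style numbers; only the 12-digit one is damaged.
SAMPLE = [123456789999, 4242424242, 7]

if __name__ == "__main__":
    for original, back in lossy_values(SAMPLE):
        print(f"{original} came back as {back}")
    print("lost when exported as text:", lossy_values(SAMPLE, as_text=True))
```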