precedence: bulk Subject: Risks Digest 20.15 RISKS-LIST: Risks-Forum Digest Sunday 10 January 1999 Volume 20 : Issue 15 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and at ftp.sri.com/risks/ . Contents: UAL clock wraparound (John Rushby) Risks of old documentation (Richard C. Wolber) Cell-phone surprise (Craig DeForest) Excel CALL function (Padgett Peterson) Phone service outage when computers stolen (Peter Kaiser) Y2K hits Singapore and Swedish taxi meters (Keith A Rhodes) The Windows April Fools 2001 Bug (from Richard Smith via Lloyd Wood) Editors also mitigate page-layout program hazards (Glen Turner) Re: Now you see it, now you don't (Jerry Leichter, Mike Williams) Call for Proposals - CFP99 (Marc Rotenberg) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Mon 4 Jan 99 23:25:21-PST From: John Rushby Subject: UAL clock wraparound I don't know about Y2K, but United airlines has a problem with H24. This is what www.ual.com provided for the flight status of today's UA63 (scheduled to depart San Francisco at 7:15p and arrive Honolulu at 10:46p) Flight: UA 0063 Date: 01/04/99 Airport Time Status San Francisco Intl Arpt 9:10pm Mon Delayed 1 hr 39 min Honolulu Intl 12:01am Tues Early 22 hr 35 min ------------------------------ Date: Fri, 8 Jan 1999 12:57:08 -0800 From: "Wolber, Richard C" Subject: Risks of old documentation This came from a friend of mine. I dialed the number and it actually works: > I was installing Quickbooks 5.0, dated 1992, for a friend Wednesday. We > had a little trouble, so I thought I would call the 1-800 support number > (1-800-INTUIT-7). Well.... I got support all right. A recording of a > female voice a low, whispering tone starts her sentence with "Hi Baby, > You've just connected with..." I guess Intuit made some extra cash by > selling it's phone number to a phone sex outfit. I wonder, do they get > paid by the minute or number of calls? Needless to say, I did feel a > little better after calling, which motivated me to finally fix the problem > myself. So, everything worked out OK after all ...... Richard C. Wolber, Software Developer/Troubleshooter DCAC/MRM Final Assembly G-4865 (425)965-6797 [Your friend almost really got intuit! PGN] ------------------------------ Date: Wed, 6 Jan 1999 05:22:19 GMT From: zowie@urania.nascom.nasa.gov (Craig DeForest) Subject: Cell-phone surprise A few days ago, I bought a Samsung SPRINT PCS phone at a Radio Shack in Ft. Collins, Colorado. When I pulled it out of the packaging, I noticed that there were some fingerprints on the display window and a scratch on the protective soft-plastic cover (that you're supposed to pull off when you buy the phone). The salesperson laughed and said that it had probably been briefly out of the box for a demo or something. I called Sprint from their wired phone and turned on service, then went home. Like most new cell phones, this one comes with an online directory. Unlike most new cell phones, this one had 6 numbers preprogrammed into it: "Work", "Home", "Cathy", "Lawyer", "Lisa", and "Jess". I'm not especially upset that I was sold a used phone -- it works just fine. But it certainly brings to light a general RISK of information appliances: If you return the appliance, you return the information you've stored in it, too! I deleted the numbers right away -- but if I'd called "Home" and mentioned "Jess", "Lisa", and "Cathy", perhaps the "Lawyer" would've gotten some more business... ------------------------------ Date: Fri, 08 Jan 1999 08:52:13 -0500 From: "Peterson, Padgett" Subject: Excel CALL function There is a lot of press being given to this vulnerability (it is NOT a virus but rather a security "hole"). Data Fellows sums it up best so far: (http://www.datafellows.com/v-descs/rnewyear.htm) . "This vulnerability, related to the CALL function of Excel, allows an attacker to send an HTML e-mail or modify a HTML web page so that when accessed, the HTML page will automatically launch Excel and use that to run any program. This allows the attacker to do pretty much anything he wants on the host machine." What is not well understood is that this exploit is actually multifaceted - there are a number of HTML constructs and a number of applications that can be used. The choke point seems to be in the (Windows) Registry which decides which applications (mostly Microsoft's) are considered "safe", that no warning screen is generated on network download/launch sequences for these applications. EXCEL is just one of these. A similar download sequence can be observed by W98 users when visiting the "Windows Update" page and the check for installed products is made. Note that the download occurs before a screen is displayed.. It would seem that this is necessary for the "Active Desktop" however for over a year various professionals, myself included, have been saying that this concept is flawed and that discovery of intrusion vectors was inevitable. Microsoft has disagreed (but then they disagree with governments also). One problem is that getting information from the company such as exactly *which* applications are considered "safe" by default is like pulling teeth. The only way at present is to seach the Registry as to whether a particular byte in an obscure value is 00 or 01. As expected Microsoft has announced that there is a fix - but it involves disabling the CALL function entirely, applies to EXCEL97 only (95 responds the same way), and if you do not have the OFFICE service packs installed, be ready for a 24 Mb download and make sure that there is at least 50 Mb of free disk space afterwards. As usual responding to a symptom and not the cause. However the root problem is the Registry permissions and the fact that these are either not well documented or not documented at all. As long as these remain, further discoveries are sure to follow. Padgett Peterson, P.E., Lockheed-Martin Corporate Information Security 1-407.306.1101 padgett.peterson@lmco.com ------------------------------ Date: Tue, 05 Jan 1999 22:55:14 +0100 From: Peter Kaiser Subject: Phone service outage when computers stolen On 3 Jan 1999, three men wearing ski masks broke into a Sprint telephone office, tied up workers, shot them with stun guns, and removed live telephone relay switching equipment (perhaps to fill a custom resale order?), knocking out service for about 75,000 customers for about 7 hours. [Source: Associated Press, 3 Jan 1999, seen in *The Boston Globe* online on 4 Jan 1999; PGN Abstracting.] This interruption of phone service isn't fundamentally different from utility service disruptions caused by the theft of wiring or pipes. But computers are a lot easier to steal. I believe I reported long ago here on the theft of a computer from an unstaffed area whose exact time was known because there were records of exactly when the computer was taken offline; but the computer was small enough to fit into an athletic bag, and was never found. The thief probably just walked out of the building with it. I wonder who buys stolen telephone exchange computers. And what they say to the people who service them. Pete kaiser@acm.org ------------------------------ Date: Mon, 04 Jan 1999 10:13:06 -0500 From: "Keith A Rhodes" Subject: Y2K hits Singapore and Swedish taxi meters Computerized meters in 300 Singapore taxis failed for about two hours at noon on 1 Jan 1999 in an early Y2K manifestation. Taxi meters in Sweden also acted up on the same day, but passengers there hardly complained. The meters continued to work but gave riders unexpectedly low fares. [Source: Associated Press, 3 Jan 1999, *The Sunday Times*, PGN Abstracting] [NOTE: I guess free parking is one of the new-year's initiatives that the government didn't tell people about. Perhaps we can make certain this happens in San Francisco, D.C., and New York. The problem of moving from 1998 to 1999 has also been found in some of the embedded systems in power plants, mostly in graphical counters for trend analysis. KR] ------------------------------ Date: Thu, 7 Jan 1999 13:16:56 +0000 (GMT) From: Lloyd Wood Subject: The Windows April Fools 2001 Bug (from Richard Smith) This is really a daylight-savings problem in the Visual C++ library - but the last time it would have happened would have been in 1990... More on the webpages. Since it's windows *applications* rather than Windows itself, it can be expected to be widespread. PGP ---------- Forwarded message ---------- Date: Thu, 07 Jan 1999 00:39:30 -0500 >From: glen mccready Subject: The Windows April Fools 2001 Bug [from 0xdeadbeef] >From: "Richard M. Smith" I thought the deadbeef crowd might be interested in this story....... I just got confirmation from Microsoft of the "April Fools 2001" bug that I reported on Monday. Although not technically a Y2K bug, many Windows applications are going to break on April 1, 2001 and start giving the wrong time of day. The bug lasts for a week. Technical details of the bug can be found at: http://security.pharlap.com/y2k/april1.htm A live test page for the bug is available at: http://security.pharlap.com/y2k/demo1.htm With this bug, any technical person involved with Y2K testing has a new date to worry about which April 1, 2001. Richard ------------------------------ Date: Thu, 07 Jan 1999 01:02:17 +1030 From: Glen Turner Subject: Editors also mitigate page-layout program hazards In RISKS-20.14 Jordin Kare gives a number of sensible methods to decrease the risk of not noticing the delimiting characters used to separate text from page layout commands. A most useful method is not mentioned -- use an editor that displays differing syntactic components using differing textual properties. This makes the difference between text and markup commands much clearer. A good editor will also highlight common syntactic errors. Such editors date from at least the Andrew project. I recall the facility being available in 1984 for Pascal when I used DEC's LSE editor running on the VMS operating system. These days, I happen to use the XEmacs editor and the Linux operating system. To take Mr Kare's concrete problem, text in TROFF source appears in a black normal-weight font. TROFF commands, whether indicated by an apostrophe or other characters, appear in a green bold-weight font. Text and markup are much less readily confused. Glen Turner. Network specialist, The University of Adelaide. ------------------------------ Date: Fri, 8 Jan 99 20:01:27 EST From: Jerry Leichter Subject: Re: Now you see it, now you don't (RISKS-20.14) > [Increasingly, much valuable research from the past is being forgotten. > Unfortunately, the operative motto seems increasingly to be > ``If it is not now on the Web, it never existed.'' PGN] Well ... there's more to it than that. Computer science is unique in its reliance on non-traditional means of publication. There's been an over-reliance on conferences and conference proceedings, which are not handled well by libraries. Further, while conference papers are peer-reviewed, the level of review - and the consequent level of the papers - has never matched what you get in the traditional publication venues. There are exceptions - SOSP, to cite one example, has tended to have unusually good papers - but by and large a conference paper is a good first draft for a journal paper (but most never appear in journals). Things have historically been even worse in CS theory, where often all you find in the conference proceedings is an extended abstract - and the final paper somehow never gets published. The other over-reliance has been on technical reports. Some technical report series are excellent - I've got a pile of old PARC reports that are wonderful; many of the MIT reports were great when I was looking at them. Most tech report series are of very variable quality, however - and of course you can't find *them* either. All of this was the case before the Web came along. It all of a sudden appeared to be the solution to the CS publications problem. Just put all the tech reports and whatever on-line, and they'll be available to everyone everywhere. Except that (a) they disappear anyway; (b) the quality is extremely variable. I've been out of academia for over 3 years now, and I let my ACM and IEEE memberships lapse - the stuff was piling up way faster than I could find time to read it, between a non-academic job and an infant (now youngster). I do follow papers in a number of areas, and indeed they are much more accessible now than they used to be. But serious research - in the sense of finding the work already done in a field - can be tricky. Stuff is unorganized, un- reviewed, of unpredictable quality - and it disappears. Then again, we don't respect the history of our own field. Books go out of print rapidly - and libraries can't keep up. I collect the classics when I can get my hands on them; they're irreplaceable, and often still valuable. (I'm also always amazed by the quality of writing of papers from the 60's and early '70's. We've lost that.) We like to think that we in CS are on the leading edge of a revolution, but the fact is *it* is driving *us*. Things are different in other fields. Physicists have done a much better job of integrating the Internet and the Web with their research and publications. It helps to have an established way of working, not just make everything up on the fly. (And, of course, it was the physicists - not us CS types - who invented the Web.) Jerry ------------------------------ Date: Fri, 08 Jan 1999 18:59:05 -0500 From: Mike Subject: Re: Now you see it, now you don't (Leichter, RISKS-20.14) Is it still on the web if it's locked down? ACM used to have the ACM Turing Award Lectures, including Ken Thompson's classic, seminal "Reflections on Trusting Trust," on the web available at no charge. Now, as an ACM member since '64, I have to pay a high premium to get it, or to pass it on others who need it more than they know. Fat chance. Mike Williams ------------------------------ Date: Tue, 5 Jan 1999 17:26:32 -0500 From: Marc Rotenberg Subject: Call for Proposals - CFP99 [I could have titled this CFP for CFP99, but that would be confusing. PGN] Computers, Freedom + Privacy 1999 THE GLOBAL INTERNET Omni Shoreham Hotel Washington, DC April 6-8, 1999 The Program Committee of the conference on Computers, Freedom, and Privacy (CFP99) is seeking proposals for the ninth annual CFP, which will be held in Washington DC between April 6th and April 8th 1999 at the Omni Sheraton Hotel. CFP is the leading Internet policy conference. For almost a decade, CFP has shaped the public debate on the future of privacy and freedom in the online world. The CFP audience is diverse with representatives from government, business, education, non-profits and the media. The themes are broad and forward-looking. CFP explores what will be, not what has been. It is the place where the future is mapped. The theme of the 1999 CFP conference is "The Global Internet." Proposals are welcomed on all aspects of privacy and freedom. The 1999 Program Committee is particularly interested in receiving proposals that deal with: ACCESS TO THE INTERNET, particularly those relating to globalization and governance. Of particular interest are issues of privacy, censorship, free speech and access. INTERNATIONAL ISSUES, especially the emerging issues of global privacy protection, encryption policy, international principles of human rights, regulation, legislation, and copyright. ELECTRONIC COMMERCE, including the impact of payment systems, regulations, and technical standards on personal freedom and privacy. CULTURE AND LANGUAGE ON THE INTERNET, such as the significance of diversity, multilingualism, and cultural representation We strongly encourage proposals that involve leading experts, innovators, policymakers, and thinkers. The CFP99 Program Committee will finalize the selection of proposals by February 1, 1999, proposals should be received by 15 Jan 1999 by e-mail to proposals@cfp99.org [Apparently, slightly late proposals will be considered if they are good, which is why I am running this notice on 15 Jan 1999! PGN] For more information on the Computers, Freedom, and Privacy Conferences, please visit the conference Web page http://www.cfp99.org. If your have further questions about CFP, please feel free to contact a member of the Program Committee. PROGRAM COMMITTEE chair: Marc Rotenberg, EPIC and ACM, Washington, DC. ------------------------------ Date: 23 Sep 1998 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 19" for volume 19] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 20.15 ************************