RISKS-LIST: Risks-Forum Digest  Saturday 1 May 1999  Volume 20 : Issue 36

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and at ftp.sri.com/risks/ .

  Contents:
Seagulls speak English: Aldershot (John Haseler)
Yet another satellite hits the dust (Joan L. Grove Brewer)
Titan 4B places military satellite in improper orbit (PGN)
No Bell Tolls for thee (Jeremy Ardley)
Risks of "smart" MS Internet apps (Andrew Shieh)
Re: Dodgy automatic address book resolution (Larry Pryluck)
MS-Outlook 98 risk of mislaying messages in Outlook today (Jahn Rentmeister)
Bloatware and the Windows API (Diomidis Spinellis)
Re: The Bloatware Debate (Henry Baker)
Bloatware and Nightlight Saving (R.A. Downes)
Update on DejaNews click-through monitoring (Richard M. Smith)
Re: WC Watch Company site ... (David B. Horvath)
Re: Risks of misaddressed mail (Frederick M Avolio)
REVIEW: "A Guide to Virtual Private Networks", Martin W. Murhamm (Rob Slade)
CONF: 12th Software Quality Week (Software Research)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 1 May 1999 23:30:44 +0100
From: "John.Haseler@bcs.org.uk"
Subject: Seagulls speak English: Aldershot

Quote from *Daily Telegraph*, 1 May 1999, Property section - in an article
explaining how to keep seagulls from nesting on your chimney-stack:

  The other day, I got a call from a man complaining that the gulls outside
  his window were interfering with his voice-activated computer.  Apparently,
  every time a seagull let out a loud squawk, his computer would type up the
  word 'Aldershot' on his screen.  After a while, that kind of thing can
  drive you mad.

  [I guess the computer software was gulled into a characteristic AI pattern
  mismatch.
  But this is clearly worth some further study.  What would one good tern
  turn into?  Gullible's Travels?  And what is the domain of discourse that
  includes Aldershot?  PGN]

------------------------------

Date: Sat, 1 May 1999 02:40:30 -0700
From: "Joan L. Grove Brewer"
Subject: Yet another satellite hits the dust

On 28 Apr 1999 the *Seattle Times* and other news media reported that yet
another satellite had mysteriously lost contact.
  http://www.seattletimes.com/news/nation-world/html98/altsate_19990428.html

In the article -- A real-life X-Files case: Where's the satellite? -- John
Antczak of The Associated Press: "Ikonos 1 (Greek for image) disappeared
yesterday almost immediately after it was launched from California's coast."
It was going to be only a 400-mile-high orbit, and they are puzzling over
what could have gone wrong...

This was the first private satellite that could take high resolution images
of earth.  ONLY the military could do this until now.  [In 1994, the U.S.
Government authorized Space Imaging to launch a private satellite.  PGN]

There is still that BIG PUZZLE about what happened.  In fact, there have been
so many problems with private satellites that it does in fact beg the
question...  Is this an X-File? :-) or is this something else?

So many satellites have been messing up that on last week's Dilbert TV show,
which aired on April 26, they did a bit on satellites.  Dilbert messed up and
a satellite went out of orbit, hit another satellite, and they all went so
nuts that the whole world shut down...  It was really quite funny.  Then
bingo, two days later yet another satellite bites the dust -- perhaps
literally.

Craig McCaw and Bill Gates put together a company called Teledesic that was
originally going to put 840 satellites in low orbits until Boeing talked them
down to 280.  I wonder what their game score will be.  Boeing, who is doing
the project with them, had one of the rockets blow up on the pad as well as
their satellite. :-)

This could really get to be quite an expensive business, especially if it's
due to a natural phenomenon like radiation belts or a new sun cycle with
massive sun spots.  Maybe it will eventually get turned back on.

Could this just be due to human error?  Low Orbiting satellites have to be
piloted by humans.  My original concern to the boys was where are you going
to find the highly trained and skilled engineers to run that many
satellites.  We can't even find people to operate our computer systems and
the Internet?  This is what I think the real problem is.  It's like with our
older mainframes having to have system engineers sleeping on cots in the
back room to baby sit all the time...  Now with a lot of people raised on
computers do we really have the brain power to react fast enough in a crisis
situation?

Joan Brewer -- retired systems engineer

------------------------------

Date: Sat, 1 May 99 10:39:45 PDT
From: RISKS List Owner
Subject: Titan 4B places military satellite in improper orbit

The U.S. Air Force is on another rough road in the sky.  A Titan 4B rocket
(cost about $433.1 million) was launched from Cape Canaveral on 30 Apr 1999
carrying a Milstar military satellite (worth about $800 million).  Both were
built by Lockheed Martin.  The three firings of the Centaur upper-stage
booster apparently occurred prematurely, resulting in the satellite
separating four hours early into an elliptical orbit from 460 miles to 3,105
miles up, rather than the intended stationary geocentric orbit at 22,300
miles above the equator.  This was the third failure in a row -- following
the Titan 4A with a Vortex satellite last August 1998 in a mission with
comparable costs (RISKS-19.91), and a missile warning satellite on 9 Apr 1999
stuck in a useless orbit.
------------------------------

Date: Sat, 1 May 1999 20:07:05 +0800
From: "J&J Ardley"
Subject: No Bell Tolls for thee

The following text is part of
  http://www.microsoft.com/security/resources/NATOCaseStudy.asp
dated February 1999, as an example of a high security implementation of NT
for military purposes.  The CRONOS system is a wide area network of NT
computers used in NATO in Europe in the present conflict in the Balkans.
Steakley is David Steakley, Cronos Project Leader at NC3A.

Jeremy Ardley

Quote:

  Security of Windows NT Crucial to Cronos

  Because Cronos carries classified information, security was a top
  requirement.  Specifically, NATO regulations required that Cronos use an
  operating system that carried the imprimatur of an independent security
  evaluation.  "We had to have assurance that security rules could be
  enforced - to make sure that when anyone logs onto the system, he is
  authorized to log on and has security clearance at the level the system
  requires," says Steakley.

  "We insist that all of our systems meet the C2 level of security when
  they're used for classified information, on both the client and the
  servers," says Steakley, referring to a security rating level in the US
  Government's Trusted Computer Security Evaluation Criteria.  Windows NT 3.5
  has been successfully evaluated by the US Government at the C2 level and
  Windows NT 3.51 has been successfully evaluated by the UK Government at a
  comparable level of E3/FC-2.  Because of this lineage and the fact that
  Windows NT 4.0 had been submitted for its own C2 evaluation, Windows NT
  4.0 met NATO's security requirements."

In contrast to this is the following from
  http://www.gcn.com/gcn/1998/October26/8.htm
dated October 26, 1998, which includes

Quote:

  NT 4.0 is not certified at the C2 level by NSA.  Microsoft, however, is in
  the process of getting C2 certification for NT 4.0 with Service Pack 4 in
  a closed network configuration.
The essential element is that C2 certification to date applies to
non-networked configurations of NT 3.51 on a specific set of hardware.
Clearly the client and server configuration of NT 4.0 referred to by
Steakley is not covered by the existing C2 certification.

Extrapolation by Steakley of the certification of 3.51 to 4.0 is also a
non-sequitur, especially as he claims that submission for evaluation equates
to granting of a certificate.  Under his logic I should claim a Nobel prize
when I next submit my name to the committee.

------------------------------

Date: Sat, 1 May 1999 01:41:19 -0700
From: andrew shieh
Subject: Risks of "smart" MS Internet apps

Recently, in response to a simple question about perl, i posted the answer
of:

  //i

This worked fine.  The person who i was responding to was using Microsoft
Outlook Express to read the newsgroup.  He couldn't seem to figure out what
that meant.  He quoted my message, and the "//i" showed up as "file://i",
and i guessed that that was how it also appeared to him on screen.

What you get is not what you see.

------------------------------

Date: Thu, 29 Apr 1999 12:38:41 -0400
From: "Pryluck, Larry"
Subject: Re: Dodgy automatic address book resolution (Liddicott, RISKS-20.34)

I had an experience similar to Samuel Liddicott's.  Our office uses
MSexchange 5.0 running on Windows NT Workstation 4.0.  I tried to forward a
leave form to our secretary, Ann Jack, whose e-mail address is resolved on
the Global Address List.  I was chagrined to find out a day or two later
that the mail went instead to my friends Jack and Anne, whose e-mail address
is in my personal address book, which is first on the list.  This was even
after selecting "Ann Jack" from the global address list.  I may have even
put in the address to the right of the @ as well.  I finally gave in to the
dark side and made "AJ" an entry in my personal book.
No problems now, but it continues to amaze me how what used to be a simple
thing has been made complex by software that tries to out think the user.

Larry Pryluck, US Army Information Systems Software Center
Executive Software Systems Directorate

------------------------------

Date: Mon, 26 Apr 1999 18:32:43 +0200 (MES)
From: Jahn Rentmeister
Subject: MS-Outlook 98 risk of mislaying messages in Outlook today

MS-Outlook as an MS-Exchange client uses a hierarchical folder list to store
e-mail messages in.  Folders can contain mail messages, but also other
folders.  The top-level folder is the "mailbox", which contains, among other
folders, a folder for incoming mail.

In Outlook 97, the top-level folder is just a folder like any other; in
particular, it can contain folders and mail messages, and activating the
folder shows its contents.

In Outlook 98, however, displaying the top-level folder of a mailbox displays
an "Outlook today" screen, featuring "links" to the user's calendar, task
lists, e-mail drafts and inbox as well as a search facility.  However, the
contents of the folder are not displayed in Outlook 98.  But it is still
possible to move e-mail messages into that folder.

This creates a situation where it is possible for a user to move a message
to that folder, but is later unable to access that message.  (Unless the
e-mail message is found by a search of all folders.)

Moving messages into folders is commonly done with the mouse, and
accidentally moving messages to the wrong destination folder is not uncommon
(at least not for me).  This can create (and has created) situations where
e-mail messages "magically" disappear, possibly before they have been acted
upon or even before they have been read.

To my knowledge, there is no way accessible to the average user to check the
contents of this folder in Outlook 98, or to disable the "Outlook today"
display.
The fact that contents of the folder are not displayed together with the
"Outlook today" screen is not obvious to the user, except if a user tests
this by deliberately moving mail into that folder.

This "feature" was not present in Outlook 97, and it is possible to check
the folder contents using Outlook 97.  (With MS-Exchange, e-mail messages
and folder structure are usually stored on the server.)

There is a way to disable the "outlook today" feature, described at
  http://support.microsoft.com/support/kb/articles/q184/8/56.asp
(create and set a special key in the Windows registry).

Jahn Rentmeister

------------------------------

Date: Sat, 01 May 1999 15:19:23 +0300
From: Diomidis Spinellis
Subject: Bloatware and the Windows API

A number of contributors to previous digests have stressed the risks
associated with increasingly bloated software applications.  I believe that
part of the complexity and unreliability of many modern software
applications can be attributed to their use of the Windows Application
Programming Interface (API).

I recently wanted to read - using C code - the name of the file pointed to
by a Windows shortcut: a shell-level equivalent of the Unix symbolic link.
Unix symbolic links can be read by using readlink(2) - a simple
three-argument system call.  The code I had to write to examine the Windows
shortcut spanned over 100 lines of C and included initialisation of the COM
(component-object model) library, checking for Unicode filenames, getting
pointers to two COM interfaces, and releasing all the associated handles at
the end.  Seven of the API functions could return with an error which had to
be checked.  I am sure other readers can point to other similar examples.

The architecture, interface, and functionality of the Windows API make it
difficult to master and use effectively, and contribute negatively to the
safety, robustness, and portability of the applications developed under it.
The API is structured around a large and constantly evolving set of
functions and is based on a problematic shared library implementation (the
infamous Dynamic Link Libraries - DLLs).  The provided interfaces are
complicated, non-orthogonal, abuse the type system, cause name-space
pollution, and use inconsistent naming conventions.  In addition, the
functionality of the interface suffers from inconsistency, incompleteness,
and inadequate documentation [1].

I foresee that problems associated with the use or misuse of the Windows API
will provide material for many future RISKS digests.

[1] Diomidis Spinellis.  A critique of the Windows application programming
    interface.  Computer Standards & Interfaces, 20:1-8, November 1998.
    http://kerkis.math.aegean.gr/~dspin/pubs/jrnl/1997-CSI-WinApi/html/win.html

Diomidis Spinellis, University of the Aegean

------------------------------

Date: Sat, 01 May 1999 06:51:36 -0700
From: Henry Baker
Subject: Re: The Bloatware Debate (Downes, RISKS-20.35)

> One of the chief hallmarks of early UNIX was how simple, compact programs
> worked well together....

The biggest productivity losses due to bloatware are IMHO the enormous
intellectual effort of the compiler people to 'optimize' bad code into good
code, and of the CPU hardware architects to make 'legacy' bad code run fast.
I would estimate that 50-70% of the size of compilers and 50-70% of the size
of CPU chips is devoted to protecting the investment in code that never
should have seen the light of day.

On another note, though, Unix itself inspired a generation of programmers to
write bad, buggy code that never bothered to check error codes, and assumed
that all input was error-free.  There was a wonderful paper in the
Communications of the ACM a number of years ago about feeding 'line noise'
into various standard (and presumably well-debugged) Unix utilities and
seeing the spectacular crashes that ensued.
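
The readlink(2) call that Spinellis contrasts with his 100-line Windows
shortcut reader, as an added example that is not from his post or from
Henry Baker's reply: a C wrapper around the "simple three-argument system
call" that handles the two details readlink leaves to the caller (it never
appends a NUL terminator, and it silently truncates a target that does not
fit), plus a round-trip check against a constructed symlink under /tmp.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read the target of the symbolic link at `path` into `buf` as a
 * NUL-terminated string.  readlink(2) itself neither terminates the result
 * nor reports truncation: when the target is longer than the buffer it
 * returns exactly the size it was given.  A caller that forgets either
 * point ends up using unterminated or cut-off path data.
 * Returns 0 on success; -1 with errno set otherwise (ENAMETOOLONG when the
 * target does not fit, so no truncated path is ever handed back). */
int read_link_target(const char *path, char *buf, size_t bufsize)
{
    if (bufsize == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Leave one byte for the terminator we add ourselves. */
    ssize_t n = readlink(path, buf, bufsize - 1);
    if (n < 0)
        return -1;              /* ENOENT, EINVAL (not a symlink), EACCES ... */
    if ((size_t)n == bufsize - 1) {
        /* Buffer completely filled: the target may have been cut off. */
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[n] = '\0';
    return 0;
}

/* Round-trip check: create a symlink (the target need not exist, since
 * readlink does not follow it), read it back with an ample buffer and then
 * with a deliberately tiny one, and clean up.  Returns 0 when both calls
 * behave as documented above.  The /tmp name is constructed for this demo. */
int readlink_roundtrip_demo(void)
{
    const char *target = "/nonexistent/dir/file.txt";   /* constructed */
    char link[64];
    char big[4096];
    char tiny[8];
    int rc = -1;

    snprintf(link, sizeof link, "/tmp/risks_readlink_demo_%ld", (long)getpid());
    unlink(link);                       /* stale copy from an earlier run, if any */
    if (symlink(target, link) != 0)
        return -1;

    if (read_link_target(link, big, sizeof big) == 0 &&
        strcmp(big, target) == 0 &&
        read_link_target(link, tiny, sizeof tiny) == -1 &&
        errno == ENAMETOOLONG)
        rc = 0;

    unlink(link);
    return rc;
}

int main(void)
{
    int rc = readlink_roundtrip_demo();
    printf("readlink round trip: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```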
------------------------------

Date: Sat, 01 May 1999 07:58:09 +0000
From: main@radsoft.net
Subject: Bloatware and Nightlight Saving

While we're on the bloatware debate, let's look at some wonderful features
that have come our way via that Mecca of intellectual happiness, Redmond
Washington.

The incident below takes place soon after the Premium Release of Windows 95
and about one week before my corporation scrapped it altogether.

I had 95 installed in my home and it was Saturday night and time for bed.  I
kicked in the screen saver and joined my wife under the covers.

Some hours later I was wakened from a sound sleep by a commotion in the next
room.  The wife did not wake, but I did, and I was curious what had caused
the noise and went in to check.

It was the computer.  The monitor screen had a big message box planted on
it.  The wording was something to the effect:

  "Microsoft Windows 95 has detected that you have now gone over to standard
  time from daylight savings time and has adjusted your computer's clock
  accordingly.  Thank you for choosing Microsoft Windows 95."

I was impressed!  When I returned to bed the wife was stirring and
protesting my being up and about.  I told her "you'll never believe what
that Bill Gates did now!" and as she drifted off again to sleep I gave her
the whole story.

But my sleep and mirth with Microsoft did not last long.  It was exactly one
hour later that I was awakened again - and for the same reason!  The
computer's clock, put back from 3 AM to 2 AM by Wonderful Windows, had again
hit 3 AM, and - you guessed it - Wonderful Windows again put it back to
standard time.  At this rate Sunday would never occur!

Even though I knew better I passed it off as a fluke and went back to bed.
And both one hour later and two hours later (my time, not Microsoft's) I was
rudely disturbed by the collective alternative intelligence of Redmond.
At that point I turned the machine off, had a few moments of black insight
into how things are done and tested in that cauldron of cerebral
superiority, and decided then and there that Microsoft Windows 95 could
never be taken seriously.

RA Downes, Radsoft Laboratories  http://www.radsoft.net

------------------------------

Date: Sat, 01 May 1999 17:23:26 -0400
From: "Richard M. Smith"
Subject: Update on DejaNews click-through monitoring

I just wanted to give an update on the DejaNews ruckus that got started in
the comp.security.misc, alt.privacy, and comp.risks newsgroups earlier this
week.  As reported by myself and a number of other folks, DejaNews is
monitoring when people click on links to external Web sites and e-mail
addresses in newsgroup messages displayed by DejaNews.

DejaNews issued a statement on Friday afternoon saying that they plan to
stop monitoring click-throughs of e-mail addresses.  *ComputerWorld* and
*Wired* both have stories on this announcement:

  http://www.computerworld.com/home/news.nsf/all/9904305dejanews
  http://www.wired.com/news/news/politics/story/19435.html

This is good news, as there was no particular reason in the first place for
DejaNews doing this sort of thing.  The software changes on the DejaNews
servers should be pretty trivial to make.

According to *ComputerWorld*, DejaNews may continue to track when people
click on a link to an external Web site in a newsgroup message.  This is
somewhat of an unusual practice for a search engine to be doing.  To my
knowledge only Hotbot does this same sort of tracking.  For people concerned
about this, a simple solution is to copy the link text and paste it into the
location or address window of a browser.  This solution bypasses the
redirect trick being used by the server to do the monitoring.

The larger issue that I see here is something that can affect any Web site
or ISP.
The more information that a Web site or ISP chooses to track and save away,
the more likely they are to be dragged into legal disputes.  Lawyers and law
enforcement people are increasingly asking for and getting log files from
both ISP and Web site operators.  Here are some interesting articles on this
subject:

  "Arrest made in Bloomberg story hoax"
  http://www.news.com/News/Item/0,4,35201,00.html

  "Internet chat faces new suit"
  http://www.boston.com/dailyglobe2/119/business/Internet_chat_faces_new_suit.shtml

  "Spouses may delete their marriage, but e-mail lives on as evidence"
  http://archives.seattletimes.com/cgi-bin/texis.mummy/web/vortex/display?storyID=372780441&query=divorce

  "Online, both the guilty and innocent are easy to spy"
  http://www.boston.com/dailynews2/120/economy/Online__both_the_guilty_and_in.shtml

Things will get really interesting if information from server logs is turned
over in a civil case about some individual and this individual thinks that
the Web site operator or ISP shouldn't have been collecting and archiving
the information in the first place.

Richard M. Smith

------------------------------

Date: Fri, 30 Apr 1999 21:58:58 -0400 (EDT)
From: dhorvath@cobs.com (David B. Horvath, CCP)
Subject: Re: WC Watch Company site ... (Ziglar, RISKS-20.35)

> IWC, a Swiss manufacturer of high-end wristwatches, ...

Ahh, the risks of common TLA domains.  www.iwc.com is InLink Web Creations
(actually refreshes to www.inlink.com - Inlink Communications, an ISP in St
Louis).  http://www.iwc.ch gets you the watch manufacturer.

There were three people listed: "Mrs. Privacy Invasion (anon@127.0.0.1)",
"Mr. up (yours)", and "Mr. Prinya Sivasirikarul (no e-mail address)".  I
wonder if Mrs. Invasion reads RISKS Digest?

David B. Horvath, CCP  dhorvath@cobs.com
Consultant, Author, International Lecturer, Adjunct Professor

  [Also noted by Mike Durkin.
  But it seems people are not necessarily giving the requested information.
  That seems like a very good idea, although it may not be good enough.  PGN]

------------------------------

Date: Fri, 30 Apr 1999 19:22:33 -0400
From: Frederick M Avolio
Subject: Re: Risks of misaddressed mail (Thompson, RISKS-20.35)

The bigger problem, and I think more problematic, is our total dependence
on e-mail when a telephone call could clear things up nicely.  We assume
because e-mail almost always works, that it *will*.  Sometimes a telephone
call to clear things up or to inquire as to status will save days of time
and e-mail.  I suspect we have all been in exchanges of e-mail that would
have better and more quickly been done via the telephone.

I love e-mail.  Love using it.  I believe I fully understand and appreciate
its utility.  But it is not the ultimate communication tool.  Sometimes a
call, "did you ever send that document to me?" saves time and effort.

Fred, Avolio Consulting, 16228 Frederick Road, PO Box 609, Lisbon, MD 21765
410-309-6910 (voice)  410-309-6911 (fax)  http://www.avolio.com/

------------------------------

Date: Fri, 30 Apr 1999 08:20:06 -0800
From: Rob Slade
Subject: REVIEW: "A Guide to Virtual Private Networks", Martin W. Murhamm

BKAGTVPN.RVW   990321

"A Guide to Virtual Private Networks", Martin W. Murhammer et al, 1998,
0-13-083964-7
%A   Martin W. Murhammer
%A   Tim A. Bourne
%A   Tamas Gaidosch
%A   Charles Kunzinger
%A   Laura Rademacher
%A   Andreas Weinfurter
%C   One Lake St., Upper Saddle River, NJ   07458
%D   1998
%G   0-13-083964-7
%I   Prentice Hall
%O   800-576-3800 416-293-3621 fax: 201-236-7131
%P   174 p.
%T   "A Guide to Virtual Private Networks"

You don't have to look very far to figure out that this book is by IBM, of
IBM, and probably for IBM.  All of the authors (even those that don't rate
the front cover) work for IBM, and ... well, lookee here!  IBM just happens
to make products that relate to virtual private networks (VPNs)!
Chapter one is a reasonable overview of the basic concepts behind VPNs.
However, the level of the writing is inconsistent, some parts of the
explanation are a bit confused (they tend to use the term "tunnel" a lot,
even where "circuit" might be more fitting), and overall one gets the
feeling that this should be presented on a big screen in a dark auditorium,
with a suit droning on and on.  There is a tendency to illustrate (with not
very illuminating figures) rather than explain, when it comes to the
technical bits.  Either that, or just start to list off protocols.

Encryption is explained fairly well in chapter two.  There is some detail as
to the actual operation of some algorithms.  (I notice that DES [Data
Encryption Standard] is not among them, and that it is claimed fully, and not
just derivatively, for IBM.)  The discussion of key and algorithm strength
is weak, however, and there is no discussion of the basic problems or
concerns of key management.

Chapter three provides format details of the IPsec (Internet Protocol
security) AH (Authentication Header) and ESP (Encapsulating Security
Payload) protocols.  References for the appropriate draft documents are
given at the end of the chapter.  The Internet Key Exchange (IKE) (also
known as Internet Security Association and Key Management Protocol [ISAKMP])
is discussed in chapter four.

Chapters five to seven look at scenarios for branch offices, business
partners, and remote access, respectively.  There is little new content, and
most of the material could be inferred from the text of earlier chapters.
Showing admirable forbearance, most of the detail of IBM products is held
for the appendices.

While not all parts are particularly readable, the book does, at least, have
the advantage of being short.  The fundamental concepts of VPNs are given,
enough so that a technical manager could get a basic grasp of what was
required.  Possible attacks, and the complexities of implementation, are not
dealt with very well.
copyright Robert M. Slade, 1999   BKAGTVPN.RVW   990321
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Fri, 30 Apr 1999 20:25:40 GMT
From: sr@netcom.com (Software Research)
Subject: CONF: 12th Software Quality Week (QW'99; edited for RISKS)

The 12th Annual International Software Quality Week (QW'99) will be held
26-28 May 1999 in San Jose, California USA.  Two days of pre-conference
tutorials are 24-25 May 1999.  The complete program for QW'99 can be found
at the QW'99 Conference WebSite:

KEYNOTE SPEAKERS (26-28 May 1999) address the Conference Theme "Facing the
Future" in a coordinated sequence of talks:

  * Martin Pol (IQUIP Informatica BV)
    "Facing the Future Means Facing Test Maturity"
  * Jeff Schuster (Rational)
    "Facing the Future: E-Commerce Quality and YOU!"
  * Cem Kaner (Attorney at Law)
    "Facing the Future: The Law"
  * Roger Sherman (Independent Consultant)
    "Facing the Future: Commercial Product Testing"
  * Jakob Nielsen (Nielsen Norman Group)
    "Facing the Future: Usability Aspects of Quality"
  * Brian Marick (RST)
    "Facing the Future: New Models for Test Development"
  * Boris Beizer (Independent Consultant)
    "The Mavin"

COMPLETE INFORMATION or to register by phone or by mail is available from:

  SR/Institute
  901 Minnesota Street
  San Francisco, CA 94107 USA
  Phone: +1 (800) 942-SOFT (7638) or +1 (415) 947-1441
  FAX: +1 (415) 957-0730
  E-Mail: qw@soft.com
  Web:

------------------------------

Date: 23 Sep 1998 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.
 Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to
 with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different
 from FROM:] or INFO [for unabridged version of RISKS information]
 .MIL users should contact (Dennis Rears).
 .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com
 login anonymous
 [YourNetAddress]
 cd risks
 [volume-summary issues are in risks-*.00]
 [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
 or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 PostScript copy of PGN's comprehensive historical summary of one liners:
 illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.36
************************