precedence: bulk Subject: Risks Digest 20.65 RISKS-LIST: Risks-Forum Digest Sunday 21 November 1999 Volume 20 : Issue 65 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Nasdaq software failure (Keith A Rhodes) Netscape's cookie-preserving behavior (Crispin Cowan) Announcing - PFIR: "People For Internet Responsibility" (Lauren Weinstein) Businesses could owe millions for popular Year 2000 bug fix (Keith A Rhodes) Japan rail ticket system crash due to 11/11/11 11:11 (Dave Fossett, Hiroshi Naito) Computer prompts increase errors? (Ursula Martin) Re: Y2K creates "horseless carriages" (Adam Elman) Possible risks in not examining end-user license agreements? (Anthony Garcia) Microsoft Y2K liability (Lloyd Wood) Risks of Office 2000 (Lloyd Wood) Re: Sarah Flannery (Jean-Jacques Quisquater) Slashes in spreadsheets (Kent Quirk) DVD crypto was intended to be weak (M Seecof) Amazon password change requests poorly authenticated (Andrew R. Thomas-Cramer) Who protects me from the protectors? (David Mediavilla) Risks of advertisements in software (Bill Royds) Workshop on Freedom and Privacy By Design (Lorrie Cranor) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 17 Nov 1999 08:30:22 -0500 From: "Keith A Rhodes" Subject: Nasdaq software failure Traders were unable to buy or sell stocks for 17 crucial minutes on 16 Nov 1999 after Nasdaq officials attempted a software upgrade on the fly in the last half hour of trading. Something went wrong and investors were the ones who paid the price. [Source: Poorly timed software upgrade paralyzes Nasdaq, by Larry Barrett ZDII, 16 Nov 1999] ------------------------------ Date: Thu, 04 Nov 1999 18:09:33 +0000 From: Crispin Cowan Subject: Netscape's cookie-preserving behavior I normally run with cookies completely disabled. Sometimes I hit sites that insist on using cookies (e.g. slashdot's login for non-anonymous posting) and so I temporarily enable cookies. I observed (with joy) that when I disable cookies again, the "cookies" file disappears from my ~/.netscape directory. Good, it appears to delete cookies when I disable them. So I started telling people about this cool feature. However, some time later Gil Niger reported back to me that Netscape is actually preserving cookie information across bouts of disabling cookies. Consider this experiment: * enable cookies * browse a cookie-using site * observe the cookies file--hmmm, it seems to contain an old cookie from the washingtonpost.com * disable cookies * observe that the cookies file is gone, and a grep of the .netscape directory failed to show the washingtonpost.com cookie in any file * re-enable cookies * browse another cookie-using site (not washingtonpost.com) * observe the cookies file again--the washingtonpost.com cookie is back again Not a huge deal, but it seems misleading, at best, to *appear* to be deleting cookie information, while actually preserving it. However, I have never seen any NS documentation that suggested that NS was actually deleting cookie info when cookies are disabled, so it's just my inference from watching the file disappear. I can't wait for Mozilla to stabilize: I really want that "anonymous mode" feature. My version: Netscape Communicator 4.7 for Linux/libc5/strong crypto. Crispin P.S. Amusing note: NS 4.7's spelling checker just flagged "Mozilla" as an unrecognized word :-) Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com Free Hardened Linux Distribution: http://immunix.org ------------------------------ Date: Tue, 16 Nov 99 09:34 PST From: lauren@vortex.com (Lauren Weinstein) Subject: Announcing - PFIR: "People For Internet Responsibility" ANNOUNCING PFIR: "People For Internet Responsibility" http://www.pfir.org November 16, 1999 PFIR is a global, grassroots, ad hoc network of individuals who are concerned about the current and future operations, development, management, and regulation of the Internet in responsible manners. The goal of PFIR is to help provide a resource for individuals around the world to gain an ability to help impact these crucial Internet issues, which will affect virtually all aspects of our cultures, societies, and lives in the 21st century. PFIR is non-partisan, has no political agenda, and does not engage in lobbying. PFIR has been founded in November, 1999 by Lauren Weinstein of Vortex Technology in Woodland Hills, California and Peter G. Neumann of SRI International in Menlo Park, California. Both have decades of continual experience with the Internet and its ancestor ARPANET, Lauren originally at the UCLA lab which was the ARPANET's first site, and Peter at the net's second site, located at SRI. Peter is the chairman of the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, and the creator and moderator of the Internet RISKS Forum. Lauren is a member of that same committee, and he is the creator and moderator of the Internet PRIVACY Forum. With the rapid commercialization of the Internet and its World Wide Web during the 1990's, there are increasing concerns that decisions regarding these resources are being irresponsibly skewed through the influence of powerful, vested interests (in commercial, political, and other categories) whose goals are not necessarily always aligned with the concerns of individuals and the people at large. Such incompatibilities have surfaced in areas including domain name policy, spam, security, encryption, freedom of speech issues, privacy, content rating and filtering, and a vast array of other areas. New ones are sure to come! While corporate, political, and other related entities most certainly have important roles to play in Internet issues, it is unwise and unacceptable for their influences to be effectively the only significant factors affecting the broad scope of Internet policies. There are numerous examples. While e-commerce can indeed be a wonderful tool, it is shortsighted in the extreme for some interests to treat the incredible creation that is the Internet as little more than a giant mail order catalog, with ".com" associated hype on seemingly every ad, billboard and commercial. Protection of copyrights in a global Internet environment, without abusive monitoring, is a challenge indeed. The Internet can be a fantastic tool to encourage the flow of ideas, information, and education, but it can also be used to track users' behaviors and invade individuals' privacy in manners that George Orwell never imagined in his "1984" world. PFIR is a resource for discussion, analysis, and information regarding Internet issues, aimed at providing a forum for *ordinary people* to participate in the process of Internet evolution, control, and use, around the entire world. PFIR is also a focal point for providing media and government with a resource regarding Internet issues that is not controlled by entities with existing major vested financial, political, or other interests. This is accomplished through the PFIR Web site, the handling of telephone and e-mail queries, and through digests, discussion groups, reports, broadcast and Internet radio efforts, and other venues. For full details about People For Internet Responsibility, including information regarding how you can participate in or keep informed about PFIR activities (including the PFIR Digest mailing list), please visit the PFIR Web site at: http://www.pfir.org Individuals, organizations, media, etc. who are interested in more information regarding PFIR or these Internet issues are invited to contact: Phone, Fax, or E-mail: Lauren Weinstein TEL: +1 (818) 225-2800 FAX: +1 (818) 225-7203 lauren@pfir.org Please send any physical mail to: PFIR c/o Peter G. Neumann Principal Scientist Computer Science Lab SRI International EL-243 333 Ravenswood Ave. Menlo Park, CA 94025-3493 USA Thank you very much. Be seeing you! Lauren Weinstein Peter G. Neumann 16 November 1999 ------------------------------ Date: Fri, 12 Nov 1999 14:21:46 -0500 From: "Keith A Rhodes" Subject: Businesses could owe millions for popular Year 2000 bug fix It turns out the windowing technique used frequently by Y2K remediators to postpone the Y2K problem (reinterpreting two-digit dates ij: from 00 to xy as 2000+ij, and from xy+1 to 99 as 1900+ij) was patented in 1998 by Bruce Dickens, at McDonnell Douglas Corp, now Boeing. He wants to collect big-time. However, that technique seems to have existed long before the patent application was submitted (for example, in the 1960s on one-digit year software). I guess we'll have to wait and see what happens. (There are apparently also 30 other much more specific patents on Y2K fixes.) [Source: Associated Press item by Anick Jesdanun, 11 Nov 1999; PGN-ed] [NOTE: It will be interesting if the companies then ask Mr. Dickens to fix the problem after the window expires. Keith] [The patent office seems to be overwhelmed these days, and is issuing many patents for which prior art CLEARLY existed at the time. The entire patent process seems to be getting out of control. PGN] ------------------------------ Date: Fri, 12 Nov 1999 14:18:04 +0900 From: Dave Fossett Subject: Japan rail ticket system crash due to 11/11/11 11:11 Newsgroups: misc.transport.rail.misc The MARS ticket reservation computer system for the nationwide JR network crashed spectacularly at 11:10 on the 11th November 1999. The reason was not initially clear, but while some speculated it was a kind of Y2K-like problem, the most obvious cause seemed to be the overwhelming number of requests for tickets printed with the date and time 11/11/11 11:11. In the Japanese calendar, 1999 is written as Year 11, being the 11th year of the current emperor. Dave Fossett, Saitama, JAPAN [via Andre Sintzoff] ------------------------------ Date: Sat, 13 Nov 1999 21:10:55 +0900 From: Hiroshi Naito Subject: Japan rail ticket system crash due to 11/11/11 11:11 Newsgroups: misc.transport.rail.misc The following is supplemental info of this incident. The JR's ticket reservation and issuing system crashed on the day at around 11:11 because of intensive access caused by ticket collectors who were in favor of a string of 10 "1" letters (11, 11, 11, 11,11) printed on a platform ticket (Nyujo ken in Japanese). The first two digits indicate the year of Heisei 11 in original Japanese era designation still in use as well as the year in the Christian calendar. Regular train tickets have time stamping printed up to date, but a platform ticket is printed up to minutes. At that time, the ticket collectors suddenly started purchasing platform tickets through the MARS system. The rate of platform tickets issued is usually only about three percent of the entire tickets while it reportedly soared up to 75 percent at 11:11 on the day. Besides, the system requires 150% more processing time per transaction for a platform ticket compared to for a regular train ticket. This situation caused a massive load on the central computer beyond its ticket issuing capability and resulted in the computer down. This seems to be a good lesson as to the Y2K issue. The transport-related systems must be well verified and has been fixed for the date processing problem of Y2K, however, this incident suggests implication of system downs all over the world on 2000, 1, 1, caused by unexpected overwhelming transactions. Hiroshi Naito [via Andre Sintzoff] [I also received another take on this problem written by Nina Thorsen, sent via Martin Minow. PGN] ------------------------------ Date: Fri, 12 Nov 1999 18:49:43 -0800 From: Ursula Martin Subject: Computer prompts increase errors? http://www.newscientist.com/ns/19991106/newsstory1.html This is a story about experiment suggesting more errors when relying on computer prompts than when reading instruments manually. ------------------------------ Date: Mon, 8 Nov 1999 21:44:52 -0800 (PST) From: Adam Elman Subject: Re: Y2K creates "horseless carriages" (Doty, RISKS-20.64) "Horseless carriage" is a legal designation used by some states to indicate a particular type of automobile registration, usually for early-20th-century cars. It's not an issue of a DMV programmer picking an odd-sounding category. Of course, this points out a RISK of transient URLs; the San Jose Mercury usually leaves articles up only for a few days before they move them into their archive, where you have to pay to retrieve back content. However, I was able to find this article by searching on "horseless carriage" in both the San Jose Mercury News site and the Portland, ME Press-Herald (http://www.portland.com/) -- which makes it seem much less of an urban legend. Adam [also noted by many other contributors! Thanks. PGN] ------------------------------ Date: Thu, 18 Nov 1999 15:01:49 -0600 (CST) From: Anthony Garcia Subject: Possible risks in not examining end-user license agreements? Dialpad (www.dialpad.com) is a recently launched free net-to-telephone gateway service. The marketing literature on their website states: "Dialpad.com is the world's first free Java-based web-to-phone service. With Dialpad.com, you can make unlimited free phone calls to anybody in the US as long as the other party has a valid phone number." and "There is absolutely no cost involved in using Dialpad.com. The per call cost of Internet telephony is much lower than that of regular telephony. We bear the costs of calls you make and cover them with the revenue generated from banner ads." To use the service, you have to download a Java applet that runs on your machine. Downloading the Dialpad client program requires that you click an "I Accept" button at the bottom of a web page containing their End User License Agreement, at http://www.dialpad.com/license_agreement.html The Dialpad EULA starts off by identifying "The Dialpad.com Website" as "(the "Website" or "Site")" and continues off into the usual sort of EULA verbiage. However, about halfway thru, it includes an interesting clause I've never noticed before on any other EULA: Dialpad.com cannot and does not guarantee or warrant that the files available for downloading from the Site will be free of infection or viruses, worms, trojan horses or other code that manifest contaminating or destructive properties. You are responsible for implementing sufficient procedures and checkpoints to satisfy your particular requirements for accuracy of data input and output, and for maintaining a means external to the Site for the reconstruction of any lost data. YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THE SITE, SOFTWARE, SERVICE AND THE INTERNET. It seems rather strange for Dialpad to make this disclaimer about their own software's behavior. Should we beware of Greeks bearing gifts, in this case? Can such a clause in an agreed-to EULA successfully indemnify someone who installs a Trojan Horse program on your machine, allowing them to claim your consent? Anthony Garcia ------------------------------ Date: Tue, 16 Nov 1999 15:56:29 +0000 (GMT) From: Lloyd Wood Subject: Microsoft Y2K liability I didn't know I _was_ a Microsoft (UK) customer. Must be because they own Apple. And I refuse to take seriously any Y2K statement ending with: MOREOVER, MICROSOFT DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OR THE RESULTS OF THE USE OF ANY MICROSOFT YEAR 2000 STATEMENT IN TERMS OF ITS CORRECTNESS, ACCURACY, RELIABILITY, OR OTHERWISE. disclaiming everything previously said, and sent by some clueless organisation that can't wrap to less than 80 chars. PGP [Get the full message from Lloyd if you are curious. PGN] ------------------------------ Date: Wed, 17 Nov 1999 19:24:52 +0000 (GMT) From: Lloyd Wood Subject: Risks of Office 2000 (Pointed out to me by Adam Kirby.) Try this in Office 2000. Open a new document. Type 'Hello World'. Save as HTML. View source of the saved document. The length of the resulting document (three pages!) firmly places this in the 'extend' part of 'embrace and extend'. Risk? We're going to be drowning networks in even more redundant crud. PGP ------------------------------ Date: Thu, 11 Nov 1999 19:02:56 +0100 From: Jean-Jacques Quisquater Subject: Re: Sarah Flannery (RISKS-20.16) Do you remember Sarah Flannery and her new cryptoalgorithm? Here are some links: http://jya.com/flannery.htm http://www.intel.com/pressroom/archive/backgrnd/co51198a.HTM (including Gordon Moore and George Bush!) http://www.girlscientist.org/links.html See also comp.risks 20.16 (15 J. 99) Subject: 16-yr-old Irish girl's crypto system With comments by PGN The story continues: http://www.esat.ie/youngscientists/new/students/eu.htm http://www.cordis.lu/improving/src/hp_ys.htm http://europa.eu.int/comm/dg12/press/1999/pr2509en.html http://europa.eu.int/comm/dg12/press/1999/pr2509en_ann.pdf And the paper http://cryptome.org/flannery-cp.htm Thanks to John Young. ------------------------------ Date: Sun, 07 Nov 1999 17:38:33 -0500 From: Kent Quirk Subject: Slashes in spreadsheets (Re: RISKS-20.64) > From: Vicky Larmour > ...why should forward slash be treated as an ALT press, but not if I > am already editing text in a cell? Ah, bitten by "ancient" history. See, back in the days when Lotus was King and Microsoft a wannabe, Lotus 1-2-3 was effectively an operating system on a lot of computers. There were huge numbers of people who started it up in the morning and used it all day long for everything -- not just spreadsheets, but letters, graphics, etc. 1-2-3's menu system (before any attempt at GUI standards and before the mouse was common) was invoked by hitting slash. Once you got used to it, you really really liked it. So /fr was "menu file retrieve", etc. Lotus was forced by its customers to support this mode of usage in future spreadsheets. It did so by popping up a little dialog box containing nothing but the original 1-2-3 menu when you hit the slash key; whatever command you typed would then be translated to Windows GUI commands for you. (During the internal development process of the Windows version of 1-2-3, when this feature was introduced, the dialog box was labeled "Same as it ever was.") Microsoft was busy watching the Lotus look-and-feel lawsuit around this time, and they presumably didn't wish to be *quite* as obvious as popping up a 1-2-3 menu system. So instead, they made the slash key invoke the windows menu in the same way that Alt does. > Why isn't this listed in the keyboard shortcuts in the Excel help? Probably because they had hopes of making it go away someday, and they didn't want to create a generation of users that depended on it. Kent Quirk, Game Designer, kent_quirk@cognitoy.com http://www.cognitoy.com/ ------------------------------ Date: Tue, 09 Nov 1999 15:11:00 -0800 From: mseecof@seatimes.com Subject: DVD crypto was intended to be weak Sure, the DVD CCS encryption scheme was weak. Weak methods are cheap and easy to implement. Since people analyzing licensed software decoders would've broken even strong encryption of DVD movies, movie vendors had no incentive to pay for anything but weak encryption. They prefer to fight piracy with jackbooted enforcement of ill-conceived laws like the "Digital Millennium Copyright Act," an interesting Herman-Kahn'ian case of relying on deterrence rather than defence. ------------------------------ Date: Mon, 15 Nov 1999 11:37:28 -0600 From: "Andrew R. Thomas-Cramer" Subject: Amazon password change requests poorly authenticated The Web business Amazon.com will provide new account passwords over the phone given only heavily-distributed public knowledge. Access to the account allows ordering with its credit-card number. Because I'd forgotten my Amazon password, I called via voice to change it. I was asked first for: * My e-mail address. * The last purchase. Since I didn't recall my last purchase, I was asked instead for: * My e-mail address. * My name. * My zip code. * The last four digits of my phone number. I think it's in the realm of possibility that one or two other people might know my e-mail address, name, zip code, and phone number. I haven't yet received an e-mail notice that my password has changed, but it's been only ten minutes. Fortunately, the shipping address for an order can't be changed unless the credit card number is re-entered. However, this only reduces, not eliminates, the risk of theft, and it doesn't forestall pranks. BTW, this e-mail was *not* sent from the same address referenced by my Amazon account. ------------------------------ Date: Tue, 9 Nov 1999 14:32:46 +0100 From: David Mediavilla Subject: Who protects me from the protectors? The Agencia de Protección de Datos ( http://www.ag-protecciondatos.es/ ) is the Spanish authority that registers and oversees use of personal data (names, addresses,...) in private and official files. They offer a form ( http://www.ag-protecciondatos.es/dato4.htm ) for requests from citizens. The form redirects to a ~secure~ server https://wwws.servicom.es/ag-protecciondatos/dato4.htm . There, you _must_ (according to standard procedure https://wwws.servicom.es/ag-protecciondatos/por_que.htm ) provide your personal data (name, postal address, e-mail address). It is the first time an official organization requests my postal address and e-mail address at the same time. But I may think that since these people are the ones who defend me against privacy breaches, they will keep my privacy. All this trust is lost because, in the jump to secure HTTP, they used an SSL 2.0 certificate from RSA Data Security valid until _12/10/99_ 23:59:59. David Mediavilla Ezquibela ------------------------------ Date: Sun, 14 Nov 1999 22:51:27 -0500 From: "Bill Royds" Subject: Risks of advertisements in software A company called Conducent (http://www.conducent.com also called TimeSink) is offering to pay creators of free Microsoft Windows software if the software contains modules to display banner ads when the software is used. These modules are installed on the client's machine when the freeware is installed and is added to the user's start-up entry in the Windows Registry file without informing the user of the fact. This is an entry for TSADBOT.exe in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run entry. Shareware the does this includes PKZipW and Cute-FTP. When the user runs the software, an Internet connection is attempted to a bank of computers controlled by Conducent, posting information about what program is running and other information about the user. This seems to be the method by which Conducent determines which software is running for royalty payments. It also uses the information to determine which advertising to show the user. This is very similar to the Trojan horses that worry people so much and is probably illegal in countries with strong privacy laws. If someone was able to intercept these transmissions they could determine internal network and personal information about a user. Many users would not install these programs if the realised the nature of how the advertising works. But an even worse fate occurs if the AdBot is thwarted in its attempts to connect to Conducent by a firewall or other controls. It starts to attempt to connect continually, about 10 times/second causing a huge load on local network facilities. If it can't connect even then, it tries to connect using Telnet and other ports with the background AdBot retrying the HTTP connects after several hours. Bill Royds, 3414 McCarthy Road, Ottawa, ON K1V 9A1 Canada 1-513-733-7727 BRoyds@home.com ------------------------------ Date: Fri, 12 Nov 1999 17:30:33 -0500 From: Lorrie Cranor Subject: Workshop on Freedom and Privacy By Design (Note the extended deadline) DEADLINE REMINDER, CALL FOR PARTICIPATION WORKSHOP ON FREEDOM AND PRIVACY BY DESIGN COMPUTERS, FREEDOM, AND PRIVACY 2000 --> Submissions due November 30, 1999 <-- Westin Harbor Castle Hotel, Toronto, Canada, 4-7 April 2000 http://www.cfp2000.org/ This announcement is at http://www.cfp2000.org/workshop PURPOSE: CFP has traditionally focused strongly on legal remedies as essential instruments in the fight to ensure freedom and privacy. But law is often very slow to catch up to technology, and has limited reach when considering the global scope of modern communication and information technologies. This workshop instead explores using -technology- to bring about strong protections of civil liberties which are guaranteed by the technology itself---in short, to get hackers, system architects, and implementors strongly involved in CFP and its goals. Our exploration of technology includes (a) implemented, fielded systems, and (b) what principles and architectures should be developed, including which open problems must be solved, to implement and field novel systems that can be inherently protective of civil liberties. We aim to bring together implementors and those who have studied the social issues of freedom and privacy in one room, to answer questions such as: o Implementation o How can we avoid having to trade off privacy for utility? o What sorts of tools do we have available? o What sorts of applications may be satisfied by which architectures? o What still needs to be discovered? o What still needs to be implemented? o Is open source software inherently more likely to protect civil liberties, or not? Should we push for its wider adoption? o Motivation o How do we motivate businesses to field systems that are inherently protective of their users' civil liberties---even or especially when this deprives businesses of commercially-valuable demographic data? o How can we encourage users to demand that implementors protect users' rights? o Evaluation criteria o Given some particular goal(s) for a particular project or technology--- such as protecting privacy---can we tell in advance if the end result is likely to help? o How can we tell if a system, once fielded, has achieved its goal(s)? The intended end products of this workshop are: o Ideas for systems that we should field, and o Implementation strategies for fielding them. ------------------------------ Date: 23 Sep 1998 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 19" for volume 19] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 20.65 ************************