precedence: bulk Subject: Risks Digest 20.74 RISKS-LIST: Risks-Forum Digest Sunday 9 January 2000 Volume 20 : Issue 74 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Y2K multiple billings (PGN) 100 years overdue (PGN) Sprint PCS network problems on 1 Jan 2000 (Chenxi Wang) MKS Toolkit Y2K glitch (Ray McCormack) Y2K archives (Lindsay Marshall, Keith Rhodes) Pete de Jaeger bit by Y2K (Debora Weber-Wulff) Northwest Airlines may have leaked credit-card numbers (Jeremy Epstein) Risks of assuming a friendly radio environment (Fernando C Pereira) Re: Just found my first Y2K bug! (Dana Carpender) NTSB website has Y2K test data mixed in with real data (John Clarke) Bogus message in live service for Quicken (Stephen Page) Re: Microsoft MSIE Y2K Insanity: The last word? (Andrew D. Fernandes) Teenage computer vandal sentenced to year in jail (NewsScan) What has changed (Bertrand Meyer) Network Associates WebShield -- Mail Content Alert () SSH: an ineffectual "feel-good" security measure (William Colburn) Jail for possessing a debugger? More on DVD encryption cracked (Hamie Marson) CFP: Workshop on Security and Privacy in E-Commerce (Anup K. Ghosh) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sat, 8 Jan 2000 12:20:13 PST From: "Peter G. Neumann" Subject: Y2K multiple billings The approximately 100,000 merchants using CyberCash's IC Verify transaction software were given the opportunity to install a free upgrade for Y2K, but some of the merchants apparently did not get the fixes. Those who did not do so are apparently rebilling each customer transaction in the new year once each day until the fix is installed. Visa and Mastercard have installed software that attempts to catch the multiple transactions, but you'd better check your statements anyway. ------------------------------ Date: Fri, 7 Jan 2000 16:43:45 PST From: "Peter G. Neumann" Subject: 100 years overdue In one of many reports of off-by-one-hundred Y2K effects, a few dozen Florida truckers received bills saying they were 100 years late in payments. Some people received bills for 100 years' back interest. There were even reports of people whose bank accounts temporarily showed 100 years' accumulated interest. No surprises there to long-time RISKS readers. Asymmetrically, we have also had a few reports of people being credited with 100 years worth of interest, although these seem rather specious if you are getting interest from 1900 to 1999, rather than from 1999 to 1900. ------------------------------ Date: Fri, 7 Jan 2000 17:41:35 -0500 (EST) From: Chenxi Wang Subject: Sprint PCS network problems on January 1st I spent the new year in Manhattan and yes, I was in Times Square new year's eve. After the ball dropped, I started calling friends to wish them a happy new year, and I was not able to make a single call on my Sprint PCS phone despite the very strong PCS signal I got. What made it worse was I could not receive any calls or voice mail during the day on the 1st and my outgoing calls (including calls to check voice mail) were switched to digital roaming calls despite the fact that Manhattan was in Sprint's service area. The problem lasted all day on the 1st, and into parts of the morning on the 2nd. A later conversation with a Sprint's service representative revealed that Sprint's network was jammed in several metropolitan areas including New York city during the 1st, and they were routing some of their traffic through Bell Atlantic or AT&T's network, which explained the mysterious roaming calls. Chenxi ------------------------------ Date: Sun, 02 Jan 2000 09:34:40 +0000 From: Ray McCormack Subject: MKS Toolkit Y2K glitch MKS Toolkit Scheduler (Version 6.1) seems to have a problem with the Y2K date rollover. The application runs fine and must work off the system clock which also appears to be fine . The "Next Event" status how ever, shows that the next backup is on June 9, 2005 even though it performs daily backups properly. Ray McCormack, Solutions Consultant, McCormack Consulting 13215-C8 SE Mill Plain blvd. PMB 242 Vancouver, WA 98684 1-360-241-3092 ------------------------------ Date: Wed, 5 Jan 2000 11:31:35 +0000 (GMT) From: Lindsay.Marshall@newcastle.ac.uk Subject: Y2K archives I'm sure you'll know about this, but just in case: http://y2kmistakes.com has a wonderful archive of screenshots of Y2K affected sites. http://catless.ncl.ac.uk/Lindsay ------------------------------ Date: Wed, 05 Jan 2000 09:03:42 -0500 From: "Keith A Rhodes" Subject: Y2K archives Some amusing, generally harmless, Y2K snafus can be seen at the following URL. Look under "affected sites" in the upper left-hand corner. http://kwikware.com/y2kmistakes/ ------------------------------ Date: Thu, 6 Jan 2000 10:43:23 +0100 From: Debora Weber-Wulff Subject: Pete de Jaeger bit by Y2K Sorry, I can' help this: On http://www.year2000.com/y2kbugbytes.html We have the following headline on Jan. 6, 2000: Year 2000 Bug Bytes Updated January 5, 1900 at 23:21 (UTC) Pete de Jaeger has a nice article on "Why no Chaos?" at http://www.year2000.com/y2kchaos.html, however. Prof. Dr. Debora Weber-Wulff, Technische Fachhochschule Berlin 13353 Berlin, Germany weberwu@tfh-berlin.de http://www.tfh-berlin.de/~weberwu/ ------------------------------ Date: Fri, 7 Jan 2000 16:26:03 -0500 (EST) From: Jeremy Epstein Subject: Northwest Airlines may have leaked credit-card numbers I saw the following AP item on InfoBeat, a clipping service, but have not yet located it anywhere else. In particular, I have not located this information on NorthWest's web page. Northwest Airlines is alerting customers who recently made purchases on its Frequent Flier Web site that their credit-card numbers and personal information were unprotected because of a programming glitch. The problem arose when a computer programmer doing maintenance on the site put the system back on line, but forgot to restore the security system. [PGN-ed] Users have come to expect encrypted traffic, and frequently don't check the icon. Guess we need to be more careful! ------------------------------ Date: Fri, 07 Jan 2000 21:53:01 -0500 From: Fernando C Pereira Subject: Risks of assuming a friendly radio environment According to a BBC News story dated Jan 6, 2000 , pirate broadcasters have learned how to use the Radio Data System (RDS) to force car radios that implement the standard to stay tuned to the pirates' broadcasts while within range of their transmitters. A radio with RDS active will switch temporarily to any station that broadcasts the appropriate embedded digital signal. This is intended to allow reception of brief traffic announcements, but the pirates repeatedly send the signal in their broadcasts to keep such radios tuned to them. The problem can be avoided by switching off the RDS feature on a radio, but then of course one loses legitimate traffic information. I only have the slightest acquaintance with RDS so I cannot evaluate the accuracy of the story, but the RDS standards document "SPB 490 Universal Encoder Communication Protocol (UECP)" obtainable from does not mention security at all. Fernando Pereira [Also noted by Aydin Edguer and Russ E. Cage. PGN] ------------------------------ Date: Wed, 05 Jan 2000 17:31:04 -0500 From: Dana Carpender Subject: Re: Just found my first Y2K bug! Newsgroups: alt.fan.cecil-adams [Forwarded to RISKS by msb@vex.net (Mark Brader)] radio2@bigfoot.commm wrote: > I was just in my friendly neighborhood health food store. Got into a brief > discussion with the guy behind the counter, about Y2K. He pointed out a > box of Barbara's Cereal, which carried an expiration date of July 1900! > Guess it's been sitting on the shelf, there at Flanagan's, for a mighty > long time ... > -- Geno I win. Ages ago I realized that my driver's license says it expired in 1000. Boy, what's the penalty for driving on a millennium-overdue license? Dana W. Carpender http://www.holdthetoast.com Author, How I Gave Up My Low Fat Diet -- And Lost Forty Pounds! [In case you wondered, YES, it showed 1000 as a 4-digit year. She lives in Indiana. MSB] ------------------------------ Date: Tue, 4 Jan 2000 11:05:42 -0600 From: "John Clarke" Subject: NTSB website has Y2K test data mixed in with real data The National Transportation Safety Board maintains a database of all aviation incidents in the US, and provides web access to capsule descriptions of various accidents. These are available by month (http://www.ntsb.gov/aviation/months.htm), so I suspected that there might be some issues with the display or breakdown of the data once we rolled into 2000. The website seems to be working correctly, however, with the exception of a strange entry in January 2000. The accident location (normally City,State) shows "TESTVILLE" and the link is http://www.ntsb.gov/aviation/DCA/99A999.htm (note the 99A999.htm is normally an incident number). The link itself fails to be retrieved, so I assume the test data has been removed from part of the database. I'm sure we'll see many similar manifestations of Y2K testing in the coming weeks and months. John Clarke P.S. Apologies to the citizens of TESTVILLE if it really does exist and a plane crashed there this month. ------------------------------ Date: Sun, 02 Jan 2000 19:26:16 +0000 From: Stephen Page Subject: Bogus message in live service for Quicken Intuit, who make Quicken (a popular personal and small business financial management application) provide an online service to update share prices, currency rates etc. Recently users connecting to Intuit's UK server have been automatically offered an application upgrade with the following message: "There is an upgrade available to updated [sic] your current version of Quicken 2000. Would you like to download the update now ? Don't be afraid, it is just a test : My name is Nour". Clicking on "Tell me more" gives the message "This version has some improvements in all the area [sic]". This raises two issues: 1. Either test code has leaked into live service or their site has been hacked. In either case, it is a serious security breach for software which is trusted (e.g., a Trojan horse could create access to users' personal financial data). 2. Intuit has a policy of sell-cheap / charge-lots-for-support which means that there is no way to find out what has happened without waiting for the New Year holiday period to be over, then paying $1/minute. How nice: the opportunity to pay to get information about their operational failures :-) This is a major breach of trust and it is to be hoped that Intuit will take it seriously. Perhaps a public apology via RISKS? ------------------------------ Date: Wed, 05 Jan 2000 15:11:36 -0500 From: "Andrew D. Fernandes" Subject: Re: Microsoft MSIE Y2K Insanity: The last word? I guess I'd only say that if a web developer wanted to use dates in JavaScript, they would: 1) have to do a lot of nit-picky detective work, reading documentation from Netscape, Microsoft, and the EMCA, to discover the "correct" way to display the year, 2) end up with a script that still wouldn't work on most people's browsers, and, 3) learn that they shouldn't have bothered anyway, since some standards group will no doubt later change the "standard" yet again in a way that breaks all previously written scripts. Yeesh. All this pain, sweat, and confusion just to display a bloody date on a bloody web browser. Small wonder that software reliability issues are gaining attention in the new century... Andrew D. Fernandes , Cryptonym Corporation Telephone +1 919 469 4714 ------------------------------ Date: Wed, 22 Dec 1999 07:31:37 -0700 From: "NewsScan" Subject: Teenage computer vandal sentenced to year in jail Described by his lawyer as "a disturbed young man" suffering from depression, 19-year-old Jay Satiro of New Rochelle, NY, has been sentenced to one year in jail for cracking into America Online computers and causing an estimated $50,000 in damages. Satiro had been an AOL technical support volunteer and had used knowledge obtained from his job to break into the company's systems and replace AOL programs with his own. [AP/*USA Today*, 21 Dec 1999) http://www.usatoday.com/life/cyber/tech/ctg955.htm; NewsScan Daily, 22 Dec 1999, reproduced with permission] ------------------------------ Date: Thu, 30 Dec 99 13:57:45 PST From: Bertrand_Meyer@eiffel.com Subject: What has changed Call me naive, but I can't help marvel, risks or not, at what is going on. Here I am, on the penultimate day of the millennium (OK, I know, that will be next year, but what's wrong with celebrating twice?), listening through minuscule speakers on my computer to a broadcast of perfect sound quality from a site half-way around the world. It's playing something I know, but I can't just recall what it is. So I catch four Italian words on the fly and type "senza perdere un momento", not forgetting the quotes, into AltaVista. A second later, and perhaps fifteen seconds after I first asked myself the question "what is this?", I have the answer, thanks to someone at Stanford who keeps the full text of Donizetti's "Don Pasquale" on his Web pages. Just a few years ago none of this would have been possible. I wouldn't have had a clue where to begin my search. Even a trip to the UCSB library would have been unlikely to help. The prospects of using computers for advancement of human knowledge are all around us; they are staggering. Let's remember this as we continue (as well we should) worrying about the associated risks. Bertrand Meyer, Interactive Software Engineering/Monash University http://eiffel.com, http://tools-conferences.com ------------------------------ Date: Tue Jan 04 04:17:31 2000 From: [irrelevant] Subject: Network Associates WebShield -- Mail Content Alert Network Associates WebShield SMTP V4.5 Beta 2 on prometheus2 intercepted a mail from which caused the Content Filter HTTP to be triggered. [Lots of RISKS issues lately have been blocked. Perhaps Y2K is now considered to be a dirty word. In some other cases RISKS copies were rejected because they were too long. Apparently some temporary Y2K virus filters believe that if mail is longer than 10K, it might contain a virus or Trojan horse. The assumption that viruses are bigger than 10K seems specious. PGN] ------------------------------ Date: Mon, 20 Dec 1999 00:34:14 -0700 From: "Schlake ( William Colburn )" Subject: SSH: an ineffectual "feel-good" security measure When I first read the report of RST breaking the netscape algorithm I was caught up in the moment. Netscape should have known better than do something so foolish! Then I read the next comp.risks and I felt like a fool. There is a great risk in pretending to have security when you really have none. I think many people believe that ssh protects them from wrong-doers, and that nothing bad can happen to them if they use ssh. The authors of the Internet Auditing Project(1) have a good story to tell about ssh, as do the people who run the web site for rootshell.org(2). Some sys-admins here at work are rabid about ssh. They have disabled telnet and rlogin for "security" reasons, and naively believe that ssh is somehow more secure. Ssh protects the data stream between two secure machines. Anyone sitting between the two machines can't tell what is going on in the ssh stream because of the encryption. The risk to the user is assuming that either end is secure. Where I work, the important servers don't run telnet or rlogin, because those protocols are "insecure". The servers only run ssh. Our network is switched. In order to sniff packets an attacker either needs to be in the machine room with a cable plugged into the switch, or they need to be on either of the two machines that the traffic is going between AND they need to be root. If they are root on either machine, then they can: a) read the unencrypted TTY instead of the encrypted stream b) read the local secret keys and decode the stream on the fly c) replace ssh with a Trojan d) trace the program and extract the unencrypted data from the write()s e) many more things I can't think of right now If no one has compromised my system, then it is safe to use telnet to login between machines. If someone has compromised my system however, I might as well use telnet since I can't trust ssh anymore. If no one has compromised my system, and I need to login over an untrusted network, and I have a secure machine to login from, then ssh is the perfect tool. Where am I going to find a secure machine outside my network? I bet there are lots of secure machines all over the place, but I will never know which ones they are. If security is really important to me, I will never log in to any computer from any other computer I don't own (and hence trust) myself. That means I that if I need to login to work when I am off site, that I need to have my own laptop that I keep powered down, encased in cement, buried in a vault, and guarded by an army (and even then can I really be sure it is secure)? Last week I spent an entire day at work wondering how to protect my mail server from all the trouble that is expected from people trying to hide under the veil of Y2K. I took ssh out of the inetd.conf, and told everyone that they have to log in on console from now on. (1): http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32 (2): http://www.rootshell.org/mailinglist-archive/rs-25 ------------------------------ Date: Fri, 17 Dec 1999 08:29:03 +0000 From: Hamie Subject: Jail for possessing a debugger? More on DVD encryption cracked (20.66) "Daniel A. Graifer" makes an interesting point that a debugger & a screwdriver may be analogous when comparing intent to commit a crime. But I believe that the menace behind the law & the practice of encrypting region coded disks is far more insidious... It's not about stopping casual, or even determined piracy. They can encrypt & degrade all they like to try & foil copying. But at the end of the day, a picture has to appear on a screen somewhere for someone to see it. There is no way they can stop a determined person or corporation from taking a copy of that unless they own & control everything in between. Their attempt to push this law through is more akin to denying you access to a screwdriver to fix your own lock in case it breaks, or because you don't like the colour of the door... Why shouldn't I have the means to play a legally bought DVD on my laptop using Linux? Why should I have to pay money (If it were possible) to some faceless company who may perhaps come out with a DVD player, that may create a player for my favourite OS, on my favourite hardware? ------------------------------ Date: Wed, 5 Jan 2000 09:26:56 -0500 From: "Anup K. Ghosh" Subject: CFP: Workshop on Security and Privacy in E-Commerce The First Workshop on Security and Privacy in E-Commerce Athens, Greece, 4 Nov 2000 http://www.rstcorp.com/conferences/wspec00/ held in conjunction with the ACM Conference on Computer and Communications Security, http://www.ccs2000.org Preliminary Call for Papers The First Workshop on Security and Privacy in E-Commerce seeks to bring together practitioners and researchers to address the real-world security and privacy concerns in e-commerce. We are seeking contributions on topics in security and privacy that will enable the e-commerce systems of tomorrow to be developed more securely and robustly without compromising individual privacy rights. The workshop will focus on group discussion and collaboration in identifying the important problems and potential solutions in this important topic area. Proceedings from the workshop will be published and distributed to attendees. Highest quality papers will be published in a book and widely distributed after the workshop. We are seeking research papers, business case studies, or system designs that address security and privacy concerns in any of the following topic non-exclusive areas: - anonymizing e-commerce/Web transactions - component-based software in e-commerce - databases access control - denial of service attacks and countermeasures - detecting anomalous database transactions - detection and recovery from Internet-based attacks - e-commerce protocols - e-commerce systems - Internet client risks - malicious software or Trojan functionality - mobile agents in e-commerce - novel attacks and countermeasures - privacy negotiation/bartering - privacy risks with cookies/tokens/identifiers - software analysis and certification. Submissions will be accepted for regular research papers, case studies, and panel proposals. Abstract submission deadline: May 1, 2000. See http://www.rstcorp.com/conferences/wspec00/ for complete Call for Papers. Anup K. Ghosh, Ph.D., Program Chair ------------------------------ Date: 13 Dec 1999 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 19" for volume 19] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Also, new AUSTRALIAN archive http://mirror.aarnet.edu.au/risks/ PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 20.74 ************************