precedence: bulk Subject: Risks Digest 20.95 RISKS-LIST: Risks-Forum Digest Wednesday 19 July 2000 Volume 20 : Issue 95 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Anti-spam legislation (NewsScan) Google allows anonymous spam (Lloyd Wood) British law would allow police to intercept e-mail (NewsScan) Clinton administration plans on wire taps & encryption (NewsScan) ID theft finally coming to the fore (PGN) Mother's maiden name as security check (Bill Tolle) Navy to use Windows 2000 on aircraft carriers (Nancy Leveson) House rejects Internet gambling bill (NewsScan) Italian crash exposes risks of online stock trading (Keith A Rhodes) DC Metro can't label rerouted trains (Wm. Randolph Franklin) Illinois man dies after utility cuts power (Bill Higgins) Fox network misprograms time on US VCRs for a year (Michael D. Crawford) Company lost domain name (Arthur J. Byrnes) Royal Mail claims web orders encrypted when they aren't (Gary Barnes) London Underground magnetic ticket bug (Boyd Roberts) Man charged with breaking into NASA computers (Keith A Rhodes) A self-referential risky accident (Michael L. Cook) Re: Australian DST rules changed for Olympics (Fraser McHarg) Re: Software upgrade cancels train tickets (Matt Fichtenbaum) Re: UK Millennium Bridge instability (Charles Arthur) Re: Another Win95/DOS interaction (Lloyd Wood) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 19 Jul 2000 12:28:55 -0700 From: "NewsScan" Subject: Anti-spam legislation The U.S. House of Representatives passed 427-1 a bill that would require senders of unsolicited commercial e-mail messages to provide a valid return e-mail address that recipients of the messages could use to take them off the mailing list. Under the law, the Federal Trade Commission could bring legal actions again spammers who willfully ignore it. Violators could also be sued by Internet service providers. [AP/*USA Today*, 19 Jul 2000) http://www.usatoday.com/life/cyber/tech/cti244.htm; NewsScan Daily, 19 July 2000] ------------------------------ Date: Wed, 12 Jul 2000 18:23:16 +0100 (BST) From: Lloyd Wood Subject: Google allows anonymous spam http://services.google.com/cgi-bin/emailresults?/search?q= In providing an 'e-mail these results to friends' service, Google is allowing completely anonymous mail delivery; just delete the filled-in search text and go. The risk is that this will be used for spam or for harassment; Google headers and footers mean that Google will get any blame. If you're ranked highly on a particular google search, this becomes an obvious and convenient promotional tool for you: you're 'recommended by Google!'. Or, if you miss anon.petit.fi, this may be good news, since tracing the source without contacting Google is made less straightforward. Received: from services.exo.google.com (crawler.googlebot.com [209.185.253.175] (may be forged)) by ns.google.com (8.9.3/8.9.3) with ESMTP id JAA11738 for ; Wed, 12 Jul 2000 09:58:25 -0700 Unlike hotmail et al, Google doesn't even append an initial Received: header providing the IP address of the originating machine or proxy; just a somewhat useless 'may be forged' warning. I can't see this service staying in its current state long. PGP ------------------------------ Date: Wed, 19 Jul 2000 12:28:55 -0700 From: "NewsScan" Subject: British law would allow police to intercept e-mail The British government appears likely to enact legislation that would allow law enforcement authorities to intercept personal and corporate e-mail messages and would require Internet service providers to install, at their own expense, surveillance equipment that would resend some of their customers' messages to a monitoring center run by the domestic security service, MI5. A government official argued that "the powers in the bill are necessary and proportionate to the threat posed by 21st century criminals, no more, no less." The bill has angered civil libertarians, and a spokesperson for Amnesty International in London said: "What this does is contravene a large number of fundamental rights in the European convention on human rights and other international standards, which include the right to privacy, the right to liberty, the right to freedom of expression, and the right to freedom of association." [*The New York Times*, 19 Jul 2000 http://www.nytimes.com/library/tech/00/07/biztech/articles/19britain.html; NewsScan Daily, 19 July 2000] ------------------------------ Date: Tue, 18 Jul 2000 08:49:33 -0700 From: "NewsScan" Subject: Clinton administration plans on wire taps & encryption A speech by White House chief of staff John D. Podesta has pleased the business community with the Administration's new software encryption policy, which will loosen export controls on encryption technology, but upset civil libertarians with the Clinton Administration's position on allowing law enforcement agencies to monitor Internet traffic. Barry Steinhardt of the American Civil Liberties Union said the government's attempt to expand wiretapping on the Internet "represents a grave threat to the privacy of all Americans by giving law enforcement agencies unsupervised access to a nearly unlimited amount of communications traffic." [*The Washington Post*, 18 Jul 2000, http://www.washingtonpost.com/wp-dyn/articles/A57330-2000Jul17.html; NewsScan Daily, 18 July 2000] ------------------------------ Date: Thu, 22 Jun 2000 09:59:00 PDT From: "Peter G. Neumann" Subject: ID theft finally coming to the fore The RISKS archives are chock full of reported cases of people being victimized by identity theft. An article in *The Washington Post*, 13 Jul 2000, notes that the Federal Trade Commission has logged at least 20,000 phone calls since starting its toll-free hotline eight months ago. Complaints include masquerading with other people's Social Security numbers -- fraudulent loans, setting up bogus credit-card accounts, and so on. The Internet is clearing creating new opportunities, partly because of the huge amount of information available. The pending Kyl-Feinstein Senate legislation would outlaw the sale of SSNs, require better validation of credit-card address change requests, make fraud-alert notations part of credit reports once you have reported an identity theft, and provide you with free yearly credit reports (presumably only YOURS). [How about forbidding the ubiquitous use of SSNs and other easily attainable information as authenticators, not just identifiers? And while we are at it, how about getting rid of reusable passwords floating around in the clear? PGN] ------------------------------ Date: Tue, 18 Jul 2000 21:39:25 -0500 From: "Bill Tolle" Subject: Mother's maiden name as security check When you call many credit-card companies [and banks], they ask for your Mother's Maiden Name as verification when you want to obtain information about the account. The State of Texas has now placed many birth records on the Internet, including the mother's maiden name. Go to http://userdb.rootsweb.com/tx/birth/general/search.cgi Enter "Smith" as Surname Leave all other fields blank. The search engine will return 35,072 names (first, last, and middle) with birth dates and the Mothers Maiden name (first, last, and middle) and Father's name (first, last, and middle). Bill Tolle [Of course, the real crime is that the SSN and MMN are used as AUTHENTICATORS, as we have noted here many times. But this database really escalates the identity-theft problem. PGN] ------------------------------ Date: Thu, 13 Jul 2000 18:30:26 -0400 From: leveson@sunnyday.mit.edu Subject: Navy to use Windows 2000 on aircraft carriers A press release on 13 Jul 2000 says that "Lockheed Martin Naval Electronics systems announced that Microsoft Federal Systems is joining the Integrated Warfare Systems Team supporting the design and development of the CVN 77, the nuclear-powered aircraft carrier Newport News Shipbuilding is providing to the U.S. Navy. Microsoft Federal Systems, based in Washington D.C., will help design the ship's information technology architecture based on the company's Windows 2000 platform." The Navy never seems to learn (remember the fiasco they had using Windows NT on their cruisers). [Yorktown, RISKS-19.88, 20.37] Prof. Nancy G. Leveson, Software Engineering Research Lab (SERL), Aero/Astro Dept., MIT, Cambridge, MA 02139-4307 1-617-258-0505 http://sunnyday.mit.edu "Information technology is becoming a key part of everything the aerospace and defense industry does for a living, and as the century closes it is computers and software that hold the keys to the future ... Companies that exploit information technology most effectively will be the most likely to dominate the aerospace landscape in the 21st century." David Hughes, *Aviation Week & Space Tech.*, 21/28 Dec 1998 ------------------------------ Date: Tue, 18 Jul 2000 08:49:33 -0700 From: "NewsScan" Subject: House rejects Internet gambling bill The U.S. House of Representatives gave the Internet gambling industry a victory by failing to muster the two-thirds majority set as a requirement by House leaders in its 245 to 159 vote on a bill to ban online casinos. The votes in favor of the ban fell 25 short of the requirement. Sue Schneider of the Interactive Gaming Council said: "It appears that cooler heads have prevailed here. We have a brand new medium we're dealing with. We don't have the same kind of borders we had before." But Rep. Robert Goodlatte (R-Va.), who sponsored the bill, scoffed at the notion that it was anti-Internet: "One way to promote the Internet is to make sure that the seamy side of life is dealt with on the Internet. Just like child pornography has to be dealt with on the Internet, so does unregulated, out-of-control, illegal gambling." [AP/*San Jose Mercury News*, 17 Jul 2000, http://www.sjmercury.com/svtech/news/breaking/ap/docs/206358l.htm; NewsScan Daily, 18 July 2000] ------------------------------ Date: Mon, 10 Jul 2000 15:54:03 -0400 From: "Keith A Rhodes" Subject: Italian crash exposes risks of online stock trading Milan's stock exchange (Europe's fourth largest) opened 8 hours late on 5 Jul 2000, after corruption of the authorized-dealer database resulting from testing of a new covered-warrants market the previous evening -- evidently a maintenance glitch. Brokers claimed losses of 20 billion lire (US$9.9M) from lost commissions. (The London exchange had an 8-hour blackout in April 2000.) [PGN-ed from http://www.cnn.com/2000/TECH/computing/07/10/system.crash.idg/index.html; ------------------------------ Date: Tue, 11 Jul 2000 16:02:33 -0400 From: wrf@ecse.rpi.edu (Wm. Randolph Franklin) Subject: DC Metro can't label rerouted trains On 4 Jul 2000, the Washington DC Metro (subway) system changed the routes of the several of their lines to accommodate the large number of passengers expected to see the fireworks. This was a major effort, involving taping a replacement route map over every route map in the whole system (trains and stations), printing flyers, and stationing people at the entrances to answer questions. Unfortunately, the SW wouldn't let them couldn't change the destinations listed on the computerized signs on the trains themselves. So, the trains from Reagan airport that went to Rosslyn were labeled SPECIAL YELLOW, instead of ROSSLYN, and staff had to make frequent announcements telling what that meant. Apparently, the list of possible destinations, which the computerized signs could display for each route, was hardcoded into the trains, and couldn't be changed. That is, the old, cardboard, signs were more flexible than the new, computerized signs. I'll let you draw the moral. Wm. Randolph Franklin, Electrical, Computer, and Systems Engineering Dept., Rensselaer Polytechnic Institute ------------------------------ Date: Wed, 12 Jul 2000 18:18:53 -0500 From: Bill Higgins-- Beam Jockey Subject: Illinois man dies after utility cuts power I found the following story at the *Chicago Sun-Times*. > Man dies after ComEd cuts power > > July 12, 2000 > > BY DAN ROZEK AND STEVE WARMBIR SUBURBAN REPORTERS > > An elderly Aurora man who used an electrically powered oxygen system > to help him breathe died in his home several hours after ComEd shut > off the power because he was behind in his bills. In Aurora, Illinois, Eric Shackelford, an 81-year-old man, used oxygen 24 hours a day to help him breathe; he suffered from "severe heart disease." His daughter, Renia Thomas of Chicago, claims that the power cutoff shut his oxygen down, and may bring a wrongful-death lawsuit against the power company, Commonwealth Edison. The story reports, however, that a roommate says Shackelford had two oxygen systems, one of which did not depend on electrical power. The RISKS relevance is in the dispute over record-keeping. The family says that Shackelford's doctor had sent at least two letters to ComEd asking that power not be shut off. > A ComEd spokesman, however, said the utility had never received enough > information to determine that Shackelford was entitled to be added to > a list of about 1,000 customers who needed continuous electric power > for medical equipment. ComEd files contain only one letter from a > doctor regarding Shackelford, ComEd spokesman Don Kirchoffner said. > > "We would never, ever cut the power to anyone we thought was on life > support," Kirchoffner said. [...] > A final notice sent in June said > Shackelford should notify ComEd if he had medical equipment that > required electricity, and there's no record anyone contacted the > utility, Kirchoffner said. [...] > Kane County Coroner David Moore said it was unclear whether the power > shutdown caused or contributed to Shackelford's death. It would be interesting to know more about the process by which a power company keeps track of customers who are dependent on power. How do you make such a process fail-safe? Bill Higgins Fermi National Accelerator Laboratory ------------------------------ Date: Sat, 15 Jul 2000 11:58:26 -0700 From: "Michael D. Crawford" Subject: Fox network misprograms time on US VCRs for a year http://dailynews.yahoo.com/h/nm/20000714/tc/life_vcr_dc_2.html describes how Fox Broadcasting Corp. sent out a signal that programmed the time for VCRs with an automatic time setting feature to be US Pacific time for about a year, regardless of whether the VCR was located in another time zone. The result was that VCR owners across the country found the time set on their machines wrong and they couldn't figure out why. The problem was uncovered by the San Jose Mercury News. Apparently one is supposed to defer to local stations to set the time. The *Mercury News* article is here: http://www.mercurycenter.com/svtech/news/breaking/merc/docs/001688.htm Apparently also a northern California PBS station reprogrammed viewers' VCRs 24 minutes fast for about two years. > ``We don't really know how much simpler to make it,'' Tom Hantson, > national product manager for Panasonic Consumer Electronics Co., a > prominent VCR manufacturer, told the Mercury News. ``But no matter how > simple you make it, it's not simple enough.'' Michael D. Crawford crawford@goingware.com http://www.goingware.com [Also noted by Tom Van Vleck. PGN] ------------------------------ Date: Mon, 10 Jul 2000 00:39:18 -0400 From: "Arthur J. Byrnes" Subject: Company lost domain name >J.P. Morgan & Company (worth $21 billion) lost its Internet connectivity on >13 Jun 2000 because they failed to pay their $35 bill from Network Solutions >for their jpmorgan.com domain: three bills ignored over six weeks. Since reading these type of stories, and not wanting to lose my 3 letter domain to the same kind of "ignorance", I have been keeping a close eye on my domain registration. My domain was due to expire July 31, 2000 Now according to NSI's web site, here is how it should work; >Under normal conditions, 30 days before the annual renewal fee is due, >Network Solutions' will send an invoice to the billing contact by postal and >electronic mail. Payment is due within 30 days. If payment is not received >by the due date, the domain name is subject to deactivation and deletion. >The registrant is solely responsible for ensuring that their Web Address >remains active. I received neither the e-mail, or the snail mail notification that NSI says I should have. Yes, the e-mail and snail mail contact info are correct and complete. So, my personal experience makes me wonder where the blame actually lies in these stories. I know that if I worked for a dot.com, I'd be checking all of my employer's domains expiration dates. Arthur J. Byrnes ------------------------------ Date: Tue, 18 Jul 2000 14:18:27 +0100 From: Gary Barnes Subject: Royal Mail claims web orders encrypted when they aren't A couple of weeks ago I wanted to order a substantial quantity of stamps, and so went to the Royal Mail web site (http://www.royalmail.com/). I clicked on the "Business Solutions" link at the foot of their front page, and was taken to http://www.royalmail.com/atwork/ where there's a sidebar in which "Shop" appears twice. Following this link takes one to http://www.royalmail.com/shop/index.htm, "The Shop". I then clicked on "Stamps and Envelopes for business", and started to place my order. When prompted to enter my credit card number to pay, I checked the URL of the frame containing the form asking for these details. It was http://www.royalmail.com/shop/direct/order.asp, and wasn't encrypted. When I checked the "Security" link at the left of this very same page, I was told (http://www.royalmail.com/shop/security.htm): "Worried about security? For your ease of mind, all orders sent from your computer to our web servers for products featured on this Internet web site will be secured through the use of encryption technology" In fact, there is a certificate for www.royalmail.co.uk, and I was able to place an encrypted order via https://www.royalmail.co.uk/shop/direct/order.asp I contacted the webmaster to point out that their shop didn't use a secure URL, and received a reply saying that this would be fixed as soon as possible, but this hasn't been done nearly two weeks later. The RISK here is that customers will believe a web site that says "all orders sent from your computer to our servers [...] will be secured through the use of encryption technology", especially when the organisation responsible is as "trustworthy" as Royal Mail, and then trustingly send their unencrypted card details over the Internet. There's also the RISK that once alerted to such mistakes companies won't or can't act to fix the problem in a timely fashion, or at least remove their incorrect boasts of being "secure". Another contributory RISK seems to be the use of relative URLs such as "direct/order.asp" instead of absolute URLs such as "https://www.royalmail.co.uk/shop/direct/order.asp". Gary Barnes ------------------------------ Date: Tue, 18 Jul 2000 14:24:19 +0200 From: boyd.roberts@ca-indosuez.com Subject: London Underground magnetic ticket bug When I was in London last week, I'd just gone out through the ticket barrier with my magnetic ticket. Then I re-entered because I'd seen a timetable which had some information I needed. So far, so good. When I tried to get out my ticket was refused. A London Transport employee explained to me that there was a timer on the ticket. You can't get out until either the timer expires or you find someone to let you out. This is atrocious design. They are trying prevent you from entering multiple people with the same ticket but the timer runs in both senses; entry and exit. I guess they're just very lucky that you can't get to your destination too quickly. It could be even worse; say there's a fire and you need to get out and the station is not staffed. Who'd get sued over that? LT? The system designers? Could be interesting / catastrophic. The Paris Metro, RER and SNCF does this right. There's an entry timer, but it's not used to control exiting. Boyd Roberts ------------------------------ Date: Thu, 13 Jul 2000 07:14:45 -0400 From: "Keith A Rhodes" Subject: Man charged with breaking into NASA computers A 20-year-old man was arrested Wednesday for allegedly breaking into two computers owned by NASA's Jet Propulsion Laboratory and using one to host Internet chat rooms devoted to hacking. Raymond Torricelli of New Rochelle, N.Y., was named in a five-count complaint that also charged him with sending unsolicited advertisements for a pornographic Web site and intercepting passwords and usernames traversing networks of computers owned by Georgia Southern University and San Jose State University. He was also accused of stealing credit card numbers that were used to make more than $10,000 in unauthorized purchases. Court papers, which were unsealed in Manhattan federal court, alleged Torricelli was the head of a hacker group known as "#conflict'' and that he used the name ``rolex.'' [Source: Reuters, 12 Jul 2000] ------------------------------ Date: Thu, 13 Jul 2000 15:40:25 -0500 From: "Michael L. Cook" Subject: A self-referential risky accident I live in "semi-rural" Iowa, in an area where most house are on acreages mixed in and around farm-land. Neighboring houses are well in sight, but not close together as in a traditional suburban neighborhood. The local telephone company has been laying fiber optic cable for the last couple of years for this rural area. They subcontract the trench cutting and physical cable placement to others. This morning on our neighbor's property, a man was guiding a trenching machine ("Ditch Witch") to where a trench was to be cut. The heavy morning dew made the grass slippery, and the machine slid down the side of the roadside ditch. The man tried to leap aside, but was knocked into the air by one of the tires of the rolling machine as it started its slide downhill. The man fell 10-15 feet into the ditch and landed on his back. Fortunately, the machine did not roll over him. Also fortunately, my family and I were outside at the time, and my wife saw him fly through the air. We all started running to the scene. My wife got there first and yelled to call 911. I yelled to her to go to the neighbor's house, just a few yards away from her. I ran back to our house to also place a call just in case she couldn't. I called 911, and rescuers responded in a few minutes, and the man seemed all right, but was transported to the nearest large hospital several miles away. However, my wife was unable to call from the neighbor's house. Why? The trenching folks had disabled the phone line in order to do their work! A co-worker of the injured man didn't seem panicky, but apparently didn't remember that he had a phone in his truck. Risk: Don't have an accident while working on stuff you've disabled, since you might need that equipment if you have an accident! ------------------------------ Date: Mon, 10 Jul 2000 08:58:57 +1000 From: Fraser_McHarg@nag.national.com.au Subject: Re: Australian DST rules changed for Olympics (Lutton, RISKS-20.94) September is actually early spring in Australia, spring starts 1st September here. DST normally starts on the last Sunday of October. Microsoft is "taking it calmly" doesn't actual inspire me. My NT machine at work has never got daylight savings time correct, although W98 has (until this year at least). The biggest risk is not the changing of the date of daylight savings but having different states that are normally on the same timezone, or same difference, suddenly being different. Fraser McHarg, Melbourne, Australia ------------------------------ Date: Sun, 09 Jul 2000 14:29:17 -0400 From: Matt Fichtenbaum Subject: Re: Software upgrade cancels train tickets (Shorrocks, RISKS-20.94) > There is no substitute for complete lack of proper testing or for > un-necessary software changes. I interpret that as "Complete lack of proper testing is an absolute requirement." Lose a minus sign, did we? :-) ------------------------------ Date: Tue, 4 Jul 2000 11:39:04 +0100 From: "Charles Arthur, The Independent" Subject: Re: UK Millennium Bridge instability (Woolf, RISKS-20.92) (It shut on the Monday having opened on the Sunday. The problems were less on the Sunday, though still noticeable to people who walked over.) Worries that the bridge was overloaded are wrong, said Arup's Tony Fitzpatrick... It could support 5 times the maximum number of people you could stand on it, unless you started carrying people on your shoulders. The interesting upshot of this, announced on 28 Jun, is that this really is a new phenomenon in bridge problems. It's caused by the pedestrians and the bridge acting as mutual exciters: certain spans of the bridge (it has three) have resonant frequencies around 1 Hz, which is roughly walking speed. This means that when the bridge begins moving from side to side, people move sideways to keep their balance - increasing the forces making the bridge swing. Very nice animations of what happened (exaggerated) at http://www.arup.com/MillenniumBridge/images/videos/mode_5.avi and http://www.arup.com/MillenniumBridge/images/videos/mode_6.avi plus explanations generally in the "engineering" section of the site (http://www.arup.com/MillenniumBridge/). Interesting, of course, that they can simulate it now but not before... Which does bear out the risks noted above. However, it wouldn't have mattered if this was being done by computers or fusion-powered elves. Nobody had encountered it before (apart, it is suggested by Arup, from a Japanese stadium where the manufacturer insisted that the problems should not be publicised for fear of losing face). So they couldn't design against it. ------------------------------ Date: Wed, 5 Jul 2000 23:42:43 +0100 (BST) From: Lloyd Wood Subject: Re: Another Win95/DOS interaction (Epstein, RISKS-20.93) > Unfortunately, "/on" *really* means "sort in alphabetic order by the > 8.3 short name of the file". There doesn't seem to be a way to tell > the "dir" command I want it to sort the real name of the file, not > the abbreviation. The 8.3 "abbreviation" is in fact the real name of the file. Windows is hamstrung by its legacy support. PGP ------------------------------ Date: 13 Dec 1999 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 19" for volume 19] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. http://the.wiretapped.net/security/textfiles/risks-digest/ . ==> PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 20.95 ************************