Subject: RISKS DIGEST 19.00 ()
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest issue summary
Volume 19 : Issue 00 ()

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
SUMMARY OF RISKS VOLUME 19 (1 April 1997 to whenever)

(NOTE: This issue is archived in ftp file risks-19.00 .)

----------------------------------------------------------------------

SUMMARY OF RISKS VOLUME 19 (1 April 1997 to whenever)

RISKS 19.01 1 April 1997
French computer systems found to be immune to Y2K problems (John O'Connor)
The Year 2100 Problem: a simple solution (Martin Minow)
Microsoft buys Sun (Mark Stalzer)
Maybe we should start a "savoracle" e-mail address (Martin Minow)
The risk of perceiving the usual as normal (Gene Wirchenko)
Spry policy change causes e-mail denial (Michael Miora)
Unsecure online banking (David Ross)
AT&T Worldnet snafu/scam (Matt Holdrege)
Free book because computers cannot lie (Mich Kabay)
Re: Computer model blamed for $83 Million loss (Mark Stalzer)
Re: RISKS of tracking packages (Matt Welsh)
Correction for ``hard core bits'' reference (Paul Eggert)
Re: all-ways green lights (Mark Brader, Steve Summit, Dik T. Winter)
"Child Safety on the Internet" by Distefano (Rob Slade)

RISKS 19.02 02 April 1997
Strange buzzing sound in computer mouse caused by solar wind (Martin Minow)
CalTrain computer stolen -- rider alert (Adrian Brandt via Al Stangenberger)
Another NT security flaw (PGN)
Re: The Year 2100 Problem: a simple solution (Mark S. Fineman)
Embedded Chips Suffer from Year 2000 Problem, Too (Edupage)
Re: Greenwich Mean Time just changed by 1 hour (A. Grant)
Daylight savings time (Andre Sintzoff)
UPS Tracking System experience [name withheld by request]
Meta-risks of browser flaws (Matthew D. Healy)
Re: SSL Browser Vulnerability Discovered (Eric Rescorla)
Vulnerable Web forms (Anup K. Ghosh)
Re: Risks of automatic spam blockers (Dan Zerkle)
Spam-proofed "From:" lines (Wayne Mesard)
Re: UK Banks' clearing system problem (Jerry Leichter)
Microsoft Typography: Bug or Feature? (Rodger Whitlock)
COMPASS '97 conference agenda (Dolores Wallace)

RISKS 19.03 3 April 1997
New Zealand Police system (Richard A. O'Keefe)
RISKS of disconnecting without first connecting (Bryan O'Sullivan)
Re: UK TTP licensing proposals (Michael Bacon, Ross Anderson)
Another Y2K Problem for Banks (Bruce Horrocks)
All-ways green lights ... it's all in the timing (Richard Cook)

RISKS 19.04 4 April 1997
Moynihan Commission hooked on Penpal virus hoax (George Smith)
Sheriff prefers jail-door computer malfunction to April Fool's joke (Darrell R. Pitzer)
The ghost of the Pentium FDIV bug (Frank Solomon)
War story on errors in library versions (John Paulson)
Re: CalTrain computer stolen -- rider alert (Mike Lipsie + Al Stangenberger)
Emergency! Crisis in the Cockpit, by Stanley Stewart (Robert Dorsett)
Spam, the naming of parts (Dan Sheppard)
But I don't LIKE spam... (John Oram)
Re: Spam-proofed "From:" lines (Curt Sampson, Tim Pierce)
Re: Risks of automatic spam blockers (C Matthew Curtin, Ted Wong, Harlan Rosenthal, Dan Franklin, J. DeBert)

RISKS 19.05 7 April 1997
Social Insecurity (Simson L. Garfinkel)
Identity Theft (PGN)
More on the Guyana Telephone Scam (Dewi Daniels)
Woman trapped in tanning bed (Michael Mahr)
Time-change risks and DECnet (Ian Brogden)
Follow-up on Joseph Jett (Rich Mintz)
Re: Elections Canada and the Net (Mark Brader)
Not a forgery! (Vivek Sadananda Pai)
Re: The ghost of the Pentium FDIV bug (Allan Heydon)

RISKS 19.06 10 April 1997
NY City electronic voting machines: $20 million wasted (Ed Ravin)
YAAXF: Yet Another ActiveX Flaw (David Kennedy)
RISKS of Mail Merge for Ontario Tories (Mich Kabay)
RISK of power of two: 25.6 mm per inch! (Richard Black)
BMW fixes transmission via dialup to car (Nick Zervas)
Re: Generating randomness (Paul C. Kocher)
Programs broken by daylight savings time switch? (Earl Truss)
Re: DECnet time-change (Larry Kilgallen, Jerry Leichter)
Re: Greenwich Mean Time just changed by 1 hour (Jeff Uphoff)
Re: Y2K: revenge of originality (Charlie Shub)
Blue Cross automated SSN update system (Jeremy Epstein)
SSA Web/PEBES and Cross-Matching (John M. Willis)
Re: Social Insecurity (Richard Hollands)
PEBES "security" even weaker than described (D.V. Henkel-Wallace)
Re: Meta-risks of browser flaws (Rob Bailey)
Re: Not a forgery! spamming (Vivek Sadananda Pai, Simson L. Garfinkel)

RISKS 19.07 14 April 1997
Swedish Narcotics Police Demand Telephone Card Database (Martin Minow)
AOL Mail Latency (Dave Kennedy)
Parkers pass out uncompliments (Michael O'Donnell)
Old RISK: ``Computers are never wrong.'' (Joe Carlet)
Risks of user migration (Al Donaldson)
UK and Y2K: $50 billion (PGN)
UK MoD and Y2K: 100 million pounds to reboot missiles (Geraint Price)
GMT and Win95 (Michael Bacon)
Computer kiosks (Bob Frankston)
"Crack-A-Mac" contest results (Martin Minow)
Magic-number reuse (Paul Brebner)
Air collision RISK from increased accuracy (John Brooks)
Re: RISKS of Mail Merge for Ontario Tories (Mark Brader)
Re: Blue Cross automated SSN update (Harlan Rosenthal)
Fun with export/import controls (Steve Gibbons)
On the naming of names (Danny House)
Telecommunications & Democracy: Historic Citizens' Report (Richard Sclove)

RISKS 19.08 15 April 1997
Bizarre case of techno-harassment (PGN)
Fake "PGP CRACKED" message lures users into trap (Derek Ziglar)
When BC: really means CC: in e-mail (David Kennedy)
The risk of a personalized act of kindness (Sam Lepore)
New Trolling Scam on MSN (David Kennedy)
IVHS vehicles and safety assumptions (Rich Mintz)
Re: Parkers pass out (Simson L. Garfinkel)
Re: Computers are usually right! (Bob Morrell)
Y2K scenarios: a call for a vote (Bob Morrell)
More on GMT vs BST: RS6000 (David Alexander)
Re: GMT, BST, and "current civil time" (John Styles, Martin Minow)
Re: Standard to Daylight and back (Sergio Gelato)
Risks of not using Ridiculously Priced Technology (Sara Thigpen)
Re: RISKS of Mail Merge for Ontario Tories (Tim Kuehn)

RISKS 19.09 17 April 1997
Why Bre-X crashed the Toronto Stock Exchange (Dave Wortman)
"Big Glitch Hits MSN E-mail" (PGN)
"Heading off emergencies in large electric grids" (IEEE Spectrum via PGN)
"My Hairiest Bug War Stories" (CACM via PGN)
The risks of not using your own security measures [name withheld by request]
Daylight savings change problem (Steve Doig)
Using GPS as your time standard (Bernard Lyons)
Re: Fake "PGP CRACKED" message lures users into trap (Fred Cohen)
Re: DES Challenge risks (Thomas Koenig)
Re: Social Security--the other side (Carey Tyler Schug)
Re: YAAXF: Yet Another ActiveX Flaw (Russ Cooper)
They fixed one! 11-digit dialing in San Diego (Mark Seecof)
Re: Risks of Mail Merge for Ontario NDP (Mark Connolly)
Daylight Time and UTC (Maggie Iaquinto)
Re: More on GMT vs BST: RS6000 (Andrew Yeomans)
Re: GMT, BST, UTC and all (Ian Miller, Bernard Lyons, Ian Stephens)
"Network Security" by Kaufman/Perlman/Speciner (Rob Slade)

RISKS 19.10 22 April 1997
Paperclip stopped trains in Finland (Jari Mäkelä)
2 jets in near-miss approaching LAX; pilot blames autopilot (PGN)
Re: Air collision risk from increased accuracy (Mike Rogers)
Privacy Legislation (Edupage)
Re: cyberstalker: house invasion a hoax (Ron Pfeifle)
Re: cyberstalker: RISKS of assuming "high-tech" (Mich Kabay)
Re: Hairiest Bug Stories (Steve Sapovits)
Y2K and PARSLEY: Upgrade woes (Pete Mellor)
Re: GMT and UTC (Martin Minow)
Year-2000 Cost Estimates Rise (Edupage)
Re: RISKS screwups on time changes (Michael Bacon)
Re: IVHS vehicles and safety assumptions (Alan M. Hoffman, Mich Kabay)
Law Review Article on Spam (Martin Minow)
Re: Risks of automatic spam blockers (Dimitri Vulis)
Re: "Crack A Mac" contest (Martin Minow)
Addendum to DES Challenge RISKS (Thomas Koenig)
Re: 11-digit dialing (Lauren Weinstein)
Reminder on Privacy Digests (PGN)

RISKS 19.11 28 April 1997
Java security flaw (Dirk Balfanz/Drew Dean/Edward Felten/Dan Wallach)
Mad Cows: Trust the computer (Charlie Lane)
Chicken Little, where are you when we need you? (A. Padgett Peterson)
Poltergeist beds (Mich Kabay)
Microsoft redefines comic strips! (Marc Salverson)
Computer Contributes to 747 Tail Scrape (Mike Rogers)
Death by Equifax (Chuck Jerian)
Re: Hairiest Bug Stories (Henry G. Baker)
When software vendors drop products (Mark Seecof)
Re: Elevators vs stairs: the risks of distrust (Geert Jan van Oldenborgh)
Re: Air-collision risk due to improved --i.e., GPS-- accuracy (Hal Lewis)
Re: IVHS: fly-by-wire risks (David Alexander)
Risks of what everyone "knows" (A. Padgett Peterson)
Re: IVHS vehicles and safety assumptions (Kevin Clifton)
Re: Cyberstalker: house invasion a hoax (Michael Shiplett)
YOMDSTCS: Yet One More DST-Change Story (Varda Reisner Bruhin)
Crypto '97: Information and Registration (Bruce Schneier)

RISKS 19.12 2 May 1997
Internet routing black hole (PGN)
California child-support deadbeat database flawed (PGN)
Levi Strauss personnel data stolen (PGN)
Risks of credit fraud and identity theft, and PEBES (PGN)
James Sanders' Book on TWA 800 (Peter Wayner) [name corrected in archive]
I see a new idea for 1-900 service: prescriptions by modem (Rob Bailey)
Motorola may take legal action over health claims (Mich Kabay)
Re: Reuters techie brings down trading (PGN)
A Labour-ious spelling-checker story (Finn Poschmann)
A spell-binding RISK (Mike Lee)
On the naming of names (Adrian Robson)
Risks of electronic thesauri (Steve Schafer)
Re: More on GMT vs BST: RS6000 (Dave Sparks)
Re: YOMDSTCS: Yet One More DST-Change Story (Steve Work)

RISKS 19.13 9 May 1997
Time-Bomb Ticks In No-Name Pentium Motherboards (Mich Kabay)
Cyber Promotions slammed, spammed, and dammed (PGN)
Power system loss, despite multiple redundancy at London Telehouse (Tim Sheen)
No more fingers in the dike: big flood gates (Geert Jan van Oldenborgh)
Netscape News reader risk (Lindsay F. Marshall)
Bug in Netscape shows whose C compiler they use (Paul Robinson)
Is E-Mail Safe? (John Mainwaring)
Norwegian surveillance camera (Martin Minow)
Year 2068 problem (Adam Shostack)
Dept of stupid statistics: Internet fraud (Richard Schroeppel)
Social benefits of comp.risks (Harold Asmis)
Keypunching data leaks (David Kennedy)
Re: A Labour-ious spelling-checker story (Paul Andrew Solomon Ward)
Swedish Phreaker Fined (David Kennedy)
Re: James Sander's Book on TWA 800 (Marty Ryba, Fred Ballard, Clark Merrill, Pete Mellor, Mark Stalzer)

RISKS 19.14 14 May 1997
Russian nuclear warheads armed by computer malfunction (Matt Welsh)
All your eggs in one basket! Telehouse power and UK Net outage (Azeem Azhar)
Yet another web page hacked: Swedish meat balled up (Martin Minow)
Judge throws out 2 out of 3 DEC keyboard verdicts (Edupage)
Kansas Sex-Offender Database seriously flawed (Robert Davis)
Internet Explorer runs arbitrary code: MIME type overridden (Mark Fisher)
GAO report says Pentagon overpaid contractors by $$millions (Fred Ballard)
Risks of Ignoring Scale (Fred Ballard)
Unsecure Databases (Steve Branam)
A definitive clarification of time measurement (John Laverty via Peter B. Ladkin)
Y2K fixed? But what about the month? (Phillip G. Felker)
DES challenge news (Thomas Koenig)
MD5 weakness and possible consequences (Thomas Koenig)

RISKS 19.15 15 May 1997
Pentium II math flaw (John Sheehy)
Re: Time-Bomb Ticks In No-Name Pentium... (Henry G. Baker, Joan L Brewer)
Re: US Navy response to USS Vincennes airliner shootdown (Jonathan Thornburg)
Re: Power system loss, despite multiple redundancy (Ray Todd Stevens)
Re: No more fingers in the dike: big flood gates (Nick Brown, Amos Shapir)
Re: Swedish Phreaker (Kurt Fredriksson)
ACM lacks $50 (Bertrand Meyer)
Signature scam? (John Elsbury)
Dialing someone who became `road kill' on the Information Superhighway (Paul Robinson)
RISKS of subscribing yourself to an e-mail database service (Steve Andre')
Choosing and protecting your password: NOT! (Mike Wilson)
Re: Year 2069 problem (Hallam-Baker)
Workshop on safety-critical systems standards (Victoria Stavridou)
FMICS2 Programme and Call for Participation (Diego Latella)
RiskWorld (Mary Bryant)

RISKS 19.16 17 May 1997
Power outage crashes 1529 Bank of America ATMs (Mathew Lodge)
Poorly debugged new software results in $98,000 mistake (Tim Rushing)
More high-tech driver's license systems stolen (Gary Grossoehme)
On-line brokerage-trading passwords in plaintext (Cliff Helsel)
Security of Social Security Administration Database (John Pescatore)
Re: MD5 weakness and possible consequences (Wayne Mesard, Geoffrey Leeming)
The Year 65536 bug bites early! (Joshua M Bieber)
Re: ~2K (Bob Frankston, Peter B. Ladkin)
newmediagroup.com headers were forged in junk e-mailing; retaliation against my public anti-SPAM activities (Jim Youll)
Re: ACM lacks $50 -- or not... (James K. Huggins, Fred Cohen)
"Electronic Democracy" by Browning (Rob Slade)

RISKS 19.17 21 May 1997
RISKS of Key-Recovery Encryption (Matt Blaze)
Sun exploits loophole in crypto ban (PGN, Michael C. Taylor)
Election Reporting in a NaNy State (Mark Brader)
Risks of paying attention to uncontrolled e-voting (Ashley Craddock via Mich Kabay)
Another Computer Bug: Ants in the Machine (Mich Kabay)
Information-Hiding Workshop (Ross Anderson)
Re: newmediagroup.com headers were forged ... (Arnt Gulbrandsen)
Taking redundancy too literally (Bruce Horrocks)
Frequency standards (Hal Lewis)
Clock synchronization and relativity (Andrew J Klossner)
Re: ~2K (William Lewis, Hal Lewis, Mark Stalzer, Greg Smith, Bob Frankston)

RISKS 19.18 22 May 1997
Software problems with new-generation air-traffic control center (Peter B. Ladkin)
On-line change of postal address (Peter Scott)
Petrol bowser fun and games (Stuart Lamble)
Anti-spam bill introduced in U.S. House (Jim Griffith)
Anti-spam bill introduced in U.S. Senate (Lance J. Hoffman)
E-mail disaster: inadvertent use of a mailing list (Don Byrd)
DEC's OpenVMS has Y2K problem on 19 May 97: UNIX compatibility (Smith and O'Halloran plus Tim Shoppa)
Risks of key recovery - and likely ineffectiveness (Clive Page)
Security risks from active usenet articles (Steve Atkins)
Java security architectures/testing methodology/flaws (Emin Gun Sirer)
Abortion.com suspends poll (Mich Kabay)
Re: Power system loss, despite multiple redundancy (Al)
Re: Fire ants and computers (James H. Haynes)
Re: Clock synchronization and relativity (Wayne Hayes)
Double Positives (Barry Jaspan)
Re: Time-Bomb Ticks in No-Name Pentium ... (William Hacker)
Risks of out of context information (Richard Brodie)

RISKS 19.19 29 May 1997
FBI sting nabs man trying to sell 100,000 credit-card data items (PGN)
Computer fraud in subscribing to telephone service? (Thomas Brazil)
Oklahoma bombing trial transcripts (Henry G. Baker)
Area-code switcheroo (Gary McGraw)
How Secure Is AT&T's WorldNet Security? (Brian S. McWilliams)
Eavesdropping tools used by drug barons (Peter Wayner)
AltaVista stores username/password for shopping malls (Fredrik Pihl)
Re: On-line brokerage-trading passwords in plaintext (Hal Lewis)
Risks of lying on return address of spam (Mich Kabay)
Anti-spam bill introduced in U.S. Senate (Abigail)
Re: E-mail disaster: inadvertent use of a mailing list (Dorothy Denning, Joe Carlet)
Re: JVM verification (Li Gong)
General relativity vs special relativity (Steven M. Schweda)
Re: Fire ants and computers (Simson L. Garfinkel, Vexxallarius Venturi)
Re: On-line change of postal address (G. Allen Morris III, Evan McLain)
Final version of "Risks of Key Recovery" available (Matt Blaze)

RISKS 19.20 31 May 1997
Spam and yeggs? Brake fast, or be devoured! (PGN)
KGB infiltrates MI5 on the hotline (Mich Kabay)
Privacy and car navigational systems (Don Norman)
Prison guards leak sensitive computer data (David Kennedy)
Runaway train-ticket vending machine (Tim Pietzcker)
Lost Pond: Jurassic Duck (Mich Kabay)
Risks of caring for an electronic pet (Mich Kabay)
Florida "Computer Gang" Members Arrested (David Kennedy)
Grappling with the risks of ATMs and heavy machinery (John Oram)
Re: How Secure Is AT&T's WorldNet Security? (Steve Bellovin)
Microsoft and Privacy ("cooler" via Mich Kabay) [added para in archive copy]
Re: Computer fraud in subscribing to telephone service? (Geoff Kuenning)
Re: Postal Service change of address (Lauren Weinstein)
Re: General relativity vs special relativity (Frederick G.M. Roeber)
Call for Papers -- IFIP WG 11.3 Working Conf on Database Security (Sushil Jajodia)

RISKS 19.21 5 June 1997
Programmed Tunnel-Digging Robot (Robert J. Sandler)
Cashless not crashless (David Hood)
Revenge spam hits antispammer (Beth Arnold)
Anti-spam missile misfires... (Reuben G. Torrey and Richard Karash)
Big Brother strikes again... Netcheck New Zealand (Bruce J. Fitzsimons)
When is 0 not 0? The wonderful world of the Web (Clarke Christopher Turrall)
Java has a similar problem to the 2000-year problem (Quinton Jansen via Lindsay F. Marshall)
Attack on California's electric power infrastructure (Betty G.O'Hearn)
Indictments for Computer Chip Theft (Edupage)
Commands without timeout (Nick Brown)
Re: Computer fraud in subscribing ...? (Kevin McCullen)
Re: newmediagroup.com headers were forged ... (Barry Brown)
Re: Florida "Computer Gang" Members Arrested (Mich Kabay)
Uniform password method (Ken Knowlton)
Re: Microsoft and Privacy (Marnix Arnold)
Re: Time-zone bug in Canadian election (Mark Brader)
Re: Lost Pond: Jurassic Duck (Michael Handler)
Re: Senate anti-spam bill (Ray Everett-Church)
More dangers of e-mail to the wrong users (Aviel Rubin)

RISKS 19.22 12 June 1997
Washington D.C. air traffic slowed (PGN)
Poorly designed train signal nearly causes crash (Martin Minow)
Computer glitch slows trains (Jeremy Epstein)
Cut cockpit wiring found on airliner (Matt Welsh)
Company blackmails Netscape for details of browser bug (Jim Griffith)
Censorship from half way around the world (Jeremy Freeman)
Smith Barney customers become momentary millionaires (Jim Griffith)
Texas Drivers in the Privacy Pothole (Lauren Weinstein)
Largest Database Companies to Restrict Use of Personal Data (Edupage)
Risks of being a spammer (Jim Griffith)
Major corporation's misconfigured FTP server (John P. Wilson)
3001: Improving A Classic (Scot E. Wilcoxon)
Geez Pleez Sloueez (Mark E. Ingram via Peter Ladkin)
Re: When is 0 not 0? The wonderful world of the Web (Mathew Lodge, David Jones)
IFIP WG 11.3 Working Conference - August 11-13, 1997 (David Spooner)
CFP: 1998 Symposium on Network and Distributed System Security (Matt Bishop)
CFP: The Impact of the Internet on Communications Policy (Nora O'Neil)

RISKS 19.23 26 June 1997
U.S. Supreme Court rules on Communications Decency Act (PGN)
RSA's DES challenge achieved (PGN)
McCain-Kerrey Secure Public Networks Act (PGN)
Revised Internet Regulation in China Announced (Li Gong)
"Hackers" get into Ramsay case computer (Jonathan Corbet)
Backhoe-attack cable thief disables phone service in Russia (Betty G.O'Hearn)
Malfunction Causes Motor Melee (Scott Lucero)
1998-1999 Leonids may damage satellites (Jonathan Nash)
Unix path risks -- well-known, but still amusing (Michael Patrick Jackson via Alan Wexelblat)
Microsoft Web site Interrupted by cracker (Edupage)
MS Outlook sends e-mail on Ctrl-Enter when editing with Word (Michael Passer)
Malepropylene Microdictus (Stephen Speicher)
Re: Software Problems with new UK ATC Center (Andres Zellweger)
Old risks, new villains... when will they learn? (Quinn Yost)
7-Eleven Big Brother (Mich Kabay)
UK Government proposes ID numbers for 4-year-olds (Gary Barnes)
Chip Theft by Home Invasion (David Kennedy)
Re: Company blackmails Netscape for details of browser bug (Dorothy Denning)
Netscape vs. Cabocomm (Andy Waldis)
"Secret Power" claims to expose secret international spying networks (Betty G.O'Hearn)