precedence: bulk Subject: Risks Digest 21.24 RISKS-LIST: Risks-Forum Digest Thursday 15 February 2001 Volume 21 : Issue 24 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: [Still debugging Majordomo config. Sorry for past problems.] Calligraphy, computers, and Chinese culture (NewsScan) Lost pet fees cost Toronto $700,000 (Perry Bowker) Network Solutions Sells Out -- Domain Info For Sale to Marketers (Lauren Weinstein) Hacker defends his vandalism, blames the victims (NewsScan) AnnaKournikova worm (rcooper) It's the wolf! It's the wolf! (David G. Bell) Osprey crash involved "software fault" (Peter B. Ladkin) Privacy on New Zealand golf Web site (Gavin Treadgold) Risks of outsourcing: you can bank on it! (Cris Pedregal Martin) Microsoft Hotfix undoes previous good (Graham Bell) SiteGuest.com: Unauthorized e-mail address capture whilst browsing (Stewart C. Russell) The very friendly skies of United? (Steve Bellovin) Risks inside my Jan 2001 American Express bill (Thomas Maufer) Domain name mismatch family feud (James Ryan) RISKS of anticipating computer problems (Eric Nickell) Satellite strike blows away DirectTV pirates (Serguei Patchkovskii) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 01 Feb 2001 09:42:58 -0700 From: "NewsScan" Subject: Calligraphy, computers, and Chinese culture A current debate among Chinese speakers revolves around anecdotal evidence that computer word processing is eroding the ability of people to write traditional characters by hand -- and thus constituting an attack on Chinese culture. But the same debate occurred a century ago, when the pen began replacing the calligraphy brush, which is now used by a tiny segment of the population and treated as an instrument of artistic expression rather than normal communication. Professor Ping Xu of Baruch College predicts that the computer will replace the pen, just as the pen replaced the brush: "Why would you still spend so much time on handwriting Chinese characters when you are eventually going to use computers? In spite of the opposition against the pen, why did the pen prevail? Because the pen is much easier to use and much easier to carry around. If the computer can provide an easier way of learning Chinese characters and all the Chinese language skills, eventually it will prevail." (*The New York Times*, 1 Feb 2001 http://partners.nytimes.com/2001/02/01/technology/01LOST.html; NewsScan Daily, 1 February 2001) ------------------------------ Date: Thu, 15 Feb 2001 14:15:44 -0500 From: Perry Bowker Subject: Lost pet fees cost Toronto $700,000 ... the city lost out on nearly $700,000 in pet fees last year because nearly half of Toronto's dog and cat owners were never billed. The staffer who knew how to run the computerized billing system was laid off. [...] only one city employee ever understood the system well enough to debug it when problems arose. That person was lost last year [due to downsizing] leaving no one to get things going again when the system ran into trouble and collapsed. [Source: *Toronto Globe and Mail*, 15 Feb 2001] The risks here are obvious, but the Y2K experience has shown that many organizations are still lucky to have even one person who understands some of their systems. There were lots of war stories about places where applications were run religiously because no one knew what they did, or why, or how - except they seemed to produce something or feed into something else - much less assess and correct any Y2K risk. Perry Bowker ------------------------------ Date: Wed, 14 Feb 2001 19:59:31 -0800 (PST) From: Lauren Weinstein Subject: Network Solutions Sells Out -- Domain Info For Sale to Marketers See PRIVACY Forum Digest V10 #03 for the entire item: http://www.vortex.com/privacy/priv.10.03 ------------------------------ Date: Wed, 14 Feb 2001 08:53:55 -0700 From: "NewsScan" Subject: Hacker defends his vandalism, blames the victims Defending his vandalism as an attempt to do good, a 20-year-old Dutch student arrested for creating the so-called Anna Kournikova computer virus that jammed Internet traffic throughout the world justified his action by saying he "never wanted to harm the people" whose computers he infected. He claims he intended only to issue them a warning to tighten their Internet security, and insisted that "after all it's their own fault they got infected." (AP/*The New York Times*, 14 Feb 2001; NewsScan Daily, 14 Feb 2001 http://partners.nytimes.com/aponline/technology/AP-Tennis-Virus.html; as usual, copyright material, reprinted in RISKS with permission) ------------------------------ Date: Wed, 14 Feb 2001 09:34:20 -0600 From: rcooper Subject: AnnaKournikova worm (from Esa-l, via Mark Luntzel) Well, we have survived the AnnaKournilova worm, but unfortunately this worm is directly responsible for our fax machine blowing up. Apparently numerous employees at our company is in our Attorney's address book. Apparently the law firm got hit pretty hard. Funny thing is, instead it being emailed to the recepients they were faxed. Got a pile of about 250 pages where the worm itself was faxed to numerous people at our office. The fax machine just couldn't handle it and blew up. Being we thought this was quite funny, I wanted to share it with the list. John, we need a sanitizer for fax machines now :-) ------------------------------ Date: Wed, 31 Jan 2001 21:23:14 +0000 (GMT) From: dbell@zhochaka.demon.co.uk ("David G. Bell") Subject: It's the wolf! It's the wolf! It is now commonplace for commercial sites to operate through several different versions of the same name, often by the use of different TLDs. In some cases, this may be cause of the distinct function of certain parts of their system, as with the recommended use of the .net TLD. In other cases, it is an attempt to make it easy for customers, and harder for competitors. After rather more than half a year of Real Soon Now promises, a new agricultural web site has opened for business, under the name of Globalfarmers. And they have as their main domain globalfarmers.com while also running globalfarmers.co.uk, as they are based in Scotland. Naturally, they have a system of registration and logins and SSL. However, if you connect by the www.globalfarmers.co.uk address, the Verisign certificate presented in the establishment of the secure connection is for www.globalfarmers.com, which triggers a spate of warning messages. Combine that with the 40-bit encryption, and I'm just paranoid enough to give up on trying to register. I know of other sites with multiple names, and secure connections, and this is the first time I've ever seen the wrong certificate presented. Globalfarmers seem to have made some mistakes, but I'm also wondering just what it all means. The error messages are rather uninformative. There seems to be an assumption that I already know about how these security systems work. Meanwhile, the naive user is always being told to check the padlock symbol displayed by the browser, and not how to respond to such error messages. There's a whole slew of risks here, including the problem of false positives (aka crying wolf), and what such things do to the reputation of a dot-com. David G. Bell -- Farmer, SF Fan, Filker, and Punslinger. ------------------------------ Date: Fri, 02 Feb 2001 21:27:21 +0100 From: "Peter B. Ladkin" Subject: Osprey crash involved "software fault" The investigation into the V-22 Osprey tilt-rotor crash on 11 Dec 2000 on approach to New River, North Carolina, about 7 miles away from the airfield, is almost completed. Lt. Gen. Fred McCorkle, who oversees Marine aviation, said the causes were a combination of hydraulics and software failure. The V-22 has two engines, one at each end of its wing, turning large propellors that are much larger than normal propellors but much smaller than helicopter rotors. It has a helicopter mode for landing and takeoff, in which the engine nacelles are vertical and the rotors operate in "helicopter mode", and for cruise flight, the nacelles rotate horizontally so that the rotors operate as giant propellors. The aircraft has recently completed its operational evaluation. During the evaluation, one aircraft crashed in Arizona on approach to landing, killing 19 marines. This was put down to "vortex ring state" or "power settling" of one of the two rotors, a condition in which a descending helicopter rotor encounters its own downwash and is unable to produce required lift. This happened with just one of the two rotors of the aircraft, which flipped inverted since the other rotor was still producing adequate lift, and there was no altitude available to recover. The opeval was not question-free, and some irregularities in maintenance records have recently come to light and are being investigated. The latest crash is believed to be unconnected to any maintenance irregularities. Helicopters have two means of controlling the pitch of the rotor blades, that govern the movement of the aircraft, called collective and cyclic pitch. They also have a power control, and these three together form the flight control system of a helicopter. Collective and cyclic pitch controls on the Osprey are hydraulic, as on most helicopters, as is the system controlling the angle of the engine nacelles (and thus transition between forward and "helicopter" flight positions). The No. 1 hydraulic system failed on the Osprey at the moment the pilot started converting from forward-flight to helicopter mode. The nacelles had covered 10% of their travel, and the pilot immediately commanded the rotors back to forward mode. The aircraft crashed anyhow. Here is how Aviation Week's Robert Wall described what then happened (Aviation Week, "V-22 Support Fades Amind Accidents, Accusations, Probes", pp28-9, Aviation Week and Space Technology, January 29, 2001). "The V-22 is equipped with a triple-redundant hydraulic system and a mechanism that is supposed to be able to compensate for hydraulics problems in on line within 0.3 sec. Hydraulic levels are monitored by the flight control computers that monitor system pressure, reservoir fluid levels and changes in those levels. If an anomaly is detected, a combination of local switching isolation valve [sic] and remote switching valve are supposed to reroute hydraulics fluid from other systems, in this case the second and third, to compensate for the loss in the primary system. But that emergency system failed because of a software problem [...]" Apparently, the Marines are not yet giving out details of the software problem. It is worth noting that the V-22 hydraulics was designed to operate at 5,000 psi instead of the "normal" 2,000-3,000 psi, because it allowed use of smaller and lighter components. But it was the single largest failure item during 804.5 hours of operational testing. It is important to note, as the Marines have pointed out, that the reliability of the hydraulics systems themselves have nothing fundamental to do with the tiltrotor technology, but were simply a design choice. It is important also to note that the "software problem" occurred in the operation of a failure-mitigation mechanism, which is only activated during failure of a primary aircraft system. The original failure appears to have been purely mechanical. But it is well-known that it is difficult to assure the reliable functioning of systems that are activated only during rare failures. Another report appears in Flight International, 20 January-5 February, 2001, p24, "USMC fights for Osprey's future", by Paul Lewis. Peter Ladkin [Also noted by Mike Beims, who added that the risks of an incompletely tested backup system are a recurring theme in this forum. PGN] [A subsequent article by James Dao appeared in *The New York Times*, 13 Feb 2001, and quotes the Marine Corps on the forthcoming report. PGN] ------------------------------ Date: Wed, 31 Jan 2001 14:47:30 +1300 From: "Gavin Treadgold" Subject: Privacy on New Zealand golf Web site Recently the New Zealand Golf Association moved over to a newer and some would say fairer handicapping system. One feature of this system is the handicapping web site ( http://www.golf.co.nz ). This site is currently down for maintainence. On this site, golf club handicappers can enter golf scores for members, which are then consolidated into a national database. On this site you can log in and review your most recent rounds (date and location are given). You can also search for any other golfer in New Zealand and view their history. Cards are generally visible on the site within 2-3 days of the card being handed in. This site has a lot of benefits for golfers in New Zealand. 1. Being able to monitor people you play with to ensure they are handing good cards in and are not 'farming' their handicaps. 2. Ensuring that out of town visitors to tournaments supply their correct handicaps. 3. Providing club, regional, and national rankings of golfers. There are however a few recently discovered risks - hence the site being taken down and redeveloped. 1. Every user's login id consists of a three-digit club code, ie mine is 371 - Russley Golf Club, and a four-digit club member id. This gives every registered golfer in New Zealand a unique seven digit identifying id. There was initally no password to login, hence someone could guess seven digit numbers, or collect them as the member numbers are printed out on the handicapping lists at the golf clubs. You are able to record your email address, and create a list of friends. This information could have been farmed by a spider/crawler. FIX? Use more than just a unique identifer that is easily guessed. 2. A golfer's record displays recent rounds and their home course. The link can then be made between someone being on holiday and handing in out-of-town cards. Joe Smith lives in the South Island, but has been handing in cards in the North Island for a few days now. Hmm, I'll use the Telecom White Pages ( http://www.whitepages.co.nz ) to find his address and phone number... say no more. FIX? Delay the display of any out-of-region cards for x days. 3. And another goody related to the second point. Employers and employees can keep an eye on each other to see how much golf they are playing, and if they are calling in sick and then having a game of golf! Ha! I'll bet this is the real reason the site has been taken down - all the executives complained that their sub-ordinates could see how much golf they really were playing. FIX? Nah, this one is too much fun to take away :) It will be interesting to see what sorts of fixes they have made once the site comes back online. Most people I have talked to about the site are supportive of it, with a couple of minor modifications to reduce some of the above risks. === Press Articles Golf: Website pulled after privacy concerns http://www.stuff.co.nz/inl/index/0,1008,588486a1823,FF.html Golfers chipping back over page http://www.stuff.co.nz/inl/index/0,1008,593772a1601,FF.html I can see the sub-par PGN jokes now... :) Gavin Treadgold, Red Iguana Ltd ------------------------------ Date: Mon, 5 Feb 2001 12:47:50 -0500 From: Cris Pedregal Martin Subject: Risks of outsourcing: you can bank on it! Summary: I left one bank because of their incompetence, and the new bank gave me an ATM card with my name and password, but linked to someone else's account. The RISK is embracing business models without regard to their technological implications, outsourcing in this case. Banks are a well-established source of RISKS-lore, but my recent experiences are starting to convert me into a believer in the existence of RISKS-karma. After many hours spread over months of unpaid consulting to my formerly small regional bank, trying to get them to (a) refund the double debit for a safe rental and (b) record that I had paid at least once, so I could actually access my safe, I decided to take my business elsewhere, and opened an account in my local (still) small bank. It does not take a RISKS reader to do this cautiously, so I waited for new checks and the automatic deposit to switch over before trying to use my new account... my very first ATM operation was a balance request, which yielded an amount well below the expected. Went to the brick'n'mortar office, where a check of their computers showed the correct balance. Although I was relieved I wouldn't have to fight to get my money back, I knew things were bad because there was obviously (at least) two different, not mirrored, databases at play here. I had to demonstrate the problem at their own ATM there, several times, before they'd start investigating, and after a good 30 minutes of consultations they admitted that yes, the card was linked to someone else's account, then had the gall to sternly ask me whether I had taken any money out, and then took another 20 minutes to "push through" the change, with some muted apology from the lowest-level employee involved. Turns out that they outsource the printing of ATM cards, and they outsource the running of their ATM machines, presumably to two different companies, and evidently they move information from their own database to these other organizations... in a very RISKy manner. The RISK here is familiar: embracing a business practice without understanding its technical underpinnings. The current management fads of outsourcing everything assume (implicitly!) well-defined and well-executed interfaces. In this sense, I am much luckier than PGN and other Californians who are experiencing a large scale version of the same with their supply (or lack thereof) of electricity. Cris Pedregal Martin - Computer Science, UMass - http://www.cs.umass.edu/~cris/ ------------------------------ Date: Thu, 1 Feb 2001 10:05:37 +1000 From: BELLG@allianz.com.au Subject: Microsoft Hotfix undoes previous good Good system administrators apply Hotfix packs to their systems promptly, to ensure known vulnerabilities are closed as soon as possible. Of course it is also wise to test the Hotfix to ensure it does not create new problems (and we all do that, of course). But who tests to see if it reintroduces problems/vulnerabilities removed by previous fixes? It looks like we all should start full security regression testing of Hotfix packs, following the release of the recent Microsoft Security Bulleitin MS01-005 , which includes the following statement: "An error in the production of the catalog files for English language Windows 2000 Post Service Pack 1 hotfixes made available through December 18, 2000 could, under very unlikely circumstances, cause Windows File Protection to remove a valid hotfix from a system. The removal of a hotfix could cause a customer's system to revert to a version of a Windows 2000 module that contained a security vulnerability." Graham Bell, Allianz Australia ------------------------------ Date: Tue, 13 Feb 2001 11:27:15 +0000 From: "Stewart C. Russell" Subject: SiteGuest.com: Unauthorized e-mail address capture whilst browsing I was looking at an estate agent's (realtor's) website when I noticed the status line on my browser saying "Contacting " then "Message Sent". I looked through the site's HTML code and there was a little piece of JavaScript which appeared to send an e-mail message to the site's owner with no intervention from me. This service is provided by http://www.siteguest.com/, who describe it as "Caller ID for your web site". Sure enough, in the next few days I started to get a number of e-mails from this realtor promising the best deals on houses. I'd prefer to choose who gets my e-mail address, and the behaviour of this particular individual has pretty much guaranteed no business from me. The risk? The usual JavaScript and security warnings should be on, and that combining web and mail functions in one program is not always a good idea. Stewart C. Russell Senior Analyst, Dictionary Division, HarperCollins Publishers, Glasgow, Scotland stewart@ref.collins.co.uk ------------------------------ Date: Thu, 15 Feb 2001 09:30:51 -0500 From: Steve Bellovin Subject: The very friendly skies of United? According to the *Wall Street Journal*, 15 Feb 2001, the United Airlines Web site had a problem a few weeks ago: it was quoting preposterously low fares. For about an hour, some international fares were "zeroed out", and customers were being quote a price that included only taxes and fees. United is declining to honor the tickets purchased during this time, saying that customers should have known that a price of less than $30 for a round trip from San Francisco to Paris wasn't reasonable. Steve Bellovin, http://www.research.att.com/~smb ------------------------------ Date: Thu, 1 Feb 2001 01:34:22 -0800 From: Thomas Maufer Subject: Risks inside my Jan 2001 American Express bill The items on my American Express Bill are listed in chronological order, oldest first. Beginning with items dated 1/1/2001, items dated from the future began to appear. For instance, the next several items were dated 1-Feb-2001, 1-Apr-2001, 1-Jun-2001, 1-Aug-2001, and 1-Sep-2001. It seems that they must have started interpreting the date as the month, and vice versa. The actual dates on the receipts corresponding to those items were 2-Jan-2001, 4-Jan-2001, 6-Jan-2001, 8-Jan-2001, and 9-Jan-2001. I understand the mistake that they made (but I can't fathom the reason that dates were corrupted), but I'm wondering what they'd say if I insisted that those charges be deferred until I actually *make* them, as I haven't actually made them yet. Thomas Maufer ------------------------------ Date: Wed, 31 Jan 2001 15:46:36 +1300 From: James.Ryan@telemedianetworks.com Subject: Domain name mismatch family feud A humorous story on similar domain names... I own "yourmailinglist.com" and was recently afforded front-row seats to a family feud of mind-boggling proportions. It seems someone with a large extended family had sent out a personal newsletter updating all his relatives on his current state of affairs, the kids are fine, Mary's in College, Joe has a new job, etc. etc. Well, one of the recipients took great offence to receiving such an impersonal form of communications. He blasted the entire list with a scathing sarcastic attack on the original sender who he accused of "spamming" his relatives instead of sending each one a personal update. In order to make himself "anonymous" he changed his reply-to address to "someone@yourmailinglist.com". Practically everyone on the list came back with their own scathing responses about how they were quite happy to receive the newsletter about Mike and his kids, and shouldn't he be ashamed of himself for his insensitivity, etc. Of course, all these replies ended up in my mailbox... I got my revenge, though. I simply "educated" all of those irate relatives in how to read an e-mail header, and soon they were blasting "Mr. Anonymous" at his proper address. The risk? If you're crazy enough to insult your whole extended family, be smart enough to know how to really cover your tracks... ------------------------------ Date: Thu, 8 Feb 2001 10:48:47 PST From: Eric Nickell Subject: RISKS of anticipating computer problems My credit union, Xerox Federal Credit Union recently changed its website. In the process, I lost access to my account information via the web for 2 weeks, somewhat troublesome since I have items that are charged to the account automatically and I've come to rely on web access to be able to view and transfer money between savings and checking to cover those charges. The changeover has been a comedy of errors, but in the end, customer service informs me that the problems were entirely my fault. Hmph. First change I noticed was that I could no longer type in my 7-digit PIN. I had originally been issued a 4-digit PIN, but feeling that this was insecure, I changed it. My estimates are that since XFCU gives 3 tries to get the PIN right, limiting the PIN to 4 numeric digits gives them a .3% chance of guessing the right PIN, given an account number. With a customer base of 70,000 members and account numbers of only six digits, how long do you think it would take a hacker to break into, oh, .3%*70,000=210 accounts, eh? In trying to get into my account with the 7-digit PIN, I used up my 3 tries. A customer service rep re-opened the account, but this led me to a debug page, so I assumed that I still didn't have the right PIN. Had to end up having the PIN mailed to my home address. One week later, the mailed PIN arrived, I can see that it's a truncated form of my old 7-digit PIN, and we try again. Now, we land in a barf page. It's the sort of message a programmer puts up to flag system errors. From the XFCU home, I click on the "contact" link to send them email. (It's right next to their "Most Useful Credit Union Web Site" award icon. How ironic.) The email comes back 24 hours later due to delivery problems. (The customer assures me that they have received no email complaining about this problem.) When I call customer service, they're able to track down the problem in a few hours. Turns out in my correspondence with XFCU, they have always listed my account as "0369045" (not the actual number). I have always fastidiously typed in the leading zero. Why? The reason I typed in the leading zero was a defense against the possibility that some stupid computer programmer would not treat "0369045" and "369045" and that believing the one received or printed communication was to be preferred. I was both right and wrong. So, in the end, it was all my fault. Customer service informs me that they did not need to notify of the PIN change, because they initially issued 4-digit PINS, and though the previous web access let members change to a longer PIN, THEY HAD NEVER given us permission to use a longer PIN. Further, I was the one at fault for typing in the leading zero. How stupid of me. The RISKS here are obvious: Besides grumps about lowered security and truncating my PIN without bothering to inform me, there are two: * The RISK of causing a breakdown in service by anticipating one. * Second, a more traditional RISK: Knowing that there was one problem in the changeover (the truncated PIN), I lost sight of the fact that there might have been two (that I no longer allowed to type in the leading zero). Eric Nickell, Xerox PARC ------------------------------ Date: Tue, 30 Jan 2001 17:07:53 -0700 From: Serguei Patchkovskii Subject: Satellite strike blows away DirectTV pirates : PGN-ed (How long will it be until the next-iteration hack occurs?)] Not long at all. According to a very informative report in The Register (http://www.theregister.co.uk/content/6/16377.html), the DirectTV attack was directed at the old, and easily hacked, "H"-type smartcards, which were discontinued in 1999. The currently shipped cards, "HU"-type, are apparently somewhat more difficult to hack - but hacked versions are nonetheless already available, and were not affected by the attack. Neither were emulation-based systems, where a PC with the appropriate hardware connector impersonates a hacked smart card. Given that, according to The Register's sources, such hacks are not illegal in Canada, it won't take a lot of time before the new hacked cards become widespread. In fact, the DirectTV stike may even provide the pirates with a healthy cash infusion from all those people seeking to replace their now-defunct H-type cards. Serge.P ------------------------------ Date: 26 Dec 2000 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with option of E-mail address if not the same as FROM: on the same line, which requires PGN's intervention -- to block spamming subscriptions, etc.] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. http://the.wiretapped.net/security/info/textfiles/risks-digest/ . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 21.24 ************************