precedence: bulk
Subject: Risks Digest 21.34

RISKS-LIST: Risks-Forum Digest Wednesday 11 April 2001 Volume 21 : Issue 34

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

Contents:
MIT'S cathedral of learning: online and free (NewsScan)
Modern Times, II (jhaynes)
Careful with that e-mail! (Lord Wodehouse)
Risks of appearing in rec.humor.funny (Jim Griffith)
Re: Risks of auto-updating software (L. P. Levine)
More on Yahoo mail's anti-virus attachment translation (Kirrily Skud Robert)
Re: Bogus Microsoft Corporation digital certificates (Nick Brown)
Summertime blues (Lord Wodehouse)
Re: Upcoming time-change risks (Derek Ziglar)
Another Silly Date Problem (Peter B. Ladkin)
Re: Dutch police fight cell theft ... (Zygo Blaxell, Christian Bartsch)
Re: Cellphone text 'bombs' (Peter Chuck)
Re: Future Mac Viruses? (Craig S. Cottingham, Paul Hessels)
Re: "Internet Voting is no 'Magic Ballot'" (Julian White, Jay R. Ashworth)
Bathtub Burnout (Rebecca Mercuri)
Auto-updating and ReplayTV (Alan Wexelblat)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 04 Apr 2001 09:05:05 -0700
From: "NewsScan"
Subject: MIT'S cathedral of learning: online and free

The Massachusetts Institute of Technology has committed up to $100 million for a 10-year project to create public Web sites that offer, without charge, learning materials used in almost all of its 2,000 courses. The materials will include lecture notes, problem sets, syllabuses, exams, simulations, and video lectures. Called OpenCourseWare, the program is not intended for "audit" purposes and not as a means for students to earn college credits.
Computer science professor Hal Abelson explained: "In the Middle Ages people built cathedrals, where the whole town would get together and make a thing that's greater than any individual person could do and the society would kind of revel in that. We don't do that as much anymore, but in a sense this is kind of like building a cathedral." MIT President Charles M. Vest is confident that the new program will in no way detract from the value received by residential students who are paying tuition of $26,000 for the on-campus experience of working directly with faculty and other students. "I don't think we are giving away the direct value, by any means, that we give to students. But I think we will help other institutions around the world... I also suspect in this country and throughout the world, a lot of really bright, precocious high school students will find this a great playground." (*The New York Times*, 4 Apr 2001; NewsScan Daily, 4 Apr 2001 http://www.nytimes.com/2001/04/04/technology/04MIT.html)

[This is a marvelous development to inVest in the future. RISKS applauds MIT. Three Cheers! PGN]

------------------------------

Date: Sun, 8 Apr 2001 10:13:24 -0500 (CDT)
From:
Subject: Modern Times, II

The local paper reprinted a column by *Los Angeles Times* columnist Doris Kearns Goodwin. She starts out saying that Abe Lincoln's 1861 first inaugural address reached Sacramento in a time of seven days and 17 hours by Pony Express.

"On March 17, [2001] the London Times released a Web version of a story that would appear in the next day's paper, falsely alleging that Steven Spielberg -- who has optioned my unfinished manuscript on Lincoln -- and I planned to present Lincoln as a 'manic depressive racist' and head of a 'dysfunctional' family 'who nearly lost the American Civil War.'"

"Carried by satellite, the story reached Matt Drudge's Florida headquarters and was placed on his Web site even before the newsprint edition of the London Times had reached the streets.
In the next 24 hours, 1.6 million hits were recorded on the Drudge site. The story was picked up by dozens of newspapers and made it to Rush Limbaugh's Web site, where Spielberg and I were accused of engaging in a left-wing conspiracy to denigrate American heroes in order to enhance the reputation of Bill Clinton. Within hours, the story was being discussed on talk radio and on television, and I was receiving e-mails from Lincoln scholars as far away as Australia, who were understandably concerned by the story's portrayal of my intentions."

Goes on to say that no reporter ever contacted her to check the accuracy of the story, and that the original reporter blamed the error on others and would allow her to submit a letter to the editor; but by then the false story was all over the world.

Goes on to detail some history of Lincoln, some very early statements of his that could be construed to make him appear racist, clearly voided by his later statements, including his last speech, which stirred up John Wilkes Booth to kill him.

------------------------------

Date: Fri, 6 Apr 2001 17:54:05 +0100 (GMT Daylight Time)
From: Lord Wodehouse
Subject: Careful with that e-mail!

Reported by the BBC
http://news.bbc.co.uk/hi/english/world/americas/newsid_1263000/1263917.stm

A chief executive who used an e-mail to threaten his staff with the sack for being lazy has seen his company's share price collapse after the message appeared on the Internet. Neal Patterson, head of the Cerner Corporation in Kansas City, USA, had no idea his private directive to staff would end up being seen by millions of people on the world wide web. In the three days after the publication of the message, shares in the healthcare software development company plummeted 22% on the stock market.

It never ceases to amaze me that people armed with a computer and e-mail completely lose their common sense.
However it seems to be the type of e-mail that should never have been written let alone sent and not by a senior person in the company.

Gerald Ratner built up the family business, piling it high, selling it cheap and making a fortune out of cut-price jewelry. But a throw-away joke in a speech at the Royal Albert Hall in front of Chancellor Norman Lamont brought his empire crashing down around his ears. (he called an item he sold cr*p.)

With the Internet the inept director can find that it is even easier to ensure that bad news travels faster and further.

------------------------------

Date: Thu, 5 Apr 2001 15:34:57 -0500 (CDT)
From: griffith@olagrande.net
Subject: Risks of appearing in rec.humor.funny

In 1994, I had an article appear on rec.humor.funny titled "AOL's cutting edge customer service", in which I related an incident where an AOL representative responded to a complaint by suggesting that the complainant should "telephone the Internet and talk to their tech support people". Since then (and as recently as today), I've been receiving email from AOL users who are somehow convinced that my e-mail address is the AOL customer service address.

Jim

------------------------------

Date: Tue, 3 Apr 2001 12:49:31 -0500 (CDT)
From: "Prof. L. P. Levine"
Subject: Re: Risks of auto-updating software

Graystreak said:

>In his recent (April 2001) AskTog column, Bruce Tognazzini reports on his
>ReplayTV which, one recent day, updated itself to disable a valuable
>feature.
> http://www.asktog.com/columns/045ReplayTV.html

I agree with his main point that software that updates itself is a menace and a problem, but the replay change that was noted in the Tognazzini posting came and went in about 4 weeks. I noted the change and did not like it but said nothing. After a few weeks the feature that had been disabled (a clean pause without ads) reappeared. I must assume that there was a good deal of noise made by the customer base as RePlay had just scrapped a revenue source.
Good for them. Customers who don't like a product revision should speak up and even decide to drop the product. Manufacturers will listen, but we got to talk.

Leonard P. Levine e-mail levine@uwm.edu
Professor, Computer Science University of Wisconsin-Milwaukee

------------------------------

Date: Mon, 2 Apr 2001 22:00:13 -0400
From: Kirrily Skud Robert
Subject: More on Yahoo mail's anti-virus attachment translation

Further to "Yahoo! Mail translates attachments" in RISKS-21.27, I saw the following e-mail on a mailing list which discusses medieval cookery:

  From:
  Subject: (OT) "Medireview" ???

  Does anyone know why certain Web sites and mail servers change the word "medieval" to "medireview" without any warning? Have I missed something? Did they change the spelling of the word, and not mail me the notice?

In addition to translating terms like "expression" to "statement" and "eval" to "review" in an attempt to disable potential virus code, it seems that they don't check for word boundaries, so "eval" is translated to "review" even when it's within a word like "medieval". It's easy to fix this in Perl (for instance), where the programmer would write s/\beval\b/review/g to check for word boundaries.

The RISKS? Firstly, "two wrongs don't make a right." Yahoo's half-baked attempt to fix one problem without adequate thought or testing has caused more problems. Secondly, while the mangling of the word "medieval" on a cookery mailing list may be unimportant, similar mangling occurring to a person's name, address, e-mail address, URL or other important data could have knock-on effects of a much more serious nature.

Addendum: I've just had a report of an actual instance of a mangled e-mail address:

> Someone [...] changed his e-mail address to "cheval" and several of us
> couldn't get his new address straight because it kept coming up at
> "chreview". Eventually, we realized what the word actually was, but it
> took a while.
*sigh*

Kirrily "Skud" Robert http://infotrope.net

------------------------------

Date: Fri, 6 Apr 2001 17:55:18 +0200
From: BROWN Nick
Subject: Re: Bogus Microsoft Corporation digital certificates (Savit, R-21.30)

This whole area is reminiscent of, say, nuclear power, or electronic voting, or anything based on Social Security numbers: the technocrats (who do not necessarily have any technical background, even if they are in the private sector) come up with some great scheme that "simply" relies on nobody ever, ever screwing up. (Since most technocrats have never actually done a real job in their lives, they have probably never screwed up either.) This attitude is known in French as "yapuka", short for "il n'y a plus qu'a...", or "it's easy, all you have to do is...".

It "should have been obvious" (that phrase again) that at some point, somebody would screw up and some invalid certificates would slip out. If this had been considered in advance, Microsoft and Verisign would maybe look a bit less like headless chickens right now.

I have a modest proposal: all documentation and marketing material concerning any system which contains any technology whatsoever should, by law, carry the word "probably" in front of each verb describing technical details of the system, and "unless someone screws up" at the end of each sentence describing (claimed) functionality. Examples:

- "When you click on the icon of the diskette, Microsoft Word will *probably* save your work".
- "When you select 'Book now', the system will *probably* reserve your ticket".
- "XYZ Backup Manager means you will never lose another file, unless someone screws up".

See how much more accurate this is? Imagine how much happier the world will be without all the disappointment which users feel when the system fails to deliver as promised.
Nick Brown, Strasbourg, France

------------------------------

Date: Tue, 3 Apr 2001 13:18:28 +0100
From: Lord Wodehouse
Subject: Summertime blues

It may have already been noted, but in Germany, Deutsche Telekom had problems with their speaking clock over the weekend of 24th/25th March. Users using the alarm service found that on Monday 26th March their call was an hour late, because the system did not advance to daylight savings time. I expect there were other problems, including the ones where US and UK/Europe companies found that the time difference was one hour more for a week.

John, Global Research IS, GlaxoSmithKline, Medicines Research Centre, Gunnels Wood Road, Stevenage SG1 2NY United Kingdom +44 1438 76 3222
e-mail: mailto:w0400@ggr.co.uk Web: http://www.gsk.com/

------------------------------

Date: Tue, 3 Apr 2001 21:08:13 -0400
From: "Derek Ziglar"
Subject: Re: Upcoming time-change risks

> In the USA we change to Daylight Savings Time (spring ahead) ...
> This year, that also happens to be the first day in April. ...
> I can see that this confluence is going to cause some amount of confusion,
> as some people automatically disbelieve any official-seeming announcement

More true than you may think. It may even cause the media to fail to even report such announcements.

In January 1999, a defect in the Microsoft Visual C++ Runtime Libraries was discovered and documented in PC World magazine. Someone had discovered that the time function in the runtime library had an inherent error that it would misapply the Daylight Saving Time setting of Microsoft Windows anytime the daylight savings time went into effect on the first day of the month--like in 2001.

The consequence of this bug is that Visual C++ built programs and others that use this same shared library will 'see' the time incorrectly for the first week of the month, then correct itself. Programs on the same computer that don't use this library should see the time correctly.

The risk?
Well, I certainly heard no recent alerts that this was to occur! I had no cause to suspect any problem until Sunday morning when my company's servers started misprocessing work because the C++ programs that process our data 'saw' the time one hour differently than SQL Server itself did. A most perplexing situation to debug--when two programs running on the *same* computer have a different view of the time!

Sure, Microsoft reports this bug was supposedly fixed in a service patch to the *compiler*, but who was responsible for distributing the fixed *runtime* components that were distributed with all the applications people had written using that compiler?

As Alan Wexelblat said, how many people would fail to take seriously a problem warning associated with April 1st? Apparently enough that the media completely failed to follow up on this April 1, 2001 risk they had reported over two years ago!

January 1999 article from PC World
http://www.pcworld.com/resource/printable/article/0,aid,9327,00.asp

Microsoft Knowledge Base documentation on the problem.
http://support.microsoft.com/support/kb/articles/Q214/6/61.ASP?LN=EN-US&SD=gn&FR=0&qry=daylight%20savings&rnk=5&src=DHCS_MSPSS_gn_SRCH&SPR=VCC

Derek Ziglar, Atlanta, Georgia

------------------------------

Date: Fri, 06 Apr 2001 09:15:20 +0200
From: "Peter B. Ladkin"
Subject: Another Silly Date Problem

I have a digital certificate from a well-known German certification authority, trustcenter.de. They informed me on the 9 February that the certificate was about to run out.

  Es laeuft am 04/05/01 15:00:42.000 ab.
  (It runs out on 04/05/01)

On the 4 April, they said it again:

  Ihr [...] Client-Zertifikat mit den folgenden Daten, [...] gueltig seit: 04/05/00 15:00:42.000, [...] nur noch bis zum 04/05/01 15:00:42.000 gueltig ist.
  (Your certificate with the following Information [...] valid since 04/05/00 15:00:42.000 is only valid until 04/05/01 15:00:42.000)

I believed them. I also want this certificate.
But this morning at 06.25 local time they informed me:

  Ihr Class 1 Client-Zertifikat mit den folgenden Daten, [...] ist am 04/05/01 15:00:42.000 abgelaufen.
  (Your certificate with the following Information [...] ran out on 04/05/01 15:00:42.000)

In the language in which this security agency is writing to me, 04/05/01 means unambiguously 4 May 2001. As it does unambiguously all over Europe. But they obviously meant it to mean the 5 Apr 2001. Can I *really* be the first person that has been caught by this mistake?

This goes to show that it's not only NASA that can mix up their units. The solution is probably to insist that agencies which provide an official security function use ISO-standard dates.

Peter Ladkin

------------------------------

Date: Wed, 04 Apr 2001 16:59:54 -0400
From: Zygo Blaxell
Subject: Re: Dutch police fight cell theft ... (Dzubin, RISKS-21.32)

>After a user reports his GMS handset stolen, [...]

Uhhh...I'm not sure what GMS is in this context, but if it's a misspelling of "GSM", then I see a problem.

In GSM, there is a separate SIM card in the handset which contains all of the subscriber's authentication/authorization information, and which is intentionally interchangeable between handsets (subject to some restrictions, but generally when switching between handsets supplied by the same service provider).

If someone was trying to sell the _handset_, they could do so without including the SIM card--I've done this a couple of times as handset technology evolves over the years. The buyer provides their own smart card, and the telco doesn't even have to be informed that the sale took place for the handset to work for its new owner.

Naive GSM users reading this article might attempt to send such messages to their own phone number if their handset is stolen. This won't work if the thief has any clue at all. Kids, don't try this at home.
I suppose it is possible that the police may use the telco's resources to track the handset down by its IMEI or something--handsets, high-end accessories, even batteries these days have serial numbers embedded into them which are accessible from the handset firmware and can be interrogated from the telco (if not routinely broadcast while the handset is on).

Zygo Blaxell (Laptop)

------------------------------

Date: 03 Apr 2001 00:00:00 +0000
From: cbartsch@gmx.de (Christian Bartsch)
Subject: SMS in Netherlands on stolen phones (Re: RISKS-21.32)

I've only seen reports (but no firsthand source, maybe because of my lack of the Dutch language), but I have a little difficulty believing them. AFAIK the SMS service in the GSM network addresses the SIM card in the phone (i.e. the mobile's number). If you insert another (not stolen) SIM card and throw away the old one, you won't receive any text messages. Why? That would require addressing the IMEI of the stolen phone, which to my knowledge is not possible.

I think some American phones have their number hardcoded in the phone, but here (i.e. GSM in Europe) you could only annoy anyone using a stolen SIM card, not a stolen phone with a "clean" SIM card in, methinks.

Chris http://www.zahlungsverkehrsfragen.de/

------------------------------

Date: Tue, 3 Apr 2001 11:26:24 +0200
From: Peter Chuck
Subject: Re: Cellphone text 'bombs'

The CNN article correctly explains that every mobile device has a built-in serial number (IMEI). Cellphone operators can block all use of a mobile handset based on this IMEI. Here in Belgium we have one operator that blocks stolen IMEIs and two others that do not (it would cost them money). The result is that all the "new owners" of stolen cellphones are calling via the lazy/cheap operators.

In the Amsterdam scenario, the taxpayers are funding the police to do the work of private cellphone operators.

Peter Chuck, Consultant, Cap Gemini Ernst & Young, Brussels, Belgium.

------------------------------

Date: Mon, 02 Apr 2001 21:17:56 -0500
From: "Craig S. Cottingham"
Subject: Re: Future Mac Viruses? (PC Rescue, RISKS-21.32)

> Mac users have been crowing for some time that their system is less prone to
> viruses than the horrible alternative. Could this be about to change?

First off, any person who claims that Mac OS is less *susceptible* to viruses than the "horrible alternative" is mistaken. The greater part of Mac OS's relative dearth of viruses is due to "security through obscurity" -- in this case, a much smaller developer base. All the tools you need to write code for Mac OS, virulent or not, have been freely available for download from Apple's web site for more than two years.

> "The box contains three installation CDs -- Mac OS X, Mac OS 9.1 and a CD
> full of developer tools, including the Cocoa programming environment, which
> is reportedly simple enough for school kids to use."

Secondly, Linux has included, from day one, developer tools simple enough for school kids to use, as evidenced by the number of open source projects started by students. (The most notable example that comes to mind is Napster; I believe its author was a high school student when he created it.) Following that logic, there should be a preponderance of viruses for Linux. Instead, there are, to my knowledge, none. (Worms which exploit security holes in daemons are a horse -- a Trojan horse? -- of a different color.)

The security model built into Linux and other Unix-like operating systems -- of which BSD, on which Mac OS X is built, is one -- contrasts sharply with the security model, such as it is, built into the variants of Windows. So right from the start, Mac OS X is starting from ground more solid than either its predecessor or that "horrible alternative."

What remains to be seen is how well Apple has balanced the Unix-like security model with the expectations of a user base that is used to having free run of the machine.
I haven't installed Mac OS X on any of my machines yet, but it appears from the posts to one OS X mailing list that the security model is obvious for tasks which require superuser rights.

Craig S. Cottingham http://pgp.ai.mit.edu:11371/pks/lookup?op=get&search=0xA2FFBE41

------------------------------

Date: Wed, 4 Apr 2001 16:12:23 -0400 (EDT)
From:
Subject: Re: Future Mac Viruses? (PC Rescue, RISKS-21.32)

>Mac users have been crowing for some time that their system is
>less prone to viruses than the horrible alternative. Could this
>be about to change?

Considering Mac OS X is running FreeBSD, I don't expect virii to be any MORE of a problem than from their legacy OS. It's pretty hard to write a virus that trashes a whole FreeBSD system. I don't expect that having an IDE that is so easy kids can use will make any noticeable difference...

Now worms on the other hand.....

Paul

------------------------------

Date: Tue, 3 Apr 2001 09:35:39 +0100
From: "Julian White"
Subject: Re: "Internet Voting is no 'Magic Ballot'" (Ashworth, RISKS-21.32)

I must agree with Jay on this one. Ensuring that the Internet vote originates from who it claims to be is not wholly solvable at this time. Too many issues around the security of this information (whether that be originality, transmission or storage) make it too risky to implement for such an important process.

Also, the flip side of adding complex security is that if the Government were able to validate a vote against a voter, they then will have the ability to collect information on a voter's voting habit. I suspect that this is something that many of us would find unacceptable behaviour on behalf of our esteemed Government staff. For those of us with data protection and/or privacy laws we would at least have legislation to strangle the Government with, for those of you without there will not be much you could do to stop it.

However this does not mean we should exclude "electronic" voting.
One can see the advantages of collecting the voting information electronically direct from the ballot box. Replacing the paper based system with an electronic counter would produce a more accurate result, faster. The verification of the voter is done as per normal, by turning up to the ballot station. Of course we need to ensure that the voting tallies are not tampered with, which is probably more procedural than technical.

The critical issues with electronic voting are those as described by Jurek Kirakowski [RISKS-21.32], namely the user interface. This will be an issue for the technical, social and psychologist arenas to solve as a collective.

Julian White, Nu-Dimensions, UK. JWhite@Nu-D.com

------------------------------

Date: Tue, 3 Apr 2001 05:16:15 -0400
From: "Jay R. Ashworth"
Subject: Re: "Internet Voting is no 'Magic Ballot'" (RISKS-21.32)

Another method of counting can certainly be *added* to "paper"... but note what I said about "a physical object that the voter can inspect". And that can *be* recounted; the more important issue.

Paper cannot be abandoned. Merely augmented.

Jay R. Ashworth Baylink The Suncoast Freenet, Tampa Bay FL http://baylink.pitas.com +1 727 804 5015

------------------------------

Date: Tue, 10 Apr 2001 22:00:44 -0400 (EDT)
From: Rebecca Mercuri
Subject: Bathtub Burnout (Re: Nordal, RISKS-21.33)

> The risk of putting non-reliable legacy equipment in the same room
> as your $30,000 servers with hundreds of concurrent users is obvious.

Audun Nordal's conclusion is a tad misleading. Anyone who has taken a reliability engineering course (do they still teach such things anywhere?) knows that the "bathtub curve function" indicates that it is at BOTH ends of the equipment age spectrum where the increased possibility of breakdown exists.
New equipment burn-in (note the full meaning of this terminology) eliminates many of the front-end problems, but I'd suspect that brand-new $30,000 servers (with defective CRT monitors) probably are at least as risky as the workhorse VT420s.

Rebecca Mercuri

------------------------------

Date: Thu, 5 Apr 2001 08:34:11 -0400
From: Graystreak
Subject: Auto-updating and ReplayTV

It has been pointed out to me that Tog's column, which I referenced in RISKS-21.32 is (4) months out of date. The malfeature Tog talks about was removed, apparently, last December.

That does not, I think, obviate my major point. I was _not_ trying to say: "ReplayTV is bad" but rather "we have opened ourselves up to a whole new class of risks" through a combination of always-on/always-connected computers, and auto-updating software.

Risks Digest is a fine forum for presentation and analysis of specific cases; however, part of the point of such cases - I think - is to illustrate larger classes of risks and systemic design flaws which can lead to multiple vulnerabilities.

Alan Wexelblat wex@media.mit.edu http://wex.www.media.mit.edu/people/wex/
moderator, rec.arts.sf.reviews

------------------------------

Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) which now requires confirmation to majordomo@CSL.sri.com (not to risks-owner) [with option of E-mail address if not the same as FROM: on the same line, which requires PGN's intervention -- to block spamming subscriptions, etc.] or INFO [for unabridged version of RISKS information]
.MIL users should contact (Dennis Rears).
.UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html
ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.
*** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
ftp ftp.sri.com login anonymous [YourNetAddress] cd risks
[volume-summary issues are in risks-*.00]
[back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
http://www.planetmirror.com/pub/risks/
ftp://ftp.planetmirror.com/pub/risks/

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
http://www.csl.sri.com/illustrative.html for browsing,
http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.34
************************
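
The word-boundary point in the item "More on Yahoo mail's anti-virus attachment translation" above, as an added example that is not part of the original digest or of any contributor's post. It applies the two substitutions reported there with and without \b and lists the addresses and URLs each variant alters; the function names and the sample text are constructed for illustration, and it goes one step past the item by including a case where "eval" is a whole token inside an address.

```python
import re

# Substitutions reported in the digest item: "eval" -> "review",
# "expression" -> "statement". Function names below are hypothetical.
REWRITES = {"eval": "review", "expression": "statement"}


def naive_filter(text):
    """Plain substring replacement: the behaviour the item describes."""
    for old, new in REWRITES.items():
        text = text.replace(old, new)
    return text


# Same table, whole words only: the Python form of s/\beval\b/review/g.
_WHOLE_WORD = re.compile(r"\b(" + "|".join(map(re.escape, REWRITES)) + r")\b")


def bounded_filter(text):
    """Rewrite a listed term only where it stands as a whole word."""
    return _WHOLE_WORD.sub(lambda m: REWRITES[m.group(1)], text)


# Tokens that must come through a content filter unchanged.
_IDENTIFIER = re.compile(r"[\w.+-]+@[\w.-]+|https?://\S+")


def damaged_identifiers(text, filter_fn):
    """Return (before, after) for each address or URL that filter_fn alters."""
    damaged = []
    for match in _IDENTIFIER.finditer(text):
        before = match.group(0)
        after = filter_fn(before)
        if after != before:
            damaged.append((before, after))
    return damaged


# Constructed sample text (example.org is a reserved documentation domain).
SAMPLE = (
    "Notes on medieval cookery: write to cheval@example.org "
    "or eval@example.org, see http://example.org/eval/notes"
)

if __name__ == "__main__":
    for name, fn in (("naive", naive_filter), ("bounded", bounded_filter)):
        print(name, "->", fn(SAMPLE))
        for before, after in damaged_identifiers(SAMPLE, fn):
            print("   altered:", before, "=>", after)
```

With \b in place, "medieval" and "cheval" pass through untouched, but eval@example.org and the /eval/ path are still rewritten, because "@" and "/" count as word boundaries.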