precedence: bulk Subject: Risks Digest 21.39 RISKS-LIST: Risks-Forum Digest Friday 11 May 2001 Volume 21 : Issue 39 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: U.S. Air Force blasts Outlook security patch (Yves Bellefeuille) Univ. Virginia prof uses computer to catch cheaters (Richard Kaszeta) Potential timestamp overflow on 9 Sep 2001 (Don Stokes) Excel-lent leaks (Christophe Augier) Foolish wireless network access policies and spam engines (Thor Lancelot Simon) Cops say teen concocted radio calls (Steve Hutto) The RISKS spam crossover has finally taken place! (RISKS) DMV screws up on licenses (PGN) To drive or to avoid identity theft: mutually exclusive? (Brett Glass) Re: Recording industry threatens researcher (Douglas W. Jones) 16th Annual Software Engineering Symposium 2001 (Carol Biesecker) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 04 May 2001 17:28:25 -0400 From: yan@storm.ca (Yves Bellefeuille) Subject: U.S. Air Force blasts Outlook security patch A paper, "Reinforcing dialog-based security," by Martin Carlisle and Scott Studer, of the US Air Force Academy Computer Science Department, is to be presented on 5 Jun 2001 at the IEEE Systems, Man, and Cybernetics Information Assurance Workshop in West Point, NY, sponsored by NSA. The paper criticizes the Outlook 2000 SR-1 E-mail Security update [RISKS-21.36], developed in response to the I Love You virus to block certain types of attachments. [Source: *Infoworld* Article by Sumner Lemon, PGN-ed. Thanks also to Monty Solomon. http://www.infoworld.com/articles/hn/xml/01/05/04/010504hnairf.xml] ------------------------------ Date: Tue, 8 May 2001 11:01:03 -0500 (CDT) From: Richard Kaszeta Subject: U. Virginia prof uses computer to catch cheaters The latest Wired News includes an article that discusses how a University of Virginia professor nabbed 122 students for plagiarism using a computer program he wrote himself. The program basically compares papers and looks for phrases shared between papers. Using this technique, the professor caught 122 of 500 students in his class cheating. All the students caught were referred to the schools Honor committee. (http://www.wired.com/news/school/0,1383,43561,00.html) As a seasoned systems administrator in a college department and former student myself, I know that in a college environment, the efforts to which some students will go to cheat show an astonishing amount of creativity---breaking into accounts, exploiting lack of permission control on other users' accounts, searching through the recycle bins, etc. The use of technology in this environment has made cheating easier, and harder to trace. The risk is that some of the students are probably innocent, merely being guilty of having their own papers copied without their knowledge. Indeed, some of the students claim towards the end of the article that exactly that has happened. Unfortunately, the technology of online composition and submission of papers (as typically done at most Universities) lacks sufficient security, encryption, and authentication standards. Richard W Kaszeta, Engineer, University of MN, ME Dept rich@kaszeta.org http://www.kaszeta.org/rich ------------------------------ Date: Mon, 07 May 2001 01:46:08 +1200 From: Don Stokes Subject: Potential timestamp overflow on 9 Sep 2001 In case no-one else has noticed ... On 9 Sep 2001, at 1:46:40 UTC, the Unix time_t value (the number of seconds since the 1st of January 1970 0:0:0 UTC) ticks over from 999999999 to 1000000000, thereby moving from being a nine digit decimal number (as it has been since 1973) to a ten-digit number. Anyone storing decimal time_t values into a nine-digit field is going to have an interesting problem on that date. ------------------------------ Date: Fri, 4 May 2001 09:14:05 -0400 From: "Christophe Augier" Subject: Excel-lent leaks This amusing story was told to me by a friend, whose company name will stay hidden. Once upon a time, there was a sales director in a big spirit and wines company. This person managed the whole team for a big European country. One day she had to take the decision of laying off a high position salesman, working for this company since years. Because of the turmoil generated inside the team by this firing, she wanted to set the organization changes, and she made a new Org-chart and asked her administrative assistant to forward the file to all the sales team. Well... Everything looks fine, since you don't know yet that the new org-chart was made on an Excel Book. "Book" means several sheets... So, what was distributed to the whole team?.... Sheet 1 : The Org-chart : ok. At least THAT was good. Sheet 2 : All the names of the salesman for the whole country, their salary, and appreciation commentaries (kind off:"this guy will never succeed / he is a burden") and raises projection. By the way, with a good raise projection for herself :) Sheet 3 : A road-map to lay off the old salesman. all the information, dates, argumentation needed to get rid of him. Isn't that nice? Conclusion : A nightmare ! all the guys with a bad appreciation went postal (one guy from the south realized that his "sibling" of the north was making double money for the same work & results, etc...). I guess they should have had a lot of resignation... And a friend of the fired salesman forwarded the mail to him, giving him good material for the lawsuit he was engaging against the company. The risks? When you don't know how to use Excel or any software : don't use it for critical information ! When you send an e-mail : watch out what you are sending ! ------------------------------ Date: 3 May 2001 20:53:30 -0400 From: tls@panix.com (Thor Lancelot Simon) Subject: Foolish wireless network access policies and spam engines A local university has deployed a large 802.11 wireless network without WEP or any other security measure. Given the complexity of distributing WEP keys to huge numbers of students, faculty, and staff, not to mention the need for periodic changes, and the notorious insecurity of WEP itself, this might seem to be a reasonable choice. They have decided to provide public access to their IP connectivity for those within radio range of their campus rather than tackle the very significant issues associated with restricting access. The RISK? Their campus mail-handling machines will relay mail to any inside or outside destination if it's received from an address "inside" their campus network. The network architecture they've chosen for their wireless deployment dictates that anyone can walk onto their (large, urban) campus, or even just park his car outside, and spam away freely with hundreds of megabits per second of bandwidth to most points on the Internet. Basically, their entire campus just became a "safe harbor" for anyone owning a laptop and wireless card to do nefarious things to outside hosts with, essentially, perfect, impenetrable anonymity. There's not even a billing record for a throwaway dialup account to trace back; just a MAC address that can be trivially changed and the knowledge that it was used *somewhere* on their campus to do Bad Things at some point in the past. Thor Lancelot Simon ------------------------------ Date: Fri, 11 May 2001 12:07:04 -0600 (MDT) From: Steve Hutto Subject: Cops say teen concocted radio calls *Rocky Mountain News*, 11 May 2001 (excerpt) http://rockymountainnews.com/drmn/local/article/0,1299,DRMN_15_455095,00.html "A 16-year-old boy using a handheld radio and a computer allegedly sent Denver police cruisers and a helicopter to fake emergencies and called officers off legitimate 911 calls for more than a month before getting caught. Police said Thursday that the teen managed to hack into the department's computer-controlled radio system, program his radio to transmit on the department's frequency from his Southwest Denver home and then took on the alias of Jerry Martinez, a fictitious Denver police officer." The teen enjoyed chatting with police helicopters flying overhead as well as reporting non-existent emergencies and accidents. Eventually, police dispatchers caught on. When he called requesting license-plate information, they kept him talking for an hour and a half while the FCC physically located him using "special equipment". The final straw came a couple days later when an informant talked him into modifying another radio to transmit on police frequencies. The teen was charged with a dozen misdemeanors and a dozen felonies. The best part of the story is near the end: "Police have not determined how the teen allegedly hacked into their radio system. The police department's emergency radio system uses two sets of security identification codes and a computer to prevent unauthorized access." Considering all the possible risks here is a scary proposition, especially if used judiciously by someone with a bit more restraint. -Steve Hutto ------------------------------ Date: Wed, 2 May 2001 16:31:28 PDT From: RISKS List Owner Subject: The RISKS spam crossover has finally taken place! Subsequent to the posting of RISKS-21.35, for the very first time in our almost 16 years of RISKS issues, the number of spam e-mail messages has exceeded 50% of all RISKS e-mail (despite filtering by our incoming mail systems). This is an extremely unfortunate happening, because I first have to filter out and delete all the e-junk before I can even hope to ferret out the good stuff that you are faithfully submitting. Also noteworthy is that the volume of legitimate contributions continues to increase (which is wonderful because more of you are responding, but is sad because I cannot include everything)... I hate to recommend draconian anti-spam measures, but the problem is clearly out of control. We are of course opposed to short-sighted legislation and censorship -- especially if it overzealously filters out desired e-mail. Perhaps it is time to implement some radical techniques such as that described in a 1992 paper by Cynthia Dwork and Moni Naor, Pricing Via Processing Or Combatting Junkmail, Proc. Crypto 1992, LNCS 740. PGN ------------------------------ Date: Fri, 11 May 2001 07:58:14 -0700 (PDT) From: "Peter G. Neumann" Subject: DMV screws up on licenses [TNX to KFWB item from Lauren Weinstein] DMV Sends Licenses To Wrong Addresses California's Department of Motor Vehicles has mailed as many as 3,000 driver's licenses to the wrong addresses due to a malfunction in an 8-year-old sorting machine that processes more than 7 million licenses and ID cards every year. DMV officials say they will retire the machine. It is unclear exactly how many licenses were erroneously mailed. There are 202 confirmed errors so far, but officials expect more. Officials say they are not concerned about the stray licenses. They are asking those who receive a license that does not belong to them to return it. Those who do not could face criminal charges. For the actual license owners, the DMV will issue a new license number upon request to prevent identity theft. Motorists with questions should call DMV's information line at 1-800-777-0133. ------------------------------ Date: Fri, 11 May 2001 09:36:11 -0600 From: Brett Glass Subject: To drive or to avoid identity theft: mutually exclusive? This February, my driver's license came up for renewal -- a fairly ordinary event. I expected to wait briefly at the local Department of Transportation office, take an eye test, have an unflattering photo taken, and be on my way in short order. Alas, it was not to be. When I submitted the renewal form, I was shocked and dismayed to discover that the clerk would not renew my license unless I placed my Social Security number on it. There was no Privacy Act notice on the form (as required by the 1974 Privacy Act), so I asked the clerk why she believed she could to demand my Social Security number -- and refuse me a license if I did not supply it. What I found out was chilling. Not only does Federal Law -- thanks to the striking of a single word from a huge statute -- require that drivers submit their Social Security numbers when applying for licenses. It also requires that all of the information maintained about a driver by a state -- including that number -- be revealed to virtually all comers. Here are the details of these onerous laws, along with additional information about the laws in my particular state (which are typical of state laws throughout the country). I'll also describe the way in which one state is fighting the Federal laws that would require it to compromise its citizens' privacy and subject them to trivially easy identity theft. Requirement for Collection Very recently, welfare reform legislation changed Federal law to require that states collect all citizens' Social Security numbers when they apply for driver's licenses. (Earlier versions of the law only required it if one applied for a *commercial* driver's license, on the theory that one could threaten a deadbeat parent's livelihood if he or she required that license to work.) But a subtle amendment, slipped in just recently, struck the word "commercial," requiring the SSN to be collected from all applicants. The ironically numbered passage at 42 USC 666(a) (see http://www4.law.cornell.edu/uscode/42/666.html) says: >(13) Recording of social security numbers in certain family matters. - >Procedures requiring that the social security number of - > > (A) any applicant for a professional license, driver's > license, occupational license, recreational license, or > marriage license be recorded on the application; > > (B) any individual who is subject to a divorce decree, > support order, or paternity determination or acknowledgment be > placed in the records relating to the matter; and > > (C) any individual who has died be placed in the records > relating to the death and be recorded on the death certificate. > For purposes of subparagraph (A), if a State allows the use of a > number other than the social security number to be used on the > face of the document while the social security number is kept on > file at the agency, the State shall so advise any applicants. Note that while a different number may be used on the "face" of some licenses, the state must still collect the Social Security number. Also note that many of the items mentioned above are public records which can be accessed by all comers (in some cases, due to open record laws such as Wyoming's). Requirement to Disseminate The requirement that states disseminate Social Security Numbers it has collected comes from a law misleadingly titled the "Drivers' Privacy Protection Act." This law did in fact start out as a law to protect drivers' privacy, but due to amendments promoted by monied lobbyists it has just the opposite effect. (It is said, justifiably, that the law should really be called the "Drivers' Privacy Prevention Act.") The law is reproduced on the Web at http://www.networkusa.org/fingerprint/page1b/fp-dmv-records-18-usc-123.html Note that this law makes ALL of the information you submit to your state's DMV/DOT available to *anyone* who claims that it's needed for any business purpose. If I wanted your driving records and SSN, all I'd have to do is walk into the courthouse and claim that you owed me a dollar. The DPPA was challenged by the Alabama Attorney General on states' rights grounds and was ruled unconstitutional by a Federal district court: http://www.networkusa.org/fingerprint/page1b/fp-dppa-al-appeal.html However, the US Supreme Court, in a chilling ruling that dubbed our personal information "items in interstate commerce" and therefore subject to Congressional control under the Commerce Clause, reversed the Circuit Court: http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl ?court=US&navby=case&vol=000&invol=98-1464 [SPLIT URL] In retrospect, challenging the law on the basis of states' rights was probably a big mistake. The Alabama AG might have had better success had he cited the right to personal privacy delineated in Griswold v. Connecticut. State SSN Requirements And Public Records Acts The laws of many states also mandate the collection of Social Security numbers -- and make the forms containing those numbers public records. I live in Wyoming, and this is the case in my state. (The details of the laws are instructive because they are similar to those in other states; however, if you're uninterested in the specifics, you may want to skip down to the heading "Michigan's Challenge" to learn more about a recent challenge to the Federal laws.) Wyoming law, at W.S. 31-7-111 (b) ("W.S." = "Wyoming Statutes"), describes the information required on a driver's license application: >(b) The application shall include: > > (i) The full legal name and current mailing and residential > address of the > person; > > (ii) A physical description of the person including sex, height > and weight; > > (iii) Date of birth; > > (iv) The person's social security number or other numbers or letters > deemed appropriate on applications for instruction permits, > driver's licenses, commercial driver's licenses and > commercial driver instruction permits; Note that the statute does provide for an alternative; however, the phrase "deemed appropriate" (By whom? What is the standard of propriety?) is vague. The clerk said that she, at least, deemed no other numbers or letters to be "appropriate." The law also requires the state to keep the application on file even after it is processed. According to W.S. 31-7-120, >31-7-120. Records to be kept by division; exception. > > (a) The division shall maintain a readily available file of and > suitable indexes for: > > (i) All license applications denied with the reasons for denial > noted thereon; > > (ii) All applications granted; > > (iii) Every licensee whose license has been suspended or revoked > and the reasons > for the action; > > (iv) All accident reports and abstracts of court records of convictions > received under the laws of this state with suitable notations for > each licensee showing the convictions of the licensee and the > traffic > accidents in which he has been involved. What's more, the application is, according to the state's open records law, a public record that anyone may access. According to W.S. 16-4-201(a)(v), >(v) "Public records" when not otherwise specified includes the original >and copies of any paper, correspondence, form, book, photograph, >photostat, film, microfilm, sound recording, map drawing or other >document, regardless of physical form or characteristics that have been >made by the state of Wyoming and any counties, municipalities and >political subdivisions thereof and by any agencies of the state, >counties, municipalities and political subdivisions thereof, or received >by them in connection with the transaction of public business, except >those privileged or confidential by law; Needless to say, an open records law would be meaningless if a government agency were allowed to censor the records on its own initiative before revealing them! So, if the Social Security number were to be redacted, the Department of Transportation would have to be specifically authorized by law to do it. Alas, as in most states, there appears to be no Wyoming statute declaring the form -- or the information on it, including the Social Security number -- to be privileged or confidential. Worse still, any such declaration would arguably be overridden by the Federal statute. Wyoming Violates the Privacy Act The Wyoming Department of Transportation (WYDOT) also violates the Federal Privacy Act by failing to place a Privacy Act Notice on its driver's license applications. 5 U.S.C. § 552a note (1982) (see http://www.usdoj.gov/foia/privstat.htm), also called the Privacy Act of 1974, provides that: >(b) Any Federal, State or local government agency which requests an >individual to disclose his social security account number shall inform >that individual whether that disclosure is mandatory or voluntary, by what >statutory or other authority such number is solicited, and what uses will >be made of it. Without a Privacy Act notice (which does *not* appear on the current application), WYDOT is not permitted to collect Social Security numbers whether there is a Federal requirement for it to do so or not. This was affirmed in Gredinger v. Davis (see http://www.networkusa.org/fingerprint/page2/fp-ssn-davis.html). Nonetheless, the state's Department of Transportation refuses to issue the license based on an otherwise complete application. Michigan's Challenge The Michigan Secretary of State is challenging the Federal laws that, together, require collection and disclosure of Social Security numbers. The two press releases at http://www.sos.state.mi.us/pressrel/active/010227-1n.html and http://www.sos.state.mi.us/pressrel/active/010104-1n.html describe the progress of the case. When the Federal law was modified to encompass all drivers' licenses, it was claimed by overzealous legislators that the change was necessary to collect drivers' Social Security numbers to pursue deadbeat parents. The Michigan Secretary of State, however, says that it would actually make their system LESS effective, not more, because of the actual logistics of tracking deadbeat parents. In the second press release cited above, her office wrote: >Secretary Miller argued in her exemption requests that the collection of >Social Security numbers would violate the strong interest her department >has in protecting customer privacy. The process would be expensive and >counterproductive to measures already in place by the state to track >those owing child support. It was also noted that in addition to being >an unfunded federal mandate, the law raises questions about its ability >to protect the welfare of Michigan children. > >This federal law applies only to citizens with driver licenses, which >severely limits the ability to locate deadbeat parents. Consequently in >Michigan, more than four million people would be overlooked because the >databases containing records of suspended drivers, state identification >card holders and those on the Qualified Voter File would be excluded >from any search. > >Currently, the Michigan Family Independence Agency (FIA) conducts >searches of all Secretary of State databases for deadbeat parents using >a name, or even part of a name. It is successful in obtaining >identification 90 percent of the time, according to figures from FIA and >the Secretary of State. The Secretary of State estimates that the >success rate would drop to about 60 percent under the federal law >primarily because searches would be limited to only residents with >driver licenses. Other problems with the federal law identified by >Secretary Miller include: > >* States would not be required to verify the Social Security numbers >collected by their Department of Motor Vehicles or Secretary of State >offices are correct. > >* The law represents a significant duplication of effort because both >the Internal Revenue Service and Michigan Department of Treasury already >have databases of Social Security numbers. > >* The law places the majority at risk for possible misuse of their >Social Security numbers and identity fraud in attempts to target a >minority guilty of delinquent child support payments. Unfortunately, because the suit is being brought in only one Federal district, a ruling in favor of the Michigan Secretary of State would not be binding in the rest of the country. My Status Deb Ornelas, an administrator at the Wyoming Department of Transportation, insists that I submit my Social Security number in order to keep my license. She says that she believes that her hands are tied by both state and Federal law. Indeed, due to a lack of vigilance by legislators and citizens, they may well be unless the law is challenged and that challenge is successful. Thus, I may need to decide between the risk of trivially easy identity theft or loss of my right to drive. Suggestions regarding how to proceed, and help in starting an initiative to have the Federal laws changed, would be greatly appreciated. --Brett Glass ------------------------------ Date: Fri, 4 May 2001 11:00:07 -0500 (CDT) From: "Douglas W. Jones" Subject: Re: Recording industry threatens researcher (RISKS-21.37) I cannot avoid suggesting an analogy (in the spirit of the analogy fest cited in the previous item in the same Risks Digest): If I present a paper about the construction of a gun, nobody threatens to sue me. In fact, if I possess a gun, I am protected by the second amendment. My right to talk about and possess guns is unlimited. Only my use of guns to injure or kill is regulated by law. If, on the other hand, I wish to present a paper describing the weakness of a commercial encryption product, where that weakness could be used to violate a copyright law, my first ammendment right to free speech is irrelevant. Discussion of the weakness itself is forbidden, without regard to whether I construct a mechanism to exploit that weakness and without regard to whether I actually injure the interests of a copyright holder. We can conclude from this that the second ammendment is far stronger than the first ammendment, or that the interests of copyright holders are far more important than the right to life of potential shooting victims. It is ironic that the entertainment industry is directly behind this round of attacks on the first ammendment! Doug Jones PS: http://www.cs.uiowa.edu/~jones/compress/#intro contains, in the solution to machine problem 3, the source code of a program that I believe would violate the DMCA if anyone were stupid enough to use a ROTn Caesar cypher to protect a copyrighted work (distributing the work in ROTn encrypted form, and selling the value of n to to customers). This program finds n for almost any ROTn encrypted English text. ------------------------------ Date: Mon, 7 May 2001 19:30:22 +0000 (UTC) From: cb@sei.cmu.edu (Carol Biesecker) Subject: 16th Annual Software Engineering Symposium 2001 Catalysts for Improving Acquisition and Development of Software-Intensive Systems SEI 16th Annual Software Engineering Symposium 2001 15 -- 18 Oct 2001 Grand Hyatt at Washington Center, Washington, D.C. For more information about the Symposium, contact Symposium 2001 Conference Coordinator Phone: 412 / 268-3007 FAX: 412 / 268-5556 E-mail: symposium@sei.cmu.edu ------------------------------ Date: 12 Feb 2001 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) which now requires confirmation to majordomo@CSL.sri.com (not to risks-owner) [with option of E-mail address if not the same as FROM: on the same line, which requires PGN's intervention -- to block spamming subscriptions, etc.] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 21.39 ************************