precedence: bulk
Subject: Risks Digest 21.44

RISKS-LIST: Risks-Forum Digest  Monday 4 June 2001  Volume 21 : Issue 44

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
House Science Committee hearings on voting systems (Douglas W. Jones)
Swimming-pool changing cubicles (Alan Barclay)
Insurer considers Microsoft NT high-risk (Oleg Broytmann)
UK Government Gateway blocks non-MS browsers (Chatan Mistry)
The risks of clueless marketing (Greg Searle)
Computer-generated mail -- too easy to fake? (David G. Bell)
Forgery attempt -- risk of identity theft (David Lesher)
Sex-offender database risks (RISKS)
Crash leaves disabled riders stranded (Jeremy Epstein)
BT upgrade: The best laid plans... (John Sullivan)
Re: Software Engineering, Dijkstra, and Hippocrates (Scot Wilcoxon, Richard I Cook)
Re: EU considers retaining *all* telecom traffic (Michael Weiner)
Re: NZ Electoral Web Site (Richard A. O'Keefe)
Re: Another Backhoe Reminder (Arthur Marsh)
Re: WeatherBug and Gator (David Crooke)
Re: 37% of programs used in business are pirated (Jurek Kirakowski, Merlyn Kline)
More SMS SPAM (Simon Waters)
Re: Lost train (Mark Brader)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 29 May 2001 15:05:18 -0500 (CDT)
From: "Douglas W. Jones"
Subject: House Science Committee hearings on voting systems

On May 22, 2001, the House Committee on Science held a hearing entitled "Improving Voting Technology: The Role of Standards", with Stephen Ansolabehere from MIT, Rebecca Mercuri from Bryn Mawr, Roy Saltman [retired from NIST], and myself -- Douglas Jones from the U of Iowa.
The House Science Committee web site has an archive of the written testimony submitted in advance of all committee hearings. For this hearing, they also have a real-audio webcast-transcript in their archive. See:

  http://www.house.gov/science/full/fchearings.htm

It's sorted in reverse chronological order; scroll down to May 22, 2001.

In sum, I feel we presented a fairly strong united front on the key problems we face when using computers to count votes -- we agreed that current technology is poorly regulated, that many current voting systems have major defects, and that stronger standards must be put in place before any large-scale rush to replace "outmoded" voting systems with new technology.

We did disagree about whether a new standard would have an effect on the next presidential election. I was, I think, the most pessimistic in this regard. It may be that our answers depended on our interpretation of the question -- I assumed that it would take a year, at minimum, to put a new standard in place, and that it would take vendors a year, at minimum, to offer new machines based on this standard. I also assumed that old machines would be grandfathered in, so the new standard would not have a significant impact on real polling places for several more years as old machines were slowly phased out.

Doug Jones

------------------------------

Date: Mon, 28 May 2001 14:55:49 -0400
From: Alan Barclay
Subject: Swimming-pool changing cubicles

*The Register* reports on French swimming pool "Centre Sportif Richard Bozon" at http://www.theregister.co.uk/content/28/19236.html. It seems that instead of a simple and traditional bolt on the doors to the changing cubicles, the centre has installed a computerized array of motion sensors, which detect if the cubicle is in use and display a red or green light to indicate occupation. There is nothing to prevent someone from ignoring the lights and opening an occupied cubicle.
The obvious flaws are pointed out by *The Register*, including the problem for colour-blind people, and the sheer stupidity of putting in a high-tech solution to a low-tech problem, but they miss other problems, such as false positives and false negatives and the requirement to train the users of the facility in the meaning of the lights.

  [Boz-on and Boz-off?  Beau-saun(a)?  Hose-sauna?  But watch out for swimsuits with false positives.  PGN]

------------------------------

Date: Tue, 29 May 2001 12:20:53 +0400 (MSD)
From: Oleg Broytmann
Subject: Insurer considers Microsoft NT high-risk

[...] An insurance company has started to charge 5-15% more if you use Windows NT as a base for Internet services:

  "We saw that our NT-based clients were having more downtime" due to hacking, says John Wurzler, founder and CEO of the Michigan company, which has been selling hacker insurance since 1998.

  Wurzler said the decision to charge higher premiums was not mandated by the syndicates affiliated with Lloyd's of London that underwrite the insurance he sells. Instead, the move was based on findings from 400 security assessments that his firm has done on small and midsize businesses over the past three years.

  Wurzler found that system administrators working on open-source systems tend to be better trained and stay with their employers longer than those at firms using Windows software, where turnover can exceed 33 percent per year.

  http://www.zdnet.com/intweek/stories/news/0,4164,2766045,00.html

Oleg Broytmann  http://phd.pp.ru/  phd@phd.pp.ru

------------------------------

Date: Mon, 28 May 2001 20:57:15 +0100
From: "Chatan Mistry"
Subject: UK Government Gateway blocks non-MS browsers

An article appeared on *The Register* on 28 May 2001. The original article can be found at http://www.theregister.co.uk/content/4/19239.html

In short, the article briefly described an investigation by the UK Linuxuser magazine.
It has found that the certificates being used on parts of gateway.gov.uk, the UK government's attempt at making all services available online by 2005, are specific to Windows and Internet Explorer 5.01. These signatures are currently provided by Equifax and ChamberSign.

The article also goes on to say that:

  The Government Gateway doesn't exactly have much up on it at the moment, but the likelihood is that although simple registration by user name and password will give you access to some information services, all of the transactional ones will require use of certificates. The one service available for individuals, electronic filing of tax returns, certainly does, so effectively only Windows/IE users can currently use it. UK.gov seems to have swallowed the Microsoft pitch whole; according to Linuxuser, the explanation given is that "other browsers do not give proper support for SSL and digital certificates."

I for one am very concerned. With Microsoft-based servers apparently being hacked almost at will, I can see a future when it will no longer just be the Internet where your identity can be used. And just for variety, what about if you are one of these people (albeit in the minority) that uses a non-MS operating system or x86 hardware (such as a Mac)?

Of course, until the original Linuxuser article appears (the issue containing this article goes on sale next week), none of this can be corroborated.

------------------------------

Date: Tue, 29 May 2001 11:22:58 -0400
From: "Greg Searle"
Subject: The risks of clueless marketing

Has anyone else noticed the cluelessness of Microsoft's marketing when assigning a name to their new line of products? Do you think any of these marketing people are familiar with the popular "emoticons", or "smileys"? Has anybody else realized that "XP" is a person wincing and sticking their tongue out? Will the new MS products leave a bad taste in your mouth? :-b

  [:-b is itself quite nice.  A tongue-tied emoticon?
  PGN]

------------------------------

Date: Sat, 02 Jun 2001 19:32:56 GMT +0000
From: dbell@zhochaka.demon.co.uk (David G. Bell)
Subject: Computer-generated mail -- too easy to fake?

A front-page story in *The Yorkshire Post* of 2 Jun 2001 reported that fake letters had been sent out in Bradford, requesting that people send _original_ birth certificates to enable the local council to recreate records lost through a computer error. Original birth certificates are usable for identity theft.

The new twist comes from how the letters were created:

  A council spokesman said they had no reason to believe council employees had stolen headed paper as the headings on most council correspondence were printed off on each individual letter by computer, and so could be copied by anyone who has received a letter by e-mail.

I'm not sure just what the computer-printed headings are, whether it includes some expensively-designed logo, and what details are actually included in e-mails. Obviously, it's that little bit easier to fake a letter if the genuine article is entirely computer-printed, rather than using old-fashioned pre-printed paper. Even with that barrier, people are becoming used to entirely computer-printed letters, headings and all.

I just hope I don't get an e-mail from Bradford council, if they have their logo attached as a graphics file.

  [Original Yorkshire Post story by Amy Binns]

David G. Bell -- Farmer, SF Fan, Filker, and Punslinger.

------------------------------

Date: Sat, 2 Jun 2001 11:11:06 -0400 (EDT)
From: David Lesher
Subject: Forgery Attempt -- risk of identity theft of a different sort....

  ... The package arrived bearing the official stamp of the Prince George's County clerk of the Circuit Court, the signature of the chief judge and a court order demanding the immediate release from prison of a triple murderer.

  {details re: attempt to free prisoner with forged documents}

  [Prince George's Chief Administrative Judge William D.]
  Missouri said he believes the signatures were photocopied from real court documents and pasted onto the fake release order. He suspects that someone inside the courthouse may have been involved. ...

This is not the first time copied signatures have been used. It won't be the last. But one wonders what the big push at retailers toward digitized credit-card slips will bring.

------------------------------

Date: Tue, 29 May 2001 16:02:19 -0500
From: RISKS List Owner
Subject: Sex-offender database risks

One of our readers was searching through the Illinois Registered Sex Offender database at http://samnet.isp.state.il.us/ispso2/sex_offenders/index.asp and ferreted out a wide variety of database errors, some of which could have really nasty consequences. There are lots of incorrect street addresses, ZIP codes, mispelingz, inconsistencies, people living in different apartments shown with the same address, etc. The Chicago Police Department Sex Offender Database is not consistent with the Illinois State Police Sex Offender Information. To discourage vigilantes, the former database omits digits of addresses that are given in full in the latter, but the former has photos that are omitted by the latter. One wonders about how many entries point to the wrong person. Overall, the risks are many.

------------------------------

Date: Sat, 02 Jun 2001 21:49:06 -0400
From: Jeremy Epstein
Subject: Crash leaves disabled riders stranded

MetroAccess is a Washington DC-area public transit system for the disabled (door-to-door service). Users call up at least 24 hours in advance to make a point-to-point reservation to get to/from work, shopping, medical care, etc. According to a 1 Jun 2001 article in *The Washington Post* (http://www.washingtonpost.com/wp-dyn/articles/A3679-2001May31.html), Metro Access lost all reservations for services due to crashes by both the primary and secondary systems.
Those with regularly scheduled service (e.g., every day or every week) were recovered from a backup system, but anyone with a one-time reservation was lost (about 1000 of the 2800 entries in the database). The contractor that runs the system "has no idea who had placed the remaining 1000 reservations and made public pleas for anyone with a Metro Access reservation to call and confirm it." Which could, of course, lead to more failures as the system gets overloaded with calls.

The article claims that it was a hardware, not a software problem. No information was provided on how often backups are done, or how both the primary and secondary systems failed at once (seems quite unlikely if it truly is a hardware problem, unless both were hit by lightning or something like that).

------------------------------

Date: Fri, 1 Jun 2001 19:02:50 +0100
From: John Sullivan
Subject: BT upgrade: The best laid plans ...

British Telecom currently offer two fixed-cost internet access plans for ISPs to resell. One ISP, PlusNet, has supported the old scheme (SurfTime) since last year. However they wanted to move over completely to the new scheme (FRIACO) which is simpler and cheaper. This has been in the pipeline for months. Amongst other differences SurfTime requires you to buy two separate components, one from the ISP and one from BT.

A couple of days ago an email was sent announcing today as the date of the big change. It recommended cancelling the BT component of SurfTime last night (the 31st May), as they would no longer be supporting it at their end as of now. Early this morning user accounts were migrated across, the FRIACO access numbers were enabled and the old SurfTime numbers were disabled.

The problem is that both services require your local exchange to be upgraded and configured, by BT, just so. And many exchanges haven't been, resulting in many unhappy customers unable to dial in.
At 5pm (about 12 hours after the migration) PlusNet announced that the SurfTime access numbers had been re-enabled until such time as BT fixed their end of things. Unfortunately some people had already followed the instructions in their previous message to cancel their SurfTime subscription at the BT end last night...

One message from PlusNet reads:

> We are obviously very disappointed about this as we have spent months on
> meticulous planning, but we have been let down somewhat by third parties.

Of course, with so much planning it was *bound* to work first time. No need to keep the old service available until the new was *proven* to work, oh no.

------------------------------

Date: Sun, 27 May 2001 10:55:37 -0500
From: Scot Wilcoxon
Subject: Re: Software Engineering, Dijkstra, and Hippocrates (M.Cook, R-21.42)

> The March 2001 issue of the *Communications of the ACM* contains an
> article by Edsger Dijkstra called "The End of Computing Science?" ...
> As many of the RISKS entries have shown, application and other developers
> have certainly made a mess of things at times, often of Laurel and Hardy
> proportions ("That's another fine mess you've got us into."), and worse.

The title refers to "Computing Science". Most developers have never taken a Computer Science course, much less know the underlying concepts or apply them. I suspect many do not know who Dijkstra or the ACM are.

------------------------------

Date: Tue, 29 May 2001 12:03:46 -0500
From: "Richard I Cook"
Subject: Re: Software Engineering, Dijkstra, Hippocrates (M.Cook, RISKS-21.42)

Michael Cook [no relation] wrote in RISKS-21.42

> If/when Software Engineering becomes a fully licensed profession, perhaps
> part of the code of ethics should be similar to the intent of part of the
> Hippocratic Oath, "First, do no harm".
> This is a paraphrase of the
> statement "The health and life of my patient will be my first
> consideration" which is from the World Medical Association's "Declaration
> of Geneva" of 1948.

Speaking from experience as a member of the profession for which that oath was originally developed, I would suggest that Michael's laudable objectives might better be pursued via some other route.

Richard I. Cook, MD

------------------------------

Date: Mon, 28 May 2001 08:17:35 +0200
From: "Michael Weiner"
Subject: Re: EU considers retaining *all* telecom traffic (Weingart, R-21.42)

Dave Weingart reported on EU plans to retain all telecoms traffic. Apparently, the EU is not that ambitious, but the issue is critical enough.

Current EC telecommunications law protects the privacy of telephone users by obliging the operator to delete or anonymize traffic data as soon as there is no more pressing need to retain it (e.g., as the bill for the services has been paid, etc. - see article 6 of http://europa.eu.int/eur-lex/en/lif/dat/1997/en_397L0066.html). Law enforcement agencies find this cumbersome as it does not allow them to obtain information on past telephone usage (for the period before they placed a tap).

Statewatch, a British NGO active in the field of privacy protection, has published a leaked EU Council document on its website that urges the Commission "to review [...] the provisions that oblige operators to erase traffic data or to make them anonymous" in order to "ensure that the purpose limitations regarding the personal data do not come into conflict with the law enforcement authorities' needs of data for crime investigation purposes":

  http://www.statewatch.org/news/2001/may/enfo7277.htm

If this initiative is acted upon, it will significantly reduce the privacy protection of telephone users in the European Union.
Network operators will have to foot the bill for providing the necessary storage space and for carrying out the database searches that will no doubt be requested by law enforcement agencies.

------------------------------

Date: Fri, 25 May 2001 14:39:53 +1200
From: "Dr Richard A. O'Keefe"
Subject: Re: NZ Electoral Web Site

I've had some responses to my note in RISKS-21.41. Others have confirmed that they find the pages unreadable. The site maintainer has also been in contact, and in fairness I think I should make these points.

(1) NZ law requires a signature on any application to change electoral roll records; what the Web site does is let you fill out a form electronically which you can then fill in, sign, and post, or you can ask them to print the completed form and post it to you.

(2) This means that the newspaper report that you can enroll and change your record ONLINE is at best a half-truth. RISK of believing the newspapers?

(3) The maintainer did not respond with an angry defence but has sought constructive advice about improving the site. I sent some advice, and was given a thank-you.

(4) It's more secure than I said. Apparently, had I been able to get further, I would have been asked for my house number as well. (No comment on my part required.)

(5) I was assured that the site had been "extensively tested": on Windows, using Netscape 4 and IE 4. They don't apparently have a Mac to test things on.

(6) The fact that I can't get through *may* have something to do with the support (or lack of it) for SSL at this end. (iCab indicates this with "Network error #-15", some browsers are better, some are even worse.)

There remains the Risk of a NZ Government project being placed in a position where "extensive testing" has to mean Windows-only.
------------------------------

Date: Thu, 24 May 2001 16:06:19 +0930
From: Arthur Marsh
Subject: Re: Another Backhoe Reminder (Felsche, RISKS-21.41)

I doubted that there were "thousands" of fibres to reconnect, and looked for other accounts of the incident. ZDNet Australia had an account at:

  http://www.zdnet.com.au/news/dailynews/story/0,2000013063,20222584-1,00.htm

that included:

  Telstra crews had to replace 1.5 kilometres of cable and reconnect every individual fibre optic wire within it - about 150 strands in total.

Arthur Marsh, Network Support Officer, Information Technology Services
The University of Adelaide SA 5005 Australia  Ph: +61 8 8303 6109

  [PGN notes: This was also discussed by Kent Borg, who added a Lesson: Just because someone is an official spokesman doesn't mean he actually knows what he is talking about. Also, just because something is written with quote marks doesn't mean the quote is accurate. Someone clearly confused the image of a trunk of a zillion copper pairs with fiber optic cables and came up with a mule that doesn't exist; and no Australian Broadcasting Corporation editor caught it.]

------------------------------

Date: Sat, 26 May 2001 00:37:27 -0500
From: David Crooke
Subject: Re: WeatherBug and Gator (Garrison, RISKS-21.42)

Your correspondent seems surprised that the accompanying Gator product offers to store passwords, but this is a feature of more than one modern browser (Mozilla and Internet Explorer spring to mind) and of almost every one of Microsoft's own products, including (laughably but sadly) their PPTP VPN client.

------------------------------

Date: Mon, 28 May 2001 13:49:58 +0100
From: jk
Subject: Re: 37% of programs used in business are pirated (RISKS-21.42)

This study clearly has shock value as it combines seemingly objective data and emotive language. I have noted a number of misquotations of its findings in various news announcements and tried to find out how this figure of 37% is really computed.
But first of all, as to credibility of source: does the Business Software Alliance (BSA) have any vested interest in artificially inflating or deflating this figure? The International Planning and Research (IPR) organisation which seems to have advised the BSA says that 'BSA educates computer users on software copyrights; advocates public policy that fosters innovation and expands trade opportunities; and fights software piracy.'

The BSA report at http://www.bsa.org/resources/2001-05-21.55.pdf concludes that 'To ensure a high level of confidence, member companies of BSA reviewed the results of the study and their input was used to validate and refine the study assumptions'. This sounds like an inherently highly risky procedure for obtaining the truth. But to press on...

The methodology, from what I can understand of it, compares the number of computers sold to each country with the amount of software sold to that country (lots of various 'adjustments' for replacements, maturity etc., the bases of which are not explained). The number of computers sold is then multiplied by a number (again, all highly convoluted, but no hard details as to where these magic numbers come from) to give a figure for the demand for software given the hardware sales. The difference between this demand figure and the amount of software actually sold is the amount of 'piracy'. This is in fact a gross simplification of their actual methodology but seems to be the essence of it. It relies a lot on magic numbers.

In comparison to the coyness of the description of how all the magic numbers are computed, the final data *is* displayed in glorious detail per country, per year, dollar loss, etc. If the way the magic numbers were arrived at is fair and above board, then it would make sense to publish details of the process in order to boost the confidence of the report and to show that not only does it make an emotive point, but that it has good grounds for doing so.
Otherwise, given the source, one may be tempted to dismiss it on the grounds of possible self-interest by the authors (if they wish to fight software piracy, they could hardly publish a report which says that software piracy doesn't exist, could they?)

I spoke last summer to a technical manager of a medium-sized company in one of the so-called 'black spots' of software piracy fingered in the report. He told me that when they up-sized, the company had moved from MS Office to Star Office, because the latter was being given away for free. He also told me of how the company sourced shareware and freeware because he didn't trust 'black-market stuff'. Shareware is usually an order of magnitude cheaper than commercial stuff, and you often get to keep in touch with the folk that created it as well. He and I have remained in contact and swapped some interesting resources, so it isn't all talk. His approach sounded eminently rational to me: if you're poor, buy the hardware and find free- and share-ware on the web.

All of a sudden, the conclusions of the BSA report sounded a lot more risky to me.

Jurek Kirakowski, HFRG, Ireland  http://hfrg.ucc.ie/  http://hfrg.ucc.ie/jk/

------------------------------

Date: Tue, 29 May 2001 16:25:51 +0100
From: "Merlyn Kline"
Subject: Re: 37% of programs used in business are pirated (RISKS-21.42)

> tops the list in terms of dollars (an estimated $4 billion) lost to piracy.

This sounds like one of those inflammatory and inflationary statements the RIAA has become fond of recently. To my mind there is a big difference between this statement (which describes something that I can't imagine a means of estimating) and a statement like "tops the list in terms of dollars (an estimated $4 billion) retail value of pirated software". Many users would not be using the software they are using if they were forced to buy it rather than pirate it - they would be using a cheaper alternative.
------------------------------

Date: Sat, 26 May 2001 19:58:02 +0100
From: Simon Waters
Subject: More SMS SPAM (Re: Moskowitz, RISKS-21.42)

Robert Moskowitz's Risks article 'Great DoS attack for cell phones' prompted me to write. This week I've received two identical SMS messages telling me to urgently call a number, normal enough for a busy IT consultant perhaps, but the number was for a premium rate line.

Such abuses are not specifically SMS related (a favourite UK scam was to make very cheap goods and holiday offers via junk fax, where to accept it the order must be sent to a premium rate fax number - no doubt some office employees figured they would turn their employer's phone bill into their holiday money and ordered despite knowing the number was premium rate), although the ever changing number schemes inflicted on the average Brit by our telecoms regulator are making it harder and harder to sort out the wheat from the chaff, and the sheer number of mobile phones will make these scams more profitable and presumably therefore more common.

At least I may have found a use for the premium rate number blocking service offered by many mobile phone operators; it will let people act on their SMS messages without being lumbered with an unexpectedly large bill.

Perhaps someone would care to enlighten me as to what urgent messages I declined to pay for?

Simon Waters  www.eighth-layer.com  Tel: +44(0)1395 232769  ICQ: 116952768
Moderated discussion of teleworking issues at news:uk.business.telework

------------------------------

Date: Wed, 30 May 2001 11:45:01 -0400 (EDT)
From: msb@vex.net (Mark Brader)
Subject: Re: Lost train (Weber-Wulff, RISKS-21.42)

I don't think the Swiss Federal Railways (Schweizerische Bundesbahnen, SBB, http://www.sbb.ch) could have been involved here: the lines from Chur to Davos are part of the Rhaetian Railway system (Rhätische Bahn, RhB, http://www.rhb.ch).

Mark Brader, Toronto, msb@vex.net

  [Correction noted in RISKS-21.43.
  But could be a joint arrangement?  PGN]

------------------------------

Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) which now requires confirmation to majordomo@CSL.sri.com (not to risks-owner) [with option of E-mail address if not the same as FROM: on the same line, which requires PGN's intervention -- to block spamming subscriptions, etc.] or INFO [for unabridged version of RISKS information]
   .MIL users should contact (Dennis Rears).
   .UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.
*** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available:
   ftp://ftp.sri.com/risks
   or ftp ftp.sri.com
      login anonymous
      [YourNetAddress]
      cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
   http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
   http://www.planetmirror.com/pub/risks/
   ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.44
************************