precedence: bulk Subject: Risks Digest 21.49 RISKS-LIST: Risks-Forum Digest Monday 18 June 2001 Volume 21 : Issue 49 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Passive radar? Removing the cloak of invisibility (What's New via Dave Farber) Therac Returns: Data-entry errors kill five patients in Panama (Allan Noordvyk) WashingtonPost.com real estate database (Nick Laflamme) ebates.com installs Java program on users computer (Bill Tolle) Risks of peer-to-peer in the office (Alpha Lau) PCs used as cash registers (Nick Brown) Software "worm" searches your computer for pornography (NewsScan) Conflicting sensors placed on different parts of the line (Robert Gordon) New world disorder? (Mike Coleman) Security vulnerability databases (Uwe Ohse) Yet another e-commerce error (Leonard Erickson) Re: PC parrot: telephone bird vs. real phone ring (Dan Jacobson) Re: Banning virtual forms of entertainment ((Gerard A. Joseph) Re: Formula 1's string of ... failures (Bob Dubery, Chris Kantarjiev) The magic, fast-food, wand (Rob Slade) QWE2001: Call for Papers and Presentations (SR/Institute) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sat, 16 Jun 2001 10:39:31 -0400 From: David Farber Subject: Passive radar? Removing the cloak of invisibility (What's New) So just how stealthy is the $3.6B stealth bomber? Radar would need to look straight up at the bomber's flat bottom surface. Tracking would therefore require a vast array of antennas. But according to a story early this week in the *London Daily Telegraph*, such arrays already exist: Roke Manor Research in Britain claims that stealth aircraft can be tracked by their effect on ordinary mobile phone traffic. News media in the US did not discover the story until last night. The Pentagon is taking it seriously, and other nations, including China, are now developing such a system. [Source: What's New, 15 Jun 2001, from Dave Farber's IP distribution] ------------------------------ Date: Sat, 16 Jun 2001 06:50:03 -0700 From: "Allan Noordvyk" Subject: Therac Returns: Data-entry errors kill five patients in Panama >From the *Seattle Times*: ... data entered incorrectly in a computer program used in radiation therapy for cancer patients has caused at least five deaths in Panama ... For 28 cancer patients, healthy tissue was inadvertently exposed to high levels of radiation, David Kyd, spokesman for the International Atomic Energy Agency, said yesterday. So far, five deaths have been linked to the radiation exposure, while two other deaths are from "ambiguous" causes, he said. One patient died from cancer. Agency experts expect two-thirds of the surviving patients to develop serious complications. Radiologists using the program assumed the computer software had a fail-safe mechanism that would prevent healthy tissue from being exposed to radiation, Kyd said. But the five radiology experts from the International Atomic Energy Agency found health-care workers incorrectly entered the data, administering dangerous levels of radiation to healthy tissue. Kyd said, "had the instruction manual been followed to the letter, this wouldn't have happened. But this wasn't done." Full text of the article can be found at: http://archives.seattletimes.nwsource.com/cgi-bin/texis/web/vortex/display ?slug=radiation14&date=20010614 [PGN Note: Therac background in RISKS-9.20, RISKS-14.04, RISKS-14.75, and http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Therac_1.html] Allan Noordvyk, Software Artisan [Added later: The company has issued a response, at: http://www.multidata-systems.com/PDFs/MDresponse.PDF] ------------------------------ Date: Thu, 14 Jun 2001 10:20:26 -0400 From: Nick Laflamme Subject: WashingtonPost.com real estate database WashingtonPost.com, in association with a local real estate agency, has put up a database of home sale prices and property tax appraisal values. They've merged together tax records and real estate deed updates from several counties in the Washington, DC, metropolitan area, and some of the records are as detailed as any Multiple Listing Service listing you'd find while looking for a home to buy. This data base will prove useful for people trying to compare the price of a property they're considering with the values of the neighboring properties. However, because you can search by owner as well as by zip code or address, it has some nasty privacy implications. For instance, I can find the listing on my former manager's home knowing only his last name and the county in which he lives. Worse, I can find his street address, something not available to me through conventional sources. Trolling through deed listings and the like is an old risk. Consolidating it and putting a too easy to use Web interface on it is a comparatively new risk. Inquiries to washingtonpost.com about the privacy implications of this were referred to their Real Estate editor, who has not responded after more than a week. It's enough to make me even more glad that I rent, not own, my home. Nick Laflamme, Vienna, VA ------------------------------ Date: Fri, 15 Jun 2001 09:51:20 -0500 From: Bill Tolle Subject: ebates.com installs Java program on users computer Being a frequent shopper on the Internet I "bit" on an offer from http:/www.ebates.com. They offer a rebated from merchants if you go through ebates.com to get to the merchants site. I made the mistake of assuming that Buy.com and BarnesandNoble.com would not associate themselves with anything illegitimate. That was a mistake. I read ebates.com's privacy policy and the only thing it mentions is "cookies", not a word about any other type of tracking software. My second mistake was that I had enable Java in Internet Explorer while trying to solve some problems and had failed to disable it later. I signed up for their service. Later that same day, after I had rebooted my computer I found that a program named "Javarun.exe" was trying to access the Internet and was also trying to act as a server for the Internet. Fortunately, the firewall caught it and stopped it. Upon investigation, I found that ebates had installed a new folder named "C:\Program Files\topmoxie" that included the Javarun.exe program. There was also a file named "einstall.txt" in the C:\ directory that shows the installation of 134 ".class", ",dll", etc. files. Fortunately I had backed up my registry earlier in the day and was able to restore it to a point before I signed up with ebates. I am waiting for a reply from Buy.com and BarnesandNoble.com regarding my complaints to them for being associated with such an illegitimate operation as this. Bill Tolle, 245 S. Peachtree St., Jasper, Texas 75951 1-866-378-8525 - (409) 384-9094 http://ExclusiveBuyersAgents.com ------------------------------ Date: Wed, 13 Jun 2001 17:17:31 +0100 (BST) From: Alpha Lau Subject: Risks of peer-to-peer in the office A new line of business software introduced [12 Jun 2001] by AltaVista will let workers scour corporate networks, e-mail accounts and personal computers by stitching together valuable and sometimes embarrassing information scattered on far-flung office systems. ... By making it easy to retrieve information from a hodgepodge of computer servers, e-mail accounts and PC hard drives, the search software effectively creates a peer-to-peer network similar to the one popularized by the online music-sharing Web site Napster, which is battling to stay afloat after running afoul of copyright laws. The AltaVista software is based on the premise that businesses operating in an information-driven era will be better off if more employees can sift through a community storehouse of data gathered from corporate intranets, workers' e-mail boxes and PC hard drives. http://www.wired.com/news/business/0,1367,44461,00.html The premise only holds if the network is trustable. I'm sure most of us treat Web pages with an appropriate degree of mistrust. As for Napster, How many MP3s downloaded are actually of good quality?! I wonder how many pointy haired bosses would fall for a document posted on a server with no links to it, but submitted to the master index... Not to mention the privacy risks stated in the article... ------------------------------ Date: Fri, 15 Jun 2001 15:40:24 +0200 From: BROWN Nick Subject: PCs used as cash registers I had an illuminating experience today while waiting in line to pay at a sports shop. The clerk/cashier at the register next to where I was waiting finished her shift and was replaced by a colleague, so I got to see how the changeover worked. And for once, although it involves Microsoft products, this is not really an MS-bashing story, but just another tale of complacency and idiocy from corporate IT. I had already noticed the small (and very cute) LCD display (10 inch TFT, perhaps), but the first indication I had of the fun to come was when the first cashier stood up and the Windows NT logon prompt appeared as her logoff completed. The second cashier then sat down and typed her username and her password (which appeared to consist of two letters...). I was then surprised to see four "DOS windows" (Microsoft has another name for these, but you know what I mean) pop open and display various messages, as a whole series of programs started up. Most notable among these was a virus checker. It seemed to be taking some time to complete, and although NT had not been setup to prevent the desktop loading until the check was complete, the user decided to clear it from her screen anyway. Instead of minimising it, she killed it (and the three other DOS windows) with the "X" button. Some preliminary conclusions (that old oxymoron again): - The register is using basic NT logon procedures (with a trivial password) as some form of "security". - They have installed some el-cheapo anti-virus software which *doesn't run in the background*. - The users are killing the anti-virus software, either because it slows down their work, or because they haven't had the minimum training required to know how to minimise a window. (Of course, the window could have been started minimised anyway.) - Since the PC has no diskette drive or Internet connection (I asked), it's not even clear exactly what virus threat is being protected against. Or when the A-V software was last updated... Overall summary: this company's IT department is staffed by people who have no understanding of the issues, just a boss who demands buzzword-based "results". I'd hazard a guess that they are patting themselves on the back because their anti-virus software has successfully kept out (as in, not detected any) viruses ! PS: I suppose it's superfluous to mention that the large monitor above the entrance to the store, which is meant to display the store's Web page, has, on the last three occasions I've visited, displayed a blue screen of death... from Windows 9x, not even NT. ------------------------------ Date: Mon, 11 Jun 2001 08:47:20 -0700 From: "NewsScan" Subject: Software "worm" searches your computer for pornography A new computer virus called VBS.Noped.a now circulating invades computer memories in a hunt for picture files with pornographic-sounding names and reports them to the police. The virus (a "worm") arrives from an unknown source as an e-mail attachment with the subject line: "FWD: Help us ALL to END ILLEGAL child porn NOW." If it finds suspected pornography, it sends a message to the police saying: "This is Antipedo2001. I have found a PC with known child pornography files on the hard drive. I have included a listing below and included a sample for your convenience." An executive of the National Center for Missing and Exploited Children has repudiated the rogue effort and says his group "does not support unlawful means even to achieve meritorious ends." [*The New York Times*, 11 Jun 2001; NewsScan Daily, 11 Jun 2001; http://www.nytimes.com/2001/06/11/technology/11VIRU.html] ------------------------------ Date: Wed, 13 Jun 2001 11:05:36 +0100 From: Robert Gordon Subject: Conflicting sensors placed on different parts of the line Conflicting sensors could cause power failure. In our new building, a potential design fault has came to our notice. The details are that the sensor for the load-shedding system and the sensor for starting the UPS generators are at different places upon the inward power cable. As such if the inward power feed is broken between the two sensors, the UPS will attempt to start, but the load shedding system will see no loss of power and so will not shed any noncritical systems. This could potentially cause an overload of the UPS generators whilst it is staring up and a complete failure of power to the building. If anybody has any other new premises and datacentre risks, I would be most interested to hear what they are. I can be contacted a robertwgordon@totalise.co.uk Many Thanks in advance Robert Gordon ------------------------------ Date: Fri, 15 Jun 2001 16:57:07 -0500 (CDT) From: Mike Coleman Subject: New world disorder? In a recent gnu.misc.discuss thread, Florian Weimer points out that with the new locale (i18n) stuff, the pattern '[A-Z]' might also match the lowercase letters 'a' through 'y' (and not 'z', yes), depending on the setting of the LC_COLLATE environment variable. (It turns out that on a current Debian Linux system, at least, it also depends on whether or not the 'locale-gen' program has ever been run.) It's not hard to imagine a slew of bugs and root exploits based on this "feature". Mike Coleman, mkc@mathdogs.com http://www.mathdogs.com ------------------------------ Date: Wed, 13 Jun 2001 15:29:13 +0000 From: Uwe Ohse Subject: Security vulnerability databases I recently posted to a software security mailing list about a vulnerability in some software package. Now I got e-mail stating someone saw an article in "SecurityFocus.com's Vulnerability Database" claiming I posted it to another security mailing list. I had a look ... and found a number of errors in the database entry. The vulnerability in question is a local one, not a remotely exploitable bug. The bug database got it exactly the other way round. The database entry states the bug exists in version 1.0, but not in 1.0.1 to .3. This is wrong - the bug exists in version 1.1.0 (i don't know about older versions). There are other minor incorrect informations. The risk is obvious. See http://www.ohse.de/uwe/articles/fcron-1.1.0.html for more information. ------------------------------ Date: Fri, 8 Jun 2001 22:17:49 PST From: shadow@krypton.rain.com (Leonard Erickson) Subject: Yet another e-commerce error I'd just found a Web site offering a part I needed for an obsolete computer I'm working on. I clicked the "check out" icon. I was then presented with field to enter a customer name and account number, and a button to click if I wanted to purchase without establishing an account. I clicked the button and was presented with a screen to enter shipping address and billing address. Complete with phone number, email address, the works. Which would have been perfectly fine, except the data for the *last* customer was still there. The risks are obvious. I assume a script error of some sort failed to clear a temporary file or buffer. This wasn't the only error. The billing address half of the page was headed "Billing address (if different from shipping address)". But when I tried to clear out the fields, upon clicking to continue it made me go back and fill them out anyway... And then the final insult. The item was on sale, and the price displayed was the regular price. I've notified the site owner and they've said they'll fix it. The real irony is that they have a *prominent* notice about their privacy policy. Leonard Erickson (aka shadow{G}) shadow@krypton.rain.com ------------------------------ Date: 15 Jun 2001 12:21:05 +0800 From: Dan Jacobson Subject: Re: PC parrot: telephone bird vs. real phone ring (RISKS-21.47) Several times a day the Telephone Bird fools me into almost answering my cordless phone that I carry around my semi-tropical hilltop, as they sound the same. I have not identified exactly which of the many birds here makes the same sound as the phone yet. Obviously the designers never thought that using those "neat sounds from nature" might cause problems when taken out of the expected office environment and put back into the environment they came from. Good thing I have not installed the chirpy doorbell. http://www.geocities.com/jidanni Tel886-4-25854780 e-mail:restore .com. [Wait until you get a voice activated computer! PGN] ------------------------------ Date: Sat, 16 Jun 2001 14:36:20 +1000 From: "Gerard A. Joseph" Subject: Re: Banning virtual forms of entertainment (Dinwiddie, RISKS-21.47) Perhaps more significantly, how do you ascertain the virtuality of something? Is the Dutch government awake to the potential difficulty of proving something is real rather than virtual? Gerard A. Joseph ------------------------------ Date: Mon, 18 Jun 2001 22:01:02 +0200 From: "Bob Dubery" Subject: Re: Formula 1's string of ... failures (Keskinidis, RISKS-21.48) Things are only going to get worse. The systems that Stellios reports on are all tied into the engine's control module and all seek to curb a limit on wheel spin, to perfectly synchronise gear changes (the gearshift also being computerised - though usually the driver can override this feature) and to generally provide optimum traction in any circumstances - usually by modulating or momentarily cutting the engine output. These systems were banned at the end of the 1993 season, but in reality it is impossible for the stewards to figure out who has got what in their control system and whether or not it is legal. Last year FIA (who run F1 in terms of drafting the rules and regulations) stated that a team had cheated in 1999 and would be exposed. We're still waiting, because FIA could not make their charge stick and so declined to name the offending party - even though an ex-driver had tipped them off that there was something illegal about the un-named team's cars. So the systems are once again allowed. And they have not proven reliable (remember that each team must contrive it's own solution and so each team must write it's own software - there is no public domain code here). As a quid pro quo for the re-admittance of systems they don't really approve of (because they take over functions that should be left to the driver), FIA have got a promise from the teams that starting 2002 the cars will be equipped with a system that will allow the stewards to impose a speed limit, apply this limit to part or all of the circuit, and force the cars to travel at this limit. Another feature to be added is a proximity detector that will (in theory) reduce the chance of collisions in wet conditions (when the cars generate huge amounts of spray). Monaco is the narrowest circuit that F1 visits. At the start this year 4 cars were left standing on the grid because of software bugs. This left the marshalls less than a minute and a half to clear these cars out of the way before 18 racing vehicles came accelerating back along the main straight, heading straight for the stationary vehicles and the marshalls. Software that was supposed to make it easier for the drivers to make a good start has had the reverse effect. Things are now worse than when the driver had to control 850 horse power with the accelerator pedal. At this rate of progess, and at this level of reliability, the so-called safety features could result in carnage. Picture the scene at a fast track like Spa (Belgium), Monza (Italy) or Silverstone (England) when the stewarts try to reduce the cars to 80 or 90 mph because of an accident, and some car's software doesn't react, and the driver comes round a corner at 150 mph and finds slow moving vehicles, possibly an ambulance, in his way. Double Risk here... (1) These smart systems become impossible to police (in Champ Cars they have a similar problem this year, several teams are "known" to be cheating but nobody can actually prove anything) (2) These systems could actually make things more dangerous when they fail. ------------------------------ Date: Mon, 18 Jun 2001 13:20:36 -0700 From: Chris Kantarjiev Subject: Re: Formula 1's string of ... failures (Keskinidis, RISKS-21.48) > One thing is for sure, this is soon to be race against technology and not > who was the better driver on the day and as if it wasn't already a 2-man > race anyway (McLaren and Ferrari). It's been a technology race for some time. The recent ruling to allow traction control and launch control are unfortunate but deemed necessary because some companies were pretty clearly already using them, despite efforts to police them. This is an attempt to level the playing field. I find it somehow ironically satisfying that it's backfiring on a few of the players who seemed most likely to benefit from it! > Cars can only go so fast around any track, And how fast would that be? Tire technology (there's that word again) is constantly improving. Do you remember the active suspensions of 8 or so years ago, where the in-car from Mansell's car, so equipped, was rock solid through the corners, while everyone else was skittering about? Did you miss the recent episode where CART halted a race because the cars were travelling around the Texas racetrack fast enough that drivers were starting to black out? The teams seem to be doing live testing, all right. I can't find the URL at the moment, but Coulthard (who arguably lost the race at Monaco when his launch control failed on the formation lap, so he had to start from the back) was quoted as being pleased that the organizers had allowed them to do many practice starts ... and they'd all been flawless. I think the teams just don't know what and how to test, yet. Or, at least, McLaren don't. ------------------------------ Date: Fri, 15 Jun 2001 07:29:27 -0800 From: Rob Slade Subject: The magic, fast-food, wand (Re: McDonald's, RISKS-21.43, 21.46) Both RISKS readers and Bruce Schneier's June 15th CRYPTO-GRAM have noted some potential problems with McDonald's proposal to use the FreedomPay and FasTrak payment systems. As I read www.usatoday.com/life/cyber/tech/2001-05-29-mcdonalds-e-payments.htm I was mentally ticking off all the reasons I couldn't see much advantage to using this type of procedure in a fast food restaurant. I don't use drive-through venues all that much, so I'm not used to paying for my food with my keys. (And consider the drive-thru: at the second window, are you really going to turn off the engine, take out your keys, swipe the wand, put the keys back in the ignition, and stall out repeatedly while the guy in the monster truck behind you leans on his horn?) I've already got enough keys that my key case is awkward. Anything smaller than a pocket knife is going to be hard to find in my "change" pocket. The possibility of losing a tiny item that is keyed to my credit card, and possibly not finding out until the next statement comes is disturbing. And, yes, the assertion that "participants can `load' their FreedomPay account via the Internet or over the phone" would seem to allow the possibility of being defrauded even if you don't participate in the trial. But as I was considering the actual transaction in the store, I started to wonder about the stated reasons *for* using the system. It isn't going to make the purchase any faster for the customer. Consider the usual situation at the moment. You order. The cashier starts to put together your meal, but if you want anything more than a standard dark, carbonated beverage, there generally comes a point at which the hunting-and-gathering process is stymied: there aren't enough "fries," or you've ordered a salad "wrap" (you health food freak, you), or you don't want *that* much mayonnaise (I'm sorry, "chicken sauce") and so something needs to be made before your order can complete. At this point the cashier returns to the till (leaving your "shake" under the hot lamp and your nuggets beside the "soft serve" freezer), takes your money and gives you your change. Then you wait some more, and finally get your food units. So, does the possession of a wand save you, the customer, any time? Generally speaking, the answer will be "no." Does the fast food chain gain many sales because you have a McDonald's wand, and not one for Burger King? The respective chains will have their own religious marketing beliefs in that regard, but, again, the answer is much more likely to be, "no." The three factors in the success of a restaurant have always been, in order of priority, location, location, and location. McDonald's and its ilk aren't keen on participating in "food court" situations where you have a choice, and where the possesion of a wand might have tipped the scales in their favour. So why are they keen on the idea? The most likely reason would seem to involve that cashier. Even at minimum wage, the cost of processing an order and dealing with cash has to run about thirty to seventy cents per order in wages, plus additional costs. Once the capital costs of a wand system are covered, the cost of the billing part of the order can be reduced to an almost arbitrarily low figure. And, was it not McDonald's who recently did a trial with a terminal where patrons could compose their orders, and then pick them up at the counter? With both systems in place, the joint moves one step closer to becoming a giant vending machine (albeit with much less choice than an Automat), where you punch buttons, wave your wand, and wait for the bag to thump into the slot. (And wait. And wait ...) Eliminate those pesky employees, and you eliminate costs. rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: Sat, 16 Jun 2001 12:16:04 -0700 From: sr@linux20292.dn.net Subject: QWE2001: Call for Papers and Presentations (PGN-ed) 5th ANNUAL INTERNATIONAL INTERNET & SOFTWARE QUALITY WEEK EUROPE 2001 12-16 November 2001 Brussels, Belgium EU CALL FOR PAPERS AND PRESENTATIONS SR/INSTITUTE, 901 MINNESOTA, SAN FRANCISCO, CA 94107 USA Phone: [+1] (415) 550-3020 FAX: [+1] (415) 550-3030 WebSite: Email: qw@soft.com ------------------------------ Date: 12 Feb 2001 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) which now requires confirmation to majordomo@CSL.sri.com (not to risks-owner) [with option of E-mail address if not the same as FROM: on the same line, which requires PGN's intervention -- to block spamming subscriptions, etc.] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 21.49 ************************