precedence: bulk
Subject: Risks Digest 21.65

RISKS-LIST: Risks-Forum Digest  Saturday 8 September 2001  Volume 21 : Issue 65

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

Contents:
More about Star Wars 2: "Letter from America" (Pete Mellor)
The Heavens at War: NMD assessed (Leonard Erickson)
Getting the Facts Out - Announcing "FACT SQUAD" (Lauren Weinstein)
Citibank ATM network outage (Joshua L. Weinberg)
France Telecom inadvertent disclosure blamed on "computer error" (Peter Campbell)
Photo tickets dismissed in San Diego (Jim Griffith)
Web filter considered harmful (Thomas Roessler)
Early morning phone call angers citizens (Barry Hurwitz)
New software lets managers search e-mail (Jonathan Leffler)
Consumer Reports password policy risks (Bill Bumgarner)
Norton Personal Firewall (Ben Laurie)
Solar parking meters are a bad idea in wet Britain (David Mediavilla Ezquibela)
Sacramento woman denied $2.8 million jackpot (Max)
Accidental disclosure (Gene Spafford)
Re: Air Force office mails confidential information (Maj. John Robinson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 2 Sep 2001 21:11:07 +0100 (BST)
From: Pete Mellor
Subject: More about Star Wars 2: "Letter from America"

The following is a summary of Alistair Cooke's "Letter from America" this week (BBC World Service and Radio 4, Sunday 2nd September 2001). As in my previous message about "The Heavens at War", I have tried to give a fair summary, indicating personal comments by [PM: blah, blah].

Technical Aspects:

Cooke summarised the progress on the National Missile Defense (NMD) project, and referred to the recent successful interception flight test (IFT-6).
He then raised a problem with the vehicle used as a target. After talking about the various technical terms used in defence (going back to the time when journalists had to learn terms like "uranium" and "plutonium") he introduced the latest term: "spin-stabilisation".

[PM: I downloaded the glossary of terms and acronyms from the Ballistic Missile Defense Organization's website. It occupies over 800 Kbytes in pdf format. Follow the link from: http://www.acq.osd.mil/bmdo/bmdolink/html/bmdolink.html ]

An advanced missile such as the USA is capable of launching would use spin-stabilised warheads. Rotating them increases their accuracy, but also makes their trajectory more predictable and so they are easier to track in mid-course than cruder missiles. The targets used in the interception flight tests were spin-stabilised.

Cooke quoted an anonymous source in the DoD who said that he had no illusions about the difficulty of implementing the Star Wars interception system, but having to intercept crude "wobblers" was an enormously difficult task, particularly in the presence of similarly wobbly decoys. The problem is due precisely to the primitive nature of the missiles that are likely to be launched in an attack from a less developed country!

Around 100 acres of US Government land in Alaska have been set aside for testing interceptor flights to hit some of the USA's own crude wobbly rockets. Cooke's source said: "To succeed will take years and years". So, if North Korea can wait until 2004 before launching a rogue attack, the US might be able to intercept it!

Three systems are therefore under development:-

1. To intercept a spin-stabilised warhead,
2. To intercept the "wobbly tumbler" warheads which are still capable of causing massive damage although they might end up miles off target, and
3. (The supreme technical achievement) to detect real from fake wobbly tumblers and hit the right one.

Cooke quoted General Ronald T.
Kadish:

  Our test philosophy is to add, step-by-step over time, complexity such as countermeasures and operations in increasingly stressful environments. This approach allows us to make timely assessments of the most critical design risk areas. It is a walk-before-you-run, learn-as-you-go development approach. These testing activities provide critical information that reduces developmental risk and improves our confidence that a capability under development is progressing as intended.

  [The Ballistic Missile Defense Program. Address by Lieutenant General Ronald T. Kadish, USAF Director, Ballistic Missile Defense Organization, before the House Armed Services Committee on the Amended Fiscal Year 2002 Budget. July 19, 2001 http://www.acq.osd.mil/bmdo/bmdolink/html/kadish19jul01.html ]

(Cooke added a contemptuous "Harrumph".)

The Political Dimension:-

Although journalists are in the habit of saying that the President will do this or that, the budget for any proposal must go through both Houses of Congress before it is passed and funds become available. (The President proposes, Congress disposes.)

A further question is: Does the President have the constitutional right to abrogate the ABM treaty? A 2/3 majority in Congress is required to empower the President to sign a treaty.

In 1978 the late Senator Barry Goldwater brought suit against President Jimmy Carter to prevent him withdrawing from the Mutual Defence Treaty with Taiwan. The Supreme Court ruled 6 to 2 in Carter's favour, and stated in its judgment that such a decision is down to the executive and branches or the legislature.

A senior constitutional lawyer has stated that the Senate should decide next week after its summer recess if the President does have that power. If the Goldwater/Carter case is taken as a precedent, then the President could in theory opt out of any or all treaties to which the US is party (including withdrawing from the United Nations and NATO!)

Cooke concluded that, all things considered, including the probable cost [PM: $7,044.779 million for fiscal year 2002 alone, from Kadish's address] and the serious doubts about the constitutional right to abrogate the ABM treaty, "The prospect for Star Wars 2 seems, to put it mildly, ill-starred!"

[PM: Footnote. See slide 13 in the news briefing on the interceptor flight test:- http://www.defenselink.mil/news/Aug2001/g010809-D-6570C.html Several software problems interfered with the functioning of the ground tracking station.]

Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB +44 (0)20 7040 8422

------------------------------

Date: Sun, 2 Sep 2001 05:31:10 PST
From: shadow@krypton.rain.com (Leonard Erickson)
Subject: The Heavens at War: NMD assessed

I'm just going to point out a few examples of a major risk here, the arguments being advanced as to possible counter-measures against lasers show a *fundamental* misunderstanding of the means by which weapons lasers damage targets.

They don't *burn* thru the surface, they deposit *huge* amounts of energy (kilojoules to megajoules) into the surface layers of the target in *microseconds*.

The time scale makes rotating the vehicle a bad joke. And the energy levels make reflective coatings an equally bad joke. At these energy levels, the target spot *explodes* into plasma with effect equivalent to a fair sized chunk of TNT.

And this was pointed out back when SDI was being worked on. Yet these *same* "problems" are still being pointed out.

There are similarly disingenuous aspects to the discussion of decoys.

Given that none of this appears to have been mentioned in the program, I have to conclude that it wasn't even *remotely* objective in assessing the missile defense program.

In short, from what was reported to RISKS, the program was badly slanted. And hardly anything to base a risk evaluation on. Other aspects of the post make it seem inappropriate for RISKS as well.

As a counter, let me just note that there are risks to *not* trying to develop a defense. And to spreading grossly inaccurate "risk assessments" regarding something that is in its early testing stages.

There are potential problems. But bringing up "problems" like the ones I mention above is not eliminating risks, it's spreading propaganda.

Other items brought up may be valid risks or invalid ones, depending on one's assessment of the relative risks of no missile defense versus one that is not 100% effective. But *that* aspect of things is *not* a valid topic for *this* list! Not unless there's been a major policy change that I'm unaware of.

Leonard Erickson (aka shadow{G}) shadow@krypton.rain.com

------------------------------

Date: Thu, 6 Sep 2001 19:26:50 -0700 (PDT)
From: pfir@pfir.org (PFIR - People For Internet Responsibility)
Subject: Getting the Facts Out - Announcing "FACT SQUAD"

PFIR - People For Internet Responsibility - http://www.pfir.org

[ To subscribe or unsubscribe to/from this list, please send the command "subscribe" or "unsubscribe" respectively (without the quotes) in the body of an e-mail to "pfir-request@pfir.org". ]

Getting the Facts Out - Announcing "FACT SQUAD"
September 6, 2001
http://www.pfir.org/factsquad-announce

Greetings. Immediately following the recent People For Internet Responsibility "Future of the Internet" Workshop, technology columnist Dan Gillmor reported on the event within his widely-read column. He especially noted one of the key points of agreement at the meeting -- there's a serious need for coordinated information sources and experts to counter the often skewed information provided by lobbyists and other vested interests relating to technology issues. As it stands, it's usually those well-heeled interests who have successfully organized, for their own betterment, to provide information about technical matters to media, politicians, and many others.
Dan used the term "fact squad" to describe the need for a coordinated effort to provide some balance in these matters.

PFIR has now set up a structure that we hope can provide assistance in filling this fact gap. We've created "Fact Squad" -- its home page, which describes the project in more detail, is at:

http://www.factsquad.org

Fact Squad is oriented specifically towards folks who need straightforward, direct, and largely "jargon-free" information about these topics. It is a coordinated resource for media, researchers, or anyone else -- cutting through the hype and getting to the facts.

Fact Squad by itself obviously cannot be the complete solution to the long-festering and worsening problems of manipulated information and propaganda relating to technical issues and their impact on society. But we think it's potentially an important step in the right direction.

In addition to the Fact Squad home page listed above, three new contact e-mail addresses have been established relating to this effort:

- Questions or information about specific topics or issues: facts@factsquad.org
- General inquiries: general@factsquad.org
- Information about participating in Fact Squad: participate@factsquad.org

We look forward to your questions, comments, and participation. Thanks very much.

Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org
Tel: +1 (818) 225-2800
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

Peter G. Neumann
neumann@pfir.org or neumann@csl.sri.com or neumann@risks.org
Tel: +1 (650) 859-2375
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, RISKS Forum - http://catless.ncl.ac.uk/Risks
Chairman, ACM Committee on Computers and Public Policy
http://www.csl.sri.com/neumann

------------------------------

Date: Wed, 05 Sep 2001 09:16:25 -0700
From: "Joshua L. Weinberg"
Subject: Citibank ATM network outage

Citibank's network of 2000 automated teller machines went down on the evening of 4 Sep 2001, due to software problems. It was still down the next day. Citibank's online Internet system also crashed at the same time. Basic service was restored about two hours later, but various problems persisted. [Source: Reuters item, 5 Sep 2001; PGN-ed]

http://dailynews.yahoo.com/h/nm/20010905/bs/financial_citibank_dc_2.html

Joshua L. Weinberg, 2 Townsend St., Apt 1-905, San Francisco, CA 94107 1-415-777-3339 joshua@theWeinbergs.com

------------------------------

Date: Thu, 6 Sep 2001 20:28:19 -0500
From: "Peter Campbell"
Subject: France Telecom inadvertent disclosure blamed on "computer error"

A variant on the risk of leaving information you don't want disclosed in 'comments' part of a MS Office document, except that instead of the consequences being just egg-on-face, there are selective disclosure issues and the potential for accusations of unfairness. In the US, class action lawsuits have been attempted for less.

http://public.wsj.com/sn/y/SB999174259870751856.html
http://biz.yahoo.com/prnews/010830/nyth052.html

For the uninitiated, selective disclosure of material information is a mortal sin in the investment world. The underlying principle of financial markets is one of fairness to all shareholders -- stock in a company is not called "equity" for nothing. Executing trades based on information to which all shareholders do not have access is called insider trading, though mechanisms do exist that allow insiders to trade in a perfectly legitimate and legal fashion, and is a grave offense in most countries with developed financial markets. Of course, most large investors have more time, resources and expertise to devote to decision making than most small ones, so their advantage is undeniable. But the basis for making investment decisions, so-called material information, must be available to all investors, large and small.
A widely discussed regulation, dubbed Reg FD (for Fair Disclosure) was adopted by the SEC in October of 2000: more information on that here: http://www.sec.gov/rules/final/33-7881.htm

Back to the subject and the risk: the error is obviously human and the risks of email compounded with the notes/comments/change-tracking features have been discussed many times in Risks. Indeed the company I work for released a PR document with the revision history intact... It can happen to the best of us!

------------------------------

Date: Tue, 4 Sep 2001 18:22:57 -0500 (CDT)
From: Jim Griffith
Subject: Photo tickets dismissed in San Diego

A judge in San Diego dismissed 290 tickets issued by a new red light camera system. The issue was a $70 contingency fee paid per ticket to the private company operating the system, which gave that company a clear monetary incentive to issue more tickets. The case in question may impact the fifty other cities in the nation which also use red light camera systems. The judge did not question the accuracy of the technology itself.

http://abcnews.go.com/wire/US/reuters20010904_522.html

------------------------------

Date: Fri, 7 Sep 2001 12:42:11 +0200
From: Thomas Roessler
Subject: Web filter considered harmful

Today, I had to call Palm Support Germany about some problems encountered with one of their new models (insert m500 into the USB cradle, and the PC will occasionally reboot).

The call-center guy I had on the phone hadn't heard about the problem. However, I had done a web search before, and had found some mailing list discussions where someone reported that Palm's US second-tier support knew the problem quite well.

So I gave the list archive's URL to the guy, asking that he investigate the problem. "Sorry, I can't access this through our web proxy. They want to be sure that we don't surf for private purposes during work hours."

The RISK should be obvious: Filtering support employees' web access for security or whatever other reasons can seriously damage these employees' ability to do their job.

Thomas Roessler http://log.does-not-exist.org/

------------------------------

Date: Sun, 2 Sep 2001 06:49:52 -0500
From: "Barry in Indy"
Subject: Early morning phone call angers citizens

A lightning strike caused a computer to begin sending out an automated phone message in the middle of the night. The meeting announcement was scheduled to be delivered during the day on Friday, August 31, but was sent starting after 9 PM Thursday night, and continued until 3:30 AM Friday. There were about 50 complaints.

http://www.indystar.com/print/citystate/sat/articles/badcall01.html

The RISKS? Political suicide, at the least.

Barry Hurwitz

------------------------------

Date: Wed, 5 Sep 2001 12:49:04 -0700 (PDT)
From: Jonathan Leffler
Subject: New software lets managers search e-mail

Note from *Computerworld*: Managers everywhere will soon have the power to remotely check employee e-mail boxes, search for common words and even delete e-mail without notification, thanks to new software.

http://computerworld.com/nlt/0%2C3590%2CNAV47_STO63417_NLTDM%2C00.html

[JL: The risks of abuse seem legion. And accidental abuse could occur; what if that deleted email was actually important?]

Jonathan Leffler (Jonathan.Leffler@Informix.com)
Guardian of DBD::Informix v1.00.PC1 -- http://www.perl.com/CPAN

------------------------------

Date: Wed, 05 Sep 2001 17:40:57 -0400
From: Bill Bumgarner
Subject: Consumer Reports password policy risks

My family regularly uses *Consumer Reports* to evaluate various products before we make a purchasing decision. The enclosed e-mail is the culmination of a rather round-about discussion.

The original problem was that I could not log into my CR account [paid subscription] because it kept claiming the password is incorrect.
Eventually, I discovered that I could log in if I claimed that I had forgotten my password and forced the site to send me a "click here to change your password" URL via email (in plain text, of course).

Along the click trail of "click here to change your password", the user enters a new password twice, verifies the two passwords match, logs the user in (to the edit the account page -- ugh), and presents the user with the site as if they had successfully logged in.

If the user happens to choose a password containing an exclamation point (!), the site silently drops the exclamation point without giving the user any feedback that it has done so. Subsequent login attempts, of course, fail (unless the user happens to forget to type the (!)).

Risk #1: Silently modifying the user's entered password, claiming successful entry, and storing the modified (and likely insecure) password.

Risk #2: Limiting passwords to just letters/numbers. Most good password crackers will brute force through all the various 'dog', 'd0g', 'd)g' possibilities.

Risk #3: Having a "forgot your password" click path that leads directly to all of the pertinent account information. Thankfully, it does not display your FULL credit card -- but does give the last five digits and does allow the user to modify various bits of critical information.

Risk #4: Sending the "forgot your password" URL in a plain text email. A dead horse.

Risk #5: Having nice, responsive customer support that had *no clue* that this problem existed (or even that it was a problem) when, in fact, the problem has been an issue for nearly a year (maybe longer).

I'm sure there are others...

b.bum

(enjoying a 'Fisher & Paykel' as a result of information found on the above site.... talk about killer engineering. Drop a couple of wet sneakers in it, set it to spin dry at 7,000 RPM and it actually balances the drum to keep the thing from tearing itself apart!)

Begin forwarded message:

> From: customerservice@customerrelations.consumer.org
> Date: Wed Sep 05, 2001 05:14:24 PM America/Montreal
> To: "Mr. Bill Bumgarner"
> Subject: Message from Consumer Reports Online - Ref:382442
>
> Dear Mr. Bumgarner:
>
> Thank you for your recent e-mail. It was a pleasure to hear from you.
>
> After reading your e-mail, I'm sorry to say that your password cannot have
> an exclamation point (!). However, please be assured that your password
> can indeed consist of letters and numbers. If you have any questions,
> please feel free to contact our Online Subscription Department toll-free
> at
> (800) 633-0663. A representative will be more than happy to assist you.
>
> Again, thanks for your e-mail. I hope you continue to enjoy the benefits
> of Consumer Reports Online.
>
> Sincerely,
>
> Jenny Manzueta
> Customer Relations
> 382442

In cyberspace, no one can hear you laugh.

------------------------------

Date: Tue, 04 Sep 2001 20:31:08 +0100
From: Ben Laurie
Subject: Norton Personal Firewall

I recently had a problem with a Web site I run. A user complained that Norton Personal Firewall was saying the site was "trying to access her bank account details". Much investigation later, we discovered that the problem was completely stupid.

NPF protects the user from sites that allow them to enter sensitive information in a form that is not secured by SSL. I guess there's some value in this. However, a number of factors combine to produce completely unnecessary FUD, not to mention a complete waste of everyone's time.

Firstly, users are advised to protect their credit/debit card numbers by entering only some of the digits - the recommended number being 4.

Secondly, the "firewall" objects to a web page being served by the server containing the sensitive information if the page contains a form and is not secured by SSL. However, it does not check whether the data presented is even in the form.

Thirdly, the message presented to the user suggests that the webserver is somehow trying to _access_ the sensitive data rather than present it (I'm afraid I do not have the exact wording - figuring out the problem was tedious enough without trying to elicit such details from the user).

The net effect of all this is that you get hysterical messages from the user (and everyone else on the mailing list they post this problem to) saying that you are trying to steal their credit card numbers.

And the cause? A link containing a timestamp in seconds. For any 4 digit sequence the timestamp will match it for 1 second approximately 10 times a day, for 10 seconds once a day, for 100 seconds every 10 days, and so on. This lucky user happened to have a number that recently matched all the time for a period of 12 days.

http://www.apache-ssl.org/ben.html

------------------------------

Date: Thu, 6 Sep 2001 20:26:55 +0200
From: David Mediavilla Ezquibela
Subject: Solar parking meters are a bad idea in wet Britain

http://news.telegraph.co.uk/news/main.jhtml?xml=/news/2001/09/06/nmet06.xml

Nottingham Council (United Kingdom) admitted that the 215 parking meters powered by solar energy that they installed didn't function as expected. They followed the example of other countries in sunny Southern Europe, but, even when this summer has been sunnier in Nottingham, several meters have failed allowing parking for free during periods. Others didn't work even in sunshine because they were under trees. The provider, Metric, is adjusting them for winter to save energy.

David Mediavilla Ezquibela

------------------------------

Date: Fri, 07 Sep 2001 15:28:16 -0700
From: Max
Subject: Sacramento woman denied $2.8 million jackpot

[The RISK: having a failure mode the same as the winning mode. Max]

Nevada Gaming Control Board agents say a Sacramento woman did not win a $2.8 million jackpot she thought she won last month at a Reno casino because the machine malfunctioned.

"The first reel started to spin, and it touched a maintenance card," said Paul Dix, a Gaming Control Board supervisor. "And the machine did what it was supposed to do. It went into a tilt."

But Francesca Galea, 29, insists her play was a legitimate win. And she's willing to fight for the winnings. [PGN-excerpted from AP report, 7 Sep 2001]

------------------------------

Date: Wed, 5 Sep 2001 08:42:03 -0500
From: Gene Spafford
Subject: Accidental disclosure

Several recent Risks Digests have (once again) illustrated hazards associated with accidental disclosure of personal information online.

Readers who do not get the Computing Research Association News might want to check the May issue. I wrote a cautionary article about using online applications and recommendation letter collection, specifically for academia. See for "Protecting Personal Information in Academia."

------------------------------

Date: Wed, 05 Sep 2001 14:53:18 +0000
From: tympani@att.net
Subject: Re: Air Force office mails confidential information (RISKS-21.63)

Re: the USAF Academy e-mail foul-up mentioned in RISKS-21.63: the standard e-mail package for Air Force offices is MS Outlook, which lets you assemble lists of names into addressee groups to avoid the hassle of typing or reselecting a large list of names each time you want to send out a mass message. What likely happened here is that the officer responsible simply clicked the wrong addressee group in haste or carelessness; for instance, instead of selecting "Cadet Group Headquarters" he might have selected "Cadet Group," which would shotgun the message out to everybody.

Of course there are any number of other ways this could have happened, but I doubt that there are any shenanigans going on.

Maj. John Robinson, USAF

[Still, it could be SirCam. PGN]

------------------------------

Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest.
Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body
  subscribe [OR unsubscribe]
  which requires your ANSWERing confirmation to majordomo@CSL.sri.com . [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch.
  INFO [for unabridged version of RISKS information]
  There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
  .MIL users should contact (Dennis Rears).
  .UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
  http://www.CSL.sri.com/risksinfo.html
  ftp://www.CSL.sri.com/pub/risks.info
  The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.com login anonymous [YourNetAddress] cd risks
  [volume-summary issues are in risks-*.00]
  [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
  http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
  Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
  http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
  http://www.planetmirror.com/pub/risks/
  ftp://ftp.planetmirror.com/pub/risks/

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
  http://www.csl.sri.com/illustrative.html for browsing,
  http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.65
************************
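
The false alarm described in the Norton Personal Firewall item of this issue, reproduced as an added example that is not part of the digest or of Ben Laurie's post: a check that looks for the protected digits anywhere in a page containing a form fires on a timestamp in a link, while a check scoped to form field values does not. The page layout, the digits 1234, the function names and the time window are all constructed for illustration, and how the product itself matched is not known beyond what the post says.

```python
"""False positives from matching protected digits against a whole page."""
from html.parser import HTMLParser

PROTECTED = "1234"  # constructed: four card digits the user asked to guard


def page_with_timestamp(ts: int) -> str:
    """Constructed page: a search form plus a link carrying a Unix timestamp."""
    return (
        '<html><body><a href="/list?since=%d">new posts</a>'
        '<form action="/search"><input name="q" value=""></form>'
        "</body></html>" % ts
    )


def naive_page_check(html: str, digits: str = PROTECTED) -> bool:
    """Flag any page that has a form and contains the digits anywhere."""
    return "<form" in html.lower() and digits in html


class _FormValues(HTMLParser):
    """Collect value attributes of <input> elements that sit inside a <form>."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form:
            self.values.append(dict(attrs).get("value") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def form_scoped_check(html: str, digits: str = PROTECTED) -> bool:
    """Flag only when the digits are actually present in a form field."""
    parser = _FormValues()
    parser.feed(html)
    parser.close()
    return any(digits in value for value in parser.values)


def match_runs(check, start: int, end: int):
    """Return (first_second, length) for each run of flagged seconds in [start, end)."""
    runs, run_start = [], None
    for ts in range(start, end):
        if check(page_with_timestamp(ts)):
            if run_start is None:
                run_start = ts
        elif run_start is not None:
            runs.append((run_start, ts - run_start))
            run_start = None
    if run_start is not None:
        runs.append((run_start, end - run_start))
    return runs


def alignment_model(max_k: int = 6):
    """(match length, recurrence period) in seconds for each alignment k.

    With the four digits at decimal places 10**k .. 10**(k+3) of the
    timestamp, the match lasts 10**k s and recurs every 10**(k+4) s.
    """
    return [(10 ** k, 10 ** (k + 4)) for k in range(max_k + 1)]


if __name__ == "__main__":
    day_start = 1_000_000_000  # constructed window: 2001-09-09 01:46:40 UTC
    runs = match_runs(naive_page_check, day_start, day_start + 86_400)
    print("naive check: %d flagged seconds in %d runs over one day"
          % (sum(n for _, n in runs), len(runs)))
    print("form-scoped check on the longest run:",
          form_scoped_check(page_with_timestamp(1_000_012_340)))
    for length, period in alignment_model():
        print("match lasts %8d s, recurs every %.2f days" % (length, period / 86_400))
```

The alignment model gives periods of 10,000 s, 100,000 s and 1,000,000 s for the 1-, 10- and 100-second matches, which is roughly 8.6 times a day, once every 1.16 days and once every 11.6 days.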