precedence: bulk Subject: Risks Digest 21.71 RISKS-LIST: Risks-Forum Digest Weds 24 October 2001 Volume 21 : Issue 71 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: With Mars probe maneuver, NASA finally catches a brake (inthenews) DB and WWW on one machine in Australian election (Andrew Goodman-Jones) Web defacement and cyberattacks (Dave Stringer-Calvert) Hacker cracks Microsoft anti-piracy software (Monty Solomon) Are spammers getting sneakier? part 1 (Rob Slade) Are spammers getting sneakier? part 2 (Rob Slade) Redesi virus (Rob Slade) The British BSE crisis (Anthony W. Youngman) Pregnant chad revisited (Fred E. Ballard) Re: Stray bomb caused by typo (Dan Jacobson) Non-risk, re: Jet engine starter motors (Ben Laurie) Re: Euro changeover (Otto Stolz) Re: Improper address-change validation (Chuck Falconer) Cutting through hype, spin, and propaganda - "Fact Squad Radio" (Lauren Weinstein) Re: Ham radio and Morse Code (Scott K. Ellis, Skip La Fetra) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 24 Oct 2001 11:11:44 -0400 From: inthenews Subject: With Mars probe maneuver, NASA finally catches a brake [In RISKS, we try to include success stories, not just catastrophes. Here is a NASA success (albeit after several Mars-related failures that have been reported here earlier). This item is from *The Washington Post*, 23 Oct 2001, via Science In the News (Sigma Xi). PGN] The Mars Odyssey, which left Earth seven months ago, braked into orbit around the red planet last night, giving NASA's Mars program a welcome boost after back-to-back failures in 1999. While outwardly confident, engineers at NASA's Jet Propulsion Laboratory in Pasadena, Calif., were anxious about the make-or-break "Mars orbit insertion" -- MOI -- rocket firing, a 19.7-minute maneuver one manager described as "the longest 20 minutes of our lives." In reality, engineers had to wait a full half-hour to find out whether Odyssey's main engine had done its job. After a brief scare caused by a momentary loss of data, flight controllers were able to confirm the rocket firing had started on time at 10:26 p.m. EDT based on analysis of radio transmissions from the spacecraft. But Odyssey disappeared behind Mars -- as expected -- halfway through the maneuver. http://www.washingtonpost.com/wp-dyn/articles/A42061-2001Oct23.html ------------------------------ Date: Mon, 22 Oct 2001 15:17:52 +1000 From: "Andrew Goodman-Jones" Subject: DB and WWW on one machine in Australian election Technical hiccups hit ACT election counting By Sandra Rossi, 22 Oct 2001, Computerworld Australia It is ironic that counting in Australia's first election offering electronic voting stalled because of technical hiccups following the ACT poll [on 20 Oct 2001]. Electronic voting is supposed to speed up the polling process and was used on Saturday during the ACT election offering voters a choice between traditional paper ballots and the Internet. By the time voting closed, the ACT Electoral Commissioner Phil Green was claiming Internet users significantly slowed down the collating of electronic votes. More than 11,000 pre-poll electronic votes were supposed to have been counted just after the polls closed at 6pm but there were periods when counting was at a virtual standstill. According to Green, disks were slower to load than expected and processing the disks for eight polling stations equipped for computer voting was drawn out because of competition from the Internet. "We're getting lots of hits on our Internet site and that's actually slowing down our server because it's all being run off the one database," Green said during counting. http://www.computerworld.com.au/IDG2.NSF/a/00046162?OpenDocument&n=e&c=CP ------------------------------ Date: Mon, 22 Oct 2001 17:37:08 -0700 From: Dave Stringer-Calvert Subject: Web defacement and cyberattacks GForce Pakistan hackers defaced the U.S. Defense Test and Evaluation Processional Institute Web site www.dtepi.mil as well as enduringfreedom.dtepi.mil and nasa.dtepi.mil http://www.newsbytes.com/news/01/171341.html after which a rival group of Pakistani vigilante hackers (Yiyat) identified the purported culprit and retaliated. http://www.newsbytes.com/news/01/171365.html [Above text PGN-ed from the URLs. I tried to verify the "processional", but dtepi.mil was apparently off the Net. PGN] Also, an interesting CNN article on a DoE cyberattack scenario. Best quote: The important lesson is that Black Ice showed how interdependent are the various infrastructure systems -- including telecommunications, utilities and banking -- and how major might be the combined effects of cyber- and physical attacks, she says. The infrastructure system providers didn't understand the interdependencies among their systems," Scalingi says. "If you talk to state and local government and local utilities, they'll tell you they have great response plans. The problem is, they write them in isolation. http://www.cnn.com/2001/TECH/ptech/10/21/black.ice.idg/index.html ------------------------------ Date: Sun, 21 Oct 2001 01:45:01 -0400 From: Monty Solomon Subject: Hacker cracks Microsoft anti-piracy software By John Borland, Staff Writer, CNET News.com, 19 Oct 2001 A piece of software being distributed anonymously online has successfully cracked part of Microsoft's anti-piracy technology, the centerpiece of much of the giant's recent forays into the audio and video world. Microsoft confirmed Friday that the code, written by a programmer using the pseudonym "Beale Screamer," can strip off the protections that prevent a song from being copied an unlimited amount of times. The company's digital media division has spent much of the day talking to record labels and content partners in an effort to respond to Screamer's software, said Group Product Manager Jonathan Usher. http://news.cnet.com/news/0-1005-200-7590303.html ------------------------------ Date: Fri, 19 Oct 2001 09:33:54 -0800 From: Rob Slade Subject: Are spammers getting sneakier? part 1 As we are all well aware, spam has been around for a while. As most of us are aware, replying to the "if you have received this message in error and want to be removed from our lists" message at the bottom of most spam simply allows the spammers to verify that they have a "live one"--e-mail address, that is. Recently I received a flood of spam, all simply offering to take my name off their list--if I replied to it. I guess the clients of spam companies are starting to get pickier about the quality of the lists. However, I have also started to receive the odd message like one I got this morning. The subject line stated that the sender saw my ad on Google. Now, I don't advertise on Google. But then again, Google is a Web search tool, and a lot of people are careless about differentiating between the vast quantities of sites out there consisting solely of masses of banners, and information sites like the ones I have up. Reading the message was no more informative: it simply asked me to send more information. The headers were more interesting. The message was ostensibly from someone at referralware.net, but the "Received" lines indicated an origin at prontomail.com. rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: Sun, 21 Oct 2001 22:01:45 -0800 From: Rob Slade Subject: Are spammers getting sneakier? part 2 So I get this e-mail with no subject, but the "From" name is the same as my daughter. Only, of course, it isn't her. It's somethingtosell5678@aol.com. Only it isn't that, either, when you look at the headers, it's: Received: from Azzarmaster (ppp-178.11.triton.net [216.65.178.11] (may be forged)) Now isn't that clever! triton.net has determined that the header information *it* received may be forged! It is helpfully warning me that I may be receiving spam! Really? How would it know? Is this, perhaps, an open relay? And, if so, why is it open? Why isn't triton.net closing off this type of abuse? Well, let's look at the IP address, 216.65.178.11. Good old Samspade.org can tell us that: Trying whois -h whois.arin.net 216.65.178.11 Lucre, Inc. (NETBLK-LUCRE) 4011 Plainfield Ave Grand Rapids, MI 49525 US [...] Coordinator: Hale, Steve (SH1448-ARIN) steve@lucre.net (616) 361-0128 OK, lucre.net certainly sounds like a domain name that a spammer would pick. However, the information goes on: Domain System inverse mapping provided by: NS1.TRITON.NET 209.172.0.5 So let's be guessing that the header isn't actually forged at all. Perhaps we are just supposed to give up looking when we see an indication of a forged header, and not try to find out who actually sent this message. Or, perhaps triton.net is simply going for plausible deniability: "Spam? Gee, that's too bad. Bummer that the headers are forged, otherwise we could tell who sent it." rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: Sun, 21 Oct 2001 11:44:54 -0800 From: Rob Slade Subject: Redesi virus RISKS readers may have heard of one or both variants of Redesi, also known as Dark Machine or Ucon. (In fact, it was PGN who first alerted me to the existence of the second.) (If you haven't heard about them, don't open any e-mail attachments with filenames of Common.exe, Rede.exe, Si.exe, UserConf.exe, or Disk.exe. These filenames seem to be consistent in both versions, in file attachments, and on infected machines.) There are two variants. One comes with a large variety of possible subject lines, all of which contain either a double hyphen or an ellipsis (three or six periods). Many appear to be comments from Kev, Gaz, Will, Si, Jim, Arwel, or Michelle. The body of the message of this A version reads "heh. I tell ya this is nuts ! You gotta check it out !" and file attachments with filenames as listed above. Infected machines will have files with the filenames listed created in the root directory of the C: drive with the hidden attribute set. However, this variant doesn't make any changes to the Registry, and doesn't do any apparent damage. The second variant comes with a subject line that may refer to Microsoft, security updates, alerts, terrorists, emergency response, and viruses. The body contains what appears to be a message from Microsoft describing the attachment as a security patch, and a message of endorsement from the forwarder. (Since both variants are forwarded using Microsoft Outlook address books, the messages will appear to come from someone you know.) (Note that Microsoft is not in the habit of sending out security patches as e-mail attachments.) The B variant adds entries to the Registry, and attempts to use an entry in the Autoexec.bat file to reformat the disk on or after November 11, 2001. The filenames of the attachments, and the files created, are the same. Note that the close association and quick release of the two variants may have been a two stage piece of social engineering. The first release would create some concern, and would promote a heightened sense of urgency about applying patches or fixes, possibly enough to prompt people to run suggested repair programs without getting confirmation. The second virus would take advantage of this kind of panic. And, in this case, the "cure" is definitely worse than the disease. (However, given some of the second set of subject lines, the second release may simply be trying to take advantage of the uncertainty over terrorist attacks.) By the way, if you are trying to filter viruses at the e-mail gateway, scan e-mail for messages with attachments with filenames Common.exe, Rede.exe, Si.exe, UserConf.exe, or Disk.exe. Also note the message text "heh. I tell ya this is nuts ! You gotta check it out !" and "Just recieved this in my email I have contacted Microsoft and they say it's real !" Note that deleting messages on the basis of body text is not recommended, since it may eliminate warning messages. rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: Mon, 22 Oct 2001 15:08:30 +0100 From: "Anthony W. Youngman" Subject: The British BSE crisis [This message is not particularly relevant to COMPUTERS, but highly relevant to TRUSTING THIRD-PARTIES. PGN] As you probably know, some scientists were asked to study whether BSE had jumped species into sheep, and were given a load of sheep-brains to study. It then turned out that these were not sheep, but cow brains, leading to newspaper headlines about how scientists couldn't tell the difference between sheep and cows. This morning, it took a turn for the worse. It appears that the scientists *had* suspected something was wrong, and asked for a sample of their material to be analysed to check the species. However, as their brief was to look for BSE, they could only *request* that somebody else check for species. It seems that when this check was done, it was done on a sample of material that the original scientists *should* have been given, not on the sample they had provided from what they *had* been given. So of course the species test "proved" they had sheep brains. The risk? The classic "need to know" principle meaning that people are forced to rely on others "doing the right thing" rather than being empowered to make sure themselves that things are okay. And the classic of basing your test on the assumption that things are okay, rather than assuming (and looking for) a cock-up. [Heard on Radio 4] ------------------------------ Date: Mon, 22 Oct 2001 11:32:18 -0500 From: fred.e.ballard@abbott.com Subject: Pregnant chad revisited (Re: Jones, RISKS-21.70) It is shocking that a risk so obvious was not mentioned or found. I think it is a real insult to voters, and a disgrace to the manufacturer and voting officials. Sheesh! Like so many things in RISKS, an intelligent sixth grader wouldn't run things this way. Fred Ballard fredb@acm.org fred.ballard@abbott.com [The really sad thing is that many of the same punch-card machines were apparently also implicated in the 1988 Florida Senate race. Buddy Mackay lost a close election to Connie Mack, in which there was a drop-off of 210,000 votes relative to the Presidential race in the same four counties. A lot of people must have been asleep at the wheel. PGN] ------------------------------ Date: 20 Oct 2001 08:19:35 +0800 From: Dan Jacobson Subject: Re: Stray bomb caused by typo (Hollebeek, RISKS-21.70) > ... GPS coordinates could use a check digit that detects one digit errors > and transpositions, much like the one used in credit-card numbers. Erm, but aren't any coordinates valid as long as you don't go beyond, e.g. 90 degrees north latitude, etc. OK, yes, it would be wise to check that the coordinates are indeed within Afghanistan, unless oops, we want to create a random international incident, or maybe even blow ourselves up. Odd that with all that high tech, he still had to type them in instead of clicking on it... Or maybe he needs an Afghanistan Residential Zoning Map hooked into his GIS to lock out bad picks. http://www.geocities.com/jidanni/ Tel+886-4-25854780 ¿n¤¦¥§ [Also commented on by Lou Schneider. PGN] ------------------------------ Date: Sun, 21 Oct 2001 21:28:46 +0100 From: Ben Laurie Subject: Non-risk, re: Jet engine starter motors (RISKS-21.70) One of the rays of sunshine in the otherwise bleak cloudspace that is RISKS is that the occasional risk turns out not to be. I have been told by a significant number of people that the starter motor is not what goes on "continuous" after the jet has taken off. Instead the ignitors stay on and ensure that if the flame goes out, it is relit. It is, apparently, normally not necessary to respin the turbines once in flight. If I remember correctly, because the 777's engine start sequence is entirely automated (literally one switch for each engine), there's no distinction made between starter motors and ignitors on the control panel. There's a single switch that does, in effect, "off", "on" and "continuous". Thanks for all the corrections on this issue. Ben ------------------------------ Date: Mon, 22 Oct 2001 19:38:57 +0200 From: Otto Stolz Subject: Re: Euro changeover (Long, RISKS-21.70) On Sun, 14 Oct 2001 21:50:48 +0200, Douglas Long wrote: > Converting all values to Euros and then calculating the > account balance [...] yields one answer. Calculating a > partial balance in Francs, converting to Euros, and then > completing the remaining calculations using Euros [...] > yields a slightly different result. This is an intrinsic property of the two operations {conversion | addition}: they are not commutative; cf. . Hence, there are rules the banks are legally bound to, cf. . However, according to the dossier cited above, the particular issue observed by Douglas Long is subject to national rules. [...] (Note: EUR cash will only be introduced on 01 Jan 2002) > some ATM transactions are reported in Francs ... others ... in Euros This sort of happening is forbidden in Germany. However, I do not know anything about national regulations in France. In Germany, customers currently can choose whether their accounts are handled in DM or in EUR. Banks are committed to carry the original amount and currency of every single transaction through to the final account (in addition to the EUR amount they use for their own balancing); hence, if a DM amount is transferred from one DM account to another DM account, the original DM amount will precisely be balanced in both customer accounts, notwithstanding the fact that the banks themselves calculate in EUR. The same scheme applies to cash deposits to, and withdrawals from, DM accounts. ------------------------------ Date: Sat, 20 Oct 2001 03:18:24 GMT From: CBFalconer Subject: Re: Improper address-change validation The US postoffice operates the same way. I recently put in a change of address, and the advisory went to the new address, along with all the old mail. Chuck F (cbfalconer@yahoo.com) [At SRI, we did a study for the USPS many years ago, and I complained then about that stupid policy. Evidently, they still have not learned. PGN] ------------------------------ Date: Wed, 24 Oct 2001 10:42:25 -0700 From: Lauren Weinstein Subject: Cutting through hype, spin, and propaganda - "Fact Squad Radio" Announcing "Fact Squad Radio" October 21, 2001 http://www.factsquad.org/radio PFIR - People For Internet Responsibility - http://www.pfir.org [ To subscribe or unsubscribe to/from this list, please send the command "subscribe" or "unsubscribe" respectively (without the quotes) in the body of an e-mail to "pfir-request@pfir.org". ] Greetings. The main purpose of People For Internet Responsibility's recently-announced "Fact Squad" effort is to cut through hype, spin, misinformation, and propaganda regarding technological issues and their effects upon society. In furtherance of this goal, we're pleased to announce the launching of the "Fact Squad Radio" service. Fact Squad Radio is providing very short (one minute), tightly-focused audio features, each concentrating on a single relevant topic of importance. These vignettes are aimed at explaining the issues briefly in a non-technical manner suitable for general audiences. Topics to be covered will include both matters of long-standing importance and crucial issues of the moment. We encourage linking and redistribution of these features, and they are freely distributable without any further permission being needed for non-broadcast, non-commercial usage. Requests for other kinds of usage will be considered on a case-by-case basis. We'll be ramping up towards a five per week, M-F schedule. All segments are in the standard MP3 format. The debut Fact Squad Radio feature concerns a topic of some significant interest right now -- National ID Cards. Fact Squad Radio is at: http://www.factsquad.org/radio Thanks very much! Lauren Weinstein lauren@pfir.org lauren@vortex.com lauren@privacyforum.org Tel: +1 (818) 225-2800 Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org Co-Founder, Fact Squad - http://www.factsquad.org Moderator, PRIVACY Forum - http://www.vortex.com Member, ACM Committee on Computers and Public Policy ------------------------------ Date: Fri, 19 Oct 2001 21:43:40 -0400 From: "Scott K. Ellis" Subject: Re: Ham radio and Morse Code (Decker, RISKS-21.70) With due respect to Mr. Decker, I believe he has slightly (perhaps unintentionally) distorted the most recent developments in amateur radio licensing. While it may be true that the ham radio community has in the past considered Morse code a "favorable" barrier to entry to keep out "undesirables," current Morse code requirements have a more reasonable explanation. The maximum required Morse code speed for a ham license is now 5 WPM. While there are several license grades with more "long distance" frequency bands available for use, they are now all accessible by passing the appropriate technical knowledge test. The 5 WPM code requirement for the long-range frequency bands is a result of international treaty requirements. There are currently efforts underway to have that portion of the international treaties changed, at which time the Morse code requirement will be removed from the amateur licensing requirements. Scott K. Ellis ------------------------------ Date: Sat, 20 Oct 2001 10:35:12 -0700 From: "Skip La Fetra" Subject: Re: Ham radio and Morse Code (Decker, RISKS-21.70) > ... And it's also something that could come back to bite you in the butt, > should those of the "excluded" class ever reach positions of power. No truer words have ever been spoken. Mr Decker's points against the Morse code requirement are true and to-the-point (I speak as an Amateur Extra (20 words-per-minute Morse) licensee who has *never* attempted a "real" Morse contact -- I learned the code (and it *IS* very hard!) simply to get the license. Mr. Decker's points about exclusion ring true. However, there are other points which were omitted in his message which need to be made in balance -- and this is my reason for this message to RISKS. These are not "rebuttals" to his premise, but point to other reasons why Amateur ("ham") radio is justified in today's society. Ham Radio (and its FCC justification) is about COMMUNICATION. We are a trained bunch of COMMUNICATORS (it does not really matter if we are using Ham, CB, or other frequencies) who are experienced at accurate COMMUNICATION. We are equally skilled at picking up a police or fire hand-held radio as we are at using our "special" frequencies -- and getting a CLEAR message across. In an emergency situation, communication needs far outstrip the installed capability -- Hams are PEOPLE who have frequencies (communication channels) and clear-communication skills who can use their resources (or those of the police/fire/Red Cross agency they are present to help) to keep information flowing. (I do wish to point out that the ham "special" frequencies are necessary to augment the limited number of police/fire channels in a true communications emergency.) This is (one of) the core justification(s) of Ham radio by the FCC. Active (hobby) use of the radio spectrum enables ham operators to be ready and able to help in times of communications emergency. Morse Code is a useful method, but it is not the only method. Skip La Fetra, Amateur Extra, AA6WK, Skip@LaFetra.com http://www.LaFetra.com/Skip/AA6WK [I have omitted several other messages on this topic, but there seems to be lively disagreement. PGN] ------------------------------ Date: 12 Feb 2001 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 21.71 ************************