RISKS-LIST: Risks-Forum Digest  Sunday 11 November 2001  Volume 21 : Issue 74

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Programming error scrambles election results (Geoff Kuenning)
Yet another Internet voting risk (Rebecca Mercuri)
Election problems before the election in Virginia (Jeremy Epstein)
Possible radiation therapy risk (Herbert Kanner)
Risks of belief in identities (PGN)
Stealing MS Passport's Wallet (Mike Hogsett)
Security hole in cash machines (Andrew Brydon)
UK: liberties fears over mobile-phone details (Monty Solomon)
Dutch police 'bombard' stolen cell phones with SMS (Monty Solomon)
Australian computer hacker jailed for two years (Peter Deighan)
Even professional organizations forget about certificate expiration (Jeremy Epstein)
Children's medical records released on the Web (Conrad Heiney)
Glitch in iTunes Deletes Drives (Monty Solomon)
Dates in Visual Basic (John Sullivan)
Excel and non-decimal dots (magical via Mark Brader)
Sweden's public radio reportedly bans SETI from office computers (Ulf Hedlund via Declan McCullagh)
Random failures (Andrew Brydon)
Re: Another SRI-wide Power Outage (Marcus L. Rowland)
Re: Kids' learning game site becomes porn site (Daniel P. B. Smith, Ian Young, Paul Bowers)
Re: DeCSS is Speech (Amos Shapir)
Re: DoS attack on Mac OS9 (William Kucharski, Carl Maniscalco)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 10 Nov 2001 14:16:27 -0800
From: Geoff Kuenning
Subject: Programming error scrambles election results

A San Bernardino County election last Tuesday was counted incorrectly due to a programming error. According to the *Los Angeles Times*, a veteran county employee claimed to have tested his code, but apparently had not actually done so. Some ballots were counted starting at the middle (sounds like an uninitialized loop variable); others were counted "from the bottom up" (don't ask me how). The unnamed employee has been suspended from programming duties.

A consulting firm has now been brought in to verify the software for this and all future elections, something that should have been standard practice all along.

In some races, heavily favored incumbents "lost" to unknowns who hadn't campaigned at all. The error was uncovered when officials noticed that the count for one race showed no votes counted.

Especially telling is the following paragraph in one of the Times stories:

  "County officials said the good news is that using a card-counting system means that ballots are still around to be recounted. If the same error had occurred with an electronic voting system, there would be no paper record," West said.

We've been telling them for years. But I doubt they'll learn their lesson.

Geoff Kuenning  geoff@cs.hmc.edu  http://www.cs.hmc.edu/~geoff/

  [The results of 33 races were seriously in doubt, and all 85,000 ballots for 82 races will be recounted. Also noted by Erann Gat. PGN]

------------------------------

Date: Tue, 6 Nov 2001 14:50:56 -0500 (EST)
From: Rebecca Mercuri
Subject: Yet another Internet voting risk

I was working at the polls in Mercer County NJ during the 6 Nov 2001 election and heard from a number of people whose spouses and/or children had applied for absentee ballots (since they would not be able to vote at the polls) but did not receive them. Mercer County is in the midst of the Anthrax mailing zone, with 3 post offices affected. Apparently, in some of the cases, the application for the absentee ballot was not received in time, and in other cases the absentee ballots were not received by the voters in time.

How this relates to Internet balloting -- most schemes, including the one outlined by the California Task Force, would require the validation process and issuance of the Internet voting password to be issued by postal mail. A mail hold-up such as the one we are experiencing in New Jersey could adversely affect the process. In short, the best way to validate voters is in person.

------------------------------

Date: Wed, 31 Oct 2001 09:05:50 -0500
From: Jeremy Epstein
Subject: Election problems before the election in Virginia

Like almost all U.S. states (*), Virginia is undergoing redistricting as a result of the 2000 census. As a result, some people got new polling places. According to
  http://www.washingtonpost.com/wp-dyn/articles/A14523-2001Oct30.html
Fairfax County sent electronic updates to the state for inclusion in the state's database to reflect local redistricting, and the state sent a new master database back, which lost about 18,000 of the updates. Unfortunately, Fairfax County used the erroneous data to send out voter information, and had to send out a second set of instructions. There's the predictable finger-pointing as to who's at fault for the snafu.

All goes to prove that there are plenty of computer-related risks in elections, and that's before you even get to the polling place!

(*) There may be some states where there's no redistricting. For example, Wyoming only has one representative, so there's no need for statewide redistricting, although there may be local redistricting.

------------------------------

Date: Sat, 10 Nov 2001 11:59:32 -0800
From: Herbert Kanner
Subject: Possible radiation therapy risk

As a patient being irradiated by a Varian linear accelerator, it interested me to be told by a technician that when they are behind schedule it is usually because of a computer crash. He said that the accelerator is controlled by "three computers that talk to each other." I inquired further and found out that they are PCs running Windows 2000.

Not exactly confidence inspiring!

Herbert Kanner  650-326-8204

------------------------------

Date: Sat, 10 Nov 2001 11:54:17 PST
From: "Peter G. Neumann"
Subject: Risks of belief in identities

For those of you who might believe that national ID cards might be a good idea, check out the December 2001 *Commun.ACM* Inside Risks column by me and Lauren Weinstein, previewed on my Web site
  http://www.csl.sri.com/neumann/insiderisks.html
in anticipation of a U.S. House hearing next Friday on that subject. It is not just the cards themselves that would entail risks, but even more so all of the supporting infrastructures, widespread accessibility to networking, monitoring, cross-linked databases, data mining, etc., and particularly the risks of untrustworthy insiders issuing bogus identification cards -- as happened a few years back on a large scale in the Virginia state motor vehicle agency (RISKS-11.41).

The latest item on the ease of getting phony or illegal or unchecked identification papers is found in an article by Michelle Malkin (Creators Syndicate Inc.), which I saw in the *San Francisco Chronicle* on 10 Nov 2001: Abdulla Noman, employed by the U.S. Department of Commerce, issued bogus visas in Jeddah, Saudi Arabia, in one case in 1998 charging approximately $3,178. The article also notes a variety of sleazy schemes for obtaining visas, in some cases without ever appearing in person and without any background checks, and in other cases for ``investments'' of a hundred and fifty thousand dollars. The article concludes with this sentence: ``Until our embassy officials stop selling American visas blindly to every foreign investor waving cash, homeland security is a pipe dream.''

I'm not sure that conclusion is representative of the full nature of the problem of bogus identification, but the problem is clearly significant. A driver's license or a passport or a visa or a National ID card is not really proof of identity or genuineness or anything else.

------------------------------

Date: Fri, 02 Nov 2001 14:51:52 -0800
From: Mike Hogsett
Subject: Stealing MS Passport's Wallet

From: http://www.wired.com/news/technology/0,1282,48105,00.html

By cobbling together a handful of browser-based bugs with flaws in Passport's authentication system, Slemko developed a technique to steal a person's Microsoft Passport, credit card numbers -- and all, simply by getting the victim to open a Hotmail message.

------------------------------

Date: Fri, 9 Nov 2001 05:53:32 +0000
From: Andrew Brydon
Subject: Security hole in cash machines

http://news.bbc.co.uk/hi/english/sci/tech/newsid_1645000/1645552.stm
By BBC News Online technology correspondent Mark Ward

A serious weakness has been discovered in the methods used by banks to protect the number that lets you get money from a cash machine. Researchers from the University of Cambridge have found that the computer systems which check that these numbers are valid are easy to defeat. They warn that unscrupulous insiders could exploit these weaknesses to raid customer accounts. The researchers have called on banks to revise their security arrangements and use more open procedures to protect customers' cash. ...

The physical construction of the cryptoprocessors is certified to a high standard to ensure that the boxes cannot be forced to give up the keys they use to scramble data. Any physical tampering with the box makes them destroy the keys they use. [However,] security researchers Michael Bond and Richard Clayton have found serious weaknesses in the software cryptoprocessors use to handle the encryption keys as they talk to different programs. ... using the clues provided by the leaky software, the cracking time can be reduced to just 24 hours.

Andrew Brydon, Systems & Software Safety Analyst, Lancashire, UK

------------------------------

Date: Tue, 30 Oct 2001 21:02:14 -0500
From: Monty Solomon
Subject: UK: liberties fears over mobile-phone details

Records which map out users' whereabouts held indefinitely
Stuart Millar and Paul Kelso, *The Guardian*, 27 Oct 2001

One of the fastest growing mobile phone providers is indefinitely storing information that allows its customers' movements over the last two years to be mapped to within a few hundred metres.

As the government rushes through emergency anti-terror legislation that would require vast amounts of electronic communications data to be retained in the name of national security, *The Guardian* has established that Virgin Mobile has been storing the location records of its 1 million customers since the network launched in November 1999.

Last night, the privacy watchdog, the information commissioner, told the Guardian that it would be investigating the practice to establish whether it contravenes regulations governing retention of communications data. [...]

http://www.guardian.co.uk/mobile/article/0,2763,581763,00.html

------------------------------

Date: Tue, 6 Nov 2001 10:03:47 -0500
From: Monty Solomon
Subject: Dutch police 'bombard' stolen cell phones with SMS

Dutch Police 'Bombard' Stolen Cell Phones With SMS
By Andrew Rosenbaum, Special to Newsbytes, AMSTERDAM, NETHERLANDS, 05 Nov 2001

The Amsterdam police have been using short messaging system (SMS) missives to block the use of stolen cell phones, and while the campaign has been successful, mobile providers are concerned about the cost and bandwidth strain of the campaign.

About four months ago, the Amsterdam police began cooperating with the national telecommunications provider, KPN Telekom. When stolen phones are reported, the police asked KPN to use the phone to locate the telephone number. Then, every three to five minutes, the police sent SMS messages to the telephone saying, "Warning, this is a stolen telephone, using it is against the law -- stealing it is a felony." ...

http://www.newsbytes.com/news/01/171836.html

------------------------------

Date: Wed, 31 Oct 2001 20:03:45 +1100
From: Peter Deighan
Subject: Australian computer hacker jailed for two years

This from Australian Broadcasting Corporation web site, 31 Oct 2001
URL = http://www.abc.net.au/news/newslink/nat/newsnat-31oct2001-96.htm

Vitek Boden, a computer hacker who hacked into the sewage control computer and intentionally released thousands of litres of raw sewage into creeks and parks on the lower Queensland Coast (and the grounds of the local Hyatt Regency), has been jailed for two years by a Maroochydore District Court jury. [PGN-ed]

An unexpected Risk? Wonder what the design decision was: perhaps to save on call-back costs for control staff?

  [also noted by Derek Ross and George Michaelson. PGN]

------------------------------

Date: Mon, 5 Nov 2001 09:23:29 -0500
From: Jeremy Epstein
Subject: Even professional organizations forget about certificate expiration

If you visit https://swww2.ieee.org/ (the site used for on-line renewal of IEEE membership), you'll learn that the certificate expired on Oct 31st 2001. I reported this on Nov 1st to IEEE, and as of today (Nov 5th), it hasn't been fixed. I'm curious how many other people noticed/reported it, or if everyone just clicked through due to the vast quantity of similar problems on the Internet.

What good is certificate expiration if it gets ignored by users?
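As an added illustration (not code from the post, from IEEE or from the digest): a small monitoring check that turns a certificate's notAfter date into an explicit alert, so an expired certificate is caught by an operator rather than by users clicking through. The certificate dictionary is constructed in the shape Python's ssl getpeercert() returns, using the 31 Oct 2001 expiry reported in the post; the notBefore value and the 30-day warning threshold are assumptions.

```python
"""Certificate validity check of the kind a monitoring job would run.

Added example, not code from the post or from IEEE. The sample certificate
is constructed in the format ssl.SSLSocket.getpeercert() returns; only the
notAfter date comes from the post, the notBefore value is an assumption."""
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in getpeercert() format (hostname as named in the post).
SAMPLE_CERT = {
    "subject": ((("commonName", "swww2.ieee.org"),),),
    "notBefore": "Oct 31 00:00:00 2000 GMT",   # assumed one-year certificate
    "notAfter": "Oct 31 23:59:59 2001 GMT",    # expiry reported in the post
}


def utc(year, month, day, hour=0, minute=0):
    """Build an aware UTC datetime; used for the clock values below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def validity_window(cert):
    """Parse the OpenSSL-style date strings into aware UTC datetimes.

    ssl.cert_time_to_seconds() understands the 'Mon DD HH:MM:SS YYYY GMT'
    form that getpeercert() emits and interprets it as UTC."""
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return not_before, not_after


def days_remaining(cert, now):
    """Whole days until notAfter; negative once the certificate has expired.

    timedelta.days floors toward minus infinity, so a certificate that lapsed
    a few hours ago already reports -1 rather than 0."""
    _, not_after = validity_window(cert)
    return (not_after - now).days


def assess(cert, now, warn_days=30):
    """Classify the certificate relative to `now`.

    Returns 'not_yet_valid', 'expired', 'expiring' (within warn_days) or 'ok'.
    A monitoring job would page on 'expired' and ticket on 'expiring'."""
    not_before, not_after = validity_window(cert)
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def report(cert, now, warn_days=30):
    """One-line status suitable for a log or alert message."""
    name = dict(cert["subject"][0])["commonName"]
    state = assess(cert, now, warn_days)
    return f"{name}: {state} ({days_remaining(cert, now):+d} days to notAfter)"


if __name__ == "__main__":
    # The day the poster checked again: still expired, five days on.
    print(report(SAMPLE_CERT, utc(2001, 11, 5, 10)))
```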
------------------------------

Date: Wed, 7 Nov 2001 10:45:58 -0800
From: Conrad Heiney
Subject: Children's medical records released on the Web

The University of Montana released confidential psychological records of children on the World Wide Web, according to the *Los Angeles Times*:
  http://www.latimes.com/news/nationworld/nation/la-110701private.story

Four hundred pages of documents about at least 62 children were posted, including in some cases complete name and address information along with results of psychological testing. According to the *Times*, the data was available for eight days starting October 29 and included confidential and detailed summaries of patients' psychiatric conditions in much more detail than in previous similar accidental releases of information. The University indicated that errors by students or technical employees were likely to be at fault.

The obvious Risk of electronic medical records is once again proved in an especially painful way.

Conrad Heiney  conrad@fringehead.org  http://fringehead.org

------------------------------

Date: Tue, 6 Nov 2001 09:58:07 -0500
From: Monty Solomon
Subject: Glitch in iTunes Deletes Drives

Glitch in iTunes Deletes Drives, By Farhad Manjoo, 5 Nov 2001

Some Macintosh users who rushed to download the latest version of iTunes -- Apple's popular digital-music player -- were singing a song of woe on Friday. A bug in the installation procedure caused the application to completely delete their computers' hard drives.

Apple issued an alert and a fixed version of iTunes 2 on Saturday morning, and the company urged people to remain calm. [...]

According to Mac experts who examined the code of the buggy iTunes installer, the problem arose from a very tiny programming mistake -- a forgotten quote mark. Instead of typing the line "$2Applications/iTunes.app", a bleary-eyed coder had instead typed the disastrous $2Applications/iTunes.app, according to a message on MacSlash. [...]

http://www.wired.com/news/technology/0,1282,48149,00.html

------------------------------

Date: Fri, 9 Nov 2001 16:56:45 +0000
From: John Sullivan
Subject: Dates in Visual Basic

I was just writing a test-harness in Visual Basic (VB6 SP5) when I noticed the following annoying and potentially downright dangerous behaviour.

Part of the code generated a series of dates, and I'd entered the start date as a literal date of the form #2001-11-08#. This worked fine as I expected and, as it wasn't at all important at this stage, I didn't look twice at what I'd just typed. When I came back to it today, I noticed it read #11/8/2001#. Now, I never code dates in non-ISO format if possible, and being in the UK with my locale set to UK never, ever, use US mm/dd format unless I know it's the only format a broken program accepts.

Retyping it showed that the date was changed in front of my eyes:

  #2001-11-08# becomes #11/8/2001#  (2001-11-08)
  #11/8/2001#  becomes #11/8/2001#  (2001-11-08)
  #8/11/2001#  becomes #8/11/2001#  (2001-08-11)
  #15/11/2001# becomes #11/15/2001# (2001-11-15)

It changed as soon as the cursor left the line. So you type it, check it, find it correct, go off somewhere else, blam!

The first has reduced the comprehensibility of the code. The second and third give no feedback that they're not conforming to the current locale. The last two show that VB is not even being consistent in its parsing.

The Risks: Dumb programs thinking they're smart enough to change a programmer's code can lead to unpredictable behaviour. If you assume that what you type is what gets saved then you may not even notice, and errors in strings of numbers are immediately less obvious than structural or logical errors. If I (or a colleague) came back to the first example in a few months' time, will we know whether it means 8th Nov or 11th Aug? It would be natural to assume it's using the current locale, but in this case it isn't. What I actually typed was unambiguous.

I use VB, and dates in VB, so rarely that I may not even remember this behaviour myself a year or two down the line. Thankfully I don't have to use this noddy little toy for writing Real Programs in.

------------------------------

Date: Wed, 7 Nov 2001 13:43:25 -0500 (EST)
From: msb@vex.net (Mark Brader)
Subject: Excel and non-decimal dots

* From: magical@rahul.net
* Newsgroups: alt.usage.english
* Subject: Re: Telephone Area Code
* Message-ID: <7bqiutgjqqg1tu29qd6ak615c14pbcfavo@4ax.com>
* Date: Wed, 07 Nov 2001 17:07:08 GMT

On Wed, 07 Nov 2001 07:54:15 GMT, in alt.usage.english, David Hecht created

> The US convention (AAA)BBB-CCCC is not just evolving into AAA-BBB-CCCC;
> now I'm seeing more and more of the "international" style: AAA.BBB.CCCC
> . This appears in some "chic" guidebooks.

I tried using that format, until I pulled a text file into Excel and it changed all the phone numbers into "real numbers" and deleted terminal zeros. Excel also has this annoying habit with IP addresses, changing 10.0.0.10 to 10.0.0.1. I can't find a way, in the *import* function, to define these numbers as "text" so that Excel will leave them alone upon import. Sigh.

------------------------------

Date: Thu, 08 Nov 2001 15:22:14 -0500
From: Declan McCullagh
Subject: Sweden's public radio reportedly bans SETI from office computers

SETI homepage: http://setiathome.ssl.berkeley.edu/

Date: Thu, 08 Nov 2001 21:10:05 +0100
To: declan@well.com
From: Ulf Hedlund
Subject: Swedish national radio bans SETI software

Conspiracy theory has reached the state owned public service radio in Sweden, "Sveriges Radio" (www.sr.se). They have banned all use of the SETI software and say that three of the technicians from the IT department are going to be relocated. According to the head of human resources, Per Thorsell, this is due to the fact that they don't know if the software is actually performing a search for extraterrestrial life. "The software could be used by some service for other purposes, e.g., calculation of missile ballistics", he says.

http://www.sr.se/ekot/index.asp?article=22761

  [in Swedish; translation tinkered slightly after consulting Ulf Lindqvist, who suggests they should be equally paranoid about other black-box software they might be running. PGN]

To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/

------------------------------

Date: Tue, 6 Nov 2001 22:31:18 +0000
From: Andrew Brydon
Subject: Random failures (Re: Bank Canada, Sokskiewicz, RISKS-21.73)

>I think that sometimes we are better off accepting such "random" occurrences

Rather we should be analysing our systems for random failures and interactions due to these random occurrences, designing out or mitigating to limit the effects of such failures. To do any less may be unprofessional, and in many cases illegal.

>Sometimes I feel that RISKS readers expect to live in a perfect world.

I think we should expect all reasonable care to be taken over developing and implementing the systems which we use, as for any other consumer product or service. The difference with, say, a toaster, is that there are far fewer interactions and controls to consider, but we still expect it to turn bread to toast without error.

Andrew Brydon, Systems & Software Safety Analyst, Lancashire, UK

------------------------------

Date: Tue, 30 Oct 2001 23:02:37 +0000
From: "Marcus L. Rowland"
Subject: Re: Another SRI-wide Power Outage

A couple of weeks ago I spent three hours trying to find out why one of our laboratories (see various previous comp.risks digests) was tripping out its circuit breakers again, despite the system having been overhauled. We eventually realised that someone had put a box of equipment down on top of a stool that wobbled slightly, so that it pressed against the emergency cut-out button whenever someone brushed past it...

Marcus L. Rowland  http://www.ffutures.demon.co.uk/  http://www.forgottenfutures.com/

  [VERY OLD problem. In the Multics days in the later 1960s at Bell Labs, sitting down in a particular chair in the computer room would often crash the system, due to the under-floor wiring. PGN]

------------------------------

Date: Mon, 05 Nov 2001 20:11:49 -0500
From: "Daniel P. B. Smith"
Subject: Re: Kids' learning game site becomes porn site (RISKS-21.73)

In the interest of becoming a well-informed netizen, I took a look at http://www.moneyopolis.org and http://www.moneyopolis.com. Imagine my disappointment^h^h^h^h^h^h^h^h^h^h^h^h^h^h^h relief, to find that as of 11/5/2001 these sites appear to be ... an online interactive children's game produced as a public service by Ernst and Young.

Daniel P. B. Smith

  [Quite a few RISKS readers noted this. So, either the WashPost and NYT (which ran its own story) got it wrong, or E&Y quickly repaired its image by re-acquiring the .org domain -- presumably at an indecent markup. PGN]

------------------------------

Date: Tue, 6 Nov 2001 09:58:17 -0000
From: Ian Young
Subject: Re: Kids' learning game site becomes porn site (RISKS-21.73)

You won't be surprised to hear that Ernst & Young (no relation) are not the only people to have been affected by this scheme. I got some moderately irate E-mail recently from users of a small site I run because one of the sites I had linked to had apparently converted to a porn site in the way the *Post* describes. However, in this case:

* the registration was by a different company: someone out of Tbilisi, Georgia instead of Yerevan, Armenia.

* The new site contained a single page containing an _advertisement_ for "Euro Teen Sluts", plus half a dozen post-close pop-ups for similar sites, but also offered to sell you the domain name in question!

Obviously, buying up random dead domains is a cheap way of getting advertising space, as long as you don't care who sees the adverts in question.

Risk 1: links are sometimes seen as endorsements. That's a problem for me, but it is presumably also a problem for people like Google, whose rating system depends on seeing that particular sites are linked _to_ by other sites. I wonder how they cope with this? I can see that they do, because the site I linked to still has a lot of links to it, but no longer appears in a Google search with any of the obvious keywords...

Risk 2: automatic link checkers will tell you there is something there, but they won't tell you what it is. You actually have to visit your links once in a while to check they haven't turned into something else.

------------------------------

Date: Mon, 5 Nov 2001 21:11:49 -0500
From: "Paul Bowers"
Subject: Re: Kids' learning game site becomes porn site (RISKS-21.73)

On a similar theme, one of my visitors pointed out to me that a link from my site was now resolving to some cyber-babe page. Apparently, exicom.org recently changed owners. The articles I had linked from the site were good technical pages.

------------------------------

Date: Tue, 06 Nov 2001 14:37:22 +0200
From: Amos Shapir
Subject: Re: DeCSS is Speech (Tyre, RISKS-21.73)

May I point out that the original purpose of ALGOL -- the granddaddy of all structured programming languages -- was to create a common set of notations which would enable people to converse about algorithms. ALGOL code was not meant to be compiled into executable object code, and its first specification (of 1960, IIRC) had no defined means for I/O.

Amos Shapir

------------------------------

Date: Sun, 11 Nov 2001 07:31:51 -0700
From: "William Kucharski"
Subject: Re: DoS attack on Mac OS9 (Gat, RISKS-21.73)

The risk in MacOS 9 is not surprising, and not really a RISK. Not unless you're expecting the Multiple Users feature of MacOS 9 to provide anything more than rudimentary security.

Sure, you can change passwords if you have physical access to the machine. You can also boot any Mac with a MacOS 9 CD and completely circumvent all protection.

The biggest RISK here is believing a feature meant largely to provide different environments for different family members or to prevent clueless users from damaging the system (i.e. dragging crucial system control panels or extensions to the trash) provides any TRUE degree of security...

William Kucharski

------------------------------

Date: Sun, 11 Nov 2001 16:51:33 -0800
From: Carl Maniscalco
Subject: Re: DoS attack on Mac OS9 (Gat, RISKS-21.73)

The Multiple Users control panel in OS 9 *is* a pretty ugly hack but the security risk isn't quite as bad as Mr. Gat makes it out to be. To effect a password change that would "render that machine useless," the malicious user would have to gain access to a Mac where someone has already logged on to the admin account. In my opinion, anyone who leaves a computer unattended in that state in an insecure environment probably deserves whatever he gets.

Carl Maniscalco, Deus Ex Macintosh, Mac Consultants, San Diego, CA

------------------------------

Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body
  subscribe [OR unsubscribe]
which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
[If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch.
  INFO [for unabridged version of RISKS information]
There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .MIL users should contact (Dennis Rears). .UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
  http://www.CSL.sri.com/risksinfo.html
  ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
  ftp ftp.sri.com
  login anonymous
  [YourNetAddress]
  cd risks
[volume-summary issues are in risks-*.00]
[back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
  http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
  http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
  http://www.planetmirror.com/pub/risks/
  ftp://ftp.planetmirror.com/pub/risks/

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
  http://www.csl.sri.com/illustrative.html for browsing,
  http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.74
************************