precedence: bulk
Subject: Risks Digest 21.81

RISKS-LIST: Risks-Forum Digest  Friday 7 December 2001  Volume 21 : Issue 81

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

Contents:
Trader's error causes multi million-dollar loss (George C. Kaplan)
Security hole at WorldCom left internal computer networks at risk (PGN)
Judge ordered hack of Interior Department trust fund system (James H. Paul)
NatWest bank turns debits into credits (Bob Buxton)
Cops get speeding tickets from cameras (Monty Solomon)
Gwinnett County GA keeps prison inmates list online (Nick Brown)
"Late-night" Internet-porno-ban (Debora Weber-Wulff)
Optimizations at kiosks can be costly (Seth Arnold)
Grocery self-checkout risks (Scott Nicol)
Swedish police reportedly doctor video evidence, admit it (Jerry via Declan McCullagh, Ulf Lindqvist)
E-voting and international law (Lucas B. Kruijswijk)
Re: "Light turnout" for election (Andrew Fleisher)
Re: Connecticut AG website wants Microsoft ... (Roland Roberts, Nathan Sidwell)
Re: PLEASE REMOVE me from the CAL database (RootsWeb HelpDesk)
Re: REVIEW: "Hackers Beware", Eric Cole (Mark Brader)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 04 Dec 2001 08:19:18 -0800
From: "George C. Kaplan"
Subject: Trader's error causes multi million-dollar loss

An article in the *Wall Street Journal* on 3 Dec 2001 describes how a simple data-entry error could end up costing UBS Warburg up to $100 million:

Dentsu Inc., one of the world's biggest advertising companies, was making its trading debut Friday on the Tokyo Stock Exchange after completing one of the year's biggest initial public offerings -- a deal arranged by UBS Warburg, a unit of Switzerland's UBS AG, ...

Before the Tokyo market opened Friday, a UBS Warburg trader entered what was intended to be an order to sell 16 Dentsu shares at 610,000 yen ($4,924.53) each or above. Instead, the trader keyed in an order to sell 610,000 Dentsu shares at 16 yen apiece ...

The order was canceled by 9:02 AM, but not before 64,915 shares, almost half of the 135,000 shares in the IPO, had been sold. The price of Dentsu shares, which had been bid up to 600,00 yen before the market opened, fell to 405,000 yen.

Now, UBS Warburg is obligated to deliver the shares it sold, and will have to buy them on the open market.

The article doesn't say anything about sanity checks in UBS's trading software. These have their own risks, of course, but you'd think that an error of 4 orders of magnitude in the selling price would at least merit an "Are you sure?" before the order went through.

Once again, we see how computers let people make really big mistakes quickly.

George C. Kaplan. Communication & Network Services, University of California at Berkeley 1-510-643-0496 gckaplan@ack.berkeley.edu

------------------------------

Date: Thu, 6 Dec 2001 10:16:14 PST
From: "Peter G. Neumann"
Subject: Security hole at WorldCom left internal computer networks at risk

A security hole at WorldCom Inc. left internal networks at several of the nation's top companies (e.g., AOL Time Warner, Bank of America, CitiCorp, News Corp., JP Morgan, McDonald's Corp., Sun Microsystems) open to hackers.
Adrian Lamo, a consultant in San Francisco, worked with WorldCom to fix the months-old problem over the weekend. There is no evidence that the security hole had been exploited, although it was possible to reconfigure or shut down corporate networks. Lamo: ``These networks were never designed to be connected to the Internet. They were private circuits running between locations.'' [Source: eponymous AP item, 05 Dec 2001, PGN-ed]
http://www.siliconvalley.com/docs/news/tech/080991.htm

------------------------------

Date: Wed, 05 Dec 2001 15:17:56 -0500
From: "James H. Paul"
Subject: Judge ordered hack of Interior Department trust fund system

In an extraordinary step approved by a federal judge, a computer expert hacked his way into a government-run, Denver-based financial system last summer, created a false account and later altered yet another account. All this happened without the hacker being detected.

Those steps, endorsed by U.S. District Judge Royce C. Lamberth in advance, were revealed Tuesday as part of a court case involving the Interior Department's handling of more than 300,000 trust accounts it is supposed to manage for American Indians. A court-appointed master said the ease with which the government's computer system could be penetrated was "deplorable and inexcusable." In a report ordered released by Lamberth, the special master, Alan Balaran, called on the judge to seize control of the system.

[Source: Court-appointed hacker altered Indian accounts, by Bill McAllister, *Denver Post* Washington Bureau Chief, 5 Dec 2001 (http://www.denverpost.com/Stories/0,1002,53%257E254976,00.html); PGN-ed]

[The DoI Web site is now OFF THE NET. PGN]

------------------------------

Date: Mon, 03 Dec 2001 11:35:36 +0000
From: Bob Buxton
Subject: NatWest bank turns debits into credits

NatWest Bank (UK) online banking service offers the ability to download bank statement information into Quicken and Microsoft Money on your PC and until recently this worked correctly.
Previously you could choose to download all of your transactions from multiple accounts in a single download, now you have to download each account separately which takes much longer - especially since when using Netscape it forces you to go through the long winded logon procedure each time.

But the real problem is that the information that you download into Quicken or Microsoft Money in the .OFX file format is plain wrong. It shows standing orders out of my account as credits into the account! This of course results in the account balance appearing to be much higher than it should be and as a result I went overdrawn before I realized what was going on.

The NatWest help desk acknowledge that this is a known problem but don't know when the problem will be fixed and have done nothing to warn customers or disable the function from the web site.

------------------------------

Date: Sat, 1 Dec 2001 16:10:41 -0500
From: Monty Solomon
Subject: Cops get speeding tickets from cameras

Cops get speeding tickets from cameras
By Brian DeBose, *The Washington Times*, 1 Dec 2001

Some D.C. police officers say they are slowing their response to emergencies because photo-radar cameras are ticketing them for speeding on Code One calls, and they are being forced to pay the fines.

At least three D.C. police officers told The Washington Times they were caught by the cameras and ticketed while on official police business. They said they and other officers have been forced to pay the fines, and are now on edge about speeding to a crime scene and running red lights in emergencies. Like area motorists, they have little chance of getting a reprieve from the D.C. Bureau of Traffic Adjudication without evidence to present in their defense. ...

Some officers have paid so many tickets that they are no longer speeding or running red lights to get to their dispatched calls even in emergency situations, Sgt. Neill said. ...
http://www.washtimes.com/metro/20011129-13345237.htm

------------------------------

Date: Thu, 6 Dec 2001 13:48:45 +0100
From: Nick Brown
Subject: Gwinnett County GA keeps prison inmates list online

As reported at the excellent www.cruel.com:

Wondering what happened to that acquaintance from Gwinnett County, Georgia, from whom you haven't heard in a while? Try http://www.gwinnettcountysheriff.com/Docket%20Book.htm.

The RISKs are many and varied, but to get you started, click on the link to see the list of charges against any inmate, at the end of which you find:

  "If you have reason to believe this information is inaccurate, you may submit a request for review to:
  Gwinnett County Sheriff's Department
  Records Section
  2900 University Parkway
  Lawrenceville, Georgia 20043"

No indication is given of how long it takes between one's (postal) application to have incorrect details removed, and the update to the Web site, but presumably the interval can be reduced if your lawyer can spell "defamation".

------------------------------

Date: Wed, 05 Dec 2001 15:02:30 +0100
From: Debora Weber-Wulff
Subject: "Late-night" Internet-porno-ban

German officials are apparently attempting to prove that the PISA results (Germany is pretty much at the bottom of the pack in regards to education world-wide) are true and anyone, no matter how ignorant, can be a politician in Germany:

The German Federal Government and the State governments have agreed to new measures for protecting youth from pornography on the Internet: according to the "Financial Times Deutschland" (http://www.ftd.de/pw/de/FTDPRAR3MUC.html) all such content is banned from 11 p.m. until 6 a.m.

No, this is not April Fools' Day. Really. The German government seems to think that when it is 11 p.m. in Germany, it is 11 p.m. everywhere else. And that all those XXX folks on the Internet will happily turn off the sleaze during the German day when the kiddies are awake.

This has of course caused an uproar amongst those in the know.
Spiegel-on-line wrote an open letter to the guy in charge of publishing this nonsense, Frank-Walter Steinmeier
http://www.spiegel.de/netzwelt/politik/0,1518,170361,00.html
[The sarcastic wit in the letter may not make it through Babelfish intact, but it is quite funny]

What a sorry state of affairs. The risks posed by ignorant politicians may yet be far more dangerous than the odd virus and software mistake.....

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, Treskowallee 8, 10313 Berlin
+49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/

------------------------------

Date: Tue, 27 Nov 2001 18:28:30 -0800
From: Seth Arnold
Subject: Optimizations at kiosks can be costly

Like Richard Akerman and Geoffrey Brent, an automated vending machine's failure mode caught me by surprise. However, what I interpreted as a failure mode may just be an optimization:

When purchasing a bus pass from an automated credit-card kiosk, I was informed "Authorization Denied" after selecting the pass I wanted, so I took my card and walked away. A kind soul ran up to me, handing me my receipt. An unkind soul didn't bother to hand me my bus pass.

As far as I can figure, the Authorization Denied screen was probably the last screen displayed on an off-screen buffer -- upon switching the display to the previously off-screen buffer, the machine did not clear the old screen. I imagine had I waited two more seconds, the machine would have informed me of the successful transaction.

While I can think of several technological solutions to this problem, I decided to do something more pragmatic: purchase my bus tickets from the human-operated vending station a few blocks away.

(And yes, several phone calls and two days later, my money was refunded to my card.)

------------------------------

Date: Thu, 06 Dec 2001 00:37:22 -0500
From: Scott Nicol
Subject: Grocery self-checkout risks

This past summer, two major grocery store chains in my city installed self-checkout lines.
They are arranged in groups of four, with one cashier station supervising the group. Credit-card purchases can be signed for at the self-check line (electronic pad), but sometimes the line's register will prompt you to go to the cashier's station to finish your transaction. In other words, credit-card transactions for 4 different stations are handled at one register.

On my August credit-card statement, I noticed two charges on the same day in the same store. To make a long story short, the charge was finally reversed today. The "extra" charge was for the checkout line adjacent to the one I used, and was completed before my checkout was complete (it showed up first). The head cashier volunteered today that she had dealt with one other customer who had the same thing happen.

The only strange thing about the checkout was that, at the end of the transaction, I was prompted to swipe my card twice, then prompted to go to the cashier station to sign the receipt. Swiping a card twice isn't unusual - credit cards and credit-card readers aren't perfect. Having 4 different card readers connect to one cash register is. I assume, in this case, the system assigned the first swipe to the order from the adjacent line, and the second swipe to my order.

Scott Nicol

------------------------------

Date: Sat, 01 Dec 2001 19:07:13 -0500
From: Declan McCullagh
Subject: Swedish police reportedly doctor video evidence, admit it

Date: Sun, 2 Dec 2001 01:19:37 +0100
>From: jerry@xs4all.nl
To:
Subject: Swedish police files complaint against themselves

interesting article re Video Evidence in Belgian newspaper;
http://www.standaard.be/nieuws/buitenland/index.asp?doctype=detail.asp&ArticleID=DST01122001_034 (in Dutch)
re. http://www.svt.se/granskning/reportage.asp?S=744&A=744 (Swedish)

quick translation;

Swedish police filed a complaint against themselves after a Swedish TV show revealed that police used manipulated video footage as evidence.
The TV show Uppdrag Granskning [http://www.svt.se/granskning/] compared its own footage with the evidence used by the attorney general. The comparison shows that images were swapped, sound was edited, and police brutality cut out. Scenes where 19 year old Hannes Westberg gets shot in the belly have been tampered with.

PS. The complaint is about copyrights and abuse of power.

Jerry

POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/

------------------------------

Date: Sun, 2 Dec 2001 21:38:01 -0800 (PST)
From: Ulf Lindqvist
Subject: Swedish police reportedly doctor video evidence, admit it

This is in agreement with what I have read in Swedish media. What is missing here is that the prosecutor's office has repeatedly tried to obtain raw film footage from TV stations, presumably to compare with the police videos, but they refused and the Supreme Court agreed with the media.

Out of context, it sounds pretty nasty that a teenager was shot by police, but it is apparently proven that he was hurling 4x4x4 inch solid cubic pavement stones at an officer who was already badly wounded from previous stones, bleeding and semiconscious. The police, relatively inexperienced with riots, were armed with nightsticks and pistols only, nothing "in between" such as water cannons, teargas/pepper spray or rubber bullets.

------------------------------

Date: Mon, 3 Dec 2001 00:18:25 +0100
From: "Lucas B. Kruijswijk"
Subject: E-voting and international law

Many articles were posted about the risks of computers with elections. I wondered to which extent the national Constitutions and International Law protects the election process and reduces the risks.
After some research I made the conclusion that some kinds of voting are indeed violating International Law. This means that there is a risk that a judge may forbid some kind of voting methods, making the investment worthless. I also asked my government (the Dutch government) to react on the issues which led to remarkable responses.

The Dutch government is investigating the possibilities of two new ways of voting. Voting at home with the use of the Internet and voting with a "voting pillar". The voting pillars can be placed in public areas. There are no officials nearby and the pillar is controlled remotely. The voter has to identify itself with an electronic card with biometric information (iris recognition).

Both ways of voting can not ensure that the voter is alone when he/she casts his/her vote. There are no technical solutions known that prevent that couples vote together at home. It might be possible to ensure this for a voting pillar, but with the different body sizes this is certainly not trivial.

These limitations conflict with International Law. First of all, there is article 21.3 of the Universal Declaration of Human Rights:

  "The will of the people shall be the basis of the authority of government; this shall be expressed in periodic and genuine elections which shall be by universal and equal suffrage and shall be held by secret vote or by equivalent free voting procedures."

But more precise and more important is article 25.b of the International Covenant on Civil and Political Rights:

  "To vote and to be elected at genuine periodic elections which shall be by universal and equal suffrage and shall be held by secret ballot, guaranteeing the free expression of the will of the electors."

When I read this article I conclude that the primary concern is the "free expression of the will". However, the only legal way to achieve this is by "secret ballot".
So, if a government chooses a voting method where there is no indication that the free expression of will is compromised but where the vote is not secret, then this method is still not allowed to be used (obviously the reason for this is that it is very hard to determine whether a will is free or not).

The interpretation of "secret ballot" is now very important. Note that the word 'ballot' refers to "voting balls" and not to the vote itself. There is a risk in translating this into another language, because a literal translation of 'ballot' might not exist. In such case a translation from "secret paper" is maybe better than a translation from "secret vote".

According to the New Shorter Oxford Dictionary, the words "secret ballot" means "in which votes are cast in secret". So, the circumstances in which the vote is cast are important. If someone tells his/her vote afterwards, it is still a secret ballot (because the vote was *cast* in secret), but if two persons vote together with their personal computer, then it is not a secret ballot.

This does not necessarily imply that voting at home or with voting pillars are violating the Covenant. First of all if the voter is in such situation that there is no realistic possibility to ensure that he/she casts his/her vote in secret (for instance when he/she is abroad), then of course the right to vote is more important than the secrecy of the vote. Second, the article in the Covenant does not specify the responsibilities of the States. You may argue that the secrecy of the vote is also the responsibility of the voter to some extent.

The Human Rights Committee made comments on this article. The Committee is allowed to make such comments under article 40 of the same Covenant. If a State did also sign the first optional protocols, then individuals (and they are admissible in this case) can ask the Committee for a judgment when domestic remedies are exhausted. So, the Committee is the highest court.
On paragraph 20 of the comments, the Committee says:

  "States should take measures to guarantee the requirement of the secrecy of the vote during elections including absentee voting, where such a system exists."

The States are not fully responsible for the secrecy, but they are obliged to make effort to ensure the secrecy.

In my opinion the "voting pillars" violate the Covenant. The government can give the same service to the voter and ensuring the secrecy. It just adds a supervising official to the voting pillar. So, the government is not fulfilling its obligation of making this effort.

Voting at home via the Internet, is allowed for those people that live in remote areas or abroad. However, a judge might forbid it for people that live in urban areas where polling stations are not a practical problem.

A judge is probably more willing to listen when it is realized that voting via the Internet will finally lead to the elimination of polling stations. In the Netherlands the introduction of voting machines led to a 10% reduction of polling stations, because of the expensive voting machines and budgets policies of the local governments (according to documents of the national government). When voting at home is possible, then less people will go to the polling stations, which result that polling stations are closed, which will result that more people will vote at home etc.

I have requested 'Het Ministerie van Binnenlandse Zaken en Koninkrijksrelaties' (the Ministry of the Interior or Home Department), to react on the matter of the Constitution and International Law in relation with the new ways of voting.

The Ministry responded that the responsibility of the State for the secrecy of the vote is "facilitating". So, according to this principle the State is not responsible in any way to ensure that the votes are cast in secret; it should only guarantee that the voters have the possibility to vote in secret.

I think the Ministry is in error on this point.
First of all, if that would be the case, then the Covenant should say something like "one has the right to vote in secret", but that are not the words of the Covenant. Second, it would mean that it is allowed to give the voter the option to make his/her vote with his/her name public on the Internet (the voter has still the possibility to vote in secret). I think one does not consider this as a proper way of voting.

In a new letter I explicitly asked the Ministry to react on the text of the Human Rights Committee. I also pointed on the inaccuracy of the Dutch translation on the words "secret ballot". Since I wrote this letter recently, I did not have a response yet.

Despite the fact that serious questions can be raised about the compatibility of the new voting methods with national Constitutions and International Law, the Ministry does not mention these in the official documents at all. I hope they do a better job with security.

Lucas B. Kruijswijk

------------------------------

Date: Mon, 03 Dec 2001 14:09:35 +1000
From: Andrew Fleisher
Subject: Re: "Light turnout" for election (Rhodes, RISKS-21.80)

[With respect to] power/phone outages and online voting, what about the case where there is localised damage to power or phone systems preventing people from using online voting systems in significant elections which are close? It makes the recent Florida debacle during the Presidential election seem simple.

------------------------------

Date: 03 Dec 2001 12:28:57 -0500
From: Roland Roberts
Subject: Re: Connecticut AG website wants Microsoft ... (Ravin, RISKS-21.80)

I took a look at this with both Netscape 4.77 and Mozilla 0.95 (both on Linux) and it displayed fine. The only "functionality" provided by Javascript appears to be a pop-up that tells me the site is best viewed at 800x600 or 1024x768.

I think the real issue here is general stupidity: turning a "nice" feature (the pop-up about resolution) into an absolute requirement.

Roland B. Roberts, PhD, RL Enterprises, 76-15 113th Street, Apt 3B Forest Hills, NY 11375
roland@rlenter.com roland@astrofoto.org

------------------------------

Date: Mon, 03 Dec 2001 11:13:35 +0000
From: Nathan Sidwell
Subject: Re: Connecticut AG website wants Microsoft ... (Ravin, RISKS-21.80)

I've noticed more and more of this kind of brokenness over the last 12 months. (This is with Netscape on Solaris or Linux.)

1) An Internet bank (which no longer has my custom), broke the 'print' capability of all but IE. And then failed to understand that (a) the Web != Microsoft, and (b) a standalone machine would not be connected to the web.

2) A credit-card company had the same problem. It used to work, but back in May it broke. I reported the problem and nothing has happened since then.

3) Many Flash sites claim I have not got flash enabled. One of these has enough smarts to say something like 'You don't appear to have Flash, go to get it or go to continue, if you know our check bombed out'

Dr Nathan Sidwell :: Computer Science Department :: Bristol University
nathan@acm.org http://www.cs.bris.ac.uk/~nathan/ nathan@cs.bris.ac.uk

------------------------------

Date: Sat, 1 Dec 2001 13:35:12 -0700
From: RootsWeb HelpDesk
Subject: Re: PLEASE REMOVE me from the CAL database (RootsWeb, RISKS-21.80)

[This was the reply many of us received in response to requests to be removed from the RootsWeb database noted in RISKS-21.80. Apparently quite a few RISKS readers made such requests! PGN]

A response to your Help Desk message, "PLEASE REMOVE me from the CAL database," of Saturday, 1 December 2001, at 12:52 p.m. follows [...]:

As some states have passed laws to make their records publicly available, many of these records have been made searchable on RootsWeb.com for genealogical purposes. This data is a great asset to many individuals doing family history research.
In addition to our goal to provide outstanding genealogical resources to our users, MyFamily.com is very committed to the privacy of those using our services, whether on MyFamily.com, Ancestry.com or RootsWeb.com. For this reason we have removed the CA and TX birth records from our site.

------------------------------

Date: Sat, 1 Dec 2001 20:57:46 +0000 (UTC)
From: msb@vex.net (Mark Brader)
Subject: Re: REVIEW: "Hackers Beware", Eric Cole (Slade, Risks-21.80)

> %T "Hackers Beware: Defending Your Network from the Wiley Hacker"
> ... within [the first] six sentences, misspells the word "brakes."

It would be still more impressive if the title was misspelled [Wiley] as shown above. Or was that one the reviewer's error, perhaps induced by familiarity with books published by Wiley?

Mark Brader, Toronto, msb@vex.net

[Note: It is actually wrong [Wiley, and not too wily!] on the cover page as shown on the Wiley Web site:
http://images.amazon.com/images/P/0735710090.01.LZZZZZZZ.jpg
The Wiley Coyote Editor must have been working overtime. PGN]

------------------------------

Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com . [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch.
   INFO [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
 .MIL users should contact (Dennis Rears).
 .UK users should contact .
=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.com login anonymous [YourNetAddress] cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 http://www.csl.sri.com/illustrative.html for browsing,
 http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.81
************************