precedence: bulk
Subject: Risks Digest 22.18

RISKS-LIST: Risks-Forum Digest  Saturday 27 July 2002  Volume 22 : Issue 18

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks .

Contents:
Gridlock as 800 London traffic lights seize (Adrian Lightly)
Nasdaq glitch hits stocks starting with 'M' or 'N' (Joan Lee Brewer)
Princeton admissions office caught breaking into Yale computers (Steve Klein)
Warchalking the Networks (Chris Leeson)
Handspring hands out names and springs out numbers (Monty Solomon)
Risks from cyberterrorism (NewsScan)
American style cyber warfare: what are the risks? (Hendrik)
No more JPEGs - ISO to withdraw image standard (Monty Solomon)
Reinventing read-only disks (Jeremy Epstein)
Possible day-of-week error - Zeller (John Stockton)
Finger-printing children in schools, without parental involvement (Peter Houppermans)
Apple OSX and iDisk and Mail.app (Randal L. Schwartz)
Re: Listen to TCAS, not the controller! (Bob Morrell)
Re: E-mail content filtering ... (Anthony W. Youngman, Nick Brown, Marc Horowitz, Robert Woodhead)
Re: Uselessness of "Dirty word" filters (J.D. Abolins, Danny Lawrence)
news@sei interactive--Second quarter 2002 issue available (Hollen Barmer)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 25 Jul 2002 09:55:35 +0100
From: Adrian Lightly
Subject: Gridlock as 800 London traffic lights seize

Central London was brought to a standstill in the rush hour today when 800 sets of traffic lights failed at the same time -- in effect locking signals on red.
http://www.thisislondon.com/dynamic/news/top_story.html?in_review_id=649242&in_review_text_id=620267

Oops. I liked this bit: "The worst gridlock the capital has seen for years was caused by a computer which crashed as engineers installed software designed to give pedestrians longer to cross the roads."

So, in essence, that worked perfectly. Testing complete.

  [Are you longing to cross the road on red? PGN]

------------------------------

Date: Wed, 24 Jul 2002 11:57:51 -0700
From: "Joan Lee Brewer -- CSE"
Subject: Nasdaq glitch hits stocks starting with 'M' or 'N'

Six days before it is set to launch a new trading platform, the Nasdaq Stock Market experienced a glitch as its systems accidentally rebroadcast the day's data for stocks beginning with the letters 'M' and 'N'. That resulted in daily volumes figures appearing much higher than they actually were for the affected stocks [with Microsoft, Nextel, and Novellus being listed among the top 10 movers]. [PGN-ed from Reuters item, 23 Jul 2002]
http://news.moneycentral.msn.com/ticker/article.asp?Feed=RTR&Date=20020723&ID=1802531&Symbol=US:MSFT

------------------------------

Date: Fri, 26 Jul 2002 15:51:26 -0400
From: Steve Klein
Subject: Princeton admissions office caught breaking into Yale computers

The 26 Jul 2002 issue of the *Wall Street Journal* carried an article by Charles Forelle detailing how the Princeton admissions office was caught "accessing confidential Internet records to see whether its rival had admitted or rejected students who had applied to both schools." Princeton suspended, with pay, associate dean and director of admissions Stephen LeMenager, pending an investigation of the incident.

"Princeton was able to use the publicly available Yale.edu1 Web site to get the confidential admissions data because it had the students' passwords -- the names, Social Security numbers and dates of birth they had provided on their Princeton applications."

After hearing rumors about Princeton accessing their site, Yale officials reviewed access logs for the site and discovered that computers using IP addresses belonging to Princeton had accessed the site. Yale contacted the students to ask if they had used computers near Princeton to check their accounts. No one said yes. The IP addresses were traced to the Princeton admissions office.

"Lauren Weinstein, the founder of the Privacy Forum, an electronic-rights group, said Princeton's actions were clearly wrong, but Yale's site should not have relied on Social Security numbers and birth dates, which can sometimes be retrieved from public records, to secure the data."

Excerpted and paraphrased from the Wall Street Journal article found here: (subscription required)

Steve Klein  1-248-YOUR-MAC-EXPERT (248-968-7622)

------------------------------

Date: Fri, 26 Jul 2002 09:47:00 +0100
From: "LEESON, Chris"
Subject: Warchalking the Networks

The 26 Jul 2002 *Metro* notes the appearance of strange chalk patterns on the streets of London. These consist of two semicircles, a circle, or a circumscribed W, with some numbers added.

"Far from being the work of aliens, they have been created by something even more sinister - computer geeks."

The symbols are the creation of one Matt Jones (a "British Internet expert"), and denote places where wireless connections to the Internet can be accessed. From what I can make out from the article the two semi-circles indicate an unsecured network, the circle indicates a closed network and the circumscribed W indicates secured network. The recording of this information is called "Warchalking".

Businesses claim that this is a major risk to security.
That may be so - it is certainly not a good advertisement for the Business in question (the real threat to security is the Business that has not taken care to secure its wireless network).

OK, not a new risk (Wireless LANs go back at least as far as Risks 10.83), but a more visible incarnation of an existing one.

------------------------------

Date: Fri, 26 Jul 2002 16:49:27 -0400
From: Monty Solomon
Subject: Handspring hands out names and springs out numbers

Customers received two surprises from Handspring this week: an e-mail announcing the delay of the Treo handheld Treo 90 and Treo 270 (because of faulty screen parts), and customer names, e-mail addresses and phone numbers of other Treo customers. Handspring confirmed that its customer service department inadvertently attached a spreadsheet with customer information to an e-mail sent to about 250 people who placed Treo orders in recent days. [Source: Richard Shim, CNET News.com, 26 Jul 2002, retitled and PGN-ed]
http://news.com.com/2100-1040-946624.html

------------------------------

Date: Thu, 25 Jul 2002 08:56:19 -0700
From: "NewsScan"
Subject: Risks from cyberterrorism

Cybersecurity experts are busy lobbying Congress for protections from liability lawsuits but some analysts say the media may be over-stating the risks from terrorist cyber attacks. Marc Maiffret of eEye Digital Security says, "Terrorists are only recently starting to realize the benefits of having people within their organizations that have real hacking skills," and University of South California professor of communications Douglas Thomas adds: "Cyber-terrorism is a lot more difficult than many people assume." Even so, security expert Stanley Jarocki warns that terrorists could do a lot of damage by cracking U.S. corporate systems: "Today, some say it would be easier for a terrorist to attack a dam by hacking into its command-and-control computer network than it would be to obtain and deliver the tons of explosives needed to blow it up.
Even more frightening, such destruction can be launched remotely, either from the safety of the terrorist's living room, or their hideout cave." [AP/USA Today 24 Jul 2002; NewsScan Daily, 25 July 2002]
http://www.usatoday.com/tech/news/computersecurity/2002-07-24-cybersecurity-protection_x.htm

------------------------------

Date: Sat, 27 Jul 2002 17:19:11 +0900
From: Hendrik
Subject: American style cyber warfare: what are the risks?

According to CNET News.com, US Reps. Howard Berman, D-Calif., and Howard Coble, R-N.C., are planning to introduce a bill "that would permit copyright holders to perform nearly unchecked electronic hacking if they have a 'reasonable basis' to believe that piracy is taking place."
http://news.com.com/2104-1023-945923.html

I had already gotten a feeling of indigestion after researching the "palladium" issue, and now words are failing me - so may I ask the experts in this forum to share some of their insights about the proposed cyber warfare legislation and associated risks?

------------------------------

Date: Tue, 23 Jul 2002 20:13:59 -0400
From: Monty Solomon
Subject: No more JPEGs - ISO to withdraw image standard

The ISO standards body will take the unprecedented step of withdrawing the JPEG image format as a formal standard if Forgent Networks, a small Texan company, continues to demand royalties on a seventeen-year old patent. According to Richard Clark, JPEG committee member and JPEG.org webmaster, Forgent's royalty grab -- coming after two decades of royalty-free use -- means that ISO is obliged to withdraw the specification.
[Source: Andrew Orlowski, *The Register*, 23 Jul 2002]
http://theregister.co.uk/content/4/26339.html

------------------------------

Date: Thu, 25 Jul 2002 16:00:34 -0400
From: "Jeremy Epstein"
Subject: Reinventing read-only disks

In the days when disk drives were expensive and the size of washing machines, they usually had a "read only" physical switch. Flip the switch, and no matter what the software did, it couldn't write to the disk, because the write circuitry was disabled.

Fast forward twenty years, where Scarabs Corp just introduced a disk drive with two heads and two cables. One cable is connected to a head (or more likely, a set of heads) that can read the disk and the other cable to an administrative computer that can both read and write the disk. Even if a hacker is successful at breaking into a system, they can't deface the web site.

Too bad we don't have those old fashioned switches.... with the exception that you couldn't simultaneously have one machine updating and another in read-only mode, it's pretty much the same deal. Of course, none of these solutions are any good for web sites that need to update information on the fly (e.g., to put an order into a database).

Details at http://computerworld.com/securitytopics/security/story/0,10801,72943,00.html

------------------------------

Date: Wed, 24 Jul 2002 18:37:22 +0100
From: John Stockton
Subject: Possible day-of-week error - Zeller

Algorithms for determining the day-of-week from year-month-day - whether or not truly Zeller's - can, for certain dates, compute a negative number mod 7, which does not yield the desired result. Zeller himself dealt with this.

Tests using "current" dates in the later 1900's would not have seen this problem. A good test date is 2001-03-01 (1st March 2001); the algorithm can easily be run manually.

The problem has been seen, for example, in C code in an Internet draft. Those whose systems do suitable run-time checking may already have discovered the problem.
John Stockton, Surrey, UK.  http://www.merlyn.demon.co.uk/programs/
Dates: miscdate.htm moredate.htm js-dates.htm pas-time.htm critdate.htm etc.

------------------------------

Date: Mon, 22 Jul 2002 16:37:58 +0100
From: Peter Houppermans
Subject: Finger-printing children in schools, without parental involvement

[Note the return of an old favourite: "People who have nothing to hide - why would they worry?" PH]

Row over finger-printing in schools
Source: http://news.bbc.co.uk/hi/english/education/newsid_2144000/2144188.stm

Tens of thousands of children are being finger-printed in school -- often without the consent of their parents, a human rights group has complained. Prints are taken for a library lending system which the makers say makes lending more efficient and less vulnerable to abuse. But the pressure group Privacy International says the practice is illegal and breaches the human right to privacy.

[Dangerous]

One of the makers of the technology, Micro Librarian Systems (MLS), say they have sold about 1,000 systems to schools in the UK and abroad. Simon Davies, of the campaign group Privacy International says the practice is "dangerous, illegal and unnecessary". He says the use of the technology should be banned in schools. "It dehumanizes our children and degrades their human rights," he said. "Such a process has the effect of softening children up for such initiatives as ID cards and DNA testing. It's clearly a case of 'get them while they're young'. They are seen as a soft target for this technology".

[Encrypted]

The group says it has been contacted by parents who are angry that they have not been asked to give their consent for the finger-printing. Manufacturers MLS say it would be very difficult for a third party to access the prints and make use of them. The company's technology director Stephen Phillips said: "The system does not store the actual finger-print, but a map of it which takes in the print's key features.

"The image is then compressed and encrypted, so it would take a lot of effort to use it.

"People who have nothing to hide - why would they worry?"

Mr Phillips said the company advised schools to consult or inform parents before they used the technology. He said only two parents had complained about the use of the technology to the company. Privacy International says it expects there to be legal challenges to the use of the technology in schools.

  [Also commented on by Gary Barnes. PGN]

------------------------------

Date: 24 Jul 2002 09:10:59 -0700
From: Randal L. Schwartz
Subject: Apple OSX and iDisk and Mail.app

(From Bugtraq, submitted to RISKS by Monty Solomon)
(http://online.securityfocus.com/archive/1/284087)

The password for an Apple iDisk is sent via HTTPS/WebDAV. However, if you configure OSX with an iDisk password, the same password is copied to the Mail.app configuration (which might not have been previously configured). Clicking on a "mailto" link fires up Mail.app, which then connects to mac.com which *does not* support any method of encrypted password transmission.

Net effect: your iDisk password is transmitted in the clear without your awareness, albeit as a mail password.

Problems:
- mac.com SMTP doesn't support encrypted passwords
- mac.com's mail password is *always* identical to iDisk password
- OSX's "do what I mean" friendliness saves passwords without knowledge

------------------------------

Date: Thu, 25 Jul 2002 09:05:20 -0400
From: "Bob Morrell"
Subject: Re: Listen to TCAS, not the controller! (RISKS-22.15)

RISKS has for many years now provided us with commentary and insight into the problems that result from trusting computers too much. I think more comment is due on the collision of a cargo plane and a Russian airliner, which could have been prevented if the Russian Pilot had trusted the computerized collision avoidance system (TCAS) rather than the human air controller. Marty Solomon noted the event in RISKS-22.15.
There are several reported aspects of this event that deserve some thought.

Every non-pilot (and several private aircraft pilots who do not use TCAS) that I have spoken to, without exception, say they would have trusted the human air controller rather than the computer, this despite the fact that the human was miles away, using a remote sensing device and managing other problems. The TCAS, on the other hand, was right on the scene, directly communicating with the other plane's TCAS. The Hollywood portrayal of 'infallible' machines, and perhaps daily experience with modern PC's clearly has downgraded the public trust in automated devices.

Western pilots, it was reported (NPR I believe), are trained to trust the TCAS over the human controller, Russian aviators the reverse, so it appears that the pilot was following his training, rather than deciding on the spur of the moment who to believe. Russian trainers are no doubt rethinking this policy. It would be interesting to learn the historical source for this difference in training.

As with almost all major aviation disasters, multiple mistakes led to this crash. The decision to ignore the TCAS was the last in a series, and if the reports on the Russian training are correct, was not, technically speaking, a mistake on the pilot's part, however horrific the results.

The RISK of blind, unthinking MIStrust of computers, we now see, can be as great as the risk of blind trust. An educated understanding of the computerized systems that we use is essential. Public perception is, in my opinion, too monolithic. TCAS is a highly tested system with a flawless record; it cannot be compared to the computer program that calculates my power bill.

Bob Morrell, Cancer Center, http://home.triad.rr.com/bmorrell/

------------------------------

Date: Thu, 25 Jul 2002 13:09:10 +0100
From: "Anthony W. Youngman"
Subject: Re: E-mail content filtering ...
(Miller, RISKS-22.16)

As I understand it, the main purposes of the filters is to control the amount of unsolicited (usually commercial) bulk e-mail a.k.a. spam. I've seen reports that UBE is a significant contributor to network infrastructure costs, which accrue to the recipient, not the sender. The filters do seem to be having some positive (from the recipient's point of view) impact on the spam problem.

Something else to watch out for is legality ...

Certainly in the UK I do not know of any ISP that filters incoming mail. There may be some, but none of the big boys (BT, Demon, Freeserve that I know of) do. To do so without the explicit knowledge of their customers would almost certainly lay them open to charges of censorship, of unlawfully tapping and tampering with communications, etc etc.

Many ISPs do filter outgoing mail though. I know Pipex scan everything going out via their servers, as does (I believe) Freeserve. Freeserve go even further, forcing all outgoing SMTP through their mail proxies, which have sophisticated anti-spam checks.

They can get away with scanning outgoing mail because of AUPs and customer contracts, but scanning incoming mail would be legally very dangerous.

Cheers, Wol

------------------------------

Date: Thu, 25 Jul 2002 18:35:24 +0200
From: BROWN Nick
Subject: Re: E-mail content filtering ... (Miller, RISKS-22.16)

IMHO, the problem stems (as usual!) from bad management, and to a lesser degree, to incompetent sysadmins (hired by the same bad managers).

What typically happens is that a bunch of users (say, not-very-computer-literate bosses - think Dilbert's pointy-haired boss) receive spam which they deem offensive (say, females receiving invitations to p*rn sites, or males insulted by the suggestion that they need V*agra or other below-the-waist "enhancements"), and demand that "something must be done".
Now in a 33.6K modem environment, spam is a waste of download time, but on a corporate LAN when mails are brought to your desk in real time, it really isn't much effort to click "delete", and after a few dozen, one can recognise 99% of spam from the title... if one cares to make the effort (not always a hallmark of the "PHB").

So, the PHB storms off to the IS department with cries of "stop this cr*p from getting through". Now, either the IS people are clued up - in which case they might or might not try to dissuade the PHB, depending on whether their previous experiences in the corporate culture lead them to believe that this is likely to be fruitful - or, in many cases, they aren't. Either way, it's likely that they will implement e-mail filtering with "a product", usually "the market leader", which in turn got to be that way by making the biggest and most far-fetched claims, while spending the minimum on R&D to actually get that way. Many of us have already been down exactly the same road with Web content filtering.

Most RISKs readers will, of course, be horrified by the idea that a spam filter could unintentionally block even a tiny percentage of non-spam mail. But I suspect that for the average PHB, not getting quite as many [genuine] e-mails as s/he currently does, might not be a bad thing. Less time spent typing (ugh!) and working out how blind copy works, etc. If they do get shouted at for not answering an important mail, well, they can blame IS!

------------------------------

Date: 24 Jul 2002 19:13:34 -0400
From: Marc Horowitz
Subject: Re: E-mail content filtering ... (Bourguignon, R-22.17)

> * Just PGP signing an e-mail is enough to ensure that the e-mail content is
> not altered without notice.

This is true. However, if it is altered, recovering the content of the original message may be difficult if you don't know what the filter did. One can argue this is a feature, as the recipient cannot misunderstand what he cannot decode or decrypt.

>> * Just PGP encrypting is enough to ensure that the e-mail content
>> cannot be filtered.

This is not true, and ignores the point of Bill Gunshannon's original post. It is nearly guaranteed that PGP's base64 encoding will contain words which may cause the e-mail to be modified or dropped. Your dirty jokes may get through, but your lunch plans with your mother may not. Of course, the presence of such words in the encoded ciphertext is completely uncorrelated to the presence of such words in the plaintext, but explaining this to your PHB is up to you.

------------------------------

Date: Thu, 25 Jul 2002 19:56:56 -0400
From: Robert Woodhead
Subject: Re: E-mail content filtering ... (Miller, RISKS-22.16)

>* Just PGP encrypting is enough to ensure that the e-mail content cannot be
> filtered.

Unfortunately, one of the most common and useful anti-spam heuristics is "e-mail contains none of the most common English words". This catches a lot of non-English spam and pure-html crud.

As the maintainer of a database of anti-spam heuristics (and previously, an anti-virus program author), the fact is that perfect spam detection is impossible, it's yet another variant of the halting problem.

I personally find that the most effective approach is spam-labelling; in other words, adding headers to suspect e-mail saying "I think this is spam, and this is why". Then let the user's e-mail app apply filtering rules using the additional context. For example, I filter all e-mail marked as spam to the bottom of my inbox (lowest priority), then use other filtering rules to whitelist e-mail from known sources. I get over 300 spams a day but it takes only a few seconds to quickly scan them for false positives.

Robert Woodhead, Webslave & Mad Overlord http://selfpromotion.com/

------------------------------

Date: Thu, 25 Jul 2002 08:16:41 +0000
From: "J.D. Abolins"
Subject: Re: Uselessness of "Dirty word" filters (Lawrence, RISKS-22.16)

Re: rejecting a horse named "Dr.
Fager", I started to see other possible rejection problems.

Proper names: Would the name of the current USA President be interpreted as a vulgar term deserving filtering?

The possible derogatory term rejected by the DW filter Danny Lawrence encountered is also a British reference for a cigarette. (I guess some proponents of DW filters would consider cigarettes and smoking worth filtering out. But then how can one do an anti-smoking... oops,,, anti-[filtered]... education on the Web?)

Speaking of British terms, recipes for some traditional British food dishes would run afoul of the filters:

"[filtered]ers and Mash"
"Spotted [filtered]"
"[filtered] in Gravy"

But "Bubble and Squeak" should be safe. [Not entirely. PGN]

------------------------------

Date: Thu, 25 Jul 2002 11:44:06 -0400
From: "Danny Lawrence"
Subject: Re: Dirty word filters and Horse's names

Actually horse's names are still limited to 18 letters and all names must be submitted to the Jockey Club for approval. There is an overview of allowable names here: http://home.jockeyclub.com/rules/rules.html#rule6 (see, there is a "Rule 6"!).

Also note the last rule "B. In addition to the provisions of this Rule, the Registrar of The Jockey Club reserves the right of approval on all name claiming requests."

One owner, after having several names rejected by Buddy Bishop, the registrar, decided to call his horse "Buddy Named Me".

------------------------------

Date: Wed, 24 Jul 2002 11:18:15 -0400
From: Hollen Barmer
Subject: news@sei interactive--Second quarter 2002 issue available

The second quarter 2002 issue of news@sei interactive is now available.
The articles in this issue are
  "Preventing Security-Related Defects"
  "TIDE: Promoting Technology Adoption Through Technology Collaboration"
  "First International Conference on COTS-Based Software Systems a Success"
  "CERT/CC and Secret Service Collaborate on Security"

Our columns in this issue are
  Watts New: "Surviving Failure"
  The Architect: "Aligning Business Models, Business Architectures, and IT Architectures"
  The COTS Spot: "Risk/Misfit Redux"
  Security Matters: "Is There an Intruder in My Computer?"

news@sei interactive (http://interactive.sei.cmu.edu/) is a Web-based publication of the Software Engineering Institute (SEI). The news@sei interactive team is interested in your comments, questions, and suggestions for improvement. Contact us at interactive@sei.cmu.edu.

CERT, Capability Maturity Model, and CMM are registered in the U.S. Patent and Trademark Office. CMM Integration, CMMI, Personal Software Process, and Team Software Process are service marks of Carnegie Mellon University.

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body
   subscribe [OR unsubscribe]
which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch.
   INFO [for unabridged version of RISKS information]
There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
.MIL users should contact (Dennis Rears).
.UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.com login anonymous [YourNetAddress] cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
   http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
   http://www.planetmirror.com/pub/risks/
   ftp://ftp.planetmirror.com/pub/risks/

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.18
************************
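
Added example, not part of the digest, of John Stockton's post, or of the Internet draft he mentions: a C sketch of the day-of-week error described in the Zeller item above, run on his suggested test date 2001-03-01, with the faulty remainder beside a corrected one. The function names and the 0 = Saturday ... 6 = Friday result convention are assumptions of this example.

```c
#include <stdio.h>

/* Added example. Names and the 0 = Saturday ... 6 = Friday result
 * convention are assumptions of this sketch, not taken from the post. */

/* Un-reduced sum of Zeller's congruence for the Gregorian calendar. */
static int zeller_sum(int y, int m, int d)
{
    if (m < 3) {            /* January and February count as months */
        m += 12;            /* 13 and 14 of the previous year       */
        y -= 1;
    }
    int k = y % 100;        /* year within the century */
    int j = y / 100;        /* century                 */
    return d + (13 * (m + 1)) / 5 + k + k / 4 + j / 4 - 2 * j;
}

/* Faulty form: since C99 the remainder takes the sign of the dividend
 * (C89 left it implementation-defined), so a negative sum yields a
 * result in -6..-1 instead of 0..6. */
int zeller_naive(int y, int m, int d)
{
    return zeller_sum(y, m, d) % 7;
}

/* Corrected form: fold a negative remainder back into 0..6. */
int zeller_fixed(int y, int m, int d)
{
    int h = zeller_sum(y, m, d) % 7;
    return h < 0 ? h + 7 : h;
}

/* Bounds-checked lookup. Indexing the table directly with the naive
 * result would read before the start of the array. */
const char *day_name(int h)
{
    static const char *const names[7] = {
        "Saturday", "Sunday", "Monday", "Tuesday",
        "Wednesday", "Thursday", "Friday"
    };
    return (h >= 0 && h < 7) ? names[h] : "(out of range)";
}

/* Returns 1 if the naive form goes negative for any date in `year`.
 * Days 1..28 are enough to show it and avoid month-length tables. */
int naive_goes_negative(int year)
{
    for (int m = 1; m <= 12; m++)
        for (int d = 1; d <= 28; d++)
            if (zeller_naive(year, m, d) < 0)
                return 1;
    return 0;
}

int main(void)
{
    int bad = zeller_naive(2001, 3, 1);
    int good = zeller_fixed(2001, 3, 1);
    printf("2001-03-01 naive: %d -> %s\n", bad, day_name(bad));
    printf("2001-03-01 fixed: %d -> %s\n", good, day_name(good));
    printf("1999 affected: %d, 2001 affected: %d\n",
           naive_goes_negative(1999), naive_goes_negative(2001));
    return 0;
}
```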