Subject: Risks Digest 22.84

RISKS-LIST: Risks-Forum Digest  Monday 11 August 2003  Volume 22 : Issue 84

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/22.84.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

  Contents:
Identity Crisis, article by Robert O'Harrow Jr. (PGN)
Man proves he was victimized by network vandals (NewsScan)
Dutch price index wrong due to software error (Erling Kristiansen)
Worker deletes herself out of job (M Taylor)
UCITA support fading fast (NewsScan)
Judge throws out RIAA subpoenas (NewsScan)
Who profits from spam? Surprise! (Bob Sullivan via Monty Solomon)
Ticketmaster privacy policy slammed (Paul Festa via Monty Solomon)
Hacker gets Acxiom customer information (Caryn Rousseau via Monty Solomon)
Acxiom's FTP Server compromised by /now former/ client (Randy Holcomb)
Software patching gets automated (William Jackson via Lillie Coney)
How many Windows crashes occur in a year? (John Dvorak via Monty Solomon)
Company's error sends customers to Massachusetts adult phone line
  (Monty Solomon)
University library catalogue + security (Richard A. O'Keefe)
GenCon Registration Woes Blamed on Computer Network (Allan Goodall)
Re: Metadata in Photoshop files (Sidney Markowitz)
Re: New online futures market bets on next White House scandal
  (Stephen R. Holmes)
Re: Software violates stock ownership limits (John R. Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 9 Aug 2003 11:33:27 PDT
From: "Peter G. Neumann"
Subject: Identity Crisis, article by Robert O'Harrow Jr.

*The Washington Post Magazine* Cover Story: Identity Crisis,
by Robert O'Harrow Jr.
  http://www.washingtonpost.com/wp-dyn/articles/A25358-2003Aug6.html

Caption on pair of photos:
  LEFT: Meet Michael Berry: political activist, cancer survivor,
    creditor's dream.
  RIGHT: Meet Michael Berry: scam artist, killer, the real Michael Berry's
    worst nightmare ...

  [This is an extraordinary article.  MUST READING for all of us
  victims-in-waiting.  PLEASE dig it out while it is still on-line.  PGN]

------------------------------

Date: Mon, 11 Aug 2003 09:16:20 -0700
From: "NewsScan"
Subject: Man proves he was victimized by network vandals

In the U.K., a man has been acquitted in Exeter Crown Court after
successfully arguing that child pornography found on his personal computer
had been placed there without his knowledge by network vandals who had used
a "Trojan horse" program to infect his machine.  The case creates two
worries: one, that actual child pornographers now have a new alibi that
would be difficult to disprove; two, that innocent Web surfers might find
themselves charged with possessing illegal material planted on their
computers by malicious invaders.  Former U.S. federal computer crime
prosecutor Mark Rasch says, "The scary thing is not that the defense might
work.  The scary thing is that the defense might be right.  The nightmare
scenario is somebody might go to jail for something he didn't do because he
was set up."
[*The New York Times*, 11 Aug 2003; NewsScan Daily, 11 Aug 2003]
  http://partners.nytimes.com/2003/08/11/technology/11PORN.html

------------------------------

Date: Thu, 07 Aug 2003 22:13:23 +0200
From: Erling Kristiansen
Subject: Dutch price index wrong due to software error

The Dutch Central Bureau of Statistics (CBS) published an incorrect price
index due to "an error in a computer program", according to the newspaper
Trouw (7 August).  The published index was too high by "a few tenths of a
percent".  No further explanation is given as to the nature of the error,
why it was not discovered before publication, or how it was discovered
later.
This may have an impact on salary adjustments as well as pensions and
various social benefits that are linked to the inflation rate.

This is yet another example of how dependent we have become on "the
computer says so, so it must be right".  A few tenths of a percent on a
country-wide basis, even in a small country, adds up to a lot of money.

------------------------------

Date: Thu, 7 Aug 2003 21:31:17 +0100
From: M Taylor
Subject: Worker deletes herself out of job

A Nova Scotia [Canada] government employee has been fired for deleting her
own speeding ticket from a computer database. ... The unidentified woman
will not face criminal charges.

Now the kicker is she was found by an audit conducted after another
employee had also altered entries in the database of driver's records.

Why can people delete records from such a database?  Shouldn't it operate
like the accountant's double-entry ledger, where mistakes are not deleted,
but a correction entry is appended?

  http://novascotia.cbc.ca/regional/servlet/View?filename=ns_firedwork20030806

M Taylor  http://www.mctaylor.com/

------------------------------

Date: Fri, 08 Aug 2003 11:08:16 -0700
From: "NewsScan"
Subject: UCITA support fading fast

Key backers of the Uniform Computer Information Transactions Act (UCITA)
have bowed to pressure from opposition groups and will stop lobbying for
the bill's passage.  The bill was intended to protect software developers
from intellectual property theft by bringing into conformity conflicting
software licensing laws in various states, but critics, including the
American Bar Association and the American Library Association, said the
legislation would grant software makers too much power over their products
at the expense of consumers.
So far, UCITA has been enacted in only two states, Maryland and Virginia,
and now that the effort has lost the support of the National Conference of
Commissioners on Uniform State Laws (NCCUSL), UCITA is unlikely to gain
further consideration from other states, says an NCCUSL spokeswoman.
Opponents of the bill commended NCCUSL for its decision: "It is heartening
to see NCCUSL backing away from a very flawed statute, but it will never be
able to write sound law for the information economy until it takes to heart
the criticisms of the user sector," said Jean Braucher, a law professor at
the University of Arizona and a member of AFFECT -- Americans For Fair
Electronic Commerce Transactions.
[CNet News.com 7 Aug 2003; NewsScan Daily, 8 August 2003]
  http://news.com.com/2100-1028_3-5061061.html?tag=fd_top

------------------------------

Date: Mon, 11 Aug 2003 09:16:20 -0700
From: "NewsScan"
Subject: Judge throws out RIAA subpoenas

A federal judge in Boston has rejected subpoenas filed by the Recording
Industry Association of America last month as part of its nationwide
crackdown on digital music file-sharing.  The subpoenas targeted students
at Boston College and the Massachusetts Institute of Technology who used
various screen names to share songs online.  In his ruling, Judge Joseph
L. Tauro said that under federal rules, subpoenas issued in Washington
cannot be served in Massachusetts.  The RIAA called the ruling "a minor
procedural issue" but declined to say whether it would refile in Boston.
[AP 8 Aug 2003; NewsScan Daily, 11 Aug 2003]
  http://apnews.excite.com/article/20030809/D7SQ5LC80.html

------------------------------

Date: Sun, 10 Aug 2003 12:27:27 -0400
From: Monty Solomon
Subject: Who profits from spam? Surprise! (Bob Sullivan)

Many companies with names you know are benefiting
Bob Sullivan, MSNBC, 8 Aug 2003

There wouldn't be spam if there wasn't money in spam.
So to understand what primes the spam economy, MSNBC.com answered a single
unsolicited commercial e-mail.  Following this one spam trail led us from
Alabama to Argentina, from a tiny Birmingham-based firm and someone named
"Erp" past a notorious spammer named Super-Zonda - and right through
big-name companies like Ameriquest, Quicken, and LoanWeb.  And that's just
the beginning.

The truth about spam is this: While the dirty work is done by secretive,
faceless computer jockeys who are constantly evading authorities, lots of
companies with names you know profit, at least tangentially, from their
efforts. ...
  http://www.msnbc.com/news/940490.asp

------------------------------

Date: Fri, 8 Aug 2003 01:30:04 -0400
From: Monty Solomon
Subject: Ticketmaster privacy policy slammed (Paul Festa)

By Paul Festa, CNET News.com, 6 Aug 2003

People buying tickets online through Ticketmaster may be surprised to find
themselves receiving spam as an encore.

The ticket service, which holds a lock on advance ticket sales for most
major entertainment events, is taking heat from consumers for a privacy
policy that does not let online ticket buyers opt out of receiving e-mail
pitches from an event's producers and other businesses associated with it.
That, Ticketmaster critics say, means that the company has made receiving
spam part of the price of admission.

"I have only bought a single ticket from Ticketmaster, many years ago,"
wrote one customer on an online discussion board devoted to the privacy
policy.  "Since that purchase, I have received tons of 'targeted' e-mail
personalized with my full name, the city, etc...  For now, I do everything I
can to avoid ticket purchases from Ticketmaster (and have been
successful)."
The Ticketmaster privacy policy under fire states that customers may "opt
out" of getting e-mail from Ticketmaster itself, but cannot refuse to share
their personal information with "event partners" -- defined as "the venues,
promoters, artists, teams, leagues and other third parties associated with
that concert, game or other event." ...
  http://news.com.com/2100-1026-5060827.html

------------------------------

Date: Fri, 8 Aug 2003 02:20:18 -0400
From: Monty Solomon
Subject: Hacker gets Acxiom customer information (Caryn Rousseau)

By Caryn Rousseau, Associated Press, 7 Aug 2003

A computer hacker gained access to private files at Acxiom Corp., one of
the world's largest consumer database companies, and was able to download
sensitive information about some customers of the company's clients, the
company said Thursday.

"The data on the servers was a wide variety of information, some of which
was personal, some of which was not," Jennifer Barrett, the company's chief
privacy officer, said in an interview with The Associated Press on
Thursday.

The AP was notified of the intrusion by an anonymous caller who would not
identify himself or his connection with the company.

Barrett said the company did not know about the breach until a law
enforcement agency from Ohio contacted it last week.  Barrett said both the
hacker and the stolen information are in police custody.  She said about 10
percent of the company's customers were affected and that, "it would
include some of our larger customers." ...
  http://finance.lycos.com/home/news/story.asp?story=35190673

------------------------------

Date: Fri, 8 Aug 2003 21:31:18 -0500
From: "Randy Holcomb"
Subject: Acxiom's FTP Server compromised by /now former/ client

"... The breach involved one external FTP server outside Acxiom's firewall
that is used to transfer files back and forth between Acxiom and its
clients.  The company said no internal databases were accessed and no
breach penetrated its firewall.
Additionally, the firm said only a small percentage of its clients' data was
involved in the incident.  Acxiom's client list includes a number of
Fortune 500 companies, like Microsoft, IBM, AT&T, and Blockbuster.  The
company says it services 14 of the top 15 credit card companies, 7 of the
top 10 auto makers, 7 of the top 10 media entertainment companies, 6 of the
top 10 magazine publishing companies, 4 of the top 5 telecom companies, 5
of the top 6 retail banks and 3 of the top 5 retailers. ..."

------------------------------

Date: Fri, 08 Aug 2003 15:09:26 -0400
From: Lillie Coney
Subject: Software patching gets automated (William Jackson)

By William Jackson, GCN Staff

Whenever the Defense Department's Computer Emergency Response Team
Coordination Center sends out a vulnerability alert, each DoD systems
administrator must acknowledge it and respond with a plan for closing the
hole.  The notification and response is becoming more automated, said a
security manager at a DoD software development shop, who contacted GCN and
asked that neither he nor his agency be named in print.  The problem is
that the remediation is manual.  When you get two or three alerts an hour,
it gets out of control.  The DoD security manager said he uses the Hercules
automated remediation tool from Citadel Security Software Inc. of Dallas to
cut the time for fixing flaws in multiple machines from weeks to days or
hours.  [...]

  [And when it is *fully* automated, think of how wonderful it will be to
  have new Trojan horses and security flaws installed instantaneously,
  without having to require human intervention.  Perhaps someday we might
  have systems that do not require continual patching, but I'm not holding
  my breath.  PGN]

------------------------------

Date: Sat, 9 Aug 2003 00:26:44 -0400
From: Monty Solomon
Subject: How many Windows crashes occur in a year? (John C. Dvorak)

Magic Number: 30 Billion
By John C. Dvorak, 4 Aug 2003

So what actually happens when your Windows XP machine crashes and asks if
you want to send a report?  The reports obviously accumulate in some
database, and I can only assume that when one bin piles up with similar
crash memos, the coders get to work.

Exactly how many notifications does Microsoft get?  Nobody knows for sure,
but based on comments Bill Gates made at a recent meeting for analysts, the
number must be astronomical.  Gates said that 5 percent of Windows machines
crash, on average, twice daily.  Put another way, this means that 10
percent of Windows machines crash every day, or any given machine will
crash about three times a month.  Since Bill is a math junkie, I have to
assume this number is real and based on something other than a phone
survey.  Those reports seem like the obvious source.

Now according to StatMarket.com, as of March 2003, Windows XP had 33.41
percent global market share among operating systems.  Let's give Microsoft
the benefit of the doubt and make Windows XP's share an even 35 percent at
this point.  How many computers are in use?  According to the Computer
Industry Almanac, there were 603 million worldwide in 2001, and the growth
rate seems to be around 10 to 15 percent per year.  Let's be relatively
conservative, and add just under 100 million to get a round number of 700
million PCs.  With 10 percent of them crashing daily, we have 70 million
crashes every 24 hours.  And since only 35 percent are XP machines, 24.5
million reports a day accumulate in Redmond, nearly 9 billion per year.  I
doubt this number will go down anytime soon. ...
  http://www.pcmag.com/article2/0,4149,1210067,00.asp

  [Wonderful article.  John goes on to estimate that this works out to a
  minimum of 30 billion Windows system crashes per year.  He points out
  that this magic number is also the number of gallons of fresh water
  California wastes because of mismanagement, the dollar total for the
  Enron scam, and a few other nice examples.
  But he concludes that he is partial to the number ZERO, and thinks maybe
  that should be the target for Microsoft.  PGN]

------------------------------

Date: Fri, 8 Aug 2003 01:01:44 -0400
From: Monty Solomon
Subject: Company's error sends customers to Massachusetts adult phone line

Associated Press, 6 Aug 2003

Some unsuspecting Verizon customers trying to pick a new long-distance plan
were offered ''sexy introductions'' and a chance to ''continue the fun'' on
an adult phone line.

A letter sent to thousands of Verizon long-distance customers across the
country last week listed a number for ''Intimate Connections'' as a Verizon
customer service number, Verizon officials said Tuesday. ...
  http://www.boston.com/dailynews/218/region/Company_s_error_sends_customer:.shtml

------------------------------

Date: Mon, 11 Aug 2003 15:25:32 +1200
From: "Dr Richard A. O'Keefe"
Subject: University library catalogue + security

Until recently, our university library used a DYNIX catalogue.  That had a
Telnet interface and a Web interface; I always used the Telnet interface
because that way I could get things done quicker.

We now have a new catalogue, called Conzulsys, which you may be able to
view at https://otago.conzulsys.ac.nz.  It's described as the "New Zealand
Universities' Shared Library System", and indeed one can look up things in
(a few) other libraries as well.

Problems.

(1) There isn't a Telnet interface any more.  This means that I can no
longer use 'expect' to drive queries.  Chizz.

(2) The interface isn't really designed for any of the machines I use (a
SunBlade100 and a G3 PowerMac).  For example, quite a lot of buttons have
black text on a dark blue background, so that I cannot see what the buttons
actually are.  The navigation links at the top of the page are images, even
though they are just plain text, and they're a little too small to read
comfortably on a 90dpi screen.

(3) The ***** thing keeps timing out.
For example, just now I started a multisite search for a particular author;
it popped up a window showing me that the searches had started, and then a
second later, before delivering any results, said "Restart Web Voyáge  Your
Catalogue session timed out due to inactivity."  How can that be when I've
just entered a query?  And now that's happened, it doesn't matter _what_ I
click, I get the same stupid timeout page.

(4) When new books come into the library, they are put on a rack of "New
Arrivals" shelves.  It used to be that you could take them over to a
terminal and book them.  Now you have to fill out a paper form and hand it
to the librarians, and at the end of the week they have to spend several
hours sorting these things out by hand.  (Literally sorting to get priority
right; you have to fill out the time you put the form in.)

(5) You might not have predicted (3) or (4), but you probably *could* have
predicted this one.  The HTML they generate is systematically bad.  A
<link> element is used to connect a page to its style sheet, BUT it is put
in the <body> instead of the <head> where it belongs.  In fact, it's worse
than that.  Sometimes the <body> is before the <head>.  In addition,
ampersands in URIs are *not* escaped as &amp;.  The pages are sufficiently
garbled to give even HTML Tidy a headache, which makes it difficult to
replace expect queries with wget queries.

(6) Nowhere in any of the pages is there the slightest mention of
Javascript or that you must turn off security features to use the pages.
But Javascript there is.  You can imagine how thrilled I am at having to
enable Javascript on the machine where I write exams...

But here's the really cute thing.  Under the old system, if I wanted to
reserve a book, I had to enter my library card barcode and a password.  As
far as I know, the library card barcode wasn't used for anything else, and
if someone intercepted the barcode and password, it didn't actually let
anybody *do* anything to me except reserve books, which would have been
nuisance value.
Now all the staff have been assigned a user code and a password.  The user
code has the form
  <3 letters of last name> <2 letters of first name> <2 digits> <1 letter>
I don't yet know how the final digits and letter are assigned.  This user
code is printed on the library cards, so at least all the library staff can
see them.  The password is not.

This is where social engineering comes in.  Because these user codes and
passwords are new, many staff members don't have them or don't know them.
So you ring up a certain phone number, and they tell you what your password
is or let you assign one.  When I assigned my password last week, there was
NO check that I was who I said I was.

Why is this a problem?  After all, all you can do with this is reserve
books and renew ones, plus see what someone has out, and I've always
regarded what I have out as pretty much public information anyway.

The government here is introducing something called Performance Based
Research Funding.  Sounds good, except that the data are going in now and
won't be updated until 2006, so it's really (*Former* Performance) Based
Research Funding.  Most academic staff have to use a web browser to enter a
lot of information (much of which the university should have anyway, but
that's another story) into a PBRF database.  How do they know you have a
right to enter this information?  Why, from your user code and password, of
course.  The same user code that is printed on your library card and the
same password which is set/reported without any checks on who you are.

After that, I don't suppose I need to tell you that the courseware system
uses the same user code and password as the other system.

  [I somewhat reluctantly fixed a typo above: "bardcode" sounded
  appropriately Shakespearean for a library system.
  PGN]

------------------------------

Date: Mon, 11 Aug 2003 09:06:53 -0500
From: Allan Goodall
Subject: GenCon Registration Woes Blamed on Computer Network

GenCon is a large, annual game convention and trade show held at the end of
July or early August.  Although it was held in Milwaukee, Wisconsin for
many years, this was its first year in Indianapolis, Indiana, with a record
attendance figure of 28,000 people over the four days of the convention.

The wait in line to register has always been a point of complaint, but this
year that wait was particularly excessive, peaking at four hours on the
Saturday.  In an open letter to various message boards and newsgroups,
GenCon CEO/owner Peter Adkison blamed most of the problem on the
convention's computer network.  A copy of the open letter can be found
here:
  http://www.gamingreport.com/article.php?sid=9515

In summary:

- The computers used for registration were on the same network as the
  computers that allowed convention attendees to freely access the
  Internet.  Apparently there were no restrictions on the use of these
  public access computers.

- By the first day of the convention 216 computers on the network were
  infected by a worm.  The source of the infection was one of the public
  access computers, which also contained downloaded p*rn files.

- The network wasn't sufficient to handle the traffic even without the worm
  problem.  The worm amplified the problem.

- Each attendee received a badge with their name printed on it.  Badges
  were printed at a limited number of printers, 6 badges to a sheet.  At
  times, the printers would time out due to the excessive network traffic.
  Sometimes the printed sheets would get lost.  The badge printers were a
  major bottleneck in the system.

The RISKS here should be obvious.  This isn't the first time GenCon has had
public access terminals on their network.  The registration process doesn't
appear to be much different from when I last attended (August 2000).
Either the convention organizers were unusually lucky in previous years, or
the problems weren't deemed sufficiently bad to warrant (in the minds of
the organizers) stronger security and procedural changes.  Adkison doesn't
state whether or not the change in venue this year was a contributing
factor.

------------------------------

Date: Fri, 08 Aug 2003 10:35:25 +1200
From: Sidney Markowitz
Subject: Re: Metadata in Photoshop files (RISKS-22.83)

Photoshop may not be to blame and the RISK may be broader than a single
software product being the Microsoft Word of photography.  According to Sue
Chastain at http://graphicssoft.about.com/b/a/2003_07_26.htm the revealing
thumbnails mentioned in RISKS-22.83 were not likely to be placed by
Photoshop.  Thumbnail previews, part of the EXIF metadata standard used by
all digital cameras, may be created automatically when the picture is
taken.  She says "EXIF information and metadata is increasingly becoming a
concern for professional photographers working in digital because it can
potentially expose information [...]".  Photoshop, rather than being the
culprit, has a "Save for Web" command that strips out metadata including
thumbnail previews.

------------------------------

Date: Fri, 8 Aug 2003 17:04:27 -0400
From: "Stephen R. Holmes"
Subject: Re: New online futures market bets on next White House scandal

Having just re-read John Brunner's 1975 novel "The Shockwave Rider", I was,
umm, shocked to open RISKS 22.83 and find "New online futures market bets
on next White House scandal" and "Pentagon's online trading market plan
draws fire".  In Brunner's future world (circa 200x), citizens gamble on
the "Delphi" odds that such-and-so (everything from war and famine to soap
opera events) will come to pass, in exactly the same fashion.  Both schemes
mentioned in RISKS could have been taken directly from the novel.  Life
imitating art?

------------------------------

Date: 8 Aug 2003 04:33:56 -0000
From: johnl@iecc.com (John R. Levine)
Subject: Re: Software violates stock ownership limits (RISKS-22.83)

About 25 years ago, someone had a computer hooked up to a Telex line and
programmed it to trade commodities futures, sending telex orders to his
broker.  But it wasn't programmed to take into account the size of the
various markets, some of which aren't all that big, and one day he got a
phone call from the CFTC and they were not at all pleased that he had
cornered the market in a thinly traded commodity, potatoes or something
like that.  He unwound his position and adjusted the program so it never
traded that particular commodity again.  I know this sounds like an urban
legend, but I personally know the guy.

> For companies, the RISKs are less clear.  It's not clear whether
> they had any way of finding out who was actually buying their stock, ...

Not really.  Stock held in accounts at brokers or banks (most of it these
days) is nominally owned by one of a handful of specialist companies such
as Cede & Co.  There is a way that the broker can tell the company who the
beneficial owner is so they can send out annual reports and proxy
statements, but that takes a while, so that companies have only a vague
idea of who owns their stock on any given day.  That's one of the reasons
you have to file notices with the SEC if you plan to buy a substantial
amount of a company's stock.

John R. Levine, IECC, POB 727, Trumansburg NY 14886  +1 607 330 5711
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail

------------------------------

Date: 30 May 2003 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.
 Alternatively, via majordomo, send e-mail requests to
 with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address " ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
 .UK users should contact .
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES: http://www.sri.com/risks
 http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/
 ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    http://www.csl.sri.com/illustrative.html for browsing,
    http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.84
************************
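Editor's worked example for M Taylor's item "Worker deletes herself out of job" above: the append-only ledger he asks for, in which a ticket is never deleted but "voided" by appending a signed correction entry, and the audit that caught the Nova Scotia employee becomes a single query. This is added example code, not code from the Nova Scotia registry or from RISKS; the SQLite schema, the trigger names, the ticket numbers and licence numbers, and the assumption that staff record entries under their own licence number (so a self-service correction shows up in the same column) are all constructed here for illustration.

```python
"""Append-only ticket ledger: a 'deletion' is a VOIDED correction entry,
so the record of who removed what can never itself be removed.
Added example, not code from the Nova Scotia registry; schema, identifiers
and sample data are assumed."""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE ticket_entries (
    entry_id    INTEGER PRIMARY KEY,
    ticket_no   TEXT NOT NULL,
    driver_id   TEXT NOT NULL,   -- licence number of the ticketed driver
    kind        TEXT NOT NULL CHECK (kind IN ('ISSUED', 'VOIDED')),
    recorded_by TEXT NOT NULL,   -- staff member making the entry (assumed to be
                                 -- their own licence number; see lead-in)
    reason      TEXT,
    recorded_at TEXT NOT NULL
);
-- Rows may be appended but never changed or removed, even by someone with
-- direct SQL access to the table: the triggers refuse UPDATE and DELETE.
CREATE TRIGGER ledger_no_update BEFORE UPDATE ON ticket_entries
    BEGIN SELECT RAISE(ABORT, 'ticket ledger is append-only'); END;
CREATE TRIGGER ledger_no_delete BEFORE DELETE ON ticket_entries
    BEGIN SELECT RAISE(ABORT, 'ticket ledger is append-only'); END;
"""

INSERT = ("INSERT INTO ticket_entries "
          "(ticket_no, driver_id, kind, recorded_by, reason, recorded_at) "
          "VALUES (?, ?, ?, ?, ?, ?)")


def open_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _latest(conn, ticket_no):
    """(kind, driver_id) of the most recent entry for a ticket, or None."""
    return conn.execute(
        "SELECT kind, driver_id FROM ticket_entries WHERE ticket_no = ? "
        "ORDER BY entry_id DESC LIMIT 1", (ticket_no,)).fetchone()


def issue_ticket(conn, ticket_no, driver_id, clerk):
    if _latest(conn, ticket_no) is not None:
        raise ValueError(f"ticket {ticket_no} already exists")
    conn.execute(INSERT, (ticket_no, driver_id, "ISSUED", clerk, None, _now()))
    conn.commit()


def void_ticket(conn, ticket_no, clerk, reason):
    """'Delete' a ticket by appending a VOIDED correction entry."""
    latest = _latest(conn, ticket_no)
    if latest is None or latest[0] != "ISSUED":
        raise ValueError(f"ticket {ticket_no} is not outstanding")
    conn.execute(INSERT, (ticket_no, latest[1], "VOIDED", clerk, reason, _now()))
    conn.commit()


def outstanding_tickets(conn):
    """Current state: tickets whose most recent entry is ISSUED."""
    rows = conn.execute("""
        SELECT e.ticket_no, e.driver_id FROM ticket_entries e
        WHERE e.entry_id = (SELECT MAX(entry_id) FROM ticket_entries
                            WHERE ticket_no = e.ticket_no)
          AND e.kind = 'ISSUED'
        ORDER BY e.ticket_no""").fetchall()
    return [tuple(r) for r in rows]


def audit_self_service_voids(conn):
    """Corrections where the staff member voided a ticket issued to themselves.
    The VOIDED entry is itself a ledger row, so no separate log is needed."""
    rows = conn.execute("""
        SELECT ticket_no, recorded_by, reason FROM ticket_entries
        WHERE kind = 'VOIDED' AND recorded_by = driver_id
        ORDER BY entry_id""").fetchall()
    return [tuple(r) for r in rows]


def try_hard_delete(conn, ticket_no) -> bool:
    """Attempt a raw DELETE; the trigger aborts it, so this returns False."""
    try:
        conn.execute("DELETE FROM ticket_entries WHERE ticket_no = ?", (ticket_no,))
        conn.commit()
        return True
    except sqlite3.DatabaseError:
        conn.rollback()
        return False


def demo():
    """Constructed scenario: a staff member voids her own ticket (T-1002)."""
    conn = open_ledger()
    issue_ticket(conn, "T-1001", "NS-44821", clerk="NS-90012")
    issue_ticket(conn, "T-1002", "NS-55130", clerk="NS-90012")
    issue_ticket(conn, "T-1003", "NS-55130", clerk="NS-44821")
    void_ticket(conn, "T-1002", clerk="NS-55130", reason="clerical error")
    assert not try_hard_delete(conn, "T-1001")      # the ledger refuses DELETE
    return outstanding_tickets(conn), audit_self_service_voids(conn)


if __name__ == "__main__":
    print(demo())
```

The triggers only hold against an operator who can issue DML but not DDL; in a real deployment the application's database role must lack the right to DROP the triggers or the table, and the audit query should run under a role the clerks do not control.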
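Editor's worked example for Sidney Markowitz's "Re: Metadata in Photoshop files" above: a check a practitioner can run before publishing an image, walking the JPEG marker segments, reporting whether an Exif APP1 segment still carries an IFD1 thumbnail, and stripping the segment. This is added example code, not Photoshop's "Save for Web" nor anything from the about.com article; the sample JPEG is constructed inline (a stand-in preview rather than a real camera file), and the function removes only Exif APP1 segments, not XMP or IPTC blocks, which real tools also strip.

```python
"""Detect an Exif IFD1 thumbnail in a JPEG and strip the Exif segment.
Added example, not code from Photoshop or the cited article; the sample
image is constructed below."""
import struct
from typing import Iterator, Optional, Tuple

EXIF_ID = b"Exif\x00\x00"
APP0, APP1, SOS, EOI = 0xFFE0, 0xFFE1, 0xFFDA, 0xFFD9
TAG_THUMB_OFFSET, TAG_THUMB_LENGTH = 0x0201, 0x0202  # JPEGInterchangeFormat(+Length)


def jpeg_segments(data: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (marker, start, end) for each header segment up to Start Of Scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker in (SOS, EOI):
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(data: bytes, start: int) -> bool:
    return data[start + 4:start + 10] == EXIF_ID


def exif_thumbnail(data: bytes) -> Optional[bytes]:
    """Return the JPEG thumbnail referenced from Exif IFD1, or None."""
    for marker, start, end in jpeg_segments(data):
        if marker != APP1 or not _is_exif(data, start):
            continue
        tiff = data[start + 10:end]                      # TIFF header + IFDs
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None:
            continue
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        n0 = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        link = ifd0 + 2 + 12 * n0                        # next-IFD pointer after IFD0
        ifd1 = struct.unpack(endian + "I", tiff[link:link + 4])[0]
        if ifd1 == 0:
            return None                                  # no IFD1, so no thumbnail
        n1 = struct.unpack(endian + "H", tiff[ifd1:ifd1 + 2])[0]
        offset = length = None
        for i in range(n1):
            entry = tiff[ifd1 + 2 + 12 * i: ifd1 + 14 + 12 * i]
            tag, _typ, _count, value = struct.unpack(endian + "HHII", entry)
            if tag == TAG_THUMB_OFFSET:
                offset = value
            elif tag == TAG_THUMB_LENGTH:
                length = value
        if offset is not None and length:
            return bytes(tiff[offset:offset + length])
    return None


def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment removed; scan data untouched."""
    out = bytearray(data[:2])
    pos = 2
    for marker, start, end in jpeg_segments(data):
        if not (marker == APP1 and _is_exif(data, start)):
            out += data[start:end]
        pos = end
    out += data[pos:]
    return bytes(out)


def sample_jpeg() -> bytes:
    """Constructed JPEG: JFIF APP0, Exif APP1 (IFD0 + IFD1 thumbnail), one scan."""
    thumb = b"\xff\xd8" + b"\x00" * 6 + b"\xff\xd9"      # stand-in preview image
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHI4s", 0x0110, 2, 4, b"cam\x00")   # Model, inline
            + struct.pack("<I", 26))                      # IFD1 follows at 26
    thumb_off = 8 + len(ifd0) + 2 + 24 + 4                # thumbnail right after IFD1
    ifd1 = (struct.pack("<H", 2)
            + struct.pack("<HHII", TAG_THUMB_OFFSET, 4, 1, thumb_off)
            + struct.pack("<HHII", TAG_THUMB_LENGTH, 4, 1, len(thumb))
            + struct.pack("<I", 0))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + ifd1 + thumb
    app1 = EXIF_ID + tiff
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
            + b"\x12\x34" + b"\xff\xd9")
```

Run `exif_thumbnail()` on an export before it leaves your hands: a non-None result means a viewer can recover the pre-crop or pre-edit preview the camera embedded, which is exactly the leak the item describes.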