precedence: bulk Subject: Risks Digest 22.96 RISKS-LIST: Risks-Forum Digest Saturday 18 October 2003 Volume 22 : Issue 96 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://www.risks.org as http://catless.ncl.ac.uk/Risks/22.96.html The current issue can be found at http://www.csl.sri.com/users/risko/risks.txt Contents: Building cleared after computers blow (Graham Smith) Car navigation system led tourist into supermarket (Michael Borek) The Joy of Good Design (NewsScan) Top 10 data disasters (NewsScan) Billboard slip adds to humiliation for Chicago Cubs (Bill Higgins) The Future of Surveillance (Bruce Schneier) Hacker charged with securities fraud (NewsScan) More on the California recall election (Rebecca Mercuri) Re: Something Fishy about Diebold (Doug Sojourner) Re: Continental taking back mistaken transactions (Phil Reed) Re: Satellite photo of Eastern North America during blackout (Mark Brader) Deadlock in Licensing Agreement, Dell Dumped (Mark Brader) 'Lover Spy' software (Geoffrey Brent) Re: Unencrypted credit-card submission forms (Bill McGonigle) Re: Benjamin Franklin (Jay R. Ashworth) Re: W32/Swen: And I thought I had it bad... (Jon Seymour) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 16 Oct 2003 11:32 +0100 (BST) From: gks@cix.compulink.co.uk (Kildwick Smith Ltd) Subject: Building cleared after computers blow I bet your company's business risk list doesn't include computers blowing up! submitted by Graham Smith from http://www.thisislincolnshire.co.uk/displayNode.jsp ?nodeId=57711&command=displayContent&sourceNode=57238&contentPK=7422650 Building cleared after computers blow *Lincolnshire Echo*, 16 Oct 2003 An office building was evacuated on 15 Oct 2003 after 30 computers exploded. Around 400 members of staff at HBS Business Services, in Brayford Wharf North, Lincoln, left the building just after 12.15pm. Computers in one block of the building had blown up, producing smoke and setting off the fire alarms. Workers had to wait for more than 90 minutes before they could return to their desks. The cause was an electrical. All the computers have to be replaced. ------------------------------ Date: Thu, 16 Oct 2003 12:15:46 -0400 From: mikkeles@netscape.net (Michael Borek) Subject: Car navigation system led tourist into supermarket A US tourist's trip through Bavaria ended with an unexpected visit to a supermarket when his car's navigation system led him straight through the store's doors. He depended entirely on the navigation system and did not notice approaching the supermarket until entering it. [Source: Ananova News] http://www.ananova.com/news/story/sm_828633.html?menu=news.quirkies There are details neither on the navigation system in use nor the reason why it "thought" there was a carriageway there. I could see the cause being either inaccurate maps (data) or a failure in the resolution of the code (assuming that the algorithms work, of course!). In any case, the inattention (or misplaced attention) of the driver, who had been celebrating, is a significant factor. ------------------------------ Date: Tue, 14 Oct 2003 09:05:00 -0700 From: "NewsScan" Subject: The Joy of Good Design Design guru Don Norman says the way a device looks, feels and gives pleasure is just as important as how it works, and that good design can make up for some -- though not all -- shortcomings. "How attractive something is will mean people will overlook some of the bad functionality, but not completely." His new book, "Emotional Design: Why We Love (or Hate) Everyday Things," -- due out in 2004 -- focuses on the way design works at different levels of brain perception. "The visceral level is the low biological level and that's where beauty comes in and appearances matter. On the surface something looks attractive and feels good. That is very important and that makes the brain function differently," says Norman. The behavioral level, which controls muscles, perception and language, perceives an object's usability and how it feels. But Norman says the most important aspect of design is its ability to invoke the deeper level of reflection, the level that dictates how we feel about things. "That is where having a good brand name matters. Having a good brand name has to be earned because they stand for trust." Good emotional design must incorporate all three levels, and Norman cites Apple and Sony as two companies that have managed to do that well. [BBC News 14 Oct 2003; NewsScan Daily, 14 October 2003] http://news.bbc.co.uk/1/hi/technology/3175506.stm ------------------------------ Date: Thu, 16 Oct 2003 09:09:05 -0700 From: "NewsScan" Subject: Top 10 data disasters Although machine failure is at fault for the majority of lost data disasters, humans are increasingly culpable as well, according to recovery experts at Kroll Ontrack. "Despite being the easiest problem to prevent, we are seeing more cases where human error is to blame. Interestingly, we see a 15 to 20% increase in calls to recover lost data on Mondays. This could be a result of the rush to complete work and leave early for the weekend on Friday afternoons, as well as a lack of staff concentration on Monday mornings," says a Kroll spokesman. The Top 10 list of unusual data loss stories includes laptops being shot or thrown against the wall in a fit of e-rage; laptops suffering spills of red wine or latte because users were "drinking on the job," laptops falling off mopeds or car roofs, then being crushed by oncoming traffic; and PCs being thrown out a window or into a river to destroy evidence of theft or fraud. Our favorite? The laptop that slipped into the bathtub with its owner while he was working on accounts. Amazingly, Kroll Ontrack says in all these cases, it was able to rescue and restore computer files. [BBC News 16 Oct 2003; NewsScan Daily, 16 Oct 2003] http://news.bbc.co.uk/1/hi/technology/3193366.stm ------------------------------ Date: Wed, 15 Oct 2003 11:20:04 -0500 From: Bill Higgins Subject: Billboard slip adds to humiliation for Chicago Cubs Last night's baseball game was a difficult and disappointing one for the Chicago Cubs. For most of the game, they were ahead of the Florida Marlins in the struggle for the National League championship, entering the eighth inning with a score of 3-0. A fourth victory in the present series of playoff games would send them to the World Series-- which the Cubs have not reached since 1945-- so excitement was high. During the eighth inning, a Cubs fan at the edge of the stands reached out and deflected an incoming ball, causing a player to miss catching it. Even worse, the Marlins began a fantastic rally that ended the eighth inning, and ultimately the ballgame, with a score of 3-8. So, as I write this, the playoff series is 3-3, and tonight's game will decide the contest. This morning I heard WXRT radio report that "somebody at Budweiser hit SEND instead of DELETE," causing an animated highway billboard to spell out "CONGRATULATIONS 2003 NATIONAL LEAGUE CHAMPION CHICAGO CUBS." Obviously Budweiser's advertising people had the message ready for the contingency of a Cubs victory. You don't suppose that the same fumble-fingered guy who knocked the ball away from the Cubs' outfielder works at Budweiser as a billboard operator? Nah. I hope that the appearance of the mistaken congratulations doesn't jinx the Cubs, and that Budweiser will be able to re-use the message tomorrow. Bill Higgins Fermi National Accelerator Laboratory higgins@fnal.gov [Unfortunately for the Cubs, that did not work out. But it was a great year for them anyway, and we are once again reminded that baseball is a game of inches. Same thing for the Red Sox (and Giants and Athletics). Wait Till Next Year is always the operative slogan for all but the eventual winner. PGN] ------------------------------ Date: Tue, 14 Oct 2003 22:58:28 -0500 From: Bruce Schneier Subject: The Future of Surveillance [From CRYPTO-GRAM, October 15, 2003] At a gas station in Coquitlam, British Columbia, two employees installed a camera in the ceiling in front of an ATM machine. They recorded thousands of people as they typed in their PIN numbers. Combined with a false front on the ATM that recorded account numbers from the cards, the pair was able to steal millions before they were caught. In at least 14 Kinko's copy shops in New York City, Juju Jiang installed keystroke loggers on the rentable computers. For over a year he eavesdropped on people, capturing more than 450 user names and passwords, and using them to access and open bank accounts online. A lot has been written about the dangers of increased government surveillance, but we also need to be aware of the potential for more pedestrian forms of surveillance. A combination of forces -- the miniaturization of surveillance technologies, the falling price of digital storage, the increased power of computer programs to sort through all of this data -- means that surveillance abilities that used to be limited to governments are now, or soon will be, in the hands of everyone. Some uses of surveillance are benign. Fine restaurants sometimes have cameras in their dining rooms so the chef can watch diners as they eat their creations. Telephone help desks sometimes record customer conversations in order to help train their employees. Other uses are less benign. Some employers monitor the computer use of their employees, including use of company machines on personal time. A company is selling an e-mail greeting card that surreptiously installs spyware on the recipient's computer. Some libraries keep records of what books people check out, and Amazon keeps records of what books people browse on their website. And, as we've seen, some uses are criminal. This trend will continue in the years ahead, because technology will continue to improve. Cameras will become even smaller and more inconspicuous. Imaging technology will be able to pick up even smaller details, and will be increasingly able to "see" through walls and other barriers. And computers will be able to process this information better. Today, cameras are just mindlessly watching and recording, but eventually sensors will be able to identify people. Photo IDs are just temporary; eventually no one will have to ask you for an ID because they'll already know who you are. Walk into a store, and you'll be identified. Sit down at a computer, and you'll be identified. I don't know if the technology will be face recognition, DNA sniffing, or something else entirely. I don't know if this future is ten or twenty years out -- but eventually it will work often enough and be cheap enough for mass-market use. (Remember, in marketing, even a technology with a high error rate can be good enough.) The upshot of this is that you should consider the possibility, albeit remote, that you are being observed whenever you're out in public. Assume that all public Internet terminals are being eavesdropped on; either don't use them or don't care. Assume that cameras are watching and recording you as you walk down the street. (In some cities, they probably are.) Assume that surveillance technologies that were science fiction ten years ago are now mass-market. This loss of privacy is an important change to society. It means that we will leave an even wider audit trail through our lives than we do now. And it's not only a matter of making sure this audit trail is accessed only by "legitimate" parties: an employer, the government, etc. Once data is collected, it can be compiled, cross-indexed, and sold; it can be used for all sorts of purposes. (In the U.S., data about you is not owned by you. It is owned by the person or company that collected it.) It can be accessed both legitimately and illegitimately. And it can persist for your entire life. David Brin got a lot of things wrong in his book The Transparent Society. But this part he got right. Kinko's story: ATM fraud story: Net spying: ------------------------------ Date: Fri, 10 Oct 2003 08:42:05 -0700 From: "NewsScan" Subject: Hacker charged with securities fraud A 19-year-old student at Drexel University in Pennsylvania is being charged by the Securities & Exchange Commission (SEC) of fraud and identity theft for hacking into someone's investment account and making a complex and illegal trade. The student is accused of using a program called the Beast to monitor every keystroke typed on the target machine, and by doing so was able to obtain the log-in and password for the investor's online brokerage account with TD Waterhouse. [*The New York Times*, 10 Oct 2003; NewsScan Daily, 10 October 2003] http://partners.nytimes.com/2003/10/10/business/10HACK.html ------------------------------ Date: Mon, 13 Oct 2003 17:31:08 -0400 From: "Rebecca Mercuri" Subject: More on the California recall election The following Web site contains some useful information pertaining to the California recall election and the resulting residual vote totals: http://www.votewatch2003.com/forum/showthread.php?p=983#post983 It provides polling data on questions that specifically asked "did you have problems using the voting machines" (yes 2%) and also "did you not vote for question xyz". The latter result was off by 2% from the semi-official vote totals indicating either that (a) the 2% of people that had problems using the machine weren't able to cast their vote properly, or (b) there are 2% of the votes being lost by the machines, or (c) the polling data is 2% low. (I am trying to find out how close they were on the totals for "what did you vote for" to see if (c) is really the case rather than (a) or (b).) Also, please note the caveat that everything is unofficial until the SoS posts the certified results, which will not occur until mid-November. ------------------------------ Date: Thu, 16 Oct 2003 13:28:56 -0700 From: Doug Sojourner Subject: Re: Something Fishy about Diebold Actually, all these numbers are so small that I don't think there is much here. The most significant case (Palmier) has the Diebold counties giving 3700 votes out of a total (in those counties) of 1300000, and outside Diebold counties 1500 votes out of a total of 6500000. I believe this means that in Diebold counties Palmier got 0.19% of the vote, with a sigma of 0.086%, and outside of Diebold counties 0.023% of the vote with sigma of 0.039%. With a null hypothesis that these both correspond to the same underlying probability of being voted for, I believe that the likelihood of this (the null hypothesis) happening is greater than f(0.19/0.86)*f(0), which is about 3%. That leaves this on the edge of statistical significance. The most dramatic case (Kunzman) actually has more than 8% chance that the null hypothesis is true. I didn't compute any others, but I doubt they could do better than Kunzman. So even though I distrust Diebold, I'm not sure this is strong evidence of tampering. [On the other hand there are various alternative scenarios... With all of the different ballot faces, the mapping of vote positions to vote tallies is always a potential problem, either accidentally or intentionally (and in the latter case, not necessarily deterministic). Butterfly ballots add difficulties for the voters. If there are many more more bad programmers than malicious ones, the election folks who insist that nothing can go wrong are seriously suspect. PGN] ------------------------------ Date: Fri, 10 Oct 2003 06:24:29 -0700 (PDT) From: phil reed Subject: Re: Continental taking back mistaken transactions (RISKS-22.94) Reading the tale of Continental Airlines taking back free miles reminded me of a tale of woe from a few years ago. A former employer (now defunct) was implementing a direct-deposit function for their payroll. The actual payroll processing had been outsourced for some time to a large company that does this sort of thing routinely (name left out because they are still in business). As part of setting up the direct deposit, the payroll group collected bank account numbers and passed them along to the outsourcing company, who entered them in their various databases. Everything normal, nothing exceptional. As part of the checking process that looked for routine data entry errors, the outsourcing company's strategy was to run a complete end-to-end sequence that would perform an actual deposit of $0.00 into everybody's account. This would cause all the invalid bank account numbers to show up on the normal error report, so they could be corrected before running an actual payroll and accidentally not paying somebody on payday. You can probably guess what happened next: the test deposit was run, but with actual payroll amounts, not with a zero dollar deposit. The error was discovered after about an hour, and it took another couple of hours to prepare a "reverse deposit" transaction to get the money back out of the accounts. During that 3 hour window, a handful of people (almost all of them spouses of factory workers) discovered the extra money and withdrew it from their checking account. Some of them immediately spent it. I don't know who it was that had to tell those workers that they had to return the money, but I cannot imagine that it was a very pleasant job. ------------------------------ Date: Fri, 10 Oct 2003 01:28:51 -0400 (EDT) From: msb@vex.net (Mark Brader) Subject: Re: Satellite photo of Eastern North America during blackout (R-22.88) [Originally submitted 29 Aug 2003, lost in the shuffle. Sorry. PGN] In addition, if the UTC timestamps on the two photos are correct, then the labeling as "20 hours before" and "7 hours after", seen both in the images and their URLs, is wrong -- as is obvious because the two times are about 24 hours apart! The blackout actually at 4:10 pm EDT (give or take a couple of minutes, depending on location): that's 20:10 UTC, so the pictures are 19 hours before and 5 hours after. The first error looks like someone forgot about daylight saving time, but the second is harder to guess an explanation for. > However, there is a surprising amount of light still on, ... I don't see why John is surprised at this, since the article Andrew quoted says that "in the New York region .. nearly 20 percent of the available electricity remained on..." It seems natural that at the scale of a satellite photo we would not be able to tell which areas of the city were darkened and which were not. (Toronto, as noted, is pretty much gone in the second photo -- and that's correct. During the blackout I was listening to local radio stations that invited people to phone in with information about their neighborhood, and there sure weren't any calls that said "we never lost power".) ------------------------------ Date: Fri, 10 Oct 2003 01:30:22 -0400 (EDT) From: msb@vex.net (Mark Brader) Subject: Deadlock in Licensing Agreement, Dell Dumped [Also originally submitted 29 Aug 2003] Ian Goldberg writes at about his recent experience buying a Dell computer in Canada. In brief, the startup screen required him to declare that he had first read and then agreed to the relevant license agreements -- but the agree- ments themselves were shrink-wrapped and could not be read without first agreeing to them. Deadlock, and nobody he could reach at Dell even saw it as a problem. ------------------------------ Date: Tue, 14 Oct 2003 09:57:18 +1000 From: Geoffrey Brent Subject: 'Lover Spy' software As reported in various news outlets recently, 'Lover Spy' offer a service for jealous lovers looking to spy on their partners: "Using this very web site, you can very easily send Lover Spy as an e-greeting card. The e-card looks just like a normal e-greeting card sent via e-mail. When opened, it will display a graphic of your choice, whether it be romantic flowers, a funny e-joke, or kittens. But silently, this e-card will secretly install our award-winning spy software on their PC ! ..." The spyware then reports back to Lover Spy's customer with a record of websites visited, chat sessions logged, passwords captured, etc etc. Site is currently down (hopefully for good), but can be viewed in Google's cache: http://tinyurl.com/qsyd (full Google link at the end of this message, for those who don't like tinyurl). There are several very obvious reasons why this is a Bad Thing (not to mention illegal), and I doubt anybody on RISKS needs to be told the risks this poses to the unwitting recipient of the greeting card. However, at least one message-board poster (see link below) has suggested a more subtle angle: presumably this service also requires the customer to install some form of software on their own computer to receive the data collected from their unsuspecting partner. What are the chances that the customer-end software is *also* spyware? As any con-man knows, the easiest way to hoodwink your mark is to let him think he's hoodwinking somebody else. And when the scheme they sign up for is illegal - as this one most certainly is - then they're much less likely to squeal when they find out who the real target is. You're already giving Lover Spy your credit card number just by signing up for your service - and captured bank account details etc. could be the icing on the cake. http://george.hotelling.net/90percent/linkage/lover_spy.php http://www.google.com.au/search?q=cache:7JvdodIm7xoJ:www.gootle.us/technology. php+%2B%22lover+spy%22+%2Bgreeting&hl=en&ie=UTF-8 ------------------------------ Date: Fri, 10 Oct 2003 11:48:42 -0400 From: Bill McGonigle Subject Re: Unencrypted credit-card submission forms (Scott, RISKS-22.94) One of the criticisms of the HTTPS/SSL/TLS protocol is that it provides both encryption and authentication without the option to forgo either. In this case, the host has used a default certificate name generated by, probably, the OpenSSL toolkit. Note, it's not a sample certificate, it's randomly generated at install time, so the user needn't fret a man-in-the-middle attack. So, in this case, you have encryption but not authentication. If you're confident of the host name and can somehow verify that a DNS spoof isn't being employed (known IP, DNSSEC), you're good to go. Of course, it's not reasonable for the general population to make this verification. For the princely sum of up to $900 per year per hostname, SSL vendors like Verisign will sign a certificate for you saying that you are who you claim to be. Your web browser will trust the certificate and not display a warning because, e.g. Verisign's certificate is built into your web browser. The trouble is, the amount of verification many certificate vendors go though is minimal (some require only a faxed letter on company letterhead), you have to trust the signer, and your certificates can be stolen (only some browsers support certificate revocation). So, critics charge that all you have is a false sense of security, which can be a greater risk. Some people fail to buy a 'real' certificate for cost reasons and some for philosophical reasons. Most just go ahead and pony up the cash to make the warning go away for the users. ------------------------------ Date: Mon, 13 Oct 2003 14:06:05 -0400 From: "Jay R. Ashworth" Subject: Re: Benjamin Franklin (RISKS-22.93-94) > Ben's original quote also gives the Patriot Act guys plenty of wiggle room, > by using the phrases "essential liberty" and "temporary safety." Who's to > judge "essential" and "temporary"? Franklin himself, I think. He wasn't providing interpretative wiggle room there, IMHO, he was making *another* value judgment: that liberty *is* essential, and security often only temporary. Remember the environment *they* lived in... it was, likely, much closer to today's America than 3 years ago's America... and yet they did what they did. Why can't *we* (, Mr Ashcroft)? Jay R. Ashworth, Baylink, The Suncoast Freenet, Tampa Bay, Florida http://baylink.pitas.com +1 727 647 1274 jra@baylink.com ------------------------------ Date: Fri, 17 Oct 2003 09:27:59 +1000 From: Jon Seymour Subject: Re: W32/Swen: And I thought I had it bad... Admittedly I was quickly disavowed of that notion by a few private responses to my last RISKS post - mine was but a mild dose of W32/Swen And then this, from http://www.theage.com.au/articles/2003/10/16/1065917549896.html The Swen virus has been blamed for delaying e-mails to BigPond customers by up to several days. On 14 Oct 2003, BigPond reported its customers were receiving e-mails late due to a rapid rise in messages being sent and received through the network. E-mail messages had increased on average from about eight million to 13 million daily. Spokeswoman Kerrina Lawrence today said the Swen virus was responsible for the sudden surge in traffic. "Telstra's technical staff has been working around the clock to establish additional network capacity to cater for the unexpected ... increase in e-mail traffic," she said in a statement. Ms Lawrence said the additional capacity will help cater for the rise in messages. "Telstra understands that the virus/worm has been taking over customers' computers and using them to send large amounts of junk e-mails (spam)," Ms Lawrence said. So, if only 1/2 of this 5 million per day increase is due to the e-mail containing the Swen worm (being generous and allowing for bounce messages), then Telstra is busily working to add an extra 2.5 *1,000,000 * 145kB / (24*3600) * 8 =~ 32Mbps capacity to their e-mail network. One presumes that they are also doing something about filtering so that all that extra capacity does not get eaten up by the worm, but then perhaps I presume too much. ------------------------------ Date: 30 May 2003 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .UK users should contact . => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. *** NEW: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: http://www.sri.com/risks http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue] Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 22.96 ************************