Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
From rec.humor.funny, but it belongs in Risks, too... (True) In an effort to snag more long distance telephone calls (charged to a credit card or a third number), AT&T reserved the toll-free number 1-800-OPERATOR. Not to be outdone, and perhaps knowing the public better, MCI reserved the number 1-800-OPERATER and has been scooping up calls intended for its arch-rival. Walter C. Daugherity Texas A&M University daugher@cs.tamu.edu [So now we need legislation on Truth in Mispelings and Mistouchtonings? PGN]
>From the Tampa Tribune, Wednesday May 25, 1994 Howard Jenkins was a multimillionaire for about a half a day. About a week ago he lost his checkbook and called his bank to have a hold put on his account. "When he went to make a deposit Fiday morning, he was told to check the automated teller machine outside to make sure the account was working." He made a small withdrawal and the receipt told him his account balance was $889437.93. He went home and called the bank's automated telephone account inquiry system, and was informed that his balance was now more than $88 million. He went back to the bank and asked a teller for his balance, and was given an 8 digit number. She asked if he had received "an inheritance or something". He withdrew $4 million in cashier's checks and cash, requiring a bank manager's signature on each check, and they "didn't bat an eye". He returned later that day, accompanied by his lawyer, and returned the money. The bank attributes the erroneous balance to a computer error, probably linked to the hold transaction. Several things stand out to me: 1) He was told to check an ATM to see if his account was working. Whoever told him this should have been able to check directly using the bank's terminal. The bank (and reasonably so) puts a great deal of trust in the computer. 2) The balance shown on the ATM receipt was different than that given him by the automated telephone information system and the teller. Is this a user interface problem, or something more involved? 3) The computer error is likely to be the fault of inadequate testing or a user interface inadequacy (calling up a deposit transaction instead of an account hold transaction). Both topics have been discussed at length in this forum. 4) Nobody questioned this withdrawal or the large deposit. The teller who checked his balance was the only one mentioned in the story that even noticed his windfall. Proper software and human procedural checks would have caught this error. If a pre-computer bank teller had been handed a deposit of this size, the bank manager would have been notified. When the withdrawal was made, the manager would have known about the deposit and been confident that the request was legitimate. Are similar human checks and balances included in modern banking computers? Andrew C. Fuller, E-Systems, ECI Division, St. Petersburg, FL acfa@callisto.eci-esyst.com (813) 381-2000 x3194 72417.612@CompuServe.com
ATTENTION LIBRARIANS — FATAL BOOKSHELVES
A union claims that Library of Congress employees are exposed to
potentially fatal crushing hazards caused by sliding mechanical bookshelves,
and asserts in a lawsuit that the bookshelves have occasionally started up
unexpectedly, undeterred by safety sensors. The government insists the
bookshelves have experienced "only three or four failures," none of which
resulted in employee injury. (BNA Occupational Safety & Health Reporter
5/18/94 p.1787)
RISK-TAKING
Information technology visionary George Gilder calls Michael Milken a
risk-taker, "who was willing to plunge $2 billion into a company with $100
million in assets and $200 million in revenues. He had a great eye and really
did it brilliantly. The people who prosecuted him did not understand what he
was doing at all. It was mysterious to them and he was making too much money
to be legal [laughs]." (Upside, June 94, p.55)
Dell has issued a recall of 63,000 monitors after receiving 32 reports of
overheating or fires starting. The problem monitors bear the number DL-1460NI
on the back.
Owners of the monitors with that number should call 1-800-913-3355 to set
up free pickup and repair.
Arrangements also can be made through Dell forums on CompuServe and
America Online or by dialing Dell Computer Corp.'s bulletin board at
512-728-3589. Dell will ship packing materials to owners of the monitors, who
then will send them by Airborne Express to the company for repair within three
to five working days.
Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
[Watch out for The Foamer in the Dell. PGN]
As reported in Toronto's EYE Newspaper [eye@io.org] (similar to New York's
Village Voice) dated 19 May 1994:
The London Ontario detachment of the Ontario Provincial Police have begun a
campaign of harassment against local University Internet users who are
attempting to use the net to gain information on the Karla Homolka trial. A
University of Western Ontario (London) student had his Internet account frozen
by the university computer staff when requested by the Police. The reason for
this lay in the student's name being left on the text of a FAQ of the details
of the trial. Another student in Toronto had Faxed this material (which had
been Emailed to him) to the Toronto media, and the offices of the Premier of
Ontario and the Attorney-General as an act of provocation against the Ban (his
regular anonymous forwarding site was not working). The problem was that he
had forgotten to remove the other persons name and account number from the
original E-mail that was sent out.
The police action against the student's account was done without a
warrant, and also involved the questioning of the student at the local police
station. Likewise the students home computer was searched without a warrant by
using the threat of criminal charges. The Student's computer account was
reinstated, but he was required to turn over all incoming Email to the police
under the threat of criminal charges if he did not cooperate. A list of about
50 people who had received Homolka FAQ's were passed on to the police. The
important part of this entire situation is that no one, including the Ontario
Attorney-General office is certain that the ban applies to the Internet. The
ban states that details of the trial cannot be published in the print media
but there is no ban on possession of information. There is no mention of the
Internet, nor the use of computer systems in the ban. Further, there is no
official investigation of the Internet on the part of the Ontario Provincial
Police, except for this one detachment.
One of the questions raised is the ethics of the University of Western
Ontario's computer department. Their cooperation with the police was based on
a fear of having their computer equipment confiscated (similar to the case of
the University of Cambridge in England). If the situation had taken place with
in the library system of the university, it would not have been tolerated by
the library staff due to the long held tradition in that profession of the
defence of freedom of speech. If the Internet is to remain open this set of
values will have to become part of the professional commitment of the MIS
staff of universities as well.
If Schindler Elevator gets a black eye as a result of the Toronto
controversy, at least they have an ace in the hole.
They can just change their name to Schindler's Lifts.
[Remarkably, this was also suggested in various contexts by
Mark Bartelt <sysmark@chipmunk.cita.utoronto.ca>,
roedder@netcom.com (Spencer Roedder),
jcook@epoch.com (Jim Cook),
davis@ilog.ilog.fr (Harley Davis).
I am absolutely delighted that I am not carrying the
entire burden of elevating the level of discourse. PGN]
> ... This is a serious kind of failure, if an automatic system designed to
> prevent a problem makes it worse, it should do nothing at all!
This is probably true for conventional aircraft. For fly-by-wire aircraft,
however, the computer systems can never "do nothing".
I understand that the main computer system (in, e.g. A320) has six (approx)
flight modes, and that it responds slightly differently to manual inputs
depending on which mode it is in. Pilots are required to understand the
differences between the modes. I imagine that, in non-emergency situations,
the pilot would not need to worry about these differences: the aircraft would
respond "intuitively" to command inputs. In very unusual situations, the
required inputs to the machine may be counterintuitive. This can probably be
overcome in two ways:
(i) Give the flight computer more modes to be in, so that it could behave
"properly" or "intuitively" in the various situations.
(ii) Give the pilots enough simulator training so that the intuition takes into
account the mode that the aircraft is in.
In critical manoevres, like landing and go-around, pilot confusion is to be
avoided at all costs.
John Yesberg (jdy@itd.dsto.gov.au)
re: joe jett's alleded fraud: > It seems to me that this manipulation could only have been accomplished > through extensive computer manipulation by Jett and possibly by others. I believe this is incorrect. It probably happened because the accounting system did not handle the trade properly. i would guess that no outright manipulation of data or code was necessary. also, his gross strips position was probably growing larger and larger as time went on. this should have raised some red flags. mike rosenberg mkr@fid.morgan.com
<> 76 total accidents, 3513 fatalities. (How do you have *1* mid-air?
<> They must be counting accidents, not aircraft involved.)
Although you are probably right, this is not impossible. Several months ago,
several people were killed in a small airplane over Massachusetts when it
collided with a skydiver (who survived with a broken leg). One plane, midair
collision.
Marc
John Gersh writes regarding an information channel display that showed an incorrect floor number during a fire alarm. Other contributors have written regarding cable-TV channels reporting "Software Failure" for hours or days on-end. As a manufacturer of such equipment for the Cable Television Industry, I hope I can provide some insight. A very common computer used in systems for broadcast applications is the Amiga. This is because of it's relatively low cost for this application, as well as the fact that it generates clean video at standard NTSC/PAL rates. On older versions of the operating system, if a program crashed severely (the Amiga OS does not provide memory protection or resource tracking, yet is fully multitasking), a flashing red "guru" message would appear, requiring an acknowledgement from the user to reboot the machine. Unfortunately, due to the nature of cable transmission, these machines are usually located in very remote sites. Of course, many cable companies are too lax in even monitoring for crashed displays. Under newer versions of the OS, this problem is solved in that after a timeout (usually 30 seconds), these requesters go away and the reboot proceeds normally. Since the Amiga isn't a very widely supported or understood platform, most of these cable operators do not upgrade to newer OS's, and some machines cannot legally be upgraded (physically they can, but since ROMs are not available from Amiga, you have to make a copy of the OS and install it on the hard drive of the machine, which is technically illegal.) Our solution for our customers was to create a "watchdog" program that would reboot the machine in the event that our main task failed in any way. We then discovered something interesting: Most of the crashes occurring were not a result of our program (or our competitors), but of line spikes and brownouts trashing the machine. We now insist that our customers at least purchase a line conditioner or a UPS as a result. One contributor to this list asked what cable companies will do now that Commodore is out of business, regarding replacement parts. For quite some time now, it has been quite difficult to obtain support from Commodore anyway, so my company as well as others have been acquiring spare parts from used machines. One should note, however, that Commodore's death is being exaggerated on the net, and that there is indeed a buyer, but specifics have not been made public at this time. An interesting incident reported to me by a customer: During the March, 1993 earthquake in Klamath Falls, Oregon, cable service was not interrupted. The 911 emergency center was being swamped with calls, many of them for non-life-threatening situations. They called the cable company and requested that a message be posted on the air to tell people with minor emergencies to use an alternate number to reach the 911 center. Unfortunately, the number provided to the cable company was incorrect, and was for the main 911 center's outgoing lines (non-emergency). The administrative office was then swamped with calls, and could not obtain and outgoing line to call the cable company and tell them to change the number. As a result, the 911 center wants modem access to our software so that they can alter displays themselves. (I don't see how that could have prevented this particular situation.) We are currently evaluating how best to achieve this. There are several liability issues that open up when you allow third parties access to your airwaves. Not to mention the fact that while our software is password-protected at this time, anyone with a password also has access to the billing and setup functions. We now have to segment our security further so that outsiders can not mess with private or operation-critical information. Bob Richardson, Product Development Supervisor, Sound Concepts / MagicBox (503) 752-5542 bob@csos.orst.edu
I am somewhat skeptical of the apparent failure in security described by
<eddy@gen.cam.ac.uk> in RISKS-16.08. I have been in the situation eddy
describes many times, and the "NFS server ..." message always appeared AFTER I
typed the password, if the password prompt appeared at all (sometimes it did
not). In fact since the code in question queries you for the password and
then waits to collect it, it is difficult to imagine what it could be doing in
between those two operations that would involve NFS access.
Also, if the included transcript is literally accurate
eddy@eddy> su
Password:
NFS server mbfs.bio not responding still trying
then, since the "Password:" prompt does not end in a newline, eddy must
have at least typed a newline before getting the "NFS server ..." message,
and the possibility that the entire password was typed before that newline
cannot be ignored; after all, until that much-loathed message appeared,
eddy was presumably expecting to "su" as usual so as to be able to unmount
the soon-to-disappear filesystems.
Of course, this is computer software, so I'm not saying it's impossible!
But I'd like to see it duplicated before I believe it. Unfortunately
eddy's message did not give the UNIX version involved in this scenario, so
I cannot do it here.
The _real_ risk is that once you've entered the password, you've got a
nascent superuser shell that anyone can type at once the server comes back
up. Yet one hardly wants to stick around and guard it... In a university
environment, this seems risky indeed.
Dan Franklin
> The _real_ risk ... superuser shell that anyone ... In a university
Interesting point. The risks of leaving the terminal unattended aren't the
usual ones for a university; this is a lockable office which I share with folk
that I trust not to abuse a root shell and who would have locked the office if
they'd gone out in my absence — ie, we don't get random undergraduates
wondering in in our absence — but I hadn't typed the password, so this
wouldn't have been a problem (except that I'd feel shy of letting random UG's
get at _my_ account, of course; which is one of our reasons for locking the
door).
> ... if ... literally accurate ... possibility ... cannot be ignored ...
The transcript is literally accurate; I copied the text from the command-tool
to the mail window by raw cut-and-paste. I had not typed anything at the
password prompt when the NFS server message came up; what I did type (a tenth
of a second later — thus before I'd noticed the message) was only the first
three letters of the password and I soon removed those with ^U because they
were being echoed ! I followed that with a return and several ^Cs (a strategy
which doesn't trick su normally — the first experiment I tried on discovering
what had happened) so that nothing should sensibly have been able to go wrong.
> ... after all ... eddy was ... expecting to "su" [so as] to unmount ...
Dead right there; but, as I say, I noticed what was happening _before_ I'd
typed the whole password.
> I am somewhat skeptical ...
And all Dan's reasons for skepticism (which I respect as such given that he
only has the information third hand) are exactly the reasons for my horror
upon discovering that I'd managed to become root without having typed the
magic words.
> I'd like to see it duplicated before I believe it. ... UNIX version ...
Yes, duplication under controlled conditions is the only way to confirm. The
machine I'm running on is a Sun SPARCclassic running SunOS 4.1.3.
Eddy
[A similar correspondence occurred between
Caveh.Jalali@eng.sun.com (Caveh Jalali) and Eddy,
but it is not included here because of the overlap. PGN]
Subject: Time:10:57 AM
OFFICE MEMO Re: UK ATM Spoof Date:5/19/94
Date: 19 May 1994
From: gary_preckshot@lccmail.ocf.llnl.gov
Subject: Re: UK ATM Spoof
>.....copies the one-time response from the card's LCD into the keypad).
>The ATM or banking network validates the response and continues the
>transactions. Results of setting up a spoof on a stolen ATM: zero.]
Surely this is an example of the risk of becoming too enamoured of your own
ideas. Regardless of the elaborate scheme proposed, all the fake ATM machine
needs to do is look like it is responding correctly, and the user will enter
his or her PIN. The issue isn't validation, it's getting information out of
the user by deceit, and anything that fools the user will work. Only other
information, not available easily either to the user or to the credit card
thief, will fill this security hole.
Instead, there probably has to be a piece of information possessed by the
"smart" card which cannot be obtained without correct authorization. Only an
ATM hooked up correctly to the bank could obtain the passwords to unlock the
card, which then provides some internal code unrelated either to the PIN or to
the card account number. However, this raises other issues, such as how could
you use such a card for phone charges? Or how could charges be validated at
the point of sale? Somehow the same challenge/response would have to occur at
Macy's as it does at the ATM, or what good would the internal validation code
do? Thus, the challenge would be available for analysis on the general
telecommunications system, and a significant communications burden would be
placed on the system due to wide spread usage. Somehow, I don't think it's
quite so simple.
Gary
DRTOPE@delphi.com
Periodically I will remind you of TWO useful digests related to privacy, both
of which are siphoning off some of the material that would otherwise appear in
RISKS, but which should be read by those of you vitally interested in privacy
problems. RISKS will continue to carry general discussions in which risks to
privacy are a concern.
* The PRIVACY Forum Digest (PFD) is run by Lauren Weinstein. He manages it as
a rather selectively moderated digest, somewhat akin to RISKS; it spans the
full range of both technological and non-technological privacy-related issues
(with an emphasis on the former). For information regarding the PRIVACY
Forum, please send the exact line:
information privacy
as the BODY of a message to "privacy-request@vortex.com"; you will receive
a response from an automated listserv system. To submit contributions,
send to "privacy@vortex.com".
* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
run by Leonard P. Levine. It is gatewayed to the USENET newsgroup
comp.society.privacy. It is a relatively open (i.e., less tightly moderated)
forum, and was established to provide a forum for discussion on the
effect of technology on privacy. All too often technology is way ahead of
the law and society as it presents us with new devices and applications.
Technology can enhance and detract from privacy. Submissions should go to
comp-privacy@uwm.edu and administrative requests to
comp-privacy-request@uwm.edu.
There is clearly much potential for overlap between the two digests, although
contributions tend not to appear in both places. If you are very short of time
and can scan only one, you might want to try the former. If you are interested
in ongoing detailed discussions, try the latter. Otherwise, it may well be
appropriate for you to read both, depending on the strength of your interests
and time available.
PGN
Please report problems with the web pages to the maintainer