The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 76

Thursday 16 January 1997

Contents

o Taco Bell-issimo
Peter G. Neumann
o Telstar 401 catastrophic failure
Lauren Weinstein
o More on fired contractor arrested in computer sabotage
Cathy Horiuchi
o Five-Million-Dollar Bug
David Kennedy
o Redundant virtual circuits lead to single point of failure
Sidney Markowitz
o Missing-characters file: Not the only ones with that problem
Mark Brader
o Electronic airline ticketing
Robin Burke
o More Y2K humor: Split the difference
Mark Brader
o Re: April 1 considered harmful
Chuq Von Rospach
o Problem with Insight's WWW mail
Christopher G. Holmes
o Risks of miskeying e-mail addresses
Gerard A. Joseph
o Congress and FBI aided Gingrich's cell-call snoops
Jim Warren
o FBI Offers New Proposal for Digital Wiretaps
Edupage
o Re: New US regs ban downloadable data-security software
David Holland
o FreeWare WORD macro antivirus release: PC/MAC
Padgett Peterson
o DIAC '97, Seattle 1-2 March 1997
Susan Evoy
o Info on RISKS (comp.risks)

Taco Bell-issimo

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 15 Jan 1997 17:07:30 PST
Willis Robinson, 22, of Libertytown, Maryland, was sentenced to 10 years in
prison (6 of which were suspended) for having reprogrammed his Taco Bell
drive-up-window cash register -- causing it to ring up each $2.99 item
internally as a 1-cent item, so that he could pocket $2.98 each time.  He
amassed $3600 before he was caught.  [AP item in the *San Francisco
Chronicle*, 11 Jan 1997, A11, pointed out to me by Glenn Story.]  This is
another version of the old salami attack.


Telstar 401 catastrophic failure

Lauren Weinstein <lauren@vortex.com>
Mon, 13 Jan 1997 16:46 PST
On Saturday morning, 11 Jan 1997, AT&T's Telstar 401 satellite, with a full
complement of both C and Ku band transponders, went dead.  Technicians have
been unable to reestablish any contact.  The satellite normally carries both
broadcast network and syndicated television programming.  The networks, as
"platinum" customers, were quickly switched to an alternative bird.  Almost
everyone else has been scrambling to find transponder space for their
programming.

The risk?  Don't assume the satellite will always be there!

--Lauren--  Moderator, PRIVACY Forum  www.vortex.com


More on fired contractor arrested in computer sabotage (RISKS-18.75)

Cathy Horiuchi <cathy.horiuchi@smud.org>
Thu, 16 Jan 1997 11:05:00 PST
This was reported locally in the *Sacramento Bee*, 8 Jan 1997, and is
being discussed extensively if informally hereabouts.  Unfortunately, the
twenty-column-inch long article is not stored at www.sacbee.com's archive
page online.

The accused saboteur was a subcontractor of a subcontractor of a contractor
of a state agency.  He spent at least six hours online before being
detected, and then crashed the system, which had to be restored from backup.
The newspaper article states damages as limited to $10,000, but that number
may be invalid.  Here in Sacramento the cost of a first-rate security
incident audit by an outside firm runs $20 to $30K, plus the cost of system
changes based on security weaknesses.

The nature of professional services procurement in government lends itself
to multiple levels of subcontracting.  Most computer technical experts do
not work independently, since that would require large insurance bonds and
skills writing responses to governmental requests for proposal.  Often
contracting and outsourcing firms bid for contracts, and only hire
contractors once the bid is rewarded, so there is constant staffing churn.

The RISK here is starkly stated in the article, in the last few paragraphs,
where the opinions of the management team are given: "Department officials
claim they did not know Salas was fired because he was a subcontractor and
they had no direct dealings with him.  John Thomas Flynn, who heads the
department, said his staff did everything 'by the book'.... Flynn said, 'We
didn't drop our guard.'  Since the intrusion, computer security has been
improved.  But even without the extra precautions, it is unlikely that such
an intrusion will ever occur again, department officials said."

Isn't it the job of management to know and manage the chain of control?
Even if a department employee were tasked with managing all the contractors,
there is a big difference between knowing a contractor is working between 8
& 5 and knowing exactly what that person is doing and creating.  Traditional
management practice does not require or expect technical knowledge.  That
means security, reliability, auditability are dependent on the integrity of
the technical workforce, not on the management and quality control
processes.

The idea that it cannot happen again is naive; the statement itself is an
attractive nuisance.  No system is static in this day and age.  The next DNS
server or Internet firewall that is installed will create a situation
wherein this may happen again, since it appears, from what has been stated
in public, management has learned little from the event.

Cathy Horiuchi, Principal IT Analyst, Sacramento Municipal Utility District
choriuc@smud.org


Five-Million-Dollar Bug

David Kennedy <76702.3557@CompuServe.COM>
10 Jan 1997 18:30:22 EST
[DMK: Many of us can remember the $6 Million Man, well....]

Electronic Roach Implants Probed, By ERIC TALMADGE
Courtesy of Associated Press via America Online's News Profiles:

A big brown cockroach crawls across the table in the laboratory of Japan's
most prestigious university.  The researcher eyes it nervously, but he
doesn't go for the bug spray. He grabs the remote.  This is no ordinary
under-the-refrigerator-type bug.  This roach has been surgically implanted
with a micro-robotic backpack that allows researchers to control its
movements.  This is Robo-roach.  ...

  [With a $5 million dollar grant from the Japanese Government -- no
  Proxmires in the Diet obviously]

Professor Isao Shimoyama, head of the bio-robot research team at Tokyo
University says, electronically controlled insects carrying mini-cameras or
other sensory devices could be used for a variety of sensitive missions --
like crawling through earthquake rubble to search for victims, or slipping
under doors on espionage surveillance.  ...

      The controls, however, still have a few serious bugs of their own.
      Swiss researcher Raphael Holzer, part of the Tokyo University team
Holzer jolts a roach with an electric pulse to make it move slightly to the
right and keep to an inch-wide path.  Instead, the roach races off the edge
of a table into Holzer's outstretched hands.
      ``The placement of the electrodes is still very inexact,'' he admits,
setting the bug back on track.  ...

      Holzer is optimistic. ``The technology isn't so difficult,'' he
said. ``The difficulty is to really understand what is happening in the
nervous system.''


Redundant virtual circuits lead to single point of failure

Sidney Markowitz <sidney@research.apple.com>
Tue, 14 Jan 1997 10:48:45 -0800
This note from Finland was passed on to me by a friend. It points out the
Risks of working with virtual systems while carrying assumptions and habits
from the real (physical) world.

  ... we had here data line breakdown last week and no Internet connections
  worked. It happened so that there was heavy icing on the line between Oulu
  and Kajaani which caused the break.. we had reserve line but that was also
  broken.. that line was leased from Finnet and it happened that as
  logically separate it was physically that same line which Finnet had
  leased from the primary operator! The agreement with Finnet was ended
  immediately.

Sidney Markowitz <sidney@research.apple.com>, Virtual Rocket Scientist
Apple Research Labs, Apple Computer

*fh ARPAnet loses New England despite 7-trunk ``redundancy''; one accidental
cable cut in White Plains knocks out all 7 links, 12Dec86 (S 12 1)

  [Long-time RISKS readers will recall the event on 12 Dec 1986 (RISKS-4.30)
  when New England was completely cut off from the ARPAnet because a single
  cable that was accidentally severed in White Plains, New York, happened to
  contain all seven trunk lines that had been established to provide
  physical redundancy!  Several other similar cases are also in the RISKS
  archives, including the backhoe in Annandale VA that on 14 Jun 1991 took
  out two *separate* cables (RISKS-11.92).  Physical, schmysical; but, is
  it perfectly logical?  PGN]


Missing-characters file: Not the only ones with that problem

Mark Brader <msb@sq.com>
Wed, 15 Jan 1997 04:39:08 EST
A *Houston Chronicle* article by Dwight Silverman was forwarded to
comp.dcom.telecom by Tad Cook a few weeks ago.  It was about various changes
that Southwestern Bell, the phone company there, is planning to make in
their directories.

One of the changes is that they plan to list e-mail and WWW addresses for
businesses that want to supply them.  However, this will not be possible for
residential listings at first -- I swear, this is just how the posting
appeared -- because

#  "Right now we have a certain system constraint in our residential
#  listings database that prevents us from printing certain characters on
#  a page," Hillyer said. "The biggest problem is that we can't print the
#  sign."
#
#  The sign is a crucial part of all e-mail addresses, separating the
#  user's name from the computer system -- or domain -- he uses.
--
Mark Brader, msb@sq.com         "But I do't have a '' key o my termial."
SoftQuad Inc., Toronto                                     -- Ly[nn] Gold

  [Southwestern Bell evidently needs a noncommercial
  source for obtaining its commercial-at (@) characters.


Electronic airline ticketing

Robin Burke <burke@cs.uchicago.edu>
Mon, 13 Jan 1997 11:09:26 -0600 (CST)
I have had recent and vivid evidence of the risks of much-hyped "electronic
ticketing" systems for air travel. My wife called to confirm her reservation
on a return flight, only to discover that, according to the airline she had
already flown a week earlier. "You've used that ticket," she was told. Since
electronic ticketing procedures require that the agent match the user's ID
with the ticket information, she was treated like someone trying to scam the
airline by flying twice.

Fortunately, the date of usage was different than the date for which
the ticket was issued, although the flight number was the same, and
she had various records, such as her credit card receipts, through
which to assert her identity, but only after many hours on the phone.

The supervisor who finally resolved her case seems to be handling a lot of
electronic ticketing problems. The agent is supposed to look at the
passenger's ID, and pull up the ticket record corresponding to that
traveler. However, there is also a receipt for the electronic ticket: "not
valid for travel" that has the name and ticket number on it. Apparently, in
this case, the gate agent used the ticket number from the receipt, but typed
it in wrong, then failed to notice that the ticket record retrieved was for
a different passenger than the one named on the receipt.

No record is made of the validating transaction (the agent matching the ID
against the ticket record), except for the agent marking the record as used,
so the airline has no way of knowing who actually traveled on our ticket,
and we had no way, within the system, of documenting the fact that the
ticket had been used by someone else.

I, for one, will stick with a physical ticket.

Robin   University of Chicago, Computer Science Department
http://www.cs.uchicago.edu/~burke/


More Y2K humor: Split the difference

Mark Brader <msb@sq.com>
Tue, 14 Jan 1997 17:54:22 GMT
In comp.software.year-2000, Darren Berar suggests a compromise for those
struggling with converting from 2-digit to 4-digit years.

| I suggest the 3 digit year.  It puts the whole issue off for another
| 1000 years and is only 50% of the work to implement a 4 digit year.  :-)

Mark Brader              "Should array indices start at 0 or 1?  My ecumenical
msb@sq.com                 compromise of 0.5 was rejected without, I thought,
SoftQuad Inc., Toronto      proper consideration."     -- Stan Kelly-Bootle

  [Mark noted that there were two follow-ups (follows-up?) in that
  newsgroup from people who took this message seriously!  Incidentally,
  the 1996/2001 edition of the annual Denning Newsletter from Peter and
  Dorothy Denning -- which this time looks back from the future in 2001 --
  indicates that the Y2K problem will have been successfully postponed for
  another 48 years by observing that K is properly equal to 1024, so that
  COBOL programmers could simply change the representation of the year field
  from base 10 to base 2.  Verrry cute.  Happy New Year 2000 to the Dennings
  for that one. PGN]


Re: April 1 considered harmful (Evans, RISKS-18.74)

Chuq Von Rospach <chuqui@plaidworks.com>
Sun, 12 Jan 1997 13:03:14 -0800
>We need to address the risks involved in even _having_ a 1 April in the
>calendar.  What if a powerful newbie takes a 1 April prank seriously, and
>dives in to "fix" something?  What are the risks there?

Shrug. Christmas offends non-Christians. Should we do away with it?
Halloween has satanic roots (according to some; it's actually pagan.  Not
everyone sees the difference).

No offense intended to William Evans, but this seems to me to be
well-intentioned but creeping PC-ism. Someone might interpret an April fools
joke wrongly. Therefore, do away with April fools. Someone might drink,
drive and kill someone in a car. Obviously, do away with drinking and
driving.

Personally, I'd go for the cars first. They kill a lot more people than
April Fools jokes do. I think we need to keep perspective. Just because
there *is* a risk doesn't necessarily mean we have to obliterate anything
that causes a risk.

Life is not about removing risks. Life is about understanding and managing
risks, and resolving SERIOUS risks. Just because something might be a
problem doesn't mean it is, or is worth fixing....

Now, having said that, folks who pull stunts like this (not that I'd know
anyone who has, not me. nope) have a responsibility to do so in a
non-destructive manner. It's sort of like drinking and driving -- it's not
the drinking that's the problem, it's the idiot who doesn't know enough not
to drive drunk. A good April Fools joke merely causes embarrassment when
someone falls for it. That's half the fun of designing those things.  If
they cause damage by design or accident, then the writer of the joke ought
to be responsible for the impact of it. Doesn't matter if you meant to throw
a firecracker at someone or not, if you blow off a finger, "I didn't mean
to" isn't a valid defense...

I think this piece brings up an interesting meta-question: the risk of
RISKS: by focusing on risks in this forum, do we run the risk of losing
perspective on risk? Because if we are just as seriously talking about doing
away with April 1 over the risks of a misplayed joke as we are bugs in air
traffic control systems and the risks to human life, then we sure have lost
our sense of perspective. All risk is not created equal, and sometimes we
seem to forget that...

Chuq Von Rospach (chuq@solutions.apple.com) Software Gnome
Apple Server Marketing Webmaster <http://www.solutions.apple.com/>

  [NOTE: This message is from the unidentified creator of one of the best
  April-Fools spoofs ever: the SPAFFORD SPOOF, RISKS-6.52, 1 Apr 1988, and
  a follow-up from Spaf in RISKS-6.54.  PGN]  [typo corrected in archive]


Problem with Insight's WWW mail

Christopher G. Holmes <holmes@papillonres.com>
Thu, 16 Jan 97 15:23:00 EST
I just discovered a problem with Insight's new WWW based on-line
purchasing system.  Insight sells personal computers & peripherals.

When purchasing an item, the system asks you to set up an account first.
Setting up an account is simply filling in a form with name, address, and
phone #.  An account # is then assigned.

A coworker set up an account with them a few weeks ago and bought
something for his personal use, though he gave the office phone #.  I set
up an account a few days ago to buy something for work and gave the same
office phone #.  The system gave me the coworker's account #, but gave no
indication that this was an existing account.  All information needs to be
entered again at "check-out" in addition to supplying a credit card # &
shipping address.

I received my order today with my coworker's name & home address on the
bill.  I called and explained the situation.  The service rep told me that
account #'s are keyed to the phone #.  She checked and told me that the
proper credit card had been billed, but that the credit card co. had not
checked the order for a correct billing address, etc. (This check is
pretty standard for mail order these days.  In fact, most outfits will
only ship to the CC billing address).  So no harm done, but I had a hard
time convincing the rep that this was a problem that needed to be
addressed.  I can imagine a scenario where a someone's home address is
given to some jerk in the same office who's been harassing him/her.  And
what if my phone # changes?  And the old number is reassigned?  The phone
# is also used as a "password" to help verify the account # when checking
order status.  Will we never learn?

Christopher Holmes


Risks of miskeying e-mail addresses

"Gerard A. Joseph" <gerard@ozemail.com.au>
Thu, 02 Jan 1997 10:45:01 -0800
Most users have learned at least once that a computer will do what it's
told, even if it's not what the user intended (provided the input is valid).

It would appear that many users are careless about handling and entering
e-mail addresses.  If such carelessness results in an invalid e-mail address,
no real harm is done; the originating user will probably get a message back
to that effect, realize his error, and resend the message with the
destination address duly corrected.

However, an error that results in a valid e-mail address has potentially more
serious consequences.  It can result in a significant and embarrassing
breach of privacy, and, depending on the honesty and the diligence of the
unintended receiver, may remain unknown to the sender until it surfaces
through some other means.  I often receive misaddressed e-mail, some of it
intensely private in nature.  While courtesy and common sense dictate that I
return it promptly to the sender and inform him of the error, nothing about
the Internet can guarantee the sender that any private information he
unintentionally disclosed to me will not be abused.

E-mail addresses, like telephone numbers, can be wrongly transcribed or
miskeyed.  With a burgeoning user population, it would seem that there is an
increasing probability that a randomly miskeyed e-mail address will actually
be someone else's e-mail address.  Users should develop an awareness of the
risks to their privacy (as well as to the effectiveness of their
communication!) of getting e-mail addresses wrong.


Congress and FBI aided Gingrich's cell-call snoops (Re: RISKS-18.75)

Jim Warren <jwarren@well.com>
Wed, 15 Jan 1997 17:09:31 -0800
Please note that it is the U.S. Congress that aided the cell-phone
industry's initially remaining unsecure by making it unlawful to intercept
calls that thus allowed cell peddlers to tell tech-naive prospects that cell
calls were "safe".

But it is our federal enforcers -- led by the FBI -- who have zealously and
diligently *BLOCKED* installation in U.S. cellphones of often-proposed,
repeatedly-urged, readily-available automated scrambling technology to
uncrackably protect the privacy of personal cell-phone calls, and also
protect cell-phone id numbers -- that are *still* broadcast in the clear and
thus trivially intercepted and cloned, costing the cell industry "billions"
of dollars (that is, *if* the folks using cloned fones would actually pay
for the calls that they make for free).

My information is that our FBI even had a major hand, earlier this decade,
in keeping the European cell-phone standards committee from finally
adopting cell-phone standards that they ready to accept, that included
automated uncrackable voice scrambling for *all* new cell phones.

Seems our FBI told the French security folks how awful that would be for
government snoops (i.e., all cell-users must be considered potentially
guilty of something), and the French instantly demanded that the
call-security aspects of Euro cell-phone standards be trashed.  They were.

Jim Warren


FBI Offers New Proposal for Digital Wiretaps

Edupage Editors <educom@elanor.oit.unc.edu>
Thu, 16 Jan 1997 18:10:07 -0500 (EST)
The Federal Bureau of Investigation has released for public comment a new
proposal for facilitating tapping of digital phone calls by law enforcement
officials armed with court orders.  Under the new proposal, which is
significantly more modest than what the Bureau had asked for in a earlier
plan, law enforcement officials would operate under a formula in which (for
example) 523 phone lines could be monitored simultaneously in a place such
as Manhattan.  Privacy advocates oppose the FBI's plan as an unacceptable
expansion of electronic surveillance.  (*The New York Times*, 15 Jan 1997,
A8; Edupage, 16 January 1997)


Re: New US regs ban downloadable data-security software (RISKS-18.75)

David Holland <dholland@hcs.harvard.edu>
Thu, 16 Jan 1997 17:12:15 -0500 (EST)
"Lucky Green" (shamrock@netcom.com) wrote:

 > [Federal Register: December 30, 1996 (Volume 61, Number 251)]
 > [makes it illegal to export without a license:]
 >
 >   c.3. ``Software'' designed or modified to protect against malicious
 >         computer damage, e.g., viruses;
 >
 > [For the full text, see
 > http://www.epic.org/crypto/export_controls/interim_regs_12_96.html]

The cited text is not to be found on that page. (Standard RISK...) I
found it at http://jya.com/ke121396.htm using Altavista.

It does appear that the language in question appears in the list of
controlled items, even though in most previous documents of this sort
virtually identical language appears as an exception to export
controls. Did somebody goof when preparing the new regulations?

In any event, it appears that later language

       Note: 5D002 does not control:
       a. ``Software'' required'' for the ``use'' of equipment excluded
   from control under the Note to 5A002.
       b. ``Software'' providing any of the functions of equipment
   excluded from control under the Note to 5A002.

exempts anything that uses encryption only for access control or uses
only message digests. Since this describes most existing virus
protection software, I think some major legal wrangling will be
necessary.

Note that almost all system software is designed to protect against
malicious computer damage; if legal wrangling results in such software
in fact becoming subject to export control, most operating systems
projects are going to have major problems.

David A. Holland                      dholland@hcs.harvard.edu


FreeWare WORD macro antivirus release (PC/MAC)

Padgett 0sirius <padgett@gdi.net-antispam>
Wed, 15 Jan 1997 21:45:16 -0500
Many people said it could not be done, but that just gets me interested and
after literally months of obsessive programming (fortunately do not need
much sleep 8*) on 14th January I posted for release as FreeWare (no charge
for non-commercial use): MacroList.

Like the WORD macro viruses, this defense is designed to work on both MAC
and PC platforms and anything from a 386/SE 30 to Pentium Pro 200/Power PC
100.

A macro itself, it builds on the concept that some things in WORD are not
subvertable by a document/template and provides a mechanism for detection of
any abnormalities.

Like the rest of my programs, it has not a clue what a virus is, instead it
gives users visibility into the areas where viruses reside and allows the
user to decide what to do (DELETE ALL is an option).

I have designed it to be compatible with other anti-virus programs (even
SCANPROT) though MacroList is effective even against E-Mail launches of
encrypted messages.

Enough said: it may be downloaded from http://www.netmind.com/~padgett/
- select "AntiVirus Hobby" and coming soon to sites near you.

Warning: there is a message in the ABOUT.

[A. Padgett Peterson]


DIAC '97, Seattle 1-2 March 1997

Susan Evoy <sevoy@Sunnyside.COM>
Tue, 14 Jan 1997 11:09:26 -0800
                     Community Space & Cyberspace
                         What's the Connection?
                   http://www.scn.org/tech/diac-97
                 March 1 - 2, 1997, 9:00 am - 5:00 pm
                    University of Washington HUB
                           Seattle, WA  USA

Will cyberspace destroy society by turning us all into high-tech couch
potatoes?  Or will it provide unprecedented opportunities for community
involvement?  On March 1 and 2, 1997, Computer Professionals for Social
Responsibility (CPSR) will present its sixth DIAC ("Directions and
Implications of Advanced Computing") conference to help answer those
questions.  The theme is "Community Space and Cyberspace: What's the
Connection?" and our aim is to challenge some of the cyber-spacy hype and
bring the discussion back to earth to the communities we live in.

Howard Rheingold, best-selling author of "The Virtual Community:
Homesteading on the Electronic Frontier" will give the keynote address on
March 1.  Howard's presentation will be followed by panel discussions on
economics, education, high-technology social mediation, and other topics.
In these panels computer pioneers, activists, and other thinkers and doers
will describe their experiences and ideas on what has changed, what may
change, and, most importantly, what citizens can do to make the technology
more responsive to community needs.

Some of the Panelists include (among others)

  + Peter van den Besselaar, Social Science Informatics, University of
    Amsterdam and De Digitale Stad (the Digital City), Amsterdam
  + Amy Borgstrom, Executive Director, ACENET, OH
  + Amy Bruckman, Researcher, MIT Media Lab, Cambridge, MA
  + Steve Cisler, Senior Librarian, Apple Computer, Cupertino, CA
  + Jamie McClelland, Libraries for the Future, New York, NY
  + Peter Miller, Network Director, Community Technology
      Center's Network (CTCNet), Newton, MA
  + Kevin Rocap, California State University at Long Beach
  + Roland Waters, CEO, RTIME, Inc.

The second day, March 2, will feature workshops on a variety of topics
presented by practitioners from the Pacific Northwest, Boston,
Amsterdam, New York City, and many other places.

Workshop Topics include

  + Libraries in Cyberspace
  + Community Voice Mail for Homeless Clients
  + Networking for Non-Profits
  + City Government Programs On-Line
  + Telecommunications and Educational Reform
  + On-Line Services: Forum for Collaboration or Technology of Isolation?
  + Safety in Cyberspace
  + Civil Liberties in Cyberspace
  + Navigating the Maze of Telecommunications Policy Changes
  + ...

For more information: Doug Schuler, douglas@scn.org, 206.634.0752

Please report problems with the web pages to the maintainer