The RISKS Digest
Volume 18 Issue 75

Friday, 10th January 1997

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Newt Gingrich's confidential teleconference compromised by cell phone
Bruce R Koball
Fired Contractor Arrested in Computer Sabotage
Babbage-Catch Dolls?
Web Spoofing Is No Joke
Computer threatens 11,000 car-owners in Finland
Toomas Tamm
Run For Your Lives! Beepers Go Berserk, Refuse to be Silenced
Norm deCarteret
Double bills from SNDSS hotel
Defense Science Board Task Force on Information Warfare — Defense
A Blyth
InfoWar (a)--fraud & scavenging
Mich Kabay
Infowar (b): Misrepresentation on the Net
Mich Kabay
New US regs ban downloadable data-security software
Lucky Green
Y2K problems? What about 1997 problems for Coast Guard? [identity withheld]
British Telecom plan for Y2K noncompliance fines
Lloyd Wood
Re: VISA fines banks with Y2K problems
Lloyd Wood
Denied removal from a data collection service
Dennis Glatting
Internet Archive - copyright violations and future embarrassment
Tim Slagle
7th Conference on Computers, Freedom, and Privacy
Bruce R Koball
Info on RISKS (comp.risks)

Newt Gingrich's confidential teleconference compromised by cell phone

Bruce R Koball <>
Fri, 10 Jan 1997 14:53:30 -0800 (PST)
*The New York Times* reports today (10 Jan 1997) that Newt Gingrich was
overheard in a telephone conference call to other House bigwigs on 21 Dec
1996 plotting strategy on how to deal with his ethics problems and possible
attacks from opponents.  This despite his promise, made the same day to the
ethics subcommittee by his lawyer, that he would not use his office or his
allies to orchestrate a counter-attack to the charges.

Big deal, you say?  Politics as usual, you say?

I agree, except for one hook... the call was intercepted by a Florida couple
on a scanner radio, most probably from the cell phone connection of one of
the participants.  No fans of Newt, the couple reportedly recorded the
conversation and passed it along to an anonymous Democratic Congressman, who
released it to *The Times*.

Some people never learn... and therein lie the RISKS...

Fired Contractor Arrested in Computer Sabotage

"Peter G. Neumann" <>
Thu, 9 Jan 97 10:15:08 PST
David Salas, 34, worked last summer as a subcontractor on the development of
a computer system for the California Department of Information Technology.
He was fired after falling out with his business partner.  He has now been
arrested on three felony charges, for ``allegedly trying to destroy'' the
system.  He is suspected of having built a backdoor into the system so that
he could access it remotely.  [Source: *San Francisco Chronicle*, 9 Jan
1997, although the article is very short on details.]

Babbage-Catch Dolls?

"Peter G. Neumann" <>
Thu, 9 Jan 97 10:39:21 PST
Gears and relays of old-time mechanical computers have been known to
inadvertently engulf various foreign objects, but Cabbage Patch Snack Time
Kid dolls are designed to eat plastic food.  These dolls were reportedly
trying to ingest assorted children's hair and fingers during the recent
holiday season, incurring some minor scrapes and bruises.  [Source: *San
Francisco Chronicle*, 31 Dec 1995, A2.]  Mattel is offering $40 to anyone
who returns a doll, according to an item I heard on the radio.  Although
this risk has no direct computer-related connection, the absence of an
easily accessible off-switch does seem like a flaw in the design of the
human-doll interface.  On the other hand, the existence of a reverse-flow
switch would probably be a bad influence on the eating habits of small

  Always look a gift doll in the mouth, but don't look too closely.
  The doll might have a ball, and it might be your (eye)ball.

Web Spoofing Is No Joke (Edupage, 9 January 1997)

Edupage Editors <>
Thu, 9 Jan 1997 18:00:43 -0500 (EST)
Researchers at Princeton University have released a paper documenting ways
that nefarious crackers could dupe unwitting Web browsers into divulging
personal information, such as bank personal identification numbers or credit
card numbers.  One way to do this is to break into a legitimate Web server
and alter the links to other sites, so that when users click to transfer,
they're actually transported to the cracker's computer where the virtual
hijacker can watch every move they make (such as entering credit card info
when prompted).  The researchers suggest that Web surfers take the following
precautions: disabling JavaScript in their Web browsing software; keeping an
eye on the software's location line, to ensure they know where they are; and
paying close attention to the addresses they visit.  (*Chronicle of Higher
Education*, 10 Jan 1997, A25)
< >
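Added example; not from the Edupage item or the Princeton paper it summarises. The attack described above works by rewriting links on a legitimate server, so a site owner's counterpart to "watch the location line" is to check the page's own outbound links: resolve each href, compare its host against the hosts the page is expected to link to, and flag links whose visible text reads like one address while the href goes somewhere else. The page URL, allow list and sample HTML are constructed for the example.

```python
# Added example; not from the Edupage item or the Princeton paper it summarises.
# A site owner's integrity check over a page's outbound links. Page URL, allow
# list and the sample HTML below are constructed for the example.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Matches visible link text that reads like a URL or a bare hostname.
_HOST_IN_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#]|$)")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href is not None:
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def find_suspicious_links(html, page_url, allowed_hosts):
    """Return [(href, text, [reasons])] for links that use a non-http scheme,
    point at a host outside allowed_hosts, or show one host in their visible
    text while their target is another."""
    collector = _LinkCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for href, text in collector.links:
        target = urlsplit(urljoin(page_url, href))
        host = (target.hostname or "").lower()
        reasons = []
        if target.scheme not in ("http", "https"):
            reasons.append("non-http scheme")
        elif host not in allowed:
            reasons.append("host not in allow list")
        shown = _HOST_IN_TEXT.match(text)
        if shown and shown.group(1).lower() != host:
            reasons.append("visible text names a different host")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample page: two honest links and one rewritten link whose
# visible text still reads like the site's own address.
SAMPLE_PAGE_URL = "https://bank.example/accounts"
SAMPLE_ALLOWED_HOSTS = {"bank.example"}
SAMPLE_HTML = """
<p><a href="/login">Log in</a> or read the <a href="https://bank.example/help">Help</a> pages.</p>
<p>Pay bills at <a href="https://bank.example.lookalike.test/login">https://bank.example/login</a></p>
"""


def scan_sample():
    return find_suspicious_links(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_ALLOWED_HOSTS)


if __name__ == "__main__":
    for href, text, reasons in scan_sample():
        print(f"{href}  (shown as {text!r}): {', '.join(reasons)}")
```

Run against a copy of each published page, the scan reports only links that leave the expected hosts, which is the change the attack described above has to make; links whose text and target disagree are reported separately because that is what a user watching the location line would notice.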

Computer threatens 11,000 car-owners in Finland

Toomas Tamm <>
Fri, 10 Jan 1997 10:13:15 +0200 (EET)
In the Finnish TV news on 9 Jan 1997, it was reported that the Finnish car
registry had sent mail to 11 thousand car-owners stating that the
registration of their cars would be dropped from the registry, "because the
car has been out of use". The registry representative said this was caused
by a "computer error" the exact cause of which is being investigated.  The
registry then sent out 11,000 apology letters.

What if the program had silently marked the 11,000 registration records as

Toomas Tamm, Department of Chemistry, FIN-00014 University of Helsinki FINLAND  +358+9-191-40173

  [Also reported by Jouko Holopainen <>.  PGN]

Run For Your Lives! Beepers Go Berserk, Refuse to be Silenced

"Norm deCarteret" <nsdec@VNET.IBM.COM>
Fri, 10 Jan 97 08:56:25 EST
Today's front page of the *Wall Street Journal* hints of the apocalypse: ``A
technical problem on the Skytel paging network led to a nationwide bout of
beeper madness, as a digital deluge of erroneous call-me-back messages swept
over more than 100,000 unwitting pager customers.''

What happened was an erroneous broadcast at 8 AM EST to over 100,000 Skytel
pager customers, most of whom assumed it to be a local phone#.  Thousands
tried to return the call.  The incident was then compounded by some 36 users
who recognized the number for what it was, a PIN.  They dialed Skytel,
entered the PIN and their own phone numbers.  ``The Skytel system then
efficiently zapped those real phone numbers out: to the same 100,000 pager
customers.  Ever eager, thousands of them then returned calls to the
diligent three dozen'' who got 300 calls an hour or more, still 40 an hour in
the afternoon.

At one time or another, we've all been grateful to a helpful customer
service rep who has managed to overcome ``the system'' and correct some
problem plaguing us.  Evidently, that's exactly what a Skytel staffer was
trying to do for a customer who wanted her pager service activated.  But
somehow ``a terribly wrong PIN'' was assigned, one that was linked to a
secret code Skytel uses to broadcast news to 100,000 users.  The network
computer saw the PIN was wrongly linked and rejected it, ``but the Skytel
staff successfully overcame the computer's recalcitrance'' and then tested
the new customer's PIN by zapping the 7-digit number over the network so it
would show up on her display.  Scott Hamilton, Mtel (Skytel's parent company)
spokesman: ``with any kind of computer system, from time to time, numbers
have to be jiggled, and they were attempting to jiggle.  It was just a

Who of us hasn't ``jiggled'' a computer or been profusely grateful to
someone who did it for us and solved some nasty problem.  One RISK is that
many people who have to work with computers "know" how dumb they really are
and have found end-around plays in order to get the job done.  But, of
course, sometimes the computer 'recalcitrance' is deliberate.

Norm deCarteret

  [Also noted by Scott Call <> and
  George C. Kaplan <>.  PGN]

Double bills from SNDSS hotel

"Peter G. Neumann" <>
Wed, 8 Jan 97 8:49:46 PST
Don't duck bill analysis for reservations made on 17 Dec 1996 at the San
Diego Princess — for example, for attending SNDSS on 10-11 Feb 1997 (see
RISKS-18.20).  ALL CHARGED DEPOSITS on that day were double billed because
of a human/computer screwup.  (However, you may duck billed platypuses while
in San Diego.)

Defense Science Board Task Force on Information Warfare — Defense

A Blyth <>
Fri, 10 Jan 1997 21:04:55 +0000
A Defense Department panel, in an unusually strident report, recommended $3
billion of additional spending over the next five years to improve the
security of the nation's telecommunications and computing infrastructure.
Warning of a possible ``electronic Pearl Harbor,'' the task force appointed
by the Defense Science Board also said the Pentagon should seek the legal
authority to launch counterattacks against computer hackers.  ``There is a
need for extraordinary action,'' the board's task force on ``Information
Warfare-Defense" stated in a report that was quietly released on Friday.
Current practices and assumptions, it said, "are ingredients in a recipe for
a national security disaster."  The report also predicts that by the year
2005, attacks on U.S. information systems by terrorist groups, organized
criminals and foreign espionage agencies are likely to be ``widespread.''

  [The full article is entitled REPORT OF THE DEFENSE SCIENCE BOARD TASK
  Wall Street Journal*, 10 Jan 1997.  PGN Excerpting.  Also contributed by
  "Betty G. O'Hearn" <>.  PGN]

InfoWar (a)--fraud & scavenging

"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
10 Jan 97 16:45:17 EST
For RISKS participants struggling to convince their managers of the
possibility of information warfare level II (inter-corporate conflict via
information), here is a useful case.

Canada's _Globe and Mail_ 97.01.10 pA1:

Letter drive linked to Shoppers employee: Owner of Meditrust says he
believes campaign scared investors away from mail-order pharmacy.

By Jane Coutts and John Saunders,   _The Globe and Mail_

A letter campaign attacking a mail-order pharmacy company has been traced to
a mailbox rented by the secretary of a vice-president of Shoppers Drug Mart.
The [C]$11-a-month box is home to the Society of Concerned Pharmacists,
whose listed address, Suite 142, 2671 Eglinton Ave.  E., is in fact Box 142
at Mail Boxes Etc., a private postal outlet.

Key points from the article:

* No evidence yet of the legitimate existence of the SCP.

* SCP accused of sending out 6,000 copies of a letter highly critical of the
mail-order pharmacy business proposed by Meditrust Healthcare Inc.

* Letter said SCP represented 6,000 pharmacists; now claimed to be
typographical error (should have been 600 but no proof of any members at

* Letter written by Larry Rosen, independent pharmacist partly funded in the
past by Shoppers Drug Mart.  .  .

* ... but letter was signed by another person described as a practising
pharmacist — of whom the College of Pharmacists of Ontario has no record

* Letter may account for failure of initial public offering of shares.

* Private Investigator searched garbage of mail drop and found record
showing that secretary rented box.

  This minor case demonstrates the risks of (1) breaching authenticity by
fraudulent misrepresentation; (2) the effects of breaches of integrity of
data in the real world, including especially the investment community; and
(3) the risks of breaches of confidentiality such as throwing out
confidential information in plain garbage.

  Extensions of these lessons to purely electronic data are clear: verify
authenticity and integrity of data before acting on any information from
untrusted sources; obliterate data remnants.  MEK

M.E. Kabay, Ph.D.  / Director of Education National Computer Security

Infowar (b): Misrepresentation on the Net

"Mich Kabay [NCSA]" <75300.3232@CompuServe.COM>
10 Jan 97 16:47:19 EST
Jack Kapica reports on cyberspace every Friday in _The Globe and Mail_.  He
points out today (Cyberia column, 97.01.10 p.A6) that despite the enthusiasm
expressed by the likes of _The Washington Post,_ _The Economist_ and _The
New Yorker_, AMAZON.COM does not, in fact, have more than 1,100,000 titles
in stock as claimed.  They actually have only 200 titles in stock in their
warehouse.  They just order the rest from distributors and wholesalers --
just like all other bookstores.

for an article by Jonathan Chait and Stephen Glass.

Caveat lector.

M.  E.  Kabay, Ph.D.  / Director of Education National Computer Security

New US regs ban downloadable data-security software

Lucky Green <>
Tue, 31 Dec 1996 19:05:05 -0800
The new US crypto export regulations control the export of most if not all
data-security software, regardless of whether the software uses
cryptography. Many software archives seem to be in violation of the new regs.

[Federal Register: December 30, 1996 (Volume 61, Number 251)]
[makes it illegal to export without a license:]

   c.3. ``Software'' designed or modified to protect against malicious
        computer damage, e.g., viruses;

[For the full text, see]

This certainly controls virus checkers, firewalls, and other security
software. There are substantial penalties involved in violating the EAR.
The US can assess daily penalties and block all exports of a company's
non-violating products. Criminal penalties apply as well.

"Export", as defined in the new regs, includes making software available on
the web or via ftp.

If you have a virus checker or similar software available for ftp inside
the US and the software can be downloaded from outside the US, you are most
likely in violation of the new EAR which took effect on 12/30/1996.

If you do not wish to go to prison, you may want to consult an attorney
immediately and remove all data security software from your server.

IANAL  --Lucky Green <>

Y2K problems? What about 1997 problems for Coast Guard?

<[identity withheld by request]>
Thu, 9 Jan 1997
On Wednesday 8 Jan 1997, the entire US Coast Guard discovered that its
standard Spreadsheet no longer runs on Wednesdays (or Saturdays), and
refuses to print files on Tuesdays and Thursdays!  Mondays and Fridays are
OK, though.

The Coast Guard uses a proprietary Operating System called CTOS, marketed by
Unisys.  Although most of the software was specifically built for the CTOS
environment, some of it was ported over from other operating systems.  A
program called Ofis Spreadsheet is an amazing clone of Lotus 1-2-3 v2.2, for

On the above date, everyone noticed that their spreadsheet program no longer
worked, giving what amounts to a Windows' General Protection Fault error at
start-up.  It turns out that the hexadecimal codes that CTOS uses to
represent the date added an extra digit with the new year.  Apparently, they
went from FFFFFFF to 10000000 at some point after New Year's Day.
Unfortunately, some of the non-native applications (the 1-2-3 clone and the
Progress db's seem to be the ones in question) can't handle this change

Interestingly, although no word has yet been spread on how to solve the
anecdotal Progress problems (of which I've seen no sign myself), the
solution to the spreadsheet conundrum is to change the date format.  Even
though the spreadsheet file may not access any date functions, the
application *does*, and it doesn't like MM/DD/YY formats from 1997 onwards.
But if you change the startup files to indicate a DD/MM/YY format, the
problem goes away...

RISKS: You may be concentrating on a problem (Y2K, which is a major effort
in the Coast Guard just now) that is not *quite* as timely as another that
is sneaking up on you.  Watch out! This sort of embarrassment just might
undermine your Y2K efforts.

Perhaps, from this time forward, it might be smart to run test systems with
clocks set a month or more ahead of schedule.  Just in case.  I know that I
will be.
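Added example, not Coast Guard or Unisys code. It models the failure the item above describes (a date stored as hex digits gains a digit, and a ported program that assumed a fixed field width breaks) and the precaution in its last paragraph (run with the clock set ahead and see what fails). The encoding, epoch, field width and record layout are constructed for the example; the page does not give the real CTOS date format.

```python
# Added example, not Coast Guard or Unisys code. Encoding, epoch, field width
# and record layout are constructed stand-ins for the CTOS format the item
# above does not spell out.
import datetime as dt

EPOCH = dt.datetime(1988, 7, 1)   # assumed epoch for the constructed encoding
FIELD_WIDTH = 7                    # the ported application hard-codes 7 hex digits
SEPARATOR = "|"
# First instant at which the hex count needs an eighth digit (FFFFFFF -> 10000000).
ROLLOVER = EPOCH + dt.timedelta(seconds=16 ** FIELD_WIDTH)


def encode_date(when):
    """OS side: seconds since EPOCH in upper-case hex, as many digits as needed."""
    return format(int((when - EPOCH).total_seconds()), "X")


def make_record(when):
    """A constructed data record: date field, separator, then other fields."""
    return encode_date(when) + SEPARATOR + "rest-of-record"


def parse_fixed_width(record):
    """Ported application: reads exactly FIELD_WIDTH digits and insists that
    the next byte is the separator, so an eighth digit is a hard failure."""
    stamp = record[:FIELD_WIDTH]
    if record[FIELD_WIDTH:FIELD_WIDTH + 1] != SEPARATOR:
        raise ValueError(f"date field wider than {FIELD_WIDTH} digits: {record!r}")
    return EPOCH + dt.timedelta(seconds=int(stamp, 16))


def parse_delimited(record):
    """Hardened reader: the field ends at the separator, whatever its width."""
    stamp, _, _ = record.partition(SEPARATOR)
    return EPOCH + dt.timedelta(seconds=int(stamp, 16))


def parses_ok(parser, when):
    """True if `parser` round-trips the record for `when` without error."""
    try:
        return parser(make_record(when)) == when
    except ValueError:
        return False


def clock_ahead_check(parser, start_iso, months=3):
    """Simulate the clock set ahead, one day at a time, from start_iso for
    `months` months; return the first ISO date on which `parser` fails,
    or None if it survives the whole window."""
    day = dt.datetime.fromisoformat(start_iso)
    end = day + dt.timedelta(days=30 * months)
    while day <= end:
        if not parses_ok(parser, day):
            return day.date().isoformat()
        day += dt.timedelta(days=1)
    return None


if __name__ == "__main__":
    print("hex width grows on", ROLLOVER.isoformat())
    for name, parser in (("fixed-width", parse_fixed_width), ("delimited", parse_delimited)):
        print(f"{name}: first failure {clock_ahead_check(parser, '1996-12-01')}")
```

With the constructed epoch the seven-digit field happens to fill up on 1 January 1997, so a clock-ahead run started in December 1996 would have reported the fixed-width reader failing weeks before the real date arrived; the delimited reader survives the same window.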

British Telecom plan for Y2K noncompliance fines

Lloyd Wood <>
Thu, 9 Jan 1997 18:24:32 +0000 (GMT)
BT recently merged with MCI to form Concert; will MCI be following suit? Is
the 18-week grace period long enough for previously complacent suppliers to
rectify their systems?  [*Electronic Telegraph*, City News, 9 January 1997]

 [The 'red card' references are to a game called football, played
 here in the UK, where a red card signifies that a player is sent off
 the pitch for an offence such as kneecapping an opponent or beating
 up a spectator. This game has nothing whatsoever to do with American
 football or Australian-rules football, and is *not* called soccer.  L.]

includes links to related resources and previous articles on the millennium

By Roland Gribben

BRITISH Telecom is warning suppliers that they will be shown the ``red
card'' and be sacked if they cannot produce evidence that they are working
to change their computer and information technology systems to cope with the
year 2000 date change.  The group has written to its 1,800 suppliers and
drawn up a green, amber and red coding system to detail the state of
preparedness.  ``Red'' suppliers are in danger of being removed from the
list of suppliers.

More than half BT's suppliers have yet to answer inquiries about the change,
according to the latest edition of Computer Weekly.  Milli Lewis, BT's year
2000 project manager, said: ``We are starting an escalation process which
will lead to BT not trading with suppliers after an 18-week warning.''
BT has already started planning for changes in its computer network and aims
to have everything in place by the end of next year, but along with other
major groups also deeply involved in the exercise, it is worried that other
companies down the supply chain will not be ready.

The telecommunications group is ready to step up the pressure on suppliers
it feels are failing to demonstrate they are taking the change seriously and
could start weeding out the laggards by March.  It has a team of managers
available to help companies tackle the problem.


Re: VISA fines banks with Y2K problems (Wood, RISKS-18.73)

Lloyd Wood <>
Wed, 8 Jan 1997 15:06:50 +0000 (GMT)
In response, Michael C Voorhis wrote,

> Actually, it appears, you don't need to register in order to use that URL.
> It already has my "user code" attached to it.
> The correct URL for the web page is included above, everything to the
> right of the question-mark in the URL above specifies that I'm reading
> the article I would imagine.
> Hmm.  I suppose as a RISKS reader I might have checked this, but I did not.
> A risk associated with passing URL's to other people, via e-mail?

Good question. Other people can now pretend to be you to the site, and
browse the site without registering, giving false reading preference
information to the site.

This is arguably good for web users as a whole, many of whom dislike having
their preferences tracked, but bad for the content provider and for the user
allocated the URL if the URL owner attempts to do customised profiling, page
output or secure transactions based on the supplied data.

The registration could be made more secure, with name and password required
each time for access instead of a bookmarkable identifier-in-URL - but many
sites have gone away from that model, since it discourages casual use.

Here in the UK, the Electronic Telegraph, which I'm more familiar with, uses
a similar identifier-in-cgi-for-state-machine URL.

They've completely redone their identifier system, requiring that people
reregister, three times since going online in 1994, presumably due to
running out of allocation numbers (new URLs are considerably longer) and/or
wanting to purge 'old' users from their database.

I don't know what data is generated or how the ET plans to move to a payment
system for searching their archives, which have been on a 'free trial' basis
for the last couple of years.

Open, easily-subverted registration systems like these provide a risk to the
overall quality of the provider's tracking data and a risk to the individual
registered, but it's probably an acceptable risk to society as a whole, IMO,
since it's convenient and makes the content referrable.

For the user so inclined, it's a great way of increasing your privacy by
providing inaccurate data and fudging the data generated to track your
reading interest.

Anyway, when you registered the only true information you provided was a
valid e-mail address for automatic verification - right? The online
newspapers are starting from a mass of unverified information, and the
tracking information can't make it any better. Entropy goes one way, and (in
this case) I can't see the ET easily moving to a payments model for their
search engine any time soon.
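Added example, not from the Electronic Telegraph or any site named above. It contrasts the two registration models the message discusses: an identifier carried in a bookmarkable URL, which makes anyone holding that URL the registered reader, and a name-and-password login whose identity lives in a server-side session that a forwarded link does not carry. It also shows the reader-side precaution of stripping the identifier before passing a URL on by e-mail. The parameter names, sample URL and user table are constructed for the example.

```python
# Added example, not from the Electronic Telegraph or any site named above.
# Parameter names, the sample URL and the user table are constructed.
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

IDENTIFIER_PARAMS = {"user", "uid", "code"}   # assumed names of identity parameters


def identity_from_url(url):
    """Identifier-in-URL model: whoever presents the URL is treated as that reader."""
    params = dict(parse_qsl(urlsplit(url).query))
    for name in IDENTIFIER_PARAMS:
        if name in params:
            return params[name]
    return None


def strip_identifiers(url):
    """Reader-side precaution: drop identity parameters before forwarding a
    link, keeping only the parameters that select the content."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k not in IDENTIFIER_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


class SessionStore:
    """Login-each-time model: the URL names only the article; the reader is
    known from a session token issued after a password check and presented
    separately (in a cookie, say), so a forwarded URL carries no identity."""

    def __init__(self, users):
        self._users = users            # constructed table: name -> password
        self._sessions = {}            # token -> user

    def login(self, user, password):
        expected = self._users.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(16)
        self._sessions[token] = user
        return token

    def identity(self, url, token):
        """Identity comes from the token alone; nothing in the URL is trusted."""
        return self._sessions.get(token)


# Constructed sample link of the bookmarkable kind discussed above.
SAMPLE_URL = "https://news.example/story?id=4711&code=R8821"

if __name__ == "__main__":
    print("identifier-in-URL sees reader:", identity_from_url(SAMPLE_URL))
    shared = strip_identifiers(SAMPLE_URL)
    print("safe to forward:", shared, "-> reader:", identity_from_url(shared))
    store = SessionStore({"alice": "correct horse"})
    token = store.login("alice", "correct horse")
    print("session model, own browser:", store.identity(SAMPLE_URL, token))
    print("session model, forwarded link:", store.identity(SAMPLE_URL, None))
```

The trade-off the message describes is visible in the two models: the URL model needs no login and survives bookmarking and e-mail, but its identity travels with the link; the session model keeps identity out of the link at the cost of a login each time.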


Denied removal from a data collection service

Dennis Glatting <>
Fri, 3 Jan 97 08:44:04 -0800
Recently, there was a message posted in this forum of data collection
services and a list of contacts to have yourself removed from them. I contacted
several of those services and was surprised by the response from
Bigfoot. Apparently, their database is one-way although I can subscribe to
their service and *modify* my profile.

> From: (Bigfoot Admin)
> Subject: Re: REMOVE
> Date: Fri, 03 Jan 1997 09:08:26 -0500
> Currently, we can not delete listings that have already been
> entered in our database.  However, you may edit your profile to
> become unlisted and therefore have no information visible to
> anyone searching for you on our directory.  Just follow the
> following steps to change your status:

I do not know how Bigfoot collected my e-mail addresses (they have collected
both past and present e-mail addresses) but spammers tend to collect
addresses by scanning the USENET. To battle the onslaught of spam I no
longer use a valid return address in my news postings. I wish that were not

The risks? First, unknown to the people, companies collect information on
them and freely advertise it. Imagine the repercussions of battered women
hiding from their spouse.  Two, you may or may not have any rights regarding
the information about you they make available. Lastly, to protect ourselves
we are being forced into an anonymous society.


Internet Archive - copyright violations and future embarrassment

Tim Slagle <slagle@drip.Colorado.EDU>
Tue, 7 Jan 97 15:08:14 -0700
I was looking through the logs of our HTTP server and saw a large block of
accesses from  It looked like they were sequentially
downloading each page on our server, but I didn't recognize the address as
being one of the usual search services.

I checked out their web site ( and it looks like they are
systematically making and storing copies of everything they can access over
the Internet.  Their pages talk about what a great research tool their
database will be for future 'net historians, but also says that it will be a
treasure-trove for marketers and entrepreneurs.

I didn't find a discussion of their position on the copyright issues their
project brings up, but I doubt that whole-scale copying of entire sites
without any human intervention or commentary is 'fair use', especially
considering the American Geophysical Union v. Texaco case (RISKS 16.68).  At
more than 1 TB of text and images copied off of the 'net (and 100GB more
each week), they could have the largest archive of violated copyrights in
the world.

Giving them the benefit of the doubt (that they aren't maliciously copying
other people's work for profit), a risk is that one's enthusiasm for a new
medium or technology can blind one to the existing legal guidelines that
apply to one's project.  I don't really have the interest or resources to
pursue an infringement suit, but I bet someone else (like an artist,
publisher, or software company) will, especially if the Internet Archive
starts allowing access to their data.

Another risk for people with Web pages is that every rant or embarrassing
picture that you publish on the Web (and later think better of and remove)
could now be accessed by future generations without your control.  It could
be argued that posting to Usenet implies a certain loss of rights to control
the fate of your message, given the nature of Usenet distribution.  I
wouldn't think the same is true for Web pages (but I have no qualifications
in IP law).

Tim Slagle,,

7th Conference on Computers, Freedom, and Privacy

Bruce R Koball <>
Wed, 8 Jan 1997 18:12:41 -0800 (PST)
   The Seventh Conference on Computers, Freedom, and Privacy
       CFP'97 : Commerce & Community, 11-14 March 1997
  San Francisco Airport Hyatt Regency; Burlingame, California

CFP'97 will assemble experts, advocates, and interested people from a broad
spectrum of disciplines and backgrounds in a balanced public forum to
address the impact of new technologies on society.  This year's theme
addresses two of the main drivers of social and technological
transformation: How is private enterprise changing cyberspace? How are
traditional and virtual communities reacting?

Topics in the wide-ranging main-track program will include:
  Perspectives on Controversial Speech
  The Commercial Development of the Net
  Governmental & Social Implications of Digital Money
  International Perspectives on Cryptography
  Cypherpunks & Cybercops
  Regulation of ISPs
  Intellectual Property and Info-Property
  The 1996 Elections:  Creating a New Democracy
  The Coming Collapse of the Net
In addition, there will be parallel-track lunch-time workshops:
  The Case Against Privacy           How a Skiptracer Operates
  Cyberbanking                       How the Architecture Regulates
  Rights in Avatar Cyberspace        National I.D. Cards
  Public Key Infrastructures         European IP Law
  Sexual Harassment in Cyberspace    Virtual Communities
  Domain Names                       Archives, Indexes & Privacy
  Government Regulation of E-cash    Crypto and the 1st Amendment
and tutorials:
  The Economics of the Internet
  Regulation of Internet Service Providers
  The Latest in Cryptography
  The Constitution in Cyberspace
  Info War: The Day After
  Personal Information and Advertising on the Net
  Transborder Data Flows and the Coming European Union
  Intellectual Property Rights on the Net: A Primer

A complete conference brochure and registration information are
available on our web site at:
For an ASCII version of the conference brochure and registration
information, send e-mail to:
For additional information or questions, call: 415-548-2424
