The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 18 Issue 81

Thursday 6 February 1997

Contents

o The (f)e-mail of the PCs is more deadly than the bail
PGN
o Difficulties in developing large systems: IRS, etc.
PGN
o E-mail saboteurs confuse Columbian kidnapping negotiations
Miranda Mowbray
o Dutch bank folly
Sape Mullender
o Will-o'-the-w-ISP! More on AOL, Cyber Promotions
PGN
o AOL: 45 minutes and Out -- w/glitch
David Kennedy
o C++ Committee felled by Concept virus
Nathan Myers
o Syntax completion - a bad thing?
Andrew Kelly
o Re: Mike Schlier on memory loss by cosmic radiation
Martin Minow
o Re: The *Shetland Times* Summary
John Pelan
o Maryland Recycles Law On "Annoying" E-Mail
AOP Bulletin via David Farber
o Re: Electronic Funds Transfer without stealing PIN/TAN
Dan Wallach
Lloyd Wood
o Re: Student takes 3.5 hours to crack RC4 40-bit key
D. Dale Gulledge
o Proposed satellite monitoring of car movements in Sweden
Feliks Kluzniak
o Car radio "security" KeyCodes
Paddy Spencer
o Info on RISKS (comp.risks)

The (f)e-mail of the PCs is more deadly than the bail [!]

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 6 Feb 97 10:31:37 PST
The case involving Adelyn Lee and Oracle's CEO Larry Ellison (see
RISKS-18.07-08) resulted in Ms. Lee being found guilty of perjury and
falsification of evidence.  She had previously won a $100,000 settlement
against Oracle, using as evidence an e-mail message (``I have terminated
Adelyn per your request.'') supposedly sent to Ellison by her former boss,
Oracle VP Craig Ramsey.  The prosecutor claimed that Lee had sent the
message herself from Ramsey's account.  She faces up to four years in jail.
Subsequently, the judge ruled that she may not use any of that settlement
money to pay her bail.  [Source: *San Francisco Chronicle*, 29 Jan 1997,
A11, and 31 Jan 1997, E1]

  [... Another case involving the credibility of digital evidence in
  penetrable, tamperable, and spoofable environments...  Apologies to those
  of you who do not know the classical poem from whose title the Subject:
  line takes off.  PGN]


Difficulties in developing large systems: IRS, etc.

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 6 Feb 97 10:20:58 PST
The IRS is apparently going abandon its past Tax Systems Modernization
effort, on which it has spent $4 billion.  In testimony for the National
Commission on Restructuring [``reinventing''] the IRS, IRS Assistant
Commissioner Arthur Gross (who less than a year ago took on responsibility
for IRS computers) stated that the systems ``do not work in the real
world.''  (Past criticism has come from the Government Accounting Office and
the National Research Council.  See also RISKS-17.96, 18.23-25, 18.43.)
Gross noted that the IRS lacks the ``intellectual capital'' for carrying out
the effort.  One system had been cancelled earlier (the program for
converting paper returns to electronic form), and 12 more systems are under
review.  Gross is proposing to contract out the processing of individual
returns to commercial firms (which raises all sorts of privacy issues),
although that is only a small portion of the processing demands.  [Source:
An item from *The New York Times*, seen in the *San Francisco Chronicle*, 31
Jan 1997, A1.]

A subsequent editorial on the IRS's plight [*Chron*, 2 Feb 1997] also
reminds us that the FBI ``threw away'' a $500-million fingerprint-on-demand
computer and its crime information database, the State of California spent
$1 billion on its nonfunctional welfare database system, along with more
millions on BART and the DMV.  Readers of RISKS are well aware of the
difficulties of developing large systems.  The real question is whether
anyone is learning from the past experience.  If only we were building
bridges and Henry Petroski were able to help us!


E-mail saboteurs confuse Columbian kidnapping negotiations

Miranda Mowbray <mjfm@hplb.hpl.hp.com>
Mon, 3 Feb 1997 20:21:11 GMT
Last August, sixty Colombian soldiers were kidnapped by the Fuerzas Armadas
Revolucionarias de Colombia (FARC), a Marxist-Leninist guerrilla group.  The
Colombian Government announced a few days ago that they would change from
negotiating with the kidnappers through face-to-face meetings with
intermediaries, which is slow and dangerous, to negotiating by e-mail.

Just after the announcement, the Government received a puzzled message from
the FARC, saying that they had already received two e-mail messages claiming
to be from the Government.  The e-mails are thought to have come from
right-wing saboteurs who do not want any negotiations to take place.

Source: BBC World Service News, 2/2/97
Miranda Mowbray mjfm@hplb.hpl.hp.com


Dutch bank folly

Sape Mullender <sape@styx.huygens.org>
Mon, 03 Feb 1997 22:31:21 +0100
An interesting scandal concerning electronic banking occurred in Holland.

It needs a bit of introduction: Banks have a system of `direct debit'
whereby a company (originally the utility companies, now almost every
company that requires periodic payments for services) can directly charge an
amount to a client's bank account.  Clients have to agree to this in advance
by signing a statement authorizing a company to do such direct debits.  The
banks guarantee that, up to three weeks after such a debit has occurred, the
client can undo the transaction.  Companies can use electronic-banking
software on their PCs to carry out direct debits.  The software package
(Girotel) is the same as the one clients can use to do their banking
electronically from their homes.

Last month, a Friesian church minister who publishes, I believe, a magazine
of some sort, requested a direct-debit arrangement so that he could directly
debit the accounts of his subscribers.  He was vetted by the bank and
declared reliable, so he got permission to carry out direct debit --
supposedly from consenting customers.

He then set to experimenting with it and discovered that he could
direct-debit the account of his sister-in-law without her signed agreement
and that he could also completely control the text on her bank statement
(except for the amount and the bank-account number).  He withdrew Hfl 2.50
from her account and got the text `Waterleidingbedrijf Friesland' (Water
utility company Friesland) on her bank statement.

Our minister was surprised and informed the press which led to some
considerable outrage about bank security.  A bank director, confronted with
the situation said that `nobody who had ever had money direct-debited from
his account wrongfully has not gotten it back' (sorry about the double
negative, but that's the way he put it).

The news programme in which he said this had just presented results from a
poll that showed that 20% of the people interviewed never check their bank
statements.  One wonders how the bank discovers whether people who do not
check their bank statement have had wrongful direct debits.  The banks
certainly appear to ignore the authorizations.  The reporter, unfortunately,
was not clever enough to ask the obvious follow-up question.

Sape Mullender


Will-o'-the-w-ISP! More on AOL, Cyber Promotions

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 6 Feb 97 9:47:20 PST
1. AOL's network bombed again, beginning at 2pm on 5 Feb 1997, and was not
fully restored until about 4:30pm.  The problem was attributed to a
"technical glitch" in a software upgrade.  [When have we heard that one
before?]

2. AOL was inaccessible to new sign-ons for about 20 minutes on 2 Dec 1996,
due to a ``software system bug'' in preparing for the influx of users
expected when the flat-rate charges went into effect; the 165,000 existing
sign-ons were left intact.  After fixing the bug at 4:55pm, AOL then blocked
about one of every 10 sign-on attempts for the evening.  (We note this case
retrospectively for the RISKS archives, although it may seem insignificant
in light of more recent problems.)

3. Cyber Promotions Inc got dinged twice this week.  On 3 Feb 1997, a
federal court barred them from sending unsolicited e-mail ads to
CompuServe's 5 million subscribers.  The next day, a different federal court
barred them from falsifying their FROM: addresses.  [I presume CPI will
still find ways to go through the (pro)motions.]

[Sources: Items 1 and 3 were in *San Francisco Chronicle* squibs, 6 Feb
1997.  Item 2 was from *The Washington Post*, 3 Dec 1997, C3.]


AOL: 45 minutes and Out -- w/glitch

David Kennedy <76702.3557@CompuServe.COM>
03 Feb 97 00:37:44 EST
AOL's latest strategy: 45 minutes and out (via COMTEX Newswire  31 Jan 1997)
[Courtesy of the COMTEX  Newswire via CompuServe's Executive News Service]

>    PC Week Online (January 30, 1997) - America Online Inc., trying to
> alleviate its by now infamous network gridlock, has come up with a new
> tactic: After 45 minutes on the service, users are being asked to log
> off. If they don't respond in 10 minutes, their session is ended.  [...]
> But there's one catch: Certain games, such as an AOL contest dubbed
> "Neverwinter," disguise the dialog box, resulting in users being kicked
> off the system without warning, according to some disgruntled subscribers
> and an AOL spokesman.  [...]  The Dulles, Va., company posted a fix
> enabling users to view the dialog box in its AOL Insider area earlier this
> week, he said.

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.


C++ Committee felled by Concept virus

Nathan Myers <ncm@cantrip.org>
Tue, 4 Feb 1997 13:58:10 -0800 (PST)
At the November 1996 meeting of the ISO/ANSI C++ Standard committee, the
computers provided by the meeting host for document preparation got an
infection of the MS Word "Concept" macro virus.  Since most attendees bring
a laptop, those got infected too.  We ended up spending twenty minutes in
full committee (~60 people) on explanations of how to eliminate it, and
protect against future infections.  The Concept virus, by the way, got its
big initial propagation aboard Microsoft Developer CDs.

Those of us who never use MS Word (because it's so buggy? see
http://www.cantrip.org/nobugs.html) were tickled half to death.  If a room
full of C++ experts can't keep viruses off their machines, what hope is
there for Joe User?  (Those of us using Linux were, of course, unaffected.)

If ever there were grounds for a class action lawsuit against a
software distributor, this would seem to be it: releasing a program
with a virus susceptibility switch, with the switch defaulted to "on",
and then negligently distributing a sample virus to take advantage of
it.  Given the great difficulty this has caused many large organizations
(I gather the University of Oregon was severely disrupted) I would
expect to see many co-plaintiffs on such a suit.  (NB: IHNBAL*.)

The RISK?  The usual: badly-designed software and arrogance lead to
angry (or sometimes just embarrassed) customers, and lawsuits.

Incidentally, another RISK is causing users who know better than to run the
buggy software laughing themselves silly at those who don't, and then
getting punched in the nose.

Nathan Myers <ncm@cantrip.org>  (*) Nota Bene: I Have Never Been A Lawyer.


Syntax completion - a bad thing?

Andrew Kelly <andrewk@vsl.com.au>
Thu, 06 Feb 1997 08:14:57 +0900
Looking at Rational's Apex Ada development environment, I am not at all sure
I am 100% pleased with the syntax completion it performs.  It seems to me
that syntax completion, as part of compilation, is not a good thing as it
*repairs* errors rather than report them (eg. unpaired begin/ends).  The
obvious risk being that incorrect code will quite happily be "repaired"
(very possibly, incorrectly) and will compile successfully.

I believe syntax completion should be available during editing, but not
automatically employed during compilation.  As far as I can discover, it
cannot be switched off in Apex either.

This seems, to me, to be more dangerous than it is useful ...  eg. If you
accidentally delete the "end" from a nested "if", where does the analyser
stuff the "end"?  Indeed, even if it gets the placement correct (eg. by
inference from the indentation

Has anybody had any experiences with syntax completion that may
confirm or allay my fears?

Andrew Kelly (andrewk@vsl.com.au), Software Design Engineer, Vision Systems,
Technology Park, Adelaide, SA 5095, AUSTRALIA ph: +61-8-300 4602


Mike Schlier on memory loss by cosmic radiation (Fischer, RISKS-18.79)

Martin Minow <minow@apple.com>
Thu, 30 Jan 1997 15:46:38 -0800
> From: Mike Schlier <schlierm@wpos.hill.af.mil>
> To: Martin Minow <minow@apple.com>
> In RISKS-18.79 you described an article describing research on memory loss
> caused by cosmic radiation.  I am in possession of a report put out by the
> Boeing Corp titled "Single Event Upset In Avionics" detailing a study of
> this same effect which was sponsored by the Defense Nuclear Agency and the
> Naval Research Laboratory. This paper was submitted for publication to the
> Dec 1992 IEEE Trans. Nucl. Sci.

> Mike Schlier, F-4 System Support, Hill AFB UT

  [Ed Fischer <EdFischer@aol.com> remarked on a typo in Martin's message,
     ``Summerized and translated by Martin Minow, minow@apple.com''.
  He suggested there must have been "Air[craft] conditioning".  PGN]


Re: The Shetland Times Summary

John Pelan <johnp@am.qub.ac.uk>
Tue, 4 Feb 1997 17:59:25 +0000 (GMT)
PGN asked me to summarize an overwhelming number of contributions [some not
included in RISKS, except for what was in RISKS-18.64,78,79] regarding the
*Shetland Times* case.

The most significant point to note is that the court case has yet to
happen.  A judge has merely granted a temporary injunction ("interim
interdict") preventing The Shetland News making hyper-text links to *The
Shetland Times*, pending a full court case later this year. That decision
was passed in October 1996 and no legal precedent has been set in doing so.

The case is being fought on the grounds of breach of UK Copyright Law.  The
final decision will probably rest on what constitutes a headline and whether
the headlines in question can be treated as a separate work either
individually or en masse, and whether websites fall within the definition of
'cable programme service' in the UK legislation.

At this stage the much touted implications of the outcome of the trial are
highly speculative, often greatly exaggerated *and* are largely provisional
on the complaint being upheld. Thus comments in this forum are best reserved
at this stage, pending the actual trial and possible appeal, until the legal
and technical RISKS, if any, become known.

 John Pelan (J.Pelan@qub.ac.uk)

[Thanks to Mark Gould <Mark.Gould@Bristol.ac.uk> for additional comments.
 Definitive information available via http://www.shetland-times.co.uk/
                                  and http://www.shetland-news.co.uk/   ]


Maryland Recycles Law On "Annoying" E-Mail

David Farber <farber@cis.upenn.edu>
Tue, 04 Feb 1997 17:37:46 -0500
 Excerpted from...

 =============================================================
 AOP Bulletin      Friday, February 3, 1997       Volume 97:05
 =============================================================

 The following is information distributed to members of the
 Association of Online Professionals and others involved in the
 online communications industry.  Contacts and other information
 about AOP may be found at http://www.aop.org.

 *****************************************************
 Maryland Recycles Law On "Annoying" E-Mail
 *****************************************************

 A Maryland bill that would make it illegal to send "annoying"  or
 "embarrassing" e-mail was introduced this week by Democratic General
 Assembly member Samuel Rosenberg.

 The bill got little support when it was introduced last year, but
 Rosenberg hopes to play off of recent murders involving electronic mail to
 see the bill passed.

 Civil liberties groups argue that the law would be unconstitutional, and
 that the terms "annoy" and "embarrass"  are too vague to be meaningful.
 If passed, House Bill 778 would amend the state's criminal harassment law
 to prohibit the use of e-mail to annoy, abuse, torment, harass, or
 embarrass other people, with violators receiving a fine up to $500 and
 three years in jail.

 A similar bill introduced last year is quietly progressing through New
 York's state legislature. Senate Bill 1414, introduced by Democratic State
 Senator Ray Goodman, could be voted on in the House early this year.

 Full text of the Maryland bill can be found at
 http://mlis.state.md.us/1997rs/billfile/HB0778.htm.


Re: Electronic Funds Transfer without stealing PIN/TAN

Dan Wallach <dwallach@CS.Princeton.EDU>
Mon, 03 Feb 1997 13:01:00 -0500
[Summary: an ActiveX control can add a pending online transfer to
          your Quicken file]

While interesting, this is a great example of "I told you so."  When you
accept an ActiveX control, you're allowing completely arbitrary code to
rummage around your machine and do anything it pleases.  That same code
could make extremely expensive phone calls (900 numbers or whatever) with
your modem; it can read, write, and delete any file on your computer; it can
install Trojan horses and viruses.  All without any of the subterfuge and
hackery required to do it with Java.  ActiveX hands away the keys to your
computer.

That said, ActiveX still has its uses.  On a corporate internal network,
ActiveX is a nice replacement for custom internal applications, where the
internal app would have been completely trusted, anyway.  ActiveX across the
*Internet*, however, is a disaster that doesn't have to wait very long to
happen.  The only security barrier is an annoying dialog box that many users
will either ignore or configure away [one wrong click and you now trust code
signed by each and every key issued by a given CA (e.g., VeriSign)].

The solution?  Blocking ActiveX (or Java) at the firewall seems fragile, at
best [see Dave Martin et al.].  Ideally you want to install your security
policy [e.g., only allow ActiveX signed by your IS department] inside every
user's Web browser.  I can't speak for any browser vendors, but it's safe to
suspect they're working on it.

Dan Wallach                  Princeton University, Computer Science Department
dwallach@cs.princeton.edu    http://www.cs.princeton.edu/~dwallach/  PGP Ready


Re: Electronic Funds Transfer without stealing PIN/TAN (RISKS-18.80)

Lloyd Wood <eep1lw@surrey.ac.uk>
Thu, 6 Feb 1997 21:06:59 +0000 (GMT)
>
> From: weberwu@tfh-berlin.de (Debora Weber-Wulff)
> The newspaper quotes various officials at Microsoft et al.
> expressing disbelief

'We left that out of the third-party developer documentation! Who leaked
it?'

> /outrage

'We've been beaten to market! By Germans! This is unamerican!'

> /"we're working on it".

'We'll be giving away our own secretly-siphon-all-your-money-to- Microsoft
ActiveX program, currently undergoing final usability tests and stringent
quality assurance in our developer labs, at no cost to you - just to try and
regain our deserved share of this exciting new emerging market!'

Where does your money want to go today?

L.

multiple mailing lists and resends to me.
if we had a decent newsfeed I'd've read it in comp.risks first.
<URL:http://www.sat-net.com/L.Wood/><L.Wood@ieee.org>+44-1483-300800x3435


Re: Student takes 3.5 hours to crack RC4 40-bit key (RISKS-18.80)

D. Dale Gulledge <ddg@cci.com>
Wed, 5 Feb 97 10:18:00 EST
Last night, in his State of the Union address, President Clinton advocated
placing confidential medical data online, as well as getting schools
connected to the Internet.  So long as his administration is opposed to
strong encryption and insistent on putting sensitive private information on
the net, the risks are numerous.  This contest offered a $1000 prize.  The
price for specific data on the net probably runs much higher than that.


Proposed satellite monitoring of car movements in Sweden

Feliks Kluzniak <feliks@carlstedt.se>
Wed, 29 Jan 1997 20:39:29 +0100 (MET)
The new issue of "Dagens IT", no. 3, dated 28 Jan - 3 Feb 1997 (a Swedish
paper aimed at information technology professionals), contains an item that
might be of some interest to those RISKS readers who followed discussions
about automatic highway toll booths in the US and related subjects.

My (probably imperfect) translation follows.

  Car users will be be put in "feetcuffs"
  (written by Margaretha Sundstroem)

With the help of a new satellite system car users might pay different taxes,
depending on when and where they drive.  This is what the State
communications commission is said to be discussing.

According to (the newspaper) "Dagens Politik", the State communications
commission is discussing a proposal to use satellites for determining car
taxes in the future.  It is proposed that all of Sweden's 3.5 million cars
should be equipped with a little reader fastened to the instrument board.
Car users would then buy cards that can be inserted into the reader.  The
card would communicate with a satellite that would register where you drive
and for how long.  The car tax would then be withdrawn from the card.

The proposal has been put forward by the State institution for communication
analysis.  They estimate that just the Stockholm (tax) authorities would be
able to earn six billion crowns by using this system.

The costs for car users would thereby increase.

 - - - -

The reference to "feetcuffs" (by analogy to "handcuffs" - ankle
shackles?)  is an allusion to radio transmitters that are irremovably
fastened to the ankles of some criminals in this country so that the
authorities can monitor their compliance with the rules of house arrest.

The word "communication" is meant to include car traffic etc.  The word
"billion" is given in its US meaning: a thousand million.

The risks?  Apart from the risks of having very complex systems
automatically determine how much you have to pay, there are the usual
privacy considerations. Some cry out "big brother".  Others say you are
already in this situation if you carry a cellular phone.

Feliks Kluzniak,  Carlstedt Research & Technology, Gothenburg


Car radio "security" KeyCodes

Paddy Spencer <paddy.spencer@parallax.co.uk>
Tue, 04 Feb 1997 12:41:30 GMT
Some time ago I managed to run the battery down on my car and after getting
a jump start I found the radio, instead of displaying the station frequency
showed three bars (---) flashing. I didn't know what the hell this was about
so started randomly pressing buttons (the radio has 4 pre-set station
buttons) and found that buttons 1-3 changed the number but 4 didn't appear
to do anything. Eventually the display stopped flashing and wouldn't accept
any more button presses.  I was bemused.

Lying awake that night I realised that this was of course the security
system that Ford introduced into their audio systems: disconnect the power
source (here done by running the battery flat) and you need to enter a
security code to regain access to your system.

I asked around various Ford garages and eventually found one that offered to
give me the code -- apparently there is a database of all security codes
that is sorted by the serial code on the radio. I took it along and the guy
quite happily took the radio off and dug out the code and told me what to do
to set it; you get ten goes to put the right code in, after this you have to
leave it in the car with the ignition on, but the engine not running for 1
hour, after which you get to try again.

So where are the RISKS?

1. I received about half a dozen different sets of instructions on how to
reset the radio -- all from Ford staff! Introducing a technology throughout
your entire product spectrum and not making sure your staff know how to use
it...

2. The guy who found the code for me made no effort to ascertain that I had
a legitimate right to own the radio or retrieve the code. For all he knew, I
might have nicked it from a car that morning and be wanting to have it reset
in order to sell it later.

3. After finding out the code, he then wrote it on the case of the radio --
on a label provided by Ford for this purpose! So Ford on the one hand say
"If a thief removes the radio he can't use it because he doesn't know the
code" and on the other they're saying "If you need to know the code just
take the radio out and have a look on the case."

Not the most secure scurity system I've ever come across!

Paddy Spencer        Parallax Solutions Ltd (http://www.parallax.co.uk/)

Please report problems with the web pages to the maintainer

Top