The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 28

Thursday 7 August 1997

Contents

o USENET gateway flaw plus immoderation in bypassing moderation
RISKS
o Name collision lands robbery victim in jail
PGN
o IRS erroneously send out 90,000 tax warnings
o Hong Kong slip reveals press info
David Kennedy
o Four-star general upset with privacy invasion
Glen Roberts
o On-line court information system raises access questions
Brian Schimpf
o Internet access to criminal records info
Nancy Talner
o Is Microsoft distributing viruses?
Gerhard Duennebeil
o Bill would make software copying a felony
Edupage
o Chicago flooded with counterfeit bills
David Kennedy
o Ctrl-Alt-Del
Paul VanDyke
o Clean Sweep wasn't quite soon enough
Jim Horning
o Electronic airline ticketing
Jordin Kare
o E-mail readers and snooping
Bryan C. Hains
o Re: What to do about software patents
Anthony E. Siegman
Ray Todd Stevens
o Urban legends, in this case a true one: General Mills/AOL
Brad Elmore
o Info on RISKS (comp.risks)

USENET gateway flaw plus immoderation in bypassing moderation

<RISKS>
Thu, 7 Aug 97 10:57:56 PDT
The Berkeley USENET news gateway software was upgraded recently, but a bug
was introduced whereby an APPROVED line was automagically added, and
everything sent to the RISKS address went out to the USENET distribution.  I
am told that this has now been fixed.  My apologies to those of you who were
annoyed, and to those of you who were seriously harassed for unwittingly
being in broadcast mode.  However, this incident once again provides a
reminder of how flaky our infrastructure is, and how small changes can cause
new risks.

Incidentally, I was copied on correspondence between a spammer who had
abused the USENET comp.risks distribution and someone who took very strong
objection to the spam.  The spammer replied that he was innocent, insisting
he was not doing anything bad -- it was not *he* who was forging the
"APPROVED" line, it was his spamming tool!

Once again, let me add that due to horrendous quantities of e-mail spams, my
SysAdmin is filtering out mail from addresses that are predominantly sources
of spams.  Unfortunately, this may render a few of you incapable of reaching
RISKS.  (Sorry!)  But despite our filtering, we are still receiving vastly
too many spams each day.

PGN


Name collision lands robbery victim in jail

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 7 Aug 97 10:47:56 PDT
Antonio Picazo Mendoza Jr., was beaten and robbed on his way to a store near
his home in Stockton, California.  He managed to get home, where his family
reported the robbery to police and took him to the hospital.  Police
discovered that his first and last name, date of birth, and Social Security
Number matched those of Antonio Blanco Mendoza, a wanted parolee.  Despite
his protests that he was not that individual, he was detained in jail -- for
three days by the San Joaquin County Sheriff's Office, and for another two
weeks at Deuel Vocational Institution.  It appears that Blanco was using
Picazo's identity.

RISKS has had numerous cases in the past of *intentional* identity theft and
*accidental* assignment of the same SSN to different individuals.  It is not
yet clear which is true in this case.


IRS erroneously send out 90,000 tax warnings

"Peter G. Neumann" <neumann@chiron.csl.sri.com>
Thu, 7 Aug 97 10:37:22 PDT
The IRS, already beset with the woes of trying to modernize its archaic
computer systems, has stumbled onto a new glitch.  Because of a new software
error, warnings were incorrectly sent to 90,000 taxpayers that they were
subject to penalties and interest for failing to file proper tax returns for
nannies and other household employees.  But those taxpayers had already
followed new IRS rules by using a new ``simplified`` form.  This was another
unforeseen aftermath of the Zoe Baird ``Nannygate'' in which the IRS
ultimately decided the real problem was that the tax code was overly
complex.  [Source: Ralph Vartabedian, *Los Angeles Times*, 7 Aug 1997, seen
in the *San Francisco Chronicle* of that day, p.  A7]

  [This is a case of Tax Deform!  Incidentally, I do not recall anyone
  heretofore noting a quasiliterary reference to J.D. Salinger's 1966
  book, which could alternatively have been titled *Nanny and Zoe*.  PGN]


Hong Kong slip reveals press info

David Kennedy <76702.3557@compuserve.com>
Fri, 11 Jul 1997 02:34:40 -0400
From:  http://www.news.com/News/Item/0,4,12161,00.html

Hong Kong slip reveals press info, By Reuters, 5 Jul 1997

> HONG KONG--The Hong Kong government has apologized for accidentally
> posting the personal information of hundreds of journalists on the
> Internet.  Local newspapers quickly noticed that the government had posted
> a list of almost 1,000 journalists covering Monday night's Hong Kong
> handover to China on a Web site, plus passport and identity card details.

Mary Leung, chief information officer for the Government Information
Services said the release was an accident.  People attending the People's
Liberation Army arrival in Hong Kong were required to register with their ID
number and passport numbers.

> The name list was posted on the Internet June 29 because of a technical
> oversight and was removed by the government July 2 after the mishap was
> spotted. Leung believes the list might not have been seen by many surfers,
> though the government's Web site is open to everyone.

> Apologizing Thursday for the error, she said she believed it was an
> isolated incident that would not affect people's confidence in the
> protection of their personal information. "The oversight is regretted,"
> Leung said.

[dmk: I suppose that's one way to get the media interested in privacy
matters.]

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.


Four-star general upset with privacy invasion

Glen Roberts <glr@ripco.com>
2 Aug 1997 18:07:01 GMT
Maj. Tom Rheinlander, a spokesman for Griffith [four-star general and the
U.S. Army Vice Chief of Staff], said the general was unhappy when told
Friday his Social Security number was out there for all the world to see.
"As would most Americans, General Griffith views the publication of his
Social Security number on the internet as an invasion of his privacy,"
Rheinlander, said.  [Source: the *Oil City Derrick,* 2 Aug 1997 (my home
town newspaper).  PGN Abstracting] http://www.fulldisclosure.org/govtssn.html

  [This is one of the messages that slipped through into comp.risks.  PGN]


On-line court information system raises access questions

Brian Schimpf <schimpf@gradient.com>
Wed, 06 Aug 1997 09:47:10 -0400
An article in *The Boston Globe* (5 Aug 1997, B1) reports on litigation
concerning access to an on-line service to provide information about court
dockets for a number of superior courts in Massachusetts.  The system is
called SCRIB, or Superior Court Remote Inquiry for the Bar, and allows
participants to court actions to view the court dockets so they can easily
schedule their appearances without burdening court staff.

Mr. Ross Mitchell is not a lawyer but is representing himself in a civil
lawsuit.  He found out about the system and requested access, but was told
that the system is only available for lawyers, including the attorney
representing the man who is suing him.  So Mr. Mitchell filed suit in
federal court arguing that he had a right to the same access to public
information.  He has lost several rounds and his case is now before the US
Court of Appeals.

A key problem in the case is the capacity of the system, which was designed
only for lawyers, judges and court staff.  James Klein, administrator of the
Superior Court, says the system is already near capacity.  " 'If we were to
open it up to the general public, we would have to shut it down entirely
very quickly because the lines would be jammed,' said Klein.  And the system
cannot be expanded because it is scheduled to be replaced when a new court
computer system goes on line in the next five to six years."

The Risks here are pretty familiar: a system which was designed without
adequate consideration for the demands which would be placed on it, leading
to the danger that a system which uses new technology to provide a real
benefit may be shut down completely due to insufficient capacity.  And a
reluctance to address problems in an information system today based on an
expectation that a new system will solve all the problems quite some time
(five to six years) in the future.

Brian C. Schimpf, Gradient Technologies, Inc., 2 Mt. Royal Ave., Marlboro,
MA 01752  schimpf@gradient.com  (508) 624-9600 x214  http://www.gradient.com/


Internet access to criminal records info

<Talner@aol.com>
Tue, 5 Aug 1997 21:22:00 -0400 (EDT)
  [Courtesy of Bob Jacobson <bluefire@well.com>]

The Washington State Patrol is starting a pilot project called the WATCH
program, which was authorized by the 1997 legislature.  The program will
make criminal history information available on the Internet so that anyone
who wants to run a background check on someone for employment purposes (or
to deny housing rental or just to snoop) can do so without going through the
state patrol.  This raises some dilemmas regarding privacy, public records
access, and allowing people to rehabilitate themselves from a criminal
conviction.  For example, under current law, you can get a conviction
vacated after a certain period of time and then answer "no" when asked by
employers if you have a conviction, but this is useless if anybody can find
the record anyway.  Also, current law allows background checks on criminal
records to be done for certain jobs, but not for every job.  Under the new
system, anyone who has ever had a criminal case may risk having jobs,
housing, and many other things denied to them because of that case.  It is
further clear that under current public disclosure law, most conviction
records are public.  Can anybody help me analyze these issues and propose a
remedy that maintains access to public records while at the same time
lessens the ongoing punishment of individuals who can never escape their
past?  Thanks.  Nancy Talner


Is Microsoft distributing viruses?

<Gerhard.Duennebeil@FZMAIL.arcs.ac.at>
Wed, 6 Aug 1997 09:11:09 +0200
A more or less happy user of Microsoft's Word 6.0a, I decided some days ago
to peek into the new Office97 package.  Working with huge text documents I
didn't want to take the risk of migrating to the new products without having
at least some know how about it. So I decided to make an installation
running from CD and play around with it. I also decided (and did so) never
to store an important old document with the new software until my decision
to migrate and the way to do so was clear.

Now, a few days later, I tried to work with a WORD6.0a document I never have
stored with the new WORD. Imagine my surprise when I suddenly found out that
I was not able to access an embedded MSGraph object. For your information:
The Office97 CD was not inserted at this moment.  Looking for some reasons I
found the embedded object having a format of MSGraph 5.0. When I created
that object it had MSGraph (1.0?) format.  It looks like someone changed the
format without asking me.  I also peaked around in the registry and found an
entry related to MSGraph that said "AutoConvertTo:
xxx-xxx-xxxx-xxxxxxxxx-xxxxx" (some of these GUID).

Guess, what was behind this GUID? Right, MS-Graph 5.0.  So to me it looks
like MS is distributing software, that manipulates my data without my
knowledge and makes it unusable this way.  That is at least one important
property also expected from viruses, right?

The risk? Obvious, isn't it?

Gerhard Duennebeil, Austria <Gerhard.Duennebeil@arcs.ac.at)


Bill would make software copying a felony (Edupage)

Edupage Editors <educom@educom.unc.edu>
Tue, 5 Aug 1997 13:36:05 -0400
A bill sponsored by Rep. Robert Goodlatte (R-Va.) and supported by the
Software Publishers Association would make it a felony to copy more than
$5,000 worth of software.  The "No Electronic Theft Act" stipulates that any
person who reproduces 10 or more copies of copyright software totaling more
than $5,000 could land a three-year jail sentence.  A second offense could
net six years in a federal prison.  The bill is designed to close the
current loophole that exempts software copying from criminal prosecution
unless it is willful and for profit.  The U.S. Senate is considering a
similar bill.  (*PC World Online*, 4 Aug 1997; Edupage, 5 Aug 1997)


Chicago flooded with counterfeit bills

David Kennedy <76702.3557@compuserve.com>
Tue, 5 Aug 1997 12:40:46 -0400
Counterfeit bills (particularly twenties, and about one-fifth of them
computer-generated) are flooding the Chicago area, made by what the Secret
Service calls ``casual counterfeiters'' -- despite the possibility of a
15-year Federal sentence.  Many suspects are computer-literate young adults
and even high-school students.  [Counterfeit dollars flood Chicago area
(UPI, 1 Aug 1997, via CompuServe's Executive News Service), PGN Abstracting]


Ctrl-Alt-Del

Paul VanDyke <pvandyke@geocities.com>
Tue, 05 Aug 1997 08:50:23 -0800
With Windows NT, this is the method of logging onto the console at the
server.  This is also the famous three-finger salute that reboots a computer
not running NT.  Last night we did some system maintenance and moved an NT
server close to an OS/2 Warp Server.  The monitor for the NT server is
sitting on a shelf above the other monitor.  The keyboard is in a drawer
right under the monitor.  Our LAN admin wanted to log onto the NT server,
but used the wrong keyboard.  OOPS!  Well it rebooted the OS/2 server just
as commanded.  Too bad it was only 10 minutes till 8:00am.  He didn't knock
too many people off.

The risk?  He got too familiar with a key sequence that should be guarded.

I used to think that is was neat to hit C-A-D and not have the computer
reboot, but not anymore.  Bad programming Microsoft!


Clean Sweep wasn't quite soon enough

Jim Horning <horning@intertrust.com>
Fri, 01 Aug 97 19:54:00 P
There's another use for those forged driver's licenses.  This seems to be
not so much a computer-related risk, as a risk that could have been
ameliorated with a little more intelligent application of computers:

I am in the process of getting my checking world back in order after a
Southern California ring made off with a total of about $7,000 in cash from
my account one day last week.

* The ring is well-organized and efficient.  My branch manager in Palo Alto
says that there are already three other customers of her branch that she's
currently working with -- creating new accounts, getting new checks,
recovering missing funds, etc., etc., etc.  One customer's account was hit
for $12,000.

* All they need is your name and checking account number (everyone who
handles any check you write has this information).  They then forge a "good
quality" California driver's license, with your name and their picture, to
use as ID for over-the-counter bank transactions.

* They know the bank's fraud prevention procedures and thresholds.  They
"deposited" four bad checks, taking most of the amount in cash, but each
check was just under $1,000.00.  They hit multiple branches, all in Southern
California.  They also made two cash withdrawals.

* The amount they can take is not limited by the balance in your account:

  - If you have overdraft protection, they can go to the limit on that
    (e.g., the limit on your Visa account).
  - When they deposit a check with "cash back," they take the amount
    of the phony check, not the amount left in your account.
  - Checks and over-the-counter transactions are processed overnight,
     not online, so by working a number of different branches, they can
     take multiples of your account.

* There doesn't seem to be any reasonable way (at Wells Fargo Bank) to limit
over-the-counter cash withdrawals from an account (unlike ATM withdrawals).

* The best protective measure seems to be to monitor your account frequently
(via the Web, telephone banking, Quicken online, or whatever) and
IMMEDIATELY report anything suspicious.

* Everyone at Wells Fargo has been very nice and helpful, but it's a real
nuisance to deal with this.  To their credit, their Loss Prevention unit
spotted the anomalies and notified me in less than a week -- well before I
would have received my statement.  I'll get all my money back, but no
reimbursement for the time I'm spending.

Jim H.

  [Added note from Jim:]

There is one defense against over-the-counter raids, but it's pretty
drastic.  It's what they did to my old account as soon as they recognized
"unusual activity": Flag the account so that all over-the-counter cash
transactions require approval by a specific person in the Loss Prevention
unit.  This includes third parties, like our cleaning lady, who was unable
to cash our $60 check, because she wanted cash -- a deposit to an account
would have gone through.

* I would have thought that one could restrict an account so that cash
withdrawals were limited for over-the-counter as well as ATM transactions,
but, no, the computer isn't programmed for that.

* I would have thought that, by now, over-the-counter cash withdrawals were
totalled bankwide, not just per branch, in real time, but no, screening for
unusual activity apparently happens overnight.  [The ring apparently knows
this: There has been no further attempted fraudulent activity since the one
day.]

* I would have thought that a $2,100 cash withdrawal (the largest single
transaction) would require more ID than a California driver's license, but
apparently not.

On the bright side, my money (including my July payroll deposit) has
supposedly just been transferred to my new account.  Of course, there's no
easy way to test this, since my online banking access has been shut down to
prevent fraud...

Jim H.


Electronic airline ticketing

Jordin Kare <kare@sirius.com>
Mon, 04 Aug 1997 00:12:59 +0000
The discussion in RISKS-19.27 of problems with an online ticketing service
reminded me of a recent "adventure" a colleague and I had with a major
airline.

My name is Jordin Kar_e_.  My colleague is Thomas Kar_r_.  We were
travelling together on business from Oakland, CA to Los Angeles.  Our
(L.A.-based) travel agency had gotten us both electronic tickets on (we
thought) a 7 a.m. flight.

For those who have not used e-tickets, you do not get a physical ticket in
advance of your flight.  Instead, you show a photo ID at checkin and receive
a boarding pass only.  Airlines are heavily promoting this "ticketless
travel", noting that, among other things, it keeps you from "losing
tickets".

Tom and I arrived at the airport together.  Two clerks were working the gate
counter.  Both clerks ask to see "photo ID and the credit card the ticket
was bought with".  Hmm -- we don't have any such credit card, since the
travel agency bought the tickets for us.  My clerk merely says, "Is this a
business trip?" and when I say yes, she checks her screen, taps a few keys,
and hands me a boarding pass.  Tom's clerk, however, refuses to issue him a
boarding pass if he doesn't have the credit card the ticket was purchased
with, and an argument ensues.  Neither clerk asks for the e-ticket tracking
number (a unique index number which is given to the buyer at the time an
e-ticket is bought and is supposed to be used like a reservation
confirmation number, to make sure the transaction is not "lost in the
computer").

While Tom is arguing, I sit down to wait for boarding.  As I get up to board
the flight, I happen to check my boarding pass to make sure my Frequent
Flyer number is shown, so I'll get mileage credit.  To my surprise, the FF#
is not mine.  A quick look shows that the boarding pass has someone else's
name on it.  I take it back to the desk, and my clerk says, more or less,
"Oh, I'm glad you noticed." and takes back the boarding pass.  The other
clerk is still talking to Tom, but has apparently resolved the argument.  He
sees the returned boarding pass, says something like, "Oh, there's what I
was looking for", grabs it, and (although I didn't notice what he did at the
time) hands it to Tom!

Meanwhile, my clerk asks my name again, looks at her computer, and says
they have no record of an e-ticket or even a reservation for me!

After some discussion, she eventually looks up my return flight, finds a
reservation, and is able to find my missing e-ticket -- I'm on the 8:30
flight out, not the 7 a.m. flight.  (Fortunately, the return flight was
the one I thought it was, as she apparently could not search for an
e-ticket record by name alone).  So Tom commiserates with me on how the
travel agency screwed up, and boards the 7 a.m. flight, leaving me to
sit in the airport for an hour or so.

So far the RISK is that the airline quite happily gave me someone else's
boarding pass, for a flight on which I had no ticket, electronic or
otherwise, simply because I had a similar last name.  Had I not happened to
check it, I could have flown on someone else's ticket.  In addition to the
obvious RISKs of screwed-up travel arrangements, it is worth noting that,
had I boarded the 7 a.m. flight and had it crashed, the wrong next-of-kin
would have been notified.

(A secondary RISK (or at least irritation) is that a major airline seems to
have no clear policy regarding the matching of credit cards to e-tickets,
and seems to have trouble with the notion that an e-ticket traveller might
not be the purchaser of the ticket.  Yet another RISK is that, had my return
flight also been wrong, the airline apparently couldn't have found my
e-ticket at all, at least until my travel agent's office opened and I could
get the tracking number.)

But the story is not complete.  *After* Tom Karr reached LA, he discovered
that the stub of his boarding pass did not say "Thomas Karr" -- it said
"_Harold_ Karr".  A check with the airline revealed that Tom Karr, like
Jordin Kare, had a reservation on the 8:30 flight, not the 7 a.m. flight.
So Tom *did* fly on someone else's ticket, and had to do some fast talking
to the airline to make sure that his return flight wasn't cancelled (since
"Thomas Karr" never picked up his e-ticket on the 8:30 flight).  So the same
boarding pass was issued to *two different* *wrong* passengers.  What
happened to poor Harold Karr, the legitimate 7 a.m. passenger, we can only
speculate....

Jordin Kare


E-mail readers and snooping

"Bryan C. Hains" <hains@neocortex.health.ufl.edu>
Mon, 04 Aug 1997 00:05:19 -0400
With the availability and ease of installation, e-mail software such as
Pegasus and Eudora the potential for abuse exists with the latest round of
features.  With both of these packages an internal parser scans the text of
your e-mail's body and highlights predetermined "phrases" that begin with
"http://" and "mailto:" for ease of web browsing and reply.  Obviously the
specifics of these scans are coded into the guts of the software.

The risk?  If the source were obtained by a not-so-friendly entity and
modified to look for other more valuable information within the message,
this info could be stealthily usurped and sent to a third party.  A modified
"new version" or "update" could be released onto the net (somewhere such as
windows95.com) and thousands of unsuspecting users could become extremely
vulnerable extremely quickly.

Bryan C. Hains, Dept of Neuroscience, University of Florida Coll. of Medicine
and Brain Inst. http://www.naples.net/~nfn02711 hains@neocortex.health.ufl.edu


Re: What to do about software patents (RISKS-19.27)

AES <siegman@ee.stanford.edu>
Sat, 02 Aug 1997 13:49:37 -0700
(A copy of this message has also been posted to the following newsgroups:
comp.risks)

> Seeing the vast numbers of non-novel and obvious software patents issuing in
> my area (financial services), a number of unorthodox ideas are crossing my
> mind, such as ...
>
> Are we reaching the point where we should ask a judge to place the Patent
> Office, or the software art areas, under a court-appointed receiver or
> administrator, due to its manifest ongoing failure to carry out its official
> duties under Federal Law with respect to 35 U.S.C. 101, 102, 103, Rule 56
> and so on?

I'm not sure if you've been following the fervid discussion of this issue
in misc.int-property.

Speaking as a reasonably competent scientist and engineer, my view is
there are vast numbers of non-novel and obvious patents in every field in
which I'm competent to judge, although non-novel software patents may have
the potential to do a lot more immediate damage.  Given the competence
expected of and resources available to patent examiners, it could hardly
be otherwise.

Patent attorneys, however -- at least those whose post to
misc.int-property -- seem to vehemently disagree with this view.

  [This item was another one that slipped through into comp.risks.  PGN]


Re: What to do about software patents (RISKS-19.27)

"Ray Todd Stevens" <raytodd@tima.com>
Thu, 7 Aug 1997 05:49:27 -0700 (PDT)
You really have faith in the courts or Congress doing a better job.
Want to buy some high value swamp, too?


Urban legends, in this case a true one

Brad Elmore <bee@bk2k.gsu.edu>
Mon, 04 Aug 1997 10:17:00 -0400
(Re: General Mills & AOL in sleazy partnership: Chex Quest CD-ROM game)

| ... the children's program host who told his viewers to go to daddy's
| wallet, take out the money, put it in a envelope, and send it in.

This is of course an urban legend (see the full story with references at
http://snopes.simplenet.com/radiotv/tv/soupy1.htm); here's the summary:

Claim: Soupy Sales asked his young television viewers to send him
"little green pieces of paper" from their parents' wallets.

Status: True.

Synopsis: Yes, Soupy Sales really did jokingly make this request to his
television audience on 1 January 1965, but two commonly-believed aspects of
this legend -- that Soupy subsequently received tens of thousands of dollars
in the mail, and that his show was cancelled as a result of the prank -- are
untrue.

The RISKS of urban legends should be well-known by now.

Please report problems with the web pages to the maintainer

Top