The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 13

Friday 9 May 1997

Contents

o Time-Bomb Ticks In No-Name Pentium Motherboards
Mich Kabay
o Cyber Promotions slammed, spammed, and dammed
PGN
o Power system loss, despite multiple redundancy at London Telehouse
Tim Sheen
o No more fingers in the dike: big flood gates
Geert Jan van Oldenborgh
o Netscape News reader risk
Lindsay F. Marshall
o Bug in Netscape shows whose C compiler they use
Paul Robinson
o Is E-Mail Safe?
John Mainwaring
o Norwegian surveillance camera
Martin Minow
o Year 2068 problem
Adam Shostack
o Dept of stupid statistics: Internet fraud
Richard Schroeppel
o Social benefits of comp.risks
Harold Asmis
o Keypunching data leaks
David Kennedy
o Re: A Labour-ious spelling-checker story
Paul Andrew Solomon Ward
o Swedish Phreaker Fined
David Kennedy
o Re: James Sander's Book on TWA 800
Marty Ryba
Fred Ballard
Clark Merrill
Pete Mellor
Mark Stalzer
o Info on RISKS (comp.risks)

Time-Bomb Ticks In No-Name Pentium Motherboards

"Mich Kabay [NCSA]" <Mich_Kabay@compuserve.com>
Sat, 3 May 1997 11:56:01 -0400
Time-Bomb Ticks In No-Name Pentium Motherboards
By Alexander Wolfe, EETimes (Via PointCast News and TechWeb, 28 Apr 1997)

> MILPITAS, Calif. -- There may be a ticking time-bomb in millions of
> Pentium motherboards.  The problem boards -- often low-cost or no-name
> brands -- skimp on the number and quality of capacitors that are required
> to smooth out voltage spikes around the CPU, a U.S. electronics executive
> has charged. As a result, they don't meet Intel's power specifications and
> are subject to unexpected failures that could trash data and files of
> unsuspecting consumers.

Key points made by the author:

* Bob Dobkin, a vice president at Linear Technology in Milpitas, CA, said
"Your processor locking up may not be [caused by] your software -- it could
be cheap power-supply components on your motherboard."  He added, "This is
potentially a bigger problem than the Intel Pentium floating-point bug
because there are millions of computers that could go bad."

* Apparently some clone manufacturers have not taken into account the design
criteria for Pentium and later CPUs and have used fewer and cheaper
capacitors than they should.

* "Klamath" (the Pentium II chip using MMX technology) will be even more
demanding, with voltage and current surges that exceed anything used in
Intel processors up to now.

* The article includes test results for seven types of motherboards.  The
poor performers had 11 and 21 capacitors; better boards were using 54
capacitors.

* Cheap capacitors also age quickly and can fail after a couple of years,
leading to system lockup.

* The author writes, "One way for OEMs to check that boards are within spec
is with an Intel power validator, a piece of hardware that sells for
approximately $1,000."

M. E. Kabay, PhD, CISSP (Kirkland, QC) / Director of Education, National
Computer Security Association (Carlisle, PA) / http://www.ncsa.com


Cyber Promotions slammed, spammed, and dammed

"Peter G. Neumann" <neumann@chiron.csl.sri.com>
Fri, 9 May 97 16:11:43 PDT
Cyber Promotions, one of the largest conduits for junk e-mail, was hit with
a temporary federal court restraining order in response to Earthlink's
complaint against their electronic ``trespassing''.  They also agreed to pay
CompuServe $65,000 to settle a federal lawsuit, and agreed to stop spamming
CompuServe users.  (They had earlier agreed to a similar settlement with
AOL.)  Also, in the same two-day period, they experienced a 20-hour
retaliatory reverse-spam that flooded their computer system with millions of
requests for hardware identification numbers [which some might call a taste
of their own medicine].  That attack was stopped by filtering out 50 net
addresses.  [Source: an AP item by Jennifer Brown, seen in the *San
Francisco Chronicle*, 9 May 1997, C2]


Power system loss, despite multiple redundancy at London Telehouse

Tim Sheen <eng407@abdn.ac.uk>
Fri, 09 May 1997 10:01:30 +0100
An article in the *Electronic Telegraph*, 9 May 1997, describes an incident
at Telehouse, a supposedly "maximum security, telecommunications and
computing back-up center" in east London.  Despite several redundant power
systems (two connections to the national grid, battery room and two diesel
generators) the system was off line when "somebody simply flicked the wrong
switch." [1]

"The many fail-safe systems did not work because they are designed to
operate if external power supplies are disconnected. In this case the
power was switched off inside the building." [2]

Quotes lifted from the *Electronic Telegraph*. [1,2] attributed to Adrian
Bannington, financial director of Telehouse.

Another example of the designers of a system protecting against a perceived
problem, that of an unreliable external power supply, but neglecting the
unreliability of the operators...

Tim Sheen, Department Of Engineering, Fraser Noble Building, King's College,
Aberdeen, AB9 2UE. t.m.sheen@abdn.ac.uk  (+44)-1224-273-830


No more fingers in the dike: big flood gates

Geert Jan van Oldenborgh <gj@ganesha.xs4all.nl>
Thu, 8 May 97 20:15:28 +0200
Next Saturday our Queen will open the last piece of the coastal defenses put
in place after the 1953 floods.  As part of the harbour of Rotterdam is
behind the dam, it is movable.  Quite a nice construction, actually: two
floating walls attached to huge ball-bearings 240m behind.  The closing time
is about 11 hours, so the decision to close is based on the weather
forecast, tides and so, and is made by a computer system "BOS" (Decision &
Support System in Dutch).  This is expected to happen once every 5 years or
so.

There is *no* manual override.  Research at Leiden University has reportedly
shown that humans will make a wrong decision every 1000 events, whereas the
computer is trusted to fail once every 100000 decisions.  We have been
overtaken by software.

[Source: http://www.nrc.nl/W2/Lab/Profiel/Waterkering/bos.html (in Dutch)]
Geert Jan van Oldenborgh  oldenbor@knmi.nl  http://www.xs4all.nl/~gjvo


Netscape News reader risk

"Lindsay F. Marshall" <Lindsay.Marshall@newcastle.ac.uk>
Wed, 7 May 1997 09:52:03 +0100 (BST)
I noticed a warning posted to a newsgroup about someone who is posting news
articles containing embedded JavaScript that continuously opens windows
until the browser runs out of resources and crashes.

I suppose that if you think that active content is a good idea then it must
be an even better idea if you can do it everywhere.....

http://catless.ncl.ac.uk/Lindsay


Bug in Netscape shows whose C compiler they use

Paul Robinson <foryou@erols.com>
Sun, 04 May 1997 01:44:13 -0400
I was looking around the Java applets that Sun has on its Javasoft site -
they have a list at http://java.sun.com/applets/js-applets.html and I was
trying a few of them out.  I am using Netscape 3.01 for Windows 95.  At one
point, I came across one,
http://java.sun.com/applets/Jumpingbox/example1.html and ran it.

Netscape version 3.01 for Windows 95 crashes with the following error: a
"crash" dialog box (red circle with white X) appears saying

MICROSOFT VISUAL C++ RUNTIME LIBRARY
RUNTIME ERROR PROGRAM C:\(directory list)\NETSCAPE.EXE
R6025 - pure virtual function

Dismissing this produces the system "crash" dialog box:

NETSCAPE CAUSED AN INVALID PAGE FAULT IN MODULE MFC40.DLL at 0137:5F8012B6

This problem is reproducible, because I caused it to happen a second time
when I watched where I was going and what I was doing so that I could
discover exactly where the error was that crashed Netscape.  Interesting to
note that Netscape uses Microsoft Visual C++.  Hmmm.

This message is similar to one which has been sent to netscape both through
their web site and as E-Mail.


Is E-Mail Safe?

"John Mainwaring" <crm312a@nortel.ca>
07 May 1997 11:21 EDT
I recently received a message on a mailing list I look after with the
alarmist subject line: "Fw: [Fwd: IMPORTANT!!! STOP EVERYTHING AND READ
THIS."  Readers of Risks will not be surprised to learn that this was
PENPAL, and indeed there were already a couple of replies that told everyone
to relax, it was a hoax.

However, I currently use MS Internet Mail (the one that comes with Internet
Explorer), and there's a bit of a twist to the tale.  This particular
message had arrived as a disembodied attachment.  MSIM turns attachments
into a rich computing experience.  (See previous postings on ActiveX for an
explanation of this phrase.)  They show up as icons in a tray at the bottom
of the message.  If you double click the icon, you may start up Word or
Excel, or you may even run the attachment as an executable.  This
particular icon was nicely labeled "IMPORTANT!!! STOP EVERYTHING AND READ
THIS NOW!!!", but there was no obvious way of knowing what would happen if I
double clicked.

I've figured out how to detach MSIM attachments and inspect them.  It
turned out that this one was just the PENPAL notice with a couple of
"forwarded by" headers.  However, if someone chose to attach a destructive
executable and labeled it "Read Me Now", and if I double clicked to read
it, I could have a very rich computing experience indeed.  There's really
nothing fundamentally new here, just a situation where a generally user
friendly program makes it a little too easy for a novice to get bitten.
Perhaps there's a thread that MS is too deeply rooted in the mind set of
individual computers (security by accident), and is jumping onto the
internet bandwagon without sufficient forethought.  Who knows?  Perhaps
lemmings enjoy the ride.

John Mainwaring  Nortel RTP NC  crm312a@nortel.ca


Norwegian surveillance camera

Martin Minow <minow@apple.com>
Wed, 7 May 1997 08:51:27 -0700
Mikael Pawlo <mpawlo@algonet.se> writes (in a Scandinavian mailing list on
legal issues) about a Norwegian surveillance camera that is ``is sending
pictures from the entrance of a brothel [a `massage studio' according to the
article] out on the WorldWideWeb,'' quoting an article in the Norwegian
(net) newspaper, Nettavisen, noting that this would probably not be legal in
Sweden.  The article is <http://www.nettavisen.no/Innenriks/862983189.html>
(in Norwegian) and the camera is at <http://sel.ikke.no/horer/>

According to the article (and assuming my translation is accurate), the
pictures are legal ``as long as auto license numbers or the identity of
people photographed is not made known.''  Nettavisen also noted that the
person who is broadcasting the photos did not dare to have his picture or
name published.

The picture I saw was of such low quality that I doubt that anyone could be
recognized, so the risk may be small.  But it is only the start.  (About a
year ago, a Swedish restaurant had a camera on their web page, showing
presumably happy eaters, and was told by the Data Privacy folks to turn it
off.)

Martin Minow  minow@apple.com

  [I don't recall Martin submitting the parenthetical
  item before.  He must have been smorgas-bored.  PGN]


Year 2068 problem

Adam Shostack <adam@homeport.org>
Thu, 8 May 1997 10:32:27 -0400 (EDT)
http://www.rdg.opengroup.org/public/tech/base/year2000.html
outlines a cunning plan to delay the problem until everyone responsible has
retired, and probably died.[*] It suggests interpreting years from 00-68 as
being in the 21st century, and 69-99 as being in the twentieth.

While the paper does say that 4-digit dates are the correct solution, the
use of sliding date windows like this is avoiding the problem in a way I
hadn't seen before.  It seems unjustifiably optimistic to assume that
computers will be retired just because of an Nth instance of a date problem.

Adam

[*] Is this a new risk of life extension techniques?  That people will live
long enough to be lynched for (their mistakes||practical decisions made
under the pressures of the day)?

   [This does not do much for the folks-over-100 problems we find in RISKS
   now and then, and creates a bunch of new folks-over-31 problems.
   Another simplistic solution that will create lots of new problems? PGN]
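
The 00-68 / 69-99 window from the item above, worked through as an added example (not part of the original posting or of the Open Group paper). The YYMMDD record layout and the sample records are constructed for illustration; the check against `datetime.strptime` relies on Python's `%y` following the same POSIX window.

```python
from datetime import date, datetime

PIVOT = 69  # rule quoted in the post: 00-68 -> 20xx, 69-99 -> 19xx


def expand_year(yy, pivot=PIVOT):
    """Map a two-digit year onto a four-digit year with a fixed window."""
    if not 0 <= yy <= 99:
        raise ValueError(f"not a two-digit year: {yy!r}")
    return (1900 if yy >= pivot else 2000) + yy


def parse_yymmdd(text):
    """Parse a YYMMDD field (hypothetical record layout) using the window."""
    if len(text) != 6 or not text.isdigit():
        raise ValueError(f"expected six digits, got {text!r}")
    return date(expand_year(int(text[:2])), int(text[2:4]), int(text[4:6]))


def library_agrees(text):
    """True if datetime.strptime's %y yields the same date as the window."""
    return datetime.strptime(text, "%y%m%d").date() == parse_yymmdd(text)


def age_in_years(born, on):
    """Completed years between two dates; negative if 'born' is after 'on'."""
    return on.year - born.year - ((on.month, on.day) < (born.month, born.day))


def audit_birth_dates(records, as_of):
    """Return (label, parsed_date) for birth dates that land after as_of.

    A birth date in the future is impossible, so the window's
    "folks-over-31" errors can be caught. A birth year of 1897 stored
    as "97" parses to 1997, which is plausible and passes unnoticed.
    """
    flagged = []
    for label, field in records:
        parsed = parse_yymmdd(field)
        if parsed > as_of:
            flagged.append((label, parsed))
    return flagged


AS_OF = date(1997, 5, 9)  # date of this RISKS issue

# Constructed sample records: (true birth year, stored YYMMDD field).
RECORDS = [
    ("born 1969", "690101"),
    ("born 1968", "680509"),
    ("born 1930", "300615"),
    ("born 1897", "970101"),
]

if __name__ == "__main__":
    for label, field in RECORDS:
        parsed = parse_yymmdd(field)
        print(label, "->", parsed, "age", age_in_years(parsed, AS_OF),
              "library agrees:", library_agrees(field))
    print("flagged:", audit_birth_dates(RECORDS, AS_OF))
```
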


Dept of stupid statistics: Internet fraud

"Richard Schroeppel" <rcs@cs.arizona.edu>
Tue, 6 May 1997 23:48:57 MST
Note the estimated fraud figure of 6 billion ECUs.  If we assume half of the
fraud was done on the net, and that there are perhaps 10 million European
net users, and that an ECU is worth about a buck, that's $300/user.  The
high end of the range gives $3000!  I can see why Europe is hesitating to go
online, what with money just oozing away through the modem like that.
Rich  rcs@cs.arizona.edu

EC STUDY CITES FRAUD ON THE INTERNET (from EDUPAGE)

A study conducted by Deloitte & Touche on behalf of the European Commission
estimates that international fraud has cost the European Union anywhere from
6 billion to 60 billion European currency units, with much of that fraud
perpetrated over the Internet.  "At its simplest, the Internet allows a
fraudster to set out a site on the World Wide Web which claims to be the
site of a reputable company or organization.  Victims are then induced to
part with funds via credit-card payments, or induced to reveal valuable
information.  At least one major international bank is known,
confidentially, to have suffered from this although details of losses are
not available," says the study.  And while encryption can help ameliorate
some of the problems, it is a "double-edged sword" says the study, because
it can also shield the nefarious doings of crooks on the Net.  The study
calls for international cooperation among governments in apprehending
electronic fraudsters, and says the issue poses "huge" challenges to law
enforcement and civil agencies: "The traditional sources of forensic and
other evidence will become rarer, and a range of new types of evidence will
need to be acceptable to the courts."  (BNA Daily Report for Executives, 5
May 1997)


Social benefits of comp.risks

Harold Asmis <harold.w.asmis@hydro.on.ca>
Mon, 05 May 1997 12:23:54 -0400
I would like to report an incident that confirms the positive social
benefits of this forum.  A while ago I posted an example of an SSL security
breach.  Luckily for me, I mentioned the name of the bank involved, and with
even more luck, somebody passed the item on to a national newspaper.  This
was extremely lucky, because banks and lawyers don't read comp.risks, but
they read newspapers.

It all started when the now-never-named bank put its mutual fund information
on a third party's site that had absolutely no legal-liability relationship
with the bank.  My company has thousands of employees going through a single
firewall with a single IP address.  Since the bank is downstairs, it turns
out that just before an important income-tax deadline my company was
funnelling out extraordinary traffic to the third-party web site.  Even
though the SSL traffic was encrypted, a unique session key has to be
generated each time somebody goes into the site.  You can't `log out' so
your session stays open until they decide to expire it, a few hours later.
Now 40 bits is a lot, but lucky for us, somebody decided to use the IP
address as part of the key generator.  Suddenly, for our company, 32 bits of
randomness was eradicated.

The high volume meant that session keys were being fully rotated every hour.
As luck would have it, the inevitable happened.  Person X checked their
portfolio, and 40 minutes later, Person Y checked theirs.  Person Y was
instantly teleported into Person X's account.

This messenger tried to sort things out and suffered the ventilation of most
such messengers.  But, lucky for Society, there was lots of employment for
lawyers.  Security experts benefited from the large amount of money that was
spent to straighten this out, by the bank that had nothing to do with it.
Of course, with great humbleness, not a word of this will get out.

We are lucky that we never have to worry about this problem again, and
although some may think that the lesson here is to 'never mention
names', we may have not had such a fortunate outcome, if this
correspondent hadn't been so naive.
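
The arithmetic behind the incident above, as an added example (not code from the posting or from the site involved). The exact scheme is not given on the page; the identifier layout below, 32 bits copied from the client's IPv4 address plus 8 random bits, is an assumption based on the post's figures of 40 bits with 32 derived from the IP address, and the address used is a documentation placeholder.

```python
import random
import secrets

ID_BITS = 40   # identifier size mentioned in the post
IP_BITS = 32   # bits the post says came from the client IP address


def collision_probability(random_bits, sessions):
    """Exact birthday probability that `sessions` uniformly random values
    of `random_bits` bits contain at least one duplicate."""
    space = 1 << random_bits
    if sessions > space:
        return 1.0
    p_unique = 1.0
    for i in range(sessions):
        p_unique *= (space - i) / space
    return 1.0 - p_unique


def ipv4_to_int(client_ip):
    """Dotted-quad IPv4 address as a 32-bit integer."""
    return int.from_bytes(bytes(int(o) for o in client_ip.split(".")), "big")


def weak_session_id(client_ip, rng):
    """Assumed weak layout: IP address in the top 32 bits, 8 random bits."""
    free_bits = ID_BITS - IP_BITS
    return (ipv4_to_int(client_ip) << free_bits) | rng.getrandbits(free_bits)


def logins_until_collision(client_ip, rng):
    """Issue weak IDs to successive users behind one address and return the
    number of the login that receives an ID which is still live."""
    live = set()
    while True:
        sid = weak_session_id(client_ip, rng)
        if sid in live:
            return len(live) + 1
        live.add(sid)


def strong_session_id():
    """Hardened form: 128 bits from the OS CSPRNG, no client-derived input."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    for n in (5, 20, 50):
        print(f"{n:3d} live sessions behind one firewall: "
              f"P(collision) = {collision_probability(ID_BITS - IP_BITS, n):.3f}"
              f" with 8 free bits, "
              f"{collision_probability(ID_BITS, n):.2e} with 40")
    rng = random.Random(1997)  # seeded only so the demonstration repeats
    print("first shared ID at login number",
          logins_until_collision("192.0.2.10", rng))
    print("hardened ID:", strong_session_id())
```
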


Keypunching data leaks

David Kennedy <76702.3557@compuserve.com>
Wed, 7 May 1997 01:45:19 -0400
Courtesy of the Dow Jones News Service via CompuServe's Executive News
Service:

         Plaintiffs Join Privacy Suit Against Metromail,R.R Don

Dow Jones  5/1/97 12:00 PM

>   WASHINGTON (Dow Jones)--A Washington law firm said plaintiffs from three
> states joined an ongoing purported class action against Metromail
> Corp. (ML) and R.R. Donnelley & Sons Co.  (DNY), which owns about 38.4% of
> Metromail, over alleged privacy violations.

:: Ohio grandmother completed a Metromail survey and received a "sexually
graphic and threatening letter"  from the person who keypunched her data.
That person was a guest of the taxpayers of the State of Texas resulting
from a rape conviction.

:: Persons from four states have joined the suit.

:: Donnelley spun off Metromail in June 96.

:: The Texas Department of Criminal Justice was originally part of the suit,
but has been dismissed by the court.

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.


Re: A Labour-ious spelling-checker story (Poschmann, RISKS-19.12)

Paul Andrew Solomon Ward <pasward@undergrad.math.uwaterloo.ca>
Mon, 5 May 1997 15:12:59 GMT
> Mr. Blair, who will become the youngest prime minister since 1812,

Need I point out that the quoted date of 1812 is also incorrect.  It should
be 1832.  Perhaps it is a RISK of computer users that we notice the
(frequent) spelling errors and this numbs us to the more significant factual
errors.   paulward (DrGS)


Swedish Phreaker Fined

David Kennedy <76702.3557@compuserve.com>
Wed, 7 May 1997 01:45:10 -0400
Courtesy of Reuters News via CompuServe's Executive News Service:

           Swedish hacker who paralyzed US switchboards fined

Reuters North America  4/30/97  2:39 PM

>    GOTHENBURG, Sweden (Reuter) - A Swedish teen-ager who paralyzed
> U.S. telephone switchboards for months, prompting a global hunt by the
> FBI, was fined the equivalent of $350 by a Swedish court Thursday.  The
> self-styled "Demon Freaker," who was not named in court, jammed Florida
> switchboards last year by linking them to sex lines. He had cracked the
> codes of a company that enables Americans to call home from abroad,
> allowing him to call anywhere in the United States free.

::  60K calls valued at US$250K.

> He managed to transfer the telefax number of the soft-porn magazine
> Hustler to his own line so that he received orders for the magazine and
> for sexual paraphernalia....  His mother said the boy had problems with
> alcohol and glue-sniffing but she had no idea he was spending his nights
> on the phone to America....  The boy was fined $345. He is now in a state
> care institution.

[DMK: Comment--US$345?  What ever happened to the criminal justice
principles of correction, deterrence and punishment?]

Dave Kennedy [CISSP] Research Team Chief, National Computer Security Assoc.


Re: James Sander's Book on TWA 800 (Wayner, RISKS-19.12)

Marty Ryba <ryba@ll.mit.edu>
Mon, 5 May 97 11:36:36 -0400
All missiles currently used by the Navy for air defense (the RIM-7
SeaSparrow and the Standard) are semi-active homing: the little radar in the
front of the missile is receive-only, requiring illumination from the Mark
99 (or similar) X-band illuminator on the shooting ship (though later
CEC-like improvements may allow another asset to serve as illuminator).  So,
it would require the *entire system* to confuse Flight 800 with the target
drone.  While not impossible, there would be recorded data (especially in a
test) to show whether this in fact occurred.  Furthermore, test ops
involving live fire go through elaborate safeguards to prevent this
confusion.  If there was in fact a drone airborne to be shot at, it would
have been done in restricted airspace (like off of Wallops Island), with
adequate warnings broadcast and stringent abort requirements if any planes
flew near the area.

Dr. Marty Ryba  MIT Lincoln Laboratory  ryba@ll.mit.edu  [DISCLAIMERS!]


Re: James Sander's Book on TWA 800 (Wayner, RISKS-19.12)

Fred Ballard <fredb@compuserve.com>
Sun, 4 May 1997 12:48:35 -0400
I also know nothing directly about what the Navy does, but I met someone,
now out of the Navy, who told me a story about a Navy missile-targeting
program for downing Exocet-like missiles used during the Gulf War.

He said the program initially suffered from an alarming tendency to end up
targeting the ship the hostile missile was heading towards rather than the
hostile missile itself.  To prevent the anti-missile from hitting one of our
ships, the program was changed to have the anti-missile veer off when it was
close to a friendly ship.

During the war he and some other officers spent their time during the war in
a crow's nest of a ship.  They saw an Iraqi missile coming towards their
ship, seemingly right at them.  One of our cruisers fired a missile at it
and they watched in horror as our missile veered off as programmed.
Fortunately, a nearby British cruiser had also fired a missile at it,
downing it in the nick of time.  It seems the British did learn their lesson
from their experience in the Falklands.  He said our missiles' program was
changed as fast as possible as a result of this incident.

Meanwhile, when they got to port later, they looked up the seamen from the
British cruiser and treated them to whatever they wanted to drink for as
long as they wanted to drink.

Fred Ballard  fredb@compuserve.com  Highland Park, Illinois USA


Re: James Sander's Book on TWA 800 (Wayner, RISKS-19.12)

Clark <MERRILL@stsci.edu>
Sun, 4 May 1997 18:50:53 -0400 (EDT)
The missile that all of the shoot down people say was used was an SM-2 from
an AEGIS Weapon System.  This missile will not go "looking for the target on
its own".  "Its primary mode of target engagement uses mid-course guidance
with radar illumination of the target by the ship for missile homing during
the terminal phase".  This comes from
http://www.dote.osd.mil/reports/FY95/sm2.html.  That means that the ship had
to be locked onto the 747.

There is one SM-2 that is a radar homing model, but that one locks onto
a specific type of radar and then goes for it.  Someone on the ground would
have to have it be looking specifically for a 747.

Also for this to have been a missile, a LARGE number of people would now be
involved in the coverup:

The crew of the ship that fired the missile.  It is very obvious when a
missile fires onboard ship.  The navy reports none were fired that night in
the area.

The people who did the inventory of all of the navy ships in the area
to make sure they were not missing any missiles.

The crash investigation team who have reported that all of the explosive
damage is consistent with an explosion from the inside and no shrapnel
damage that would have to be there from a missile.

The officers in the Command and Control chain who have seen the orders
that made the coverup happen.

The enlisted men who work the como gear in that C&C chain.

Does anybody really think that the US government is capable of that kind of
coverup, with that many people?

I am a former military brat who is very interested in this stuff.  Sorry for
the long rant.

Clark Merrill, Space Telescope Science Institute, Baltimore, Maryland
merrill@stsci.edu


Re: James Sander's Book on TWA 800 (Wayner, RISKS-19.12)

Pete Mellor <pm@csr.city.ac.uk>
Mon, 5 May 1997 16:59:02 +0100 (BST)
At a recent lecture here on the Lockerbie bomb disaster, the lecturer
displayed the radar recording, and explained that there were two distinct
tracks of debris, the "south track" and "north track".  These were produced
by the front section, which detached in the few seconds following the
explosion, and the rear section, which included the wings, and took longer
to come down. Many vital clues to the way in which the aircraft
disintegrated were deduced from what bits landed where.

You can learn a lot from the distribution of debris.

> But my mind may be prejudiced by the fact that there are no exact
> solutions for n-body differential equations.

It is true that in Newtonian mechanics no closed-form solution has been
found to the differential equations which describe the motion of three or
more bodies under the influence of one another's gravitational attraction,
but this has nothing to do with the scattering of debris.

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422, p.mellor@csr.city.ac.uk


Re: James Sander's Book on TWA 800 (Wayner, RISKS-19.12)

Mark Stalzer <stalzer@macaw.hrl.hac.com>
Mon, 5 May 1997 10:45:48 -0700
I have not read this book but it seems highly unlikely that you can deduce
anything about a non-explosive missile strike from the debris pattern
(unless you found a piece of the plane with a hole in it). The best public
evidence to date about the cause of the TWA 800 disaster is that the center
fuel tank exploded, and the debris pattern should be consistent with this
explosion.  A missile without a warhead simply does not have enough momentum
to change the pattern in any discernible way, particularly if it went right
through the plane.

Also, if judged by past behavior, the US Navy does not lie about shooting
down airliners. When the Vincennes downed the Airbus, the Navy admitted they
did it, held an investigation, axed the skipper, and the US government
ultimately made reparations to the families. I think we should give the navy
the benefit of the doubt if they say they didn't do it.

  -- Mark

(Incidentally, the n-body problem is solvable to any finite accuracy on a
computer.)

  [I have not been able to find a copy of the book yet.  RISKS had until
  Peter Wayner's review stayed out of the ongoing discussion, waiting for
  something definitive.  I'm still waiting.  But there are also risks
  related to the long delay in awaiting some definitude.  PGN]
