Anthony Catania got suspicious when his floor started to shake. For weeks, sewer diggers had been tearing up the street in front of his restaurant-supply store in Seattle. Among the deployed tools was a tunnel-digging robot "mole," a $475,000, 18-foot-long device that can chew through 70 feet of soil a day using programmed directional coordinates. The machine has been doing solid yeoman's work for years, but this time somebody programmed it incorrectly. Catania realized this when he saw 11 hard hats peering expectantly into a 30-foot-deep hole in the street, one muttering, "Our mole is supposed to come out here but we haven't seen it." Eventually recovered without damaging Catania's property, the wayward mole left behind a 700-foot hole that will have to be filled with concrete. Cost: $600,000. [Source: *The New York Times Magazine*, 1 Jun 1997, p. 25] Apparently for $475,000 you don't get any tracking! Robert J. Sandler email@example.com
On Monday 2 Jun 1997, the major national EFTPOS (Electronic Funds Transaction, Point-Of-Sale) system crashed from 10am to noon. During the two hours Electronic Transaction Services estimated about 100,000 transactions were lost. Electronic Transactions Services covers about 80% of the country's retail terminals. The failure did not effect 'hole in the wall' money machines (ATMs) (source: *Otago Daily Times* 3 Jun 1997). Regarding the estimate of lost transactions, it is worth keeping in mind many major retailers have manual backup procedures for dealing with debit cards while the system is down. In a radio interview the following day a spokesman said that there were two failures. The first was the failure that caused a processor to stop working. The second, a failure in the backup procedures that should have meant the workload of the failed processor was distributed to the company's other 7 processors. The specific causes of the failures were not known at the time of the interview. The failure took place on a public holiday which was being used as a 'sale day' by some national chains of stores. Supermarkets were open at the time, but many locally owned shops were closed for the holiday. David H.
My name is Elisabeth Arnold. As you may or may not know, I have been the victim of a massive revenge spam. I work at a small ISP in New Jersey. Recently, I pulled a spammer's account for repeated violation of our acceptable-use policy. This was 2 weeks ago. That weekend, a message was sent out by "Beth Arnold" with a bunch of gibberish and a 200k wav file of "animal sounds". This weekend, 2 separate messages were sent, one to participants in the net-abuse groups — including a 300k wav file of recordings from the activity menu of an Audix voice-mail system, and another to participants in the comp.* and rec.* groups. You may very well have received this message: > Call BETH ARNOLD at 1-800-450-5766 to order a list of e-mail addresses and > bulk e-mail software. If you got this message, congratulations. You are > on a list of e-mail addresses that we sell. You will receive many more > messages like this one. [SLIGHTLY EDITED FOR RISKS. PGN] This message was obvious flame bait, and it worked very well. I received 200 calls to my 800 number before disconnecting it. My mail server was inundated with mail bombs, returns, and complaints. My http ports were SYN attacked. And I was "ping stormed". UUNet is useless in tracking this person down. They just don't care. I would appreciate any help I can get. Thank you, Beth Arnold firstname.lastname@example.org
I monitor the Learning Organization news list as it comes into our organization. The following item just came through. Richard Karash is the manager of this news group. Here is another RISK of trying to maintain a "too protected" community with a border patrol that is not able to tell who is friend or who is foe. - Ben Torrey >We've lost all compuserve readers... LO13813 >rkarash @ karash.com (Richard Karash) @ internet >I believe that, as a result of a change in policy at compuserve, none of >our compuserve subscribers are getting learning-org mail. I have been in >touch with several to confirm this and it appears to be the case. >Here's what seems to be happening: my tech support people here at my >vendor (world.std.com) think that compuserve is blocking all mail which >is directed to multiple addresses (more than a few) at compuserve. They >are doing so to combat unsolicited junk e-mail, but the effect is to kill >mailing lists for compuserve accounts. >Until this can be changed, we probably won't be hearing much from several >of our frequent contributors. > Richard Karash ("Rick") email@example.com <http://world.std.com/~rkarash> > Host for Learning-Org Mailing List <http://world.std.com/~lo> (617)227-0106 [I sent mail to postmaster@CompuServe.com asking for a clarification and giving alternative suggestions for handling the RISKS subscribers there. As of the time of posting this issue, I have heard nothing in return; business as usual? PGN]
An article published today on the IDG Computerworld NZ site (www.idg.co.nz) detailed a "brave" new initiative in making information on individuals available on the Internet. The exact link is: http://www.idg.co.nz/nzweb/61e6.html but I wouldn't expect it will be there forever. Some of the best points are: * Netcheck New Zealand believes it is the first in the world to provide credit checks on people over the Internet. * The Managing Director will not reveal what security protects the site, but says it is secure. "We have sufficient security measures so that break-ins don't happen." * The companies using the system have to be members, and use a password to get access to the operation's database. He says member companies have to show their inquiries are what he calls 'Privacy Act compliant', meaning that they will have the signed consent of the customers they are doing the search on. * One aspect of the site which the MD believes won't be able to go ahead is the one-off searches with payment by credit cards. In practice it would have meant anyone could do a credit check on anyone else. He now says it's unlikely that will ever get started. * Conversely Baycorp, which is perhaps New Zealands biggest credit information bureau have stated that they will not be providing Internet access to their records, and their data is 40 bit public key encrypted when sent over the PSTN. * Looking at the site, the login screen is not SSL encrypted. There is no information about the rest of the site. I don't think I have to start to explain my concerns to RISKS readers. I am bemused by the "in practice this would have meant anyone could do a credit check on anyone else" - how do I know that the companies that PAY to use this service are any more trustworthy than a casual user (etc etc). Bruce Fitzsimons
This afternoon, I visited a web site that offered to help me work out how big a mortgage I could afford: http://www.halifax.co.uk/mortgage/pay.html I entered numbers to the nearest ten pounds in each box as requested, and my computer churned away computing the sum of these values. Imagine my surprise to find that the sum of a set of numbers each with a least significant digit of 0 does not sum to another number whose least significant digit is a 0. To cut a long story short, I identified the problem as the fact that I had entered 020 for one entry rather than 20. Now I don't know about you, but I think they are the same thing. Netscape (and MSIE) insists however that 020 is actually equal to 16. Ok so I realised quickly that the the number was being viewed as octal (I tried 0x... and that makes the input hexadecimal), but that's because I know what octal is. I would certainly never consider using it to enter an approximation of my monthly telephone bill on a web form. The reason I had entered 020 in the box, was that it contained 0 by default, and I had added my 20 to the end of the string when I typed it, rather than replacing the 0 with 20. I feel sure that more users of the web will get caught with this trap, than there will be users who are angry about not being able to enter numbers in octal. Chris Clarke
Date: Mon, 2 Jun 1997 13:09:01 -0700 (PDT) >From: Quinton Jansen <firstname.lastname@example.org> To: email@example.com Subject: Java has a similar problem to the 2000-year problem "TIME IS ON JAVA'S SIDE (*Information Week*, 19 May 1997, p. 12) Sun Microsystems acknowledged last week that the Java programming language has a year-2000-like date error: It will run out of dates in the year 292271023. Yes, that's roughly 292 million years from now. James Gosling, creator of Java, insists a team of engineers is rushing to fix the problem. "We can't be certain Java will be around that long," he kids, "but then again, we can't take any chances." In case you were wondering, the year 292271023 is the estimated date for the year 2000 fix at the IRS."
This morning's IWAR Situation Report contains information about an attack on the electric power infrastructure in California. Although the attack used conventional weapons, it is one of the first attacks on the power infrastructure possibly linked to a political situation. Surf over to: http://www.iwar.org, log in, and get a password. [...] Betty@infowar.com, Assistant to Winn Schwartau [Over 60 rounds were fired at a Pacific Gas and Electric substation in Redwood City, CA, knocking out power in the area. A Confederate flag and a newspaper with the headline of the McVeigh's guilty verdict were found on the fence surrounding the facility. PGN]
Federal prosecutors have indicted 17 individuals for their involvement with an Asian organized-crime syndicate responsible for armed robberies in May 1995 of more than $10 million worth of Intel Pentium chips from two companies in Orange County, California. (*The New York Times*, 4 Jun 1997)
We recently installed a new security system for our computer room door. This requires you to type in a 5-digit code to release the lock. Several codes are in use, for software people, telephone technicians, cleaners, etc. The system allows certain codes to be defined as "privileged". If a privileged code is preceded by a press on a button marked "L", the door will thereafter be open for all. If it is preceded by a press on "R", the door will be closed for all except privileged codes. However, the designers of the circuitry forgot to build in a timeout. If someone presses "L" or "R" inadvertently (perhaps immediately after having typed their code - the buttons are rather small and easy to press by accident), and the next person to enter the room (which might be 60 hours later, on Monday morning) uses a privileged code, the "L" or "R" will be activated. There is a brief flash of an LED when this occurs, but I doubt if anyone other than the service engineer is likely to work out what it means at the time. We contacted the suppliers of the lock, who to their credit understood and acknowledged the problem and have promised to fix it, but said we were the first to report it. Maybe we're just clumsy, but we've hit the problem six times in as many weeks. Perhaps other customers are locked out and can't get to a phone. The risks are reasonably obvious: a malicious person could gain untraceable entry by systematically pressing "L" after entering his or her access code, and eventually a privileged user would be the next to turn up; or, someone could accidentally press "R", and after the next (privileged) person entered the room and went on three weeks' vacation, we'd be looking for someone with cutting gear. Nick Brown, Strasbourg, France
We've had a large number of the automated hangups that Thomas Brazil identified. Dialing *69 didn't work (we'd get an automated message telling us that we couldn't dial back to that number). The operator gave us an interesting theory. Apparently, it's the result of faulty equipment at telemarketers. The telemarketers have equipment which dials numbers and listens for an answering machine. If an answering machine is identified, it hangs up. If a person answers the phone, the call is transferred immediately to an operator (who sees your name appear on their computer screen). The operator tells us that the equipment used by the telemarketers doesn't do a very good job of identifying people on the phone and they hang up on a lot of people. I suppose it's better for them to hang-up on people (who don't know who they are!) than to waste their operators time talking to machines. Kevin McCullen
The mention of enterprise.net in RISKS-19.17 and RISKS-19.18 caught my attention as I had recently had an unrelated "problem" with them. One of our customers reported that as of Thursday, May 31, he was unable to bring up a web page from the server at homepages.enterprise.net. At the time, I hadn't caught up on my RISKS reading and didn't know anything about it other than my observation that once my traceroute packets hit the CRL backbone, they were unroutable. We chalked this one up as another CRL/Sprint/BGP mystery since we had implemented dual-homing with BGP only a few days before and routing to enterprise.net through Sprint worked fine. Along come the RISKS articles saying that enterprise.net was involved in a spam incident. Putting the pieces together, we surmise that CRL is still advertising the route but is denying transit through their network. (We have no proof since CRL made no announcement that such an action would be performed.) By applying such blanket censorship to an entire network, CRL is not allowing legitimate traffic through and by offering no explanation of their actions, they've created confusion among their customers. As a workaround, we have added an ad-hoc static route to our main router so that traffic destined for enterprise.net gets sent via Sprint. Barry
Anonymous Harassment on Net Eludes Florida Law Two Florida men who had been arrested for anonymous harassment on the Internet have now been released. A chief assistant state attorney in Florida explains: "It's simply not criminal under statute in the state of Florida. I'm not condoning this activity. All I'm saying is that I'm left powerless to do anything about it." The two men are 19-year-old former high school students who had used a Web site to allege that a teacher and student at their school were engaging in homosexual relations. The statute cited in the men's arrest prohibits anonymous publication of material that holds a person up to ridicule or contempt; however, the Florida state attorney's office concluded that the statute is an unconstitutional infringement of the right to free speech. (*St. Petersburg Times*, 31 May 1997, Edupage, 1 June 1997) Edupage is written by John Gehl <firstname.lastname@example.org> & Suzanne Douglas <email@example.com>. Voice: 404-371-1853, Fax: 404-371-8057.
Quoted from http://www.twa.com: "Welcome aboard the TWA ... WebSite! ... you can personalize your experience ... to meet your individual travel needs and interests ... by simply entering your name and a password in the box below and clicking on the Sign in button. (We suggest that you use your E-mail address or some other unique password that is easy to remember)." Ken Knowlton
In RISKS 19.20, "cooler" mentions the Microsoft sidewalk site (http://www.newyork.sidewalk.com/) as a way for Microsoft to sell "your e-mail address together with any demographic data they might gather about you". The way this gathering is done is a lot less insidious (i.e., invisible to the user) than one might think after reading Mich's article. On the abovementioned page, there is a link called "Customize Sidewalk Now!", but the URL is called "membersurvey", which seems a lot more appropriate. It enables the user to "Get the information that's most interesting to you". After registering of course, thus providing all "Locator information" (see below for MS's definition of this) voluntarily. It's interesting to note that the "Terms and Conditions" are not mentioned or referred to on this registration page... As for these terms and conditions, somehow the definition of "Locator information" (which MS also allows itself to share with "other parties") was omitted from RISKS 19.20: "Locator information" consists of a user's name, e-mail address, physical address and/or other data about the user that enables the recipient to personally identify the user. Any user who does not wish to receive any special offers or communications from Microsoft on behalf of suppliers, or directly from Microsoft or its affiliates, may so notify Microsoft at the listed below under SERVICE CONTACT. So MS can basically do anything they want with your demographic information, unless you just happened to read the Terms and Conditions and told them specifically to leave you alone. That reminds me a bit of mail-spammers offering to remove you from their list if you send them an e-mail. How very considerate of them. Marnix Arnold (disclaimers...) [In response to an earlier comment, I had previously inserted the missing text into the archive copy of RISKS-19.20. PGN]
Back in RISKS-18.95, Mich Kabay cited an article that appeared in March in the (Toronto) *Globe and Mail*: > Officials have decided that the Internet will face the same rules as other > news media when it comes to disseminating public opinion polls within 48 > hours of election day and releasing vote results early on election night. And in RISKS-19.05, I called it bizarre that they were deciding this only now. The reason turns out to be that there is a new law this year with wider prohibitions on poll results, and that's what was being discussed. It looks as though it was a mistake to introduce this law in the winter: it contains a daylight saving time bug! The problem is that most of the country observes DST, but not all: in Saskatchewan (well, almost all of it) they keep Central *Standard* Time all year. So when DST is in effect everywhere else, the table in RISKS-19.05 REALLY reads: Time zone Local time Pacific Time NDT 8:30 4:00 ADT 8:30 4:30 EDT 9:30 6:30 CDT 8:30 6:30 CST 8:30 7:30 MDT 7:30 6:30 PDT 7:00 7:00 and so, when the election was held yesterday, it was the results from Saskatchewan, of all places, that were the last to come. One hopes the government will take the time to debug the law before the *next* election. (Okay, so it's not a computer bug. But legislation is, after all, a kind of programming too — it's just executed on rather different hardware. And it's subject to the same kind of requirements of accuracy and precision.) Mark Brader, firstname.lastname@example.org, SoftQuad Inc., Toronto
Actually, it was "The Duck World: Jurassic Pond", which scans slightly better. I mirrored a copy of the hack at <URL:http://www.sub-rosa.com/handler/lost-world-hack/>, for those who missed it. >* Alan Sutton, Universal Studios vice president for distribution and > marketing, said he thought prank was amusing and done in a spirit of fun. >* Universal plan to improve their security. Hacking web sites isn't that difficult for anyone with access to the regular bag of cracker's tricks; it's rumored that the CIA web page hack some time back was via poorly checked NFS export options... It's nice to see a web hack with subtlety and a sense of humor, though. ;) Michael Handler <email@example.com> * Sub Rosa * Washington, DC [Also commented on by David Schachter, Lloyd Wood (with an oft-forwarded item from http://netlynews.com), Joe Buck, and Jeffrey Young. Jurassic Duck is the third bogus-hack report in a week, after AT&T WorldNet and the yet-to-awaken LAPD.org. PGN]
Lance Hoffman makes some excellent points about the Murkowski bill. In its present form, the Murkowski Bill legitimizes spam as long as it is tagged with the word "Advertisement" on the subject line of the message. The bill also proscribes verifiable e-mail routing and then *requires* that ISPs install filtering systems for their customers or face being sued and fined by the Federal Trade Commission. This approach, while well-intentioned, forces consumers and their internet service providers to do all the hard work — making ISPs and their customers bear the costs of the spam. This approach has been likened to legalizing burglary while penalizing you for not having the right locks on your doors. This may also explain why the Murkowski bill is vigorously supported by the junk e-mailers. On the same day Murkowski introduced his bill, Rep. Chris Smith (NJ) introduced a bill that would add e-mail to the existing law restricting junk faxes. The Smith bill gives consumers a private right of action against spam: $500 for *each* of the unsolicited messages they receive. (And if the court believes that the spammer "willfully" or "knowingly" violated the law, the damages are tripled.) The junk fax law has worked extremely well, it has survived many court challenges, and it has cut the junk fax problem off at the knees. The Smith bill doesn't attempt to proscribe technical standards for mail delivery and it places enforcement in the hands of the consumer, not in the hands of any government agency. Smith's bill incorporates much of the language offered by CAUCE, the Coalition Against Unsolicited Commercial E-mail, an ad hoc volunteer organization of ISP operators, system administrators, mailing list owners, and spam fighters. You can see copies of the Smith bill and his introductory floor statement at <http://www.cauce.org>. Ray Everett-Church, Esq. <firstname.lastname@example.org> www.everett.org/~everett
I have seen some messages on this newsgroups of the dangers of e-mail aliases, and I recently had two scary experiences. I worked at Bellcore last year, and I was used to sending e-mail to users by including only their userid in the mail address. Now I am at AT&T. I sent a long, very sensitive message to one of my co-workers at Bellcore, and out of habit, I only used the userid. Well, it turns out that this id is an alias at AT&T, and my message went to a group of people that should not have seen it. I am currently doing damage control. I quickly imagined how much worse it could have been if certain names were included in that alias. The other incident was similar. I had aliased Stuart Haber to his new e-mail address, email@example.com. Then, when I got to AT&T, I sent a message to Stuart Stubblebine about a project we were working on. Unfortunately, I had stuart aliased, so the message went to Stuart Haber instead. Fortunately, S. Haber realized that the message was not intended for him, and quickly notified me of this. S. Stubblebine meanwhile, had not received a message, which I had promised him by a certain time. This problem was quickly fixed, but the potential for what errors like this could lead to makes me sweat. I now make it a habit to grep an alias out of my .mailrc file before I send it mail. (yes, I still use regular Unix mail for the most part) I supposed more modern mailers print out the name of an alias before sending the mail, but that would not have prevented the first problem I had above, where the alias was a system alias, which was used because there was no userid at AT&T for my colleague at Bellcore. Avi Rubin
Please report problems with the web pages to the maintainer