The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 24

Wednesday 16 July 1997


o Errors in California's Megan's Law sex offender CD ROM
Karen Coyle
o Website on Spreadsheet Research
Ray Panko
o "*sex" County sites blocked
Frank Carey
o Jon-Benet Ramsay case "hackers" unmasked: dead battery
Bear R Giles
o Credit-card numbers stolen from the Web
Drew Dean
o Lewis satellite downlink jammed by car alarm
George Michaelson
o Aircraft and Passenger Electronics; FMS Nav Data
Peter B. Ladkin
o Mid-air collisions
Hal Lewis
o Faulty lavatory smoke detector lawsuit
Frank Carey
o High-technology toll road six months late in Ontario
George Swan
o "DA computer chief almost loses all to clever sabotage"
James H. Haynes
o Re: MD5 weakness and possible consequences
Bear R Giles
o DEC Alpha Bug?!?
Gregory F. March
o Manual compositing of reuters news on yahoo cocks up
George Michaelson
o Calendars
Andrew R Koenig
o Follow-up to backhoe attack on cable
Cliff Krieger
o Anti-spam technology
Simson L. Garfinkel
o List of known macro viruses
Klaus Brunnstein
o Web Security & Commerce, Garfinkel with Spafford
o 7th USENIX Security Symposium, Call for Papers
Avi Rubin
o Info on RISKS (comp.risks)

Errors in California's Megan's Law sex offender CD ROM

Karen Coyle <>
Wed, 02 Jul 1997 09:38:27 -0700
California issued a CD ROM to city and county police departments this week
that lists all registered "serious" sex offenders. The CD ROM is available
to the public at those departments, where they can look up sex offenders by
description, zip code, or other characteristics. However, like many
databases, this one has a few problems, as stated in the article in the San
Francisco Examiner, 2 Jul 1997:

Much of the information about San Francisco's high-risk offenders is out of
date.  ... "I'm sure that we have lots of people who are dead or have moved
away or are incarcerated," said Lt. Tom Bruton of the San Francisco Police
department.  ...  California Attorney General Dan Lungren has acknowledged
that the CD-ROM contains outdated or incomplete information on thousands of
the sex offenders.  About 40 percent of the state's convicted offenders have
not registered, he said. "

Karen Coyle University of California Library Automation

  [The *San Francisco Chronicle*, 16 Jul 1997, Peninsula Edition, A13,
  has an article by Charlie Goodyear, in which Lungren acknowledges that 60
  to 65 percent of the address and ZIP information is incorrect.  Immediately
  after the CD-ROM was released on 1 July, they realized that juvenile
  records of four offenders had been included; new databases were
  created and mailed out.  Another revision is now being prepared.
  Incidentally, the existence of the database is driving some offenders
  underground.  PGN]

Website on Spreadsheet Research

"Ray Panko" <>
Tue, 8 Jul 1997 17:29:14 -1000
In recent years, there has been a considerable amount of research on
spreadsheets, including error rates.  The Spreadsheet Research (SSR) website
summarizes data from field audits of more than 300 operational spreadsheets
and from experiments involving almost a thousand subjects ranging from
spreadsheet novices to long-time spreadsheet professionals.  The results are
pretty chilling.  Every study that has tried to measure spreadsheet error
rates has found them and has found them at levels that are deeply
disturbing.  The URL is:

Prof. Raymond R. Panko, College of Business Administration, Univ. of Hawaii
2404 Maile Way, Honolulu, HI 96822  (808) 956-5049

"*sex" County sites blocked

"Carey, F E (Frank), NCSIO" <>
Thu, 3 Jul 1997 10:17:35 -0400
Three New Jersey counties have found that information they put up on the
Internet is being blocked.  The Newark (NJ) Star Ledger reports that
screening tools (they specifically mention the AOL tool) block access to the
Sussex County Fair, Middlesex County College, Essex County College, and the
Essex County Clerk's office.  It should be obvious what's going on.  The
string "sex" triggers blocking of these sites.  A spokesman for Net Nanny
reportedly said that most problems occur when parents rely on the broadest
keywords possible, adding that "...some people don't read the manuals."

Frank Carey

Jon-Benet Ramsay case "hackers" unmasked: dead battery (RISKS-19.23)

Bear R Giles <>
Wed, 2 Jul 1997 15:40:17 -0600 (MDT)
The _Rocky Mountain News_ had an article on 28 Jun 1997 on the unmasking of
the "hacker" who invaded the high-security "war room" established by the
local Keystones and DA.

After fingerprinting the exterior and interior of the computers, our own
Inspector Clouseau ruled out the unusually severe weather we had that
weekend.  Sitting on the edge of tornado alley (and _in_ it, recently), we
can have extremely severe weather that causes power glitches, and three
other county computers were affected that weekend.

No, after exhaustive and undisclosed tests the CBI determined that the
computer suffered from... a dead CMOS battery.  The newspaper article
implied that the police actually had the audacity to name the battery as the
_culprit_ in the case, but I refuse to believe that they've extended the
Meese Doctrine (that suspects, by definition, are guilty) to inanimate
objects.  Then again, that would allow them to arrest the garrotte and
declare the case closed.

The strange twist (as if this case could get any stranger) is that the
police yelling "hacker, hacker!" may have encouraged someone to break
into the social services computer where data on JonBenet's brother is
stored.  The second case is still under investigation.

Bear Giles

  [Also noted by Jonathan Corbet <>, who commented
    "Anything can happen when you don't understand your hardware."
  and by Laura Stinson <>, who noted that
    "Excessive paranoia about hackers and inadequate paranoia about
    systems/hardware failure seems to be the hallmark of most bureaucratic
    organizations, and often leads to hasty--and inaccurate--causal

Credit-card numbers stolen from the Web

Drew Dean <>
Fri, 11 Jul 1997 16:31:11 -0700
Over 2,300 customers of Websites EPSN Sportszone and [offspring of
Starwave] received anonymous e-mail that their credit card numbers had been
stolen.  Each message said, "You are the victim of a careless abuse of
privacy and security.  This is one of the worst implementations of security
we've seen."  -- indicating that the message was from ``an anonymous
organization seeking to make the Internet a safe place for the consumer to
do business,'' -- and included the last 8 digits of the recipient's
credit-card number.  However, no fraudulent misuse had been reported.
[Source: Web Customers Get Warning on Security, *San Francisco Chronicle*,
11 Jul 1997, C3, datelined Bellevue, WA via Associated Press.  PGN

I don't know anything else, but I'll conjecture that the problem is not
related to cryptography.  Anyone want to take a bet on a bad CGI program?
Unfortunately, too many people, including the marketing departments of
Internet software vendors, tend to confuse cryptography with security.
Firewalls are of limited help as we make more and more things work on top of
HTTP, which we then allow to pass through the firewall.  Of course, really
fixing things would cost real money, and take real time, which no one has.
The problem with computers isn't that they allow new kinds of fraud (a
burglar could just as well go through an old-fashioned file cabinet), but
that the fraud can happen on a much larger scale, and much quicker.

Drew Dean

Lewis satellite downlink jammed by car alarm

George Michaelson <>
Fri, 4 Jul 1997 16:17:25 +1000 (EST)
>From Henry Spencer's *AVWeek&Space* digest on USENET

  Space news from April 21 *AW&ST*:
  Strong signal jamming the S-band downlink at the new control center
  for the Lewis satellite traced to faulty car alarm (!).

I liked the imagery, young dude rips off the Camaro, WHAM, suddenly half of
the narrowcasting for New Jersey dies...

George Michaelson, AAPT, 123 Eagle St, Brisbane QLD 4000  +61 7 3834 9976 pty/ltd

Aircraft and Passenger Electronics; FMS Nav Data

"Peter B. Ladkin" <>
Sun, 13 Jul 1997 19:25:57 +0200
There has been some further discussion recently amongst aviation
professionals on possible electromagnetic interference with aircraft systems
from passenger electronics [PGN, RISKS-18.47; Ladkin, RISKS-19.48
]. Concerned RISKS readers might like to read two recent surveys on the
possible phenomenon:
Albert Helfrick's article, `Avionics and Portable Electronics:
Trouble in the Air?', originally published in Avionics News Magazine
and available under the Bluecoat Public Reports list at under URL
(Acrobat PDF format, 453K); and a short article I wrote,
`Electromagnetic Interference with Aircraft Systems: why worry?'
(HTML, 46K), available through my compendium, `Computer-Related
Incidents with Commercial Aircraft', section `Do Passenger Electronics
Interfere with Aircraft Systems?' at

The final report on the Cali accident (Ladkin, RISKS-18.10) cited as one of
four `contributing factors' to the accident that the Flight Management
System navigational information used a different naming convention from that
published in (paper) charts. Recommendations 1 and 7 (of 17) to the FAA
address the navigation-database issue, as does Recommendation 3 (of 3) to
the International Civil Aviation Organization: `3. Establish a single
standard worldwide that provides an [sic] unified criteria for the providers
of electronic navigational databases used in Flight Management Systems.'
Shawn Coyle of Transport Canada, Safety and Security, has written a working
paper in which he identifies a serious problem arising from the lack of
standards for industry use in flight management systems of authoritative
navigational data. Coyle's paper gives eight examples of circumstances in
which there is incompatibility between an FMS's use of navigational data for
an approach, and the regulation approach profile itself.  Coyle's paper,
Aircraft On-Board Navigation Data Integrity - A Serious Problem, is also
available on the Bluecoat Public Reports list at URL (Acrobat
PDF format, 453K).

Peter Ladkin

Mid-air collisions

hal lewis <>
Tue, 01 Jul 1997 21:34:48 -0700
I posted something on this forum in RISKS-19.11 to the effect that the
current air-traffic-control system is illogical, and increases the incidence
of mid-air collisions by constricting the available airspace to that which
can be easily controlled. In return, I got a moderate level of flame mail,
whose common denominator, some making the point with more vigor and ill will
than others, was that I was unfair to the FAA. (Some did point out that the
FAA is moving in the direction of free flight, but my fifty years of
watching the FAA and its predecessor have prevented me from holding my

The current issue of Risk Analysis (April 1997) contains an article by
someone who has done a Monte Carlo analysis on the mid-air collision
question, and has concluded that the present system increases the collision
probability by a factor of four, over random flying. I have not studied the
paper, and therefore can't vouch for the methodology, but it is there for
those seriously interested in the question.

Hal Lewis

Faulty lavatory smoke detector lawsuit

"Carey, F E (Frank), NCSIO" <>
Thu, 3 Jul 1997 10:22:30 -0400
The news on 3 Jul 1997 included an account of an Air France cabin attendant
who dragged a passenger out of the plane's lavatory with his pants down and,
in front of all the passengers, accused him of smoking in the lavatory.  The
passenger protested that he does not smoke and is responding with a
multi-million dollar law suit.  A faulty smoke detector is assumed.

Frank Carey

High-technology toll road six months late in Ontario

George Swan 7547 <>
Fri, 11 Jul 1997 16:04:35 -0400 (EDT)
There is a column in the *Globe and Mail*, 11 Jul 1997, about a new highway
completed across the north of Toronto Ontario.  Toll roads were unknown here
in Ontario.  Private industry was invited to tender proposals.  The
provincial government specified a system for collecting the tolls that would
obviate the need for cars to stop to make payments.  Frequent travellers
would rent a transponder for $2 C per month.  Occasional travellers who
don't have a transponder would pay a $1 C surcharge per trip in addition to
the regular distance fee.  Their travel would be tracked by digital cameras
that would snap pictures of their license plates.  Travellers would get a
bill in the mail.

Terence Corcoran's article says the toll system has been promised
to have been a few weeks away from readiness for six months.  So
far it has cost twice as much to develop as estimated.

Currently travellers are using the road for free.

The message for RISKS readers?  Just another demon child borne from
the courtship of boastful hype and wishful thinking.

"DA computer chief almost loses all to clever sabotage"

"James H. Haynes" <>
Tue, 8 Jul 1997 20:26:52 -0700
I'm reading this Associated Press story datelined San Francisco in a paper
published in Arkansas.  Says Ralph Minow who runs a family support computer
system for San Mateo County District Attorney.  System crashed in March
1996.  Says his assistant Paul Schmidt wanted his job, rigged the evidence
to show that Minow deliberately caused the crash.  Minow nearly lost his job
because of the sabotage; but the perpetrator made enough mistakes that he
was detected.  Says Schmidt was fired in February, and will be prosecuted if
his firing is upheld after a final hearing.  His lawyer says Schmidt is
being prosecuted for whistle-blowing.

Re: MD5 weakness and possible consequences (Leeming, RISKS-19.16)

Bear R Giles <>
Wed, 2 Jul 1997 18:20:22 -0600 (MDT)
In RISKS-19.16, Geoffrey Leeming <> suggests that it would
be computationally difficult to find two meaningful pieces of executable
code with the same checksum.

I disagree, and refer to an old hack as a demonstration of a well-known
example.  In a more innocent age if you wanted to protect a database against
casual alteration (e.g., by buggy programs which directly accessed the data),
you would compute a checksum across the entire database.  That's a cheap
test for non-malicious alteration, but it's too expensive to continually
recompute a CRC checksum across a large file.

The solution was to reserve two bytes (for a 16-bit CRC) in each record.
When the CRC of the entire database is computed this field was set to zero.
When a record was edited, the original CRC of the block was computed, then
this field was set to the value which forced the CRC for the entire record
to remain unchanged.  Since the CRC for the block was unchanged, the CRC for
the entire file also remained unchanged.

(A variant method initialized the field so each record had a known,
identical checksum.  Then all changes maintained the checksum as an

This is why standard CRCs aren't good in cryptographic applications.  If
you can write any data to 16 contiguous bits (or restricted data to a
somewhat larger block) you can force the CRC to be any value desired.

The 128-bit MD5 hash will obviously require more than 2 bytes... but it
shouldn't be too hard to find ways of squirreling small chunks of rewritable
data throughout the data.  The most obvious approach is

  static char md5hack[16];

Or you could just use "sloppy" coding practice:

  static char stealthhack[200] = "hello, world";

You could even sneak the buffer into the code segment:

  foo ();
  goto hackaround:

  /* code is irrelevant, it just takes up space in code segment
     which will be overwritten later */
  for (i = 0; i < 10; i++)
     j = i;


This then becomes a matter of determining an _efficient_ way to set the
value of the MD5 (or any) hash function to a desired value.  The brute force
method (allocate a buffer and write every possible value to it, computing
the hash function) is impractical when there are 2^128 to 2^160 possible
hash values.  But if, for example, you could reduce the problem to 4
problems with 2^32 possible hash values in each...

Of course a careful examination of executables or documents will show
dead spots or "weird" comments, but who would have the time to run such
exhaustive tests on a substantial application or document?

Bear Giles

DEC Alpha Bug?!?

"Gregory F. March" <march@BondNet.COM>
Wed, 02 Jul 1997 15:14:24 -0400
So there I am, looking at our trading system and noticing that the price of
one particular bond was different on two separate machines.  Damn, I think.
Must be a bug in the latest release of our software.  Quick, do a sum on all
the libraries.  Nope, they are the same.  Executable?  Nope, the same.
Hmm...  Step through the code, hey, look at that!  The pow() function is
returning different results!

So, I wrote a stand alone program.  Sure enough, the machine with the
latest rev motherboard (one that was just replaced by DEC) is
producing bad numbers.  Time to try 'dxcalc', DEX's X calculator.
Yup. different numbers.  How about perl?  Yup, different numbers.  How
about 'bc'?  Duh, bc doesn't take floating point powers.  Hmm... check
libm.  Nope, they are the same.

Bottom line:  DEC will be here shortly.

Test your alpha.  Try 'pow(1.234567, 7.654321)'.  If you don't get
5.017something, you have the same problem.

Risks?  In our case, could have been a large sum of money.

* Gregory F. March * * *

Manual compositing of reuters news on yahoo cocks up

George Michaelson <>
Tue, 15 Jul 1997 12:19:46 +1000 (EST)
I track 3 or 4 of the summary pages on --
which are reworked reuters news info.  Several times now, the link and
related 1-para summary has hotlinked to completely unrelated stories.  Or
are they?  The last one was a headline on the MIR commander having a heart
attack and it linked to a story on Yeltsins sex-life.

Just thinking about that one nearly gave *me* palpitations.

I suspect that the process is (a) manual (b) mindlessly boring and (c) uses
some keyword recognition process, and the person-in-the-loop saw 'russia' in
both of them and got the link wrong.


Andrew R Koenig <>
Tue, 15 Jul 1997 11:39:42 -0500
I was just browsing through the introductory pages of the pocket-sized
calendar book I use.  It has blanks for the following information:

    Telephone number (home and office)
    Fax number
    Religious affiliation
    Blood type
    Drug allergies
    Social security number
    Driver's license number
    Automobile registration number
    Insurance company
    Credit cards
    Next of kin

At the bottom of the page, it says

    In event of emergency, please notify ____________
    If this diary is found, please return to the owner.

Anyone who fills out all that other information had better not lose it...

Andrew Koenig

Follow-up to backhoe attack on cable (O'Hearn, RISKS-19.23)

"Cliff Krieger" <>
Thu, 3 Jul 1997 17:40:48 -0400
In 1973, a similar event happened at Korat Royal Thai Air Force Base and
when the US tenant tried to switch to the backup communications cable they
found that a large section of it had been stolen some time in the past.

The solution was to launch an EC-130 Airborne Command and Control Aircraft
(ABCCC) and use it to maintain communications with higher headquarters.  The
extended risk is that those who do not learn from history are condemned to
repeat it.

C R Krieger

Anti-spam technology

"Simson L. Garfinkel" <>
Mon, 16 Jun 1997 08:49:05 -0800
A little more than a month ago, Vineyard.NET, my ISP, started blocking SMTP
connections from computers on the Internet that do not have valid reverse
DNS.  We did this an an anti-spam measure.  A few days after we brought up
the new system, spamming dropped dramatically --- more than 75%!

We decided to filter against sites that do not have valid reverse DNS
because a lot of spammers do not have valid reverse DNS.  But it also seems
that we have caught up in our filter some legitimate sites that do not have
their nameservers properly configured.  Below is a list of all of the sites.

Interestingly, there are some sites below which are obviously spamming sites
(, for example). But there are also a lot of legitimate
sites as well, like,,

I'm trying to contact the postmasters at these sites to get them to correct
their systems. So far, I have sent many messages to the folks at Dow Jones,
for instance.  Unfortunately, all of those messages have been ignored.

So I'm not really sure what to do.  I like the anti-spam filter. I don't
want to start building an exception list.  And it seems that as the Internet
gets larger and larger, more and more machines are improperly administered.

Perhaps it would be simpler to just block the known spammers.            29
BANYAN.SMTP.IHS.GOV    226        229       11               38
acc                  11        77     288    456        13     58      77  2       38      154        154           2         33
hermes              10      143      238      76   1       39     98             41         1         39             77        38      77      77      18      38       21
WELCOME              153        2        1
[]           3       38
firewall            10     220           34         39      30       38             31      117

  [Incidentally, is now filtering out e-mail from sites from
  which we have been receiving inordinate numbers of spams.  This may have
  some unfortunate consequences, such as RISKS not being able to receive
  mail from some of you whose ISPs have been deemed less than helpful.
  Sorry!  The situation is really out of hand.  I'm getting hundreds of spam
  messages.  PGN]

List of known macro viruses

Klaus Brunnstein <>
Thu, 10 Jul 1997 18:30:30 +0200
SUMMARY: Macro Virus List (PC + Macintosh) according to VTC
name specification, including (PC) In-The-Wild Indication
  Vesselin Bontchev @ FSI
  Klaus Brunnstein, Uni-Hamburg
  Joern Dierks, VTC Uni-Hamburg
  Thomas Buck, VTC Uni-Hamburg
  VTC = Virus Test Center, Status: June 30, 1997
<>> Copyright (c) 1997 University of Hamburg, Germany <<<

The number of known macro viruses in June 1997 grew again significantly:
with 18 new strains 132 new viruses, growth was significantly reduced as
compared to previous months (e.g. 37 new strains with 246 new viruses in
May). Only 22 months after Microsoft shipped the first Word macro virus
(Concept.A), the 1000th macro virus was reported around June 20, 1997.

Strains with fastest growth include Showoff (+15) as well NPAD and
CAP (+12) whereas growth of Wazzu (+5) and Concept (+3) is moderate.

The "list of known macro viruses", dated June 30, 1997, reports in
detail about all known macro-related malware. Here are the essential
statistical data:
                                   Word   +   Other  =  Total    (New)
        Number of Strains           214   +      15  =    229    ( 18)
        Number of Viruses          1051   +      14  =   1065    (132)
        Number of Trojans            21   +       7  =     28    (  0)
        Number of Generators         10   +       0  =     10    (  0)
        Number of Intendeds          22   +       1  =     23    (  0)
        Number of Jokes               0   +       1  =      1    (  0)
        Remarks: (*)=(viruses+trojans+intendeds+jokes)

  [list omitted for RISKS]

This list is published monthly (normally between the 3rd and 8th of a month)
and can be downloaded via FTP from VTCs "new" WWW/FTP site:

[Long and short] lists are also available from VTCs "old" ftp site:*

Web Security & Commerce, Garfinkel with Spafford

"Peter G. Neumann" <>
Sat, 05 Jul 1997 16:28:43 -0400
  Web Security & Commerce, Simson Garfinkel with Gene Spafford
  O'Reilly & Associates, Inc., 1997, $32.95

This is a truly useful book that can help many of you avoid a lot of the
risks in Webware -- some of which have been discussed in RISKS, some of
which have not.  It is intelligently written, timely, informative, accurate,
comprehensive, understandable, and a great pleasure to read.  It becomes the
de facto definitive Web-ster's guide to Web security.

7th USENIX Security Symposium, Call for Papers (abridged for RISKS)

Avi Rubin <>
Fri, 27 Jun 1997 10:34:02 -0400 (EDT)
26-29 January 1998, Marriott Hotel-- San Antonio, Texas
Program Chair, Avi Rubin, AT&T Labs - Research
Papers due 9 September 1997
Full version of CfP at

Please report problems with the web pages to the maintainer