The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 32

Wednesday 20 August 1997

Contents

o Channel Tunnel Closed
Boyd Roberts
o "Neverlost"? Think again!
Martin Minow
o Can Y2K problems be cured by executive fiat?
Matt Wartell
o Re: SET risk
Phillip M. Hallam-Baker
o Re: Plane crashes into power lines near Los Angeles
Bob Ratner
o Re: Ctrl-Alt-Del and Wordmail
Jay R. Ashworth
o Door entry has surprising failure modes
Nathan Sidwell
o Unprovoked threatening spam from Samsung's Lawyers
Sean Matthews
o Re: e-mail spam equivalent to computer cracking?
Martin Gleeson
George C. Kaplan
Mark
o Re: A risk of not preventing spam relay
Keith Lynch
John Line
o Re: No Surfing on the Senate Floor
Alan M. Hoffman
Doug Mitchell
Charles Tompkins
Dave Kristol
o Info on RISKS (comp.risks)

Channel Tunnel Closed

Boyd Roberts <boyd@france3.fr>
Wed, 20 Aug 1997 17:32:37 +0200
The Channel Tunnel has been closed in both directions since early afternoon
(Weds 20 Aug 1997).  The reason for the closure is that several alarms
had been set off for a yet undetermined cause.  [Source: AFP]


"Neverlost"? Think again!

Martin Minow <minow@apple.com>
Tue, 19 Aug 1997 19:58:57 -0700
*The New York Times* "CyberTimes" section has an article describing
adventures with a satellite navigation system installed in a rental car.
The system, *Neverlost*, was not always helpful.  Of course, the author was
using it in Boston, ``land of streets made from cow-paths and drivers made
from pure adrenaline.''

<http://www.nytimes.com/library/cyber/compcol/081997compcol-manes.html>

Martin Minow  minow@apple.com


Can Y2K problems be cured by executive fiat?

"matt wartell" <msw@fore.com>
Tue, 19 Aug 1997 10:42:23 -0400
Reuters News Service (18 Aug 1997) quotes President Clinton as follows
in a speech at the National Archives on 15 Aug 1997:

  We can't have the American people looking to a new century and a new
  millennium with their computers, the very symbol of modernity in the
  modern age, holding them back and we are determined to see that it doesn't
  happen.  ... I want to assure the American people that the federal
  government, in cooperation with state and local government and the private
  sector, is taking steps to prevent any interruption in government services.

However, a July 1997 OMB report noted that 71 percent of the government's
``most important computers'' were yet to be repaired or replaced.

  [... but there are still 2.365 years left!  PGN]

http://www.yahoo.com/headlines/970818/wired/stories/clinton_1.html


Re: SET risk (Svigals, RISKS-19.31)

"Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
Wed, 20 Aug 1997 13:44:11 -0400
> There are more than 50 other card security products available for Internet
> usage. They are generally simplier, faster, and avoid the SET exposures
> identified above.

I'm somewhat surprised by the inclusion of the above comment as a 'risk'; it
presents risks that are well known as if they had been recently discovered
serious flaws, which they are not.  Indeed, Nathaniel Borenstein of First
Virtual pointed out the same problem about two years ago.

The purpose of financial cryptography is to control, not eliminate, risk.  I
am familiar with the details of more than 75 Internet payment schemes.  The
credit-card associations chose SET for sound reasons, like SIPPS and
iKP/SEPP/SET before it, SET avoids the compilation of plaintext databases of
credit-card numbers and authentication details by merchants.

Absent the use of a 'smartcard' or similar protected memory product there is
no way to ensure that financial software has not been suborned.  This is a
particular problem when unsecure operating systems such as DOS, OS/8,
Windows 95 are in use.  The commercial reality however is that such systems
have to be supported, and in any case there is no point in requiring
hundreds of dollars to secure each Internet credit-card user when the
standard credit-card security system is so weak.  Using a password that is
presented to every merchant en-clair is hardly state of the art.

In time it is likely that additional security measures will be justified.
These are likely to start with the replacement of the plastic credit card
itself with a smartcard of some description.  SET was specifically designed
to facilitate this.  Merchants will probably be offered some form of
discount for using an interface device sealed in a tamperproof box at some
point.

SET was certainly not presented as a solution to all forms of financial
transaction risk.  It is a flexible platform however and can be extended.
It is probably quite possible to eliminate all conceivable risks in the
first revision of the protocol.  To do so would introduce additional
complexity and reduce options for dealing with unanticipated risks however.

The point of SET is not just to protect credit-card numbers, it is to allow
a move away from a system so dependent on them for security in the future.

Phill


Re: Plane crashes into power lines near Los Angeles (RISKS-19.29)

"R.S.Ratner" <ratner.r@svpal.org>
Wed, 20 Aug 1997 12:04:02 -0700
This brought to mind a project I did years ago at SRI for a major US
Airline, which explored vulnerabilities of their IT operation, inter alia.
We found that a tug or barge going out of control on a nearby river and
taking out a bridge would bankrupt the airline!  The reservation
communications lines all came from a single telephone company central office
-- across the river.  Estimates for minimal bridge construction were 90 days
on an emergency basis, but 20 days without reservations capability would
bankrupt the airline.  They immediately put in a backup microwave link, but
I wonder how many other businesses are in similar risk positions today.

Bob Ratner


Re: Ctrl-Alt-Del and Wordmail (RISKS-19.31)

"Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us>
Wed, 20 Aug 1997 15:47:16 -0400 (EDT)
>Wordmail is an example of the extensibility of Exchange; actually anybody
>can build an editor and hook it into Exchange as an Email editor using MAPI.

Well, yes, but this wasn't what the original poster was complaining about.
The point is that it's a custom, certainly, if not a standard, that the
primary intelligence contained in an email message be in text, accessible to
_any_ mail program, including this one I run here on my VT100.

His assertion was that what Exchange was doing was putting that primary
intelligence _in an attachment_, _in a proprietary format_, and leaving the
main body of the message _empty_.

If his assertion is incorrect, so be it... if not, then the design of
that system is poor, in todays environment... because people will come
to depend on it internally, and then be unpleasantly surprised when
they send mail to correspondents outside the company, who can't _read_
the messages.

Why is this feature so useful, anyway?  If Word could save these
documents in some standard interchange format, like HTML, for example,
in a proper multipart/alternate format, that would be another story,
but I gather that that is _not_ what it's doing...

And which format of Word are you running, anyway?  :-)

The RISKS are obvious: assuming that what Microsoft thinks is good for you,
actually is.

Jay R. Ashworth, Ashworth & Associates,  +1 813 790 7592
jra@baylink.com http://rc5.distributed.net


Door entry has surprising failure modes

Nathan Sidwell <nathan@bristol.st.com>
Mon, 11 Aug 1997 14:52:21 +0100
My work place has recently moved to a new building. The new place has
magnetic swipe cards which are used to gain entry to the building. One
swipes the card through a reader and then types in a 4-digit PIN to unlock
the door. The keypad has three lights, red, yellow and green, to indicate
its state. The yellow light is on when you are expected to enter a PIN, the
green light when the door is unlocked, and the red light when the wrong PIN
is entered.

The card does not indicate which building it is for, only giving the mailing
address of the company which provides the entry mechanism. So it would not
be obvious to anyone finding such a card as to which building they could now
enter. Thus having to type a PIN, in addition to swiping the card, is an
annoying additional security measure. However, to identify the card it has a
unique 4 digit number on it. Stunningly, the access PIN is VERY closely
related to this number -- given a card, one can derive the access PIN, even
a five year old could do it! Thus the additional security of the PIN is
useless -- if one did know which building the card was for, one might well
know how to determine the PIN.

One morning, as I was entering from the car park, I swiped the card and
started entering a PIN. But I'd started entering the PIN for a different
card. I noticed my error before completing the 4 digits, and as one simply
remembers PINs by the pattern thay make on the keypad (well I do, at least),
I didn't know how many digits I'd typed. No problem, I thought, I just swipe
the card through and that will reset the lock, so I can type the right
number. This I do, but the door remains locked. Confused by this, I
carefully swipe the card through, notice that the yellow light flickers off
and on (as it normally does when you swipe), and carefully retype the
PIN. Part way through, the red light flickers. The door remains locked.

Now I figure out how the lock works:
1) Reswiping the card does not reset the keypad, in spite of indicating
otherwise, by the lights changing.
2) Entering the wrong PIN is not a sticky error mode. It is not cleared
only by swiping a card through. Pressing a key will also reset the key
sequence. So you cannot tell that an error occurred in a sequence, by the
final state of the lights.

All I need to do now is carefully press keys until I see the red light go on
(I must still be part-way through a sequence). Then I can reswipe the card
and type in the correct key.

This I do, only to still be denied entry. Arrgh! After three failures, the
system invalidates your card!

So here I am in the carpark, locked out of the building, when I discover
this door does NOT have an intercom on it to call reception (unlike the
others). I have to leave the carpark (fortunately I don't need the card to
do this) and walk round to reception to explain the problem. They do not
seem to appreciate the problem -- that the failure modes on the entry
mechanism are 'surprising'.

I also discovered another failure mode. While trying to call reception from
the carpark, I noticed that in addition to having the digits 0-9, there are
two buttons labeled A and B. These seemed to serve no function, except that
simultaneously pressing both lit the green light.  Unfortunately for me,
this wasn't some kind of override, as the door remained unopenable, inspite
of the keypad indicating otherwise.

It is depressing that the high tech replacement for the humble key, fails so
spectacularly.

Dr Nathan Sidwell, Chameleon Software Group at SGS-Thomson nathan@acm.org
http://www.pact.srf.ac.uk/~nathan/ nathan@pact.srf.ac.uk nathan@bristol.st.com


Unprovoked threatening spam from Samsung's Lawyers

Sean Matthews <sean@mpi-sb.mpg.de>
Tue, 19 Aug 1997 14:54:13 +0200 (MET DST)
A new development in the spam wars?  I was away from my machine for
the last fortnight, and set up my vacation program to reply to any
mail with a brief `I'll get back to you' message.

When I got back, I found in my mailbox an aggressively nasty message from
Samsung America Inc.'s lawyer (Russell L. Allyn, Attorney at Law, SBN
143531, of Katz, Hoyt, Seigel & Kapor, Los Angeles), which included, among
many things, the following (complete) paragraph:

> Your email name was provided as being suspected of
> connection to various acts of internet terrorism.  Your acts
> are illegal.

For the curious, full text, with abuse and threats, is at
http://www.mpi-sb.mpg.de/~sean/Samsung; it makes amusing reading. I'm
not sure if it is legally correct even in L.A., never mind in Germany
where I received it. Certainly that last complete sentence quoted
seems, to put it mildly, very sloppy on the part of Mr. Allyn.

Apparently some idiot at Samsung America spammed the net at the
beginning of the month with a message which I deleted without even
bothering to read.  The person qualifies as an idiot not for spamming
the net (which makes him merely offensive), but for leaving the
reply-to field set to Samsung America's address and thus providing an
barndoor sized target for anybody with a grudge about junk email.

After the mail bombs arrived, it seems the lawyers gathered the
addresses of all the replies together and bombed back.  I got caught
in the crossfire.  I wonder if any of the hinted legal actions
possible against mailbombing are applicable to unprompted threats of
legal action delivered by email?

Sean Matthews, Max-Planck-Institut fuer Informatik, Im Stadtwald, 66123
Saarbruecken, Germany +49 681 9325 217  http://www.mpi-sb.mpg.de/~sean/


Re: e-mail spam equivalent to computer cracking? (Gilham, RISKS-19.31)

Martin Gleeson <gleeson@unimelb.edu.au>
Wed, 20 Aug 1997 11:49:59 +1000
> [Perhaps some of our Australian readers can say
>  whether any of *their* laws were violated!  PGN]

There has been some discussion as to whether or not our laws cover spam in
general, but I believe they're as clear as US law when it comes to this
particular method of masquerading. The relevant part of Australian law is:

    The Commonwealth Crimes Act 1914 (as amended). Section 76E was added
    under the Section 9 of the Crimes Legislation Amendment Act No. 108 of
    1989.

    CRIMES ACT 1914 - SECT 76E Damaging data in Commonwealth and other
    computers by means of Commonwealth facility
      76E. A person who, by means of a facility operated or provided by the
           Commonwealth or by a carrier, intentionally and without authority
           or lawful excuse:
           (a) destroys, erases or alters data stored in, or inserts data into,
               a computer;
           (b) interferes with, or interrupts or obstructs the lawful use  of,
               a computer; or
           (c) impedes or prevents access to, or impairs the usefulness or
               effectiveness of, data stored in a computer;
           is guilty of an offence.
    Maximum penalty: Imprisonment for 10 years.

When "inserts data into" in clause (a) is related back to "intentionally
and without authority", I think such masquerading falls within the intent
of the law.

    The lack of physical presence within the borders of Australia do not
    excuse the sender from being bound by our laws when it comes to computers.

    CRIMES ACT 1914 - SECT. 3A. Operation of Act.

      3A. This Act applies throughout the whole of the Commonwealth
          and the Territories and also applies beyond the Commonwealth
          and the Territories.

    Our laws allow a trial to occur "in absentia" where the Justice feels
    that such is in the best interests of the Crown. He or she may also
    issue a warrant for the arrest of the sender and initiate extradition.

I send this along with the applicable US code in response to spam to the
abuse and postmaster contacts along with the spammer. Thanks to Karl
Ferguson <karl@tower.net.au>, who allowed me to use it.

Martin Gleeson, Webmeister, Information Technology Services, Univ. of Melbourne
+61 3 9344 7407 gleeson@unimelb.edu.au http://www.unimelb.edu.au/%7Egleeson/


Re: e-mail spam equivalent to computer cracking? (Gilham, RISKS-19.31)

"George C. Kaplan" <gckaplan@ack.berkeley.edu>
Wed, 20 Aug 1997 10:34:35 -0700
As it happens, I have some recent experience configuring mail software to
deal with spam relaying.

> ibm.net site that masqueraded as satech.net.au so it could relay the
> message through satech.net.au's SMTP server.

Actually, satech.net.au wasn't fooled by the masquerade.  They looked up the
IP address of the ibm.net host to determine its hostname, as shown in the
header:

> Received: from satech.net.au (slip166-72-12-169.us.ibm.net [166.72.12.169])
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Why did they relay the message?  Probably because they don't
discriminate: their mail system is configured to relay any message
that's received.  (See below for a possible reason).

> Isn't this in violation of the U.S. federal law ...

I'll let the lawyers talk about the legalities, but it sure seems like
unauthorized use to me.  That's why the systems I manage at UC Berkeley (a
very small number of the thousands on campus) will relay mail only for which
the sending host or the recipient is within the Berkeley.EDU domain.

But a lot of sysadmins on campus are reluctant to do this kind of filtering
because many of their users routinely use outside ISP's to access the campus
network from home or while traveling.  These users point their mail software
at their campus mailservers, and legitimate email to off-campus addresses
would be blocked if the mailservers didn't relay.

We don't yet have a simple way to block the spammers while allowing specific
users to relay mail through our systems.  And retraining thousands of
not-very-technically-savvy users to use their ISP's for mail relays would be
a major task.

George C. Kaplan, Communication & Network Services, University of California
  at Berkeley 510-643-0496 gckaplan@ack.berkeley.edu


Re: e-mail spam equivalent to computer cracking? (Gilham, RISKS-19.31)

<mark@leasion.demon.co.uk>
20 Aug 1997 17:46:51 -0000
The point is that even though box.net.au did actually correctly identify the
sending machine, by DNS lookup. It still accepted the information it was
given, presumably via the SMTP "HELO" command. The risk here would be more
of the sysadmin who dosn't configure their machines correctly.

: Isn't this in violation of the U.S. federal law ...

This would depend on such laws applying only to the access and not giving
any restriction as to where they are accessing.

: Why isn't the sender guilty of a felony ...

Again the same potential problem if the laws have been written with the
assumption that the cracker is in the same country as their target.


Re: A risk of not preventing spam relay (Glatting, RISKS-19.31)

Keith Lynch <kfl@clark.net>
Wed, 20 Aug 1997 01:22:10 -0400 (EDT)
In RISKS-19.31, Dennis Glatting reports having blocked all e-mail from a
site after having gotten just one spam that was apparently from that site.
That's the biggest RISK of spam in my opinion.  It cuts us off from each
other.

* Filters meant to discard spam often discard legitimate e-mail.

* People who realize that much e-mail is discarded unread are less
  likely to take the time to write informative e-mail, since it
  will very likely never be seen by the recipient.

* People who know where spammers find e-mail addresses are likely
  to stop posting useful messages to newsgroups or mailing lists,
  and are likely to ask that all their past messages be removed from
  any online archives.  Or they may post using a fake address, making
  it impossible for them to receive legitimate replies.

* Archivists may get disgusted at the number of people asking to be
  removed, and may shut down their archive.

* People have been falsely accused of spamming, and unjustly punished.

* Newsgroup posters who post under a fake address and direct all replies
  -- including ones not of general interest -- to the newsgroup, cause
  newsgroups to fill with junk, causing people to stop reading them.

* So does newsgroup spam, which has already rendered numerous newsgroups
  totally unusable and abandoned.  On several, I've checked 100
  consecutive messages and found that every one of them was spam.
  Starting over with a new newsgroup doesn't help, since spammers
  will take over the new one too.

Our moderator reports that he [*] rejects all e-mail from sites on which
there are lots of spammers.  [Not me; our entire site is being subjected to
spams, and our Admins decided that is the only thing we can do at the
moment.  PGN]  That's a perfect example of what I'm talking about.

Spam is rapidly making the net unusable.  It's as if you spent the day in a
business meeting, a hobby club meeting, a PTA meeting, and an author talk at
a bookstore, only to have every event repeatedly interrupted by outsiders
who read a commercial pitch (probably for a pyramid scheme or a quack
remedy) then leave without listening for replies.

I wouldn't be surprised if the true costs of spam are already in the
billions of dollars, mostly in lost opportunity costs.  In return for which,
perhaps a half-dozen people are making a mediocre living, mostly by selling
spamming services to the gullible and larcenous who can't believe that if
they send one-million ads for an MLM or credit-repair scheme, they will
probably get fewer than ten positive responses.
   [Perhaps some of them actually do get tons of responses?  PGN]*typos fixed

Keith Lynch, kfl@clark.net  http://www.clark.net/pub/kfl/
I boycott all spammers.


Re: A risk of not preventing spam relay (Glatting, RISKS-19.31)

John Line <jml4@cus.cam.ac.uk>
Tue, 19 Aug 1997 19:45:51 +0100 (BST)
> who I'll call foo.com. ...

This serves as a reminder to be careful about choosing dummy placeholder
names. foo.com is a real domain (exists in the DNS), as are bar.com,
foobar.com, foo.org, bar.org, foobar.org, example.com, dummy.com,
badguys.com,... You get the idea. A lot of "obvious" dummy names actually
exist as valid domain or host names.

There are at least two sorts of associated risk -

 * the risk of legal (or other) action in response to defamatory comments
   which used a dummy name (that happened to exist) to hide the identity
   of the domain actually being criticised, or other unwelcome (mis)uses
   of real domains (e.g. perhaps using "foo.com" as a dummy name in
   documentation that was unconnected with the real foo.com).

 * the risk of inadvertently allowing access to your own systems, or causing
   unwelcome network connections to remote systems, by failing to remove
   or comment out example entries in sample software configuration files
   which refer to "imaginary" systems or domains which just happen to exist
   (now, even if the authors of the examples checked and found the names
   were not in use when the examples were written).

John Line - Cambridge University Computing Service, New Museums Site,
Pembroke Street, Cambridge CB2 3QG, England jml4@cus.cam.ac.uk +44 1223 334708


Re: No Surfing on the Senate Floor (Spainhower, RISKS-19.29)

"Alan M. Hoffman" <ahoffman@sprynet.com>
Tue, 12 Aug 97 12:52:11 -0400
How does this demonstrate technological incompetence?  My school does not
allow laptops in the classrooms because the sound of typing is distracting
for the other students.  Furthermore, I guess I would be a little irritated
to think my Senator was receiving "real time analysis" of pending
legislation and ongoing debates via email from highly-paid lobbyists and
campaign contributors.  It's nice to think that the Senate is thinking long
and hard about the RISKS of upgrading their technology.


Re: No Surfing on the Senate Floor (Spainhower, RISKS-19.29)

Doug Mitchell <dmitchel@traveller.com>
Mon, 11 Aug 1997 22:54:08 -0500
Several years ago in Alabama, the State House of Representatives passed a
rule barring computers on the House floor.  (Ironic that the one technology
issue that Alabama is in the lead on is in barring the use of technology).
According to the press reports of the time, there was only one
representative who was using a laptop at the time, so the rule could be
reasonably interpreted as directed at him.  Apparently, the prevailing
opinion of this representative among his colleagues was best described as
the north end of a south bound mule.  I have no idea if this applies in this
case.

The risk:  Even with high-tech, you still have to be nice to people.


Re: No Surfing on the Senate Floor (Spainhower, RISKS-19.29)

Charles Tompkins <TOMPKINSC@NDU.EDU>
Wed, 13 Aug 1997 09:11:21 -0500
What I find more disturbing is an apparent lack of understanding that the
Senate is supposed to be a deliberative body where members listen to and
debate issues of the highest national policy.  Regrettably, IMHO members
already spend too much time off the floor, reading, posturing for the press,
etc., etc.  Notebook computers have no more business on the Senate floor (or
many other places where human interaction is key, e.g., courtrooms) than
cellular phones - for the same reasons.  The RISK is to civility and the
deliberative process.


Re: No Surfing on the Senate Floor (Spainhower, RISKS-19.29)

Dave Kristol <dmk@bell-labs.com>
Wed, 13 Aug 1997 11:10:57 -0400
In RISKS-19.29, R Spainhower <rs@world.std.com> castigates the U.S. Senate
for disallowing laptops on the Senate floor.  But I think the issue is more
complicated than just technophobia.  My comments are based on hazily
remembered information from an August 11, 1997, National Public Radio story
on "All Things Considered".  (The audio is available on-line at
<http://www.realaudio.com/rafiles/npr/password/nc7A1101-4.ram>, but
unfortunately I can't listen to it (again) from within our firewall.)

The Senate is a very tradition-bound place.  Right now senators may not
carry pagers or cell phones on the Senate floor.  Furthermore, access to
them by aides, etc., is very much limited.  The idea is for the Senate
to be a deliberative body, free from external distractions.

Imagine the potential distractions of having laptops.  Trying to look up
information while other Senators are speaking (and thus not closely
following the argument the speaker is making.)  Senators playing
solitaire or Maze Wars. Senators exchanging email with each other or
with their staffs via wireless networks.  (And imagine the interesting
security implications of that!)

My first reaction to the flap was like R Spainhower's.  But after some
contemplation, I'm willing to let the Senate remain a body for
deliberation and discussion, without electronic intrusion.

(Oh, and I'm just as cynical as the next person about how well the Senate
actually performs its deliberative function, but its not clear to me that
allowing electronic gadgets on the floor would make things better.)

Dave Kristol

Please report problems with the web pages to the maintainer

Top