The RISKS Digest
Volume 19 Issue 34

Tuesday, 26th August 1997

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


AOL users hit by e-mail scam and Trojan horse URL
Network Solutions goof bumps NASDAQ off the Internet
Will Rodger
Computer malfunction floods Boulder garages and basements
S.J. Hutto
Carlos Salgado Jr. pleads guilty
Tobacco Deal Could Set Precedent for Would-be Net Censors
Spelling checker not up on U.S. Marines
Julie Bird via Mike Linksvayer countersues Barnes & Noble
Florida to Automate Traffic Citations
Geoff Kuenning
Cockpit data wiped by RF interference?
Imran via Matt Clauson
The Auditor Might Notice Your Bad Data
Scot E. Wilcoxon
Netscape Communicator 4.02 and 4.01a allow disclosure of passwords
Andre L. Dos Santos
Mac/Unix security e-mail exchange
Martin Minow
Direct action to "sting" the junk e-mailers — RISKy?
Max Stern
Re: USC 47:227
Mich Kabay
Re: Software copying a felony
James L. Peterson
Re: Risks, Reliability, Regulation, Infrastructures
Henry G. Baker
Re: SET Risks
Jerome Svigals
Re: Stiction
Frank Hausman
A book on computers and the law by Curtis Karnow
"Trapped in the Net" by Gene I. Rochlin
Hans-Juergen Schneider
Info on RISKS (comp.risks)

AOL users hit by e-mail scam and Trojan horse URL

"Peter G. Neumann" <>
Tue, 26 Aug 97 8:04:17 PDT
Subscribers of America Online recently received e-mail apparently from AOL's
chief of Member Services, entitled ``Important AOL Information'' and giving
an update on AOL's efforts to improve its service.  At the end was a URL to
a letter from AOL Chairman Steve Case, in which readers were asked to give
their name, address, home phone, and credit-card number to update AOL's new
computers.  Surprisingly to most victims (AOL's subscribers include many
online novices, more of whom should be reading RISKS!), the file being
updated was that of a scammer who simply raked in the information.  (It was
not specified whether his/her identity had been determined.)  [Source: An
item by Rajiv Chandrasekaran, *Washington Post*, 26 Aug 1997, seen in the
*San Francisco Chronicle*, p. A3.  PGN Stark-Abstracting]

[See RISKS-19.07,11,26,27,28 for other recent items on AOL.]

Network Solutions goof bumps NASDAQ off the Internet

Will Rodger <>
Fri, 22 Aug 1997 11:41:24 -0400
  [PGN Abstracting, from article by Will Rodger,
  from Inter@ctive Week Online, 21 Aug 1997, 9:14am PDT,]

The NASDAQ stock exchange was knocked off much of the Internet for several
hours on 19 Aug 1997 as a result of administrative errors at the InterNIC, a
centralized Internet address clearinghouse run by Network Solutions Inc. of
Herndon, Va., NASDAQ officials said Wednesday.  Though the problem was
initially invisible to NASDAQ, which maintains its own database of Internet
addresses, the temporary suspension of access to the exchange's site blocked
users of major computer networks — including those owned by IBM Corp., MCI
Communications Corp., PSINet Inc. and UUnet Technologies Inc. — from
getting to the site.  As a result, NASDAQ was unreachable to most Internet
users for at least several hours Tuesday morning.  Problems with the Web
site had no effect on the functioning of NASDAQ itself.  The snafu was due
to a clerical error at NSI, which evidently lost track of NASDAQ's $50 fee,
submitted in October 1996.

Will remarked that things like this seem to be occurring more often.  The
weekend before, more than 5,000 Web sites were blocked for over 24 hours,
when Web Communication Inc and other domains were bumped from the Internet
after a screwup in routine InterNIC maintenance.  Will also mentioned the
disappearance of .com and .net, noted earlier in RISKS (Pouzzner, RISKS-19.25).

Computer malfunction floods Boulder garages and basements

Mon, 25 Aug 1997 09:22:27 -0700 (PDT)
Subtitle: Error makes mains exceed their capacity
Reported by the *Rocky Mountain News,* 25 Aug 1997.

"Officials blamed a malfunctioning computer for five water main breaks late
Saturday that cut service to about 40 homes, flooded basements and garages
and turned city streets into rushing streams."

A computer controlling water pressure gave inaccurate readings (presumably
lower than actual?), prompting a city worker to open up the mains.

The full article is online for a few days at

S. J. Hutto, pSIBER Technologies Inc.

Carlos Salgado Jr. pleads guilty (Re: RISKS-19.19)

"Peter G. Neumann" <>
Tue, 26 Aug 97 8:13:05 PDT
Carlos Felipe Salgado Jr. ("Smak") has pleaded guilty before his trial.  As
reported in RISKS-19.19, an FBI sting had paid him $260,000 for a diskette
with personal data on more than 100,000 credit-card holders that he had
obtained by hacking into company databases on the Net.  The maximum
penalties reported earlier have apparently been doubled — up to 30 years in
prison and fines up to $1 million.  [Sources: AP and others, 26 Aug 1997]

Tobacco Deal Could Set Precedent for Would-be Net Censors (Edupage)

Edupage Editors <>
Sun, 24 Aug 1997 09:46:40 -0400
A little-noticed clause in the recently proposed $368-billion deal struck
between the nation's largest tobacco sellers and states' attorneys general
states, "The new regime would ... prohibit tobacco product advertising on
the Internet unless designed to be inaccessible in or from the United
States."  Critics note that if the settlement becomes law, that clause could
set a disturbing precedent for restricting all forms of online speech, and
could encourage other countries to emulate these restrictions or make them
even tougher.  Any company with a global commercial presence, says a law
professor at University of California at Los Angeles, would be forced to
limit its online presence to whatever is allowed by the most restrictive
country it does business in.  (*Investor's Business Daily*, 22 Aug 1997;
Edupage, 24 Aug 1997)

Spelling checker not up on U.S. Marines (from BONG Bull No. 437!)

Julie Bird via Mike Linksvayer <>
Wed, 20 Aug 1997 15:01:44 -0700
Julie Bird at the *Air Force Times* reported a spelling-checker gaffe that
could have caused combat-relevant complications.  The spelling checker
rejected the Marine motto 'Semper Fi' and recommended 'Semi-pro fiddles'
instead.  The copy editor then accepted the change, although it was caught
before publication.

  [Violins? Nonviolence? Puttering around? Meddling?  Perhaps the spelling
  checker was written for the U.S. Navy, where a fiddle is a something
  aboard ship that keeps dishes from sliding around.  This case is quite a
  stretch; perhaps checkers are getting ever more imaginative these days.

  This item from Julie Bird <>, abstracted for RISKS, is
  excerpted from BONG Bull, The Burned-Out Newspapercreatures Guild's
  Newsletter, #437.  To subscribe: e-mail to, with text
    subscribe bong-l
  PGN] countersues Barnes & Noble (Edupage)

Edupage Editors <>
Sun, 24 Aug 1997 09:46:40 -0400
In the latest assault in the escalating battle between pioneer online
bookseller and Barnes & Noble, has filed a countersuit
against Barnes & Noble, alleging that the bricks & mortar entity should be
charging sales tax on the books it sells over the Internet.  Amazon 's
argument is based on the fact that B&N, unlike, has a physical
presence in most states through its chain of 1,000-plus stores that
therefore constitute the "nexus" of activity in each state.  An attorney for
B&N says there is "no basis whatever" for Amazon's claim.  In May, Barnes &
Noble filed suit against, saying its claim to be "the world's
largest bookstore" was false advertising.  (Wall Street Journal 22 Aug 97;
Edupage, 24 Aug 1997)

Florida to Automate Traffic Citations

Geoff Kuenning <>
22 Aug 1997 23:38:07 GMT
An article on Clarinet (22 Aug 1997) tells us that Florida has let a $6.2
million contract to Unisys to automate the issuance of traffic citations.
Troopers will "be armed with pen-based laptop computers and printers.  The
laptops...will 'recognize' the troopers' hand printing and automatically
convert it to easily readable text."

Anybody care to predict the number of traffic tickets thrown out of court
over the next several years because they were issued to the wrong people?

The one saving grace is that the motorist gets a printout with a copy of the
ticket.  But I can just see the poor innocent party who has to prove that he
was in Bangladesh on the day that somebody with a similar license number ran
a red light.

Didn't they learn from the Newton?

Geoff Kuenning

Cockpit data wiped by RF interference? from Imran

Matt Clauson <>
Mon, 25 Aug 1997 21:18:57 -0600 (MDT)
The forwarded message below was sent to the "DefCon Stuff List"
(, for information, sub/unsub requests,
etc.).  My concern about is this: why would an aircraft designer take RISKs
with passenger safety by installing (apparently, at least to me) non
RF-shielded equipment that can be damaged by the RF output from a 3 watt
800MHz RF signal (saying the phones are analog), not to mention several
computers?  I have several computers, radios, etc. here on the ground
(producing a lot of RF, spurious and non) and I have no problems with 3
watts of 800MHz RF.  If that little RF can wipe a aircraft computer, what
could it do to major office buildings, etc. where cell phones are used in
MUCH closer proximity to computers (and sometimes much more sensitive ones).

- ---------- Forwarded message ----------
Date: Mon, 25 Aug 1997 09:07:54 +0300
>From: Imran <>
To: DC-Stuff <>
Subject: Can your cell-phone hijack a plane?

Yesterday I read an article in a local newspaper describing how it is
illegal to take all your weapons and explosives on flight — except for your
cell-phone and laptop.  Last week a flight inbound for London from Istanbul
had to crash land in Switzerland because all the cockpit data got wiped off
because of a cell-phone.  At the specific moment two people were talking and
three had their phones open.  Police are still investigating.  [...]

The Auditor Might Notice Your Bad Data

Tue, 26 Aug 1997 11:43:21 -0500 (CDT)
A Florida state agency auditing group (OPPAGA) reported:

Best agency answer to data question: When asked to explain why its data base
showed that lab tests of water quality samples were completed before the
samples had even been collected, agency staff provided the following memo:

    Top 10 Reasons Why Data is Analyzed Before it is Collected

    10. We practice Zen and the Art of Ground Water Sampling.
    9. We can impress auditors that way.
    8. We can tell whether collecting the sample will be worth our time.
    7. We get results much sooner this way.
    6. It saves money.
    5. It lets us know what type of sample we need to take.
    4. We can notify the well owner that we have a hunch their well should be
    3. Our lab has an incredible turn around time.
    2. The lab transmits data faster than light speed, so it arrives before it
       is sent.
    1. Our computer's clock battery has been dead since 1992, so every sample
       gets that creation date.

Quoted in:

Scot E. Wilcoxon

Netscape Communicator 4.02 and 4.01a allow disclosure of passwords

"Andre L. Dos Santos" <>
Mon, 25 Aug 1997 15:45:56 -0700 (PDT)
Using the latest Netscape Communicator we are able to get your credit card
number, password for online banking or online brokerage order, etc, only
restricted by the imagination of the malicious server implementer. This is
due to a flaw in Javascript identified by the Reliable Software Group at
University of California Santa Barbara. It enables a malicious site to track
all activities of a user in the Internet. Besides being able to get this
information, which violates the user's privacy, by using an ingenious
technique we are able to target chosen pages and use a fake server to
convince the user to type in privileged information. We submitted a security
bug report to Netscape, but we believe that this is a very serious threat,
which is easy to implement. As such it should be widely disseminated. This
flaw was tested in Netscape Communicator 4.01a, the latest version of
Netscape, and it is described, together with other attacks in our paper at

Netscape has released a new version of Communicator for Windows 95/NT. It is
Netscape Communicator 4.02. In this version our attack is much more
threatening. This is because on the previous version the access on the
location object was better implemented and in order to get a string value to
this object we had to close a second browser we opened. Using the new
version of Netscape we are able, using an infinite loop, to access the
string that represents the location object, against the security policy of
Javascript.  Therefore, using this version, we don't even need to close the
second browser. We are still investigating which other security policies are
badly implemented in this new version of Netscape Communicator.

Andre L. dos Santos, Reliable Software Group
University of California Santa Barbara

Mac/Unix security e-mail exchange

Martin Minow <>
Tue, 26 Aug 1997 09:42:52 -0700
After the recent security breach of the "Crack-A-Mac" server (which has now
been compromised three times), Ric Ford's Macintouch web-site provides an
interesting e-mail exchange comparing the relative security of Macintosh
against Unix systems.

To quote one respondent:
  "Because the Mac was not made to be a networked computer, it is
  infinitely more secure than a UNIX box. If you are running plain
  vanilla Webstar on a Mac, you are safe. Period. If you are running
  plain vanilla Apache (or other UNIX webserver) on a UNIX box, you
  are toast if there is a determined hacker. Only the most dedicated
  SysAdmins can keep up with all the CERT advisories and patches...
  and even if you do, there will be holes. Whether it be a NIS hole,
  a finger hole, a telnet bug, or what have you, there will always
  be one more hole than fix on a UNIX box."

The exchange is at <>.  Macintouch
is a daily newsletter with hints and comments on the Macintosh written
by a columnist for Macweek magazine.  It is at <>.

Martin Minow

  [Infinitely, eh?  Wow, that is *really* impressive!  PGN]

Direct action to "sting" the junk e-mailers — RISKy?

Tue, 26 Aug 1997 10:06:32 -0400 (EDT)
I recently saw a new anti-junk-e-mail tactic which, at first glance, struck
me as a great idea.  The concept is to "sting" the producers of bulk e-mail
mailing lists by including something like the following in your .sig:

  And for you automated e-mail junk-mailers out there, here is
  a list of the current board of the Federal Communications Commission:

    Chairman Reed Hundt:
    Commissioner James Quello:
    Commissioner Susan Ness:
    Commissioner Rachelle Chong:

  And let's help you send some junk mail to the USPS, too:

This is based on the assumption that the junk list compilers sift entire
Usenet News articles (not just the "From:" lines) for any syntactically
valid e-mail addresses.  The e-mail addresses listed above will thus be
included on the compiled lists; then these worthy individuals will receive
any junk mail sent by anyone using said lists.

Since these people have influence on public policy, it is hoped that the
annoyance of actually receiving as much junk mail as the rest of us do will
push them in the direction of strong sanctions against such junk mail.

Where I work, we have been having a discussion in-house about whether or not
doing this is advisable.  The strongest objection that I have seen is that
by including such addresses in one's e-mail, one is actually contributing to
junk mail, and thus acting contrary to the same anti-junk-mail principle
that one is trying to promote.  Also, if one does it from one's company
account, one may be acting against the corporate policy for internet use;
and finally, there is the issue of contributing to a violation of the right
to privacy (here meaning the right not to be harassed) of the public
individuals cited.

I find these contra arguments not completely persuasive, but I am still

The final RISK that I can see is that we may actually influence the
policy-makers to take some action, but that action may turn out different
from our expectation and preference.

Max Stern, Sherman Oaks, CA

Re: USC 47:227 (Sprunk, RISKS-19.33)

"Mich Kabay [NCSA]" <>
Tue, 26 Aug 1997 07:00:42 -0400
  Unsolicited commercial/propaganda e-mail subject to legal action.  Under US
  Code Title 47, Sec.227(a)(2)(B), Sec.227(b)(1)(C), and Sec.227(b)(3)(C), a
  State may impose a fine of not less than $500 per message.  Read the full
  text of Title 47 Sec 227 at

This text deals with unsolicited commercial _telephone_ calls and _faxes_,
not explicitly with junk e-mail.  For a pessimistic analysis of the argument
that existing federal laws cover junk e-mail, see "Garbage In: Emerging
Media and Regulation of Unsolicited Commercial Solicitations" by Michael
W. Carroll <>.
This jurist provides a thorough and award-winning review of the
applicability of such laws to junk e-mail, especially section 2a, "Has
Congress Already Banned Spamming?"  His answer is, alas, "No."


M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education
National Computer Security Association (Carlisle, PA)

  [I read the sections and concluded that it is not a black-and-white issue.
  However, a suit in progress could clarify the issue somewhat.  PGN]

Re: Software copying a felony (Edupage, RISKS-19.28)

James L. Peterson <>
Fri, 22 Aug 1997 14:34:34 -0500
Does the proposed Goodlatte legislation say that the copying has to be
illegal?  (The Edupage squib did not say.)  If not, we should be able to put
those felons at Microsoft and Sun and IBM and HP away for years for the all
that software that they copy and sell.

About the only people who wouldn't be felons here would be GNU since
their software is free and they can copy it as many times as they want
and not reach the $5,000 limit.  But I suspect Microsoft thinks Windows95
is worth at least $1 and they have probably made over 5000 copies, so
lock them up!

  [This reminds me of the original California computer crime legislation,
  which said in effect that it is illegal to read, write, alter, or delete
  data.  Perhaps it still does.  I once chided someone in Sacramento for
  that, and he said, "Oh, but we'd never use it on someone who wasn't doing
  something wrong."  PGN]

Re: Risks, Reliability, Regulation, Infrastructures (Ware, R-19.33)

Henry G. Baker <>
Fri, 22 Aug 1997 11:56:31 -0700 (PDT)
Methinks the Beltway Bandit doth protest too much!  For some reason,
bureaucrats and their Beltway Bandit lackeys always assume that more
regulation is better than less regulation.  In this case, Willis is arguing
that "the system ain't broke, so don't fix it".

I would argue that the system _is_ broken, and it is badly broken.  Here in
California we pay twice as much for our electricity as people in other
states, and many of these costs were _caused_ by the politicians and the
bureaucrats themselves in the first place.  We're not happy about paying for
these hair-brained ideas like nuclear power plants and
doctor/dentist-taxshelter windmills.

I, and nearly everyone I know, could afford to purchase a backup generator
_every year_ for what we pay in excess electricity costs.

The Internet works precisely because it dispenses with link-by-link
guarantees, and uses end-to-end protocols.  Its openness encourages
innovation — something that the electrical utilities have discouraged for
the past 80-100 years.  Perhaps the myth of 'economies of scale' that the
utilities have wrapped themselves in for the past 100 years is just that --
simply a myth.  Or if the economies of scale exist, but never make it to the
customer, then they doesn't matter.  The best place to put redundancy is at
the customer level, where each customer can optimize for his own goals and

Henry Baker

Re: SET Risks (Sterling, RISKS-19.33)

Sun, 24 Aug 1997 08:39:21 -0700
Unfortunately, this response demonstrates the problems with the SET process:

1.  It is highly dependent on an Electronic Wallet, which is never discussed
in the SET process.

2.  It is highly dependent on who the user of the wallet is, which is never
discussed in the SET process, nor is how to identify the user discussed.

3.  The very practical issue of carrying the user's certificate between PCs
is never discussed in the SET process. SET ignoring this issue and its
security demands doesn't make the issue go away!  Not addressing mobility
ignores the issue that insiders will use those techniques to overcome SET

4.  The issue of insiders usurping complete certificate messages is never
discussed in the SET process.  This must be a very serious issue since the
card associations have already published a disclaimer.  See the V/MC press
release of 8/6/97.  It establishes the SET Mark (a trade mark like symbol)
for SET acceptable web pages.  The release clearly states the purpose to be
" use their cards on marked web sites WITHOUT ANY WORRY OF THEIR CARD
DETAILS BEING INTERCEPTED." (my capitalization). Are they so naive as to
think there will not be counterfeit SET marks on unauthorized web pages?
Any security solution that depends on the user or employee actions is known
to be ineffective.

5.  The history lesson that software exposures exist in the current card
system anyway, misses the point.  SET is supposed to be the NEW invincible
solution and doesn't fix this known exposure.

6. The attempt to disassociate the SET process from the vendor
implementation flies in face of a card association PR campaigne to enumerate
the outside vendor role in making SET happen.  It flies in the face of
intense vendor promotion of the SET process as their basis for selling the
new invincible SET solutions - which we are now told has the some of the
same shortcomings as the current software solutions.

7.  The response that consumers will not have much choice is wrong.  The
Mondex system completely by passes the SET complex 26 step process with a
demonstrated card-to-card security solution usable through open systems.
Mondex USA has announced significant roll out this and next year.  The
concepts are being tested by Citibank (with the Verifone Personal ATM, phone
connected device), and Chase (with Mondex units) in the early 1998 major
field test in New York early next year.  All the banks and credit unions of
Canada have announced Mondex use.  Also, several USA financial institutions
have announced that Mondex smart cards will carry both USA and Canadian
dollars, and will carry cash, debit and credit funds.  I would be a little
worried at the card associations.  The associations can not continue to
stone wall smart card credit cards in the United States.  In fact, smart
cards (NOT addressed in the SET process) would go a long way to overcome the
SET deficiencies I have discussed in this note.  Or, maybe this message from
Mr Sterling is notice that MasterCard (51% owner of Mondex International) is
about to suppress Mondex use in the USA.

In summary, the credit-card associations and their SET process can't have it
both ways.  To offer the invincible Internet solution - but keep the old
problems.  To offer the SET process but ignore the shortcomings of the
vendor implementations.  To offer an open system, Internet, solution and
then to ignore smart card benefits and the practical issue of SET process
mobility between the five PCs in my life.  (home, office, laptop, hotel and
the company I am visiting.)

jerome svigals,

Re: Stiction

Frank Hausman <>
Fri, 22 Aug 1997 16:14:01 -0700
Addendum to the stiction item: On a very stuck Seagate hard drive, after
dropping , smacking, and spinning the drive on its axis didn't unstick the
heads from the disk, I took The Final Desperate Measure.  Clean-area
precautions were taken: hands were scrubbed and a Hefty-brand portable clean
room was prepared.  After the "warranty void if removed" drive lid was
removed, the platter was turned by hand with about ten pounds of force and
the lid was reattached.  The drive powered up with no ping, ding, or screech
sounds and valuable data was copied off as fast as fingers could fly.  It
worked for a year afterwards, after which the whole computer was
   When a friend's hard disk drive stuck badly, I made _him_ do it.
Same results.
   The following mysteries remain: Were the environmental dust particles
large enough to be simply spun off the platter?  Was the garbage bag so
static-ridden that it acted as a dust trap?  Exactly how much luck was
involved?  Does this sort of thing work all the time?
   Of course, this is a RISK to any older in-service hard disk:
tamper-labels should be inspected.

A book on computers and the law by Curtis Karnow

"Peter G. Neumann" <>
Fri, 22 Aug 97 11:54:24 PDT
Curtis E.A. Karnow, Future Codes: Essays in Advanced Computer Technology and
the Law, Artech House, Boston and London, 1997 (xii+276)

Curtis Karnow is a practicing attorney in San Francisco with considerable
experience as a federal prosecutor and judge.  His background includes many
cases relating to computers and risks.  This book brings together new
material with a collection of thoughtful essays he has written (e.g., in
Leonardo Electronic Almanac, WiReD and law reviews).  It could be of great
interest to many RISKS readers interested in the law.  This is a crossover
book that makes it very clear why computer folks need to know much more
about the law, and why lawyers need to know much more about computer

"Trapped in the Net" by Gene I. Rochlin

"Hans-Juergen Schneider" <>
Fri, 22 Aug 1997 19:41:35 +0200
Trapped in the Net
The Unanticipated Consequences of Computerization
By Gene I. Rochlin
Published by Princeton University Press
310 pages Hardback: 0-691-01080-3

Having only read the first chapter so far this book appears to discuss a lot
of issues relevant to RISKS and can be found at:

Please report problems with the web pages to the maintainer