The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 65

Thursday 2 April 1998

Contents

o Problem in wintertime/summertime switching in Germany
Nikolaus Bernhardt
o Y2K in China
Don Wagner
o April First, a bad day for high tech in Holland
Paul van Keep
o Hackers Exploiting Over 100 Holes In Windows NT
Shake Communications
o Pull rip cord
Andrew Gabriel
o Painful spell-checker mistake in WordPerfect
Jeroen Bruintjes
o Risks of unfortunate product names
Roger Strong via Jim Griffith
o Inaccurate study quoting, Re: anti-crypto rhetoric
Robert J. Perillo
o RC5-64 Project can change laws on encryption technology
RC5 Team
o Re: Funding for a new software paradigm
Fred Cohen
o Re: DJ10K
Frank Markus
o Re: Rivest's chaffing concept
Stacy Friedman
o Re: EMI and TWA 800
Piers Thompson
o "Computers, Ethics and Society", Ermann/Williams/Schauf
Rob Slade
o Info on RISKS (comp.risks)

Problem in wintertime/summertime switching in Germany

Nikolaus Bernhardt <nikolaus@nikon.on-luebeck.de>
29 Mar 1998 21:30:00 +0100
On 29 Mar 1998, in the early morning hours (02:00), the official time in
Germany changed from wintertime (UTC +1, MEZ) to summertime (UTC +2,
MESZ). The hour from 02:00 to 03:00 is 'stolen' and will be given back in
the changing from summertime to wintertime.  Everyone has to adjust the
clocks with a delta of +1 hour.

Deutsche Telekom, the formerly state-owned telecommunication company
provides the time in their ISDN exchanges ("Vermittlungsstelle").

On 29 Mar 1998 the Deutsche Telekom made some mistakes in the City of
Luebeck (local area code 0451): The system clocks were adjusted *twice*
instead of once so that the ISDN-exchange provided a false time to all
connected ISDN-devices.

Normally all the ISDN-Exchanges are synchronized by a radio driven clock
(DCF77 transmitting the official time in Germany).

Operators at the hotline were scared about this failure.  After a few
minutes they called me and told that the clock would be corrected
immediately.

Computer systems equipped with a ISDN-Card can normally obtain the DCF-77
based time by retrieving the time token from the ISDN-Exchange and save the
money for a local DCF-77 card -- which costs several hundred Deutschmarks
(1.85 Deutschmark =~ 1 US$).

The risk of trusting the time provided by the Deutsche Telekom is obvious.
When you want or need the official time, you better spend some money in a
dedicated DCF-77 radio-controlled clock-device.

Nikolaus Bernhardt <Nikolaus@nikon.on-luebeck.de>


Y2K in China

D B Wagner <DWag@compuserve.com>
Mon, 30 Mar 1998 05:54:43 -0500
Check out
  http://www.redfish.com/USEmbassy-China/sandt/y2ku.htm
for the Y2K situation in China as well as some other risky issues.

Don Wagner <DWag@compuserve.com>  http://coco.ihi.ku.dk/~dbwagner

  [I did, and it is pretty scary.  PGN]


April First, a bad day for high tech in Holland

Paul van Keep <paul@sumatra.nl>
Wed, 01 Apr 1998 23:25:03 +0200
It might be related to the date but things went seriously on 1 Apr 1998 in
The Netherlands. Here's a recap of three problems as reported on the 6
o'clock news:

- Digging activity damaged a fibre optic cable in the north, leaving
part of the country without phone service for hours.  A classic single
point of failure error.

- The national BeaNet system was down for part of the day.  This is the
system that processes among others debit (PIN) payments, ATM cash
withdrawals and online I-Pay transactions. The failure was attributed to 'a
problem with the computer'.  Let's hope one computer is not what they depend
on to run such an essential system.

- The Postbank (one of the largest banking institutions in the country) were
confronted by a maintenance operation that took longer than it should.  This
had the side effect that the systems for online transactions (separate from
the BeaNet system) were not reloaded with the latest account balances from
the day befor only only.  This caused problems for people trying to retrieve
cash from postbank ATMs whose balance should have been positive but weren't
because of the mismatch (the opposite was probably also true).  Note that
there are at least two separate systems here that track account balance (I
think there are even three) that get synchronized only once every 24 hours.
This allows for a lot of overdrafting.

Paul van Keep, Sumatra Software


Hackers Exploiting Over 100 Holes In Windows NT

"Shake Communications Pty Ltd" <shake@shake.net>
Thu, 26 Mar 1998 00:03:32 +1000
101 Ways to Hack into Windows NT

MELBOURNE, AUSTRALIA: A study by Shake Communications Pty Ltd has identified
not 101, but 104, vulnerabilities in Microsoft Windows NT, which hackers can
use to penetrate an organisation's network.

Many of the holes are very serious, allowing intruders privileged access
into an organisation's information system and giving them the ability to
cause critical damage - such as copying, changing and deleting files, and
crashing the network.  Most of the holes apply to all versions (3.5, 3.51
and 4) of the popular operating system.

Shake Communications, an information and internet security firm, has
compiled the statistics as part of an ongoing study and compilation of
vulnerabilities in popular hardware, operating systems, applications and
programming languages.

The vulnerabilities are ranked High, Medium or Low according to the damage
(loss or resources, time and money) they can cause and are categorised into
Denial of Service (D.O.S.) vulnerabilities, Server Message Block (S.M.B.)
vulnerabilities, Malicious Program vulnerabilities and Miscellaneous
vulnerabilities. The majority of weaknesses affect Versions 3.5, 3.51 and 4.
Some apply only to one or two of the versions and others apply where an
application, such as Microsoft Access, is running on Windows NT.

Some examples of how hackers (from both the outside and the inside of an
organisation) can exploit the various vulnerabilities are as follows:

* An intruder can crash the Windows NT system by sending spoofed packets to
multiple ports where the source and destination settings are the same;

* Holes in the Server Message Block authentication can give a local user
unauthorised network access under certain conditions (for example, an
employee can break into the payroll system);

* An unauthorised user can use the alerter and messenger services to send
fake pop-up messages to legitimate users and thereby fool them into entering
information such as their password;

* Hackers can use their own programs to exploit holes, such as L0phtCrack, a
password cracking program, and NtAddAtom, a program which crashes NT;

* Even where a domain user creates a file and removes all its permissions
(reading, writing, deleting), an unauthorised user can still delete such a
file.

Some of the holes have no recommended countermeasures and others rely on
physical security measures (such as locking the Windows NT server in a
room). Fortunately, there are software patches or fixes available to rectify
many of the vulnerabilities. Microsoft freely provides these at its Web Site
(http://www.microsoft.com). Unfortunately, many users are probably unaware
that this service exists.

Shake Communications also provides links to patches/fixes in its
Vulnerabilities Database, which also covers other operating systems,
programs, applications, languages and hardware.

For more information contact Shake Communications at info@shake.net or +613
9555 8560.  Shake Communications maintains a Vulnerabilities Database
containing over 3,000 vulnerabilities and associated patches/fixes at
http://www.shake.net. This is updated daily and available by subscription.

Acknowledgments

Costin Raiu
Joba DoVoe
Microsoft Corporation
Paul Ashton
The L0pht
www.ntshop.com


Pull rip cord

<andrew@cucumber.demon.co.uk>
Mon, 16 Mar 1998 22:10:00 GMT
A correction published in a magazine about flying (if I heard correctly)...

  The phrase reading:
    "state zip code"
  should have read:
    "pull rip cord".

[source BBC Radio 4 - "The News Quiz"]

Risks: left to your imagination    :-)

Andrew Gabriel, Consultant Software Engineer


Painful spell-checker mistake in WordPerfect

"Jeroen Bruintjes" <brun@bart.nl>
Mon, 16 Mar 1998 11:37:37 +0000
Being copywriters with a love for reliable and simple technology, we still
use WordPerfect 5.1.  However, this program also seems to have its glitches,
one of which can be quite embarrassing.  Last week, a colleague stumbled on
an error in his (Dutch) spell-checker.  While scanning his text, the program
didn't recognize the word 'Campbell'.  It suggested 'kampbeul' as an
alternative. Which in English stands for *camp bully *or *camp executioner*.

Good thing he wasn't using the spell checker on autopilot. Such mistakes can
very well cause a customer to end all relationships.

Jeroen Bruintjes

  [You needed a Campbell Soup-er Checker.  Dank U wel.  PGN]


Risks of unfortunate product names

Jim Griffith <griffith@netcom.com>
Mon, 30 Mar 1998 10:45:19 -0800 (PST)
Stolen shamelessly from alt.humor.best-of-usenet, which was stolen
shamelessly from rec.humor.oracle.d:

> Subject: Re: The question was too hard...
> From: "Roger Strong" <rstrong@yetmans.mb.ca>
> Newsgroups: rec.humor.oracle.d
>
> One of my co-workers was on the phone, walking a customer through removing
> the software for a Star multiport from an NCR Tower.  The command was
> "rm -r star".  It took a full fifteen minutes for him to figure out why it
> was taking so long.....

Jim


Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, R-19.62)

Robert J. Perillo <perillo@gibraltar.ncsc.mil>
Fri, 20 Mar 1998 14:56 EST
The statement made by Carl Ellison <cme@cybercash.com>, 06 Mar 1998
(RISKS-19.62), "How come Dorothy Denning didn't find any significant use of
crypto by criminals in her survey of law enforcement officers?", is
inaccurate.  The Denning-Baugh report, referenced below, did find
significant use of encryption by criminals, 500 current cases worldwide,
over 20 cases were presented in detail, and they estimate that the number is
growing at annual rate of 50-100% (some cases from the report are listed
below).  In more than one of the cases, the encrypted information could not
be deciphered by law enforcement.

The report does make clear that encryption could pose problems for law
enforcement in the future.  "Our findings suggest that the total number of
criminal cases involving encryption worldwide is at least 500, with an
annual growth rate of 50 to 100 percent."  And "Quite a few people are
technically sophisticated."

Instead, the study's main conclusion was that it was unable to find any
current incident where the use of cryptography significantly hindered an
investigation or prosecution.  "Most of the investigators we talked to did
not find that encryption was obstructing a large number of investigations.
When encryption has been encountered, investigators have usually been able
to get the keys from the subject, crack the codes, or use other evidence,"
states the report.

The statements that criminals have not used Crypto AG or CyLink encrypting
telephones are also incorrect.  The Denning-Baugh report did not even
address this topic.  But, evidence was presented in the late 1980's that
possible foreign Terrorist organizations and Drug Cartels were using Crypto
AG Voice Ciphering products.  According to an ex-employee's legal filings,
and "tell-all" book, Crypto AG was requested to insert flaws and weaknesses
into their equipment that could be falling into criminal hands.

An interesting observation about the report is that when encryption is
encountered by law enforcement, they are unprepared to deal with it and
forced to use in-house computer forensic specialists (with little training
in cryptography), consultants, academics, and/or private companies to attack
the problem.  While the U.S. Government spends at least $7 to $10 billion
per year on "code breaking" at Military-Defense and Intelligence
organizations, under current law ("posse comitatus" on up) it is illegal for
these resources to be used for domestic law enforcement.  We could change
these laws, and increase funding to these agencies to handle their new
mission? We could create similar agencies inside domestic law enforcement at
equivalent cost? Therefore, the requests by law enforcement, to promote and
have access to corporate and local Key Recovery systems, can be seen as a
low-cost solution to the problem and an effort to save money for the
U.S. taxpayer.

The cases examined include:

* "The Japanese death cult, Aum Shinrikyo, which used encryption to store
records on its computers.  Authorities were able to decrypt the files in 1995
after finding the decryption key on a floppy disk.  And found evidence of
plans to launch attacks in the U.S. and Japan."

* The New York subway bomber, Edward Leary, who had created his own
encryption system to scramble files on his computer.  According to the
report, after Manhattan police "failed to break the encryption, the files
were sent to outside encryption experts.  These experts also failed.
Eventually, the encryption was broken by a federal agency.  The files
contained child pornography and personal information which was not
particularly useful to the case."

* "A police department in Maryland encountered an encrypted file in a drug
case.  Allegations were raised that the subject had been involved in
document counterfeiting, and file names were consistent with formal
documents.  Efforts to decrypt the files failed, however, so the conviction
was on the drug charges only."

* "The head of a California gambling ring kept his records in a commercial
accounting program encrypted with a code word.  The maker of the program
refused to help law enforcement break the code, but access to the files was
gained by exploiting a weakness in the computer system.  This yielded four
years of bookmaking records which resulted in a guilty plea on criminal
charges and payment of back taxes."

* The espionage case against former CIA employee Aldrich Ames, who was
directed by his Soviet handlers to encrypt computer file information that
was passed to them, "and was eventually convicted of espionage against the
U.S., was aided because the investigator handling the case was able to
decrypt Ames's files using AccessData Corp. software (an automatic
de-encryption program)."

References :

 * National Strategy Information Center, Dorothy Denning and
   William Baugh, "Encryption and Evolving Technologies as Tools
   of Organized Crime and Terrorism," July, 1997.

 * The Washington Post - WashTech, Elizabeth Corcoran, "Around
   the Beltway, Encryption: Who will Hold the Key? Two Bills
   Reflect the Split over Restrictions", Aug-04-1997.

 * Mercury News, Simson Garfinkel, "Denning unable to confirm FBI
   Assertions; alters her position", 31-Jul-1997.

Robert Perillo, CCP, CNE     Richmond, VA     perillo@dockmaster.ncsc.mil
Staff Computer Scientist                      perillo@gibraltar.ncsc.mil

[Usual disclaimers]

  [The Ames case strikes me as a bad example, and a classic case of
  trying to oversell the impediments of crypto, considering the long
  history of incriminating phone calls in the clear and the long trail
  of other evidence that would seem to have been ignored or perhaps
  suppressed in an effort to gather more evidence.  PGN]


RC5-64 Project can change laws on encryption technology

RC5Team <rc5team@iname.com>
27 Mar 1998 15:03:44 GMT
The RC5-64 Project can change the US law on encryption technology.  However,
it needs your help to achieve this goal.  US laws currently limit the export
of high-bit encryption messages/programs. The RC5-64 Project proves that
these low-bit technologies offer insufficient protection.  If you're
interested, visit http://bovine.home.ml.org .

The Bovine United Team


Re: Funding for a new software paradigm (Moran, RISKS-19.64)

Fred Cohen <fc@all.net>
Tue, 31 Mar 1998 22:06:44 +6400 (PST)
I assume (hope? wish!!??) this is a joke?
> this new approach, dubbed "Fault-Oblivious Computing", to quickly become the
> dominant software-engineering paradigm. [...]

I have a few better ideas - but DARPA will not likely fund them:

1) Devise a language that fails safely (where safety has programmer
   adaptable defaults and values) so that failures "do the right
   thing". I think that Perl and Basic come pretty close to this.

2) Create a set of standard and approved subroutines that replace the
   default system calls and include proper error handling (as well
   as providing for easier portability).

3) Teach programmers that "don't care" return values are turned into
   real - and usually wrong - semantics at runtime.

4) Create a charge-back system where each system crash costs the
   company that provided the software $100. Based on historical
   statistics, mandate that a bond in the expected amount for
   the lifecycle of the system be posted as a condition of sale.

5) Use a real operating system and real programs built for resiliency
   instead of demos built for time to market in critical systems.

6) Require a quality control and support system for those who provide
   government systems for military use.

Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:510-454-0171


Re: DJ10K (RISKS-19.64)

Frank Markus <fmarkus@pipeline.com>
Wed, 01 Apr 1998 14:17:30 -0500
The report in RISKS-19.64 about the likelihood that a five-figure Dow Jones
Average will break many software programs designed to deal will four-digit
averages brings to mind a current problem.  Berkshire Hathaway is a
significant stock on the New York Stock Exchange.  For good and sufficient
reasons, Warren Buffett, the chairman of the company, does not consider it
wise to either split the stock or to pay dividends.  As has been widely
reported, Berkshire Hathaway has been very successful.  The problem is that
as the price of the stock is now far greater than any other stock on the
NYSE.  (As I write, it is well above $60,000 a share.)

The computers that set the stock tables for the *Wall Street Journal* and
*The New York Times* cannot cope with Berkshire.  I discovered that the
price of BRK.A is hand entered into the stock tables of both papers when I
called both to report that their closing price for the previous day differed
substantially. Apparently it was not the first time it had happened.  Other
newspapers avoid both the software and the column-formatting problems by
omitting Berkshire (which happens to be a leading stock in terms of market
capitalization.)

On the Internet, I have been unable to find a single generally available
portfolio program that can deal with Berkshire!  Among those that cannot are
My Yahoo!, Quote.com and C|Net's Snap.


Re: Rivest's chaffing concept (RISKS-19.64)

"Stacy Friedman" <SFRIEDMA@us.oracle.com>
31 Mar 98 17:43:32 -0800
I recently read a joke which went something like this:

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 LETTER TO VICE PRESIDENT:

 Bob Smith, my assistant programmer, can always be found
 hard at work in his cubicle.  Bob works independently, without
 wasting company time talking to colleagues.  Bob never
 thinks twice about assisting fellow employees, and he always
 finishes given assignments on time.  Often Bob takes extended
 measures to complete his work, sometimes skipping coffee
 breaks.  Bob is a dedicated individual who has absolutely no
 vanity in spite of his high accomplishments and profound
 knowledge in his field.  I firmly believe that Bob can be
 classed as a high-caliber employee, the type which cannot be
 dispensed with.  Consequently, I duly recommend that Bob be
 promoted to executive management, and a proposal will be
 executed as soon as possible.
     - Project Leader

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 A SUBSEQUENT MEMO WAS SOON SENT FOLLOWING THE ABOVE LETTER:

 That idiot was reading over my shoulder while I wrote the
 report sent to you earlier today.  Kindly read ONLY the odd
 numbered lines (1, 3, 5, etc...) for my true assessment of him.
 Regards.

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

How's that for separating the wheat from the chaff?

Stacy Friedman, Senior Performance Engineer, Oracle Forms
sfriedma@us.oracle.com   (650) 506-8008


Re: EMI and TWA 800 (RISKS-19.64)

Piers Thompson <piers_thompson@ionica.co.uk>
Wed, 1 Apr 1998 14:32:58 +0100
>The April 9 _New York Review of Books_ has published a long special
>supplement, "The Fall of TWA 800: The Possibility of Electromagnetic
>Interference," by Elaine Scarry, a noted author and Harvard professor:

I note from the paper itself that Elaine Scarry is professor of
"Aesthetics and General Theory of Value".  I don't know whether her
noted authorship includes any titles of relevance to air investigation
or EMI.

The paper itself makes a number of elementary errors of fact and relies
heavily on innuendo for effect.  It is far from a rational, scientific
review of the evidence.  The author claims that parts have been
subjected to scientific review.  It seems unlikely.

>
>    http://jya.com/twa800-emi.htm  (128K with 3 images)
>
>The article closely examines the possibility of electromagnetic interference
>in TWA 800's controls, comm, and black boxes by activities of the ten US
>military planes and ships in the vicinity which were heavily equipped for
>electronic warfare and were conducting tests of the gear.

The paper presents no evidence (and doesn't even claim) that the military
units were either "heavily equipped for electronic warfare" or "conducting
tests".

Piers


"Computers, Ethics and Society", Ermann/Williams/Schauf

"Rob Slade" <rslade@sprint.ca>
Mon, 30 Mar 1998 08:03:27 -0800
BKETHICS.RVW   980131

"Computers, Ethics and Society",
M. David Ermann/Mary B. Williams/Michele S. Shauf, Oxford, 1997.

%A M. David Ermann
%A Mary B. Williams
%A Michele S. Shauf
%C 70 Wynford Drive, Don Mills, Ontario   M3C 1J9
%D 1997
%G 0-19-510756-X
%I Oxford University Press
%O C$29.95 800-451-7556 fax: 919-677-1303 cjp@oup-usa.org
%P 340 p.
%T "Computers, Ethics and Society, Second Edition"

Ethics.  Don't talk to me about ethics.

Computer industry the size of a planet, security specialists sleeping under
every bush, a zillion philosophy students and what do we do?  We write a
textbook.

It's so depressing.

It has been seven years since the first edition of this book was published,
and five years since I reviewed that first edition.  I was rather looking
forward to it at the time, it being the only title I had found to address
this all important issue.  I was a bit chagrined to find that it was, a) a
series of articles, rather than a book; and, b) a textbook.  Well, courses
on computer ethics are important, and in the interim there have been both
other textbooks and serious examinations of the topic for the working
professional.  I've gotten over my disappointment that the book was a
textbook, but still find it to be flawed *as* a textbook.  As with other,
similar, works, some of the disappointment arises from the fact that, so
far, this is close to the best we can do.

The apparent organization of the material is good.  The first section of
papers deals with general ethical theory.  Unfortunately, the background is
somewhat limited, dealing only with utilitarianism, generally simplified to
"the greatest good for the greatest number", and some minor variations.
(Kant's "Categorical Imperative" is covered, but it can easily be seen as a
special case of utilitarianism where "badness" is exponential.)  The first
paper, "Ethical Issues in Computing," stands as an overview of topics to be
covered in the book.  As such, the piece can't be faulted for a lack of
depth.  However, what analysis there is in the essay betrays a reliance on
facile reasoning and presumptions based on strictly anecdotal evidence, or
no evidence at all.  In this regard, it foreshadows too much of the material
in the book overall.  The second and third papers, "Information Technologies
Could Threaten Privacy, Freedom, and Democracy," and "Technology is a Tool
of the Powerful," demonstrates another shortcoming of the book: an emphasis
on theoretical societal, rather than practical personal, responsibilities
and issues.  As the material begins to examine generic ethical principles in
light of specific problems, the treatment becomes uneven, although by and
large it offers little except further problems in defining moral action.  (I
was sad to see that a first rate treatise on privacy as it relates to
monitoring of criminal offenders; lucid, readable and almost poetic while
casting an insightful new light on the subject; has been removed.)

In light of my comments about a social bias to the book, it may seem strange
that part two is entitled "Computers and Personal Life."  However, personal
action and responsibility is in the minority.  Four papers deal with
privacy, commerce, and employment, again pitting the individual against the
mass, if not the state.  The excerpt from Gates' "The Road Ahead" (an
unremarkedly ironic inclusion given the current debate and legal battles
over "ownership" of the desktop) is nothing more than a bit of blue sky
pronouncing.  The articles by Postman, Gergen, and Broadhurst are better
informed, but no closer to ethics.  Eugene Spafford seems to be the only
contender in the personal activity arena.

"Computers and the Just Society" is definitely back with the person against
the principality, paying particular attention to employment (in the
aggregate) and privacy (as being eroded by legislation against encryption).
There is a nod to cyberspace and the law on the way through, but it isn't
much improvement over the first edition.  (Aristotle and Augustine didn't
even make the cut this time out.)

Part four, on "Computing Professionals and Their Ethical Responsibilities"
shows titular promise, but is back on the individual against society once
more.  Indeed, there is little that is specific to the computing
professional.  A paper on "whistle-blowing' is clear as to the issues, but
finally ambiguous as to any answers.  Steven Levy's piece on Lotus
Marketplace is a bit depressing when you realize the final outcome: Lotus
never did release marketplace, but a number of recent "products" are much
greater invasions of privacy.

Given the almost absolute emphasis on society, I was rather surprised
to see only one paper, and that tangentially, related to the rise of
the Internet.  The net has become a major force in society, both in
spreading hate literature and other disinformation, and in promoting
democracy and discourse.  The second edition does not appear to have
taken the opportunity to come up to date in this regard.

Much of the material collated here is interesting, and worthwhile background
for a course in computer ethics, but it doesn't go anywhere.  The quality is
very uneven and, ultimately, much of the writing is disappointing.  The
section and subsection headings often bear only the most tenuous connection
to the contents, although related articles to tend to have some commonality.
As course reading material, this book could be very useful in the hands of a
good instructor.  As a resource for those working in the lines ... well, I
suppose we keep looking and hoping.

copyright Robert M. Slade, 1993, 1998   BKETHICS.RVW   980131

Please report problems with the web pages to the maintainer

Top