The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 72

Thursday 7 May 1998

Contents

o Risks of Internet kiosks
Nick Brown
o Glitch delays 85,000 transactions
Mich Kabay
o Lightning strike threatens public safety
Paul Gittins
o Y2K bug in IE4?
Andre Srinivasan
o Single point of failure makes town disappear for a day
Matt Curtin
o AT&T Announces Cause of Frame Relay Network Outage
Steve Bellovin
o Re: Inaccurate study quoting
Carl Ellison
o Crypto paranoia has its advantages
Nat Gertler
o Forgery when buying Pentium 2 computers -- failure is often only sign
Kriston J. Rehberg
o Risks of state interference
Name withheld by request
o Re: "Beyond Calculation" - seeing the forest for the trees
John R. Levine
o REVIEW: "Privacy on the Line", Whitfield Diffie/Susan Landau
Rob Slade
o Info on RISKS (comp.risks)

Risks of Internet kiosks

BROWN Nick <Nick.BROWN@coe.fr>
Thu, 23 Apr 1998 09:45:22 +0200
Last week I had my first look at a public access Internet kiosk, in a
motorway restaurant in Germany.  The results were not encouraging - the
Internet is a long way from being a consumer product.

At first sight the setup looked rather neat.  You insert 1 DM (about 50c US)
in an old-fashioned parking meter, which then appears to activate some
device while allows the keyboard and mouse to talk to the PC for ten
minutes.  However, that was about the only impressive feature of the setup.

The PC was running Windows 95, and Microsoft Internet Explorer v3.  And the
designers of the system obviously had no experience of designing anything
for the general public to use.

I watched in amusement as a boy of about 15 decided to show his grandparents
how cool the Internet was.  The instant he deposited his coin and touched
the mouse, the screen saver cleared to reveal that the previous user of the
system had decided to visit what I believe is termed an 'adult' site.  The
user quickly closed Internet Explorer, only to find another picture from
that site had been set as the Windows desktop wallpaper.  On restarting
Internet Explorer, he found that the home page had been set to yet another
page which he probably wasn't looking forward to explaining to his elderly
relatives.

When the family left in embarrassment, I set the home page to something more
suitable, and put a picture of one of my children as the wallpaper.  To do
this I had to log on (the boy had rebooted the PC in an attempt to clear the
pictures from the screen), which in itself would not be trivial for many
members of the public unfamiliar with computers - I had to type a username
and password, both of which contained the letter O and the number 0.  (I
don't think I need to mention that during the reboot process, I could have
entered the machine's BIOS setup and made it unbootable - which might have
been interesting if I had been working for the other local Internet
company.)

At our site we are often required to set up this kind of Internet kiosk for
exhibitions.  We use the following setup to prevent this kind of problem
(many of which can happen inadvertently - for example, setting the wallpaper
can be done with a click on the right mouse button and a slight drag):

- use Windows NT
- use automatic logon to a restricted account
- put Internet Explorer (or Netscape) in the startup group, and remove
  everything else from the desktop
- disable the right mouse button in the Start menu
- protect the Internet settings (home page, etc), and the desktop
  parameters (wallpaper file, etc) in the registry with REGEDT32 security
- log the user off after 5 minutes idleness using the LOGOFF screen
  saver.  The auto-logon will then restart Internet Explorer at its home
  page.  This is useful because we have observed that many people walk
  away from the PC without returning from an obscure site back to the home
  page, and other people are reluctant to start using it if they think
  someone has just walked away for a moment.

The only alternative to this is to supervise the PC, but at 6 DM = $3 per
hour, the people building the kiosks won't make a lot of money that way.

Nick Brown, Strasbourg, France


Glitch delays 85,000 transactions

"Mich Kabay [ICSA]" <Mich_Kabay@compuserve.com>
Sun, 3 May 1998 21:19:21 -0400
According to Canada's  _Globe and Mail_ 1998.05.02 p. A9,

> Can't bank on chips, CIBC finds
> By Suzanne Craig, Financial services reporter
>
> Toronto--A computer glitch that has wreaked havoc with Canadian Imperial
> Bank of Commerce's computer system this week will be fixed by Monday, the
> bank says.  Any deposits, withdrawals or bill payments made through CIBC
> bank machines or bill payments made by telephone and personal computer
> between Tuesday afternoon and Thursday morning have been captured by the
> bank but not recorded in customer accounts, the bank said.

The author makes the following key points:

* Details of the problem not made public.
* Not related to Y2K fixes.
* Transactions logged but not processed.
* The name of the CIBC's president of personal and commercial banking is
  Holger Kluge.

Programmers will wonder if Mr Kluge's name reflects on the nature of the
software problem.  [but only if they pronounce it as Hold(g)yr Kloodge
                   instead of Kloo-ge with a hard g, auf deutsch.  PGN]

M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education, International
Computer Security Association (Carlisle, PA) <http://www.icsa.net>


Lightning strike threatens public safety

Paul Gittins <plg101@york.ac.uk>
Sat, 2 May 1998 12:21:36 +0100 (BST)
A lightning strike which partly damaged a public house (bar) in the North of
England was extensively reported in national papers and the television this
week. The lightning, suspected to be 'ball' or 'spherical lightning'
destroyed one wall of the house. When the fire brigade were called they
found themselves unable to attend the call as the strike had also affected
the automatic level crossing, causing it (I presume) to fall into fail safe
mode - closing the gates to the road to allow trains through. This being the
only road into the village accessible by a fire engine, there was a
significant delay to the emergency service arriving.  Fortunately no one was
hurt, but this incident shows how extensively a single storm can have cause
/ effect across a wider plateau.

Paul Gittins, Undergraduate, University of York, UK


Y2K bug in IE4?

Andre Srinivasan <andre@corp.borland.com>
Sat, 02 May 1998 14:02:47 -0700
I happen to have issued myself a certificate that expires in 2008 and,
when used with my server via an HTTPS connection, IE warns that the
certificate expired in '08.

Anyone care to verify this?


Single point of failure makes town disappear for a day

cmcurtin <cmcurtin@interhack.net>
06 May 1998 16:36:24 -0400
With so many "textbook cases" of single points of failure, you'd think that
we'd stop building systems to demonstrate the concept.  But, as RISKS
readers know, that's not the case.

About 11:30 a.m. on April 29, 1998, a friend of mine who works in the city
of Newark, Ohio, called me from his cell phone to ask if I could reach any
of his Internet-connected hosts.  Newark is very near Columbus.  The area
around it probably has a "daytime" population of about 75,000.

I confirmed that his entire network was unreachable, and even his ISP's
connection between Columbus and Newark was down.  He then told me that since
10:30 a.m., no one in Newark had any telephone service whatsoever.  No one
could take credit cards.  Some stores' POS terminals would not work.  No
ATMs were working.  Even the digital cellular network in Newark became
unusable--probably due to overload, as a result of picking up some of the
slack.

There was some restoration of local phone service around 2 p.m., but no long
distance service, even "close" long distance, such as to Columbus.  At 6:45
p.m., service was finally restored.

The problem?  One communications tower had been taken out of service
due to some sort of accident.

Matt Curtin cmcurtin@interhack.net http://www.interhack.net/people/cmcurtin/


AT&T ANNOUNCES CAUSE OF FRAME RELAY NETWORK OUTAGE

Steve Bellovin <smb@research.att.com>
Sat, 2 May 1998 19:15:39 -0400 (EDT)
s233$ catdoc /home/smb/MHN/632.2.msword

Jim Byrnes                                      Ruthlyn Newell
908-221-7876 (office)                           908-221-2737 (office)
908-689-6040 (home)                             908-647-6260 (home)
jbyrnes@att.com                         ruthlyn@att.com

FOR RELEASE WEDNESDAY, APRIL 22, 1998

BASKING RIDGE, N.J. - AT&T said today a unique sequence of events triggered
software flaws that caused last week's outage on its frame relay network.
The flaws were activated by an operating procedure that proved inadequate to
the specific configuration of one of the switches in the company's frame
relay network.

AT&T said the problem began when a computer command was issued to upgrade
software code in one of the network switch's circuit cards.  This created a
faulty communications path that generated a large volume of administrative
messages to other network switches.  As a result, the other switches quickly
became overloaded and stopped routing data from customers' applications for
periods ranging from six to 26 hours before the network was fully restored.

Following an exhaustive examination of the outage, AT&T said it has
changed its software upgrade procedures and will install updated
software with safeguards that would have prevented the outage.

``This disruption certainly did not meet our customers' expectations for
service reliability, or our own, and for that AT&T apologizes,'' said
Chairman C. Michael Armstrong.  ``The applications that customers run on our
frame-relay network are

AT&T said last week it would forgo charging frame-relay customers until the
company had isolated and confirmed the root cause of the problem and defined
a fix.  Armstrong said he expects that process to be completed shortly.

Praising Cisco for its cooperation in identifying the root cause of the
problem and designing a fix, Armstrong said: ``We continue to have
confidence in Cisco and its products.''

AT&T will share its analysis of the network outage with the FCC, the
industry-wide Network Reliability Council, and other network providers.
``By sharing this information and best practices,'' Armstrong said, ``we
will help customers avoid similar network outages no matter which carrier
provides their frame-relay service.''

Frame relay is a high-speed, packet-data technology used by thousands of
businesses that need to exchange large amounts of computer information in
short and frequent bursts.


Re: Inaccurate study quoting (Perillo, RISKS-19.65)

Carl Ellison <cme@cybercash.com>
Mon, 04 May 1998 12:41:39 -0400
In RISKS-19.65, Robert Perillo made the mistake of taking seriously the
exaggerated, punchy writing style of my posting (19.62), adopted in
imitation of the testimony to which I was replying.  However, in the process
he supplied much information to substantiate my position so I should not
complain.

There was one glaring misleading conclusion, borrowed from the Denning-Baugh
report and repeated twice in his posting.

>The report does make clear that encryption could pose problems for law
>enforcement in the future.  "Our findings suggest that the total number of
>criminal cases involving encryption worldwide is at least 500, with an
>annual growth rate of 50 to 100 percent."  And "Quite a few people are
>technically sophisticated."

The annual growth rate of 50 to 100 percent is stated as if this were a
product of rapid adoption by criminals of technology helpful to their
enterprise.  If that were true, then we could start with a documented case
of organized crime using cryptography too strong for the government to break
and extrapolate from there.  The case I have in mind is that of rum runners
in April of 1927 using codes and ciphers that were custom designed for them
and that were reported in 1933 to have been stronger than those in use by
governments at that time.  With the slower growth rate, we would expect a
minimum of 1.5^(1998-1927) = 1.5^(71) = 3180382777245 criminal organizations
using crypto too strong for governments to break by April of 1998.  That is,
strong cryptography, carefully used so that it hinders investigations,
should have reached total saturation by the time of the study.

By contrast, as Mr. Perillo points out...

>Instead, the study's main conclusion was that it was unable to find any
>current incident where the use of cryptography significantly hindered an
>investigation or prosecution.  "Most of the investigators we talked to did
>not find that encryption was obstructing a large number of investigations.
>When encryption has been encountered, investigators have usually been able
>to get the keys from the subject, crack the codes, or use other evidence,"
>states the report.

Why is that?  Give that this observation is true, is there any impending
threat to law enforcement on a scale that demands drastic measures (such as
removing a citizen's right to attempt to achieve privacy from his own
government)?  What is being done to follow up on this study and learn
underlying reasons for this observation?

As for the 50-100% annual growth rate, do we have any idea how much this was
a side effect of the growth of use of personal computers during the time of
the Denning-Baugh study?  It clearly was not a result of rapid adoption of
strong cryptography by criminals as soon as they saw the benefits of it.

Carl M. Ellison, CyberCash, Inc., 207 Grindall Street Baltimore MD 21230-4103
cme@cybercash.com  http://www.cybercash.com/  (410) 727-4288


Crypto paranoia has its advantages

Nat Gertler <nat@gertler.com>
Fri, 01 May 1998 20:55:05 -0700
I recently found myself in an unusual position... I was actually aided by
the fact that the government has placed strict controls on the export of
cryptography programs.

For a book that I recently completed writing (_Easy PCs_), I needed to
install Internet Explorer 4 (not something I'm happy about; applications
that take over OSes do not strike me as a good idea.) This would let my
system look much like Windows 98, or at least OSR2 (which I am unable to buy
for my system, as the OEMs around here are requiring complete system
purchases to get it.) So what do I do? Download it, of course!

Except you don't just go download ie4. You download a program designed
specially to download it. That way, you have a downloading system that can
restart a download in the middle, should it get cut off for some
reason. That's reasonable, when one is talking about tens of megs of
files. It's a sane way to handle things.

At least, it would be a sane way, if the downloading program actually
worked. It does not. For some reason, in the midst of downloading a file, it
will suddenly go from having downloaded, say, 908K of the file to having
downloaded some small fraction of that. Constantly restarting the download,
it would never reach the end. I lost several hours of precious time trying
to get this program to do what it was designed to do.

I threw in the towel. I went out to try to buy a copy of just ie4 at local
stores. No luck. For whatever reason, they didn't have the Special Edition
CD. I did try picking up an on-line service package that had ie bundled with
it, but that turned out to be revision 3.

So I'm stuck. The book, already in trouble, is getting later and later.
I could order a CD from Microsoft, but that would take days to get here.

I probe the Microsoft web site a little more, and what do I find? A special
link for downloading the 128-bit crypto version of ie4. I chase down the
link, and find that instead of needing a special download program, this is
just one 13 meg file one can directly get! Why? Because if they went through
the standard program, there would be no way to prevent foreign agents from
downloading the 128-bit version and using it to commit acts of banking!

It's a bad law, to be sure. But it's done me some good.

(Of course, once I started running the browser, the dang thing crashed.  And
I don't mean one of those cute little Internet Explorer Is Not Responding
crashes, I mean one of those Windows Has Become Unstable crashes. Has
become?)

Nat Gertler


Forgery when buying Pentium 2 computers -- failure is often only sign

"Kriston J. Rehberg" <kriston@ibm.net>
Sun, 03 May 1998 23:10:38 -0400
Hi, here's a message I sent to my friends after I bought a forged Pentium 2
machine.

If you're thinking of buying or have bought a Pentium 2 computer recently, I
hope this message will save you some grief with forged clock speeds and
unreputable dealers.  Perhaps those store-brand computers should not be as
fast as their labels state.

I recently purchased two Pentium 2 MMX-based computers from a very large,
local computer department store (in VA).  One of them was sold as a P2 300
MHz with ECC Cache, the other a P2 266 MHz with identical features.  In
reality, after close inspection of the chip and the output of a diagnostics
program on the 300 MHz model, I found that computer to contain forged
components.  I found evidence that the original serial number had been
rubbed off the CPU module.  Around the "new" serial number was evidence of
tampering and the faint outline of what looked like the old serial number.
The typeface didn't even match the old serial number and the new number was
easy to wipe off.  The final proof was the indisputable fact that this
Pentium chip did not feature an "ECC Cache".  According to Intel's
documentation, *all* 300 MHz Pentium 2 chips must have this feature.  The
faked serial number had "EC" which indicates that the chip must have this
feature.  However, diagnostics proved that the ECC Cache feature was
definitely not present on this chip.  Therefore, the processor speed and
serial number turned out to be forged and what I had purchased instead was
most likely an overclocked P266 or P233 processor in a motherboard jumpered
to run it at 300 MHz.  Intel explains that as an artifact of their
manufacturing process, there is nothing inside any Intel processor that can
be used to identify its proper clock speed.  The only evidence would be
unexplained, intermittent failures, or accidental discoveries such as mine.
So much for quality control from the world's largest CPU manufacturer.

When I went back to the large computer department store to return the two
computers, they did eventually return my money with no restocking charge.
The service department claimed to never have heard of this problem, but
offered to replace the CPU on a repair call.  They could give me no
assurance that I could get a non-forged CPU.  I offered that they replace it
with a retail-packaged Pentium from the do-it-yourself department, but he
declined. So, he lost a big sale of two top-of-the-line computers and the
business of a frequent, regular customer.  However, I went to the sales
floor to discuss this with the salesman who sold me the two computers and he
readily admitted that P333's and P300's are nothing more than overclocked
P266's or P233's and didn't see a problem with the relabeled processor
module.  He then tried to sell me a 333 MHz system!  I'm not making this up!
I will leave you to draw your own conclusions.  So, be careful out there.

There was some news about forged Pentium 2 processors and how to identify
them at http://www.news.com/ this past week.

Nitty-gritty details: There is no way to identify a forged 266 or 233 MHz
processor.  The fact that you can identify most 300 MHz P2's is an accident
because Intel decided to make all 300 MHz chips and higher contain the ECC
feature.  The price difference between non-ECC 266 MHz P2's and ECC 300 MHz
CPU's is about $160, which is a lucrative temptation (by comparison, ECC
266 MHz P2's are only $100 away from ECC 300 MHz P2's, making it hardly
worth the labor cost for the forgeries).  Note that there is also no way to
identify a forged 330 MHz or 350 MHz P2 processor.  It makes me wonder who
the processor manufacturer cares more about protecting -- the customers, the
resellers, or the manufacturers themselves.  In any case, the safest way to
purchase Pentium 2 CPU's is directly from Intel in the "retail" package.
These CPU's are typically $20-$30 more and are sealed in the box and come
with a three-year warranty direct from Intel.  That warranty is much longer
than the forged chips will actually last, so Intel is actually giving you a
good deal.  Non-retail, or "OEM" chips are sold in bulk through resellers
and are only warranted with the system, but the rub is that the processor is
likely to burn out from heat damage shortly after the warranty has expired
on the system.

Caveat emptor,

Kris Rehberg

PS...These forgeries are very rarely done with the knowledge of the store.
It's usually one of the resellers of the CPU's that do it.  Some even pry
open the module and replace a fast CPU board with a much slower CPU, believe
it or not.

Kriston J. Rehberg  http://kriston.net/


Risks of state interference

<Name withheld by request>
Wed, 6 May 1998 18:49:20 +0200
Here is an unofficial English translation of a decree from the President
of the former Soviet republic of Ukraine.  It would appear that freedom of
information is not yet fully understood in that nation - the intention is
presumably to monitor all Internet traffic entering and leaving the country.
The futility of doing this will be familiar to most RISKS readers, of
course, but apparently not to at the Ukraine government.

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

EDICT OF THE PRESIDENT OF UKRAINE ON SOME MEASURES
CONCERNING PROTECTION OF STATE INTERESTS IN THE INFORMATION SPHERE

For further ordering the operation of information networks and forming
conditions that will provide information security of the state and control
over the development of information networks and data transmitting networks
in Ukraine, according to Section 1 of Article 106 of the Constitution of
Ukraine, I rule the following:

1. The State Committee of communications of Ukraine shall procure the exit
to foreign networks only from the networks of the enterprises (operators)
'Ukrtelekom', 'Ukrkosmos', Infokom'.

2. Ministries, other central and local agencies of the executive power, as
well as enterprises, offices and organizations that include secret regime
subunits shall transmit their date only through the enterprises (operators)
listed in Article 1 of the present Edict.  The bodies of the local
self-administration are recommended to transmit their data according to the
procedure used by the executive power agencies.

3. The Cabinet of Ministers of Ukraine shall suggest for adoption to the
Supreme Rada the draft of the law 'On controlling security in data
transmitting networks of Ukraine'

President of Ukraine   L. Kuchma   22 April 1998


Re: "Beyond Calculation" - seeing the forest for the trees

John R. Levine <johnl@iecc.com>
5 May 1998 04:01:03 -0000
> "Every few hundred years, throughout Western history, a sharp
> transformation has occurred. ... "Our age is such a period of transition."
> From memory, Drucker suggested that the current transition can be dated
> from around 1950 ...

Oh, humph.  You want a sharp transformation, look at the period from 1840 to
1860.  In 1840, if you wanted to send a message or a package to someone
else, you gave it to a guy on a horse or in a sailboat who would proceed at
a walking pace in the direction of the recipient.  Getting news or goods
between New York and San Francisco or London took weeks and was subject to
large unpredictable delays.

By 1860, there were telegraphs, railroads, and steamships, so messages could
go anywhere in the developed world in a few minutes, and goods were
delivered on predictable schedules.  These were at least as wrenching
changes as anything in this century, and we're still getting used to them.

John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
johnl@iecc.com, Village Trustee and Sewer Commissioner, http://iecc.com/johnl,


REVIEW: "Privacy on the Line", Whitfield Diffie/Susan Landau

Rob Slade <rslade@sprint.ca>
Tue, 5 May 1998 08:35:39 -0800
BKPRIVLN.RVW   980301

"Privacy on the Line", Whitfield Diffie/Susan Landau, 1998,
0-262-04167-7, U$25.00
%A   Whitfield Diffie
%A   Susan Landau
%C   55 Hayward Street, Cambridge, MA   02142-1399
%D   1998
%G   0-262-04167-7
%I   MIT Press
%O   U$25.00 +1-800-356-0343 fax: +1-617-625-6660 manak@mit.edu
%P   342 p.
%T   "Privacy on the Line: The Politics of Wiretapping and Encryption"

This seems to be the year for privacy.  Hard on the heels of
"Technology and Privacy" (cf. BKTCHPRV.RVW), "The Electronic Privacy
Papers" (cf. BKELPRPA.RVW), and the related "Borders in Cyberspace"
(cf. BKBRDCYB.RVW) comes this volume.

Given the emotional content with which the encryption debate has been
loaded in recent years, it is important that the introduction, in
chapter one, is a neutral and even-handed look at the background of
the discussion, presenting the issues on both sides, although little
of the case for either.  Specific references may be from the United
States, but the arguments made are generic enough to be considered by
all audiences.  Chapter two gives an overview of cryptography, which
is, of course, excellent.  Not only does it explain the importance of
keys and cryptographic strength, but it also gives insightful analysis
into business and social factors in the development of the field.
Cryptography and public policy, in chapter three, is restricted to
developments within (and related to) the US, but looks at all types of
issues, both technical and not.  Chapter four discusses national
security with a quick but clear and thorough overview of the various
aspects of intelligence gathering, particularly communications
intelligence.  There is also brief mention of information warfare.
Much of the heat in the current debate about encryption restrictions
involves law enforcement.  (References are frequently made to drug and
child pornography rings.)  Therefore, the brevity of chapter five is
disappointing.  The content, however, is not.  It builds a solid
framework for the topic, and notes an instructive difference in
effectiveness between wiretaps and other electronic bugs.  Chapter six
is again specific to US history, reviewing activities both in support,
and destructive, of privacy.

Chapter seven deals specifically with wiretapping technology,
activities, and legality in the US.  Much of the material in the
chapter has been at least touched on previously, and there is
noticeable duplication.  There is less duplication in chapter eight's
discussion of the current communications scene, although little new
material.  The same is not the case with current cryptography in
chapter nine, providing brief backgrounds of the myriad efforts being
made to disseminate and suppress encryption capabilities.  The
conclusion, in chapter ten, seems to come down on the side of opening
encryption development and distribution.

An extensive, possibly exhaustive, bibliography is a major resource in
the book.

The thorough research, even tone, and informed analysis make this work
an excellent foundation for discussion.  It does not, however, provide
much in the way of direction.  That the authors should tend to support
the dropping of restrictions on cryptography is not surprising, but
such support is neither strong nor impassioned.

copyright Robert M. Slade, 1998   BKPRIVLN.RVW   980301

Please report problems with the web pages to the maintainer

Top