The RISKS Digest
Volume 19 Issue 96

Tuesday, 15th September 1998

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


NY Times Web site attacked
Epstein Family
Dave Farber
5th SRI squirrelcide causes 18.5-hour outage
Starr galactic dispersion avoided black holes except for USGovt
Sexy risks of searching for MP3
Sidney Markowitz
'Whois' blocks abusers domain database
Doneel Edelson
Y2K legal settlement
Keith Rhodes
Problem of signs — signs of problem
Mich Kabay
An inverse story
G. Roussos
Re: "Windows NT Security"
Mike Perry
Re: Rocket blows 12 Globalstar satellites
Privacy Digests
Info on RISKS (comp.risks)

NY Times Web site attacked

Epstein Family <>
Tue, 15 Sep 1998 08:08:27 -0400
According to *The Washington Post*, 14 September 1998, *The New York Times*
web site was repeatedly hacked over the weekend by attackers who replaced
the home page with one "containing images of bare-breasted women", and also
"attacked the newspaper and two reports, using vague threats and creative
spelling".  The attackers claimed to be defenders of Kevin Mitnick, who is
currently in jail over a number of hacking episodes of his own.

The article explains that the NYT staff removed the attackers' web page and
replaced it with their own, only to be hacked again.  The tug of war between
the two versions went on for two hours, before the NY Times took their site
off the air for several hours to prevent further attacks.  The FBI is
investigating, and claims to be familiar with the attacker group
[Hacking for Girlies].  [Total time reportedly 9 hours]

[As the NY Times and Washington Post are fierce competitors for title of
"best newspaper", I wonder how much glee the WP got from reporting this
story :-) ]

  [In their 14 Sep 1998 article, *The NYT* quoted George Washington
  University professor Lance Hoffman: "The material posted by the hackers is
  offensive, childish, threatening and chilling.  It's a good example of why
  we have to bring accountability to the Internet."

  In the 15 Sep 1998 *San Francisco Chronicle*, Jon Schwarz quoted Ira
  Winkler as saying ``Any Web site — no matter how secure — can be
  hacked.''  Although we often cite *The NYT* writers in RISKS, I guess
  *The NYT* management is not *reading* RISKS.  No surprises here.  PGN]

NY Times Web site attacked

Dave Farber <>
Mon, 14 Sep 1998 22:06:33 -0400
While *The Times* hacking was illegal, it should teach us a lesson.

I would like to propose a more sinister event ... . Suppose someone who was
more clever hacked *The New York Times* Web page not to destroy it but to
modify a piece of news. Say, for example, the person, better yet a group, at
9am inserted into the business page a news item with a very downbeat news
item on a company — preferably a widely traded company with a good short
showing. It would, no doubt, drive down the price and enable the short
sellers to made a lot of money while The Times/users recognized the breakin
and fixed it. A well organized version of this might be very hard to solve.

What would happen if there was an announcement of a, for example, coup in

Times for places we trust to protect their windows to the public a lot
better than The Times seemed to have.


5th SRI squirrelcide causes 18.5-hour outage

"Peter G. Neumann" <>
Tue, 15 Sep 98 08:13:05 PDT
Yesterday was one of those days when there was no power at work all day,
beginning just after 8am and continuing until 2:30 this morning.  ANOTHER
squirrel attack took down the main transformer, and prevented use of both
the cogeneration plant and public power.  As usual, some computer systems
were hosed and took further hours of work to restore.

See RISKS-8.75 for SQ#3, RISKS-16.46 for SQ#4, and RISKS-16.47 for a
protective measure that seems not to have been adopted by SRI.  To quote
from Where Have All the Flowers Gone, ``When will they ever learn?''
[For related items, see RISKS-17.91, RISKS-18.52 and 53.]

  [If your contributions and risks-requests bounced, please resubmit.]

Starr galactic dispersion avoided black holes except for USGovt

"Peter G. Neumann" <>
Tue, 15 Sep 98 17:18:31 PDT
We noted in RISKS-19.95 that many sites mirrored the Starr report soon after
it was released.  As a consequence, although Net traffic was very high,
individual sites were not affected too dramatically — except for the three
government sites (,, and, which were so saturated
that they were effectively nonexistent.  Once again, there was a beneficial
effect from not putting all of the eggs in one basket.

Various folks have noted that if the Communications Decency Act
(subsequently declared unconstitutional) were in effect, the Starr Report
(subsequently declared indecent) might have resulted in fines of $250,000
and 5 years in prison to those posting it on the Internet.  An Associated
Press item on 15 Sep 1998 estimated that almost 6 million people had read
the Starr report via the Internet.  (... well, maybe browsed.)

Sexy risks of searching for MP3

"Sidney Markowitz" <>
Fri, 11 Sep 1998 13:53:43 -0700
Related to PGN's parenthetical comments in RISKS-19.95 (which you can find
in that issue by searching for the words "sex" and "MP3"), I was searching
for Grateful Dead bootleg recordings (not pirated!) in MPEG3 format and was
surprised that many of the links that came up were porn sites that had no
mention of MP3 nor Grateful Dead. Investigation revealed that the HTML
source for the porn sites contained META tags with repetitions of the words
"MP3" and a long list of rock bands, designed to fool the search engines.
Add in to the mix the practice of many of these porn sites to spawn new
browser windows when you try to back out of them (there has to be a pun
there, somewhere) and I'm sure there are a number of risks for the unwary

sidney markowitz <>

'Whois' blocks abusers domain database

"Edelson, Doneel" <>
Mon, 14 Sep 1998 14:57:05 -0500
>From Yahoo News -

Monday September 14 2:17 PM ET
'Whois' blocks abusers domain database
By Randy Barrett, ZDNet

Network Solutions Inc. is blocking certain companies from using its public
database of domain name holders.  NSI's Whois database contains detailed
information on 2.3 million Internet domain name recipients who have
registered through NSI's InterNIC service.  The listings, which include
name, postal address, telephone numbers and e-mail addresses, were designed
primarily to help network operators communicate with domain holders. But
Whois has become increasingly popular with companies that mine the list for
direct mail marketing campaigns and subsequently burden its servers.  "You
don't have to tie up all the bandwidth [to mine the list]," said David
Holtzman, NSI's senior vice president of engineering.

Hits soaring

NSI allows mining of the Whois database, but in the past two months, the
number of hits to the site has doubled every 20 days, Holtzman said. In
June, the site received 12.2 million hits. In July, that number jumped to 21
million. The August statistic was not available.  Holtzman found that 32
percent of the Whois traffic - more than generated by all of Europe - was
initiated by a single company. He won't name names but said two companies in
particular badly abused the database and are now locked out. The culprits
initiated parallel sessions via HyperText Transfer Protocol with multiple
computers and slowed down by 50 percent access to Whois for the rest of the
Net.  "I interpret it as a denial-of-service attack," Holtzman said.  But,
in this case, the companies' motives appeared more impatient than
nefarious. Holtzman at first tried to meet the demand by adding new hardware
but finally gave up and filtered the two companies instead. Whois access
speeds are now improving, he said.

Can identify source

Numerous domain name holders said they regularly receive direct mail
marketing solicitations from such companies as American Express Co. and
Verio Inc. and can tell by the addressing that the source is Whois.  "Every
time I register a domain, I get paper junk mail from Verio telling me what a
swell idea it would be to use their service. It's quite clear what they're
doing, since it always comes to the contact listed for the new domain, which
I always list care of my company," said John Levine, author of the book
Internet for Dummies.

NSI even uses the database for its own marketing. Last month, the company
sent out e-mail messages to domain holders advertising digital
identification services from VeriSign Inc.

Y2K legal settlement

Mon, 14 Sep 1998 10:45:06 -0500
Produce Palace International, a grocer in Warren, Mich., has accepted
$250,000 from Tec America Inc. of Atlanta (a subsidiary of the Tec
Corporation, an affiliate of Toshiba of Japan), which makes its cash
registers and credit-card verification systems.  (The plaintiff's attorney
claimed this is the first reported Y2K settlement.)  Produce Palace said the
entire system routinely crashed when a single register was presented with
credit cards with 00, for the Year 2000, in the expiration date, with
crashes one-fifth of the days over a 500-day span.  The case was filed in
1997.  David Nadler (a Washington lawyer) was quoted saying, "It's a
lemon-law case dressed up in year 2000 clothing."  [Source: *The New York
Times*, 14 Sep 1998]

Problem of signs — signs of problem

Mich Kabay <>
Tue, 15 Sep 1998 08:23:12 -0400
At Logan Intl Airport in Boston on 14 Sep 1998, there was a lot of milling
about and frustration as people entered the lineup for a Business Express
commuter flight to Philadelphia.  The flight that was boarding was actually
for Halifax, Nova Scotia, and Philadelphia passengers were being turned
away.  They would then go to the harried flight attendant at the counter for
an explanation, causing yet more delays as they interfered with newcomers
trying to register for later flights.

The problems were caused by the electronic announcement board, which clearly
showed that the Philadelphia flight was boarding even though it wasn't.

A few minutes later, while the Philadelphia flight, now 10 minutes late, was
_really_ boarding, the board entry winked out, giving the impression that
the Philadelphia flight had left.  Late-coming Philadelphia passengers now
besieged the desk in panic demanding to know what they would do having
supposedly missed their flight.

I asked the agents why the board was inaccurate; could they not adjust the
flight information?  No, said the agent, it was all computer-controlled and
there was nothing she could do about it.

The flight attendant on the little commuter place to Philly was apparently
better-informed.  The flight status is controlled by a human being in
operations (via a computer program, of course).  In the absence of feedback,
the signs are causing more trouble than if they were turned off.

The fundamental problem is that no one is integrating information about late
flights or allowing for real-time information from the gate.  An information
system based on theory isolated from reality is bound to fail.

I will send a copy of this message to the president of Business Express so
he will see to a simple improvement: allowing for feedback from the gate.

M. E. Kabay, PhD, CISSP / Director of Education
ICSA, Inc. <>

An inverse story

Sun, 13 Sep 98 22:54:40 BST
RISKS frequently reports problems caused by cut cables to voice or data
communications, as a result of work of the [insert you favourite public
utility here]. Especially those of you who suffered such fortune may be
interested to know that on Friday night a worker of Cable and Wireless, UK,
damaged a British Gas pipe while repairing phone lines in Chiswick, West
London. As a result approximately 1,400 people had to be evacuated and had
to spend the night away from their homes. [ITN News, Sat 12/9/98]

Re: "Windows NT Security" (Frankston, RISKS-19.95)

Fri, 11 Sep 1998 22:02:36 edt
All of Bob's concerns about what access is really needed, different roles,
the problems of "super" users, and the basic requirement of always being
able to just trust the system are addressed by B2 operating systems.


  [Well, not all, but many.  But then, there are very few B2 systems,
  and system developers are not very eager to develop any more.  PGN]

Re: Rocket blows 12 Globalstar satellites

"Eugene" <>
Mon, 14 Sep 1998 08:57:42 +0300
Yuzhnoye is not in Russia.  It is in the Ukraine.  Eugene

  [Spasi'ba!  PGN]

Privacy Digests

<RISKS moderator>
17 Apr 1997
Periodically I will remind you of TWO useful digests related to privacy,
both of which are siphoning off some of the material that would otherwise
appear in RISKS, but which should be read by those of you vitally interested
in privacy problems.  RISKS will continue to carry general discussions in
which risks to privacy are a concern.

* The PRIVACY Forum is run by Lauren Weinstein.  It includes a digest (which
  he moderates quite selectively), archive, and other features, such as
  PRIVACY Forum Radio interviews.  It is somewhat akin to RISKS; it spans
  the full range of both technological and nontechnological privacy-related
  issues (with an emphasis on the former).  For information regarding the
  PRIVACY Forum, please send the exact line:
     information privacy
  as the BODY of a message to ""; you will receive
  a response from an automated listserv system.  To submit contributions,
  send to "".

  PRIVACY Forum materials, including archive access/searching, additional
  information, and all other facets, are available on the Web via:

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
  run by Leonard P. Levine.  It is gatewayed to the USENET newsgroup
  comp.society.privacy.  It is a relatively open (i.e., less tightly moderated)
  forum, and was established to provide a forum for discussion on the
  effect of technology on privacy.  All too often technology is way ahead of
  the law and society as it presents us with new devices and applications.
  Technology can enhance and detract from privacy.  Submissions should go to and administrative requests to

There is clearly much potential for overlap between the two digests,
although contributions tend not to appear in both places.  If you are very
short of time and can scan only one, you might want to try the former.  If
you are interested in ongoing discussions, try the latter.  Otherwise, it
may well be appropriate for you to read both, depending on the strength of
your interests and time available.

Please report problems with the web pages to the maintainer