Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
A German couple drove their BMW with great confidence under control of its computerized satellite navigation. Indeed, they drove it past a stop sign, down a ferry ramp, and into the Havel River in Caputh, near Potsdam/Berlin, Germany. The computer system reportedly neglected to tell them they needed to wait for the ferry. Ship traffic was stopped for two hours, but the couple was OK. [Sources: PGN Abstracting from numerous multiply submitted similar copyrighted stories, several quoting different officials reminding us that we should not blindly rely on technology. Big surprise to RISKS readers! But for the price of a Beemer, I thought it drove on water. PGN]
In Sweden, the first report about a 99-related computer problem appeared already on 1 Jan 1999. The Swedish police can normally issue provisional passports at the three main international airports in Sweden. But on the first day of 1999, no passports could be issued because the computer system could not handle 99. Four people in Stockholm and two in Goteborg had to cancel their trips because they could not get their passports. The system was reported to have been fixed during the afternoon. [Primary source *Sveriges Televisions Text-TV*, January 1 1999] A couple of things to note: Of course it is a risk to try to travel abroad without having a passport, but there could be good reasons - family emergencies, for example. The ordinary Swedish passports where changed in 1998 to conform with European Union regulations, but in this case the system must be much older or based on old components (if the designers where not extremely shortsighted). Most businesses do not open until Monday 4 Jan - we could expect to hear about more 99-problems then, I guess. Ulf Lindqvist, Department of Computer Eng., Chalmers University of Technology SE-412 96 Goteborg, SWEDEN +46 31 772 17 60 ulfl@ce.chalmers.se [Also reported by Martin Minow, and by Debora Weber-Wulff, who notes that 99 seems to be used often in Sweden to denote "end-of-file"... PGN]
The New Year provided an early taste of Y2K in Sweden. According to the Stockholm newspaper, *Svenska Dagbladet*, the modem-based "Giroguide" payment service run by the PostGiro refused to process payments "if the payer provided a specific date in 1999". (PostGiro is a convenient payment system run by the Post Office used as widely as checking accounts in the United States.) "It was due to a programming error" ... that can depend on the combination "99" that, in some cases, is used to mark end-of-run. Since you can enter payments up to a year in advance, it may also be due to a year-2000 problem, but Jarl Dahlerus, who is responsible for E-PostGiro, doesn't believe this is the case. If any customer is affected by the error, they will be compensated by PostGiro. Translated and summarized by Martin Minow, minow@pobox.com
I imagine this has been discussed some, but in case it hasn't. If you enter a number, say 123456789999 in Excel and save the file as comma delimited (csv I think MS uses) it will be saved as 1.234567E+11. Quite a few programs can't import this properly, including Word. But what's worse, bringing it back into Excel gives you 123456700000. I think the risks are fairly obvious. I wonder if the large bank I work for (which has standardized on Excel) knows about it. When opening an account I guess not only do I need to ask banks the interest rates, fees etc, but also what software they use. Sheesh. Tom Rowe, Atlanta, GA
Twin-brother computer hackers sentenced to death in China (Deutsche Presse-Agentur, 28 Dec 1998) Two Chinese computer hackers who illegally transferred 720,000 yuan (about 87,000 dollars) to their own bank accounts have been sentenced to death, the Beijing Chenbao newspaper said in its Monday edition. The hackers, twin brothers, had used inside information to rob a bank in the city of Zhenjiang, the report said. One of the brothers, Hao Jingwen, opened 16 accounts under false names in September, the report said. Then he entered a branch of the Trade and Industry Bank in Zhenjiang, in Jiangsu province, and installed a piece of equipment in the bank's computer system. http://web.lexis-nexis.com/more/cahners-chicago/11407/4120740/4 [Extracted from NMIA ZGram, zhi@zgram.net (Zhi Hamby)]
This case reminds me of another I wrote about earlier this year — but with a happier ending: http://cgi.pathfinder.com/time/digital/daily/0,2822,12983,00.html http://www.wired.com/news/news/politics/story/17068.html [Also AP item 28 Dec 1998] School Dazed by Speech Ruling, by Declan McCullagh A Missouri high school cannot punish a student for criticizing a teacher on a personal Web page, a federal judge ruled Monday. Saying the school violated free speech rights protected by the First Amendment, District Judge Rodney Sippel ordered the Woodland School District to let the student publish his site from a home computer. "Disliking or being upset by the content of a student's speech is not an acceptable justification for limiting student speech," Sippel wrote in a 17-page opinion. POLITECH — the moderated mailing list of politics and technology To subscribe: send a message to majordomo@vorlon.mit.edu with this text: subscribe politech More information is at http://www.well.com/~declan/politech/
See Also: Reverse Engineering the LEGO RCX http://graphics.stanford.edu/~kekoa/rcx/talk/ From: "Robert Raisch" <raisch@internautics.com> (When you provide technically capable, questing minds with simple, cheap and effective communications channels, they do what come naturally. This is why DIVX is doomed. /rr) Hackers have fun with Furby, BY MARGIE WYLIE, Newhouse News Service http://www7.mercurycenter.com/business/top/080145.htm Excerpt: While some people see a lovable little friend in this year's answer to Tickle Me Elmo, toy hackers like the 25-year-old programmer see a challenge: make Furby do as they command. Why? Why not? ``I figured it would be neat,'' said Tokash, who has created a Web site for Furby hackers to swap information (http://www.homestead.com/hackfurby). ``Somebody's going to hack this thing; I might as well be one of them.'' The Furby was designed by Tiger Electronics of Illinois to squeal, sneeze or snore and speak 200 words in a language called Furbish. And since its October introduction, hackers have skinned, autopsied and beamed the cloyingly sweet animatronic fur-ball with different infrared signals. The results, in excruciating detail, are posted on the Web. Rob Raisch, Internet Technical Hired Gun <http://www.raisch.com/>
The Net remembers everything; the Net forgets everything. What's the effect
on traditional ideas of research?
The Web these days relies on search engines. These are commercial ventures,
whose distinguishing features are in the technologies used to implement the
Web crawlers, indexers, and other components. Details of these technologies
have remained closely guarded trade secrets.
A group at Stanford University set out to do research on some nice new ideas
for search engines, applying and extending some traditional ideas from
library science to estimating relevance and importance of various Web pages.
The algorithms used, the architecture of the system, and other interesting
stuff, was published as a series of reports, which appeared - naturally
enough - on the Web at the group's Web site
(http://google.stanford.edu/about.html).
If you're interested in learning more ... you're too late. If you go to
that site, you'll find that the research group no longer exists. It's been
reconstituted as a corporation, Web site http://www.google.com/company.html.
That site currently has very little on it. The research papers are no
longer on the Web.
Now, I have no objection to the researchers going off to start a company. I
wish them the best of luck, even as I worry about the effect the drain of
talent from the academic world will ultimately have. However, I am
concerned about the removal of previously-public research material. We hear
repeated complaints that traditional journals don't accept URL's as
bibliographic citations. If *even a university research department*
approves the removal of on-line versions of its own research papers, how can
we take the Web seriously as a resource for scholarship?
Note that, even if the commercial venture decides to put the papers on-line
at its site, that would not be good enough. First of all, if anyone has a
citation to the papers at the old cite, the citation should be good on its
own - it should not require a chase to another site. More important,
however, commercial Web sites come and go. Even with the best of
intentions, a com- mercial Web site is not a stable academic reference. If
the new company fails; or if it succeeds, but is acquired by a larger
company and disappears as a separate entity; the papers will likely vanish
forever.
[Increasingly, much valuable research from the past is being forgotten.
Unfortunately, the operative motto seems increasingly to be
``If it is not now on the Web, it never existed.'' PGN]
"1999 problems with medical device clocks found" <http://www.sjmercury.com/business/tech/docs/085460.htm> discusses two medical devices that the FDA is warning hospitals of non-health threatening failure in 1999. The HP defibrillator will print "set clock" instead of the date on its printed record. The other, a patient monitor, will also fail to correctly report the date in it's logs. Obviously, somebody made "99" mean "clock needs to be reset". These are relatively new devices. We they really so short of memory that they couldn't find a bit somewhere for this flag? Daniel A. Graifer, Parker & Company 1-888-426-6548 Andrew Davidson & Company, 588 Broadway, Ste 610, NY 10012 1-212-274-9075 [Note: relating to Jerry Leichter's Y2K item in RISKS-20.13, various folks observed that 9 Apr 99 is the 99th day of 1999, which in some programs is represented as 9999, an erstwhile stopcode. PGN]
Last week I received my Health Insurance renewal notice with the period of cover listed as "From: 4 January 1999 To: 4 January 1900". Since I was not alive for most of the 99-year period I am intending to decline their generous retrospective insurance offer. It does not bode well, that in December 1998, HBA, one of the larger Health Insurance companies in Australia can presumably be so far behind in its Year 2000 project that they have not tested the production of their primary revenue collection document. Many other companies have already finished their Year 2000 projects. Now is the time that annual renewals for all sorts of things will be issuing that should have expiry dates falling in January 2000, it will be interesting to see how many other 1999 to 1900 renewals appear. [Many people are actually expecting some serious problems beginning next week for insurance companies and others who have to deal with dates a year ahead. PGN]
The mention of a pipe and the risk of not having a sign reminded me of an incident. Some background information, this took place in a nuclear training facility. For the most part a "real" plant wouldn't have as many tags and signs as this plant, but every pipe, wire, machine was labeled. So that's the stage and the pipe in question had the label CPW, the meaning of that pipe was taught early, and everyone there knew what it was, so much in fact that an ongoing joke about its meaning as Coffee Pot Water, however the real meaning of that acronym is Controlled Pure Water. And what that means is this water could be potentially contaminated. Anyway you can probably guess the conclusion of this story, but I will continue anyway. A new trainee, had apparently heard the joke before the lesson, and used CPW to fill up a coffee pot. The risks here are many. The joke definition of the above incident is really a risk with human nature or boredom of being over trained perhaps, but that aside. The use of acronyms is certainly a risk and I'm sure its been seen on this list many times. Even without using acronyms, the above sign could still be misinterpreted, Controlled Pure Water sounds at first like its pure and guaranteed to be so. Most people at this plant knew what controlled meant in context of this plant, but others? And back to the SF power outage, had that pipe been labeled substation ground, would that have meant anything to a construction crew? The real risk of this power outage would seem to me a physical security risk, as with the CPW incident. Neither of these things needed to be easily accessible, but once they are humans will err. -eric leif <ericleif@mindspring.com>
In RISKS-20.13, Ben Sherman <ben@2600.com> noted that Quark Xpress, as
part of a "feature" allowing embedded ASCII string commands, would
silently convert <> to >, mangling published UNIX listings. This is by no
means a new problem, and is, I think, inherent in the use of embedded
commands.
Circa 1981, I was typesetting a songbook using TROFF, the UNIX typesetting
program in which one flags command lines embedded in text by starting them
with a period (.), e.g., .PP signals a new paragraph. After some 2000
copies of the book had been printed and put on sale, we discovered that,
in perhaps a dozen places, entire lines of text had vanished. (This is
remarkably difficult to detect when proofreading familiar songs, similar
to losing complete sentences out of prose text).
On close examination, we found that TROFF had silently "eaten" every line
beginning with an apostrophe ('). VERY close reading of the TROFF manual
revealed that the apostrophe is an alternate command line marker, so that
any line starting with an apostrophe will be treated as a command. This
fact was noted in one obscure footnote, and not referenced anywhere else.
Why the programmers thought the apostrophe was a "safe" character to use
is unclear, but seems to follow the same logic that caused the Quark
Xpress bug: in "normal" writing, one does not use <>, nor start a line
with an apostrophe. However, these occur frequently in specific types of
writing: in UNIX shell scripts for <>, and in poetry or song lyrics for
lines starting with apostrophes (which frequently use contractions like
'Til and 'Tis).
The consistent Risk is that any reserved character combination, no matter
how obscure, may occur in someone's text, quite possibly without them
realizing it. If there is a solution (other than really careful
proofreading of typesetting-program output) it presumably includes
conspicuously documenting such combinations, ruthlessly minimizing their
number, and trying very hard to avoid anything even remotely likely to be
entered other than deliberately.
Jordin Kare
Just thought RISKS readers would like to know about a few New Year's gifts
from all.net:
I thought many of you might be interested in the newest "game" on
http://all.net/
The Cracking Game
In this 'game', we teach defenders about attack and defense techniques
by having them try to tell us how they would crack into a variety of
different sorts of systems and having various defensive things happen to
them along the way. It is also a lot of fun and somewhat of a
challenge. Just select it from the "Would you like to play a game?"
Menu and press Go.
Please note that the game is still under development and your comments
will be greatly appreciated.
I have also put up a beta-test version of an automatic game:
The Network Security Simulator
This simulator is intended for design, attack, and defense analysis for
computer networks, but it may also be of some interest from a gaming
viewpoint. It has just been added to the games menu at http://all.net/ Just
select "Network Security Simulator", select inputs from the menus, press go,
and see the results. Press "reload" to simulate again - with different
results of course. Your comments again will be appreciated.
Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
[Standard RISKS disclaimer. In this case, FC's work at FC&A is separate
and independent from any work he does for at Sandia. PGN]
Periodically I will remind you of TWO useful digests related to privacy,
both of which are siphoning off some of the material that would otherwise
appear in RISKS, but which should be read by those of you vitally interested
in privacy problems. RISKS will continue to carry general discussions in
which risks to privacy are a concern.
* The PRIVACY Forum is run by Lauren Weinstein. It includes a digest (which
he moderates quite selectively), archive, and other features, such as
PRIVACY Forum Radio interviews. It is somewhat akin to RISKS; it spans
the full range of both technological and nontechnological privacy-related
issues (with an emphasis on the former). For information regarding the
PRIVACY Forum, please send the exact line:
information privacy
as the BODY of a message to "privacy-request@vortex.com"; you will receive
a response from an automated listserv system. To submit contributions,
send to "privacy@vortex.com".
PRIVACY Forum materials, including archive access/searching, additional
information, and all other facets, are available on the Web via:
http://www.vortex.com
* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
run by Leonard P. Levine. It is gatewayed to the USENET newsgroup
comp.society.privacy. It is a relatively open (i.e., less tightly moderated)
forum, and was established to provide a forum for discussion on the
effect of technology on privacy. All too often technology is way ahead of
the law and society as it presents us with new devices and applications.
Technology can enhance and detract from privacy. Submissions should go to
comp-privacy@uwm.edu and administrative requests to
comp-privacy-request@uwm.edu. (For example, vol 13, issue 031, 23 Dec
1998, has a long item on random credit-card fraud via small charges.)
There is clearly much potential for overlap between the two digests,
although contributions tend not to appear in both places. If you are very
short of time and can scan only one, you might want to try the former. If
you are interested in ongoing discussions, try the latter. Otherwise, it
may well be appropriate for you to read both, depending on the strength of
your interests and time available.
PGN
Please report problems with the web pages to the maintainer