Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
There is a story in *The New York Times* 8 Apr 1999 about a web spoof that cost people serious money. Apparently, somebody set up a Web page that looked exactly like a commercial financial Web site. The claim was made that PairGain Technologies (PAIR) was set for a takeover. On this speculation, the price shot up 20% the same day. Once the hoax was proven, the stock came back down, but presumably not all the people who bought high got out on time. While such an event is unfortunate, there is a taste of "I told you so" to see that one of the dangers we've been preaching about for so long actually caused loss of revenue. I believe this is the first of many such swindles to come. Avi Rubin [Also noted by Jim Reisert. A PairGain employee, Gary Dale Hoke was subsequently arrested at home in Raleigh NC, despite ``an effort to access the Internet anonymously'', according to the *San Francisco Chronicle, B1, 16 Apr 1999. PGN]
Glitch causes 4 billion euro overdraft (IDG, 12 Apr 1999) by Mary Lisbeth D'Amico Although the January switch to the single European currency was smooth at most European banks, a prominent German discount bank and its customers this week were acutely aware that not all possible euro-caused glitches have been found. Customers of Bank 24, a discount bank owned by Deutsche Bank AG, were astonished [on 6 Apr 1999?] to find that their securities accounts appeared to be overdrawn to the tune of 4 billion euro ($4.32 billion). An oversight connected to the change to the euro was responsible for the error, affecting 55,000 customers. http://www.cnn.com/TECH/computing/9904/12/overdraft.idg/
Yahoo! subpoenaed to identify messagers; Raytheon execs resign At least two Raytheon employees have resigned in the wake of proprietary messages appearing on Yahoo message boards. Raytheon is accusing 21 employees, and has subpoenaed Yahoo! to the identify the senders of anonymous e-mail. [Source: CNNfn, 5 Apr 1999, PGN-ed]
Just in case you thought that security problems were solved by computers, we're reminded yet again that it all comes down to trusted people doing the right thing. I wonder if John Deutch got a copy of the Melissa virus, potentially sending classified files to his closest friends? A routine check of former CIA Director John Deutch's home turned up 31 files classified secret on his personal computer after he had stepped down and was retained as a consultant. No prosecution is planned, because the violations were not deemed criminal. [PGN-ed from various sources, mostly Associated Press, 11 Apr 1999]
So maybe I'm an April Fool, but it seems to me that the Y10K issue is worth
a little serious thought.
There are areas of human endeavor in which 8000 years is not an extreme time
span. At present, we deal with these long time spans only in modeling things
like geological and cosmological events. But it is not unreasonable that
within the next century, we may begin to build very high technology systems
with mission durations of thousands of years - for example, a system to
contain radioactive wastes, or a probe to another star system.
Y2K issues have raised our consciousness about timer overflows, but it's
quite possible that this may fade in succeeding generations. There's no
reason not to start setting standards now.
Perhaps all time counters should be bignums?
== Tom Swiss/tms@infamous.net == http://www.infamous.net
I'm hardly the first to point this out, but there is a certain risk in a) abstracting too much and b) doing this on 2. April and c) doing it with articles on such risk-worthy topics ;-) Why? This story makes perfect sense to any Risk-Reader but it's an April Fool's joke. (I myself expected them, but this one is hardly detectable.) The *Tages-Anzeiger* story goes on telling people to go to the townhall and register themselves to avoid losing their citizenship. Anyway: you should have backup tapes! David Frank, Dietlikonerstr. 14, CH-8304 Wallisellen, Switzerland +41 (0)1 830 6506, David.Frank@access.unizh.ch [Unfortunately, not all of the 1 Apr material is on hand in time.]
Regarding the plethora of foolacious items in RISKS-20.26-29, RISKS has a general policy of NOT explicitly identifying foolish material around 1 Apr each year. You are all on your own, and expected to read discriminatingly. Besides, sometimes the most ridiculous sounding risks are quite real. I received a few pieces of e-mail questioning the validity of one particular item or another, which suggests to me that some of you must have taken many of the other items as genuine! This is somewhat surprising, but will not alter our policy in future years. An unexpected exception to this policy was Lauren Weinstein's Inside Risks column on the risks of teleportation in the April 1999 issue of the Communications of the ACM. Although neither he nor I wanted any explicit April Foolish disclaimers on the column, our CACM editor decided to add an explicit warning — perhaps fearing that some of you were ready to try this technology anyway. For those of you who are not CACM subscribers, Lauren's column is on my Web site, Start with http://www.csl.sri.com/neumann and click on "Inside Risks". Also on my Web site (http://www.csl.sri.com/neumann/house99.html) is my testimony for yesterday's hearing of the House Science Committee subcommittee on technology, in which I consider Melissa as the tip of a very large iceberg — the abysmal state of computer and communication security. My testimony, plus that of Keith Rhodes and others, will also be at http://www.house.gov/science/welcome.htm — click on committee hearings, then subcommittees, and find the 15 Apr hearing, supposedly by the end of the House working day EDT. Incidentally, newer readers sometimes ask why RISKS comes out so irregularly. The answer of course is that I run it in odd moments, whenever I can. If you ever think you missed an issue or think that your subscription might have been dropped, please check the various RISKS Web sites and mirrors for the latest issue. (Even when I prune the list militantly from previous invalid addresses, I sometimes receive as many as 300 bounces on the next issue. I gather that USENET loses an issue now and then as well.)
The 22 Feb 1999 "Engineering News Record" in an item titled "Dredge spoil misplaced due to alleged GPS programming error" reports that 600,000 cubic yards of dredged spoil were dumped almost half a mile from an approved site, off the coast of Orange County, California, due to an error in keying in co-ordinates into a GPS receiver. A new GPS unit had been installed on a tug, and apparently the operator keyed in the co-ordinates in base 60 ( degrees, minutes, seconds) instead of in base 100 ( degrees, minutes, decimal fraction of a minute) that the new GPS used. The error was detected when the crew of the tug noticed another tug and barge dumping spoil in the approved site. Misinterpretation of the display units of measurement is a fairly common problem in user interface design and is probably responsible for no end of wasted paper, misprogrammed VCRs, and in at least one case ( the 767 "Gimli Glider" incident) a serious threat to air safety. W. T. Shymanski <wts@ieee.org>
[From an anonymous source]
I worked with the PRC-138 for over 5 years now. I was teaching some Korean
soldiers how to operate it with a wire antenna hanging out the window. Well
this is not the most optimum antenna and it provide not to be by being able
to watch smoke start curling off my finger tips while operating the radio.
The manual on this radio states that the radio must be grounded and the 20
watt manpack set comes with a strap and small ground rod. The PRC-104 has
this same problem if you build a poor antenna that the radio cannot match
to. It probably stand the same that 125 watt systems in vehicles need to be
grounded also.
Subject: [SIGNET] AN/PRC-138 Potential RADHAZ
1. Testing of the AN/PRC-138 HF radio by the Canadian Military has revealed
a non-ionizing radiation hazard.
2. This message is posted to inform you and to find out if any similar
incidents have occurred with radios with US forces. Also, if this condition
is known, what are we doing about it to prevent this hazard?
3. The Canadian PM for the 138's received reports from users in Bosnia that
electrical shocks were received from the AN/PRC-138 in a man-pack
configuration and when used as a temporary communications system in a
vehicle. It had also been reported that electrical shocks were being
experienced by users of the 138 when installed in a vehicle mounted 125 Watt
Power amplifier system in the Canadian ILTIS (jeep-type) vehicle.
4. The investigation revealed the AN/PRC-138 radio produced electrical
shock/RF burn hazards when configured as a man-pack or installed as in the
ILTIS in the 125 Watt configuration. A man-pack operator would feel
electrical sensations from any conductive part on the radio front-panel and
uninsulated screw on the handset during transmission. The investigation
also revealed that the sensations were worst when humidity conditions were
dry. In the ILTIS, the RF burn sensation was not limited to the radio
equipment but also any other uninsulated and ungrounded conductors such as a
watch bracelet. The electrical sensations created by the contact current
could also cause a knee-jerk reaction which in itself could cause an
accident.
5. The man-pack tests utilized the radio at 20 Watts over several
frequencies with both the whip antenna, model number AT271A/PRC (NSN
5985014248333) and the dipole antenna, model 1903AD (NSN 5985013567620). A
safe distance of 0.75 metres from the whip and 1.5 metres from the dipole
transmitting antennae was measured. In order to eliminate any potential
confusion when antennae are exchanged, a safe distance of 1.5 metres should
be observed for both antennae.
6. Personnel requiring more information or a copy of the complete test
results should send their requests to the undersigned.
Major RK (Kevin) Ferguson
Canadian Forces Liaison Officer - Signals
714 Signal Towers
Fort Gordon, GA 30905-5680
Phone: Comm (706) 791-4163
DSN 780-4163
Fax: Comm (706) 791-7829
DSN 780-7829
E-Mail: fergie@emh.gordon.army.mil
Error of US$19,130 ! I have found Microsoft Excel to be very good at mixing different data types without having the user to specify those types. However, the fact that the types are not specified explicitly pose a risk. I recently had a budget submitted and approved that turned out to add up to US$19,130 over what the grand total said it did. The problem was that the $19,130 item was actually listed as "19, 130" The space character was barely distinguishable on the screen (partially because of the use of a proportionally-spaced font and the fact that the space was directly after a comma). It was only when I printed the spreadsheet later on that I noticed it (after the budget was approved). Normally, this error stands out because Excel by default left-justifies text and right-justifies numbers. However, I had specifically right-justified the column in question earlier. The issue here is that the "19, 130" was interpreted by Excel as text rather than as a number. Since Excel doesn't generate warnings when adding text, but rather interprets it as 0, I had no notification of the problem. This is an instance of a general risk in the trade-off that often comes with making interactive systems usable in that many mundane tasks are automated (such as type specification), and warnings are eliminated resulting in the user not knowing how things are interpreted. Prof. Ben Bederson, Computer Science Department, HCIL, University of Maryland College Park, MD 20742 1-301-405-2764 www.cs.umd.edu/~bederson
Karsten Sohr <sohr@mathematik.uni-marburg.de> at the University of Marburg
in Germany has discovered a very serious security flaw in several current
versions of the Java Virtual Machine, including Sun's JDK 1.1 and Java 2
(a.k.a. JDK 1.2), and Netscape's Navigator 4.x. (Microsoft's latest JVM is
not vulnerable to this attack.) The flaw allows an attacker to create a
booby-trapped Web page, so that when a victim views the page, the attacker
seizes control of the victim's machine and can do whatever he wants,
including reading and deleting files, and snooping on any data and
activities on the victim's machine.
The flaw is in the "byte code verifier" component of the JVM. Under some
circumstances the verifier fails to check all of the code that is loaded
into the JVM. Exploiting the flaw allows the attacker to run code that has
not been verified. This code can set up a type confusion attack (see our
book "Securing Java" for details http://www.securingjava.com) which leads to
a full-blown security breach.
We have verified that the flaw exists and is serious. Attack code (in both
applet and application form) has been developed in the lab to exploit the
flaw. Sun and Netscape have been notified about the flaw and they are
working on a fix.
What?! RISKS in mobile code? We're happy to alert you to yet another lesson
regarding the classic tradeoff between security and functionality.
Dr. Gary McGraw Prof. Edward W. Felten
Reliable Software Technologies Secure Internet Programming Lab
gem@rstcorp.com Dept. of Computer Science
Princeton University
http://www.securingjava.com felten@cs.princeton.edu
[Reportedly fixed in 1.2.1. PGN]
I spoke with Mr. Lee on the phone and he said that he stands by his story. He also said that some of the specific wording in the Risks Digest summary of the story was significantly different from his actual story. He also requested that the Risks Digest not carry any more material from his column. To that end I plan to no longer forward his column to you. Here is my statement on the matter. I am CC:ing the hospital, and plan to send them a copy of the actual posting from Risks when it is published. [Sorry for the delay. I've been away too much. PGN] In RISKS-20.23, I noted a report from Leonard Lee's Glitches of the week, Newsbytes News Network<<http://www.newsbytes.com/<>, 24 Feb 1999, concerning problems in the Vancouver Hospital computer system that resulted in errors in patient medical records. In response, I received the following communication from Murray T. Martin, President & CEO of Vancouver Hospital: "As you are in error, we write to ask you to remove the postings, to apologize to VHHSC, and to initiate steps to advise those who may have accessed the information. Vancouver Hospital and Health Sciences Centre takes very seriously these defamatory statements, and has advised the software vendor of our concerns. We reserve the right to take legal action on the alarming and libelous statements. In particular, your statement as fact that the software and process errors had the effect of "significantly delaying treatments and discharges, and increasing costs" is incorrect and defamatory. There is no evidence to our knowledge of any of these effects, and ask that if you have such evidence, you provide it to us." I apologize to Vancouver hospital for any harm that this has caused.
Microsoft Outlook 98 has scheduled Memorial Day for May 24, 1999 instead of May 31, 1999. I thought this kind of power was reserved for the Federal Government! According to my Microsoft contact, this feature is included in Office 2000 as well - and so apparently there is not much quality assurance in the data that Outlook comes with. This is actually a fairly serious problem for those of us that rely on Outlook. I managed to schedule a visitor coming from another Country to give a talk on what turns out to be Memorial Day. If the plane tickets the visitor bought are non-refundable, we could have some trouble. I'm sure that the Microsoft licensing agreement absolves them from responsibility for this kind of error. So, the risk is, make sure you trust your data sources... Prof. Ben Bederson, Computer Science Department, University of Maryland, College Park, MD 20742 www.cs.umd.edu/~bederson 1-301-405-2764
A professor and psychologist at Penn State kept state mandated records for each client in a separate Word file. He obtained PGP 5.0 for Windows 95 and set up a Username and Passphrase. He then used PGP to encrypt each client file. He backed up the encrypted client files and after reassuring himself that he could recover any encrypted file, he erased the plain text files. Then his fixed disk crashed. He installed a new fixed disk and installed PGP 5.0 again, and attempted to re-establish what he called "the key" by using the same Username and Passphrase. He had never backed up the key ring file (secring.skr) thinking that he could re-create what he thought was "the PGP key". Needless to say his 150 or so encrypted client records are not decipherable. Thus, for all practical purposes, that data is lost and the encrypted files may as well be erased. Moral: When encrypting any data, find out how to and what to back up for BOTH the data and key(s) . Then secure each of these backed up media, probably under lock and key, with a copy not in the same building as the computer. At least periodically verify that backed up data can be decrypted successfully on an independent computer. Herman D. Knoble, Penn State Center for Academic Computing, University Park, PA 16802-2101 +1 (814) 865-0818 hdk@psu.edu http://www.personal.psu.edu/hdk
This evening I watched an item on the Melissa virus on a cable TV technology
newsmagazine show. The reporters talked to someone at a company that
monitors Internet performance, who attributed two days during which
performance was degraded by 20% to 23% to many downloads of virus checking
tools and information about the virus.
Then they asked people from a virus-checking software company how to defend
against such viruses. They said "Always run a virus checker, and update
your database frequently".
This struck me as being incomplete. Why does virus defense have to be
reactive? I'd heard that Microsoft has a free downloadable Word viewer that
wouldn't have the macro security hole. So, off to the Microsoft Web site.
The prominently-displayed short note there on Melissa wasn't much different
from what the virus-checker guys said on TV. "Turn off macros, use a virus
checker, update it frequently." No mention of what to do if your machine
has already been infected (so that turning off macros might not be
possible), no mention of a macro- ignorant doc viewer.
I found the download index that showed the Word document viewer.
Unfortunately I couldn't download it, because my browser (IE4.0) reported a
programming error in the download page.
So, I settled for downloading a white paper on security features in Office
2000. This was a Word document packaged in a self-extracting executable
program. Not the ideal format to inspire confidence in this reader! The
paper (o2ksec.exe) does contain useful information, including the registry
settings to disable VBA macros or add-ins, and suggestions for locking
critical sections of the registry without interfering unduly with user
activities. Any guesses as to how many sysadmins and self-admins will
follow those instructions?
Doesn't anybody get it?
Chuck Karish karish@well.com (650) 329-8655
Big financial institutions were quick to put in place automated safeguards against the Melissa virus. Which didn't explain why one coworker received an e-mail on Tuesday, eight days after the affair hit most UK sites, headed "Important message from GWUser". It came from GWUser, who (the address showed) was based at a UK "Big Four" high street bank. In fact, it was Melissa-generated. The mail itself though did not contain the dreaded document, nor any document; instead there was a message from the Bank's virus-checking software saying it had removed the document. The address list, meanwhile, showed 25 addresses - some inside, some outside the Bank (such as ourselves). However, almost simultaneous with this message came another one, by automaton, from the Bank's security systems. "You have been infected by the Melissa virus", it said (I'm busking a little - the colleague has since deleted them). This message had been sent out to all the recipients on the same list. The implication of the message was that it couldn't identify the source of the message it was complaining about as being inside its walls, and was blaming us for sending it, rather than warning us. Even so, two clear risks: 1) doubling the load on mail systems by having two messages, even though the virus-checker did do its work and killed it (thus saving further propagation); 2) confusing the hell out of recipients who aren't savvy enough to follow what had happened - which included the original colleague here. We however have reason not to worry about this. We run Macs, use an old version of Word without macros but with forward compatibility, and use Lotus Notes rather than Exchange or OExpress. Virus writers have not expanded to fill that particular niche, if they ever can/will. Charles
> 4 Microsoft praised for having GUIDs in documents. I certainly hope that 4) is followed by: 5 Microsoft is condemned for developing a language with a poor security model. That Melissa can disable security-related menu commands and alter the 'security' features of the macro language interpreter shows what a poor security model the language has. Perhaps this was acceptable when the macro language was used for simple templates in documents, but with the emergence of macro virii and the expansion of the language to fairly effectively control the machine, this is not acceptable any more. Cross-platform languages such as Tcl and JavaScript have some security model which attempts to reduce the ability of code to damage your system in some way (e.g. Tcls Safe-Tcl security model is now fairly advanced, and allows users to run scripts in 'Safe Mode' preventing scripts from accessing sensitive parts of the machine). That any 'security' in Word macros can appear to be overridden by macros is poor show on Microsoft part. They need to fix this, and soon. Scott Keir scott@tardis.ed.ac.uk www.tardis.ed.ac.uk/home/scott/ | [Incidentally, there is confusion among the various news reports of Melissa as to exactly when and how the GUID entered into the identification of the perpetrator. Can anyone who really knows enlighten us? PGN]
The Christmas Tree "virus" affected VM systems some 10+ years ago. (IIRC it really affected PROFS.) I think it is reasonably comparable to Melissa. > Microsoft engineers decided to dispense with a security kernel ... If a computer has an integrated word processor in its mail software, then it very well might not take supervisor privileges for a word processor macro to send mail. I think this was the source of the PROFS vulnerability. --henry schaffer
CALL FOR PAPERS The Center for Millennial Studies at Boston University in conjunction with the American Studies Department at Brandeis University announce the upcoming conference sponsored by the Lilly Endowment Foundation, Boston University, and Brandeis University. NEW WORLD ORDERS: MILLENNIALISM IN THE WESTERN HEMISPHERE November 7-9. 1999 An interdisciplinary inquiry examining the wide range of millennial movements in the Americas: their origins, traditions, interpretations and consequences, both religious and secular from the perspective of elite, popular, or counter-culture. Papers on the historiography of millennialism in the Americas will also be considered for presentation. DEADLINE For Abstracts Is JULY 1, 1999 [presentations 20 minutes in length] Contact: Beth Forrest, Center for Millennial Studies at Boston University 704 Commonwealth Ave., Suite 205, Boston, MA 02215 1-617.358.0226 cms@mille.org http://www.mille.org [Richard and his CMS colleagues at Boston University are looking at the BIGGER PICTURE of Millennialism! PGN]
Please report problems with the web pages to the maintainer