The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 39

Friday 14 May 1999

Contents

o Hacker competition opens in Singapore with $10,000 prize
Keith A Rhodes
o Faulty software doomed Titan 4B Milstar launch
Keith A Rhodes
o MI6 Agents 'outed' by Web
Randy Holcomb
o 41-year-old died while NYC's 911 system was down
Monty Solomon
o ``Human error'' posts budget PR on the web prematurely
George Michaelson
o Computer woes set back opening for Tulsa's jail
Jo Oerhlein
o C compilers vs editors: WYSI NOT ALWAYS WYG
Daniel A. Graifer
o Risks of upgrading a UNIX system
Wolfgang Moeller
o Any Bell Atlantic customer can be spuriously Opted Out from CALL54
Douglas A. Brothers
o SurfWatch filters out plugandpray.com and minow.org
Martin Minow
o MS AutoRoute Express 2000
Pete Mellor
o Another talking lift bug
George Michaelson
o On-line account access
Leo Sokolskiy
o Wrong e-mail address
Bruce Wampler
o Risks of 3-letter user IDs for free e-mail accounts
Dan Yurman
o Info on RISKS (comp.risks)

Hacker competition opens in Singapore with $10,000 prize

"Keith A Rhodes" <rhodesk.aimd@gao.gov>
Fri, 14 May 1999 10:07:33 -0500
Prizes up to $10K are being offered to anyone who first penetrates
supposedly secure Web servers at an information technology trade show in
Singapore.  The two servers are products of Voltaire Advanced Data Security
in Israel [210.24.153.70] and Conclave Integrated Internet Security in
California [210.24.153.90].  There is also a third (unprotected) server
[210.25.153.80].  Successful penetrators must alert the organizers at
hackerszoneAyahoo.com within one day of the hack.  Conclave regional
director George Kane said it had "100 percent confidence" that its server
was hacker-proof.  You must "break into two workstations, then the secure
server, retrieve and change specified files, and then manage to leak the
information into a public work station."

Voltaire's key security product is a device that physically divides one
single personal computer into two workstations, guaranteeing separation of
secured and unsecured environments.

Conclave utilizes an integrated system that includes a firewall, anti-virus
and encrypting capabilities.

[Source: Agence France-Press item from Singapore, 13 May 1999]


Faulty software doomed Titan 4B Milstar launch (RISKS-20.36)

"Keith A Rhodes" <rhodesk.aimd@gao.gov>
Thu, 13 May 1999 14:35:24 -0500
The 30 Apr 1999 improper Milstar orbit was the result of Lockheed Martin
engineers loading flawed software into the Titan/Centaur rocket.  The flaw
was not detected despite extensive prelaunch "verification".  The report
will be published next week in *Aviation Week and Space Technology*.  "The
software was verified at Lockheed Martin Astronautics in Littleton,
Colo. The work force there already had been stung by 900 impending job cuts
and the murder of 12 students and a teacher at nearby Columbine High
School."  [Source: Article by Todd Halvorson, Florida Today, 8 May 1999,
http://www.flatoday.com/space/explore/stories/1999/050899b.htm; PGN-ed]


MI6 Agents 'outed' by Web

"Holcomb, Randy" <RandyHolcomb@firstusa.com>
Thu, 13 May 1999 11:04:57 -0400
A 'disgruntled employee' has reportedly exposed the identities of over 100
MI6 agents on a Web site.  [The U.K. government has insisted that the Web
pages be removed, although apparently mirrors are popping up in other
places.  PGN-ed]


41-year-old died while NYC's 911 system was down

Monty Solomon <monty@roscom.com>
Tue, 2 Feb 1999 12:07:14 -0500
Susan Ungvary repeatedly called 911 when her boyfriend collapsed, but
repeatedly got busy signals.  It turns out that the 911 system was down for
over an hour, as a result of a routine test (four times each year since
1996) of emergency generators in which the backup system failed to forward
calls to police headquarters.  Whether the death could be attributed to the
system outage is unresolved.  [Source: Associated Press item, *The Boston
Globe*, 2 Feb 1999, page A10; PGN-ed. 
"http://www.boston.com/dailyglobe2/033/nation/As_41_year_old_died__NYC_s_911_was_busy+.shtml"


``Human error'' posts budget PR on the web prematurely

George Michaelson <ggm@dstc.edu.au>
Wed, 12 May 1999 15:56:57 +1000 (EST)
I liked:

  "result of a series of technical and human errors associated with
  preparations to meet the requirement for Budget information on
  government Websites immediately after the Budget speech"

Down here, and in the UK, it is routine for the Journalists to be in a
lock-in with government flaks 2-3 hours ahead of the budget so they can do
live comment based on advance knowledge.  I bet somebody took the logical
steps to make the Internet 'just as good as the lock-in'.
  [http://www.abc.net.au/news/newslink/nat/newsnat-12may1999-47.htm]


Computer woes set back opening for Tulsa's jail

Jo Oerhlein <COehrlein@aol.com>
Fri, 14 May 1999 09:20:34 EDT
The new Tulsa County jail will be dedicated tomorrow, but it is not ready
for prisoners -- because of software problems.  A pervasive information
system is supposed to track up to 1440 prisoners using bar-coded wristbands.
EPIC Solutions (San Diego) implemented the system, but is finding the
challenge more difficult than expected.  [Source: Article by Larry Levy,
*The Daily Oklahoman*, 14 May 1999, page 5]


C compilers vs editors: WYSI NOT ALWAYS WYG

"Daniel A. Graifer" <dgraifer@cais.com>
Fri, 14 May 1999 10:48:44 -0400
I recently sent some C source developed on unix to a colleague for
modification and compilation under MS Windows.  The resulting executable
behaved in unexpected ways precisely at the points he modified.  I have
finally figured what happened.

The MS Visual Studio V5.0 he is using has a built in source editor that
recognizes both Windows <CR><LF> and unix <LF> as "newline".  The
integrated C/C++ compiler will accept C++ style "//" comments in C
source.  In making his modifications, the colleague used "//" comments
to suppress my code, then added new lines of his own code, sometimes
above, sometimes below the suppressed entries.  Apparently, the VC++
preprocessor or compiler didn't recognize the unix <LF> characters as
termination of the commented out lines, and skipped everything up to his
next entered line containing the required <CR><LF>!

This is the only situation in C/C++ I can think where it would matter.
Still, I think having the editor and the compiler from the same
development platform have different definitions of "newline" is poor
form.  But just remember, What You See Is NOT What You Get!

Daniel A. Graifer <dgraifer@cais.com> Parker & Company 1-888-426-6548
Andrew Davidson & Company 588 Broadway, Ste 610, NY 10012  (212)274-9075


Risks of upgrading a UNIX system

"GWDVMS::MOELLER" <moeller@gwdvms.dnet.gwdg.de>
Mon, 10 May 1999 22:26:19 +0200
When was the last time you rebuilt all privileged (`suid root') applications
when upgrading a unix system, just in case?

I'm pretty sure one can find `small print' that demands this, however I'm
equally sure that hardly any system manager does so, since problems seem to
occur _very_ rarely. Here's a neat one:

Some time prior to the upgrade, system manager (S.M.) was asked to install
`sshd' on a not-so-common platform (nothing really security-relevant,
machine used for raw speed only, users just being accustomed to that sort of
login). Said platform (featuring a particularly elaborate user data base)
requires some special calls (simple calling sequences) to be done during
`login' - no problem, `sshd' knows about them, although not explicitly aware
of the particular hardware. Cautiously, S.M. configures `sshd' to not allow
`root' logins from the outside.  What other harm could it possibly do?

Upgrade has to occur somewhat in a hurry, release documentation isn't
on-site, but procedures are known well enough. S.M. asks the manufacturer's
support representative if special precautions have to be taken, "errr, not
that I'd think so". S.M. installs new version, all fine & dandy, even
remembers to check out `sshd' afterwards and finds it to work the same as
before.

A couple of days later, S.M. logs in via `sshd' himself, and for the first
time enters `su'. Gets very amazed at the new system's intelligence, as it
knows to not ask him for a password. Minutes later, S.M. recognizes that
`su' would never ask for a password, when the parent process had been
created via `sshd' ... in spite of no other visible peculiarities with that
process.

A re-build (pretty likely boiling down to nothing but a re-link) of `sshd'
fixed the problem.

Quite a few years ago, when I saw the first mention of `ssh', I commented
"If you're a bank, you don't buy your safe at a flea market;
if you're not, you might be better off without a safe".
Maybe there's _some_ truth in it, after all.

Dr. Wolfgang J. "s."Moeller, Tel. +49 551 2011510, GWDG, D-37077 Goettingen,
F.R.Germany <moeller@gwdvms.dnet.gwdg.de> <moeller@decus.decus.de>

P.S. re "software bloat":
   Imagine uSoft going open source, and no-one going to have a look at it...


Any Bell Atlantic customer can be spuriously Opted Out from CALL54

<brothers@clark.net>
Tue, 11 May 1999 17:19:02 -0400 (EDT)
In the spring of 1999, Bell Atlantic-Virginia has notified its customers
that it plans to introduce the Bell Atlantic CALL54(sm) service to its
customers in northern Virginia. The CALL54 service is an automated reverse
directory assistance service that will enable northern Virginia customers to
obtain names and addresses for telephone numbers published by Bell
Atlantic. Name and address information for telephone numbers in the entire
states of Virginia and Maryland will be available at a charge of $.75 per
request of up to 3 numbers.

This service is already available in New Jersey, West Virginia and
Maryland. Bell Atlantic will not provide name and address information for
non-published numbers.

Customers with published telephone numbers may exclude their names and
addresses from CALL54 service by calling toll free 1-877-678-6887 to "Opt
Out" of the service. There is no charge to "Opt Out" of CALL54.

When you call their "Opt Out" service, you enter a ten-digit phone number
and the system repeats it back to you. You are asked for a confirmation
(depress 1) or cancellation (depress 2.).

What would prevent anyone in the world from opting you out of the service?
Would you be notified that you were "Opted Out?"

The process could be made considerably more secure by requiring that a
subscriber call from the number being "Opted Out" or "Opted In" and then
only giving the user the choice of "In" or "Out". There would be no need to
enter a number as the phone company knows your number when you call them.

Douglas A. Brothers <brothers@clark.net>


SurfWatch filters out plugandpray.com and minow.org

Martin Minow <minow@apple.com>
Fri, 7 May 1999 20:50:08 -0700
EXPLETIVE DELETED: SurfWatch, an Internet-filtering company that aims to
protect children from online pornography and violence, boasts that it only
blocks objectionable sites after "thoughtful analysis" by its staff.  This
left James Tyre, a Pasadena lawyer and Internet activist opposed to
filtering, more than a little bemused when SurfWatch blocked his newly
registered site, www.plugandpray.com for "sexually explicit content."  The
main problem: Mr. Tyre's site was and remains totally blank but for an
innocuous banner ad.  SurfWatch says its software most likely confused
Mr. Tyre's site with a pornography site that shares the same numerical
Internet protocol address in a setup called "virtual hosting."  SurfWatch
has since unblocked Mr. Tyre's site, but others haven't been so lucky.
Martin Minow, a Silicon Valley programmer, recently discovered that his new
site www.minow.org, was also blocked by SurfWatch for alleged explicit
content.  The site bears only the words, "This site is under construction."
Theresa Marcroft, director of marketing for SurfWatch, concedes that the
company's software tends to block even innocuous virtually hosted sites if
they are added to an Internet address that has been previously blocked,
although she notes that the company responds quickly to unblock clean sites
once it knows about them.  "We're doing our best," she says.  "This is such
a nit in the overall objective of keeping kids away from the objectionable
stuff." [Compiled by Nicole Harris and Ann Grimes, Posted by James S. Tyre
<j.s.tyre@cyberpass.net>, from *The Wall Street Journal*, 6 May 1999, B4]


MS AutoRoute Express 2000

Pete Mellor <pm@csr.city.ac.uk>
Tue, 11 May 1999 12:25:21 +0100 (BST)
The following is taken from the BBC Watchdog web pages
(www.bbc.co.uk/watchdog). I would like to thank Gordon Brown
<gordon@jdc-etype.demon.co.uk> for passing it to one of my colleagues.

AutoRoute Express 2000 Weekend Watchdog 07.05.99

In February, Microsoft launched the new AutoRoute Express 2000 journey
planner. By entering the details of any journey you want to make, it will
show you the best roads to use and calculates how long the drive will
take. It predicts possible hold ups and even recommends scenic spots on the
way. Now Microsoft has admitted to Weekend Watchdog that Autoroute's
directions could cause drivers to make unnecessary detours that add miles to
their trips.

Richard Emery, a logistical planner from Bracknell, advises companies on the
best routes for moving their goods. It literally pays Richard to know the
quickest way from A to B.

Using Autoroute Express 2000, Richard planned a trip from his home to a
charity office in Llanelli in South Wales. He knew it was a long way but was
not sure how long it would take. The software came up with what appeared to
be a good set of clear directions, providing almost door to door road names,
and said that the journey should take 2 hours and 36 minutes. Then Richard
programmed in two 10 minute service station breaks. The journey suddenly
changed from 169 to 185 miles, and the time taken increased by 1 hour and 3
minutes.

Richard demonstrated the problem to Weekend Watchdog with a real journey
from Swindon to Reading.

Autoroute Express 2000 says it is a distance of 49.3 miles and, without a
coffee break, should take 51 minutes along the M4. Richard then programmed
in a 10 minute stop at Membury Services, almost half way between Swindon and
Reading on the motorway. Autoroute changed a 30 second round trip into a 33
minute drive through the countryside. The software ignores the fact that
most service areas are connected to the motorway, and works out a route via
junctions and A roads to the back of the service station.

Richard has discovered that this is the case with routes all over
England. For example, London to Nottingham, 127 miles with two short coffee
breaks according to AutoRoute, will take 3 hours and 15 minutes.  That
leaves 1 hour and 5 minutes to get coffee.

Microsoft says it's very sorry Richard Emery has experienced such problems
with Autoroute Express 2000. It says that it is "committed to resolving
these issues in the next version of the product".  The company has set up an
Autoroute Express 2000 Hotline on 0345 002000, which is open until 10pm on
May 7th and between 9-5pm from then on.

http://www.bbc.co.uk/watchdog/stories/autorout.shtml

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422, p.mellor@csr.city.ac.uk

  [Actually, the shortest distance between two points may involve the pub
  nearest where you started.  If after a few pints you forget which way you
  were going, the trip can be much shorter.  PGN]


Another talking lift bug

George Michaelson <ggm@dstc.edu.au>
Wed, 12 May 1999 16:00:44 +1000 (EST)
I've mentioned the lifts in our building with an off-by-one error on the
floor.

Now I've noticed that if you select a 'DOWN' lift button, but get into an
'UP' lift, albeit empty, and with no real 'UP' calls on it, although you get
to select 'DOWN' as a destination, it still vocalizes "going up" as it
moves.. downwards.

The sole reason for talking lifts seems to be to help blind people. You
can imagine that in an emergency (not that you should use lifts then anyway)
there would be some concern that a talking lift can confuse the rider even
if the delivery point is correct.

I'm sure this is an example of an I.T.  system grafted onto the core workings
of the lift: the latter are going to be subject to some kind of safety proofs
since the lift operations depend on them. The vocalizer is seen as 'ephemeral'
and its bugs don't matter except...

-George


On-line account access

"Leonid (Leo) Sokolskiy" <sokolski@hsc.usc.edu>
Tue, 11 May 1999 09:39:34 -0700
Recently the bank which issued one of my credit cards, First USA, started to
offer on-line account access. I decided to give it a shot: it is a nice
system, letting you see your charges, etc. Imagine my surprise one day when
after I logging in I was looking at someone else's list of charges although
the system listed them under my account number. When I went to the
statements section, I could pull up images of previous statements from
someone else's account including name, address, account number, and list of
charges.

Amazingly, calls and e-mail to customer service produced little response
beside weak assurances to "investigate and fix it".  Thus, despite bank's
repeated statements that they concerned and respectful of their customer's
privacy, it does not see to trickle down to implementation level.


Wrong e-mail address

Bruce Wampler <bruce@objectcentral.com>
Fri, 07 May 1999 18:36:59 -0600
I just received a very big e-mail file filled with several Microsoft Word
documents from a name I did not recognize.  My first reaction was to worry
about the Melissa virus, but closer examination of the To: revealed a wrong
e-mail address. The e-mail was addressed to "xxx@realitycentral.com".  The
documents were obviously confidential real estate contracts, and the
intended address must have been "xxx@realtycentral.com" -- no "i".

I own the URL "realitycentral.com" which is presently parked.  All e-mail to
the site is automatically forwarded to me.  There are a lot of parked URLs
waiting for development that probably forward e-mail, or even dump it.

A couple of risks are obvious here. First, one needs to be very careful when
sending confidential material that it goes to the right place, and really
gets there. Second, it is possible to send e-mail to a site and have it
delivered anyway, even though there is no one with the specific address at
that site. This would usually cause a bounced message.  Unless the sender is
informed by the ultimate recipient of the e-mail (which I did), they will
never know their mail went to the wrong place. Finally, there is the risk of
having a URL similar to another busy site, not unlike having a phone number
similar to a busy business number -- one may get a lot of wrong numbers.

The topic of sending e-mail to the wrong address has no doubt been discussed
before, but I thought this instance demonstrated a couple of interesting
twists.

Bruce E. Wampler, Ph.D., Author of the V C++ GUI Framework
mailto:bruce@objectcentral.com  http://www.objectcentral.com


Risks of 3-letter user IDs for free e-mail accounts

"Dan Yurman" <n43w112@hotmail.com>
Sun, 9 May 1999 10:17:20 -0600
The proliferation of free e-mail services available from a 'portal' sites
raises the question of how to insure your user ID is unique among millions
of other current and especially prior users of these services.  For
instance, a quick tour of the major portals indicate free e-mail is available
from the following locations.  This is necessarily a representative sample
of sites chosen more or less for convenience, and not for any commercial
purpose.  Perhaps as many as 20 million people have or have had free e-mail
accounts these or other sites.

http://www.hotmail.com/
http://www.hotbot.com/
http://www.yahoo.com/
http://www.lycos.com/
http://www.excite.com/
http://www.bigfoot.com/
http://www.switchboard.com/

For those of you who are considering signing up for a free hotmail e-mail
account, or for any of the others, consider this lesson learned from a
friend.  Don't sign up for a user ID on Hotmail, or any other free e-mail
service, using the three letters of your initials.  There may be someone out
there, in fact count on it, who also has those initials, and who may have
had a Hotmail or other free e-mail account prior to yours.

Hotmail, like other free e-mail services, "recycles" user IDs.  This is not
unlike what the phone company does with your number after you move.  After a
suitable period of time, it reissues the number to a new customer.
Otherwise, it would run out of numbers.  I'm not picking on Hotmail, just
arbitrarily using them in this example since they are one of the largest of
the free e-mail services.

This challenge is that you may not like what the previous "owner" of your
three letter user ID was interested in getting over the Internet.  For
instance, suppose the three letters of your initials are 'ABC' yielding a
Hotmail account of abc(at)hotmail(dot)com.  So, if your name is 'Anna Belle
Cornwall,' (a made up name for this posting with any resemblance to a real
person strictly coincidental) it may be the prior user of that account name
was Archie Bunker Cooper (same disclaimer).  If "Archie" was into less than
mainstream interests, or worse, and signed up for mailing lists on his
favorite subjects, now innocent Anne Belle is going to get that stuff
because she now owns the account abc(at)hotmail(dot)com.

Not only will she get all of 'Archie's' solicited mailing list material, she
will also get every piece of spam still hunting for valid e-mail addresses
known to be linked to his user ID and interests.  If she's lucky, all she'll
get are some get rich quick schemes, the occasional porno come on, and
offers to buy stamp / coin collections or HO train sets.  It could be a lot
worse, especially if "Archie's" ex-wife, his creditors, or other malcontents
think they are still talking to him over the Internet.  Of course, "Anna
Belle" could try answer them, but usually at this point explanations will
not work, and like trying to teach the proverbial pig to sing, only wastes
her time and annoys the pig.  The replies also tell spammers they have a
valid e-mail address.

There is nothing she is going to be able to do about all that spam, and the
other stuff, except close the account and get a new one.  This could be very
inconvenient if she had already told her friends and family about her new
three letter user ID.

There are several good strategies to avoid this problem.

* Put a number in your hotmail or other free e-mail user ID after the 1st
letter, e.g a2bc(at)hotmail(dot)com, or in any position after the first
letter, except the last.  Hotmail, unlike some others, requires the first
position to be a letter to avoid having their sites being the origin of
spam.

This strategy eliminates many heritage users IDs based on three initials.
Even with 26 letters in the alphabet, there are still a finite number of
combinations.  The available three letter combinations go from AAA to ZZZ.
Since Hotmail has millions of users, your probability of encountering a
match using just the three initials of your name, based on a prior or
current user, is very high.  However, assigning an arbitrary number within
the three letter sequence eliminates "collisions" with all users IDs based
solely on three initials.

* Use at least four letters, e.g. abcd(at)hotmail(dot)com, which will also
eliminate a pretty good percentage of the like instances of inheriting three
letter user IDs that have been recycled.  This decreases the odds of
encountering a match, but still raises the possibilities of "collisions"
with people who have shifted user ID naming strategies from using their
three initials to using their first names.

If you use four letters and a number, after the 1st position, you have
significantly increased the odds that no one else will have ever had this
user ID before you.  Now you have not only eliminated letter letter user IDs
based on initials, but also almost all user IDs based on first names.  The
exception is if you put the number in the last position, e.g. if "Anna
Belle" chooses 'anna5' etc.

* For a maximum strength strategy to avoid duplication with previous e-mail
user ID owners try at least four letters plus mixing in say the first two or
three numbers of your house street address, last few digits of your zip
code, birthday date of your dog, cat, goldfish, etc., or any other numeric
sequence that is meaningful.  If "Anna's" zip code is 95472, she could
choose a user ID of A9n5n4bc(at)hotmail(dot)com.

So if the mythical "Anne Belle" wants a no hassle user ID, that no one among
the millions of past Hotmail users have held, one of these simple strategies
should do the job for her.  However, don't put these numbers at the end of
the letter sequence.  Mix them in the middle.  It is common for other online
services like AOL and Prodigy to put numbers at the end of user IDs to avoid
duplications.

* Pick an entirely non-obvious combination, say the bar code for your
favorite beer brand, your initials combined with the current temperature
(your choice of indoor or outdoor readings), or, as in my case, a geographic
reference.  I choose the nearest USGS map corner, but you could look up the
lot lines of your home or apartment and get carried away with surveying
coordinates. :-)

The drawback is that these strategies fly in the face of personalizing your
free e-mail account with something that others will remember easily.  The
whole point of the free e-mail accounts is that they are part of "mass
customization" marketing strategies so the portal companies may not like
this advice, or at least not very much.  In fact this advice may fall in the
same category as the story about the engineer who had to choose between a
talking frog and a beautiful princess.  However, it will work.  I'm assuming
you've already done some customization of your own with your home ISP, and
that your use of a free e-mail account is to keep some communications out of
your priority e-mail inbox, or for other business or personal reasons.

Enjoy the Internet.  Surf safely.

I am not affiliated with hotmail except as an end user of the service.

Dan Yurman  n43w112@hotmail.com  Eagle Rock, Idaho

Please report problems with the web pages to the maintainer