Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The approximately 100,000 merchants using CyberCash's IC Verify transaction software were given the opportunity to install a free upgrade for Y2K, but some of the merchants apparently did not get the fixes. Those who did not do so are apparently rebilling each customer transaction in the new year once each day until the fix is installed. Visa and Mastercard have installed software that attempts to catch the multiple transactions, but you'd better check your statements anyway.
In one of many reports of off-by-one-hundred Y2K effects, a few dozen Florida truckers received bills saying the were 100 years late in payments. Some people received bills for 100 years' back interest. There were even reports of people whose bank accounts temporarily showed 100 years' accumulated interest. No surprises there to long-time RISKS readers. Asymmetrically, we have also had a few reports of people being credited with 100 years worth of interest, although these seem rather specious if you are getting interest from 1900 to 1999, rather than from 1999 to 1900.
I spent the new year in Manhattan and yes, I was in Times Square new year's eve. After the ball dropped, I started calling friends to wish them a happy new year, and I was not able to make a single call on my Sprint PCS phone despite the very strong PCS signal I got. What made it worse was I could not receive any calls or voice mail during the day on the 1st and my outgoing calls (including calls to check voice mail) were switched to digital roaming calls despite the fact that Manhattan was in Sprint's service area. The problem lasted all day on the 1st, and into parts of the morning on the 2nd. A later conversation with a Sprint's service representative revealed that Sprint's network was jammed in several metropolitan areas including New York city during the 1st, and they were routing some of their traffic through Bell Atlantic or AT&T's network, which explained the mysterious roaming calls. Chenxi
MKS Toolkit Scheduler (Version 6.1) seems to have a problem with the Y2K date rollover. The application runs fine and must work off the system clock which also appears to be fine . The "Next Event" status how ever, shows that the next backup is on June 9, 2005 even though it performs daily backups properly. Ray McCormack, Solutions Consultant, McCormack Consulting 13215-C8 SE Mill Plain blvd. PMB 242 Vancouver, WA 98684 1-360-241-3092
I'm sure you'll know about this, but just in case: http://y2kmistakes.com has a wonderful archive of screenshots of Y2K affected sites. http://catless.ncl.ac.uk/Lindsay
Some amusing, generally harmless, Y2K snafus can be seen at the following URL. Look under "affected sites" in the upper left-hand corner. http://kwikware.com/y2kmistakes/
Sorry, I can' help this: On http://www.year2000.com/y2kbugbytes.html We have the following headline on Jan. 6, 2000: Year 2000 Bug Bytes Updated January 5, 1900 at 23:21 (UTC) Pete de Jaeger has a nice article on "Why no Chaos?" at http://www.year2000.com/y2kchaos.html, however. Prof. Dr. Debora Weber-Wulff, Technische Fachhochschule Berlin 13353 Berlin, Germany weberwu@tfh-berlin.de http://www.tfh-berlin.de/~weberwu/
I saw the following AP item on InfoBeat, a clipping service, but have not yet located it anywhere else. In particular, I have not located this information on NorthWest's web page. Northwest Airlines is alerting customers who recently made purchases on its Frequent Flier Web site that their credit-card numbers and personal information were unprotected because of a programming glitch. The problem arose when a computer programmer doing maintenance on the site put the system back on line, but forgot to restore the security system. [PGN-ed] Users have come to expect encrypted traffic, and frequently don't check the icon. Guess we need to be more careful!
According to a BBC News story dated Jan 6, 2000 <http://news.bbc.co.uk/hi/english/sci/tech/newsid_592000/592972.stm>, pirate broadcasters have learned how to use the Radio Data System (RDS) to force car radios that implement the standard to stay tuned to the pirates' broadcasts while within range of their transmitters. A radio with RDS active will switch temporarily to any station that broadcasts the appropriate embedded digital signal. This is intended to allow reception of brief traffic announcements, but the pirates repeatedly send the signal in their broadcasts to keep such radios tuned to them. The problem can be avoided by switching off the RDS feature on a radio, but then of course one loses legitimate traffic information. I only have the slightest acquaintance with RDS so I cannot evaluate the accuracy of the story, but the RDS standards document "SPB 490 Universal Encoder Communication Protocol (UECP)" obtainable from <http://http://www.rds.org.uk/rds98/mainpublications.htm> does not mention security at all. Fernando Pereira [Also noted by Aydin Edguer and Russ E. Cage. PGN]
Newsgroups: alt.fan.cecil-adams [Forwarded to RISKS by msb@vex.net (Mark Brader)] radio2@bigfoot.commm wrote: > I was just in my friendly neighborhood health food store. Got into a brief > discussion with the guy behind the counter, about Y2K. He pointed out a > box of Barbara's Cereal, which carried an expiration date of July 1900! > Guess it's been sitting on the shelf, there at Flanagan's, for a mighty > long time ... > — Geno I win. Ages ago I realized that my driver's license says it expired in 1000. Boy, what's the penalty for driving on a millennium-overdue license? Dana W. Carpender http://www.holdthetoast.com Author, How I Gave Up My Low Fat Diet — And Lost Forty Pounds! [In case you wondered, YES, it showed 1000 as a 4-digit year. She lives in Indiana. MSB]
The National Transportation Safety Board maintains a database of all aviation incidents in the US, and provides web access to capsule descriptions of various accidents. These are available by month (http://www.ntsb.gov/aviation/months.htm), so I suspected that there might be some issues with the display or breakdown of the data once we rolled into 2000. The website seems to be working correctly, however, with the exception of a strange entry in January 2000. The accident location (normally City,State) shows "TESTVILLE" and the link is http://www.ntsb.gov/aviation/DCA/99A999.htm (note the 99A999.htm is normally an incident number). The link itself fails to be retrieved, so I assume the test data has been removed from part of the database. I'm sure we'll see many similar manifestations of Y2K testing in the coming weeks and months. John Clarke P.S. Apologies to the citizens of TESTVILLE if it really does exist and a plane crashed there this month.
Intuit, who make Quicken (a popular personal and small business financial management application) provide an online service to update share prices, currency rates etc. Recently users connecting to Intuit's UK server have been automatically offered an application upgrade with the following message: "There is an upgrade available to updated [sic] your current version of Quicken 2000. Would you like to download the update now ? Don't be afraid, it is just a test : My name is Nour". Clicking on "Tell me more" gives the message "This version has some improvements in all the area [sic]". This raises two issues: 1. Either test code has leaked into live service or their site has been hacked. In either case, it is a serious security breach for software which is trusted (e.g., a Trojan horse could create access to users' personal financial data). 2. Intuit has a policy of sell-cheap / charge-lots-for-support which means that there is no way to find out what has happened without waiting for the New Year holiday period to be over, then paying $1/minute. How nice: the opportunity to pay to get information about their operational failures :-) This is a major breach of trust and it is to be hoped that Intuit will take it seriously. Perhaps a public apology via RISKS?
I guess I'd only say that if a web developer wanted to use dates in JavaScript, they would: 1) have to do a lot of nit-picky detective work, reading documentation from Netscape, Microsoft, and the EMCA, to discover the "correct" way to display the year, 2) end up with a script that still wouldn't work on most people's browsers, and, 3) learn that they shouldn't have bothered anyway, since some standards group will no doubt later change the "standard" yet again in a way that breaks all previously written scripts. Yeesh. All this pain, sweat, and confusion just to display a bloody date on a bloody web browser. Small wonder that software reliability issues are gaining attention in the new century... Andrew D. Fernandes <mailto:andrew@cryptonym.com>, Cryptonym Corporation <http://www.cryptonym.com> Telephone +1 919 469 4714
Described by his lawyer as "a disturbed young man" suffering from depression, 19-year-old Jay Satiro of New Rochelle, NY, has been sentenced to one year in jail for cracking into America Online computers and causing an estimated $50,000 in damages. Satiro had been an AOL technical support volunteer and had used knowledge obtained from his job to break into the company's systems and replace AOL programs with his own. [AP/*USA Today*, 21 Dec 1999) http://www.usatoday.com/life/cyber/tech/ctg955.htm; NewsScan Daily, 22 Dec 1999, reproduced with permission]
Call me naive, but I can't help marvel, risks or not, at what is going on. Here I am, on the penultimate day of the millennium (OK, I know, that will be next year, but what's wrong with celebrating twice?), listening through minuscule speakers on my computer to a broadcast of perfect sound quality from a site half-way around the world. It's playing something I know, but I can't just recall what it is. So I catch four Italian words on the fly and type "senza perdere un momento", not forgetting the quotes, into AltaVista. A second later, and perhaps fifteen seconds after I first asked myself the question "what is this?", I have the answer, thanks to someone at Stanford who keeps the full text of Donizetti's "Don Pasquale" on his Web pages. Just a few years ago none of this would have been possible. I wouldn't have had a clue where to begin my search. Even a trip to the UCSB library would have been unlikely to help. The prospects of using computers for advancement of human knowledge are all around us; they are staggering. Let's remember this as we continue (as well we should) worrying about the associated risks. Bertrand Meyer, Interactive Software Engineering/Monash University http://eiffel.com, http://tools-conferences.com
Network Associates WebShield SMTP V4.5 Beta 2 on prometheus2 intercepted a mail from <owner-risks@csl.sri.com> which caused the Content Filter HTTP to be triggered. [Lots of RISKS issues lately have been blocked. Perhaps Y2K is now considered to be a dirty word. In some other cases RISKS copies were rejected because they were too long. Apparently some temporary Y2K virus filters believe that if mail is longer than 10K, it might contain a virus or Trojan horse. The assumption that viruses are bigger than 10K seems specious. PGN]
When I first read the report of RST breaking the netscape algorithm I was caught up in the moment. Netscape should have known better than do something so foolish! Then I read the next comp.risks and I felt like a fool. There is a great risk in pretending to have security when you really have none. I think many people believe that ssh protects them from wrong-doers, and that nothing bad can happen to them if they use ssh. The authors of the Internet Auditing Project(1) have a good story to tell about ssh, as do the people who run the web site for rootshell.org(2). Some sys-admins here at work are rabid about ssh. They have disabled telnet and rlogin for "security" reasons, and naively believe that ssh is somehow more secure. Ssh protects the data stream between two secure machines. Anyone sitting between the two machines can't tell what is going on in the ssh stream because of the encryption. The risk to the user is assuming that either end is secure. Where I work, the important servers don't run telnet or rlogin, because those protocols are "insecure". The servers only run ssh. Our network is switched. In order to sniff packets an attacker either needs to be in the machine room with a cable plugged into the switch, or they need to be on either of the two machines that the traffic is going between AND they need to be root. If they are root on either machine, then they can: a) read the unencrypted TTY instead of the encrypted stream b) read the local secret keys and decode the stream on the fly c) replace ssh with a Trojan d) trace the program and extract the unencrypted data from the write()s e) many more things I can't think of right now If no one has compromised my system, then it is safe to use telnet to login between machines. If someone has compromised my system however, I might as well use telnet since I can't trust ssh anymore. If no one has compromised my system, and I need to login over an untrusted network, and I have a secure machine to login from, then ssh is the perfect tool. Where am I going to find a secure machine outside my network? I bet there are lots of secure machines all over the place, but I will never know which ones they are. If security is really important to me, I will never log in to any computer from any other computer I don't own (and hence trust) myself. That means I that if I need to login to work when I am off site, that I need to have my own laptop that I keep powered down, encased in cement, buried in a vault, and guarded by an army (and even then can I really be sure it is secure)? Last week I spent an entire day at work wondering how to protect my mail server from all the trouble that is expected from people trying to hide under the veil of Y2K. I took ssh out of the inetd.conf, and told everyone that they have to log in on console from now on. (1): http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32 (2): http://www.rootshell.org/mailinglist-archive/rs-25
"Daniel A. Graifer" <dgraifer@cais.com> makes an interesting point that a debugger & a screwdriver may be analogous when comparing intent to commit a crime. But I believe that the menace behind the law & the practice of encrypting region coded disks is far more insidious... It's not about stopping casual, or even determined piracy. They can encrypt & degrade all they like to try & foil copying. But at the end of the day, a picture has to appear on a screen somewhere for someone to see it. There is no way they can stop a determined person or corporation from taking a copy of that unless they own & control everything in between. Their attempt to push this law through is more akin to denying you access to a screwdriver to fix your own lock in case it breaks, or because you don't like the colour of the door... Why shouldn't I have the means to play a legally bought DVD on my laptop using Linux? Why should I have to pay money (If it were possible) to some faceless company who may perhaps come out with a DVD player, that may create a player for my favourite OS, on my favourite hardware?
The First Workshop on Security and Privacy in E-Commerce
Athens, Greece, 4 Nov 2000 http://www.rstcorp.com/conferences/wspec00/
held in conjunction with the ACM Conference on Computer and Communications
Security, http://www.ccs2000.org
Preliminary Call for Papers
The First Workshop on Security and Privacy in E-Commerce seeks to bring
together practitioners and researchers to address the real-world security
and privacy concerns in e-commerce. We are seeking contributions on topics
in security and privacy that will enable the e-commerce systems of tomorrow
to be developed more securely and robustly without compromising individual
privacy rights. The workshop will focus on group discussion and
collaboration in identifying the important problems and potential solutions
in this important topic area. Proceedings from the workshop will be
published and distributed to attendees. Highest quality papers will be
published in a book and widely distributed after the workshop. We are
seeking research papers, business case studies, or system designs that
address security and privacy concerns in any of the following topic
non-exclusive areas:
- anonymizing e-commerce/Web transactions
- component-based software in e-commerce
- databases access control
- denial of service attacks and countermeasures
- detecting anomalous database transactions
- detection and recovery from Internet-based attacks
- e-commerce protocols
- e-commerce systems
- Internet client risks
- malicious software or Trojan functionality
- mobile agents in e-commerce
- novel attacks and countermeasures
- privacy negotiation/bartering
- privacy risks with cookies/tokens/identifiers
- software analysis and certification.
Submissions will be accepted for regular research papers, case studies, and
panel proposals. Abstract submission deadline: May 1, 2000.
See http://www.rstcorp.com/conferences/wspec00/ for complete Call for Papers.
Anup K. Ghosh, Ph.D., Program Chair
Please report problems with the web pages to the maintainer