The RISKS Digest
Volume 20 Issue 84

Saturday, 18th March 2000

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Report on hacker altering MIT grades: NOT!
Mark Lutton
Radar glitch at Philadelphia's airport
PGN
WAAS Software Problems
Peter B. Ladkin
NASA report: Faster, cheaper is not better
PGN
Sea Launch rocket drops satellite into Pacific Ocean
PGN
Week-long outage after cable cut downs 11,000 phone lines
PGN
Overdue Railtrack calls in the Army
Ursula Martin
Hooked on I-sex
NewsScan
Hackers sued by software-filtering company
NewsScan
Y2K strikes again *R. Geoffrey Newbury)
Re: Arizona and Internet elections
Adam Shostack
Steve Wildstrom
It was just a network board...
Wayne Mesard
Risks of software configuration for filtering offensive language
George White
Online gambling operator convicted
NewsScan
The RISKS Of A Hyperactive Anti-Viral Immune System
Jon Seymour
Risks of being a pushy high-tech headhunter
Michael D. Crawford
Voicemail messages silently lost
Dick Karpinski
Correction to privacy risks item
Daniel P. B. Smith
Re: Web Information on heart attacks
Jeffrey Waters
Info on RISKS (comp.risks)

Report on hacker altering MIT grades: NOT!

Mark Lutton <mlutton@ma.ultranet.com>
Sun, 12 Mar 2000 21:03:46 -0500
On 9 Mar 2000, *The Boston Globe* reported that a hacker had broken into an
MIT computer system and changed the grades of 22 students in a cell biology
class.  Some grades were raised and some were lowered but not in any
sensible pattern.  Teacher Harvey Lodish announced to his class (on Thursday
March 2) that a cheating scandal had been uncovered.  Suspicions did not
point to any particular students in the class.  No motive could be inferred
and it was believed that an unknown third party had done the hacking for no
discernable reason.

On 10 Mar 2000, *The Boston Globe* reported that the mystery had been
solved.  The grades were recorded in a spreadsheet and a teaching assistant
had unknowingly sorted the student name column without also sorting the
grades columns.  No intruder, no hack, no cheating scandal.  Officials
discovered the source of the mistake only after spending a full week ruling
out the possibility of infiltration.

It seems to me that bound paper ledger books would be a much better tool
for keeping grade records, at least for this teacher and his assistants.

Ref:  www.boston.com, find Archives, search for "Lodish".  Mark Lutton


Radar glitch at Philadelphia's airport

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 18 Mar 2000 17:15:12 PST
THREE times, on the evening of 10 Mar 2000, an almost-40-year-old
air-traffic control radar system tracking arriving and departing planes
malfunctioned, causing the identification tags of planes on radar screens to
be blanked out.  This affected about 30 planes on 8 screens, each outage
lasting about three minutes — although on recovery, the tags had to be
manually reset by pilots, on request from the tower.  Backup was available.
This followed on previous outages on 5 May and 17 May 1999.  [Source: noted
in the *Inquirer* by Andres Zellweger, and in *Infoworld* by John McLean at
ubs.com.  An unconfirmed report indicated that the malfunction was due to
three ``processor cards''.  PGN]

  [An interesting question is whether the proposed new scheme of a highly
  distributed system that puts greater reliance on the computer systems in
  each cockpit will add to the risks or decrease them.  Distributed systems
  tend to create risks not generally found in centralized systems.  PGN]

    [Error in May dates fixed in archive copy.  PGN]


WAAS Software Problems

"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>
Wed, 01 Mar 2000 17:15:05 +0100
*AvWeek* reported "software problems" with the Wide Area Augmentation System
(WAAS) this week (28 Feb 2000, p49, story by Bruce Nordwall).  WAAS is a
ground-based system which will augment GPS positioning over the continental
US to allow position accuracy to less than 3 meters (from 100 meters). This
will enable the FAA to develop near-precision instrument approaches to
landing at airports that are not equipped with navigation aids, for
properly-equipped aircraft.

WAAS accuracy was better than expected during tests (requirement was 7.6m
accuracy, but the system achieved better than 3m accuracy).  However,
integrity is the issue. The probability that a pilot would *not* get a
positive warning when WAAS guidance is erroneous for longer than 6.2 seconds
must be less than 1 in 10exp7 (units - I presume approaches). This evaluates
to one in 47.5 years, apparently.  *AvWeek* points out what most
safety-critical-system professionals know and others can figure out in a
second or two, that confidence to this level can only be achieved by
analysis and not by testing.

The software problems were not detailed. However, two other problems
uncovered during a 60-day stability test (that was terminated early) will be
fixed through software. One is related to the switchover between the two
ground-uplink stations. The other is multipath signal degradation at 5 of
the 25 wide-area reference stations, that will be corrected through
filtering software algorithms.

Peter Ladkin   University of Bielefeld, Germany http://www.rvs.uni-bielefeld.de


NASA report: Faster, cheaper is not better

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 18 Mar 2000 17:01:57 PST
After the recent Mars probes were lost, shuttles delayed, the Hubble
Telescope temporarily shut down, and other problems, NASA review boards have
concluded that the recent attempts motivated by ``Faster, Cheaper'' have
been overzealous, with too little money and not enough oversight.  [Source:
AP item, 14 Mar 2000, PGN-ed]


Sea Launch rocket drops satellite into Pacific Ocean

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 18 Mar 2000 17:14:41 PST
Launched from a converted ocean-going oil rig, a Russian-Ukrainian rocket
carrying a British ICO Global Communications satellite ($100M) fell into the
Pacific after liftoff.  This was a Boeing-led effort, after two previous
successes — a dummy test launch, and a DirecTV satellite.  [Source: *San
Francisco Chronicle*, 13 Mar 2000, A11, PGN-ed.  No cause given.  I hope
some RISKS reader can provide details.  PGN]


Week-long outage after cable cut downs 11,000 phone lines

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 18 Mar 2000 17:09:10 PST
11,000 phone lines in northeastern San Jose were down for about a week on 10
Mar 2000, when a construction crew accidentally took out four buried cables.
``The repair work is mind-numbingly tedious, with each wire having to be
spliced by hand and then tested.''  [Source: *San Francisco Chronicle*,
14 Mar 2000, A13,18, PGN-ed]


Overdue Railtrack calls in the Army

Ursula Martin <ursula@csl.sri.com>
Sun, 12 Mar 2000 20:30:05 -0800 (PST)
  [In RISKS-20.67, we noted the Y2K glitch in Railtrack's
  on-line timetables.  Much deeper problems have now arisen.  PGN]

Privatised Railtrack is running about a year behind schedule and 3 billion
pounds over budget in attempting to rebuild the London-Glasgow line.  They
have now turned to the Royal Logistics Corps and engineers (``sappers'')
from the Royal Engineers to teach Army discipline and consult on the
repairs.  Railtrack employees are being sent to Army training camps.
Retired military folks are also being used as consultants.  [Sources: The
Telegraph, 13 Mar 2000 and 16 Dec 1999; PGN-ed]

Two quotes are noteworthy:

* Robin Gisby, of Railtrack, said: "We have expertise on rebuilding railways,
but have never had anything as complicated as this line.  We are using the
Army because they have a lot of experience in moving men and materials to
tight deadlines."

* Don Foster, Liberal Democrat transport spokesman, said: "After the trouble
the Army has had with its rifles, let's hope they have more success helping
to get the West Coast main line into action."

An earlier article explains that the cost overrun from 2.2 billion to 5.8
billion (that's UK pounds and UK billions) were due to the decision to
abandon computerised "moving block" signalling, which removes the need for
traditional lineside signals.

http://www.telegraph.co.uk/et?ac=000125824864271&pg=/et/00/3/13/nrail13.html

http://www.telegraph.co.uk/et?ac=000125824864271&pg=/et/99/12/16/ntra16.html

  [URLs simplified in archive copy, TNX to Lloyd Wood.  PGN]


Hooked on I-sex

"NewsScan" <newsscan@newsscan.com>
Wed, 01 Mar 2000 06:40:50 -0700
Psychologists from Stanford and Duquesne universities have published an
article in the journal *Sexual Addiction and Compulsivity* claiming that at
least 100,000 users are cybersex compulsives who spend more than 11 hours a
week visiting X-rated Web sites and chat rooms.  The study concludes: "This
is a hidden public-health hazard exploding, in part, because very few are
recognizing it as such or taking it seriously."  The researchers believe
that cybersex compulsives have difficulty maintaining normal relationships
with others.  [AP/*The New York Times*, 1 Mar 2000
http://www.nytimes.com/aponline/a/AP-Online-Sex.html; NewsScan Daily, 1
March 2000


Hackers sued by software-filtering company

"NewsScan" <newsscan@newsscan.com>
Thu, 16 Mar 2000 09:21:14 -0700
Programmers Eddy L.O.Jansson and Matthew Skala are being sued by
Massachusetts -based Microsystems Software, which produces and sells "Cyber
Patrol" filtering software to protect children from pornographic content on
the Internet. The lawsuit alleges the two men illegally "reverse-engineered"
its software to create a "cphack" software utility to destroy the
effectiveness of Cyber Patrol. Skala says he opposes Internet filtering
software on philosophical grounds. [AP/San Jose Mercury News 16 Mar 2000)
http://www.sjmercury.com/svtech/news/breaking/merc/docs/025265.htm;
NewsScan Daily, 16 Mar 2000]


Y2K strikes again

"R. Geoffrey Newbury" <newbury@io.org>
Wed, 15 Mar 00 11:29:18 -0500
Robert Challender in Nevada registered his car late.  He received a bill for
$378,426.25 from the Nevada Department of Motor Vehicles.  After the mix-up
was resolved, he wound up paying $60.  [Source: United States Agency puts
brake on bill, *National Post*, 13 Mar 2000, page A14.  Of course, he was
billed for accrued interest since 1900.  I suppose the car should then have
been re-registered as a horseless carriage, as per RISKS-20.63-65.  PGN-ed]

  [I received an apology from my sewer pipe root removal service, which
  installed a new computer system last April, presumably for Y2K compliance.
  They *just* discovered they had missed my annual service last September.
  More than 6 months late.  I hope they get to the root of the problem.  PGN]


Re: Arizona and Internet elections (Markowitz, RISKS-20.83)

Adam Shostack <adam@zeroknowledge.com>
Thu, 9 Mar 2000 10:44:15 -0500
Regarding the Arizona elections, the election.com web page on
confidentiality makes no promise that there will be no correlation of voters
and cotes cast.  Further, I'm unable to find a privacy statement of any sort
on the web site.  In light of recent revelations about 'democracy portals'
gathering information, there seems to be a worrysome chance that people's
actual votes may be tallied, sorted, and stored in personally identifying
formats.  (Ross Kerber, *The Boston Globe Online*, 7 Mar 2000)

http://www.election.com/political/arizona/security.htm
http://www.digitalmass.com/news/daily/03/07/database.html

  [Also, check out Lauren Weinstein's item on Internet voting, at
  http://www.pfir.org.  PGN]


Re: Arizona and Internet elections (Markowitz, RISKS-20.83)

"Steve Wildstrom" <steve_wildstrom@businessweek.com>
Thu, 09 Mar 2000 11:12:15 -0500
Voting is an unusual case where there is a simultaneous need for both
authentication and privacy, and it's hard to see how both can be met.  It's
easy enough in the real world of physical ballots. In Maryland, where I
vote, you sign in and are handed a set of ballots. Signatures are at least
perfunctorily checked against the registration record, but I have never been
asked for additional ID.

You vote the ballots in a punch machine. Before depositing the marked
ballots into the ballot box, you tear off the numbered stubs which
associate the ballots with your identity. This works nicely because the
entire process is visible to, and understandable by, the voter. Once
you are authenticated on line, how do you cast a secret ballot?

Steve Wildstrom, Technology & You Editor, Business Week, 1200 G St. NW Suite
1100, Washington DC 20005 1-202-383-2203 steve_wildstrom@businessweek.com


It was just a network board... (Re: RISKS-20.80)

Wayne Mesard <Wayne.Mesard@east.sun.com>
Tue, 29 Feb 2000 14:27:37 -0500 (EST)
> a handful of network cards, costing about $50 a piece, were not able to
> handle [the Y2K witching dates], and were generating erratic packets.
> Replacing the boards has fixed the problem, according to *Der
> Tagesspiegel*.

This story (or rather http://babel.altavista.com/'s translation of same)
set off all my Urban Legend alarms.  [Beat ya to the pun, PGN.]

Most of us have encountered bugs that looked and smelled like one thing (due
to coincident or misinterpreted symptoms), but eventually turn out to be
something else.  Add to that the predisposition to blame anything and
everything on Y2K, and you've got a recipe for miss-diagnosis.

I'm perfectly willing to believe that this is a Y2K bug.  And even that the
bug is with the network card as described in the article.  But first we need
more information:

  - What was done to fix the problem on Jan 1?  How did that fix become
    undone between then and now?

  - Who is the manufacturer of this network card?  Do they know about
    the problem?  Do they agree that it is a Y2K bug?  Why have we only
    heard of this single manifestation of the bug?

  - Why is a network card aware of the date, anyway?  (At $50, I doubt
    there's any on-board encryption key management, for example.)  And
    how could this information cause it to "generate erratic packets"?

Without answers to these questions, I remain skeptical.

Wayne();


Risks of software configuration for filtering offensive language

George White <aa056@chebucto.ns.ca>
Sun, 12 Mar 2000 20:40:25 -0400 (AST)
The Royal Court, a UK theatre group known for vigorous opposition to
censorship and for plays whose dialogue is intended to shock and offend,
recently obtained a new computer system.  This system was configured to
prohibit entry of expressions that might violate standards appropriate to
office e-mail systems in the US, much less dialogue of the sort for which
the group is known.  [Guardian Weekly, March 2--8, 2000].

George White <aa056@chebucto.ns.ca> Halifax, Nova Scotia


Online gambling operator convicted

"NewsScan" <newsscan@newsscan.com>
Tue, 29 Feb 2000 08:37:28 -0700
The first defendant to stand trial in New York for online gambling via
offshore locations has been convicted. Jay Cohen, a U.S. citizen, ran an
Antigua-based sports betting parlor called the World Sports Exchange. He was
found guilty under a federal law against using telephone lines to place
illegal wagers. Cohen faces up to five years in prison on a conspiracy
charge and two years for each of seven sports betting counts.
[Bloomberg/*Los Angeles Times*, 29 Feb 2000;
http://www.latimes.com/business/20000229/t000019506.html; NewsScan Daily, 29
February 2000]


The RISKS Of A Hyperactive Anti-Viral Immune System

jon seymour <jon@zeta.org.au>
Sun, 19 Mar 2000 11:12:14 +1100
A friend was attacked by a worm the other day. This worm is a Visual Basic
script that attempts to copy itself to every mapped drive it can find, and
then some random ones besides.

Having found the worm, he created a copy of it, gave it a safe file name and
then sent it to me as an attachment to an e-mail. His intent was simply to
share a curio with me.  He certainly didn't want to infect me and thought he
had taken sufficient pre-cautions to prevent that occurrence. And, in fact,
I was never infected. But the lack of a successful infection does not mean I
didn't catch a nasty fever.

I use Windows NT, Netscape and don't have Visual Basic scripting enabled. I
also have a popular virus checker installed with reasonably recent list
files. You'd think I could read his mail safely without any problems. You'd
be wrong.

What happened was this. As soon as I attempted to open my mail, I caught the
title of the e-mail "I've been attacked by a worm". Then my mail client
froze and several seconds later, the virus checker popped up and told me
that my inbox had been infected by the worm and that it couldn't repair the
file. So, I think, let's repair it manually. I shutdown Netscape and attempt
to make a copy of my Inbox. Can't do it - access denied. Try to tail my
inbox. Can't do it - access denied. Try to type my inbox. Can't do it -
access denied. Not entirely sure what has happened at this stage, I start my
scanner and ask it to do a full scan.  1 hour later it finishes. The only
copy of the worm is in my inbox - it hasn't actually executed. But I still
can't get at my inbox. So I figure I have to disable the virus checker. That
doesn't work. So I reboot.  Attempt to tail the file. The virus checker pops
up again. Eventually, I manage to disable the virus checker, get access to
the mail box, delete the offending mail item. Netscape would still not allow
me to open my inbox. Then I realise it doesn't like some of the blank lines
I left at the end when I did the manual edit, so I delete them too. Finally,
2 hours after the mail arrived, I could resume normal use of my system.

The RISKS? A worm can give you a nasty fever, even if it doesn't find a
suitable execution environment. All it has to do is lure a hyperactive
anti-viral immune system into acting.

jon.

PS: out of courtesy to fellow RISKS readers, I haven't added the worm as
an informative attachment :-)


Risks of being a pushy high-tech headhunter

"Michael D. Crawford" <crawford@goingware.com>
Sat, 18 Mar 2000 07:14:41 -0800
While this isn't related to actual software failures I think it's
probably relevant to the interests of most of the people who read this
list, and the risk to the headhunters will become clear.

I used to get jobs and contract through recruiters and job shops
regularly but lately I've been finding them especially pushy, crass and
just plain ignorant.  There are some who are quite good but these days
they are definitely in the minority.

I also have found a lot of high-tech workers are taken advantage of by
the contract firms, such as the fellow who posted to
alt.computer.consultants about how he billed his agency at $35/hour, and
the agency billed his time to the client at $90/hour, or my friend who
was completely unqualified for a contract QA job, so the agency totally
fabricated a new resume for him and sent him to the interview without
mentioning the fraud, only to have it discovered by the client who asked
for details on his exciting, relevant and completely fictitious job
experience.

What really drove me over the top is that I got a "follow-me" number for
my business but chose to let it go to voice mail while I've been away
for the week visiting my desperately ill father.  A recruiter from
Oxford International called wanting me to do some smalltalk work, which
I'd like to do but I'm not available, so I called back and left a
message saying I had a friend who might be interested in the job, and
I'd check with her to find out.

Well this recruiter just blasted my business line off the hook, scaring
my poor mom who was confused by the cryptic messages from the follow-me
service.  The recruiter, figuring that she wasn't going to get through
on the business line, made the effort to track down my home phone number
and then hounded my fiance to locate me, and leaving many messages
demanding my friend's phone number.

My friend didn't want the job, and sure was adamant about not giving out
her number after I described the recruiter's efforts.

I called the recruiter back, left a message saying she wasn't going to
get my friend's phone number and recommended she go to my web site and
read this page, which I've had up for quite a while, ever since I came
to the firm conclusion that agencies weren't interested in finding me
the kind of work I'm looking for:

http://www.goingware.com/notes/recruiters.html

Shortly after, a new consultant posted to alt.computer.consultants about
how he just got into the business and wanted to know about services that
find clients for a fee, saying he was just a programmer, didn't know
about marketing, and was reluctant to make cold calls.

So I posted everything I knew about finding clients without going
through the agencies, and in fact have been doing totally independent
consulting since April '98 without a single cold call.

I saved the post and then went to a lot of extra effort to write it up
real nice in HTML and discuss what I thought of the state of the
recruiting business these days and posted it here:

http://www.goingware.com/tips/marketing.html

The main point of the page isn't just how to find clients - it's how to
find clients without going through those obnoxious agencies.  It's about
taking back the power we were born with and using it to run our lives
ourselves without allowing ourselves to be taken advantage of by those
who would feed off of us.

I'm going to write a corresponding page soon to help employers and
clients find employees and consultants without using agencies.

The short version: it's not rocket science.  Get a web page.  Put
keywords in it.  Submit it to search engines and web indices - clients
will find you when they do web searches.  Use search engines and web
indices to locate clients.  It takes some effort but not really that
much and actually it's kind of fun.

This is a particular case of what's discussed at the Cluetrain
Manifesto, which I highly recommend reading:

http://www.cluetrain.com

which (very briefly stated) points out that businesses that try to
control the flow of information and do not serve their customers well
will experience a backlash that is greatly aided and amplified by the
free flow of information on the Internet, and the ready ability for
customers (software consultants) to communicate directly with each other
about things that such businesses (headhunters) would rather not have
discussed publicly.

Mike Crawford crawford@goingware.com http://www.goingware.com


Voicemail messages silently lost

Dick Karpinski <dick@cfcl.com>
Mon, 13 Mar 2000 22:02:46 -0800 (PST)
Apparently some bugs survive change of ownership. Now that Octel is part
of Lucent, I thought I'd see if they fixed the problem I was reporting
perhaps five years ago. Looks like not:

I wrote this:

Years ago Octel voicemail replies had to be terminated with ## in order to
be delivered. My efforts to get that changed were resisted at the time. Can
you tell me if it is still so, please?

Lucent responded:

Hello Richard, I am personally unfamiliar with your prior request however,
we have not changed the commands.  Perhaps this was not explained adequately
in the past.  The first # ends the recording and allows for the entry of
sending options, like private and priority, to be added to the message, and
also, allows for deleting and re-recording the reply should the person wish
to change what is in the content of the message.  Then, the second # is the
command to send the message.  I believe it would be unlikely to change that
in the future as the control functions after recording a reply are important
and even mandatory.

If you wish to offer further suggestions, I would offer that sending them in
to our Marketing and Engineering groups would be a good route as they are
constantly looking at ways to improve our products.

> Thank you for your question and interest in Lucent Technologies, voice
> messaging products.
> Roger J. Miller
> Manager, Messaging Technical Services Organization
> Lucent Technologies

So I wrote:

I shall do as you say, but I personally request that you consider the plight
of the average guy using the system. If he's not really well trained in
replying to voice mail, he may treat it as if it were voice mail. That is,
when he's done talking to the machine, he hangs up.

The problem is not even that such messages are unceremoniously dumped.  The
problem is that the message is lost AND NO ERROR IS INDICATED.  A guy can go
for months telling people he DID return their voice mail while they tell him
they never got it.

It wouldn't take a big change to fix the problem, but all the experts chalk
up the failures to inadequate training. I chalk it up to a BROKEN user
interface that allows slightly forgetful users to go on making mistakes for
a long time.

This makes the whole organization seem stupid or irresponsible. It may die
the death of a thousand cuts. This is not a trivial matter. They are your
customers and they deserve better.

Yours for a better world,

Dick Karpinski   The world's largest leprechaun.   |=|:-}=

PS. Could you let me know how to reach your Marketing and Engineering
groups to suggest the change?


Correction to privacy risks item (RISKS-20.83)

"Daniel P. B. Smith" <dpbsmith@world.std.com>
Tue, 14 Mar 2000 06:34:30 -0500 (EST)
I recently cited SPEBSQSA, a non-profit organization to which I belong, as
an exemplar of a tendency of more and more organizations to casually roll
out Web sites with privacy risk exposure on an "automatic" or "opt-out"
basis.

My item on SPEBSQSA contained a factual error.  I criticized their
members-only web site for making chapter rosters available, with
name/address/phone information.  This information is in fact only made
available to registered Chapter officers.  This reduces the privacy risks
and means that the Web site's privacy policy is similar that of SPEBSQSA.

This restriction is not obvious to a casual observer, but I should have
checked this specifically before submitting this item to RISKS.

Apologies to those concerned.

Daniel P. B. Smith <dpbsmith@world.std.com>

  [This correction is included in the interest of barber-shop harmony.  PGN]


Re: Web Information on heart attacks (RISKS-20.83)

"Jeffrey Waters" <jeffreyw@htimes.com>
Thu, 09 Mar 2000 08:22:47 -0600
I would encourage Mr. Turner to review the current manuals used by the
American Heart Association for training health-care providers in BLS (Basic
Life Support) CPR.  This document does mention the coughing routine.  As I
recall, it does not endorse this method but does outline what purpose the
coughing serves.

I would hope the ER department at RGH will have a few words with Mr Turner.

And if he has a heart attack, by all means, don't let him cough!

J Waters

Please report problems with the web pages to the maintainer

x
Top