The RISKS Digest
Volume 20 Issue 15

Sunday, 10th January 1999

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

UAL clock wraparound
John Rushby
Risks of old documentation
Richard C. Wolber
Cell-phone surprise
Craig DeForest
Excel CALL function
Padgett Peterson
Phone service outage when computers stolen
Peter Kaiser
Y2K hits Singapore and Swedish taxi meters
Keith A Rhodes
The Windows April Fools 2001 Bug
from Richard Smith via Lloyd Wood
Editors also mitigate page-layout program hazards
Glen Turner
Re: Now you see it, now you don't
Jerry Leichter
Mike Williams
Call for Proposals - CFP99
Marc Rotenberg
Info on RISKS (comp.risks)

UAL clock wraparound

John Rushby <RUSHBY@csl.sri.com>
Mon 4 Jan 99 23:25:21-PST
I don't know about Y2K, but United airlines has a problem with H24.

This is what www.ual.com provided for the flight status of today's UA63
(scheduled to depart San Francisco at 7:15p and arrive Honolulu at 10:46p)

  Flight: UA 0063
  Date:   01/04/99

  Airport                     Time            Status

  San Francisco Intl Arpt   9:10pm Mon    Delayed 1 hr 39 min
  Honolulu Intl            12:01am Tues   Early  22 hr 35 min


Risks of old documentation

"Wolber, Richard C" <Richard.Wolber@PSS.Boeing.com>
Fri, 8 Jan 1999 12:57:08 -0800
This came from a friend of mine. I dialed the number and it actually works:

> I was installing Quickbooks 5.0, dated 1992, for a friend Wednesday. We
> had a little trouble, so I thought I would call the 1-800 support number
> (1-800-INTUIT-7). Well....  I got support all right. A recording of a
> female voice a low, whispering tone starts her sentence with "Hi Baby,
> You've just connected with..." I guess Intuit made some extra cash by
> selling it's phone number to a phone sex outfit. I wonder, do they get
> paid by the minute or number of calls? Needless to say, I did feel a
> little better after calling, which motivated me to finally fix the problem
> myself. So, everything worked out OK after all ......

Richard C. Wolber, Software Developer/Troubleshooter
DCAC/MRM Final Assembly G-4865  (425)965-6797

  [Your friend almost really got intuit!  PGN]


Cell-phone surprise

Craig DeForest <zowie@urania.nascom.nasa.gov>
Wed, 6 Jan 1999 05:22:19 GMT
A few days ago, I bought a Samsung SPRINT PCS phone at a Radio Shack in
Ft. Collins, Colorado.  When I pulled it out of the packaging, I noticed
that there were some fingerprints on the display window and a scratch on the
protective soft-plastic cover (that you're supposed to pull off when you buy
the phone).  The salesperson laughed and said that it had probably been
briefly out of the box for a demo or something.  I called Sprint from their
wired phone and turned on service, then went home.

Like most new cell phones, this one comes with an online directory.

Unlike most new cell phones, this one had 6 numbers preprogrammed into it:
"Work", "Home", "Cathy", "Lawyer", "Lisa", and "Jess".

I'm not especially upset that I was sold a used phone — it works just fine.
But it certainly brings to light a general RISK of information appliances:
If you return the appliance, you return the information you've stored in it,
too!

I deleted the numbers right away — but if I'd called "Home" and mentioned
"Jess", "Lisa", and "Cathy", perhaps the "Lawyer" would've gotten some more
business...


Excel CALL function

"Peterson, Padgett" <padgett.peterson@lmco.com>
Fri, 08 Jan 1999 08:52:13 -0500
There is a lot of press being given to this vulnerability (it is NOT a virus
but rather a security "hole"). Data Fellows sums it up best so far:
(http://www.datafellows.com/v-descs/rnewyear.htm) .

"This vulnerability, related to the CALL function of Excel, allows an
attacker to send an HTML e-mail or modify a HTML web page so that when
accessed, the HTML page will automatically launch Excel and use that to run
any program. This allows the attacker to do pretty much anything he wants
on the host machine."

What is not well understood is that this exploit is actually multifaceted -
there are a number of HTML constructs and a number of applications that can
be used. The choke point seems to be in the (Windows) Registry which decides
which applications (mostly Microsoft's) are considered "safe", that no
warning screen is generated on network download/launch sequences for these
applications. EXCEL is just one of these. A similar download sequence can be
observed by W98 users when visiting the "Windows Update" page and the check
for installed products is made. Note that the download occurs before a
screen is displayed..

It would seem that this is necessary for the "Active Desktop" however for
over a year various professionals, myself included, have been saying that
this concept is flawed and that discovery of intrusion vectors was
inevitable. Microsoft has disagreed (but then they disagree with governments
also).

One problem is that getting information from the company such as exactly
*which* applications are considered "safe" by default is like pulling teeth.
The only way at present is to seach the Registry as to whether a particular
byte in an obscure value is 00 or 01.

As expected Microsoft has announced that there is a fix - but it involves
disabling the CALL function entirely, applies to EXCEL97 only (95 responds
the same way), and if you do not have the OFFICE service packs installed, be
ready for a 24 Mb download and make sure that there is at least 50 Mb of
free disk space afterwards. As usual responding to a symptom and not the
cause.

However the root problem is the Registry permissions and the fact that these
are either not well documented or not documented at all. As long as these
remain, further discoveries are sure to follow.

Padgett Peterson, P.E., Lockheed-Martin Corporate Information Security
1-407.306.1101  padgett.peterson@lmco.com


Phone service outage when computers stolen

Peter Kaiser <kaiser@acm.org>
Tue, 05 Jan 1999 22:55:14 +0100
On 3 Jan 1999, three men wearing ski masks broke into a Sprint telephone
office, tied up workers, shot them with stun guns, and removed live
telephone relay switching equipment (perhaps to fill a custom resale
order?), knocking out service for about 75,000 customers for about 7 hours.
[Source: Associated Press, 3 Jan 1999, seen in *The Boston Globe* online on
4 Jan 1999; PGN Abstracting.]

This interruption of phone service isn't fundamentally different from
utility service disruptions caused by the theft of wiring or pipes.  But
computers are a lot easier to steal.  I believe I reported long ago here on
the theft of a computer from an unstaffed area whose exact time was known
because there were records of exactly when the computer was taken offline;
but the computer was small enough to fit into an athletic bag, and was
never found.  The thief probably just walked out of the building with it.

I wonder who buys stolen telephone exchange computers.  And what they say
to the people who service them.

Pete   kaiser@acm.org


Y2K hits Singapore and Swedish taxi meters

"Keith A Rhodes" <rhodesk.aimd@gao.gov>
Mon, 04 Jan 1999 10:13:06 -0500
Computerized meters in 300 Singapore taxis failed for about two hours at
noon on 1 Jan 1999 in an early Y2K manifestation.  Taxi meters in Sweden
also acted up on the same day, but passengers there hardly complained.  The
meters continued to work but gave riders unexpectedly low fares.
[Source: Associated Press, 3 Jan 1999, *The Sunday Times*, PGN Abstracting]

  [NOTE: I guess free parking is one of the new-year's initiatives that the
  government didn't tell people about. Perhaps we can make certain this
  happens in San Francisco, D.C., and New York. The problem of moving from
  1998 to 1999 has also been found in some of the embedded systems in power
  plants, mostly in graphical counters for trend analysis.  KR]


The Windows April Fools 2001 Bug (from Richard Smith)

Lloyd Wood <L.Wood@surrey.ac.uk>
Thu, 7 Jan 1999 13:16:56 +0000 (GMT)
This is really a daylight-savings problem in the Visual C++ library -
but the last time it would have happened would have been in 1990...

More on the webpages. Since it's windows *applications* rather than
Windows itself, it can be expected to be widespread.

<L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>

  ---------- Forwarded message ----------
Date: Thu, 07 Jan 1999 00:39:30 -0500
From: glen mccready <glen@qnx.com>
Subject: The Windows April Fools 2001 Bug [from 0xdeadbeef]

From: "Richard M. Smith" <rms@pharlap.com>

I thought the deadbeef crowd might be interested in this story.......

I just got confirmation from Microsoft of the "April Fools 2001" bug that I
reported on Monday.  Although not technically a Y2K bug, many Windows
applications are going to break on April 1, 2001 and start giving the wrong
time of day.  The bug lasts for a week.

Technical details of the bug can be found at:

   http://security.pharlap.com/y2k/april1.htm

A live test page for the bug is available at:

  http://security.pharlap.com/y2k/demo1.htm

With this bug, any technical person involved with Y2K testing has a new
date to worry about which April 1, 2001.

Richard


Editors also mitigate page-layout program hazards

Glen Turner <glen.turner@adelaide.edu.au>
Thu, 07 Jan 1999 01:02:17 +1030
In RISKS-20.14 Jordin Kare <jtkare@ibm.net> gives a number of sensible
methods to decrease the risk of not noticing the delimiting characters used
to separate text from page layout commands.

A most useful method is not mentioned — use an editor that displays
differing syntactic components using differing textual properties.

This makes the difference between text and markup commands much clearer.  A
good editor will also highlight common syntactic errors.

Such editors date from at least the Andrew project.  I recall the facility
being available in 1984 for Pascal when I used DEC's LSE editor running on
the VMS operating system.

These days, I happen to use the XEmacs editor and the Linux operating
system.  To take Mr Kare's concrete problem, text in TROFF source appears in
a black normal-weight font.  TROFF commands, whether indicated by an
apostrophe or other characters, appear in a green bold-weight font.  Text
and markup are much less readily confused.

Glen Turner.  Network specialist, The University of Adelaide.


Re: Now you see it, now you don't (RISKS-20.14)

Jerry Leichter <leichter@lrw.com>
Fri, 8 Jan 99 20:01:27 EST
> [Increasingly, much valuable research from the past is being forgotten.
> Unfortunately, the operative motto seems increasingly to be
>   ``If it is not now on the Web, it never existed.''  PGN]

Well ... there's more to it than that.

Computer science is unique in its reliance on non-traditional means of
publication.  There's been an over-reliance on conferences and conference
proceedings, which are not handled well by libraries.  Further, while
conference papers are peer-reviewed, the level of review - and the
consequent level of the papers - has never matched what you get in the
traditional publication venues.  There are exceptions - SOSP, to cite one
example, has tended to have unusually good papers - but by and large a
conference paper is a good first draft for a journal paper (but most never
appear in journals).  Things have historically been even worse in CS theory,
where often all you find in the conference proceedings is an extended
abstract - and the final paper somehow never gets published.

The other over-reliance has been on technical reports.  Some technical
report series are excellent - I've got a pile of old PARC reports that are
wonderful; many of the MIT reports were great when I was looking at them.
Most tech report series are of very variable quality, however - and of
course you can't find *them* either.

All of this was the case before the Web came along.  It all of a sudden
appeared to be the solution to the CS publications problem.  Just put all
the tech reports and whatever on-line, and they'll be available to everyone
everywhere.  Except that (a) they disappear anyway; (b) the quality is
extremely variable.

I've been out of academia for over 3 years now, and I let my ACM and IEEE
memberships lapse - the stuff was piling up way faster than I could find
time to read it, between a non-academic job and an infant (now youngster).
I do follow papers in a number of areas, and indeed they are much more
accessible now than they used to be.  But serious research - in the sense of
finding the work already done in a field - can be tricky.  Stuff is
unorganized, un- reviewed, of unpredictable quality - and it disappears.

Then again, we don't respect the history of our own field.  Books go out of
print rapidly - and libraries can't keep up.  I collect the classics when I
can get my hands on them; they're irreplaceable, and often still valuable.
(I'm also always amazed by the quality of writing of papers from the 60's
and early '70's.  We've lost that.)

We like to think that we in CS are on the leading edge of a revolution, but
the fact is *it* is driving *us*.  Things are different in other fields.
Physicists have done a much better job of integrating the Internet and the
Web with their research and publications.  It helps to have an established
way of working, not just make everything up on the fly.  (And, of course, it
was the physicists - not us CS types - who invented the Web.)

Jerry


Re: Now you see it, now you don't (Leichter, RISKS-20.14)

Mike <John.Michael.Williams@Computer.org>
Fri, 08 Jan 1999 18:59:05 -0500
Is it still on the web if it's locked down?  ACM used to have the ACM
Turing Award Lectures, including Ken Thompson's classic, seminal
"Reflections on Trusting Trust," on the web available at no charge.
Now, as an ACM member since '64, I have to pay a high premium to get it,
or to pass it on others who need it more than they know.

Fat chance.

Mike Williams


Call for Proposals - CFP99

Marc Rotenberg <rotenberg@epic.org>
Tue, 5 Jan 1999 17:26:32 -0500
  [I could have titled this CFP for CFP99, but that would be confusing.  PGN]

                Computers, Freedom + Privacy 1999
                    THE GLOBAL INTERNET
                     Omni Shoreham Hotel
                        Washington, DC
                       April 6-8, 1999

The Program Committee of the conference on Computers, Freedom, and Privacy
(CFP99) is seeking proposals for the ninth annual CFP, which will be held in
Washington DC between April 6th and April 8th 1999 at the Omni Sheraton
Hotel.  CFP is the leading Internet policy conference. For almost a decade,
CFP has shaped the public debate on the future of privacy and freedom in the
online world. The CFP audience is diverse with representatives from
government, business, education, non-profits and the media. The themes are
broad and forward-looking. CFP explores what will be, not what has been. It
is the place where the future is mapped.

The theme of the 1999 CFP conference is "The Global Internet."  Proposals
are welcomed on all aspects of privacy and freedom. The 1999 Program
Committee is particularly interested in receiving proposals that deal with:

  ACCESS TO THE INTERNET, particularly those relating to
  globalization and governance. Of particular interest are
  issues of privacy, censorship, free speech and access.

  INTERNATIONAL ISSUES, especially the emerging issues of global
  privacy protection, encryption policy, international
  principles of human rights, regulation, legislation, and copyright.

  ELECTRONIC COMMERCE, including the impact of payment systems,
  regulations, and technical standards on personal freedom and privacy.

  CULTURE AND LANGUAGE ON THE INTERNET, such as the significance
  of diversity, multilingualism, and cultural representation

We strongly encourage proposals that involve leading experts, innovators,
policymakers, and thinkers.  The CFP99 Program Committee will finalize the
selection of proposals by February 1, 1999, proposals should be received by
15 Jan 1999 by e-mail to proposals@cfp99.org [Apparently, slightly late
proposals will be considered if they are good, which is why I am running
this notice on 15 Jan 1999!  PGN]

For more information on the Computers, Freedom, and Privacy Conferences,
please visit the conference Web page http://www.cfp99.org. If your have
further questions about CFP, please feel free to contact a member of the
Program Committee.

PROGRAM COMMITTEE chair: Marc Rotenberg, EPIC and ACM, Washington, DC.

Please report problems with the web pages to the maintainer

x
Top