The RISKS Digest
Volume 20 Issue 20

Wednesday, 10th February 1999

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Spanish bank buy lots of shares because of Euro problems
David Mediavilla
o E-Trade computers crash again — and again
o Copier quota exceeded
Philip Koopman
o Risks of Furbies: NSA was right!
Pete Mellor
o State of the states in Y2K readiness
o The NT Blue Screen of Death
Bruce Wampler
o The risks of "standard" software?
Rob Slade
o You are still in France
Adam Shostack
o It gets weirder every day...
Fred Cohen
o The risks of shopping at Amazon
Ross Anderson
o Re: Risks of successful security software
Pete Mellor
o Re: Government computer withholds benefits ...
Pete Mellor
o FMICS4 call for papers
Diego Latella
o REVIEW: "Mercury Rising", Douglas Pearson Ryne
Rob Slade
o Info on RISKS (comp.risks)

Spanish bank buy lots of shares because of Euro problems

David Mediavilla <>
Tue, 9 Feb 1999 12:20:21 +0100
According to the Spanish journal "El Pais", 5 Feb 1999 (quoting "Levante"),
the Spanish bank Bancaja bought 1000 million pesetas (> 6 million euros) in
shares of the Telepizza fast-food company, following a request for 1000
shares by a customer.  It was a human error. The bank system was expected to
detect transactions over 25 million pesetas but on the 4th of January, after
switching to Euro-ready programs, this check was not enabled. The difference
between the quantities bought and sold to the customer was held by the
bank. Fortunately the value of the stock rose 30%.

David Mediavilla Ezquibela

E-Trade computers crash again — and again

Edupage Editors <>
Sun, 07 Feb 1999 10:28:30 -0500
The computer system of online security firm E-Trade crashed on Friday for
the third consecutive day.  "It was just a software glitch.  I think we were
all frustrated by it," says an E-Trade executive.  Industry analyst James
Mark of Deutsche Bank is essentially sympathetic: "It's sort of a black eye
for them. They've been claiming that their architecture is superior. But
it's the application on a large scale.  As soon as E-Trade's volumes started
spiking up, they had the same problems as others."  Marks adds: "If you call
a broker, he may be on the phone or away from his desk or on vacation.
There are all sorts of times you can't get through and once you put an order
through there's no guarantee on terms.  Here you have a customer base that
is paying 5 percent to 10 percent of what it was paying for service in the
full-commission environment and it's demanding service above what was
available in the full-service environment. And they feel it's their right."
(*The Washington Post*, 6 Feb 1999; Edupage, 7 February 1999)

Copier quota exceeded

Philip Koopman <>
Wed, 10 Feb 1999 20:11:47 GMT
We recently suffered temporary loss of copier privileges for my graduate
course because we went over our quota.  It seems the machine says we made
4,294,967,026 copies in the last two weeks, and the caretakers accepted it
as a correct number because it came from a computerized accounting system (a
familiar RISK).  They asked, with a straight face, what in the world we had
been copying.

I tried pointing out that this is suspiciously close to 2**32 and that it is
far more likely the number -272 printed with an unsigned print format, but
that argument didn't do me any good.  I didn't waste time trying to do the
page/minute calculation vs. elapsed wall time for them...  So I think the
fix is we'll reset the counter to zero and hope it doesn't happen again.
And no, I have no idea how we got a negative number to start with.

Phil Koopman — —

Risks of Furbies: NSA was right! (RISKS-20.14 and .16)

Pete Mellor <>
Wed, 10 Feb 1999 13:38:58 GMT
A friend of mine (Malcolm) related an alarming tale this lunchtime.
He was helping a friend by driving her daughter to school. As they
pulled up at the school gates, she took a Furby out of her bag.

"You'd better not take that to school." said Malcolm. "Leave it in
the car." As he explained over lunch: "The worst decision I ever made.

State of the states in Y2K readiness

Edupage Editors <>
Tue, 02 Feb 1999 15:05:09 -0500
A recent survey by the General Accounting Office shows only a third of the
421 computer systems used by the states to manage seven welfare programs are
Y2K-compliant, with Medicaid the lowest at 16%.  Systems that deal with
child-care and child-welfare are about 50% compliant.  An ongoing survey of
state readiness conducted by the National Association of State Information
Resource Executives (NASIRE) indicates that a narrow majority have completed
repairs on more than half their critical systems and expect to finish the
rest in the next few months.  But the rest of the states are way behind,
with Alaska in last place with only 15% of its computer systems repaired.
"For a state, if you're not ready, you're out of the game," says Steve
Kolodney, director of Washington state's information services and chairman
of NASIRE's year 2000 committee.  It's estimated that states will spend
close to $3.5 billion in bringing their computer systems to compliance, more
than half of the amount spent by the federal government to do the same.
(*Los Angeles Times*, 1 Feb 1999; Edupage, 2 February 1999)

The NT Blue Screen of Death

Bruce Wampler <>
Wed, 10 Feb 1999 13:05:29 -0700
Submitted without any additional comment needed, taken from
the MSDN Flash, Volume 3, Number 3, February 8, 1999 e-newsletter:

MSDN Flash Tips

MSDN Online Members-we have a new Tip for you each week at

From Exploring Windows NT

If you spend any time administering Windows NT, you're far too familiar with
the Blue Screen of Death (BSOD) which displays the cause of the crash and
gives some information about the state of the system when it crashed. The
BSOD will sit on the screen until someone reboots the system, which could be
very bad for a system that should be running 24 hours a day, like an
Exchange server. You can force NT to automatically reboot after a crash by
setting the value of
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\CrashControl\AutoReboot to 1.
Once you've changed this value, NT will reboot after writing the crash log

Bruce E. Wampler, Ph.D.

The risks of "standard" software?

Rob Slade <>
Wed, 10 Feb 1999 13:31:58 -0800
I use the term "standard" here so as not to get into any arguments about

Most of the people in my wife's office use Microsoft Word as a word
processor.  (Not terribly surprising, I grant you.)  They also use a number
of other programs, some of them specialty programs for vertical markets.
The office has, up to now, standardized on 1 1/2" labels for most things,
since almost all of the programs used had a setting for that format.  Most
of the labels have been printed by database programs, and not through the
word processor.

Thus it was, that, until very recently, nobody realized that the new upgrade
to Word (the entire office upgraded to Office 97 in May) did not have a
setting for 1 1/2" labels, at least not "built in."  And, having had some
stock on hand for most of this year, it came as a shock when they recently
submitted an order for 1 1/2" labels, and were told that the size was not
available.  At least, not in the generic house brand that they are used to
ordering.  Special label sizes can be ordered from a premium manufacturer
like Avery, but are not available as house brands from any of the three main
distributors that the office deals with.

When pressed, representatives for the companies all had the same story.
Nobody uses that size anymore, because Word doesn't use it.  Therefore it is
no longer a standard size, and no longer a standard stock item.

You are still in France

Adam Shostack <>
Fri, 5 Feb 1999 12:02:52 -0500
In RISKS-20.17, John Young reports on the French liberalization of crypto
laws.  Short-timers will remember the "You are now in France" attack
mentioned in RISKS-19.74.  I am unable to find a patch for Windows that
addresses this change, which means that people continue to be vulnerable
because of a law now repealed.  The risk, at a high level, is building
vulnerabilities into software because of a law.  The problems will survive
long after the law is replaced.

It gets weirder every day...

Fred Cohen <>
Tue, 2 Feb 1999 18:18:44 -0800 (PST)
On two fronts... [relating to separate items from Fred in RISKS-20.19]

The error message from Windows was because the file named "sensitive
countries" was read protected on the remote file server.  The error message
was simply confusing because it didn't identify that as a file name, but
rather as the reson it stopped.  The country it failed to process was indeed
a 'sensitive' country (according to US policy today) so it took some time to
figure out what really went wrong.

The PGP 'Trojan' is now being called a virus by folks who I believe wrote it
(although they claim that they are not the authors, the set of things they
know seems to suggest their authorship).  They feel that it is illegal for
those on the Internet to flood them with files and that they are going to
suffer from denial of service.  They brag that they have already gotten two
sites that filled their FTP server with filenames shut off the Internet by
ISPs and they threaten to get more shut off because they believe it is
illegal to download files into their public write-only access area.  They
also assert that writing a virus is legal and that possessing unauthorized
access control devices is legal...  law enforcement seems to disagree.

My response has been rather less then generous.  I have indicated that
they could demonstrate their sincerity by:

    1) disabling the remote ftp esrvice for user anonymous with the
    password specified in the (now declared) virus.

    2) Notifying all sites that have in the past and will in the
    future try to download to that address that they have the virus
    and provide instructions for mitigating the harm.

    3) Providing all of the information required to track down the
    person who is receiving the information uploaded to that server
    and cooperating with local law enforcement to have them arrested.

To date, their (two of them so far) response has been less than
positive, but I hope to convince them to do what they can to mitigate
the harmful effects of this executable code regardless of their

Naturally, I also saw the DTK audit records of an attempted anonymous
login against the ftp server port on one of the machines that somebody
used to send a message to the named site at a time corresponding roughly
to the time they sent the first e-mail on the subject.

Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
Fred Cohen & Associates: - - tel/fax:925-454-0171
  [Fred's long disclaimer separating his two roles is omitted, as usual.  PGN]

The risks of shopping at Amazon

Ross Anderson <>
Tue, 09 Feb 1999 10:15:12 +0000
Today I tried to order a book from Amazon. Their server asked for a
credit-card number and I duly filled out the form. At the bottom it demanded
a password. According to Amazon, this means that `you won't need to give us
your credit-card number again unless you enter a new shipping address'. I
tried to enter the order without a password but it was refused.

What is the risk? Well, merchant retention of credit card numbers is a well
known vulnerability; card numbers are much more likely to be stolen from
merchant servers than while in transit on the net. Forcing customers to
choose a password adds four extra risks.  Firstly, the customer may choose a
bad password; secondly, if he doesn't, he will probably write it down
somewhere; thirdly, it will be kept on Amazon's system somewhere; and
fourthly, it is likely to cause problems for people who have a dispute with
their bank. I have acted as an expert witness in a number of court cases of
disputed cash machine transactions, and the bank usually says `you must have
written the PIN down somewhere'. If everyone who shops at Amazon must choose
a password which discloses their credit card details, then banks might turn
away all complaints from people who've ever shopped there.

There's another problem, which neatly highlights the tension between the USA
and Europe over data protection law.  The Amazon server also refused my
order when I refused to give them a telephone number. This isn't necessary
for the transaction, so compelling disclosure is dubious under European law.

So I tried ordering from, which ought to abide by our local
laws. This server also insisted on a password and a phone number, and even
on a town in the address form (despite the fact that I live in the
countryside). It also didn't turn on SSL for the credit card capture form,
so the card number was sent in clear. This is bad news, as we Brits don't
have the benefit of US consumer protections: if my credit card number is
stolen and abused, my bank will likely charge me the whole lot, and it's not
clear what evidence I will have that it was Amazon's fault.

So appears to be in breach of the Data Protection Act of
1984. I therefore went to the Data Protection Registrar's Website at
<> and did a register search:

> Search terms: name=amazon and
> No documents have been found that contain the above search terms.
> Please return to the form to begin a new search.

This looks highly illegal: under the Act, part 2, sections 5(1) and
5(5) compel everyone in the UK who holds personal data to
register. (See <>.)

I have e-mailed the Registrar, and will be interested to see what happens.

For several years now, the media have been hailing Amazon as the miracle of
the age, the model that all net based businesses - indeed all businesses
everywhere - should follow. I find that rather worrying,

Ross Anderson, Cambridge University
ross dot anderson at cl dot cam dot ac dot uk

Re: Risks of successful security software (RISKS-20.19)

Pete Mellor <>
Tue, 2 Feb 1999 11:38:40 GMT
Nick Brown <> reported on the "hacker's revenge" story from
the Daily Torygraph. There were one or two other interesting details, and
the story as it appeared is a bit misleading.

At first glance, a reader might imagine that it was the "Access Denied"
system that had been broken, which I think is not the case.

The challenge to the hackers to break their super firewall system was
actually issued by the manufacturer, Gen Technology. Paul Smith (age 29) was
described as *a* creator of Access Denied, not *the* creator. This implies
that he was one member of the development team, and makes me wonder why he
was personally singled out for retribution.

Gen Technology claim that over a period of several weeks, 240,000 attacks
were made, but none breached the firewall. (How do they know the number of
attacks, I wonder?) Apparently, the defensive features of Access Denied
include checking a "user profile" and serial number on any computer seeking
access, as well as the usual user name and password.

The vengeful hacker telephoned Mr. Smith, and said that he was part of a
team of hackers (interesting in itself), and that he had been humiliated in
front of his friends by being unable to fulfil his boast that he would get
through the firewall in five minutes. There are fascinating clues to hacker
psychology here. He was described by Mr. Smith as having a "British
voice". (Why is that so newsworthy, I wonder? Maybe to make it clear to
foreigners that our crooks are just as clever as your crooks? :-)

Since, presumably, Paul Smith's personal credit records were not kept on the
office machines at Gen Technology, the hacker must have attacked the records
held by a central credit rating agency. This has alarming implications. If
Paul Smith's credit rating can be falsified, then anybody could suffer the
same fate. (It is probably not surprising that these agencies are sloppy
about security, but it would seem that Paul Smith would have a prima facie
case against them for negligence.)

Apparently, the hacker also described on the 'phone exactly what he was
going to do. (In which case, why did Mr. Smith not alert the credit rating
agency?) What the hacker apparently did was to insert six false "default
notices" (as would result from persistent failure to keep up repayments on a
credit card or loan, when you are deemed to have breached the terms of the
contract) and one "County Court judgement" (an order to pay, made by a civil
court in favour of a mortgage company when instalments are seriously in
arrears, or of a local government authority when the defendant has not paid
Council Tax).  In the British system, the County Court judgement is the real
killer when it comes to obtaining future credit.

(If the hacker would care to contact me in confidence, I might like a few
things taken *off* my credit record! :-)

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422

Re: Government computer withholds benefits ... (R-20.19)

Pete Mellor <>
Mon, 8 Feb 1999 11:16:50 GMT
The "Money Box" programme on BBC Radio 4 on Sat Jan 30 carried an item about
problems with a UK government computer system which have led to underpayment
of widows' pensions and other benefits.

The computer system involved is the new NIRS 2 system installed by the UK
Government Department of Social Security (DSS), at a total cost of 140
million pounds sterling, which was said to be the largest civilian system in

The system was originally scheduled for completion in February 1997.  The
contractors now expect the remaining subsystems to be installed in March of
this year. Problems have apparently been caused by "software bugs", although
it was not clear from the programme to what extent software faults, as
opposed to late and incomplete delivery, are responsible for the trouble.

NIRS 2 holds records of National Insurance (NI) contributions.  (For non-UK
readers, this is a form of tax, normally deducted at source along with
income tax, but shown as a separate deduction on salary advice slips. NI
contributes to the government fund used to pay state pensions, unemployment
benefit and sickness benefit.)

It appears that it has not been possible to input complete and up-to-date
records of all National Insurance contributions, on which the amounts of
certain benefits are calculated. This has forced benefits to be calculated
by "guesswork" for more than one million claimants.  One effect has been
that women entitled to widow's benefit have been underpaid. Among those
affected are 160,000 new pensioners, whose underpayment is 1.30 pounds per
week *on average*, with some losing up to 100 pounds per week, for periods
of up to two years.

The problems with NIRS 2 have also meant that the government has failed to
pay a total of one billion pounds into private and occupational pension

There are a lot of angry widows beating on the doors of the Department of
Social Security. So far, they have not received an awful lot of help.  A
short time ago, the Liberal Democrat MP David Rendell drew attention to the
scandal by a question in Parliament. Steven Timms, Minister of State for
Social Security, said in interview on the programme that, from the 6th
January of this year, all *new* claimants would be paid correctly. He stated
that the NI contribution records would be up-to-date by the end of March,
and that existing beneficiaries whose total underpayment exceeded 100
pounds, and whose payment due for lost interest exceeded 10 pounds, would
automatically be reimbursed by lump sum payments for both underpaid benefits
and interest.

This seems to be a continuation of the problem which surfaced in the middle
of 1998, to which the DSS was reluctant to admit in case it led to a spate
of fraudulent claims for unemployment benefit (since the payment offices
could not check the bona fide of any claimant by going on-line to the

The government has set up a task force to deal with enquiries:-

  NI Benefit Task Force, Benefits Agency Department ST, Quarry House,
  Quarry Hill, Leeds LS2 7AU

Sources for the above are the Money Box programme itself (followed up by a
'phone call to Radio 4 enquiries), and their fact sheet. Anyone who requires
further details should send a SAE to:-

  Fact Sheet Week 5, Money Box, Room 6239, BBC Television Centre,
  Wood Lane, Shepherds Bush, London W12 7RJ

Apparently, reports from current affairs programmes such as Money Box are
not held on the BBC's Website, due to lack of staff to input them.  However,
a report also appeared in The Times on 26th January.

The National Audit Office report on National Insurance Fund Account 1997/98
is available on:

The fact sheet quotes two addresses and 'phone numbers (available on
request) from where hard copies of the NAO report may be ordered.

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422

FMICS4 call for papers

Diego Latella <>
Mon, 8 Feb 1999 14:36:22 +0100 (MET)
       Working Group on Formal Methods for Industrial Critical Systems
 4th International Workshop on Formal Methods for Industrial Critical Systems
                    Trento, Italy, July 11-12 1999
Submission date 30 Mar 1999.  Satellite meeting of FLoC'99

S. Gnesi, CNR-IEI, Via S. Maria 46, I56126 Pisa - ITALY phone: +39 050 593489

REVIEW: "Mercury Rising", Douglas Pearson Ryne

Rob Slade <>
Fri, 5 Feb 1999 08:42:14 -0800

"Mercury Rising", Douglas Pearson Ryne, 1998, 038002945
%A   Douglas Pearson Ryne
%C   1350 Avenue of the Americas, New York, NY 10019
%D   1998
%G   038002945
%I   Avon Books/The Hearst Corporation
%O   +1-800-238-0658
%T   "Mercury Rising"

Well, the other day I read "Mercury Rising."  That's right, read, not
watched.  Actually, the movie was based on a book originally published as
"Simple Simon," and, of course, the book was re-issued in conjunction with
the movie release.

The book is about an autistic boy who, in the idiot savant way that
sometimes comes with autism, is able to crack mathematically encrypted
messages simply by looking at them.  Unlikely?  True.  But I wouldn't want
to bet against the abilities of organic computers.  They can do some amazing

No, I'll stick to the computer and encryption stuff I know.  It's
hairy enough.

(By the way, I was amused to find out that Bruce Willis is Black.)

Let's start with the satellite.  Now, this is a KH designation satellite, so
no wonder it needs a crypto upgrade.  Except, hold on a minute.  The
description of what it does doesn't have anything to do with spying or
intelligence gathering.  This is a plain, old, ordinary comsat, picking up
messages and relaying them.  It doesn't need encryption capability any more
than a piece of copper wire needs encryption: it just passes bits.  The bits
might be encrypted at source and decrypted at the destination, but that
doesn't matter to the bits.  In fact, if the message *isn't* encrypted at
source, there is no point in encrypting it enroute.

But just suppose we do need encryption.  OK, we'll send up the upgrade.
Ready the command mode for reprogr...  What?  You're sending up a black box
on the shuttle?  And not just a tape, or anything: this is a module that is
going to have to be swapped out for the box that is there?

Well, let's leave the satellite for the moment, shall we?  Right, we have
this new, super duper encryption algorithm.  (Seems to be an awful lot like
DES, what with S boxes and all.  Hmmm.  Seems to be even more like someone's
misunderstood version of triple DES, but we'll let that pass.)  (Has one
heck of a key length, though.  Wouldn't be very effective on short messages.
Sorry, OK, back to the review.)  Everybody is to use it.  NSA, diplomatic
corp, CIA, FBI, everybody.  Same algorithm.  Same crypto gear.  Same key.
Ummm, excuse me?  (Good thing it's a long key, I guess.  No, wait, that
doesn't make any more sense...)

Right, let's move on to hackers.  Now, of course, everyone who is any good
at using computers is unhygienic.  Or crippled.  Or both.  (This also
applies to mathematicians, apparently.)  And, of course, any evil hacker is
completely undetectable as he slides down the T-1s of the nation, slipping
into computers that have no connection to outside networks at all.
Especially one who is working for the government because he got caught doing

OK, I've believed enough impossible things before breakfast.  If we have to
get into white hat/black hat Illuminati, both groups completely occult, my
brain is going to start to hurt.

copyright Robert M. Slade, 1998   BKMERRIS.RVW   981113
Find virus, book info

Please report problems with the web pages to the maintainer