The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 36

Saturday 1 May 1999


o Seagulls speak English: Aldershot
John Haseler
o Yet another satellite hits the dust
Joan L. Grove Brewer
o Titan 4B places military satellite in improper orbit
o No Bell Tolls for thee
Jeremy Ardley
o Risks of "smart" MS Internet apps
Andrew Shieh
o Re: Dodgy automatic address book resolution
Larry Pryluck
o MS-Outlook 98 risk of mislaying messages in Outlook today
Jahn Rentmeister
o Bloatware and the Windows API
Diomidis Spinellis
o Re: The Bloatware Debate
Henry Baker
o Bloatware and Nightlight Saving
R.A. Downes
o Update on DejaNews click-through monitoring
Richard M. Smith
o Re: WC Watch Company site ...
David B. Horvath
o Re: Risks of misaddressed mail
Frederick M Avolio
o REVIEW: "A Guide to Virtual Private Networks", Martin W. Murhamm
Rob Slade
o CONF: 12th Software Quality Week
Software Research
o Info on RISKS (comp.risks)

Seagulls speak English: Aldershot

Sat, 1 May 1999 23:30:44 +0100
Quote from *Daily Telegraph*, 1 May 1999, Property section - in an article
explaining how to keep seagulls from nesting on your chimney-stack:

  The other day, I got a call from a man complaining that the gulls
  outside his window were interfering with his voice-activated computer.
  Apparently, every time a seagull let out a loud squawk, his computer
  would type up the word 'Aldershot' on this screen.  After a while,
  that kind of thing can drive you mad.

    [I guess the computer software was gulled into a characteristic
    AI pattern mismatch.  But this is clearly worth some further study.
    What would one good tern turn into?  Gullible's Travels?
    And what is the domain of discourse that includes Aldershot?  PGN]

Yet another satellite hits the dust

"Joan L. Grove Brewer" <>
Sat, 1 May 1999 02:40:30 -0700
On 28 Apr 1999 the *Seattle Times* and other news media reported that yet
another satellite had mysteriously lost contact.

In the article -- A real-life X-Files case: Where's the satellite?
-- John Antczak of The Associated Press

"Ikonos 1 (Greek for image) disappeared yesterday almost immediately after
it was launched from California's coast."

It was going to be only a 400-mile-high orbit, and they are puzzling over
what could have gone wrong...  This was the first private
satellite that could take high resolution images of earth.  ONLY the
military could do this until now.  [In 1994, the U.S. Government authorized
Space Imaging to launch a private satellite.  PGN]

There is still that BIG PUZZLE about what happened.  In fact, there have
been so many problems with private satellites that it does in fact beg the
question... Is this an X-File? :-) or is this something else. So many
satellites have been messing up that last week's Dilbert TV show which aired
on April 26 they did a bit on satellites. Dilbert messed up and a satellite
went out of orbit hit another satellite and they all went so nuts that the
whole world shut down...  It was really quite funny.  Then bingo, two days
later yet another satellite bites the dust--perhaps literally.

Craig McCaw and Bill Gates put together a company called Teledesic that was
originally going to put 840 satellites in low orbits until Boeing talked them
down to 280.  I wonder what their game score will be.  Boeing who is doing
the project with them had one of the rockets blow up on the pad as well as
their satellite. :-) This could really get to be quite an expensive
business, especially if it's due to a natural phenomenon like radiation belts
or a new sun cycle with massive sun spots. Maybe it will eventually get
turned back on.

Could this just be due to human error?  Low Orbiting satellites have to be
piloted by humans.  My original concern to the boys was where are you going
to find the highly trained and skilled engineers to run that many
satellites. We can't even find people to operate our computer systems and
the Internet? This is what I think the real problem is.  It's like with our
older mainframes having to have system engineers sleeping on cots in the
back room to baby sit all the time... Now with a lot of people raised on
computers do we really have the brain power to react fast enough in a crisis

Joan Brewer -- retired systems engineer

Titan 4B places military satellite in improper orbit

RISKS List Owner <>
Sat, 1 May 99 10:39:45 PDT
The U.S. Air Force is on another rough road in the sky.

A Titan 4B rocket (cost about $433.1 million) was launched from Cape
Canaveral on 30 Apr 1999 carrying a Milstar military satellite (worth about
$800 million).  Both were built by Lockheed Martin.  The three firings of
the Centaur upper-stage booster apparently occurred prematurely, resulting
in the satellite separating four hours early into an elliptical orbit from
460 miles to 3,105 miles up, rather than the intended stationary geocentric
orbit at 22,300 miles above the equator.

This was the third failure in a row -- following the Titan 4A with a Vortex
satellite last August 1998 in a mission with comparable costs (RISKS-19.91),
and a missile warning satellite on 9 Apr 1999 stuck in a useless orbit.

No Bell Tolls for thee

"J&J Ardley" <>
Sat, 1 May 1999 20:07:05 +0800
The following text is part of  dated
February 1999 as an example of a high security implementation of NT for
military purposes.  The CRONOS system is a wide area network of NT computers
used in NATO in Europe in the present conflict in the Balkans.  Steakley is
David Steakley, Cronos Project Leader at NC3A.  Jeremy Ardley


  Security of Windows NT Crucial to Cronos

  Because Cronos carries classified information, security was a top
  requirement. Specifically, NATO regulations required that Cronos use an
  operating system that carried the imprimatur of an independent security
  evaluation. "We had to have assurance that security rules could be
  enforced -- to make sure that when anyone logs onto the system, he is
  authorized to log on and has security clearance at the level the system
  requires," says Steakley.

  "We insist that all of our systems meet the C2 level of security when
  they're used for classified information, on both the client and the
  servers," says Steakley, referring to a security rating level in the US
  Government's Trusted Computer Security Evaluation Criteria. Windows NT 3.5
  has been successfully evaluated by the US Government at the C2 level and
  Windows NT 3.51 has been successfully evaluated by the UK Government at a
  comparable level of E3/FC-2. Because of this lineage and the fact that
  Windows NT 4.0 had been submitted for its own C2 evaluation, Windows NT
  4.0 met NATO's security requirements."

In contrast to this is the following from  dated  October 26, 1998 which

Quote :

  NT 4.0 is not certified at the C2 level by NSA. Microsoft, however, is in
  the process of getting C2 certification for NT 4.0 with Service Pack 4 in
  a closed network configuration.

The essential element is that C2 certification to date applies to
non-networked configurations of NT 3.51 on a specific set of hardware.
Clearly the client and server configuration of NT 4.0 referred to by Steakley
are not covered by the existing C2 certification.  Extrapolation by Steakley
of the certification of 3.51 to 4.0 is also a non-sequitur, especially as he
claims that submission for evaluation equates to granting of a certificate.
Under his logic I should claim a Nobel prize when I next submit my name to
the committee.

Risks of "smart" MS Internet apps

andrew shieh <>
Sat, 1 May 1999 01:41:19 -0700
Recently, in response to a simple question about perl, i posted the answer of:


This worked fine. The person who i was responding to was using Microsoft
Outlook Express to read the newsgroup. He couldn't seem to figure out what
that meant. He quoted my message, and the "//i" showed up as "file://i", and
i guessed that that was how it also appeared to him on screen.

What you get is not what you see.

Re: Dodgy automatic address book resolution (Liddicott, RISKS-20.34)

"Pryluck, Larry" <>
Thu, 29 Apr 1999 12:38:41 -0400
I had an experience similar to Samuel Liddicott's.  Our office uses
MSexchange 5.0 running on Windows NT Workstation 4.0.  I tried to forward a
leave form to our secretary, Ann Jack, whose e-mail address is resolved on
the Global Address List.  I was chagrined to find out a day or two later
that the mail went instead to my friends Jack and Anne, whose e-mail address
is in my personal address book, which is first on the list.  This was even
after selecting "Ann Jack" from the global address list.  I may have even
put in the address to the right of the @ as well.

I finally gave in to the dark side and made "AJ" an entry in my personal
book.  No problems now, but it continues to amaze me how what used to be a
simple thing has been made complex by software that tries to out think the

Larry Pryluck, US Army Information Systems Software Center
Executive Software Systems Directorate

MS-Outlook 98 risk of mislaying messages in Outlook today

Jahn Rentmeister <>
Mon, 26 Apr 1999 18:32:43 +0200 (MES)
MS-Outlook as an MS-Exchange client uses a hierarchical folder list to store
e-mail messages in. Folders can contain mail messages, but also other
folders. The top-level folder is the "mailbox", which contains, among other
folders, a folder for incoming mail.

In Outlook 97, the top-level folder is just a folder like any other, in
particular, it can contain folders and mail messages, and activating the
folder shows its contents. In Outlook 98, however, displaying the top-level
folder of a mailbox displays an "Outlook today" screen, featuring "links" to
the user's calendar, task lists, e-mail drafts and inbox as well as a search
facility. However, the contents of the folder are not displayed in Outlook
98. But it is still possible to move e-mail messages into that folder.

This creates a situation where it is possible for a user to move a message
to that folder, but is later unable to access that message.  (Unless the
e-mail message is found by a search of all folders.)

Moving messages into folders is commonly done with the mouse, and
accidentally moving messages to the wrong destination folder is not uncommon
(at least not for me). This can create (and has created) situations where
e-mail messages "magically" disappear, possibly before they have been acted
upon or even before they have been read.

To my knowledge, there is no way accessible to the average user to check the
contents of this folder in Outlook 98, or to disable the "Outlook today"

The fact that contents of the folder are not displayed together with
the "Outlook today" screen is not obvious to the user, except if a
user tests this by deliberately moving mail into that folder.

This "feature" was not present in Outlook 97, and it is possible to check
the folder contents using Outlook 97. (With MS-Exchange, e-mail messages and
folder structure are usually stored on the server)

There is a way to disable the "outlook today" feature, described at
(create and set a special key in the Windows registry)

Jahn Rentmeister <>

Bloatware and the Windows API

Diomidis Spinellis <>
Sat, 01 May 1999 15:19:23 +0300
A number of contributors to previous digests have stressed the risks
associated with increasingly bloated software applications.  I believe that
a part of the complexity and unreliability of many modern software
applications can be attributed to their use of the Windows Application
Programming Interface (API).

I recently wanted to read - using C code - the name of the file pointed by a
Windows shortcut: a shell-level equivalent of the Unix symbolic link.  Unix
symbolic links can be read by using readlink(2) - a simple three argument
system call.  The code I had to write to examine the Windows shortcut
spanned over 100 lines of C and included initialisation of the COM
(component-object model) library, checking for Unicode filenames, getting
pointers to two COM interfaces, and releasing all the associated handles at
the end.  Seven of the API functions could return with an error which had to
be checked.  I am sure other readers can point to other similar examples.

The architecture, interface, and functionality of the Windows API make it
difficult to master and use effectively, and contribute negatively to the
safety, robustness, and portability of the applications developed under it.
The API is structured around a large and constantly evolving set of
functions and is based on a problematic shared library implementation (the
infamous Dynamic Link Libraries - DLLs). The provided interfaces are
complicated, non-orthogonal, abuse the type system, cause name-space
pollution, and use inconsistent naming conventions. In addition, the
functionality of the interface suffers from inconsistency, incompleteness,
and inadequate documentation [1].

I foresee that problems associated with the use or misuse of the Windows
API will provide material for many future RISKS digests.

[1] Diomidis Spinellis. A critique of the Windows application programming
interface. Computer Standards & Interfaces, 20:1-8, November 1998.

Diomidis Spinellis, University of the Aegean
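
The readlink(2) call mentioned in the post above, written out with its return value checked, as an added example in C (not code from the original post or from the cited paper). The names `read_link_target` and `selfcheck`, the scratch directory under `/tmp` and the link target string are constructed for illustration. The wrapper covers the two things the three-argument call leaves to the caller: it never NUL-terminates the buffer, and it truncates silently when the buffer is too small.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read the target of symlink `path` into buf (capacity bufsize).
 * Returns the target length, or -1 with errno set. */
ssize_t read_link_target(const char *path, char *buf, size_t bufsize)
{
    ssize_t n;

    if (path == NULL || buf == NULL || bufsize < 2) {
        errno = EINVAL;
        return -1;
    }
    n = readlink(path, buf, bufsize - 1);   /* keep one byte for the NUL */
    if (n < 0)
        return -1;          /* errno set by readlink: ENOENT, EINVAL, ... */
    if ((size_t)n == bufsize - 1) {
        /* readlink truncates silently; a full buffer is indistinguishable
         * from a cut-off target, so refuse it rather than return a prefix. */
        buf[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[n] = '\0';          /* readlink never NUL-terminates */
    return n;
}

/* Constructed self-check in a scratch directory: returns 0 when all four
 * cases behave as documented, otherwise the number of the failing case. */
int selfcheck(void)
{
    static const char target[] = "constructed/target.txt";
    char dir[] = "/tmp/readlink-demo-XXXXXX";
    char lnk[64], plain[64], missing[64], buf[64], tiny[8];
    int failed = 0;
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(plain, sizeof plain, "%s/plain", dir);
    snprintf(missing, sizeof missing, "%s/missing", dir);
    f = fopen(plain, "w");
    if (f == NULL || fclose(f) != 0 || symlink(target, lnk) != 0)
        failed = -1;        /* could not build the test fixtures */

    if (!failed && (read_link_target(lnk, buf, sizeof buf)
                    != (ssize_t)strlen(target) || strcmp(buf, target) != 0))
        failed = 1;         /* normal case: full target, terminated */
    if (!failed && (read_link_target(lnk, tiny, sizeof tiny) != -1
                    || errno != ENAMETOOLONG || tiny[0] != '\0'))
        failed = 2;         /* buffer too small: error, not a prefix */
    if (!failed && (read_link_target(plain, buf, sizeof buf) != -1
                    || errno != EINVAL))
        failed = 3;         /* a regular file is not a link */
    if (!failed && (read_link_target(missing, buf, sizeof buf) != -1
                    || errno != ENOENT))
        failed = 4;         /* no such file */

    unlink(lnk);
    unlink(plain);
    rmdir(dir);
    return failed;
}

int main(void)
{
    return selfcheck() != 0;
}
```
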

Re: The Bloatware Debate (Downes, RISKS-20.35)

Henry Baker <>
Sat, 01 May 1999 06:51:36 -0700
> One of the chief hallmarks of early UNIX was how simple, compact programs
> worked well together....

The biggest productivity losses due to bloatware are IMHO the enormous
intellectual effort of the compiler people to 'optimize' bad code into good
code, and of the CPU hardware architects to make 'legacy' bad code run fast.
I would estimate that 50-70% of the size of compilers and 50-70% of the size
of CPU chips is devoted to protecting the investment in code that never
should have seen the light of day.

On another note, though, Unix itself inspired a generation of programmers to
write bad, buggy code that never bothered to check error codes, and assumed
that all input was error-free.  There was a wonderful paper in the
Communications of the ACM a number of years ago about feeding 'line noise'
into various standard (and presumably well-debugged) Unix utilities and
seeing the spectacular crashes that ensued.

Bloatware and Nightlight Saving

Sat, 01 May 1999 07:58:09 +0000
While we're on the bloatware debate, let's look at some wonderful features
that have come our way via that Mecca of intellectual happiness, Redmond

The incident below takes place soon after the Premium Release of Windows 95
and about one week before my corporation scrapped it altogether. I had 95
installed in my home and it was Saturday night and time for bed.  I kicked
in the screen saver and joined my wife under the covers.

Some hours later I was wakened from a sound sleep by a commotion in the next
room. The wife did not wake, but I did, and I was curious what had caused the
noise and went in to check.

It was the computer. The monitor screen had a big message box planted on
it. The wording was something to the effect:

"Microsoft Windows 95 has detected that you have now gone over to standard
time from daylight savings time and has adjusted your computer's clock
accordingly. Thank you for choosing Microsoft Windows 95."

I was impressed! When I returned to bed the wife was stirring and protesting
my being up and about. I told her "you'll never believe what that Bill Gates
did now!" and as she drifted off again to sleep I gave her the whole story.

But my sleep and mirth with Microsoft did not last long. It was exactly one
hour later that I was awakened again - and for the same reason! The
computer's clock, put back from 3 AM to 2 AM by Wonderful Windows, had again
hit 3 AM, and - you guessed it - Wonderful Windows again put it back to
standard time. At this rate Sunday would never occur!

Even though I knew better I passed it off as a fluke and went back to
bed. And both one hour later and two hours later (my time, not Microsoft's)
I was rudely disturbed by the collective alternative intelligence of
Redmond. At that point I turned the machine off, had a few moments of black
insight into how things are done and tested in that cauldron of cerebral
superiority, and decided then and there that Microsoft Windows 95 could
never be taken seriously.

RA Downes  Radsoft Laboratories

Update on DejaNews click-through monitoring

"Richard M. Smith" <>
Sat, 01 May 1999 17:23:26 -0400
I just wanted to give an update on the DejaNews ruckus
that got started in the, alt.privacy,
and comp.risks newsgroups earlier this week.

As reported by myself and a number of other folks, DejaNews is monitoring
when people click on links to external Web sites and e-mail addresses in
newsgroup messages displayed by DejaNews.

DejaNews issued a statement on Friday afternoon saying that they plan to
stop monitoring click-throughs of e-mail addresses.  *ComputerWorld* and
*Wired* both have stories on this announcement:

This is good news, as there was no particular reason in the first place for
DejaNews doing this sort of thing.  The software changes on the DejaNews
servers should be pretty trivial to make.

According to *ComputerWorld*, DejaNews may continue to track when people
click on a link to an external Web site in a newsgroup message.  This is
somewhat of an unusual practice for a search engine to be doing.  To my
knowledge only Hotbot does this same sort of tracking.  For people concerned
about this, a simple solution is to copy the link text and paste it into the
location or address window of a browser.  This solution bypasses the
redirect trick being used by the server to do the monitoring.

The larger issue that I see here is something that can affect any Web site
or ISP.  The more information that a Web site or ISP chooses to track and
save away, the more likely they are to be dragged into legal disputes.
Lawyers and law enforcement people are increasingly asking for and getting log
files from both ISP and Web site operators.  Here are some interesting
articles on this subject:

    "Arrest made in Bloomberg story hoax"
    "Internet chat faces new suit"
    "Spouses may delete their marriage, but e-mail lives on as evidence"
    "Online, both the guilty and innocent are easy to spy"

Things will get really interesting if information from server logs is turned
over in a civil case about some individual and this individual thinks that
the Web site operator or ISP shouldn't have been collecting and archiving
the information in the first place.

Richard M. Smith <>

Re: WC Watch Company site ... (Ziglar, RISKS-20.35)

David B. Horvath, CCP <>
Fri, 30 Apr 1999 21:58:58 -0400 (EDT)
>IWC, a Swiss manufacturer of high-end wristwatches, ...

Ahh, the risks of common TLA domains. is InLink Web Creations
(actually refreshes to - Inlink Communications, an ISP in St
Louis). gets you the watch manufacturer.  There were three people
listed: "Mrs. Privacy Invasion (anon@", "Mr. up (yours)", and "Mr.
Prinya Sivasirikarul (no e-mail address)".  I wonder if Mrs. Invasion reads
RISK Digest?

David B. Horvath, CCP             
Consultant, Author, International Lecturer, Adjunct Professor

  [Also noted by Mike Durkin.  But it seems people are not
  necessarily giving the requested information.  That seems
  like a very good idea, although may not be good enough.  PGN]

Re: Risks of misaddressed mail (Thompson, RISKS-20.35)

Frederick M Avolio <>
Fri, 30 Apr 1999 19:22:33 -0400
The bigger problem, and I think more problematic, is our total dependence on
e-mail when a telephone call could clear things up nicely. We assume because
e-mail almost always works, that it *will*. Sometimes a telephone call to
clear things up or to inquire as to status will save days of time and
e-mail. I suspect we have all been in exchanges of e-mail that would have
better and more quickly been done via the telephone.

I love e-mail. Love using it. I believe I fully understand and appreciate
its utility. But it is not the ultimate communication tool. Sometimes a
call, "did you ever send that document to me?" saves time and effort.

Fred, Avolio Consulting, 16228 Frederick Road, PO Box 609, Lisbon, MD 21765
410-309-6910 (voice)  410-309-6911 (fax)

REVIEW: "A Guide to Virtual Private Networks", Martin W. Murhamm

Rob Slade <>
Fri, 30 Apr 1999 08:20:06 -0800

"A Guide to Virtual Private Networks", Martin W. Murhammer et al,
1998, 0-13-083964-7
%A   Martin W. Murhammer
%A   Tim A. Bourne
%A   Tamas Gaidosch
%A   Charles Kunzinger
%A   Laura Rademacher
%A   Andreas Weinfurter
%C   One Lake St., Upper Saddle River, NJ   07458
%D   1998
%G   0-13-083964-7
%I   Prentice Hall
%O   800-576-3800 416-293-3621 fax: 201-236-7131
%P   174 p.
%T   "A Guide to Virtual Private Networks"

You don't have to look very far to figure out that this book is by
IBM, of IBM, and probably for IBM.  All of the authors (even those
that don't rate the front cover) work for IBM, and ... well, lookee
here!  IBM just happens to make products that relate to virtual
private networks (VPNs)!

Chapter one is a reasonable overview of the basic concepts behind
VPNs.  However, the level of the writing is inconsistent, some parts
of the explanation are a bit confused (they tend to use the term
"tunnel" a lot, even where "circuit" might be more fitting), and
overall one gets the feeling that this should be presented on a big
screen in a dark auditorium, with a suit droning on and on.  There is
a tendency to illustrate (with not very illuminating figures) rather
than explain, when it comes to the technical bits.  Either that, or
just start to list off protocols.

Encryption is explained fairly well in chapter two.  There is some
detail as to the actual operation of some algorithms.  (I notice that
DES [Data Encryption Standard] is not among them, and that it is
claimed fully, and not just derivatively, for IBM.)  The discussion of
key and algorithm strength is weak, however, and there is no
discussion of the basic problems or concerns of key management.

Chapter three provides format details of the IPsec (Internet Protocol
security) AH (Authentication Header) and ESP (Encapsulating Security
Payload) protocols.  References for the appropriate draft documents
are given at the end of the chapter.  The Internet Key Exchange (IKE)
(also known as Internet Security Association and Key Management
Protocol [ISAKMP]) is discussed in chapter four.  Chapters five to
seven look at scenarios for branch offices, business partners, and
remote access, respectively.  There is little new content, and most of
the material could be inferred from the text of earlier chapters.
Showing admirable forbearance, most of the detail of IBM products is
held for the appendices.

While not all parts are particularly readable, the book does, at
least, have the advantage of being short.  The fundamental concepts of
VPNs are given, enough so that a technical manager could get a basic
grasp of what was required.  Possible attacks, and the complexities of
implementation, are not dealt with very well.

copyright Robert M. Slade, 1999   BKAGTVPN.RVW   990321    or

CONF: 12th Software Quality Week (QW'99; edited for RISKS)

Software Research <>
Fri, 30 Apr 1999 20:25:40 GMT
The 12th Annual International Software Quality Week (QW'99) will be held
26-28 May 1999 in San Jose, California USA.  Two days of pre-conference
tutorials are 24-25 May 1999.  The complete program for QW'99 can be found
at the QW'99 Conference WebSite:

KEYNOTE SPEAKERS (26-28 May 1999) address the Conference Theme "Facing the
Future" in a coordinated sequence of talks:
 * Martin Pol (IQUIP Informatica BV) "Facing the Future Means Facing Test
 * Jeff Schuster (Rational) "Facing the Future: E-Commerce Quality and YOU!"
 * Cem Kaner (Attorney at Law) "Facing the Future: The Law"
 * Roger Sherman (Independent Consultant) "Facing the Future: Commercial
   Product Testing"
 * Jakob Nielsen (Nielsen Norman Group) "Facing the Future: Usability
   Aspects of Quality"
 * Brian Marick (RST) "Facing the Future: New Models for Test Development"
 * Boris Beizer (Independent Consultant) "The Mavin"

COMPLETE INFORMATION or to register by phone or by mail is available from:
        901 Minnesota Street
        San Francisco, CA  94107  USA
        Phone:  +1 (800) 942-SOFT (7638) or +1 (415) 947-1441
        FAX:    +1 (415) 957-0730
        Web:    <>
