The RISKS Digest
Volume 20 Issue 55

Friday, 27th August 1999

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



o New Microsoft Java flaw
Edward W. Felten
o Internet Explorer cannot read
Keith Edmunds
o Tokyo traffic chaos in GPS date rollover
Mike Martin
o GPS rollover hits yacht
Justin Mason
o 9/9/99
Lindsay Marshall
o Y2K in China
David Cowhig via Donald B. Wagner
o Downtown Chicago hit by electrical blackout
Doneel Edelson
o Power coming back on causes UPS to lose power
Ray Todd Stevens
o Numeric pager sending alpha messages
Ray Todd Stevens
o Ohio town law against cell phones while driving
Jim Griffith
o Justice seeks wider access to computer data
o Inadvertent nameserver cache poisoning
Rich Lafferty
o Purchase circles and insider information
Joseph A. Dellinger
o Can Linux survive software patents?
Martin Minow
o Canadian spy secrets leak on Web
David Kennedy
o Auto-Fix feature for Dell PCs
Henry Robertson
o Re: Car won't start if payments are delinquent
Keith Edmunds
o gnu touch has an unusual sense of time
B. Elijah Griffin
o Security check powers up computer
Edward Holden
o Re: NCIC 2000
Otto Stolz
o USENIX Annual Conference 2000, Announcement and Call For Papers
Moun Chau
o USENIX Security Symposium 2000, Announcement and Call for Papers
Moun Chau
o Info on RISKS (comp.risks)

New Microsoft Java flaw

"Edward W. Felten" <felten@CS.Princeton.EDU>
Thu, 26 Aug 1999 19:51:37 -0400
We have discovered a serious security flaw in the versions of Microsoft's
Java Virtual Machine that are distributed with Internet Explorer 4 and
Internet Explorer 5 for Microsoft Windows.  The flaw allows the creation of
a malicious applet that is attached to a HTML page, which could be delivered
over the Web via Internet Explorer or by e-mail via Outlook or other mail
programs that use Microsoft's Java Virtual Machine.  When the malicious
applet is executed, it can read, modify, or destroy any data on the
computer, insert a virus, insert software to spy on the user's future
on-line activities, or take any other malicious action.  The attack does not
require the user to do anything beyond viewing the Web page or e-mail

The flaw is a programming error (a race condition) in one of the
security-critical parts of Microsoft's Java class libraries. A malicious
applet can exploit this error to violate Java's security rules.  The applet
can then proceed to take control of the machine and perform any actions it
likes. We have implemented and tested an applet that demonstrates this flaw
by deleting a file on the victim's PC.

We are not releasing the demonstration applet or any further technical
details about the flaw at this time.

After consultation with us, Microsoft has issued a new version of
their Virtual Machine that fixes this problem.  A security bulletin
from Microsoft can be found at

For further information, contact Edward Felten at
609-258-5906, or Teresa Lunt at <>, 650-812-4424.

Edward Felten, Princeton University
Drew Dean, Xerox PARC
Dan Wallach, Rice University
Dirk Balfanz, Princeton University / Xerox PARC

Internet Explorer cannot read

"Edmunds, Keith" <>
Fri, 27 Aug 1999 16:24:03 +0100
I recently installed NT Server 4.0. Before upgrading to Service Pack 5, I
wanted to download some third party drivers. NT4 comes with Internet
Explorer V2, which is dated to say the least. I first decided to visit
Microsoft's web site to upgrade IE2 to IE4 or IE5. However, IE2 refuses to
display the home page at, giving instead the following
message: "Unable to open You do not have
permission to open this item. Directory Listing Denied This Virtual
Directory does not allow contents to be listed."

The RISK here is obvious. Ensure that your web site can be read by old
browsers, even if it isn't very pretty. This is particularly so if your
current product (NT 4.0) includes an obsolete browser itself...

Keith Edmunds  Reading UK <>

Tokyo traffic chaos in GPS date rollover

"Martin, Mike" <>
Tue, 24 Aug 1999 10:55:20 +1000
The Australian Financial Review's Tokyo correspondent, Andrew Cornell,
reports (AFR Aug 24) that the GPS date rollover, previously discussed at
length in RISKS, occurred at 9 am Sunday Aug 22 in Japan and that "an
estimated 100,000 systems", mainly used by vehicle drivers for navigation
through Tokyo's unnamed streets, "froze or went blank as the system rolled
over into its new time sequence".

Cornell reports that Pioneer, the GPS market leader, had been advertising to
notify customers of the problem, and had adapted or replaced 210,000 of its
270,000 affected systems.

If this incident is typical of consumers' and small businesses' response to
a technology brick wall then it does not bode especially well for January 1
next year.

Mike Martin

  [See also Reuters, *The New York Times*, 23 Aug 1999,  PGN]

GPS rollover hits yacht

Justin Mason <>
Sun, 22 Aug 1999 20:01:15 +0100
From this evening's RTE news:

The Irish Marine Emergency Service has been dealing with a yacht en route
from the Scilly Isles to Kinsale which ran into fog and heavy weather south
of Ireland this morning. Local reports say that "The Tam-o-Shanter" radioed
for help when its Global Positioning System began to misread the boat's
position.  The crew were further hampered by extremely heavy weather and a
torn sail. With the aid of the IMES and Coast Radio Stations, a position was
given and the yacht is now safely in Kinsale Harbour.

It is believed a millennium style bug caused the "Tam-o-Shanter" to lose its
position today. At midnight GMT (1am Irish time) the GPS "rolled over".
After its launch in 1980 it had a life span of 1,024 weeks, which reached
zero this morning when the system reverted back to its start time.  All
mariners had been warned of this, but GPS units older than five years would
not have been capable of handling the change.

(snipped from
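
The 1,024-week wraparound described in the report above, as an added example that is not part of the original posting: the broadcast week number is a 10-bit counter starting on 6 January 1980, so a receiver that assumes the first era jumps back to 1980, while one that resolves the era against a known-past pivot date keeps the right date. The pivot value and function names are assumptions of this example, and the leap-second offset between GPS time and UTC is ignored.

```python
from datetime import datetime, timedelta

GPS_EPOCH = datetime(1980, 1, 6)   # start of GPS week 0
WEEKS_PER_ERA = 1024               # the broadcast week number is 10 bits wide


def naive_date(week10, seconds_of_week):
    """Date computed by a receiver that assumes the first 1024-week era."""
    if not 0 <= week10 < WEEKS_PER_ERA:
        raise ValueError("week number must fit in 10 bits")
    return GPS_EPOCH + timedelta(weeks=week10, seconds=seconds_of_week)


def pivot_date(week10, seconds_of_week, pivot):
    """Resolve the era: earliest matching date that is not before `pivot`.

    `pivot` is any date the receiver knows to be in the past, for example a
    firmware build date (an assumption of this example).  The result is
    unambiguous for 1024 weeks after the pivot.
    """
    date = naive_date(week10, seconds_of_week)
    while date < pivot:
        date += timedelta(weeks=WEEKS_PER_ERA)
    return date


if __name__ == "__main__":
    pivot = datetime(1995, 1, 1)            # constructed pivot
    last = (1023, 7 * 86400 - 1)            # final second of week 1023
    first = (0, 0)                          # first second after the wrap
    for label, (week, sow) in (("before wrap", last), ("after wrap", first)):
        print(label, "naive:", naive_date(week, sow),
              "pivot:", pivot_date(week, sow, pivot))
```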


9/9/99

Lindsay Marshall
Mon, 23 Aug 1999 11:43:03 +0100 (GMT)
According to a report in one of the UK Sunday papers two real occurrences of
the fabled 9/9/99 bug have been found, one in a non-critical medical
application.  It would be interesting to have more information about this as
I have always thought that the 9/9/99 bug sounded like press scaremongering
rather than something that would really arise.

Y2K in China

"Donald B. Wagner" <>
Mon, 23 Aug 1999 09:31:45 +0200
Date:   Sat, 21 Aug 1999 20:32:39 -0400
Reply-To: H-Net list for Asian History and Culture <H-ASIA@H-NET.MSU.EDU>
From: David Cowhig <>
Subject: H-ASIA: May 1999 China Y2K National Conference: Guarded Optimism

May 1999 China Y2K National Conference: Guarded Optimism
A June 1999 report from U.S. Embassy Beijing
[see also the recently updated links to Chinese Y2K related websites at ]

Summary: China Y2K Czar Zhang Qi and other speakers at the Second PRC
National Y2K Conference held on May 6-7 in Beijing expressed greater
confidence in China's electric power grids but greater concerns about the
effect of the Year 2000 computer problem on railroad freight, medical
instrumentation and embedded chips. Zhang Qi said that electric power
companies would be assured funding for Y2K solutions. Some Chinese experts
doubt, however, that Y2K funding will be made available; the August 1998
State Council Y2K order made each unit responsible for funding its own Y2K
solutions. Zhang mentioned the recent Shanghai Y2K Seminar with Secretary of
Commerce Daley and her upcoming August 1999 USIA sponsored trip to the
U.S.A. Central government speakers discussed the Y2K problem in
telecommunications, electric power, and transportation. Local government and
industry Y2K speakers came from Liaoning Province, Beijing Municipality, the
Beijing Municipal Health Bureau, the Baoshan steel company and Chinese
banks. Two speakers discussed Y2K legal liability issues.  The speakers
agreed that China faces Y2K difficulties in many sectors but no one foresaw
a national cataclysm. The Embassy Beijing view is that Y2K will not put
American citizens in China into danger but will likely affect business and
especially small businesses such as suppliers and small contractors.  These
Y2K problems might affect the overall Chinese economy gradually over weeks
and months.

Downtown Chicago hit by electrical blackout

"Edelson, Doneel" <>
Thu, 12 Aug 1999 16:32:30 -0400
Downtown Chicago experienced extensive blackouts on 12 August 1999.
Initially, three of the four transformers at a North Side substation went
off-line.  (One transformer had been undergoing repairs.)  In addition, a
high-voltage cable failed.  This caused Commonwealth Edison to black out
about 2300 customers in two different areas.  The Chicago Board of Trade,
other exchanges, banks, businesses, and residences were shut down.  [Reuters
item, forwarded by Doneel from Yahoo! News Top Stories Headlines, 12 August;

Power coming back on causes UPS to lose power

"Ray Todd Stevens" <>
Mon, 23 Aug 1999 20:03:41 +0000
This is an interesting failure mode.  Situation: Computer (monitor
and printer) running on a UPS that is plugged into 110 with other
items.  Here is the failure sequence.

Power goes out for a period of several minutes (at least 15 to cause
failure).  UPS has been sized to allow 1 hour run time for computer.
Everything runs fine.  User acknowledges the UPS alarm and continues to work
as planned. Power is restored.  Everyone assumes that all is OK.  UPS
switches into battery charge mode and switches to line mode.  The combined
load is more than the breaker can take.  Now we have a localized power

#1   The power is back for such a short duration that the alarm on
the UPS doesn't reset and trigger.

#2  The other items on the circuit are noncritical and are not noticed
to be off line.

So, after about 30-45 minutes, the computer crashes with no warning.

Ray Todd Stevens, Senior Consultant, Stevens Services
R.R.#14 Box 1400, Bedford, IN 47421  (812) 279-9394

Numeric pager sending alpha messages

"Ray Todd Stevens" <>
Mon, 23 Aug 1999 20:05:19 +0000
One of my friends works in the customer service call center of a national
pager company. He deals with the usual complaints regarding poor pager
operation, as well as the occasional crank caller demanding to be paged less
often, more often, or by more interesting people.

The best call came from a man who repeatedly complained that he keeps being
paged by "Lucille." He was instructed that he would have to call her and
tell her to stop paging him.

"She don't never leave no number, so I can't call her back," he said.

After three such calls, someone thought to ask how he knew it was Lucille if
she didn't leave a number.

"She leaves her name," was the reply.

After establishing that the customer had a numeric-only pager, the light
bulb came on.

"How does she spell her name?" the service rep asked.

"L-O-W C-E-L-L"

Another problem solved.

  [I picked this up off of a joke list, but it certainly seems to apply to
  this list also.]

Ray Todd Stevens, Senior Consultant, Stevens Services
R.R.#14 Box 1400, Bedford, IN 47421  (812) 279-9394

Ohio town law against cell phones while driving

Jim Griffith <>
Wed, 25 Aug 1999 16:17:00 -0700 (PDT)
CNN reports that Brooklyn, Ohio has passed a city ordinance banning the use
of all but hands-free cell phones in moving vehicles, except in emergency
situations.  Effective September 1, violations may result in a $100 fine.
The city is responding to recent studies that show that the chance of having
an accident dramatically increases (one study says "quadruples") when cell
phones are being used.

Justice seeks wider access to computer data

"NewsScan" <>
Fri, 20 Aug 1999 08:20:25 -0700
The Justice Department wants to broaden rules for allowing law enforcement
officials to secretly enter suspects' homes or offices and disable security
on PCs in advance of administering a wiretap or conducting a further search.
An Aug. 4 memo says that encryption software "is increasingly used as a
means to facilitate criminal activity, such as drug trafficking, terrorism,
white-collar crime, and the distribution of child pornography."  Officials
at the Justice Department have drafted the Cyberspace Electronic Security
Act, which would expand existing search warrant powers to allow for
disabling encryption.  To extract information from the computer, agents
would still be required to get additional authorization from the court.
Privacy advocates say the proposed legislation would compromise personal
freedoms: "They have taken the cyberspace issue and are using it as
justification for invading the home," says a spokesman for the Center for
Democracy and Technology.  [*The Washington Post, 20 Aug 1999*,;
NewsScan Daily, 20 August 1999; reproduced with permission.  To subscribe to
NewsScan Daily, send an e-mail message to with
'subscribe' in the subject line.]

Inadvertent nameserver cache poisoning

Rich Lafferty <>
Mon, 23 Aug 1999 02:51:02 -0400
[Site names omitted to protect the guilty and innocent...--r]

I just ended an unusual conversation in which myself and a colleague were
enlisted to help debug a nameserver problem in which, according to the
original report, a large site had started using a smaller site's nameservers
for all its requests.

As it turns out — and the nature of the original report, pointing at the
large site, managed to disguise this for a while — the smaller site was a
domain farm, where, instead of adding A records for their thousands of
domains and hundreds of hostnames in each domain, they had configured their
nameserver to respond with a particular A record for any responses that
managed to make it to their nameserver. While this would also give their
address to queries for names that they weren't authoritative for, this
wasn't a problem in practice, as they had no local users using those

In other words, when working, only queries regarding their domains would
reach their server, and their server would respond with the same address for
all of those. Not particularly elegant, but it seemed to work.

Then they added NS records to those responses. And not just any NS records
-- accidentally or otherwise, all of their responses were claiming NS
authority over .com.

Now, usually, that wouldn't get picked up by anyone — nameservers querying
their server would have a perfectly-good cached NS record for .com. obtained
from a root nameserver. But it *did* happen that the nameserver at this
large site managed to start thinking that this little nameserver was
responsible for .com., and started sending all of its queries there. As far
as I can tell, it was only a matter of unfortunate timing, with a request
landing at that server and their cached NS record for .com. expiring at
nearly the same time.

The effects were somewhat disastrous, of course. Since the nameserver was
configured to give the same A record for everything, all of the requests for
*.com from the large site ended up at the same page full of
advertisements. The domain servers at the small site were overwhelmed, and
so were the *web* servers, having to serve up the page full of adverts so

While nameserver cache poisoning is something of an old RISK, this instance
had unusual repercussions in that it basically ended up with a denial of
service for all parties involved. (While we hope we caught it before it
became an extended problem, had we not, it would have continued indefinitely
as the small site's nameserver continued reminding the large site that it
was responsible for .com. with every request any of the large site's clients
might have made.)

(Interestingly, it took some explaining before the small site would
acknowledge that the problem was at their end — it often comes as a
surprise to small Internet quick-buck operations such as these that what
they do wrong can have such a disastrous effect on other parties. The ones
described above ended up getting things resolved after encountering myself
and a colleague on an IRC channel which offers help with Unix.)

Rich Lafferty, Information and Instructional Technology Services, Concordia
University, Montreal, QC  1-514-848-7625
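
The sequence described in the item above, modelled as an added example (not part of the original posting, and not any real nameserver's code): a toy resolver cache is run with and without a bailiwick check on the NS records it learns. The reserved `.example` TLD stands in for `.com`, and all server names, addresses, TTLs and timings are constructed.

```python
"""Constructed model of a resolver's NS cache; not real DNS software."""

ROOT = "root-ns"
FARM_IP = "203.0.113.66"  # constructed: the domain farm's single A record
SHOP_IP = "192.0.2.10"    # constructed: an unrelated site's real address
# Delegations handed out by the TLD server: zone -> (nameserver, TTL seconds)
DELEGATIONS = {"farm.example": ("farm-ns", 1000), "shop.example": ("shop-ns", 100)}


def tld_server(qname):
    zone = ".".join(qname.split(".")[-2:])
    server, ttl = DELEGATIONS[zone]
    return None, [(zone, server, ttl)]      # referral only, no answer


# Each server maps a query name to (answer, authority NS records).
SERVERS = {
    ROOT: lambda q: (None, [("example", "tld-ns", 100)]),
    "tld-ns": tld_server,
    "shop-ns": lambda q: (SHOP_IP, [("shop.example", "shop-ns", 100)]),
    # The misconfigured farm: same A record for any name, NS claim on the TLD.
    "farm-ns": lambda q: (FARM_IP, [("example", "farm-ns", 1000)]),
}


def in_bailiwick(owner, zone):
    """True if owner is the zone the server was asked about, or below it."""
    return zone == "" or owner == zone or owner.endswith("." + zone)


class ResolverCache:
    def __init__(self, check_bailiwick):
        self.check_bailiwick = check_bailiwick
        self.ns = {}        # zone -> (nameserver, expiry time)
        self.rejected = []  # out-of-bailiwick NS claims that were dropped

    def closest_ns(self, qname, now):
        labels = qname.split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            entry = self.ns.get(zone)
            if entry and entry[1] > now:
                return zone, entry[0]
        return "", ROOT     # nothing live cached: start at the root

    def learn(self, asked_zone, authority, now):
        for owner, server, ttl in authority:
            if self.check_bailiwick and not in_bailiwick(owner, asked_zone):
                self.rejected.append((owner, server))
                continue
            live = self.ns.get(owner)
            if live and live[1] > now:
                continue    # unexpired record is kept; expiry opens the window
            self.ns[owner] = (server, now + ttl)


def resolve(cache, qname, now):
    for _ in range(8):      # referral limit
        zone, server = cache.closest_ns(qname, now)
        answer, authority = SERVERS[server](qname)
        cache.learn(zone, authority, now)
        if answer is not None:
            return answer, server
    raise RuntimeError("too many referrals")


def run_scenario(check_bailiwick):
    cache = ResolverCache(check_bailiwick)
    timeline = [(0, "www.farm.example"), (1, "www.shop.example"),
                (150, "www.farm.example"), (151, "www.shop.example")]
    return [resolve(cache, name, t) for t, name in timeline], cache


if __name__ == "__main__":
    for mode in (False, True):
        results, cache = run_scenario(mode)
        print("bailiwick check:", mode, results, "rejected:", len(cache.rejected))
```

With the check off, the last lookup (an unrelated site) returns the farm's address because the expired TLD record was replaced by the farm's claim; with it on, the claim is dropped and the lookup goes back through the root.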

Purchase circles and insider information

"Joseph A. Dellinger" <>
Thu, 26 Aug 1999 15:54:23 -0500 (CDT)
has come out with a new service, "purchase circles".  It lets you
look up the 10 most popular books ordered by people at different
companies. I'm not sure realizes how powerful an information
source this is. I heard about this new feature from Stanford students near
graduation, who are using it to assess the relative "Dilbert index" of
possible future employers (as indicated by the ratio of new-age management
to technical books making the list). You can also use it to get some idea of
the current mood within a company. One large oil company in particular
stands out: people there are mostly ordering books on changing careers and
on introductory web/programming/internet skills. Not surprisingly, this is a
company about to be acquired.

The complete list of books being ordered by a given company might provide
very interesting insider information. There might be a noticeable spike in
"What color is my parachute" orders preceding public disclosure of an
impending big layoff, for example. A rash of "introductory Spanish" book
orders might indicate a planned expansion into or relocation of workers to a
Spanish-speaking country. How long before employees are ordered not to order
books over the internet using their work accounts?

Can Linux survive software patents?

Martin Minow <>
Sun, 15 Aug 1999 21:14:30 -0700

An interesting article on the effect of patents on open source software.

Disclaimer: I'm a co-author of one patent, and recently authored three
software patents for my former employer.

Before moving to San Francisco, I helped a friend try to recover backup
tapes from MIT-AI (the birthplace of the Open Source movement, though there
was much open source available before that computer). It seems that MIT folk
wanted to recover "prior art" (from the 1960's) that is now being patented.

Martin Minow

Canadian spy secrets leak on Web

David Kennedy CISSP <>
Fri, 27 Aug 1999 02:32:39 -0400

by Andrew Mitrovica

>In what intelligence experts are calling an embarrassing gaffe and a
>serious breach of security, one of the military's top-secret electronic
>eavesdroppers posted the names and location of CF-18 pilots based in Italy
>on his own Web page before and during the war in Yugoslavia, The Globe and
>Mail has learned.   [...]

>Moreover, he said he set up his Web page with the consent of his superiors
>at the Defence Department before he shut it down in the spring because he
>feared that it might imperil the lives of CF-18 pilots and their crews, who
>made hundreds of bombing sorties during the Balkans war.  [...]

>Reg Whitaker, a York University political science professor and an expert
>on intelligence matters, said MCpl. Arsenault's Web page was "a very
>serious breach of security. And it clearly provides confirmation that these
>guys [CSE] were there [in Italy]. It's safe to assume that this kind of
>sensitive information being posted on the Internet is not official policy
>for the agency. That's really very embarrassing."   [...]
>His Web page was not the only source of information about military snoops
>and the CSE to appear on the Internet recently.
>In March of 1997, the Defence Department briefly posted on its own Web site
>confidential information about military personnel who collect and monitor
>communications for the CSE, known in the military as "291ers."
>The department's Web site provided a complete list of the number, location,
>rank and responsibilities of hundreds of researchers throughout Canada, the
>United States and Britain. However, it did not include names.

Dave Kennedy CISSP Director of Research Services

Auto-Fix feature for Dell PCs

"Henry Robertson" <>
Thu, 26 Aug 1999 09:34:48 -0400
These days many people (not me) have gotten used to the auto-update features
for various software packages. For example, the Norton Antivirus program can
be set so that every Friday night it automatically connects to the Norton
web site and downloads the latest virus protection features. Not a bad idea
if you trust this type of connection. Well, Dell has taken this a bit
further. A product called "Open Manage Resolution Assistant" will reside on
their next series of servers/workstations. It looks for failures or errors
and auto-notifies Dell's technical staff. (The worst is yet to come.) Dell's
staff then has the capability of doing remote diagnostics and running
certain "scripts" on your computer to find the problem. This requires a
major hole in your system firewall! If you feel comfortable with a
technician in Texas roaming around on your financial server, then this isn't
as scary for you as it is for me.

For more info see "Inter@ctive" magazine, vol.6, no.34, page 7.

Henry Robertson, Safety Systems Group, Jefferson Lab  1-757-269-7285

Re: Car won't start if payments are delinquent (Smith, RISKS-20.54)

"Edmunds, Keith" <>
Fri, 27 Aug 1999 16:02:39 +0100
> ...The big difference is that an ignition lock malfunction puts the
> _purchaser_ at risk, so presumably market forces would work to insure
> reliability."

Insure or ensure? "Insure" means you accept that the risk exists and ask
someone else to pay out in some way if the risk is realised; "ensure" means
you do everything you need to do to remove the risk.

The RISK here is a misunderstanding about whether or not the risk exists,
and what comeback there might be if it does. Perhaps the real risk is not
understanding the difference between American and English: as one person
once said, "Two nations divided by a common language."

Keith Edmunds  Reading England <>

gnu touch has an unusual sense of time

"B. Elijah Griffin" <>
Fri, 27 Aug 1999 16:59:09 -0400 (EDT)
Today I was trying to use the output of "ls -l" and the --date option of
touch (from GNU fileutils 4.0) to restore time stamps on some files I'd
ftp'd to something close to the original time stamps.

Apparently, however, a command like:

    touch --date='Nov 11 1996' file

results in "1996" being interpreted as 7pm plus 96 minutes or 8:36pm, which
I find to be a distinctly non-intuitive understanding of time.

Had I not double-checked the results, these mistaken time stamps would have
remained and conflicted with my intent for restoring them in the first


Of course, ls's ideas about displaying time are screwy enough.

  [Of course, "fileutils" looks like it might be a French word
  if you treat the "eu" as a diphthong.  But then a diff-thong might be
  a program that discriminates between things like thongs and songs.  PGN]

Security check powers up computer

Edward Holden
Tue, 24 Aug 1999 08:22:45 -0400
Before flying I normally put my laptop computer in my carry-on bag in
standby mode, where the contents of memory are stored on the hard disk and
the power is off.

Perhaps a dozen times in six months, the procedure for inspecting bags on
entry to the terminal seems to have managed to restart the computer.  An
hour into flight, I discover the computer is on and the battery is 80%
used. This is irritating(!) and perhaps dangerous, although none of my
flights has crashed.

Sometimes, now, I remember to check the machine is still power-off by
inspecting it after boarding the plane while still parked at the gate.  On
one such occasion I was strongly reprimanded by a flight attendant for
"using" the computer at that time.

I find it interesting that an anti-terrorist inspection might risk creating
an electronic hazard to a flight.

Edward Holden

Re: NCIC 2000 (Fairfax, RISKS-20.54)

Otto Stolz <>
Mon, 23 Aug 1999 10:17:38 -0600
> What is particularly ironic about the new licensing requirement is that
> (legal) firearms ownership has long been limited to those persons who have
> no criminal record.  Thus, the statute mandates the collection and
> dissemination of fingerprints from people who are known to have committed
> no crime.

Rather, those fingerprints are collected from people who are not known
to have committed a crime — an essential difference, and probably part
of the rationale for that statute.

Otto Stolz

USENIX Annual Conference 2000, Announcement and Call For Papers

Moun Chau <moun@usenix.ORG>
Fri, 27 Aug 1999 19:57:52 GMT
2000 USENIX Annual Technical Conference
June 18-23, 2000
San Diego Marriott Hotel & Marina
San Diego, California, USA
Sponsored by USENIX, the Advanced Computing Systems Association.

Please see the detailed submission guidelines and conference
Paper Submissions deadline: November 29, 1999

USENIX Security Symposium 2000, Announcement and Call for Papers

Moun Chau <moun@usenix.ORG>
Tue, 24 Aug 1999 20:00:31 GMT
9th USENIX Security Symposium 2000 Conference
August 14 - 17, 2000
Denver, Colorado, USA
Conference URL:

The USENIX Security Symposium brings together researchers, practitioners,
system administrators, systems programmers, and others interested in the
latest advances in security and applications of cryptography.  The keynote
speaker is Dr. Blaine Burnham, Director of the Georgia Tech Information
Security Center (GTISC) and formerly Program Manager for the National
Security Agency (NSA) at Ft. Meade, Maryland.

Paper submissions due: February 10, 2000

  [Wow! A year from now, and I just got back last night from the 1999
  Conference in WashDC, after sitting on the plane docked at the gate
  at Dulles, which finally took off four hours late while we waited
  for a bunch of storms to pass.  At least I did not have to go through
  Chicago, where most UAL flights were cancelled because of someone
  who evaded the security controls.  PGN]
