The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 65

Sunday 21 November 1999

Contents

o Nasdaq software failure
Keith A Rhodes
o Netscape's cookie-preserving behavior
Crispin Cowan
o Announcing - PFIR: "People For Internet Responsibility"
Lauren Weinstein
o Businesses could owe millions for popular Year 2000 bug fix
Keith A Rhodes
o Japan rail ticket system crash due to 11/11/11 11:11
Dave Fossett
Hiroshi Naito
o Computer prompts increase errors?
Ursula Martin
o Re: Y2K creates "horseless carriages"
Adam Elman
o Possible risks in not examining end-user license agreements?
Anthony Garcia
o Microsoft Y2K liability
Lloyd Wood
o Risks of Office 2000
Lloyd Wood
o Re: Sarah Flannery
Jean-Jacques Quisquater
o Slashes in spreadsheets
Kent Quirk
o DVD crypto was intended to be weak
M Seecof
o Amazon password change requests poorly authenticated
Andrew R. Thomas-Cramer
o Who protects me from the protectors?
David Mediavilla
o Bill Royds" <broyds@home.com>
o Risks of advertisements in software
o Workshop on Freedom and Privacy By Design
Lorrie Cranor
o Info on RISKS (comp.risks)

Nasdaq software failure

"Keith A Rhodes" <rhodesk.aimd@gao.gov>
Wed, 17 Nov 1999 08:30:22 -0500
Traders were unable to buy or sell stocks for 17 crucial minutes on 16 Nov
1999 after Nasdaq officials attempted a software upgrade on the fly in the
last half hour of trading.  Something went wrong and investors were the ones
who paid the price.  [Source: Poorly timed software upgrade paralyzes Nasdaq,
by Larry Barrett ZDII, 16 Nov 1999]


Netscape's cookie-preserving behavior

Crispin Cowan <crispin@cse.ogi.edu>
Thu, 04 Nov 1999 18:09:33 +0000
I normally run with cookies completely disabled.  Sometimes I hit sites
that insist on using cookies (e.g. slashdot's login for non-anonymous
posting) and so I temporarily enable cookies.  I observed (with joy) that
when I disable cookies again, the "cookies" file disappears from my
~/.netscape directory.  Good, it appears to delete cookies when I disable
them.  So I started telling people about this cool feature.

However, some time later Gil Niger reported back to me that Netscape is
actually preserving cookie information across bouts of disabling cookies.
Consider this experiment:

   * enable cookies
   * browse a cookie-using site
   * observe the cookies file--hmmm, it seems to contain an old cookie from
     the washingtonpost.com
   * disable cookies
   * observe that the cookies file is gone, and a grep of the .netscape
     directory failed to show the washingtonpost.com cookie in any file
   * re-enable cookies
   * browse another cookie-using site (not washingtonpost.com)
   * observe the cookies file again--the washingtonpost.com cookie is back
     again

Not a huge deal, but it seems misleading, at best, to *appear* to be
deleting cookie information, while actually preserving it.  However, I have
never seen any NS documentation that suggested that NS was actually
deleting cookie info when cookies are disabled, so it's just my inference
from watching the file disappear.

I can't wait for Mozilla to stabilize:  I really want that "anonymous mode"
feature.

My version:  Netscape Communicator 4.7 for Linux/libc5/strong crypto.

Crispin

P.S.  Amusing note:  NS 4.7's spelling checker just flagged "Mozilla" as an
unrecognized word :-)

Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org


Announcing - PFIR: "People For Internet Responsibility"

Lauren Weinstein <lauren@vortex.com>
Tue, 16 Nov 99 09:34 PST
                  ANNOUNCING
              PFIR: "People For Internet Responsibility"
                 http://www.pfir.org

November 16, 1999

PFIR is a global, grassroots, ad hoc network of individuals who are
concerned about the current and future operations, development, management,
and regulation of the Internet in responsible manners.  The goal of PFIR is
to help provide a resource for individuals around the world to gain an
ability to help impact these crucial Internet issues, which will affect
virtually all aspects of our cultures, societies, and lives in the 21st
century.  PFIR is non-partisan, has no political agenda, and does
not engage in lobbying.

PFIR has been founded in November, 1999 by Lauren Weinstein of Vortex
Technology in Woodland Hills, California and Peter G. Neumann of SRI
International in Menlo Park, California.  Both have decades of continual
experience with the Internet and its ancestor ARPANET, Lauren originally at
the UCLA lab which was the ARPANET's first site, and Peter at the net's
second site, located at SRI.

Peter is the chairman of the ACM (Association for Computing Machinery)
Committee on Computers and Public Policy, and the creator and moderator of
the Internet RISKS Forum.  Lauren is a member of that same committee, and he
is the creator and moderator of the Internet PRIVACY Forum.

With the rapid commercialization of the Internet and its World Wide Web
during the 1990's, there are increasing concerns that decisions regarding
these resources are being irresponsibly skewed through the influence of
powerful, vested interests (in commercial, political, and other categories)
whose goals are not necessarily always aligned with the concerns of
individuals and the people at large.  Such incompatibilities have surfaced
in areas including domain name policy, spam, security, encryption, freedom
of speech issues, privacy, content rating and filtering, and a vast array of
other areas.  New ones are sure to come!

While corporate, political, and other related entities most certainly have
important roles to play in Internet issues, it is unwise and unacceptable
for their influences to be effectively the only significant factors
affecting the broad scope of Internet policies.

There are numerous examples. While e-commerce can indeed be a wonderful
tool, it is shortsighted in the extreme for some interests to treat the
incredible creation that is the Internet as little more than a giant mail
order catalog, with ".com" associated hype on seemingly every ad, billboard
and commercial.  Protection of copyrights in a global Internet environment,
without abusive monitoring, is a challenge indeed. The Internet can be a
fantastic tool to encourage the flow of ideas, information, and education,
but it can also be used to track users' behaviors and invade individuals'
privacy in manners that George Orwell never imagined in his "1984" world.

PFIR is a resource for discussion, analysis, and information regarding
Internet issues, aimed at providing a forum for *ordinary people* to
participate in the process of Internet evolution, control, and use, around
the entire world.  PFIR is also a focal point for providing media and
government with a resource regarding Internet issues that is not controlled
by entities with existing major vested financial, political, or other
interests.  This is accomplished through the PFIR Web site, the handling of
telephone and e-mail queries, and through digests, discussion groups,
reports, broadcast and Internet radio efforts, and other venues.

For full details about People For Internet Responsibility, including
information regarding how you can participate in or keep informed about PFIR
activities (including the PFIR Digest mailing list), please visit the PFIR
Web site at:

   http://www.pfir.org

Individuals, organizations, media, etc. who are interested in more
information regarding PFIR or these Internet issues are invited to contact:

Phone, Fax, or E-mail:

Lauren Weinstein
TEL: +1 (818) 225-2800
FAX: +1 (818) 225-7203
lauren@pfir.org

Please send any physical mail to:

PFIR c/o Peter G. Neumann
Principal Scientist
Computer Science Lab
SRI International EL-243
333 Ravenswood Ave.
Menlo Park, CA 94025-3493 USA

Thank you very much.  Be seeing you!

Lauren Weinstein
Peter G. Neumann
16 November 1999


Businesses could owe millions for popular Year 2000 bug fix

"Keith A Rhodes" <rhodesk.aimd@gao.gov>
Fri, 12 Nov 1999 14:21:46 -0500
It turns out the windowing technique used frequently by Y2K remediators to
postpone the Y2K problem (reinterpreting two-digit dates ij: from 00 to xy
as 2000+ij, and from xy+1 to 99 as 1900+ij) was patented in 1998 by Bruce
Dickens, at McDonnell Douglas Corp, now Boeing.  He wants to collect
big-time.  However, that technique seems to have existed long before the
patent application was submitted (for example, in the 1960s on one-digit
year software).  I guess we'll have to wait and see what happens.  (There
are apparently also 30 other much more specific patents on Y2K fixes.)
[Source: Associated Press item by Anick Jesdanun, 11 Nov 1999; PGN-ed]

  [NOTE: It will be interesting if the companies then ask Mr. Dickens to fix
  the problem after the window expires.  Keith]

    [The patent office seems to be overwhelmed these days, and is issuing
    many patents for which prior art CLEARLY existed at the time.  The
    entire patent process seems to be getting out of control.  PGN]


Japan rail ticket system crash due to 11/11/11 11:11

Dave Fossett <dajf@REMOVE_THISpo.teleway.ne.jp>
Fri, 12 Nov 1999 14:18:04 +0900
Newsgroups:  misc.transport.rail.misc

The MARS ticket reservation computer system for the nationwide JR network
crashed spectacularly at 11:10 on the 11th November 1999. The reason was not
initially clear, but while some speculated it was a kind of Y2K-like
problem, the most obvious cause seemed to be the overwhelming number of
requests for tickets printed with the date and time 11/11/11 11:11.  In the
Japanese calendar, 1999 is written as Year 11, being the 11th year of the
current emperor.

Dave Fossett, Saitama, JAPAN [via Andre Sintzoff]


Japan rail ticket system crash due to 11/11/11 11:11

Hiroshi Naito <mt5h-nitu@asahi-net.or.jp>
Sat, 13 Nov 1999 21:10:55 +0900
Newsgroups:  misc.transport.rail.misc

The following is supplemental info of this incident.

The JR's ticket reservation and issuing system crashed on the day at
around 11:11 because of intensive access caused by ticket collectors
who were in favor of a string of 10 "1" letters (11, 11, 11, 11,11)
printed on a platform ticket (Nyujo ken in Japanese). The first two
digits indicate the year of Heisei 11 in original Japanese era
designation still in use as well as the year in the Christian
calendar. Regular train tickets have time stamping printed up to date,
but a platform ticket is printed up to minutes. At that time, the
ticket collectors suddenly started purchasing platform tickets through
the MARS system. The rate of platform tickets issued is usually only
about three percent of the entire tickets while it reportedly soared
up to 75 percent at 11:11 on the day. Besides, the system requires 150%
more processing time per transaction for a platform ticket compared
to for a regular train ticket. This situation caused a massive load on
the central computer beyond its ticket issuing capability and resulted
in the computer down.

This seems to be a good lesson as to the Y2K issue.  The transport-related
systems must be well verified and has been fixed for the date processing
problem of Y2K, however, this incident suggests implication of system downs
all over the world on 2000, 1, 1, caused by unexpected overwhelming
transactions.

Hiroshi Naito [via Andre Sintzoff]

  [I also received another take on this problem written by Nina Thorsen,
  sent via Martin Minow.  PGN]


Computer prompts increase errors?

Ursula Martin <ursula@csl.sri.com>
Fri, 12 Nov 1999 18:49:43 -0800
http://www.newscientist.com/ns/19991106/newsstory1.html

This is a story about experiment suggesting more errors when relying on
computer prompts than when reading instruments manually.


Re: Y2K creates "horseless carriages" (Doty, RISKS-20.64)

Adam Elman <aelman@stanfordalumni.org>
Mon, 8 Nov 1999 21:44:52 -0800 (PST)
"Horseless carriage" is a legal designation used by some states to indicate
a particular type of automobile registration, usually for early-20th-century
cars.  It's not an issue of a DMV programmer picking an odd-sounding
category.

Of course, this points out a RISK of transient URLs; the San Jose Mercury
usually leaves articles up only for a few days before they move them into
their archive, where you have to pay to retrieve back content.  However, I
was able to find this article by searching on "horseless carriage" in both
the San Jose Mercury News site and the Portland, ME Press-Herald
(http://www.portland.com/) -- which makes it seem much less of an urban
legend.

Adam  [also noted by many other contributors!  Thanks.  PGN]


Possible risks in not examining end-user license agreements?

Anthony Garcia <agarcia@starbase.neosoft.com>
Thu, 18 Nov 1999 15:01:49 -0600 (CST)
Dialpad (www.dialpad.com) is a recently launched free net-to-telephone
gateway service.

The marketing literature on their website states:
     "Dialpad.com is the world's first free Java-based
     web-to-phone service.  With Dialpad.com, you can
     make unlimited free phone calls to anybody in the
     US as long as the other party has a valid phone number."
and
     "There is absolutely no cost involved in using
     Dialpad.com. The per call cost of Internet
     telephony is much lower than that of regular
     telephony. We bear the costs of calls you make and
     cover them with the revenue generated from banner ads."

To use the service, you have to download a Java applet that runs on your
machine.  Downloading the Dialpad client program requires that you click an
"I Accept" button at the bottom of a web page containing their End User
License Agreement, at http://www.dialpad.com/license_agreement.html

The Dialpad EULA starts off by identifying "The Dialpad.com Website"
as "(the "Website" or "Site")" and continues off into the usual sort
of EULA verbiage.

However, about halfway thru, it includes an interesting clause I've
never noticed before on any other EULA:

  Dialpad.com cannot and does not guarantee or warrant that the files
  available for downloading from the Site will be free of infection or
  viruses, worms, trojan horses or other code that manifest contaminating
  or destructive properties. You are responsible for implementing
  sufficient procedures and checkpoints to satisfy your particular
  requirements for accuracy of data input and output, and for maintaining
  a means external to the Site for the reconstruction of any lost
  data. YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THE SITE,
  SOFTWARE, SERVICE AND THE INTERNET.

It seems rather strange for Dialpad to make this disclaimer about
their own software's behavior.

Should we beware of Greeks bearing gifts, in this case?  Can such a clause
in an agreed-to EULA successfully indemnify someone who installs a Trojan
Horse program on your machine, allowing them to claim your consent?

Anthony Garcia <agarcia@neosoft.com>


Microsoft Y2K liability

Lloyd Wood <L.Wood@surrey.ac.uk>
Tue, 16 Nov 1999 15:56:29 +0000 (GMT)
I didn't know I _was_ a Microsoft (UK) customer. Must be because they
own Apple.  And I refuse to take seriously any Y2K statement ending with:

   MOREOVER, MICROSOFT DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS
   REGARDING THE USE OR THE RESULTS OF THE USE OF ANY MICROSOFT YEAR
   2000 STATEMENT IN TERMS OF ITS CORRECTNESS, ACCURACY, RELIABILITY,
   OR OTHERWISE.

disclaiming everything previously said, and sent by some clueless
organisation that can't wrap to less than 80 chars.

<L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>

  [Get the full message from Lloyd if you are curious.  PGN]


Risks of Office 2000

Lloyd Wood <L.Wood@surrey.ac.uk>
Wed, 17 Nov 1999 19:24:52 +0000 (GMT)
(Pointed out to me by Adam Kirby.) Try this in Office 2000.

Open a new document.
Type 'Hello World'.
Save as HTML.
View source of the saved document.

The length of the resulting document (three pages!) firmly places this
in the 'extend' part of 'embrace and extend'. Risk? We're going to be
drowning networks in even more redundant crud.

<L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>


Re: Sarah Flannery (RISKS-20.16)

Jean-Jacques Quisquater <jjq@dice.ucl.ac.be>
Thu, 11 Nov 1999 19:02:56 +0100
Do you remember Sarah Flannery and her new cryptoalgorithm?
Here are some links:

     http://jya.com/flannery.htm
     http://www.intel.com/pressroom/archive/backgrnd/co51198a.HTM
          (including Gordon Moore and George Bush!)
     http://www.girlscientist.org/links.html

     See also comp.risks 20.16 (15 J. 99)
     Subject: 16-yr-old Irish girl's crypto system
     With comments by PGN

The story continues:

     http://www.esat.ie/youngscientists/new/students/eu.htm
     http://www.cordis.lu/improving/src/hp_ys.htm
     http://europa.eu.int/comm/dg12/press/1999/pr2509en.html
     http://europa.eu.int/comm/dg12/press/1999/pr2509en_ann.pdf

And the paper

      http://cryptome.org/flannery-cp.htm

Thanks to John Young.


Slashes in spreadsheets (Re: RISKS-20.64)

Kent Quirk <kent_quirk@cognitoy.com>
Sun, 07 Nov 1999 17:38:33 -0500
> From: Vicky Larmour <vicky.larmour@camcon.co.uk>
> ...why should forward slash be treated as an ALT press, but not if I
> am already editing text in a cell?

Ah, bitten by "ancient" history.

See, back in the days when Lotus was King and Microsoft a wannabe, Lotus
1-2-3 was effectively an operating system on a lot of computers. There were
huge numbers of people who started it up in the morning and used it all day
long for everything -- not just spreadsheets, but letters, graphics, etc.

1-2-3's menu system (before any attempt at GUI standards and before the
mouse was common) was invoked by hitting slash. Once you got used to it, you
really really liked it. So /fr was "menu file retrieve", etc.

Lotus was forced by its customers to support this mode of usage in future
spreadsheets. It did so by popping up a little dialog box containing nothing
but the original 1-2-3 menu when you hit the slash key; whatever command you
typed would then be translated to Windows GUI commands for you. (During the
internal development process of the Windows version of 1-2-3, when this
feature was introduced, the dialog box was labeled "Same as it ever was.")

Microsoft was busy watching the Lotus look-and-feel lawsuit around this
time, and they presumably didn't wish to be *quite* as obvious as
popping up a 1-2-3 menu system. So instead, they made the slash key
invoke the windows menu in the same way that Alt does.

> Why isn't this listed in the keyboard shortcuts in the Excel help?

Probably because they had hopes of making it go away someday, and they
didn't want to create a generation of users that depended on it.

Kent Quirk, Game Designer, kent_quirk@cognitoy.com http://www.cognitoy.com/


DVD crypto was intended to be weak

<mseecof@seatimes.com>
Tue, 09 Nov 1999 15:11:00 -0800
Sure, the DVD CCS encryption scheme was weak.  Weak methods are cheap and
easy to implement.  Since people analyzing licensed software decoders
would've broken even strong encryption of DVD movies, movie vendors had no
incentive to pay for anything but weak encryption.  They prefer to fight
piracy with jackbooted enforcement of ill-conceived laws like the "Digital
Millennium Copyright Act," an interesting Herman-Kahn'ian case of relying on
deterrence rather than defence.


Amazon password change requests poorly authenticated

"Andrew R. Thomas-Cramer" <artc@prism-cs.com>
Mon, 15 Nov 1999 11:37:28 -0600
The Web business Amazon.com will provide new account passwords over the
phone given only heavily-distributed public knowledge. Access to the
account allows ordering with its credit-card number.

Because I'd forgotten my Amazon password, I called via voice to change it.

I was asked first for:
* My e-mail address.
* The last purchase.

Since I didn't recall my last purchase, I was asked instead for:
* My e-mail address.
* My name.
* My zip code.
* The last four digits of my phone number.

I think it's in the realm of possibility that one or two other people might
know my e-mail address, name, zip code, and phone number.  I haven't yet
received an e-mail notice that my password has changed, but it's been only
ten minutes.

Fortunately, the shipping address for an order can't be changed unless the
credit card number is re-entered. However, this only reduces, not
eliminates, the risk of theft, and it doesn't forestall pranks.

BTW, this e-mail was *not* sent from the same address referenced by my Amazon
account.


Who protects me from the protectors?

<David Mediavilla>
Tue, 9 Nov 1999 14:32:46 +0100
The Agencia de Protección de Datos ( http://www.ag-protecciondatos.es/ ) is
the Spanish authority that registers and oversees use of personal data
(names, addresses,...) in private and official files.

They offer a form ( http://www.ag-protecciondatos.es/dato4.htm ) for
requests from citizens.
The form redirects to a ~secure~ server
https://wwws.servicom.es/ag-protecciondatos/dato4.htm .
There, you _must_ (according to standard procedure
https://wwws.servicom.es/ag-protecciondatos/por_que.htm ) provide your
personal data (name, postal address, e-mail address).

It is the first time an official organization requests my postal address and
e-mail address at the same time. But I may think that since these people are
the ones who defend me against privacy breaches, they will keep my privacy.

All this trust is lost because, in the jump to secure HTTP, they used an SSL
2.0 certificate from RSA Data Security valid until _12/10/99_ 23:59:59.

David Mediavilla Ezquibela  <davidme.forum@bigfootNOSPAM.com>


Risks of advertisements in software

"Bill Royds" <broyds@home.com>
Sun, 14 Nov 1999 22:51:27 -0500
A company called Conducent (http://www.conducent.com also called TimeSink)
is offering to pay creators of free Microsoft Windows software if the
software contains modules to display banner ads when the software is
used. These modules are installed on the client's machine when the freeware
is installed and is added to the user's start-up entry in the Windows
Registry file without informing the user of the fact. This is an entry for
TSADBOT.exe in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
entry. Shareware the does this includes PKZipW and Cute-FTP.
  When the user runs the software, an Internet connection is attempted to
a bank of computers controlled by Conducent, posting information about what
program is running and other information about the user. This seems to be
the method by which Conducent determines which software is running for
royalty payments. It also uses the information to determine which
advertising to show the user.
  This is very similar to the Trojan horses that worry people so much and is
probably illegal in countries with strong privacy laws.  If someone was able
to intercept these transmissions they could determine internal network and
personal information about a user.  Many users would not install these
programs if the realised the nature of how the advertising works.
  But an even worse fate occurs if the AdBot is thwarted in its attempts to
connect to Conducent by a firewall or other controls.  It starts to attempt
to connect continually, about 10 times/second causing a huge load on local
network facilities. If it can't connect even then, it tries to connect using
Telnet and other ports with the background AdBot retrying the HTTP connects
after several hours.

Bill Royds, 3414 McCarthy Road, Ottawa, ON  K1V 9A1 Canada
1-513-733-7727  BRoyds@home.com


Workshop on Freedom and Privacy By Design

Lorrie Cranor <lorrie@RESEARCH.ATT.COM>
Fri, 12 Nov 1999 17:30:33 -0500
(Note the extended deadline)

DEADLINE REMINDER, CALL FOR PARTICIPATION
      WORKSHOP ON FREEDOM AND PRIVACY BY DESIGN

COMPUTERS, FREEDOM, AND PRIVACY 2000

      --> Submissions due November 30, 1999 <--

Westin Harbor Castle Hotel, Toronto, Canada, 4-7 April 2000

       http://www.cfp2000.org/

This announcement is at http://www.cfp2000.org/workshop

PURPOSE:

CFP has traditionally focused strongly on legal remedies as essential
instruments in the fight to ensure freedom and privacy.  But law is often
very slow to catch up to technology, and has limited reach when considering
the global scope of modern communication and information technologies.

This workshop instead explores using -technology- to bring about strong
protections of civil liberties which are guaranteed by the technology
itself---in short, to get hackers, system architects, and implementors
strongly involved in CFP and its goals.  Our exploration of technology
includes (a) implemented, fielded systems, and (b) what principles and
architectures should be developed, including which open problems must be
solved, to implement and field novel systems that can be inherently
protective of civil liberties.

We aim to bring together implementors and those who have studied the social
issues of freedom and privacy in one room, to answer questions such as:

 o Implementation
   o How can we avoid having to trade off privacy for utility?
   o What sorts of tools do we have available?
   o What sorts of applications may be satisfied by which architectures?
   o What still needs to be discovered?
   o What still needs to be implemented?
   o Is open source software inherently more likely to protect civil
     liberties, or not?  Should we push for its wider adoption?
 o Motivation
   o How do we motivate businesses to field systems that are inherently
     protective of their users' civil liberties---even or especially when
     this deprives businesses of commercially-valuable demographic data?
   o How can we encourage users to demand that implementors protect users'
     rights?
 o Evaluation criteria
   o Given some particular goal(s) for a particular project or technology---
     such as protecting privacy---can we tell in advance if the end result
     is likely to help?
   o How can we tell if a system, once fielded, has achieved its goal(s)?

The intended end products of this workshop are:
 o Ideas for systems that we should field, and
 o Implementation strategies for fielding them.

Please report problems with the web pages to the maintainer

Top