The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 95

Wednesday 19 July 2000

Contents

o Anti-spam legislation
NewsScan
o Google allows anonymous spam
Lloyd Wood
o British law would allow police to intercept e-mail
NewsScan
o Clinton administration plans on wire taps & encryption
NewsScan
o ID theft finally coming to the fore
PGN
o Mother's maiden name as security check
Bill Tolle
o Navy to use Windows 2000 on aircraft carriers
Nancy Leveson
o House rejects Internet gambling bill
NewsScan
o Italian crash exposes risks of online stock trading
Keith A Rhodes
o DC Metro can't label rerouted trains
Wm. Randolph Franklin
o Illinois man dies after utility cuts power
Bill Higgins
o Fox network misprograms time on US VCRs for a year
Michael D. Crawford
o Company lost domain name
Arthur J. Byrnes
o Royal Mail claims web orders encrypted when they aren't
Gary Barnes
o London Underground magnetic ticket bug
Boyd Roberts
o Man charged with breaking into NASA computers
Keith A Rhodes
o A self-referential risky accident
Michael L. Cook
o Re: Australian DST rules changed for Olympics
Fraser McHarg
o Re: Software upgrade cancels train tickets
Matt Fichtenbaum
o Re: UK Millennium Bridge instability
Charles Arthur
o Re: Another Win95/DOS interaction
Lloyd Wood
o Info on RISKS (comp.risks)

Anti-spam legislation

"NewsScan" <newsscan@newsscan.com>
Wed, 19 Jul 2000 12:28:55 -0700
The U.S. House of Representatives passed 427-1 a bill that would require
senders of unsolicited commercial e-mail messages to provide a valid return
e-mail address that recipients of the messages could use to take them off
the mailing list. Under the law, the Federal Trade Commission could bring
legal actions against spammers who willfully ignore it. Violators could also
be sued by Internet service providers. [AP/*USA Today*, 19 Jul 2000
http://www.usatoday.com/life/cyber/tech/cti244.htm; NewsScan Daily, 19 July
2000]


Google allows anonymous spam

Lloyd Wood <l.wood@eim.surrey.ac.uk>
Wed, 12 Jul 2000 18:23:16 +0100 (BST)
http://services.google.com/cgi-bin/emailresults?/search?q=

In providing an 'e-mail these results to friends' service, Google is allowing
completely anonymous mail delivery; just delete the filled-in search text
and go.

The risk is that this will be used for spam or for harassment; Google
headers and footers mean that Google will get any blame. If you're ranked
highly on a particular google search, this becomes an obvious and convenient
promotional tool for you: you're 'recommended by Google!'.

Or, if you miss anon.petit.fi, this may be good news, since tracing the
source without contacting Google is made less straightforward.

Received: from services.exo.google.com (crawler.googlebot.com [209.185.253.175]
      (may be forged))
          by ns.google.com (8.9.3/8.9.3) with ESMTP id JAA11738
          for <l.wood@iee.org>; Wed, 12 Jul 2000 09:58:25 -0700

Unlike hotmail et al, Google doesn't even append an initial Received:
header providing the IP address of the originating machine or proxy;
just a somewhat useless 'may be forged' warning.

I can't see this service staying in its current state long.

<L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>
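
An added example, not part of the original post: a Python triage helper that walks a message's Received: chain from the earliest hop and reports whether anything outside the operator's own hosts was recorded. The first sample is the header quoted above; the second is constructed (documentation addresses) to show a web-mail service that does log the submitting client, and the last-two-labels domain comparison is a simplifying assumption.

```python
import re
from email import message_from_string

# The Received: header quoted in the post above.
GOOGLE_SAMPLE = """\
Received: from services.exo.google.com (crawler.googlebot.com [209.185.253.175]
      (may be forged))
          by ns.google.com (8.9.3/8.9.3) with ESMTP id JAA11738
          for <l.wood@iee.org>; Wed, 12 Jul 2000 09:58:25 -0700
"""

# Constructed sample: a web-mail service that prepends an initial Received:
# line naming the submitting client. Hosts and addresses are placeholders.
WEBMAIL_SAMPLE = """\
Received: from webmail.example.net (webmail.example.net [192.0.2.10])
          by mx.example.org with ESMTP id CONSTRUCTED1
          for <user@example.org>; Wed, 12 Jul 2000 10:00:05 -0700
Received: from [198.51.100.23] by webmail.example.net with HTTP;
          Wed, 12 Jul 2000 10:00:01 -0700
"""


def parse_hop(value):
    """Pull the fields an abuse desk cares about out of one Received: value."""
    text = " ".join(value.split())  # unfold continuation lines
    helo = re.search(r"\bfrom\s+(\S+)", text)
    ip = re.search(r"\[([0-9A-Fa-f:.]+)\]", text)
    by = re.search(r"\bby\s+([^\s;]+)", text)
    proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
    return {
        "helo": helo.group(1) if helo else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "proto": proto.group(1) if proto else None,
        "may_be_forged": "may be forged" in text,
    }


def org(host):
    """Naive organisational domain: the last two labels (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def trace_origin(raw_headers):
    """Return the hops in chronological order and whether the earliest one
    records a sender outside the receiving operator's own domain."""
    msg = message_from_string(raw_headers)
    # Each relay prepends its line, so the last header is the earliest hop.
    hops = [parse_hop(v) for v in reversed(msg.get_all("Received", []))]
    if not hops:
        return {"hops": [], "earliest": None, "client_recorded": False}
    first = hops[0]
    helo, by = first["helo"], first["by"]
    # If the earliest hop is one of the operator's hosts handing mail to
    # another of its hosts, the trail starts inside the operator and the
    # submitting client was never written into the message.
    internal = bool(helo and by and not helo.startswith("[")
                    and org(helo) == org(by))
    return {"hops": hops, "earliest": first, "client_recorded": not internal}


if __name__ == "__main__":
    for label, sample in (("google", GOOGLE_SAMPLE), ("webmail", WEBMAIL_SAMPLE)):
        result = trace_origin(sample)
        print(label, result["earliest"], result["client_recorded"])
```
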


British law would allow police to intercept e-mail

"NewsScan" <newsscan@newsscan.com>
Wed, 19 Jul 2000 12:28:55 -0700
The British government appears likely to enact legislation that would allow
law enforcement authorities to intercept personal and corporate e-mail
messages and would require Internet service providers to install, at their
own expense, surveillance equipment that would resend some of their
customers' messages to a monitoring center run by the domestic security
service, MI5. A government official argued that "the powers in the bill are
necessary and proportionate to the threat posed by 21st century criminals,
no more, no less." The bill has angered civil libertarians, and a
spokesperson for Amnesty International in London said: "What this does is
contravene a large number of fundamental rights in the European convention
on human rights and other international standards, which include the right
to privacy, the right to liberty, the right to freedom of expression, and
the right to freedom of association."  [*The New York Times*, 19 Jul 2000
http://www.nytimes.com/library/tech/00/07/biztech/articles/19britain.html;
NewsScan Daily, 19 July 2000]


Clinton administration plans on wire taps & encryption

"NewsScan" <newsscan@newsscan.com>
Tue, 18 Jul 2000 08:49:33 -0700
A speech by White House chief of staff John D. Podesta has pleased the
business community with the Administration's new software encryption policy,
which will loosen export controls on encryption technology, but upset civil
libertarians with the Clinton Administration's position on allowing law
enforcement agencies to monitor Internet traffic. Barry Steinhardt of the
American Civil Liberties Union said the government's attempt to expand
wiretapping on the Internet "represents a grave threat to the privacy of all
Americans by giving law enforcement agencies unsupervised access to a nearly
unlimited amount of communications traffic." [*The Washington Post*, 18 Jul
2000, http://www.washingtonpost.com/wp-dyn/articles/A57330-2000Jul17.html;
NewsScan Daily, 18 July 2000]


ID theft finally coming to the fore

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 22 Jun 2000 09:59:00 PDT
The RISKS archives are chock full of reported cases of people being
victimized by identity theft.  An article in *The Washington Post*, 13 Jul
2000, notes that the Federal Trade Commission has logged at least 20,000
phone calls since starting its toll-free hotline eight months ago.
Complaints include masquerading with other people's Social Security numbers
-- fraudulent loans, setting up bogus credit-card accounts, and so on.  The
Internet is clearly creating new opportunities, partly because of the huge
amount of information available.  The pending Kyl-Feinstein Senate
legislation would outlaw the sale of SSNs, require better validation of
credit-card address change requests, make fraud-alert notations part of
credit reports once you have reported an identity theft, and provide you
with free yearly credit reports (presumably only YOURS).  [How about
forbidding the ubiquitous use of SSNs and other easily attainable
information as authenticators, not just identifiers?  And while we are at
it, how about getting rid of reusable passwords floating around in the
clear?  PGN]


Mother's maiden name as security check

"Bill Tolle" <BillTolle@ExclusiveBuyersAgents.com>
Tue, 18 Jul 2000 21:39:25 -0500
When you call many credit-card companies [and banks], they ask for your
Mother's Maiden Name as verification when you want to obtain information
about the account.

The State of Texas has now placed many birth records on the Internet,
including the mother's maiden name.

Go to http://userdb.rootsweb.com/tx/birth/general/search.cgi

Enter "Smith" as Surname

Leave all other fields blank.

The search engine will return 35,072 names (first, last, and middle) with
birth dates and the Mothers Maiden name (first, last, and middle) and
Father's name (first, last, and middle).

Bill Tolle <BillTolle@ExclusiveBuyersAgents.com>

  [Of course, the real crime is that the SSN and MMN are used as
  AUTHENTICATORS, as we have noted here many times.  But this database
  really escalates the identity-theft problem.  PGN]


Navy to use Windows 2000 on aircraft carriers

<leveson@sunnyday.mit.edu>
Thu, 13 Jul 2000 18:30:26 -0400
A press release on 13 Jul 2000 says that "Lockheed Martin Naval Electronics
systems announced that Microsoft Federal Systems is joining the Integrated
Warfare Systems Team supporting the design and development of the CVN 77,
the nuclear-powered aircraft carrier Newport News Shipbuilding is providing
to the U.S. Navy.

Microsoft Federal Systems, based in Washington D.C., will help design the
ship's information technology architecture based on the company's Windows
2000 platform."

The Navy never seems to learn (remember the fiasco they had using
Windows NT on their cruisers).  [Yorktown, RISKS-19.88, 20.37]

Prof. Nancy G. Leveson, Software Engineering Research Lab (SERL), Aero/Astro
Dept., MIT, Cambridge, MA 02139-4307 1-617-258-0505  http://sunnyday.mit.edu

 "Information technology is becoming a key part of everything the aerospace
  and defense industry does for a living, and as the century closes it is
  computers and software that hold the keys to the future ... Companies
  that exploit information technology most effectively will be the most
  likely to dominate the aerospace landscape in the 21st century."
  David Hughes, *Aviation Week & Space Tech.*, 21/28 Dec 1998


House rejects Internet gambling bill

"NewsScan" <newsscan@newsscan.com>
Tue, 18 Jul 2000 08:49:33 -0700
The U.S. House of Representatives gave the Internet gambling industry a
victory by failing to muster the two-thirds majority set as a requirement by
House leaders in its 245 to 159 vote on a bill to ban online casinos. The
votes in favor of the ban fell 25 short of the requirement. Sue Schneider of
the Interactive Gaming Council said: "It appears that cooler heads have
prevailed here. We have a brand new medium we're dealing with. We don't have
the same kind of borders we had before." But Rep. Robert Goodlatte (R-Va.),
who sponsored the bill, scoffed at the notion that it was anti-Internet:
"One way to promote the Internet is to make sure that the seamy side of life
is dealt with on the Internet. Just like child pornography has to be dealt
with on the Internet, so does unregulated, out-of-control, illegal
gambling." [AP/*San Jose Mercury News*, 17 Jul 2000,
http://www.sjmercury.com/svtech/news/breaking/ap/docs/206358l.htm;
NewsScan Daily, 18 July 2000]


Italian crash exposes risks of online stock trading

"Keith A Rhodes" <rhodesk.aimd@gao.gov>
Mon, 10 Jul 2000 15:54:03 -0400
Milan's stock exchange (Europe's fourth largest) opened 8 hours late on 5
Jul 2000, after corruption of the authorized-dealer database resulting from
testing of a new covered-warrants market the previous evening -- evidently a
maintenance glitch.  Brokers claimed losses of 20 billion lire (US$9.9M)
from lost commissions.  (The London exchange had an 8-hour blackout in April
2000.)  [PGN-ed from
http://www.cnn.com/2000/TECH/computing/07/10/system.crash.idg/index.html;


DC Metro can't label rerouted trains

Wm. Randolph Franklin <wrf@ecse.rpi.edu>
Tue, 11 Jul 2000 16:02:33 -0400
On 4 Jul 2000, the Washington DC Metro (subway) system changed the routes of
several of their lines to accommodate the large number of passengers
expected to see the fireworks.  This was a major effort, involving taping a
replacement route map over every route map in the whole system (trains and
stations), printing flyers, and stationing people at the entrances to answer
questions.

Unfortunately, the SW wouldn't let them change the destinations
listed on the computerized signs on the trains themselves.  So, the trains
from Reagan airport that went to Rosslyn were labeled SPECIAL YELLOW,
instead of ROSSLYN, and staff had to make frequent announcements telling
what that meant.

Apparently, the list of possible destinations, which the computerized signs
could display for each route, was hardcoded into the trains, and couldn't be
changed.

That is, the old, cardboard, signs were more flexible than the new,
computerized signs.  I'll let you draw the moral.

Wm. Randolph Franklin, Electrical, Computer, and Systems Engineering Dept.,
Rensselaer Polytechnic Institute  <rfranklin@altavista.net>


Illinois man dies after utility cuts power

Bill Higgins-- Beam Jockey <higgins@fnal.gov>
Wed, 12 Jul 2000 18:18:53 -0500
I found the following story at the *Chicago Sun-Times*.
<http://www.suntimes.com:80/output/news/vent12.html>

> Man dies after ComEd cuts power
>
> July 12, 2000
>
> BY DAN ROZEK AND STEVE WARMBIR SUBURBAN REPORTERS
>
> An elderly Aurora man who used an electrically powered oxygen system
> to help him breathe died in his home several hours after ComEd shut
> off the power because he was behind in his bills.

In Aurora, Illinois, Eric Shackelford, an 81-year-old man, used oxygen 24
hours a day to help him breathe; he suffered from "severe heart disease."
His daughter, Renia Thomas of Chicago, claims that the power cutoff shut his
oxygen down, and may bring a wrongful-death lawsuit against the power
company, Commonwealth Edison.

The story reports, however, that a roommate says Shackelford had two oxygen
systems, one of which did not depend on electrical power.

The RISKS relevance is in the dispute over record-keeping.  The family
says that  Shackelford's doctor had sent at least two letters to ComEd
asking that power not be shut off.

> A ComEd spokesman, however, said the utility had never received enough
> information to determine that Shackelford was entitled to be added to
> a list of about 1,000 customers who needed continuous electric power
> for medical equipment. ComEd files contain only one letter from a
> doctor regarding Shackelford, ComEd spokesman Don Kirchoffner said.
>
> "We would never, ever cut the power to anyone we thought was on life
> support," Kirchoffner said.  [...]
> A final notice sent in June said
> Shackelford should notify ComEd if he had medical equipment that
> required electricity, and there's no record anyone contacted the
> utility, Kirchoffner said.  [...]
> Kane County Coroner David Moore said it was unclear whether the power
> shutdown caused or contributed to Shackelford's death.

It would be interesting to know more about the process by which a power
company keeps track of customers who are dependent on power.  How do you
make such a process fail-safe?

Bill Higgins  Fermi National Accelerator Laboratory  <higgins@fnal.gov>


Fox network misprograms time on US VCRs for a year

"Michael D. Crawford" <crawford@goingware.com>
Sat, 15 Jul 2000 11:58:26 -0700
http://dailynews.yahoo.com/h/nm/20000714/tc/life_vcr_dc_2.html
describes how Fox Broadcasting Corp. sent out a signal that programmed
the time for VCRs with an automatic time setting feature to be US
Pacific time for about a year, regardless of whether the VCR was located
in another time zone.

The result was that VCR owners across the country found the time set on
their machines wrong and they couldn't figure out why.

The problem was uncovered by the San Jose Mercury News.  Apparently one
is supposed to defer to local stations to set the time.

The *Mercury News* article is here:

http://www.mercurycenter.com/svtech/news/breaking/merc/docs/001688.htm

Apparently also a northern California PBS station reprogrammed viewers'
VCRs 24 minutes fast for about two years.

> "We don't really know how much simpler to make it," Tom Hantson,
> national product manager for Panasonic Consumer Electronics Co., a
> prominent VCR manufacturer, told the Mercury News. "But no matter how
> simple you make it, it's not simple enough."

Michael D. Crawford crawford@goingware.com http://www.goingware.com

  [Also noted by Tom Van Vleck.  PGN]


Company lost domain name

"Arthur J. Byrnes" <arthur@ajb.com>
Mon, 10 Jul 2000 00:39:18 -0400
 >J.P. Morgan & Company (worth $21 billion) lost its Internet connectivity on
 >13 Jun 2000 because they failed to pay their $35 bill from Network Solutions
 >for their jpmorgan.com domain: three bills ignored over six weeks.

Since reading these types of stories, and not wanting to lose my 3 letter
domain to the same kind of "ignorance", I have been keeping a close eye on
my domain registration.

My domain was due to expire July 31, 2000.  Now, according to NSI's web site,
here is how it should work:

 >Under normal conditions, 30 days before the annual renewal fee is due,
 >Network Solutions' will send an invoice to the billing contact by postal and
 >electronic mail. Payment is due within 30 days. If payment is not received
 >by the due date, the domain name is subject to deactivation and deletion.
 >The registrant is solely responsible for ensuring that their Web Address
 >remains active.

I received neither the e-mail nor the snail mail notification that NSI says
I should have.  Yes, the e-mail and snail mail contact info are correct and
complete.

So, my personal experience makes me wonder where the blame actually lies in
these stories.  I know that if I worked for a dot.com, I'd be checking all
of my employer's domains expiration dates.

Arthur J. Byrnes


Royal Mail claims web orders encrypted when they aren't

Gary Barnes <gkb@bofh.org.uk>
Tue, 18 Jul 2000 14:18:27 +0100
A couple of weeks ago I wanted to order a substantial quantity of stamps,
and so went to the Royal Mail web site (http://www.royalmail.com/). I
clicked on the "Business Solutions" link at the foot of their front page,
and was taken to http://www.royalmail.com/atwork/ where there's a sidebar in
which "Shop" appears twice.

Following this link takes one to http://www.royalmail.com/shop/index.htm,
"The Shop".

I then clicked on "Stamps and Envelopes for business", and started to place
my order. When prompted to enter my credit card number to pay, I checked the
URL of the frame containing the form asking for these details. It was
http://www.royalmail.com/shop/direct/order.asp, and wasn't encrypted.

When I checked the "Security" link at the left of this very same page, I was
told (http://www.royalmail.com/shop/security.htm):

"Worried about security? For your ease of mind, all orders sent from your
computer to our web servers for products featured on this Internet web site
will be secured through the use of encryption technology"

In fact, there is a certificate for www.royalmail.co.uk, and I was able to
place an encrypted order via https://www.royalmail.co.uk/shop/direct/order.asp

I contacted the webmaster to point out that their shop didn't use a secure
URL, and received a reply saying that this would be fixed as soon as
possible, but this hasn't been done nearly two weeks later.

The RISK here is that customers will believe a web site that says "all
orders sent from your computer to our servers [...] will be secured through
the use of encryption technology", especially when the organisation
responsible is as "trustworthy" as Royal Mail, and then trustingly send their
unencrypted card details over the Internet.

There's also the RISK that once alerted to such mistakes companies won't
or can't act to fix the problem in a timely fashion, or at least remove
their incorrect boasts of being "secure".

Another contributory RISK seems to be the use of relative URLs such as
"direct/order.asp" instead of absolute URLs such as
"https://www.royalmail.co.uk/shop/direct/order.asp".

Gary Barnes
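
An added example, not part of Gary Barnes's post and not Royal Mail's code: a small Python audit that resolves each form's action against the URL the page was served from, showing how the relative reference "direct/order.asp" inherits the cleartext scheme and host while the same markup served from the https site does not. The sample markup and field names are constructed, and the field-name hints are an assumed heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that suggest payment or credential data (assumed).
SENSITIVE_HINTS = ("card", "cvv", "expiry", "password")

# Constructed markup for illustration; not copied from the real site.
SAMPLE_HTML = """
<form action="direct/order.asp" method="post">
  <input type="text" name="cardNumber">
  <input type="text" name="expiryDate">
  <input type="text" name="postcode">
</form>
<form action="/search.asp"><input name="q"></form>
"""


class FormCollector(HTMLParser):
    """Collect every <form>'s action and the names of the fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.base_href = None
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_href is None:
            self.base_href = a["href"]  # <base> changes how relative URLs resolve
        elif tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Resolve each form target the way a browser would and flag forms that
    would send sensitive-looking fields to a non-HTTPS URL."""
    parser = FormCollector()
    parser.feed(html)
    base = urljoin(page_url, parser.base_href) if parser.base_href else page_url
    findings = []
    for form in parser.forms:
        # An empty action submits back to the page's own URL.
        target = urljoin(base, form["action"])
        sensitive = [f for f in form["fields"]
                     if any(h in f.lower() for h in SENSITIVE_HINTS)]
        findings.append({
            "target": target,
            "sensitive_fields": sensitive,
            "cleartext": bool(sensitive) and urlsplit(target).scheme != "https",
        })
    return findings


if __name__ == "__main__":
    for url in ("http://www.royalmail.com/shop/index.htm",
                "https://www.royalmail.co.uk/shop/index.htm"):
        for finding in audit_forms(url, SAMPLE_HTML):
            print(url, "->", finding)
```
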


London Underground magnetic ticket bug

<boyd.roberts@ca-indosuez.com>
Tue, 18 Jul 2000 14:24:19 +0200
When I was in London last week, I'd just gone out through the ticket barrier
with my magnetic ticket.  Then I re-entered because I'd seen a timetable
which had some information I needed.  So far, so good. When I tried to get
out my ticket was refused.  A London Transport employee explained to me that
there was a timer on the ticket.  You can't get out until either the timer
expires or you find someone to let you out.

This is atrocious design.  They are trying to prevent you from entering
multiple people with the same ticket but the timer runs in both senses;
entry and exit.  I guess they're just very lucky that you can't get to your
destination too quickly.

It could be even worse; say there's a fire and you need to get out and the
station is not staffed.  Who'd get sued over that?  LT?  The system
designers?  Could be interesting / catastrophic.

The Paris Metro, RER and SNCF do this right.  There's an entry timer, but
it's not used to control exiting.

Boyd Roberts <boyd.roberts@ca-indosuez.com>


Man charged with breaking into NASA computers

"Keith A Rhodes" <rhodesk.aimd@gao.gov>
Thu, 13 Jul 2000 07:14:45 -0400
A 20-year-old man was arrested Wednesday for allegedly breaking into two
computers owned by NASA's Jet Propulsion Laboratory and using one to host
Internet chat rooms devoted to hacking.  Raymond Torricelli of New Rochelle,
N.Y., was named in a five-count complaint that also charged him with sending
unsolicited advertisements for a pornographic Web site and intercepting
passwords and usernames traversing networks of computers owned by Georgia
Southern University and San Jose State University. He was also accused of
stealing credit card numbers that were used to make more than $10,000 in
unauthorized purchases. Court papers, which were unsealed in Manhattan federal
court, alleged Torricelli was the head of a hacker group known as "#conflict"
and that he used the name "rolex."  [Source: Reuters, 12 Jul 2000]


A self-referential risky accident

"Michael L. Cook" <MLCook@collins.rockwell.com>
Thu, 13 Jul 2000 15:40:25 -0500
I live in "semi-rural" Iowa, in an area where most houses are on acreages
mixed in and around farm-land.  Neighboring houses are well in sight,
but not close together as in a traditional suburban neighborhood.

The local telephone company has been laying fiber optic cable for the last
couple of years for this rural area.  They subcontract the trench cutting
and physical cable placement to others.  This morning on our neighbor's
property, a man was guiding a trenching machine ("Ditch Witch") to where a
trench was to be cut.  The heavy morning dew made the grass slippery, and
the machine slid down the side of the roadside ditch.  The man tried to leap
aside, but was knocked into the air by one of the tires of the rolling
machine as it started its slide downhill.  The man fell 10-15 feet into the
ditch and landed on his back.  Fortunately, the machine did not roll over
him.

Also fortunately, my family and I were outside at the time, and my wife saw
him fly through the air.  We all started running to the scene.  My wife got
there first and yelled to call 911.  I yelled to her to go to the neighbor's
house, just a few yards away from her.  I ran back to our house to also
place a call just in case she couldn't.  I called 911, and rescuers
responded in a few minutes, and the man seemed all right, but was
transported to the nearest large hospital several miles away.

However, my wife was unable to call from the neighbor's house.  Why?  The
trenching folks had disabled the phone line in order to do their work!  A
co-worker of the injured man didn't seem panicky, but apparently didn't
remember that he had a phone in his truck.

Risk: Don't have an accident while working on stuff you've disabled, since
you might need that equipment if you have an accident!


Re: Australian DST rules changed for Olympics (Lutton, RISKS-20.94)

<Fraser_McHarg@nag.national.com.au>
Mon, 10 Jul 2000 08:58:57 +1000
September is actually early spring in Australia, spring starts 1st September
here.  DST normally starts on the last Sunday of October.

Microsoft is "taking it calmly" doesn't actually inspire me.  My NT machine at
work has never got daylight savings time correct, although W98 has (until
this year at least).

The biggest risk is not the changing of the date of daylight savings but
having different states that are normally on the same timezone, or same
difference, suddenly being different.

Fraser McHarg, Melbourne, Australia


Re: Software upgrade cancels train tickets (Shorrocks, RISKS-20.94)

Matt Fichtenbaum <mattf@ma.ultranet.com>
Sun, 09 Jul 2000 14:29:17 -0400
> There is no substitute for complete lack of proper testing or for
> un-necessary software changes.

I interpret that as "Complete lack of proper testing is an
absolute requirement."  Lose a minus sign, did we? :-)


Re: UK Millennium Bridge instability (Woolf, RISKS-20.92)

"Charles Arthur, The Independent" <carthur@independent.co.uk>
Tue, 4 Jul 2000 11:39:04 +0100
(It shut on the Monday having opened on the Sunday. The
problems were less on the Sunday, though still noticeable to people who
walked over.)

Worries that the bridge was overloaded are wrong, said Arup's Tony
Fitzpatrick...  It could support 5 times the maximum number of people you
could stand on it, unless you started carrying people on your shoulders.

The interesting upshot of this, announced on 28 Jun, is that this really
is a new phenomenon in bridge problems. It's caused by the pedestrians and
the bridge acting as mutual exciters: certain spans of the bridge (it has
three) have resonant frequencies around 1 Hz, which is roughly walking
speed. This means that when the bridge begins moving from side to side,
people move sideways to keep their balance - increasing the forces making
the bridge swing.

Very nice animations of what happened (exaggerated) at
http://www.arup.com/MillenniumBridge/images/videos/mode_5.avi and
http://www.arup.com/MillenniumBridge/images/videos/mode_6.avi plus
explanations generally in the "engineering" section of the site
(http://www.arup.com/MillenniumBridge/).

Interesting, of course, that they can simulate it now but not before...
Which does bear out the risks noted above. However, it wouldn't have
mattered if this was being done by computers or fusion-powered elves.
Nobody had encountered it before (apart, it is suggested by Arup, from a
Japanese stadium where the manufacturer insisted that the problems should
not be publicised for fear of losing face). So they couldn't design against
it.


Re: Another Win95/DOS interaction (Epstein, RISKS-20.93)

Lloyd Wood <l.wood@eim.surrey.ac.uk>
Wed, 5 Jul 2000 23:42:43 +0100 (BST)
> Unfortunately, "/on" *really* means "sort in alphabetic order by the
> 8.3 short name of the file".  There doesn't seem to be a way to tell
> the "dir" command I want it to sort the real name of the file, not
> the abbreviation.

The 8.3 "abbreviation" is in fact the real name of the file. Windows
is hamstrung by its legacy support.

<L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>
