Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 21: Issue 71
Weds 24 October 2001
Contents
With Mars probe maneuver, NASA finally catches a brake (inthenews)
DB and WWW on one machine in Australian election (Andrew Goodman-Jones)
Web defacement and cyberattacks (Dave Stringer-Calvert)
Hacker cracks Microsoft anti-piracy software (Monty Solomon)
Are spammers getting sneakier? part 1 (Rob Slade)
Are spammers getting sneakier? part 2 (Rob Slade)
Redesi virus (Rob Slade)
The British BSE crisis (Anthony W. Youngman)
Pregnant chad revisited (Fred E. Ballard)
Re: Stray bomb caused by typo (Dan Jacobson)
Non-risk, re: Jet engine starter motors (Ben Laurie)
Re: Euro changeover (Otto Stolz)
Re: Improper address-change validation (Chuck Falconer)
Cutting through hype, spin, and propaganda - "Fact Squad Radio" (Lauren Weinstein)
Re: Ham radio and Morse Code (Scott K. Ellis, Skip La Fetra)
Info on RISKS (comp.risks)
With Mars probe maneuver, NASA finally catches a brake
<inthenews <inthenews@SIGMAXI.ORG>>
Wed, 24 Oct 2001 11:11:44 -0400

[In RISKS, we try to include success stories, not just catastrophes. Here is
a NASA success (albeit after several Mars-related failures that have been
reported here earlier). This item is from *The Washington Post*, 23 Oct 2001,
via Science In the News (Sigma Xi). PGN]

The Mars Odyssey, which left Earth seven months ago, braked into orbit around
the red planet last night, giving NASA's Mars program a welcome boost after
back-to-back failures in 1999.

While outwardly confident, engineers at NASA's Jet Propulsion Laboratory in
Pasadena, Calif., were anxious about the make-or-break "Mars orbit insertion"
-- MOI -- rocket firing, a 19.7-minute maneuver one manager described as "the
longest 20 minutes of our lives."

In reality, engineers had to wait a full half-hour to find out whether
Odyssey's main engine had done its job. After a brief scare caused by a
momentary loss of data, flight controllers were able to confirm the rocket
firing had started on time at 10:26 p.m. EDT based on analysis of radio
transmissions from the spacecraft. But Odyssey disappeared behind Mars -- as
expected -- halfway through the maneuver.

http://www.washingtonpost.com/wp-dyn/articles/A42061-2001Oct23.html
DB and WWW on one machine in Australian election
<"Andrew Goodman-Jones" <goodie@ozemail.com.au>>
Mon, 22 Oct 2001 15:17:52 +1000

Technical hiccups hit ACT election counting
By Sandra Rossi, 22 Oct 2001, Computerworld Australia

It is ironic that counting in Australia's first election offering electronic
voting stalled because of technical hiccups following the ACT poll [on 20 Oct
2001]. Electronic voting is supposed to speed up the polling process and was
used on Saturday during the ACT election offering voters a choice between
traditional paper ballots and the Internet.

By the time voting closed, the ACT Electoral Commissioner Phil Green was
claiming Internet users significantly slowed down the collating of electronic
votes. More than 11,000 pre-poll electronic votes were supposed to have been
counted just after the polls closed at 6pm but there were periods when
counting was at a virtual standstill.

According to Green, disks were slower to load than expected and processing
the disks for eight polling stations equipped for computer voting was drawn
out because of competition from the Internet. "We're getting lots of hits on
our Internet site and that's actually slowing down our server because it's
all being run off the one database," Green said during counting.

http://www.computerworld.com.au/IDG2.NSF/a/00046162?OpenDocument&n=e&c=CP
Web defacement and cyberattacks
<Dave Stringer-Calvert <dave_sc@csl.sri.com>>
Mon, 22 Oct 2001 17:37:08 -0700

GForce Pakistan hackers defaced the U.S. Defense Test and Evaluation
Processional Institute Web site www.dtepi.mil as well as
enduringfreedom.dtepi.mil and nasa.dtepi.mil
  http://www.newsbytes.com/news/01/171341.html
after which a rival group of Pakistani vigilante hackers (Yiyat) identified
the purported culprit and retaliated.
  http://www.newsbytes.com/news/01/171365.html

[Above text PGN-ed from the URLs. I tried to verify the "processional", but
dtepi.mil was apparently off the Net. PGN]

Also, an interesting CNN article on a DoE cyberattack scenario. Best quote:

  The important lesson is that Black Ice showed how interdependent are the
  various infrastructure systems -- including telecommunications, utilities
  and banking -- and how major might be the combined effects of cyber- and
  physical attacks, she says. "The infrastructure system providers didn't
  understand the interdependencies among their systems," Scalingi says. "If
  you talk to state and local government and local utilities, they'll tell
  you they have great response plans. The problem is, they write them in
  isolation."

http://www.cnn.com/2001/TECH/ptech/10/21/black.ice.idg/index.html
Hacker cracks Microsoft anti-piracy software
<Monty Solomon <monty@roscom.com>>
Sun, 21 Oct 2001 01:45:01 -0400

By John Borland, Staff Writer, CNET News.com, 19 Oct 2001

A piece of software being distributed anonymously online has successfully
cracked part of Microsoft's anti-piracy technology, the centerpiece of much
of the giant's recent forays into the audio and video world.

Microsoft confirmed Friday that the code, written by a programmer using the
pseudonym "Beale Screamer," can strip off the protections that prevent a song
from being copied an unlimited amount of times. The company's digital media
division has spent much of the day talking to record labels and content
partners in an effort to respond to Screamer's software, said Group Product
Manager Jonathan Usher.

http://news.cnet.com/news/0-1005-200-7590303.html
Are spammers getting sneakier? part 1
<Rob Slade <rslade@sprint.ca>>
Fri, 19 Oct 2001 09:33:54 -0800

As we are all well aware, spam has been around for a while. As most of us
are aware, replying to the "if you have received this message in error and
want to be removed from our lists" message at the bottom of most spam simply
allows the spammers to verify that they have a "live one"--e-mail address,
that is.

Recently I received a flood of spam, all simply offering to take my name off
their list--if I replied to it. I guess the clients of spam companies are
starting to get pickier about the quality of the lists.

However, I have also started to receive the odd message like one I got this
morning. The subject line stated that the sender saw my ad on Google. Now, I
don't advertise on Google. But then again, Google is a Web search tool, and a
lot of people are careless about differentiating between the vast quantities
of sites out there consisting solely of masses of banners, and information
sites like the ones I have up.

Reading the message was no more informative: it simply asked me to send more
information. The headers were more interesting. The message was ostensibly
from someone at referralware.net, but the "Received" lines indicated an
origin at prontomail.com.

rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Are spammers getting sneakier? part 2
<Rob Slade <rslade@sprint.ca>>
Sun, 21 Oct 2001 22:01:45 -0800
So I get this e-mail with no subject, but the "From" name is the same as my
daughter. Only, of course, it isn't her. It's somethingtosell5678@aol.com.
Only it isn't that, either, when you look at the headers, it's:
Received: from Azzarmaster (ppp-178.11.triton.net
[216.65.178.11] (may be forged))
Now isn't that clever! triton.net has determined that the header
information *it* received may be forged! It is helpfully warning me that I
may be receiving spam! Really? How would it know? Is this, perhaps, an
open relay? And, if so, why is it open? Why isn't triton.net closing off
this type of abuse?
Well, let's look at the IP address, 216.65.178.11. Good old Samspade.org
can tell us that:
Trying whois -h whois.arin.net 216.65.178.11
Lucre, Inc. (NETBLK-LUCRE)
4011 Plainfield Ave
Grand Rapids, MI 49525
US
[...]
Coordinator:
Hale, Steve (SH1448-ARIN) steve@lucre.net
(616) 361-0128
OK, lucre.net certainly sounds like a domain name that a spammer would pick.
However, the information goes on:
Domain System inverse mapping provided by:
NS1.TRITON.NET 209.172.0.5
So let's be guessing that the header isn't actually forged at all. Perhaps
we are just supposed to give up looking when we see an indication of a
forged header, and not try to find out who actually sent this message. Or,
perhaps triton.net is simply going for plausible deniability: "Spam? Gee,
that's too bad. Bummer that the headers are forged, otherwise we could tell
who sent it."
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
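The header inspection in the two Slade items above (read the "Received" lines, pull out the connecting address, and look that address up rather than the "From" name) can be mechanised. The following is an added example written for this digest, not Rob Slade's code: it unfolds RFC 822 continuation lines, parses sendmail-style "from HELO (rdns [ip] (may be forged))" clauses, records whether the sender-supplied HELO name agrees with the reverse-DNS name the receiving MTA recorded, and returns the earliest hop's IP, which is the address to feed to whois. The sample header block is constructed around the Received line quoted above; the other hosts in it are made-up names in the reserved .invalid domain.

```python
import re
from typing import Dict, List, Optional

# Constructed sample. The second Received line reproduces the one quoted in
# the post above; the first Received line, the "by" clauses and the From line
# are invented for illustration. Continuation lines start with a space.
SAMPLE_HEADERS = """\
Received: from mx.example.invalid (mx.example.invalid [192.0.2.10])
 by inbox.example.invalid with ESMTP id 2
Received: from Azzarmaster (ppp-178.11.triton.net
 [216.65.178.11] (may be forged))
 by mx.example.invalid (8.11.6) with SMTP id 1
From: "Daughter" <somethingtosell5678@aol.com>
Subject:
"""

# sendmail-style "from" clause:
#   from <HELO name> (<reverse-DNS name> [<IP>] (may be forged))
# The reverse-DNS name and the "(may be forged)" marker are optional.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s*\(\s*(?P<rdns>[^\s\[\(]+)?\s*\[(?P<ip>[0-9.]+)\]"
    r"\s*(?P<forged>\(may be forged\))?",
    re.IGNORECASE,
)


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading space or tab) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw: str) -> List[Dict[str, object]]:
    """One record per Received header, in header order (most recent hop first)."""
    hops: List[Dict[str, object]] = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.search(line)
        if m is None:
            continue
        helo, rdns = m.group("helo"), m.group("rdns")
        hops.append({
            "helo": helo,
            "rdns": rdns,
            "ip": m.group("ip"),
            # The HELO name is whatever the sending host claimed; the bracketed
            # IP is what the receiving MTA saw on the TCP connection. A mismatch
            # is worth recording even when no "(may be forged)" marker is present.
            "helo_matches_rdns": rdns is not None and helo.lower() == rdns.lower(),
            "flagged_forged": m.group("forged") is not None,
        })
    return hops


def earliest_hop_ip(raw: str) -> Optional[str]:
    """Address to look up in whois: the last Received header is the first hop."""
    hops = parse_received(raw)
    return str(hops[-1]["ip"]) if hops else None


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_HEADERS):
        print(hop)
    print("look up:", earliest_hop_ip(SAMPLE_HEADERS))
```

Received headers are prepended by each MTA in turn, so the bottom-most one is the hop closest to the sender; the From line and the HELO name are both sender-controlled and are not used for the lookup.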
Redesi virus
<Rob Slade <rslade@sprint.ca>>
Sun, 21 Oct 2001 11:44:54 -0800

RISKS readers may have heard of one or both variants of Redesi, also known as
Dark Machine or Ucon. (In fact, it was PGN who first alerted me to the
existence of the second.) (If you haven't heard about them, don't open any
e-mail attachments with filenames of Common.exe, Rede.exe, Si.exe,
UserConf.exe, or Disk.exe. These filenames seem to be consistent in both
versions, in file attachments, and on infected machines.)

There are two variants. One comes with a large variety of possible subject
lines, all of which contain either a double hyphen or an ellipsis (three or
six periods). Many appear to be comments from Kev, Gaz, Will, Si, Jim, Arwel,
or Michelle. The body of the message of this A version reads "heh. I tell ya
this is nuts ! You gotta check it out !" and file attachments with filenames
as listed above. Infected machines will have files with the filenames listed
created in the root directory of the C: drive with the hidden attribute set.
However, this variant doesn't make any changes to the Registry, and doesn't
do any apparent damage.

The second variant comes with a subject line that may refer to Microsoft,
security updates, alerts, terrorists, emergency response, and viruses. The
body contains what appears to be a message from Microsoft describing the
attachment as a security patch, and a message of endorsement from the
forwarder. (Since both variants are forwarded using Microsoft Outlook address
books, the messages will appear to come from someone you know.) (Note that
Microsoft is not in the habit of sending out security patches as e-mail
attachments.) The B variant adds entries to the Registry, and attempts to use
an entry in the Autoexec.bat file to reformat the disk on or after November
11, 2001. The filenames of the attachments, and the files created, are the
same.

Note that the close association and quick release of the two variants may
have been a two stage piece of social engineering. The first release would
create some concern, and would promote a heightened sense of urgency about
applying patches or fixes, possibly enough to prompt people to run suggested
repair programs without getting confirmation. The second virus would take
advantage of this kind of panic. And, in this case, the "cure" is definitely
worse than the disease. (However, given some of the second set of subject
lines, the second release may simply be trying to take advantage of the
uncertainty over terrorist attacks.)

By the way, if you are trying to filter viruses at the e-mail gateway, scan
e-mail for messages with attachments with filenames Common.exe, Rede.exe,
Si.exe, UserConf.exe, or Disk.exe. Also note the message text "heh. I tell ya
this is nuts ! You gotta check it out !" and "Just recieved this in my email I
have contacted Microsoft and they say it's real !" Note that deleting
messages on the basis of body text is not recommended, since it may eliminate
warning messages.

rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
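A gateway check along the lines described in the last paragraph, written for this digest as an added example (it is not Rob Slade's code and not any scanner vendor's). It uses Python's standard email package to walk a message's attachments, compares each filename case-insensitively against the five names listed above, and looks for the two quoted body phrases. The decision policy follows the post's own advice: a filename match is grounds to quarantine, a body-text match on its own is only flagged, so that warning messages quoting the text still get through. The message builder and the dummy attachment bytes are constructed for the example; the addresses use the reserved .invalid domain.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Indicators listed in the post above.
REDESI_FILENAMES = {"common.exe", "rede.exe", "si.exe", "userconf.exe", "disk.exe"}
REDESI_PHRASES = (
    "heh. I tell ya this is nuts ! You gotta check it out !",
    "Just recieved this in my email I have contacted Microsoft and they say it's real !",
)


def inspect_message(raw: bytes) -> Dict[str, object]:
    """Classify one raw RFC 822 message: quarantine / flag / deliver."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    matched_files: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() in REDESI_FILENAMES:
            matched_files.append(name)

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    matched_phrases = [p for p in REDESI_PHRASES if p in body]

    # Filename match: quarantine. Body text alone: flag only (it may be a
    # legitimate warning that quotes the virus text), never delete.
    if matched_files:
        action = "quarantine"
    elif matched_phrases:
        action = "flag"
    else:
        action = "deliver"
    return {"action": action, "files": matched_files, "phrases": matched_phrases}


def build_sample(with_attachment: bool) -> bytes:
    """Constructed test message mimicking the A-variant mail described above."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "FW: you have to see this ..."
    msg.set_content(REDESI_PHRASES[0])
    if with_attachment:
        # Dummy bytes only; a real sample is never embedded in a filter.
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                           maintype="application", subtype="octet-stream",
                           filename="Common.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample(True)))
    print(inspect_message(build_sample(False)))
```

The filename set is matched on the attachment's declared name only; a gateway that also wants to catch renamed copies would need to inspect content, which this example does not attempt.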
The British BSE crisis
<"Anthony W. Youngman" <Anthony.Youngman@ECA-International.com>>
Mon, 22 Oct 2001 15:08:30 +0100

[This message is not particularly relevant to COMPUTERS, but highly relevant
to TRUSTING THIRD-PARTIES. PGN]

As you probably know, some scientists were asked to study whether BSE had
jumped species into sheep, and were given a load of sheep-brains to study. It
then turned out that these were not sheep, but cow brains, leading to
newspaper headlines about how scientists couldn't tell the difference between
sheep and cows.

This morning, it took a turn for the worse. It appears that the scientists
*had* suspected something was wrong, and asked for a sample of their material
to be analysed to check the species. However, as their brief was to look for
BSE, they could only *request* that somebody else check for species. It seems
that when this check was done, it was done on a sample of material that the
original scientists *should* have been given, not on the sample they had
provided from what they *had* been given. So of course the species test
"proved" they had sheep brains.

The risk? The classic "need to know" principle meaning that people are forced
to rely on others "doing the right thing" rather than being empowered to make
sure themselves that things are okay. And the classic of basing your test on
the assumption that things are okay, rather than assuming (and looking for) a
cock-up.

[Heard on Radio 4]
Pregnant chad revisited (Re: Jones, RISKS-21.70)
<fred.e.ballard@abbott.com>
Mon, 22 Oct 2001 11:32:18 -0500

It is shocking that a risk so obvious was not mentioned or found. I think it
is a real insult to voters, and a disgrace to the manufacturer and voting
officials. Sheesh! Like so many things in RISKS, an intelligent sixth grader
wouldn't run things this way.

Fred Ballard fredb@acm.org fred.ballard@abbott.com

[The really sad thing is that many of the same punch-card machines were
apparently also implicated in the 1988 Florida Senate race. Buddy Mackay lost
a close election to Connie Mack, in which there was a drop-off of 210,000
votes relative to the Presidential race in the same four counties. A lot of
people must have been asleep at the wheel. PGN]
Re: Stray bomb caused by typo (Hollebeek, RISKS-21.70)
<Dan Jacobson <jidanni@deadspam.com>>
20 Oct 2001 08:19:35 +0800

> ... GPS coordinates could use a check digit that detects one digit errors
> and transpositions, much like the one used in credit-card numbers.

Erm, but aren't any coordinates valid as long as you don't go beyond, e.g.
90 degrees north latitude, etc. OK, yes, it would be wise to check that the
coordinates are indeed within Afghanistan, unless oops, we want to create a
random international incident, or maybe even blow ourselves up.

Odd that with all that high tech, he still had to type them in instead of
clicking on it... Or maybe he needs an Afghanistan Residential Zoning Map
hooked into his GIS to lock out bad picks.

http://www.geocities.com/jidanni/ Tel+886-4-25854780 積丹尼

[Also commented on by Lou Schneider. PGN]
Non-risk, re: Jet engine starter motors (RISKS-21.70)
<Ben Laurie <ben@algroup.co.uk>>
Sun, 21 Oct 2001 21:28:46 +0100

One of the rays of sunshine in the otherwise bleak cloudspace that is RISKS
is that the occasional risk turns out not to be.

I have been told by a significant number of people that the starter motor is
not what goes on "continuous" after the jet has taken off. Instead the
ignitors stay on and ensure that if the flame goes out, it is relit. It is,
apparently, normally not necessary to respin the turbines once in flight.

If I remember correctly, because the 777's engine start sequence is entirely
automated (literally one switch for each engine), there's no distinction made
between starter motors and ignitors on the control panel. There's a single
switch that does, in effect, "off", "on" and "continuous".

Thanks for all the corrections on this issue.

Ben <http://www.apache-ssl.org/ben.html>
Re: Euro changeover (Long, RISKS-21.70)
<Otto Stolz <Otto.Stolz@uni-konstanz.de>>
Mon, 22 Oct 2001 19:38:57 +0200
On Sun, 14 Oct 2001 21:50:48 +0200, Douglas Long wrote:
> Converting all values to Euros and then calculating the
> account balance [...] yields one answer. Calculating a
> partial balance in Francs, converting to Euros, and then
> completing the remaining calculations using Euros [...]
> yields a slightly different result.
This is an intrinsic property of the two operations {conversion | addition}:
they are not commutative;
cf. <http://europa.eu.int/euro/html/dossiers/00121/00121-en.pdf>.
Hence, there are rules the banks are legally bound to,
cf. <http://europa.eu.int/euro/html/home5.html?lang=5>.
However, according to the dossier cited above, the particular
issue observed by Douglas Long is subject to national rules. [...]
(Note: EUR cash will only be introduced on 01 Jan 2002)
> some ATM transactions are reported in Francs ... others ... in Euros
This sort of happening is forbidden in Germany. However, I do not know
anything about national regulations in France.
In Germany, customers currently can choose whether their accounts are
handled in DM or in EUR. Banks are committed to carry the original amount
and currency of every single transaction through to the final account (in
addition to the EUR amount they use for their own balancing); hence, if a DM
amount is transferred from one DM account to another DM account, the
original DM amount will precisely be balanced in both customer accounts,
notwithstanding the fact that the banks themselves calculate in EUR. The
same scheme applies to cash deposits to, and withdrawals from, DM accounts.
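The discrepancy Douglas Long observed and Otto Stolz explains, worked through in code as an added example for this digest (not from either correspondent or from any bank): the same three FRF transactions are brought into EUR once per item and once as a total. The irrevocably fixed rate of 6.55957 FRF per EUR (six significant figures, used as a divisor, never as a rounded inverse) and rounding of converted amounts to the nearest cent are the EU conversion rules; the choice of half-up rounding and the three sample amounts are assumptions made here.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import Iterable, Tuple

# Irrevocably fixed conversion rate: 1 EUR = 6.55957 FRF.
FRF_PER_EUR = Decimal("6.55957")
CENT = Decimal("0.01")


def frf_to_eur(amount_frf: Decimal) -> Decimal:
    """Convert one amount: divide by the rate, then round to the nearest cent.
    Half-up rounding is an assumption of this example."""
    return (amount_frf / FRF_PER_EUR).quantize(CENT, rounding=ROUND_HALF_UP)


def convert_then_sum(items: Iterable[Decimal]) -> Decimal:
    """Convert every transaction to EUR first, then add the rounded EUR amounts."""
    return sum((frf_to_eur(x) for x in items), Decimal("0.00"))


def sum_then_convert(items: Iterable[Decimal]) -> Decimal:
    """Add the FRF amounts first, then convert the FRF total once."""
    return frf_to_eur(sum(items, Decimal("0.00")))


def compare(items: Iterable[Decimal]) -> Tuple[Decimal, Decimal, Decimal]:
    """Return (convert-then-sum, sum-then-convert, absolute difference)."""
    items = list(items)
    per_item, total = convert_then_sum(items), sum_then_convert(items)
    return per_item, total, (per_item - total).copy_abs()


# Constructed sample: three deposits of FRF 100.00 to the same account.
SAMPLE_FRF = [Decimal("100.00")] * 3

if __name__ == "__main__":
    per_item, total, diff = compare(SAMPLE_FRF)
    print(f"convert each then add: EUR {per_item}")   # 45.72
    print(f"add then convert once: EUR {total}")      # 45.73
    print(f"difference:            EUR {diff}")       # 0.01
```

Each FRF 100.00 converts to EUR 15.2449..., which rounds down to 15.24, while the FRF 300.00 total converts to EUR 45.7347..., which rounds to 45.73; the one-cent gap is the rounding error accumulated per item. This is why the rules Stolz cites fix the order of operations rather than leaving it to each implementation, and why the German scheme of carrying the original amount and currency through to the customer's account avoids the problem for DM-to-DM transfers entirely.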
Re: Improper address-change validation
<CBFalconer <cbfalconer@yahoo.com>>
Sat, 20 Oct 2001 03:18:24 GMT

The US postoffice operates the same way. I recently put in a change of
address, and the advisory went to the new address, along with all the old
mail.

Chuck F (cbfalconer@yahoo.com)

[At SRI, we did a study for the USPS many years ago, and I complained then
about that stupid policy. Evidently, they still have not learned. PGN]
Cutting through hype, spin, and propaganda - "Fact Squad Radio"
<Lauren Weinstein <lauren@vortex.com>>
Wed, 24 Oct 2001 10:42:25 -0700
Announcing "Fact Squad Radio"
October 21, 2001
http://www.factsquad.org/radio
PFIR - People For Internet Responsibility - http://www.pfir.org
[ To subscribe or unsubscribe to/from this list, please send the
command "subscribe" or "unsubscribe" respectively (without the
quotes) in the body of an e-mail to "pfir-request@pfir.org". ]
Greetings. The main purpose of People For Internet Responsibility's
recently-announced "Fact Squad" effort is to cut through hype, spin,
misinformation, and propaganda regarding technological issues and their
effects upon society.
In furtherance of this goal, we're pleased to announce the launching of the
"Fact Squad Radio" service. Fact Squad Radio is providing very short (one
minute), tightly-focused audio features, each concentrating on a single
relevant topic of importance. These vignettes are aimed at explaining the
issues briefly in a non-technical manner suitable for general audiences.
Topics to be covered will include both matters of long-standing importance
and crucial issues of the moment.
We encourage linking and redistribution of these features, and they are
freely distributable without any further permission being needed for
non-broadcast, non-commercial usage. Requests for other kinds of usage will
be considered on a case-by-case basis. We'll be ramping up towards a five
per week, M-F schedule. All segments are in the standard MP3 format.
The debut Fact Squad Radio feature concerns a topic of some significant
interest right now -- National ID Cards.
Fact Squad Radio is at:
http://www.factsquad.org/radio
Thanks very much!
Lauren Weinstein lauren@pfir.org lauren@vortex.com lauren@privacyforum.org
Tel: +1 (818) 225-2800
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Re: Ham radio and Morse Code (Decker, RISKS-21.70)
<"Scott K. Ellis" <storm@stormcrow.org>>
Fri, 19 Oct 2001 21:43:40 -0400

With due respect to Mr. Decker, I believe he has slightly (perhaps
unintentionally) distorted the most recent developments in amateur radio
licensing. While it may be true that the ham radio community has in the past
considered Morse code a "favorable" barrier to entry to keep out
"undesirables," current Morse code requirements have a more reasonable
explanation.

The maximum required Morse code speed for a ham license is now 5 WPM. While
there are several license grades with more "long distance" frequency bands
available for use, they are now all accessible by passing the appropriate
technical knowledge test. The 5 WPM code requirement for the long-range
frequency bands is a result of international treaty requirements. There are
currently efforts underway to have that portion of the international treaties
changed, at which time the Morse code requirement will be removed from the
amateur licensing requirements.

Scott K. Ellis
Re: Ham radio and Morse Code (Decker, RISKS-21.70)
<"Skip La Fetra" <Skip@LaFetra.com>>
Sat, 20 Oct 2001 10:35:12 -0700
> ... And it's also something that could come back to bite you in the butt,
> should those of the "excluded" class ever reach positions of power.
No truer words have ever been spoken. Mr Decker's points against the Morse
code requirement are true and to-the-point (I speak as an Amateur Extra (20
words-per-minute Morse) licensee who has *never* attempted a "real" Morse
contact -- I learned the code (and it *IS* very hard!) simply to get the
license.) Mr. Decker's points about exclusion ring true.
However, there are other points which were omitted in his message which need
to be made in balance -- and this is my reason for this message to RISKS.
These are not "rebuttals" to his premise, but point to other reasons why
Amateur ("ham") radio is justified in today's society.
Ham Radio (and its FCC justification) is about COMMUNICATION. We are a
trained bunch of COMMUNICATORS (it does not really matter if we are using
Ham, CB, or other frequencies) who are experienced at accurate
COMMUNICATION. We are equally skilled at picking up a police or fire
hand-held radio as we are at using our "special" frequencies -- and getting
a CLEAR message across. In an emergency situation, communication needs far
outstrip the installed capability -- Hams are PEOPLE who have frequencies
(communication channels) and clear-communication skills who can use their
resources (or those of the police/fire/Red Cross agency they are present to
help) to keep information flowing. (I do wish to point out that the ham
"special" frequencies are necessary to augment the limited number of
police/fire channels in a true communications emergency.)
This is (one of) the core justification(s) of Ham radio by the FCC. Active
(hobby) use of the radio spectrum enables ham operators to be ready and able
to help in times of communications emergency. Morse Code is a useful
method, but it is not the only method.
Skip La Fetra, Amateur Extra, AA6WK, Skip@LaFetra.com
http://www.LaFetra.com/Skip/AA6WK
[I have omitted several other messages on this topic, but there
seems to be lively disagreement. PGN]
