The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 34

Wednesday 11 April 2001

Contents

MIT'S cathedral of learning: online and free
NewsScan
Modern Times, II
jhaynes
Careful with that e-mail!
Lord Wodehouse
Risks of appearing in rec.humor.funny
Jim Griffith
Re: Risks of auto-updating software
L. P. Levine
More on Yahoo mail's anti-virus attachment translation
Kirrily Skud Robert
Re: Bogus Microsoft Corporation digital certificates
Nick Brown
Summertime blues
Lord Wodehouse
Re: Upcoming time-change risks
Derek Ziglar
Another Silly Date Problem
Peter B. Ladkin
Re: Dutch police fight cell theft ...
Zygo Blaxell
Christian Bartsch
Re: Cellphone text 'bombs'
Peter Chuck
Re: Future Mac Viruses?
Craig S. Cottingham
Paul Hessels
Re: "Internet Voting is no 'Magic Ballot'"
Julian White
Jay R. Ashworth
Bathtub Burnout
Rebecca Mercuri
Auto-updating and ReplayTV
Alan Wexelblat
Info on RISKS (comp.risks)

MIT'S cathedral of learning: online and free

<"NewsScan" <newsscan@newsscan.com>>
Wed, 04 Apr 2001 09:05:05 -0700

The Massachusetts Institute of Technology has committed up to $100 million
for a 10-year project to create public Web sites that offer, without charge,
learning materials used in almost all of its 2,000 courses. The materials
will include lecture notes, problem sets, syllabuses, exams, simulations,
and video lectures. Called OpenCourseWare, the program is not intended for
"audit" purposes and not as a means for students to earn college
credits. Computer science professor Hal Abelson explained: "In the Middle
Ages people built cathedrals, where the whole town would get together and
make a thing that's greater than any individual person could do and the
society would kind of revel in that. We don't do that as much anymore, but
in a sense this is kind of like building a cathedral." MIT President Charles
M. Vest is confident that the new program will in no way detract from the
value received by residential students who are paying tuition of $26,000 for
the on-campus experience of working directly with faculty and other
students." I don't think we are giving away the direct value, by any means,
that we give to students. But I think we will help other institutions around
the world... I also suspect in this country and throughout the world, a lot
of really bright, precocious high school students will find this a great
playground." (*The New York Times*, 4 Apr 2001; NewsScan Daily, 4 Apr 2001
http://www.nytimes.com/2001/04/04/technology/04MIT.html)

  [This is a marvelous development to inVest in the future.
  RISKS applauds MIT.  Three Cheers!  PGN]


Modern Times, II

<<jhaynes@alumni.uark.edu>>
Sun, 8 Apr 2001 10:13:24 -0500 (CDT)

The local paper reprinted a column by *Los Angeles Times* columnist Doris
Kearns Goodwin.  She starts out saying that Abe Lincoln's 1861 first
inaugural address reached Sacramento in a time of seven days and 17 hours by
Pony Express.  "On March 17, [2001] the London Times released a Web version
of a story that would appear in the next day's paper, falsely alleging that
Steven Spielberg -- who has optioned my unfinished manuscript on Lincoln --
and I planned to present Lincoln as a 'manic depressive racist' and head of a
'dysfunctional' family 'who nearly lost the American Civil War.'"

"Carried by satellite, the story reached Matt Drudge's Florida headquarters
and was placed on his Web site even before the newsprint edition of the
London Times had reached the streets.  In the next 24 hours, 1.6 million
hits were recorded n the Drudge site.  The story was picked up by dozens of
newspapers and made it to Rush Limbaugh's Web site, where Spielberg and I
were accused of engaging in a left-wing conspiracy to denigrate American
heroes in order to enhance the reputation of Bill Clinton.  Within hours,
the story was being discussed on talk radio and on television, and I was
receiving e-mails from lincoln scholars as far away as Australia, who were
understandably concerned by the story's portrayal of my intentions."

Goes on to say that no reporter ever contacted her to check the accuracy of
the story, and that the original reporter blamed the error on others and
would allow her to submit a letter to the editor; but by then the false
story was all over the world.  Goes on to detail some history of Lincoln,
some very early statements of his that could be construed to make him appear
racist, clearly voided by his later statements, including his last speech,
which stirred up John Wilkes Booth to kill him.


Careful with that e-mail!

<Lord Wodehouse <w0400@ggr.co.uk>>
Fri, 6 Apr 2001 17:54:05 +0100 (GMT Daylight Time)

Reported by the BBC

http://news.bbc.co.uk/hi/english/world/americas/newsid_1263000/1263917.stm

  A chief executive who used an e-mail to threaten his staff with the sack
  for being lazy has seen his company's share price collapse after the
  message appeared on the Internet.

  Neal Patterson, head of the Cerner Corporation in Kansas City, USA, had
  no idea his private directive to staff would end up being seen by
  millions of people on the world wide web.

  In the three days after the publication of the message, shares in the
  healthcare software development company plummeted 22% on the stock
  market.

It never ceases to amaze me that people armed with a computer and e-mail
completely lose their common sense.  However it seems to the the type of
e-mail that should never have been written let alone sent and not by a
senior person in the company. Gerald Ratner built up the family business,
piling it high, selling it cheap and making a fortune out of cut-price
jewelry. But a throw-away joke in a speech at the Royal Albert Hall in
front of Chancellor Norman Lamont brought his empire crashing down around
his ears. (he called a item he sold cr*p.) With the Internet the inept
director can find that it is even easier to ensure that bad news travels
faster and further.


Risks of appearing in rec.humor.funny

<griffith@olagrande.net>
Thu, 5 Apr 2001 15:34:57 -0500 (CDT)

In 1994, I had an article appear on rec.humor.funny titled "AOL's cutting
edge customer service", in which I related an incident where an AOL
representative responded to a complaint by suggesting that the complainant
should "telephone the Internet and talk to their tech support people".
Since them (and as recently as today), I've been receiving email from AOL
users who are somehow convinced that my e-mail address is the AOL customer
service address.

Jim


Re: Risks of auto-updating software

<"Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>>
Tue, 3 Apr 2001 12:49:31 -0500 (CDT)

Graystreak <wex@media.mit.edu> said:
>In his recent (April 2001) AskTog column, Bruce Tognazzini reports on his
>ReplayTV which, one recent day, updated itself to disable a valuable
>feature.
>    http://www.asktog.com/columns/045ReplayTV.html

I agree with his main point that software that updates itself is a menace
and a problem, but the replay change that was noted in the Tognazzini
posting came and went in about 4 weeks.  I noted the change and did not like
it but said nothing.  After a few weeks the feature that had been disabled
(a clean pause without ads) reappeared.  I must assume that there was a good
deal of noise made by the customer base as RePlay had just scrapped a
revenue source.  Good for them.

Customers who don't like a product revision should speak up and even decide
to drop the product.  Manufacturers will listen, but we got to talk.

Leonard P. Levine                  e-mail levine@uwm.edu
Professor, Computer Science        University of Wisconsin-Milwaukee


More on Yahoo mail's anti-virus attachment translation

<Kirrily Skud Robert <skud@infotrope.net>>
Mon, 2 Apr 2001 22:00:13 -0400

Further to "Yahoo! Mail translates attachments" in RISKS-21.27, I saw
the following e-mail on a mailing list which discusses medieval cookery:

  From: <xxxxxxxxxx@yahoo.com>
  Subject: (OT) "Medireview" ???

  Does anyone know why certain Web sites and mail servers change the word
  "medieval" to "medireview" without any warning?  Have I missed something?
  Did they change the spelling of the word, and not mail me the notice?

In addition to translating terms like "expression" to "statement" and "eval"
to "review" in an attempt to disable potential virus code, it seems that
they don't check for word boundaries, so "eval" is translated to "review"
even when it's within a word like "medieval".

It's easy to fix this in Perl (for instance), where the programmer
would write

  s/\beval\b/review/g

to check for word boundaries.

The RISKS?  Firstly, "two wrongs don't make a right."  Yahoo's half-baked
attempt to fix one problem without adequate thought or testing has caused
more problems.  Secondly, while the mangling of the word "medieval" on a
cookery mailing list may be unimportant, similar mangling occurring to a
person's name, address, e-mail address, URL or other important data could
have knock-on effects of a much more serious nature.

  Addendum: I've just had a report of an actual instance of a mangled
  e-mail address:

> Someone [...] changed his e-mail address to "cheval" and several of us
> couldn't get his new address straight because it kept coming up at
> "chreview".  Eventually, we realized what the word actually was, but it
> took a while.

*sigh*

Kirrily "Skud" Robert  http://infotrope.net


Re: Bogus Microsoft Corporation digital certificates (Savit, R-21.30)

<BROWN Nick <Nick.BROWN@coe.int>>
Fri, 6 Apr 2001 17:55:18 +0200

This whole area is reminiscent of, say, nuclear power, or electronic voting,
or anything based on Social Security numbers: the technocrats (who do not
necessarily have any technical background, even if thet are in the private
sector) come up with some great scheme that "simply" relies on nobody ever,
ever screwing up.  (Since most technocrats have never actually done a real
job in their lives, they have probably never screwed up either.)  This
attitude is known in French as "yapuka", short for "il n'y a plus qu'a...",
or "it's easy, all you have to do is...".

It "should have been obvious" (that phrase again) that at some point,
somebody would screw up and some invalid certificates would slip out.  If
this had been considered in advance, Microsoft and Verisign would maybe look
a bit less like headless chickens right now.

I have a modest proposal: all documentation and marketing material
concerning any system which contains any technology whatsoever should, by
law, carry the word "probably" in front of each verb describing technical
details of the system, and "unless someone screws up" at the end of each
sentence describing (claimed) functionality.

Examples:
- "When you click on the icon of the diskette, Microsoft Word will
*probably* save your work".
- "When you select 'Book now', the system will *probably* reserve your
ticket".
- "XYZ Backup Manager means you will never lose another file, unless someone
screws up".

See how much more accurate this is?  Imagine how much happier the world will
be without all the disappointment which users feel when the system fails to
deliver as promised.

Nick Brown, Strasbourg, France


Summertime blues

<Lord Wodehouse <w0400@ggr.co.uk>>
Tue, 3 Apr 2001 13:18:28 +0100

It may have already been noted, but in Germany, Deutsche Telekom had
problems with their speaking clock over the weekend of 24th/25th
March. Users using the alarm service found that on Monday 26th March their
call was an hour late, because the system did not advance to daylight
savings time.

I expect there were other problems, including the ones where US and
UK/Europe companies found that the time difference was one hour more for a
week.

John, Global Research IS, GlaxoSmithKline, Medicines Research Centre,
Gunnels Wood Road, Stevenage SG1 2NY United Kingdom
+44 1438 76 3222  e-mail: mailto:w0400@ggr.co.uk Web: http://www.gsk.com/


Re: Upcoming time-change risks

<"Derek Ziglar" <dziglar@yahoo.com>>
Tue, 3 Apr 2001 21:08:13 -0400

> In the USA we change to Daylight Savings Time (spring ahead) ...
> This year, that also happens to be the first day in April.  ...
> I can see that this confluence is going to cause some amount of confusion,
> as some people automatically disbelieve any official-seeming announcement

More true that you may think. I may even cause the media to fail to even
report such announcements.

In January 1999, a defect in the Microsoft Visual C++ Runtime Libraries was
discovered and documented in PC World magazine. Someone had discovered that
the time function in the runtime library had an inherent error that it would
misapply the Daylight Saving Time setting of Microsoft Windows anytime the
daylight savings time went into effect on the first day of the month--like
in 2001. The consequence of this bug is that Visual C++ built programs and
others that use this same shared library will 'see' the time incorrectly for
the first week of the month, then correct itself. Programs on the same
computer that don't use this library should see the time correctly.

The risk? Well, I certainly heard no recent alerts that this was to occur! I
had no cause to suspect any problem until Sunday morning when my company's
servers started misprocessing work because the C++ programs that process our
data 'saw' the time one hour differently than SQL Server itself did. A most
perplexing situation to debug--when two programs running on the *same*
computer have a different view of the time!

Sure, Microsoft reports this bug was supposedly fixed in a service patch to
the *compiler*, But who was responsible for distributing the fixed *runtime*
components that were distributed with all the applications people had
written using that compiler?

As Alan Wexelblat said, how many people would fail to take seriously a
problem warning associated with April 1st? Apparently enough that the media
completely failed to follow up on this April 1, 2001 risk they had reported
over two years ago!

January 1999 article from PC World
http://www.pcworld.com/resource/printable/article/0,aid,9327,00.asp

Microsoft Knowledge Base documentation on the problem.
http://support.microsoft.com/support/kb/articles/Q214/6/61.ASP?LN=EN-US&SD=g
n&FR=0&qry=daylight%20savings&rnk=5&src=DHCS_MSPSS_gn_SRCH&SPR=VCC

Derek Ziglar, Atlanta, Georgia


Another Silly Date Problem

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Fri, 06 Apr 2001 09:15:20 +0200

I have a digital certificate from a well-known german certification
authority, trustcenter.de. They informed me on the 9 February that the
certificate was about to run out.

    Es laeuft am 04/05/01 15:00:42.000 ab.

(It runs out on 04/05/01)

On the 4 April, they said it again:

    Ihr [...] Client-Zertifikat mit den folgenden Daten, [...]
    gueltig seit: 04/05/00 15:00:42.000, [...]
    nur noch bis zum 04/05/01 15:00:42.000 gueltig ist.

(Your certificate with the following Information [...]
 valid since 04/05/00 15:00:42.000
 ist only valid until 04/05/01 15:00:42.000)

I believed them. I also want this certificate. But this morning at
06.25 local time they informed me:

    Ihr Class 1 Client-Zertifikat mit den folgenden Daten, [...]
    ist am 04/05/01 15:00:42.000 abgelaufen.

(Your  certificate with the following Information [...]
 ran out on 04/05/01 15:00:42.000)

In the language in which this security agency is writing to me, 04/05/01
means unambiguously 4 May 2001.  As it does unambiguously all over Europe.
But they obviously meant it to mean the 5 Apr 2001.  Can I *really* be the
first person that has been caught by this mistake?

This goes to show that it's not only NASA that can mix up their units.  The
solution is probably to insist that agencies which provide an official
security function use ISO-standard dates.

Peter Ladkin


Re: Dutch police fight cell theft ... (Dzubin, RISKS-21.32)

<Zygo Blaxell <zblaxell@feedme.hungrycats.org>>
Wed, 04 Apr 2001 16:59:54 -0400

>After a user reports his GMS handset stolen, [...]

Uhhh...I'm not sure what GMS is in this context, but if it's a misspelling
of "GSM", then I see a problem.

In GSM, there is a separate SIM card in the handset which contains all of
the subscriber's authentication/authorization information, and which is
intentionally interchangeable between handsets (subject to some restrictions,
but generally when switching between handsets supplied by the same
service provider).

If someone was trying to sell the _handset_, they could do so without
including the SIM card--I've done this a couple of times as handset
technology evolves over the years.  The buyer provides their own smart
card, and the telco doesn't even have to be informed that the sale took
place for the handset to work for its new owner.

Naive GSM users reading this article might attempt to send such messages
to their own phone number if their handset is stolen.  This won't work
if the thief has any clue at all.  Kids, don't try this at home.

I suppose it is possible that the police may use the telco's resources to
track the handset down by its IMEI or something--handsets, high-end
accessories, even batteries these days have serial numbers embedded into
them which are accessible from the handset firmware and can be
interrogated from the telco (if not routinely broadcast while the
handset is on).

Zygo Blaxell (Laptop) <zblaxell@feedme.hungrycats.org>


SMS in Netherlands on stolen phones (Re: RISKS-21.32)

<cbartsch@gmx.de (Christian Bartsch)>
03 Apr 2001 00:00:00 +0000

I've only seen reports (but no firsthand source, maybe because of my lack
of the Dutch language), but I have a little difficulty believing them.

AFAIK the SMS service in the GSM network addresses the SIM card in the phone
(i.e. the mobile's number). If you insert another (not stolen) SIM card and
throw away the old one, you won't receive any text messages.  Why? That
would require addressing the IMEI of the stolen phone, which to my knowledge
is not possible.  I think some American phones have their number hardcoded
in the phone, but here (i.e. GSM in Europe) you could only annoy anyone
using a stolen SIM card, not a stolen phone with a "clean" SIM card in,
methinks.

Chris

http://www.zahlungsverkehrsfragen.de/


Re: Cellphone text 'bombs'

<Peter Chuck <PChuck@capgemini.nl>>
Tue, 3 Apr 2001 11:26:24 +0200

The CNN article correctly explains that every mobile device has a built-in
serial number (IMEI).   Cellphone operators can block all use of a mobile
handset based on this IMEI.

Here in Belgium we have one operator that blocks stolen IMEIs and two
others that do not (it would cost them money).  The result is that all the
"new owners" of stolen cellphones are calling via the lazy/cheap operators.

In the Amsterdam scenario, the taxpayers are funding the police to do the
work of private cellphone operators.

Peter Chuck, Consultant, Cap Gemini Ernst & Young,   Brussels, Belgium.


Re: Future Mac Viruses? (PC Rescue, RISKS-21.32)

<"Craig S. Cottingham" <cottingham@mac.com>>
Mon, 02 Apr 2001 21:17:56 -0500

> Mac users have been crowing for some time that their system is less prone to
> viruses than the horrible alternative. Could this be about to change?

First off, any person who claims that Mac OS is less *susceptible* to
viruses than the "horrible alternative" is mistaken. The greater part of Mac
OS's relative dearth of viruses is due to "security through obscurity" -- in
this case, a much smaller developer base. All the tools you need to write
code for Mac OS, virulent or not, have been freely available for download
from Apple's web site for more than two years.

> "The box contains three installation CDs -- Mac OS X, Mac OS 9.1 and a CD
> full of developer tools, including the Cocoa programming environment, which
> is reportedly simple enough for school kids to use."

Secondly, Linux has included, from day one, developer tools simple enough
for school kids to use, as evidenced by the number of open source projects
started by students. (The most notable example that comes to mind is
Napster; I believe its author was a high school student when he created it.)
Following that logic, there should be a preponderance of viruses for Linux.
Instead, there are, to my knowledge, none. (Worms which exploit security
holes in daemons are a horse -- a Trojan horse? -- of a different color.)

The security model built into Linux and other Unix-like operating systems --
of which BSD, on which Mac OS X is built, is one -- contrasts sharply with
the security model, such as it is, built into the variants of Windows. So
right from the start, Mac OS X is starting from ground more solid than
either its predecessor or that "horrible alternative."

What remains to be seen is how well Apple has balanced the Unix-like
security model with the expectations of a user base that is used to having
free run of the machine. I haven't installed Mac OS X on any of my machines
yet, but it appears from the posts to one OS X mailing list that the
security model is obvious for tasks which require superuser rights.

Craig S. Cottingham <cottingham@mac.com>
  http://pgp.ai.mit.edu:11371/pks/lookup?op=get&search=0xA2FFBE41>


Re: Future Mac Viruses? (PC Rescue, RISKS-21.32)

<<hesselsp@ashaman.dhs.org>>
Wed, 4 Apr 2001 16:12:23 -0400 (EDT)

>Mac users have been crowing for some time that their system is
>less prone to viruses than the horrible alternative. Could this
>be about to change?

Considering Mac OS X is running FreeBSD, I don't expect virii to be any MORE
of a problem then from their legacy OS.  Its pretty hard to write a virus
that trashes a whole FreeBSD system.

I don't expect that having an IDE that is so easy kids can use will make any
noticeable difference...

Now worms on the other hand.....

Paul


Re: "Internet Voting is no 'Magic Ballot'" (Ashworth, RISKS-21.32)

<"Julian White" <JWhite@Nu-D.com>>
Tue, 3 Apr 2001 09:35:39 +0100

I must agree with Jay on this one. Ensuring that the Internet vote
originates from who it claims to be is not wholly solvable at this time. To
many issues around the security of this information (whether that be
originality, transmission or storage) make it too risky to implement for
such an important process. Also, the flip side of adding complex security is
that if the Government were able to validate a vote against a voter, they
then will have the ability to collect information on a voter's voting habit.
I suspect that this is something that many of us would find unacceptable
behaviour on behalf of our esteemed Government staff. For those of us with
data protection and/or privacy laws we would at least have legislation to
strangle the Government with, for those of you without there will not be
much you could do to stop it.

However this does not mean we should exclude "electronic" voting.  One can
see the advantages of collecting the voting information electronically
direct from the ballot box.  Replacing the paper based system with an
electronic counter would produce a more accurate result, faster. The
verification of the voter is done as per normal, by turning up to the ballot
station. Of course we need to ensure that the voting tallies are not
tampered with, which is probably more procedural than technical.

The critical issues with electronic voting are those as described by Jurek
Kirakowski [RISKS-21.32], namely the user interface. This will be an issue
for the technical, social and psychologist arenas to solve as a collective.

Julian White, Nu-Dimensions, UK. JWhite@Nu-D.com


Re: "Internet Voting is no 'Magic Ballot'" (RISKS-21.32)

<"Jay R. Ashworth" <jra@baylink.com>>
Tue, 3 Apr 2001 05:16:15 -0400

Another method of counting can certainly be *added* to "paper"... but
note what I said about "a physical object that the voter can inspect".

And that can *be* recounted; the more important issue.
Paper cannot be abandoned.  Merely augmented.

Jay R. Ashworth <jra@baylink.com> Baylink The Suncoast Freenet, Tampa Bay FL
http://baylink.pitas.com   +1 727 804 5015


Bathtub Burnout (Re: Nordal, RISKS-21.33)

<Rebecca Mercuri <mercuri@gradient.cis.upenn.edu>>
Tue, 10 Apr 2001 22:00:44 -0400 (EDT)

> The risk of putting non-reliable legacy equipment in the same room
> as your $30,000 servers with hundreds of concurrent users is obvious.

Audun Nordal's conclusion is a tad misleading.  Anyone who has taken a
reliability engineering course (do they still teach such things anywhere?)
knows that the "bathtub curve function" indicates that it is at BOTH ends of
the equipment age spectrum where the increased possibility of breakdown
exists.  New equipment burn-in (note the full meaning of this terminology)
eliminates many of the front-end problems, but I'd suspect that brand-new
$30,000 servers (with defective CRT monitors) probably are at least as risky
as the workhorse VT420s.

Rebecca Mercuri


Auto-updating and ReplayTV

<Graystreak <wex@media.mit.edu>>
Thu, 5 Apr 2001 08:34:11 -0400

It has been pointed out to me that Tog's column, which I referenced in
RISKS-21.32 is (4) months out of date.  The malfeature Tog talks
about was removed, apparently, last December.

That does not, I think, obviate my major point.  I was _not_ trying to say:
     "ReplayTV is bad"
but rather
     "we have opened ourselves up to a whole new class of risks" through a
     combination of always-on/always-connected computers, and
     auto-updating software.

Risks Digest is a fine forum for presentation and analysis of specific
cases; however, part of the point of such cases - I think - is to
illustrate larger classes of risks and systemic design flaws which can
lead to multiple vulnerabilities.

Alan Wexelblat  wex@media.mit.edu  http://wex.www.media.mit.edu/people/wex/
moderator, rec.arts.sf.reviews

Please report problems with the web pages to the maintainer

Top