The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 39

Friday 11 May 2001

Contents

U.S. Air Force blasts Outlook security patch
Yves Bellefeuille
Univ. Virginia prof uses computer to catch cheaters
Richard Kaszeta
Potential timestamp overflow on 9 Sep 2001
Don Stokes
Excel-lent leaks
Christophe Augier
Foolish wireless network access policies and spam engines
Thor Lancelot Simon
Cops say teen concocted radio calls
Steve Hutto
The RISKS spam crossover has finally taken place!
RISKS
DMV screws up on licenses
PGN
To drive or to avoid identity theft: mutually exclusive?
Brett Glass
Re: Recording industry threatens researcher
Douglas W. Jones
16th Annual Software Engineering Symposium 2001
Carol Biesecker
Info on RISKS (comp.risks)

U.S. Air Force blasts Outlook security patch

<yan@storm.ca (Yves Bellefeuille)>
Fri, 04 May 2001 17:28:25 -0400

A paper, "Reinforcing dialog-based security," by Martin Carlisle and Scott
Studer, of the US Air Force Academy Computer Science Department, is to be
presented on 5 Jun 2001 at the IEEE Systems, Man, and Cybernetics
Information Assurance Workshop in West Point, NY, sponsored by NSA.  The
paper criticizes the Outlook 2000 SR-1 E-mail Security update [RISKS-21.36],
developed in response to the I Love You virus to block certain types of
attachments.

  [Source: *Infoworld* Article by Sumner Lemon, PGN-ed. Thanks also to Monty
  Solomon. http://www.infoworld.com/articles/hn/xml/01/05/04/010504hnairf.xml]


U. Virginia prof uses computer to catch cheaters

<Richard Kaszeta <kaszeta@me.umn.edu>>
Tue, 8 May 2001 11:01:03 -0500 (CDT)

The latest Wired News includes an article that discusses how a University of
Virginia professor nabbed 122 students for plagiarism using a computer
program he wrote himself.  The program basically compares papers and looks
for phrases shared between papers.  Using this technique, the professor
caught 122 of 500 students in his class cheating.  All the students caught
were referred to the schools Honor committee.
  (http://www.wired.com/news/school/0,1383,43561,00.html)

As a seasoned systems administrator in a college department and former
student myself, I know that in a college environment, the efforts to which
some students will go to cheat show an astonishing amount of
creativity---breaking into accounts, exploiting lack of permission control
on other users' accounts, searching through the recycle bins, etc.  The use
of technology in this environment has made cheating easier, and harder to
trace.

The risk is that some of the students are probably innocent, merely being
guilty of having their own papers copied without their knowledge.  Indeed,
some of the students claim towards the end of the article that exactly that
has happened.

Unfortunately, the technology of online composition and submission of papers
(as typically done at most Universities) lacks sufficient security,
encryption, and authentication standards.

Richard W Kaszeta, Engineer, University of MN, ME Dept
rich@kaszeta.org  http://www.kaszeta.org/rich


Potential timestamp overflow on 9 Sep 2001

<Don Stokes <don@daedalus.co.nz>>
Mon, 07 May 2001 01:46:08 +1200

In case no-one else has noticed ...

On 9 Sep 2001, at 1:46:40 UTC, the Unix time_t value (the number of seconds
since the 1st of January 1970 0:0:0 UTC) ticks over from 999999999 to
1000000000, thereby moving from being a nine digit decimal number (as it has
been since 1973) to a ten-digit number.

Anyone storing decimal time_t values into a nine-digit field is going to
have an interesting problem on that date.


Excel-lent leaks

<"Christophe Augier" <augier@altran.com>>
Fri, 4 May 2001 09:14:05 -0400

This amusing story was told to me by a friend, whose company name will stay
hidden.  Once upon a time, there was a sales director in a big spirit and
wines company. This person managed the whole team for a big European
country. One day she had to take the decision of laying off a high position
salesman, working for this company since years. Because of the turmoil
generated inside the team by this firing, she wanted to set the organization
changes, and she made a new Org-chart and asked her administrative assistant
to forward the file to all the sales team.

Well... Everything looks fine, since you don't know yet that the new
org-chart was made on an Excel Book. "Book" means several sheets... So, what
was distributed to the whole team?....

Sheet 1 : The Org-chart : ok. At least THAT was good.
Sheet 2 : All the names of the salesman for the whole country, their salary,
  and appreciation commentaries (kind off:"this guy will never succeed /
  he is a burden") and raises projection. By the way, with a good raise
  projection for herself :)
Sheet 3 : A road-map to lay off the old salesman. all the information,
  dates, argumentation needed to get rid of him.

Isn't that nice?

Conclusion : A nightmare ! all the guys with a bad appreciation went postal
(one guy from the south realized that his "sibling" of the north was making
double money for the same work & results, etc...). I guess they should have
had a lot of resignation...  And a friend of the fired salesman forwarded
the mail to him, giving him good material for the lawsuit he was engaging
against the company.

The risks?  When you don't know how to use Excel or any software : don't use
it for critical information !  When you send an e-mail : watch out what you
are sending !


Foolish wireless network access policies and spam engines

<tls@panix.com (Thor Lancelot Simon)>
3 May 2001 20:53:30 -0400

A local university has deployed a large 802.11 wireless network without WEP
or any other security measure.  Given the complexity of distributing WEP
keys to huge numbers of students, faculty, and staff, not to mention the
need for periodic changes, and the notorious insecurity of WEP itself, this
might seem to be a reasonable choice.  They have decided to provide public
access to their IP connectivity for those within radio range of their campus
rather than tackle the very significant issues associated with restricting
access.

The RISK?  Their campus mail-handling machines will relay mail to any inside
or outside destination if it's received from an address "inside" their
campus network.  The network architecture they've chosen for their wireless
deployment dictates that anyone can walk onto their (large, urban) campus,
or even just park his car outside, and spam away freely with hundreds of
megabits per second of bandwidth to most points on the Internet.

Basically, their entire campus just became a "safe harbor" for anyone owning
a laptop and wireless card to do nefarious things to outside hosts with,
essentially, perfect, impenetrable anonymity.  There's not even a billing
record for a throwaway dialup account to trace back; just a MAC address that
can be trivially changed and the knowledge that it was used *somewhere* on
their campus to do Bad Things at some point in the past.

Thor Lancelot Simon <tls@rek.tjls.com>


Cops say teen concocted radio calls

<Steve Hutto <shutto@kata.chezns.org>>
Fri, 11 May 2001 12:07:04 -0600 (MDT)

*Rocky Mountain News*, 11 May 2001 (excerpt)
http://rockymountainnews.com/drmn/local/article/0,1299,DRMN_15_455095,00.html

"A 16-year-old boy using a handheld radio and a computer allegedly sent Denver
police cruisers and a helicopter to fake emergencies and called officers off
legitimate 911 calls for more than a month before getting caught.

Police said Thursday that the teen managed to hack into the department's
computer-controlled radio system, program his radio to transmit on the
department's frequency from his Southwest Denver home and then took on the
alias of Jerry Martinez, a fictitious Denver police officer."

The teen enjoyed chatting with police helicopters flying overhead as well as
reporting non-existent emergencies and accidents.

Eventually, police dispatchers caught on.  When he called requesting
license-plate information, they kept him talking for an hour and a half while
the FCC physically located him using "special equipment".  The final straw
came a couple days later when an informant talked him into modifying another
radio to transmit on police frequencies.  The teen was charged with a dozen
misdemeanors and a dozen felonies.

The best part of the story is near the end:

"Police have not determined how the teen allegedly hacked into their radio
system. The police department's emergency radio system uses two sets of
security identification codes and a computer to prevent unauthorized access."

Considering all the possible risks here is a scary proposition, especially
if used judiciously by someone with a bit more restraint.

-Steve Hutto


The RISKS spam crossover has finally taken place!

<RISKS List Owner <risko@csl.sri.com>>
Wed, 2 May 2001 16:31:28 PDT

Subsequent to the posting of RISKS-21.35, for the very first time in our
almost 16 years of RISKS issues, the number of spam e-mail messages has
exceeded 50% of all RISKS e-mail (despite filtering by our incoming mail
systems).  This is an extremely unfortunate happening, because I first have
to filter out and delete all the e-junk before I can even hope to ferret out
the good stuff that you are faithfully submitting.  Also noteworthy is that
the volume of legitimate contributions continues to increase (which is
wonderful because more of you are responding, but is sad because I cannot
include everything)...

I hate to recommend draconian anti-spam measures, but the problem is clearly
out of control.  We are of course opposed to short-sighted legislation and
censorship -- especially if it overzealously filters out desired e-mail.
Perhaps it is time to implement some radical techniques such as that
described in a 1992 paper by Cynthia Dwork and Moni Naor, Pricing Via
Processing Or Combatting Junkmail, Proc. Crypto 1992, LNCS 740.

PGN


DMV screws up on licenses

<"Peter G. Neumann" <Neumann@CSL.sri.com>>
Fri, 11 May 2001 07:58:14 -0700 (PDT)

  [TNX to KFWB item from Lauren Weinstein]

DMV Sends Licenses To Wrong Addresses

California's Department of Motor Vehicles has mailed as many as 3,000
driver's licenses to the wrong addresses due to a malfunction in an
8-year-old sorting machine that processes more than 7 million licenses and
ID cards every year.  DMV officials say they will retire the machine.

It is unclear exactly how many licenses were erroneously mailed.  There are
202 confirmed errors so far, but officials expect more.

Officials say they are not concerned about the stray licenses. They are
asking those who receive a license that does not belong to them to return
it. Those who do not could face criminal charges.

For the actual license owners, the DMV will issue a new license number upon
request to prevent identity theft.

Motorists with questions should call DMV's information line at
1-800-777-0133.


To drive or to avoid identity theft: mutually exclusive?

<Brett Glass <brett@lariat.org>>
Fri, 11 May 2001 09:36:11 -0600

This February, my driver's license came up for renewal -- a fairly ordinary
event. I expected to wait briefly at the local Department of Transportation
office, take an eye test, have an unflattering photo taken, and be on my way
in short order. Alas, it was not to be. When I submitted the renewal form, I
was shocked and dismayed to discover that the clerk would not renew my
license unless I placed my Social Security number on it. There was no
Privacy Act notice on the form (as required by the 1974 Privacy Act), so I
asked the clerk why she believed she could to demand my Social Security
number -- and refuse me a license if I did not supply it.

What I found out was chilling. Not only does Federal Law -- thanks to the
striking of a single word from a huge statute -- require that drivers submit
their Social Security numbers when applying for licenses. It also requires
that all of the information maintained about a driver by a state --
including that number -- be revealed to virtually all comers. Here are the
details of these onerous laws, along with additional information about the
laws in my particular state (which are typical of state laws throughout the
country). I'll also describe the way in which one state is fighting the
Federal laws that would require it to compromise its citizens' privacy and
subject them to trivially easy identity theft.

Requirement for Collection

Very recently, welfare reform legislation changed Federal law to require
that states collect all citizens' Social Security numbers when they apply
for driver's licenses. (Earlier versions of the law only required it if one
applied for a *commercial* driver's license, on the theory that one could
threaten a deadbeat parent's livelihood if he or she required that license
to work.) But a subtle amendment, slipped in just recently, struck the word
"commercial," requiring the SSN to be collected from all applicants. The
ironically numbered passage at 42 USC 666(a) (see
http://www4.law.cornell.edu/uscode/42/666.html) says:

>(13) Recording of social security numbers in certain family matters. -
>Procedures requiring that the social security number of -
>
>    (A) any applicant for a professional license, driver's
>    license, occupational license, recreational license, or
>    marriage license be recorded on the application;
>
>    (B) any individual who is subject to a divorce decree,
>    support order, or paternity determination or acknowledgment be
>    placed in the records relating to the matter; and
>
>    (C) any individual who has died be placed in the records
>    relating to the death and be recorded on the death certificate.
>    For purposes of subparagraph (A), if a State allows the use of a
>    number other than the social security number to be used on the
>    face of the document while the social security number is kept on
>    file at the agency, the State shall so advise any applicants.

Note that while a different number may be used on the "face" of some
licenses, the state must still collect the Social Security number. Also note
that many of the items mentioned above are public records which can be
accessed by all comers (in some cases, due to open record laws such as
Wyoming's).

Requirement to Disseminate

The requirement that states disseminate Social Security Numbers it has
collected comes from a law misleadingly titled the "Drivers' Privacy
Protection Act." This law did in fact start out as a law to protect drivers'
privacy, but due to amendments promoted by monied lobbyists it has just the
opposite effect. (It is said, justifiably, that the law should really be
called the "Drivers' Privacy Prevention Act.")

The law is reproduced on the Web at
  http://www.networkusa.org/fingerprint/page1b/fp-dmv-records-18-usc-123.html

Note that this law makes ALL of the information you submit to your state's
DMV/DOT available to *anyone* who claims that it's needed for any business
purpose. If I wanted your driving records and SSN, all I'd have to do is
walk into the courthouse and claim that you owed me a dollar.

The DPPA was challenged by the Alabama Attorney General on states' rights
grounds and was ruled unconstitutional by a Federal district court:

http://www.networkusa.org/fingerprint/page1b/fp-dppa-al-appeal.html

However, the US Supreme Court, in a chilling ruling that dubbed our
personal information "items in interstate commerce" and therefore subject
to Congressional control under the Commerce Clause, reversed the Circuit Court:

http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl
  ?court=US&navby=case&vol=000&invol=98-1464  [SPLIT URL]

In retrospect, challenging the law on the basis of states' rights was
probably a big mistake. The Alabama AG might have had better success had he
cited the right to personal privacy delineated in Griswold v. Connecticut.

State SSN Requirements And Public Records Acts

The laws of many states also mandate the collection of Social Security
numbers -- and make the forms containing those numbers public records. I
live in Wyoming, and this is the case in my state. (The details of the
laws are instructive because they are similar to those in other states;
however, if you're uninterested in the specifics, you may want to skip
down to the heading "Michigan's Challenge" to learn more about a recent
challenge to the Federal laws.)

Wyoming law, at W.S. 31-7-111 (b) ("W.S." = "Wyoming Statutes"),
describes the information required on a driver's license application:

>(b)  The application shall include:
>
>     (i)  The full legal name and current mailing and residential
> address of the
>          person;
>
>     (ii)  A physical description of the person including sex, height
> and weight;
>
>     (iii)  Date of birth;
>
>     (iv)  The person's social security number or other numbers or letters
>           deemed appropriate on applications for instruction permits,
>           driver's licenses, commercial driver's licenses and
>           commercial driver instruction permits;

Note that the statute does provide for an alternative; however, the
phrase "deemed appropriate" (By whom? What is the standard of propriety?)
is vague. The clerk said that she, at least, deemed no other numbers or
letters to be "appropriate."

The law also requires the state to keep the application on file even
after it is processed. According to W.S. 31-7-120,

>31-7-120.  Records to be kept by division; exception.
>
>  (a)  The division shall maintain a readily available file of and
> suitable indexes for:
>
>     (i)  All license applications denied with the reasons for denial
> noted thereon;
>
>     (ii)  All applications granted;
>
>     (iii)  Every licensee whose license has been suspended or revoked
> and the reasons
>            for the action;
>
>     (iv)  All accident reports and abstracts of court records of convictions
>           received under the laws of this state with suitable notations for
>           each licensee showing the convictions of the licensee and the
> traffic
>           accidents in which he has been involved.

What's more, the application is, according to the state's open records
law, a public record that anyone may access. According to W.S. 16-4-201(a)(v),

>(v)  "Public records" when not otherwise specified includes the original
>and copies of any paper, correspondence, form, book, photograph,
>photostat, film, microfilm, sound recording, map drawing or other
>document, regardless of physical form or characteristics that have been
>made by the state of Wyoming and any counties, municipalities and
>political subdivisions thereof and by any agencies of the state,
>counties, municipalities and political subdivisions thereof, or received
>by them in connection with the transaction of public business, except
>those privileged or confidential by law;

Needless to say, an open records law would be meaningless if a government
agency were allowed to censor the records on its own initiative before
revealing them! So, if the Social Security number were to be redacted,
the Department of Transportation would have to be specifically authorized
by law to do it. Alas, as in most states, there appears to be no Wyoming
statute declaring the form -- or the information on it, including the
Social Security number -- to be privileged or confidential. Worse still,
any such declaration would arguably be overridden by the Federal statute.

Wyoming Violates the Privacy Act

The Wyoming Department of Transportation (WYDOT) also violates the
Federal Privacy Act by failing to place a Privacy Act Notice on its
driver's license applications. 5 U.S.C.  552a note (1982) (see
http://www.usdoj.gov/foia/privstat.htm), also called the Privacy Act of
1974, provides that:

>(b) Any Federal, State or local government agency which requests an
>individual to disclose his social security account number shall inform
>that individual whether that disclosure is mandatory or voluntary, by what
>statutory or other authority such number is solicited, and what uses will
>be made of it.

Without a Privacy Act notice (which does *not* appear on the current
application), WYDOT is not permitted to collect Social Security numbers
whether there is a Federal requirement for it to do so or not. This was
affirmed in Gredinger v. Davis (see
http://www.networkusa.org/fingerprint/page2/fp-ssn-davis.html).
Nonetheless, the state's Department of Transportation refuses to issue
the license based on an otherwise complete application.

Michigan's Challenge

The Michigan Secretary of State is challenging the Federal laws that,
together, require collection and disclosure of Social Security numbers.
The two press releases at

http://www.sos.state.mi.us/pressrel/active/010227-1n.html

and

http://www.sos.state.mi.us/pressrel/active/010104-1n.html

describe the progress of the case.

When the Federal law was modified to encompass all drivers' licenses, it
was claimed by overzealous legislators that the change was necessary to
collect drivers' Social Security numbers to pursue deadbeat parents. The
Michigan Secretary of State, however, says that it would actually make
their system LESS effective, not more, because of the actual logistics of
tracking deadbeat parents. In the second press release cited above, her
office wrote:

>Secretary Miller argued in her exemption requests that the collection of
>Social Security numbers would violate the strong interest her department
>has in protecting customer privacy.  The process would be expensive and
>counterproductive to measures already in place by the state to track
>those owing child support.  It was also noted that in addition to being
>an unfunded federal mandate, the law raises questions about its ability
>to protect the welfare of Michigan children.
>
>This federal law applies only to citizens with driver licenses, which
>severely limits the ability to locate deadbeat parents. Consequently in
>Michigan, more than four million people would be overlooked because the
>databases containing records of suspended drivers, state identification
>card holders and those on the Qualified Voter File would be excluded
>from any search.
>
>Currently, the Michigan Family Independence Agency (FIA) conducts
>searches of all Secretary of State databases for deadbeat parents using
>a name, or even part of a name.  It is successful in obtaining
>identification 90 percent of the time, according to figures from FIA and
>the Secretary of State. The Secretary of State estimates that the
>success rate would drop to about 60 percent under the federal law
>primarily because searches would be limited to only residents with
>driver licenses. Other problems with the federal law identified by
>Secretary Miller include:
>
>* States would not be required to verify the Social Security numbers
>collected by their Department of Motor Vehicles or Secretary of State
>offices are correct.
>
>* The law represents a significant duplication of effort because both
>the Internal Revenue Service and Michigan Department of Treasury already
>have databases of Social Security numbers.
>
>* The law places the majority at risk for possible misuse of their
>Social Security numbers and identity fraud in attempts to target a
>minority guilty of delinquent child support payments.

Unfortunately, because the suit is being brought in only one Federal
district, a ruling in favor of the Michigan Secretary of State would not
be binding in the rest of the country.

My Status

Deb Ornelas, an administrator at the Wyoming Department of
Transportation, insists that I submit my Social Security number in order
to keep my license. She says that she believes that her hands are tied by
both state and Federal law. Indeed, due to a lack of vigilance by
legislators and citizens, they may well be unless the law is challenged
and that challenge is successful. Thus, I may need to decide between the
risk of trivially easy identity theft or loss of my right to drive.

Suggestions regarding how to proceed, and help in starting an initiative
to have the Federal laws changed, would be greatly appreciated.

--Brett Glass


Re: Recording industry threatens researcher (RISKS-21.37)

<"Douglas W. Jones" <jones@cs.uiowa.edu>>
Fri, 4 May 2001 11:00:07 -0500 (CDT)

I cannot avoid suggesting an analogy (in the spirit of the analogy
fest cited in the previous item in the same Risks Digest):

If I present a paper about the construction of a gun, nobody threatens to
sue me.  In fact, if I possess a gun, I am protected by the second
amendment.  My right to talk about and possess guns is unlimited.  Only my
use of guns to injure or kill is regulated by law.

If, on the other hand, I wish to present a paper describing the weakness of
a commercial encryption product, where that weakness could be used to
violate a copyright law, my first ammendment right to free speech is
irrelevant.  Discussion of the weakness itself is forbidden, without regard
to whether I construct a mechanism to exploit that weakness and without
regard to whether I actually injure the interests of a copyright holder.

We can conclude from this that the second ammendment is far stronger than
the first ammendment, or that the interests of copyright holders are far
more important than the right to life of potential shooting victims.

It is ironic that the entertainment industry is directly behind this
round of attacks on the first ammendment!

Doug Jones <jones@cs.uiowa.edu>

PS: http://www.cs.uiowa.edu/~jones/compress/#intro contains, in the
solution to machine problem 3, the source code of a program that I
believe would violate the DMCA if anyone were stupid enough to use
a ROTn Caesar cypher to protect a copyrighted work (distributing the
work in ROTn encrypted form, and selling the value of n to to
customers).  This program finds n for almost any ROTn encrypted
English text.


16th Annual Software Engineering Symposium 2001

<cb@sei.cmu.edu (Carol Biesecker)>
Mon, 7 May 2001 19:30:22 +0000 (UTC)

Catalysts for Improving Acquisition and Development of
  Software-Intensive Systems

SEI 16th Annual Software Engineering Symposium 2001
15 -- 18 Oct 2001
Grand Hyatt at Washington Center, Washington, D.C.

For more information about the Symposium, contact
Symposium 2001 Conference Coordinator
Phone:   412 / 268-3007
FAX:   412 / 268-5556
E-mail: symposium@sei.cmu.edu

Please report problems with the web pages to the maintainer

Top