The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 65

Saturday 8 September 2001

Contents

More about Star Wars 2: "Letter from America"
Pete Mellor
The Heavens at War: NMD assessed
Leonard Erickson
Getting the Facts Out - Announcing "FACT SQUAD"
Lauren Weinstein
Citibank ATM network outage
Joshua L. Weinberg
France Telecom inadvertent disclosure blamed on "computer error"
Peter Campbell
Photo tickets dismissed in San Diego
Jim Griffith
Web filter considered harmful
Thomas Roessler
Early morning phone call angers citizens
Barry Hurwitz
New software lets managers search e-mail
Jonathan Leffler
Consumer Reports password policy risks
Bill Bumgarner
Norton Personal Firewall
Ben Laurie
Solar parking meters are a bad idea in wet Britain
David Mediavilla Ezquibela
Sacramento woman denied $2.8 million jackpot
Max
Accidental disclosure
Gene Spafford
Re: Air Force office mails confidential information
Maj. John Robinson
Info on RISKS (comp.risks)

More about Star Wars 2: "Letter from America"

<Pete Mellor <pm@csr.city.ac.uk>>
Sun, 2 Sep 2001 21:11:07 +0100 (BST)

The following is a summary of Alistair Cooke's "Letter from America" this
week (BBC World Service and Radio 4, Sunday 2nd September 2001).

As in my previous message about "The Heavens at War", I have tried to give
a fair summary, indicating personal comments by [PM: blah, blah].

Technical Aspects:

Cooke summarised the progress on the National Missile Defense (NMD) project,
and referred to the recent successful interception flight test (IFT-6).

He then raised a problem with the vehicle used as a target.  After talking
about the various technical terms used in defence (going back to the time
when journalists had to learn terms like "uranium" and "plutonium") he
introduced the latest term: "spin-stabilisation".

[PM: I downloaded the glossary of terms and acronyms from the Ballistic
 Missile Defense Organization's website.  It occupies over 800 Kbytes in
 pdf format.

 Follow the link from:
 http://www.acq.osd.mil/bmdo/bmdolink/html/bmdolink.html ]

An advanced missile such as the USA is capable of launching would use
spin-stabilised warheads.  Rotating them increases their accuracy, but also
makes their trajectory more predictable and so they are easier to track in
mid-course than cruder missiles.  The targets used in the interception
flight tests were spin-stabilised.

Cooke quoted an anonymous source in the DoD who said that he had no
illusions about the difficulty of implementing the Star Wars interception
system, but having to intercept crude "wobblers" was an enormously difficult
task, particularly in the presence of similarly wobbly decoys.  The problem
is due precisely to the primitive nature of the missiles that are likely to
be launched in an attack from a less developed country!

Around 100 acres of US Government land in Alaska have been set aside for
testing interceptor flights to hit some of the USA's own crude wobbly
rockets. Cooke's source said: "To succeed will take years and years".  So,
if North Korea can wait until 2004 before launching a rogue attack, the US
might be able to intercept it!

Three systems are therefore under development:-

1. To intercept a spin-stabilised warhead,
2. To intercept the "wobbly tumbler" warheads which are still capable of
   causing massive damage although they might end up miles off target, and
3. (The supreme technical achievement) to detect real from fake wobbly
   tumblers and hit the right one.

Cooke quoted General Ronald T. Kadish:

Our test philosophy is to add, step-by-step over time, complexity such as
countermeasures and operations in increasingly stressful environments.
This approach allows us to make timely assessments of the most critical
design risk areas.  It is a walk-before-you-run, learn-as-you-go
development approach.  These testing activities provide critical
information that reduces developmental risk and improves our confidence
that a capability under development is progressing as intended.

[The Ballistic Missile Defense Program.  Address by Lieutenant General
 Ronald T. Kadish, USAF Director, Ballistic Missile Defense Organization,
 before the House Armed Services Committee on the Amended Fiscal Year 2002
 Budget. July 19, 2001
 http://www.acq.osd.mil/bmdo/bmdolink/html/kadish19jul01.html ]

(Cooke added a contemptuous "Harrumph".)

The Political Dimension:-

Although journalists are in the habit of saying that the President will do
this or that, the budget for any proposal must go through both Houses of
Congress before it is passed and funds become available.  (The President
proposes, Congress disposes.)

A further question is: Does the President have the constitutional right to
abrogate the ABM treaty?

A 2/3 majority in Congress is required to empower the President to sign a
treaty.

In 1978 the late Senator Barry Goldwater brought suit against President
Jimmy Carter to prevent him withdrawing from the Mutual Defence Treaty
with Taiwan. The Supreme Court ruled 6 to 2 in Carter's favour, and stated
in its judgment that such a decision is down to the executive and
branches or the legislature.

A senior constitutional lawyer has stated that the Senate should decide next
week after its summer recess if the President does have that power.  If the
Goldwater/Carter case is taken as a precedent, then the President could in
theory opt out of any or all treaties to which the US is party (including
withdrawing from the United Nations and NATO!)

Cooke concluded that, all things considered, including the probable cost
[PM: $7,044.779 million for fiscal year 2002 alone, from Kadish's address]
and the serious doubts about the constitutional right to abrogate the ABM
treaty, "The prospect for Star Wars 2 seems, to put it mildly, ill-starred!"

[PM: Footnote.  See slide 13 in the news briefing on the interceptor
 flight test:-

 http://www.defenselink.mil/news/Aug2001/g010809-D-6570C.html

 Several software problems interfered with the functioning of the ground
 tracking station.]

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB +44 (0)20 7040 8422  <p.mellor@csr.city.ac.uk>


The Heavens at War: NMD assessed

<shadow@krypton.rain.com (Leonard Erickson)>
Sun, 2 Sep 2001 05:31:10 PST

I'm just going to point out a few examples of a major risk here, the
arguments being advanced as to possible counter-measures against lasers
show a *fundamental* misunderstanding of the means by which weapons
lasers damage targets.

They don't *burn* thru the surface, they deposit *huge* amounts of
energy (kilojoules to megajoules) into the surface layers of the target
in *microseconds*.

The time scale makes rotating the vehicle a bad joke. And the energy
levels make reflective coatings an equally bad joke.

At these energy levels, the target spot *explodes* into plasma with
effect equivalent to a fair sized chunk of TNT.

And this has pointed out back when SDI was being worked on. Yet these
*same* "problems" are still being pointed out.

There are similarly disingenuous aspects to the discussion of decoys.

Given that none of this appears to have been mentioned in the program,
I have to conclude that it wasn't even *remotely* objective in assessing
the missile defense program.

In short, from what was reported to RISKS, the program was badly
slanted. And hardly anything to base a risk evaluation on.

Other aspects of the post make it seem inappropriate for RISKS as well.

As a counter,let me just note that there are risks to *not* trying to
develop a defense. And to spreading grossly inaccurate "risk
assessments" regarding something that is in it's early testing stages.

There are potential problems. But bringing up "problems" like the ones
I mention above is not eliminating risks, it's spreading propaganda.

Other items brought up may be valid risks or invalid ones, depending on
one's assessment of the relative risks of no missile defense versus one that
is not 100% effective. But *that* aspect of things is *not* a valid topic
for *this* list! Not unless there's been a major policy change that I'm
unaware of.

Leonard Erickson (aka shadow{G})  shadow@krypton.rain.com


Getting the Facts Out - Announcing "FACT SQUAD"

<pfir@pfir.org (PFIR - People For Internet Responsibility)>
Thu, 6 Sep 2001 19:26:50 -0700 (PDT)

PFIR - People For Internet Responsibility - http://www.pfir.org

   [ To subscribe or unsubscribe to/from this list, please send the
     command "subscribe" or "unsubscribe" respectively (without the
     quotes) in the body of an e-mail to "pfir-request@pfir.org". ]

          Getting the Facts Out - Announcing "FACT SQUAD"
	               September 6, 2001
            http://www.pfir.org/factsquad-announce

Greetings.  Immediately following the recent People For Internet
Responsibility "Future of the Internet" Workshop, technology columnist Dan
Gillmor reported on the event within his widely-read column.  He especially
noted one of the key points of agreement at the meeting -- there's a serious
need for coordinated information sources and experts to counter the often
skewed information provided by lobbyists and other vested interests relating
to technology issues.  As it stands, it's usually those well-heeled
interests who have successfully organized, for their own betterment, to
provide information about technical matters to media, politicians, and many
others.

Dan used the term "fact squad" to describe the need for a coordinated effort
to provide some balance in these matters.

PFIR has now set up a structure that we hope can provide assistance in
filling this fact gap.  We've created "Fact Squad" -- its home page,
which describes the project in more detail, is at:
  http://www.factsquad.org

Fact Squad is oriented specifically towards folks who need straightforward,
direct, and largely "jargon-free" information about these topics.  It is a
coordinated resource for media, researchers, or anyone else -- cutting
through the hype and getting to the facts.

Fact Squad by itself obviously cannot be the complete solution to the
long-festering and worsening problems of manipulated information and
propaganda relating to technical issues and their impact on society.  But we
think it's potentially an important step in the right direction.

In addition to the Fact Squad home page listed above, three new contact
e-mail addresses have been established relating to this effort:

- Questions or information about specific topics or issues:
    facts@factsquad.org

- General inquiries:
    general@factsquad.org

- Information about participating in Fact Squad:
    participate@factsquad.org

We look forward to your questions, comments, and participation.

Thanks very much.

Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org
Tel: +1 (818) 225-2800
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

Peter G. Neumann
neumann@pfir.org or neumann@csl.sri.com or neumann@risks.org
Tel: +1 (650) 859-2375
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, RISKS Forum - http://catless.ncl.ac.uk/Risks
Chairman, ACM Committee on Computers and Public Policy
http://www.csl.sri.com/neumann


Citibank ATM network outage

<"Joshua L. Weinberg" <joshua@theWeinbergs.com>>
Wed, 05 Sep 2001 09:16:25 -0700

Citibank's network of 2000 automated teller machines went down on the
evening of 4 Sep 2001, due to software problems.  It was still down the next
day.  Citibank's online Internet system also crashed at the same time.
Basic service was restored about two hours later, but various problems
persisted.  [Source: Reuters item, 5 Sep 2001; PGN-ed]
  http://dailynews.yahoo.com/h/nm/20010905/bs/financial_citibank_dc_2.html

Joshua  L. Weinberg, 2 Townsend St., Apt 1-905, San Francisco, CA 94107
1-415-777-3339  joshua@theWeinbergs.com


France Telecom inadvertent disclosure blamed on "computer error"

<"Peter Campbell" <peter.a.campbell@worldnet.att.net>>
Thu, 6 Sep 2001 20:28:19 -0500

A variant on the risk of leaving information you don't want disclosed in
'comments' part of a MS Office document, except that instead of the
consequences being just egg-on-face, there are selective disclosure issues
and the potential for accusations of unfairness.  In the US, class action
lawsuits have been attempted for less.

  http://public.wsj.com/sn/y/SB999174259870751856.html
  http://biz.yahoo.com/prnews/010830/nyth052.html

For the uninitiated, selective disclosure of material information is a
mortal sin in the investment world.  The underlying principle of financial
markets is one of fairness to all shareholders -- stock in a company is not
called "equity" for nothing.  Executing trades based on information to which
all shareholders do not have access is called insider trading, though
mechanisms do exist that allow insiders to trade in a perfectly legitimate
and legal fashion, and is a grave offense in most countries with developed
financial markets.  Of course, most large investors have more time,
resources and expertise to devote to decision making than most small ones,
so their advantage is undeniable. But the basis for making investment
decisions, so-called material information, must be available to all
investors, large and small.  A widely discussed regulation, dubbed Reg FD
(for Fair Disclosure) was adopted by the SEC in October of 2000: more
information on that here:
  http://www.sec.gov/rules/final/33-7881.htm

Back to the subject and the risk: the error is obviously human and the risks
of email compounded with the notes/comments/change-tracking features have
been discussed many times in Risks.  Indeed the company I work for released
a PR document with the revision history intact...  I can happen to the best
of us !


Photo tickets dismissed in San Diego

<Jim Griffith <griffith@olagrande.net>>
Tue, 4 Sep 2001 18:22:57 -0500 (CDT)

A judge in San Diego dismissed 290 tickets issued by a new red light camera
system.  The issue was a $70 contingency fee paid per ticket to the private
company operating the system, which gave that company a clear monetary
incentive to issue more tickets.  The case in question may impact the
fifty other cities in the nation which also use red light camera systems.
The judge did not question the accuracy of the technology itself.

http://abcnews.go.com/wire/US/reuters20010904_522.html


Web filter considered harmful

<Thomas Roessler <roessler@does-not-exist.org>>
Fri, 7 Sep 2001 12:42:11 +0200

Today, I had to call Palm Support Germany about some problems encountered
with one of their new models (insert m500 into the USB cradle, and the PC
will occasionally reboot).

The call-center guy I had on the phone hadn't heard about the problem.
However, I had done a web search before, and had found some mailing list
discussions where someone reported that Palm's US second-tier support knew
the problem quite well.

So I gave the list archive's URL to the guy, asking that he investigates the
problem.

"Sorry, I can't access this through our web proxy.  They want to be sure
that we don't surf for private purposes during work hours."

The RISK should be obvious: Filtering support employees' web access for
security or whatever other reasons can seriously damage these employees'
ability to do their job.

Thomas Roessler                        http://log.does-not-exist.org/


Early morning phone call angers citizens

<"Barry in Indy" <barryindy@ameritech.net>>
Sun, 2 Sep 2001 06:49:52 -0500

A lightning strike caused a computer to begin sending out an automated phone
message in the middle of the night. The meeting announcement, scheduled to
be delivered during the day on Friday, August 31, but was sent starting
after 9 PM Thursday night, and continued until 3:30 AM Friday. There were
about 50 complaints.

http://www.indystar.com/print/citystate/sat/articles/badcall01.html

The RISKS? Political suicide, at the least.

Barry Hurwitz


New software lets managers search e-mail

<Jonathan Leffler <jleffler@informix.com>>
Wed, 5 Sep 2001 12:49:04 -0700 (PDT)

Note from *Computerworld*: Managers everywhere will soon have the power to
remotely check employee e-mail boxes, search for common words and even
delete e-mail without notification, thanks to new software.

http://computerworld.com/nlt/0%2C3590%2CNAV47_STO63417_NLTDM%2C00.html

[JL: The risks of abuse seem legion.  And accidental abuse could occur;
what if that deleted email was actually important?]

Jonathan Leffler (Jonathan.Leffler@Informix.com)
Guardian of DBD::Informix v1.00.PC1 -- http://www.perl.com/CPAN


Consumer Reports password policy risks

<Bill Bumgarner <bbum@codefab.com>>
Wed, 05 Sep 2001 17:40:57 -0400

My family regularly uses *Consumer Reports* to evaluate various products
before we make a purchasing decision.

The enclosed e-mail is the culmination of a rather round-about discussion.
The original problem was that I could not log into my CR account [paid
subscription] because it kept claiming the password is incorrect.
Eventually, I discovered that I could log in if I claimed that I had
forgotten my password and forced the site to send me a "click here to change
your password" URL via email (in plain text, of course).

Along the click trail of "click here to change your password", the user
enters a new password twice, verifies the two passwords matches, logs the
user in (to the edit the account page-- ugh), and presents the user with the
site as if they had successfully logged in.

If the user happens to choose a password containing an exclamation point
(!), the site silently drops the exclamation point without giving the user
any feedback that it has done so.  Subsequent login attempts, of course,
fail (unless the user happens to forget to type the (!)).

Risk #1: Silently modifying the user's entered password, claiming successful
entry, and storing the modified (and likely insecure password)

Risk #2: Limiting passwords to just letters/numbers.  Most good password
crackers will brute force through all the various 'dog', 'd0g', d)g'
possibilities.

Risk #3: Having a "forgot your password" click path that leads directly to
all of the pertinent account information.  Thankfully, it does not display
your FULL credit card-- but does give the last five digits and does allow
the user to modify various bits of critical information.

Risk #4: Sending the "forgot your password" URL in a plain text email.  A
dead horse.

Risk #5: Having nice, responsive customer support that had *no clue* that
this problem existed (or even that it was a problem) when, in fact, the
problem has been an issue for nearly a year (maybe longer).

I'm sure there are others...

b.bum
(enjoying a 'Fisher & Paykel' as a result of information found on the
above site.... talk about killer engineering.  Drop a couple of wet
sneakers in it, set it to spin dry at 7,000 RPM and it actually balances
the drum to keep the thing from tearing itself apart!)

Begin forwarded message:

> From: customerservice@customerrelations.consumer.org
> Date: Wed Sep 05, 2001  05:14:24  PM America/Montreal
> To: "Mr. Bill Bumgarner" <bbum@codefab.com>
> Subject: Message from Consumer Reports Online - Ref:382442
>
> Dear Mr. Bumgarner:
>
> Thank you for your recent e-mail.  It was a pleasure to hear from you.
>
> After reading your e-mail, I'm sorry to say that your password cannot have
> an exclamation point (!).  However, please be assured that your password
> can indeed consist of letters and numbers.  If you have any questions,
> please feel free to contact our Online Subscription Department toll-free
> at
> (800) 633-0663.  A representative will be more than happy to assist you.
>
> Again, thanks for your e-mail.  I hope you continue to enjoy the benefits
> of Consumer Reports OnlineĈ.
>
> Sincerely,
>
> Jenny Manzueta
> Customer Relations
> 382442

In cyberspace, no one can hear you laugh.


Norton Personal Firewall

<Ben Laurie <ben@algroup.co.uk>>
Tue, 04 Sep 2001 20:31:08 +0100

I recently had a problem with a Web site I run. A user complained that
Norton Personal Firewall was saying the site was "trying to access her bank
account details". Much investigation later, we discovered that the problem
was completely stupid.

NPF protects the user from sites that allow them to enter sensitive
information in a form that is not secured by SSL. I guess there's some value
in this. However, a number of factors combine to produce completely
unnecessary FUD, not to mention a complete waste of everyone's time.

Firstly, users are advised to protect their credit/debit card numbers by
entering only some of the digits - the recommended number being 4.

Secondly, the "firewall" objects to a web page being served by the server
containing the sensitive information if the page contains a form and is not
secured by SSL. However, it does not check whether the data presented is
even in the form.

Thirdly, the message presented to the user suggests that the webserver is
somehow trying to _access_ the sensitive data rather than present it (I'm
afraid I do not have the exact wording - figuring out the problem was
tedious enough without trying to elicit such details from the user).

The net effect of all this is that you get hysterical messages from the user
(and everyone else on the mailing list they post this problem to) saying
that you are trying to steal their credit card numbers.

And the cause? A link containing a timestamp in seconds. For any 4 digit
sequence the timestamp will match it for 1 second approximately 10 times a
day, for 10 seconds once a day, for 100 seconds every 10 days, and so
on. This lucky user happened to have a number that recently matched all the
time for a period of 12 days.

http://www.apache-ssl.org/ben.html


Solar parking meters are a bad idea in wet Britain

<David Mediavilla Ezquibela>
Thu, 6 Sep 2001 20:26:55 +0200

http://news.telegraph.co.uk/news/main.jhtml?xml=/news/2001/09/06/nmet06.xml

Nottingham Council (United Kingdom) admitted that the 215 parking meters
powered by solar energy that they installed didn't function as expected.
They followed the example of other countries in sunny Southern Europe, but,
even when this summer has been sunnier in Nottingham, several meters have
failed allowing parking for free during periods. Others didn't work even in
sunshine because they were under trees.  The provider, Metric, is adjusting
them for winter to save energy.

David Mediavilla Ezquibela	<davidme.forum@bigfootNO.SPAMcom>


Sacramento woman denied $2.8 million jackpot

<Max <max7531@earthlink.net>>
Fri, 07 Sep 2001 15:28:16 -0700

  [The RISK: having a failure mode the same as the winning mode.  Max]

Nevada Gaming Control Board agents say a Sacramento woman did not win a $2.8
million jackpot she thought she won last month at a Reno casino because the
machine malfunctioned. "The first reel started to spin, and it touched a
maintenance card," said Paul Dix, a Gaming Control Board supervisor. "And
the machine did what it was supposed to do. It went into a tilt." But
Francesca Galea, 29, insists her play was a legitimate win. And she's
willing to fight for the winnings.  [PGN-excerpted from AP report, 7 Sep 2001]


Accidental disclosure

<Gene Spafford <spaf@cerias.purdue.edu>>
Wed, 5 Sep 2001 08:42:03 -0500

Several recent Risks Digests have (once again) illustrated hazards
associated with accidental disclosure of personal information online.

Readers who do not get the Computing Research Association News might want to
check the May issue.  I wrote a cautionary article about using online
applications and recommendation letter collection, specifically for
academia.

See <http://www.cra.org/CRN/issues/0103.pdf> for " Protecting
Personal Information in Academia."


Re: Air Force office mails confidential information (RISKS-21.63)

<tympani@att.net>
Wed, 05 Sep 2001 14:53:18 +0000

Re: the USAF Academy e-mail foul-up mentioned in RISKS-21.63: the standard
e-mail package for Air Force offices is MS Outlook, which lets you assemble
lists of names into addressee groups to avoid the hassle of typing or
reselecting a large list of names each time you want to send out a mass
message. What likely happened here is that the officer responsible simply
clicked the wrong addressee group in haste or carelessness; for instance,
instead of selecting "Cadet Group Headquarters" he might have selected
"Cadet Group," which would shotgun the message out to everybody.

Of course there are any number of other ways this could have happened, but I
doubt that there are any shenanigans going on.

Maj. John Robinson, USAF
  [Still, it could be SirCam.  PGN]

Please report problems with the web pages to the maintainer

Top