The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 20

Thursday 22 August 2002

Contents

"Homeland Insecurity"
Monty Solomon
Home overvalued by $200 million affects tax recovery
Fuzzy Gorilla
103-year-old man told to bring parents for eye test
Arthur Goldstein
Alleged ID thief arrested in NYC
Monty Solomon
Your packets know the way to San Jose.
Malcolm Purvis
Emergency call-center power-supply woes
Dave Stringer-Calvert
YASST: Yet Another Silly Spam Trick
Rob Slade
Re: E-mail content filtering ...
Joe Stoy
E-mail *envelope* filters blocking NDN and DSN
MAtteo HCE Valsasna
Content based e-mail filtering -- timely example
Betsy Schwartz
Klez + html login = no security
Leonard Erickson
Klez: The Virus That Won't Die
Monty Solomon
The left hand of the government asketh ...
Rob Slade
Re: Apple OSX and iDisk and Mail.app
Dave
REVIEW: "Computers and Ethics in the Cyberage", Hester/Ford
Rob Slade
SAFECOMP 2002 & ECCE-11
Massimo Felici
Info on RISKS (comp.risks)

"Homeland Insecurity"

<Monty Solomon <monty@roscom.com>>
Wed, 14 Aug 2002 10:16:15 -0400

Charles C. Mann, a top expert, says America's approach to protecting itself
will only make matters worse.  Forget "foolproof" technology -- we need
systems designed to fail smartly...

  To stop the rampant theft of expensive cars, manufacturers in the 1990s
  began to make ignitions very difficult to hot-wire. This reduced the
  likelihood that cars would be stolen from parking lots-but apparently
  contributed to the sudden appearance of a new and more dangerous crime,
  carjacking.

  After a vote against management Vivendi Universal announced earlier this
  year that its electronic shareholder-voting system, which it had adopted
  to tabulate votes efficiently and securely, had been broken into by
  hackers. Because the new system eliminated the old paper ballots,
  recounting the votes-or even independently verifying that the attack had
  occurred-was impossible.

  To help merchants verify and protect the identity of their customers,
  marketing firms and financial institutions have created large computerized
  databases of personal information: Social Security numbers, credit-card
  numbers, telephone numbers, home addresses, and the like. With these
  databases being increasingly interconnected by means of the Internet, they
  have become irresistible targets for criminals. From 1995 to 2000 the
  incidence of identity theft tripled.

http://www.theatlantic.com/issues/2002/09/mann.htm

  [This article is extremely timely, well written, and important for
  RISKS readers.  It also features various insights from Bruce Schneier,
  whom Charles interviewed while researching the article.  PGN]


Home overvalued by $200 million affects tax recovery

<"Fuzzy Gorilla" <fuzzygorilla@euroseek.com>>
Mon, 19 Aug 2002 16:20:50 -0700

In Manhattan, Kansas, a home property valued at $59,500 was inadvertently
changed to $200,059,000, and seriously disrupted the calculation of the
local budgets for the school district, the city, and Riley County --
resulting in a 6.5% overstatement of the value of county property, and a
shortfall in tax revenues of over $2.3 million.  [PGN-ed]
  http://dailynews.yahoo.com/news?u=/ap/20020819/ap_on_fe_st/property_value_2


103-year-old man told to bring parents for eye test

<arthur.goldstein@att.net>
Fri, 02 Aug 2002 01:14:55 +0000

Another cute medical mix-up (Reuters, 31 Jul 2002):
http://news.excite.com/odd/article/
  id/256255|oddlyenough|07-31-2002::12:22|reuters.html

British pensioner Joseph Dickinson, 103, had a shock when his local hospital
called him in for an eye test and told him to bring his parents.  "I must be
getting younger, in fact much younger," he told his local paper, the
Hartlepool Mail.  He was born in 1899, but because the hospital computer
only read the last two digits it mistook his age as just three years old. ...


Alleged ID thief arrested in NYC

<Monty Solomon <monty@roscom.com>>
Tue, 20 Aug 2002 22:17:56 -0400

A man captured by the US Marshals Service in New York is accused of stealing
the identities of 12 Boston lawyers to buy lavish cars and finance spending
sprees, the agency said yesterday.  Shawn R. Pelley, 26, had evaded
authorities for nearly a year before he was caught after a car chase.  Once
convicted of fraud, he allegedly began an identity-theft scam shortly after
his release from prison last summer.  Using information from a law
directory, he allegedly obtained his victims' birth certificates and credit
reports, opened credit-card accounts, and took bank loans on the stolen IDs.
[Source: Thanassis Cambanis, *The Boston Globe*, 20 Aug 2002; PGN-ed]
  <http://www.boston.com/dailyglobe2/232/metro/Alleged_ID_thief_arrested_in_NYC+.shtml>


Your packets know the way to San Jose.

<Malcolm Purvis <malcolmpurvis@optushome.com.au>>
Wed, 21 Aug 2002 22:32:00 +1000

The Southern Cross Cable Network, a significant supplier of bandwidth
between Australia and the US, recently announced a new access point in San
Jose.  The Associated Press release says in part:

  The new San Jose access point is located at Market Post Tower, which
  currently houses the world's most famous Internet peering point, MAE
  West. Virtually all of the network access points and data centers in the
  surrounding San Francisco Bay Area connect to Market Post Tower via
  high-speed local fiber rings. ...  70% of the Internet traffic from the
  Western United States and 40% of the world Internet traffic passes through
  the building that houses the new Southern Cross access point.

I wonder how well the rest of the Internet would cope if something happened
to that building (which has a web site, so you can learn all about it).  I
also see that MAE West is owned by WorldCom.

The press release is at:
  <http://www.southerncrosscables.com/layup_ms19_8_02.htm>


Emergency call-center power-supply woes

<Dave Stringer-Calvert <dave_sc@csl.sri.com>>
Mon, 19 Aug 2002 21:46:05 -0700

One of North Yorkshire Police's main telephone switchboards was shut down
for four hours as the result of a serious control-room power-supply problem
in Newby Wiske, Northallerton.  Traffic was redirected to the York control
room, which had considerable congestion due to the reduced total number of
operators.  [Source: Article by Tony Tierney, *Yorkshire Evening Press*, 19
Aug 2002; PGN-ed]


YASST: Yet Another Silly Spam Trick

<Rob Slade <rslade@sprint.ca>>
Sun, 4 Aug 2002 14:58:43 -0800

At the moment I have a hotmail account, rmslade@hotmail.com.  It gets a ton
of spam, of course.  Recently, as I was cleaning ou the accumulated sludge
(Hotmail's "junk" settings are pretty useless), I noted a message that
appeared to come from "rmslade."  Now, it isn't unusual for spammers to set
up the mailing so that the messages have a forged "From" line that contains
the same address the message is sent to.  Only in this case, the message was
from rmslade@yahoo.com, and that is not an address I own.

Looking at the headers in detail revealed (along with the fact that the
spammer is probably yallddamail.com [65.121.131.5] [Qwest Communications])
that the actual address used is $user@yahoo.com.

Now, as I said, spammers spoof addresses all the time.  But does Hotmail
have to enable such a transparent means of allowing it?

rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Re: E-mail content filtering ... (Miller, RISKS-22.16)

<Joe Stoy <stoy@sandburst.com>>
Mon, 29 Jul 2002 10:32:34 -0400

My favourite story along these lines is about the two German musicologists
who were having a learned discussion by e-mail about Bach's B Minor Mass,
until both simultaneously came to the conclusion that the other side was
losing interest towards the end of the Gloria.  But it turned out that their
e-mail system was simply refusing to let through any mention by name of the
magnificent fugue at the end of that section.


E-mail *envelope* filters blocking NDN and DSN

<MAtteo HCE Valsasna <valsasna@uninsubria.it>>
Mon, 29 Jul 2002 16:24:00 +0200 (CEST)

Many RISKS readers have already reported about RISKs associated with e-mail
filters based on the contents. But serious service RISKs are also associated
to envelope-based filters, i.e., filters based on the sender (or recipient)
used in SMTP transactions (in contrast with those present in the e-mail
headers).

Many SMTP servers have started fitering e-mail with an empty envelope sender,
their administrators claiming they can block a lot of spam that way. This is
in clear contrast with RFC [rfc1123, see quote below].

A reason for this is that an empty envelope sender must be used with NDN
(Non Delivery Notification) and DSN (Delivery status notification) messages,
which are used to inform the sender that his message couldn't be delivered
to the recipient, or to confirm to the sender the delivery or the reading of
a message [rfc1891, see quote below].

Filtering those messages could mean that, under certain conditions, a
delivery confirmation could fail to reach the sender, or, much worse, a
non-delivery notification could never reach the sender.

When empty reverse path filtering is applied at the SMTP server receiving
messages for the user's address, NDN and DSN messages originated at other
servers will be rejected. This can happen for example if the user uses a
different SMTP server to send her messages, if the SMTP server that receives
a message does not reject it immediately, but rather accepts it and later
generates a negative DSN message to inform the reader of the missed
delivery, and also happens for DSN messages generated at a different domain
than the sender's.

SPMT gives no guarantees about the delivery of a message, but makes any
possible effort to inform the sender that a message could not be delivered
(also these efforts are not generally guaranteed to succeed).  Filtering
messages with an empty envelope sender risks to render these attempts
useless.

Users have got accustomed to receive a negative confirmation (NDN) when they
send a message that will never reach the recipient, so they may trust that a
message for which they received no NDN has actually been delivered (a
classical problem of double-negative logic). Filtering empty reverse path
messages will void this trust, leaving the sender with the impression that
his message has reached someone. The RISKs associated with this false
assumption are obvious.

The assumption is actually false basing on SMTP's absence of guarantees, not
on the improper loss of NDN messages due to empty smtp sender filtering, but
users do not read manuals, they look at how the service actually works and
build their assumptions accordingly.

Another general-purpose RISK (assuming that a system that usually works will
*always* work).

MAtteo HCE Valsasna - Network & Linux Administrator
Centro SIC - Univ. degli Studi dell'Insubria

http://www.faqs.org/rfcs/rfc1123.html (Requirements for Internet Hosts
-- Application and Support)

 5.2.9  Command Syntax: RFC-821 Section 4.1.2

         The syntax shown in RFC-821 for the MAIL FROM: command omits
         the case of an empty path:  "MAIL FROM: <>" (see RFC-821 Page
         15).  An empty reverse path MUST be supported.

http://www.faqs.org/rfcs/rfc1891.html (SMTP Service Extension for
                   Delivery Status Notifications)

7.1 SMTP Envelope to be used with delivery status notifications

   The DSN sender address (in the SMTP MAIL command) MUST be a null
   reverse-path ("<>"), as required by section 5.3.3 of [9].  The DSN
   recipient address (in the RCPT command) is copied from the MAIL
   command which accompanied the message for which the DSN is being
   issued.  [...]


Content based e-mail filtering -- timely example

<Betsy Schwartz <betsys@pobox.com>>
Sun, 11 Aug 2002 12:59:17 -0400

Another problem is that it's impossible for any one sysadmin to know, for a
given string, whether it's a legitimate word or name in some contexts.

I've had several people say to me recently: "but, what legitimate e-mail
could possibly contain the word 'klez' "?  Well, I am a big fan of klezmer
music and there will be some sad wedding parties if "klez" is filtered out!
See http://www.klezmershack.com

  [And this will undoubtedly get THIS issue filtered for some readers.  PGN]


Klez + html login = no security

<shadow@krypton.rain.com (Leonard Erickson)>
Tue, 20 Aug 2002 03:12:14 PST

I mostly use a DOS based mail reader program, so I often get MIME
encoded mail or other mail that may or may not have viral payloads (or
just typical Microsoft "everyone uses our mailer" dreck).

I move the messages to a directory to be checked out later.

Today I was going thru the message that'd piled up there over the last
couple of weeks. And I was looking at the other files included in Klez
infected messages.

One was a file that had "login" as part of the name, and no extension.  A
quick check with LIST showed it to be an HTML file. Out of curiosity, I
added an HTML extension, and looked at it on a Windows system.

I found myself on a website for a company I won't name. With the username
and password having just been entered on a login screen!

A password that seems to still be valid.

I found a "technical problems" email address on the web site and mailed the
contact the info about the problem. And I deleted the file.

But whatever program created this login "file" (I think html had embedded
Javascript) is *really* a bad idea to have in this world that has viruses
that email random files from infected systems to the world.

Anybody care to bet that my report to the company gets ignored?

Leonard Erickson (aka shadow{G})  shadow@krypton.rain.com


Klez: The Virus That Won't Die

<Monty Solomon <monty@roscom.com>>
Thu, 22 Aug 2002 09:15:25 -0400

Already the most prolific virus ever, Klez continues to wreak havoc.
By Andrew Brandt, Sep 2002 issue of *PC World* magazine, 1 Aug 2002

The Klez worm is approaching its seventh month of wriggling across the Web,
making it one of the most persistent viruses ever. And experts warn that it
may be a harbinger of new viruses that use a combination of pernicious
approaches to go from PC to PC.

Antivirus software makers Symantec and McAfee both report more than 2000 new
infections daily, with no sign of let-up at press time. The British security
firm MessageLabs estimates that 1 in every 300 e-mail messages holds a
variation of the Klez virus, and says that Klez has already surpassed last
summer's SirCam as the most prolific virus ever.

And some newer Klez variants aren't merely nuisances--they can carry
other viruses in them that corrupt your data.  ...
  http://www.pcworld.com/news/article/0,aid,103259,00.asp


The left hand of the government asketh ...

<Rob Slade <rslade@sprint.ca>>
Thu, 1 Aug 2002 08:34:19 -0800

Despite the reports being a day apart, the following two stories appeared
next to each other in last evening's Edupage from EDUCAUSE.  EDUCAUSE made
no comment on the juxtaposition.  However, I suspect that pretty much anyone
can see the cause for concern here.  Poorly thought out "quick fix"
legislative solutions, such as the DMCA, can definitely be much more trouble
than they are worth.

------- Forwarded message follows -------
>Date sent:      	Wed, 31 Jul 2002 17:43:42 -0600
>From:           	EDUCAUSE@EDUCAUSE.EDU
>Subject:        	Edupage, July 31, 2002

[...]
TOP STORIES FOR WEDNESDAY, JULY 31, 2002
  Clarke Urges Hackers to Find and Report Bugs
  H-P Uses DMCA Against Bug Finders

[...]
CLARKE URGES HACKERS TO FIND AND REPORT BUGS
Richard Clarke, the cybersecurity advisor to President Bush, told
attendees of the Black Hat conference in Las Vegas that they should
find and report software bugs that compromise computer security. [...]
Associated Press, 31 July 2002
http://www.nandotimes.com/technology/story/484376p-3867743c.html

H-P USES DMCA AGAINST BUG FINDERS
In an apparent first, Hewlett-Packard has invoked the controversial
Digital Millennium Copyright Act (DMCA) to stop researchers from
releasing information about software bugs. [...] But H-P sent
a letter to SnoSoft, a group of researchers, saying that the group
faces fines of $500,000 and jail time for releasing information about a
bug in an H-P Unix application. SnoSoft said that they notified H-P of
the flaw early enough that a patch should have been available before
public disclosure of the bug. [...]
CNET, 30 July 2002
http://news.com.com/2100-1023-947325.html

[...]
EDUPAGE INFORMATION

To subscribe, unsubscribe, or change your settings, visit
http://www.educause.edu/pub/edupage/edupage.html


Re: Apple OSX and iDisk and Mail.app

<Dave <davew1@mac.com>>
Sat, 27 Jul 2002 21:08:50 -0400

from Volume 22 : Issue 18:
> Net effect: your iDisk password is transmitted in the clear without
> your awareness, albeit as a mail password.
> Problems:
...
> - mac.com's mail password is *always* identical to iDisk password

Yes, by definition. mac.com mail and iDisk are part of iTools (now ".Mac")
which uses a single account/password to access all of its services.

> - OSX's "do what I mean" friendliness saves passwords without knowledge

Users enter their iTools info in the Internet preferences panel which
states: "Enter your member name and password. This information is used to
access iTools, including your iDisk and your e-mail account."  Hard to
misinterpret that.

> then connects to mac.com which *does not* support any method of
> encrypted password transmission.

That's the real problem which Apple will correct quickly (right guys?)


REVIEW: "Computers and Ethics in the Cyberage", Hester/Ford

<Rob Slade <rslade@sprint.ca>>
Tue, 20 Aug 2002 15:12:27 -0800

BKCMETCB.RVW   20020606

"Computers and Ethics in the Cyberage", D. Micah Hester/Paul J. Ford,
2001, 0-13-082978-1, U$41.00
%A   D. Micah Hester
%A   Paul J. Ford
%C   Scarborough, Ontario
%D   2001
%G   0-13-082978-1
%I   Prentice Hall
%O   U$41.00 800-576-3800 416-293-3621 fax: 201-236-7131
%P   498 p.
%T   "Computers and Ethics in the Cyberage"

This volume is a collection of essays, arranged in a rather complex fashion.
There are parts, subdivided into chapters, with each chapter containing
about four papers.  It isn't necessarily difficult to find the theme running
through each set of papers, but neither does the conjunction of ideas
support the individual discussions.

The preface, interestingly, states that the book provides no general
introduction to ethics.  There are also lists of alternative orderings and
selections of the papers included in the volume, suggested to address
additional topics.

Part one is an introduction to technology, computers, and values which last
is rather in contradiction to the assertion that the work contains no such
introduction.  In any case, there is no introduction to values.  The essays
in chapter one look at how the machine affects personality (a poetic but
unconvincing piece), a review of various (both positive and negative but
primarily religious) views of technology, opinions on technology and moral
responsibility, and the ethical problems presumed to be unique to computers.
Chapter two views computer technology as value-laden.  The first paper
insists that computers should be improved by the addition of abilities for
responding to simple requests in natural language, apparently implying that
the search for the "user-friendly" chimera has an ethical driver.  (A common
desire, but one that flies in the face of user-interface research that
indicates people are, in fact, unable to frame requests accurately even in
natural language.)  Others assert that computers fail to distinguish between
numbers and data (and between information and reason), that work with
Boolean algebra molds the thinking process, and that computers are fun
because they are magic.

Part two purports to review computers and quality of life.  Chapter three
looks at technology and relations with other people.  One paper points out
that the attitude of the Amish towards the telephone is supportive of
community living, but admits that the example has almost no relation to
other technology.  Others discuss various things you can do online, how much
Howard Rheingold likes the WELL service, and that John Perry Barlow doesn't
know whether community actually exists (online or in real life).  Computer
and individuality is addressed, in chapter four, with an unsupported
assertion that technology has some normative value, wild speculation on
implantable brain chips, a fictional short story about artificial
personality, and vague thoughts about the anthropomorphizing effect of the
changing language with regard to computers.  A look at computers in
developing nations assumes that the purpose of computer use is control,
asserts (but does not support) the idea that western (and therefore somehow
"authoritative") computers are unsuited to Africa (the entire continent is
assumed to have unreliable data), that information technology can help in
Latin America but there are problems, presents random memories of email use
in Jamaica, and asserts, in chapter five, that transferring technology to
the third world can create problems.

Part three concentrates on the uses, abuses (and maybe consequences) of
technology.  Chapter six looks at professionals and ethics, with various
views of whether professions have special obligations (and a final decision
that computing is not a profession), scenarios emphasizing conflicting
loyalties, and some factors that might help reduce computer misuse.
Freedom, privacy and control is the topic of chapter seven, discussing
problems with direct democracy, reprinting a political speech nominally
about privacy, and attempting to determine a definition and some
characteristics of privacy.  A review of intellectual property ownership and
piracy has an interesting examination of the differences in attitudes to
copyright between western (stressing ownership and roles) and Asian
(emphasizing social benefits and outcomes) cultures, as well as a student
survey, a statement that the arguments in favour of copyright are at best
unproven, and an opinion promoting copy protection cracking and the
distribution of "cracked" commercial programs (with the usual lack of logic
and writing skills).  (Despite this last essay, chapter eight is possibly
the best in the book.)  Chapter nine has some sensationalistic material on
hacking (and a very poor introduction to viruses) with no real conclusions,
a hacker "manifesto," a strong (but no perfect) analysis deciding that
computer intrusions cannot be held to be "victimless," an interview with a
self-styled "hacker" (as self- serving as most such), and a weak examination
of the Morris Worm.

Part four seems to assume that it is moving into more advanced or futuristic
technologies, although the discussions don't change much.  Chapter ten has
another fictional short story implying that computers are false gods, a
replay of "What Computers Can't Do," and a vague wondering about the
definition of life.  One essay, very much in contradiction to the thesis of
Rosalind Picard's excellent "Affective Computing" (cf. BKAFFCMP.RVW)
maintains that a computer which is "superior in every way" (to us) must be a
"monster," and assumes that artificial intelligence will be devoid of
compassion.  (Even if one does accept that intelligence must be emotionless,
there is no mention of the fact that such a system would also lack cruelty.)
The overview of virtual reality (VR) has an interesting examination of the
health and safety effects (limited) and benefits of the technology, and two
assertions of the need for a VR ethic, in chapter eleven.  In chapter
twelve, Al Gore sells the GII (Global Information Infrastructure), we are
told that there is pornography on the Internet, Dibbell's classic "Rape in
Cyberspace" is reprinted, and an article on cyberstalking seems to void its
premise by repeatedly demonstrating that most of the activities take place
in the real world, not the net.

Many of the papers in this collection are lifted wholesale from their
origin.  Although ellipses seem to indicate that material has been cut in a
number of places, there are still some very odd references to other papers
or presentations no longer "present," and even comments directed at people
who are no longer in the audience.

Much of this material is quite seriously flawed by a lack, on the part of
the authors, of a technical background.  This is not to say that
non-technical people cannot comment on the social aspects of technology, nor
that discussions of technical ethics could not benefit from the input of
philosophers, ethicists, sociologists, and the like.  However, many of the
speculations bear little relationship to technical reality, and therefore
the arguments and decisions are invalid.

Overall, there is a lack of direction to the work.  In the end, it gives an
impression of a vague complaint that computers aren't moral, and aren't
taking the burden of ethical decisions away from mankind.  Personally, I
find this position not only unhelpful, but extremely odd.

copyright Robert M. Slade, 2002   BKCMETCB.RVW   20020606
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


SAFECOMP 2002 & ECCE-11

<Massimo Felici <massimo.felici@ed.ac.uk>>
Tue, 20 Aug 2002 18:30:11 +0100

  SAFECOMP 2002
  The 21st International Conference on
  Computer Safety, Reliability and Security
  Catania, Italy, 10-13 September 2002, Catania, Italy
  http://www.safecomp.org/
  contact safecomp2002@safecomp.org

Co-located and Coordinated with
  ECCE 11 - Cognition, Culture and Design
  Eleventh European Conference on Cognitive Ergonomics
  Catania, Italy, 8-11 September 2002
  http://www.ecce.info/

Please report problems with the web pages to the maintainer

Top