The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 84

Monday 11 August 2003

Contents

Identity Crisis, article by Robert O'Harrow Jr.
PGN
Man proves he was victimized by network vandals
NewsScan
Dutch price index wrong due to software error
Erling Kristiansen
Worker deletes herself out of job
M Taylor
UCITA support fading fast
NewsScan
Judge throws out RIAA subpoenas
NewsScan
Who profits from spam? Surprise!
Bob Sullivan via Monty Solomon
Ticketmaster privacy policy slammed
Paul Festa via Monty Solomon
Hacker gets Acxiom customer information
Caryn Rousseau via Monty Solomon
Acxiom's FTP Server compromised by /now former/ client
Randy Holcomb
Software patching gets automated
William Jackson via Lillie Coney
How many Windows crashes occur in a year?
John Dvorak via Monty Solomon
Company's error sends customers to Massachusetts adult phone line
Monty Solomon
University library catalogue + security
Richard A. O'Keefe
GenCon Registration Woes Blamed on Computer Network
Allan Goodall
Re: Metadata in Photoshop files
Sidney Markowitz
Re: New online futures market bets on next White House scandal
Stephen R. Holmes
Re: Software violates stock ownership limits
John R. Levine
Info on RISKS (comp.risks)

Identity Crisis, article by Robert O'Harrow Jr.

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sat, 9 Aug 2003 11:33:27 PDT

*The Washington Post Magazine* Cover Story:
Identity Crisis, by Robert O'Harrow Jr.
http://www.washingtonpost.com/wp-dyn/articles/A25358-2003Aug6.html

Caption on pair of photos:
LEFT:
Meet Michael Berry: political activist, cancer survivor, creditor's dream.
RIGHT:
Meet Michael Berry: scam artist, killer, the real Michael Berry's worst
nightmare ...

  [This is an extraordinary article.  MUST READING for all of us
  victims-in-waiting.  PLEASE dig it out while it is still on-line.  PGN]


Man proves he was victimized by network vandals

<"NewsScan" <newsscan@newsscan.com>>
Mon, 11 Aug 2003 09:16:20 -0700

In the U.K., a man has been acquitted in Exeter Crown Court after
successfully arguing that child pornography found on his personal computer
had been placed there without his knowledge by network vandals who had used
a "Trojan horse" program to infect his machine. The case creates two
worries: one, that actual child pornographers now have a new alibi that
would be difficult to disprove; two, that innocent Web surfers might find
themselves charged with possessing illegal material planted on their
computers by malicious invaders. Former U.S. federal computer crime
prosecutor Mark Rasch says, "The scary thing is not that the defense might
work. The scary thing is that the defense might be right. The nightmare
scenario is somebody might go to jail for something he didn't do because he
was set up."  [*The New York Times*, 11 Aug 2003; NewsScan Daily, 11 Aug
2003] http://partners.nytimes.com/2003/08/11/technology/11PORN.html


Dutch price index wrong due to software error

<Erling Kristiansen <erling.kristiansen@xs4all.nl>>
Thu, 07 Aug 2003 22:13:23 +0200

The Dutch Central Bureau of Statistics (CBS) published an incorrect price
index due to "an error in a computer program", according to the newspaper
Trouw (7 August). The published index was too high by "a few tenths of a
percent". No further explanation is given as to the nature of the error, why
it was not discovered before publication, or how it was discovered later.

This may have an impact on salary adjustments as well as pensions and
various social benefits that are linked to the inflation rate.

This is yet another example of how dependent we have become on "the computer
says so, so it must be right". A few tenths of a percent on a country-wide
basis, even in a small country, adds up to a lot of money.


Worker deletes herself out of job

<M Taylor <mctaylor@privacy.nb.ca>>
Thu, 7 Aug 2003 21:31:17 +0100

A Nova Scotia [Canada] government employee has been fired for deleting her
own speeding ticket from a computer database. ... The unidentified woman will
not face criminal charges.

Now the kicker is she was found by an audit conducted after another employee
had also altered entries in the database of driver's records.  Why can
people delete records from such a database?  Shouldn't it operate like the
accountant's double-entry ledger?  Where mistakes are not deleted, but a
correction entry is appended.

http://novascotia.cbc.ca/regional/servlet/View?filename=ns_firedwork20030806

M Taylor  http://www.mctaylor.com/
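
What the append-only ledger M Taylor asks for looks like in practice, as an added example (Python with the standard-library sqlite3 module; this is not code from the Nova Scotia system, whose design the story does not describe). Every change to a citation is a new event row; the "current" state is a view over the latest event; DELETE and UPDATE are refused by triggers; and the audit that caught the clerk becomes a routine query instead of a one-off. The table and column names, the clerk user-id scheme, and the assumption that a clerk's user id is the same identifier used in the driver column are all constructed for the example, as is the sample data.

```python
import sqlite3

# Constructed schema: the citation table is a log of events, never a mutable record.
SCHEMA = """
CREATE TABLE citation_events (
    event_id  INTEGER PRIMARY KEY AUTOINCREMENT,
    citation  TEXT NOT NULL,                       -- ticket number
    driver    TEXT NOT NULL,                       -- assumed: same id space as actor
    action    TEXT NOT NULL CHECK (action IN ('issued', 'voided', 'amended')),
    note      TEXT,
    actor     TEXT NOT NULL,                       -- clerk who made the entry
    recorded  TEXT NOT NULL DEFAULT (datetime('now'))
);
-- Append-only: refuse DELETE/UPDATE even if the connection holds those rights.
CREATE TRIGGER no_delete BEFORE DELETE ON citation_events
BEGIN SELECT RAISE(ABORT, 'citation_events is append-only'); END;
CREATE TRIGGER no_update BEFORE UPDATE ON citation_events
BEGIN SELECT RAISE(ABORT, 'citation_events is append-only'); END;
-- Current state is derived from the newest event for each citation.
CREATE VIEW citations AS
SELECT e.citation, e.driver, e.action AS status, e.actor AS last_actor, e.recorded
FROM citation_events e
WHERE e.event_id = (SELECT MAX(event_id) FROM citation_events
                    WHERE citation = e.citation);
"""


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with the append-only schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record(conn, citation, driver, action, actor, note=None):
    """The only write path: append one event. A 'void' is a new row, not a deletion."""
    conn.execute(
        "INSERT INTO citation_events (citation, driver, action, note, actor) "
        "VALUES (?, ?, ?, ?, ?)",
        (citation, driver, action, note, actor),
    )
    conn.commit()


def current_status(conn, citation):
    """Status as the view reports it (latest event wins), or None if unknown."""
    row = conn.execute(
        "SELECT status FROM citations WHERE citation = ?", (citation,)
    ).fetchone()
    return row[0] if row else None


def history(conn, citation):
    """Full trail of (action, actor, note) for a citation, oldest first."""
    return conn.execute(
        "SELECT action, actor, note FROM citation_events "
        "WHERE citation = ? ORDER BY event_id",
        (citation,),
    ).fetchall()


def try_delete(conn, citation) -> bool:
    """Attempt a raw DELETE; returns True only if it succeeded (it must not)."""
    try:
        conn.execute("DELETE FROM citation_events WHERE citation = ?", (citation,))
        conn.commit()
        return True
    except sqlite3.DatabaseError:  # RAISE(ABORT) surfaces as an IntegrityError
        conn.rollback()
        return False


def self_service_voids(conn):
    """Audit query: voids entered by the person the citation was issued to."""
    return conn.execute(
        "SELECT citation, actor FROM citation_events "
        "WHERE action = 'voided' AND actor = driver"
    ).fetchall()
```

The triggers are belt and braces; the real control is that the application's database role is granted INSERT and SELECT only, so a clerk's interface has no statement that could remove the ticket. The void still shows up in the status view, which is what the clerk wanted, but the history and the self-service query make it visible without waiting for a second incident to prompt an audit.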


UCITA support fading fast

<"NewsScan" <newsscan@newsscan.com>>
Fri, 08 Aug 2003 11:08:16 -0700

Key backers of the Uniform Computer Information Transactions Act (UCITA)
have bowed to pressure from opposition groups and will stop lobbying for the
bill's passage. The bill was intended to protect software developers from
intellectual property theft by bringing into conformity conflicting software
licensing laws in various states, but critics, including the American Bar
Association and the American Library Association, said the legislation would
grant software makers too much power over their products at the expense of
consumers. So far, UCITA has been enacted in only two states, Maryland and
Virginia, and now that the effort has lost the support of the National
Conference of Commissioners on Uniform State Laws (NCCUSL), UCITA is
unlikely to gain further consideration from other states, says an NCCUSL
spokeswoman. Opponents of the bill commended NCCUSL for its decision: "It is
heartening to see NCCUSL backing away from a very flawed statute, but it
will never be able to write sound law for the information economy until it
takes to heart the criticisms of the user sector," said Jean Braucher, a law
professor at the University of Arizona and a member of AFFECT -- Americans
For Fair Electronic Commerce Transactions.  [CNet News.com 7 Aug 2003;
NewsScan Daily, 8 August 2003]

http://news.com.com/2100-1028_3-5061061.html?tag=fd_top


Judge throws out RIAA subpoenas

<"NewsScan" <newsscan@newsscan.com>>
Mon, 11 Aug 2003 09:16:20 -0700

A federal judge in Boston has rejected subpoenas filed by the Recording
Industry Association of America last month as part of its nationwide
crackdown on digital music file-sharing. The subpoenas targeted students at
Boston College and the Massachusetts Institute of Technology who used
various screen names to share songs online. In his ruling, Judge Joseph L.
Tauro said that under federal rules, subpoenas issued in Washington cannot
be served in Massachusetts. The RIAA called the ruling "a minor procedural
issue" but declined to say whether it would refile in Boston.  [AP 8 Aug
2003; NewsScan Daily, 11 Aug 2003]
  http://apnews.excite.com/article/20030809/D7SQ5LC80.html


Who profits from spam? Surprise! (Bob Sullivan)

<Monty Solomon <monty@roscom.com>>
Sun, 10 Aug 2003 12:27:27 -0400

Many companies with names you know are benefiting
Bob Sullivan, MSNBC, 8 Aug 2003

There wouldn't be spam if there wasn't money in spam. So to understand what
primes the spam economy, MSNBC.com answered a single unsolicited commercial
e-mail. Following this one spam trail led us from Alabama to Argentina, from
a tiny Birmingham-based firm and someone named "Erp" past a notorious
spammer named Super-Zonda - and right through big-name companies like
Ameriquest, Quicken, and LoanWeb. And that's just the beginning. The truth
about spam is this: While the dirty work is done by secretive, faceless
computer jockeys who are constantly evading authorities, lots of companies
with names you know profit, at least tangentially, from their efforts.  ...
  http://www.msnbc.com/news/940490.asp


Ticketmaster privacy policy slammed (Paul Festa)

<Monty Solomon <monty@roscom.com>>
Fri, 8 Aug 2003 01:30:04 -0400

By Paul Festa, CNET News.com, 6 Aug 2003

People buying tickets online through Ticketmaster may be surprised to find
themselves receiving spam as an encore.  The ticket service, which holds a
lock on advance ticket sales for most major entertainment events, is taking
heat from consumers for a privacy policy that does not let online ticket
buyers opt out of receiving e-mail pitches from an event's producers and
other businesses associated with it.  That, Ticketmaster critics say, means
that the company has made receiving spam part of the price of admission.

"I have only bought a single ticket from Ticketmaster, many years ago,"
wrote one customer on an online discussion board devoted to the privacy
policy. "Since that purchase, I have received tons of 'targeted' e-mail
personalized with my full name, the city, etc...For now, I do everything I
can to avoid ticket purchases from Ticketmaster (and have been successful)."

The Ticketmaster privacy policy under fire states that customers may "opt
out" of getting e-mail from Ticketmaster itself, but cannot refuse to share
their personal information with "event partners" -- defined as "the venues,
promoters, artists, teams, leagues and other third parties associated with
that concert, game or other event."  ...
  http://news.com.com/2100-1026-5060827.html


Hacker gets Acxiom customer information (Caryn Rousseau)

<Monty Solomon <monty@roscom.com>>
Fri, 8 Aug 2003 02:20:18 -0400

By Caryn Rousseau, Associated Press, 7 Aug 2003

A computer hacker gained access to private files at Acxiom Corp., one of the
world's largest consumer database companies, and was able to download
sensitive information about some customers of the company's clients, the
company said Thursday.  "The data on the servers was a wide variety of
information, some of which was personal, some of which was not," Jennifer
Barrett, the company's chief privacy officer, said in an interview with The
Associated Press on Thursday. The AP was notified of the intrusion by an
anonymous caller who would not identify himself or his connection with the
company.  Barrett said the company did not know about the breach until a law
enforcement agency from Ohio contacted it last week.  Barrett said both the
hacker and the stolen information are in police custody. She said about 10
percent of the company's customers were affected and that, "it would include
some of our larger customers."  ...
  http://finance.lycos.com/home/news/story.asp?story=35190673


Acxiom's FTP Server compromised by /now former/ client

<"Randy Holcomb" <rholcomb@speakeasy.net>>
Fri, 8 Aug 2003 21:31:18 -0500

"... The breach involved one external FTP server outside Acxiom's firewall
that is used to transfer files back and forth between Acxiom and its
clients.  The company said no internal databases were accessed and no breach
penetrated its firewall. Additionally, the firm said only a small percentage
of its clients' data was involved in the incident.

Acxiom's client list includes a number of Fortune 500 companies, like
Microsoft, IBM, AT&T, and Blockbuster. The company says it services 14 of
the top 15 credit card companies, 7 of the top 10 auto makers, 7 of the top
10 media entertainment companies, 6 of the top 10 magazine publishing
companies, 4 of the top 5 telecom companies, 5 of the top 6 retail banks and
3 of the top 5 retailers. ..."
  <http://www.internetnews.com/article.php/2246461>


Software patching gets automated (William Jackson)

<Lillie Coney <lillie.coney@acm.org>>
Fri, 08 Aug 2003 15:09:26 -0400

By William Jackson, GCN Staff

Whenever the Defense Department's Computer Emergency Response Team
Coordination Center sends out a vulnerability alert, each DoD systems
administrator must acknowledge it and respond with a plan for closing the
hole.  The notification and response is becoming more automated, said a
security manager at a DoD software development shop, who contacted GCN and
asked that neither he nor his agency be named in print.  The problem is that
the remediation is manual.  When you get two or three alerts an hour, it
gets out of control.  The DoD security manager said he uses the Hercules
automated remediation tool from Citadel Security Software Inc. of Dallas to
cut the time for fixing flaws in multiple machines from weeks to days or
hours.  [...]

  [And when it is *fully* automated, think of how wonderful it will be to
  have new Trojan horses and security flaws installed instantaneously,
  without having to require human intervention.  Perhaps someday we might
  have systems that do not require continual patching, but I'm not holding
  my breath.  PGN]


How many Windows crashes occur in a year? (John C. Dvorak)

<Monty Solomon <monty@roscom.com>>
Sat, 9 Aug 2003 00:26:44 -0400

Magic Number: 30 Billion
By John C. Dvorak, 4 Aug 2003

So what actually happens when your Windows XP machine crashes and asks if
you want to send a report? The reports obviously accumulate in some
database, and I can only assume that when one bin piles up with similar
crash memos, the coders get to work. Exactly how many notifications does
Microsoft get? Nobody knows for sure, but based on comments Bill Gates made
at a recent meeting for analysts, the number must be astronomical.

Gates said that 5 percent of Windows machines crash, on average, twice
daily. Put another way, this means that 10 percent of Windows machines crash
every day, or any given machine will crash about three times a month. Since
Bill is a math junkie, I have to assume this number is real and based on
something other than a phone survey.  Those reports seem like the obvious
source.

Now according to StatMarket.com, as of March 2003, Windows XP had 33.41
percent global market share among operating systems. Let's give Microsoft
the benefit of the doubt and make Windows XP's share an even 35 percent at
this point. How many computers are in use?  According to the Computer
Industry Almanac, there were 603 million worldwide in 2001, and the growth
rate seems to be around 10 to 15 percent per year. Let's be relatively
conservative, and add just under 100 million to get a round number of 700
million PCs. With 10 percent of them crashing daily, we have 70 million
crashes every 24 hours. And since only 35 percent are XP machines, 24.5
million reports a day accumulate in Redmond -- nearly 9 billion per year. I
doubt this number will go down anytime soon.  ...
  http://www.pcmag.com/article2/0,4149,1210067,00.asp

  [Wonderful article.  John goes on to estimate that this works out to a
  minimum of 30 billion Windows system crashes per year.  He points out that
  this magic number is also the number of gallons of fresh water California
  wastes because of mismanagement, the dollar total for the Enron scam, and
  a few other nice examples.  But he concludes that he is partial to the
  number ZERO, and thinks maybe that should be the target for Microsoft.
  PGN]


Company's error sends customers to Massachusetts adult phone line

<Monty Solomon <monty@roscom.com>>
Fri, 8 Aug 2003 01:01:44 -0400

Associated Press, 6 Aug 2003

Some unsuspecting Verizon customers trying to pick a new long-distance plan
were offered ''sexy introductions'' and a chance to ''continue the fun'' on
an adult phone line.  A letter sent to thousands of Verizon long-distance
customers across the country last week listed a number for ''Intimate
Connections'' as a Verizon customer service number, Verizon officials said
Tuesday.  ...
http://www.boston.com/dailynews/218/region/Company_s_error_sends_customer:.shtml


University library catalogue + security

<"Dr Richard A. O'Keefe" <ok@cs.otago.ac.nz>>
Mon, 11 Aug 2003 15:25:32 +1200

Until recently, our university library used a DYNIX catalogue.
That had a Telnet interface and a Web interface; I always used
the Telnet interface because that way I could get things done quicker.

We now have a new catalogue, called Conzulsys, which you may be able
to view at https://otago.conzulsys.ac.nz.
It's described as the "New Zealand Universities' Shared Library System",
and indeed one can look up things in (a few) other libraries as well.

Problems.
(1) There isn't a Telnet interface any more.  This means that I can no
    longer use 'expect' to drive queries.  Chizz.
(2) The interface isn't really designed for any of the machines I use (a
    SunBlade100 and a G3 PowerMac).  For example, quite a lot of buttons
    have black text on a dark blue background, so that I cannot see what
    the buttons actually are.  The navigation links at the top of the page
    are images, even though they are just plain text, and they're a little
    too small to read comfortably on a 90dpi screen.
(3) The ***** thing keeps timing out.  For example, just now I started a
    multisite search for a particular author; it popped up a window showing
    me that the searches had started, and then a second later, before
    delivering any results, said "Restart Web Voyáge
    Your Catalogue session timed out due to inactivity."  How can that be
    when I've just entered a query?  And now that's happened, it doesn't
    matter _what_ I click, I get the same stupid timeout page.
(4) When new books come into the library, they are put on a rack of
    "New Arrivals" shelves.  It used to be that you could take them over
    to a terminal and book them.  Now you have to fill out a paper form and
    hand it to the librarians, and at the end of the week they have to spend
    several hours sorting these things out by hand.  (Literally sorting to
    get priority right; you have to fill out the time you put the form in.)
(5) You might not have predicted (3) or (4), but you probably *could* have
    predicted this one.  The HTML they generate is systematically bad.
    A <LINK> element is used to connect a page to its style sheet, BUT
    it is put in the <BODY> instead of the <HEAD> where it belongs.  In
    fact, it's worse than that.  Sometimes the <LINK> is before the
    <!DOCTYPE>.  In addition, ampersands in URIs are *not* escaped as &amp;.
    The pages are sufficiently garbled to give even HTML Tidy a headache,
    which makes it difficult to replace expect queries with wget queries.
(6) Nowhere in any of the pages is there the slightest mention of Javascript
    or that you must turn off security features to use the pages.  But
    Javascript there is.  You can imagine how thrilled I am at having to
    enable Javascript on the machine where I write exams...

But here's the really cute thing.  Under the old system, if I wanted to
reserve a book, I had to enter my library card barcode and a password.  As
far as I know, the library card barcode wasn't used for anything else, and
if someone intercepted the barcode and password, it didn't actually let
anybody *do* anything to me except reserve books, which would have been
nuisance value.  Now all the staff have been assigned a user code and a
password.  The user code has the form
  <3 letters of last name> <2 letters of first name> <2 digits> <1 letter>
I don't yet know how the final digits and letter are assigned.  This user
code is printed on the library cards, so at least all the library staff can
see them.  The password is not.

This is where social engineering comes in.  Because these user codes and
passwords are new, many staff members don't have them or don't know them.
So you ring up a certain phone number, and they tell you what your password
is or let you assign one.  When I assigned my password last week, there was
NO check that I was who I said I was.

Why is this a problem?  After all, all you can do with this is reserve
books and renew ones, plus see what someone has out, and I've always
regarded what I have out as pretty much public information anyway.

The government here is introducing something called Performance Based
Research Funding.  Sounds good, except that the data are going in now and
won't be updated until 2006, so it's really (*Former* Performance) Based
Research Funding.  Most academic staff have to use a web browser to enter a
lot of information (much of which the university should have anyway, but
that's another story) into a PBRF database.  How do they know you have a
right to enter this information?  Why, from your user code and password, of
course.  The same user code that is printed on your library card and the
same password which is set/reported without any checks on who you are.

After that, I don't suppose I need to tell you that the courseware system
uses the same user code and password as the other system.

  [I somewhat reluctantly fixed a typo above: "bardcode" sounded
  appropriately Shakespearean for a library system.  PGN]


GenCon Registration Woes Blamed on Computer Network

<Allan Goodall <agoodall@att.net>>
Mon, 11 Aug 2003 09:06:53 -0500

GenCon is a large, annual game convention and trade show held at the end of
July or early August. Although it was held in Milwaukee, Wisconsin for many
years, this was its first year in Indianapolis, Indiana, with a record
attendance figure of 28,000 people over the four days of the convention.

The wait in line to register has always been a point of complaint, but this
year that wait was particularly excessive, peaking at four hours on the
Saturday. In an open letter to various message boards and newsgroups, GenCon
CEO/owner Peter Adkison blamed most of the problem on the convention's
computer network. A copy of the open letter can be found here:
http://www.gamingreport.com/article.php?sid=9515

In summary:
- The computers used for registration were on the same network as the
computers that allowed convention attendees to freely access the Internet.
Apparently there were no restrictions on the use of these public access
computers.
- By the first day of the convention 216 computers on the network were
infected by a worm. The source of the infection was one of the public access
computers, which also contained downloaded p*rn files.
- The network wasn't sufficient to handle the traffic even without the worm
problem. The worm amplified the problem.
- Each attendee received a badge with their name printed on it. Badges were
printed at a limited number of printers, 6 badges to a sheet. At times, the
printers would time out due to the excessive network traffic. Sometimes the
printed sheets would get lost. The badge printers were a major bottleneck in
the system.

The RISKS here should be obvious.

This isn't the first time GenCon has had public access terminals on their
network. The registration process doesn't appear to be much different from
when I last attended (August 2000). Either the convention organizers were
unusually lucky in previous years, or the problems weren't deemed sufficiently
bad to warrant (in the minds of the organizers) stronger security and
procedural changes. Adkison doesn't state whether or not the change in venue
this year was a contributing factor.


Re: Metadata in Photoshop files (RISKS-22.83)

<Sidney Markowitz <sidney@sidney.com>>
Fri, 08 Aug 2003 10:35:25 +1200

Photoshop may not be to blame and the RISK may be broader than a single
software product being the Microsoft Word of photography.

According to Sue Chastain at
http://graphicssoft.about.com/b/a/2003_07_26.htm
the revealing thumbnails mentioned in RISKS-22.83 were not likely to be
placed by Photoshop. Thumbnail previews, part of the EXIF metadata standard
used by all digital cameras, may be created automatically when the picture
is taken. She says "EXIF information and metadata is increasingly becoming a
concern for professional photographers working in digital because it can
potentially expose information [...]". Photoshop, rather than being the
culprit, has a "Save for Web" command that strips out metadata including
thumbnail previews.
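
To make the thumbnail risk concrete, here is an added example in Python (not code from the RISKS contributor, from Photoshop, or from the About.com article): a small JPEG segment walker that locates the preview image referenced from EXIF IFD1 (tags 0x0201 and 0x0202, the JPEG-compressed form cameras normally write), and a stripper that drops the entire APP1 Exif segment, which is the effect "Save for Web" has. The sample JPEG is constructed inline with a placeholder byte string standing in for a real preview; the function names are my own. Uncompressed (strip-based) thumbnails are not handled, and other metadata containers (XMP, IPTC in APP13) would need the same treatment.

```python
import struct

# JPEG markers and EXIF tags used below (values from the JPEG and EXIF specs).
SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_THUMB_OFFSET, TAG_THUMB_LENGTH = 0x0201, 0x0202   # JPEGInterchangeFormat(+Length)


def _segments(jpeg: bytes):
    """Yield (marker, payload_start, payload_end) for each length-delimited segment before SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (SOS, EOI):
            return          # entropy-coded scan data follows; stop walking
        start, end = pos + 4, pos + 2 + length
        yield marker, start, end
        pos = end


def _exif_tiff(jpeg: bytes):
    """Return the TIFF blob carried in the APP1 Exif segment, or None."""
    for marker, start, end in _segments(jpeg):
        if marker == APP1 and jpeg[start:start + 6] == EXIF_HEADER:
            return jpeg[start + 6:end]
    return None


def _read_ifd(tiff: bytes, offset: int, endian: str):
    """Parse one IFD: returns ({tag: (type, count, raw_value_bytes)}, next_ifd_offset)."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, typ, num = struct.unpack_from(endian + "HHI", tiff, pos)
        entries[tag] = (typ, num, tiff[pos + 8:pos + 12])
        pos += 12
    (next_ifd,) = struct.unpack_from(endian + "I", tiff, pos)
    return entries, next_ifd


def find_exif_thumbnail(jpeg: bytes):
    """Return the embedded preview (itself a JPEG) from IFD1, or None if there is none."""
    tiff = _exif_tiff(jpeg)
    if tiff is None:
        return None
    endian = {b"MM": ">", b"II": "<"}.get(tiff[:2])   # TIFF byte-order mark
    if endian is None:
        return None
    (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
    _, ifd1_off = _read_ifd(tiff, ifd0_off, endian)
    if ifd1_off == 0:
        return None                                   # no IFD1, hence no thumbnail
    ifd1, _ = _read_ifd(tiff, ifd1_off, endian)
    if TAG_THUMB_OFFSET not in ifd1 or TAG_THUMB_LENGTH not in ifd1:
        return None
    (off,) = struct.unpack(endian + "I", ifd1[TAG_THUMB_OFFSET][2])
    (length,) = struct.unpack(endian + "I", ifd1[TAG_THUMB_LENGTH][2])
    return tiff[off:off + length]


def strip_exif(jpeg: bytes) -> bytes:
    """Copy of the JPEG with every APP1 Exif segment (thumbnail included) removed."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if marker == APP1 and jpeg[start:start + 6] == EXIF_HEADER:
            out += jpeg[last:start - 4]   # copy everything up to this segment's marker
            last = end                    # then skip the segment itself
    out += jpeg[last:]
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed input: minimal JPEG whose EXIF IFD1 points at a fake preview image."""
    thumb = b"\xff\xd8THUMBNAIL\xff\xd9"   # placeholder for a real (uncropped) preview
    e = ">"
    # TIFF layout: header (8) | IFD0 at 8 (18 bytes) | IFD1 at 26 (30 bytes) | thumb at 56
    ifd0 = struct.pack(e + "H", 1)
    ifd0 += struct.pack(e + "HHI", 0x0112, 3, 1) + struct.pack(e + "HH", 1, 0)  # Orientation=1
    ifd0 += struct.pack(e + "I", 26)                                            # -> IFD1
    ifd1 = struct.pack(e + "H", 2)
    ifd1 += struct.pack(e + "HHII", TAG_THUMB_OFFSET, 4, 1, 56)
    ifd1 += struct.pack(e + "HHII", TAG_THUMB_LENGTH, 4, 1, len(thumb))
    ifd1 += struct.pack(e + "I", 0)                                             # last IFD
    tiff = b"MM\x00\x2a" + struct.pack(e + "I", 8) + ifd0 + ifd1
    assert len(tiff) == 56
    tiff += thumb
    payload = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(payload) + 2) + payload
    scan = struct.pack(">HH", SOS, 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9"
    return b"\xff\xd8" + app1 + scan
```

Run `find_exif_thumbnail` over an image before publishing it: a non-None result means a second, possibly unedited, picture is riding along inside the file. Stripping the APP1 segment removes it along with the rest of the EXIF block; a publishing pipeline that wants to keep orientation or colour-profile data should re-emit only the tags it needs rather than pass the original segment through.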


Re: New online futures market bets on next White House scandal

<"Stephen R. Holmes" <srh@myrealbox.com>>
Fri, 8 Aug 2003 17:04:27 -0400

Having just re-read John Brunner's 1975 novel "The Shockwave Rider", I was,
umm, shocked to open RISKS 22.83 and find "New online futures market bets on
next White House scandal" and "Pentagon's online trading market plan draws
fire".

In Brunner's future world (circa 200x), citizens gamble on the "Delphi" odds
that such-and-so (everything from war and famine to soap opera events) will
come to pass, in exactly the same fashion. Both schemes mentioned in RISKS
could have been taken directly from the novel.

Life imitating art?


Re: Software violates stock ownership limits (RISKS-22.83)

<johnl@iecc.com (John R. Levine)>
8 Aug 2003 04:33:56 -0000

About 25 years ago, someone had a computer hooked up to a Telex line and
programmed it to trade commodities futures, sending telex orders to his
broker.  But it wasn't programmed to take into account the size of the
various markets, some of which aren't all that big, and one day he got a
phone call from the CFTC and they were not at all pleased that he had
cornered the market in a thinly traded commodity, potatoes or something like
that.  He unwound his position and adjusted the program so it never traded
that particular commodity again.  I know this sounds like an urban legend,
but I personally know the guy.

> For companies, the RISKs are less clear.  It's not clear whether
> they had any way of finding out who was actually buying their stock, ...

Not really.  Stock held in accounts at brokers or banks (most of it these
days), is nominally owned by one of a handful of specialist companies such
as Cede & Co.  There is a way that the broker can tell the company who the
beneficial owner is so they can send out annual reports and proxy
statements, but that takes a while, so that companies have only a vague idea
of who owns their stock on any given day.  That's one of the reasons you
have to file notices with the SEC if you plan to buy a substantial amount of
a company's stock.

John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 330 5711
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
