From - Fri May 14 22:29:42 1999 Path: reader2.news.rcn.net!feed1.news.rcn.net!rcn!newsfeed.stanford.edu!newsfeed.berkeley.edu!agate!agateway!csl.sri.com!risko From: risko@csl.sri.com (RISKS List Owner) Newsgroups: comp.risks Subject: Risks Digest 20.39 Message-ID: Date: 14 May 99 18:59:39 GMT Sender: usenet Distribution: world Organization: The Internet Gateway Service Approved: risks@csl.sri.com Lines: 584 Xref: reader2.news.rcn.net comp.risks:1401 RISKS-LIST: Risks-Forum Digest Friday 14 May 1999 Volume 20 : Issue 39 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and at ftp.sri.com/risks/ . Contents: Hacker competition opens in Singapore with $10,000 prize (Keith A Rhodes) Faulty software doomed Titan 4B Milstar launch (Keith A Rhodes) MI6 Agents 'outed' by Web (Randy Holcomb) 41-year-old died while NYC's 911 system was down (Monty Solomon) ``Human error'' posts budget PR on the web prematurely (George Michaelson) Computer woes set back opening for Tulsa's jail (Jo Oerhlein) C compilers vs editors: WYSI NOT ALWAYS WYG (Daniel A. Graifer) Risks of upgrading a UNIX system (Wolfgang Moeller) Any Bell Atlantic customer can be spuriously Opted Out from CALL54 (Douglas A. Brothers) SurfWatch filters out plugandpray.com and minow.org (Martin Minow) MS AutoRoute Express 2000 (Pete Mellor) Another talking lift bug (George Michaelson) On-line account access (Leo Sokolskiy) Wrong e-mail address (Bruce Wampler) Risks of 3-letter user IDs for free e-mail accounts (Dan Yurman) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 14 May 1999 10:07:33 -0500 From: "Keith A Rhodes" Subject: Hacker competition opens in Singapore with $10,000 prize Prizes up to $10K are being offered to anyone who first penetrates supposedly secure Web servers at an information technology trade show in Singapore. The two servers are products of Voltaire Advanced Data Security in Israel [210.24.153.70] and Conclave Integrated Internet Security in California [210.24.153.90]. There is also a third (unprotected) server [210.25.153.80]. Successful penetrators must alert the organizers at hackerszoneAyahoo.com within one day of the hack. Conclave regional director George Kane said it had "100 percent confidence" that its server was hacker-proof. You must "break into two workstations, then the secure server, retrieve and change specified files, and then manage to leak the information into a public work station." Voltaire's key security product is a device that physically divides one single personal computer into two workstations, guaranteeing separation of secured and unsecured environments. Conclave utilizes an integrated system that includes a firewall, anti-virus and encrypting capabilities. [Source: Agence France-Press item from Singapore, 13 May 1999] ------------------------------ Date: Thu, 13 May 1999 14:35:24 -0500 From: "Keith A Rhodes" Subject: Faulty software doomed Titan 4B Milstar launch (RISKS-20.36) The 30 Apr 1999 improper Milstar orbit was the result of Lockheed Martin engineers loading flawed software into the Titan/Centaur rocket. The flaw was not detected despite extensive prelaunch "verification". The report will be published next week in *Aviation Week and Space Technology*. "The software was verified at Lockheed Martin Astronautics in Littleton, Colo. The work force there already had been stung by 900 impending job cuts and the murder of 12 students and a teacher at nearby Columbine High School." [Source: Article by Todd Halvorson, Florida Today, 8 May 1999, http://www.flatoday.com/space/explore/stories/1999/050899b.htm; PGN-ed] ------------------------------ Date: Thu, 13 May 1999 11:04:57 -0400 From: "Holcomb, Randy" Subject: MI6 Agents 'outed' by Web A 'disgruntled employee' has reportedly exposed the identities of over 100 MI6 agents on a Web site. [The U.K. government has insisted that the Web pages be removed, although apparently mirrors are popping up in other places. PGN-ed] ------------------------------ Date: Tue, 2 Feb 1999 12:07:14 -0500 From: Monty Solomon Subject: 41-year-old died while NYC's 911 system was down Susan Ungvary repeatedly called 911 when her boyfriend collapsed, but repeatedly got busy signals. It turns out that the 911 system was down for over an hour, as a result of a routine test (four times each year since 1996) of emergency generators in which the backup system failed to forward calls to police headquarters. Whether the death could be attributed to the system outage is unresolved. [Source: Associated Press item, *The Boston Globe*, 2 Feb 1999, page A10; PGN-ed. http://www.boston.com/dailyglobe2/033/nation/As_41_year_old_died__NYC_s_911_was_busy+.shtml] ------------------------------ Date: Wed, 12 May 1999 15:56:57 +1000 (EST) From: George Michaelson Subject: ``Human error'' posts budget PR on the web prematurely I liked: "result of a series of technical and human errors associated with preparations to meet the requirement for Budget information on government Websites immediately after the Budget speech" Down here, and in the UK, it is routine for the Journalists to be in a lock-in with government flaks 2-3 hours ahead of the budget so they can do live comment based on advance knowledge. I bet somebody took the logical steps to make the Internet 'just as good as the lock-in'. [http://www.abc.net.au/news/newslink/nat/newsnat-12may1999-47.htm] ------------------------------ Date: Fri, 14 May 1999 09:20:34 EDT From: COehrlein@aol.com (Jo Oerhlein) Subject: Computer woes set back opening for Tulsa's jail The new Tulsa County jail will be dedicated tomorrow, but it is not ready for prisoners -- because of software problems. A pervasive information system is supposed to track up to 1440 prisoners using bar-coded wristbands. EPIC Solutions (San Diego) implemented the system, but is finding the challenge more difficult than expected. [Source: Article by Larry Levy, *The Daily Oklahoman*, 14 May 1999, page 5] ------------------------------ Date: Fri, 14 May 1999 10:48:44 -0400 From: "Daniel A. Graifer" Subject: C compilers vs editors: WYSI NOT ALWAYS WYG I recently sent some C source developed on unix to a colleague for modification and compilation under MS Windows. The resulting executable behaved in unexpected ways precisely at the points he modified. I have finally figured what happened. The MS Visual Studio V5.0 he is using has a built in source editor that recognizes both Windows and unix as "newline". The integrated C/C++ compiler will accept C++ style "//" comments in C source. In making his modifications, the colleague used "//" comments to suppress my code, then added new lines of his own code, sometimes above, sometimes below the suppressed entries. Apparently, the VC++ preprocessor or compiler didn't recognize the unix characters as termination of the commented out lines, and skipped everything up to his next entered line containing the required ! This is the only situation in C/C++ I can think where it would matter. Still, I think having the editor and the compiler from the same development platform have different definitions of "newline" is poor form. But just remember, What You See Is NOT What You Get! Daniel A. Graifer Parker & Company 1-888-426-6548 Andrew Davidson & Company 588 Broadway, Ste 610, NY 10012 (212)274-9075 ------------------------------ Date: Mon, 10 May 1999 22:26:19 +0200 From: "GWDVMS::MOELLER" Subject: Risks of upgrading a UNIX system When was the last time you rebuilt all privileged (`suid root') applications when upgrading a unix system, just in case? I'm pretty sure one can find `small print' that demands this, however I'm equally sure that hardly any system manager does so, since problems seem to occur _very_ rarely. Here's a neat one: Some time prior to the upgrade, system manager (S.M.) was asked to install `sshd' on a not-so-common platform (nothing really security-relevant, machine used for raw speed only, users just being accustomed to that sort of login). Said platform (featuring a particularly elaborate user data base) requires some special calls (simple calling sequences) to be done during `login' - no problem, `sshd' knows about them, although not explicitly aware of the particular hardware. Cautiously, S.M. configures `sshd' to not allow `root' logins from the outside. What other harm could it possibly do? Upgrade has to occur somewhat in a hurry, release documentation isn't on-site, but procedures are known well enough. S.M. asks the manufacturer's support representative if special precautions have to be taken, "errr, not that I'd think so". S.M. installs new version, all fine & dandy, even remembers to check out `sshd' afterwards and finds it to work the same as before. A couple of days later, S.M. logs in via `sshd' himself, and for the first time enters `su'. Gets very amazed at the new system's intelligence, as it knows to not ask him for a password. Minutes later, S.M. recognizes that `su' would never ask for a password, when the parent process had been created via `sshd' ... in spite of no other visible peculiarities with that process. A re-build (pretty likely boiling down to nothing but a re-link) of `sshd' fixed the problem. Quite a few years ago, when I saw the first mention of `ssh', I commented "If you're a bank, you don't buy your safe at a flea market; if you're not, you might be better off without a safe". Maybe there's _some_ truth in it, after all. Dr. Wolfgang J. "s."Moeller, Tel. +49 551 2011510, GWDG, D-37077 Goettingen, F.R.Germany P.S. re "software bloat": Imagine uSoft going open source, and no-one going to have a look at it... ------------------------------ Date: Tue, 11 May 1999 17:19:02 -0400 (EDT) From: brothers@clark.net Subject: Any Bell Atlantic customer can be spuriously Opted Out from CALL54 In the spring of 1999, Bell Atlantic-Virginia has notified its customers that it plans to introduce the Bell Atlantic CALL54(sm) service to its customers in northern Virginia. The CALL54 service is an automated reverse directory assistance service that will enable northern Virginia customers to obtain names and addresses for telephone numbers published by Bell Atlantic. Name and address information for telephone numbers in the entire states of Virginia and Maryland will be available at a charge of $.75 per request of up to 3 numbers. This service is already available in New Jersey, West Virginia and Maryland. Bell Atlantic will not provide name and address information for non-published numbers. Customers with published telephone numbers may exclude their names and addresses from CALL54 service by calling toll free 1-877-678-6887 to "Opt Out" of the service. There is no charge to "Opt Out" of CALL54. When you call their "Opt Out" service, you enter a ten-digit phone number and the system repeats it back to you. You are asked for a confirmation (depress 1) or cancellation (depress 2.). What would prevent anyone in the world from opting you out of the service? Would you be notified that you were "Opted Out?" The process could be made considerably more secure by requiring that a subscriber call from the number being "Opted Out" or "Opted In" and then only giving the user the choice of "In" or "Out". There would be no need to enter a number as the phone company knows your number when you call them. Douglas A. Brothers ------------------------------ Date: Fri, 7 May 1999 20:50:08 -0700 From: Martin Minow Subject: SurfWatch filters out plugandpray.com and minow.org EXPLETIVE DELETED: SurfWatch, an Internet-filtering company that aims to protect children from online pornography and violence, boasts that it only blocks objectionable sites after "thoughtful analysis" by its staff. This left James Tyre, a Pasadena lawyer and Internet activist opposed to filtering, more than a little bemused when SurfWatch blocked his newly registered site, www.plugandpray.com for "sexually explicit content." The main problem: Mr. Tyre's site was and remains totally blank but for an innocuous banner ad. SurfWatch says its software most likely confused Mr. Tyre's site with a pornography site that shares the same numerical Internet protocol address in a setup called "virtual hosting." SurfWatch has since unblocked Mr. Tyre's site, but others haven't been so lucky. Martin Minow, a Silicon Valley programmer, recently discovered that his new site www.minow.org, was also blocked by SurfWatch for alleged explicit content. The site bears only the words, "This site is under construction." Theresa Marcroft, director of marketing for SurfWatch, concedes that the company's software tends to block even innocuous virtually hosted sites if they are added to an Internet address that has been previously blocked, although she notes that the company responds quickly to unblock clean sites once it knows about them. "We're doing our best," she says. "This is such a nit in the overall objective of keeping kids away from the objectionable stuff." [Compiled by Nicole Harris and Ann Grimes, Posted by James S. Tyre , from *The Wall Street Journal*, 6 May 1999, B4] ------------------------------ Date: Tue, 11 May 1999 12:25:21 +0100 (BST) From: Pete Mellor Subject: MS AutoRoute Express 2000 The following is taken from the BBC Watchdog web pages (www.bbc.co.uk/watchdog). I would like to thank Gordon Brown for passing it to one of my colleagues. AutoRoute Express 2000 Weekend Watchdog 07.05.99 In February, Microsoft launched the new AutoRoute Express 2000 journey planner. By entering the details of any journey you want to make, it will show you the best roads to use and calculates how long the drive will take. It predicts possible hold ups and even recommends scenic spots on the way. Now Microsoft has admitted to Weekend Watchdog that Autoroute's directions could cause drivers to make unnecessary detours that add miles to their trips. Richard Emery, a logistical planner from Bracknell, advises companies on the best routes for moving their goods. It literally pays Richard to know the quickest way from A to B. Using Autoroute Express 2000, Richard planned a trip from his home to a charity office in Llanelli in South Wales. He knew it was a long way but was not sure how long it would take. The software came up with what appeared to be a good set of clear directions, providing almost door to door road names, and said that the journey should take 2 hours and 36 minutes. Then Richard programmed in two 10 minute service station breaks. The journey suddenly changed from 169 to 185 miles, and the time taken increased by 1 hour and 3 minutes. Richard demonstrated the problem to Weekend Watchdog with a real journey from Swindon to Reading. Autoroute Express 2000 says it is a distance of 49.3 miles and, without a coffee break, should take 51 minutes along the M4. Richard then programmed in a 10 minute stop at Membury Services, almost half way between Swindon and Reading on the motorway. Autoroute changed a 30 second round trip into a 33 minute drive through the countryside. The software ignores the fact that most service areas are connected to the motorway, and works out a route via junctions and A roads to the back of the service station. Richard has discovered that this is the case with routes all over England. For example, London to Nottingham, 127 miles with two short coffee breaks according to AutoRoute, will take 3 hours and 15 minutes. That leaves 1 hour and 5 minutes to get coffee. Microsoft says it's very sorry Richard Emery has experienced such problems with Autoroute Express 2000. It says that it is "committed to resolving these issues in the next version of the product". The company has set up an Autoroute Express 2000 Hotline on 0345 002000, which is open until 10pm on May 7th and between 9-5pm from then on. http://www.bbc.co.uk/watchdog/stories/autorout.shtml Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422, p.mellor@csr.city.ac.uk [Actually, the shortest distance between two points may involve the pub nearest where you started. If after a few pints you forget which way you were going, the trip can be much shorter. PGN] ------------------------------ Date: Wed, 12 May 1999 16:00:44 +1000 (EST) From: George Michaelson Subject: Another talking lift bug I've mentioned the lifts in our building with an off-by-one error on the floor. Now I've noticed that if you select a 'DOWN' lift button, but get into an 'UP' lift, albeit empty, and with no real 'UP' calls on it, although you get to select 'DOWN' as a destination, it still vocalizes "going up" as it moves.. downwards. The sole reason for talking lifts seems to be to help blind people. You can imagine that in an emergency (not that you should use lifts then anyway) there would be some concern that a talking lift can confuse the rider even if the delivery point is correct. I'm sure this is an example of an I.T. system grafted onto the core workings of the lift: the latter are going to be subject to some kind of safety proofs since the lift operations depend on them. The vocalizer is seen as 'ephemeral' and its bugs don't matter except... -George ------------------------------ Date: Tue, 11 May 1999 09:39:34 -0700 From: "Leonid (Leo) Sokolskiy" Subject: On-line account access Recently the bank which issued one of my credit cards, First USA, started to offer on-line account access. I decided to give it a shot: it is a nice system, letting you see your charges, etc. Imagine my surprise one day when after I logging in I was looking at someone else's list of charges although the system listed them under my account number. When I went to the statements section, I could pull up images of previous statements from someone else's account including name, address, account number, and list of charges. Amazingly, calls and e-mail to customer service produced little response beside weak assurances to "investigate and fix it". Thus, despite bank's repeated statements that they concerned and respectful of their customer's privacy, it does not see to trickle down to implementation level. ------------------------------ Date: Fri, 07 May 1999 18:36:59 -0600 From: Bruce Wampler Subject: Wrong e-mail address I just received a very big e-mail file filled with several Microsoft Word documents from a name I did not recognize. My first reaction was to worry about the Melissa virus, but closer examination of the To: revealed a wrong e-mail address. The e-mail was addressed to "xxx@realitycentral.com". The documents were obviously confidential real estate contracts, and the intended address must have been "xxx@realtycentral.com" -- no "i". I own the URL "realitycentral.com" which is presently parked. All e-mail to the site is automatically forwarded to me. There are a lot of parked URLs waiting for development that probably forward e-mail, or even dump it. A couple of risks are obvious here. First, one needs to be very careful when sending confidential material that it goes to the right place, and really gets there. Second, it is possible to send e-mail to a site and have it delivered anyway, even though there is no one with the specific address at that site. This would usually cause a bounced message. Unless the sender is informed by the ultimate recipient of the e-mail (which I did), they will never know their mail went to the wrong place. Finally, there is the risk of having a URL similar to another busy site, not unlike having a phone number similar to a busy business number -- one may get a lot of wrong numbers. The topic of sending e-mail to the wrong address has no doubt been discussed before, but I thought this instance demonstrated a couple of interesting twists. Bruce E. Wampler, Ph.D., Author of the V C++ GUI Framework mailto:bruce@objectcentral.com http://www.objectcentral.com ------------------------------ Date: Sun, 9 May 1999 10:17:20 -0600 From: "Dan Yurman" Subject: Risks of 3-letter user IDs for free e-mail accounts The proliferation of free e-mail services available from a 'portal' sites raises the question of how to insure your user ID is unique among millions of other current and especially prior users of these services. For instance, a quick tour of the major portals indicate free e-mail is available from the following locations. This is necessarily a representative sample of sites chosen more or less for convenience, and not for any commercial purpose. Perhaps as many as 20 million people have or have had free e-mail accounts these or other sites. http://www.hotmail.com/ http://www.hotbot.com/ http://www.yahoo.com/ http://www.lycos.com/ http://www.excite.com/ http://www.bigfoot.com/ http://www.switchboard.com/ For those of you who are considering signing up for a free hotmail e-mail account, or for any of the others, consider this lesson learned from a friend. Don't sign up for a user ID on Hotmail, or any other free e-mail service, using the three letters of your initials. There may be someone out there, in fact count on it, who also has those initials, and who may have had a Hotmail or other free e-mail account prior to yours. Hotmail, like other free e-mail services, "recycles" user IDs. This is not unlike what the phone company does with your number after you move. After a suitable period of time, it reissues the number to a new customer. Otherwise, it would run out of numbers. I'm not picking on Hotmail, just arbitrarily using them in this example since they are one of the largest of the free e-mail services. This challenge is that you may not like what the previous "owner" of your three letter user ID was interested in getting over the Internet. For instance, suppose the three letters of your initials are 'ABC' yielding a Hotmail account of abc(at)hotmail(dot)com. So, if your name is 'Anna Belle Cornwall,' (a made up name for this posting with any resemblance to a real person strictly coincidental) it may be the prior user of that account name was Archie Bunker Cooper (same disclaimer). If "Archie" was into less than mainstream interests, or worse, and signed up for mailing lists on his favorite subjects, now innocent Anne Belle is going to get that stuff because she now owns the account abc(at)hotmail(dot)com. Not only will she get all of 'Archie's' solicited mailing list material, she will also get every piece of spam still hunting for valid e-mail addresses known to be linked to his user ID and interests. If she's lucky, all she'll get are some get rich quick schemes, the occasional porno come on, and offers to buy stamp / coin collections or HO train sets. It could be a lot worse, especially if "Archie's" ex-wife, his creditors, or other malcontents think they are still talking to him over the Internet. Of course, "Anna Belle" could try answer them, but usually at this point explanations will not work, and like trying to teach the proverbial pig to sing, only wastes her time and annoys the pig. The replies also tell spammers they have a valid e-mail address. There is nothing she is going to be able to do about all that spam, and the other stuff, except close the account and get a new one. This could be very inconvenient if she had already told her friends and family about her new three letter user ID. There are several good strategies to avoid this problem. * Put a number in your hotmail or other free e-mail user ID after the 1st letter, e.g a2bc(at)hotmail(dot)com, or in any position after the first letter, except the last. Hotmail, unlike some others, requires the first position to be a letter to avoid having their sites being the origin of spam. This strategy eliminates many heritage users IDs based on three initials. Even with 26 letters in the alphabet, there are still a finite number of combinations. The available three letter combinations go from AAA to ZZZ. Since Hotmail has millions of users, your probability of encountering a match using just the three initials of your name, based on a prior or current user, is very high. However, assigning an arbitrary number within the three letter sequence eliminates "collisions" with all users IDs based solely on three initials. * Use at least four letters, e.g. abcd(at)hotmail(dot)com, which will also eliminate a pretty good percentage of the like instances of inheriting three letter user IDs that have been recycled. This decreases the odds of encountering a match, but still raises the possibilities of "collisions" with people who have shifted user ID naming strategies from using their three initials to using their first names. If you use four letters and a number, after the 1st position, you have significantly increased the odds that no one else will have ever had this user ID before you. Now you have not only eliminated letter letter user IDs based on initials, but also almost all user IDs based on first names. The exception is if you put the number in the last position, e.g. if "Anna Belle" chooses 'anna5' etc. * For a maximum strength strategy to avoid duplication with previous e-mail user ID owners try at least four letters plus mixing in say the first two or three numbers of your house street address, last few digits of your zip code, birthday date of your dog, cat, goldfish, etc., or any other numeric sequence that is meaningful. If "Anna's" zip code is 95472, she could choose a user ID of A9n5n4bc(at)hotmail(dot)com. So if the mythical "Anne Belle" wants a no hassle user ID, that no one among the millions of past Hotmail users have held, one of these simple strategies should do the job for her. However, don't put these numbers at the end of the letter sequence. Mix them in the middle. It is common for other online services like AOL and Prodigy to put numbers at the end of user IDs to avoid duplications. * Pick an entirely non-obvious combination, say the bar code for your favorite beer brand, your initials combined with the current temperature (your choice of indoor or outdoor readings), or, as in my case, a geographic reference. I choose the nearest USGS map corner, but you could look up the lot lines of your home or apartment and get carried away with surveying coordinates. :-) The drawback is that these strategies fly in the face of personalizing your free e-mail account with something that others will remember easily. The whole point of the free e-mail accounts is that they are part of "mass customization" marketing strategies so the portal companies may not like this advice, or at least not very much. In fact this advice may fall in the same category as the story about the engineer who had to choose between a talking frog and a beautiful princess. However, it will work. I'm assuming you've already done some customization of your own with your home ISP, and that your use of a free e-mail account is to keep some communications out of your priority e-mail inbox, or for other business or personal reasons. Enjoy the Internet. Surf safely. I am not affiliated with hotmail except as an end user of the service. Dan Yurman n43w112@hotmail.com Eagle Rock, Idaho ------------------------------ Date: 23 Sep 1998 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 19" for volume 19] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 20.39 ************************