precedence: bulk
Subject: RISKS DIGEST 19.82
RISKS-LIST: Risks-Forum Digest Saturday 20 June 1998 Volume 19 : Issue 82
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at
http://catless.ncl.ac.uk/Risks/19.82.html
<<<<< ANNUAL RISKS SEASONAL SLOWDOWN TIME. >>>>>
Contents: [Happy World Juggling Day. Here are a few more risks to juggle.]
Air-traffic control glitch again under Air Force Two (Doneel Edelson)
Being Extra #$@% Careful Brings Extra #$#$@Q (Peter Wayner)
World shipping full-speed ahead to beat Y2K torpedo (Keith Rhodes)
Digital Wins Product Liability Suit (Edupage)
California has dueling lawsuits filed over Deadbeat Dads/Moms (Keith Rhodes)
Who is leaving the security doors open in Japan? (Keith Rhodes)
Severed MCI cable cripples the Net (Doneel Edelson)
Will we have power on 1 Jan 2000? (Doneel Edelson)
Fire risks compounded by loss of residential power (Jeremy Erwin)
Double points from supermarket loyalty-card system (Paul Howlett)
Re: Exchange/Outlook plug-in for PGP bypasses crypto (Joshua R. Poulson)
Re: Navy stops teaching celestial navigation (Kurt Cockrum)
Meaconing (Ralph Hoefelmeyer, Henry Spencer)
Re: 15th century time machine and Y2K (Steve King)
Privacy Digests (PGN)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Wed, 17 Jun 1998 15:22:18 -0500
From: "Edelson, Doneel" <
[email protected]>
Subject: Air-traffic control glitch again under Air Force Two
On 7 Jun 1998, and again on 17 Jun, both times when VP Al Gore was in Air
Force Two flying over New Jersey, air-traffic controllers lost flight
information from radar screens. The first time they lost AF-Two for 24
seconds, whereas the second time AF-Two was not among those planes blipped
out. As usual, reports said there was no danger. (As you recall, this is
considered a normal occurrence -- see RISKS-19.63 and .79 for cases
involving Air Force One.) [Source: USA Today, 17 Jun 1998; PGN Abstracting,
incorporating a news item from 9 Jun 1998.]
------------------------------
Date: Wed, 17 Jun 1998 15:58:21 -0400
From: Peter Wayner <
[email protected]>
Subject: Being Extra #$@% Careful Brings Extra #$#$@Q
The 17 Jun 1998 *Wall Street Journal* reports (B1) that a software program
that reads to kids would occasionally toss in foul swear words. Apparently
the product would grab text from the screen and send it to the voice
synthesizer. While I haven't checked up on the reporting, the article seems
to make it clear that the problem occurs because the company tried to be
extra careful. It built in a filter that would check for four letter words
and prevent them. Apparently the sort of pointer twisting bugs that made C
famous, causes this program to swap the list of filterable words with the
list of words to be spoken. Voila, the voice synthesizer starts spouting
words from the forbidden list. [The software is called Secret Writer's
Society, from Matsushita's Panasonic Interactive Media. PGN]
------------------------------
Date: Wed, 17 Jun 98 08:30:25 -0500
From:
[email protected] (Keith Rhodes)
Subject: World shipping full-speed ahead to beat Y2K torpedo
Reuters reports that world shipping is at risk from the Y2K problem, with
much work yet to be done. Many aspects of merchant shipping are now highly
dependent on computers, many of which are not yet Y2K compliant. The
increased computerization has resulted in sharp cutbacks in crew sizes, but
also leaves a shortage of people familiar with old-style backups (sextants,
Morse code, etc.). Malcolm Gosling, who heads Electrical Services at Royal
Dutch's Shell Trading and Shipping Company, said that Shell had tested
systems on Very Large Crude Carriers, and found Y2K-related failures in
seven areas including radar system mapping, ballast monitoring, and ships
performance monitoring. Gas carrier computer systems had also tested badly.
At airports where Shell delivered supplies, failures due to Year 2000
problems included flow metering, fire alarms, and climate control. [Source:
Reuters News Service, 16 June 1998; PGN Stark Abstracting]
------------------------------
Date: Thu, 18 Jun 1998 11:58:55 -0400
From: Edupage Editors <
[email protected]>
Subject: Digital Wins Product Liability Suit
A New York jury has found Digital Equipment not liable for the repetitive
stress injuries suffered by nine workers who claimed Digital keyboards
caused their problems. Digital said that although the workers did have
medical problems, they were attributable to a host of other health issues
and complications. "A keyboard is a tool. It is not more dangerous than a
bricklayer's trowel, a piano, or even a pen," said the general counsel and
senior VP at Compaq, which acquired Digital last week. "We applaud the
jurors' wisdom and common sense." Digital hopes this victory will
discourage more keyboard liability lawsuits. "Judges and juries have
rejected keyboard product liability claims 30 out of 31 times," says
Digital's trial counsel. "It would be unfortunate if the courts were forced
to spend valuable time hearing more cases that obviously have no merit."
(Reuters, 17 Jun 1998; Edupage, 18 June 1998)
[To subscribe to Edupage: send mail
[email protected], with one line,
subscribe edupage (with your first and last names)
[Earlier items on RSI liability involve Apple and IBM (RISKS-16.86).
Digital's cases were noted in RISKS-18.66 (three awards, largest $5.3M)
for arm, wrist, hand injuries attributed to Digital's LK201 keyboard,
but a judge later overturned all but smallest verdict (RISKS-19.14).
(Various references on RSI were noted in RISKS-18.68.) PGN]
------------------------------
Date: Mon, 15 Jun 98 17:03:34 -0500
From:
[email protected] (Keith Rhodes)
Subject: California has dueling lawsuits filed over Deadbeat Dads/Moms
The state of California and Lockheed Martin Information Management Systems
Corporation are suing each other over the cancellation of the $103M
California deadbeat parents' database system, although this is apparently a
procedural maneuver prior to an alternative dispute resolution. In March
1998, a state auditor identified as flawed decisions and incompetent
management on both sides. (See RISKS-19.12, .43, and .47 for earlier
reports on the California system.) [Source: Cathleen Ferraro, Sacramento
Bee, reported by Nando.net/Scripps-McClatchy Western, 13 Jun 1998; PGN Stark
Abstracting]
------------------------------
Date: Thu, 18 Jun 98 10:19:52 -0500
From:
[email protected] (Keith Rhodes)
Subject: Who is leaving the security doors open in Japan?
A 1996 survey of 2,000 Japanese companies conducted by an institute
affiliated with the Ministry of Industrial Trade and Industry revealed that
only 17.1 percent had a security manager in charge of preventing
unauthorized access to their computer networks; 14.3 percent offered
security education; 7 percent used firewalls. More than half of the
respondents said they didn't take necessary protective measures because they
don't know what to do. [NOTE: Source: a rather revealing editorial in the
"CYBERIA" section of *The Japan Times*, 18 Jun 1998; PGN Stark Abstracting]
------------------------------
Date: Tue, 16 Jun 1998 16:37:17 -0500
From: "Edelson, Doneel" <
[email protected]>
Subject: Severed MCI cable cripples the Net
A fiber optics cable was severed under 42nd Street in the Bronx, affecting
Internet service and long-distance phone calls to much of the East Coast on
11 Jun 1998. MCI workers spliced the cable, but are still searching for the
exact cause of the break. [Source: MSNBC, 11 June 1998, PGN Abstracting]
------------------------------
Date: Tue, 16 Jun 1998 16:37:17 -0500
From: "Edelson, Doneel" <
[email protected]>
Subject: Will we have power on Jan. 1, 2000?
A Senate Y2K committee (whose chairman believes that if today were 1 Jan
2000, the nation's power grid would collapse) heard testimony from utility
experts who were not able to promise that power would remain available in
the U.S. when the Y2K date rolls around. [Source: MSNBC, 12 June 1998, PGN
Abstracting. Incidentally, a House hearing on 16 June 1998 considered the
Y2K threats to the telecommunications networks.]
------------------------------
Date: Wed, 17 Jun 1998 13:34:07 -0400
From:
[email protected] (Jeremy Erwin)
Subject: Fire risks compounded by loss of residential power
*The Washington Post* reported (15 June 1998) that a residential fire
recently killed one 13 year old boy and seriously burned four others, when,
during a power outage caused by severe thunderstorms that night, candles
were used to provide lighting. A candle tipped over and ignited a chair, but
the occupants were not immediately warned of the resulting flames because
the smoke detector ran off the house's electrical grid. When members of the
household smelled smoke, they could not immediately call for help because
their cordless phone required AC power to run.
The Risks: Although the fire could have been prevented by more prudent
choice of "emergency" or supplemental lighting systems-- e.g. flashlights,
the fact that their smoke detector required outside power to run does point
to a risk in the residential building code. Electrical power losses are
common here, in Virginia Summers, either because of sizable loads-- air
conditioners-- or because of frequent electrical storms. Additionally, I'm
not sure that AC powered smoke detectors are necessarily reliable in the
case of an electrical fire. The cordless phone also contributed to the
risks. Although a standard phone may have allowed the victims to call for
help more quickly, phones that require supplemental AC power may well become
more common, especially as POTS is replaced by digital standards.
Full details are available at
http://washingtonpost.com/wp-srv/WPlate/1998-06/15/123l-061598-idx.html
Jeremy Erwin
------------------------------
Date: Wed, 17 Jun 1998 11:46:46 +0100
From: Paul Howlett <
[email protected]>
Subject: Double points from supermarket loyalty-card system
A leading UK supermarket chain have been found to have a hole in their
loyalty-card system which allows customers to claim twice as many points as
those earned.
The hole becomes apparent only if two customers, both using a loyalty card
attached to the same points account, pay for their shopping simultaneously
at different checkouts. The lack of any file locking in the system allows
both customers to claim for points from the same account. The result being
that the points are claimed from the account twice.
Paul Howlett +44 171 477 8469
[email protected]
http://www.cs.city.ac.uk/homes/paulh/
------------------------------
Date: Tue, 16 Jun 1998 19:44:12 -0700
From: "Joshua R. Poulson" <
[email protected]>
Subject: Re: Exchange/Outlook plug-in for PGP bypasses crypto (Choe, R-19.81)
I've also be berating PGP, Inc. (now NAI) because PGP 5.5.3 also does not
always correctly sign messages I send with Outlook 98. Their support side
has practically disappeared since the buy-out.
In the same lines as risky behavior because you believe your transport is
safe, there was a recent exploit discovered in versions of ssh prior to
1.2.25 where third parties could insert data into the stream that would be
unencrypted and trusted on the destination end. Insert a "^Zrm *" at the
right time and boom.
------------------------------
Date: Tue, 16 Jun 1998 12:16:19 -0700
From: Kurt Cockrum <
[email protected]>
Subject: Re: Navy stops teaching celestial navigation
Perhaps things have "advanced" to the point where manipulating a sextant
might be considered an activity more suitable for a technician, i. e. an
enlisted person, than "an officer and a gentleperson". Certainly a
quartermaster would have this skill. I can't help wondering what effect
this would have on the respectful relations between enlisted folk and
officers that is necessary for effective leadership, though.
There are a number of navigation/nautical skills that exist, that all tend
to complement each other, such as dead-reckoning, compass navigation,
sailing, and the like. If we lived in a sane world, GPS would simply be
regarded as another valuable navigation tool, to be added to an already
well-stocked toolbox; but we wouldn't foolishly throw away the rest of the
tools just because we had GPS.
------------------------------
Date: 16 Jun 98 14:16:56 EDT
From: Ralph Hoefelmeyer/CSP/BSM/MCI <
[email protected]>
Subject: Meaconing (Re: Navy celestial navigation, RISKS-19.79)
*meaconing*: A system of receiving radio beacon signals and rebroadcasting
them on the same frequency to confuse navigation. The meaconing stations
cause inaccurate bearings to be obtained by aircraft or ground stations.
In the context of GPS, spurious signals sent to a receiver to indicate a
different location. Interesting idea.
Ralph S. Hoefelmeyer, MCI
[email protected]
------------------------------
Date: Wed, 17 Jun 1998 13:15:04 -0400 (EDT)
From: Henry Spencer <
[email protected]>
Subject: Meaconing (Re: Navy celestial navigation, RISKS-19.79)
> The real problem to this ex-GI is that what happens when war breaks out
> and we find the GPS signal either jammed or, worse, meaconed[*] ...
For those not up on WW2 electronic-countermeasures history, "meaconing" is
the word that was coined to describe masking of German radio beacons by
receiving the signals of the genuine beacons and rebroadcasting them at high
power from transmitters in Britain. The GPS signals are really very
low-powered and it would be easy to swamp them. Some of the smarter
military GPS receivers are capable of figuring out that they are being
jammed and reconfiguring their antennas to minimize the effects, but it is
not clear whether rebroadcasting of genuine GPS signals would trigger this
countermeasure, and in any case a lot of receivers aren't that smart.
> Now imagine you've got a unit which has become dependent on the GPS and
> have allowed their land navigation skills to atrophy...
I would speculate that current policies are heavily influenced by the Gulf
War experience, in which it became clear that traditional land-navigation
skills are fairly useless (at least to the average soldier) in featureless
desert with out-of-date maps. GPS, vulnerabilities and all, really was a
godsend there.
> If I was a unit commander, I'd lock up the GPS's in the supply room and do
> all my field training without them. If the balloon goes up and they work,
> fine, If not, we are ready.
While this is not a bad idea in general, one does have to train enough with
the new gadgets to be handy with them and to know their limitations.
According to Aviation Week, there were a number of cases in the Gulf War
when one of the senior commanders got a visit from people who told him about
a wonderful ultra-secret gadget that could be made available and would make
his job easier, and he told them to get lost, because he couldn't use it
effectively without the opportunity to train his people with it first, and
there wasn't time for that any more.
Henry Spencer
[email protected] or
[email protected]
------------------------------
Date: Wed, 17 Jun 1998 10:05:02 +0100
From: Steve King <
[email protected]>
Subject: Re: 15th century time machine and Y2K (RISKS-19.79,81)
The London Times of Monday June 15 1998 has further details of this device,
including a picture. Archive copy available at
http://www.the-times.co.uk/ .
Steve King, Dept of Computer Science, University of York, Heslington,
York YO10 5DD UK
[email protected] phone 01904 433068
[Original URL not valid. Changed in archive copy. PGN]
------------------------------
Date: 17 Apr 1997
From: RISKS moderator
Subject: Privacy Digests
Periodically I remind you of TWO useful digests related to privacy, both of
which are siphoning off some of the material that would otherwise appear in
RISKS, but which should be read by those of you vitally interested in
privacy problems. RISKS will continue to carry general discussions in which
risks to privacy are a concern.
* The PRIVACY Forum is run by Lauren Weinstein. It includes a digest (which
he moderates quite selectively), archive, and other features, such as
PRIVACY Forum Radio interviews. It is somewhat akin to RISKS; it spans
the full range of both technological and nontechnological privacy-related
issues (with an emphasis on the former). For information regarding the
PRIVACY Forum, please send the exact line:
information privacy
as the BODY of a message to "
[email protected]"; you will receive
a response from an automated listserv system. To submit contributions,
send to "
[email protected]".
PRIVACY Forum materials, including archive access/searching, additional
information, and all other facets, are available on the Web via:
http://www.vortex.com
* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
run by Leonard P. Levine. It is gatewayed to the USENET newsgroup
comp.society.privacy. It is a relatively open (i.e., less tightly moderated)
forum, and was established to provide a forum for discussion on the
effect of technology on privacy. All too often technology is way ahead of
the law and society as it presents us with new devices and applications.
Technology can enhance and detract from privacy. Submissions should go to
[email protected] and administrative requests to
[email protected].
There is clearly much potential for overlap between the two digests,
although contributions tend not to appear in both places. If you are very
short of time and can scan only one, you might want to try the former. If
you are interested in ongoing discussions, try the latter. Otherwise, it
may well be appropriate for you to read both, depending on the strength of
your interests and time available.
PGN
------------------------------
Date: 31 Mar 1998 (LAST-MODIFIED)
From:
[email protected]
Subject: Abridged info on RISKS (comp.risks)
The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Alternatively, via majordomo,
SEND DIRECT E-MAIL REQUESTS to <
[email protected]> with one-line,
SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
INFO [for unabridged version of RISKS information]
.MIL users should contact <
[email protected]> (Dennis Rears).
.UK users should contact <
[email protected]>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to
[email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available:
ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
[volume-summary issues are in risks-*.00]
[back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
or
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
The ftp.sri.com site risks directory also contains the most recent
PostScript copy of PGN's comprehensive historical summary of one liners:
get illustrative.PS
------------------------------
End of RISKS-FORUM Digest 19.82
************************
