precedence: bulk
Subject: Risks Digest 20.03

RISKS-LIST: Risks-Forum Digest  Tuesday 13 October 1998  Volume 20 : Issue 03

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://catless.ncl.ac.uk/Risks/20.03.html and at
ftp.sri.com/risks/ .

 Contents:
Computerized gas-pump cheat (Conrad  Heiney)
Trojan Horse infests 15,000 Internet chat users (Monty Solomon)
Computer glitch trips up Dow Jones industrial average (Cliff Sojourner)
IE4 and its "magical" features (Chenxi Wang)
Unreliable reception of e-mailed WP documents (Daniel P. B. Smith)
Microsoft web site denies access based upon Windows regional settings
 (Eric Ulevik)
Risks of installing Microsoft's Media Player (Wade Ripkowski via James Love)
Insidious SQL interpreter bug messes up files (David Tonhofer)
Netscape Netcenter password hint (Dan Pritts)
Radio clock blows daylight savings (Ian Macky)
The risks of "keep it simple" [Martin D Kealey)
Finland: Fraud with copied banking cards (Kimmo Ketolainen)
Offensive information warfare deemed offensive? (PGN)
Hackers stay a step ahead of China's cyber-police (PGN)
LA 911 outage...backup worked! (Thomas Maufer)
Some good Y2K news: whisky will be on tap for Hogmanay 1999 (Declan McCullagh)
Military preparations to mobilize for Y2K (Declan McCullagh)
Void where prohibited by date (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 9 Oct 1998 12:55:06 -0700
From: "Conrad  Heiney" <[email protected]>
Subject: Computerized gas-pump cheat

Today's *Los Angeles Times* reports that the county district attorney has
filed charges against four men who are alleged to have replaced computer
chips in electronic gas pumps, thus cheating customers of between 7%-25%
of their gasoline.

The url to the full story is
http://www.latimes.com/HOME/NEWS/METRO/t000091711.html

According to the story, the problem was hard to detect partly because
the chips were programmed to generate accurate results in the five- and
ten-gallon amounts used for testing the accuracy of pumps.

The RISK here is twofold: That misplaced trust in digital technology can
lead consumers not to check things like gas pumps, and that it's easier
to fool the regulators with an intelligently programmed cheat.

Conrad Heiney [email protected] Manager, Systems & Development
University Access, Inc. http://www.universityaccess.com

 [Also noted by David Lesher, heard on NPR, and Richard Schroeppel.  PGN]

------------------------------

Date: Fri, 9 Oct 1998 01:22:14 -0400
From: Monty Solomon <[email protected]>
Subject: Trojan Horse infests 15,000 Internet chat users

Due to a Trojan horse on Internet Relay Chat, Back Orifice (see RISKS-19.90)
was apparently made available to up to 15,000 IRC users who transferred
files.  This was discovered by GeoCities when it received thousands of
requests for the nfo.zip file.  [Source: Trojan Horse Infests 15,000
Internet Chat Users, By Andy Patrizio, TechWeb, 8 Oct 1998,
http://www.techweb.com/wire/story/TWB19981008S0019]

------------------------------

Date: Thu, 08 Oct 1998 12:02:46 -0700
From: Cliff Sojourner <[email protected]>
Subject: Computer glitch trips up Dow Jones industrial average

The Dow Jones Industrial Average was erroneous for the first 12 minutes
Thursday morning 8 Oct 1998, resulting from the merger of, with the
resulting Citigroup using Citicorp's ticker symbol, CCI.  The previous
night's closing price of Citicorp (in the $70s) was used instead of the
Citigroup opening price (31.75).  [Source: Computer glitch trips up Dow
Jones industrial average, By Margaret Kane, ZDNet, 8 Oct 1998; PGN
Abstracting]

Cliff Sojourner, Cisco Systems Inc.  [email protected]
(408) 527-7637   170 W. Tasman Drive, SJ CA 95134  bldg H2/cube E2-7
 [Also noted by Doneel Edelson]

------------------------------

Date: Mon, 12 Oct 1998 10:25:34 -0400
From: Chenxi Wang <[email protected]>
Subject: IE4 and its "magical" features

Last week my Windows 95 machine refused to boot, citing a protection error
in the IO unit. My system staff, after laboring over my machine for some
time, told me that it was due to a bug in the IO, and that according to
Microsoft, the only way to fix it was to install IE4! So IE4 was installed,
and sure enough, it fixed whatever problem the machine was having. I was
doing some disk cleaning up this past weekend, and I accidently deleted some
files that appeared to have been installed by the IE installation. Curious
to see if IE still worked, I double clicked on the icon. Guess what
happened? -- It launched my netscape communicator to the URL of the IE
download site! I was incredulous...

Chenxi Wang  University of Virginia <[email protected]>

------------------------------

Date: Fri, 9 Oct 1998 09:55:45 -0400 (EDT)
From: "Daniel P. B. Smith" <[email protected]>
Subject: Unreliable reception of e-mailed WP documents

Some unpleasantness occurred in a meeting recently. Person A said that the
reasons he hadn't performed a task was because he was still waiting for
Person B to supply some needed information. Person B said he'd supplied it a
week ago in a specific memo which he'd distributed via e-mail.  Person C
said, "I got it and I'm almost sure I saw A on the distribution list."
Person A said "I got the earlier version where all of those numbers were
blank, but I've never gotten anything that had the numbers." Person B said
"What version where the numbers were blank?" Person E said "You know, the
one you sent out about a week ago.  I never got the one with the numbers
filled in, either."

On comparing notes, it turned out that a single version of the memo had been
e-mailed, and when opened by about half the participants a critical table was
complete and had information visible in all columns, and about half of them
had a column in which all cells were blank.  All recipients of the damaged
version had simply assumed that the blank cells were intentional.

Incidentally, this was a 100%-pure-Microsoft situation, involving no version
of Word more than a year old (no version skew of more than one version) and
involved RTF format which is the format Microsoft specifically designates
for document transfer.  There was no obvious pattern to the problem; the
originator used Word 97 on a PC, and some receivers using Word 98 on a Mac
received it correctly while some receivers using Word 97 on a PC got blank
columns.  We don't know the full story but it is suspected that the set of
fonts installed, the OS version, the screen dimensions and resolution, and
the kind of printer the user is connected to may all play some part in this
crazy equation.

The RISK here is the same as with any other kind of unreliable communication
that is falsely _assumed_ to be reliable.  Notice that, in general, when you
send a word-processing document to someone else, _the sender has no reliable
way to confirm what the receiver will ultimately see and print.  Unless the
user guesses there is something wrong and complains, the problem is likely
to go undetected.  Even when the problem is detected, it is usually hard to
resolve, because nothing in the system logs all the configuration
information that would be needed to resolve it.  Unless the recipient is a
colleague in an adjacent cubicle and is willing to experiment with you in
real time, problems of this kind are likely to remain unsolved.

Daniel P. B. Smith  <[email protected]>

------------------------------

Date: Tue, 6 Oct 1998 18:59:44 +1000
From: "Eric Ulevik" <[email protected]>
Subject: Microsoft web site denies access based upon Windows regional settings

I use home.microsoft.com as my home page under Internet Explorer 4.01 SP1
running on Windows NT 4.0. I have customized the data; I like the
presentation.

Today, I found that I can no longer access my home page. The browser is
redirected to ninemsn.com.au - a local web site put together by Microsoft
and Channel 9 (an Australian TV station). ninemsn tells me that this is "MSN
strategy".

But other PCs in the same office are not redirected. The significant
difference appears to be that the other PCs are set to US date formats.

The risk is that configuring your computer's date format has surprising
consequences.

Eric Ulevik <[email protected]>

------------------------------

Date: Sat, 03 Oct 1998 17:21:44 -0400
From: James Love <[email protected]>
Subject: Risks of installing Microsoft's Media Player

James Love, Consumer Project on Technology, P.O.Box 19367, Washington, DC 20036
http://www.cptech.org [email protected]  202.387.8030, fax 202.234.5176

<--begin message from Wade Ripkowski-->

Subject: RE: Sony PC & Windows 98 Licensing
Date: Fri, 2 Oct 1998 14:21:23 -0400
>From: "Ripkowski, Wade" <[email protected]>
To: "'James Love'" <[email protected]>

I just hate being abused by Microsoft.  I just encountered a whole new issue
with Microsoft's "new" Media Player that you may be interested in as well.
I installed it and it changed EVERY multi-media association on the machine
to use itself as the player.  The problem here is that the media player I
was using up until then utilized the hardware based MPEG decoder and
subsequently played MPEG video better (no jumping).  MS Media Player also
redirected the CD Audio player to itself.  Again the audio player I used
before was much better.

To make a long story short.  I opted to "uninstall" it think my system would
be put back the way it was.  Boy was I wrong.  It uninstalled itself and
changed all the multi-media associations to use Microsoft ActiveMovie!  Now
I am left with a system in which I must reinstall the Audio/Video
applications I want in order to use them, and to top it off, my RealAudio
player no longer works either!  I spoke with a friend of mine this morning
and he ran into the exact same problem I did, although he has a Gateway
machine.

I think this is somewhat along the lines of the "browser battle".  It looks
as if Microsoft knows they lost the battle, but if they cant own that, then
they will own the multi-media portion of the machine.  They advertise
"forget all the plug-ins, all media, one player".  So I should have read the
literal meaning -- my mistake.  And they are dumping this product free to
everyone on the internet.  This will surely hurt Real, Inc., and possibly
other similar companies.

I am not opposed to one vendor writing all the software for the PC I use, if
that software works properly and at an acceptable performance level.  If one
vender wants all the business, fine, make software that earns it on merit,
not on price / availability!!!   [...]

<--end message from Wade Ripkowski-->

------------------------------

Date: Tue, 13 Oct 1998 12:08:56 +0200
From: [email protected]
Subject: Insidious SQL interpreter bug messes up files

Recently, the informatics department  of our company found out - quite by
accident - that the SQL interpreter on our midrange server (made by a
well-known manufacturer) exhibited an interesting bug - in interactive and
dynamic/compiled-in SQL queries.

An UPDATE query with an assignment of a constant value to a numeric field
'a' set 'a' field to '0' in case of a simultaneous assignment with any
field
on the right-hand side of that assignment and a 'WHERE'-condition, like so:

 UPDATE table SET a = 10, b = b+b WHERE c > 10

resulted in 'a' having value 0 for all c > 10, whereas

 UPDATE table SET a = 10.0, b = b+b WHERE c > 10

succeeded. Yuck!

With a bug like this, your company database might slowly turn belly-up
without anyone noticing.

Anyway, after the manufacturer's help-desk had analyzed the problem, we
applied patch SF47057 and everything was well ever after (we hope).

Risk: Do not forget to apply your patches. Also, the system your are
building on or upgrading to might be flakier than you thought.

-- DaTo


------------------------------

Date: Mon, 12 Oct 1998 16:02:36 -0400
From: Dan Pritts <[email protected]>
Subject: Netscape Netcenter password hint

My Netscape is part of Netscape Netcenter, the service that Netscape is
pushing as its entry to the Net portal business.  My Netscape has, like
most such services, a new account sign-up form.

This form is available via a 320+char URL which i have omitted for the
sake of buggy mailers, and via the red "personalize" button in the
upper left corner of http://my.netscape.com/ (presumably only if you
aren't already a member).

On this (non-encrypted) page, next to a field labeled "Enter a password
hint:", you're given the following explanation of a password hint:

   If you forget your password, Netcenter will present you this
   password hint to help jog your memory. Example hint:"same password
   as my bank acct.".

The risks are obvious.

Amusingly, my initial attempt to send this report to Netscape failed;
the "Feedback" link at the top of the same page is broken.

danno  dan pritts

------------------------------

Date: Thu, 8 Oct 98 16:21:25 PDT
From: Ian Macky <[email protected]>
Subject: Radio clock blows daylight savings

For the first time in many years I foolishly purchased a new high-tech
consumer product: a clock with built-in radio receiver which listens to
broadcast time standard and keeps synchronized.  It's been accurate to the
second since I turned it on... until last week, when one morning it was
exactly one hour early.  It ended daylight savings time too soon!

Naturally, you can't force this clock in any way.  You can't set the time,
or change whether it honors daylight savings.  You're at the mercy of a
distant radio transmitter.

KISS!  I should have known better.  It's too bad noone is manufacturing any
of Harrison's old designs (has everyone read "Longitude"?).

--ian

------------------------------

Date: Mon, 05 Oct 1998 12:40:46 +1300
From: Martin D Kealey <[email protected]>
Subject: The risks of "keep it simple" [Re: Cohen, RISKS-20.02)

Sometimes simplicity can be deceptive; once again an example of making a
simple stand-alone system in the present, without considering how it
shifts complexity into other systems, either now or in the future.

Fred Cohen wrote:
> Rule 2: You can sign up or off the list in the same way as you
> make submissions to the list.

With respect, I'd like to suggest this isn't such a good idea.

> Because we are fully moderated, it all goes to the same place anyway.

In short, this is a non-sequitur, and irrelevant from the list subscribers'
point of view...

It is always possible to start with multiple addresses aliased together;
it's a lot harder to start with one address and later get everyone out there
to stop using it for everything, especially as most of the people you would
want to stop will be people you've never heard from before (new subscribers)
and therefore won't have had the chance to tell them that it's changed.
It's very difficult to un-make an omelet.

At some point in the future you may wish to revise your configuration; there
are many reasons why it might need to be changed, but, for example, you may
wish to have multiple moderators, while keeping list management under the
control of a smaller group (even just one person).  When that happens, it
will be a lot easier to maintain the list with separate addresses for the
separate functions.

As a secondary effect, not publishing such a standard address indirectly
impacts on other mailing lists -- which necessarily may have separate
addresses for some or all of submissions, subscriptions, administration,
anonymizing, accounting and transport -- by not discouraging people from
sending requests to the submissions addresses.

Not everyone running a mailing list has the time or dedication to
hand-moderate everything, so I'd rather not encourage newcomers to make
random broadcasts; "please add me to your list" gets to be quite an
irritation to subscribers who are quite unable to do anything about it,
while the list maintainer won't even see such a request unless they read (or
moderate) the list.

-Martin

------------------------------

Date: Thu, 8 Oct 1998 07:47:27 +0300 (EET DST)
From: [email protected] (Kimmo Ketolainen +358 40 55555 08)
Subject: Finland: Fraud with copied banking cards

Someone apparently succeeded last Saturday in the old trick of copying
banking cards' magnetic stripes and reading then the PIN codes from the
keypad over the shoulder. What makes this scam spectacular is that the
artist(s) had attached an additional "small black" card reader on top of the
opening of the real reader in the cash dispenser.

They managed emptying some 60 accounts worth roughly 180 000 FIM (36 600
USD). In all, 500 customers have to renew their cards after using that
particular cash dispenser on Aleksanterinkatu in Helsinki during the
evening. No one has been arrested yet.

The three largest banks started to issue banking cards with a chip on top
last year, but all cards still come with a magnetic stripe as well. Using
a banking card in the chip card slot instead of the other one would have
prevented this type of attack.

Kimmo Ketolainen, Finland <[email protected]> <iki.fi/kk> +358 40 55555 08
 [GREAT address: sci.fi!  PGN]

------------------------------

Date: Tue, 13 Oct 1998 7:12:13 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: Offensive information warfare deemed offensive?

``Hackers calling themselves the Electronic Disruption Theater allege the
Pentagon used illegal offensive information warfare techniques -- a charge
DoD officials deny -- to thwart the group's recent computer attack.  At
issue is whether in fighting back against the hackers, the Pentagon crossed
the line into so-called offensive information warfare, and perhaps violated
US laws that prohibit anyone from covertly accessing another's computer.
The issue of computer crimes, however, is highly controversial because US
legislation has not kept up with the capabilities of computer technology.''

This arose after a 9 Sep 1998 attack against DefenseLink, DoD's primary
public information Internet site.  The Pentagon apparently created Java
applet (``Hostile Applet'') that shut down targeted browsers of hackers
contributing to the collaborative attack.  [Source: Hackers take offense at
Pentagon defense; Experts Say DoD response treads fine legal line, *Defense
News*, By George L. Seffers, 7 Oct 1998; PGN Very Stark Abstracting]

------------------------------

Date: Tue, 13 Oct 98 5:52:01 PDT
From: "Peter G. Neumann" <[email protected]>
Subject: Hackers stay a step ahead of China's cyber-police

Computer crime is increasing in China, with more than 100 cases in the past
two years, one involving theft of $1.2M.  As a result, China is ratcheting
up its Internet police and surveillance capabilities.  Previous efforts have
concerned pornography and undesirable political messages.  Penetrations are
now illegal, subject to up to five-year sentences.  [Source: *People's
Daily*, via Reuters News Service, 12 Oct 1998; PGN Abstracting]


------------------------------

Date: Mon, 12 Oct 1998 13:37:44 -0700
From: Thomas Maufer <[email protected]>
Subject: LA 911 outage...backup worked!

Wow, a backup system that actually worked.  Of course, if the 911 sytem had
had more than one source of electrical power, the backup might never have
needed to be activated.  Tom

<http://dailynews.yahoo.com/headlines/local/state/california/>

>L.A.'s 911 Goes Out For 17 Hours - (LOS ANGELES) -- Los Angeles police
>are pleased their 911 backup system works...following a 17-hour
>breakdown in the 911 system.  Not a single emergency call was lost
>during the switch-over.  The emergency system was knocked out during a
>fire in an underground storage area at City Hall on Saturday afternoon,
>when water from the sprinklers seeped into the electrical system below.
>Authorities shut down power to the system, and the backup system kicked
>in...re-routing all calls to either individual police stations or the
>California Highway Patrol.  The fire began in some unstable, illegal
>fireworks being kept for an investigation.

------------------------------

Date: Fri, 25 Sep 1998 06:13:45 -0700 (PDT)
From: Declan McCullagh <[email protected]>
Subject: Some good Y2K news: whisky will be on tap for Hogmanay 1999

http://www.scotsman.com/interactive/it16nips980923.1.html

  Distiller is 100% millennium proof
  Whisky drinkers should be assured of their tipple being on tap for
  Hogmanay 1999, says Alan Crawford

Whisky tipplers can rest easy after the announcement last week that a
technological crisis that had threatened to halt the flow of Scotch has been
narrowly averted. Burn Stewart Distillers, whose brands include Tobermory
Single Malt and Wallace Liqueur, has declared that its computer systems will
be millennium compliant by the end of the year.

Although the whisky industry is steeped in tradition, it relies heavily on
computers to control many aspects of production and marketing. Burn Stewart
alone sells about 18 million bottles a year to 500 major customers. Failure
to deal with the millennium bug - which threatens global computer meltdown
due to an inability to recognise the date change from 1999 to 2000 - could
result in widespread disruption of the distilling, bottling and marketing
processes.  [...]

POLITECH -- the moderated mailing list of politics and technology To
subscribe: send a message to [email protected] with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/

------------------------------

Date: Sat, 10 Oct 1998 14:30:52 -0700 (PDT)
From: Declan McCullagh <[email protected]>
Subject: Military preparations to mobilize for Y2K

[Declan notes that the Wisconsin National Guard is preparing to mobilize
for Y2K http://www.jsonline.com/news/1007y2k.asp, as are Toronto-area army
reservists, considering stockpiling food and generators.  2000 cyberglitch
the major concern for Canadian forces, By Patrick Cain]

------------------------------

Date: Wed, 7 Oct 1998 14:48:02 -0800
From: Rob Slade <[email protected]>
Subject: Void where prohibited by date

Yesterday my wife brought home a copy of a letter that her organization had
received from their insurance broker.  As could be expected, this document,
produced by the Insurance Bureau of Canada, warns that insurance is probably
not going to pay out if something happens that is related to a Y2K bug.
(They use more words to say it, of course.)

The pamphlet warns about a number of things that should be checked, and
could be used to generate a reasonable list of items to be confirmed.
Unfortunately, how you might go about checking them isn't covered.  (There
is one sidebar on checking the BIOS clock for a PC.)

However, that wasn't all that came in the mail yesterday.  There was a
catalogue from a company that sells promotional material related
specifically to anniversaries.  With it was a covering letter congratulating
them on their tenth year in business, coming up this spring.

The institution my wife works for was founded in 1889.

[email protected]     [email protected]     [email protected]
virus, book info at http://www.freenet.victoria.bc.ca/techrev/rms.html

------------------------------

Date: 23 Sep 1998 (LAST-MODIFIED)
From: [email protected]
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you.  Alternatively, via majordomo,
SEND DIRECT E-MAIL REQUESTS to <[email protected]> with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
  INFO     [for unabridged version of RISKS information]
.MIL users should contact <[email protected]> (Dennis Rears).
.UK users should contact <[email protected]>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.  *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to [email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
  [volume-summary issues are in risks-*.00]
  [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
or http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
PostScript copy of PGN's comprehensive historical summary of one liners:
  illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.03
************************

You are viewing proxied material from gopher.quux.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.