precedence: bulk
Subject: Risks Digest 20.14
RISKS-LIST: Risks-Forum Digest Sunday 3 January 1999 Volume 20 : Issue 14
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:
http://catless.ncl.ac.uk/Risks/20.14.html>
and at ftp.sri.com/risks/ .
Contents:
Car computer directs couple into river (PGN)
Swedish passport system struck by 99 (Ulf Lindqvist)
Swedish Giroguide also hit by 99 (Martin Minow)
Excel bug (Tom Rowe)
Chinese sentence hackers to death (John Knight)
Student can criticize school on web site, judge says (Declan McCullagh)
Hackers have fun with Furby (Robert Raisch via Dave Farber)
Now you see it, now you don't (Jerry Leichter)
Y1999: Risk of re-using data fields for error signaling (Daniel A. Graifer)
99-Year retrospective health insurance - or Y2K problem (Fraser McHarg)
San Francisco power outage and the risks of signs (Eric Leif)
Page-layout program hazards (Jordin Kare)
Some new things to try at all.net (Fred Cohen)
Privacy Digests (RISKS moderator)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Mon, 28 Dec 1998 09:30:46 -0500
From: "Peter G. Neumann" <
[email protected]>
Subject: Car computer directs couple into river
A German couple drove their BMW with great confidence under control of its
computerized satellite navigation. Indeed, they drove it past a stop sign,
down a ferry ramp, and into the Havel River in Caputh, near Potsdam/Berlin,
Germany. The computer system reportedly neglected to tell them they needed
to wait for the ferry. Ship traffic was stopped for two hours, but the
couple was OK. [Sources: PGN Abstracting from numerous multiply submitted
similar copyrighted stories, several quoting different officials reminding
us that we should not blindly rely on technology. Big surprise to RISKS
readers! But for the price of a Beemer, I thought it drove on water. PGN]
------------------------------
Date: Fri, 1 Jan 1999 21:51:10 +0100 (MET)
From: Ulf Lindqvist <
[email protected]>
Subject: Swedish passport system struck by 99
In Sweden, the first report about a 99-related computer problem appeared
already on 1 Jan 1999. The Swedish police can normally issue provisional
passports at the three main international airports in Sweden. But on the
first day of 1999, no passports could be issued because the computer system
could not handle 99. Four people in Stockholm and two in Goteborg had to
cancel their trips because they could not get their passports. The system
was reported to have been fixed during the afternoon. [Primary source
*Sveriges Televisions Text-TV*, January 1 1999]
A couple of things to note: Of course it is a risk to try to travel abroad
without having a passport, but there could be good reasons - family
emergencies, for example. The ordinary Swedish passports where changed in
1998 to conform with European Union regulations, but in this case the system
must be much older or based on old components (if the designers where not
extremely shortsighted). Most businesses do not open until Monday 4 Jan - we
could expect to hear about more 99-problems then, I guess.
Ulf Lindqvist, Department of Computer Eng., Chalmers University of Technology
SE-412 96 Goteborg, SWEDEN +46 31 772 17 60
[email protected]
[Also reported by Martin Minow, and by Debora Weber-Wulff, who notes
that 99 seems to be used often in Sweden to denote "end-of-file"... PGN]
------------------------------
Date: Sat, 2 Jan 1999 10:02:39 -0800
From: Martin Minow <
[email protected]>
Subject: Swedish Giroguide also hit by 99
The New Year provided an early taste of Y2K in Sweden. According to the
Stockholm newspaper, *Svenska Dagbladet*, the modem-based "Giroguide"
payment service run by the PostGiro refused to process payments "if the
payer provided a specific date in 1999". (PostGiro is a convenient payment
system run by the Post Office used as widely as checking accounts in the
United States.)
"It was due to a programming error" ... that can depend on the combination
"99" that, in some cases, is used to mark end-of-run. Since you can enter
payments up to a year in advance, it may also be due to a year-2000 problem,
but Jarl Dahlerus, who is responsible for E-PostGiro, doesn't believe this
is the case. If any customer is affected by the error, they will be
compensated by PostGiro.
Translated and summarized by Martin Minow,
[email protected]
------------------------------
Date: Thu, 31 Dec 1998 23:02:41 +0100
From: "Tom Rowe" <
[email protected]>
Subject: Excel bug
I imagine this has been discussed some, but in case it hasn't.
If you enter a number, say 123456789999 in Excel and save the file as
comma delimited (csv I think MS uses) it will be saved as 1.234567E+11.
Quite a few programs can't import this properly, including Word.
But what's worse, bringing it back into Excel gives you 123456700000.
I think the risks are fairly obvious.
I wonder if the large bank I work for (which has standardized on
Excel) knows about it.
When opening an account I guess not only do I need to ask banks the
interest rates, fees etc, but also what software they use. Sheesh.
Tom Rowe, Atlanta, GA
------------------------------
Date: Thu, 31 Dec 1998 12:38:59 -0500 (EST)
From: John Knight <
[email protected]>
Subject: Chinese sentence hackers to death
Twin-brother computer hackers sentenced to
death in China (Deutsche Presse-Agentur, 28 Dec 1998)
Two Chinese computer hackers who illegally transferred 720,000 yuan (about
87,000 dollars) to their own bank accounts have been sentenced to death, the
Beijing Chenbao newspaper said in its Monday edition. The hackers, twin
brothers, had used inside information to rob a bank in the city of
Zhenjiang, the report said. One of the brothers, Hao Jingwen, opened 16
accounts under false names in September, the report said. Then he entered a
branch of the Trade and Industry Bank in Zhenjiang, in Jiangsu province, and
installed a piece of equipment in the bank's computer system.
http://web.lexis-nexis.com/more/cahners-chicago/11407/4120740/4
[Extracted from NMIA ZGram,
[email protected] (Zhi Hamby)]
------------------------------
Date: Tue, 29 Dec 1998 18:02:45 -0500
From: Declan McCullagh <
[email protected]>
Subject: Student can criticize school on web site, judge says
This case reminds me of another I wrote about earlier this year -- but with
a happier ending:
http://cgi.pathfinder.com/time/digital/daily/0,2822,12983,00.html
http://www.wired.com/news/news/politics/story/17068.html
[Also AP item 28 Dec 1998]
School Dazed by Speech Ruling, by Declan McCullagh
A Missouri high school cannot punish a student for criticizing a teacher on
a personal Web page, a federal judge ruled Monday. Saying the school
violated free speech rights protected by the First Amendment, District Judge
Rodney Sippel ordered the Woodland School District to let the student
publish his site from a home computer. "Disliking or being upset by the
content of a student's speech is not an acceptable justification for
limiting student speech," Sippel wrote in a 17-page opinion.
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to
[email protected] with this text:
subscribe politech
More information is at
http://www.well.com/~declan/politech/
------------------------------
Date: Sun, 27 Dec 1998 11:05:23 -0500
From: Dave Farber <
[email protected]>
Subject: IP: Hackers have fun with Furby (from Robert Raisch)
See Also: Reverse Engineering the LEGO RCX
http://graphics.stanford.edu/~kekoa/rcx/talk/
>From: "Robert Raisch" <
[email protected]>
(When you provide technically capable, questing minds with simple, cheap and
effective communications channels, they do what come naturally. This is why
DIVX is doomed. /rr)
Hackers have fun with Furby, BY MARGIE WYLIE, Newhouse News Service
http://www7.mercurycenter.com/business/top/080145.htm
Excerpt:
While some people see a lovable little friend in this year's answer to
Tickle Me Elmo, toy hackers like the 25-year-old programmer see a challenge:
make Furby do as they command. Why? Why not?
``I figured it would be neat,'' said Tokash, who has created a Web site for
Furby hackers to swap information (
http://www.homestead.com/hackfurby).
``Somebody's going to hack this thing; I might as well be one of them.''
The Furby was designed by Tiger Electronics of Illinois to squeal, sneeze or
snore and speak 200 words in a language called Furbish. And since its
October introduction, hackers have skinned, autopsied and beamed the
cloyingly sweet animatronic fur-ball with different infrared signals. The
results, in excruciating detail, are posted on the Web.
Rob Raisch, Internet Technical Hired Gun <
http://www.raisch.com/>
------------------------------
Date: Fri, 25 Dec 98 08:34:22 EST
From: Jerry Leichter <
[email protected]>
Subject: Now you see it, now you don't
The Net remembers everything; the Net forgets everything. What's the effect
on traditional ideas of research?
The Web these days relies on search engines. These are commercial ventures,
whose distinguishing features are in the technologies used to implement the
Web crawlers, indexers, and other components. Details of these technologies
have remained closely guarded trade secrets.
A group at Stanford University set out to do research on some nice new ideas
for search engines, applying and extending some traditional ideas from
library science to estimating relevance and importance of various Web pages.
The algorithms used, the architecture of the system, and other interesting
stuff, was published as a series of reports, which appeared - naturally
enough - on the Web at the group's Web site
(
http://google.stanford.edu/about.html).
If you're interested in learning more ... you're too late. If you go to
that site, you'll find that the research group no longer exists. It's been
reconstituted as a corporation, Web site
http://www.google.com/company.html.
That site currently has very little on it. The research papers are no
longer on the Web.
Now, I have no objection to the researchers going off to start a company. I
wish them the best of luck, even as I worry about the effect the drain of
talent from the academic world will ultimately have. However, I am
concerned about the removal of previously-public research material. We hear
repeated complaints that traditional journals don't accept URL's as
bibliographic citations. If *even a university research department*
approves the removal of on-line versions of its own research papers, how can
we take the Web seriously as a resource for scholarship?
Note that, even if the commercial venture decides to put the papers on-line
at its site, that would not be good enough. First of all, if anyone has a
citation to the papers at the old cite, the citation should be good on its
own - it should not require a chase to another site. More important,
however, commercial Web sites come and go. Even with the best of
intentions, a com- mercial Web site is not a stable academic reference. If
the new company fails; or if it succeeds, but is acquired by a larger
company and disappears as a separate entity; the papers will likely vanish
forever.
[Increasingly, much valuable research from the past is being forgotten.
Unfortunately, the operative motto seems increasingly to be
``If it is not now on the Web, it never existed.'' PGN]
------------------------------
Date: Wed, 30 Dec 1998 13:12:25 -0500
From: "Daniel A. Graifer" <
[email protected]>
Subject: Y1999: Risk of re-using data fields for error signaling
"1999 problems with medical device clocks found"
<
http://www.sjmercury.com/business/tech/docs/085460.htm> discusses two
medical devices that the FDA is warning hospitals of non-health
threatening failure in 1999. The HP defibrillator will print "set clock"
instead of the date on its printed record. The other, a patient
monitor, will also fail to correctly report the date in it's logs.
Obviously, somebody made "99" mean "clock needs to be reset". These are
relatively new devices. We they really so short of memory that they
couldn't find a bit somewhere for this flag?
Daniel A. Graifer, Parker & Company 1-888-426-6548
Andrew Davidson & Company, 588 Broadway, Ste 610, NY 10012 1-212-274-9075
[Note: relating to Jerry Leichter's Y2K item in RISKS-20.13,
various folks observed that 9 Apr 99 is the 99th day of 1999, which
in some programs is represented as 9999, an erstwhile stopcode. PGN]
------------------------------
Date: Tue, 29 Dec 1998 13:40:58 +1000
From:
[email protected]
Subject: 99-Year retrospective health insurance - or Y2K problem
Last week I received my Health Insurance renewal notice with the period of
cover listed as "From: 4 January 1999 To: 4 January 1900". Since I was not
alive for most of the 99-year period I am intending to decline their
generous retrospective insurance offer.
It does not bode well, that in December 1998, HBA, one of the larger Health
Insurance companies in Australia can presumably be so far behind in its
Year 2000 project that they have not tested the production of their primary
revenue collection document. Many other companies have already finished
their Year 2000 projects.
Now is the time that annual renewals for all sorts of things will be
issuing that should have expiry dates falling in January 2000, it will be
interesting to see how many other 1999 to 1900 renewals appear.
[Many people are actually expecting some serious problems beginning next
week for insurance companies and others who have to deal with dates a year
ahead. PGN]
------------------------------
Date: Wed, 23 Dec 1998 03:10:26 -0500
From:
[email protected] (eric leif)
Subject: San Francisco power outage and the risks of signs (Horiuchi, R-20.13)
The mention of a pipe and the risk of not having a sign reminded me of an
incident. Some background information, this took place in a nuclear training
facility. For the most part a "real" plant wouldn't have as many tags and
signs as this plant, but every pipe, wire, machine was labeled.
So that's the stage and the pipe in question had the label CPW, the meaning
of that pipe was taught early, and everyone there knew what it was, so much
in fact that an ongoing joke about its meaning as Coffee Pot Water, however
the real meaning of that acronym is Controlled Pure Water. And what that
means is this water could be potentially contaminated. Anyway you can
probably guess the conclusion of this story, but I will continue anyway. A
new trainee, had apparently heard the joke before the lesson, and used CPW
to fill up a coffee pot.
The risks here are many. The joke definition of the above incident is really
a risk with human nature or boredom of being over trained perhaps, but that
aside. The use of acronyms is certainly a risk and I'm sure its been seen on
this list many times. Even without using acronyms, the above sign could
still be misinterpreted, Controlled Pure Water sounds at first like its pure
and guaranteed to be so. Most people at this plant knew what controlled
meant in context of this plant, but others? And back to the SF power outage,
had that pipe been labeled substation ground, would that have meant anything
to a construction crew?
The real risk of this power outage would seem to me a physical security
risk, as with the CPW incident. Neither of these things needed to be easily
accessible, but once they are humans will err.
-eric leif <
[email protected]>
------------------------------
Date: Tue, 29 Dec 1998 10:54:49 -0800
From:
[email protected] (Jordin Kare)
Subject: Page-layout program hazards
In RISKS-20.13, Ben Sherman <
[email protected]> noted that Quark Xpress, as
part of a "feature" allowing embedded ASCII string commands, would
silently convert >> to >, mangling published UNIX listings. This is by no
means a new problem, and is, I think, inherent in the use of embedded
commands.
Circa 1981, I was typesetting a songbook using TROFF, the UNIX typesetting
program in which one flags command lines embedded in text by starting them
with a period (.), e.g., .PP signals a new paragraph. After some 2000
copies of the book had been printed and put on sale, we discovered that,
in perhaps a dozen places, entire lines of text had vanished. (This is
remarkably difficult to detect when proofreading familiar songs, similar
to losing complete sentences out of prose text).
On close examination, we found that TROFF had silently "eaten" every line
beginning with an apostrophe ('). VERY close reading of the TROFF manual
revealed that the apostrophe is an alternate command line marker, so that
any line starting with an apostrophe will be treated as a command. This
fact was noted in one obscure footnote, and not referenced anywhere else.
Why the programmers thought the apostrophe was a "safe" character to use
is unclear, but seems to follow the same logic that caused the Quark
Xpress bug: in "normal" writing, one does not use >>, nor start a line
with an apostrophe. However, these occur frequently in specific types of
writing: in UNIX shell scripts for >>, and in poetry or song lyrics for
lines starting with apostrophes (which frequently use contractions like
'Til and 'Tis).
The consistent Risk is that any reserved character combination, no matter
how obscure, may occur in someone's text, quite possibly without them
realizing it. If there is a solution (other than really careful
proofreading of typesetting-program output) it presumably includes
conspicuously documenting such combinations, ruthlessly minimizing their
number, and trying very hard to avoid anything even remotely likely to be
entered other than deliberately.
Jordin Kare
------------------------------
Date: Thu, 24 Dec 1998 17:52:22 -0800 (PST)
From: Fred Cohen <
[email protected]>
Subject: Some new things to try at all.net
Just thought RISKS readers would like to know about a few New Year's gifts
from all.net:
I thought many of you might be interested in the newest "game" on
http://all.net/
The Cracking Game
In this 'game', we teach defenders about attack and defense techniques
by having them try to tell us how they would crack into a variety of
different sorts of systems and having various defensive things happen to
them along the way. It is also a lot of fun and somewhat of a
challenge. Just select it from the "Would you like to play a game?"
Menu and press Go.
Please note that the game is still under development and your comments
will be greatly appreciated.
I have also put up a beta-test version of an automatic game:
The Network Security Simulator
This simulator is intended for design, attack, and defense analysis for
computer networks, but it may also be of some interest from a gaming
viewpoint. It has just been added to the games menu at
http://all.net/ Just
select "Network Security Simulator", select inputs from the menus, press go,
and see the results. Press "reload" to simulate again - with different
results of course. Your comments again will be appreciated.
Fred Cohen & Associates:
http://all.net -
[email protected] - tel/fax:925-454-0171
[Standard RISKS disclaimer. In this case, FC's work at FC&A is separate
and independent from any work he does for at Sandia. PGN]
------------------------------
Date: 17 Apr 1997
From: RISKS moderator
Subject: Privacy Digests
Periodically I will remind you of TWO useful digests related to privacy,
both of which are siphoning off some of the material that would otherwise
appear in RISKS, but which should be read by those of you vitally interested
in privacy problems. RISKS will continue to carry general discussions in
which risks to privacy are a concern.
* The PRIVACY Forum is run by Lauren Weinstein. It includes a digest (which
he moderates quite selectively), archive, and other features, such as
PRIVACY Forum Radio interviews. It is somewhat akin to RISKS; it spans
the full range of both technological and nontechnological privacy-related
issues (with an emphasis on the former). For information regarding the
PRIVACY Forum, please send the exact line:
information privacy
as the BODY of a message to "
[email protected]"; you will receive
a response from an automated listserv system. To submit contributions,
send to "
[email protected]".
PRIVACY Forum materials, including archive access/searching, additional
information, and all other facets, are available on the Web via:
http://www.vortex.com
* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
run by Leonard P. Levine. It is gatewayed to the USENET newsgroup
comp.society.privacy. It is a relatively open (i.e., less tightly moderated)
forum, and was established to provide a forum for discussion on the
effect of technology on privacy. All too often technology is way ahead of
the law and society as it presents us with new devices and applications.
Technology can enhance and detract from privacy. Submissions should go to
[email protected] and administrative requests to
[email protected]. (For example, vol 13, issue 031, 23 Dec
1998, has a long item on random credit-card fraud via small charges.)
There is clearly much potential for overlap between the two digests,
although contributions tend not to appear in both places. If you are very
short of time and can scan only one, you might want to try the former. If
you are interested in ongoing discussions, try the latter. Otherwise, it
may well be appropriate for you to read both, depending on the strength of
your interests and time available.
PGN
------------------------------
Date: 23 Sep 1998 (LAST-MODIFIED)
From:
[email protected]
Subject: Abridged info on RISKS (comp.risks)
The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Alternatively, via majordomo,
SEND DIRECT E-MAIL REQUESTS to <
[email protected]> with one-line,
SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
INFO [for unabridged version of RISKS information]
.MIL users should contact <
[email protected]> (Dennis Rears).
.UK users should contact <
[email protected]>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to
[email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available:
ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
[volume-summary issues are in risks-*.00]
[back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
or
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
PostScript copy of PGN's comprehensive historical summary of one liners:
illustrative.PS at ftp.sri.com/risks .
------------------------------
End of RISKS-FORUM Digest 20.14
************************
